Sunday, September 23, 2018

Another Municipality with Issues



Government entities tend to be in a unique situation. The entity receives a set amount of revenue annually. This fluctuates somewhat as property values and taxes change and other fees are collected, but these adjustments are not significant. With these limited resources, the government entity has to plan its activities for the year. These usually cost money and don’t allow for a mass amount of changes. There are also the random events that we try to plan for, which are also an expense unless they happen to be covered by insurance.
City Payment System Breach
The city uses a system to collect payments from its citizens, much like any other. This makes paying fees a bit easier for the citizens. Payments may be made online or in person, for utilities, municipal court fines, and fees. Due to an as yet unknown issue, the system was compromised. The successful attack allowed the attackers to take users’ credit card information, including the card numbers, security codes, and expiration dates. Unfortunately, along with this, the users’ first names, last names, middle initials, addresses, cities, states, and zip codes were stolen. The only benefit in this situation is that not every citizen was affected. Those who paid with a credit card at the 24-hour kiosk, and those who paid with a credit card over the phone with the IVR system, were fortunately excluded.
Timing
Breach periods vary with each circumstance. They can vary immensely based on the monitoring, configuration, InfoSec teams, and too many other factors to take into consideration. In this case, the period was approximately eight weeks, from June 18 to August 22, 2018. Once the city was notified, the payment system was shut down. The payment system was provided by Superion; the service was the Click2Gov software. After the notification, the city began working with Superion to review the clients’ data to ensure it was not affected or modified. As a result, the city did implement additional security features.
Follow-Up
As is to be expected, the city contacted the pool of potentially affected persons. The city is notifying the affected persons to review their credit card statements for any unauthorized charges. Additionally, the users may ask their credit card company to deactivate the card and issue a replacement. To monitor their accounts for fraud, the users are also able to request that a fraud alert be placed on their account.

Even though this is being investigated, there are still many questions surrounding the issue, including who or which group breached the system. Also, the credit card processor, Superion, only had a portion of the credit card payments affected. Did they have two different systems to process the different types of payments? Also, why didn’t their InfoSec team have a clue this occurred? There had to be a relatively significant amount of traffic to exfiltrate this data, and it should have shown up in the logs. This is notable as the U.S. Secret Service had to notify the city.
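The post argues that the traffic needed to move this much card data should have been visible in the logs. As an added example (not code from the original post or from Superion), here is one simple way that signal is surfaced: a per-host baseline of outbound bytes and known destinations, with anything after a cutoff that goes to a new destination or far exceeds the baseline flagged. The log format, host names, addresses and byte counts are all constructed for the example.

```python
"""Added example (not from the original post): a per-host outbound-volume
baseline run over a few constructed egress log lines. Host names, addresses
and byte counts are made up for the example."""
from collections import defaultdict
from datetime import datetime
import re
import statistics

# Constructed hourly egress summaries:
# "<ISO timestamp> <source host> <destination IP> <bytes out>".
# The first five lines are the normal baseline; the sixth is the odd one out.
SAMPLE_LOG = """\
2018-06-17T02:00:00 pay-web-01 203.0.113.10 18200
2018-06-17T03:00:00 pay-web-01 203.0.113.10 17650
2018-06-17T04:00:00 pay-web-01 203.0.113.10 19100
2018-06-17T05:00:00 pay-web-01 203.0.113.10 18900
2018-06-17T06:00:00 pay-web-01 203.0.113.10 20100
2018-06-18T02:00:00 pay-web-01 198.51.100.77 412000000
2018-06-18T03:00:00 pay-web-01 203.0.113.10 18400
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_log(text):
    """Parse lines into (timestamp, src, dst, bytes) tuples, skipping malformed ones."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, nbytes = m.groups()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def build_baseline(events, cutoff):
    """Per-source mean/stdev of bytes out, and destinations seen, before the cutoff."""
    volumes, dests = defaultdict(list), defaultdict(set)
    for ts, src, dst, nbytes in events:
        if ts < cutoff:
            volumes[src].append(nbytes)
            dests[src].add(dst)
    stats = {}
    for src, vals in volumes.items():
        sd = statistics.pstdev(vals) if len(vals) > 1 else 0.0
        stats[src] = (statistics.mean(vals), sd)
    return stats, dests


def find_anomalies(events, cutoff, stats, dests, k=3.0):
    """Flag events at/after the cutoff with a new destination or volume > mean + k*stdev."""
    alerts = []
    for ts, src, dst, nbytes in events:
        if ts < cutoff or src not in stats:
            continue  # no baseline for this host: nothing to compare against
        mean, sd = stats[src]
        reasons = []
        if dst not in dests[src]:
            reasons.append("new destination %s" % dst)
        if nbytes > mean + k * sd:
            reasons.append("%d bytes out vs baseline mean %.0f" % (nbytes, mean))
        if reasons:
            alerts.append({"time": ts.isoformat(), "src": src, "dst": dst,
                           "bytes": nbytes, "reasons": reasons})
    return alerts


def analyze(text, cutoff_iso):
    """Build the baseline from everything before cutoff_iso, then score what follows."""
    events = parse_log(text)
    cutoff = datetime.fromisoformat(cutoff_iso)
    stats, dests = build_baseline(events, cutoff)
    return find_anomalies(events, cutoff, stats, dests)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, "2018-06-18T00:00:00"):
        print(alert["time"], alert["src"], "->", alert["dst"], "; ".join(alert["reasons"]))
```

On the constructed data only the 02:00 transfer on June 18 is reported, for both reasons at once: a destination the host had never sent to, and a volume several orders of magnitude above its hourly mean. The same two checks are what a SIEM rule on firewall or proxy summaries would express.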

Resources

City of Tyler. (2018). Click2Gov payment system security breach. Retrieved from http://www.cityoftyler.org/Departments/TylerWaterUtilities/WaterBillingOffice/PayingYourBill.aspx

Kirst, K. (2018, September 10). What you can do to protect your information. Retrieved from http://knue.com/city-of-tylers-online-payment-system-breached-what-you-can-do-to-protect-your-information/

Mansfield, E. (2018, September 10). U.S. Secret Service reported software back to City of Tyler. Retrieved from https://tylerpaper.com/news/local/u-s-secret-service-reported-software-hack-city-of/

Terry, C. (2018, October 10). City of Tyler’s Click2Gov payment system breached. Retrieved from http://www.kltv.com/story/39060322/city-of-tylers-click2gov-payment-system-breached

Wood, C. (2018, September 10). City of Tyler notified of payment system breach. Retrieved from https://www.easttexasmatters.com/news/local-news/city-of-tyler-notified-of-breach-for-system-to-collect-utility-and-court-fee-payments/1431720813

Saturday, September 22, 2018

GovPayNow.com Compromise Issues

Another payment portal breach: Here we go again with GovPayNow.com
Charles Parker, II

Third-party vendors have historically been the Achilles heel of the business world. Examples of this have abounded in the news feeds over the last seven years. The first huge compromise of this kind was the Target breach, occurring close to the holidays and allowed by explicitly trusting a third-party vendor. This vendor, a heating/cooling vendor, allowed its compromised system to deliver the malware to Target, where it made its way to the PoS systems and exfiltrated a mass amount of data in the form of Target customers’ credit card information.

While this was a rather large and eye-catching compromise, a recent breach approaches the magnitude of this type of mistake.

GovPayNow.com is a service used by government agencies to process payments. These payments are for law enforcement agencies, courts, correctional facilities, departments of revenue, restitution payments, criminal fines, property taxes, and more. The company is based in Indianapolis, IN. This is a vital service for the government entities’ clients.

Unfortunately for the service, the government agencies using it, and their clients, the service was compromised. Krebs on Security notified them on September 14, 2018. To make matters worse, the exposed data amounted to over 14M records, or six years of data. This included the clients’ names, addresses, phone numbers, and the last four digits of their credit card numbers. The last four digits of the card number aren’t as critical as the rest of the data.

Two days after the notification by Krebs on Security, the service stated it had addressed “a potential issue”. It seems odd that a downplayed security issue (singular) would allow for this breach, along with fixing any log records indicating who was there and scrubbing any other data indicating who did this. The published accounts don’t indicate the attack vector. It could have come from a number of different sources, using a myriad of unique tools or a combination of these. It could simply have been an aggressive phishing campaign.



Resources

Krebs, B. (2018, September 17). GovPayNow.com leaks 14M+ records. Retrieved from https://krebsonsecurity.com/category/data-breaches/ and https://krebsonsecurity.com/2018/09/govpaynow-com-leaks-14m-records


Vehicle Cybersecurity Positions are Difficult to Fill


Vehicle Cybersecurity Professionals: Still a Difficult Position to Fill
Charles Parker, II

In the metro-Detroit area, the primary industry and revenue force is the auto industry. This is clearly due to the number and concentration of vehicle manufacturer headquarters, assembly plants, and admin offices. As these vehicles are designed and engineered, they require cybersecurity testing. This ensures, as much as possible, that the vehicles are safe and secure from being successfully attacked. Cybersecurity for the presently connected vehicles and future autonomous vehicles is paramount. Without this in place, and without the vehicles being actively and directly tested, no vehicle on the road would be safe, either in itself or from other vehicles which could be hijacked.

To accomplish this vast task, the vehicle manufacturers require qualified people to complete the testing. This would not appear to be a significant issue: there are jobs to fill in a technology area that has created demand for years, and there should be people to fill the open positions. Unfortunately, this is not remotely the case, and for many reasons. The primary reason is that the persons available with this skill are limited. The pool of persons with the skill and experience to test the cybersecurity of embedded equipment is rather narrow. Of this narrow field, the applicants need to be vetted not only for their technological prowess but also for their ethics, as there are bad apples present who would not morally do the right thing 100% of the time. Based on this, the need/demand is far outpacing the supply. This is further exacerbated by the need spanning several industries, not only auto manufacturers.

As an option, the manufacturer may reach out to third parties to complete a portion of the testing. The manufacturer may also incorporate a bug bounty program into its process. Programs like this pay cybersecurity persons when they find a bug in the product. With such a program, a great number of persons review the product and are paid for their time if a bug is found. GM’s and FCA’s bug bounty programs are well known.

There are a limited number of universities and colleges attempting to train persons for this vast need. There are also contests that high school and college students may apply to join to learn the basics. This will assist with increasing the pipeline of cybersecurity talent.



BackSwap Returns


Charles Parker, II

Attackers and malware coders have a focus. These persons are looking for data to steal and sell or manipulate. One area which continues to grow in popularity is trojans coded to steal the user’s banking credentials. In this area of expertise, there aren’t merely more banking trojans; nuances are being added to them.
The subject malware is BackSwap. Historically this has been successful in compromising targets. The updated version has been targeting Polish users and banks. At this juncture, the primary targets have been users at PKO BP (Bank Polski), mBank, and ING.
Prior Versions
The prior version, while exemplary in its own right, utilized a complex process involving injection methods. The malware kept track of browsing activities. Historically, banking malware injected itself into the browser’s process address space. The next step would be for the malware to hook browser-specific functions. At this point, the malware would modify the traffic.
Update
Naturally, the malware was detected and its signature was added to the AV products. This lowered its overall impact on the targets, in that there were fewer successful attacks and compromises.
The improved version implemented a simple method to bypass browser detection. This version began to be used and noted in the wild in March 2018. Curiously, this malware was also being revised nearly daily.
The transportation of the malware is also pertinent. For a successful campaign, the malware has to be delivered in some manner to the targets. This path has to lull the target into clicking and downloading the malware. In this case, the malware was transported to the user via email. The process was simple, concise, and mundane, and would not have raised a red flag. The malware itself used a heavily obfuscated JavaScript downloader (Nemucod). To help the target decide to open and thus install it, the malware was delivered labelled as an updated version of genuine, authentic apps. The malware was launched within the initialization process of the application. This was somewhat stealthy in that the user was tricked into believing they had clicked on the true app. This feature also made the malware difficult to detect in the browser and by AV.
The malware watches for the user connecting to a bank’s website, and uses a specific script for each bank’s website. The recent version has been coded to initiate a wire transfer request from the target’s account. To make the theft less obvious and to ease processing, the attackers insert their account number in the form. As this is processed, the funds are wired out to the attacker’s bank account. As it appears the target is sending the money, and there is not a hint this is not voluntary, this bypasses any additional authentication. The amounts stolen have varied from $10K-$20K (approximately $2,800-$5,600).
To avoid issues like this, users need training focused on awareness, and on the point that they don’t have to click on everything. A user who is aware of potential phishing attacks is better able to recognize them and not become a victim.
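User awareness is one side of the defence; the other is on the bank’s side. The post notes that the fraudulent transfer looks voluntary, so no additional authentication fires. As an added example (not code from the original post or from any of the banks or reports it cites), here is the kind of server-side screening rule that requires out-of-band confirmation anyway: a first-time beneficiary scores high, a large amount scores higher, and one previously unseen account receiving money from several unrelated customers in the same window, which is exactly what inserting a single attacker account into many victims’ forms produces, scores highest. Customer ids, account ids, amounts, history and the score thresholds are all constructed for the example.

```python
"""Added example (not from the original post or the BackSwap write-ups it
cites): a server-side screening rule for outgoing transfers. All customer
ids, account ids, amounts and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    customer: str     # constructed customer id
    beneficiary: str  # constructed destination account id
    amount: float


# Constructed history: beneficiaries each customer has paid before.
HISTORY = {
    "cust-001": [Transfer("cust-001", "ACCT-RENT", 1200.0),
                 Transfer("cust-001", "ACCT-POWER", 85.0)],
    "cust-002": [Transfer("cust-002", "ACCT-POWER", 90.0)],
}

# Constructed batch of pending transfers from one processing window.
PENDING = [
    Transfer("cust-001", "ACCT-RENT", 1200.0),   # routine payment
    Transfer("cust-001", "ACCT-9F3A", 15000.0),  # new payee, large amount
    Transfer("cust-002", "ACCT-9F3A", 12000.0),  # same new payee, another customer
    Transfer("cust-003", "ACCT-GIFT", 200.0),    # first-time payee, small amount
]


def known_beneficiaries(history, customer):
    return {t.beneficiary for t in history.get(customer, [])}


def score_transfer(t, history, shared_payers, large_amount=5000.0, shared_threshold=2):
    """Return (score, reasons) for one transfer; a higher score means more review."""
    score, reasons = 0, []
    new_payee = t.beneficiary not in known_beneficiaries(history, t.customer)
    if new_payee:
        score += 50
        reasons.append("first transfer to this beneficiary")
    if t.amount >= large_amount:
        score += 30
        reasons.append("amount %.2f at or above %.2f" % (t.amount, large_amount))
    # A single unseen account collecting from several unrelated customers in
    # the same window is the pattern an injected attacker account produces.
    if new_payee and len(shared_payers[t.beneficiary]) >= shared_threshold:
        score += 40
        reasons.append("new beneficiary shared by %d customers in this batch"
                       % len(shared_payers[t.beneficiary]))
    return score, reasons


def decide(score):
    """Map a score to an action; step-up means out-of-band confirmation before release."""
    if score >= 70:
        return "step-up-auth"
    if score >= 50:
        return "review"
    return "allow"


def screen_batch(batch, history):
    """Score every pending transfer; returns a list of (transfer, score, decision, reasons)."""
    shared_payers = defaultdict(set)
    for t in batch:
        shared_payers[t.beneficiary].add(t.customer)
    results = []
    for t in batch:
        score, reasons = score_transfer(t, history, shared_payers)
        results.append((t, score, decide(score), reasons))
    return results


if __name__ == "__main__":
    for t, score, decision, reasons in screen_batch(PENDING, HISTORY):
        print(t.customer, "->", t.beneficiary, t.amount, score, decision, "; ".join(reasons))
```

On the constructed batch the routine rent payment is allowed, the small first-time payee goes to review, and both transfers to the shared new account require step-up confirmation through a channel the compromised browser does not control. The cross-customer check is the one worth keeping even when the per-customer rules are tuned down, since it does not depend on the amount.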


Resources
Arghire, I. (2018, May 29). BackSwap trojan uses new browser monitoring and injection techniques. Retrieved from https://www.securityweek.com/backswap-trojan-uses-new-browser-monitoring-and-injection-techniques

Belton, M. (2018, May 30). BackSwap trojan: How to remove it from infected hosts. Retrieved from https://securityboulevard.com/2018/05/backswap-trojan-how-to-remove-it-from-infected-hosts/

Cimpanu, C. (2018, May 25). BackSwap banking trojan uses never-before-seen techniques. Retrieved from https://www.bleepingcomputer.com/news/security/backswap-banking-trojan-uses-never-before-seen-techniques/

Enigma Software. (n.d.). BackSwap banking trojan. Retrieved from https://www.enigmasoftware.com/backswapbankingtrojan-removal/

Zorz, Z. (2018, May 29). BackSwap trojan exploits standard browser features to empty bank accounts. Retrieved from https://www.helpnetsecurity.com/2018/05/29/backswap-trojan/

Tuesday, September 18, 2018

Ahoy! USBHarpoon Attack


You would be hard pressed to find a person who has not at least seen a USB device. Most people have probably used a USB device with their phones, to charge an accessory, attach a printer to a laptop, transfer a file, or for any number of other activities. As users take these and put them to their specific use, in nearly all cases the USB device is fine and creates no issues. It works as expected.
Unpleasant Ends
Researchers decided to see what else could be done with these. To meet the challenge, the researchers created a modified USB device with an unpleasant surprise for the user. In short, this is a programmable USB device, which is not what one normally experiences with a USB device. The modified USB device appears in every way just like any other simple USB device.
The user receives the USB device. The user may have been given it by someone with a misguided sense of humor, may have found it on the ground, or may have received it from a vendor who purchased a batch from another vendor. The user unlocks their computer and plugs the USB device in. Unbeknownst to the user, the excitement ends after a few seconds.
Operations
Once the adulterated USB device is plugged in, it goes into action. It is coded to type and launch commands for its malware payload, and it inputs these commands automatically. On a Windows machine, the malware is run from the Run prompt. On a Mac or Linux machine, the commands are run from a terminal.
This malware is built on the prior BadUSB research and implementation. This is done by reprogramming the controller chip on the USB device. In theory, this could be coded to complete very detrimental tasks on the user’s computer.
The lesson, in this case, is not to plug just any USB device into your computer. These USB devices are not the ones purchased from the local office supply store. They have been purchased, removed from their packaging, modified, and passed on to an unsuspecting user. Users don’t have to plug every USB device they come across into their computer.
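Beyond the lesson for the user, the host itself sees something odd when one of these devices is plugged in: a device that presents as storage also registers a keyboard. As an added example (not code from the original post or from the USBHarpoon researchers), here is a check over Linux kernel USB enumeration messages in dmesg style that ties each port’s mass-storage and HID registrations together and flags the combination. All log lines, vendor/product ids and device names are constructed; the regular expressions follow the shape of real kernel messages but were written for this example.

```python
"""Added example (not from the original post or the USBHarpoon write-ups it
cites): flag a USB device that registers both mass storage and a HID
keyboard in dmesg-style kernel output. All log lines and ids are constructed."""
import re

# Constructed kernel messages: port 1-2 is a "Flash Drive" that also registers
# a keyboard; port 1-3 is an ordinary card reader.
SAMPLE_DMESG = """\
[  410.112] usb 1-2: new high-speed USB device number 7 using xhci_hcd
[  410.260] usb 1-2: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
[  410.261] usb 1-2: Product: Flash Drive
[  410.262] usb 1-2: Manufacturer: Example
[  410.300] usb-storage 1-2:1.0: USB Mass Storage device detected
[  410.420] input: Example Flash Drive as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.1/0003:1234:ABCD.0005/input/input21
[  410.421] hid-generic 0003:1234:ABCD.0005: input,hidraw2: USB HID v1.11 Keyboard [Example Flash Drive] on usb-0000:00:14.0-2/input1
[  512.001] usb 1-3: new full-speed USB device number 8 using xhci_hcd
[  512.150] usb 1-3: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 1.00
[  512.151] usb 1-3: Product: Card Reader
[  512.200] usb-storage 1-3:1.0: USB Mass Storage device detected
"""

PORT = r"(\d+-[\d.]+)"                                   # e.g. 1-2 or 1-2.3 behind a hub
HID_ID = r"(0003:[0-9A-Fa-f]+:[0-9A-Fa-f]+\.[0-9A-Fa-f]+)"  # bus:vendor:product.instance
NEW_RE = re.compile(r"usb " + PORT + r": New USB device found, idVendor=([0-9a-fA-F]+), idProduct=([0-9a-fA-F]+)")
PROD_RE = re.compile(r"usb " + PORT + r": Product: (.+)$")
STOR_RE = re.compile(r"usb-storage " + PORT + r":\d+\.\d+: USB Mass Storage device detected")
INPUT_RE = re.compile(r"input: .+ as /devices/\S*/usb\d+/" + PORT + r"/\S*?/" + HID_ID + r"/input/")
HID_RE = re.compile(r"hid-generic " + HID_ID + r": .*USB HID v[\d.]+ (\w+) \[")


def parse_usb_events(text):
    """Return {port: {port, vendor, product_id, product, interfaces}} from kernel messages."""
    devices = {}      # port -> device record
    hid_to_port = {}  # HID instance id -> port, learned from the "input:" line's sysfs path
    for line in text.splitlines():
        m = NEW_RE.search(line)
        if m:
            port, vid, pid = m.groups()
            devices[port] = {"port": port, "vendor": vid, "product_id": pid,
                             "product": "", "interfaces": set()}
            continue
        m = PROD_RE.search(line)
        if m and m.group(1) in devices:
            devices[m.group(1)]["product"] = m.group(2).strip()
            continue
        m = STOR_RE.search(line)
        if m and m.group(1) in devices:
            devices[m.group(1)]["interfaces"].add("mass-storage")
            continue
        m = INPUT_RE.search(line)
        if m:
            hid_to_port[m.group(2)] = m.group(1)
            continue
        m = HID_RE.search(line)
        if m and m.group(1) in hid_to_port:
            port = hid_to_port[m.group(1)]
            if port in devices:
                devices[port]["interfaces"].add(m.group(2).lower())  # keyboard, mouse, ...
    return devices


def find_suspicious(text):
    """Devices exposing both a keyboard and a mass-storage interface on one port."""
    return [d for d in parse_usb_events(text).values()
            if {"keyboard", "mass-storage"} <= d["interfaces"]]


if __name__ == "__main__":
    for d in find_suspicious(SAMPLE_DMESG):
        print("port %s: %s (%s:%s) registers %s" % (
            d["port"], d["product"], d["vendor"], d["product_id"], sorted(d["interfaces"])))
```

Run against a live `dmesg` feed this reports the "Flash Drive" on port 1-2 and stays quiet about the card reader. The same interface-combination test is what a USB allow-listing daemon enforces before the device is allowed to bind at all, which is the stronger control; the log check is the cheap after-the-fact version.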


Resources

Ilascu, I. (2018, August 20). USBHarpoon is a BadUSB attack with a twist. Retrieved from https://www.bleepingcomputer.com/news/security/usbharpoon-is-a-badusb-attack-with-a-twist/

Threat Brief. (2018, August 21). USBHarpoon is a BadUSB attack with a twist. Retrieved from https://threatbrief.com/usbharpoon-is-a-badusb-attack-with-a-twist/

Yiu, V. (2018). USBHarpoon. Retrieved from https://vincentyiu.co.uk/usbharpoon/

Monday, September 10, 2018

Yet more malware for the Android!

Overall, there are two primary smartphone forms: the iPhone and Android. Of the two, Android phones have been targeted at a much greater rate. Yet another example of this targeting has recently been noted. This new Android malware is termed MysteryBot.
Targeted
In this case, the targets were Android 7.x and 8.x (Nougat and Oreo). The malware tricks the user into installing it by pretending to be Adobe Flash Player. The method by which the payload is loaded onto the device has yet to be published.
Function
MysteryBot is still in the process of being developed. It has been detected in the wild, but not widely experienced. This malware sample is related to a previously noted and successful malware, LokiBot.
MysteryBot works as a banking trojan, keylogger, and mobile ransomware, all in one malware package. Unfortunately, these are far from all of the functions present.
MysteryBot was coded to send data back to the same command & control (C&C) server as the LokiBot malware. This, among other attributes, indicates these are from the same malware creators.
For this malware, the nuance in the banking trojan was creative. On the targeted and compromised device, the unknowing user sees their “screen”, which is actually an overlay placed there by the malware application. The malware monitors activity, waiting for the user to try to log into their bank, and the screen presented mimics the user’s bank login screen. In earlier versions, the malware did not work exceptionally well. MysteryBot improved on this, showing learning from prior code errors. With this version, the overlay screens are presented at the appropriate time. This is done by manipulating the Android PACKAGE_USAGE_STATS permission, which is available through the Accessibility Service/Usage Access. The factor that makes this work so well is that the user grants the permission.
The nuance goes beyond this. The keylogger’s unique feature is that it records the location where the user touched the screen. The malware attempts to guess what the user is typing based on this location, using the FLAG_SECURE setting. Although new, this is still under development.
This also has a ransomware component, coded to lock the user’s files or external storage. It does not encrypt the files but locks them: the files, directories, and subdirectories are placed in a password-protected ZIP archive. This malware module was not coded well. The ZIP archive password is only eight characters long. The password and infected device ID are then forwarded to a remote control panel (Myster_Locker). The ID number is between 0 and 9999, and there is no verification against pre-existing IDs. Once the files are locked, MysteryBot displays a message to the user stating that the device is blocked because it accessed pornographic videos.
To unlock the device, the user is directed to an email address in Russia. To make matters worse, the malware is able to access the user’s phonebook details, copy text messages, manage call forwarding, and delete contact details from the device. Worse still, the malware may make or stop phone calls; copy, delete, and send SMS messages; access and steal emails; and allow unauthorized remote access.
Removal
All is not lost. To remove this, the user needs to boot the device in safe mode, install Reimage or Anti-malware, and run a full system scan.
Looking Forward
As noted, the malware enters the user’s system through what they believe is Adobe Flash Player. Moving forward and learning from others’ mistakes, users should install applications only from trusted developers, not install applications requiring admin rights or other rights which are not necessary, read the T&C if possible, and read other users’ reviews.
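The advice to refuse unnecessary rights can be made concrete: the permission set an app asks for tells most of the story before it is ever installed. As an added example (not code from the original post or from any of the MysteryBot reports it cites), here is a small permission triage over an app’s AndroidManifest.xml that weights the rights the post describes (usage access and overlay for fake login screens, accessibility binding, device admin, SMS, contacts, calls) and calls out the combinations that characterise a banking trojan. Both manifests, the weights and the thresholds are constructed for the example; only the permission names are real Android identifiers.

```python
"""Added example (not from the original post or the MysteryBot reports it
cites): permission triage over a constructed AndroidManifest.xml. Both
manifests, the weights and the verdict thresholds are this example's own."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest: calls itself a Flash Player update, asks for the lot.
SUSPECT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application android:label="Adobe Flash Player">
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary app, for comparison.
BENIGN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application android:label="Weather"/>
</manifest>
"""

# Weights are this example's judgement, not an Android or vendor standard.
WEIGHTS = {
    "android.permission.PACKAGE_USAGE_STATS": 3,        # time overlays to the foreground app
    "android.permission.SYSTEM_ALERT_WINDOW": 3,        # draw over other apps
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 3, # read and act on other apps' UI
    "android.permission.BIND_DEVICE_ADMIN": 3,          # lock device, resist uninstall
    "android.permission.READ_SMS": 2,
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.SEND_SMS": 2,
    "android.permission.CALL_PHONE": 2,
    "android.permission.READ_CALL_LOG": 2,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.WRITE_CONTACTS": 1,
    "android.permission.WRITE_EXTERNAL_STORAGE": 1,
    "android.permission.RECORD_AUDIO": 1,
}
OVERLAY = {"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.PACKAGE_USAGE_STATS"}
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def extract_permissions(root):
    """uses-permission names plus the permissions guarding declared services/receivers."""
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    for tag in ("service", "receiver"):
        for el in root.iter(tag):
            perms.add(el.get(ANDROID_NS + "permission"))
    perms.discard(None)
    return perms


def assess(manifest_xml):
    """Score a manifest; returns {'label', 'score', 'verdict', 'findings'}."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    perms = extract_permissions(root)
    score = sum(WEIGHTS.get(p, 0) for p in perms)
    findings = [p for p in sorted(perms) if p in WEIGHTS]
    if perms & OVERLAY and perms & SMS:
        findings.append("pattern: screen overlay combined with SMS access")
    if perms & OVERLAY and A11Y in perms:
        findings.append("pattern: screen overlay combined with accessibility service")
    verdict = "high" if score >= 8 else "medium" if score >= 4 else "low"
    return {"label": label, "score": score, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for xml_text in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        r = assess(xml_text)
        print("%s: score %d, verdict %s" % (r["label"], r["score"], r["verdict"]))
        for f in r["findings"]:
            print("  -", f)
```

The manifest is obtained from the APK itself (the binary XML has to be decoded first, which is outside this example); the point is that an app labelled as a media plugin asking for usage access, an overlay window, an accessibility service, device admin and SMS has no benign explanation, and the combination patterns matter more than any one permission.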


Resources
Cimpanu, C. (2018, June 14). New MysteryBot Android malware packs a banking trojan, keylogger, and ransomware. Retrieved from https://www.bleepingcomputer.com/news/security/new-mysterybot-android-malware-packs-a-banking-trojan-keylogger-and-ransomware/

Chakraborty, S. (2018, June 18). MysteryBot Android malware combines banking trojan, ransomware, and keylogger. Retrieved from https://gadgets.ndtv.com/apps/news/mysterybot-android-malware-banking-trojan-ransomware-keylogger-1869351

Hall, G. E. (2018, June 19). MysteryBot virus: How to remove? Retrieved from https://www.2-spyware.com/remove-mysterybot-virus.html

Hashim, A. (2018, June 17). Android MysteryBot banking malware is worse than LokiBot. Retrieved from https://latesthackingnews.com/2018/06/17/android-mysterybot-banking-malware-is-worse-than-lokibot/

Lilly, P. (2018, June 15). MysteryBot Android malware fuses keylogger, ransomware, and banking trojan into toxic hellstew. Retrieved from https://hothardware.com/news/mysterybot-android-malware-fuses-keylogger-ransomware-banking-trojan

Lorenz, N. (2018, June 15). MysteryBot: The Android malware that’s keylogger, ransomware, and trojan. Retrieved from https://blog.avira.como/mysterybot-the-android-malware-thats-keylogger-ransomware-and-trojan/

Palmer, D. (2018, June 15). This new Android malware delivers banking trojan, keylogger and ransomware. Retrieved from https://www.zdnet.com/article/this-new-android-malware-delivers-banking-trojan-keylogger-and-ransomware/

Sachdeva, A. (2018, June 18). MysteryBot Android malware combines keylogger, ransomware, and banking trojan. Retrieved from https://fossbytes.com/mysterybot-android-malware/