Operation Shady RAT

Score another big one for the good guys!  Even if they are a little late to the scene to save the maiden or slay the dragon…  I guess we have to score a whole bunch for the bad guys too, since they ran this scam successfully for so long…

Security vendor McAfee published a report on Tuesday about a hacking group that managed to penetrate 72 global companies, governments and non-profit organizations in 14 countries since 2006.  This massive operation stole national secrets, business plans and other sensitive information.  McAfee discovered the intrusions after gaining access to a command-and-control server that collected data from the compromised computers.  Over the past 5 to 6 years there has been a “historically unprecedented transfer of wealth” due to the operation it has named “Shady RAT”.

The attackers gained access to computers by sending targeted e-mails to individuals within the organizations containing an exploit that downloads malicious software and communicates with the command-and-control server to exfiltrate data and further infect their networks.  The data stolen consists of everything from classified information on government networks, source code, e-mail archives, exploration details for new oil and gas field auctions, legal contracts, SCADA (supervisory control and data acquisition) configurations, design schematics and more.  They were not too selective regarding the data that they gathered.  McAfee declined to name all of the organizations affected, but did name the International Olympic Committee (IOC), the World Anti-Doping Agency, the United Nations and the ASEAN (Association of Southeast Asian Nations) Secretariat.  Those organizations were of little economic interest to hackers, which adds to the speculation of nation-state involvement.

In 2006, eight organizations were attacked, but by 2007 that number increased to 29, according to the report.  The number of victimized organizations peaked at 38 in 2009.  The duration of the compromises ranged from less than a month to more than two years in the case of an attack on an Asian Olympic committee.

So, should the average business, large, medium or small sized, be worrying about malware and the APT threat?  Oh, only if secrets, business plans and sensitive information matter to you, you bet your assets!  This cruft is going mainstream, this type of code is available, and coming soon to a PC near you.

Recent Attacks Due To Common Vulnerabilities

The most recent and brazen security breaches and attacks at the CIA, US Senate, IMF and elsewhere have shown me one thing.  There has been a substantial amount of complacency in the Information Technology and Security fields.  There have been many reasons for skating by; budgets are tight, economy’s bad, no time, no resources, no training…  Businesses large and small have opted to do the bare minimum required by law or industry, expecting that to be enough to keep them out of the press.  I have said it before, and I will say it again, although saying it before has cost me at least one job.

Regulatory Compliance DOES NOT equal Security!!

If you are in the business of securing data that your customers have entrusted you with, and are of the mind that you only need to do what is mandated by Visa, Mastercard, PCI, Policy, or some other established standard on a subset of systems that are directly involved with the sensitive data, you are mistaken, and can expect to spend some time in the media shortly.  In an age where attackers are getting organized, popping up like mushrooms, where the greater challenge no longer appears to be breaking in or getting away with it, but finding enough space to post your 300,000 customer records as evidence of your success, you need to have a solid and enterprise encompassing STRATEGY.

Online attacks have taken on a targeted tone, whether to make quick money, prove a political point, or infiltrate high value and supposedly highly secure systems.  We have been arrogant and comfortable for far, far too long, thinking things were unbreakable, that our monitoring would be enough of a deterrent.  The systems and internetworks are just too complex, too many moving parts, too many variables, too many weak links in the chain.  We have all been lucky, swimming in the shark tank, and now it’s a feeding frenzy in the criminal underground.

A big part of the problem is that employees simply have too much access.  The best thing we can do to secure the enterprise is the same old stuff we’ve been talking about for years.  So what are you doing about these recent attacks?

Protect Your Banking Session

If you use your computer for online banking, you should seriously consider grabbing the free Rapport product from Trusteer.  Trusteer has partnered with just about 100 financial institutions, as well as PayPal and eBay, to bring you a special tool that ensures your transactions are confidential and correct.  Rapport is a specialized security product for Windows and Mac targeting financial malware.  It is not a “conventional” anti-virus product; it works alongside your A/V, securing the communications between the user and Rapport-protected web sites, defeating keyloggers and other common banking malware.

If you haven’t received an invitation from your bank to download and install Rapport, expect one soon.  Ensure that you download it from a REAL bank, or from Trusteer’s website.  Also, it’s a good idea to install it on a clean computer.  I would back up my data files and install my operating system, patches, and security tools fresh, if I wanted to be certain that my system was protected from malware.  Several Canadian banks have already adopted Rapport, and links to the end-user installs are present on their web sites.  Fraud costs banks A LOT of money, and those costs are passed to their customers, in part through fees and service charges.  If your bank doesn’t have this or a similar product in place, you might want to ask them why.

The secure browsing software solution works in the background and doesn’t require changes in user behavior.  Online banking and use of the internet can continue as usual.  Rapport only pops up to provide alerts when potential threats are detected, and is otherwise transparent.  Rapport combats malware with 2 layers of defense.  One layer attempts to prevent banking malware from infecting the computer.  It works outside of the browser and looks for typical malware installer behavior.  Since many of these banking malware agents are built from a small number of special kits, they will exhibit common characteristics, code-base, and behaviors.  It is not impossible to bypass this layer of protection, so the second layer backs it up.

The second layer of defense assumes that the system IS already infected, and protects the communications between the user and the bank from the malware’s interception and manipulation attempts from inside the browser.  It will block the behaviors typical of financial malware, for example, feeding junk characters to a keylogger, interfering with screen captures, and avoiding password capture.  All data in the Rapport monitored session is encrypted, from the keyboard to the bank.  Rapport also ensures that the address of the bank is correct, to protect against spoofing and phishing attacks.  If you type your bank username into a site other than your bank’s site, you will be warned.

I have had Rapport installed on several systems, have never had a problem with it, and I have used it with a variety of operating systems, browsers, and security products.  No conflicts, no errors, no problems.  This is a FREE product (that your bank is subsidizing).  Get it, use it, love it, forget it.  Until it saves your butt!

Participating Canadian Banks:

A complete list of banks worldwide using this technology is available here: http://www.trusteer.com/solutions/financial-institutions-0

IMF Network Breached

The New York Times reports that the International Monetary Fund (IMF) has been hit with “a large and sophisticated cyberattack whose dimensions are still unknown.”  The IMF manages financial crises around the world, and is a repository of highly confidential information about the fiscal condition of many nations.  Its staff and board of directors were advised about the attack on Wednesday, but it did not make a public announcement.

Several senior officials said it was both sophisticated and “a very major breach”.  The compromise appears to have occurred several months ago.  Because the fund has been at the center of economic bailout programs for Portugal, Greece and Ireland, and possesses sensitive data on other countries on the brink of crisis, its database contains potentially market-changing information.  It also includes communications with national leaders as they negotiate behind the scenes.  It remains unclear precisely what information was accessed.  The World Bank, an international agency focused on economic development, cut the computer link that allows the two institutions to share information.  The drastic containment step was taken out of “an abundance of caution” until the severity and nature of the attack are understood.  The World Bank has since resumed its normal operations and says it has seen no evidence of any attacks.

No information is available regarding the origins of the attack, a delicate subject because most nations are members of the fund.  The attacks may have been enabled through “spear phishing,” where specific people are researched and targeted through emails and social engineering, fooled into clicking on a malicious link or running a program that provides access to the network.  It is also possible that the attack was less specific, a case in which an intruder was testing the system to see what could be attacked, or a random lucky malware infection.

Beware “MS-Update” Fake AV

Sophos is reporting that Fake AV distributors are ramping up efforts to deploy their malicious wares by closely imitating the Microsoft Update site in a bid to take advantage of the monthly patch cycle.  Be very wary of any alerts that pop up in your web browser.  You should only trust security alerts in your browser if you initiated a check with Microsoft, Adobe, Sophos or any other vendor for updates to their software.

In this particular attack, victims are being told to install the fake updates urgently, with attackers claiming that “This installation is essential for the normal work of your system. Critical update is needed.”  Here is a message enticing users to download the Fake AV and infect their machine, errors and all:

“After the download, this tool is run only once checking your whole system for infection. It removes any infection found, any specific, prevalent malicious programs such as Blaster, Sasser and Mydoom. When an infection is found this tool displays a status report with the next computer start. This tool is necessary for you computer to make your system being protected from hi-jacking and its download is crucial if you value your personal data and your privacy.”

Victims tricked into downloading this Fake AV will end up infecting their computers with a potential array of malicious programs.

Citi Bank Breach Affects 200k Customers

A little late, but the interviews have kept me busy.  Citigroup has acknowledged that a computer breach may have given hackers access to hundreds of thousands of bank card customers’ data.  The US bank revealed details of the breach on Wednesday, discovered in early May through routine monitoring.  The breach occurred at Citi Account Online, used by its customers to manage their cards, compromising the names, account numbers and contact information of some 200,000 customers.

The bank did not reveal how the intrusion occurred, but says that it “has implemented enhanced procedures to prevent a recurrence of this type of event”, has contacted law enforcement and tightened its fraud detection procedures.  It remains unclear whether any customers reported suspicious transactions.  Citi Bank is reaching out to customers, warning them about the possibility of being targeted with spear phishing emails and downloading banking Trojans and other malware.

As a result of this and other recent breaches, major US banks are coming under increasing pressure from regulators to improve the security of customer accounts.  While Citigroup insisted the breach had been limited, many are calling it the largest direct attack on a major US financial institution, and say that it could prompt an overhaul of the banking industry’s data security measures.

The Federal Deposit Insurance Corp, the nation’s primary regulator, is preparing new measures on data security.  Its chairman Sheila Bair said on Thursday she may ask “some banks to strengthen their authentication when a customer logs onto online accounts.”

Sophos 2011 Security Threat Report

Sophos’ threat experts see 30,000 new malicious URLs each day.

70% of these sites are legitimate websites that have been compromised.

Their 2011 Security Threat Report has been released detailing the battle against malware.

It describes the significant threats of 2010, what to watch for in 2011, and more importantly, what you need to do to get ahead of the threats.

  • One of the more persistent threats of the year was fake anti-virus, also commonly known as “scareware” or “rogueware.”  In this widespread practice, software is introduced into a victim’s computer system, through an interface closely resembling—and in some cases directly impersonating—genuine security solutions.   Criminals are using this ploy to drain bank accounts and completely take over identities.
  • The search engine is our gateway to the web, and crooks are skilled at manipulating search results from the popular engines such as Google, Bing and Yahoo! to lure victims to their malicious pages.  These pages host security risks and browser exploits just waiting to infect users who are directed to these sites.  There’s also the abuse of legitimate search engine optimization (SEO) techniques.  Legitimate SEO techniques are regularly used as marketing tools, but when SEO is abused by the bad guys, and supplemented by more devious methods, it’s known as “SEO poisoning”.  With SEO poisoning, search engine results are poisoned to drive user traffic to the rogue site.  Google reported that up to 1.3% of their search results are infected.  You’re directed to a bad page through a poisoned search.  Once a victim is lured to the desired webpage, they’re redirected to a rogue or compromised site.  On these sites, criminals infect users’ machines with malware or push fake goods and services while attempting to steal personal information.
  • Facebook recorded half a billion active users, making it not only the largest social networking site, but also one of the most popular destinations on the web.  Young people are less likely to use email, and more apt to communicate through Facebook, Twitter or other social sites.  Unsurprisingly, scammers and malware purveyors targeted this massive and committed user base, with a diverse and steadily growing range of attacks throughout 2010.  One of the more common types of attack hitting Facebook users is “clickjacking.”  These attacks use maliciously created pages where the true function of a button is concealed beneath an opaque layer showing something entirely different.  Often sharing or “liking” the content in question sends the attack out to contacts through newsfeeds and status updates, propagating the scam.

Other areas that are assessed and reported on are passwords, and spam.  It’s a good report, well worth the read.

Spoofed LinkedIn Invite = Malware

According to M86 Labs, malware scammers are targeting LinkedIn users with legitimate-looking messages that appear to come from the social networking site:

The scammers have used the actual LinkedIn email template and modified it to suit their needs, changing the link behind the confirmation button.  Simply hovering the mouse over the button reveals that the destination URL is not on LinkedIn, but on salesforceappi.com (not to be confused with the legitimate salesforceapi.com domain).

For those unfortunate users who follow the link, the “BlackHole” exploit kit at the destination server tries to exploit a number of vulnerabilities in order to load up malware.  The bulk of the successful exploits appear to exploit Java and PDF reader vulnerabilities.

Lessons learned from this attack campaign: don’t click that link, even if it looks familiar!  Instead, open up your own browser window and visit the site yourself.  Legitimate invites will be present in your LinkedIn inbox.  Also, keep your software up to date!  One vulnerability is all that the bad guys need.  Once you have been had, it is difficult to undo the damage.

Beware Email Frauds

The FBI is warning against common “News of The Moment” scams, where hot topics are abused to spread malware.  This sort of attack will often use cross site scripting (XSS), which allows an attacker to execute code on the target website within a user’s browser using crafted values in the target site’s URL, web forms, or in cases where sites allow users to place material directly in posted content.  These scams are not likely to go away anytime soon, and are increasing in their sophistication and cleverness.

Recently, social networking site users have fallen victim to “self” infecting XSS attacks where they actually perform the attack themselves by following directions to view the latest Osama bin Laden video.  Before users can view the video, they must complete a “5 second security check.”  Instructions to follow a few keyboard shortcuts allow users to cut and paste malicious code directly into their browser’s URL without any indications it is a viral scam.

They are also warning on scams misrepresenting the Financial Crimes Enforcement Network of The United States Department of the Treasury.  Perpetrators will commonly use the names of various government agencies or officials to legitimize their scams.  Most recently, there have been several complaints in which victims reported receiving an e-mail or phone call claiming to be from the U.S. Department of the Treasury stating their lost funds, which were stolen and diverted to a foreign account registered in their name, have been recovered.  The e-mail advised them to cease all money transactions, especially overseas, and to respond to the e-mail so the lost funds could be returned.

The e-mail further stated the US government is making adequate arrangements to ensure outstanding beneficiaries receive their funds.  The e-mail is signed by James H. Freis, Deputy Director of the Financial Crimes Enforcement Network, and requires victims to provide personally identifiable information that could potentially result in identity theft.

The U.S. Department of the Treasury posted a scam alert on their website on April 13, 2011, stating they do not send unsolicited requests, do not seek personal or financial information from members of the public by e-mail, and recommend that recipients do not respond to these messages. The alert further provides links for victims to report solicitations claiming to be from the U.S. Treasury.

Beware: NACHA Spam Scam

NACHA manages the development, administration, and governance of the ACH (Automated Clearing House) Network, the backbone for the electronic movement of money and data.  The ACH Network provides direct consumer, business, and government payments, facilitating billions of payments annually, such as Direct Deposit and Direct Payment.  As a not-for-profit association, NACHA represents nearly 11,000 financial institutions via 17 regional payments associations and direct membership.

NACHA continues to be spoofed in sustained and evolving phishing attacks in which consumers and businesses are receiving emails that appear to come from NACHA.  The attacks are occurring with greater frequency and increasing sophistication.  Perpetrators may also be exploiting email addresses recently stolen from Epsilon.  Remain vigilant, and do not fall prey to these scammers.

The email that I received appears in the following form:

These fraudulent emails typically make reference to an ACH transfer, payment, or transaction and contain a link or attachment that infects the computer with malicious code when clicked on by the email recipient.  The contents of these fraudulent emails vary, with more recent examples including a counterfeit NACHA logo (the above sample shows a logo placeholder) and the citation of NACHA’s physical mailing address and telephone number.  The link in my sample was obfuscated using a URL shortening service to hide its actual destination.

NACHA itself does not process nor touch the ACH transactions that flow to and from organizations and financial institutions. NACHA does not send communications to persons or organizations about individual ACH transactions that they originate or receive.

Do not open attachments or follow Web links in these or other unsolicited emails from unknown parties or from parties with whom you do not normally communicate, or that appear to be known but are suspicious or otherwise unusual.  Forward suspected fraudulent emails appearing to come from NACHA to abuse@nacha.org to aid in their efforts with security experts and law enforcement officials to pursue the perpetrators.

If you did click on the link or open an attachment from a similar email, or malicious code is detected or suspected on a computer, consult with a computer security or anti-virus specialist to remove the malicious code or re-install a clean image of the computer system.  To protect yourself, always use anti-virus software and ensure that the virus signatures are automatically updated frequently.  Ensure that the computer operating systems and common software application security patches are installed and current.
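The two manual checks described in the LinkedIn and NACHA posts above (hover over the button and see whether the link really goes to the claimed site, and distrust a link hidden behind a URL shortener) can be automated over an HTML mail body.  The script below is an added example, not code from the original posts, M86 Labs or NACHA; the sample mails are constructed, and the known-good domain set and shortener list are assumptions rather than complete lists.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for the example: domains the lures impersonate, and a partial list
# of URL-shortening services.
KNOWN_GOOD = {"linkedin.com", "salesforceapi.com", "nacha.org"}
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "ow.ly", "t.co"}

def registrable(host: str) -> str:
    """'www.mail.example.com' -> 'example.com' (naive: keeps the last two labels)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 edits from a known domain is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in the mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def check_links(html: str, claimed: str) -> list:
    """Return (link text, href, reason) for each link that should not be clicked;
    `claimed` is the domain the mail pretends to come from (e.g. 'linkedin.com')."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = registrable(urlparse(href).hostname or "")
        if host in SHORTENERS:                      # the NACHA lure's trick
            findings.append((text, href, "shortened URL hides the real destination"))
        elif host != claimed:                       # the LinkedIn lure's trick
            nearest = min(KNOWN_GOOD, key=lambda d: edit_distance(host, d))
            if 0 < edit_distance(host, nearest) <= 2:
                findings.append((text, href, f"lookalike of {nearest}"))
            else:
                findings.append((text, href, f"leaves {claimed}"))
    return findings

# Constructed samples modelled on the two lures described above (not real mail).
LINKEDIN_LURE = """<p>Jane Doe has indicated you are a friend.</p>
<a href="http://www.salesforceappi.com/confirm?id=1">Confirm that you know Jane</a>
<a href="https://www.linkedin.com/home">Go to LinkedIn</a>"""
NACHA_LURE = """<p>Your ACH transfer has been rejected.</p>
<a href="http://bit.ly/EXAMPLE">View transaction report</a>"""
```

Calling `check_links(LINKEDIN_LURE, "linkedin.com")` flags only the confirmation button as a lookalike of salesforceapi.com, and `check_links(NACHA_LURE, "nacha.org")` flags the shortened link.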