August 2016 was an overall interesting month for cyber security, with the annual conferences taking place in America, the Census providing some interesting lessons learnt and discussion, and the Olympics creating an interesting platform for malicious actors. In addition to this, the industry as a whole experienced a diverse range of new threats, breaches and success stories.
- Sophos have identified a trend where shortcut files (.LNK) have been used to hide ransomware downloaders. By using a shortcut file malicious actors are able to better mask malware by making the link appear benign. Users are reminded to always be wary of any links or attachments they receive in emails and, when in doubt, report it or seek a second opinion.
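A shortcut arriving as an email attachment is rarely legitimate, and the file name tells a mail gateway very little. The following added example (not from Sophos or the original article) identifies a shell link by the fixed header that the Windows .LNK format always carries, reads the LinkFlags field, and flags shortcuts that carry their own command-line arguments, which is how a shortcut is turned into a downloader. The sample headers are constructed inline for the demonstration; the assessment policy (quarantine versus review) is an assumption for illustration, not a published rule.

```python
import struct

# Fixed start of every Windows shell link (MS-SHLLINK ShellLinkHeader):
# HeaderSize = 0x0000004C followed by LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK 2.1.1) that matter for this check.
HAS_ARGUMENTS = 0x20   # the shortcut stores a command-line string
IS_UNICODE = 0x80      # string data is UTF-16 rather than ANSI


def is_lnk(data: bytes) -> bool:
    """Identify a shell link by content, not by file name or extension."""
    return len(data) >= HEADER_SIZE and data[:20] == LNK_MAGIC


def link_flags(data: bytes) -> int:
    """LinkFlags is the little-endian DWORD at offset 20 of the header."""
    return struct.unpack_from("<I", data, 20)[0]


def assess_attachment(name: str, data: bytes) -> dict:
    """Return a verdict for one attachment (assumed policy, for illustration).

    ok         - not a shortcut at all
    review     - a shortcut without embedded arguments
    quarantine - a shortcut that carries its own command line, or one whose
                 name hides that it is a shortcut
    """
    result = {
        "name": name,
        "is_lnk": False,
        "extension_mismatch": False,
        "has_arguments": False,
        "verdict": "ok",
    }
    if not is_lnk(data):
        return result
    result["is_lnk"] = True
    result["extension_mismatch"] = not name.lower().endswith(".lnk")
    result["has_arguments"] = bool(link_flags(data) & HAS_ARGUMENTS)
    if result["has_arguments"] or result["extension_mismatch"]:
        result["verdict"] = "quarantine"
    else:
        result["verdict"] = "review"
    return result


# Constructed sample headers (76 bytes each, all fields after LinkFlags zeroed).
# Real shortcuts are longer; only the header is needed for this check.
SAMPLE_LNK_WITH_ARGS = LNK_MAGIC + struct.pack("<I", HAS_ARGUMENTS | IS_UNICODE) + b"\x00" * 52
SAMPLE_LNK_PLAIN = LNK_MAGIC + struct.pack("<I", IS_UNICODE) + b"\x00" * 52
SAMPLE_PDF = b"%PDF-1.4\n%constructed sample, not a real document\n"


if __name__ == "__main__":
    for name, data in [
        ("Invoice_August.lnk", SAMPLE_LNK_WITH_ARGS),
        ("notes.lnk", SAMPLE_LNK_PLAIN),
        ("report.pdf", SAMPLE_PDF),
    ]:
        print(assess_attachment(name, data))
```

In a real gateway the same check should be applied to members of archive attachments, since shortcuts are usually delivered inside a zip; the header test does not change, only where the bytes come from.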
- US-based researcher Elie Bursztein presented his findings from a social experiment conducted at a US university, where a number of USBs containing ‘phone home’ capabilities were dropped. Surprisingly, 48% of the 297 USBs dropped were plugged into a computer and the phone home capabilities activated. When surveyed, the majority of people who activated the USBs claimed to have been trying to return the USB to its rightful owner. This study highlights the level of trust that people place in USB devices. Although the USBs used in the study were not actually malicious, it is important to always be wary of the origin of a USB device, especially if it has been found or is free.
- It is believed that the increase in attention created by the Olympics has resulted in an increase in banking malware in Brazil. This is a good reminder of how current events, both globally and domestically, can be used by malicious actors as a means to increase their chances of a successful social engineering attack.
- A new banking Trojan kit has been discovered being sold as a service under the name of Scylex. This is likely to fill the malware-as-a-service void created by the downfall of previously dominant trojans such as Zeus/SpyEye, Citadel and ZeroAccess. It is still unclear how operational or effective this new service is. However, if it is able to deliver on its promises it has the potential to wreak havoc on financial institutions.
- Accountancy software provider The Sage Group experienced an incident in which a user used valid internal credentials to access a number of sensitive customer files. Unfortunately, as this is still an ongoing investigation, the scale of the breach is uncertain; however, there have been reports of an arrest in relation to this breach resulting in fraud charges. This incident highlights the reality of the risk that insider threats can pose to an organisation.
- This month 20 US hotels were identified as being infected with Point-of-Sale malware designed to harvest credit card information. These attacks continue to highlight how all devices on a network need to be considered and assessed from a security standpoint. With malicious actors becoming more creative and aware of the weakest points of an organisation’s information systems, it is important to be aware of all hosts and their business importance within the scope of a network and to ensure that appropriate security and risk management controls are in place and adhered to.
Patches and Updates
- Microsoft Office patch MS16-099 resolved some issues that would allow remote code execution if a user opened a specially crafted document. These continue to be an issue, with common phishing emails claiming to be an invoice or a resume likely to make use of these exploits. Ensure these patches are deployed as soon as possible.
- In one of the most interesting security news events in recent history, tools from the notorious ‘Equation Group’, which has previously been attributed to being an NSA-backed threat actor, were put up for auction in an underground forum by an actor known as ‘The Shadow Brokers’. The Shadow Brokers initially floated the price of the tools at 1 million bitcoin (roughly 580 million USD), which naturally drew a lot of suspicion and skepticism as to the legitimacy of the claim. As time went on and samples of the tools up for auction were released as proof of concept, the reality of the situation began to set in, with a number of large companies validating the legitimacy of the tools and exploits and subsequently releasing urgent patches to resolve the issues. Some of the companies who have released updates and comments include:
– Cisco – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp
– FortiNet – http://fortiguard.com/advisory/FG-IR-16-023
– Juniper – https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10605&actp=search
- Project Sauron, also known as Strider, is a high-level modular cyber-espionage platform believed to be part of an Advanced Persistent Threat (APT) campaign that has been documented in some detail in the below link. This cyber-espionage platform has been found attacking high profile targets in Government, Finance, Military, Telecommunications, and Scientific Research.
- Brisbane City Council has lost $450,000 AUD in a sophisticated spear-phishing scam where scammers pretending to be a legitimate professional services provider used a series of fake invoices to defraud the Brisbane City Council of just over $450,000 AUD through 9 payments between the 13th of July and the 16th of August. Unfortunately the likelihood of recovering the funds is low, and law enforcement is currently pursuing the matter. Deloitte have also been engaged to conduct an investigation into the incident. Sadly this type of fraud is a constant threat and is most effective where financial payment controls and processes are less stringent or existing processes are being bypassed by staff. By ensuring that outgoing payments are peer reviewed and that duties are structurally separated, it is possible to better mitigate the risk of these scams being successful.