The ransomware threat continued to thrive in November, with new variants and payloads and even social media being used as a delivery platform. A vulnerability in routers supplied by a German ISP caused havoc in late November, with almost 1 million users knocked offline as the result of a surge in Mirai worm activity. Social engineering was back in the spotlight as the hospitality industry was targeted through customer service channels in order to compromise payment systems. Data breaches also got their share of coverage in November, with credit card information stolen and the insider threat re-emerging to create headaches.
- The ransomware threat continues to bother internet users, with a new Locky variant using the .zzzzz extension. This variant was first seen in late November and is delivered through Office documents (mainly .xls and .docm) containing an encrypted .dll payload, which is decrypted, dropped into the user's /temp/ directory and executed by rundll32. This differs from earlier variants of the ransomware, which typically used macro-embedded documents to retrieve the payload from the internet before executing it. The threat can be better mitigated by ensuring that AV is up to date and, where possible, that controls are in place to stop the execution of files from the /temp/ directory. Further, as most of these new variants are delivered by emails from spoofed addresses, this is a reminder to review your domains' and email servers' SPF records and policies.
- November saw the return of social media messaging being used to compromise users through malicious image attachments carrying ransomware. Dubbed ‘ImageGate’ by researchers at Check Point, the attack uses Facebook and LinkedIn messaging to spam and compromise users with Locky ransomware at scale. It leverages the trust users place in their social media friends and contacts to lure them into clicking on seemingly harmless files. The issue has since been patched; however, it serves as a reminder to always think before you click and, when in doubt, ask.
- Social engineering attacks leverage a user's trust in order to get them to perform an action that harms them. These attacks range from simple phishing campaigns looking for easy money or passwords to complex multi-stage operations that aim to compromise internal networks for the theft of sensitive information or for destruction. One recent example of a complex social engineering operation was identified in November, where actors possibly related to the Carbanak gang targeted a number of hospitality companies in order to compromise payment systems and steal credit card information. The attacks centred on customer service call centres: attackers would claim to have trouble accessing online services, then email the customer service staff messages containing malicious attachments and persist until an employee opened the attachment and downloaded the malware. This attack is a reminder to businesses to understand which of their externally facing teams accept unvetted contact from the public (service desks, HR, finance, legal, reception etc.) and could be vulnerable to this sort of approach.
- On Friday the 25th of November, SFMTA's Municipal Railway was infected by Mamba ransomware. “Computer screens at MUNI stations displayed a message: ‘You Hacked, ALL Data Encrypted. Contact For Key(firstname.lastname@example.org)ID:681 ,Enter.’ MUNI Spokesman Paul Rose spoke to the Examiner and noted that his agency was ‘working to resolve the situation,’ but refused to provide additional details.”
- In the last week of November, a large number of Deutsche Telekom customers had their routers infected with a computer worm that takes full control of the device. Once the worm has control, the router is joined to a network of other compromised routers and IoT (Internet of Things) devices for use in a botnet. These botnets are used mainly for DoS (denial of service) attacks against public-facing websites and other infrastructure. “More than 900,000 customers of German ISP Deutsche Telekom (DT) were knocked offline this week after their Internet routers got infected by a new variant of a computer worm known as Mirai.”
- The Madison Square Garden Company has announced that hackers spent up to a year harvesting the credit card details of potentially millions of visitors through a compromised payment processing system. Although the exact number of affected cards is unknown, cards used to buy merchandise, food and drinks between November 9, 2015 and October 24, 2016 may have been affected. The incident was identified by banks noticing a pattern of fraudulent transactions on cards that had been used at MSG venues. Once MSG was informed, an investigation of the network revealed that unauthorised third parties had accessed the payment processing systems.
- UK network operator ‘Three’ experienced a suspected insider threat attack in which three people were arrested after accessing a database containing customers' phone upgrade information in order to intercept the delivery of new handsets.
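The Locky .zzzzz delivery chain in the first item above (an encrypted DLL dropped into the user's temp directory and run by rundll32) lends itself to a process-creation detection. The following is an added example, not code from the original post: it scores constructed Sysmon-style process-creation events, flagging rundll32 when its DLL argument lives in a temp path or when an Office application is the parent. The event fields, paths, user names and parent-process list are all assumptions.

```python
"""Flag rundll32 launching a DLL out of a temp directory, the execution step
of the Locky .zzzzz chain described above. Added example, not code from the
original post: the events below are constructed to resemble Sysmon Event ID 1
(process creation) records, and every path, user and field name is invented."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Office applications that typically spawn the dropper (assumed list for illustration).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# A .dll argument whose path runs through a temp directory, matched case-insensitively.
TEMP_DLL_RE = re.compile(
    r"""(?ix)
    (?: \\temp\\ | /temp/ | \\appdata\\local\\temp\\ )   # temp directory segment
    [^\s"]*? \.dll \b                                    # ... ending in a .dll file name
    """
)


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process
    user: str           # account that launched it


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def score_event(ev: ProcessEvent) -> Tuple[int, List[str]]:
    """Return (score, reasons). Only rundll32 launches are scored; a score of 2 or
    more (rundll32 plus a temp-path DLL or an Office parent) is treated as an alert."""
    if _basename(ev.image) != "rundll32.exe":
        return 0, []
    reasons = ["rundll32 launched"]
    if TEMP_DLL_RE.search(ev.command_line):
        reasons.append("DLL argument lives in a temp directory")
    parent = _basename(ev.parent_image)
    if parent in OFFICE_PARENTS:
        reasons.append(f"spawned by Office application {parent}")
    return len(reasons), reasons


def find_alerts(events: List[ProcessEvent]) -> List[Tuple[ProcessEvent, List[str]]]:
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= 2:
            alerts.append((ev, reasons))
    return alerts


# Constructed sample telemetry: one Locky-style launch, one benign rundll32 use,
# one unrelated process and one suspicious launch without an Office parent.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Users\alice\AppData\Local\Temp\xq81.dll,qwerty",
                 r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE", r"CORP\alice"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
                 r"C:\Windows\explorer.exe", r"CORP\alice"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt",
                 r"C:\Windows\explorer.exe", r"CORP\bob"),
    ProcessEvent(r"C:\Windows\SysWOW64\rundll32.exe",
                 r"rundll32.exe C:\Users\bob\AppData\Local\Temp\update.dll,start",
                 r"C:\Windows\System32\cmd.exe", r"CORP\bob"),
]

if __name__ == "__main__":
    for ev, reasons in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT user={ev.user} cmd={ev.command_line!r}: {'; '.join(reasons)}")
```

Run as a script it prints the two constructed alerts. The benign shell32.dll launch scores only 1, which is why a rundll32 match on its own should not page anyone; in practice the threshold and the parent list would be tuned against the organisation's own telemetry.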
Patches and Updates
- There is a live, actively exploited 0-day vulnerability that Mozilla has just patched in Firefox. The vulnerability is CVE-2016-9079 and the patched version is 50.0.2.
- Microsoft has released an overview of the ransomware-related detection improvements that were implemented as part of the Windows 10 Anniversary Update.
- Software made by Shanghai ADUPS Technology has been siphoning text messages and call records from inexpensive Android smartphones and secretly sending the data to servers in China. ADUPS software is typically bundled with smartphones made by dozens of global wireless firms including ZTE, BLU and Huawei. Most of these devices are very cheap compared with leading handsets, partly because they carry on-screen advertisements.
- Big W has confirmed that it experienced a technical glitch in early November that resulted in customer details on its online store being pre-populated with other users' information. After investigating, Big W announced that no passwords, bank or credit card details were compromised and that it was notifying the affected users.
- WordPress recently found and patched a major vulnerability that, luckily, was not being actively exploited. A remote code execution flaw was found in an open-source PHP webhook on the WordPress update server, api.wordpress.org. The problem with the webhook was that it let developers supply their own hashing algorithm to verify that code updates are legitimate. “Given a weak enough hashing algorithm, attackers could brute-force attack the webhook with a number of guesses that wouldn't trigger WordPress's security systems. WordFence managed to come up with an algorithm that reduced the number of guesses at the hash value of the shared secret key from 400,000 to only 100,000, using randomly generated keys. That guessing would take only a few hours. With the door successfully battered down, attackers could then send URLs to the WordPress update servers, which would then push them out to all WordPress sites.”
- Deliveroo in the UK had a number of accounts hijacked and a number of fraudulent orders placed. Deliveroo stated that its application was not in fact to blame for the hijacking, claiming instead that the fraudulent transactions resulted from users reusing the same username and password across multiple services and that another company must have been breached to obtain the credentials.
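The WordPress webhook flaw quoted under Patches and Updates, a verifier that lets the sender pick the hash algorithm, is illustrated below as an added Python example that is not WordPress's own code: a weak verifier that honours whatever algorithm the request names, beside a hardened one that pins HMAC-SHA256 and compares in constant time. The header names, shared secret and payload are constructed for the example.

```python
"""Webhook verification: a sender-chosen hash algorithm beside a pinned HMAC.
Added example, not WordPress's own code. The header names, the shared secret
and the payload are constructed for illustration."""
import hashlib
import hmac
import json
from typing import Dict

SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"  # constructed value


def verify_weak(payload: bytes, headers: Dict[str, str]) -> bool:
    """Vulnerable pattern: the request names the hash function.

    hashlib.new() will use any algorithm the runtime supports, so the strength
    of the check rests on whatever the sender picks rather than on a choice the
    server controls; the == comparison is also not constant time."""
    algo = headers.get("X-Signature-Algo", "sha256")
    try:
        expected = hashlib.new(algo, SHARED_SECRET + payload).hexdigest()
    except ValueError:  # unknown algorithm name
        return False
    return expected == headers.get("X-Signature", "")


def sign(payload: bytes, secret: bytes = SHARED_SECRET) -> str:
    """What a legitimate sender computes: HMAC-SHA256 over the raw body."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def verify_pinned(payload: bytes, headers: Dict[str, str]) -> bool:
    """Hardened pattern: algorithm fixed server-side, keyed MAC, constant-time compare.
    Any attempt by the sender to negotiate the algorithm is refused outright."""
    if headers.get("X-Signature-Algo", "sha256").lower() != "sha256":
        return False
    provided = headers.get("X-Signature", "")
    return hmac.compare_digest(sign(payload).encode(), provided.encode())


# Constructed webhook body.
PAYLOAD = json.dumps({"event": "ping", "id": 1}).encode()


def demo() -> Dict[str, bool]:
    """Exercise both verifiers with a genuine request, a downgraded one and a tampered body."""
    genuine = {"X-Signature": sign(PAYLOAD)}
    # The sender asks for sha1 and supplies a value computed with it: the weak
    # verifier obliges, the pinned one refuses to negotiate at all.
    downgraded = {"X-Signature-Algo": "sha1",
                  "X-Signature": hashlib.sha1(SHARED_SECRET + PAYLOAD).hexdigest()}
    tampered = PAYLOAD.replace(b'"id": 1', b'"id": 2')
    return {
        "pinned_accepts_genuine": verify_pinned(PAYLOAD, genuine),
        "pinned_rejects_tampered": not verify_pinned(tampered, genuine),
        "weak_accepts_downgrade": verify_weak(PAYLOAD, downgraded),
        "pinned_rejects_downgrade": not verify_pinned(PAYLOAD, downgraded),
        "weak_rejects_unknown_algo": not verify_weak(PAYLOAD, {"X-Signature-Algo": "nope"}),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The design point is that the algorithm, like the secret, is server-side configuration: the moment a request can influence it, the guessing budget quoted above is set by the sender rather than by the operator, and a plain `==` on the digest adds a timing side channel on top.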