Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

GLOBAL Threat Intelligence Report AUGUST 2014


Executive Summary

Globally, August 2014 was much the same as the previous months. The norm today is to see large corporations admit that they have been hacked and have lost data, malware being released in the wild on a constant basis, and personal data being stolen and put up for sale on the darknet. This report covers the following stories, which can be seen as indicative of what is happening in the world today and which could affect your organization. These incidents should be treated as though they could happen in your environment, and any mitigations that would have prevented them should be implemented in your network.

This month’s global threat indicators are:

  • JP Morgan hacked and data manipulated
  • Traffic lights are easily hacked and manipulated
  • SONY was DDoS’d again
  • Hacking victims become targets of the federal government
  • CHS Medical loses patient data to an alleged APT attack
  • The Nuclear Regulatory Commission was hacked and data stolen by nation state actors
  • A study of Black POS and Backoff POS malware
  • Carbon Grabber hits EU auto makers
  • Poisoned Hurricane APT malware uses Hurricane Electric
  • Taiwan claims to be the testing ground for Chinese APT attacks

Global Threats

JP Morgan Hacked Allegedly by Russia

JP Morgan lost gigabytes of sensitive data during a mid-August cyberattack that also targeted other top U.S. banks, according to sources familiar with the investigation of the hacking. ~Gantdaily.com

http://online.wsj.com/articles/fbi-probes-possible-computer-hacking-incident-at-j-p-morgan-1409168480
http://gantdaily.com/2014/08/28/jp-morgan-loses-data-fbi-suspects-russians-behind-hacking/
http://arstechnica.com/security/2014/08/the-long-game-how-hackers-spent-months-pulling-bank-data-from-jpmorgan/

Analysis:

The attack was carried out by actors alleged to be from Russia, and there is talk of state sponsorship. As the investigation continues, little has been released about the malware (if any) that was used or the names of the possible players involved. However, if this attack was carried out by a nation state backed actor, it is a paradigm shift for the US and for corporations in general.
The purpose of this attack seems to have been to manipulate funds within the bank for certain accounts, rather than the criminal purposes common to hacking of this type. The attack was quiet and thorough, which speaks to nation state backing, and it may in fact be a message from Russia over US sanctions. This type of attack would open a new chapter in the hacking seen to date, in that a nation state would be able to manipulate the US markets through attacks on banking infrastructure.

Hacking Traffic Lights and Infrastructure

“Our attacks show that an adversary can control traffic infrastructure to cause disruption, degrade safety, or gain an unfair advantage,” writes the research team led by computer scientist J. Alex Halderman.
“With the appropriate hardware and a little effort, [a hacker] can execute a denial of service attack to cripple the flow of traffic in a city, cause congestion at intersections by modifying light timings, or even take control of the lights and give herself clear passage through intersections,” according to the researchers’ findings.
http://time.com/3146147/hacking-traffic-lights-is-apparently-really-easy/

Analysis:

While this type of attack has been portrayed in movies for quite some time, it is now a reality and a potential security nightmare for the country. Attacking infrastructure like the traffic systems could be a prelude to larger kinetic attacks on the country, or it could be localized to a specific target area. One has to consider that this is just one step in a larger direction toward attacks on infrastructure that could be used by terrorists or criminals for other purposes. Given that this hack was carried off by a small team with a nominal amount of capital, it should be a concern for the country.

Sony PSN DDoS and Lizard Squad

Sony was attacked with a DDoS (Distributed Denial of Service) that took their systems offline for hours. The attackers call themselves the “Lizard Squad” and to date they are still at large. The group was also able to obtain information about a Sony executive flying on a commercial airline, which they then used to phone in a bomb threat concerning that executive and flight.
http://www.forbes.com/sites/insertcoin/2014/08/27/fbi-hunted-hacking-group-continues-attacks-targets-twitch/

Analysis:

Lizard Squad generally seems to be a bunch of kids, and the real author of the DDoS on Sony was another actor altogether. FamedGod is another entity online who claims that he was the one who attacked Sony, and that he did so because they are still not secure even after they were hacked in 2013. FamedGod posted some information that seems to lend credence to his being behind this attack on Sony, and he does have a valid point about the continued insecurity of the Sony networks after their 2013 hack, which leaked user details including credit cards that Sony had improperly stored on their network.
In the final analysis, however, it is a truism that DDoS is not going away and can be aimed at any system at the whim of any kid with the money to pay for a botnet. This should be the real takeaway, and all corporations should have some mitigation in place to protect their online presence from DDoS.

Hacking Victims Become Federal Targets

What do you do if you’re a company that gets hacked, and the Federal Trade Commission treats you like a criminal? That was the quandary facing Wyndham Hotels after the FTC claimed a data security breach gave it the right to supervise the company’s IT department. Thus began the latest episode of the Obama Administration’s habit of using vague laws to justify regulatory schemes that Congress never intended. More than 40 companies have already acquiesced to the FTC’s data security overreach—often small companies without the means to fight—but Wyndham to its credit is pushing back.
http://online.wsj.com/articles/wsj-hacking-victims-become-federal-targets-1408318038

Analysis:

As hacking incidents within large corporations increase and get reported, it is likely that the government will look to sanction companies that are not in compliance with security best practices. In the Wyndham case, it seems that the FTC feels obliged to regulate the activities of the network and security teams at the hacked company in order to ensure that best practices are followed. This is of course a new and troubling occurrence, but not an unforeseen one as the government tries to regulate the security space.
This is a heads up for all companies that handle PII, PCI, or HIPAA data: should a compromise occur and lawsuits ensue, the government may want in as well on the remediation and oversight of the company’s security and operations.

CHS Hospital Systems Hacked and Leaked Patient Data

Community Health Systems, which operates 206 hospitals across the United States, announced on Monday that hackers recently broke into its computers and stole data on 4.5 million patients.

Hackers have gained access to their names, Social Security numbers, physical addresses, birthdays and telephone numbers. Anyone who received treatment from a physician’s office tied to a network-owned hospital in the last five years or was merely referred there by an outside doctor is affected.
http://money.cnn.com/2014/08/18/technology/security/hospital-chs-hack/

Malware signatures for what was used in CHS

Analysis:

While not much has been put out through the media, there are certain places where data has been released on the malware involved in this hack. The links below are for samples sent to malwr.com before they shut down. Both show the same type of malware, and the hashes match the family APT-18 was using.
https://malwr.com/analysis/Zjg2MDhkZjIyNDg4NDNhYTk0MTYzMWRhYjc2MTM3OTE/
https://malwr.com/analysis/Y2VlNDY0NmI3NjE0NDRiYjk1YmMxYTVkNjIyZjZlZGU/

Analysis:

The CHS hack has allegedly been pinned on a Chinese APT (Advanced Persistent Threat) known to the community as APT-18. However, the modus operandi of APT-18 does not fit well with what was stolen from CHS. Additionally, there is evidence that the CHS networks had many issues that allowed numerous other types of infections to be ongoing within its confines, giving hackers easy access. Instances of “Code Red” and other malware from many years ago have been seen beaconing from their IP space.
Whether or not the APT was involved, the networks there were in a poor state, specifically with regard to patching. As is common with medical networks, they are often not patched well because of the antiquated programs that run on them and prevent proper patching. Overall, the assessment here is that the network and its security practices were below best practice and thus allowed easy access to patient records, HIPAA regulations notwithstanding.

Nuclear Regulatory Commission Hacked

Nuclear Regulatory Commission computers within the past three years were successfully hacked by foreigners twice and also by an unidentifiable individual, according to an internal investigation. One incident involved emails sent to about 215 NRC employees in “a logon-credential harvesting attempt,” according to an inspector general report Nextgov obtained through an open-records request. The phishing emails baited personnel by asking them to verify their user accounts by clicking a link and logging in. The link really took victims to “a cloud-based Google spreadsheet.”
http://www.defenseone.com/technology/2014/08/foreign-government-agents-suspected-hacking-us-nuclear-regulator/91856/

Analysis:

The NRC hack is typical of the APT activity we have seen in the news over the last few years. In this case the NRC was phished with emails containing links to a Google Drive spreadsheet that infected their systems with malware. This is a common attack today and should be covered in any respectable security awareness program, but it is often still the key to hackers getting into systems. Had the users checked the links first, or thought better of logging into a site to verify an account, the compromise might not have happened at all.
All users should be aware of what phishing looks like and of the tactics phishers use to trick people into compromise. In this case the attacker is a nation state actor (likely China), which is par for the course today.

Crimeware

Backoff POS and BlackPOS

The “Backoff” POS (Point Of Sale) malware is a new version of skimming software that was used in a recent attack on the SuperValu grocery chain. This malware gets its name from the word “backoff” in the code. BlackPOS is another malware that was created by the Rescator/Lampeduza network for their attacks on Target and now Home Depot. It also gets its name from code snippets, and from the actual name used on the Russian hacking/carding boards that sell it and the data that has been stolen.
http://threatpost.com/secret-service-warns-1000-businesses-hit-by-backoff-pos-malware
https://www.us-cert.gov/ncas/alerts/TA14-212A

Analysis:

These types of malware are common to this type of crime today because in the US we do not have the “chip and pin” technology that would prevent this attack from succeeding. Both of these pieces of malware are bespoke to the crews that use them and attack the actual interfaces of the POS device. When a card is scanned by the POS, the malware scrapes the memory of the machine and captures the card number and the PIN during the transaction. It then sends that data to an aggregator (compromised machines within the network) for exfiltration to servers usually located in the Baltics.
Given that this type of attack has now leaked millions of cards (including a new Home Depot leak ongoing today), we can expect that retailers and banks in the US will soon be looking to upgrade the infrastructure here to a chip and pin system to stop this from happening. Banks in the US are already feeling the pinch from these attacks and are pushing behind the scenes for these changes.
Addendum: The FBI has reported that as many as 1000 companies may in fact be compromised with these types of malware and actively being used to steal credit and debit card data.

Carbon Grabber Hits Automotive Industry

Europe’s automotive supply chain is being targeted by a malware campaign connected to the increasingly popular Carbon Grabber crimeware kit, researchers at Symantec have warned. At first glance, what Symantec uncovered earlier this month when investigating a spam campaign spreading malicious attachments looks relatively innocuous, one of dozens of such incidents security firms pick up on in any given month.
The giveaway that there is more to this one is the unusual level of targeting, which aims more than half of all spam at the car rental, insurance, commercial transport, and second-hand commercial and agricultural vehicle sales sectors in Germany, The Netherlands, Italy and, to a lesser extent, the UK.
http://news.techworld.com/security/3539706/carbon-grabber-campaign-hunts-for-automotive-industry-logins/

Analysis:

Carbon Grabber is part of a larger supply chain attack and may be the work of a nation state actor. The initial attack gets the user to install software that in turn starts to mine data within their corporate network. Black Carbon then steals credentials and sends them to a C&C server. This attack is ongoing, and more may come from it in the near future. However, this is a common two-stage attack against companies in order to steal their secrets, with the primary attack coming from a phishing campaign. The novelty here is the use of spam campaigns with directed targeting (cars and rentals) to achieve their objectives.

APT Activities

Poisoned Hurricane

“We found that anyone could register for a free account with Hurricane Electric’s hosted DNS service. Via this service, anyone with an account was able to register a zone and create A records for the registered zone and point those A records to any IP address they so desired. The dangerous aspect of this service is that anyone was able to hijack legitimate domains such as adobe.com. Although these nameservers are not recursors and were not designed to be queried directly by end users, they were returning results if queried directly for domains that were configured via Hurricane Electric’s public DNS service.

Furthermore, Hurricane Electric did not check if zones created by their users had already been registered or were otherwise legitimately owned by other parties.” ~Fireeye
http://www.fireeye.com/blog/technical/targeted-attack/2014/08/operation-poisoned-hurricane.html

Analysis:

The use of Hurricane Electric’s loose network has long been a staple of malware and APT activity. The fact that anyone could use their permissive DNS service only added to the ability of malware campaigns to obfuscate their attacks and to exfiltrate data more easily. It is important, as a company or security group, to monitor your DNS traffic to ensure that you are not compromised and beaconing to bad actors, and thus losing your data.
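An added example (not part of the original report or of FireEye’s write-up) of the kind of DNS monitoring the analysis recommends: it walks constructed resolver log lines and flags queries that bypassed the approved internal resolver, plus answers for a watched zone (adobe.com, FireEye’s hijack example) that fall outside prefixes vetted in advance. The log format, the resolver address and the prefix list are assumptions for the sake of the example.

```python
import ipaddress

# Constructed sample DNS log (not from the report): ts client resolver qname rrtype answer
SAMPLE_LOG = """\
2014-08-12T10:01:03 10.0.5.21 10.0.0.53 intranet.corp.example A 10.0.9.4
2014-08-12T10:01:09 10.0.5.21 10.0.0.53 update.adobe.com A 192.0.2.17
2014-08-12T10:02:44 10.0.7.88 203.0.113.7 update.adobe.com A 203.0.113.50
2014-08-12T10:03:01 10.0.7.88 10.0.0.53 www.adobe.com A 203.0.113.51
"""

# Hypothetical policy: only the internal resolver is sanctioned, and watched
# zones must resolve into prefixes vetted in advance (RFC 5737 ranges here).
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53")}
EXPECTED_PREFIXES = {"adobe.com": [ipaddress.ip_network("192.0.2.0/24")]}

def parse_line(line):
    """Split one log line into a dict, or None if it is blank or malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    return {"resolver": ipaddress.ip_address(parts[2]), "qname": parts[3].lower().rstrip("."),
            "rrtype": parts[4], "answer": ipaddress.ip_address(parts[5])}

def matching_zone(qname):
    """Return the most specific watched zone that qname falls under, or None."""
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in EXPECTED_PREFIXES:
            return candidate
    return None

def check_record(rec):
    """Return (qname, reason) tuples for each policy violation in one record."""
    findings = []
    if rec["resolver"] not in APPROVED_RESOLVERS:
        findings.append((rec["qname"], "query bypassed the approved resolver"))
    zone = matching_zone(rec["qname"])
    if zone and rec["rrtype"] == "A" and not any(rec["answer"] in n for n in EXPECTED_PREFIXES[zone]):
        findings.append((rec["qname"], "A record outside expected prefixes for " + zone))
    return findings

def audit(log_text):
    # Check every line and return all findings in log order.
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            findings.extend(check_record(rec))
    return findings
```

Running `audit(SAMPLE_LOG)` yields three findings: the third line both bypassed the resolver and returned an out-of-range address, and the fourth line returned an out-of-range address through the sanctioned resolver, which is the hijack pattern the quote describes.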

Taiwan: Testing Ground for China’s APT

http://thediplomat.com/2014/08/taiwan-complains-of-severe-cyber-attacks-from-china/

Analysis:

Taiwan has made a claim that it is the testing ground for China’s APT activities. This would make sense from the standpoint that Taiwan is now under Chinese control (for the most part, though it is still called Free Taiwan by many). If this is indeed the case, then the malware and hacking techniques could possibly be seen being tested in Taiwan first, and thus be an intelligence boon for the US and other countries if we were able to see that traffic as it happens.

Editable DOC file for DOWNLOAD to use for your organization

Written by Krypt3ia

2014/09/11 at 21:25

Posted in Threat Intel

One Response


  1. These are really good. Please continue them. I get monthly reports from some vendors, but they are typically lacking in some regard.

    security412

    2014/09/12 at 02:39

