Hackers target financial firms hosting malicious payloads on Google Cloud Storage

Researchers at Menlo Labs uncovered a malicious email campaign targeting employees of banks and financial services companies abusing Google Cloud Storage.

The campaign targeted organizations in the US and the UK; the attackers abused Google Cloud Storage to deliver their payloads.

The spam campaign uses messages containing links that point to archive files such as .zip or .gz. The attackers attempt to trick victims into clicking on these malicious links. The threat actors hosted the malicious payloads on storage.googleapis.com, the domain associated with the Google Cloud Storage service. The payloads belong to the Houdini and QRat malware families.

With this attack scheme, threat actors are able to bypass security controls in place within targeted organizations.

“In all of these cases, the malicious payload was hosted on storage.googleapis.com, the domain of the Google Cloud Storage service that is used by countless companies. Bad actors may host their payloads using this widely trusted domain as a way to bypass security controls put in place by organizations or built into commercial security products,” reads the analysis published by security researchers at Menlo.

“It’s an example of the increased use of ‘reputation-jacking’—hiding behind well-known, popular hosting services to help avoid detection.”

The attackers likely chose malicious links over malicious attachments because the infection chain combines email and the web: many security solutions can detect malicious attachments, but they identify malicious URLs only if those URLs are already on a blacklist. A link to a payload on a trusted hosting domain defeats that check.
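One way to catch this pattern without a blacklist is to flag links whose path ends in an archive or script payload, escalating when the host is a widely trusted storage domain such as storage.googleapis.com. This is an added example, not code from Menlo Labs; the sample message and the `.jar`/`.vbs` extensions are assumptions drawn from the payload types the article describes.

```python
"""Flag e-mail links that point to archive payloads on trusted hosting domains.

Added example for the campaign described above. The message below is
constructed for illustration; storage.googleapis.com is the host named in the
Menlo Labs analysis.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Hosting domains that almost every allow-list trusts and that are therefore
# attractive for "reputation-jacking". Only the one named in the article is
# listed; add others for your environment.
REPUTATION_JACKABLE_HOSTS = {"storage.googleapis.com"}

# Archive extensions seen in the campaign (.zip, .gz) plus the payload types it
# ultimately delivered (JAR and VBS); the last two are an assumed extension.
PAYLOAD_EXTENSIONS = (".zip", ".gz", ".jar", ".vbs")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body: str) -> List[str]:
    """Return every http(s) URL found in a message body, in order of appearance."""
    return URL_RE.findall(body)


def classify_url(url: str) -> Optional[Dict[str, str]]:
    """Return a finding for a payload-looking link, or None for an ordinary link.

    Severity is "high" when the payload sits on a trusted hosting domain (the
    reputation-jacking case) and "medium" for a payload link elsewhere.
    """
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()   # hostname is already lower-cased
    path = parsed.path.lower()               # query string is not part of path
    is_payload = path.endswith(PAYLOAD_EXTENSIONS)
    if not is_payload:
        return None
    # Accept both path-style (host/bucket/...) and bucket-subdomain URLs.
    on_trusted_host = any(host == d or host.endswith("." + d)
                          for d in REPUTATION_JACKABLE_HOSTS)
    if on_trusted_host:
        return {"url": url, "severity": "high",
                "reason": "archive/script payload hosted on trusted storage domain"}
    return {"url": url, "severity": "medium",
            "reason": "link to archive/script payload"}


def scan_message(body: str) -> List[Dict[str, str]]:
    """Classify every URL in a message and return only the findings."""
    findings = []
    for url in extract_urls(body):
        finding = classify_url(url)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample message in the style of the campaign (not a real lure).
SAMPLE_MESSAGE = """\
Hello,
Please review the invoice before Friday:
https://storage.googleapis.com/acme-invoices-2018/INV-4471.zip
Our updated policy is at https://www.example.com/policy.html
Thanks
"""

if __name__ == "__main__":
    for f in scan_message(SAMPLE_MESSAGE):
        print(f["severity"].upper(), f["url"], "-", f["reason"])
```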

The attackers leveraged two types of payloads to compromise victims: VBS scripts and JAR files. Experts analyzed several malicious VBS scripts that were highly obfuscated and were likely created with one of the builders available in the cybercrime underground.

The experts analyzed three scripts belonging to the Houdini malware family. The code was highly obfuscated, with three nested levels of obfuscated VBScript, each encoded using Base64. Researchers discovered that the scripts used the same C2 domain (pm2bitcoin[.]com) and the same secondary C2 (fud[.]fudcrypt[.]com).

Researchers noticed that the same string, “<[ recoder : houdini (c) skype : houdini-fx ]>”, appears in the last level of obfuscated VBScript in every sample, and that all of them download a JAR file.

One of the JAR files belongs to the Houdini/jRAT malware family, while the other JAR files belong to the QRat malware family.
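Triage of such samples usually means peeling the Base64 layers until the innermost script is reached and then pulling indicators (the Houdini marker string and the C2 hosts) from that last layer. The following is an added example, not Menlo Labs code: the layered script is constructed here with a hypothetical `Base64Decode` stub standing in for the builder's own decoder, and the `.com`/`.net` hostname pattern is an assumed, deliberately crude one for triage.

```python
"""Peel nested Base64-encoded VBScript layers and pull indicators from the last one.

Added example for the Houdini samples described above. The nested sample is
constructed here; only the marker string and the two C2 domains come from the
published analysis, and hosts are reported defanged.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Marker string that appeared in the last layer of every analysed script.
HOUDINI_MARKER = re.compile(r"<\[\s*recoder\s*:\s*houdini[^\]]*\]>", re.IGNORECASE)
# Candidate Base64 blobs: long runs of the Base64 alphabet with optional padding.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Crude hostname pattern (assumed TLD list); good enough for triage, not parsing.
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info|ru|xyz)\b", re.IGNORECASE)


def _try_decode(blob: str) -> Optional[str]:
    """Return the decoded text if blob is valid Base64 that yields printable text."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def peel_layers(script: str, max_depth: int = 10) -> List[str]:
    """Return [outer, layer1, ..., innermost], decoding the first usable blob each time."""
    layers = [script]
    current = script
    for _ in range(max_depth):
        decoded = next((d for d in map(_try_decode, B64_BLOB.findall(current))
                        if d is not None), None)
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers


def defang(host: str) -> str:
    return host.replace(".", "[.]")


def extract_indicators(script: str) -> Dict[str, object]:
    """Peel the script and report layer count, marker presence and C2 hosts."""
    layers = peel_layers(script)
    last = layers[-1]
    hosts = {defang(h.lower()) for h in HOSTNAME.findall(last)}
    return {
        "encoded_layers": len(layers) - 1,
        "houdini_marker": bool(HOUDINI_MARKER.search(last)),
        "c2_hosts": sorted(hosts),
    }


def wrap_in_b64_layer(inner: str) -> str:
    """Wrap a script in a VBScript stub that decodes and runs it (constructed stand-in)."""
    blob = base64.b64encode(inner.encode("utf-8")).decode("ascii")
    return f'Dim s : s = "{blob}"\nExecute(Base64Decode(s))\n'


# Innermost layer, constructed to mirror what the analysis found: the marker
# comment, the primary and secondary C2, and a JAR second stage (name assumed).
INNER_SCRIPT = (
    "'<[ recoder : houdini (c) skype : houdini-fx ]>\n"
    'host = "pm2bitcoin.com"\n'
    'host2 = "fud.fudcrypt.com"\n'
    'jar = "stage2.jar"\n'
)


def build_sample(depth: int = 3) -> str:
    """Nest INNER_SCRIPT inside `depth` Base64 layers, like the three-level samples."""
    script = INNER_SCRIPT
    for _ in range(depth):
        script = wrap_in_b64_layer(script)
    return script


if __name__ == "__main__":
    print(extract_indicators(build_sample()))
```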

“The Financial Services vertical continues to be a very attractive target for attackers, and Remote Access Trojans (RATs) play an important role in gaining control over a compromised machine within an enterprise. Novel ways of gaining endpoint access are always being developed, and will continue to evolve.” Menlo Labs concludes.

“Financial Services companies can expect to be the target of even more sophisticated malware and credential phishing attacks.”

The benefits and limitations of AI in cybersecurity

Today’s AI cannot replace humans in cybersecurity but shows promise for driving efficiency and addressing talent shortage, a new report by ProtectWise has shown.

Penetration of AI-enabled security products based on number of security alerts received on a typical day


Conducted by Osterman Research, the study explores usage trends and sentiments toward AI among more than 400 U.S. security analysts in organizations with 1000 or more employees.

Key takeaways

Nearly three quarters of respondents have already implemented at least one product that uses AI, but findings uncovered mixed results and a learning curve that needs to be addressed in order to use AI at higher levels of sophistication and effectiveness.

“A lot of hype and confusion exists around AI and its role in the cybersecurity industry,” said Gene Stevens, CTO, ProtectWise. “In its current state, AI is a tool for driving efficiencies and addressing staffing needs, but it is not going to replace human intelligence any time soon. AI is well positioned today to create machine-accelerated humans: an army of hunters and responders who use a wide array of expert systems to help unearth and prioritize critical threats. In the future, AI will only become more valuable as the industry develops products that improve ease of use and capitalize on AI’s efficiency differentiators.”

Top findings from the report include:

  • AI is already widely adopted – AI has already established a strong foothold, with 73 percent of respondents reporting they have implemented security products that incorporate at least some aspect of AI. Most organizations find AI’s ability to improve the efficiency of security staff members and make investigation of alerts faster as top priorities. Organizations with a higher proportion of AI-enabled security products are larger than those with less AI, and they have larger security teams.
  • Executives, not the people who manage security, are the biggest advocates for AI – Fifty-five percent of respondents suggested that the strongest advocates for AI-based security products in their organization are IT executives, while 38 percent identified non-IT executives as the biggest internal champion.
  • AI is yielding some real benefits – Overall, 60 percent of organizations perceive that AI makes investigations of alerts faster and the same proportion consider that AI improves the efficiency of their security staff. Moreover, nearly one-half of organizations view AI as beneficial for automating initial triage and for optimizing threat identification.
  • AI-powered security products are weighed down by mixed results post deployment – According to respondents: 46 percent agree that rules creation and implementation are burdensome; and 25 percent said that they do NOT plan to implement additional AI-enabled security solutions in the future.
  • There is still work to do. More than half of all respondents believe that: AI doesn’t stop zero-days and advanced threats (61 percent); it focuses more on malware than exploits (51 percent); it delivers inaccurate results (54 percent); it’s difficult to use (42 percent); and AI-based products are more expensive than traditional ones (71 percent). The most important differentiator for AI-enabled security products when compared to traditional security products is their ability to automatically block threats, while automatic remediation or isolation is viewed as the least important feature of AI-enabled products.

“All of these findings imply that AI is still in its early stages and we have yet to see its full potential,” said Michael Osterman, principal analyst of Osterman Research. “But AI-based products offer significant promise for improving the speed of processing alerts and that it might at least be a ‘silver-plated’ bullet in addressing the cybersecurity skills shortage.”

GDPR: EU Sees More Data Breach Reports, Privacy Complaints

Ireland, France, Germany and UK Report Increases Since Privacy Law Took Effect


Privacy watchdogs in Europe say they are continuing to see an increase in data breach reports as well as privacy complaints.


That should be no surprise, because the EU on May 25 began enforcing its General Data Protection Regulation. Among its provisions, GDPR requires organizations that suffer a breach that may have exposed Europeans’ personal information to notify relevant authorities.

The number of data breach reports filed since GDPR went into effect has hit about 3,500 in Ireland, over 4,600 in Germany, 6,000 in France and 8,000 in the U.K.

GDPR also gives Europeans the ability to file class-action lawsuits against breached organizations, and some law firms have already been exploring these types of actions.

And under article 77 of GDPR – "Right to complain to a supervisory authority" – Europeans can also file complaints with regulators about organizations’ data protection practices, as they were also able to do before enactment of the new regulation. Regulators say these complaints have also been increasing.

Numerous national data protection authorities say they have seen an increase in both complaints as well as breach reports. But as information security expert Brian Honan has told Information Security Media Group, the increase in data breach reports does not mean there has been a surge in data breaches.

"What we are seeing is an increase in the reporting of the breaches that are happening," according to Honan, who heads Dublin-based cybersecurity firm BH Consulting. "So there is not necessarily an increase in the number of breaches since May 25, but rather we now have better visibility on data breaches."

Here’s a sample of what European privacy watchdogs have been seeing.

Ireland: DPC

Ireland’s DPA, the Data Protection Commission, tells ISMG that as of Monday, it’s received 2,476 complaints and 3,495 breach reports, although they involve both pre-GDPR and post-GDPR cases. "We have received complaints and breach notifications that relate to issues that occurred both post and pre-GDPR, and the pre-GDPR [before May 25] cases are therefore dealt with under the old legislation," says Graham Doyle, the head of communications.

Complaints:

  • Total complaints received: 2,476
  • GDPR applies: 1,575
  • Old legislation applies: 901

Breach reports:

  • Total breach reports: 3,495
  • GDPR applies: 3,105
  • Old legislation applies: 390

In 2017, the DPC received an average of 230 data breach reports and 220 complaints per month. Since GDPR came into effect, however, it’s seen a monthly average of 500 breach reports and 354 complaints.

"As you can see, there has been a significant increase in the volumes of both breaches and complaints to the DPC since May 25," Doyle says.

Germany: BfDI

Germany’s DPA, the Federal Commissioner for Data Protection and Freedom of Information, or BfDI, tells ISMG that as of Oct. 31 it had received:

  • Complaints: 1,914;
  • Data breach notifications: 4,667.

In some cases, breach reports and complaints may be filed with any of the DPAs in Germany’s 16 federal states. As of Sept. 5, BfDI says the total numbers seen across all federal and state DPAs included:

  • Complaints: 11,017;
  • Data breach notifications: 6,156.

France: CNIL

France’s DPA, the Commission nationale de l’informatique et des libertés, aka CNIL, tells ISMG that since GDPR enforcement began on May 25, through Nov. 23, it has received:

  • Data breach notifications: 1,000;
  • Data protection complaints: 6,000.

In the first two months following GDPR going into effect, CNIL received an average of 27 data protection complaints per day, but since then, the average has risen to 36 per day.

United Kingdom: ICO

Earlier this month, the U.K.’s DPA, the Information Commissioner’s Office, said that it’s now seeing about 41 data breach reports get filed per day.

U.K. Information Commissioner Elizabeth Denham told a privacy conference in Wellington, New Zealand, on Dec. 5 that the ICO has seen the total number of data security complaints increase from 9,000 in the six months before GDPR took effect to 19,000 in the six months after.

Since May 25, the ICO has also received more than 8,000 data breach reports, she said.

The ICO says the increase in complaints was expected because of the number of high-profile organizations that have been breached in recent months, including Currys, Marriott and Superdrug.

One-Stop Shop

While each of the 28 EU member nations has its own DPA, expect to hear much more from Ireland’s Data Protection Commission. That’s because it will be taking the lead on numerous high-profile privacy investigations, since many U.S. technology giants – including Facebook, Microsoft, Twitter, and soon Google – have chosen the country as the site of their European headquarters.

Under GDPR, non-EU organizations that have headquarters established in Europe can take advantage of a "one-stop shop" mechanism. This enables organizations that have a presence across different EU member nations to be subject to regulatory oversight by just one supervisory authority, rather than being subject to regulation by the supervisory authorities of each nation in which they have a business presence. The supervisory authority in the nation of the organization’s "main establishment" takes on the role of lead supervisory authority.

For any organization that doesn’t qualify for the one-stop-shop mechanism, but is the subject of a privacy complaint under GDPR, the data protection authority in whichever country where the complaint gets raised takes the lead if it determines that an investigation would be warranted.

First GDPR Fines Still to Come

Beyond bringing mandatory notifications for many types of breach to Europe, GDPR is also a big deal because of the potential penalties that regulators can impose on organizations that fail to take privacy seriously.

Organizations that violate GDPR face fines of up to 4 percent of their annual global revenue or €20 million ($22.7 million) – whichever is greater – as well as other potential sanctions, including losing their ability to process personal data.

Separately, organizations that fail to comply with GDPR’s reporting requirements also face fines of up to €10 million ($11.3 million) or 2 percent of annual global revenue.

Many regulators have been clear that they don’t plan to use the threat of massive GDPR fines punitively. But at the same time, organizations that fail to take Europeans’ privacy rights seriously, or worse, engage in criminal behavior and attempt to cover it up, may find themselves at the receiving end of a serious European privacy enforcement smackdown.

So far, regulators have yet to bring GDPR fines to bear on an organization that was breached since May 25. In general, DPAs’ investigations into major breaches tend to take about a year. So it’s a safe bet that any major GDPR penalties won’t be seen until mid-2019, at the earliest.

Scam iOS apps promise fitness, steal money instead

Fitness-tracking apps use dodgy in-app payments to steal money from unaware iPhone and iPad users.

Multiple apps posing as fitness-tracking tools were caught misusing Apple’s Touch ID feature to steal money from iOS users. The dodgy payment mechanism used by the apps is activated while victims are scanning their fingerprint seemingly for fitness-tracking purposes.

There are many apps that promise to assist users on the way to a healthier lifestyle. The bogus apps were, until recently, available in the Apple App Store. The apps were called “Fitness Balance app” and “Calories Tracker app”, and at first glance appeared to put users on the road to fitness – they could calculate the BMI, track daily calorie intake, or remind users to drink more water. These services, however, came with an unexpectedly hefty price tag, according to Reddit users.

After a user fires up either of the above-mentioned apps for the first time, the app requests a fingerprint scan to “view their personalized calorie tracker and diet recommendations” (Figure 1). Only moments after the user complies and places a finger on the fingerprint scanner, the app displays a pop-up showing a dodgy payment amounting to 99.99, 119.99 USD or 139.99 EUR (Figure 2).

This pop-up is only visible for about a second. However, if the user has a credit or debit card directly connected to their Apple account, the transaction is considered verified and the money is wired to the operator behind these scams.

Based on the user interface and functionality, both apps are most likely created by the same developer. Users have also posted videos of “Fitness Balance app” and “Calories Tracker app” on Reddit.


Figure 1 – Scam apps in Apple’s App Store require users to scan their fingers for fitness tracking (Image source: Reddit)


Figure 2 – Dodgy payment popping up in “Fitness Balance app” and “Calories Tracker app” (Image source: Reddit)

If users refuse to scan their finger in “Fitness Balance app”, another pop-up is displayed, prompting them to tap a “Continue” button to be able to use the app. If they comply, the app tries to repeat the dodgy payment procedure.

Despite its malicious nature, the “Fitness Balance app” received multiple 5-star ratings, had an average rating of 4.3 stars and received at least 18 mostly positive user reviews. Posting fake reviews is a well-known technique used by scammers to improve the reputation of their apps.

Victims already reported both of these apps to Apple, which led to their removal from the market. Users even tried to directly contact the developer of “Fitness Balance app”, but only received a generic response promising to fix the reported “issues” in the upcoming version 1.1 (Figure 3).


Figure 3 – Users who directly contacted the developer received what seems to be an automatic reply

What can users do to avoid similar threats?

As Apple doesn’t allow security products in its App Store, users need to rely on the security measures implemented by Apple.

On top of that, ESET advises users to always read reviews by other users. As positive feedback is easily faked, negative reviews are more likely to reveal the true nature of the app.

iPhone X users can also activate an additional feature called “Double Click to Pay”, which requires them to double-click the side button (Figure 4) to verify a payment.


Figure 4 – The side button verification feature in premium iPhone X

Those who already fell victim to this scam can also try to claim a refund from the Apple App Store.

A New Banking Malware Disguises as Security Module Steals Your Banking Credentials

Unique Banking Malware

A new and unusual banking malware dubbed CamuBot poses as a security module from the bank to gain victims’ trust and tempt them into installing the malware on their devices.

The threat actors are actively targeting companies and public sector organizations, using a number of social engineering techniques to bypass security controls.

Security researchers from IBM, who spotted CamuBot, say the malware is more sophisticated than common banking trojans and is built on new code. It differs from the usual banking trojans in that it blends a number of social engineering techniques to achieve device takeover.

Unique Banking Malware Targets Business Bank Account Customers

The attack starts with some basic reconnaissance. The attackers then phone the person who holds the business bank account, identify themselves as bank employees, and ask the victim to navigate to a URL to check that their security module is up to date.

The page is fake: the check is rigged to come up negative and asks the victim to install a new security module. It also advises the victim to run the security module as an admin user and to close any other running programs.

To gain the user’s trust, the installer shows the bank’s logo while the module installs silently on the victim’s device. The module also establishes a proxy component and adds itself to the firewall rules so that it appears trusted.

The executable, its file name and the URL are not static; they change with every installation. Communication is established through a Secure Shell (SSH)-based SOCKS proxy.

Once the installation completes, a screen pops up and redirects the victim to a phishing page designed to look like the banking portal. The phishing page asks the victim to enter their credentials, which the attackers then use. The attackers hang up the call after the account takeover.

According to IBM X-Force researchers, if the malware finds a device on the endpoint for which it can install additional drivers, the attackers ask the victim to enable remote sharing of that device. If the victim authorizes this, the attackers can intercept one-time passwords, and with those one-time passwords they can initiate a fraudulent transaction.

The delivery of CamuBot is personalized. At this time, CamuBot targets business account holders in Brazil and no other geographies, X-Force researchers said.


Mac App Store apps caught stealing user data


App stores, especially Apple’s, have a reputation for security. That reputation took a hit over the weekend with the revelation that some of the most popular Mac App Store apps were gathering up user data and remotely uploading it to the developer’s servers.

The apps, which appeared to originate from Trend Micro (in hindsight, from scummy unaffiliated developers), included tools like Unarchiver and Cleaner, intended to help users unzip files or clean up their desktop. Instead they ended up gathering browsing data and installed-app data, collating it into a zip file and uploading it to a remote server. At no point was user consent requested, nor were users alerted that this was happening behind the scenes.

After this came to light, Apple pulled the apps from the store. It is unknown how many users downloaded these ‘tools’ and had their data scraped over the lifetime of the apps.

A similar situation happened in what was then the Windows Store with Torrenty, an app which would install adware once downloaded. It slipped past app store verification but was struck down once media reports brought it under scrutiny.

Despite cases like this, however, app stores are safer than the wild internet, as curation, even curation that is often perfunctory, still screens out dangerous apps more often than not.


Manufacturing industry at greater risk of cyberattacks


Manufacturing businesses are seeing higher-than-normal rates of cyberattack-related reconnaissance and lateral movement activity.

This is due to the convergence of IT with IoT devices and Industry 4.0 initiatives, according to a new report from AI-powered attack detection specialist Vectra.

"The disconnectedness of Industry 4.0-driven operations, such as those that involve industrial control systems, along with the escalating deployment of industrial internet-of-things (IIoT) devices, has created a massive attack surface for cybercriminals to exploit," says Chris Morales, head of security analytics at Vectra.

State-affiliated attackers accounted for 53 percent of attacks on manufacturing, according to the 2018 Verizon Data Breach Industry report. The most common types of data stolen were personal (32 percent), secrets (30 percent) and credentials (24 percent).

Analysis of data from Vectra’s Cognito threat detection and hunting platform shows a much higher volume of malicious internal behaviours in manufacturing, which is a strong indicator that attackers are already inside the network. There is also an unusually high volume of reconnaissance behaviour, which indicates that attackers are mapping out manufacturing networks in search of critical assets. A high level of lateral movement is another strong indicator that the attack is proliferating inside the network.

The study shows a growth in data smuggling — where an internal host device controlled by an outside attacker acquires a large amount of data from one or more internal servers and then sends a payload to an external system — between January and June too.

HP plugs critical RCE flaws in InkJet printers

HP has plugged two critical vulnerabilities (CVE-2018-5924, CVE-2018-5925) affecting many of its InkJet printers and is urging users to implement the provided firmware updates as soon as possible.


The vulnerabilities, discovered and reported by a still unnamed third-party researcher, can be triggered via a maliciously crafted file sent to an affected device. Such a file can cause a stack or static buffer overflow, which could allow remote code execution.

The list of affected devices is long and encompasses the Pagewide Pro, DesignJet, OfficeJet, DeskJet and Envy product lines.

Updates can be downloaded and installed directly from the printer or from the HP website (instructions on how to do it can be found here).

HP’s print security bug bounty program

The company did not mention whether the vulnerabilities it plugged were flagged as part of the newly revealed bug bounty program it launched with Bugcrowd in May, but it’s likely that they were.

For the moment, the program is still private.

According to CSO Online, 34 researchers were invited to participate in it. They have been told to limit their efforts to endpoint devices (all HP enterprise printers) and to concentrate on firmware-level vulnerabilities, including remote code execution, cross-site request forgery (CSRF) and cross-site scripting (XSS) flaws.

Vulnerability reporting is to be done through Bugcrowd, which will verify bugs and reward researchers based on the severity of the flaw, with awards of up to $10,000.

“Reporting a vulnerability previously discovered by HP will be assessed, and a reward may be offered to researchers as a good faith payment,” HP noted.

Shivaun Albright, HP’s Chief Technologist of Print Security, said that the company is already keeping security in mind while developing printers, but they want to see whether they have missed anything.

Citing Bugcrowd’s most recent State of Bug Bounty Report, HP pointed out that the top emerging attackers are focused on endpoint devices, and the total print vulnerabilities across the industry have increased 21 percent during the past year.


Top 10 list of dark web activities that indicate a breach

Research analysts at Terbium Labs released a list of the most common activities seen on the dark web that indicate a breach, or other unwanted incident, has taken place.


Despite increased security budgets and better defences, organizations are losing the battle against cyber attacks. According to the 2018 Cost of a Data Breach Study: Global Overview by Ponemon Institute and IBM Security, data breaches continue to be costlier and result in more consumer records being lost or stolen, year after year.

This year the report found that the average total cost of a data breach ($3.86 million), the average cost for each lost or stolen record ($148), and the average size of data breaches have all increased beyond the 2017 report averages. In fact, the costs of the largest breaches can reach into the hundreds of millions of dollars in damage. Ultimately, the inevitability of attacks and ongoing risk exposure of sensitive data has prompted organizations to seek new ways to proactively monitor for lost or stolen data.

The following top 10 list outlines activities, in no particular order, that take place on the dark web that organizations should be most watchful of:

1. Doxing of VIPs. Dark web and clear web sites like Pastebin are a dumping ground for personal, financial, and technical information posted with malicious intent.

2. Full PANs, BINs, payment cards for sale. There is a robust economy for payment cards on the dark web. Sellers update markets with new cards regularly, sometimes daily.

3. Guides for opening fraudulent accounts. The dark web offers guides for sale containing detailed, step-by-step instructions on how to exploit or defraud an organization. The appearance of the guide has a dual impact: fraudsters learn how to take advantage of an organization’s systems and processes and the criminals’ attention is focused on the target company.

4. Proprietary source code. A leak of source code can enable competitors to steal intellectual property and allow hackers to review the code for potential vulnerabilities to be exploited.

5. Dump of a database. Third-party breaches can put organizations at risk by revealing employee credentials that can unlock other accounts or provide fodder for phishing attacks.

6. Template to impersonate a customer account. The dark web is full of account templates that allow fraudsters to pose as customers of financial institutions, telecommunications companies and other service providers. These templates are then used to solicit loans, open accounts, or as part of a broader scheme for identity theft or fraud.

7. Connections between employees and illicit content. Posts doxing individuals who engage in illegal activities on the dark web, such as child exploitation, can draw undue negative attention to their employers or affiliated organizations.

8. W2s and tax-fraud documents. Before tax season each year there is a rush of activity on the dark web to gather compromised identity information in order to file fraudulent tax returns before the legitimate taxpayer can. This tax fraud is enabled by the sale of W2s and other tax fraud-specific documents, which can be tied back to the employers where those documents originally came from.

9. Secure access and specialty passes. While most of the materials on the dark web are generalized personal information, vendors sometimes offer special access materials. These can range from the benign, e.g., amusement park tickets, to the more concerning, e.g., military IDs.

10. Inexpert dark web searching. Security vendors not properly immersed in the dark web can expose an organization to harm by simply searching for information related to the company. For example, one security vendor searched for a CISO’s name so many times on the now-defunct dark web search engine, Grams, that the full name made it to the front page “trending” section of the site.

Google bans cryptocurrency mining apps from the official Play Store

Google has updated the Play Store Developer Policy page to ban mobile mining apps that mine cryptocurrencies using the computational resources of the devices.

Due to the surge in cryptocurrency prices, many legitimate websites and mobile apps are increasingly using cryptocurrency miners.

Following Apple’s decision, announced in June, to ban cryptocurrency mining apps, Google has now also updated the Play Store Developer Policy page to ban mobile apps that mine cryptocurrencies using the computational resources of the devices.

“We don’t allow apps that mine cryptocurrency on devices,” reads the entry included in the policy.

Google will start to remove any app from the official Play Store that uses a device’s resources for mining operations, but it clarified that “apps that remotely manage the mining of cryptocurrency” are not included in the ban.

Mining activities have a dramatic effect on the performance of the device and in some cases can also damage it by causing overheating or destroying the battery.

In December, experts from Kaspersky spotted Android malware dubbed Loapi whose mining component is so aggressive that it can destroy the device’s battery.


Google banned cryptocurrency mining extensions from its Chrome Web store after finding many of them abusing users’ resources without consent.

Since January, Facebook also banned ads that promote financial products and services that are frequently associated with misleading or deceptive promotional practices, such as binary options, initial coin offerings, and cryptocurrency.