Qadit Blog

Researchers at Menlo Labs uncovered a malicious email campaign targeting employees of banks and financial services companies abusing Google Cloud Storage.

The campaign targeted organizations in the US and the UK, the attackers have been abusing Google Cloud Storage to deliver payload.

The spam campaign uses messages including links that point to archivefiles such as .zip or .gz. Attackers attempt to trick victims into clicking on the malicious links. Threat actors hosted the malicious payloads on storage.googleapis.com, which is associated with Google Cloud Storage service. The payload belongs to the Houdini and QRat malware families.

With this attack scheme, threat actors are able to bypass security controls in place within targeted organizations.

“In all of these cases, the malicious payload was hosted on storage.googleapis.com, the domain of the Google Cloud Storage service that is used by countless companies. Bad actors may host their payloads using this widely trusted domain as a way to bypass security controls put in place by organizations or built into commercially security products.” reads the analysis published by security researchers at Menlo.

“It’s an example of the increased use of “reputation-jacking”—hiding behind well-known, popular hosting services to help avoid detection. “

These attackers likely used malicious links rather than malicious attachments because of the combined use of email and the web to infect victims with this threat. Many security solution are able to detect malicious attachments but identify malicious URLs only if they included in a blacklist.

The attackers leveraged two types of payloads to compromise the victims, VBS scripts and JAR files. Experts analyzed some malicious VBS scripts that were highly obfuscated and were likely created by one of the builder available in the cybercrime underground.

The experts analyzed three scripts which belong to the Houdini malware family. The codes were highly obfuscated with three nested levels of obfuscated VBScript and encoded using Base64 encoding. Researchers discovered that they used the same C2 domain (pm2bitcoin[.]com) and secondary C2 (fud[.]fudcrypt[.] com ).

Researchers noticed the same string “<[ recoder : houdini (c) skype : houdini-fx ]>” appears in the last level of obfuscated VBScript and all download a JAR file.

One of the files belongs to the Houdini/jRATmalware family, meanwhile other JAR files belong to the QRat malware family.

“The Financial Services vertical continues to be a very attractive target for attackers, and Remote Access Trojans (RATs) play an important role in gaining control over a compromised machine within an enterprise. Novel ways of gaining endpoint access are always being developed, and will continue to evolve.” Menlo Labs concludes.

“Financial Services companies can expect to be the target of even more sophisticated malware and credential phishing attacks,”

Today’s AI cannot replace humans in cybersecurity but shows promise for driving efficiency and addressing talent shortage, a new report by ProtectWise has shown.

Penetration of AI-enabled security products based on number of security alerts received on a typical day

Conducted by Osterman Research, the study explores usage trends and sentiments toward AI among more than 400 U.S. security analysts in organizations with 1000 or more employees.

Key takeaways

Nearly three quarters of respondents have already implemented at least one product that uses AI, but findings uncovered mixed results and a learning curve that needs to be addressed in order to use AI at higher levels of sophistication and effectiveness.

“A lot of hype and confusion exists around AI and its role in the cybersecurity industry,” said Gene Stevens, CTO, ProtectWise. “In its current state, AI is a tool for driving efficiencies and addressing staffing needs, but it is not going to replace human intelligence any time soon. AI is well positioned today to create machine-accelerated humans: an army of hunters and responders who use a wide array of expert systems to help unearth and prioritize critical threats. In the future, AI will only become more valuable as the industry develops products that improve ease of use and capitalize on AI’s efficiency differentiators.”

Top findings from the report include:

• AI is already widely adopted – AI has already established a strong foothold, with 73 percent of respondents reporting they have implemented security products that incorporate at least some aspect of AI. Most organizations find AI’s ability to improve the efficiency of security staff members and make investigation of alerts faster as top priorities. Organizations with a higher proportion of AI-enabled security products are larger than those with less AI, and they have larger security teams.
• Executives, not the people who manage security, are the biggest advocates for AI – Fifty-five percent of respondents suggested that the strongest advocates for AI-based security products in their organization are IT executives, while 38 percent identified non-IT executives as the biggest internal champion.
• AI is yielding some real benefits – Overall, 60 percent of organizations perceive that AI makes investigations of alerts faster and the same proportion consider that AI improves the efficiency of their security staff. Moreover, nearly one-half of organizations view AI as beneficial for automating initial triage and for optimizing threat identification.
• AI-powered security products are weighed down by mixed results post deployment – According to respondents: 46 percent agree that rules creation and implementation are burdensome; and 25 percent said that they do NOT plan to implement additional AI-enabled security solutions in the future
• There is still work to do. More than half of all respondents believe that: AI doesn’t stop zero-days and advanced threats (61 percent); it focuses more on malware than exploits (51 percent); it delivers inaccurate results (54 percent); it’s difficult to use (42 percent); and AI-based products are more expensive than traditional ones (71 percent). The most important differentiator for AI-enabled security products when compared to traditional security products is their ability to automatically block threats, while automatic remediation or isolation is viewed as the least important feature of AI-enabled products.

“All of these findings imply that AI is still in its early stages and we have yet to see its full potential,” said Michael Osterman, principal analyst of Osterman Research. “But AI-based products offer significant promise for improving the speed of processing alerts and that it might at least be a ‘silver-plated’ bullet in addressing the cybersecurity skills shortage.”

Ireland, France, Germany and UK Report Increases Since Privacy Law Took Effect

Privacy watchdogs in Europe say they are continuing to see an increase in data breach reports as well as privacy complaints.

See Also: Fraud Prevention for Banks: Top 10 Tech Requirements to Evaluate

That should be no surprise, because the EU on May 25 began enforcing its General Data Protection Regulation. Among its provisions, GDPR requires organizations that suffer a breach that may have exposed Europeans’ personal information to notify relevant authorities.

The number of data breach reports filed since GDPR went into effect has hit about 3,500 in Ireland, over 4,600 in Germany, 6,000 in France and 8,000 in the U.K.

GDPR also gives Europeans the ability to file class-action lawsuits against breached organizations, and some law firms have already been exploring these types of actions.

And under article 77 of GDPR – "Right to complain to a supervisory authority" – Europeans can also file complaints with regulators about organizations’ data protection practices, as they were also able to do before enactment of the new regulation. Regulators say these complaints have also been increasing.

Numerous national data protection authorities say they have seen an increase in both complaints as well as breach reports. But as information security expert Brian Honan has told Information Security Media Group, the increase in data breach reports does not mean there has been a surge in data breaches.

"What we are seeing is an increase in the reporting of the breaches that are happening," according to Honan, who heads Dublin-based cybersecurity firm BH Consulting. "So there is not necessarily an increase in the number of breaches since May 25, but rather we now have better visibility on data breaches."

Here’s a sample of what European privacy watchdogs have been seeing.

Ireland: DPC

Ireland’s DPA, the Data Protection Commission, tells ISMG that as of Monday, it’s received 2,476 complaints and 3,495 breach reports, although they involve both pre-GDPR and post-GDPR cases. "We have received complaints and breach notifications that relate to issues that occurred both post and pre-GDPR, and the pre-GDPR [before May 25] cases are therefore dealt with under the old legislation," says Graham Doyle, the head of communications.

Complaints:

• Total complaints received: 2,476
• GDPR applies: 1,575
• Old legislation applies: 901

Breach reports:

• Total breach reports: 3,495
• GDPR applies: 3,105
• Old legislation applies: 390

In 2017, the DPC received an average of 230 data breach reports and 220 complaints per month. Since GDPR came into effect, however, it’s seen a monthly average of 500 breach reports and 354 complaints.

"As you can see, there has been a significant increase in the volumes of both breaches and complaints to the DPC since May 25," Doyle says.

Germany: BfDI

Germany’s DPA, the Federal Commissioner for Data Protection and Freedom of Information, or BfDI, tells ISMG that as of Oct. 31, it received:

• Complaints: 1,914;
• Data breach notifications: 4,667.

In some cases, breach reports and complaints may be filed with any of the DPAs in Germany’s 16 federal states. As of Sept. 5, BfDI says the total numbers seen across all federal and state DPAs included:

• Complaints: 11,017;
• Data breach notifications: 6,156.

France: CNIL

France’s DPA, the Commission nationale de l’information et des libertés, aka CNIL, tells ISMG that since GDPR enforcement began on May 25, through Nov. 23, it has received:

• Data breach notifications: 1,000;
• Data protection complaints: 6,000.

In the first two months following GDPR going into effect, CNIL received an average of 27 data protection complaints per day, but since then, the average has risen to 36 per day.

United Kingdom: ICO

Earlier this month, the U.K.’s DPA, the Information Commissioner’s Office, said that it’s now seeing about 41 data breach reports get filed per day.

U.K. Information Commissioner Elizabeth Denham told a privacy conference in Wellington, New Zealand, on Dec. 5 that the ICO has seen the total number of data security complaints increase from 9,000 in the six months before GDPR took effect to 19,000 in the six months after.

Since May 25, the ICO also received more than 8,000 data breach reports,she said.

The ICO says the increase in complaints was expected because of the number of high-profile organizations that have been breached in recent months, including Currys, Marriott and Superdrug.

One-Stop Shop

While each of the 28 EU member nations has its own DPA, expect to hear much more from Ireland’s Data Protection Commissioner. That’s because it will be taking the lead on numerous high-profile privacy investigations since many U.S. technology giants – including Facebook, Microsoft, Twitter, and soon Google – having chosen the country as the sight of their European headquarters.

Under GDPR, non-EU organizations that have headquarters established in Europe can take advantage of a "one-stop shop" mechanism. This enables organizations that have a presence across different EU member nations to be subject to regulatory oversight by just one supervisory authority, rather than being subject to regulation by the supervisory authorities of each nation in which they have a business presence. The supervisory authority in the nation of the organization’s "main establishment" takes on the role of lead supervisory authority.

For any organization that doesn’t qualify for the one-stop-shop mechanism, but is the subject of a privacy complaint under GDPR, the data protection authority in whichever country where the complaint gets raised takes the lead if it determines that an investigation would be warranted.

First GDPR Fines Still to Come

Beyond bringing mandatory notifications for many types of breach to Europe, GDPR is also a big deal because of the potential penalties that regulators can impose on organizations that fail to take privacy seriously.

Organizations that violate GDPR face fines of up to 4 percent of their annual global revenue or €20 million ($22.7 million) – whichever is greater – as well as other potential sanctions, including losing their ability to process personal data.

Separately, organizations that fail to comply with GDPR’s reporting requirements also face fines of up to €10 million ($11.3 million) or 2 percent of annual global revenue.

Many regulators have been clear that they don’t plan to use the threat of massive GDPR fines punitively. But at the same time, organizations that fail to take Europeans’ privacy rights seriously, or worse, engage in criminal behavior and attempt to cover it up, may find themselves at the receiving end of a serious European privacy enforcement smackdown.

So far, regulators have yet to bring GDPR fines to bear on an organization that was breached since May 25. In general, DPAs’ investigations into major breaches tend to take about a year. So it’s a safe bet that any major GDPR penalties won’t be seen until mid-2019, at the earliest.

Fitness-tracking apps use dodgy in-app payments to steal money from unaware iPhone and iPad users.

Multiple apps posing as fitness-tracking tools were caught misusing Apple’s Touch ID feature to steal money from iOS users. The dodgy payment mechanism used by the apps is activated while victims are scanning their fingerprint seemingly for fitness-tracking purposes.

There are many apps that promise to assist users on the way to a healthier lifestyle. The bogus apps were, until recently, available in the Apple App Store. The apps were called “Fitness Balance app” and “Calories Tracker app”, and at first glance appeared to put users on the road to fitness – they could calculate the BMI, track daily calorie intake, or remind users to drink more water. These services, however, came with an unexpectedly hefty price tag, according to Reddit users.

After a user fires up any of the above mentioned apps for the first time, the apps request a fingerprint scan to “view their personalized calorie tracker and diet recommendations” (Figure 1). Only moments after the user complies with the request and places their finger on the fingerprint scanner, the apps then display a pop-up showing a dodgy payment amounting to 99.99, 119.99 USD or 139.99 EUR (Figure 2).

This pop-up is only visible for about a second, however, if the user has a credit or debit card directly connected to their Apple account, the transaction is considered verified and money is wired to the operator behind these scams.

Based on the user interface and functionality, both apps are most likely created by the same developer. Users have also posted videos of “Fitness Balance app” and “Calories Tracker app” on Reddit.

Figure 1 – Scam apps in Apple’s App Store require users to scan their fingers for fitness tracking (Image source: Reddit)

Figure 2 – Dodgy payment popping up in “Fitness Balance app” and “Calories Tracker app” (Image source: Reddit)

If users refuse to scan their finger in “Fitness Balance app”, another pop-up is displayed, prompting them to tap a “Continue” button to be able to use the app. If they comply, the app tries to repeat the dodgy payment procedure.

Despite its malicious nature, the “Fitness Balance app” received multiple 5-star ratings, had an average rating of 4.3 stars and received at least 18 mostly positive user reviews. Posting fake reviews is a well-known technique used by scammers to improve the reputation of their apps.

Victims already reported both of these apps to Apple, which led to their removal from the market. Users even tried to directly contact the developer of “Fitness Balance app”, but only received a generic response promising to fix the reported “issues” in the upcoming version 1.1 (Figure 3).

Figure 3 – Users who directly contacted the developer received what seems to be an automatic reply

What can users do to avoid similar threats?

As Apple doesn’t allow security products in its App Store, users need to rely on the security measures implemented by Apple.

On top of that, ESET advises users to always read reviews by other users. As positive feedback is easily faked, negative reviews are more likely to reveal the true nature of the app.

iPhone X users can also activate an additional feature called “Double Click to Pay”, which requires them to double-click the side button (Figure 4) to verify a payment.

Figure 4 – The side button verification feature in premium iPhone X

Those who already fell victim to this scam can also try to claim a refund from the Apple App Store.