Cyber Security Minorthread

Started by jimmy olsen, February 18, 2015, 01:23:38 PM


jimmy olsen

Given the more or less constant hacking that goes on these days of banks, corporations and governments that cause damages in the tens of millions to billions of dollars, it's time for a megathread!

http://www.slate.com/articles/technology/safety_net/2015/02/_1_billion_bank_hack_how_to_fight_the_next_one.html
Quote
Good news! A major hack you don't have to worry about! Unless, that is, you happen to be an executive or security employee at one of the hundreds of banks targeted by the group that's come to be known as Carbanak or Anunak. If you are, then you have a problem, because these hackers, and no doubt others to come, aren't targeting banking consumers but the very internals of banks, silently monitoring their systems and subtly defrauding them. Unlike most cybercrime, this wasn't a holdup, but a bank heist—the kind that could ultimately affect both consumers and governments. And that's why we should all be paying attention.

Skill-wise, the attack is on the order of November's Sony Pictures hack. (So much for the FBI's claim that the Sony hack was unprecedentedly scary.) It was a long-term effort, professionally executed, and required a fair amount of organization and coordination to pull off. These aren't just script kiddies stealing people's credit card numbers. The hackers managed to compromise the systems of banks, but rather than immediately grabbing information and alerting their targets to their presence, they would quietly observe the inner workings and transactions for months. They were then in a position to subtly manipulate the system in order to cash out. According to a report from software-security company Kaspersky Lab, the hackers obtained up to $1 billion through dozens of attacks over the past two years.

There are several things worth noticing. First, the initial compromises of the systems were possibly the simplest and dumbest aspects of the attacks. The hackers would enter a system through the tried-and-true method of "phishing"—sending emails to employees that purport to come from a trusted sender inside the company. (This approach, attacking a specific organization, is called "spear phishing.") The employee opens an attachment in the email, which immediately compromises the system. These hacks used Windows and Office document files that, when opened, injected malware into the target's computer, more or less giving the hackers total control.

What they did with this control, however, was more sophisticated. The hackers monitored the keystrokes of the computer and took screenshots every 20 seconds, giving them a very clear picture of the daily internal workings of a bank. And instead of attacking customer accounts, which are more closely monitored for fraud, the hackers went after internal fund mechanisms. First, they inserted fake transactions into the SWIFT transfer network to distribute money to other banks and credit cards. Second, and rather ingeniously, they attacked ATMs directly. Seizing central control of the banks' ATMs, they set the terminals to spit out cash spontaneously, then had their accomplices ("money mules," as Kaspersky terms them) visit the ATMs at the right time to collect the dosh.

The exact scope of the attack is still up for debate. According to Kaspersky, the group targeted banks in 30 countries, though primarily in Russia, and Kaspersky suspects it obtained about $1 billion. A more detailed, earlier report from December from Group-IB and Fox-IT confined the attacks to Russia and placed the damage in the hundreds of millions.
In terms of efficiency, these attacks are vastly more impressive than most hackers can ever hope to achieve. Though the efforts required time, each individual compromise raked in $10 million. Each hack remained undetected for its duration, and some banks were compromised multiple times. Since nearly all of the money wasn't tied to any particular customer's account, the thefts were mostly invisible to consumers, so no individuals raised red flags. And with incidents like a Russian bank threatening a customer who successfully got it to accept his credit card terms, I don't think too many people are shedding tears for the poor financial institutions. Plus, consumers face bigger threats from the more recent Dyre and Dridex banking Trojans, which hijack browsers to obtain user credentials, even managing to defeat two-factor authentication in some cases.

For banks and other institutions, though, Carbanak's sophisticated attacks are scary for two reasons. (Brian Krebs reports that the same group may have also compromised Staples and Bebe to obtain credit card information, so it's not just banks.) Along with the Sony hack, these kinds of breaches entail obtaining long-term and in-depth access to targeted systems in order to cause the most damage (financial or otherwise). That means there are two facets of security that companies need to worry about.

First, there's that primitive initial compromise. It's somewhat embarrassing that a phishing attack can end up compromising more or less the entirety of a bank's systems, but that's exactly what happened here. There was no complicated exploit of some unknown security hole or cracking of passwords; an employee just needed to open an attachment file (usually a Word document) in a phishing email, which then exploited known vulnerabilities in unpatched Office software. These vulnerabilities were patched by Microsoft years ago (most recently in March 2014). At a minimum, banks need to keep their software updated with security fixes, but beyond that, they also need to scan all incoming attachments and clamp down on the ease with which employees open them.

The manipulation of the system that followed was on a whole other level. Until banks and other institutions can reliably keep their employees from opening bad links and files inside of phishing emails, they must simply assume they are quite vulnerable to attack. Since Carbanak/Anunak's attacks required weeks of monitoring before it could perform its high-stakes thefts, institutions need better internal auditing mechanisms to make sure their transactions are actually being performed by their employees, rather than by skillful remote hackers. It's better to assume your system is already compromised and look for evidence of unwanted manipulation than to have faith in a bulletproof outer shell, because let's face it, if you're getting compromised by phishing emails, you are a long way from bulletproof. This may even require setting up fake internal honeypots for thieves and other creative mechanisms, so banks can detect intrusions. Since hackers sometimes look to exploit existing latent malware already present on a network, injecting fake malware into bank networks could help catch hackers on first contact, like a reverse Trojan horse.

Banks have every incentive to keep these attacks quiet, given that they aren't keen on losing the confidence of their customers or of their investors. The comparative quiet around them should not be met with complacency. The potential upside for thieves is so great that a lot of evident skill is going into these hacks, resulting in what appears to be a growing arms race between institutions and hackers with increasingly sophisticated arrays of malware and botnets, not to mention tons of time and energy. From the looks of it, the banks are pretty far behind.
It is far better for the truth to tear my flesh to pieces, than for my soul to wander through darkness in eternal damnation.

Jet: So what kind of woman is she? What's Julia like?
Faye: Ordinary. The kind of beautiful, dangerous ordinary that you just can't leave alone.
Jet: I see.
Faye: Like an angel from the underworld. Or a devil from Paradise.
--------------------------------------------
1 Karma Chameleon point
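The quoted article argues that a bank should assume its perimeter is already breached and audit whether internal transactions were really issued by its own employees. As an added illustration, not code from the thread or from the Slate article, the following Python script correlates a constructed transaction log with a constructed workstation session log and flags two things the article describes: fund transfers issued while the named operator had no interactive session on that workstation, and ATM dispense commands with no customer card present. The log format, field names, hosts, user names and all sample lines are assumptions made up for the example.

```python
"""
Added example (not from the thread or the quoted Slate article): an auditing
pass over a constructed internal-transaction log, checking that each transaction
was issued from a workstation where the named operator actually had an
interactive session, and that ATM cash-outs had a customer card present.
Log format, field names and the sample lines are all assumed for the example.
"""
from datetime import datetime

# Constructed sample logs. A real deployment would export these from the core
# banking platform and from workstation/session monitoring, respectively.
SESSION_LOG = """\
2015-02-10T08:55:00 logon user=alice host=WS-114 type=interactive
2015-02-10T17:05:00 logoff user=alice host=WS-114
2015-02-10T09:10:00 logon user=bob host=WS-201 type=interactive
2015-02-10T18:00:00 logoff user=bob host=WS-201
"""

TRANSACTION_LOG = """\
2015-02-10T10:12:00 swift_transfer user=alice host=WS-114 amount=12000 dest=ACME-BANK
2015-02-10T03:40:00 swift_transfer user=bob host=WS-201 amount=950000 dest=SHELLCO-BANK
2015-02-10T11:30:00 atm_dispense user=bob host=WS-201 amount=200 atm=ATM-07 card=present
2015-02-10T02:15:00 atm_dispense user=alice host=WS-114 amount=4000 atm=ATM-12 card=none
"""


def parse_line(line):
    """Parse '<iso-timestamp> <event> key=value ...' into a dict."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def build_sessions(session_records):
    """Pair interactive logon/logoff events per (user, host) into time windows."""
    open_sessions = {}
    sessions = {}
    for rec in sorted(session_records, key=lambda r: r["ts"]):
        key = (rec["user"], rec["host"])
        if rec["event"] == "logon" and rec.get("type") == "interactive":
            open_sessions[key] = rec["ts"]
        elif rec["event"] == "logoff" and key in open_sessions:
            sessions.setdefault(key, []).append((open_sessions.pop(key), rec["ts"]))
    # A logon with no matching logoff is treated as a session that is still open.
    for key, start in open_sessions.items():
        sessions.setdefault(key, []).append((start, datetime.max))
    return sessions


def audit(transactions, sessions):
    """Return one finding per suspicious transaction, with the reasons it tripped."""
    findings = []
    for tx in transactions:
        reasons = []
        windows = sessions.get((tx["user"], tx["host"]), [])
        if not any(start <= tx["ts"] <= end for start, end in windows):
            reasons.append("no interactive session for operator on that workstation")
        if tx["event"] == "atm_dispense" and tx.get("card") != "present":
            reasons.append("ATM dispense without a customer card")
        if reasons:
            findings.append({
                "ts": tx["ts"].isoformat(),
                "event": tx["event"],
                "user": tx["user"],
                "host": tx["host"],
                "reasons": reasons,
            })
    return findings


def run_audit():
    """Run the audit over the constructed sample logs."""
    sessions = build_sessions(parse_log(SESSION_LOG))
    return audit(parse_log(TRANSACTION_LOG), sessions)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

On the sample data the 03:40 transfer from "bob" and the 02:15 card-less ATM dispense from "alice" are flagged; the two daytime transactions inside real sessions pass. The point of keying sessions on (user, host) rather than on the user alone is that a remote operator replaying an employee's credentials from another machine, as the article describes, does not produce an interactive logon on the employee's workstation.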

viper37

Lenovo users are at risk:
Lenovo installs adware on customers laptops and compromises all SSL
Superfish: stop using your Lenovo laptop now

Quote
A pretty shocking thing came to light this evening – Lenovo is installing adware that uses a "man-in-the-middle" attack to break secure connections on affected laptops in order to access sensitive data and inject advertising. As if that wasn't bad enough, they installed a weak certificate into the system in a way that means affected users cannot trust any secure connections they make – TO ANY SITE.
[...]
Superfish Features:

    Hijacks legitimate connections.
    Monitors user activity.
    Collects personal information and uploads it to its servers.
    Injects advertising in legitimate pages.
    Displays popups with advertising software
    Uses man-in-the-middle attack techniques to crack open secure connections.
    Presents users with its own fake certificate instead of the legitimate site's certificate.


Even if you don't have a Lenovo laptop bought between September 2014 and January 2015, you might want to check it for the presence of Superfish:
https://lastpass.com/superfish/

I don't do meditation.  I drink alcohol to relax, like normal people.

If Microsoft Excel decided to stop working overnight, the world would practically end.

Eddie Teach

Quote from: jimmy olsen on February 18, 2015, 01:23:38 PM
Given the more or less constant hacking that goes on these days of banks, corporations and governments that cause damages in the tens of millions to billions of dollars, it's time for a megathread!

Do we talk about it enough to keep the thread near the front page so people bump it instead of starting new threads though? Doubtful.
To sleep, perchance to dream. But in that sleep of death, what dreams may come?

Martinus

Since when can Tim start megathreads?

grumbler

The future is all around us, waiting, in moments of transition, to be born in moments of revelation. No one knows the shape of that future or where it will take us. We know only that it is always born in pain.   -G'Kar

Bayraktar!

CountDeMoney


jimmy olsen

Quote from: Peter Wiggin on February 20, 2015, 12:02:10 AM
Quote from: jimmy olsen on February 18, 2015, 01:23:38 PM
Given the more or less constant hacking that goes on these days of banks, corporations and governments that cause damages in the tens of millions to billions of dollars, it's time for a megathread!

Do we talk about it enough to keep the thread near the front page so people bump it instead of starting new threads though? Doubtful.
The Austria and Hive megathreads aren't that active, yet they remain.
It is far better for the truth to tear my flesh to pieces, than for my soul to wander through darkness in eternal damnation.

Jet: So what kind of woman is she? What's Julia like?
Faye: Ordinary. The kind of beautiful, dangerous ordinary that you just can't leave alone.
Jet: I see.
Faye: Like an angel from the underworld. Or a devil from Paradise.
--------------------------------------------
1 Karma Chameleon point

Darth Wagtaros

I met with Lenovo sales reps yesterday.  They had a lot of nothing to say about it.  That Superfish thing is one of the most heinous things I've seen in a while. Fake root certs???!
PDH!

Ed Anger

Never trust Chinese computer makers.
Stay Alive...Let the Man Drive

DontSayBanana

Quote from: Darth Wagtaros on February 21, 2015, 09:11:08 PM
I met with Lenovo sales reps yesterday.  They had a lot of nothing to say about it.  That Superfish thing is one of the most heinous things I've seen in a while. Fake root certs???!

Brings back unpleasant memories of the Sony rootkit-based DRM from around 2000.
Experience bij!

viper37

Quote from: DontSayBanana on February 21, 2015, 10:23:47 PM
Quote from: Darth Wagtaros on February 21, 2015, 09:11:08 PM
I met with Lenovo sales reps yesterday.  They had a lot of nothing to say about it.  That Superfish thing is one of the most heinous things I've seen in a while. Fake root certs???!

Brings back unpleasant memories of the Sony rootkit-based DRM from around 2000.
Sony managed to get back from it, I'm curious about Lenovo.
I don't do meditation.  I drink alcohol to relax, like normal people.

If Microsoft Excel decided to stop working overnight, the world would practically end.

Darth Wagtaros

They will, I'm sure.  If only because a lot of people won't realize how fucked a fake root cert can leave you.

Chicoms are behind this. No doubt. 
PDH!

Siege

Minorthread?

What the eff is going on here?


"All men are created equal, then some become infantry."

"Those who beat their swords into plowshares will plow for those who don't."

"Let do and let pass, the world goes on by itself!"


Eddie Teach

Quote from: Siege on February 23, 2015, 12:25:00 PM
Minorthread?

What the eff is going on here?

People are finally listening to your complaints about threads with misleading titles.
To sleep, perchance to dream. But in that sleep of death, what dreams may come?

CountDeMoney

Yeah, it's got nothing to do with minors or menorahs, so Siegy just goes into Reset Mode.