Wednesday, November 22, 2017

Tag: spearphishing

Phishing attempts directed at specific individuals or companies are termed spear phishing. Attackers first gather personal and organisational information about the target (role, colleagues, suppliers, current projects) to make the lure convincing and raise their probability of success. The technique is widely reported to be the most successful initial-access method on the internet today, with one commonly cited figure putting it behind 91% of attacks.

But its role in the attack remains unclear

Fresh research has shed new light on the devious and unprecedented cyber-attack against Ukraine's power grid in December 2015. A former intelligence analyst has warned that launching similar attacks is within the capabilities of criminals, or perhaps even hacktivist groups, since most of the key components are readily available online.

Zach Flom, an intelligence analyst at threat intelligence firm Recorded Future and a former US DoD computer network defense analyst, has published a study on the BlackEnergy malware, noting a spike in activity prior to the Ukraine attack that left more than 200,000 people temporarily without power on December 23. "In 2014, shortly after being picked up by APT [advanced persistent threat] groups and becoming more modular, we see a large spike in references to the malware and its increasing usage in European countries, namely Ukraine," Flom notes.

"Whether or not the attack was nation state-sponsored, the source code for most of the components that were used is available for purchase and download on the open Web," Flom writes. "It's no longer far-fetched that a similar attack could be conducted by non-nation state-sponsored groups for criminal purposes."

BlackEnergy has evolved from a "relatively simple" distributed denial-of-service tool in early 2007 to a highly capable, modular piece of malware over the last eight years, according to Flom.

The warning of potential future misuse of BlackEnergy comes days after a US government report concluded that the December 2015 power outage in Ukraine, which affected 225,000 customers, was caused by outside attackers. Representatives of the US Department of Homeland Security (DHS), the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and other US government agencies traveled to Ukraine to collaborate and gain more insight into the attack.

The Ukrainian government and the three impacted power distribution utilities (named elsewhere as Prykarpattyaoblenergo, Chernivtsioblenergo and Kyivoblenergo) collaborated with the investigation, which concluded that the assault involved a great deal of coordination and planning, culminating in an attempt to destroy evidence with wiper malware. The cyber-attack was synchronized and coordinated, probably following extensive reconnaissance of the victim networks.

According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities.

During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections.

The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access. All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack.

The KillDisk malware erases selected files on target systems and corrupts the master boot record, leaving the affected machines unable to boot. The incident has generated a great deal of interest because it is reckoned to be the first confirmed case of a cyber-attack causing a power outage.

For context, it's worth pointing out that outages caused by squirrels chewing through electricity cables and the like are commonplace.

A growing number of experts have come to regard the Ukraine energy utility attacks as the most significant malware-based attack since Stuxnet hobbled Iranian nuclear centrifuges back in 2010. BlackEnergy malware was discovered on the networks of all three affected companies, but ICS-CERT investigators were careful to note that the precise role of the malware in the attack remained unclear: the infection is confirmed, its part in the outage is not.

The malware was reportedly delivered via spear phishing emails with malicious Microsoft Office attachments.
It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated.
It is important to underscore that any remote-access Trojan could have been used, and none of BlackEnergy's specific capabilities were reportedly leveraged. A mining company and a large railway operator in Ukraine were also hit by BlackEnergy, so the run of attacks was far from limited to the power distribution sector.

The possible motivations of the hackers range from an attempt to weaken Ukraine economically to a test of their malware against real-world targets. Russia is the obvious prime suspect, and this is supported by plenty of circumstantial evidence, although nothing incontrovertible and certainly no smoking gun. Security researchers at the SANS Institute have put together a reaction to the ICS-CERT report ahead of their own forthcoming study, which will focus on how to defend against similar attacks on industrial control systems in future. Industrial control system security expert Robert M Lee argues that ICS-CERT unnecessarily hedged its bets on whether BlackEnergy was a central vector of the attack. "ICS-CERT is very shy in stating that BlackEnergy3 was involved in the incident," Lee writes. "I understand their hesitation, but the use of BlackEnergy3 to harvest credentials in the impacted organizations was very clear from publicly available sources.

The malware, however, was not responsible for the outage.
It just enabled the attackers, as the SANS team and others in the community have said all along," he added.
Imagine this scenario: men dressed in sharp-looking suits show up and claim to know details of your business and the kinds of security problems your organization has.

They are Windows networking experts and want to fix the issues that made a breach possible. Except those suits aren't being helpful.

Instead, they are likely from the Poseidon Group, a Brazilian cyber-crime outfit that stealthily attacks organizations, steals information, and then manipulates the victims into hiring them to secure the network, said Kaspersky Lab researchers Juan Andres Guerrero-Saade, Santiago Pontiroli, and Dmitry Bestuzhev at the Kaspersky Lab Security Analyst Summit.

The group steals data from infected networks with customized malware that is signed with digital certificates and contains a PowerShell agent. Poseidon uses a combination of custom malware and spear phishing in English and Portuguese to steal information.

The "treasure stealer" malware, also known as IGT, comes with a file deletion utility, a PowerShell agent, a SQL data compiler, and information-gathering tools for stealing data such as user credentials, group management policies, and system logs. Running through PowerShell lets the attackers execute their commands while blending in with normal administrative activity as they poke around.

The malware connects to a command-and-control server and sends information about the infected Windows system such as the operating system version, username, and hostname. "By doing this, the attackers actually know what applications and commands they can use without alerting the network administrator during lateral movement and exfiltration," the researchers said. The Poseidon name reflects the fact that the espionage group operates "on all domains: land, air, and sea," said Bestuzhev.

Command-and-control servers have been found inside ISPs that provide Internet service to ships at sea, reached by hijacking satellite links; others have been found inside ISPs providing conventional wireless connections.

The group started hijacking satellite links in 2013 to gain anonymity.

Windows experts on the prowl

The attackers focused on group management policy and domain rules to get to know the network, and used the uncovered information to create the backdoor.

After grabbing the data, the attackers delete the malware from the infected system. Because each infection is so short-lived, Poseidon was able to evade detection for a long time. Researchers have found four versions of IGT so far. The attackers used WRI files, an extension associated with Microsoft Write, an old text editor shipped with older versions of Windows.

The use of this obscure file extension was pretty clever, since many organizations write their email policies to block attachments with extensions such as .exe.
Very few administrators would think to block .WRI, and most antivirus engines won't scan those files by default, the researchers said. The malware was also capable of hooking into older Windows operating systems, as researchers found references to drivers and hotfixes for Windows NT and Windows 95. Some of the targets in Latin America were still using these ancient operating systems, the researchers said.
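The lesson of the .WRI trick is that a mail gateway which decides by file name alone can be beaten by any extension the administrator forgot. The following is an added example (my own code, not Kaspersky's and not from the original article) contrasting an extension-only denylist with a default-deny policy that sniffs the leading bytes and checks that they match what the name claims. The denylist, the magic-number table, the allowlist and the sample attachments are all constructed for illustration; the sample bytes are short stand-ins, not real files.

```python
"""Attachment policy check: extension denylist versus content-aware verdict.

Added example (not Kaspersky's code, not from the original article). The
sample attachments below are constructed byte strings, not real malware.
"""

# Extensions a typical mail policy blocks outright. A name such as
# "resume.wri" is not on the list, which is exactly the gap Poseidon used.
EXT_DENYLIST = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "ps1", "hta"}

# Leading-byte signatures of common executable and container formats.
# (Public format identifiers, chosen here for illustration.)
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"Rar!\x1a\x07", "rar-archive"),
    (b"PK\x03\x04", "zip-container"),                       # also docx/xlsx/pptx
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-compound"),  # doc/xls 97-2003
    (b"%PDF-", "pdf"),
]

# Which sniffed content types are acceptable for which extensions.
# Anything not listed is held for review instead of being waved through.
ALLOWED_TYPES = {
    "pdf": {"pdf"},
    "docx": {"zip-container"},
    "xlsx": {"zip-container"},
    "zip": {"zip-container"},
    "doc": {"ole-compound"},
}


def extension_of(name):
    """Lower-cased final extension, or '' when there is none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def sniff(data):
    """Identify content by its leading bytes; 'unknown' when nothing matches."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_only_verdict(name):
    """The weak policy: look at the name, never at the bytes."""
    return "block" if extension_of(name) in EXT_DENYLIST else "allow"


def content_aware_verdict(name, data):
    """Default-deny policy: the bytes must match what the name claims."""
    ext = extension_of(name)
    kind = sniff(data)
    if ext in EXT_DENYLIST:
        return "block", f".{ext} is denylisted"
    if kind in ("pe-executable", "elf-executable"):
        return "block", f"{kind} content despite .{ext} name"
    if ext not in ALLOWED_TYPES:
        return "quarantine", f".{ext} is not on the allowlist"
    if kind not in ALLOWED_TYPES[ext]:
        return "block", f"{kind} content does not match .{ext}"
    return "allow", f"{kind} matches .{ext}"


# Constructed samples: a few header bytes padded out to look like small files.
SAMPLES = [
    ("invoice.exe", b"MZ\x90\x00" + b"\x00" * 60),         # obvious executable
    ("resume.wri", b"MZ\x90\x00" + b"\x00" * 60),          # executable wearing .wri
    ("notes.wri", b"\x31\xbe\x00\x00" + b"\x00" * 60),     # unrecognised content
    ("contract.doc", b"Rar!\x1a\x07\x00" + b"\x00" * 60),  # archive disguised as Word
    ("report.pdf", b"%PDF-1.7\n" + b"\x00" * 60),          # genuine-looking PDF
    ("agenda.docx", b"PK\x03\x04" + b"\x00" * 60),         # OOXML container
]


def compare_policies(samples=SAMPLES):
    """Return {name: (extension-only verdict, content-aware verdict)}."""
    return {
        name: (extension_only_verdict(name), content_aware_verdict(name, data)[0])
        for name, data in samples
    }


if __name__ == "__main__":
    for name, (weak, strong) in compare_policies().items():
        print(f"{name:14s} extension-only={weak:6s} content-aware={strong}")
```

The two policies agree on `invoice.exe` and disagree on everything that matters: `resume.wri` carrying a PE header sails through the denylist and is blocked only by the sniffer, and an unknown `.wri` is quarantined rather than delivered. Note that the content-aware rule still cannot see inside an allowed container (a macro in an OLE document, a script in a ZIP), so it belongs in front of a scanner, not instead of one.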

This should be another reminder of why organizations should not be running outdated systems.

Attackers will find unsupported and insecure systems and exploit the security flaws. The attackers are "experts in all things Windows," said Bestuzhev. The group sent highly targeted spear-phishing emails.
In one attack against an energy company in Kazakhstan, the targeted individual was looking to hire someone for a very specialized position, and the attackers sent a message highlighting specific skills relevant to the role. Once the victim opened the attachment, the malware connected to the command-and-control server to launch the actual data-stealing malware. Poseidon digitally signed its custom malware with rogue certificates. Researchers have found seven rogue certificates, and it appears the attackers obtain them in the names of companies the target organization is likely to be familiar with.

Poseidon's business practices

The Poseidon Group is the very first commercial boutique cyber-espionage group based out of Brazil.

The fact that the malware executed only on Brazilian Portuguese Windows systems suggests Poseidon is based in Brazil, which also keeps the attackers close to the organizations they plan to blackmail.

The command and control servers were also based in Brazil. Linguistics provided another clue to Poseidon's location.

The language used in the spear-phishing emails use speech patterns associated with Brazilian Portuguese, not the Portuguese spoken in Portugal, said Bestuzhev.

The Windows commands showed language preferences that helped narrow the area down to northern Brazil. Kaspersky researchers believe Poseidon is a commercial attack crew and not a state-sponsored actor.

The group doesn't care about uncovering specific business secrets, just "treasures": information the organization would consider important and the criminals can monetize. For organizations that decline the security consulting offer, that's not the last they hear from the group.
If the company being blackmailed doesn't take up Poseidon's offer the first time, the group steals some more data and returns with a new offer at a later date. "They wait a year to approach [you] again. 'Look what I found for you: Are you ready to work with me?'" said Bestuzhev. Poseidon also uses the stolen data to further the other side of its business, by using the information in various "shadow, but still legal" activities, said Bestuzhev.

Kaspersky Lab researchers believe the group has been in operation since at least 2005 and has targeted at least 35 businesses across the financial, telecommunications, manufacturing, services, energy, and media industries. While victims have been found in the United States, France, Kazakhstan, the United Arab Emirates, India, and Russia, Poseidon's primary focus is on Brazil-based organizations, or multinational entities with operations in Brazil. "Their techniques used to design attack components have evolved over the past 10 years," the researchers said. "The differences in various elements have made it difficult for researchers to correlate indicators and assemble the puzzle."
While the stereotypical phishing attack may be grammatically challenged, the popular attack method continues to be effective, according to Cloudmark's annual threat report. Phishing attacks have a reputation for being poorly written and fairly obvious in their attempts to con users, yet they continue to be a problem for most companies, according to a security threat report published by Cloudmark on Feb. 11.

Ninety-one percent of companies encountered phishing attacks in 2015, and the lion's share, 84 percent, reported that attacks successfully got past their security defenses, according to a survey of 300 U.S. and UK firms conducted as part of the report. A relatively simple attack, a message to the accounting department purportedly from the company CEO, has become quite popular, with 63 percent of companies having encountered the tactic.

"Even though companies are taking actions, it is still one of the easiest ways in," Angela Knox, senior director of engineering and threat research for Cloudmark, told eWEEK. "It is much easier for someone to hack a human by going through email than to attempt to find a zero day."

Phishing is a low-percentage game: sending 10,000 emails to get one attachment opened or one link clicked by an employee is still a success for the attackers. More targeted phishing, known as spear phishing, requires more of an attacker's time but has a much higher success rate. Phishing continues to be a primary method through which attackers infiltrate corporate networks: nearly 23 percent of recipients open phishing email messages, and another 11 percent click on attachments, according to last year's Verizon Data Breach Investigations Report. Cloudmark noted that, despite the success of both forms of phishing, companies and hosting providers are not doing enough. Attacks such as the Swizzor malware campaign use phishing to distribute malware to potential victims.
Like many other forms of malware, Swizzor uses a domain generation algorithm (DGA) to create pseudo-random domains from lists of words, so that its command-and-control hostnames change faster than defenses relying on static blocklists can keep up. In the survey, 93 percent of respondents stated that their company was at least "somewhat prepared" for phishing attacks. Only 36 percent of those polled thought their firm was very prepared.

While some infrastructure providers use technology to remove phishing emails before they reach their customers, many service providers need to do more to combat the problem, Cloudmark stated in the report. When a phishing email contains a shortened URL, for example, the user has no way to judge where it leads. URL-shortening services should filter out links that point to spam sites, but many do not, Cloudmark claims. Some providers, such as Twitter, have begun blocking shortened URLs that point to known malicious sites; Twitter has reduced the fraction of spam-related links using its own URL shortener to 2.6 percent.

As a technology provider, Cloudmark unsurprisingly argues that training employees to be more resilient to attacks is a strategy that can only go so far. Most companies would rather have a good technology solution than a well-trained employee base, Knox said. "Training is the stop-gap measure that you use if the technology is not providing you defenses you can rely on," she said. "If the technology is protecting you, you don't need training."
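A word-list DGA is only an obstacle until the algorithm has been pulled out of a sample; after that the defender can generate the same domains ahead of time and watch the resolver logs for them. The following is an added example (my own code, not Cloudmark's and not the Swizzor family's real algorithm): the word list, the seed string and the SHA-256 mixing scheme are invented stand-ins for whatever an analyst would reverse from a real sample, and the DNS log is constructed. It shows both sides of the scheme: the generator the malware would run, and the watchlist-plus-matcher a SOC would run against it.

```python
"""Word-list DGA: what the malware generates and what the defender pre-computes.

Added example, not Cloudmark's code and not Swizzor's real algorithm. The word
list, seed and mixing scheme are invented stand-ins; the DNS log is constructed.
"""
import hashlib
from datetime import date, timedelta

# Constructed dictionary; real families draw on far larger lists.
WORDS = ["cloud", "secure", "update", "portal", "mail", "data", "sync", "cdn",
         "login", "account", "service", "office", "share", "drive", "net", "web"]
TLDS = ["com", "net", "info"]
SEED = "example-family-seed"  # assumed per-family constant hard-coded in the sample


def _byte_stream(seed, day):
    """Deterministic byte stream keyed on (seed, date): SHA-256 in counter mode."""
    material = f"{seed}:{day.isoformat()}".encode()
    counter = 0
    while True:
        for b in hashlib.sha256(material + counter.to_bytes(4, "big")).digest():
            yield b
        counter += 1


def generate_domains(seed, day, count=10):
    """The malware side: the day's candidate C2 domains, in contact order."""
    stream = _byte_stream(seed, day)
    domains, seen = [], set()
    while len(domains) < count:
        n_words = 2 + next(stream) % 2                      # two or three words
        label = "".join(WORDS[next(stream) % len(WORDS)] for _ in range(n_words))
        domain = f"{label}.{TLDS[next(stream) % len(TLDS)]}"
        if domain not in seen:                              # skip rare repeats
            seen.add(domain)
            domains.append(domain)
    return domains


def build_watchlist(seed, day, lookahead=3, count=10):
    """The defender side: every domain the family can use over the next few days."""
    return {d for i in range(lookahead)
              for d in generate_domains(seed, day + timedelta(days=i), count)}


def find_dga_queries(dns_log, watchlist):
    """Match resolver log lines '<timestamp> <client> <qname>' against the watchlist."""
    hits = []
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        qname = parts[2].rstrip(".").lower()
        if qname in watchlist:
            hits.append((parts[1], qname))
    return hits


# Constructed resolver log: one client beacons to two of today's DGA domains.
TODAY = date(2016, 2, 11)
_todays = generate_domains(SEED, TODAY)
SAMPLE_DNS_LOG = "\n".join([
    "2016-02-11T09:00:01 10.0.0.5 www.example.com.",
    f"2016-02-11T09:00:07 10.0.0.23 {_todays[0]}.",
    "2016-02-11T09:01:12 10.0.0.5 mail.example.com.",
    f"2016-02-11T09:02:44 10.0.0.23 {_todays[3]}.",
    "2016-02-11T09:03:00 10.0.0.9 updateportal.example.net.",
])


def demo():
    """Run the constructed log against a three-day watchlist."""
    return find_dga_queries(SAMPLE_DNS_LOG, build_watchlist(SEED, TODAY))


if __name__ == "__main__":
    for client, qname in demo():
        print(f"{client} queried DGA domain {qname}")
```

The point of `build_watchlist` is the lookahead: a blocklist compiled from yesterday's sightings is already stale, whereas a list generated from the reversed algorithm covers domains the malware has not yet tried. When the seed is itself derived from something external (a trending topic, an exchange rate), pre-computation gets harder, which is exactly why some families do that.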
The continuing rivalry between India and Pakistan has spilled over into cyberspace, with activity peaking around nationalist holidays and sports fixtures. A study of recent real-world events and hacktivist operations by threat intelligence firm Recorded Future highlights the varied motives behind online malfeasance. Events ranging from Indian Independence Day (15 August) and Pakistan Independence Day (14 August) to anniversaries of the Mumbai attacks by Islamist terrorists (26 November), and even India versus Pakistan cricket matches, often coincide with increased cyber activity.

"India and Pakistan's independence days, which fall on August 15 and August 14 respectively, create a predictable pattern (at least over the past three years) of attacks and retaliatory strikes by the opposing hacker groups," Recorded Future reports. Hacktivists have also been known to take up arms because of passions ignited by cricket, it adds.

On March 2, 2014, Pakistan defeated India in a cricket match in the Asia Cup held in Dhaka, Bangladesh. The next day (March 3), in Meerut, India, 67 Kashmiri students at Swami Vivekanand Subharti University were suspended for having cheered for Pakistan and distributed sweets after the win. Then on March 5, 2014, the website of Swami Vivekanand Subharti University was hacked by a group claiming to be the Pakistan Cyber Army (AKA Bangladesh Cyber Army) in response to the expulsion of the pro-Pakistan students. Finally, on March 7, 2014, the sedition charges against the expelled students were dropped, though they could still face prosecution over the incident.

A 1970 FIFA World Cup qualifier famously ignited existing tensions between El Salvador and Honduras, provoking a brief war in July 1969. Recorded Future's research shows cricket can also spark tensions. Hacktivists from the Pakistan Cyber Army (PCA) have targeted India since 2007.

Government and private sites targeted by the PCA at various times have included the Indian Oil and Natural Gas Corporation, Indian Railways, the Central Bureau of Investigation, the Central Bank of India, and the State Government of Kerala. Recorded Future has republished Facebook posts, seemingly by a member of the PCA, that provide tutorials on how to set up phishing attacks. Individuals affiliated with the PCA may have skills including the use of zero-day vulnerabilities, SQL injection, WEP cracking, and spear phishing, according to reports by Recorded Future and other threat intel firms, including ThreatConnect and FireEye.

It's far from all one-way traffic. Indian hackers took part in a revenge attack in response to the deadly 2 January attack on the Indian Air Force base in Pathankot. Indian hacker groups include the Indian Black Hats and the Mallu Cyber Soldiers. Methods used by these groups include SQL injection and PHP web application hacks.

"There [are] many possible motivations and objectives of the cyber activities between India and Pakistan," Recorded Future concludes. "These could range all the way from loosely affiliated hacktivist groups avenging attacks by defacing symbols and institutions to more coordinated state-sponsored attacks." The threat analyst firm plans to look more closely into state-sponsored hacking in the sub-continent in a follow-up study.
By Barry Mattacott, marketing director, Wick Hill Group

Are industrial control and SCADA (Supervisory Control and Data Acquisition) systems the new frontier, not just for cyber-crime but also for cyberwar? Until recently, when you were at war with a country, you sent in your bombers. First they hit the military targets. Once they had finished those off, they would hit infrastructure, with attacks designed to destroy industry and demoralise the civilian population. Electricity production, oil and gas, even water and waste services would all be targeted.

However, nowadays you don't need brute force to turn the lights off. This was recently demonstrated by hackers attacking Ukraine, who succeeded in knocking out power supplies to up to 1.4 million residents (the official figure, counted in customers rather than residents, is around 225,000) through the social engineering attack known as spear phishing. An infected Word document was used to introduce BlackEnergy malware into critical systems. http://www.bankinfosecurity.com/ukrainian-power-grid-hacked-a-8779/op-1

It was also social engineering which introduced that classic piece of industrial control malware, Stuxnet. It is now widely believed that Stuxnet was originally developed by an American/Israeli alliance, specifically to attack the control systems within Iran's nuclear industry. It eventually destroyed around 20% of Iran's centrifuges. The belief is that it was introduced into the system via an infected USB stick. Statistically, 60% of found USB sticks get plugged straight in, rising to 90% if the USB stick has a recognisable logo on it. https://en.m.wikipedia.org/wiki/Stuxnet

More recently, researchers revealed a vulnerability in the Chrysler Jeep which caused the recall of 1.4 million vehicles. It was demonstrated that a hacker could wirelessly access the control systems of the Jeep with the potential to disable the brakes and steering.
Although a recall notice was issued, owners were sent a USB stick that allowed them to apply the update themselves without taking the vehicle back to a dealer. Chrysler also implemented network-level protection on the Sprint cellular network that connects its cars to the Internet, to block the exploit. http://www.wired.com/2015/07/jeep-hack-chrysler-recalls-1-4m-vehicles-bug-fix/

Let's not stop at cars, let's think big: the Great Train Robbery, 21st-century style. Now they can steal the whole train! A hacking team has discovered vulnerabilities within the control systems used in train networks worldwide that could allow attackers to cause derailments and even steal a whole train. https://www.rt.com/usa/327514-absolutely-easy-hacking-train-systems/

Other worrying incidents include the Slammer worm, which affected critical infrastructure as diverse as emergency services, air traffic control, water systems, ATMs, electricity companies, and a nuclear power plant's process computers and safety display systems.

So why are these systems all so vulnerable? It is probably down to a number of widely held misconceptions which were highlighted in research by Kaspersky Lab entitled 'Five Myths of Industrial Control Systems Security.' http://media.kaspersky.com/pdf/DataSheet_KESB_5Myths-ICSS_Eng_WEB.pdf

Myth: Industrial control systems are not connected to the outside world. Fact: On average, an industrial control system has eleven direct connections to the Internet.
Myth: We are safe because we have a firewall. Fact: Most firewalls allow "any" service on inbound rules.
Myth: Hackers don't understand SCADA. Fact: More and more hackers are specifically investigating this area.
Myth: We are not a target. Fact: Stuxnet showed us that just because you weren't the intended target of industrial hacking doesn't mean you won't become a victim.
Myth: Our safety system will protect us. Fact: The chances are that your safety and control systems are running the same operating system with the same vulnerabilities.

Conclusion

Little recognised, dangerous, seriously disruptive, disabling, potentially lethal, and not widely defended against, industrial control and SCADA systems have the potential to be the new front line in modern warfare. Instead of brute force, countries can be softened up by the loss of essential infrastructure and services. Infrastructure providers, utility companies, transport companies and any organisation whose disruption could cause serious problems, as well as governments themselves, need to look much more seriously at how to defend against such cyber-attacks. Or there could be serious consequences for national security.

About the author

Barry Mattacott is marketing director of Wick Hill Group, a specialist distributor based in Woking, Surrey and Hamburg, Germany. Source: RealWire
Cybercrooks are increasingly adopting tactics from more advanced hackers in order to steal millions of dollars from banks and other financial institutions. The first of the two cybercrime groups, dubbed Metel, is mostly active in Russia. The group's typical modus operandi involves gaining control over machines inside a bank that have access to money transactions, for example the bank's call centre or its support computers. Once the group has achieved this, it can automate the rollback of ATM transactions. The rollback capability ensures that the balance on a debit card stays the same regardless of the number of ATM withdrawals made with it.

In the examples seen to date, the crooks steal money by driving around cities in Russia at night and emptying ATMs belonging to a number of banks, repeatedly using the same debit cards issued by the compromised bank. As the attackers empty ATM after ATM (Metel was found inside 30 organisations), the balances on the accounts used to pull off the scam remain unaltered, allowing further withdrawals.

"Our investigations revealed that the attackers drove around in cars in several cities in Russia, stealing money from ATMs belonging to different banks," Kaspersky Lab said in a report. "With the automated rollback the money was instantly returned to the account, when the cash had already been dispensed from the ATM. The group worked exclusively at night, emptying ATM cassettes at several locations."

"The bank's clients were withdrawing from ATMs belonging to other banks and were able to cash out huge sums of money while the balances remained untouched. It was a surprise for the victim bank to hear from other banks when they tried to recoup the money withdrawn from their ATMs."

The ongoing scam has become the focus of a law enforcement investigation. Metel is the Russian word for blizzard.
Hackers in the gang burrow their way into financial organisations either by using cleverly crafted spear-phishing emails laced with malware, or by luring victims into visiting compromised sites hosting the Niteris exploit kit. Either way, malicious code is used to drop a backdoor onto compromised systems, making it relatively easy for the hackers to install secondary malware or pivot towards juicier targets on the infiltrated network. The hackers typically go after domain controllers before gaining access to support computers, their primary target.

Super stealthy

A second group, dubbed GCMAN because its malware is built with the GCC compiler, has also taken to using techniques more commonly associated with nation-state-grade hackers. In some cases the group uses legitimate administration and pen-testing tools, including VNC, PuTTY and Meterpreter, to pivot inside compromised networks. The group gained a toehold on compromised networks via spear phishing and a malicious RAR archive disguised as a Word document. Their ultimate target is typically access to computers used to transfer money to e-currency services.

The group has learned over time to move slowly and take great pains to avoid triggering alerts on detection systems inside the bank. Researchers at Kaspersky said that in one attack the criminals had access to the network for 18 months before stealing any money. Once they did, they were transferring $200 payments per minute, using the cron scheduler to execute malicious scripts and move money to a money-mule account. Those transaction orders were sent to an upstream payment gateway, Kaspersky Lab said, and were never logged by the victimised bank's internal systems. The amount is probably no accident: $200 is the upper limit for anonymous payments in Russia.

"The group used an MS SQL injection in commercial software running on one of the bank's public web services, and about a year and a half later, they came back to cash out.
During that time they poked 70 internal hosts, compromised 56 accounts, making their way from 139 attack sources (TOR and compromised home routers)," Kaspersky Lab explained. "We discovered that about two months before the incident, someone was trying different passwords for an admin account on a banking server. They were really persistent. They were doing it only on Saturdays, only three tries per week, all in an effort to stay under the radar."

Carbanak is back

Details of two new criminal operations that have borrowed heavily from targeted nation-state attacks were unveiled by security researchers at Kaspersky Lab on Monday during its Security Analyst Summit in Tenerife, Spain. The Kaspersky Lab researchers also published fresh research into the Carbanak gang, a group that stole $1bn from more than 100 financial companies last year, according to some estimates. The Kaspersky Lab team reckoned the Carbanak crew had brought down the shutters on their operation after they were outed a year ago. But last September, researchers at CSIS in Denmark spotted new Carbanak samples. Four months later, Kaspersky Lab found further Carbanak samples inside a telecommunications company and a financial organisation, providing secondary confirmation that the gang was back in business. During its hiatus the group moved beyond banks and is now targeting the budgeting and accounting departments of a much wider range of organisations.

"Attacks on financial institutions uncovered in 2015 indicate a worrying trend of cybercriminals aggressively embracing APT-style attacks," said Sergey Golovanov, principal security researcher at the Global Research and Analysis Team, Kaspersky Lab.
"The Carbanak gang was just the first of many: cybercriminals now learn fast how to use new techniques in their operations, and we see more of them shifting from attacking users to attacking banks directly." Kaspersky Lab has released Indicators of Compromise (IOC) and other data to help organisations search for traces of these attack groups in their corporate networks. More details on these various scams can be found in a blog post by Kaspersky Lab's ThreatPost news service.
Kaspersky researchers Alexander Gostev and Vitaly Kamluk have found a malware gang that can drain ATMs of cash by compromising banks and reversing transactions. The duo say the gang has compromised 30 banks in Russia and likely more abroad with the malware called "Metel" or "Corkow". Gostev (@codelancer) and Kamluk (@vkamluk) say the attacks bear the sophisticated fingerprints typically left behind by state-backed groups. "The malware, used exclusively by the Metel group, infected the bank’s corporate network via e-mail and moved laterally to gain access to the computers within the bank’s IT systems," the pair say. "Having gained access to the bank operator’s money-processing system, the gang pulled off a clever trick by automating the rollback of ATM transactions. "This meant that money could be stolen from ATM machines via debit cards while the balance on the cards remained the same, allowing for multiple transactions at different ATM machines." The pair say the attacks begin with spear phishing attacks on bank employees using the Niteris or Cotton Castle exploit kit in a bid to get Metel installed on a target network. Once that beachhead is established, the group dive deep into networks until they reach the point at which transactions can be altered. Criminals would then move to third party bank ATMs and at night cash out from the victim bank an unlimited amount of times thanks to the ability to roll back transactions. Image: Kaspersky. One bank lost tens of thousands of dollars in one night of ATM cash-outs. Metel is not the only group the pair found. Another hacker outfit was detected pillaging financial institutions over weeks often sucking down US$200 into mule accounts in quick withdrawals. The mules would then day trip across Russia cashing out at ATMs. 
The GCMAN group, so named because its malware is compiled with GCC, like Metel uses phishing to gain a beachhead on corporate networks and then pivots with ordinary administrative and security tools such as PuTTY, VNC and Meterpreter to extend its reach and privileges. With that access, its fraudulent transactions are injected high enough in the processing chain to bypass the bank's fraud-warning systems.

"Our [Kaspersky's] investigation revealed an attack where the group then planted a cron script into the bank’s server, sending financial transactions at the rate of US$200 per minute," the pair say in their analysis. "A time-based scheduler was invoking the script every minute to post new transactions directly to the upstream payment processing system. This allowed the group to transfer money to multiple e-currency services without these transactions being reported to any system inside the bank."

[Image: Kaspersky]

The pair also reported that the infamous Carbanak carder gang is back after a five-month hiatus during which it was thought to have disbanded. It is now targeting new victims and, in one intrusion at a financial organisation, even managed to change the company's ownership details. It is unclear how that falsified information will be used.
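A cron job that fires every minute from a location where no scheduled bank job should live is the kind of persistence a hunt team can sweep for across a server estate. The script below is an added example for this page, not Kaspersky's code: it parses /etc/cron.d-format entries and flags jobs that run every minute, whose executable lies outside a list of expected directories, or which reference scratch directories. The sample crontab, the trusted-directory list and the hypothetical path /opt/bank/jobs/ are all constructed assumptions to be tuned per host.

```python
"""Hunt for cron persistence of the kind attributed to GCMAN above.

Added example, not Kaspersky's code. The sample crontab and the
trusted/scratch directory lists are constructed assumptions.
"""
import re
import shlex

# Directories from which scheduled jobs are expected to run on the
# hypothetical server (assumption; tune per host).
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/",
                    "/usr/local/bin/", "/opt/bank/jobs/")
# Locations a legitimate scheduled job should not be loading code from.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Minute-field spellings that mean "every minute".
EVERY_MINUTE = {"*", "*/1"}
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")

# Constructed sample in /etc/cron.d format (five schedule fields, user, command).
SAMPLE_CRON_D = """\
# m h dom mon dow user command
SHELL=/bin/sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0  2    * * *   backup  /opt/bank/jobs/nightly-settlement.sh
*  *    * * *   procsvc /var/tmp/.cache/post_txn.sh >/dev/null 2>&1
*/1 * * * *     root    /usr/bin/python3 /tmp/.s/sync.py
"""


def parse_cron_d(text):
    """Yield (schedule_fields, user, command) for each job line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue  # malformed; a real hunt would record this too
        yield parts[:5], parts[5], parts[6]


def tokenize(command):
    """Shell-style split of the command; fall back to whitespace on bad quoting."""
    try:
        return shlex.split(command)
    except ValueError:
        return command.split()


def hunt_cron(text):
    """Return a list of (user, command, reasons) for jobs worth a closer look."""
    findings = []
    for fields, user, command in parse_cron_d(text):
        reasons = []
        if fields[0] in EVERY_MINUTE and fields[1] == "*":
            reasons.append("fires every minute")
        tokens = tokenize(command)
        # Only absolute paths are judged here; bare names (run-parts) resolve
        # through PATH and would need resolving against the live host.
        if tokens and tokens[0].startswith("/") and not tokens[0].startswith(TRUSTED_PREFIXES):
            reasons.append(f"executable outside trusted dirs: {tokens[0]}")
        scratch = [t for t in tokens if t.startswith(SCRATCH_DIRS)]
        if scratch:
            reasons.append(f"references scratch dir: {scratch[0]}")
        if reasons:
            findings.append((user, command, reasons))
    return findings


def run_sample():
    """Run the hunt over the constructed crontab."""
    return hunt_cron(SAMPLE_CRON_D)


if __name__ == "__main__":
    for user, command, reasons in run_sample():
        print(f"{user}: {command}\n    " + "; ".join(reasons))
```

The second suspicious entry shows why the executable check alone is not enough: the interpreter sits in a trusted directory and only the script argument gives the job away. Per-user crontabs (five fields, no user column) and systemd timers need their own parsers, and every finding should be confirmed against the file's ownership and modification time on the host.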
Banking malware is using techniques once reserved for state-sponsored hacking gangs.
The product is part of Dell's Endpoint Security Suite Enterprise, and comes after the vendor unveiled new security management for channel partners. As Dell has undergone its years-long transition from PC box maker to a more complete enterprise IT solutions provider, officials have said that security has been a focus. The company has built up its security capabilities through acquisitions such as SecureWorks, SonicWall and Credant Technologies, and is positioned to grow its portfolio further through its planned $67 billion acquisition of EMC. The deal would include security vendor RSA, one of the companies in EMC's federated business model. John McClurg, vice president and chief security officer at Dell, has said that his company is among the top enterprise security vendors in the world. Dell officials this week made two moves that advance those security ambitions. On Feb. 4, the company announced a new post-boot BIOS verification capability aimed at protecting Dell's commercial PCs from malware that attacks them during the boot process. The capability is an addition to the company's Endpoint Security Suite Enterprise. Two days earlier, Dell officials unveiled a new identity and access management offering aimed at channel partners. Dell One Identity Safeguard for Privileged Passwords, available through the Dell Security channel, is designed to complement partners' network security portfolios and be offered on to their customers. The goal is to offer end users, particularly midsize and smaller companies, complete network security protection from a single source, according to Dell officials.
"Managing privileged passwords doesn't have to be a challenging process for organizations, and giving our global channel partners a solution that simplifies the management of highly sensitive privileged passwords complements the strong set of security solutions they already can offer," Patrick Sweeney, vice president of product management and marketing for Dell Security, said in a statement. Dell officials on Feb. 4 announced the availability of the Endpoint Security Suite Enterprise, which integrates technology from Cylance that uses artificial intelligence and machine learning to prevent advanced persistent threats (APTs) and malware more proactively. Cylance's anti-virus technology is intended to protect systems against zero-day attacks as well as targeted attacks such as spear phishing and ransomware. Dell officials claim the new offering stops 99 percent of malware and APTs, compared with a 50 percent success rate for competing solutions. The company highlighted the post-boot BIOS verification capability, which will be integrated into Dell commercial PCs purchased with an Endpoint Security Suite Enterprise license. According to Dell officials, the technology lets a business compare and test the BIOS image taken from a Dell PC against a reference copy held by Dell in a BIOS lab. Doing the comparison in a secure cloud environment is preferable to doing it on a PC that may itself be infected, they said. The technology will initially be available on Dell commercial PCs built on Intel's 6th-generation chipset, including the Latitude PCs announced at the 2016 Consumer Electronics Show last month and other Precision, OptiPlex and XPS PCs and Venue Pro tablets. The offering protects the firmware in the BIOS, which, if tampered with, can damage the PC's performance.
It is designed to make sure that systems are secure every time users boot them, according to Brett Hansen, executive director of data security solutions at Dell. "With the growing complexity of BIOS-specific attacks, and with new malware variants possessing the ability to reinstall themselves within the BIOS, organizations need a more sophisticated way to know that their systems have not been compromised," Hansen said in a statement. The Dell One Identity Safeguard for Privileged Passwords solution for channel partners can help end users add protection to the vendor's SonicWall next-generation firewalls by locking down the passwords used to administer them, officials said. It is delivered as a pre-hardened appliance with an interface intended to keep installation and day-to-day operation simple. Eventually the interface will be expanded to manage all Dell privileged management solutions, they said.
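The design point in the BIOS verification passage is that the reference copy and the comparison live somewhere the possibly-infected endpoint cannot reach; the endpoint only supplies a dump. The following is an added illustration of that verifier side, written for this page; it is not Dell's code and the page says nothing about Dell's actual image format or protocol. The flat image made of named regions at fixed offsets, the "golden" reference, the model identifier and the decision to treat an NVRAM-style region as legitimately mutable are all constructed assumptions; a real platform's layout comes from its flash descriptor and the vendor's manifest.

```python
"""Off-host firmware image verification against a reference manifest.

Added illustration, not Dell's code or protocol. REGION_MAP, the golden
image and MUTABLE_REGIONS are constructed assumptions for a hypothetical
platform. Everything here runs on the verifier, never on the endpoint.
"""
import hashlib

# Constructed region map: name -> (offset, length), total 0x1000 bytes.
REGION_MAP = {
    "descriptor": (0x0000, 0x0100),
    "me":         (0x0100, 0x0300),
    "bios":       (0x0400, 0x0800),
    "nvram":      (0x0C00, 0x0400),
}
# Regions expected to differ between two healthy machines (settings, logs).
MUTABLE_REGIONS = {"nvram"}


def build_golden_image():
    """Deterministic stand-in for the vendor's lab copy of the firmware."""
    img = bytearray()
    for name, (_, length) in sorted(REGION_MAP.items(), key=lambda kv: kv[1][0]):
        block = hashlib.sha256(name.encode()).digest()
        img += (block * (length // len(block) + 1))[:length]
    return bytes(img)


def region_digests(image):
    """SHA-256 of each mapped region of a flat firmware image."""
    return {name: hashlib.sha256(image[off:off + length]).hexdigest()
            for name, (off, length) in REGION_MAP.items()}


def build_manifest(model, golden):
    """What the verifier stores per model: whole-image and per-region digests."""
    return {"model": model,
            "image_sha256": hashlib.sha256(golden).hexdigest(),
            "regions": region_digests(golden)}


def verify_dump(manifest, dump):
    """Compare an endpoint's dump with the manifest and return a verdict dict.

    The dump is untrusted input: a wrong size or any change in a region
    that should be immutable fails; changes confined to mutable regions
    are reported but pass.
    """
    expected_len = max(off + ln for off, ln in REGION_MAP.values())
    if len(dump) != expected_len:
        return {"ok": False, "reason": "unexpected image size",
                "tampered": [], "mutable_changed": []}
    if hashlib.sha256(dump).hexdigest() == manifest["image_sha256"]:
        return {"ok": True, "reason": "exact match",
                "tampered": [], "mutable_changed": []}
    got = region_digests(dump)
    differing = {n for n in REGION_MAP if got[n] != manifest["regions"][n]}
    tampered = sorted(differing - MUTABLE_REGIONS)
    mutable_changed = sorted(differing & MUTABLE_REGIONS)
    if tampered:
        return {"ok": False, "reason": "immutable region modified",
                "tampered": tampered, "mutable_changed": mutable_changed}
    return {"ok": True, "reason": "only mutable regions differ",
            "tampered": [], "mutable_changed": mutable_changed}


def demo():
    """Verify two constructed dumps: a settings change and a patched BIOS region."""
    golden = build_golden_image()
    manifest = build_manifest("HYPOTHETICAL-MODEL", golden)
    settings_changed = bytearray(golden)
    settings_changed[0x0C00:0x0C10] = b"\xff" * 16        # inside nvram
    implanted = bytearray(golden)
    implanted[0x0410:0x0418] = b"\x90" * 8                # inside bios
    return verify_dump(manifest, bytes(settings_changed)), verify_dump(manifest, bytes(implanted))


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

One caveat the passage does not address: a hash comparison is only as good as the dump it receives, and firmware that has already been implanted can lie to the agent reading it out. That is why such checks are strongest when the image measurement is rooted in hardware (a boot-time measurement the host software cannot forge) rather than taken by the running operating system; the page does not say how Dell acquires the image, so that is a general design concern rather than a statement about this product.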