
Cyber Threat Briefing

Cyber Threat Intelligence and

Incident Coordination Center (C3)

January 10, 2014


© 2013 HITRUST, Frisco, TX. All Rights Reserved. Written permission required for further distribution.

Agenda

• Introduction

• Monthly Production

• 2013 in Numbers

• Threat Updates

• Threat Actor Highlight: Qassam Cyber Fighters

• Trends and Outlook

• Discussion


Monthly Production

Bold titles are highlighted in this briefing

• Ad-Service Vulnerability Exposes 2.6B Mobile Users To Attack
• Advanced Android Mobile Botnet May Have North Korean Origins
• Android App Targets South Korean Banking Customers
• AnonGhost Defaces 300 Websites, Including Kenyan Oil Corporation
• Anonymous Campaign Names Financial, Energy Targets in OpGabon
• Anonymous Campaign Targets Dubai Banking and Government Sites
• Another Vulnerability Found in OpenX
• Apache Struts 2 Vulnerability in Qatar Airways Website
• Apple Technology Allows Location-Based Advertising
• APT Actors Possibly Targeted Steel Manufacturer SSAB
• APT Group Targets New Vulnerability in Japanese Word-Processing Program
• Audio Signals Can Transfer Data Between Unconnected Computers
• Australian Government Data, PII Discovered on Resold USB Drives
• Blog Comment Service Vulnerability Exposes Anonymous Users’ Email Addresses
• Chinese APT Maudi Campaign Utilizes New Dropper But Leverages Old Malware and C2
• Chinese APT Targeted European Foreign Ministries Ahead of G-20 Summit
• Chinese Bank May Work With Hackers To Retaliate for Defacement
• Chinese Central Bank Attacked Following Bitcoin Regulations
• CryptoLocker Infects Government, Personal Computers in India
• CryptoLocker Variant Suggests the Rise of Copycat Ransomware
• Customer Data Stolen From Los Angeles Healthcare Center
• Cybercriminals Exploit Vulnerabilities in South Korean E-Commerce Websites
• Cybercriminals Increasingly Target Bitcoins as its Profile, Popularity Rise
• Cybercriminals Manipulate South Korean Government Procurement System
• Cybercriminals Offer OPSEC Training Course
• Cybercriminals Steal 1.65M by Intercepting Email Messages
• Cybercriminals Update Citadel Trojan To Target Virtual Currency Websites
• Fake Financial Website Mimics Legitimate Certificate To Deliver Malware
• Gang Arrested for Using Online Carding Forums To Steal USD 2M
• Hacker Attempts To Extort Bitcoins From Israeli Banks
• Hackers Target Blogging Service Users with Fake Browser Extension to Steal User Data
• Hacktivist Group Breaches U.S. Biomedical, Ukrainian Websites
• Hacktivist Website Leaks Israeli Resumes Allegedly Stolen by OpIsrael
• Hacktivists Announce OpWorldCup Campaign
• Hacktivists Target Angolan Websites To Protest Alleged Anti-Muslim Activities
• Hesperbot Trojan Updated To Steal Bitcoins, Target New Regions
• Hewlett-Packard Operations Orchestration Central Contains XSS Vulnerability
• Huawei CEO Announces Plans To Leave U.S. Market
• Inspector General Report Details Department of Energy Hack
• Iran Launches Domestically Produced Cyber-Defense System
• Iranian Company Unveils Domestic Antivirus Software
• Iranian Government Could Use Local Hackers To Target the U.S. Energy Sector
• Iranian Hacking Group Defaces U.S. Municipal Websites
• Iranian Ministry’s Negotiations with Google Could Signal New Tactic in Internet Policy
• Iranian Government Arrests 16 for Alleged Cybercrimes, Debates Domestic Cyber Policy
• Islamic Cyber Resistance Leaks Data in Response to Hizballah Commander’s Death
• Japanese Officials Seeking Offensive Cyber Capabilities
• Largely Undetectable Malware Steals Credit Card Data From Servers
• LulzSec Peru Breaches Peruvian Ministry of Interior, Leaks Sensitive Government Emails
• Malware Compromises 90,000 Patient Records
• Message App Accessible in Saudi Arabia Despite Government Ban
• Messaging Application Blocked Amidst Iranian Cyber Policy Debate
• Microsoft Vulnerability Allows Unauthorized Access to SharePoint
• Mobile Advertising Software Exposes Smartphone Users to Security Risks
• NatWest Website Disrupted in Cyber Attack
• New Botnet Scans for SQLi Vulnerabilities
• New Malware Kit Promises Functionality for Low Cost
• New Virtual Currency Targeted by Cybercriminals
• Newly Discovered Malware Uses Tor for Anonymity
• North Korean Defector Group Leader Likely Hacked by North Korean Attackers
• Patient Data Exposed in Dental File Leak
• Point-of-Sale Botnet Infects U.S. Businesses
• Polish Citizen Arrested for ATM Skimming in Malaysia
• Pony Botnet Steals 2 Million Credentials
• Qatar Holds First Domestic Cyber Exercise
• Report Suggests Chinese Hackers Penetrated U.S. Federal Election Commission Servers
• Russian Cybercriminals Use Local Banks as Test Beds
• Russian Government Elevates Security Agency’s Cyber Defense Role
• SCADA Vulnerability Discovered
• SEA Gives Live Interview
• SEA Will Give First Live Interview
• Security Researcher Identifies CryptoLocker Workaround
• Silk Road 2.0 Operators Arrested, Potentially Ending Site
• Sophisticated Malware Exploits Windows XP Vulnerability
• Spanish Police Arrests Provide More Insight Into Unlimited Operation Network
• Students Breach High School, Medical Testing Service’s IT Systems
• Syrian and Lebanese Data Centers Offer Bulletproof Hosting
• Syrian Hacker Defaces Indian Government Websites

Monthly Production (continued)

• Target Stores Nationwide Experience Massive Data Breach
• TeamBerserk Returns and Commences Attacks
• TeslaTeam Targets Government, News Websites
• Tunisia Forms New Telecommunications Agency
• Turkish Hacktivist Group Breaches Vodafone Iceland
• Turkish Hacktivists Deface OpenSSL Site
• Two Bank Employees Steal, Resell South Korean Customers’ Data
• U.K. Government Introduces Cybersecurity Standard for Contractors
• U.S. Casino Operator Reports Customer Data Breach
• U.S. Government Charges First Cybercrime Defendant With Federal Racketeering
• VBScript Malware Increases Significantly in Latin America
• Vulnerabilities Discovered in Santander Bank’s Bill-Payment Site and App
• Washington Post Attributes Compromise of Company Servers to Possible Chinese APT
• Web Browser Exposes Website Login Credentials
• Windows and Adobe Reader Vulnerabilities Allow System Access
• Word Processing Program Used in Cyber-Espionage Campaign Against South Korea
• ZeroAccess Botnet Partially Dismantled


2013 in Numbers

• 6.7M individuals’ records potentially exposed by 133 data breaches – up from 2.7M/160 in 2012

• Fewer breaches are exposing more data

– Desktop computer theft: 4M records

– Laptop computer theft: 729,000 records

– Patient record microfiche found in park: 277,000

– Inappropriate email: 188,000 records

– Desktop computer theft: 840,000 records

– Malware: 90,000 records

• So, while the cyber threat is real, the most damage still occurs because of insufficient physical security and failure to enforce policies


Threat Updates


• Fake Financial Website Mimics Legitimate Certificate To Deliver Malware
• New Malware Kit Promises Functionality for Low Cost
• Malware Compromises 90,000 Patient Records
• Android App Targets South Korean Banking Customers
• Pony Botnet Steals 2 Million Credentials
• Cybercriminals Steal 1.65M by Intercepting Email Messages
• Ad-Service Vulnerability Exposes 2.6B Mobile Users To Attack
• SCADA Vulnerability Discovered
• Hacktivist Group Breaches U.S. Biomedical, Ukrainian Websites
• Sophisticated Malware Exploits Windows XP Vulnerability
• Cybercriminals Update Citadel Trojan To Target Virtual Currency Websites
• ZeroAccess Botnet Partially Dismantled
• TeamBerserk Returns and Commences Attacks
• Mobile Advertising Software Exposes Smartphone Users to Security Risks
• Patient Data Exposed in Dental File Leak
• Customer Data Stolen From Los Angeles Healthcare Center
• Blog Comment-Service Vulnerability Exposes Anonymous Users’ Email Addresses
• Largely Undetectable Malware Steals Credit Card Data From Servers
• Web Browser Exposes Website Login Credentials
• New Botnet Scans for SQLi Vulnerabilities
• Target Stores Nationwide Experience Massive Data Breach
• Hewlett-Packard Operations Orchestration Central Contains XSS Vulnerability
• Advanced Android Mobile Botnet May Have North Korean Origins
• Microsoft Vulnerability Allows Unauthorized Access to SharePoint
• Newly Discovered Malware Uses Tor for Anonymity
• Silk Road 2.0 Operators Arrested, Potentially Ending Site


Fake Financial Website Mimics Legitimate Certificate To Deliver Malware

• Trustfinancial<dot>org is serving up forged certificates

– To view “loan decision document,” users must install a “secure loan viewer”

– MS identifies the certificate as verified by Access Financial Resources (a real company)

– “viewer” injects malware

• Malware “signed” with real or forged certificates up 50%

– 1.5M new samples in 3Q 2013

– Many certificates are stolen and re-used

– But creation of phony companies and forgery of certificates is on the rise

– In June, criminals registered malware under Adobe Systems, allowing them to use Adobe’s valid certificates to sign their malware


New Malware Kit Promises Functionality for Low Cost

• Atrax is on the loose

– Basic kit starts at only USD 250; includes C&C access

– Cheap add-ons for DDoS, form grabbing, plug-in stealing, Bitcoin mining

– Entire suite costs < USD 900 (Blackhole Exploit Kit is now down to USD 1500/year)

• Once again, the barrier to entry into cyber crime has been lowered

– As more capable tools become more widely available at lower prices, the growth in cyber crime could be exponential

– Increase in the use of Tor (as Atrax does) reduces opportunities for detection


Malware Compromises 90,000 Patient Records

• Malicious email attachment opened by just one employee

– Unidentified malware (probably a RAT) infected one machine

– Threat actors took control of the machine

• Patient records did not appear to be the primary target

– But threat actors had access to a wide range of patient data

– Encryption, if there was any, was ineffective in a situation like this, as threat actors had “legitimate” user privileges

• Points to potential need to segregate systems storing patient data from systems with Internet access

– But then how do you provide patients with online access to their records?


Android App Targets South Korean Banking Customers

• KorBanker appears to be a legitimate Google Play app

– Takes admin control of Android smartphones

– Can be used to download other (malicious) apps

– Replaces legitimate online banking apps with credential-stealing malware

• Today, Korea… tomorrow, where else?

• Today, banking… tomorrow, who else?

• Points to the need to be especially aware of Android users accessing mobile sites


Pony Botnet Steals 2 Million Credentials

• One Pony botnet controller is storing 2M credentials

– Mostly from Facebook, Google, Yahoo

– Also ADP, SSH accounts, RDP accounts

• Botnet delivers keylogging malware

– Reverse proxy C&C communication makes discovery difficult

– Russian language botnet malware has been around for a decade

• These credentials are of particular concern

– How many Facebook, Google, Yahoo users reused their credentials on your site?

– How many sites allow sign-in via Facebook?

– ADP credentials could be used to steal from payroll accounts – what’s your wallet in?


Cybercriminals Steal 1.65M by Intercepting Email Messages

• Messages with overseas suppliers intercepted & spoofed

– Payments to suppliers were redirected to criminals

– Three Seattle-area companies lost USD 1.65M

• Similar “man-in-the-middle” attacks resulted from breaches of Chinese suppliers’ servers

– Reported attacks in 2013 in the USA, New Zealand, and Middle East suggest this is an on-going operation

– No single industry targeted – just companies with suppliers in China


Ad-Service Vulnerability Exposes 2.6B Mobile Users To Attack

• inMobi serves up ads for about 2,000 Google Play apps

– Uses unencrypted TCP/IP to send and receive data

– Vulnerable to man-in-the-middle interception and malware download

– Malware steals data, accesses social media

– More than 2.56B mobile devices are vulnerable

• Yet another example of the dangers of mobile access to corporate sites and networks


SCADA Vulnerability Discovered

• Input-validation vulnerability in Elecsys Director allows unauthorized input

– Could be used to overload SCADA networks

– ED commonly used in power systems automation (building power controls)

– Physical facilities – including data centers – could be at risk

• It pays to know who’s managing your environment and how

– Remote control of buildings (e.g., power, HVAC, access) is becoming more common to achieve economies of scale over multiple properties

– Vulnerabilities also found in Siemens, Johnson Controls, others


Hacktivist Group Breaches U.S. Biomedical, Ukrainian Websites

• r00ts3curity breached five websites, including JHU Dept of Biomedical Engineering

– Also breached a dentist’s office

– Leaked PII from JHU

• No evidence that JHU was specifically targeted

– Likely used SQLi on targets of opportunity

– Breaches & leaks were inconsistent with this Anonymous-affiliated group’s stated objectives


Sophisticated Malware Exploits Windows XP Vulnerability

• Unnamed malware is simultaneously exploiting Windows XP and Adobe vulnerabilities

– Downloaded malware infects multiple browsers

– Evades detection and analysis

– C&C server IP resolves to UK

– Memory dumps uploaded to C&C servers via HTTP POST

• A reminder of the dangers of using older – generally less-secure – systems

– There’s a high probability that not every zero-day in legacy software has been discovered

– XP targeting likely to increase after MS drops support in April


Cybercriminals Update Citadel Trojan To Target Virtual Currency Websites

• Bitcoin value increase has resulted in increased targeting – by both mining bots and thieves

– Bitcoin exchanges heavily targeted

– Now a “conventional” banking trojan – Citadel – has been modified to steal Bitcoins and other virtual currency

• New Citadel captures screenshots of virtual currency sites

– No credentials compromised

– Likely reconnaissance for future attacks


ZeroAccess Botnet Partially Dismantled

• A major portion of the ZeroAccess botnet has been taken down by FBI, Interpol, and MS

– IP traffic to 18 C&C addresses blocked

– Servers for 49 ZeroAccess domains seized

• ZeroAccess mainly spreads malware for Bitcoin mining and click fraud via infected search engines

– More than 1.9 million computers infected

• C&C infrastructure likely to be reconstituted soon

– A good botnet is a joy forever (to some) – witness Cutwail


TeamBerserk Returns and Commences Attacks

• TeamBerserk returned online on 6 December

– No specific targets named – “corporations & governments”

– First attack (on 10 Dec) was against a Texas court, ostensibly to gain access to FBI’s Criminal Justice Information System (unsubstantiated)

• Earlier targets included HITRUST (May 2013)

– Rely heavily on SQLi

– No evidence that healthcare is specifically targeted


Mobile Advertising Software Exposes Smartphone Users to Security Risks

• Widdit mobile advertising software is exposing Android users to MitM attacks

– WiFi hotspot compromises can enable malware infection via Widdit download

– Like inMobi, Widdit uses unencrypted communications

– Unlike inMobi, Widdit directly accesses a wider variety of functions

• Google removed 1,100 apps using Widdit SDK from Google Play store, but >500 remain


Patient Data Exposed in Dental File Leak

• PII for more than 10k patients leaked on a file-sharing website

– Dentrix practice-management database breached

– 20 years’ worth of PII stolen, along with the software

• Theft was in Fall 2012 (or that’s when the target knew about it)

– But data wasn’t leaked until December 2013

• Intent and threat vector unknown

– PII theft is usually for fraud

– Dentrix is a very common system – this attack could presage more

– Continuing trend for less-accomplished threat actors to attack small – often less well-protected – enterprises


Customer Data Stolen From Los Angeles Healthcare Center

• Malware installed on the center’s computers

– Undiscovered for more than seven weeks

– 59k patients’ PII stolen

– PHI theft unconfirmed

• Expect continued targeting of smaller organizations


Blog Comment-Service Vulnerability Exposes Anonymous Users’ Email Addresses

• Disqus vulnerability allows discovery of posters’ email addresses

– Even anonymous posts

– Feature intended for use by authorized API users exploited

– Not a system breach per se, but unauthorized access to a feature that is not locked down

• Two notes:

– Third-party service providers could be your weakest link

– This could be the beginning of a phishing expedition


Largely Undetectable Malware Steals Credit Card Data From Servers

• “ISN” infects web servers and steals ecommerce data

– Installed as an MS Internet Information Services (IIS) module

– IIS used in estimated 160M servers

– Exploits a ColdFusion vulnerability

– Unaffected by HTTPS security – it steals the data from the server, not communications

– Undetected by most anti-virus products

• Although only observed stealing credit card data on ecommerce sites, could be used to steal any user-input data from any website


Web Browser Exposes Website Login Credentials

• Safari stores credentials in unencrypted .plist file

– Used to restore last browsing session if required

– Stores credentials for any/all websites open when Safari is shut down

• Exploitation, however, requires (local or remote) access to the machine

– No patch has been issued; unknown if one is contemplated

– No known malware exists to attempt to exploit this vulnerability, but it’s likely only a matter of time


New Botnet Scans for SQLi Vulnerabilities

• Advanced Power botnet is scanning for SQLi vulnerabilities

– Has compromised more than 12k machines since May

– Has discovered almost 2k web pages with vulnerabilities (other scans by individuals using freely available tools have in fact discovered many more vulnerable pages than this)

– Distributed as an apparently legitimate Firefox add-on (which has been blocked)

– Also has other, unactivated capabilities, such as credential theft

• Likely precursor to attacks on interesting and vulnerable websites


Target Stores Nationwide Experience Massive Data Breach

• Second-largest detected credit card theft hit Target during holiday shopping

– About 40k of chain’s 60k POS terminals infected with malware

– About 40M credit card records stolen

• “Track 2” credit card data includes card number and expiration date

– May include PIN and/or CVV data at issuer’s discretion

– Target confirmed that encrypted PIN data was stolen

• Cards were being sold on rescator<dot>la – since moved

– Being released for sale in batches of 150k-500k

– As cards “age” they are being moved to discount sites
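The Track 2 layout this slide refers to (PAN, expiry, service code, then issuer discretionary data) can be checked for mechanically. The following Python is an added example, not part of the HITRUST briefing: it scans text such as a constructed memory-dump or log excerpt for Track 2 records, validates the PAN with the Luhn check to suppress random digit runs, and masks the PAN for reporting, the kind of check a DLP scanner or POS-integrity monitor performs. The sample input is constructed; the PAN used is a standard Visa test number.

```python
import re
from dataclasses import dataclass

# Track 2 on a magnetic stripe: ';' start sentinel, PAN (13-19 digits),
# '=' field separator, YYMM expiry, 3-digit service code, then issuer
# discretionary data (which may carry a PIN verification value / CVV),
# and a '?' end sentinel.
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


@dataclass
class Track2Hit:
    masked_pan: str
    expiry: str          # "MM/YY"
    service_code: str
    discretionary_len: int
    luhn_valid: bool


def luhn_valid(pan: str) -> bool:
    """Mod-10 check every real PAN passes; cuts false positives on random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first 6 (BIN) and last 4 digits, as PCI DSS permits for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_track2(text: str) -> list:
    """Return one Track2Hit per Track 2 record found in the text."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan, yy, mm, svc, disc = m.groups()
        hits.append(Track2Hit(
            masked_pan=mask_pan(pan),
            expiry=f"{mm}/{yy}",
            service_code=svc,
            discretionary_len=len(disc),
            luhn_valid=luhn_valid(pan),
        ))
    return hits


# Constructed sample of what a memory-scraping check might see. The first
# record uses the well-known Visa test PAN 4111111111111111; the second
# differs in its last digit and so fails the Luhn check.
SAMPLE = (
    "POS01 txn ok;4111111111111111=2512101123456789?\n"
    "noise ;4111111111111112=2512101000000000? more noise\n"
    "unrelated 1234567890123456\n"
)

if __name__ == "__main__":
    for hit in scan_track2(SAMPLE):
        print(hit)
```

A hit with luhn_valid set is the one worth alerting on; the masked PAN, expiry and service code are enough for the incident record without retaining the card number itself.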


Hewlett-Packard Operations Orchestration Central Contains XSS Vulnerability

• HP OO XSS vulnerability allows creation of admin accounts

– Threat vector is phishing or watering hole with malicious iframe

– Patch issued on December 11

• HP OO used for IT process automation

– Potentially gives access to web servers, databases, middleware


Advanced Android Mobile Botnet May Have North Korean Origins

• MisoSMS is spreading among Android phones in Asia

– Google Vx malware appears to be a valid settings app

– Steals text message data and emails it to C&C servers in China

– Assessed to be North Korean espionage campaign

• Google Vx has been used in at least 64 mobile botnet campaigns

– Linked to more than 450 malicious email accounts


Microsoft Vulnerability Allows Unauthorized Access to SharePoint

• MS Office 365 users’ tokens vulnerable when accessing SharePoint

– Threat vector is generally phishing email

– Stolen tokens allow threat actors to “legitimately” access any SharePoint site (i.e., token takes the place of password)

– Also allows access to other MS Office server sites (e.g., SkyDrivePro)

• Although a patch was issued in December, successful attacks continue


Newly Discovered Malware Uses Tor for Anonymity

• ChewBacca delivers Tor with a key logger

– Keystrokes are stored in system.log

– Log file is emailed to C&C server via Tor

– Probably being used to steal credentials and/or PII

– Threat vector unknown, probably phishing

• Pros and cons of Tor

– Provides a high degree of anonymity for threat actors

– Limited infrastructure often makes connections slow, unstable


Silk Road 2.0 Operators Arrested

• Three more individuals arrested in connection with Silk Road underground marketplace

– Two were Silk Road admins

– One administered the Silk Road forum

– Salaried positions (!)

– All three are suspected of setting up Silk Road 2.0

• Silk Road 2.0 likely to be shut down

– Users told to remove Bitcoins

– Likely to be replaced by new platform using I2P instead of Tor

– Meanwhile, other Tor markets thrive (Budster, TorMarket, Ramp) and I2P markets are growing (TheMarketPlace, Modern Culture)


Threat Actor Highlight: Qassam Cyber Fighters


• Background and motivations

– Iranian group masquerading as pro-Islam Arabs

– Likely retaliation for U.S.-led economic sanctions against Iran

• Capabilities and Targeting

– Conducted massive DDoS attacks against U.S. financial institutions Sep 2012-July 2013

– Use custom-made botnet malware to leverage web server zombies

• Future Attacks and Their Impact

– Disappeared last summer, but may pop up again or be replaced by another “pop-up group”

– Depends upon state of U.S.-Iran relations

– Have reportedly been scanning infrastructure, especially energy


Trends and Outlook

• Enhanced Iranian Cyber Attack Capabilities Likely To Target Regional Rivals Rather Than United States in Near Future

• Saudi Arabia’s Planned Investments Carry Risk

• Political Instability in North Korea May Lead to Cyber Attacks Against South Korea

• Continued fall-out from Target breach (which may have gone on much longer than announced)

• Calendar

– 1 February: Anonymous’ International Day of Privacy

– 7–23 February: Winter Olympic Games in Russia

– 24–28 February: RSA Conference 2014 in San Francisco

– 21 March: Nowrooz, the Persian New Year celebration, begins

– 7 April: AnonGhost claims another round of OpIsrael will begin


Discussion

• Share threat indicators, incidents, and events


For More Information

Visit http://hitrustalliance.net/c3/
