TalkTalk Website Hacked: 4 Million Customer Records Stolen

This week, we hear the latest on the TalkTalk website breach and the details of the Tinba Banking Trojan family.

Breach

TalkTalk Website Hacked, 4 Million Customer Records Stolen

TalkTalk, the U.K.-based telecommunications company, admitted on October 22 that it suffered its third major cyber attack in the last 12 months, resulting in the theft of data belonging to 4 million customers. TalkTalk representatives stated that the majority of the stolen customer data was unencrypted and included names and addresses, dates of birth, email addresses, telephone numbers, account information, credit card data, and bank details.

Multiple press outlets credited the attack to Islamic hackers using Distributed Denial of Service (DDoS) attacks to overwhelm the company's website. A DDoS attack would need to have been used as part of a broader attack strategy, as on its own it would not have allowed the attackers to steal any information. Independent verification of the incident and perpetrators revealed that an unknown hacker collective using the handle "Th3 W3b 0f H4r4m" posted a sample of TalkTalk's customer records on Pastebin.

Following this recent incident, TalkTalk customers will be hard pressed to believe company claims that its website and databases are secure and protected from further exploitation.


References: TalkTalk Hacked: 4M Customer Records Stolen in Attack Linked to Islamic Cyberterrorism | TalkTalk Help: Website Attack Affecting Our Customers

Mitigation Strategies:

Malware

Analysis of Tinba Banking Trojan Family

The Tinba banking Trojan family, also known as Tiny Banker, Zusy or Hunter, has been in existence since 2012 and was named by CSIS Group researcher Peter Kruse for its small size (20 KB). The family was updated and integrated into five Exploit Kits (Angler, Blackhole, HanJuan, Nuclear and RIG), and in late 2014 it was configured with anti-analysis techniques. The family is now on its fourth version.

The family became known to the cyber security community in 2012 when attackers leveraged it in a campaign targeting banks in Turkey. During this campaign, Tinba was delivered by the Blackhole Exploit Kit (EK) and was capable of Man-in-the-Browser attacks and web injections.

Tinba has a wide variety of country and financial institution targets. In mid-2014, the source code was leaked, leading to versions two and three. Attackers expanded their scope in late 2014 and mid-2015 to include European commercial banks, insurance companies, and dating website customers.

Known Country Targets Include:

  • Turkey (2012)
  • Czech bank customers (September 2014)
  • Italy (May 2015)
  • Germany (May 2015)
  • Netherlands (May 2015)
  • Poland (May 2015)
  • Romania (v3, July 2015)

References: Tinba: World's Smallest Malware Has Big Bag of Nasty Tricks | Tinba Variant Aimed at U.S, International Banks (http://www.scmagazine.com/tinba-variant-aimed-at-us-international-banks/article/371924/) | Updated Rig Exploit Kit Closing In On 1 Million Victims


Mitigation Strategies:

  • 24x7 Security Monitoring to provide anomaly detection
  • Intrusion Detection System (IDS) signatures to detect the malware's observed call-back (check-in) traffic
  • Implement SNORT rules to detect the Tinba Trojan check-in from multiple variants (the sid below is a placeholder; assign one from your local rule range before deploying):
    • alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Tinba Generic checkin"; flow:established,to_server; content:"POST"; depth:5; pcre:"/\/[A-Za-z0-9]{2,30}\//R"; content:"Content-Length: 157"; content:!"Referer|3a|"; http_header; content:!"Mozilla"; http_header; sid:1; rev:1;)
  • Network traffic analysis to detect data exfiltration
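As an added example that is not part of the original article, the heuristic encoded in the Snort rule above (a POST to a short alphanumeric directory, Content-Length of 157, no Referer header and no "Mozilla" anywhere in the headers) is expressed here in Python so it can be run offline over captured HTTP requests, e.g. when triaging a PCAP. The sample requests are constructed for illustration and are not real Tinba traffic.

```python
import re

# Constructed sample requests (request line plus headers, no body).
# Only the first has every trait the Snort rule keys on; the rest each
# differ in one trait and must not fire.
SAMPLE_REQUESTS = [
    "POST /a1b2c3d4/ HTTP/1.1\r\nHost: c2.example.invalid\r\nContent-Length: 157\r\n\r\n",
    "POST /a1b2c3d4/ HTTP/1.1\r\nHost: c2.example.invalid\r\nUser-Agent: Mozilla/5.0\r\nContent-Length: 157\r\n\r\n",
    "POST /a1b2c3d4/ HTTP/1.1\r\nHost: c2.example.invalid\r\nReferer: http://c2.example.invalid/\r\nContent-Length: 157\r\n\r\n",
    "GET /a1b2c3d4/ HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n",
    "POST /x/ HTTP/1.1\r\nHost: c2.example.invalid\r\nContent-Length: 157\r\n\r\n",
]

# Same pattern as the rule's pcre: a directory of 2-30 alphanumerics.
PATH_RE = re.compile(r"^/[A-Za-z0-9]{2,30}/")


def parse_request(raw):
    """Split a raw request into (method, path, headers dict, header block)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _sep, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, head


def matches_tinba_checkin(raw):
    """Return True when a request carries all traits of the Tinba check-in."""
    method, path, headers, head = parse_request(raw)
    if method != "POST":                       # content:"POST"; depth:5
        return False
    if not PATH_RE.match(path):                # pcre on the request path
        return False
    if headers.get("content-length") != "157":  # content:"Content-Length: 157"
        return False
    if "referer" in headers:                   # content:!"Referer|3a|"
        return False
    if "Mozilla" in head:                      # content:!"Mozilla"; http_header
        return False
    return True


def flag_requests(requests):
    """Indices of the requests that match, for feeding into an alert or hunt."""
    return [i for i, r in enumerate(requests) if matches_tinba_checkin(r)]


if __name__ == "__main__":
    print("flagged:", flag_requests(SAMPLE_REQUESTS))
```

Because a missing Referer and a non-Mozilla user agent are also common to plenty of legitimate API clients, treat a hit as a lead to pivot on (destination, process, periodicity) rather than a verdict.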

Top 20 IP Addresses