The Cosmos Bank's Website Compromised

This week, the Alert Logic ActiveIntelligence team highlights how the Cosmos Bank website was compromised with the RIG exploit kit and how a patched Windows zero-day is under attack.

Breach

Cosmos Bank Website Compromised with RIG Exploit Kit

The Cosmos Bank website was compromised with the infamous RIG exploit kit, which was delivering Cerber ransomware. As a result, all visitors to the website are being infected automatically. Cosmos Bank was established in 1906. Headquartered in Pune, it is hailed as one of the oldest urban co-operative banks in India.

Cosmos Bank was informed about this security breach on March 20, 2017, but no action has been taken. As of today, the website is still serving the exploit kit; if you are curious, we strongly recommend that you do not open it, since your system may be infected with ransomware.

References: Cosmos Bank’s Website Compromised by ‘Cerber Ransomware’: Quick Heal Report | Cosmos Bank Website Compromised with RIG Exploit Kit Which Drops Cerber Ransomware | Cosmos Bank’s Website Compromised With RIG Exploit Kit; Cerber Ransomware Infects Website Visitors! 

Mitigation Strategies:

  • A file integrity monitoring (FIM) solution would detect any file modification or addition on the web server
  • Intrusion detection system (IDS) signatures would detect the intrusion and the associated network anomalies
  • A Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection
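To illustrate the FIM point above, here is an added example (not Alert Logic's or Cosmos Bank's code) that hashes a web root against a stored baseline and, for any added or changed HTML file, flags script tags that load from hosts outside the site's allow-list. The file paths, contents and allow-list are constructed for the example.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed snapshot of a small web root (hypothetical paths and contents).
BASELINE = {
    "index.html": "<html><body><h1>Welcome</h1></body></html>",
    "css/site.css": "body { color: #333; }",
}
# Same web root after a hypothetical compromise: an injected script tag and an unexpected new file.
CURRENT = {
    "index.html": '<html><body><h1>Welcome</h1>'
                  '<script src="http://landing.example/ek.js"></script></body></html>',
    "css/site.css": "body { color: #333; }",
    "js/loader.js": "var a=1;",
}
ALLOWED_SCRIPT_HOSTS = {"bank.example", "cdn.example"}  # hypothetical allow-list

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)

def fingerprint(files):
    """Map each relative path to the SHA-256 of its content; this is the stored FIM baseline."""
    return {path: hashlib.sha256(content.encode()).hexdigest() for path, content in files.items()}

def diff_against_baseline(baseline_hashes, current_files):
    """Compare a fresh scan with the baseline and report added, removed and modified paths."""
    now = fingerprint(current_files)
    return {
        "added": sorted(set(now) - set(baseline_hashes)),
        "removed": sorted(set(baseline_hashes) - set(now)),
        "modified": sorted(p for p in baseline_hashes if p in now and now[p] != baseline_hashes[p]),
    }

def foreign_script_sources(html, allowed_hosts):
    """Return script src URLs whose host is not on the allow-list (a common injection pattern)."""
    hits = []
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            hits.append(src)
    return hits

def scan(baseline_hashes, current_files, allowed_hosts):
    """Integrity diff plus content inspection of every added or modified HTML file."""
    report = diff_against_baseline(baseline_hashes, current_files)
    report["foreign_scripts"] = {}
    for path in report["added"] + report["modified"]:
        if path.endswith(".html"):
            found = foreign_script_sources(current_files[path], allowed_hosts)
            if found:
                report["foreign_scripts"][path] = found
    return report

if __name__ == "__main__":
    print(scan(fingerprint(BASELINE), CURRENT, ALLOWED_SCRIPT_HOSTS))
```

In production the baseline would be taken from a known-good deployment and stored off the web server, so that an attacker who modifies the site cannot also rewrite the hashes.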

Malware

Patched Windows Zero Day Under Attack

A zero-day vulnerability patched earlier this month by Microsoft has been under attack since last summer, researchers said. The flaw was exploited in the AdGholas malvertising campaign and was later incorporated into the Neutrino exploit kit. Microsoft fixed a boatload of vulnerabilities in its March patch updates, including three flaws already being exploited.

The vulnerability could allow information disclosure if a user visits a malicious website. In all cases, however, an attacker has no way to force a user to click a specially crafted link; the attacker would have to convince the user to click it, typically through an enticement in an email or instant message. The attacker could also use the flaw to detect which security software is running on the targeted system, especially solutions that analyze malware.

References: CVE-2017-0022 Deployed in AdGholas Malvertising and Neutrino EK | Security Update for Microsoft XML Core Services | Microsoft XML Core Services CVE-2017-0022 Information Disclosure Vulnerability

Mitigation Strategies:

This Week's Suspicious IP Addresses

61.177.172.37 61.177.172.19
166.111.77.32 188.118.2.26
81.183.56.217 46.109.168.179

*IP addresses provided by Recorded Future.