Threat Report Monthly Wrap Up
November 2015

In this monthly report we hear about the most impactful data breaches, malware discoveries, and web and cloud security trends from the month of November 2015.

Breaches

VTech Data Breach

Personal information of approximately 5 million parents and more than 200,000 children was exposed after Chinese company, VTech, was hacked. This is the fourth largest consumer data breach to date.

VTech is a Hong Kong-based global supplier of electronic learning products for children ranging from infant to preschool and the world’s largest manufacturer of cordless phones. The breached data included names, email addresses, passwords, and home addresses of parents who purchased products sold by VTech.

Hackers gained root access with full authorization and control to VTech’s database by using a SQL injection—an old, yet extremely effective, method of attack where hackers insert malicious commands into a website’s form, tricking it into returning other data. 
The hacker claiming responsibility stated he has no intentions of using the data.

Reference: One of the Largest Hacks Yet Exposes Data on Hundreds of Thousands of Kids

Mitigation Strategies:

  • Monitor Intrusion Detection System (IDS) signatures to detect the attempted malware communications seeking instructions or callbacks from command and control infrastructure.
  • IDS signatures would detect the intrusion and possible data leakage.
  • Utilize proper log management could detect any suspicious user account activity.
  • Use network traffic analysis to inspect for suspicious or malicious activity and detect the presence of data exfiltration.

Hilton Hotels & Resorts Data Breach 

On November 24, Hilton Worldwide confirmed an unknown attacker had broken into its point of sale (POS) systems and stolen data, such as card names, expiration dates and security codes belonging to an unspecified number of credit and debit cardholders. 

Hilton reported personal identification numbers (PIN) or addresses were not compromised.  They cannot confirm when the attackers exploited their POS systems, but they know it happened within a sixteen-week period from November 18 to December 5, 2014 or April 21 to July 27, 2015. 

Hackers are using POS Malware to steal customer payment data.  It exploits a flaw in the security of how credit card data is processed.  While credit card data is encrypted during the payment authorization, it’s not encrypted while the payment is actually being processed when the credit card is swiped.

Reference: Hilton Data Breach Focuses Attention on Growing POS Malware Threat | Hilton Worldwide Has Identified and Taken Action to Eradicate Malware

Mitigation Strategies:

Malware

Point of Sale (POS) Malware

Point of sale systems are popular targets for cyber criminals due to their role in the processing of financial transactions.  POS malware steals customer payment data, exploiting a gap in the security of how credit card data is handled.

The malware attempts to steal formatted data, known as tracks, stored on a credit card’s magnetic stripe.  Hackers then re-encode the track data onto counterfeit cards.  Malware that targets track data leverages the need for this data to be stored in the memory of a running program in a decrypted state for transaction authorization to occur. 

Although POS malware is less sophisticated than malware like banking Trojans, due to the Christmas holiday period and the increase of credit card use, POS malware is very effective. 

Reference: The POS Malware Epidemic: The Most Dangerous Vulnerabilities and Malware

Mitigation Strategies:

Malware Disguised as WhatsApp Update

The Association of Banks (ABS) in Singapore alerted mobile bank consumers of malicious malware that disguises itself either as a software update for Android users or a service for updating WhatsApp. 

WhatsApp is a cross-platform mobile messaging application, allowing users to exchange messages without paying for SMS.  The malware also disguises itself as an operating system update, specifically for the battery management module, and advertises more uptime for Android smartphones.

In both scenarios, the malware asks the user to download an update.  The exploit is done once the download is initiated, but NOT before the malware requires you to enter your credit card information.  

Reference: How to avoid the mobile banking malware disguised as a WhatsApp update | Association of Banks warns of malware targeting Android smartphones

Mitigation Strategies:

  • Always initiate updates through the official app store or when prompted by the phone as a system update.
  • Pop-up windows on smartphones are rarely good news.  Close them immediately
  • Sound the alarm if the app update is asking for specific details, such as credit card information or social security number.  NO App developer will ever ask for that information through your smartphone.
  • Do not jailbreak your smartphone.

Cloud Security

The Necessary, Proactive Approach to Security 

According to a market analyst report, security is one of the top concerns for organizations considering moving to cloud computing.  Cloud providers know they are targets for attacks more than single-user data centers. By simply averaging the cost of security over a large number of customers, a good cloud providing company can afford to spend more on safeguarding customer data than the majority of private datacenters.

Successful cloud providers employ people who truly understand security, while building dedicated security teams to plan and implement broad-scale security policies, which are monitored by a team of cybersecurity professionals who can react to any security incident, such as a denial-of-service attack.

Because cybersecurity professionals take proactive approaches to ensuring data security, the odds of a security breach are significantly reduced.  Because cloud providers know they are at great risk of attack, they tend to better prepare for breaches than individual private datacenters, allowing businesses to feel confident their data is secure in the cloud.

Reference: Are you worried about cloud security?

 

 

Web Security

Thai Government Victim of DDoS Attack

The Thai government was attacked with a powerful DDoS attack by the hacking group Anonymous, which brought down their network, along with the country’s Ministry of Information Communication and Technology (ICT) and leaked information about Thailand’s police officers.

What makes this particular DDoS different than other DDoS attacks is that it was not the work of a botnet but the result of users continuously refreshing the aforementioned webpages associated with the DDoS, making the servers crash.

Anonymous activists using hashtag #OpSingleGateway, executed a coordinated series of cyber attacks against the Thai government sector, for the purpose of drawing national and international attention to the government’s Internet censorship plans. 

Thailand has been preparing to funnel all the country’s Internet connections through one single Internet gateway, giving reason to believe the Thai government will fully control, filter and spy on Internet traffic.

The Thai government says the single gateway is simply an attempt to cut down costs; however, Thais fear this might be the first step in creating what’s called “The Great Firewall of Thailand,” an Internet sniffing and filtering system, similar to the “The Great Firewall of China.”

Reference: Anonymous Hacks Thai Police, #OpSingleGateway Still Alive | Thai Government Websites Hit by DDoS Attacks Following Plan to Restrict Internet Access

Honeypot Data - Top 20's

IP Addresses
111.206.116.217 - NEW
46.166.161.166 - NEW
94.141.162.45 - NEW
185.8.107.161 - NEW
117.21.176.242 - NEW
88.198.41.86 - NEW
46.166.173.89 - NEW
91.214.202.67 - NEW
79.141.162.16 - NEW
51.254.221.95 - NEW
213.184.127.43 - NEW
41.224.75.180 - NEW
195.154.237.149 - NEW
89.38.209.50 - NEW
217.170.203.202 - NEW
94.242.222.40 - NEW
84.245.33.104 - NEW
195.154.237.149 - NEW
173.244.197.140 - NEW
91.214.202.67 - NEW
Most Attacked Usernames / Passwords
root/admin
root/123456]
admin/admin
root/root
admin/(blank password)
ubnt/ubnt
support/support
admin/password
root/ (blank password)
root/default
root/administrator
root/123456
root/654321
root/zaq1xsw2
root/1234
root/aaaaaa
root/a123456
root/123654
root/qwerty
admin/default
Most Attacked Ports
445 Microsoft Directory Service
23 Telnet
22 Secure Shell (SSH)
25 SMTP
3389 Remote Desktop Protocol
139 NetBIOS Session Service
80 HTTP
8080 HTTP Alternative (Proxy)
110 HTTP Alternative (Proxy)
3128 Squid Proxy
3306 MySQL
1433 Micorosft SQL Swerver
443 HTTPS
21 FTP
1080 LDAP
3268 Global Catalogue LDAP
9999 Abyss Web Server
135 RPC Locator
143 IMAP
5000 Universal Plug ‘N Play (UPnP)