Threat Report Monthly Wrap Up
September 2015

In this monthly report, we hear about the most impactful data breaches, malware discoveries, and web and cloud security trends from the month of September 2015.

Breaches

Hilton Worldwide Faces Potential POS Data Breach  

Hilton Hotels, a world resort and hotel franchise, is investigating a possible large-scale financial data breach that may have led to multiple cases of credit card fraud. The apparent breach originated at point-of-sales (PoS) terminals in coffee bars, gift shops, and restaurants of Hilton Hotel and franchise properties worldwide. The breach does not seem to be related to their guest reservation systems.

The number of Hilton properties affected is unknown; however, flagship properties Embassy Suites, Doubletree, Hampton Inn and Suites, and Waldorf Astoria Hotels & Resorts have been identified as being compromised.         

Hotels are attractive targets due to the volume of sensitive cardholders that traverse through their locations and the decentralized nature of their information systems and networks. Depending on the hotel size, facilities have multiple touch points for credit cards, ranging from the front desk to Wi-Fi to the corporate data center.

The dispersed networks and entry points afford cybercriminals the opportunity to target large amounts of customers in order to steal personally identifiable information (PII) and sensitive financial data.

It is recommended customers limit the use of payment cards at these types of facilities and to review bank statements and credit reports to identify and report fraudulent activity on their accounts.

Reference: Hilton hotels in credit-card stealing malware infection scare

Mitigation Strategies:

  • Monitor Intrusion Detection System (IDS) signatures to detect the attempted malware communications seeking instructions or callbacks from command and control infrastructure.
  • Proper log management could detect any suspicious user account activity.
  • Use network traffic analysis to inspect for suspicious or malicious activity and detect the presence of data exfiltration.

Kmart of Australia Product Order System Compromised 

Discount retailer Kmart of Australia suffered a data breach of their online product order system that exposed customers’ personally identifiable information (PII). Credit card data was not compromised but PII data such as names, email addresses, billing and delivery addresses, product purchases, and telephone numbers were exposed. Reportedly, the breach only affected online shoppers of Kmart Australia. Kmart Australia has no relation to Kmart located in the United States.   

Consumer PII is sold by hackers in Darkweb marketplaces for targeted social engineering attacks such as spearphishing campaigns. These campaigns package stolen PII into convincing email messages directed at their target(s) that include descriptive information such as full name, home address, and phone number in order to entice the recipient to click on a URL or download a malicious file. 

Upon learning about a breach at frequented store, consumers, at a minimum, should change their passwords.  Security professionals are advised to continuously monitor their networks for suspicious activity and implement appropriate mitigations steps to prevent attackers from exploiting vulnerabilities and infiltrating corporate networks to steal intellectual property and sensitive customer data.

Reference: Kmart online customers' information hacked in security breach

Mitigation Strategies:

Malware

Third Party Malvertising Betrays Adult Websites 

The malvertising[1] attack saga continues as attackers turn their sights toward adult websites. A recent campaign targeted websites Xhamster, PornHub, and YouPorn; combined, these sites have 1.3 billion monthly visitors. In at least one case, attackers used a major advertising company that specializes in adult website ads as a platform for storing and distributing malvertisements on legitimate websites.

These ads had controls to determine if the user was legitimate; if users were identified as vulnerable, they would be redirected to landing pages hosting an exploit kit. However, users resembling researchers, virtual machines, and debuggers would not be redirected.       

The use of malicious advertisements or “malvertisements” as an attack vector has increased by 260% in the first half of 2015 compared to the equivalent period in 2014. In the last two months alone, companies like Yahoo, AOL, Forbes and other high profile websites have fallen victim to malvertising attacks targeting unwitting users. 

These types of attacks are difficult to detect and remove because they are delivered through ad networks, allowing attackers to exploit specific, large populations of users with minimal effort.

Reference: Malvertising attacks target PornHub, YouPorn



[1]Malvertising refers to criminally-controlled advertisement that appears legitimate but spreads malware using a tiny piece of code hidden deep in the ad, which redirects a victim’s computer to criminal servers hosting exploit packages.

Mitigation Strategies:

  • Users can install browser plugin Ghostery and disable or remove unnecessary plugins like Java and Shockwave
  •  Monitor Intrusion Detection System (IDS) signatures to detect the attempted malware communications seeking instructions or callbacks from command and control infrastructure.
  • Proper log management could detect any suspicious user account activity.
  • Use network traffic analysis to inspect for suspicious or malicious activity and detect the presence of data exfiltration.

Tinba Trojan Customized to Attack Romanian Banks

The latest version of the Tinba (also known as TinyBanker) Trojan has been customized to target Romanian financial institutions. In July 2014, the source code appeared on an underground forum and attackers continue to add features to make this Trojan even more powerful; depending on the version, the size of the Trojan can range from 20k to 200k. Researchers have seen four versions of the Trojan in the wild with at least two versions developed by the same person or group. 

An interesting feature of the some of these versions is the supporting infrastructure, which can host different types of malware. First, encryption between the CnC server and Trojan makes it difficult for law enforcement or security researchers to spoof communications.

Additionally, if the built in CnC servers are unavailable, the Trojan can use an algorithm to generate thousands of possible backup domains as a possible hosts. If the criminal gang behind the infrastructure were to lose access to the CnC servers, an alternate could be quickly identified using a server with domain names that meet the criteria of the algorithm.

The resilient and open nature of the code makes it easier for different actors to redesign the malware to bypass security mechanisms to infect banking websites.  Typically, once the user is infected with the Trojan, it will lay dormant until the user navigates to the compromised website; then, it is activated and deploys the malicious payload.

The Trojan launches web injections disguised as financial communications, requesting login credentials, personal information, or permission to transfer funds. It may also warn users that extra money has been accidentally transferred into their account and it must be refunded immediately.

Reference: Tinba Trojan Sets Its Sights on Romania

Mitigation Strategies:

Cloud Security

Digitization of Medical Records Creates Fraud Opportunities

Medical identity theft has been a growing problem for the last several years. In a survey sponsored by ID Experts, 91 percent of healthcare organizations surveyed suffered an attack that resulted in data loss. Due to the amount of information that is located in electronic healthcare records, an attacker can get as much as $60-$70 dollars per record on the black market. According to the FBI, this is much more than credit card or social security numbers alone.

United States congressional acts such as the Affordable Health Care Act and the American Recovery and Reinvestment Act mandate that health records are stored digitally in an effort to make the healthcare system more efficient. Much of this information is migrating to cloud computing environments and this, along with other changes, has provided attackers with more targetable opportunities to commit fraud.

The healthcare industry is at least 10 years behind in terms of protecting consumer information compared to the financial services sector. Regulatory mandates to expedite the digitization of medical records and lack of investment in cybersecurity make the healthcare industry fertile land for cybercriminals and state-sponsored actors to exploit vulnerabilities and receive high rates of return on their hacking investments.

Reference: Why Medical Theft is Rising and How to Protect Yourself

Web Security

RansomWeb and Ransomware Team Up for Data Hostage 

In 2015, we have witnessed a shift in cybercriminal tactics, as they have ventured into new territory by specifically targeting web applications for exploitation. The new tactic is called RansomWeb[1], which bears the same characteristics as the more commonly known Ransomware[2]. With Ransomware, a user becomes infected with a Trojan that encrypts files on the hard drive. Then, the attacker demands money from the victim in exchange for the security keys necessary to decrypt the files.

During a RansomWeb attack, an attacker will compromise a web application and remain idle before making noticeable changes or moving large quantities of data. They will configure the website to store some or all of its data in its database using an encrypted format. To unwitting users and administrators of the web application, everything is operating normally. After an extended amount of time, the attacker removes the keys needed to encrypt or decrypt the data, causing the database to become unusable. Soon afterwards, the website owners will receive an email requesting payment for the key in order to unlock the data.      

Reference: RansomWeb: Emerging website threat that may outshine DDoS, data theft, and defacements?



[1]RansomWeb is a new type of threat that installs a malicious piece of code inside a web application holding the site hostage until a “ransom” fee is paid.

[2]Ransomware is a form of malware in which rogue software code effectively holds a user's computer hostage until a "ransom" fee is paid.

Honeypot Data - Top 20's

IP Addresses
106.51.238.74
58.49.58.61 - NEW
115.159.86.48 - NEW
218.246.34.99 - NEW
158.85.253.245 - NEW
82.221.128.206
76.10.175.66 - NEW
91.142.253.133 - NEW
118.98.104.21 - NEW
84.245.33.104
115.159.64.220 - NEW
213.246.49.97 - NEW
174.36.80.49 - NEW
37.61.201.161 - NEW
66.76.174.2 - NEW
221.176.224.90 - NEW
118.238.227.101 - NEW
148.247.67.22 - NEW
73.179.208.124 - NEW
89.38.209.57 - NEW
Most Attacked Usernames / Passwords
root/admin
root/123456]
admin/admin
root/root
admin/(blank password)
ubnt/ubnt
root/(blank password)
admin/password
root/default
root/administrator
root/123456
root/654321
root/zaq1xsw2
root/qazwsx
root/aaaaaa
root/a123456
root/qwerty
root/888888
root/11111111
root/pass123
Most Attacked Ports
445 Microsoft Directory Service
139 NetBIOS Session Service
25 SMTP
22 Secure Shell (SSH)
23 Telnet
110 POP3
3389 Remote Desktop Protocol
80 HTTP
3306 MySQL
8080 HTTP Alternate (Proxy)
135 RCP Locator
3128 Squid Proxy
1433 Microsoft SQL Server
443 HTTPS
21 FTP
1080 Socks (Proxy)
1111 LM Social Server
143 IMAP2
9999 Abyess Web Server
5000 UPnP