Yahoo Confirms Breach Affecting 500 Million Users

This week: Yahoo confirms a breach affecting 500 million users, and the Qadars Trojan sets its sights on 18 UK banks.

Breach

Yahoo Confirms Breach Affecting 500 Million Users

Internet giant Yahoo has admitted to a 2014 intrusion that compromised at least half a billion user accounts, making it the largest disclosed data breach at the time. The stolen information included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt, according to Yahoo), and in some cases encrypted and unencrypted security questions and answers.

Based on its investigation, Yahoo believes the breach was the work of a “state-sponsored actor,” but it has not named the country involved or said how the intrusion came to light almost two years after the fact.

Yahoo has urged affected users to change their passwords and is invalidating unencrypted security questions and answers so they can no longer be used to access an account.

References: Yahoo Hit in Worst Hack Ever, 500 Million Accounts Swiped | Yahoo Says Hackers Stole Data on 500 Million Users in 2014 | Yahoo Admits 500 Million Hit In 2014 Breach

Mitigation Strategies:

  • Intrusion detection system (IDS) signatures could flag the intrusion and the network anomalies around it
  • Log management could detect suspicious user account activity, such as one source address reaching many accounts. Retain logs long enough that, two years later, you can still reconstruct what a malicious user did
  • Netflow traffic may also reveal large data transfers and potential data leakage
  • A file integrity monitoring (FIM) solution would detect file modifications or additions on the compromised systems
  • A Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection
  • A deep packet forensic analyzer would be key to the investigation, tracking the activities of the malicious actors
  • Change your Yahoo password, and change it on any other site where you reused the same password
  • Change your security questions and answers on Yahoo and on any other site where you used the same ones. Security questions are an account-recovery mechanism, not a second factor, and stolen answers can be replayed anywhere they were reused
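
The log management point above is the one most directly tied to how a breach of this kind is found and scoped, so here is an added example of the review it describes. This is not code from the original post; the log line format, field names, source addresses and thresholds are all constructed for illustration. It parses authentication-log lines and flags any source address that successfully signs in to many distinct accounts within a short window, which is how bulk account access or credential stuffing shows up in logs, and it answers the retrospective question the bullet raises: which accounts did a given source touch.

```python
"""Added example: review an authentication log for bulk account access.
Not code from the original post; the log format is hypothetical."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: one source address signs in to six different
# accounts in eight seconds, while a normal user logs in from one address.
# One malformed line is included to show the parser skipping it.
SAMPLE_LOG = """\
2014-08-03T02:14:07Z auth src=203.0.113.9 user=alice result=success
2014-08-03T02:14:09Z auth src=203.0.113.9 user=bob result=success
2014-08-03T02:14:10Z auth src=203.0.113.9 user=carol result=success
2014-08-03T02:14:12Z auth src=203.0.113.9 user=dave result=success
2014-08-03T02:14:13Z auth src=203.0.113.9 user=erin result=success
2014-08-03T02:14:15Z auth src=203.0.113.9 user=frank result=success
2014-08-03T09:00:00Z auth src=198.51.100.4 user=alice result=success
2014-08-03T09:05:00Z auth src=198.51.100.4 user=alice result=failure
this line is malformed and must not break the review
2014-08-04T09:00:00Z auth src=198.51.100.4 user=alice result=success
"""

# Hypothetical line format: "<ISO timestamp> auth src=<ip> user=<name> result=<success|failure>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_auth_log(text):
    """Return (timestamp, src, user, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group("src"), m.group("user"), m.group("result")))
    return events


def bulk_access_sources(events, window=timedelta(minutes=10), min_accounts=5):
    """Map each source address that successfully signs in to at least
    `min_accounts` distinct accounts within any `window` to every account
    it successfully reached over the whole log."""
    by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "success":
            by_src[src].append((ts, user))
    flagged = {}
    for src, logins in by_src.items():
        logins.sort()
        start = 0
        for end in range(len(logins)):
            # shrink the window from the left until it spans at most `window`
            while logins[end][0] - logins[start][0] > window:
                start += 1
            distinct = {user for _, user in logins[start:end + 1]}
            if len(distinct) >= min_accounts:
                flagged[src] = {user for _, user in logins}
                break
    return flagged


def accounts_touched_by(events, src):
    """Every account a source address reached (success or failure); this is
    the question an investigation asks of retained logs after the fact."""
    return sorted({user for _, s, user, _ in events if s == src})


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_LOG)
    for src, users in bulk_access_sources(events).items():
        print("%s signed in to %d accounts: %s"
              % (src, len(users), ", ".join(sorted(users))))
```

The thresholds (five accounts in ten minutes) are a starting point; on a consumer-scale service they need tuning against shared NAT addresses, and the same pass should be run over the retained archive, not only over live logs.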

Malware

Qadars Trojan Sets Sights on 18 UK Banks

The Qadars Trojan first appeared in 2013, configured to attack banks in France, the Netherlands, Australia, Canada and the US. It has recently been updated to target UK financial institutions as well. Qadars supports browser process hooking, form grabbing, cookie theft, web injection attacks, a domain generation algorithm (DGA) that hides its command-and-control infrastructure while letting infected hosts locate it, and an automatic transfer system (ATS) panel for real-time fraudulent transactions.

The updated code shows a high level of sophistication: it displays a fake Windows security update pop-up, and once the user agrees to install the “update,” the trojan uses that click to get past the Windows User Account Control (UAC) prompt and installs a more intrusive module that gives it greater control of the PC.

References: Qadars Trojan Targets 18 UK Banks | Qadars Trojan Returns Bigger and Badder Than Ever Before | Suspected Russia-based Stealth Banking Malware Qadars Trojan Sets Sights on 18 UK Banks

Mitigation Strategies:

  • Anti-virus may detect the infection on the local host, though signature-based detection lags behind new variants such as this one
  • Netflow traffic may reveal outbound connections to countries you do not do business in, which can be an indicator of malicious activity
  • Netflow traffic may also reveal large data transfers and potential data leakage
  • Mail filtering would scan incoming attachments and hyperlinks for malicious links or code
  • Web filtering would prevent users from reaching malicious websites
  • A file integrity monitoring (FIM) solution would detect file modifications or additions

Top 20 Malicious IP Addresses

188.118.2.26 118.170.130.207
46.109.168.179 81.183.56.217
74.208.147.73 114.44.192.128
183.60.48.25 185.110.132.201
87.222.67.194 178.213.33.241
212.129.30.93 74.208.153.31
110.92.217.76 101.51.249.41
106.51.105.199 109.103.183.178
111.91.82.86 104.37.212.23
175.102.6.77 121.18.238.104

*IP addresses provided by Recorded Future.
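
The two NetFlow points in the mitigation lists above (large outbound transfers, and connections to destinations you do not expect) can be checked directly against the IP list on this page. The following is an added example, not code from the original post or from Recorded Future: it loads the 20 addresses above as a blocklist, parses constructed NetFlow-style records (hypothetical fields: start, src, dst, dport, bytes; the traffic is made up), and reports flows that touch the blocklist as well as internal-to-external pairs whose total bytes exceed a threshold. The country-of-destination check needs a GeoIP database and is left out here.

```python
"""Added example: check NetFlow-style records against this page's IP list
and flag large outbound transfers. Not code from the original post."""
import csv
import io
import ipaddress
from collections import defaultdict

# The 20 addresses listed above (attributed on the page to Recorded Future).
BLOCKLIST_TEXT = """
188.118.2.26 118.170.130.207
46.109.168.179 81.183.56.217
74.208.147.73 114.44.192.128
183.60.48.25 185.110.132.201
87.222.67.194 178.213.33.241
212.129.30.93 74.208.153.31
110.92.217.76 101.51.249.41
106.51.105.199 109.103.183.178
111.91.82.86 104.37.212.23
175.102.6.77 121.18.238.104
"""

# RFC 1918 ranges used to decide which side of a flow is "inside".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows (hypothetical format, not real traffic).
# 10.1.2.3 contacts a listed address; 10.1.2.7 pushes ~1.2 GB to one
# external host over two flows.
SAMPLE_FLOWS = """\
start,src,dst,dport,bytes
2016-09-22T01:00:00Z,10.1.2.3,93.184.216.34,443,5120
2016-09-22T01:02:00Z,10.1.2.3,188.118.2.26,443,2048
2016-09-22T01:05:00Z,10.1.2.7,203.0.113.50,22,734003200
2016-09-22T01:30:00Z,10.1.2.7,203.0.113.50,22,524288000
2016-09-22T02:00:00Z,10.1.2.9,198.51.100.8,80,4096
"""


def load_blocklist(text):
    """Parse whitespace-separated IP literals; skip anything that is not one."""
    addrs = set()
    for token in text.split():
        try:
            addrs.add(ipaddress.ip_address(token))
        except ValueError:
            continue
    return addrs


def parse_flows(text):
    """Parse CSV flow records into dicts with typed src/dst/bytes fields."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        flows.append({
            "start": row["start"],
            "src": ipaddress.ip_address(row["src"]),
            "dst": ipaddress.ip_address(row["dst"]),
            "dport": int(row["dport"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def blocklist_hits(flows, blocklist):
    """Return (start, src, dst) for every flow with a listed address at either end."""
    return [(f["start"], str(f["src"]), str(f["dst"]))
            for f in flows if f["src"] in blocklist or f["dst"] in blocklist]


def large_outbound(flows, threshold_bytes=1_000_000_000):
    """Sum bytes per internal->external pair; return the pairs over the threshold."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(str(f["src"]), str(f["dst"]))] += f["bytes"]
    return {pair: total for pair, total in totals.items()
            if total >= threshold_bytes}


if __name__ == "__main__":
    blocklist = load_blocklist(BLOCKLIST_TEXT)
    flows = parse_flows(SAMPLE_FLOWS)
    for hit in blocklist_hits(flows, blocklist):
        print("blocklist hit:", hit)
    for (src, dst), total in large_outbound(flows).items():
        print("large outbound transfer: %s -> %s, %d bytes" % (src, dst, total))
```

Summing per source/destination pair across flows matters because a long transfer is exported as many flow records as the router's active timeout expires; looking at individual records would miss it. The byte threshold should be set from a baseline of normal traffic for the host class in question.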