Weekly Executive Summary Week Ending September 9, 2016

By Joseph Lorenz on September 9, 2016

Targeted Industries

  • Software
  • Media and Entertainment
  • Information Technology
  • Telecommunications
  • Manufacturing

 

Active Threats

  • National Security Agency
  • Anonymous
  • CtrlSec
  • Cracka With Attitude
  • Armada Collective

 

Major Events

  • Linux Trojan Backdoor ‘Mirai’ Targets IoT Devices
  • Ransomware Disguises Itself as Phony Government Agency
  • Russian Web Portal Rambler.ru Hacked and 100 Million Users Exposed
  • Customers Can Open New HSBC Bank Accounts With Selfies

 

Conclusions

Linux Trojan Backdoor ‘Mirai’ Targets IoT Devices

A new Linux Trojan backdoor targeting Internet of Things (IoT) devices has been dubbed Linux/Mirai. Earlier variants of the malware have circulated under other names such as Gafgyt, Lizkebab, BASHLITE and Torlus.

The backdoor infects systems over SSH or Telnet when the device still uses its default credentials. Once shell access is gained, the attacker executes the malware (sometimes without any parameters). The malware opens the /dev/watchdog device in read-write mode, so the hardware watchdog cannot reboot the device out from under it, and changes its working directory to the root directory. It then creates a PF_INET socket and opens UDP port 53 toward Google's DNS server at 8.8.8.8 to establish a connection. The backdoor also contains a scanner function that lets it find and infect other nodes with a reachable telnetd.

Mirai uses several tactics to evade detection and stay hidden. First, it delays the start of its operations to avoid early detection: the malware waits until it is sure the opened backdoor port is up and in use. Finally, the trojan deletes its own binary from the infected device while the malicious process keeps running in memory. A file-system scan of the device therefore finds nothing, but the infection does not survive a reboot; the device is simply reinfected afterwards if its credentials are still the defaults.

Researchers at MalwareMustDie say that a string spotted in the Mirai code, "/dvrHelper", suggests it targets DVRs and IP cameras. The malware could also give attackers access to unattended Linux servers. The backdoor is thought to be the next generation of BASHLITE, a botnet recently found to have infected millions of IoT devices.
Sources: Mirai Linux Backdoor Targets IoT Devices (SecurityWeek); Mirai trojan aims to hit Linux-based IoT devices (OpenSourceForU)


Ransomware Disguises Itself as Phony Government Agency

Security researcher MalwareHunterTeam has discovered a new ransomware family known as CryLocker. It pretends to come from a fictitious organization called the Central Security Treatment Organization and carries a seal that borrows the crest, branches and stars from the FBI logo and the eagle's head from the CIA logo. When a computer is infected, the ransomware encrypts the victim's files and appends the .cry extension to each of them. The victim is then told to pay approximately 1.1 bitcoin (about $625 at the time) to receive a decryption key. The ransomware is still being analyzed, but it is known to have infected about 8,000 victims in almost two weeks.

The malware uses UDP to send information about the infected machine, including its Windows version, whether it is 32- or 64-bit, the installed service pack, the computer name and the CPU type, to over 4,000 IP addresses. According to security researchers, this is an attempt to make it harder for authorities to pinpoint the location of the command-and-control server, since the real server is hidden among thousands of decoy destinations. Besides UDP, the ransomware abuses Imgur and Google Maps. It collects the host data, sends it to those IP addresses, and also embeds it in a PNG image file that it uploads to an Imgur photo gallery. It also gathers the Service Set Identifiers (SSIDs) of nearby wireless networks and queries the Google Maps API with them to determine the victim's approximate location.

While the malware was not actually discovered until Sept. 1, 2016, it appears that the developer behind Cry began testing the ransomware several days earlier.
Sources: Cry Ransomware Uses UDP, Imgur, Google Maps (Threatpost); The CryLocker Ransomware Communicates using UDP and stores data on Imgur.com (BleepingComputer)
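Both the Mirai telnet scanner described above and CryLocker's UDP beacon to thousands of addresses show up on the network in the same shape: one source talking to an unusually large number of distinct destinations on a single port in a short time. The following added example (not code from either of the cited analyses) runs that check over constructed flow records. The "ts src dst proto dport" log format, the 60-second window, the threshold of 50 distinct destinations and port 4444 for the sample beacon are all assumptions chosen for illustration.

```python
"""Fan-out detection over constructed flow records (added example)."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set, Tuple


class Flow(NamedTuple):
    ts: int       # epoch seconds
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one 'ts src dst proto dport' record; malformed lines yield None."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    if not (ts.isdigit() and dport.isdigit()) or proto not in ("tcp", "udp"):
        return None
    return Flow(int(ts), src, dst, proto, int(dport))


def build_sample_log() -> List[str]:
    """Constructed flow records, not real telemetry. Addresses come from
    documentation/test ranges; port 4444 is an arbitrary choice for the sample."""
    base = 1473379200  # arbitrary start time (2016-09-09 00:00:00 UTC)
    lines: List[str] = []
    # Benign workstation: DNS to 8.8.8.8 plus HTTPS to a handful of servers.
    for i in range(20):
        lines.append(f"{base + i} 192.168.1.20 8.8.8.8 udp 53")
        lines.append(f"{base + i} 192.168.1.20 93.184.216.{i % 4} tcp 443")
    # Mirai-like camera: telnet probes to 300 distinct hosts in 30 seconds.
    # It also talks to 8.8.8.8 on UDP/53, exactly like the benign host, which
    # is why that connection alone is not a usable indicator.
    lines.append(f"{base} 192.168.1.50 8.8.8.8 udp 53")
    for i in range(300):
        dst = f"198.51.100.{i}" if i < 256 else f"203.0.113.{i - 256}"
        lines.append(f"{base + i // 10} 192.168.1.50 {dst} tcp 23")
    # CryLocker-like host: one UDP datagram to each of 4096 distinct addresses.
    for i in range(4096):
        dst = f"100.64.{i // 256}.{i % 256}"
        lines.append(f"{base + 120 + i // 100} 10.0.0.12 {dst} udp 4444")
    return lines


def detect_fanout(lines: List[str], window_s: int = 60, threshold: int = 50) -> List[dict]:
    """Flag (src, proto, dport) tuples that reach >= threshold distinct
    destinations inside one fixed window of window_s seconds.

    Counting distinct destinations rather than packets means a chatty but
    normal client (thousands of DNS queries to one resolver) is never flagged,
    while a scanner or a decoy-flooding beacon is, regardless of packet rate.
    """
    buckets: Dict[Tuple[str, str, int, int], Set[str]] = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        buckets[(flow.src, flow.proto, flow.dport, flow.ts // window_s)].add(flow.dst)

    findings = []
    for (src, proto, dport, bucket), dsts in buckets.items():
        if len(dsts) >= threshold:
            findings.append({
                "src": src, "proto": proto, "dport": dport,
                "window_start": bucket * window_s, "distinct_dsts": len(dsts),
            })
    findings.sort(key=lambda f: f["distinct_dsts"], reverse=True)
    return findings


if __name__ == "__main__":
    for finding in detect_fanout(build_sample_log()):
        print(finding)
```

Run stand-alone it reports two findings, the camera on tcp/23 and the beaconing host on udp/4444, and nothing for the workstation. The fixed-window bucketing is the simplest form; a scan that straddles a window boundary is split across two buckets, so a production version would use a sliding window or a lower threshold per bucket.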


Russian Web Portal Rambler.ru Hacked and 100 Million Users Exposed

One of Russia's largest web portals, Rambler.ru, which offers web search, news aggregation, email, e-commerce and other services, has suffered a breach. LeakedSource has confirmed the breach, which affected nearly 100 million users of the site. The leak contains 98,167,935 records, each holding a username, password, ICQ number and some other internal data.

At the time of the breach Rambler stored its passwords in clear text, which revealed that many users chose extremely predictable passwords. Some of the most common were "asdasd", "asdasd123", "123456" and "000000". Because nothing was hashed, every one of the 98 million passwords is immediately usable, and any user who reused a Rambler password elsewhere remains exposed to credential stuffing years after the intrusion. The same individual who provided the data dump from the 2012 Last.fm breach (which affected 43 million accounts) has given LeakedSource the Rambler dump. The hack behind this leak has been dated to February 17, 2012, making it the latest in a series of recently revealed breaches that date back to 2012.
Sources: Rambler.ru hack: Passwords of nearly 100 million users exposed (Help Net Security); 100 Million Accounts Stolen From Russian Web Portal Rambler (SecurityWeek)
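Rambler's cleartext storage is what turned a four-year-old dump into 98 million immediately usable passwords. The following added example is not Rambler's code (the summary says only that passwords were kept in clear text); it places a cleartext store beside a salted PBKDF2 store to show the difference to someone holding the dump: in one case the password tally and every login are available instantly, in the other each record must be cracked. The deny-list holds only the four passwords named above, and the 12-character minimum is an arbitrary policy chosen for illustration.

```python
"""Cleartext password storage beside a hardened form (added example)."""
import hashlib
import hmac
import os
from typing import Dict

# The four passwords named in the Rambler dump above; a production deny-list
# would be the full set of known-breached passwords, not four entries.
COMMON_PASSWORDS = {"asdasd", "asdasd123", "123456", "000000"}

# --- Vulnerable: a cleartext store. A copy of this dict IS the breach. ---

def store_cleartext(db: Dict[str, str], username: str, password: str) -> None:
    db[username] = password


def check_cleartext(db: Dict[str, str], username: str, password: str) -> bool:
    return db.get(username) == password


def audit_cleartext_dump(db: Dict[str, str]) -> Dict[str, int]:
    """What anyone holding a cleartext dump can compute instantly: how many
    accounts share each password. With hashed storage the same tally requires
    cracking every record first."""
    counts: Dict[str, int] = {}
    for password in db.values():
        counts[password] = counts.get(password, 0) + 1
    return counts

# --- Hardened: salted, slow hash; reject known-bad passwords at enrollment. ---

PBKDF2_ITERATIONS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256
ALGORITHM = "pbkdf2_sha256"


def password_allowed(password: str) -> bool:
    """Minimal enrollment policy (illustrative): length plus a deny-list check."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS


def store_hashed(db: Dict[str, str], username: str, password: str) -> None:
    if not password_allowed(password):
        raise ValueError("password rejected by policy")
    salt = os.urandom(16)  # per-user salt: identical passwords get different records
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    db[username] = f"{ALGORITHM}${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def check_hashed(db: Dict[str, str], username: str, password: str) -> bool:
    record = db.get(username)
    if record is None:
        # Do the same amount of work for unknown users so response time does
        # not reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), b"\x00" * 16, PBKDF2_ITERATIONS)
        return False
    algorithm, iterations, salt_hex, dk_hex = record.split("$")
    if algorithm != ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the position of a mismatch leaks nothing.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    leaked: Dict[str, str] = {}
    for user, pw in [("u1", "asdasd"), ("u2", "123456"), ("u3", "asdasd"), ("u4", "000000")]:
        store_cleartext(leaked, user, pw)
    print("cleartext dump tally:", audit_cleartext_dump(leaked))

    safe: Dict[str, str] = {}
    store_hashed(safe, "alice", "correct horse battery staple")
    print("stored record:", safe["alice"])
    print("login ok:", check_hashed(safe, "alice", "correct horse battery staple"))
```

The stored record carries its own algorithm name and iteration count, so the cost can be raised later and old records re-hashed on the user's next successful login. PBKDF2 is used here because it is in the Python standard library; a memory-hard function such as Argon2id or scrypt is the better choice where a library for it is available.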


Customers Can Open New HSBC Bank Accounts With Selfies

HSBC (Hongkong and Shanghai Banking Corporation) is adopting smartphone-based biometrics as a form of customer authentication. Other companies adopting similar techniques include MasterCard (selfie), Barclays (voice) and Bank of Montreal (selfie or fingerprint).

Customers can open new accounts by taking a selfie to verify their identity. A photo ID uploaded by the customer, from either a driver's licence or a passport, is compared with the selfie using facial recognition software in the mobile application.

The change is intended to simplify and speed up opening a new account from a mobile device; the company says almost half of its business accounts are already opened online. Biometric security is becoming more common because it is more convenient for customers and the technology has become much more affordable. These biometric techniques come with their own flaws, though. According to SecurityWeek, the technologies have historically been prone to false positives, that is, accepting someone other than the account holder, and unlike a password, a face or fingerprint cannot be changed once it has been copied.
Sources: HSBC customers can open new bank accounts using a selfie (CNBC); HSBC Allows Selfies for User Authentication (Help Net Security)


Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cyber security and business strategies. In order for this website to serve the community, we need to know your concerns and questions about, for example, proper safeguards for the technology you're looking into or the sets of compliance and governance policies you would need to operate a particular business. The CSCC openly invites you to send your inquiries. We'll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity.

Mail us at: uhwocscc@hawaii.edu