Weekly Executive Summary Week Ending August 5, 2016
By Joseph Lorenz on August 5, 2016
Targeted Industries
- Software
- Information Technology
- Healthcare
- Banking
- Media and Entertainment
Active Threats
- Anonymous
- CtrlSec
- Anonymous Guatemala
- Inj3ct0r Team
- Poodle Corp
Major Events
- Researchers at Black Hat Conference Use Stolen EMV Card Data to Hack ATMs
- Apple Has Announced That It Will Be Offering Up to $200,000 in a Long-Awaited Bug Bounty Program
- “Zeus Panda” Banking Trojan Targets 10 Major Brazilian Banks
- Banner Health Breach Leaves Personal Data of 3.7 Million Individuals Exposed
Conclusions
Researchers at Black Hat Conference Use Stolen EMV Card Data to Hack ATMs
EMV (Europay, MasterCard, Visa) cards, or chip-and-PIN cards, are thought to be much more secure than their magnetic stripe counterparts and have been used for years in Europe. Researchers at Rapid7 put this idea to the test at the 2016 Black Hat conference. With magnetic stripe cards, criminals use skimmers on ATMs to obtain data, hack into point-of-sale systems, or simply purchase the data from cybercrime marketplaces. This data is then encoded onto blank cards, which can be used to make purchases or withdrawals from cash machines. Data obtained by these methods is valid until the issuer cancels the payment card, which could be a long time given that many breaches aren’t found until many months after they’ve happened. EMV cards, on the other hand, store data that is dynamic and only valid for a very short period of time. This led researchers to believe that this type of data will be available for sale on underground markets, though sellers will need to attach transaction timeframes to ensure the data is still valid.
Weston Hecker, a researcher at Rapid7, managed to build a machine that can be used to get an ATM to dispense cash from the accounts of EMV cardholders. His setup uses a shimming device (essentially a skimmer for EMV cards) to send data remotely to another device called “La-Cara”, which costs around $2000 to build and is placed into an ATM. Once the data has been transmitted in real time from the compromised PoS system to the La-Cara system, an attacker is able to withdraw money from a victim’s card. Rapid7 has determined that the method can get the ATM to dispense between $20,000 and $50,000 in only 15 minutes.
Source: Researchers Bypass CHIP-and-PIN Protections at Black Hat, New ATM Hacking Method Uses Stolen EMV Card Data (Threatpost, SecurityWeek)
Apple Has Announced That It Will Be Offering Up to $200,000 in a Long-Awaited Bug Bounty Program
Ivan Krstić, the head of security engineering and architecture for Apple, announced at Black Hat USA 2016 that the company would finally be offering a bug bounty program in September 2016. The program will be a little different at its launch because only a few dozen selected researchers will be asked to participate, rather than it being open to the public. Bug reports from other bug hunters can be submitted, but may only be reviewed if the flaw is deemed critical enough. Apple will pay up to $200,000 for flaws and vulnerabilities found in iOS or iCloud, with the amount based on the severity and exploitability of the bug.
There have been reports that the FBI paid a bug hunter for a zero-day exploit, which allowed them to access the encrypted contents of the iPhone of the San Bernardino gunman. A team of researchers from Johns Hopkins University discovered a zero-day flaw in Apple’s iOS encryption. These might be some of the reasons that Apple has decided to offer bug bounties like its larger competitors Microsoft and Google.
Source: Apple Finally Announces Bug Bounty Program, Apple Offers up to $200,000 in Bug Bounty Program (HelpNetSecurity, SecurityWeek)
Zeus Panda Banking Trojan Targets 10 Major Brazilian Banks
A variant of the infamous Zeus malware, now being called Panda, is a modified version of the banking trojan that has been altered to target Brazilian banks and other locally popular services. IBM researchers found key indicators in its configuration file that Panda is targeting Brazil, such as URLs of major local banks. The malware also tried to infect users who access delivery services for a Brazilian supermarket chain, local law enforcement websites, and local network security hardware vendors.
The malware’s capabilities include stealing login credentials and injecting malicious code into ongoing web sessions by showing bogus web forms for users to fill out with sensitive information. IBM believes that the group behind this campaign is probably a well-organized, professional cybercrime outfit, and that at least some members are located in Brazil. The cyber gang distributes the Trojan via exploit kits and spam emails that carry booby-trapped Word documents.
TechCrunch recommends that you not open strange attachments or follow suspicious links to avoid Trojans like Panda, and notes that it takes vigilance and savvy IT to keep these types of attack at bay.
Source: Zeus Panda variant targets Brazilians, wants to steal everything, Banking Trojan Zeus Panda shambles into Brazil ahead of Olympics (HelpNetSecurity, TechCrunch)
Banner Health Breach Leaves 3.7 Million Individuals Exposed
One of the largest non-profit healthcare systems, Banner Health, is warning 3.7 million patients, staff, and food and beverage customers that their personal data may have been stolen in a security breach that started on June 23. The breach was discovered on July 7. Attackers had gained access to the systems that process payment card data in some of its food and beverage outlets. It’s possible that anyone who bought anything from certain outlets with a payment card between June 23 and July 7 could be affected. Further investigation led to the discovery that attackers had gained access to systems holding patient and health plan information. Banner stated that they “immediately launched an investigation, hired a leading forensics firm, took steps to block the cyber attackers and contacted law enforcement,” but they didn’t specify which forensic firm.
In recent years PHI (protected health information) has become more lucrative than credit card data, mostly because payment cards are relatively easy to change while identities are much more difficult to change. For this reason PHI has a higher resale value on the black market and is becoming more sought after.
Source: 3.7 Million Exposed in Banner Health Breach (SecurityWeek)
Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cyber security and business strategies. In order for this website to serve the community, we need to know your concerns and questions about (for example) proper safeguards for the technology you’re looking into or what sets of compliance and governance policies you would need to operate a particular business. The CSCC openly invites you to send your inquiries. We’ll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity.
Mail us at: uhwocscc@hawaii.edu