Weekly Executive Summary Week Ending July 22, 2016

By Joseph Lorenz on July 22, 2016

Targeted Industries

  • Telecommunications
  • Internet Hosting
  • Information Technology
  • Software
  • Banking

Active Threats

  • Phineas Fisher
  • Anonymous
  • Inj3ct0r Team
  • National Security Agency
  • Lizard Squad

Major Events

  • Banking Trojan “Lurk” Deployed Through Remote Desktop Software Ammyy Admin
  • Internet Scan Reveals More Than 100 Critical Infrastructures Exposed Online
  • Rio Olympics Opens Hacking Possibilities for Threat Actors
  • Over 10,000 SAP HANA and SAP TREX Customers at Risk, Because of Critical Vulnerabilities

Conclusions

Banking Trojan “Lurk” Deployed Through Remote Desktop Software Ammyy Admin

Ammyy Admin, a remote administration tool, was being used to deliver malware through its main website. One of the payloads was a banking trojan called Lurk. It has been around for five years, experts estimate that it has helped cybercriminals steal $45 million, and it has mostly been used to target Russian financial institutions. The malware can affect both Apple OS X and Microsoft Windows systems, where it searches for and gathers banking information, including passwords and other account details. Researchers at Kaspersky Lab first spotted the malware on the website in early February 2016; Ammyy's developers were notified and cleaned up their systems. The attackers must have retained access or compromised the site again, though, because in April the site started delivering a modified version of Lurk specifically designed to target corporate networks.

Numerous businesses use remote desktop services to communicate with other employees through conferences and presentations, and employees may enjoy the convenience of completing work at home or just out of the office. System administrators also tend to use these technologies to manage network computers and servers remotely, whether to assist colleagues with IT problems or to configure network and firewall settings.

The Lurk trojan is usually delivered using watering hole attacks, a technique in which cyber criminals study which websites their intended victims visit often and then plant malicious code on one of those sites. It's believed the criminals were counting on many administrators not becoming suspicious if security products flagged a threat, because some antivirus products had already flagged the Ammyy software after the application had been leveraged for malicious purposes numerous times.
Source: Lurk Banking Trojan Delivered via Ammyy Website (SecurityWeek)


Internet Scan Reveals More Than 100 Critical Infrastructures Exposed Online

In the fall of 2015, researchers at Wache of Berlin conducted an Internet scan of the IPv4 address space with the intent of finding specific routers used by industrial control systems (ICS). One researcher, Tim Philipp Schafers, instead started to uncover unauthenticated web applications used as ICS management interfaces that were publicly reachable online. The researchers noticed a pattern in the HTTP headers and wrote a Python script to search for that pattern across the public IPv4 space. More than 100 systems turned up in the results, including hydropower plants; around half of them required authentication, while the rest did not and were accessible at administrator level.

Experts have been publishing advisories for years about the serious lack of security in supervisory control and data acquisition (SCADA) and ICS systems, and a simple Shodan or custom search will clearly highlight this problem. Some of the most alarming finds in Internet Wache's report are the hydropower facilities: three of the Human Machine Interface (HMI) systems were in Germany, and one near Munich services 80,000 people with drinking water. According to Wache, researchers were able to read data from sensors on water consumption and other plant-related values. Those values could then be manipulated so that operators would believe processes were running normally even though they were not, and one plant had access to pumps, which could make it possible to disrupt a city's water supply.

Schafers says that “awareness about security in ICS and SCADA systems remains low,” and that while services like Facebook are exceptionally secure because of their popularity, we need to be aware of the infrastructure systems that control our critical resources.
Source: Scan Reveals Hydropower Plants, Other Critical Infrastructure Exposed Online (ThreatPost)


Rio Olympics Opens Hacking Possibilities for Threat Actors

An event as big as the Olympics draws in thousands of spectators, and this year's host, Rio de Janeiro, is expected to spend more than $12 billion in total. Sponsors such as Coca-Cola, McDonald's, and Nike will be spending hundreds of millions of dollars to make sure their names are recognized at the event, and security experts warn that cyber criminals will be taking advantage of these opportunities.

Fraudulent sites are going to be a key area for hackers and are one of the most common ways Olympic customers are taken advantage of. These fake sites target a specific organization by using the company's name in the domain name, using a variant spelling of the brand, or using the organization's name with an uncommon website extension (e.g. companyname.net, companyname.de, companyname.eu, etc.). Another targeted area will be mobile applications. Because of the complexity of app stores, sponsoring organizations are having more difficulty monitoring their mobile presence. Fake applications for the 2016 games are already appearing in app stores around the world, and shady developers will try to get users to grant their apps access to content on their devices. Many major events create mobile applications that are never updated once the event is over, which leaves an opportunity for threat actors to exploit these legitimate applications.
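The three impersonation patterns above (brand name embedded in the domain, a misspelled brand, and the brand with an unexpected extension) can be turned into a brand-protection check. The following is an added example, not code from the original post; the allow-list of brand labels and their legitimate TLDs is constructed, and the `companyname` placeholder is the one the summary itself uses.

```python
# Constructed allow-list (hypothetical values): brand label -> TLDs the brand legitimately uses.
BRANDS = {"companyname": {"com"}, "olympicstore": {"com", "org"}}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two labels, used to catch one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (registrable label, tld) for names like 'label.tld' or 'sub.label.tld'.
    Assumes a single-part TLD; multi-part suffixes such as .co.uk are out of scope here."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2], parts[-1]


def classify(domain: str):
    """Return None when the domain is on the allow-list or unrelated to any brand,
    otherwise a short reason describing which impersonation pattern it matches."""
    label, tld = split_domain(domain)
    for brand, tlds in BRANDS.items():
        if label == brand and tld in tlds:
            return None                       # exact registered brand domain
        if label == brand:
            return f"brand label with unexpected TLD .{tld}"   # companyname.eu style
        # Distance threshold of 2 suits brand labels of this length; shorter brands
        # would need a tighter threshold to avoid false positives.
        if levenshtein(label, brand) <= 2:
            return f"misspelling of {brand}"
        if brand in label:
            return f"brand name embedded in {label}"           # companyname-tickets style
    return None


if __name__ == "__main__":
    # Constructed sample domains, as they might appear in a newly registered domain feed.
    for d in ["companyname.com", "companyname.eu", "companyanme.com",
              "www.companyname-tickets.com", "example.org"]:
        print(f"{d:32} -> {classify(d)}")
```

A real deployment would feed newly registered domains or certificate transparency logs into `classify` and route hits to the brand-protection or takedown process.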

Given Brazil's notorious reputation for a large concentration of hackers, spectators and customers should be cautious in all of their Olympic transactions. According to Symantec's 2016 Internet Security Threat Report, Brazil ranks eighth in the world for bot-based cybercrime. Companies should therefore be cautious of employees who travel to the Olympics and connect to the business with their personal mobile devices; those devices may have been infected and could introduce malware into the company's systems.
Source: Rio 2016: The world is watching, especially hackers, Experts warn of hacking threat at Rio Olympics (HelpNetSecurity, CNBC)


Over 10,000 SAP HANA and SAP TREX Customers at Risk, Because of Critical Vulnerabilities

SAP HANA, a cloud-based business platform, recently fixed 15 vulnerabilities that could allow a remote attacker to gain high-level privileges on a system and acquire unrestricted access to a company's information. A “high-risk” injection via an HTTP request bug and an SQL injection bug could allow a hacker to get at the audit logs and hide any evidence of their attacks. Attackers could use a remote execution bug to access and modify SAP data, though usually only one can be done at a time. When a user attempts to log into a SAP HANA database through the SQL interface and fails, they are given the message “invalid username or password,” but if the login fails for a username that exists or is locked, they get a different message. A hacker can then write a simple script to identify legitimate usernames in the system based on which error message is received.
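The username enumeration problem described above comes from a login handler whose failure message depends on account state. Below is an added example, not SAP code: a constructed account store with a leaky handler beside a hardened one that returns a single failure message and always performs the password hash, plus a regression check a defender can keep in a test suite.

```python
import hashlib
import hmac

ITERATIONS = 10_000  # kept low so the example runs quickly; use a higher count in production


def _h(password: str, salt: str = "demo-salt") -> bytes:
    """Salted PBKDF2 hash of a password (fixed salt only for this constructed example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS)


# Constructed sample accounts (hypothetical, not real SAP HANA data).
ACCOUNTS = {
    "alice": {"hash": _h("correct horse"), "locked": False},
    "bob":   {"hash": _h("hunter2"),       "locked": True},
}


def login_verbose(username: str, password: str) -> str:
    """Leaky handler: the message (and the early return) reveal whether the
    username exists and whether it is locked."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        return "invalid username or password"
    if acct["locked"]:
        return "user is locked"
    if not hmac.compare_digest(acct["hash"], _h(password)):
        return "invalid password"
    return "ok"


DUMMY_HASH = _h("placeholder")  # compared against for unknown users so timing stays uniform


def login_uniform(username: str, password: str) -> str:
    """Hardened handler: one failure message for every cause, and the hash
    comparison runs even when the username does not exist."""
    acct = ACCOUNTS.get(username, {"hash": DUMMY_HASH, "locked": True})
    ok = hmac.compare_digest(acct["hash"], _h(password)) and not acct["locked"]
    return "ok" if ok else "invalid username or password"


def leaks_account_state(login_fn) -> bool:
    """Regression check: do failed logins for a missing, a locked and a
    wrong-password account produce more than one distinct message?"""
    failures = {login_fn("nobody", "x"), login_fn("bob", "x"), login_fn("alice", "x")}
    return len(failures) > 1
```

The same check should also compare response timing, since an early return for unknown users leaks the same information as a distinct message.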

SAP HANA uses in-memory database technology to speed up normal processes, which allows businesses to do real-time analytics on applications and databases. Large companies like Procter & Gamble, AmerisourceBergen, and Dell use SAP HANA's platform in their business analytics to collect and process big data. Although it was reported that 10,000 SAP customers were affected by these vulnerabilities, those customers are usually large businesses that have their own enormous sets of customers.

In May 2016 the United States Computer Emergency Readiness Team (US-CERT) urged SAP users to verify whether they were running outdated or misconfigured systems. Nahuel Sanchez, a researcher at Onapsis, claims that the advisories posted by SAP are just the start of a long list of disclosures to come, and the company plans to disclose 40 vulnerabilities in both SAP and Oracle within the next month.
Source: 15 Vulnerabilities in SAP HANA Outlined, Vulnerabilities affecting SAP HANA and SAP Trex put 10,000 customers at risk (ThreatPost, HelpNetSecurity)


Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cyber security and business strategies. In order for this website to serve the community, we need to know your concerns and questions about (for example) proper safeguards for the technology you're looking into or what sets of compliance and governance policies you would need to operate a particular business. The CSCC openly invites you to send your inquiries. We'll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity.

Mail us at: uhwocscc@hawaii.edu