Weekly Executive Summary Week Ending October 7, 2016

By Joseph Lorenz on October 7, 2016

Targeted Industries

  • Software
  • Information Technology
  • Media and Entertainment
  • Telecommunications
  • Business Services

Active Threats

  • National Security Agency
  • CtrlSec
  • APT28 Fancy Bear
  • Shadow Brokers
  • Anonymous

Major Events

  • Iran-linked Threat Group Targets Government Organizations
  • MarsJoke Ransomware Encryption Broken by Researchers at Kaspersky Labs
  • Web-Based Keylogger Used to Steal Card Data from eCommerce Sites
  • Vulnerabilities in Insulin Pump Could be Exploited to Trigger an Overdose


Conclusions

Iran-linked Threat Group Targets Government Organizations

An Iran-linked threat group that has been observed attacking organizations in Saudi Arabia has improved its malware tools and expanded its target list to other countries. Palo Alto Networks researchers reported observing attacks launched by this threat actor against financial institutions and technology companies in Saudi Arabia in May 2016.

The campaign, which has been named OilRig, has consisted of weaponized Microsoft Excel spreadsheets that are tracked as “Clayside” documents, combined with a backdoor dubbed “Helminth”. Other attacks aimed at banks in May have also been documented by FireEye researchers. According to Palo Alto Networks researchers, analysis of the group’s activities shows it has also targeted a company in Qatar and government agencies in the United States, Israel, and Turkey. The threat actor behind OilRig uses spear-phishing with malicious macro-based Excel documents to deliver the Helminth backdoor. There are two variants of Helminth: one relies on VBScript and PowerShell scripts, and the other is distributed as an executable file. The executable is delivered by a trojan named “HerHer” and can log keystrokes.

Researchers have found numerous clues and indicators that point to an Iran-based actor, although they admit that such data can be easily forged. One of these indicators is the Persian language used in the malware samples and in information associated with the C&C domains. Palo Alto Networks also discovered an IP address that was mentioned by another security company, Symantec, last year. That report describes the activities of two Iran-based threat groups dubbed Cadelle and Chafer that appear to be linked to these recent events.
Source: Iran-Linked Attackers Target Government Organizations, Apparently Linked Iran Spy Groups Target Middle East (SecurityWeek)


MarsJoke Ransomware Encryption Broken by Researchers at Kaspersky Labs

The recently discovered MarsJoke ransomware has a weakness in its encryption that allowed Kaspersky Lab security researchers to create a decryptor to help users recover their data for free. Though it was first spotted in late August, this ransomware gained more attention last week with its first large-scale spam distribution campaign. MarsJoke has also been referred to as Polygot; the malware copies the previously established CTB-Locker ransomware and mainly targets government agencies and educational institutions.

Analysis of the malware showed security researchers that it mimics all of the features of CTB-Locker, including a graphical interface window, language switch, encryption algorithms, sequence of actions for requesting the encryption key, payment page, and desktop wallpapers. The analysis also revealed that the malware performs a three-stage encryption. In the first stage it places the file in a password-protected ZIP archive with the name of the original file but with the extension “a19”. It then encrypts the archive with the AES-256-ECB algorithm and changes the extension to “a19”. Finally, it deletes the original file and the a19 archive and changes the “a19” extension back to the original file’s extension. Researchers say the biggest mistake the ransomware’s developers made was in how they implemented the pseudo-random number generator used to generate the AES key. A weak random string in the key generator allowed them to enumerate the set of possible keys the generator could produce in just a few minutes on a standard PC. This allowed researchers to take advantage of the developers’ mistake, calculate the AES key for an encrypted file, and break MarsJoke’s encryption.
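The weakness described above, as an added illustration that is not MarsJoke’s code or Kaspersky’s decryptor: a constructed model in which the file key comes from a PRNG seeded with a low-entropy timestamp, so a decryptor can enumerate candidate seeds and use the known ZIP header as a check. AES is replaced by a SHA-256 counter-mode keystream so the example needs only the standard library; the seed, seed range and wire details are assumptions.

```python
import hashlib
import random

# Constructed model (not MarsJoke's actual implementation): the key is derived
# from a PRNG seeded with a low-entropy value (a 32-bit "infection time"), so
# the set of possible keys is small enough to enumerate on a desktop PC.
ZIP_MAGIC = b"PK\x03\x04"  # every file is first wrapped in a ZIP archive


def weak_key(seed: int) -> bytes:
    """32-byte key fully determined by a small seed (the mistake being modelled)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(32))


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES (assumption): SHA-256 counter-mode keystream XORed in."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def recover_key(ciphertext: bytes, seed_lo: int, seed_hi: int):
    """Decryptor side: try each candidate seed; the ZIP header is known plaintext."""
    for seed in range(seed_lo, seed_hi):
        key = weak_key(seed)
        if keystream_xor(key, ciphertext[:4]) == ZIP_MAGIC:
            return seed, key
    return None


def demo() -> bool:
    archive = ZIP_MAGIC + b"\x14\x00" + b"constructed archive body"
    seed = 1475798400  # constructed infection timestamp
    ciphertext = keystream_xor(weak_key(seed), archive)
    # Search one hour either side of the suspected time: 7200 candidates.
    found = recover_key(ciphertext, seed - 3600, seed + 3600)
    return found is not None and keystream_xor(found[1], ciphertext) == archive
```
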

Last week researchers at Kaspersky Lab added MarsJoke (Polygot) decryption keys to its Rannoh Decryptor, which also decrypts files encrypted by Rannoh. Users can get this free decryption tool at www.nomoreransom.org, a campaign set up by private and public institutions joining forces to fight ransomware.
Source: Researchers Break Encryption of MarsJoke Ransomware, RESEARCHERS BREAK MARSJOKE RANSOMWARE ENCRYPTION (SecurityWeek, Threatpost)


Web-Based Keylogger Used to Steal Card Data from eCommerce Sites

According to researchers, more than 100 popular sites have been compromised with web-based keyloggers that are used to steal credit card data as users enter it into online checkout forms. RiskIQ and ClearSky, who collaborated on the research, said that some of the affected eCommerce sites are Everlast Worldwide, the Australian ecommerce site of apparel giant Guess, and Fidelity Investments’ FidelityStore, a site maintained by the third-party firm SwervePoint.

These attacks are being tracked as the “Magecart” campaign. JavaScript code injected into these sites by the attackers captures information entered by users when filling out purchase forms, acting as a man-in-the-middle (MitM) between the victim and the checkout page. In some cases, the malware adds phony form fields to the page to trick the victim into giving the attacker more information. The collected data is exfiltrated over HTTPS to an attacker-controlled server. Loading the keylogger from an external source instead of injecting it directly into the compromised site allows attackers to update the malware easily without re-infecting the site.

While web-based keyloggers and credit card stealers aren’t uncommon, RiskIQ experts believe that these types of attacks are on the rise. Just since March, the threat actors behind this campaign have grown more sophisticated, using bulletproof hosting and attacking a wider range of eCommerce platforms.
Source: Card Data Stolen From eCommerce Sites Using Web Malware, WEB-BASED KEYLOGGER USED TO STEAL CREDIT CARD DATA FROM POPULAR SITES, RiskIQ Findings – PDF (SecurityWeek, Threatpost, RiskIQ)


Vulnerabilities in Insulin Pump Could be Exploited to Trigger an Overdose

Patients and users of Johnson & Johnson insulin pumps were warned this week that vulnerabilities in the devices could be exploited to trigger an overdose. The bugs exist in the OneTouch Ping, a medical device manufactured by Animas Corp. The device manufacturer and Rapid7 security researcher Jay Radcliffe, who discovered the flaws, stress that the probability of the flaws being exploited in the wild is relatively low, because an attacker would need to be in close proximity to the device and would have to have the technical knowledge to exploit it.

The device’s wireless RF protocol communicates in clear text, and this is where the vulnerabilities stem from. An attacker sniffing the 900 MHz band could obtain information about a patient, such as blood glucose results or insulin dosage data. A nearby attacker could use the protocol to spoof the device’s blood glucose meter and cause unauthorized insulin injections, which could potentially lead to a hypoglycemic reaction. According to the researcher, another flaw is in the pairing process between the remote and the device: the remote uses the same five packets to generate a key each time, which makes encryption impossible and makes keys much easier to sniff. Because of the way the pump and the remote communicate with each other, there is no way to prevent replay attacks, in which valid data transmissions are maliciously repeated or delayed. The final vulnerability is this lack of replay prevention; if the attacker used radio transmission equipment, they could potentially carry out an attack from one to two kilometers away.
Source: VULNERABILITIES IN INSULIN PUMPS CAN LEAD TO OVERDOSE, Insulin Pump Vulnerable to Hacking, Johnson & Johnson Warns (Threatpost, NBC News)
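The two protections whose absence the researcher describes (authentication of the meter’s messages and replay prevention), as an added defender-side illustration that is not the OneTouch Ping protocol or Radcliffe’s findings: a constructed dose message carrying a monotonic counter and an HMAC tag, and a receiver that rejects modified or repeated messages. The shared key, wire format and units are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed wire format (assumption): 4-byte big-endian counter ||
# 2-byte dose in hundredths of a unit || 16-byte truncated HMAC-SHA256 tag.
MSG_LEN = 4 + 2 + 16


def build_dose_message(key: bytes, counter: int, dose_centiunits: int) -> bytes:
    """Meter/remote side: sign counter and dose so neither can be altered."""
    body = struct.pack(">IH", counter, dose_centiunits)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:16]
    return body + tag


class PumpReceiver:
    """Pump side: verify the tag first, then enforce a strictly increasing counter."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1  # highest counter accepted so far

    def accept(self, msg: bytes):
        if len(msg) != MSG_LEN:
            return None, "malformed"
        body, tag = msg[:6], msg[6:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            return None, "bad tag"  # spoofed or modified in transit
        counter, dose = struct.unpack(">IH", body)
        if counter <= self.last_counter:
            return None, "replay"  # captured message repeated or delayed
        self.last_counter = counter
        return dose, "ok"


def demo() -> list:
    key = b"\x00" * 32  # constructed; a real pairing would establish a fresh key
    pump = PumpReceiver(key)
    m1 = build_dose_message(key, 1, 150)
    results = [pump.accept(m1)[1], pump.accept(m1)[1]]  # genuine, then replayed
    forged = m1[:4] + struct.pack(">H", 9000) + m1[6:]  # dose changed, tag now stale
    results.append(pump.accept(forged)[1])
    results.append(pump.accept(build_dose_message(key, 2, 150))[1])
    return results  # ['ok', 'replay', 'bad tag', 'ok']
```
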


Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cyber security and business strategies. In order for this website to serve the community, we need to know your concerns and questions about (for example) proper safeguards for the technology you’re looking into or what sets of compliance and governance policies you would need to operate a particular business. The CSCC openly invites you to send your inquiries. We’ll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity.

Mail us at: uhwocscc@hawaii.edu