Welcome to this week's installment of Rehashed, your weekly recap of the news, as well as other topics of interest, for the week ending May 14, 2016. Today, we're talking about Ransomware, North Korea, Walmart, and more.
CryptXXX Ransomware engineered to stop Kaspersky from helping
The developers of CryptXXX have updated their code and pushed it to production. The changes are cosmetic, but include a full screen lockout that prevents the victim from using the system and new code that stops Kaspersky's CryptXXX decryption tool from working.
Kaspersky didn't waste any time; they pushed an update of their own and countered the CryptXXX changes. Their tool will once again decrypt infected systems.
Card breach at Walmart in Virginia
Where there's smoke, there's usually a fire. In this case, let's hope it isn't true, because if it is, that would be a nightmare.
Last weekend, the Fredericksburg Police Department warned consumers in Central Park that their local Walmart had compromised card readers at an unknown number of checkout stations. Walmart confirmed the law enforcement agency's report. Police believe that the criminals behind the theft are using overlay skimmers.
North Korea named as top suspect in South Korean DIB hack
South Korea's Defense Security Command released a statement that they've opened an investigation into the April 20 hacking at Hanjin Heavy Industries & Construction Co. As expected, they blamed DPRK for the attack, and DPRK issued a strong denial.
The day that story ran, I wrote that the timing seemed odd. That's because I've been hearing whispers from incident responders that Lazarus (a suspected hacking group out of DPRK that is known for targeting DIB, finance, and media) was active again. Lazarus is also the group suspected of hitting Sony in 2014.
A few days later, BAE Systems released a report that a second financial institution using SWIFT had been compromised. In that report, they note several artifacts in the malware mirror those used during Operation Blockbuster (Sony Pictures hack), attributing it to Lazarus.
If you use 7-Zip or bundle it, check to ensure you're using the latest version
7-Zip was patched this week, after researchers found flaws that could allow code execution. The problem, discovered by Cisco's Talos security team, highlights a common risk when it comes to using third-party code – namely that flaws in that external source could impact your own product if you're not vigilant when it comes to updates.
Staffers walking out with personal banking records at FDIC
The FDIC says that about 160,000 personal bank records have walked out of the agency in recent months, after departing employees stored them on thumb drives and left. One of the cases where a staffer took personal data is the subject of a criminal investigation.
Other items of note:
SAP vulnerabilities return from the past
CSO's Dave Lewis has written a brief on the recent issues with SAP, also known as the big box that contains hundreds of consultants.
Microsoft patches flaws used to compromise POS systems
This month's Patch Tuesday addressed a vulnerability that was being used in targeted phishing campaigns. The previously unknown elevation of privilege (EoP) vulnerability enabled the attackers to compromise more than 100 organizations across North America with a POS memory-scraping tool. (See MS16-039)
Microsoft also published their SIR
If you haven't read it yet, Microsoft released their Security Intelligence Report last week.
According to the data, the number of systems that were impacted by malware in the second half of 2015 increased to 20.5%, which represents a jump of 5.5% from the previous six months. Moreover, the report shows that exploit kits were four of the ten most commonly encountered exploits during the second half of 2015.
From time to time, Centripetal Networks will send me a redacted overview of the attacks and various other threats that their customers face.
The latest report pulls together a sample of incidents from April 1 through April 28, 2016. I thought I'd share some of the items as a reminder that most successful attacks start with a small, seemingly innocent event, which then spirals out of control.
- Phishing emails spoofing a company's CEO. This has become a rather common theme lately, which is troubling, because people can be trained to spot this – especially if the attack is generated in batches from a crime kit.
- There were also incidents of SMTP scanning (successful connections), which is great for criminals looking to launch spam runs. Not only will this company have a spam problem to deal with, but they have weak, easily guessable passwords at play too.
- Rogue anti-virus attempts were observed, along with other malicious website visits (including two domains hijacked by the Nuclear Exploit Kit) and hundreds of brute force attempts on SSH (port 22). Another odd item in the list was a block on one network to a website that claims to sell software to record Facebook Messenger communications.
- There were visits logged to kronos[.]com, which at the time was compromised and being used to stage a watering hole attack. Fortunately, there was nothing in the logs to suggest the visit concluded with a compromised host. The attack itself has been tied to a group out of Iran.
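The items above are exactly the "small, seemingly innocent" events a log review can surface early. As an added example (not code from the report or from Centripetal Networks), the script below runs over constructed sample log lines and flags three of them: a CEO display-name spoof whose address is off-domain, repeated SSH failures from one source, and a proxy request to the domain the write-up names as compromised. The executive name, company domain, failure threshold and log formats are assumptions for the example.

```python
import re
from collections import Counter

# Assumed values for this example (not from the report): executive name whose display
# name is spoofed, the company's real mail domain, and the SSH failure threshold.
EXEC_NAMES = {"Jane Doe"}
CORP_DOMAIN = "example.com"
SSH_FAIL_THRESHOLD = 5
# kronos.com is the domain the write-up names as compromised at the time of the report.
WATERING_HOLES = {"kronos.com"}

MAIL_RE = re.compile(r'mail from="([^"<]+?)\s*<([^>]+)>"')
SSH_RE = re.compile(r"sshd failed password for \S+ from (\d{1,3}(?:\.\d{1,3}){3})")
PROXY_RE = re.compile(r"proxy client=(\S+) host=(\S+)")

def is_ceo_spoof(line):
    """True when the display name is an executive's but the address is off-domain."""
    m = MAIL_RE.search(line)
    if not m:
        return False
    display, address = m.group(1).strip(), m.group(2).strip().lower()
    return display in EXEC_NAMES and address.rsplit("@", 1)[-1] != CORP_DOMAIN

def triage(lines):
    """Collect the three kinds of early-stage events the write-up lists."""
    findings = {"ceo_spoof": [], "ssh_bruteforce": {}, "watering_hole": []}
    ssh_failures = Counter()
    for line in lines:
        if is_ceo_spoof(line):
            findings["ceo_spoof"].append(line)
        m = SSH_RE.search(line)
        if m:
            ssh_failures[m.group(1)] += 1
        m = PROXY_RE.search(line)
        if m and m.group(2).lower() in WATERING_HOLES:
            findings["watering_hole"].append((m.group(1), m.group(2)))
    findings["ssh_bruteforce"] = {
        ip: n for ip, n in ssh_failures.items() if n >= SSH_FAIL_THRESHOLD
    }
    return findings

# Constructed sample log lines (invented for this example, not from the report).
SAMPLE_LOGS = [
    'mail from="Jane Doe <jane.doe@mail-outreach.net>" to="cfo@example.com" subj="urgent wire"',
    'mail from="Jane Doe <jane.doe@example.com>" to="cfo@example.com" subj="board deck"',
    "proxy client=10.0.0.12 host=kronos.com status=blocked",
] + ["sshd failed password for root from 198.51.100.7 port 22"] * 6 + [
    "sshd failed password for admin from 203.0.113.9 port 22",
]
```

Calling `triage(SAMPLE_LOGS)` returns one spoofed mail, one source over the SSH threshold, and the single watering-hole request; the on-domain mail and the lone failed login from the second address are not reported.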
Note: A publishing error on my part led to this article running a day early. Please, enjoy this look into the future with my compliments.
See you next week!