A roundup of this month’s InfoSec headlines

Ian Trump

Flash… a-ah…
Kicking off this month’s inbox is the Advanced Persistent Threat (APT) that is Adobe’s Flash. US-CERT announced more than 15 vulnerabilities, and you know it’s bad when yours truly gets a call from a security monthly looking for a quote. I said that if there is “no business reason for Flash on workstations and servers, it’s an advanced persistent threat to your business”. The publication felt that might be a little harsh, so I said, “Having Adobe Flash on a workstation or server with no valid business reason is the cyber equivalent of giving a loaded gun to a five-year-old.” They went with my first quote.

Given what arrived in my inbox, can you really blame me for such a passionate response?

On February 10, 2015, iSIGHT Partners disclosed details behind a cyber espionage campaign using the popular Forbes.com website, and others around the globe, in watering-hole style attacks. This campaign involved the exploitation of two zero-day vulnerabilities – one in Adobe Flash and one in Microsoft Internet Explorer, which was patched as part of the 2.10.15 “Patch Tuesday” cycle.

No lovin’ for Lenovo
I can’t even describe the anger I have for Lenovo this month. SuperFish was a colossally stupid move on the part of Lenovo. It incurred the wrath of the Internet, which resulted in a DNS hijack of the Lenovo website and a DDoS on SuperFish itself. I want this to go to court. I want Lenovo to admit it tried to monetize the one-time sale of hardware by loading “crap-ware”, and I want punitive damages. We will see. A class action is in the works, and a quick Google search yields a never-ending stream of condemnation of Lenovo. I hope it hurts. I never want to see a pre-loaded Man-in-the-Middle (MitM) attack bundled in a hardware product ever again.

From SuperFish to Super Phish…
The cheery news continued with this little tidbit from the Australian publication CSO Online. Businesses around the world lost a total of US$453 million (A$347.4 million) as a result of phishing attacks during December 2014, according to a new report by RSA. The Monthly Online Fraud Report – January 2015 found that there were 46,747 phishing attacks worldwide in December, a 24% decrease from the 61,278 attacks recorded in November 2014.

Are you kidding me, $453 million in one month? And this was down by 24% from November 2014? What are we doing!? Are we even trying to stop the bad guys? I’m demoralised.

One Anthem you don’t want to be singing…
Meanwhile, Anthem (a vast US health insurance company) acknowledged a breach of one of its systems that compromised a massive amount of customer and employee data.

You know it’s going to get interesting when a planeload of Mandiant consultants lands on your doorstep. Apparently, around 80 million customer records may have been affected, because they were held in the database that was hacked. The FBI is already finger-pointing at China’s Deep Panda outfit. Let the lawsuits begin. This is a 2-for-1 data breach and demonstrates the dangers of so-called business-to-business connections when a business partner drops the ball.

Holy s***, Batman…
Moving on… In the real-life-meets-cyber-life category, Trend Micro continued its strong tradition of research on 15 February by publishing a research report on an ongoing malware campaign that targets Israeli victims and leverages network infrastructure in Germany. The campaign has strong attribution ties to Arab parties located in the Gaza Strip; the attacks were designated Operation Arid Viper and Operation Advtravel.

Not to be upstaged by Trend Micro, on 16 February researchers from Kaspersky Lab gave details of the so-called Equation Group (NSA TAO, according to rumors), a hacking operation that they describe as the most sophisticated attack group they have seen thus far of the approximately 60 such groups they currently track. This group pwned the firmware of hard drives, rocking the infosec world with an attack that is both tremendously complicated and specifically targeted at air-gapped systems. A collective “holy sh**” hit the infosec Twittersphere.

On 19 February, the Kaspersky Lab Global Research and Analysis Team announced the discovery of Desert Falcons, a cyber-espionage group targeting multiple high-profile organizations and individuals from Middle Eastern countries. Kaspersky Lab said its experts consider this actor to be the first known Arabic group of cyber mercenaries to develop and run full-scale cyber-espionage operations. In total, Kaspersky Lab experts were able to find signs of more than 3,000 victims in 50+ countries, with more than one million files stolen.

The Intercept dropped a huge story on the Gemalto hack, attributed to the US National Security Agency (NSA) and the UK Government Communications Headquarters (GCHQ). The hack was detailed in a 2010 GCHQ document leaked by former NSA contractor Edward Snowden. Gemalto first denied it had been hacked, only later to admit that it might have been, but said the SIM information was not disclosed. Confusion remains about both the extent of the hacking and what was disclosed; clearly Gemalto is taking a page from Sony’s data breach response.

Big bucks…
Analysis of the Carbanak report ($300m to $1bn in losses, targeting the banking industry) was really interesting and has become a textbook case of IT admin failure.

From the report: “All observed cases used spear phishing emails with Microsoft Word 97 – 2003 (.doc) files attached or CPL files. The doc files exploit both Microsoft Office (CVE-2012-0158 and CVE-2013-3906) and Microsoft Word (CVE-2014-1761).”

It would appear that none of the victims in this case were patched and updated. For the first vulnerability the patch was available two years ago, and for the last one the patch was issued in April 2014.

From the report: “There is evidence indicating that in most cases the network was compromised for between two to four months.”

This indicates that the worst-case scenario is that the banks in question had six months to deploy the appropriate patches but failed to do so.
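The report’s attack chain hinges on two things a mail gateway can see: legacy .doc attachments and CPL files. The following is an added example (my own illustration, not code from the Carbanak report, Kaspersky Lab, or any product) of the kind of attachment check a defender can run over gateway logs. The log line format, sender and recipient addresses, and the sample lines themselves are all constructed for this example; a real gateway will need its own parsing regex.

```python
import re
from collections import Counter

# Constructed mail-gateway log lines (hypothetical format; not from any real gateway).
SAMPLE_LOG = """\
2015-02-20T08:12:04Z from=accounts@example-partner.test to=teller1@bank.test attachment="statement_Q4.doc"
2015-02-20T08:13:41Z from=hr@bank.test to=teller1@bank.test attachment="holiday_schedule.pdf"
2015-02-20T09:02:17Z from=billing@invoice-portal.test to=ops@bank.test attachment="invoice_4471.pdf.cpl"
2015-02-20T09:05:55Z from=newsletter@vendor.test to=ops@bank.test attachment="brochure.docx"
2015-02-20T09:40:02Z from=accounts@example-partner.test to=teller2@bank.test attachment="statement_Q4.doc"
2015-02-20T10:11:30Z from=it@bank.test to=teller2@bank.test attachment="update.cpl"
this line is deliberately malformed and must be skipped
"""

# Regex for the constructed log format above (assumption: one attachment per line).
LOG_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) attachment="(?P<name>[^"]+)"$'
)

# The two attachment types named in the report: legacy binary Word (.doc) and
# Control Panel applets (.cpl). .docx is not flagged because it is the OOXML
# format, not the Word 97-2003 binary format the report describes.
RISKY = {
    "doc": "Word 97-2003 binary document (format used for the CVE-2012-0158 / "
           "CVE-2013-3906 / CVE-2014-1761 lures)",
    "cpl": "Control Panel applet (an executable that masquerades as a document)",
}


def classify(filename):
    """Return a verdict dict for a risky attachment name, or None if it is not risky."""
    if "." not in filename:
        return None
    ext = filename.rsplit(".", 1)[-1].lower()
    if ext not in RISKY:
        return None
    # A second extension (e.g. invoice.pdf.cpl) is a classic disguise; note it.
    double_extension = filename.lower().count(".") > 1
    return {"ext": ext, "reason": RISKY[ext], "double_extension": double_extension}


def scan(log_text):
    """Parse gateway log lines and return one alert dict per risky attachment."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        verdict = classify(m.group("name"))
        if verdict:
            alerts.append({**m.groupdict(), **verdict})
    return alerts


def senders_by_alert_count(alerts):
    """Rank senders by how many risky attachments they delivered (campaign triage)."""
    return Counter(a["sender"] for a in alerts).most_common()


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        flag = " [double extension]" if a["double_extension"] else ""
        print(f'{a["ts"]} {a["sender"]} -> {a["rcpt"]}: {a["name"]}{flag}')
    print("Top senders:", senders_by_alert_count(found))
```

The point of the ranking is the one the report makes: the same lure arriving at several staff from one sender is a campaign, not a stray attachment, and is worth checking against the patch state of the recipients’ workstations.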

I have a different theory: a whole bunch of banks relied on their perimeter security to keep them safe. I think 80% of victims – Russian banks – had a cavalier attitude towards licensed software and specifically Microsoft Office. I think a “super team” of Russian and Chinese criminals targeted them because the team knew the endpoint vulnerabilities. I also submit that the “super team” knew that financial data and customer data may have been encrypted, so the natural attack surface would be to impersonate legitimate banking activity on protected systems and transfer the money away, mimicking day-to-day operations.

That’s the sort of month it’s been. At SC Congress in London the quote that resonated with me the most was: “If we thought 2014 was unprecedented in terms of data breach we’re off to a great start in 2015.”

Good thing the bar was free.

Keep Patching…

Want to know more about security? Then check out the video series by our security lead, Ian Trump…