14 September 2018
How Hackers Compromised 380,000 British Airway Customer Payments
A British Airways data breach that exposed as least 380,000 card payments was caused by a card-skimming malware that customers were inadvertently exposed to through the airline’s website and mobile app, according to research from security firm RiskIQ. British Airways announced last week that hackers had breached the company’s system, compromising hundreds of thousands of card payments. The statement, from the airline’s parent company IAG, said the attack on the site and app began on August 21 and was stopped on September 5. The company said passport and travel information were not included in the hack. A company spokesperson told Gizmodo at the time that a third-party first discovered the concerning activity and alerted British Arlines, prompting a response and investigation. RiskIQ told Gizmodo that when it discovered the breach, it shared its findings with FBI and the UK’s National Crime Agency, which then alerted British Airways. Tuesday morning, RiskIQ released a report on its investigation into the breach. The analysis, written by threat researcher Yonathan Klijnsma, shows that hackers compromised the company’s website and app with a card-skimming malware in late August. After this breach, customers who bought plane tickets online had their credit card information scanned and sent to a fraudulent site operated by a server in Romania. This data included email addresses, names, billing addresses, and bank card information. Similarities between this breach and the Ticketmaster breach in June led RiskIQ researchers to believe that British Airways was attacked by the same group—Magecart. Since Magecard formed in 2015, the collective has been accused of installing card-skimming malware on thousands of sites. “Based on recent evidence, Magecart has now set their sights on British Airways, the largest airline in the UK,” the RiskIQ report reads.
This is the NCSC's guidance for anyone who thinks they may have been affected:
- If you've used the BA website or mobile application to purchase services while the data was at risk (21st Aug-5th Sept) we recommend that you contact your bank
- Ensure your passwords are secure. If you have been affected you may want to consider changing passwords for key accounts such as banking. See Cyber Aware's advice on creating a good password that you can remember, or read the NCSC’s blog post for help on using a password manager . You should also monitor your financial accounts for any suspicious transactions
- If you receive any suspicious phone calls, emails or text messages then report these to Action Fraud
- In general, it is advised you make use of two-factor authentication (2FA) on important accounts – even SMS-based two-factor is better than none. The benefit of this is that even if someone does obtain an account password then they would still not be able to access due to this extra security measure
- Now would also be a good time to check if your account has appeared in any other public data breaches. Visit https://haveibeenpwned.com , enter your email address and go from there
Kronos malware exploits Office bug to hijack your bank account
Kronos, also known as the "father of Zeus," is a particularly pernicious form of malware which simply will not go away. Zeus, Gozi, and Citadel are well-known Trojans which focus their efforts on the theft of financial credentials which can be used by threat actors to compromise online bank accounts, conduct identity theft, or collect data which is later sold in credential dumps on the Dark Web. In Greek mythology, Kronos is Zeus' father. In the world of black hat cybersecurity tools, a somewhat similar relationship appears to exist -- a connection prompted by Kronos injection files that are specifically crafted by the malware's developer to be compatible with Zeus variants. First uncovered in Russian underground forums in 2014, Kronos comes with a premium price tag of $7000, as well as a one-week "trial" option for $1000. The Kronos developers, in return for these payments, promise constant updates, bug fixes, and the development of new modules. According to Securonix researchers, the malware has just received one of the promised updates. On Tuesday, the cybersecurity firm published new research into the malware, saying that the latest Kronos variant, also known as Osiris, was discovered in July this year. Three distinct, separate campaigns are already underway in Germany, Japan, and Poland which utilize the Trojan. The primary infection vector is phishing campaigns and fraudulent emails, as well as exploit kits such as RIG. The malicious emails contain crafted Microsoft Word documents or RTF attachments with macros that drop and execute obfuscated VB stagers. The documents exploit CVE-2017-11882, a buffer flow vulnerability in the Microsoft Office Equation Editor Component which was discovered back in 2017. If a target system has not been patched, the bug permits the execution of arbitrary code.
OilRig APT Continues Its Ongoing Malware Evolution
OilRig, an APT group believed to have ties to Iran, has been spotted in yet another campaign in the Middle East – this time targeting victims within an undisclosed government using an evolved variant of the BondUpdater trojan. The group, which is also called Cobalt Gypsy, Crambus, Helix Kitten or PT34, was recently spotted using a reboot of the OopsIE trojan to mine information from other entities in the Middle East. Believed to be a state-sponsored group under the auspices of to the Iranian intelligence agency and the Islamic Revolutionary Guard Corps (IRGC), OilRig’s primary purpose appears to be espionage efforts targeted at financial, aviation, infrastructure, government and university organizations in the MidEast region. As in the case of the OopsIE-driven attacks, this latest campaign uses an iteration of a previously identified homegrown tool. Palo Alto’s Unit 42 has observed OilRig using spear-phishing emails to deliver an updated version of BondUpdater, a PowerShell-based trojan first used by the group in mid-November 2017. “The BondUpdater trojan contains basic backdoor functionality, allowing threat actors to upload and download files, as well as the ability to execute commands,” Unit 42 researchers said in a breakdown of the campaign posted Thursday. “BondUpdater, like other OilRig tools, uses DNS tunneling to communicate with its C2 server…[but] it now includes the ability to use TXT records within its DNS tunneling protocol for its C2 communications.” Unit 42 observed a highly targeted phishing email sent to “a high-ranking office in a Middle Eastern nation” containing a malicious document with a macro responsible for installing a new variant of BondUpdater. Upon examination, Unit 42 saw that the malware’s installation process involves a VBScript that creates a scheduled task designed to execute every minute, for the sake of persistence. Once established on a targeted machine, BondUpdater was also found to have a new lock file that is used to determine how long the main PowerShell process has been executing; if it has been running for more than 10 minutes, the script will stop the process and delete the lock file, paving the way for a renewed execution of the PowerShell script.
Email scam: Nigerian 'ran ring from Sydney detention centre'
The New South Wales Police has charged four members of an alleged fraud syndicate, as part of an ongoing investigation into business email compromise (BEC) scams run across the state. Strike Force Woolana investigators, assisted by Australian Border Force (ABF), executed three search warrants at the Villawood Immigration Detention Centre on Thursday morning, seizing 16 mobile phones, numerous SIM cards, identification information, and various electronic storage devices. He was charged specifically with knowingly direct activities of criminal group, two counts of knowingly dealing with proceeds of crime, and possessing identity info to commit an indictable offence. Strike Force Woolana was earlier this year stood up by the State Crime Command's Cybercrime Squad to investigate organised criminal syndicates involved in fraudulent activities, including BEC, identity theft, romance scams, and the fraudulent sale of goods. Leading up to the arrest at Villawood, the strike force had charged three others over their involvement in the alleged fraud ring. Search warrants were executed shortly after each arrest, which resulted in the seizing of computers, electronic storage devices, mobile phones, SIM cards, and documentation, as well as a vehicle believed to have been purchased with proceeds of crime. Police will allege in court that the three individuals were involved in the laundering of more than AU$480,000, AU$90,000, and AU$17,000, respectively, all fraudulently obtained through business email compromises.
Sly malware author hides cryptomining botnet behind ever-shifting proxy service
Without a doubt, botnets focused on cryptocurrency mining operations have been one of the most active forms of malware infections in 2018. New botnets are appearing left and right if we are to believe security researchers from Chinese security firm Qihoo 360, who said this week that they are discovering new instances on a daily basis. Not all of them may be profitable, as a recent Malwarebytes report has shown, but that doesn't stop cyber-criminals from trying. Although most botnets are a carbon copy of one another, once in a while researchers spot one that stands out above the crowd. This week, the cryptomining botnet that took the crown in terms of creativity was one discovered by the Netlab team at Qihoo 360. And according to the Netlab team, the thing that stood out about this botnet was that instead of letting infected bots connect to a remote server via a direct connection, its authors were using the ngrok.com service instead. For readers unaware of ngrok, this site is a simple reverse proxy used to let Internet-based users connect to servers located behind firewalls or on local machines that don't have a public IP address. The service is very popular with enterprises because it allows employees a way to connect to corporate intranets. The service is also used by home users, usually freelance developers, to let customers preview applications that are under development. In most cases, a user hosts a server on his local machine, registers with ngrok, and gets a public URL in the form of [random_string].ngrok.io that he then shares with a customer or friend to let him preview an ongoing project. According to Netlab researcher Hui Wang, at least one cryptomining botnet operator is also familiar with this service and has been using it to host a command and control (C&C) server behind ngrok's proxy network. But besides anonymity, the botnet operator also appears to have indirectly gained a resilience against any attempted takedowns of his C&C server.
Kernel exploit discovered in macOS Webroot SecureAnywhere antivirus software
A severe vulnerability discovered in the Webroot SecureAnywhere antivirus software allows attacks to take place at the kernel level. On Thursday, researchers from the Trustwave SpiderLabs team revealed the flaw, which impacts the macOS version of the software. Webroot's SecureAnywhere solution is a paid endpoint protection program which offers "full-scale antivirus security at an affordable price." The vulnerability, CVE-2018-16962, is a memory corruption bug which has been caused by an arbitrary user-supplied pointer which can be read from and "potentially written too," according to Trustwave. If particular conditions in the memory function of SecureAnywhere are met, attackers are gifted with a write-what-where kernel opening, allowing them to execute arbitrary code in this core element. The saving grace with this kernel-level attack is that threat actors need local access to exploit the security flaw. If the vulnerability had permitted remote attacks, this would have been far more serious and would have given cyberattackers an almost limitless means to compromise the software. "While macOS is an important target for attackers, the installation base of Windows still outpaces Mac," the researchers say, "It's also local only, not remote, so an attacker needs to be logged into a vulnerable Mac or convince a logged-in user to open the exploit via social engineering." Trustwave says that after reporting the issue, Webroot quickly resolved the vulnerability. It is recommended that macOS users of Webroot SecureAnywhere enable automatic updates to receive the security patch or manually upgrade to version 18.104.22.168.
Visit cyber.qa.com for more information on how they can help solve the Cyber Security skills gap.