Dashboard Global

ASERT Security Intelligence

Summary: This week, we cover threat dynamics of the Bangladesh Bank compromise and projected risks to other financial institutions based on the capabilities of threat actor activity. While numerous actors are taking aim at banking infrastructure at any given time (the Carbanak-wielding threat actors, and many others), the compromise is apparently not the only one of its kind in recent months. Financial institutions should be on the alert, as news of the breach has potentially inspired other actors. The malware is also available and can help show the way and speed time to execution. Threat actors will continue to target financial chokepoints with increasing sophistication relative to the defense in place. Therefore, robust, evolving defense in such environments is a must.

Verizon's annual Data Breach Investigations Report, covering numerous incidents from 2015, has been released. Organizations tasked with defense or security governance should be well aware of this report and should consider incorporating its lessons. Financial firms were the most widely impacted in 2015. The hotel/hospitality market saw the second largest number of confirmed breaches, 282, and healthcare sector compromises totaled 115.

Another APT actor group, dubbed PLATINUM, has demonstrated advanced capabilities across many targets of interest in Southeast and South Asia. Using multiple 0day exploits, carefully crafted spearphish, port knocking, and customized stealthy malware, this resourceful group has gone to great lengths to stay undetected. Aside from some press in 2013 and most recently being outed by Microsoft, very little has been published about their activities. Defense against such adversaries requires a significant investment in the proper staff, infrastructure, training and governance.

In this week's ransomware update, we learn that a rash of ransomware-like malware has recently been compromising many Android smartphones using a vulnerability from the Hacking Team leak and other exploit code. Ransomware is projected to continue its awful proliferation, wreaking havoc and financial misfortune on those unprepared for the continuing wave.

Several data breaches have occurred recently. Due to the large amount of sensitive data that is poorly protected from either opportunistic or targeted threat actors, data breaches will continue. Breaches are common enough that many organizations have streamlined their incident response processes to reduce the pain, although data breaches are never a pleasant experience.

Title: Threat Dynamics of the Bangladesh Bank Compromise and Future Risks
Severity Level: Normal Severity
Published: Thu, 28 Apr 2016 23:19:04 +0000
In February 2016, a complex exploitation campaign launched by unknown threat actors was responsible for the penetration, compromise, and attempted theft of nearly one billion dollars (only $81 million was actually stolen, thanks to an employee noticing a spelling error). In April, the Threat Intelligence team at BAE Systems published information about malware that shows very strong associations with the bank and is likely to have been used during the operation [http://baesystemsai.blogspot.co.uk/2016/04/two-bytes-to-951m.html]. Inadequate security at the banking institution has been reported to be a factor; however, banking officials have pointed the finger towards SWIFT as well. In any case, the compromise is a serious blow and provides numerous "lessons learned" moments. It is not just the banking institutions that are viewing this as a "wake up call". Threat actors (perhaps the same group) have apparently used the same Tactics, Techniques and Procedures (TTPs) to compromise other banking systems, as recently reported by Reuters [http://www.reuters.com/article/us-cyber-banking-swift-exclusive-idUSKCN0XM2DI]. Banking institutions need to be on the lookout and increase their vigilance.
Source: Malware ‘used as part of a wider toolkit’ in Bangladesh Bank attack

Title: Stealthy PLATINUM Threat Actors Demonstrate Advanced Capabilities
Severity Level: Normal Severity
Published: Thu, 28 Apr 2016 23:19:04 +0000
An advanced threat group dubbed "PLATINUM" by Microsoft has been observed targeting "governmental organizations, intelligence agencies, defense institutes and telecommunication providers in South and Southeast Asia" [http://thehackernews.com/2016/04/windows-hotpatching-malware.html] since at least 2009. In addition to 0day exploit code and other stealthy techniques, the group uses an in-memory Microsoft patching technique called hotpatching to inject malicious code into running systems. This hotpatch technique can be used on Windows Server 2003 Service Pack 1, Windows Server 2008, Windows Server 2008 R2, Windows Vista, and Windows 7, but not the newer versions of Windows. If the hotpatch technique fails, typical memory injection tactics are used instead. ASERT is currently investigating the malware and threat activity further.
Source: PLATINUM Hackers Hijack Windows Hotpatching to Stay Hidden

Title: Breaches You Need to Know About
Severity Level: Normal Severity
Published: Thu, 28 Apr 2016 23:19:04 +0000
Data breaches are a global phenomenon, just like ransomware, with threat actors targeting these large data repositories for various reasons. Four major breach announcements were released over the last seven days: one impacting 7 million Minecraft users, another focused on banking in Qatar, the third a data breach at a gold mining firm in Canada, and the fourth the exposure of Mexican voter registration data for over 80 million voters in a misconfigured database.
Source: 7 million unsalted MD5 passwords leaked by Minecraft community Lifeboat

Title: Ransomware Update
Severity Level: Normal Severity
Published: Thu, 28 Apr 2016 23:19:04 +0000
Ransomware saw an approximately 16% growth in 2015 and is likely to see exponential growth in 2016. This week researchers uncovered a new mobile ransomware requiring absolutely no user interaction to install, likely marking the first successful mobile malware of its kind. And in the good news department, ransomware likely developed and pushed out by Angler Exploit Kit developers has apparent flaws that enable successful free decryption.
Source: Android Ransomware Dropped via Towelroot, Hacking Team Exploits | Secu ...

Alpha Testing the AlphaLeon HTTP Bot

ASERT was initially alerted about an emerging threat called AlphaLeon by Deep & Dark Web intelligence provider Flashpoint in August 2015. It caught and kept our interest because it sounded like it could be a new “banker” malware family. While it took some time to find samples of the malware in the wild, this post […]
Wed, 09 Mar 2016 15:21:37 +0000

Estimating the Revenue of a Russian DDoS Booter

At the end of 2014, ASERT presented research where we mapped some DDoS booter advertisements on Russian language forums to their behind-the-scenes DDoS botnet infrastructures. For this post, we will follow up on that research a bit by looking at another one of these mappings and trying to estimate the revenue generated by the DDoS […]
Wed, 02 Mar 2016 11:00:15 +0000

Dumping Core: Analytical Findings on Trojan.Corebot

Download the full report here. The Corebot banking trojan was initially discovered and documented last year by researchers at Security Intelligence. Since then, it has evolved rapidly and, in terms of capabilities such as browser-based web injections, it is now similar to the dominant banking malware such as Zeus, Neverquest, and Dyreza although its actual impact to date is […]
Wed, 10 Feb 2016 11:00:54 +0000

The Big Bong Theory: Conjectures on a Korean Banking Trojan

Download the full report here. ASERT has been analyzing samples of a banking trojan targeting South Korean financial institutions. We call the banker “Big Bong” and provide, in this threat intelligence report, an in-depth behavioral analysis of the malware from builder to bot and from installation to exfiltration including obfuscation techniques, certificate use, and VPN-based […]
Wed, 10 Feb 2016 11:00:16 +0000

Uncovering the Seven Pointed Dagger

The full report “Uncovering the Seven Pointed Dagger: Discovery of the Trochilus RAT and Other Targeted Threats” can be downloaded here. Threat actors with strategic interest in the affairs of other governments and civil society organizations have been launching targeted exploitation campaigns for years. Typically, these campaigns leverage spear phishing as the delivery vector and often […]
Mon, 11 Jan 2016 11:00:24 +0000

Top Attacks (past 24 hours)

Description                        Attacks per subnet   Change from yesterday   CVE             Percentage
VNC network scanning activity      721.97               -92.8 %                                 80.7%
ntpdx overflow attempt             58.98                -85.1 %                 CVE-2001-0414   6.6%
SSH brute-force login attempts     26.97                -94.3 %                                 3.0%
MYSQL brute-force login attempts   22.74                -93.2 %                                 2.5%
ping attempt                       16.38                -93.0 %                                 1.8%
 
Description                                          Attacks per subnet   Change from yesterday   CVE   Percentage
SIP TCP/IP message flooding directed to SIP proxy    0.31                 +100.0 %                      0.0%
Other                                                0.72                 N/A                           0.1%
POLICY Outbound TFTP Read Request                    13.33                -28.2 %                       1.5%

Top Scanned Services (past 24 hours)

Description          Traffic per subnet   Change from yesterday   Latest CVE      Percentage
UDP/5060 (sip)       336.45 kB            -80.0 %                 CVE-2006-0189   29.0%
TCP/5900             309.96 kB            -90.9 %                 CVE-2006-4309   26.7%
TCP/23 (telnet)      79.16 kB             -91.4 %                 CVE-2007-0956   6.8%
UDP/53413            35.74 kB             -91.5 %                                 3.1%
UDP/123 (ntp)        32.25 kB             -67.7 %                 CVE-2001-0414   2.8%
 
Description                Traffic per subnet   Change from yesterday   Latest CVE      Percentage
UDP/5000 (commplex-main)   14.79 kB             +inf %                                  1.3%
TCP/110 (pop3)             8.17 kB              +inf %                  CVE-2004-2375   0.7%
UDP/1900 (ssdp)            6.36 kB              +inf %                  CVE-2006-3687   0.5%
TCP/443 (https)            5.95 kB              +inf %                  CVE-2007-5135   0.5%
UDP/514 (syslog)           5.88 kB              +inf %                                  0.5%

Top Threat Sources (past 24 hours)

Country Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
US (United States) 1 93 153.60 kB 3 14456 964
CA (Canada) 2 5 188.64 kB 0 1066 44
DE (Germany) 3 15 150.47 kB 1 980 87
CN (China) 4 26 131.44 kB 1 398 181
KR (South Korea) 5 221 104.41 kB 1 35 686
TW (Taiwan) 6 204 89.21 kB 0 130 43
GB (Great Britain) 7 1 5.35 kB 1 2383 88
NL (Netherlands) 8 16 58.75 kB 2 367 119
AU (Australia) 9 0 1.28 kB 0 1410 96
JP (Japan) 10 112 35.23 kB 1 0 46
RO (Romania) 11 0 11.32 kB 0 752 31
EU (European Union) 12 21 16.66 kB 0 539 17
BR (Brazil) 13 0 7.56 kB 0 86 344
TR (Turkey) 14 0 7.61 kB 0 616 3
FR (France) 15 0 8.71 kB 10 372 91
RU (Russian Federation) 16 1 9.94 kB 0 336 26
SG (Singapore) 17 0 224.32 B 1 627 18
PL (Poland) 18 2 1.13 kB 0 633 0
CH (Switzerland) 19 1 1.12 kB 0 183 171
UA (Ukraine) 20 0 965.42 B 0 464 6
 
ASN Rank Attacks per subnet Scans per subnet Botnets Phishing DoS
AS26496 (AS-26496-GO-DADDY-COM-LLC) 1 0 0 B 0 5443 0
AS6428 (CDM) 2 0 176.13 kB 0 0 0
AS17716 (NTU-TW) 3 203 80.36 kB 0 0 0
AS32953 (MHCV-AS1) 4 0 0 B 0 2287 0
AS9318 (HANARO-AS) 5 160 70.83 kB 0 0 63
AS4134 (CHINANET-BACKBONE) 6 7 56.63 kB 1 115 29
AS8972 (PLUSSERVER-AS) 7 0 62.30 kB 0 0 0
AS6805 (TDDE-ASN1) 8 0 61.86 kB 0 0 0
AS7203 (Unknown) 9 0 46.74 kB 0 0 0
AS29073 (QUASINETWORKS) 10 15 44.35 kB 1 0 10
AS24446 (NETREGISTRY-AS-AP) 11 0 0 B 0 1197 0
AS46606 (UNIFIEDLAYER-AS-1) 12 0 0 B 0 1159 0
AS39572 (Unknown) 13 0 0 B 0 1049 0
AS4837 (CHINA169-BACKBONE) 14 2 27.64 kB 0 48 27
AS47583 (HOSTINGER-AS) 15 0 0 B 0 841 0
AS3786 (LGDACOM) 16 51 22.92 kB 0 0 21
AS15169 (GOOGLE) 17 0 0 B 0 253 243
AS17506 (UCOM) 18 72 22.32 kB 0 0 0
AS24961 (MYLOC-AS) 19 11 17.53 kB 0 87 0
AS33182 (DIMENOC) 20 0 0 B 0 587 0