Our January 2014 Intelligence Update

In the past month, Cytegic’s CIAC has observed the following events and developments which are either indicators of trends, independent significant issues, or are important enough to inform our customers:

Target Data Breach Saga Continues: In the aftermath of the Target data breach, which we have been covering, we can now say that it is truly one of the largest breaches in US history, with the PII of over 110 million customers compromised. After a thorough investigation, it is now clear that the point-of-sale malware used in the attack was BlackPOS, developed by Russian hackers. Besides the publication naming BlackPOS as the main malware used by the hackers, several reports suggest a much more sophisticated attack vector. The company itself declared that the hackers compromised its systems using stolen vendor credentials. It now seems that the vendor was the heating, refrigeration and AC contractor Fazio Mechanical Services. In addition, security expert Brian Krebs showed that the attackers leveraged administrator privileges in an IT management software suite called “Performance Assurance for Microsoft Servers”. Cytegic raised the flag several months ago, emphasizing the rising trend in the use of POS malware and the threat it holds for large organizations.

S. Koreans and Germans Exposed: As a continuation of the previous case, Cytegic followed two major breaches and PII thefts in S. Korea and Germany. In S. Korea, a privileged IT employee of a credit rating firm (Korea Credit Bureau) was able to systematically copy and leak the credit-card details of over 20 million Koreans (roughly 2/5 of the country’s population; up to 104 million credit cards were actually compromised). The data was copied to a USB drive from the internal servers of three credit card firms for which he worked as a consultant. This breach could have been prevented or minimized if the firms had implemented better Vendor Management and Data Loss Prevention tools.

In Germany, unknown hackers, probably of eastern-European origin, were able to compromise, for at least 6 months, up to 16 million email accounts, using a dedicated botnet. Included in the breach are email addresses and passwords belonging to employees at all of Germany’s ministries and some members of parliament.

#OpIsraelBirthday – what does Anonymous have planned for Israel this year: A great number of Anonymous and Anonymous-affiliated members and groups (such as AnonGhost) have declared a “call to arms” to mark the first “birthday” of #OpIsrael, on April 7th, 2014. The hackers declared that they intend to “take Israel off the internet”. Most of the hackers involved are of Arab and Muslim origin and were somewhat active against Israeli sites throughout the year.

Israeli banks, financial institutions, government and high-profile sites are at an elevated threat level, which will peak on April 7th. In addition, we believe that American institutions are also at risk, as well as foreign companies which operate in Israel. As in last year’s campaign, we foresee a wave of DDoS and defacement attacks, starting as soon as late March and peaking on April 7th. In most cases the attackers use DDoS tools (LOIC and HOIC, which implement UDP, SYN and HTTP floods), phishing, SQL injection, DNS redirection and Cross-Site Scripting (XSS).

Telecom Hacks Resurfacing: Throughout 2013 we saw several high-profile attacks on telecom companies in the USA, Europe and East Asia, though near the end of the year the trend subsided. With the beginning of 2014, we have followed attacks on the French telecom company Orange, T-Mobile, Bell Canada and the Turkish “Turkcell”. In all of the attacks, the hackers intended to steal and leak large amounts of client information, including names, email addresses, SSNs, driver’s license numbers and more.

NTP abuse to perform massive DDoS attacks: Researchers at Symantec have identified a new and interesting DDoS attack leveraging the Network Time Protocol. Attackers have been using this protocol to perform DDoS attacks similar to DNS reflection attacks. By sending small spoofed 8-byte UDP packets to a vulnerable NTP server, attackers are able to direct large amounts of traffic to their desired target’s IP. The relevant CVE is CVE-2013-5211.
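The defining feature of a reflection attack like the one above is that the victim receives NTP replies it never requested, because the requests were sent with the victim's spoofed source address. The following is an added detection example, not code from the original update or from Symantec: it flags destinations that receive large volumes of unsolicited UDP/123-sourced traffic from several reflectors. The flow-record field layout and the sample flows are constructed for this illustration.

```python
# Added example: detect likely NTP reflection traffic in flow records.
# Flow tuple layout (an assumption for this example):
#   (src_ip, src_port, dst_ip, dst_port, bytes, packets)
from collections import defaultdict

NTP_PORT = 123
MIN_SUSPECT_BYTES = 100_000   # ignore small, probably benign volumes
MIN_REFLECTORS = 2            # reflection campaigns use many servers

# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    # Legitimate time sync: the client asked, then the server answered.
    ("198.51.100.5", 54321, "203.0.113.10", NTP_PORT, 48, 1),
    ("203.0.113.10", NTP_PORT, "198.51.100.5", 54321, 48, 1),
    # Reflected traffic: large replies from three NTP servers land on a
    # host that never sent them a request (spoofed-source requests).
    ("203.0.113.20", NTP_PORT, "192.0.2.7", 80, 440_000, 1000),
    ("203.0.113.21", NTP_PORT, "192.0.2.7", 80, 450_000, 1000),
    ("203.0.113.22", NTP_PORT, "192.0.2.7", 80, 430_000, 1000),
    # Unrelated web traffic.
    ("192.0.2.7", 443, "198.51.100.9", 40000, 2000, 4),
]


def ntp_reflection_victims(flows, min_bytes=MIN_SUSPECT_BYTES,
                           min_reflectors=MIN_REFLECTORS):
    """Return {victim_ip: (unsolicited_bytes, reflector_count)} for hosts
    receiving NTP replies from servers they never queried."""
    # Pairs (client, server) for which we saw a genuine request to UDP/123.
    requested = {(src, dst) for src, _, dst, dport, _, _ in flows
                 if dport == NTP_PORT}
    unsolicited_bytes = defaultdict(int)
    reflectors = defaultdict(set)
    for src, sport, dst, _, nbytes, _ in flows:
        if sport != NTP_PORT:
            continue
        if (dst, src) in requested:
            continue  # a normal reply to a request the receiver sent
        unsolicited_bytes[dst] += nbytes
        reflectors[dst].add(src)
    return {
        victim: (total, len(reflectors[victim]))
        for victim, total in unsolicited_bytes.items()
        if total >= min_bytes and len(reflectors[victim]) >= min_reflectors
    }


if __name__ == "__main__":
    for victim, (total, count) in ntp_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{victim}: {total} unsolicited bytes from {count} NTP reflectors")
```

On real data the same logic applies to exported NetFlow/IPFIX records; a victim-side network will see the reply flows but no matching request flows, while the reflector-side operator sees requests whose source address is not one of its own clients.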

Internet-of-Things attack – now a real threat: Researchers at Proofpoint have uncovered a sophisticated attack leveraging the IoT. The attack leveraged some 100,000 gadgets and household appliances, all connected to the internet through home routers. This attack may be a first glimpse of new attack vectors in the near future. As the IoT expands, the threat of hackers misusing it grows, and what was strictly the domain of laptops and desktops in the past is quickly changing. Attackers can now turn even “smart” refrigerators into botnet-owned devices.
