In the past month, Cytegic's CIAC has observed the following events and developments, which are either indicators of trends, independent significant issues, or important enough to bring to our customers' attention:
PWC’s Global State of Information Security 2015
A recent survey by PWC, the Global State of Information Security 2015, revealed some interesting conclusions. For one, the total number of security incidents among the surveyed companies grew 48% over 2013. These attacks led to an increase in the annual financial cost of investigating and mitigating incidents, especially among large organizations. Moreover, according to PWC, the number of respondents reporting losses of $20 million or more almost doubled over 2013. Yet despite the rise in attacks and the cost of mitigation, the average information security budget declined by 4%, contrary to the previous trend. And, to add to this, in most organizations the board of directors remains in the dark when it comes to security planning.
All these conclusions emphasize the fact that organizations, especially large ones, need a single strategic-level cyber-security management solution, which will allow them to have a constant and clear view of their security status, and at the same time allow them to invest their money where it counts.
Bash Shellshock Vulnerability
This month, researchers uncovered a critical vulnerability (CVE-2014-6271) in the GNU Bourne Again Shell (Bash), the text-based command-line utility found on many Linux and Unix operating systems. The vulnerability is critical because of how widely this shell is used globally. According to security reporter Brian Krebs, if Bash is set up as the default command-line utility on a system, the flaw opens that system up to specially crafted remote attacks via a range of network tools that rely on it to execute scripts. Despite several different patches having already been issued, attackers are exploiting this vulnerability to perform large-scale DDoS and remote code execution attacks. More severe is the fact that several worms have been discovered which use this vulnerability to install malware on vulnerable systems. Shellshock has been compared to Heartbleed because of its widespread nature and potential damage, but unlike Heartbleed, which only allows attackers to read sensitive information from vulnerable web servers, Shellshock potentially lets attackers take control of exposed systems.
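Because the network tools Krebs refers to (CGI handlers in particular) pass HTTP request fields to Bash as environment variables, a Shellshock probe leaves a recognizable trace in web server logs: the function-definition prefix "() {" inside a User-Agent, Referer or request line. The following script is an added example of that detection logic and is not part of Cytegic's bulletin; it assumes the Apache/nginx "combined" log format, and the sample log lines it scans are constructed for illustration.

```python
import re

# Apache/nginx "combined" log format (assumed for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Signature of a Shellshock (CVE-2014-6271) probe: the Bash exported-function
# prefix "() {" smuggled into a field that a CGI handler would hand to Bash as
# an environment variable. Scanners vary the whitespace, so allow for it.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# Constructed sample log: two probes from one source, two benign requests,
# and one malformed line that the parser must skip rather than crash on.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Sep/2014:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [25/Sep/2014:10:12:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:10:12:06 +0000] "GET /cgi-bin/status HTTP/1.1" 200 312 "() { ignored;};echo probe" "curl/7.37.0"
192.0.2.44 - - [25/Sep/2014:10:13:40 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/" "Mozilla/5.0 (Windows NT 6.1)"
this line is not in combined format and should be skipped
"""


def parse_combined(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_probes(lines):
    """Return one record per log line whose request, Referer or User-Agent
    carries the "() {" prefix, naming the field(s) it appeared in."""
    hits = []
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue
        fields = [f for f in ("request", "referer", "agent")
                  if SHELLSHOCK_RE.search(entry[f])]
        if fields:
            parts = entry["request"].split()
            hits.append({
                "ip": entry["ip"],
                "ts": entry["ts"],
                "path": parts[1] if len(parts) > 1 else entry["request"],
                "fields": fields,
            })
    return hits


def summarize_by_source(hits):
    """Count probe hits per source IP, for triage and blocklist decisions."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    probes = find_shellshock_probes(SAMPLE_LOG.splitlines())
    for p in probes:
        print(f'{p["ts"]} {p["ip"]} {p["path"]} via {",".join(p["fields"])}')
    print("per-source:", summarize_by_source(probes))
```

Note that the User-Agent match on the benign Mozilla line does not fire: the signature requires "(" immediately followed (modulo whitespace) by ")" and "{", which ordinary browser strings do not contain. Hits against paths under /cgi-bin/ deserve first attention, since those are the handlers that actually reach Bash, but a match in any field from any source is worth correlating with patch status on the host.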
POS Malware Still a Major Concern
POS malware and POS-targeted attacks have been a major issue over the past year, especially since the large-scale Target breach at the end of 2013. As we assessed, this month we continued to see large-scale POS attacks in the US against retailers and restaurants, owing to the large volume of credit and debit card activity in these sectors. The attacks exposed this month amounted to more financial data being compromised than in the Target attack, making this a bad month for American customers. Among the main incidents this month were the attacks on Home Depot, on a POS vendor serving hundreds of US restaurants, and on a POS vendor for Goodwill Industries.
Attacks on Banks and Banking Trojans
For years, banks and financial firms have been a highly lucrative and valuable target for financially motivated hackers, who mainly went after the banks' capital. In recent years, largely because banks took the lead on cyber-security, these attackers shifted their sights to the banks' customers and transactions rather than the banks themselves. This shift led to a sharp rise in banking trojans, which target customers in order to steal credentials, then transfer money to attacker-controlled accounts or send mules to withdraw cash at ATMs. This month, we have seen some significant incidents showing that while most attackers have shifted their focus, direct attacks on banks' systems still occur and remain extremely dangerous to banks.
Researchers at Trusteer have uncovered a cyber-espionage campaign against petrochemical companies in the Middle East. What was interesting about this campaign was the reuse of the old and familiar Citadel banking trojan, originally built to steal money. According to the company, the trojan was repurposed to target specific URLs, such as the companies' webmail, and to "ambush" users before recording their credentials and sending them to a C&C server. These credentials were later used to read and send messages and to perform spear-phishing attacks against individuals of interest.