
PwC Weekly

Security Report

This is a weekly digest of security news and events from around the world. Excerpts from news items are presented and web links are provided for further information.

Malware

ATMs targeted with improved ‘Skimer’ malware

Threats and vulnerabilities

Indian organisations targeted in Suckfly attacks

Encryption

Hmmm, where should I dump those unencrypted password files? I know—OneDrive

Top story

LinkedIn hack tops a whopping 100 million users

ATMs targeted with improved ‘Skimer’ malware

Researchers at Kaspersky Lab have come across a new and improved version of an old piece of malware that allows cybercriminals to steal money and payment card data from ATMs.

The threat, dubbed “Skimer” and detected by Kaspersky Lab products as Backdoor.Win32.Skimer, has been around since 2009 and it was one of the first pieces of malware designed to allow direct interaction with ATMs.

Kaspersky Lab has identified 49 variants of the malware, 37 of which are designed to target ATMs from a single manufacturer. The latest version, discovered in early May, is more difficult to analyze.

According to researchers, both the infector and the dropper are packed with Themida, a legitimate packer that has been abused by many malware developers in the past decade.

Once executed, the malware drops a file named netmgr.dll on the system. If the file system is FAT32, the file is dropped in the System32 folder, and if it’s NTFS, the file is placed in the NTFS data stream corresponding to an executable named SpiService.exe. This is an executable file associated with XFS, a piece of middleware that provides a client-server architecture for devices used in the financial industry.

Skimer then adds a new LoadLibrary call to SpiService.exe so that the malicious netmgr.dll library is loaded into the XFS service after the malware reboots the infected ATM. This provides the malware complete access to the XFS, allowing it to interact with the device. It’s worth noting that SpiService.exe is a service specific to Diebold machines.

By packing the malware components and by placing the malicious library in an NTFS data stream, Skimer developers most likely want to prevent researchers from conducting a forensic analysis of the threat, noted Kaspersky researcher Sergey Golovanov.

Attackers can control the malware by inserting two types of cards that have specially crafted Track 2 data into the infected machine. One of the cards is designed for executing commands hardcoded in Track 2, while the other allows attackers to launch one of 21 predefined commands using the PIN pad and the malware interface.

Source: http://www.securityweek.com/atms-targeted-improved-skimer-malware

Our perspective

We recommend that customers having Diebold ATMs deploy additional security measures, including enhanced monitoring, given the targeted campaign being conducted right now.

A one-time security review, including antivirus scan and verification of the application white list, is strongly advised.
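As an added example of the "enhanced monitoring" recommended above (this is not code from PwC's report or from Kaspersky's analysis), the following Python detection logic covers the two persistence behaviours the article describes: a file written into an NTFS alternate data stream of SpiService.exe, and netmgr.dll dropped into System32. It runs over constructed, simplified file-creation events in a key=value form loosely modelled on Sysmon's FileCreate (ID 11) and FileCreateStreamHash (ID 15) events; the event lines, the list of XFS host processes beyond SpiService.exe and the list of benign stream names are assumptions made for this example.

```python
"""Detection logic for the Skimer persistence behaviours described in the article:
a DLL written into an NTFS alternate data stream (ADS) of the XFS service binary
SpiService.exe, and netmgr.dll dropped into System32. Input is a list of constructed,
simplified file-creation events (key=value lines loosely modelled on Sysmon events)."""
import re

# Constructed sample events for this example, not real telemetry.
SAMPLE_EVENTS = [
    r"EventId=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\op\report.docx",
    r"EventId=15 Image=C:\Temp\update.exe TargetFilename=C:\Program Files\XFS\SpiService.exe:netmgr.dll",
    r"EventId=11 Image=C:\Temp\update.exe TargetFilename=C:\Windows\System32\netmgr.dll",
    r"EventId=15 Image=C:\Windows\System32\svchost.exe TargetFilename=C:\Users\op\setup.exe:Zone.Identifier",
    r"EventId=11 Image=C:\Windows\System32\msiexec.exe TargetFilename=C:\Windows\System32\drivers\etc\hosts",
]

# File name taken from the article: the library Skimer drops.
KNOWN_DROPPED_DLL = "netmgr.dll"
# Assumed watch list of XFS host processes; only SpiService.exe is named in the article.
XFS_HOST_PROCESSES = {"spiservice.exe"}
# Assumed list of Windows-created streams that are expected and should not alert alone.
BENIGN_STREAMS = {"zone.identifier"}

# key=value pairs; a value runs until the next " key=" or end of line, so paths with spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Turn one key=value line into a dict."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def split_ads(path):
    """Split 'C:\\dir\\file.exe:stream' into (file path, stream name or None).
    Only the final path component is inspected, so the drive-letter colon is ignored."""
    base = path.rsplit("\\", 1)[-1]
    if ":" not in base:
        return path, None
    name, stream = base.split(":", 1)
    stream = stream.split(":")[0]          # drop a trailing ':$DATA' type suffix if present
    return path[: len(path) - len(base)] + name, stream


def classify(event):
    """Return alert strings for one parsed event (empty list if nothing is suspicious)."""
    alerts = []
    host, stream = split_ads(event.get("TargetFilename", ""))
    host_name = host.rsplit("\\", 1)[-1].lower()
    if stream is not None and stream.lower() not in BENIGN_STREAMS:
        if host_name in XFS_HOST_PROCESSES:
            alerts.append(f"ADS written to XFS host process {host_name}: {stream}")
        elif host_name.endswith((".exe", ".dll")):
            alerts.append(f"ADS written to executable {host_name}: {stream}")
    if host_name == KNOWN_DROPPED_DLL and "\\system32\\" in host.lower():
        alerts.append(f"known Skimer component dropped: {host}")
    return alerts


def scan(lines):
    """Run every line through the detector; return {line index: alerts} for hits only."""
    findings = {}
    for index, line in enumerate(lines):
        alerts = classify(parse_event(line))
        if alerts:
            findings[index] = alerts
    return findings


if __name__ == "__main__":
    for index, alerts in scan(SAMPLE_EVENTS).items():
        print(index, alerts)
```

The two rules are deliberately narrow: an ADS on any executable is worth a look on an ATM, and the known file name is a cheap indicator, but a real deployment would also baseline which streams its own software legitimately creates.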

Indian organisations targeted in Suckfly attacks

Suckfly conducted long-term espionage campaigns against government and commercial organizations in India.

In March 2016, Symantec published a blog on Suckfly, an advanced cyberespionage group that conducted attacks against a number of South Korean organizations to steal digital certificates.

Since then we have identified a number of attacks over a two-year period, beginning in April 2014, which we attribute to Suckfly. The attacks targeted high-profile targets, including government and commercial organizations. These attacks occurred in several different countries, but our investigation revealed that the primary targets were individuals and organizations primarily located in India.

While there have been several Suckfly campaigns that infected organizations with the group’s custom malware Backdoor.Nidiran, the Indian targets show a greater amount of post-infection activity than targets in other regions. This suggests that these attacks were part of a planned operation against specific targets in India.

Campaign activity in India

The first known Suckfly campaign began in April of 2014. During our investigation of the campaign, we identified a number of global targets across several industries who were attacked in 2015. Many of the targets we identified were well known commercial organizations located in India. These organizations included:

One of India's largest financial organizations

A large e-commerce company

The e-commerce company's primary shipping vendor

One of India's top five IT firms

A United States healthcare provider's Indian business unit

Two government organizations

Suckfly spent more time attacking the government networks compared to all but one of the commercial targets. Additionally, one of the two government organizations had the highest infection rate of the Indian targets. Figure 1 shows the infection rate for each of the targets.


Indian government org #2 is responsible for implementing network software for different ministries and departments within India's central government. The high infection rate for this target is likely because of its access to technology and information related to other Indian government organizations.

Our perspective

Advanced persistent threat (APT) attacks can be prevented to a reasonable extent by ensuring a very high level of end user awareness. A high level of end user awareness is especially required in key organisation roles dealing with extremely sensitive information susceptible to espionage activities. In addition, anti-APT solutions deployed at the perimeter layer can provide the required detect and prevent capability at the technology layer.

Source:

http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks

Hmmm, where should I dump those unencrypted password files? I know—OneDrive

Encryption, corporates have heard of it

Enterprises are routinely storing corporate password files in the cloud through Microsoft’s OneDrive backup technology.

OneDrive is the most common Office 365 application, with 79.1 per cent of organisations using it, according to a study by cloud control tech vendor Skyhigh Networks. The average corporate OneDrive service contains 204 unencrypted files labelled “passwords”.

This risky practice has actually increased over the last few months. Corporates averaged 143 “password” files uploaded to OneDrive in Q3 2015.

The amount of sensitive data being stored on OneDrive in general is increasing, Skyhigh reports.

Around one in six (17.1 per cent) of stored files contain sensitive data, which consists of confidential data (9.4 per cent), personal (4.1 per cent), health (1.9 per cent) and payment (1.7 per cent) information.

Skyhigh Networks’ Nigel Hawthorn said the wide range of available applications makes Microsoft Office 365 a popular corporate option.

Increased usage of the technology has not, unfortunately, been accompanied with greater security awareness. “Businesses and employees are still taking a relaxed approach to document security, especially when you consider the high frequency of threats,” said Hawthorn. “You would hope that the spate of high-profile data breaches would make enterprises sit up and take notice about the need for encryption, but the amount of unencrypted sensitive data stored on OneDrive is increasing.”

He added: “More than half of documents across all cloud services that contain sensitive data are stored in Microsoft Office formats. This percentage will only increase as OneDrive becomes more tightly integrated to the rest of the suite. Therefore, it’s imperative for businesses to educate their employees about how to safely store documents in the cloud.”

Hawthorn concluded that the need for employee training is particularly acute in heavily regulated industries such as financial services or healthcare, two of the biggest users of Office 365.

Skyhigh Networks' technology allows organisations to monitor employee cloud use and lock down banned apps. The security vendor’s report on Microsoft Office 365 usage in the enterprise, published on Wednesday here, is based on real life data from more than 600 enterprises and 27 million users.

The study found that the occurrence of Office 365-related threats is common: 71.4 per cent of companies have at least one compromised account each month, 57.1 per cent have at least one insider threat and 45.9 per cent have at least one privileged user threat.

Source: http://www.theregister.co.uk/2016/05/18/oneback_password_backup_rife/

Our perspective

Encryption of confidential data in motion is now a standard across the industry. Given the growing incidents of data breaches, including data saved on external cloud storage providers, it is highly recommended to have adequate encryption technology deployed for securing confidential data at rest as well. Organisations must have a formal policy for storing and accessing privileged identity information.
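As an added example of how an organisation could check its own sync folders for the practice the article describes (this is not code from PwC, Skyhigh Networks or Microsoft), the following Python script walks a directory, picks out files whose names suggest a credential store, and flags those whose contents look like unencrypted text rather than an encrypted container. The folder layout, file names and contents are constructed for this example; the name patterns and the printable-ratio and entropy thresholds are assumptions.

```python
"""Find files in a local sync folder (for example a OneDrive directory) that are
named like credential stores and whose contents are plainly unencrypted text.
Heuristic: an encrypted vault or container is near-random bytes, so a file that is
overwhelmingly printable text with modest entropy is stored in the clear."""
import math
import os
import re
import shutil
import tempfile

# Assumed name patterns that suggest a credential store.
NAME_HINTS = re.compile(r"(password|passwd|credential|secret)", re.IGNORECASE)
SAMPLE_BYTES = 4096  # only the head of each file is inspected


def shannon_entropy(data):
    """Bits per byte: encrypted or compressed data sits near 8, English text near 4 to 5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def looks_plaintext(data):
    """True when the sample is almost entirely printable ASCII with modest entropy (assumed thresholds)."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) > 0.95 and shannon_entropy(data) < 6.0


def find_plaintext_secret_files(root):
    """Return sorted paths, relative to root, of credential-named files that are stored in the clear."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not NAME_HINTS.search(name):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as handle:
                head = handle.read(SAMPLE_BYTES)
            if looks_plaintext(head):
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed sync folder with three files and return its path (caller removes it)."""
    root = tempfile.mkdtemp(prefix="onedrive_sample_")
    os.makedirs(os.path.join(root, "Finance"))
    with open(os.path.join(root, "Finance", "passwords.txt"), "w") as handle:
        # Constructed placeholder content, not real credentials.
        handle.write("vpn: EXAMPLE-placeholder-1\nerp: EXAMPLE-placeholder-2\n" * 20)
    with open(os.path.join(root, "passwords.kdbx"), "wb") as handle:
        handle.write(os.urandom(4096))  # stands in for an encrypted password vault
    with open(os.path.join(root, "notes.txt"), "w") as handle:
        handle.write("meeting agenda\n" * 20)  # plain text, but not credential-named
    return root


def scan_sample():
    """Build the sample tree, scan it, clean up, and return hits with '/' separators."""
    root = build_sample_tree()
    try:
        return [p.replace(os.sep, "/") for p in find_plaintext_secret_files(root)]
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for hit in scan_sample():
        print("unencrypted credential file:", hit)
```

Only Finance/passwords.txt is reported: the vault file is credential-named but its bytes are indistinguishable from random, and notes.txt is plain text but does not match the name patterns.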

LinkedIn hack tops a whopping 100 million users

The 2012 hack of LinkedIn is coming back to haunt the social media company again. It says that an additional data dump stemming from the breach has been leaked online—containing credentials for more than 100 million LinkedIn members.

“Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations…from that same theft in 2012,” the company said in a posting. “We have no indication that this is as a result of a new security breach.”

LinkedIn said that it was taking “immediate steps” to invalidate the passwords of the accounts impacted, and that it’s contacting those members to reset their passwords.

In 2012, LinkedIn admitted that it was the victim of an unauthorized access and disclosure of what it said was 6.5 million members' passwords on a Russian hacker site. At the time, its immediate response included a mandatory password reset for all accounts believed to have been compromised as a result of the unauthorized disclosure.

A class-action suit was filed (and later dismissed) that brought to light some of the company’s security practices. Specifically, the complaint alleged that LinkedIn failed to use a combination of hashing and salting to secure user passwords, resulting in the exposure of passwords to hackers.

“LinkedIn violated its own User Agreement and Privacy Policy by failing to utilize long-standing industry standard protocols and technology to protect Plaintiff and the Class members’ PII [personally identifiable information],” the complaint alleged.

“LinkedIn failed to use a modern hashing and salting function, and therefore drastically exacerbated the consequences of a hacker bypassing its outer layer of security,” the petition added.

Since then, the company has gotten more with the program. It now has hashed and salted every password in the database, and has implemented protection tools such as email challenges and dual factor authentication. However, the fact that it didn’t realize the extent of the breach sparked some concern in the security community.

“The revelation of the magnitude of this breach is very disturbing,” said Brad Taylor, CEO, Proficio, via email. “First, has LinkedIn been fully transparent with its users? Hopefully, users changed their passwords on the initial disclosure, but in the light of this news a stronger response should have ensued. Second, if LinkedIn is only now discovering the scale of data that was exfiltrated from their systems, what went wrong with the forensic analysis that should have discovered this?”


Source: http://www.infosecurity-magazine.com/news/linkedin-hack-tops-a-whopping-100/
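The hashing-and-salting distinction the complaint turns on, shown as an added Python example (this is not LinkedIn's code, and the article does not state which algorithms LinkedIn used). An unsalted digest is deterministic, so two users with the same password produce identical stored values and one precomputed table covers every user; a per-user random salt fed into a deliberately slow key derivation function removes both properties. PBKDF2-HMAC-SHA256 with 600,000 iterations is this example's choice of function and work factor, and the sample passwords are constructed.

```python
"""Unsalted password digests versus salted, iterated key derivation.
Illustrates why the unsalted scheme the complaint describes lets an attacker
link users who share a password and attack them all with one table."""
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2 work factor chosen for this example; raise as hardware improves


def unsalted_hash(password):
    """One deterministic digest per password: the weakness the complaint describes."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password, salt=None):
    """Return the value to store: per-user salt, work factor and derived key, all needed to verify."""
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": derived.hex()}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(derived.hex(), record["hash"])


def needs_rehash(record):
    """True when a stored record was made with a weaker work factor than the current one."""
    return record["iterations"] < ITERATIONS


def linkable_users(table):
    """Given {user: stored value}, return the groups of users whose stored values collide.
    With unsalted digests everyone who chose the same password collides; with salts nobody does."""
    groups = {}
    for user, value in table.items():
        groups.setdefault(value, []).append(user)
    return {value: users for value, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    # Constructed sample accounts; two of them chose the same password.
    accounts = {"alice": "Spring2016!", "bob": "Spring2016!", "carol": "correct horse"}
    unsalted = {user: unsalted_hash(pw) for user, pw in accounts.items()}
    salted = {user: make_record(pw)["hash"] for user, pw in accounts.items()}
    print("linkable with unsalted digests:", linkable_users(unsalted))
    print("linkable with salted records:  ", linkable_users(salted))
```

The `needs_rehash` helper is the migration hook for the situation the article describes: once a user logs in and the plaintext is momentarily available, an old-style record can be replaced with a salted one.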


tax services. Find out more and tell us what matters to you by visiting us at www.pwc.com

In India, PwC has offices in these cities: Ahmedabad, Bengaluru, Chennai, Delhi NCR, Hyderabad, Kolkata, Mumbai and Pune. For more information about PwC India's service offerings, visit www.pwc.com/in PwC refers to the PwC International network and/or one or more of its member firms, each of which is a separate, independent and distinct legal entity in separate lines of service. Please see www.pwc.com/structure for further details.

©2016 PwC. All rights reserved

For any queries, please contact:

Sivarama Krishnan

[email protected]

Amol Bhat

[email protected]

© 2016 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to

PricewaterhouseCoopers Private Limited (a limited liability company in India having Corporate Identity Number or CIN : U74140WB1983PTC036093), which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity.

KS6441
