The Emotet trojan recently turned from a major cybersecurity threat to a laughingstock when its payloads were replaced by harmless animated GIFs. Taking advantage of a weakness in the way Emotet malware components were stored, white-hat hackers donned their vigilante masks and sabotaged the operations of the recently revived cyberthreat. While highly effective as well as somewhat humorous, the incident should not distract attention from two unavoidable truths.
History of Emotet and the threat it presents
First identified in 2014, version one of Emotet was designed to steal bank account details by intercepting internet traffic. A short time after, a new version of the software was detected. This version, dubbed Emotet version two, came packaged with several modules, including a money transfer system, malspam module, and a banking module that targeted German and Austrian banks. Last year, we saw reports of a botnet-driven spam campaign targeting German, Polish, Italian, and English victims with craftily worded subject lines like “Payment Remittance Advice” and “Overdue Invoice.” Opening the infected Microsoft Word document initiates a macro, which in turn downloads Emotet from compromised WordPress sites.
After a relative quiet start to 2020, the Emotet trojan resurfaced suddenly with a surge of activity in mid-July. This time around, the botnet’s reign of terror took an unexpected turn when the payloads its operators had stored on – poorly secured WordPress sites – were replaced with a series of popular GIFs. Instead of being alerted of a successful cyberattack, the respective targets received nothing more alarming than an image of Blink 182, James Franco, or Hackerman.
Whilst this is all in good fun, the question remains: what if the white hats had left their masks in the drawer instead of taking on the Emotet trojan? And what about the countless other malware attacks that continue unimpeded, delivering their payloads as intended?
A view into the encryption blind spot with SSL interception (SSL inspection)
Malware attacks such as Emotet often take advantage of a fundamental flaw in internet security. To protect data, most companies routinely rely on SSL encryption or TLS encryption. This practice is highly effective for preventing spoofing, man-in-the-middle attacks, and other common exploits from compromising data security and privacy. Unfortunately, it also creates an ideal hiding place for hackers. To security devices inspecting inbound communications for threats, encrypted traffic appears as gibberish—including malware. In fact, more than half of the malware attacks seen today are using some form of encryption. As a result, the SSL encryption blind spot ends up being a major hole in the organisation’s defence strategy.
The most obvious way to address this problem would be to decrypt traffic as it arrives to enable SSL inspection before passing it along to its destination within the organisation—an approach known as SSL interception. But here too, problems arise. For one thing, some types of data are not allowed to be decrypted, such as the records of medical patients governed by privacy standards like HIPAA, making across-the-board SSL decryption unsuitable. And for any kind of traffic, SSL decryption can greatly degrade the performance of security devices while increasing network latency, bottlenecks, cost, and complexity. Multiply these impacts by the number of components in the typical enterprise security stack—DLP, antivirus, firewall, IPS, and IDS—and the problem becomes clear.
How efficient SSL inspection saves the day
With many organisations relying on distributed per-hop SSL decryption. A single SSL inspection solution can provide the best course of action by decrypting traffic across all TCP ports and advanced protocols like SSH, STARTTLS, XMPP, SMTP and POP3. Also, this solution helps provide network traffic visibility to all security devices, including inline, out-of-band and ICAP-enabled devices.
Whilst we should celebrate the work of the white hats who restrained Emotet, it is not every day that a lethal cyber threat becomes a matter of humour. But having had a good laugh at their expense, we should turn our attention to making sure that attacks like Emotet have no way to succeed in the future—without the need to count on vigilante justice - this is where SSL inspection can really save the day.
COVID-19 has reshaped the global cyberthreat landscape. While cyberattacks have been on the rise, the surge in frequency and increased threat sophistication is notable. The latest VMware Carbon Black Global Incident Threat Report, Extended Enterprise Under Threat – Global Threat Report series, found cybercriminals have seized the opportunity, taking advantage of the global disruption to conduct nefarious activity.
COVID-19 has Exacerbated pre-existing Cyber Threats
The VMware Carbon Black latest global survey of Incident Response (IR) professionals found that COVID-19 has exacerbated pre-existing cyberthreats. From counter incident response and island hopping to destructive attacks. Remote work then compounds this bringing additional cybersecurity challenges as employees access critical data and applications from their home networks or with personal devices outside of the corporate perimeter. Cybercriminals are also targeting the cloud, which organisations rely on to enable remote work. If you’re a cybercriminal, the pool of people you can trick now is exponentially larger, simply because we are in a global disaster.
As the threat landscape transforms and expands, the underlying methodologies behind the attacks have remained relatively consistent. Attackers have just nuanced their threat strategies. For example, last Christmas, the number one consumer purchase was smart devices, now they’re in homes that have fast become office spaces. Cybercriminals can use those family environments as a launchpad to compromise and conduct attacks on organizations. In other words, attackers are still island hopping – but instead of starting from an organisation’s network and moving along the supply chain, the attack may now originate in home infrastructures.
Next-Generation Cyberattacks require Next-Generation IR
While more than half (53%) of the IR professionals reported encountering or observing an increase in cyberattacks exploiting COVID-19, this isn’t a one-sided battle and there is much security teams can do to fight back.
Next-generation cyberattacks – with adversaries increasingly working to maintain persistence on systems – call for next-generation IR, especially as corporate perimeters across the world breakdown. To this point, here are seven key steps that security teams can take to fight back:
- Gain better visibility into your system’s endpoints: Doing so can empower security teams to be proactive in their IR – rather than merely responding to attacks once they come, they can hunt out prospective threats. This is increasingly important in today’s landscape, with more attackers seeking to linger for long periods on a network and more vulnerable endpoints online via remote access.
- Establish digital distancing practices: People working from home should have two routers, segmenting traffic from work and home devices. They should have a room free of smart devices for holding potentially sensitive conversations. And they should restrict sensitive file sharing across insecure applications, like video conferencing tools.
- Enable real-time updates, policies and configurations across the network: This may include updates to VPNs, audits or fixes to configurations across remote endpoints and other security updates – even when outside the corporate network. It’s important to keep in mind the security architecture when making these changes, otherwise, things get changed without having the proper controls in place to react.
- Enhance collaboration between IT and security teams – and make IT teams more cybersecurity savvy: As noted, 92% of IR professionals agree that a culture of collaboration between IT and security teams will improve enterprise security and response to cyber risks. This is especially true under the added stress of the pandemic. Alignment should also help elevate IT personnel to become experts on their own systems, whether it’s training them to threat hunt on a Windows box or identify anomalous configurations on certain SaaS applications.
- Expand Cyber-Threat Hunting: Threat hunting provides ground truth and context which is essential for defence. Situational awareness is dependent on ground truth which is based in the assumption of breach. One must proactively explore their environment for abnormal activity. The cadence of threat hunting must be increased, and the scope should extend to the information supply chain as well as Senior Executives laptops as they work from home.
- Integrate Security Controls: Integration allows organisations to uniquely see across traditional boundaries/silos providing richer telemetry and allowing for defenders to react seamlessly.
- Remember to communicate: Now more than ever, organizations must motivate IT and SECops to get on the same page and prioritize change management while maintaining clear lines of communication – about new risk factors (application attacks, OS exploitation, smart devices, file-sharing applications, etc.), protocols and security resources.
|Crime Dot Com: From Viruses to Vote Rigging, How Hacking Went Global|
It is believed that 1 out of every 36 mobile devices has been compromised by a mobile app security breach. And with more than 5 billion mobile devices globally, you do the math.
The news that a consumer-facing application or business has experienced a security breach is a story that breaks far too often. As of late, video conferencing apps like Zoom and Houseparty have been the centre of attention in the news cycle.
As apps continue to integrate into the everyday life of our users, we cannot wait for a breach to start considering the efficacy of our security measures. When users shop online, update their fitness training log, review a financial statement, or connect with a colleague over video, we are wielding their personal data and must do so responsibly.
Let’s cover some of the ways hackers access sensitive information and tips to prevent these hacks from happening to you.
The Authentication Problem
Authentication is the ability to reliably determine that the person trying to access a given account is the actual person who owns that account. One factor authentication would be accepting a username and password to authenticate a user, but as we know, people use the same insecure passwords and then reuse them for all their accounts.
If a hacker accesses a user’s username and password, even if through no fault of yours, they are able to access that user’s account information.
Although two-factor authentication (2FA) can feel superfluous at times, it is a simple way to protect user accounts from hackers.
2FA uses a secondary means of authenticating the user, such as sending a confirmation code to a mobile device or email address. This adds another layer of protection by making it more difficult for hackers to fake authentication.
Consider using services that handle authentication securely and having users sign in with them. Google and Facebook, for example, are used by billions of people and they have had to solve authentication problems on a large scale.
Reverse engineering is when hackers develop a clone of an app to get innocent people to download malware. How is this accomplished? All the hacker has to do is gain access to the source code. And if your team is not cautious with permissions and version control systems, a hacker can walk right in unannounced and gain access to the source code along with private environment variables.
One way to safeguard against this is to obfuscate code. Obfuscation and minification make the code less readable to hackers. That way, they’re unable to conduct reverse engineering on an app. You should also make sure your code is in a private repository, secret keys and variables are encrypted, and your team is aware of best practices.
If you’re interested in learning more ways hackers can breach mobile app security, check out the infographic below from CleverTap.
Authored by Drew Page Drew is a content marketing lead from San Diego, where he helps create epic content for companies like CleverTap. He loves learning, writing and playing music. When not surfing the web, you can find him actually surfing, in the kitchen or in a book.
FireEye Labs recently discovered a malicious phishing domain designed to steal a variety of information – including credentials and mobile numbers – from customers of several banks in India. Currently, we have not observed this domain being used in any campaigns. The phishing websites appear to be in the earlier stages of development and through this post we hope users will be able to identify these types of emerging threats in the future.
FireEye phishing detection technology identified a newly registered domain, “csecurepay[.]com”, that was registered on Oct. 23, 2016. The website purports to offer online payment gateway services, but is actually a phishing website that leads to the capturing of victim logon credentials – and other information – for multiple banks operating in India.
Prior to publication, FireEye notified the Indian Computer Emergency Response Team.
Phishing Template Presentation and Techniques
When navigating to the URL, the domain appears to be a payment gateway and requests that the user enter their bank account number and the amount to be transferred, as seen in Figure 1. The victim is allowed to choose their bank from a list that is provided.
Figure 1: Bank information being requested
By looking at the list, it is clear that only Indian banks are being targeted at this time. A total of 26 banks are available and these are named in the Appendix.
The next website requests the victim to enter their valid 10-digit mobile number and email ID (Figure 2), which makes the website appear more legitimate.
Figure 2: Personal information being requested
The victim will then be redirected to the spoofed online banking page of the bank they selected, which requests that they log in using their user name and password. Figure 3 shows a fake login page for State Bank of India. See the Appendix for more banks that have spoofed login pages.
Figure 3: Fake login page for State Bank of India
After entering their login credentials, the victim will be asked to key in their One Time Password (OTP), as seen in Figure 4.
Figure 4: OTP being requested
Once all of the sensitive data is gathered, a fake failed login message will be displayed to the victim, as seen in Figure 5.
Figure 5: Fake error message being displayed
Credit and Debit Card Phishing Website
Using the registrant information from the csecurepay domain, we found another domain registered by the phisher as “nsecurepay[.]com”. The domain, registered in latest August 2016, aims to steal credit and debit card information.
The following are among the list of cards that are targeted:
1. ICICI Credit Card
2. ICICI Debit Card
3. Visa/Master Credit Card
4. Visa/Master Debit Card
5. SBI Debit Card Only
At the time of this writing, the nsecurepay website was producing errors when redirecting to spoofed credit and debit card pages. Figure 6 shows the front end.
Figure 6: Nsecurepay front end
Phishing has its own development lifecycle. It usually starts off with building the tools and developing the “hooks” for luring victims into providing their financial information. Once the phishing website (or websites) is fully operational, we typically begin to see a wave of phishing emails pointing to it.
In this case, we see that phishing websites have been crafted to spoof multiple banks in India. These attackers can potentially grab sensitive online banking information and other personal data, and even provided support for multifactor authentication and OTP. Moreover, disguising the initial presentation to appear as an online payment gateway service makes the phishing attack seem more legitimate.
FireEye Labs detects this phishing attack and customers will be protected against the usage of these sites in possible future campaigns.
Fake login pages were served for 26 banks. The following is a list of some of the banks:
-Bank of Baroda - Corporate
-Bank of Baroda - Retail
-Bank of Maharashtra
Figure 7: HDFC Bank fake login page
-Jammu and Kashmir Bank
-Lakshmi Vilas Bank - Corporate
-Lakshmi Vilas Bank - Retail
-State Bank of Hyderabad
-State Bank of India
-State Bank of Jaipur
-State Bank of Mysore
-State Bank of Patiala
-State Bank of Bikaner
-State Bank of Travancore
-Tamilnad Mercantile Bank
-United Bank of India