Dyre Wolf

Dyre Wolf is an ongoing and complex attack that combines multiple types of attacks into one large scam that has managed to make the attackers millions of dollars from companies. The attack consists of an initial spear phishing attack on a company. Contained within the email is an installer that will install the program upatre that is commonly disguised as pdf or some other file type. Once installed the attacker is allowed access to the computer by the installed software. The attacker installs Dyre onto the victims computer which allows the attacker to modify information when he chooses. The attack really ramps up when the victim goes to log into the bank. Dyre allows the attacker to modify the page returned to show a fake phone number and a message telling the user to call the number to resolve the issues. At this point it is up to the attacker to use social engineering to coerce the proper banking information out of the user. Once this happens the attacker will go and transfer the money to an account that is offshore commonly. Then the attacker will run a DDoS attack against the company to try and throw the company off from what happened and slow the companies ability to figure out who the attacker was.

Some steps to help prevent this would include making sure that people know to report anything that seems suspicious. Run mock phishing attacks against your users to help train them to look for the suspicious emails.

Samuel Mosher

http://securityintelligence.com/dyre-wolf/#.VTVUByFVhBc

http://phishme.com/evolution-upatre-dyre/

Android SMS Malware

According to SOPHOS’ ‘naked security’ blog, there are fake Android Applications making the rounds, which uses SMS (Text messages) to act similarly to a worm and infect as many people as possible. Applications such as ‘Heart App’ and ‘Self-time’ have been discussed and fixed previously, but the most recent malicious app (as of March 6th) goes by the name Gazon.

So how does one become infected by Gazon? It starts with having a friend (or other contact) that has been infected with it already. You would receive an SMS from this person which would contain an introduction, some message stating that they are sending you an amazon gift card, followed by a ‘link’ to where you can claim it. These links are usually obscured by URL shortening services such as Bitly, so they generally wouldn’t look like a normal domain name. If you were to follow this link, it would direct you to download and install Gazon, masquerading as an Amazon Rewards Application. Upon downloading and running this app, every contact that a user has becomes a viable target, as Gazon doesn’t limit itself to the amount contacts it will attempt to reach like Heart App and Self-time do. On top of this, pop-up ads will be displayed when using browsers, advertising games, vouchers and rewards (according to the article).

There are two things that I find interesting about this ordeal. The first is that this this app is not certified by Google, and thus does not appear on the Google Play store. The only way that this app can spread is through SMS, meaning that if you’ve ever gotten a message similar to this, than one of your contacts has fallen for this tactic and downloaded it. Furthermore, I could not find an ‘Amazon Rewards’ app on the Google Play store, legitimate or otherwise, meaning that its likely no such application exists. The second thing that I found interesting is how many ways that infection could be avoided with this app, which are not taken by the victims. For example, simply responding to the message by asking the contact what its all about would likely result in the contact confirming its spam. Similarly, someone upon being prompted to download the app could look it up on Google Play to check its legitimacy, and find that it is not legitimate. However, neither of these actions are taken, and thus the worm has proceeded to spread quickly.

The author of the malicious app has yet to be identified. Previous iterations of these kinds have apps are able to be tracked, such as the Heart App which was traced to a bored Chinese college student, but it depends on how well the authors are attempting to stay hidden. On that note the Self-time App, which is close to half a year old at this point, still has not been traced to any definitive creator.

Written By Jeff Gruttadauria

Articles Used:

https://nakedsecurity.sophos.com/2015/03/06/gazon-android-virus-smses-everyone/

https://nakedsecurity.sophos.com/2014/06/29/anatomy-of-an-android-sms-virus-watch-out-for-text-messages-even-from-your-friends/

https://nakedsecurity.sophos.com/2014/08/11/android-heart-app-virus-spreads-quickly-author-arrested-within-17-hours/

Tabloid Phone Hacking

Scores of celebrities are claiming damages from Mirror Group Newspapers resulting from phone and voice mail hacking incidents.  Address books, messages, and voice mails were stolen, and stories were published using the information.  Four Sunday Mirror journalists have been arrested, and in November of 2014, former Sunday Mirror investigations editor Graham Johnson pleaded guilty to intercepting voicemail messages.  He was the second Mirror Group Newspapers journalist to admit to phone hacking.

In September of 2014 the owner and publisher of the Daily Mirror and the Sunday Mirror, Trinity Mirror admitted that some of its “journalists” had been involved in phone hacking, and apologized for the unlawful activity.  MGM also printed the following apology:

“It was unlawful and should never have happened, and fell far below the standards our readers expect and deserve.  We are taking this opportunity to give every victim a sincere apology for what happened.”

MGN has informed its shareholders that it would set aside funds to pay for the cost of settling phone hacking claims as costs have exceeded initial estimates.  Both criminal and civil penalties are expected.

As I dug into this story I found that this was more widespread.  It would appear that journalists began to rely on phone hacking to make news throughout the 2000s.  Several resources were used including black hat hackers and private investigators.  One journalist admitted to hacking one hundred celebrities every day for eighteen months.

http://www.bbc.com/news/uk-england-24059941

http://en.wikipedia.org/wiki/List_of_alleged_victims_of_the_News_International_phone_hacking_scandal

Bill Edwards

Phishing Leads to Man-In-The-Middle Attacks

Krebs on Security reported that a security company called Proofpoint had detected a 4 week-long targeted phishing campaign against customers of one of Brazil’s largest ISPs who use two routers (UTStarcom and TP-Link) that are commonly used on that ISP. The emails pretended to be an account/billing message from the ISP with a link to a fake site that looked like the ISP’s site. The fake site used a cross-site request forgery exploit to start a brute force attack against the victim’s router administrator login page using default usernames and passwords for the two brands of routers. Once the script had successfully logged in it would change the router’s primary DNS (Dynamic Name Server) address to the criminal’s own malicious DNS. This allows the crooks to monitor all web traffic, hi-jack search results and redirect the victim from legitimate sites to look-alike spoofs that steal authentication credentials and sensitive data like usernames, passwords and credit card info. This could also lead to the installation of other malware.

dnshijack-600x162
I
mage of malicious iframe scripts used to hi-jack the router and DNS

This type of  attack is especially dangerous because it can bypass antivirus and security tool detection and can even lead to the router and hosts becoming part of a bot-net.

The important take away from this attack is that users need to change the default usernames and passwords on their routers and take precautions against falling victim to phishing attacks.

Sources:
http://krebsonsecurity.com/2015/02/spam-uses-default-passwords-to-hack-routers/
https://www.proofpoint.com/us/threat-insight/post/Phish-Pharm

Author: Charles Leavitt

Attack on German Industrial Plant Reminiscent of Stuxnet

On December 17th, 2014, the German Federal Office for Information Security reported on an attack on an industrial iron plant. The official report explained that through targeted email phishing and subsequent social engineering, attackers were able to gain access to the plant’s outward Windows-based system. From there, attackers were able to access production networks and cause serious issues with system controls, resulting in furnaces being unable to shut down properly and causing serious damage to the entire system.

This attack shares many similarities with the Stuxnet worm, which caused issues with a number of Iranian nuclear plants in June 2010. The worm, which the US and Israel have since claimed credit for, was typically installed via an infected flash drive. Using four different zero-day exploits, Stuxnet would propagate and conceal itself throughout the network, searching for compromised control units and modifying their code whenever possible. Stuxnet caused irreparable damage to the uranium refinement centrifuges of over one fifth of Iran’s nuclear plants before being resolved.

German officials say they do not know the reason behind this attack at present, but that they are investing this and a number of related incidents thoroughly. A number of security experts note that an official statement about an attack of this magnitude is uncommon, and may indicate a paradigm shift in the way governments handle cyber-to-physical attacks.

– Jacob Ryder

Sources: