Home » malware

Tag: malware

File Integrity Monitoring Could Save Your Company

File Integrity Monitoring and How It Could Save Your Company

With the increase in data breaches, the data security world is a much scarier place today. According to the most recent stats from ITRC (Identity Theft Resource Center), 2017 was a record breaking year for data breaches, and 2018 is already on pace to be more of the same. So with threats coming left and right, what steps can you take to better protect your assets? Enter File Integrity Monitoring.

Seconds of Damage, Months of Recovery

In many cases, you may not know for a long time you have been compromised. According to CNBC, most companies aren’t aware of a breach until weeks after it has happened. This is likely due to the speed in which the incident occurs. The attacker is there and gone in seconds. Verizon’s 2016 Data Breach Investigations states that 93 percent of cases where data was stolen, systems were compromised in minutes or less, but in over 80 percent of cases, victims didn’t find the breach for weeks or more. This kind of damage to your business and reputation can take months, if not years, to repair.

Hackers Often Leave a Trail

So back to File Integrity Monitoring and why it is so critically important. File Integrity Monitoring (FIM) is the first line of defense of any organization wishing to protect its assets and data. To explain further, once a breach is under way in your network, the attacker will often do one or more of the following.

  • Modify critical systems, application binaries and configuration files
  • Access or modify data files
  • Modify or delete any log data to hide their tracks

The research done by Verizon analyzed more than 100,000 incidents and 2,260 breaches. They found that more than 90 percent of the breaches will fall into this same pattern. By having a FIM system in place, you’ll be able to monitor for these subtle changes and be instantly alerted if any of the above events have been detected.

File Integrity Monitoring Sniffs Out the Breadcrumbs

File Integrity Monitoring is such a valuable tool that we consider it a vital part of the Advanced Security Package. FIM will run every day at an inspection time determined by you and will watch for any changes within your network. A digest of the inspection report can then be emailed to you on a daily or weekly basis. Additionally, another helpful feature is a heatmap data visualization, which helps you quickly assess the state of your network. Events on this heatmap can be filtered by severity in order to help you focus on the most important events in your environment.

You Don’t Need a Fortress

A further quote from the Verizon study really drives this home. “There’s no such thing as an impenetrable system, but often even a half-decent defense will deter many cybercriminals — they’ll move on and look for an easier target. Sadly, many organizations fail to achieve even that modest ambition.”

Sometimes, it’s not about the size of your castle. It’s more about the size of your moat.

Put FIM in Place Today

File Integrity Monitoring is something that is available to all Wind River customers as part of the Advanced Security Package. If you’re interested in learning more or you’re an existing customer looking to get these tools in place, feel free to contact us today. We believe in creating Security First environments and delivering these capabilities in a way that saves you money.

How-Do-I-Protect-Against-Ecommerce-Malware

How Can I Protect Myself From Ecommerce Malware?

In a recent blog post, we discussed your likelihood of suffering a data breach, referencing some of the more recent statistics from the ITRC (Identity Theft Resource Center) 2017 Executive Summary. As the summary points out, data breaches are on the rise, and one of the more insidious methods is through a form of hacking known as ecommerce malware.

Overall, hacking is the number one cause for a data breach, but what exactly is hacking? The term “hacking” is actually an umbrella term that includes breach methods such as phishing, skimming and malware.

Recently, Visa came out with a security bulletin entitled “Protect Against Ecommerce Malware.” While most people are surprised to hear that ecommerce malware is a form of hacking, it is a method that is becoming much more widespread and deadly. This type of malware generally targets the website itself and not the user who visits the website.

Ecommerce malware is like an “online payment data skimmer” designed to capture personal information so it can be used and/or sold illegally. To install the code, the attacker must gain access to your ecommerce server. Most commonly, access is obtained by guessing administrator credentials or using stolen information. That may sound like a tall order until you look further at the ITRC study. Unauthorized Access makes up 10.8% of all breaches.

Additionally, Unauthorized Access can be used for more than just installing ecommerce malware. It can be used for a host of other techniques that cause damage. Between these two reports, it’s becoming even more apparent why you need to have strategies and tools to combat these types of attacks and maintain a Security First mindset.

The best way to fight hackers is by having some ethical hackers on your side. The SpiderLabs team at Trustwave are those ethical hackers. They leverage a Global Threat database and are a significant reason why Trustwave won Best Managed Security Service at the 2017 SC Awards as well as being named a “leader” in Gartner’s Magic Quadrant for Managed Security Services.

Wind River has partnered with Trustwave and the SpiderLabs team to create the Advanced Security Package, a toolkit designed to help our customers be Security First. Web Malware Monitoring and Remote Access Security, two of the 13 tools included in the package, were designed specifically to counter Unauthorized Access and ecommerce malware attacks. If you’d like to learn more, contact us today.

What-Are-My-Odds-of-a-Data-Breach

Seriously, What Are My Odds of a Data Breach?

Unfortunately, your chances of experiencing a data breach are growing each year. In fact, the trends and shifts in awareness pertaining to data security are frightening to watch unfold. I read a recent study that polled adults in the US, UK and Australia that asked if the number of criminals trying to steal personal information is increasing. Not surprisingly, the survey indicated that 85% of respondents felt that it was.

We recently discussed why having a “Security First” mindset and approach is important, and as we look at what is happening with breaches, the importance is highlighted even more.

According to the ITRC (Identity Theft Resource Center), cyberattacks and breaches have grown both in frequency and in the amount of losses sustained. Here are some of the statistics as noted in their 2017 Executive Summary.

  • Breaches again hit a new record in 2017, with 1,579 breaches tracked, up 44.7 percent from 1,091 in 2016, as businesses and government entities move toward timely reporting
  • The number of records exposed rose to about 179 million, compared with 37 million in 2016
  • Businesses saw 870 breaches (55% of the total)
  • Medical/healthcare organizations were affected by 374 breaches (23.7 percent of total breaches)
  • Banking/Credit/Financial saw 134 breaches (8.5%)

For a more detailed breakdown, you can see the year-over-year data breach numbers by sector and category.

Another key statistic from the report indicates that 59.3% of breaches were from hacking. Hacking includes methods such as phishing, malware and skimming.

With the number of breaches increasing and hacking being the number one method, it is clear that one area of your defense strategy needs to focus on identifying and mitigating the damage as quickly as possible.

Part of our “Security First” approach is to help arm all of our customers with additional ways to keep their customer or patient data safe. Our goal this year is to educate our customers about data breach risks and how they can start down the path to be “Security First.” An important component of that process will be encouraging them to take advantage of the security and monitoring tools in our Advanced Security Package.

If you’d like more information about other issues we see becoming more prevalent in the market, feel free to contact us or read about the dangers of ecommerce malware.

Malicious Software Warning from the US Government to All Retailers

It was publically reported yesterday that the U.S. Department of Homeland Security(DHS) warned retailers about a type of malicious software attacking point-of-sales systems, dubbed “Backoff,” that is said to be undetectable by most types of anti-virus software.
“Backoff” is a family of point-of-sale malware first identified in October 2013 with capabilities that include scraping memory for track data, logging keystrokes and injecting malicious stub into explorer.exe files, reported DHS.

The warning also stated that attackers use publicly available tools to find businesses that use remote desktop applications (which offer the user the convenience and efficiency of connecting to a computer from a remote location), then gain access to an administrative account to insert the malware. Once these applications are located, the suspects attempted to brute force the login feature of the remote desktop solution.

After gaining access to what was often administrator or privileged access accounts, the suspects were then able to deploy the point-of-sale (POS) malware and subsequently infiltrate consumer payment data via an encrypted POST request. In other words; It identifies merchants using remote access software and then attempts to brute force (systematically guess) administrative credentials. Once the credentials have been compromised, it installs malware at the POS that then exports credit card data to the bad guys.

The key is to ensure that you are using strong credentials (username/password) particularly if using remote access software which is the attack vector of this malware. The DHS warned that such malware put both the business and consumer at risk, exposing data including names, credit card numbers, email addresses, mailing address and phone numbers.

At the time of discovery and analysis, the malware variants had low to 0% anti-virus detection rates, which means that fully updated anti-virus engines on fully patched computers could not identify the malware as malicious!

To quote the Department of Homeland Security directly, they warn “These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or risk compromise of bank accounts.”

**Again, the moral of the story/warning is to ensure that you are using strong credentials (username/password) particularly if using remote access software which is the attack vector of this malware.

Visa Issues Malware Alert

Visa recently released the specific malware alert shown below that primarily effects integrated POS systems. It includes information on how to potentially identify this specific malware within IT networks.

Primary audience: IT, Information Security, Incident Response

 

Summary

Chewbacca is a relatively new variation of malware (Trojan.Win32.Fsysna.fej) targeting Point of Sale (POS) systems that run on Microsoft Windows. Chewbacca utilizes keylogger and memory scraping/parsing functionality. The malware is privately utilized, meaning that it is not currently distributed through online criminal forums and therefore is not known to be widely available. Since approximately October 2013, the malware has been linked to several dozen merchant compromises.
Distribution and Installation
Since the Chewbacca malware is private at the moment (i.e. being used by a limited number of criminals), it is not yet clear how the malware is disseminated or what the total potential number of victims may be. Analysis of current samples indicates that the Chewbacca malware installs a copy of itself in the Windows startup folder, as a file named “spoolsv.exe.” Clearly, the file name disguises the Trojan as a Windows Print Spooler service executable, and placement in the Startup folder causes it to run automatically at Windows startup. It should be noted that unlike some malware, Chewbacca currently has no persistence mechanism and thus deleting the malicious spoolsv.exe executable and rebooting the infected machine will remove the malware.

Data-stealing capability
Chewbacca features two distinct data-stealing mechanisms: a generic keylogger and a memory scanner designed to specifically target POS systems. The memory scanner dumps a copy of a running process’s memory and searches it using simple regular expressions for credit and debit card magnetic stripe data (track 1 and track 2). If a card number is found, the malware extracts it and enters it into a log. Extracted magnetic stripe data is stored within the “system.log” file inside the user’s %temp% folder.

Network traversal and data exfiltration
One of the important innovations associated with the Chewbacca malware is that communication between an infected machine and the Command and Control (C2) server is handled through the TOR (The Onion Router) network. Using a network of encrypted relay systems, it is designed to conceal a user’s identity along with the contents of his communications. Tor often communicates over TCP 443 and it can be difficult to distinguish from normal TLS network traffic. All communications are encrypted, concealing the real IP address of the malware’s C2 server(s), which makes network detection more difficult.

For Chewbacca to function properly on the TOR network, it requires a TOR proxy application, which is installed on the infected machine. It is here, on the POS system, where the best opportunity for detection exists. In addition to identifying the TOR client application itself (tor.exe) on a POS system, it is possible to detect TOR running on a Windows system by issuing “netstat –nt” from a Windows command prompt. Look for the TOR listener, typically running on TCP 9050.

Mitigation
Visa requires participants in the payment system to comply with all PCI-DSS requirements and we recommend taking the following preventative steps to address this specific threat:

• Prevent the use of TOR on POS systems. This can be done by adding TOR and its components (Tor, Vidalia, TOR Browser) to antivirus solutions and application blacklisting controls. Network filtering, particularly outbound traffic from POS systems, can also be used to disable the malware’s ability to exfiltrate data.

• Control the Windows Administrator account. Data-stealing malware (like Chewbacca) requires Administrator-level permission in order to perform memory-scanning and key logging functions. Make it more difficult for malware to gain Administrative privileges.

• Assign a strong password for all accounts on the POS system.

• Create a unique local Administrator password for each and every POS system.

• Do not allow users to be local Administrators on a POS system.

• Change password frequently (at least every 90 days).

• Ensure the POS system functions as a single purpose machine. To reduce the risk of malicious software infection, disallow all applications and services (i.e. Internet browsers, email clients) that are not directly required as part of the POS’s core functionality in processing payments.

• Keep operating system patch levels up to date. For Windows, this means ensuring Windows Update is functioning and automatically applying monthly security patches.

• Restrict permissions on Windows file sharing or disable file sharing altogether. Unless absolutely necessary, Visa recommends disabling file sharing on POS systems. Microsoft has published instructions on how to disable simple file sharing and set permissions on shared folders.

Technical Threat Indicators
IOC
Type
Notes
%ALLUSERSPROFILE%\Start Menu\Programs\startup \spoolsv.exe
Filename
Attempt by the actors to hide the malware as a standard printer spooler application
%TEMP%\system.log
Filename
After installation, the key logger creates this file, logging keyboard events and windows focus changes
ekiga.net
Domain
Spoolsv.exe requests the public IP of the victim via a publicly accessible service at hxxp://ekiga.net/ip (which is not related to the malware)
86.64.162.35
IP
ekiga[.net] resolves to this IP. This is a legitimate service utilized by the malware to request the public IP of the victim
Mozilla / 4.0 (compatible; Synapse)
Non-Standard User Agent
Upon execution Chewbacca performs an external IP lookup by doing a GET request to ekiga[.]net, a legitimate service that replies with the IP address the request is sent from. The GET request is constructed with a non-standard User-Agent.
%TEMP%\tor.exe
Filename
Tor v0.2.3.25 is dropped as “tor.exe” to the user’s Temp and runs with a default listing on “localhost:9050”
5ji235jysrvwfgmb.onion
C2
Chewbacca performs a memory scan on running processes with the following regular expressions and uploads the results via hxxp://ji235jysrvwfgmb.onion/recvdata.php
21f8b9d9a6fa3a0cd3a3f0644636bf09
MD5
Chewbacca binary is a PE32 executable compiled with Free Pascal 2.7.1 (the version dated 22.10.2013). The 5 MB file contains Tor 0.2.3.25 as well.
0392f25130ce88fdee482b771e38a3eaae90f3e2
SHA1
Chewbacca binary is a PE32 executable compiled with Free Pascal 2.7.1 (the version dated 22.10.2013). The 5 MB file contains Tor 0.2.3.25 as well.
31d4e1b2e67706fda51633b450b280554c0c4eb595b3a0606ef4ab8421a04dc9
SHA256
Chewbacca binary is a PE32 executable compiled with Free Pascal 2.7.1 (the version dated 22.10.2013). The 5 MB file contains Tor 0.2.3.25 as well.
Additional Resources
This malware targets Windows-based POS systems, including Windows XP. It should be noted that Microsoft’s support ends in April 2014 for Windows XP and January 2016 for Windows XP Embedded operating systems. POS applications built on these platforms will be placed at increased risk.

To report a data breach, contact Visa Fraud Control:
• USFraudControl@visa.com

For more information, please contact Visa Risk Management: cisp@visa.com