Is "Xmaker" the new “TrickLoader”?
Overview During November of 2015, the Dyre banking Trojan, which was very prolific at the time and targeted countless financial institutions worldwide, vanished from the wild almost overnight. It was only during February of 2016 that the announcement was made that Russian authorities had arrested most of the gang that was operating the Dyre banking Trojan. (Reference: http://www.reuters.com/article/us-cybercrime-russia-dyre-exclusive-idUSKCN0VE2QS) Since then, nothing was heard from the actors behind Dyre, but it has been speculated that members of the Dyre gang which managed to avoid arrest by the Russian authorities have been integrated into other cybercrime gangs. During September of 2016 a new breed Malware has surfaced, calling itself “TrickBot”, which shares some similarities with Dyre. Among these similarities are a similar loader, similar encryption and decryption routines, and similar structure of the configuration files. (Reference: http://www.threatgeek.com/2016/10/trickbot-the-dyre-connection.html) However, it is lacking Dyre’s extensive Command and Control infrastructure, it’s also missing some of the modules that were present in Dyre such as SOCKS and VNC, and the coding style looks different from Dyre’s. TrickBot still appears to be a work-in-progress, doing little to hide its presence on an infected system. One interesting fact is that trickbot’s requests to its C2 servers contain easily identifiable User-Agent strings such as “TrickLoader” and “BotLoader”: (Example: https://www.reverse.it/sample/2c4eab037c37b55780cce28e48d930faa60879045208ae4b64631bb7a2f4cb2a?lang=en#http-traffic ) TrickBot’s Configuration and capability changes During the past few months trickbot is evolving rapidly add constantly adding capabilities, targeted entities, and upgrading its version number. Version 1000002: Initial samples of trickbot started to surface in Virus Total at around august 2016: Related md5s: · 38503c00be6b7f7eeb5076c0bd071b4c · bf621ef7e98047fea8c221e17c1837b8 · 0804499dba4090c439e580f5693660e0 · e4a8dc8fd08d4f65a68d0a40e2190c70 On the 15 th of October 2016, Fidelis Threat Researcher Jason Reaves publishes an analysis of the new trickbot malware. The analyzed sample was shown to be version 1000002: http://www.threatgeek.com/2016/10/trickbot-the-dyre-connection.html this version included the following “modules”: · systeminfo – responsible for grabbing system data · injectDll32 – responsible for browser injections The only method of injection in this version was “dynamic injects” which was implemented in a very similar to Dyre’s dynamic (“server side”) injects - https://devcentral.f5.com/s/articles/dyre-presents-server-side-web-injects Version 1000003: On the 24 th of October 2016, Independent Researcher @hasherezade published a detailed analysis of the trickbot malware which has advanced it's configuration to version 1000003: https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/ On the 25 th of October 2016, ASERT analysts publish insights regarding the methodologies used to initially distribute TrickBot: https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/ Version 1000005: On the 7 th of November 2016, F5 Researchers Julia Karpin, Shaul Vilkomir-Preisman, and Anna Dorfman report updates to trickbot, which advanced to version 1000005: https://f5.com/about-us/news/articles/little-trickbot-growing-up-new-campaign-22790 The new version added new targeted entities, modified the configuration structure, and added a new method of browsers injections - static injects (AKA "redirects") which again, is very similar to Dyre’s static injects. Version 1000007: Version 1000007 of trickbot expanded its target list a bit more as described here: https://f5.com/about-us/news/articles/trickbot-now-targeting-german-banking-group-sparkassen-finanzgruppe-23630 Version 1000009: On the 30 th of November 2016, Version 1000009 of trickbot adds a new "mailsearcher" module: This new module has its own configuration settings: And its own C2 server IP address: The main functionality of the mailsearcher module is: · Traversal over all files in all drives in the system · Comparing their file extensions to the following list: · Creating an http connection with the user agent “KEFIR!” · Sending information over that connection in the following URL format: IP-ADDRESS/GROUP-ID/CLIENT-ID/send/ (client-id information was stripped out in this screenshot) Additionally, it changed its User-Agent header from "TrickLoader" and “BotLoader” to "Xmaker": (client-id information was stripped out in this screenshot) Another example of the changed User-Agent header can be seen here: (Example: https://www.hybrid-analysis.com/sample/3bf7d98b2fede6512fa2f5d5423a3e3b93a2ed357d2112bcadde751765bdb505?environmentId=100&lang=en#http-traffic ) On the 5 th of December 2016, Version 1000009 of trickbot adds a few more targets to its static inject ("redirects") targeted entity list. Shifting from the initial focus on dynamic injections to redirect attacks. This is an interesting shift, as the Dyre Malware had the opposite shift while it was active (it first introduced static injections and only after it shifted to dynamic injections) Related md5s: · 46ffaa075dd586a6f93a4d26a2431355 · 1c8ea23e2892c4c7155c9f976c6e661d · 26992865a2ae96ed48df8ddfc7223a13 Version 1000010: On the 6 th of December 2016, Version 1000010 of TrickBot several more previously untargeted banks in Australia and New Zealand, as well as several Singapore banks to target list – which were not previously targeted at all. This version also adds an Indian bank to the target list – again, previously not targeted at all. Related md5: · 52cab07e1a41e68bd2793a37ba04d270 Conclusion TrickBot is an example of a malware which is currently in an active development mode, and is constantly changing and adding capabilities. Its Authors are clearly trying to replicate Dyre’s capabilities and structure. We suggest to keep a close eye on its evolvements and prepare ourselves to the threats that is may pose to the security of our users.Complying with PCI DSS–Part 1: Build and Maintain a Secure Network
According to the PCI SSC, there are 12 PCI DSS requirements that satisfy a variety of security goals. Areas of focus include building and maintaining a secure network, protecting stored cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining information security policies. The essential framework of the PCI DSS encompasses assessment, remediation, and reporting. Over the next several blogs, we’ll explore how F5 can help organizations gain or maintain compliance. Today is Build and Maintain a Secure Network which includes PCI Requirements 1 and 2. PCI DSS Quick Reference Guide, October 2010 The PCI DSS requirements apply to all “system components,” which are defined as any network component, server, or application included in, or connected to, the cardholder data environment. Network components include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP servers. Applications include all purchased and custom applications, including internal and external web applications. The cardholder data environment is a combination of all the system components that come together to store and provide access to sensitive user financial information. F5 can help with all of the core PCI DSS areas and 10 of its 12 requirements. Requirement 1: Install and maintain a firewall and router configuration to protect cardholder data. PCI DSS Quick Reference Guide description: Firewalls are devices that control computer traffic allowed into and out of an organization’s network, and into sensitive areas within its internal network. Firewall functionality may also appear in other system components. Routers are hardware or software that connects two or more networks. All such devices are in scope for assessment of Requirement 1 if used within the cardholder data environment. All systems must be protected from unauthorized access from the Internet, whether via e-commerce, employees’ remote desktop browsers, or employee email access. Often, seemingly insignificant paths to and from the Internet can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network. Solution: F5 BIG-IP products provide strategic points of control within the Application Delivery Network (ADN) to enable truly secure networking across all systems and network and application protocols. The BIG-IP platform provides a unified view of layers 3 through 7 for both general reporting and alerts and those required by ICSA Labs, as well as for integration with products from security information and event management (SIEM) vendors. BIG-IP Local Traffic Manager (LTM) offers native, high-performance firewall services to protect the entire infrastructure. BIG-IP LTM is a purpose-built, high-performance Application Delivery Controller (ADC) designed to protect Internet data centers. In many instances, BIG-IP LTM can replace an existing firewall while also offering scalability, performance, and persistence. Running on an F5 VIPRION chassis, BIG-IP LTM can manage up to 48 million concurrent connections and 72 Gbps of throughput with various timeout behaviors and buffer sizes when under attack. It protects UDP, TCP, SIP, DNS, HTTP, SSL, and other network attack targets while delivering uninterrupted service for legitimate connections. The BIG-IP platform, which offers a unique Layer 2–7 security architecture and full packet inspection, is an ICSA Labs Certified Network Firewall. Replacing stateful firewall services with BIG-IP LTM in the data center architecture Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters. PCI DSS Quick Reference Guide description: The easiest way for a hacker to access your internal network is to try default passwords or exploits based on the default system software settings in your payment card infrastructure. Far too often, merchants do not change default passwords or settings upon deployment. This is akin to leaving your store physically unlocked when you go home for the night. Default passwords and settings for most network devices are widely known. This information, combined with hacker tools that show what devices are on your network, can make unauthorized entry a simple task if you have failed to change the defaults. Solution: All F5 products allow full access for administrators to change all forms of access and service authentication credentials, including administrator passwords, application service passwords, and system monitoring passwords (such as SNMP). Products such as BIG-IP Access Policy Manager (APM) and BIG-IP Edge Gateway limit remote connectivity to only a GUI and can enforce two-factor authentication, allowing tighter control over authenticated entry points. The BIG-IP platform allows the administrator to open up specific access points to be fitted into an existing secure network. BIG-IP APM and BIG-IP Edge Gateway offer secure, role-based administration (SSL/TLS and SSH protocols) and virtualization for designated access rights on a per-user or per-group basis. Secure Vault, a hardware-secured encrypted storage system introduced in BIG-IP version 9.4.5, protects critical data using a hardware-based key that does not reside on the appliance’s file system. In BIG-IP v11, companies have the option of securing their cryptographic keys in hardware, such as a FIPS card, rather than encrypted on the BIG-IP hard drive. The Secure Vault feature can also encrypt certificate passwords for enhanced certificate and key protection in environments where FIPS 140-2 hardware support is not required, but additional physical and role-based protection is preferred. Secure Vault encryption may also be desirable when deploying the virtual editions of BIG-IP products, which do not support key encryption on hardware. Next: Protect Cardholder Data psComplying with PCI DSS–Part 5: Regularly Monitor and Test Networks
According to the PCI SSC, there are 12 PCI DSS requirements that satisfy a variety of security goals. Areas of focus include building and maintaining a secure network, protecting stored cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining information security policies. The essential framework of the PCI DSS encompasses assessment, remediation, and reporting. We’re exploring how F5 can help organizations gain or maintain compliance and today is Regularly Monitor and Test Networks which includes PCI Requirements 10 and 11. To read Part 1, click: Complying with PCI DSS–Part 1: Build and Maintain a Secure Network, Part 2:Complying with PCI DSS–Part 2: Protect Cardholder Data, Part 3: Complying with PCI DSS–Part 3: Maintain a Vulnerability Management Program and Part 4: Complying with PCI DSS–Part 4: Implement Strong Access Control Measures. Requirement 10: Track and monitor all access to network resources and cardholder data. PCI DSS Quick Reference Guide description: Logging mechanisms and the ability to track user activities are critical for effective forensics and vulnerability management. The presence of logs in all environments allows thorough tracking and analysis if something goes wrong. Determining the cause of a compromise is very difficult without system activity logs. Solution: The spirit of this requirement is to ensure appropriate systems generate logs, with implementation and monitoring of log aggregation and correlation systems. The ability to monitor and log all user sessions and requests for access to sensitive information, such as cardholder data and Social Security numbers, is critical to any security environment. F5 offers a suite of solutions that are session-based, not packet-based. With this full reverse proxy architecture, the BIG-IP platform has the ability to manage full user sessions, regardless of the transport mechanism or network, and match those user sessions to specific data actions, supplying log data and a full audit trail from the user to the data. This allows F5 application security devices to ensure the confidentiality, integrity, and availability of all application data on the network. All F5 products support remote logging, allowing logs to be pushed to secure networks and devices for archiving. In addition, the TMOS architecture can manage isolated, secure logging networks in conjunction with the application networks, using features such as mirrored ports, VLANs, and virtualized administrative access. Protecting network resources and application data 24 hours a day, seven days a week, without affecting network performance, is a core function and the foundation of all F5 security products. Requirement 11: Regularly test security systems and processes. PCI DSS Quick Reference Guide description: Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security is maintained over time. Testing of security controls is especially important for any environmental changes such as deploying new software or changing system configuration. Solution: The spirit of this requirement is to ensure that the complying organization itself tests its security system and processes. Since F5 does not offer a penetration testing service, this is one of just two PCI DSS requirements that F5 products cannot significantly address. Next: Maintain an Information Security Policy psComplying with PCI DSS–Part 3: Maintain a Vulnerability Management Program
According to the PCI SSC, there are 12 PCI DSS requirements that satisfy a variety of security goals. Areas of focus include building and maintaining a secure network, protecting stored cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining information security policies. The essential framework of the PCI DSS encompasses assessment, remediation, and reporting. We’re exploring how F5 can help organizations gain or maintain compliance and today is Maintain a Vulnerability Management Program which includes PCI Requirements 5 and 6. To read Part 1, click: Complying with PCI DSS–Part 1: Build and Maintain a Secure Network and Part 2: Complying with PCI DSS–Part 2: Protect Cardholder Data Requirement 5: Use and regularly update antivirus software or programs. PCI DSS Quick Reference Guide description: Vulnerability management is the process of systematically and continuously finding weaknesses in an entity’s payment card infrastructure system. This includes security procedures, system design, implementation, or internal controls that could be exploited to violate system security policy. Solution: With BIG-IP APM and BIG-IP Edge Gateway, F5 provides the ability to scan any remote device or internal system to ensure that an updated antivirus package is running prior to permitting a connection to the network. Once connections are made, BIG-IP APM and BIG-IP Edge Gateway continually monitor the user connections for a vulnerable state change, and if one is detected, can quarantine the user on the fly into a safe, secure, and isolated network. Remediation services can include a URL redirect to an antivirus update server. For application servers in the data center, BIG-IP products can communicate with existing network security and monitoring tools. If an application server is found to be vulnerable or compromised, that device can be automatically quarantined or removed from the service pool. With BIG-IP ASM, file uploads can be extracted from requests and transferred over iCAP to a central antivirus (AV) scanner. If a file infection is detected, BIG-IP ASM will drop that request, making sure the file doesn’t reach the web server. Requirement 6: Develop and maintain secure systems and applications. PCI DSS Quick Reference Guide description: Security vulnerabilities in systems and applications may allow criminals to access PAN and other cardholder data. Many of these vulnerabilities are eliminated by installing vendor-provided security patches, which perform a quick-repair job for a specific piece of programming code. All critical systems must have the most recently released software patches to prevent exploitation. Entities should apply patches to less-critical systems as soon as possible, based on a risk-based vulnerability management program. Secure coding practices for developing applications, change control procedures, and other secure software development practices should always be followed. Solution: Requirements 6.1 through 6.5 deal with secure coding and application development; risk analysis, assessment, and mitigation; patching; and change control. Requirement 6.6 states: “Ensure all public-facing web applications are protected against known attacks, either by performing code vulnerability reviews at least annually or by installing a web application firewall in front of public-facing web applications.” This requirement can be easily met with BIG-IP ASM, which is a leading web application firewall (WAF) offering protection for vulnerable web applications. Using both a positive security model for dynamic application protection and a strong, signature-based negative security model, BIG-IP ASM provides application-layer protection against both targeted and generalized application attacks. It also protects against the Open Web Application Security Project (OWASP) Top Ten vulnerabilities and threats on the Web Application Security Consortium’s (WASC) Threat Classification lists. To assess a web application’s vulnerability, most organizations turn to a vulnerability scanner. The scanning schedule might depend on a change in control, as when an application is initially being deployed, or other triggers such as a quarterly report. The vulnerability scanner scours the web application, and in some cases actually attempts potential attacks, to generate a report indicating all possible vulnerabilities. This gives the administrator managing the web security devices a clear view of all exposed areas and potential threats to the website. Such a report is a moment-in time assessment and might not result in full application coverage, but should give administrators a clear picture of their web application security posture. It includes information about coding errors, weak authentication mechanisms, fields or parameters that query the database directly, or other vulnerabilities that provide unauthorized access to information, sensitive or not. Otherwise, many of these vulnerabilities would need to be manually re-coded or manually added to the WAF policy—both expensive undertakings. Simply having the vulnerability report, while beneficial, doesn’t make a web application secure. The real value of the report lies in how it enables an organization to determine the risk level and how best to mitigate the risk. Since recoding an application is expensive and time-consuming and may generate even more errors, many organizations deploy a WAF like BIG-IP ASM. A WAF enables an organization to protect its web applications by virtually patching the open vulnerabilities until developers have an opportunity to properly close the hole. Often, organizations use the vulnerability scanner report to either tighten or initially generate a WAF policy. While finding vulnerabilities helps organizations understand their exposure, they must also have the ability to quickly mitigate those vulnerabilities to greatly reduce the risk of application exploits. The longer an application remains vulnerable, the more likely it is to be compromised. For cloud deployments, BIG-IP ASM Virtual Edition (VE) delivers the same functionality as the physical edition and helps companies maintain compliance, including compliance with PCI DSS, when they deploy applications in the cloud. If an application vulnerability is discovered, BIG-IP ASM VE can quickly be deployed in a cloud environment, enabling organizations to immediately patch vulnerabilities virtually until the development team can permanently fix the application. Additionally, organizations are often unable to fix applications developed by third parties, and this lack of control prevents many of them from considering cloud deployments. But with BIG-IP ASM VE, organizations have full control over securing their cloud infrastructure. BIG-IP ASM version 11.1 includes integration with IBM Rational AppScan, Cenzic Hailstorm, QualysGuard WAS, and WhiteHat Sentinel, making BIG-IP ASM the most advanced vulnerability assessment and application protection on the market. In addition, administrators can better create and enforce policies with information about attack patterns from a grouping of violations or otherwise correlated incidents. In this way, BIG-IP ASM protects the applications between scanning and patching cycles and against zero-day attacks that signature-based scanners won’t find. Both are critical in creating a secure Application Delivery Network. BIG-IP ASM also makes it easy to understand where organizations stand relative to PCI DSS compliance. With the BIG-IP ASM PCI Compliance Report, organizations can quickly see each security measure required to comply with PCI DSS 2.0 and understand which measures are or are not relevant to BIG-IP ASM functions. For relevant security measures, the report indicates whether the organization’s BIG-IP ASM appliance complies with PCI DSS 2.0. For security measures that are not relevant to BIG-IP ASM, the report explains what action to take to achieve PCI DSS 2.0 compliance. BIG-IP ASM PCI Compliance Report Finally, with the unique F5 iHealth system, organizations can analyze the configuration of their BIG-IP products to identify any critical patches or security updates that may be necessary. Next: Implement Strong Access Control Measures psIdentity Theft Roundup
I’m on a ID fraud kick lately and there are quite a few stories of late about identity theft. Here are just a few: House Approves Red Flags Exemptions – In January 2008, the Red Flag Rule went into existence which said that organizations (mainly banks and financial institutions) that extend credit to have a written Identity Theft Prevention Program designed to detect identity fraud on a day to day basis. This new bill would except certain businesses like physicians and hospitals from having to abide by the rule. Sen. Dodd (D-Conn) said that the bill, ‘makes clear that lawyers, doctors, dentists, orthodontists, pharmacists, veterinarians, accountants, nurse practitioners, social workers, other types of healthcare providers and other service providers will no longer be classified as 'creditors' for the purposes of the Red Flags Rule just because they do not receive payment in full from their clients at the time they provide their services, when they don't offer or maintain accounts that pose a reasonably foreseeable risk of identity theft.’ So if you don’t have a foreseeable risk of ID theft, I guess you don’t have to pay attention. Minn. man pleads guilty in ND identity-theft case – 20 felonies, 19 counts of ID theft, 1 theft charge and a 28 year old only gets a year in jail and 5 years probation. He stole the SSN and names of 49 people. Military at high risk for identity theft – Did you know that military personnel are required to use their SSN for silly things like checking out a basketball at a gym or to identify their laundry bag? I didn’t and it is becoming a problem since most locations do not take ‘care’ of that personal info. Fla woman stole identity, paid for breast implants – You might remember this one where a woman in Miami stole someone’s identity and used fake credit cards to get her fake, well, you know. She also racked up $20,000 in new furniture. She got 30 months in a federal pen for that one. If you were wondering, she said she needed them since her old ones were giving her breathing problems. Kent couple arrested for identity theft, prescription forgeries – While investigating a prescription forgery ring, Kent Police uncovered a nice little counterfeiting operation run out of an apartment building. Since the suspect was a convicted felon with a firearm, SWAT arrived and took the couple without incident. Wait, fake prescriptions here and a new law that says medical facilities can pass on Red Flag? Hum. Man arrested in financial identity theft – It’s not just strangers getting hit – here a 20 year old opened a credit card account in his grandparent’s names and just added himself as an authorized user. $4000 worth of cigs, alcohol and electronic equipment later, he was in jail. Queens D.A. Warns: Beware New ID Theft – At least in New York, thieves are using what’s called a ‘spoof card’ to get personal information. Spoof cards are like calling cards but allows the caller to enter whatever number they want on the receiver’s caller ID. Oh, a call from the bank. They act/sound all authoritative on the phone and people spill the info. This is a great opportunity to turn the tables – ask the caller to validate a piece of information. To validate the caller, ask a couple questions that the bank usually asks you like, last transaction or first dog’s name. Or, just say, ‘I’ll call you back at the number on your web site.’ ID theft alleged at Libertyville driver's license facility – A 22 year employee at an Illinois driver’s license facility gets caught giving other’s personal information to thieves. Those thieves then opened credit card accounts with the info. He’s facing 3 years in prison but shows just how slippery your personal info is in the hands of others. More to come… ps twitter: @psilvasThe New Wallet: Is it Dumb to Carry a Smartphone?
When I was a teenager, I used to have one of those cool nylon surfer wallets with the Velcro close, you remember those don’t ya? While pumping diesel (had a VW Rabbit) one day at an old Gulf station, I left the wallet on top of the car and drove off. Realizing that my wallet was not snug in the sun visor when I got home, I retraced my path and found it - parts of it - scattered all over Route 1. Luckily, I got most of my belongings back but had that sickened feeling of almost losing my most precious possession at the time, my fake I……um, my driver’s license. I then got a leather wallet and shoved so many things in there I could have been mistaken for George Costanza, not to mention the hole that evolved right at the bottom point of my back pocket. Not liking the bump on my butt, I eventually moved to ‘money-clip’ type holders, you know those money holder things you carry in your front pocket. I felt ‘safer’ knowing it was in my front pocket and I only carried the essentials that I needed, rather than the reams of receipts I’d have in my wallet. When I was younger, I’d use tie clips, metal binder clips, and other things until I got a nice Harley-Davidson one which holds credit cards and clips currency. I’d still feel sick if I lost it however. Not having a wallet, purse, money clip or other currency container at all, may eventually be our new reality. You see, our smartphones are starting to carry all that digital information for us and according to a recent CNNMoney article, our smartphones are becoming one of our most dangerous possessions. We can do banking, make payments, transfer money, use the phone for loyalty card swipes along with credit card transactions. At the same time, mobile users more vulnerable to phishing attacks, some banking apps for Android, iPhone expose sensitive info, Android Trojan Emerges In U.S. Download Sites and how IPv6: Smartphones compromise users' privacy. We knew it would eventually happen but the crooks are now adapting to the explosive mobile growth, the rise of mobile banking and our never ending connection to the internet. Don’t get me wrong, like many of you, I love having email, contacts, calendar and entertainment at my fingertips along with the convenience of having all my stuff with me; but the chances of losing much more greatly increase since you have the equivalent, or even more, of all your credit cards, personal and private information and other sensitive stuff right on your smartphone. Sure there are backup programs but how many of you actually backup your computer on a weekly basis? How many have wipe or lock software installed to destroy everything on the smartphone if it is stolen? How many have tracking software if it is lost? How many have your actual home address in the GPS navigator so the offender can find where you live and visit while you are away? How many have sensitive corporate information stored on the smartphone since you use it for both personal and business use? Now I’m starting to spook myself. Many people will willingly trade some personal info for personal convenience. You might never give a total stranger your home address and phone number but if they add, ‘in exchange, we’ll give you this branded card and you’ll get 10% off every purchase,’ more than likely, we’ll turn that personal info over. If you understand that every purchase will be scanned, sent to a database and used for marketing or as the merchant describes, to ‘provide you with the best service and offerings,’ then you might accept that. If you accept and understand the risks of doing mobile banking, transferring money, making payments and carrying around your entire life on your mobile device….and take actions to mitigate those risks, like using encryption, backups, wipe/locate software, antivirus, OS updates and other mobile security precautions along with practicing the same discretion as you would with your home computer (like not clicking links from strangers) then you should stay relatively safe. Unless, of course, you leave that digital wallet on the top of your vehicle and drive off. ps Resources Android Trojan Emerges In U.S. Download Sites Sophisticated New Android Trojan "Geinimi" Spreading in China Chinese crack down on 'money-sucker' Androids Your most dangerous possession? Your smartphone IPv6: Smartphones compromise users' privacy Mobile users more vulnerable to phishing attacks Report: Banking Apps for Android, iPhone Expose Sensitive Info Make Sure Your Smartphone Payments Are Secure F5 BIG-IP Edge Client App F5 BIG-IP Edge Portal App Securing iPhone and iPad Access to Corporate Web Applications – F5 Technical Brief Audio Tech Brief - Secure iPhone Access to Corporate Web ApplicationsAchtung! TrickBot!
TrickBot does not rest. Following the recent addition of its first targeted US-based bank, a new version of the malware has been spotted in the wild. Now in its 11th incarnation, TrickBot has expanded its ever growing target portfolio yet again – this time increasing its focus on Germany. Figure 1 – TrickBot configuration, showing its most recent version upgrade While previously TrickBot’s focus in Germany was distinctly on Sparkassen Finanzgruppe, this latest version now includes more previously untargeted financial institutions in Germany. Figures 2-7 – TrickBot Dynamic Webinject configuration snippets showing some of its recently added targets in Germany TrickBot continues to evolve rapidly, constantly adding targets and using varying techniques to pose an ever increasing risk to online banking users and financial institutions in multiple regions across the globe. Recent TrickBot malware sample MD5s: c044f4a710f3a0b1997a4470145677ea, 07df1af1c3b8c33df61ff4f3f07f3f54 VirusTotal links: https://www.virustotal.com/en/file/f560268063ab5a2104482937212f75714a55da680d50efe4c20b1a80b29a6e8f/analysis/ https://www.virustotal.com/en/file/05389e4a60b59cb6b4d4ebe959837441b4fbbb71dd17cac77778d8973b480a26/analysis/ Analysis links: https://www.hybrid-analysis.com/sample/05389e4a60b59cb6b4d4ebe959837441b4fbbb71dd17cac77778d8973b480a26?environmentId=100 https://www.hybrid-analysis.com/sample/f560268063ab5a2104482937212f75714a55da680d50efe4c20b1a80b29a6e8f?environmentId=100 References: TrickBot targets its first US bank - https://devcentral.f5.com/s/articles/malware/trickbot-targets-its-first-us-bank-24713 TrickBot targeting Sparkassen Finanzgruppe - https://f5.com/labs/articles/threat-intelligence/malware/trickbot-now-targeting-german-banking-group-sparkassen-finanzgruppe-24420 Review of TrickBots rapid evolution - https://devcentral.f5.com/s/articles/malware/is-xmaker-the-new-trickloader-24372CloudFucius Tunes into Radio KCloud
Set the dial and rip it off – all the hits from the 70s, 80s, 90s and beyond – you’re listening to the K-Cloud. We got The Puffy & Fluffy Show to get you going in the morning, Cumulous takes you through midday with lunchtime legion, Mist and Haze get you home with 5 o’clock funnies and drive-time traffic while Vapor billows overnight for all you insomniacs. K-Cloud; Radio Everywhere. I came across this article which discusses Radio’s analogue to digital transition and it’s slow but eventual move to cloud computing. How ‘Embracing cloud computing requires a complete rethinking of the design, operation and planning of a station’s data center.’ Industries like utilities, technology, insurance, government and others are already using the cloud while the broadcast community is just starting it’s exploration, according to Tom Vernon, a long-time contributor to Radio World. Like many of you, I grew up listening to the radio (music, I’m not that old) and still have a bunch of hole-punched record albums for being the 94th caller. I listened to WHJY (94-HJY) in Providence and still remember the day in 1981 when it switched from JOY, a soft, classical station to Album-Orientated Rock. Yes, I loved the hair-metal, arena rock, new wave, pop and most what they now call classic rock. It’s weird remembering ‘Emotional Rescue’ and ‘Love Rollercoaster’ playing on the radio as Top 40 hits and now they are considered ‘classics.’ Um, what am I then?!? That article prompted me to explore the industries that have not embraced the cloud, and why. Risk adverse industries immediately come to mind, like financial and health care. There have been somewhat contradictory stories and surveys recently indicating both that, they are hesitant to adopt the cloud and ready to embrace the cloud. A survey by LogLogic says that 60% of the financial services sector felt that cloud computing was not a priority or they were risk-averse to cloud computing. This is generally an industry that historically has been an early adopter of new technologies. The survey indicates that they will be spending IT dollars on ‘essential’ needs and that security questions and data governance concerns is what’s holding them back from cloud adoption. About a week later, results from a survey done by The Securities Industry and Financial Markets Association (SIFMA) and IBM reports that there is now a strong interest in cloud computing after a couple years of reluctance. The delay was due to the cost of implementing new technologies and the lack of talent needed to mange those systems. Security is not the barrier that it once was since their cloud strategies include security ramifications. They better understand the security risks and calculate that into their deployment models. This InformationWeek.com story says that the financial services industry is indeed interested in cloud computing, as long as it’s a Private Cloud. The one’s behind the corporate firewall, not Public floaters. And that security was not the real issue, regulations and compliance with international border laws were the real holdback. In the healthcare sector, according to yet another survey, Accenture says that 73% said they are planning cloud movements while nearly one-third already have deployed cloud environments. This story also says that ‘healthcare firms are beginning to realize that cloud providers actually may offer more robust security than is available in-house.’ Is there a contradiction? Maybe. More, I think it shows natural human behavior and progression when facing fears. If you don’t understand something and there is a significant risk involved we’ll generally say, ‘no thanks’ to preserve our safety and security. As the dilemma is better understood and some of the fears are either addressed or accounted for, the threat level is reduced and progress can be made. This time around, while there are still concerns, we are more likely to give it a try since we know what to expect. A risk assessment exercise gives us the tools to manage the fears. Maybe the threat is high but the potential of it occurring is low or the risk is medium but we now know how to handle it. It’s almost like jumping out of a plane. If you’ve never done it, that first 3000ft tethered leap can be freighting – jumping at that height, hoping a huge piece of fabric will hold and glide you to a safe landing on the ground. But once you’ve been through training, practiced it a few times, understand how to deploy your backup ‘chute and realize the odds are in your favor, then it’s not so daunting. This may be what’s happening with risk averse industries and cloud computing. Initially, the concerns, lack of understanding, lack of visibility, lack of maturity, lack of control, lack of security mechanisms and their overall fear kept these entities away, even with the lure of flexibility and potential cost savings. Now that there is a better understanding of what types of security solutions a cloud provider can and cannot offer along with the knowledge of how to address specific security concerns, it’s not so scary any more. Incidentally, I had initially used KCLD and WCLD for my cloud stations until I realized that they were already taken by real radio stations out of Minnesota and Mississippi. And one from Confucius: Everything has its beauty but not everyone sees it. ps The CloudFucius Series: Intro, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12TrickBot targets its first US bank
The latest arrival to the banking malware scene, and successor to the infamous Dyre Trojan continues to evolve. TrickBot previously targeted banks and businesses in Australia, New Zealand, Germany, UK, Ireland, Canada, India and Singapore. In a recent update, this list has now expanded to include The United States. Figure 1 – Map showing TrickBot’s global target distribution Figure 2 – TrickBot configuration snippet showing newly added US based target. TrickBot’s target tally now includes a total of 225 unique banking and business related URLs. While this is still a far cry from vast numbers of banks and businesses targeted by Dyre globally, this number is very likely to grow in the future as the malware’s authors are constantly increasing their target tally and continue to improve their malware with new features and abilities. A previous review of TrickBot’s rapid evolution can be found here: https://devcentral.f5.com/s/articles/malware/is-xmaker-the-new-trickloader-24372 TrickBot sample MD5: 5abea77ce54fc029151a524ff1d428f VirusTotal link: https://www.virustotal.com/en/file/554132df407db525382baceb43fc0804839592fbd7038ffcd0e3736119d37be2/analysis/ Analysis link: https://www.hybrid-analysis.com/sample/554132df407db525382baceb43fc0804839592fbd7038ffcd0e3736119d37be2?environmentId=100
