10/30/2018
1
Cryptocurrency, Cybercrime & the Darkweb
SBS CyberSecurity
CHAD KNUTSON
©2018 SBS CyberSecurity, LLC www.sbscyber.com 1
Contact Information
• Chad Knutson
  ◦ President SBS Institute
  ◦ CISSP, CISA, CRISC
  ◦ [email protected]
• Robb Nielsen
  ◦ Senior Account Executive
  ◦ 712‐369‐0139
  ◦ [email protected]
• SBS Institute
  ◦ 605‐269‐0909
  ◦ [email protected]
Agenda
• Cryptocurrency and its impacts
• Cybercrime fraud trends in community banking
• Different dark parts of the internet
• Buying and selling cybercrime
• Education and Awareness
Cybercrime: Shift from Traditional Crime to Technology
Technology & Cybercrime
New Products/Services
◦ Mobile Solutions: Mobile Cash Management, Mobile Payments, Mobile Capture
◦ Virtualization
◦ Electronic Payments
◦ Cloud
◦ Online Account Opening
◦ Interactive Teller Machines
[Diagram: Technology and Cybercrime across the Financial Institution, Customer and Third Party]
Technology Bank Robbery
• ROI Analysis
  ◦ Average cash in ATM?
  ◦ Average jail time?
The GIOC received credible information that bad actors are activating cash out crews to attack Diebold front loading ATMs, specifically 500 and 700 series, using Ploutus D malware around the United States in the next 10 days. ATMs running Windows XP are particularly vulnerable. It is recommended that ATMs operate an up to date version of Windows 7 to defeat this specific type of attack. At least one attempted attack, as outlined below, occurred in Louisiana in the last 24 hours.
The targeted stand‐alone ATMs are routinely located in pharmacies, big box retailers, and drive thru ATMs. During previous attacks, fraudsters dressed as ATM technicians and attached a laptop computer with a mirror image of the ATM’s operating system along with a mobile device to the targeted ATM. The attackers use an endoscope to obtain access to the ATM’s toggle to sync their laptop computer with the security features of the ATM. Once this is complete, the ATM is controlled by the fraudsters. The ATM will appear to be Out of Service to potential customers. At this point, cash out crews communicate with co‐conspirators remotely controlling the ATMs to initiate the ATM cash withdrawals. In previous Ploutus D attacks, the ATM continuously dispensed at a rate of 40 bills every 23 seconds. Once the dispense cycle starts, the only way to stop it is to press cancel on the keypad or the cassette runs out of cash. The cash out crew/money mule takes the dispensed cash and places it in a large bag. After the cash is taken from the ATM and the mule leaves, the technicians return to the site and remove their equipment. The last thing the fraudsters do before leaving the site is to plug the Ethernet cable back in.
The following pages, obtained from a private partner with knowledge of this style of attack, contain a detailed description of the steps taken by the fraudsters to perpetrate this attack.
Please reach out to the GIOC at [email protected] if your office receives credible information relating to this attack.
Any questions relating to this alert can be directed to ATSAIC Matt O’Neill, 202‐406‐6242, [email protected].
FBI Unlimited Operations
FBI Unlimited Operations
• Global Automated Teller Machine (ATM) cash‐out scheme
• Unlimited operations compromise a financial institution or payment card processor
• With malware to access bank customer card information
• Then exploit network access, enabling large scale theft of funds from ATMs
FBI Unlimited Operations
• Unlimited operations have resulted in the theft of at least $2.5 million since 2016 in the United States alone.
• Historic compromises have included small‐to‐medium size financial institutions, likely due to less robust implementation of cyber security controls, budgets, or third‐party vendor vulnerabilities.
• The FBI expects the ubiquity of this activity to continue or possibly increase in the near future.
Alert TA18‐275A
https://www.us‐cert.gov/ncas/alerts/TA18‐275A
• Department of Homeland Security (DHS)
• Department of the Treasury (Treasury)
• Federal Bureau of Investigation (FBI)
• Identified malware and other indicators of compromise (IOCs)
• North Korean government
• Activity related to Automated Teller Machine (ATM) cash‐out scheme
  ◦ U.S. Government calls this campaign “FASTCash.”
FBI: Bank Controls
• Implement separation of duties or dual authorization procedures for account balance or withdrawal increases above a specified threshold.
• Implement application whitelisting to block the execution of malware.
• Block execution of files from TEMP directories, from which most phishing malware attempts to execute.
• Monitor, audit, and limit administrator and business critical accounts with the required access and authority to modify the account attributes mentioned above.
FBI: Bank Controls
• Implement an update and patch management cycle.
• Install and regularly update anti‐virus or anti‐malware software on hosts.
• Implement an incident management system, and prepare an incident response plan for rapid deployment in case of a cyber intrusion.
• Implement strong password requirements and two‐factor authentication using a physical or digital token when possible for local administrators and business critical roles to inhibit lateral movement.
More controls in FBI and US‐CERT guidance.
ATM Fraud
1) Traditional Magstripe Skimmer
2) Magstripe Shimmer
3) Drill to insert USB w/ Malware or Mobile Device
4) Hacker in the network
5) EMV Shimmer
Criminal Types
Advanced Persistent Threat
Equifax Issues
Equifax Lessons Learned
• Asset‐Based Risk Assessment
• Web Application Firewall?
• Separate Database/Webserver
• Patch Management
• Change Control and Vulnerability Exception Process
• Incident Response Program
• Internal Vulnerability Assessment
• External Web Application Testing
NotPetya Ransomware
Maersk
• World's largest container shipping business, 15% of global shipping
• NotPetya infection attacked their global network and forced operations to halt in 76 ports worldwide
• Business volumes were affected for a couple of weeks
• Email system was down; staff resorted to personal cellphones and WhatsApp
• $200‐300 million financial impact
• 4,000 computers and 45,000 workstations rebuilt
Cryptojacking
• Cryptojacking is defined as the secret use of your computing device to mine cryptocurrency.
• Malware installed on a system can utilize the hardware for mining operations.
• Some browser based instances do not require malware to be installed.
Ransomware Toolkit
• Ransomware Training ‐ Employee (Slides and Video)
• Ransomware Training ‐ Executive (Slides and Video)
• Ransomware Incident Response Plan
• Ransomware Policy
• Ransomware Procedures
• Ransomware Awareness Poster
https://sbscyber.com/products/toolkits/
Data Breaches
Have I Been Pwned
Finding Exploits
Darkweb
Types of Internet
Less than 4%
Tor Network
TOR Browser
Tails Virtual Machine
Takedown
• Undercover
• Hacking
• Tor Nodes
• Information Breadcrumbs
• Follow the Money
• Postal System
Silk Road
• Sale of Illegal Drugs & Services
• 1.2B USD worth of Bitcoin (80M commission)
• 6 drug overdose deaths linked
• Life sentence for the Dread Pirate Roberts
• 1.5m buyers, 3,800 vendors
• 1/2011 ‐ 9/2013
AlphaBay
• December 2014 Launch
• Takedown July 5, 2017
• Over 40,000 vendors
• 10x the size of Silk Road
Hansa Market
• Two administrators arrested in June 2017
• 1,800 vendors selling drugs
• Netherlands Police
• 1,000 bitcoins confiscated (2M dollars)
• 10,000 foreign addresses of buyers were passed on to Europol
• Dream Market grew (oldest and now biggest)
Darkweb Protections
• Block TOR protocol
• Block VPN
• SSL Decryption
• Application Control
• Local Software Restrictions
  ◦ TOR Browser
  ◦ Virtualization Software
• Network segmentation
• Geo IP Filtering
• Monitoring/Alerting (IOC)
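The last control on the list, monitoring and alerting on indicators of compromise, is the one that catches Tor use that the other blocks miss. The following Python is an added example written for this page, not part of the original deck or of any product: it scans constructed firewall log lines and flags outbound connections whose destination is on a list of known Tor relays (strong signal) or whose destination port is a Tor default relay port, 9001 or 9030 (weaker signal, only raised for non-internal destinations). The relay addresses and log lines are constructed from RFC 5737 documentation ranges and are assumptions for illustration; in production the relay set would be refreshed from the Tor project's published relay and exit lists, and the log format would be whatever the firewall actually emits.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed "known Tor relay" set using RFC 5737 documentation addresses.
# These are NOT real relays; a real deployment would load the Tor project's
# published relay/exit list on a schedule.
KNOWN_TOR_RELAYS = {"203.0.113.10", "203.0.113.44", "198.51.100.7"}

# Tor default ORPort (9001) and DirPort (9030). Other software can use these
# ports, so a port match alone is a lower-confidence signal than an IP match.
TOR_DEFAULT_PORTS = {9001, 9030}

# RFC 1918 space: traffic that stays inside the bank's own network on
# 9001/9030 is not evidence of Tor egress and is not alerted on.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample firewall log (hypothetical key=value format).
SAMPLE_LOG = """\
2018-10-30T09:12:01Z action=allow src=10.20.1.15 dst=203.0.113.10 dport=443 proto=tcp
2018-10-30T09:12:05Z action=allow src=10.20.1.15 dst=93.184.216.34 dport=443 proto=tcp
2018-10-30T09:13:40Z action=allow src=10.20.3.7 dst=192.0.2.99 dport=9001 proto=tcp
2018-10-30T09:14:02Z action=deny src=10.20.1.15 dst=198.51.100.7 dport=9001 proto=tcp
2018-10-30T09:15:11Z action=allow src=10.20.4.2 dst=10.20.0.5 dport=9030 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

Alert = namedtuple("Alert", "ts src dst dport reason")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def classify(rec, relays=KNOWN_TOR_RELAYS, ports=TOR_DEFAULT_PORTS):
    """Return a reason string if the record looks like Tor traffic, else None."""
    if rec["dst"] in relays:
        # Denied attempts are still reported: the client tried to reach Tor.
        return "destination is a known Tor relay"
    if rec["dport"] in ports and not is_internal(rec["dst"]):
        return "destination port %d is a Tor default port" % rec["dport"]
    return None


def scan(log_text, relays=KNOWN_TOR_RELAYS, ports=TOR_DEFAULT_PORTS):
    """Run the IOC checks over every line and return the list of alerts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec, relays, ports)
        if reason:
            alerts.append(Alert(rec["ts"], rec["src"], rec["dst"], rec["dport"], reason))
    return alerts


def hosts_to_review(alerts):
    """Internal source hosts that produced at least one alert, for follow-up."""
    return sorted({a.src for a in alerts})


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print("%s %s -> %s:%d  %s" % a)
    print("hosts to review:", hosts_to_review(found))
```

On the sample log this raises three alerts (two relay-IP matches, one port match) and nominates two internal hosts for review; the internal-to-internal connection on 9030 and the ordinary HTTPS session are left alone. Feeding the alerts into the SIEM rather than printing them is the only change needed to turn this into a scheduled detection.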
Darkweb Funds
Cryptocurrencies
• Prices have steadily increased
• 1,300 cryptocurrencies worldwide
• Attraction: uncontrolled and booming
• 1 in 3 millennials will own by end of 2018 (5% now)
Bitcoin
Bitcoin
• Since 2008, value grew every year except for 2014
• First purchase: 10,000 Bitcoin for a pizza
• Bitcoin is untraceable… Sort of…
• There will only ever be 21 million bitcoins
• Lose your Bitcoin private key, you lose your bitcoins
• Can’t be banned
• https://coinsutra.com/bitcoin‐facts/
Tracking Bitcoin
• https://blockchain.info/
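Bitcoin is "untraceable… sort of" because every transaction is public: a block explorer such as the one linked above shows which addresses were spent together, and investigators lean on that to group addresses into wallets and then follow the money between the groups. The Python below is an added example for this page, not part of the deck and not the explorer's own code; it applies the common-input-ownership heuristic (addresses spent as inputs of the same transaction are assumed to belong to one owner) with a union-find structure, then sums value flows between the resulting clusters. The transactions and addresses ("A1", "M1", ...) are constructed placeholders, not real blockchain data.

```python
from collections import defaultdict

# Constructed transactions (hypothetical addresses), not real chain data.
# "inputs" lists the addresses being spent; "outputs" lists (address, value).
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": ["A1", "A2"], "outputs": [("M1", 5.0), ("A3", 0.5)]},
    {"txid": "tx2", "inputs": ["A3", "A4"], "outputs": [("M2", 1.0)]},
    {"txid": "tx3", "inputs": ["B1"],       "outputs": [("M1", 2.0)]},
    {"txid": "tx4", "inputs": ["M1", "M2"], "outputs": [("E1", 7.9)]},
]


class DisjointSet:
    """Minimal union-find with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(txs):
    """Map every address to a cluster id using the common-input heuristic.

    All inputs of one transaction are joined; outputs are only registered so
    that they get a cluster of their own (no change-address guessing here).
    The cluster id is the lexicographically smallest member address.
    """
    ds = DisjointSet()
    for tx in txs:
        ins = tx["inputs"]
        for addr in ins:
            ds.find(addr)
        for other in ins[1:]:
            ds.union(ins[0], other)
        for addr, _ in tx["outputs"]:
            ds.find(addr)
    groups = defaultdict(set)
    for addr in list(ds.parent):
        groups[ds.find(addr)].add(addr)
    clusters = {}
    for members in groups.values():
        cid = min(members)
        for addr in members:
            clusters[addr] = cid
    return clusters


def cluster_members(clusters, addr):
    """All addresses believed to share an owner with `addr`."""
    cid = clusters[addr]
    return frozenset(a for a, c in clusters.items() if c == cid)


def cluster_flows(txs, clusters):
    """Total value moved between distinct clusters, keyed (src_id, dst_id).

    Outputs that land back in the spending cluster (change) are ignored.
    """
    flows = defaultdict(float)
    for tx in txs:
        src = clusters[tx["inputs"][0]]
        for addr, value in tx["outputs"]:
            dst = clusters[addr]
            if dst != src:
                flows[(src, dst)] += value
    return dict(flows)


def total_received(flows, cid):
    """Sum of everything that flowed into cluster `cid` from other clusters."""
    return sum(v for (_, dst), v in flows.items() if dst == cid)


if __name__ == "__main__":
    clusters = cluster_addresses(SAMPLE_TXS)
    flows = cluster_flows(SAMPLE_TXS, clusters)
    for (src, dst), value in sorted(flows.items()):
        print("%s -> %s : %.2f" % (src, dst, value))
    print("received by M1 cluster:", total_received(flows, "M1"))
```

On the sample data the spending pattern links A1 with A2 and M1 with M2, and the flow table shows 8.0 arriving at the M1/M2 cluster from three separate sources before 7.9 leaves for E1, which is exactly the "follow the money" view an investigator starts from. Real analysis adds further heuristics (change-address detection, known exchange tagging) and has to cope with deliberate obfuscation such as CoinJoin, which is why the deck says "sort of".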
Retailers
• Overstock
• Microsoft
• Virgin Galactic
• eGifter (gift cards)
• Tesla
• Expedia
• Newegg
• CheapAir
https://99bitcoins.com/who‐accepts‐bitcoins‐payment‐companies‐stores‐take‐bitcoins/
Flight to Austin
Education
Ongoing Training (role‐specific)
• Conference Events
  ◦ Hot topics and ideas to pursue further (www.iowabankers.com)
  ◦ Interact with vendors and peers
• Webinars
  ◦ Select topics needed to fill knowledge gaps
  ◦ Online offers a flexible schedule and many options (www.iowabankers.com)
• Seminars
  ◦ Select topics needed to fill knowledge gaps
  ◦ Onsite event with peers of similar knowledge interest
• Certification Programs
  ◦ ISC2: CISSP https://www.isc2.org/
  ◦ ISACA: CISM, CISA https://www.isaca.org
  ◦ SBS: https://www.sbscyber.com/sbsinstitute/certifications/
• In‐house Training Options
  ◦ Specific training for employees and customers
• College/University Options
  ◦ Cybersecurity, Information Assurance
Role Based: ISO, Network Admin, Internal Audit, Compliance
Ongoing Training
• Board/Senior Management
• Employees
• Customers
Annual Training?
Education and Awareness
• Annual Cybersecurity Training
  ◦ Board / Executive Team Training
  ◦ Employee Training
  ◦ Customer
• Acceptable Use Training
• Policy & Procedure Training
• Social Engineering Testing/Training
• Regular/Monthly Email Updates
• Threat Alerts
securingthehuman.org
Employee & Customer: Continual Education
• Share articles and example threats
• Posters
• Computer desktop images or screensavers
• Online learning management system with quarterly or monthly training
• Phish Tank
• Continual employee contact
• October Security Awareness Month
• Social engineering tests
• Weekly or monthly phishing tests/training
• Involvement in educating high school students and community members
https://sbscyber.com/education/free‐downloads
Metrics
4% will click on every phishing email
Verizon DBIR
Social Engineering
• Internal and external auditing
• Test your people
• Check effectiveness of training program
• Types include:
  ◦ Phishing Emails
  ◦ Phone Impersonation
  ◦ Physical Impersonation
  ◦ Dumpster Diving