Mitigating Information Security Risks
Financial CyberSecurity Threats
by Craig Schiller, CISSP-ISSMP, ISSAP
EVP-IT Services & CIO, Security Compliance Associates
©2021, Craig Schiller & Security Compliance Associates
Agenda
Today's presentation brought to you by:
About SCA (Security Compliance Associates)
• Since 2005, SCA has been a leading provider of information security assessment and compliance services to the credit union industry.
• Focuses on a hands-on partnership approach, with continuous improvement of the assessment and reporting processes.
• Specializes in thorough, comprehensive assessments using industry-standard tools and methodologies, including the SANS Top 20, NIST, ISO, and PCI-DSS.
• Serves over 13% of the Top 200 credit unions.
• In addition to standard internal/external assessments, tracks regulator focus on online banking, mobile banking, and risk analysis.
Business Banking Threat: Pitfalls of Business Banking
The threat
Two of the most successful criminal operations (and their respective malware families) are known as Clampi and Zeus. The operations have been running for over a year and have proven successful, difficult to stop, and damaging.
A public school district in Pennsylvania lost $700,000 in a two-day attack. A county government in Kentucky lost $415,000. Last Christmas a New York school district lost $3M, of which $0.5M remained unrecovered as of 6 January.
Rules have changed
• Persons who conduct institutional/commercial online banking operations are being specifically targeted by the criminals.
• Standard desktop antivirus is not an effective defense, because the attackers constantly morph the malware to evade antivirus signatures.
• Network defenses such as firewalls and IDS/IPS that rely on signatures are similarly ineffective.
• Some attacks have defeated two-factor authentication: a real-time trojan bypassed a SecurID system to steal $447,000, using 27 separate transactions to siphon off the funds. A real-time (man-in-the-browser) trojan rides the session the user has already authenticated, so a one-time code that proves who logged in says nothing about which transaction was actually submitted.
• Two-factor authentication remains an effective defense against many other attacks.
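As an added illustration that is not part of the original slides, the following Python model shows why the SecurID-style bypass above works and what closes it: a login one-time code proves who logged in, so a man-in-the-browser trojan that rewrites the wire after the user submits it is accepted; a second factor computed over the beneficiary and amount the user confirms on a separate device (transaction signing) rejects the rewritten wire. The bank logic, token seed, account names and amounts are all constructed for this example.

```python
"""Added example (not from the slides): a toy model of why a login one-time
code does not stop a real-time man-in-the-browser (MitB) trojan, while a
second factor bound to the transaction does. The bank logic, token seed,
account names and amounts are all constructed for this illustration."""
import hashlib
import hmac
import secrets

# Constructed: seed shared between the bank and the customer's hardware token.
TOKEN_SEED = b"constructed-token-seed-do-not-reuse"

# Login codes the bank will currently accept; a code is removed once used.
_VALID_LOGIN_OTPS = set()


def token_login_otp():
    """Token-generated one-time code; proves possession at login time only."""
    code = f"{secrets.randbelow(10**6):06d}"
    _VALID_LOGIN_OTPS.add(code)
    return code


def bank_login(otp):
    """The bank checks the OTP once; everything after that rides the session."""
    if otp in _VALID_LOGIN_OTPS:
        _VALID_LOGIN_OTPS.discard(otp)
        return True
    return False


def bank_wire_session_only(session_authenticated, wire):
    """Legacy design: any wire submitted on an authenticated session runs."""
    return bool(session_authenticated) and wire["amount_cents"] > 0


def token_sign_transaction(beneficiary, amount_cents):
    """What-you-see-is-what-you-sign: the out-of-band token shows the
    beneficiary and amount on its own display and MACs exactly those values."""
    msg = f"{beneficiary}|{amount_cents}".encode()
    return hmac.new(TOKEN_SEED, msg, hashlib.sha256).hexdigest()[:8]


def bank_wire_transaction_signed(wire, auth_code):
    """The bank recomputes the MAC over the wire it actually received, so a
    code issued for one beneficiary/amount is useless for any other."""
    expected = token_sign_transaction(wire["beneficiary"], wire["amount_cents"])
    return hmac.compare_digest(expected, auth_code)


def mitb_rewrite(wire):
    """The trojan swaps beneficiary and amount after the user clicks Submit;
    the browser keeps displaying what the user typed."""
    return {**wire, "beneficiary": "MULE-ACCT-4471", "amount_cents": 9_900_00}


USER_WIRE = {"beneficiary": "PAYROLL-VENDOR", "amount_cents": 12_500_00}


def scenario_session_otp():
    """Returns True if the attacker's rewritten wire was accepted."""
    session_ok = bank_login(token_login_otp())      # the real user logs in
    return bank_wire_session_only(session_ok, mitb_rewrite(USER_WIRE))


def scenario_transaction_signing():
    """Returns True if the attacker's rewritten wire was accepted."""
    code = token_sign_transaction(USER_WIRE["beneficiary"], USER_WIRE["amount_cents"])
    return bank_wire_transaction_signed(mitb_rewrite(USER_WIRE), code)


def scenario_legitimate_signed():
    """Control case: the user's unmodified, signed wire is still accepted."""
    code = token_sign_transaction(USER_WIRE["beneficiary"], USER_WIRE["amount_cents"])
    return bank_wire_transaction_signed(USER_WIRE, code)


if __name__ == "__main__":
    print("session OTP only, MitB wire accepted:    ", scenario_session_otp())
    print("transaction signing, MitB wire accepted: ", scenario_transaction_signing())
    print("transaction signing, legit wire accepted:", scenario_legitimate_signed())
```

The caveat a practitioner should keep in mind: transaction signing only helps when the beneficiary and amount are confirmed on a device the trojan cannot draw on. A trojan that can rewrite the page can also show the user a plausible reason to type the attacker's values into the token, which is exactly the social-engineering step the Shylock fake-chat injection later in this deck performs.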
SpyEye/Zeus (Zbot)
The Zeus trojan uses key-logging to steal sensitive data such as user names, passwords, account numbers and credit card numbers. It injects fake HTML forms into online banking login pages to harvest additional user data. SpyEye now modifies online bank statements in the browser so the victim does not see that money is being siphoned from the account. SpyEye/Zeus has added investment firms and retail stores that offer credit cards to its list of targets. A new Zeus derivative has added a Man-in-the-Mobile attack, intercepting the SMS codes banks send to the customer's phone.
Operation Aching Mules
• Mules were recruited from Russian and Eastern European citizens.
• They were given fake passport credentials.
• The passport credentials were used to establish bank accounts for the ACH transfers.
Operation Aching Mules
• NYPD detectives entered a Bronx bank in February to investigate a suspicious $44,000 withdrawal.
• The international investigation began in Omaha in May 2010, when fraudulent ACH payments were made to 46 bank accounts.
• The cyber-attacks began in Eastern Europe, sending apparently benign email to computers at small businesses and municipalities in the US.
• Clicking on a link downloaded Zeus.
• The malware recorded keystrokes as victims logged into their bank accounts online.
• The attackers made unauthorized transfers of thousands of dollars at a time to receiving accounts controlled by the co-conspirators.
• Once the victim/employee begins executing an online banking transaction on behalf of his or her employer, Zeus invisibly executes an additional fraudulent wire transfer, usually for $10,000 or less.
Operation Aching Mules: Money Mules
Receiving accounts were set up by a "money mule organization" responsible for retrieving the proceeds of the malware attacks and transporting or transferring the stolen money overseas.
The money mule organization recruited individuals who had entered the United States on student visas, provided them with fake foreign passports, and instructed them to open false-name accounts at U.S. banks.
Once these false-name accounts were successfully opened and received the stolen funds from the accounts compromised by the malware attacks, the "mules" were instructed to transfer the proceeds to other accounts, most of which were overseas, or to withdraw the proceeds and transport them overseas as smuggled bulk cash.
Operation Aching Mules
• U.S. authorities charged 92 Russians and Eastern Europeans who allegedly opened U.S. bank accounts expressly to receive cash transferred from hacked online banking accounts.
• The defendants charged in Manhattan federal court include managers of and recruiters for the money mule organization, and an individual who obtained the false foreign passports.
• 19 Eastern Europeans were arrested in the UK. The Ukrainian SBU arrested 5 key subjects of the investigation.
• Losses: $70M over the preceding four years.
DDoS used to prevent recall
In one case, the subjects used a Distributed Denial of Service (DDoS) attack against a compromised ACH third-party provider to prevent the provider and the bank from recalling the fraudulent ACH transfers before the money mules could cash them out. These ACH transfers ranged from thousands to millions of dollars.
Exploitation of online banking credentials
The FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium sized businesses.
In a typical scenario, the attack vector is a "spear phishing" e-mail which contains either an infected file or a link to an infectious Web site. The e-mail recipient is generally a person within a company who can initiate funds transfers on behalf of the business, or a credential account holder (treasury management platforms typically support both wires and Automated Clearing House (ACH) transfers).
Once the user opens the attachment, or navigates to the Web site, malware is installed on the user's computer. The malware contains a key logger, which harvests the user's corporate online banking credentials. Shortly thereafter, the subject either creates another user account from the stolen credentials or directly initiates a funds transfer masquerading as a legitimate user. These transfers have occurred through both the wire system and the ACH Network.
Trojan attachment (figure slide)
Spearphishing with download (figure slide: the spearphishing email)
Keystroke logger video: Banking Trojan Captures User's Screen in Video Clip (video slide)
Man in the Browser Attack - Torpig
Torpig/Mebroot/Sinowal (also known as Anserin): a financial bot with an MBR (boot sector) rootkit. Re-imaged machines are re-infected as soon as they are rebooted if the image did not rewrite the master boot record. Uses a Man-in-the-Browser attack.
Ramnit
Morphed into financial malware in 2011. Ramnit can infect Windows executable files, HTML files, Office files and possibly other file types. The malware includes a Man-in-the-Browser (MitB) web injection module, which enables Ramnit to modify web pages (client-side), modify transaction content, and insert additional transactions, all in a completely covert manner invisible to both the user and the host application. Suspected to have incorporated code from Zeus.
Many new malware families are based on the publicly available (leaked) Zeus source code (e.g. Citadel, Ice IX, Neloweg).
Clampi / Ligats / Ilomo / Rscan
A trojan designed to steal credentials from infected systems.
• This malware was used in the Slack Auto Parts $75,000 loss.
• Uses psexec (from SysInternals) to spread across intranets.
• Steals credentials for online banking sites as well as credentials stored locally.
• To bypass firewalls, Clampi injects itself into Internet Explorer for its Command & Control traffic.
• Like Zeus/SpyEye, it tunnels back through the member's computer to log into the victim's account.
• "They are targeting {4600} institutions where users may enter data that might be useful in stealing money, such as utilities, retail, online casinos, banking, insurance, accounting services, credit bureaus." Joe Stewart
Classes of sites targeted by Clampi
• Advertising networks
• Utilities
• Email marketing
• Stock brokerages
• Market research databases
• Online casinos
• Retail
• Career sites
• Insurance
• Banking
• Credit card companies
• Accounting services
• Wire transfer services
• Mortgage lenders
• Consumer databases
• Webmail
• Foreign postal services (non-US)
• Software
• Military/Gov information portals
• Recommendation engines
• ISPs
• Various news blogs
• File upload sites
Feodo
Security researchers from FireEye identified this banking trojan, which is capable of launching man-in-the-browser (MitB) attacks and targets an unusually high number of financial institutions. In addition, Feodo targets PayPal, Amazon, Myspace and Gmail.
The malware is similar in concept and features to other banking trojans like Zeus, SpyEye, Bugat or Carberp. It steals online banking credentials and other sensitive information by intercepting data entered into Web forms, as well as by injecting rogue HTML elements into pages.
Cridex, Carberp/Dapato
Cridex has a database of 137 banks. The banking plug-in control panel contains the structure of the banks' web pages, so the trojan can identify which valuable fields to send back to the command and control server.
The cyber criminals can create and change forms that are normally completed by the victim. The attacks started with several large spam campaigns by cyber criminals who had previously compromised hundreds of WordPress-based websites. The spam emails included embedded URL links or HTML attachments that trick the victim into browsing those compromised websites. All these links eventually lead to web pages hosting the Phoenix exploit kit. This trojan's capability is basically similar to Zeus and SpyEye: it collects information from the user's machine and sends it to the C&C server. The Cridex trojan takes control of the victim's machine, collects information and can make fraudulent transactions by manipulating the bank Web pages.
Source: M86 Security Labs
Shylock malware platform
In February 2012 the Shylock malware platform introduced a fake financial-institution chat. By combining MitB techniques of HTML and JavaScript injection, criminals are now able to bring a live "bank representative" chat right into your browser. The injected chat read:
"The system couldn't identify your PC
You will be contacted by a representative of bank to confirm your personality.
Please pass the process of additional verification otherwise your account will be locked.
Sorry for any inconvenience, we are carrying about security of our clients."
Ice IX
Malware developed from the Zeus source code. Captures sensitive information on telephone accounts belonging to victims who happen to be customers of BT, TalkTalk and Sky. US banking customers have also been targeted by the scam.
With the phone account under their control, the criminal organization can redirect the calls your financial institution makes to verify suspicious transactions straight into the waiting handsets of professional criminal caller services.
Financial Malware Attack Vectors
OWASP Financial Malware List (figure slide)
Advanced Persistent Threat
APT is not malware; it is an attack paradigm. APT events are usually named for the campaign (e.g. Aurora, Titan Rain, RSA), not for the malware family they use. APT attacks have been around since before 2000.
They most closely resemble a black-ops scenario: they use old and new technology as needed to accomplish the desired objective.
Examples: Stuxnet, Flame
Stuxnet overview
(Stuxnet partial flow diagram)
"the dangerously misleading expectation of complacent asset owners that something like Stuxnet can't happen to them if they are not high-value military targets." Ralph Langner
Stuxnet detail 1 to 5 (figure slides)
Characteristics of the worm (figure slide)
Worm propagation (figure slide)
Exploitation techniques (figure slide)
Control System Exploitation
On any system with Siemens Step 7 software, Stuxnet modifies DLLs so that users on programming stations cannot see what Stuxnet has modified on the Programmable Logic Controllers (PLCs).
Stuxnet confirms it can connect to an appropriately configured PLC, then starts one of three sequences to inject its payload code into the PLC.
Two of the sequences sabotage the speed of the centrifuges driven by the PLC; the third sequence prevents the PLC safety logic from alarming on, or overriding, the changes made by Stuxnet.
Command and Control
In case something goes wrong or the instructions need to be changed:
Normal communication uses HTTP to one of two Command and Control servers. The firewalls in the recommended architecture would block any direct communication from the Process Control and Control System networks.
Infected systems also communicate with each other over a P2P protocol built on Windows Remote Procedure Calls. RPC is used by Windows file sharing, the Windows print spooler, OPC, and some Siemens proprietary data-exchange protocols, so this traffic does not stand out inside a control network.
Flame
It is likely that Flame was created by the same organization that created Stuxnet.
Summary of Kaspersky's Analysis of Flame's C&C
• Largest and most complex attack toolkit to date, used primarily for cyber-espionage.
• The Flame C&C infrastructure, which had been operating for years, went offline immediately after Kaspersky Lab disclosed the discovery of the malware's existence last week.
• Currently there are more than 80 known domains used by Flame for C&C servers and its related domains, which were registered between 2008 and 2012.
• During the past 4 years, servers hosting the Flame C&C infrastructure moved between multiple locations, including Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, the United Kingdom and Switzerland.
• The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008.
• According to Kaspersky Lab's sinkhole, infected users were registered in multiple regions including the Middle East, Europe, North America and Asia-Pacific.
• The Flame attackers seem to have a high interest in PDF, Office and AutoCAD drawings.
• The data uploaded to the Flame C&C is encrypted using relatively simple algorithms. Stolen documents are compressed using open source Zlib and modified PPDM compression.
• Windows 7 64 bit, which we previously recommended as a good solution against infections with other malware, seems to be effective against Flame.
Information gathered by Flame (two figure slides; data gathered according to Symantec)
Recommendations
1. Make certain that systems used in performing financial transactions are protected by strict technical controls and receive periodic validation.
2. Make certain that personnel involved in performing online financial transactions have the necessary security awareness and training. Those persons should receive targeted training on phishing and this threat.
3. Have written policies defining the controlled environment in which online banking transactions can be conducted, e.g. what systems can be used, how they must be secured and maintained, required personnel training, etc.
4. Routinely audit compliance with established technical controls and policies.
5. All online banking operations should be conducted on special-use computers that are used SOLELY for financial transactions. No other use of the machine should be permitted: no e-mail, no web browsing, no general-purpose business use, nothing but institutional online financial transactions.
Source: Educause.edu
Technical Recommendations: systems used for online banking
• Should have the least amount of software installed necessary to facilitate their business functions.
• Should have JavaScript and ActiveX disabled or specifically limited to trusted sites.
• Should be subject to a change management process for any work that is to be done on the machine. Multiple-party approvals should be required.
• Should be examined monthly and routinely patched by professional institutional IT security staff. If the system is not examined or patched by a specific date of the month, business office staff should not use it until the IT security staff bring it up to date.
• Physical access to the machine should be tightly controlled.
• The system should have a permanent and obvious distinguishing mark, e.g. spray paint it orange, to ensure there can be no mistaking that this is a special-purpose machine.
• Any other intentional use of the machine should be cause for disciplinary action.
How Do We Detect Botnets?
Bot life cycle:
1. Computer is exploited and becomes a bot.
2. New bot rallies to let the botherder know it has joined the team.
3. Retrieves the anti-A/V module and secures the new bot client.
4. Retrieves the payload module.
5. Listens to the C&C server/peer for commands.
6. Executes the commands (possibly generating traffic to a victim).
7. Reports results to the C&C channel.
8. On command, erases all evidence and abandons the client.
Infrastructure the bot talks to: download server, C&C server, other bot clients (peers).
Detection sources:
• A/V detection
• User browsing known malicious sites
• Connections to known malware distribution sites
• Connections to known C&C sites
• Security & firewall logs
• Abuse@ notices
• User complaints
• Anomalous protocol detection
• Bot-like traffic / bad behavior
• Talking to darknet (allocated but unused address space)
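As an added example (not from the slides), the following Python script applies four of the detection sources above to firewall log lines: connections to known C&C sites, connections to known malware-distribution sites, anomalous protocol use (IRC-style ports), and internal hosts talking to darknet. The log format, the watchlist addresses (taken from the RFC 5737 documentation ranges) and the darknet subnet are all constructed for this example; a real deployment would load the watchlists from threat-intelligence feeds.

```python
"""Added example (not from the slides): a small detector that applies four of
the slide's detection sources to firewall log lines. The log format, the
watchlist addresses (RFC 5737 documentation ranges) and the darknet subnet
are all constructed for this illustration."""
import ipaddress
import re
from collections import defaultdict

# Constructed watchlists; in practice these come from threat-intel feeds.
KNOWN_CNC = {"203.0.113.10", "198.51.100.7"}
KNOWN_MALWARE_DIST = {"203.0.113.55"}
# Constructed: a subnet we route internally but never assigned. Nothing
# legitimate talks to it, so any traffic there is scanning or a bot misfire.
DARKNET = ipaddress.ip_network("10.250.0.0/16")
# Ports a bot commonly rallies on when it is not hiding inside HTTP (IRC).
ODD_CNC_PORTS = {6667, 6668, 6669}

# Constructed firewall log format:
#   <timestamp> <ACTION> <src-ip> -> <dst-ip>:<dst-port> <proto>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+(?P<src>[\d.]+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>TCP|UDP)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Yield every detection-source label that applies to one connection."""
    dst = rec["dst"]
    if dst in KNOWN_CNC:
        yield "known C&C site"
    if dst in KNOWN_MALWARE_DIST:
        yield "known malware distribution site"
    if ipaddress.ip_address(dst) in DARKNET:
        yield "talking to darknet"
    if rec["dport"] in ODD_CNC_PORTS:
        yield "anomalous protocol (IRC-style port)"


def detect_bots(lines):
    """Map each internal source host to the set of reasons it was flagged.
    DROPped connections still count: an infected host *attempting* to reach
    its C&C is exactly the signal the firewall log gives us."""
    findings = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for reason in classify(rec):
            findings[rec["src"]].add(reason)
    return dict(findings)


# Constructed sample log: one clean host, one bot, one host probing darknet.
SAMPLE_LOG = """
2012-06-14T09:12:01 ACCEPT 10.1.4.22 -> 192.0.2.80:443 TCP
2012-06-14T09:12:03 ACCEPT 10.1.4.31 -> 203.0.113.55:80 TCP
2012-06-14T09:12:09 DROP   10.1.4.31 -> 203.0.113.10:6667 TCP
2012-06-14T09:12:15 ACCEPT 10.1.4.31 -> 198.51.100.7:443 TCP
2012-06-14T09:13:40 DROP   10.1.4.90 -> 10.250.17.3:445 TCP
this line is garbage and is skipped
""".strip().splitlines()

if __name__ == "__main__":
    for host, reasons in sorted(detect_bots(SAMPLE_LOG).items()):
        print(host, "->", ", ".join(sorted(reasons)))
```

The watchlist rules are only as good as the feed behind them, which is why the slide pairs them with behavioural signals; the darknet rule needs no feed at all and is cheap to add wherever an unused subnet can be routed to a sensor.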
Technical & Policy Controls
• Two-factor authentication should be used for financial institution access where available. While two-factor authentication will not protect against all attacks, it does provide protection against many.
• Application white-listing, e.g. AppLocker on Windows, can offer significant protection.
• Don't make the machine part of a Windows domain. Administer the machine using a local administrator account.
• Place the machine on a separate VLAN, on a secure dedicated hard-wired network connection.
• Shut the machine down when not in use.
• Implement very aggressive firewall and possibly proxy protections for the system. All non-banking traffic should be denied.
• Aggressively monitor traffic to and from the system.
Source: The Irretrievable Losses of Malware-Enabled ACH and Wire Fraud
User Notification
• Traditional Help Desk response to malware must be changed for financial malware.
• When financial malware is involved, infected users need to be asked if they used the infected computer for e-commerce, electronic banking, or investment activities.
• If yes, then they should be advised to contact their credit union, credit card company, or investment firm.
• They should change their account passwords, change their credit cards, and review their accounts for transactions that they did not make.
• Credit unions should provide financial malware awareness for members and employees.
DNS Changer event: UNITED STATES v. VLADIMIR TSASTSIN, ET AL.
FBI Operation Ghost Click arrested 6 Estonian nationals who were operating the Rove criminal enterprise. The botnet infected 4 million computers, including 500,000 in the US. The botnet included a DNSChanger mechanism that replaced the victim's default DNS server with one under the control of the criminal enterprise, so that name lookups could be redirected.
After the arrests the FBI worked with outside organizations to continue operating replacement DNS servers at the rogue addresses so that victims' computers would not lose name resolution. The Court ordered ISC to maintain these servers for 120 days. According to the FBI website, "The clean DNS servers will be turned off on July 9, 2012, and computers still impacted by DNSChanger may lose Internet connectivity at that time."
DNS Changer event
Chances are that some of your customers may be among those infected.
How to tell whether a computer is infected:
Use ipconfig /all on the Windows command line to determine the IP address of the configured DNS server(s).
Check that IP address on the following website: http://www.dns-ok.us/
DNS Changer event
If the dns-ok.us page background is red, the computer should be re-imaged, or reformatted and the operating system reinstalled.
This check and the mitigation steps should be completed before July 9, 2012.
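As an added example (not from the slides), the following Python script automates the check above across many machines: it parses the "DNS Servers" lines from saved `ipconfig /all` output (including the unlabeled continuation lines ipconfig uses for secondary servers) and tests each resolver against the rogue address ranges the FBI published for the DNSChanger resolvers. The ipconfig text is constructed; the ranges are the published ones and should be re-verified against the advisory before use. Because the clean servers were shut off on July 9, 2012 (per the FBI notice above), an offline comparison against the ranges is the check that still works for a machine examined after that date.

```python
"""Added example (not from the slides): parse the DNS server lines from
`ipconfig /all` output and test each resolver against the rogue address
ranges the FBI published for the DNSChanger (Rove Digital) resolvers.
The ipconfig text below is constructed; re-verify the ranges against the
advisory before relying on them."""
import ipaddress
import re

ROGUE_DNS_RANGES = [ipaddress.ip_network(n) for n in (
    "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
    "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
    "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
    "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
    "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
    "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
)]

# ipconfig prints "DNS Servers . . . : <ip>" and lists any additional
# servers on the following lines, indented to the same column with no label.
DNS_LABEL_RE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)\s*$")
CONTINUATION_RE = re.compile(r"^\s+(\S+)\s*$")


def extract_dns_servers(ipconfig_text):
    """Return every DNS server address listed in ipconfig /all output."""
    servers, in_dns_block = [], False
    for line in ipconfig_text.splitlines():
        m = DNS_LABEL_RE.match(line)
        if m:
            servers.append(m.group(1))
            in_dns_block = True
            continue
        if in_dns_block:
            c = CONTINUATION_RE.match(line)
            if c:
                servers.append(c.group(1))
                continue
            in_dns_block = False    # any labelled line ends the list
    return servers


def is_rogue_resolver(ip_text):
    """True if the address falls inside a published DNSChanger range."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False            # hostnames or malformed entries: not rogue
    return any(ip in net for net in ROGUE_DNS_RANGES)


def check_ipconfig(ipconfig_text):
    """Return [(server, rogue?)] for every configured resolver."""
    return [(s, is_rogue_resolver(s)) for s in extract_dns_servers(ipconfig_text)]


# Constructed ipconfig /all excerpt from an infected teller workstation.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : TELLER-07
   Primary Dns Suffix  . . . . . . . : corp.example

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 10.1.4.31
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.4.1
   DNS Servers . . . . . . . . . . . : 85.255.112.34
                                       10.1.4.10
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for server, rogue in check_ipconfig(SAMPLE_IPCONFIG):
        print(server, "ROGUE (DNSChanger range)" if rogue else "ok")
```

Note that a machine whose first resolver is rogue but whose second is legitimate still resolves names after the rogue server goes dark, so "the Internet still works" is not evidence of a clean configuration; flag any rogue entry, not only the primary.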
Q&A
Questions?
Craig Schiller, CISSP-ISSMP, [email protected]
EVP-IT Services & CIO, Security Compliance Associates
727.571.1141
www.scasecurity.com