Mitigating Information Security Risks Financial CyberSecurity Threats Craig Schiller, CISSP-ISSMP, ISSAP EVP-IT Services & CIO Security Compliance Associates



©2021, Craig Schiller &Security Compliance Associates


Agenda

Today's presentation brought to you by


About SCA (Security Compliance Associates)

• Since 2005, SCA has been a leading provider of information security assessment and compliance services to the credit union industry
• Focuses on a hands-on partnership approach, with continuous improvement in the assessment and reporting processes
• Specializes in thorough, comprehensive assessments using industry-best tools and methodologies, including the SANS Top 20, NIST, ISO and PCI-DSS
• Serves over 13% of the Top 200 credit unions
• In addition to standard internal/external assessments, tracks regulator focus on online banking, mobile banking and risk analysis


Business Banking Threat: Pitfalls of Business Banking


The threat

Two of the most successful criminal operations (and their respective malware families) are known as Clampi and Zeus. The operations have been active for over a year and have proven successful, difficult to stop and damaging.

A public school district in Pennsylvania lost $700,000 in a two-day attack. A county government in Kentucky lost $415,000. Last Christmas a New York school district lost $3M, of which $0.5M remained unrecovered as of 6 January.


The threat


Rules have changed

Persons who conduct institutional/commercial online banking operations are being specifically targeted by the criminals. Standard desktop antivirus is not an effective defense, because the attackers constantly morph the attacks to evade antivirus signatures.

Network defenses that rely on signatures, such as firewalls and IDS/IPS, are similarly ineffective.

Some attacks have successfully defeated two-factor authentication: a real-time trojan bypassed a SecurID system to steal $447,000, using 27 different transactions to siphon off the funds.

Two-factor authentication remains an effective defense against many other attacks.


SpyEye/Zeus or Z-Bot

The Zeus Trojan uses key-logging techniques to steal sensitive data such as user names, passwords, account numbers and credit card numbers. It injects fake HTML forms into online banking login pages to steal user data. SpyEye now modifies online bank statements so the victim doesn't know that money is being siphoned from their accounts. SpyEye/Zeus added investment firms and retail stores that offer credit cards to its list of targets. A new Zeus derivative has added a Man-in-the-Mobile attack.


Operation Aching Mules


Operation Aching Mules

• Mules were recruited from Russian and Eastern European citizens
• They were given fake passport credentials
• The passport credentials were used to establish bank accounts for the ACH transfers


Operation Aching Mules

• NYPD detectives entered a Bronx bank in February to investigate a suspicious $44,000 withdrawal.
• The international investigation began in Omaha in May 2010, when fraudulent ACH payments were made to 46 bank accounts.
• The cyber-attacks began in Eastern Europe, sending apparently-benign email to computers at small businesses and municipalities in the US.
• Clicking on a link downloaded Zeus.
• The malware recorded the victims' keystrokes as they logged into their bank accounts online.
• Hackers made unauthorized transfers of thousands of dollars at a time to receiving accounts controlled by the co-conspirators.
• Once the victim/employee begins executing an online banking transaction on behalf of his or her employer, ZeuS invisibly also executes a fraudulent wire transfer, usually for $10,000 or less.


Operation Aching Mules

Money Mules

Receiving accounts were set up by a "money mule organization" responsible for retrieving the proceeds of the malware attacks and transporting or transferring the stolen money overseas.

The money mule organization recruited individuals who had entered the United States on student visas, provided them with fake foreign passports, and instructed them to open false-name accounts at U.S. banks.

Once these false-name accounts were successfully opened and had received the stolen funds from the accounts compromised by the malware attacks, the "mules" were instructed to transfer the proceeds to other accounts, most of which were overseas, or to withdraw the proceeds and transport them overseas as smuggled bulk cash.


Operation Aching Mules

U.S. authorities charged 92 Russians and Eastern Europeans who allegedly opened U.S. bank accounts expressly to receive cash transferred from hacked online banking accounts.

The defendants charged in Manhattan federal court include managers of and recruiters for the money mule organization, and an individual who obtained the false foreign passports.

19 Eastern Europeans were arrested in the UK. The Ukrainian SBU arrested 5 key subjects of the investigation.

$70M over the last four years.


DDoS used to prevent recall

In one case, the subjects used a Distributed Denial of Service (DDoS) attack against a compromised ACH third-party provider to prevent the provider and the bank from recalling the fraudulent ACH transfers before money mules could cash them out. These ACH transfers ranged from thousands to millions of dollars.


Exploitation of online banking credentials

The FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium sized businesses.

In a typical scenario, the attack vector is a "spear phishing" e-mail which contains either an infected file or a link to an infectious Web site. The e-mail recipient is generally a person within a company who can initiate funds transfers on behalf of the business, or a credential account holder (treasury management platforms typically support both wires and Automated Clearing House (ACH) transfers).

Once the user opens the attachment, or navigates to the Web site, malware is installed on the user's computer. The malware contains a key logger, which harvests the user's corporate online banking credentials. Shortly thereafter, the subject either creates another user account from the stolen credentials or directly initiates a funds transfer masquerading as a legitimate user. These transfers have occurred through both the wire system and the ACH Network.


Trojan attachment


Spearphishing with Download

Spearphishing email


Keystroke logger video

Banking Trojan Captures User's Screen in Video Clip


Man in the Browser Attack - Torpig

Torpig (also known as Mebroot, Sinowal or Anserin) is a financial bot and boot-sector virus: re-imaged machines are re-infected as soon as the machine is re-booted. It uses a Man-in-the-Browser attack.


Ramnit

Morphed into a financial malware in 2011. Ramnit can infect Windows executable files, HTML files, office files and possibly other file types. The malware includes a Man-in-the-Browser (MitB) web injection module, which enables Ramnit to modify web pages (client-side), modify transaction content and insert additional transactions, all in a completely covert manner invisible to both the user and the host application. Suspected to have incorporated code from Zeus.

Many new malware families are based on the public domain Zeus code (e.g. Citadel, Ice IX, Neloweg).


Clampi / Ligats / Ilomo / Rscan

A trojan designed to steal credentials from infected systems.
• This malware was used in the Slack Auto Parts $75,000 loss.
• Uses psexec (from SysInternals) to spread across intranets.
• Steals credentials for online banking sites as well as credentials stored locally.
• To bypass firewalls, Clampi injects itself into IE for Command & Control traffic.
• Like Zeus/SpyEye, tunnels back through the member's computer to log into the victim's account.
• "They are targeting 4600 institutions where users may enter data that might be useful in stealing money, such as utilities, retail, online casinos, banking, insurance, accounting services, credit bureaus," Joe Stewart


Classes of sites targeted by Clampi

• Advertising networks
• Utilities
• Email marketing
• Stock brokerages
• Market research databases
• Online casinos
• Retail
• Career sites
• Insurance
• Banking
• Credit card companies
• Accounting services
• Wire transfer services
• Mortgage lenders
• Consumer databases
• Webmail
• Foreign postal services (non-US)
• Software
• Military/Gov information portals
• Recommendation engines
• ISPs
• Various news blogs
• File upload sites


Feodo

Security researchers from FireEye identified this banking trojan, which is capable of launching man-in-the-browser (MITB) attacks and targets an unusually high number of financial institutions. In addition, Feodo targets PayPal, Amazon, Myspace and Gmail.

The malware is similar in concept and features to other banking trojans like ZeuS, SpyEye, Bugat or Carberp. It steals online banking credentials and other sensitive information by intercepting data entered into Web forms, as well as by injecting rogue HTML elements into pages.


Cridex, Carberp/Dapato

Cridex has a database of 137 banks. The banking plug-in control panel contains the structure of the banks' web pages, so the Trojan can identify which valuable fields to send back to the command and control server.

The cyber criminals can create and change forms that are normally completed by the victim. The attacks started with several large spam campaigns by cyber criminals who had previously compromised hundreds of WordPress-based websites. The spam emails included embedded URL links or HTML attachments that trick the victim into browsing to those compromised websites. All these links eventually lead to web pages infected with the Phoenix exploit kit. This Trojan's capability is basically similar to Zeus and SpyEye: it collects information from the user's machine and sends it to the C&C server. The Cridex Trojan takes control of the victim's machine, which allows the criminals to collect information and potentially make fraudulent transactions by manipulating the bank Web pages.

Source: M86 Security Labs


Shylock malware platform

In February 2012 the Shylock malware platform introduced a fake financial institution chat. By combining MitB techniques with HTML and JavaScript, criminals are now able to bring live chat right to your browser. The injected chat reads:

The system couldn't identify your PC

You will be contacted by a representative of bank to confirm your personality.

Please pass the process of additional verification otherwise your account will be locked.

Sorry for any inconvenience, we are carrying about security of our clients.


Ice IX

Malware developed using the Zeus source code. Captures sensitive information on telephone accounts belonging to victims who happen to be customers of BT, TalkTalk and Sky. US banking customers have also been targeted by the scam.

The criminal organization can redirect the calls your financial institution makes to verify suspicious transactions straight into the waiting handsets of professional criminal caller services.


Financial Malware Attack Vectors

OWASP Financial Malware List


Advanced Persistent Threat

APT is not malware; it is an attack paradigm. APT events are usually named for the campaign (e.g. Aurora, Titan Rain, RSA), not for the malware family they belong to. APT attacks have been around since before 2000.

They most closely resemble a black ops scenario. They can use old and new technology as needed to accomplish the desired objective.

• Stuxnet
• Flame


Stuxnet overview

Stuxnet partial flow diagram

"the dangerously misleading expectation of complacent asset owners that something like Stuxnet can't happen to them if they are not high-value military targets."

Ralph Langner


Stuxnet detail 1


Stuxnet detail 2


Stuxnet detail 3


Stuxnet detail 4


Stuxnet detail 5


Characteristics of the worm


Worm Propagation


Exploitation techniques


Control System Exploitation

On any system with Siemens Step 7 software, Stuxnet modifies DLLs so that users on programming stations can't see what Stuxnet has modified on the Programmable Logic Controllers (PLCs).

Stuxnet confirms that it can connect to an appropriately configured PLC, then starts one of three sequences to inject its payload code into the PLC.

Two of the sequences sabotage the speed controlled by the PLC (the centrifuges). The third sequence prevents the PLC safety logic from alarming on or overriding the changes made by Stuxnet.


Command and Control

In case something goes wrong or the instructions need to be changed:

Normal communications would use HTTP to reach one of two Command and Control servers. The firewalls in the recommended architecture would block any direct communications from the Process Control and Control System networks.

All infected systems communicate with each other using a P2P protocol built on Windows Remote Procedure Calls. RPC is used by Windows file sharing, Windows print spooling, OPC and some Siemens proprietary data exchange protocols.


Flame

It is likely that Flame was created by the same organization that created Stuxnet.


Summary of Kaspersky's Analysis of Flame's C&C

• Largest and most complex attack toolkit to date, used primarily for cyber-espionage.
• The Flame C&C infrastructure, which had been operating for years, went offline immediately after Kaspersky Lab disclosed the discovery of the malware's existence last week.
• Currently there are more than 80 known domains used by Flame for C&C servers and its related domains, which were registered between 2008 and 2012.
• During the past 4 years, servers hosting the Flame C&C infrastructure moved between multiple locations, including Hong Kong, Turkey, Germany, Poland, Malaysia, Latvia, the United Kingdom and Switzerland.
• The Flame C&C domains were registered with an impressive list of fake identities and with a variety of registrars, going back as far as 2008.
• According to Kaspersky Lab's sinkhole, infected users were registered in multiple regions including the Middle East, Europe, North America and Asia-Pacific.
• The Flame attackers seem to have a high interest in PDF, Office and AutoCAD drawings.
• The data uploaded to the Flame C&C is encrypted using relatively simple algorithms. Stolen documents are compressed using open source Zlib and modified PPMD compression.
• Windows 7 64 bit, which we previously recommended as a good solution against infections with other malware, seems to be effective against Flame.


Information gathered by Flame

Data gathered according to Symantec


Information gathered by Flame (continued)

Data gathered according to Symantec


Recommendations

1. Make certain that systems used in performing financial transactions are protected by strict technical controls and receive periodic validation.
2. Make certain that personnel involved in performing online financial transactions have the necessary security awareness and training. Those persons should receive targeted training on phishing and this threat.
3. Have written policies defining the controlled environment in which online banking transactions can be conducted, e.g. what systems can be used, how they must be secured and maintained, required personnel training, etc.
4. Routinely audit compliance with established technical controls and policies.
5. All online banking operations should be conducted on special-use computers that are used SOLELY for financial transactions. No other use of the machine should be permitted - no e-mail, no web browsing, no general-purpose business use - nothing but institutional online financial institution transactions.

Source: Educause.edu


Technical Recommendations

Systems used for online banking:
• Should have the least amount of software installed as necessary to facilitate their business functions.
• Should have JavaScript and ActiveX disabled or specifically limited to trusted sites.
• Should be subject to a change management process for any work that is to be done on the machine. Multiple-party approvals should be required.
• Should be examined monthly and routinely patched by professional institutional IT security staff. If the system is not examined or patched by a specific date of the month, business office staff should not use it until the IT security staff bring it up to date.
• Physical access to the machine should be tightly controlled.
• The system should have a permanent and obvious distinguishing mark, e.g. spray paint it orange, to ensure there can be no mistaking that this is a special-purpose machine.
• Any other intentional use of the machine should be a cause for disciplinary action.


How Do We Detect Botnets?

[Diagram: bot life cycle with the detection sources that apply at each stage]

Bot life cycle:
• Computer is exploited and becomes a bot
• New bot rallies to let the botherder know it has joined the team
• Retrieve the anti-A/V module
• Secure the new bot client
• Retrieve the payload module
• Listen to the C&C server/peer for commands
• Execute the commands
• Report result to the C&C channel
• On command, erase all evidence and abandon the client

Infrastructure shown in the diagram: other bot clients, C&C, download server, possible traffic to the victim.

Detection sources:
• A/V detection
• User browsing malicious sites
• Known malware distribution sites
• Known C&C sites
• Security & firewall logs
• Abuse@ notices
• User complaints
• Anomalous protocol detection
• Bot-like traffic / bad behavior
• Talking to darknet
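Three of the detection sources on this slide (known C&C sites, talking to darknet, and bot-like traffic) can be applied to ordinary firewall logs. The following is an added example, not code from the slides or from SCA: it parses constructed firewall log lines and flags hosts that contact a known C&C address, that send traffic into a darknet range (internal address space nothing legitimate should use), or that beacon to one destination at a near-constant interval. KNOWN_CC_HOSTS, DARKNET_RANGES, the log format and every address are constructed placeholders; in practice the watchlists come from threat-intelligence feeds and the organisation's own address plan.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed watchlists (documentation-range addresses, not real indicators).
KNOWN_CC_HOSTS = {"203.0.113.45", "198.51.100.7"}
DARKNET_RANGES = [ipaddress.ip_network("10.250.0.0/16")]  # unused internal space
BEACON_MIN_HITS = 4          # connections to one destination before timing is judged
BEACON_JITTER_SECONDS = 5    # tolerated spread between successive intervals

# Constructed log format: "<iso-timestamp> <ALLOW|DENY> <proto> <src>:<port> -> <dst>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def in_darknet(ip):
    """True when ip falls inside a range that should never see traffic."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DARKNET_RANGES)


def is_beaconing(timestamps):
    """True when one source contacts one destination at a near-constant interval."""
    if len(timestamps) < BEACON_MIN_HITS:
        return False
    ts = sorted(timestamps)
    gaps = [(later - earlier).total_seconds() for earlier, later in zip(ts, ts[1:])]
    return max(gaps) - min(gaps) <= BEACON_JITTER_SECONDS


def analyse(lines):
    """Return {source_ip: sorted list of reasons} for hosts worth investigating."""
    findings = defaultdict(set)
    per_pair = defaultdict(list)   # (src, dst) -> timestamps, for beacon detection
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue               # skip lines that do not match the format
        src, dst = rec["src"], rec["dst"]
        if dst in KNOWN_CC_HOSTS:
            findings[src].add("known C&C destination")
        if in_darknet(dst):
            findings[src].add("talking to darknet")
        per_pair[(src, dst)].append(rec["ts"])
    for (src, dst), stamps in per_pair.items():
        if is_beaconing(stamps):
            findings[src].add(f"periodic beaconing to {dst}")
    return {src: sorted(reasons) for src, reasons in findings.items()}


# Constructed sample log: .20 beacons every five minutes to a listed C&C host,
# .21 browses a benign site twice, .22 probes an unused internal range.
SAMPLE_LOG = [
    "2012-06-01T09:00:00 ALLOW TCP 192.168.1.20:50001 -> 203.0.113.45:443",
    "2012-06-01T09:00:01 ALLOW TCP 192.168.1.21:50002 -> 198.51.100.200:80",
    "2012-06-01T09:05:00 ALLOW TCP 192.168.1.20:50003 -> 203.0.113.45:443",
    "2012-06-01T09:10:00 ALLOW TCP 192.168.1.20:50004 -> 203.0.113.45:443",
    "2012-06-01T09:15:00 ALLOW TCP 192.168.1.20:50005 -> 203.0.113.45:443",
    "2012-06-01T09:16:12 DENY TCP 192.168.1.22:50006 -> 10.250.3.9:445",
    "2012-06-01T09:30:00 ALLOW TCP 192.168.1.21:50007 -> 198.51.100.200:80",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for host, reasons in analyse(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

The beacon test is deliberately simple (equal spacing within a few seconds); real bots add jitter, so a production version would compare interval variance over a longer window rather than a fixed tolerance.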


Technical & Policy Controls

• Two-factor authentication should be used for financial institution access where available. While two-factor authentication will not protect against all attacks, it does provide protection against many.
• Application white-listing, e.g. AppLocker on Windows, can offer significant protection.
• Don't make the machine part of a Windows domain. Administer the machine using a local administrator account.
• Place the machine on a separate VLAN, on a secure dedicated hard-wired network connection.
• Shut the machine down when not in use.
• Implement very aggressive firewall and possibly proxy protections for the system. All non-banking traffic should be denied.
• Aggressively monitor traffic to and from the system.

From The Irretrievable Losses of Malware-Enabled ACH and Wire Fraud.


User Notification

• Traditional Help Desk response to malware must be changed for financial malware.

• When financial malware is involved, infected users need to be asked if they used the infected computer for e-commerce, electronic banking, or investment activities.

• If yes, then they should be advised to contact their credit union, credit card company, or investment firm.

• They should change their account passwords, change their credit cards, and review their accounts for transactions that they did not make.

• Credit unions should provide financial malware awareness for members and employees.


DNS Changer event

UNITED STATES v. VLADIMIR TSASTSIN, ET AL.

FBI Operation Ghost Click arrested 6 Estonian nationals who were operating the Rove criminal enterprise. The botnet infected 4 million computers, including 500,000 in the US. The botnet included a DNSChanger mechanism that replaced the default DNS server with one under the control of the criminal enterprise.

After the arrests the FBI worked with outside organizations to continue operating replacement DNS servers so that victims' computers would not be affected. The Court ordered ISC to maintain these servers for 120 days. According to the FBI website, "The clean DNS servers will be turned off on July 9, 2012, and computers still impacted by DNSChanger may lose Internet connectivity at that time."


DNS Changer event

Chances are that some of your customers may be among those that are infected.

How to tell that you are infected:

1. Use ipconfig /all on the Windows command line to determine the IP address of your DNS server.
2. Check the IP address of the DNS server on the following website: http://www.dns-ok.us/
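The same check can be scripted for a fleet rather than done by hand. The following is an added example, not code from the slides or from SCA: it parses `ipconfig /all` output for every configured DNS server and tests each against a list of rogue resolver ranges, returning the same red/green verdict the dns-ok.us site gives. The ranges in ROGUE_DNS_RANGES are placeholders standing in for the published rogue-resolver list, which the slides do not reproduce, and the ipconfig text is constructed sample output.

```python
import ipaddress
import platform
import re
import subprocess

# Placeholder ranges standing in for the published rogue-resolver list
# (documentation addresses, not real indicators).
ROGUE_DNS_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# ipconfig prints "DNS Servers . . . : <ip>" and lists any further servers on
# continuation lines that contain only an address.
DNS_HEADER_RE = re.compile(r"^\s*DNS Servers[ .]*:\s*(\S+)\s*$")
CONTINUATION_RE = re.compile(r"^\s+([0-9a-fA-F.:%]+)\s*$")


def extract_dns_servers(ipconfig_text):
    """Return every DNS server address listed in ipconfig /all output."""
    servers, in_dns_block = [], False
    for line in ipconfig_text.splitlines():
        header = DNS_HEADER_RE.match(line)
        if header:
            servers.append(header.group(1))
            in_dns_block = True
            continue
        cont = CONTINUATION_RE.match(line) if in_dns_block else None
        if cont:
            servers.append(cont.group(1))
        else:
            in_dns_block = False   # any other line ends the DNS server list
    return servers


def is_rogue(addr):
    """True when addr falls inside one of the rogue resolver ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:             # e.g. an IPv6 link-local address with a %zone suffix
        return False
    return any(ip in net for net in ROGUE_DNS_RANGES)


def check_ipconfig(ipconfig_text):
    """Return ('red', rogue_servers) or ('green', []), mirroring the dns-ok.us colours."""
    rogue = [s for s in extract_dns_servers(ipconfig_text) if is_rogue(s)]
    return ("red" if rogue else "green"), rogue


# Constructed sample output; the first DNS server sits in a placeholder rogue range.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.1.50
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 203.0.113.77
                                       192.168.1.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    # On a Windows host read the live configuration; elsewhere use the sample.
    if platform.system() == "Windows":
        text = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_IPCONFIG
    verdict, rogue = check_ipconfig(text)
    print(verdict, rogue)
```

A "red" result here has the same meaning as on the slide that follows: the machine's resolver points at infrastructure the criminals controlled, so the host should be treated as compromised rather than simply given a new DNS setting.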


DNS Changer event

If the dns-ok.us website background is red, then you should have your computer re-imaged, or have your computer reformatted and the operating system reinstalled.

This check and the mitigation steps should be completed before July 9, 2012.


Q&A

Questions?

Craig Schiller, CISSP-ISSMP, [email protected]

EVP-IT Services & CIO
Security Compliance Associates

727.571.1141

www.scasecurity.com