Why Vawtrak v2 could be the next major banking Trojan

by Neira Jones, Non-Executive Director Cognosec, Partner Global Cyber Alliance


Think more like a criminal…

This came to my attention through the excellent report produced by cyber threat intelligence provider Blueliv, and made me think that whilst we have all seen the statistics on the various types of malware and the innovative methods criminals use to reach their targets, basic security principles are rarely followed, in favour of quick time to market or other economic imperatives.

Indeed, all the recent spectacular cyber attacks on banks and other infrastructure providers shouldn’t have come as a surprise: all were caused by lax security and governance practices at some point in the value chain. And we should worry: with the world population now reaching 7.4 billion and Gartner predicting that there will be 6.4 Billion Connected “Things” in use by the end of 2016 (24 Billion by 2020), it is undeniable that human behaviours are changing at a staggering pace.

Consumer adoption of different modes of interaction (mobile devices, wearables, IoT, etc.) and different channels (websites, social networks, TV and other media, etc.) suggests the need for speed and modern infrastructures. And yet the cybercriminals are years ahead of the mass market, having adopted robust supply and demand operating models and realized the value of industry-wide information sharing while the rest of us were trying to figure out what we should tweet. 

As the world becomes increasingly mobile and digital, the challenges faced by businesses and their security and fraud professionals must not be underestimated. Indeed, the more and the faster we connect, digitise, innovate and share information, the more risks and threats are introduced as criminals also connect, digitise, innovate and share information. More than a third of global online transactions are now mobile; it is frightening to see that most companies do nothing to protect their mobile apps (or indeed their APIs). We have also recently seen how the IoT can be harvested to launch massive DDoS attacks.

It is undeniable that the hyper-connected world has brought with it the demise of the traditional network perimeter, which we all knew very well how to defend. It is no longer sufficient to batten down the hatches: looking outside the traditional perimeter for behaviours and anomalies as well as learning from and collaborating with others are now essential elements of modern threat intelligence.

Why Vawtrak v2 could be the next major banking Trojan

By Neira Jones

The evolution of cybercrime and the increased sophistication of attackers, who are constantly developing efficient methods of distributing, sharing and monetising their efforts, show us that organisations still need to fix the basics and organise themselves more effectively to combat threats. In other words, whilst trying to keep pace with technology advancements, businesses haven’t kept pace with criminals and are still, in the main, reluctant to share information across industries and sectors to strengthen our defences as a whole.

I wanted to work with the Blueliv Threat Intel Labs team to dig deeper into the notion of collaboration within the industry. They are experts on Vawtrak v2, and this is their view of the biggest challenge currently facing organisations across all sectors:

“We’ve seen this happen again and again. Traditional firewalls, IDS, and antivirus mechanisms cannot keep up with the techniques developed by the threat actors. DGAs (Domain Generation Algorithms) defeat the purpose of blacklisting in firewalls, different techniques (such as packers, a type of software used to obfuscate the entire malware binary), are being developed faster than AV firms can develop counter-mechanisms to detect them. The only solution left to try and combat this menace is to do as they do; share information.”

What we can learn from drunken Russians: it’s all about trust and cooperation…

I know very well that attribution is a very difficult (and sometimes dangerous) thing, so I’m not pointing fingers… I simply couldn’t resist the translation of Moskalvzapoe (which Blueliv reads as two words: ‘Moskal’, an ethnic slur for Russian, and ‘Zapoe’, which means drunk), the organized cybercrime gang allegedly behind the crimeware-as-a-service distribution of the Vawtrak v2 malware.

It is true that financial services institutions generally have a lot of controls and governance already in place as they have always been exposed to threats, and are therefore far more able to cope than firms in other industries because of the resources and knowledge at their disposal. Whilst healthcare, retail and hospitality are seemingly far easier targets, this is no reason for banks to become complacent: technology innovations in mobile, IoT, artificial intelligence and social media all create new business opportunities, but also bring along new risks and threats that financial services institutions should be ready to mitigate and combat.

Indeed, we all remember the spectacular SWIFT hack, and the more recent Tesco Bank attack. Unfortunately, whilst organisations continue to present themselves as easy targets to criminals, these attacks will still make the news. Time and time again, criminals will infiltrate the organisation’s internal networks for months in order to gather the information necessary for the attack, allowing them to study the internal processes and controls implemented by the business, and then harvest data which is then used to perform fraudulent activities. Indeed, the Blueliv report highlights that the cybercriminal groups behind the Vawtrak v2 banking Trojan (Moskalvzapoe and Vawtrak) maintain two different infrastructures: one dedicated exclusively to the spam distribution mechanism, and the other purely for the maintenance and control of Vawtrak and the reporting of the stolen data. This proves once again that cybercrime is a highly profitable and efficient industry that invests in talent, technology and research, and that cooperation enables it to build large-scale communication networks to run increasingly sophisticated criminal infrastructures supporting the global distribution of malware.

It is only unfortunate that it takes massive public exposure to see positive action, but Gottfried Leibbrandt, CEO at SWIFT, rightly said “the security of global banking can only be ensured collectively”. The SWIFT Board approved funding for the security programme at the beginning of June 2016 and has made several positive moves since then. Lack of information security hygiene, adequate risk management, threat intelligence and cooperation, governance and effective incident response are almost always the root cause. However, we can see a change in this area, with many willing to cooperate, such as the Cyber Defence Alliance, as well as many others.

Data and cooperation will be key; the golden combination favoured by Blueliv in the collective fight against cybercrime.

Regulators, friend or foe?…

In the last couple of years, we have seen a marked change in the way regulations have evolved. Most notably in Europe, the Payments Services Directive 2 (PSD2) is the first set of regulation in financial services that explicitly specifies both information security and strong authentication requirements for regulated organisations. In the United States, the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency have also set out new plans to strengthen the way they oversee big banks in a bid to protect the country’s financial system in the event of a major cyber attack or technology failure, covering both American and foreign banks operating in the country as well as market infrastructure companies. Many other countries have similar initiatives. In addition, we have the EU General Data Protection Regulation, and the 4th Anti-Money Laundering Directive. When these regulations are looked at together, it becomes apparent that there are many synergies and potential overlaps, as well as a distinct convergence between cyber security and fraud/financial crime prevention, a trend which must be welcomed.

To make sense of it all, businesses should approach these regulations holistically, not as separate, distinct programmes, as much efficiency can be derived. It is also apparent that regulators have been far more active in the last 18 months with their enforcement actions. Aside from regulators, those that provide market infrastructure also have a role to play. For example, SWIFT, following the 2016 attacks, is clamping down on its members by “naming and shaming” banks who fail to meet security standards, not a position one wants to find oneself in… And of course, card schemes (e.g. Mastercard, Visa) have always had strict requirements on their members regarding security and fraud prevention as part of their operating regulations. These regulations will drive corporate behavioural change in the right direction. In addition, whilst threat intelligence is not a regulatory requirement per se, it enables efficient risk management processes, which are an essential part of all regulations.

Look inside as well as outside…

Blueliv’s report concludes that Moskalvzapoe’s main objective is malware distribution, and we can believe this given the continued success of email social engineering campaigns (after all, the payload will be delivered via email and we all know that at some point, a user will click on that link or open that attachment…). In other words, security awareness is still generally poor, but it is perversely encouraging that the numerous media-worthy data breaches of recent times are increasingly putting cyber security on the Board agenda, as well as on the regulators’ radar. This will hopefully encourage a holistic, layered security posture encompassing not only Technology, but also Process and People. I am also very excited about the recent developments in Threat Intelligence and Machine Learning, Behavioural Analytics, Deception Technologies, Digital Identity, Mobile (& Mobile API) Security, Insider Threat Management, and of course Email Security/Authentication (DMARC is a particular favourite of mine, and the Global Cyber Alliance, a not-for-profit organisation, is doing great work in that space) to combat social engineering and what I like to call Corporate Identity Theft.

Fix that stool…

In conclusion, whilst a sweeping generalisation would not be appropriate as attitudes to cyber security vary across industries, there is still a general lack of cohesiveness and holistic approach to cyber and information security.

First of all, organisations must address that permanently Wobbly Three Legged Stool, our beloved triad (Confidentiality, Integrity, Availability). We’ve been pretty good at the “C” and the “A”, but the “I” has traditionally been somewhat left behind... Data loss and business disruption threats are well understood, but data manipulation prevention is still a poor third.

Secondly, businesses must not forget that other constantly Wobbly Three Legged Stool, our even more beloved PPT (People, Process, Technology). We’ve been pretty good at the “T”, but the two “Ps” are always neglected. With the increasingly complex regulatory landscape (e.g. GDPR, the NIS Directive, PSD2 and others), the two “Ps” are now getting more focus, which is a good thing.

To reiterate the key takeaways from Blueliv’s Chasing Cybercrime report, organisations need to combine external and targeted intelligence with internal knowledge to complement and prepare their existing security infrastructure to defend against evolving cyberthreats. Financial services institutions need to share information and intelligence not only across their own industry sector but also with other sectors, law enforcement and their own customers and suppliers.

Regardless of industry, information security always comes down to common sense, and a few principles need to be followed: ensuring that personal data is safe, ensuring that systems only collect the data they need, preventing unauthorised access to the data, and preventing corruption of the data whether at rest or in transit. Of course, all of this needs to be applied within the context of an enlightened risk management framework, with the appropriate governance, operational processes and culture to support it.

In the meantime, let’s all be prepared for Vawtrak v2, read and share the report…

ABOUT BLUELIV

Blueliv is a leading cyber threat intelligence provider with a world-class in-house Labs team. We scour the web to deliver fresh, automated and actionable threat intelligence to organizations across multiple industries to protect their networks from the outside in.

Our scalable cloud-based platform turns global threat data into actionable intelligence, enabling organizations to save time and resources by improving their incident response performance and empowering their Security Operations team with real-time intelligence. Quantify and qualify malicious attack vectors with our plug-and-play MRTI feed; delivered in the STIX/TAXII standard, integration is easy. Start detecting external threats and

Follow us: twitter.com/blueliv, es.linkedin.com/company/blueliv

Read our blog: blueliv.com/blog-news/


NEIRA JONES

made Neira believe in change through innovation & partnerships. Neira is regularly invited to advise organisations of all sizes on payments, cybercrime, risk, information security, regulations (e.g. PSD2, GDPR, etc.) and digital innovation, where she always strives to demystify the hype surrounding these issues... Neira likes engaging on social media and regularly addresses global audiences on these topics as a keynote speaker or chairperson. Neira has received multiple industry awards, is a bit of a geek, a proud technophile and loves cars.

twitter.com/neirajones linkedin.com/in/neirajones