Research has revealed that banks, telecommunication companies and government organisations in Africa, the US, South America and Europe are among the top targets, with the GCMAN and Carbanak groups being the primary suspects.
Kaspersky Lab experts have discovered a series of “invisible” targeted attacks that use only legitimate software: widely available penetration-testing and administration tools as well as the PowerShell framework for task automation in Windows – dropping no malware files onto the hard drive, but hiding in the memory. This combined approach helps to avoid detection by whitelisting technologies, and leaves forensic investigators with almost no artefacts or malware samples to work with. The attackers stay around just long enough to gather information before their traces are wiped from the system on the first reboot.
At the end of 2016, Kaspersky Lab experts were contacted by banks in CIS which had found the penetration-testing software, Meterpreter, now often used for malicious purposes, in the memory of their servers when it was not supposed to be there. Kaspersky Lab discovered that the Meterpreter code was combined with a number of legitimate PowerShell scripts and other utilities.
The combined tools had been adapted into malicious code that could hide in the memory, invisibly collecting the passwords of system administrators so that the attackers could remotely control the victim’s systems. The ultimate goal appears to have been access to financial processes.
Kaspersky Lab has since uncovered that these attacks are happening on a massive scale: hitting more than 140 enterprise networks in a range of business sectors, with most victims located in the USA, France, Ecuador, Kenya, the UK and Russia.
In total, infections have been registered in 40 countries. It is not known who is behind the attacks. The use of open source exploit code, common Windows utilities and unknown domains makes it almost impossible to determine the group responsible – or even whether it is a single group or several groups sharing the same tools. Known groups that have the most similar approaches are GCMAN and Carbanak.
Such tools also make it harder to uncover the details of an attack. The normal process during incident response is for an investigator to follow the traces and samples left in the network by the attackers. And while data in a hard drive can remain available for a year after an event, artefacts hiding in the memory will be wiped on the first reboot of the computer. Fortunately, on this occasion, the experts got to them in time.
“The determination of attackers to hide their activity and make detection and incident response increasingly difficult explains the latest trend of anti-forensic techniques and memory-based malware. That is why memory forensics is becoming critical to the analysis of malware and its functions. In these particular incidents, the attackers used every conceivable anti-forensic technique; demonstrating how no malware files are needed for the successful exfiltration of data from a network, and how the use of legitimate and open source utilities makes attribution almost impossible,” said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab.
The attackers are still active, so it is important to note that detection of such an attack is possible only in RAM, the network and registry – and that, in such instances, the use of Yara rules based on a scan of malicious files are of no use.
Details of the second part of the operation, showing how the attackers implemented unique tactics to withdraw money through ATMs will be presented by Sergey Golovanov and Igor Soumenkov at the Security Analyst Summit, to be held from 2 to 6 April, 2017.
Kaspersky Lab products successfully detect operations using the above tactics, techniques and procedures. Further information on this story and Yara rules for forensic analysis can be found in the blog on Securelist.com.
Technical details, including Indicators of Compromise were also provided to customers of Kaspersky Intelligence Services.
Combatting attacks by groups like GCMAN or Carbanak requires a specific set of skills from the security specialist guarding the targeted organisation. During the Security Analysis Summit 2017, Kaspersky Lab’s top-notch specialists will be running exclusive security training sessions designed to help specialists detect sophisticated targeted attacks. Apply for training on “Hunting targeted attacks with Yara rules” here. Apply for training on Malware reverse engineering here.
Samsung unfolds the future
At the #Unpacked launch, Samsung delivered the world’s first foldable phone from a major brand. ARTHUR GOLDSTUCK tried it out.
Everything that could be known about the new Samsung Galaxy S10 range, launched on Wednesday in San Francisco, seems to have been known before the event.
Most predictions were spot-on, including those in Gadget (see our preview here), thanks to a series of leaks so large, they competed with the hole an iceberg made in the Titanic.
The big surprise was that there was a big surprise. While it was widely expected that Samsung would announce a foldable phone, few predicted what would emerge from that announcement. About the only thing that was guessed right was the name: Galaxy Fold.
The real surprise was the versatility of the foldable phone, and the fact that units were available at the launch. During the Johannesburg event, at which the San Francisco launch was streamed live, small groups of media took turns to enter a private Fold viewing area where photos were banned, personal phones had to be handed in, and the Fold could be tried out under close supervision.
The first impression is of a compact smartphone with a relatively small screen on the front – it measures 4.6-inches – and a second layer of phone at the back. With a click of a button, the phone folds out to reveal a 7.3-inch inside screen – the equivalent of a mini tablet.
The fold itself is based on a sophisticated hinge design that probably took more engineering than the foldable display. The result is a large screen with no visible seam.
The device introduces the concept of “app continuity”, which means an app can be opened on the front and, in mid-use, if the handset is folded open, continue on the inside from where the user left off on the front. The difference is that the app will the have far more space for viewing or other activity.
Click here to read about the app experience on the inside of the Fold.
Password managers don’t protect you from hackers
Using a password manager to protect yourself online? Research reveals serious weaknesses…
Top password manager products have fundamental flaws that expose the data they are designed to protect, rendering them no more secure than saving passwords in a text file, according to a new study by researchers at Independent Security Evaluators (ISE).
“100 percent of the products that ISE analyzed failed to provide the security to safeguard a user’s passwords as advertised,” says ISE CEO Stephen Bono. “Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.”
In the new report titled “Under the Hood of Secrets Management,” ISE researchers revealed serious weaknesses with top password managers: 1Password, Dashlane, KeePass and LastPass. ISE examined the underlying functionality of these products on Windows 10 to understand how users’ secrets are stored even when the password manager is locked. More than 60 million individuals 93,000 businesses worldwide rely on password managers. Click here for a copy of the report.
Password managers are marketed as a solution to eliminate the security risks of storing passwords or secrets for applications and browsers in plain text documents. Having previously examined these and other password managers, ISE researchers expected an improved level of security standards preventing malicious credential extraction. Instead ISE found just the opposite.
Click here to read the findings from the report.