Research has revealed that banks, telecommunication companies and government organisations in Africa, the US, South America and Europe are among the top targets, with the GCMAN and Carbanak groups being the primary suspects.
Kaspersky Lab experts have discovered a series of “invisible” targeted attacks that use only legitimate software: widely available penetration-testing and administration tools as well as the PowerShell framework for task automation in Windows – dropping no malware files onto the hard drive, but hiding in the memory. This combined approach helps to avoid detection by whitelisting technologies, and leaves forensic investigators with almost no artefacts or malware samples to work with. The attackers stay around just long enough to gather information before their traces are wiped from the system on the first reboot.
At the end of 2016, Kaspersky Lab experts were contacted by banks in CIS which had found the penetration-testing software, Meterpreter, now often used for malicious purposes, in the memory of their servers when it was not supposed to be there. Kaspersky Lab discovered that the Meterpreter code was combined with a number of legitimate PowerShell scripts and other utilities.
The combined tools had been adapted into malicious code that could hide in the memory, invisibly collecting the passwords of system administrators so that the attackers could remotely control the victim’s systems. The ultimate goal appears to have been access to financial processes.
Kaspersky Lab has since uncovered that these attacks are happening on a massive scale: hitting more than 140 enterprise networks in a range of business sectors, with most victims located in the USA, France, Ecuador, Kenya, the UK and Russia.
In total, infections have been registered in 40 countries. It is not known who is behind the attacks. The use of open source exploit code, common Windows utilities and unknown domains makes it almost impossible to determine the group responsible – or even whether it is a single group or several groups sharing the same tools. Known groups that have the most similar approaches are GCMAN and Carbanak.
Such tools also make it harder to uncover the details of an attack. The normal process during incident response is for an investigator to follow the traces and samples left in the network by the attackers. And while data in a hard drive can remain available for a year after an event, artefacts hiding in the memory will be wiped on the first reboot of the computer. Fortunately, on this occasion, the experts got to them in time.
“The determination of attackers to hide their activity and make detection and incident response increasingly difficult explains the latest trend of anti-forensic techniques and memory-based malware. That is why memory forensics is becoming critical to the analysis of malware and its functions. In these particular incidents, the attackers used every conceivable anti-forensic technique; demonstrating how no malware files are needed for the successful exfiltration of data from a network, and how the use of legitimate and open source utilities makes attribution almost impossible,” said Sergey Golovanov, Principal Security Researcher at Kaspersky Lab.
The attackers are still active, so it is important to note that detection of such an attack is possible only in RAM, the network and registry – and that, in such instances, the use of Yara rules based on a scan of malicious files are of no use.
Details of the second part of the operation, showing how the attackers implemented unique tactics to withdraw money through ATMs will be presented by Sergey Golovanov and Igor Soumenkov at the Security Analyst Summit, to be held from 2 to 6 April, 2017.
Kaspersky Lab products successfully detect operations using the above tactics, techniques and procedures. Further information on this story and Yara rules for forensic analysis can be found in the blog on Securelist.com.
Technical details, including Indicators of Compromise were also provided to customers of Kaspersky Intelligence Services.
Combatting attacks by groups like GCMAN or Carbanak requires a specific set of skills from the security specialist guarding the targeted organisation. During the Security Analysis Summit 2017, Kaspersky Lab’s top-notch specialists will be running exclusive security training sessions designed to help specialists detect sophisticated targeted attacks. Apply for training on “Hunting targeted attacks with Yara rules” here. Apply for training on Malware reverse engineering here.
Revealing the real cost of ‘free’ online services
A free service by Finnish cybersecurity provider F-Secure reveals the real cost of using “free” services by Google, Apple, Facebook, and Amazon, among others.
What do Google, Facebook, and Amazon have in common? Privacy and identity scandals. From Cambridge Analytica to Google’s vulnerability in Google+, the amount of personal data sitting on these platforms is enormous.
Cybersecurity provider F-Secure has released a free online tool that helps expose the true cost of using some of the web’s most popular free services. And that cost is the abundance of data that has been collected about users by Google, Apple, Facebook, Amazon Alexa, Twitter, and Snapchat. The good news is that you can take back your data “gold”.
F-Secure Data Discovery Portal sends users directly to the often hard-to-locate resources provided by each of these tech giants that allow users to review their data, securely and privately.
“What you do with the data collection is entirely between you and the service,” says Erka Koivunen, F-Secure Chief Information Security Officer. “We don’t see – and don’t want to see – your settings or your data. Our only goal is to help you find out how much of your information is out there.”
More than half of adult Facebook users, 54%, adjusted how they use the site in the wake of the scandal that revealed Cambridge Analytica had collected data without users’ permission.* But the biggest social network in the world continues to grow, reporting 2.3 billion monthly users at the end of 2018.**
“You often hear, ‘if you’re not paying, you’re the product.’ But your data is an asset to any company, whether you’re paying for a product or not,” says Koivunen. “Data enables tech companies to sell billions in ads and products, building some of the biggest businesses in the history of money.”
F-Secure is offering the tool as part of the company’s growing focus on identity protection that secures consumers before, during, and after data breaches. By spreading awareness of the potential costs of these “free” services, the Data Discovery Portal aims to make users aware that securing their data and identity is more important than ever.
A recent F-Secure survey found that 54% of internet users over 25 worry about someone hacking into their social media accounts.*** Data is only as secure as the networks of the companies that collect it, and the passwords and tactics used to protect our accounts. While the settings these sites offer are useful, they cannot eliminate the collection of data.
Koivunen says: “While consumers effectively volunteer this information, they should know the privacy and security implications of building accounts that hold more potential insight about our identities than we could possibly share with our family. All of that information could be available to a hacker through a breach or an account takeover.”
However, there is no silver bullet for users when it comes to permanently locking down security or hiding it from the services they choose to use.
“Default privacy settings are typically quite loose, whether you’re using a social network, apps, browsers or any service,” says Koivunen. “Review your settings now, if you haven’t already, and periodically afterwards. And no matter what you can do, nothing stops these companies from knowing what you’re doing when you’re logged into their services.”
***Source: F-Secure Identity Protection Consumer (B2C) Survey, May 2019, conducted in cooperation with survey partner Toluna, 9 countries (USA, UK, Germany, Switzerland, The Netherlands, Brazil, Finland, Sweden, and Japan), 400 respondents per country = 3600 respondents (+25years)
WhatsApp comes to KaiOS
By the end of September, WhatsApp will be pre-installed on all phones running the KaiOS operating system, which turns feature phones into smart phones. The announcement was made yesterday by KaiOS Technologies, maker of the KaiOS mobile operating system for smart feature phones, and Facebook. WhatsApp is also available for download in the KaiStore, on both 512MB and 256MB RAM devices.
“KaiOS has been a critical partner in helping us bring private messaging to smart feature phones around the world,” said Matt Idema, COO of WhatsApp. “Providing WhatsApp on KaiOS helps bridge the digital gap to connect friends and family in a simple, reliable and secure way.”
WhatsApp is a messaging tool used by more than 1.5 billion people worldwide who need a simple, reliable and secure way to communicate with friends and family. Users can use calling and messaging capabilities with end-to-end encryption that keeps correspondence private and secure.
WhatsApp was first launched on the KaiOS-powered JioPhone in India in September of 2018. Now, with the broad release, the app is expected to reach millions of new users across Africa, Europe, North America, Southeast Asia, and Latin America.
“We’re thrilled to bring WhatsApp to the KaiOS platform and extend such an important means of communication to a brand new demographic,” said Sebastien Codeville, CEO of KaiOS Technologies. “We strive to make the internet and digital services accessible for everyone and offering WhatsApp on affordable smart feature phones is a giant leap towards this goal. We can’t wait to see the next billion users connect in meaningful ways with their loved ones, communities, and others across the globe.”
KaiOS-powered smart feature phones are a new category of mobile devices that combine the affordability of a feature phone with the essential features of a smartphone. They meet a growing demand for affordable devices from people living across Africa – and other emerging markets – who are not currently online.
WhatsApp is now available for download from KaiStore, an app store specifically designed for KaiOS-powered devices and home to the world’s most popular apps, including the Google Assistant, YouTube, Facebook, Google Maps and Twitter. Apps in the KaiStore are customised to minimise data usage and maximise user experience for smart feature phone users.
KaiOS currently powers more than 100 million devices shipped worldwide, in over 100 countries. The platform enables a new category of devices that require limited memory, while still offering a rich user experience.
* For more details, visit: Meet The Devices That Are Powered by KaiOS
* Also read Arthur Goldstuck’s story, Smart feature phones spell KaiOS