
This past week was characterized by the FFIEC releasing a warning to financial institutions to make changes to the security of their customers' data, and by the Tinba banking Trojan galloping its way into larger banks in Russia and Japan. Patagonia, an outdoor clothing retailer, is feeling the cold from a recent breach. The brighter side is that the Cyber Threat Alliance is taking a chip out of the ransomware avalanche and has narrowed the CryptoWall attackers down to one group, but not before the attackers accumulated $325 million from victims.

Highlighting the cyber-security news from the past week in a 120 sec. read. Starting now.

Threat Landscape

The FFIEC has released a statement on the increasing frequency and severity of cyber attacks involving extortion that are hitting financial institutions.

http://www.ffiec.gov/press/pr110315.htm

Why is this significant?

  1. Due to the monetary value that financial institutions hold, they will always be on cyber attack hit lists.
  2. Officials are stepping in and taking an active part by encouraging financial institutions to notify law enforcement and their primary regulator or regulators of any cyber attack involving extortion.

Malware

Tinba 2.0, a banking Trojan also known as "Tiny Banker" or "Zusy", is now targeting banks in Russia and Japan. Tinba is known for its small code, sometimes as little as 20 kilobytes. It uses Man-in-the-Browser (MitB) techniques to fool customers of banking websites, stealing their banking credentials in the process.

https://threatpost.com/new-tinba-variant-spotted-targeting-russian-japanese-banks/115257/

Why is this significant?

  1. Tinba appeared in the wild in 2014 and was found to uninstall itself if the Cyrillic (Russian) alphabet was found on the targeted system. Interestingly, SecureWorks researchers have found 32,805 IP addresses related to Tinba 2.0, of which 34.5% originate in Russia.
  2. Tinba 2.0 is the latest version of Tinba and differs from previous versions in that it is "primarily spread through spam email and exploit kits like Neutrino, Angler, and Nuclear. The malware is multi-faceted, comes complete with a list of domain names, RSA keys, and request paths, and has led to tens of thousands of active malware infections. 2.0 also uses a more sophisticated domain generation algorithm, which makes mitigation tougher. The most recent version uses four hard-coded TLDs (top level domains) instead of one, to generate 400 possible domains, instead of 1,000. The malware also has an RSA signature mechanism that verifies whether or not the command and controller it communicates with is legitimate."
  3. Researchers are reporting that "there's now more than a dozen groups running Tinba 2.0 botnets".
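
The quoted description makes two points a defender can act on: a DGA over a hard-coded TLD list (four TLDs and 400 candidates, versus one TLD and 1,000) and a C&C list that can be precomputed once the generator is known. The example below is an added illustration, not enSilo's code nor anything from the Threatpost article, and the generator is a hypothetical seed-and-date construction, not Tinba's actual algorithm. It reproduces the 400 vs. 1,000 arithmetic, builds the day's blocklist, and sweeps constructed DNS log lines for two signals: an exact blocklist hit, and a high-entropy second-level label that suggests an unknown DGA. The seed, TLD list, log format and entropy threshold are all assumptions.

```python
import hashlib
import math
from collections import Counter
from datetime import date

# Hypothetical seed-and-date DGA, constructed for this example.
# It is NOT Tinba's real algorithm; it only models the shape the article
# describes: a fixed seed, a daily schedule, and a hard-coded TLD list.
HYPOTHETICAL_SEED = b"example-seed-not-real"


def generate_candidates(seed: bytes, day: date, tlds, total: int):
    """Return `total` candidate domains for `day`, spread round-robin over `tlds`.

    With one TLD and total=1000 this yields 1,000 domains; with four TLDs and
    total=400 it yields 400, matching the figures quoted in the article.
    """
    candidates = []
    for i in range(total):
        digest = hashlib.sha256(
            seed + day.isoformat().encode() + i.to_bytes(2, "big")
        ).hexdigest()
        # Map 12 hex digits onto lowercase letters a..p for a 12-char label.
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])
        candidates.append(f"{label}.{tlds[i % len(tlds)]}")
    return candidates


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of a DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude 'last two labels' registered domain; good enough for a demo."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])


def triage_dns_log(lines, blocklist, entropy_threshold=3.0):
    """Return {registered_domain: [reasons]} for queries worth a look.

    Assumed log format (constructed): "<timestamp> <client> <qtype> <qname>".
    Two independent signals: an exact hit on the precomputed DGA list, and a
    high-entropy second-level label that may indicate an unknown DGA.
    """
    hits = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        domain = registered_domain(fields[3])
        reasons = []
        if domain in blocklist:
            reasons.append("dga-blocklist")
        sld = domain.split(".")[0]
        if len(sld) >= 8 and label_entropy(sld) >= entropy_threshold:
            reasons.append("high-entropy")
        if reasons:
            hits[domain] = sorted(set(hits.get(domain, []) + reasons))
    return hits


TLDS = ["com", "net", "org", "info"]  # hypothetical list; the article names none
TODAY = date(2015, 11, 2)  # fixed so the example is reproducible
BLOCKLIST = set(generate_candidates(HYPOTHETICAL_SEED, TODAY, TLDS, 400))

# Constructed DNS log lines; the second query uses one of today's candidates.
SAMPLE_LOG = [
    "2015-11-02T10:00:01 10.0.0.5 A www.example.com",
    f"2015-11-02T10:00:02 10.0.0.5 A {sorted(BLOCKLIST)[0]}",
    "2015-11-02T10:00:03 10.0.0.9 A kxqzvbnmplwe.net",
    "2015-11-02T10:00:04 10.0.0.9 A mail.google.com",
]

if __name__ == "__main__":
    one_tld = generate_candidates(HYPOTHETICAL_SEED, TODAY, ["com"], 1000)
    print(len(one_tld), "candidates with one TLD")
    print(len(BLOCKLIST), "candidates with four TLDs")
    for domain, reasons in triage_dns_log(SAMPLE_LOG, BLOCKLIST).items():
        print(domain, reasons)
```

The blocklist signal is exact but only works once the seed and schedule have been reverse-engineered and the list is regenerated daily; the entropy heuristic catches random-looking labels without that knowledge but will also flag legitimate CDN and tracking hostnames, so in practice it is a triage hint, not a block rule.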

**Customers of enSilo are protected from Tinba 2.0**

Breaches

Patagonia Australia, a localized website of the outdoor clothing retailer, has reported that the site was compromised between August 4 and September 12. Six hundred customers who made purchases from the site during this period could be at risk of having their banking details stolen, while another 12,500 customers may have had personal details compromised.

http://www.abc.net.au/news/2015-10-27/patagonia-website-hacked-600-customers-bank-details-at-risk/6888196

Why is this significant?

  1. This is one more attack on retailers. Although it has not been clarified how the attack took place (through malware, a website vulnerability, etc.), retailers are constantly reminded that their reputation rides on one question: how safe is their customer data?
  2. While this breach seems to be confined to the website, it also serves as a reminder of the cost of a breach for retailers. A breach at a retailer directly impacts the retailer's revenue, whether it is the website going down or the PoS system being taken offline at a certain location. To put figures to such a loss: at a large retailer, a single PoS device can generate up to $100K a day.

Ransomware

The Cyber Threat Alliance has released a report indicating that the CryptoWall attackers have run 49 different campaigns, attempting to infect 406,887 users, mostly located in North America.

http://news.softpedia.com/news/cryptowall-3-0-ransomware-operators-made-325-million-495582.shtml

Why is this significant?

  1. The Cyber Threat Alliance has determined that the majority of attacks are linked to one Bitcoin account, which means that there is one group behind the campaign of attacks.
  2. The researchers have also concluded that the group's earnings from the campaign accumulated to $325 million / €295 million.
  3. Researchers have reported just over 4,000 variants of CryptoWall stemming from 839 C&C servers. Hopefully, the researchers will be able to locate the encryption keys for CryptoWall 3.0, enabling the decryption of files for all those victims.