
This week brought news that Microsoft's "hotpatching" technique has been recycled and maliciously repurposed as an intrusion method by a cyber criminal team, Platinum. FIN6, another malicious team, is back, tapping into retail/hospitality PoS systems and stealing credit card data, and we can always count on the VDBIR to interpret the cyber security industry and release statistics that are always in favor of the cyber criminals.

Highlighting the cyber-security news from the past week in a 120-second read. Starting now.

Malware

1. Microsoft's Windows Defender Advanced Threat Hunting team discovered a cyber criminal team, Platinum. These cyber criminals appear to have been lurking for an extended time, going undetected by using a hard-to-detect method: "hotpatching".

Why is this significant?

  • Hotpatching was developed in 2003 by Microsoft to patch Windows Servers without having to reboot them. Essentially, Microsoft developed a tool to patch against vulnerabilities, and now Platinum is using this very tool to lurk in the deep areas of the operating system. Hotpatching was phased out for Windows 8 and later versions because no one was using it.
  • Platinum seems to be an organised and well-funded group seeking information that could benefit a government entity. Ironically, malicious groups are increasingly using existing tools and features that are supposed to protect systems; in today's world, security tools are being used as keys into a victim's server.

Read the full story on ZDNet

 

2. A hacking group, FIN6, infected 2,000 retail/hospitality payment terminals with Trinity malware and successfully compromised POS systems, stealing approximately 10 million credit card records.

Why is this significant?

  • FIN6 is a notorious cyber gang that has been known for compromising POS systems since it was first detected last year.
  • FIN6 goes after credit card credentials and then resells that information on the Dark Web, usually for $21 per card. In the past they advertised 20 million credit cards, which would be approximately a $400 million profit for the cyber gang.

Read the full story on The Register

Read here how enSilo protects PoS and enables continuous operations, even during investigation and remediation of an attack.

Verizon Data Breach Investigation Report (VDBIR)

Verizon's Data Breach Investigation Report (VDBIR) indicates the constant threat from threat actors, with 89% of data breaches having a financial or espionage motive. This emphasizes the importance of data exfiltration prevention, since the threat actor often seems to already be inside and prevention is being left in the dust.

Why is this significant?

  • "In 93% of cases where data was stolen, systems were compromised in minutes or less. An exfiltration happened within minutes in 28% of cases."
  • Phishing emails continue to be a top way that organized cyber criminals or state-affiliated cyber criminals force their malware onto victims' PCs. Within the first hour of the phishing emails being received, 1 million recipients opened the email and half a million clicked a link within it. One of the biggest phishing campaigns we have seen lately has been hitting taxpayers and stealing data that can be used to intercept a tax refund, which then lands in the hands of the criminal and leaves the taxpayer empty-handed.
  • The VDBIR shows that threat actors begin with simple tools and techniques to avoid detection. Once they figure out how they are being detected, they usually jump over it, and that is when the sophisticated attacks are implemented, escaping detection. 90% of the cyber-espionage incidents involved malicious software, and "90% of cyber-espionage breaches capture trade secrets or proprietary information."

Read the VDBIR Executive Summary here