
This week was abuzz with a malicious group taking advantage of Ammyy Admin to drain bank accounts; CiCi's Pizza was compromised along with its PoS provider; and code hooking vulnerabilities were discovered.

Highlighting the cyber-security news from the past week in a 120 sec. read. Starting now.


Malware

A malicious group discovered an effective way of spreading malware to access and empty out bank accounts.

Why is this significant?

  • Ammyy Admin is a legitimate administration tool that gives a user access to a computer from a remote location, making it possible to work on a machine without being physically present at it. The malicious group bundled spyware into the Ammyy Admin installer so that it was installed automatically along with the download.
  • The malicious group also modified the PHP script running on the Ammyy web server to increase their success rate, which could give them a chance to gain control over the website. "What resulted was a highly effective means for distributing the banking Trojan. That's because the legitimate tool Ammyy provided was in many ways similar to the banking Trojan in that they both provided remote access to the computer they ran on."
  • Ammyy Admin was leveraged not only because it made malware distribution easy and because it already requires admin privileges. It also enables the Trojan to fly under the radar even when an alert is raised, since admins are quick to dismiss the related alerts as false positives. The way around this is to prevent, in real time, the actual data exfiltration attempt made by the malicious components.

Read the full story on Ars Technica

Breaches

CiCi's Pizza experienced a credit card breach that affected a reported 500 stores in 35 U.S. states.

Why is this significant?

  • It's not definite, but it seems the breach first started in 2015 and was not detected until March of this year.
  • The investigation started like most PoS attacks do: with suspicious activity reported by cardholders, after which the credit card companies connected the dots back to CiCi's Pizza.
  • The PoS malware trend continues to hit the hospitality, retail and restaurant markets. Given the frequency of attacks, it doesn't look like there is enough security awareness when it comes to a company taking on a third-party service provider. According to Krebs, it looks as though the PoS service provider, Datapoint, was also compromised.
  • For a technical breakdown of PoS malware, we recommend this read on the PoS malware called MoDPos: http://breakingmalware.com/malware/a-technical-breakdown-of-modpos/.

/** enSilo protects against PoS malware **/

Read the full story on KrebsOnSecurity

Vulnerabilities

enSilo’s researchers discovered six security issues in code hooking that can lead to the compromise of the underlying machine.

Why is this significant?

  • Hooking is a technique used by software such as virtualization, sandboxing and performance monitoring products to monitor and/or change the behavior of operating system functions so that the software can operate effectively. It's particularly critical for security products.
  • These six security issues affect more than a dozen software products, including the 10-year-old Microsoft Detours, which is licensed to over 100 ISVs, is used within nearly every Microsoft product, and will be patched in August. As a result, this code hooking vulnerability extends to millions of users.
  • Interested in learning more about the technical background and how security tools can be used as an intrusive channel? Join our researchers at Black Hat, Wed. Aug 3, 16:20 in the Jasmine Ballroom.

Read the Q&A by the researchers