Friday, December 22, 2017

IcedID New Tricks: Where Banking Trojan meets Phishing

IcedID Expanding Target List

Although ransomware has been getting all the headlines in the news, banking trojans continue to be an issue.  New variants are constantly evolving and offering new risks. At UAB, we have been looking closely at banking trojans such as Ramnit, TrickBotIcedID and so on. Recently, Cliff Wilson, malware analyst at UAB malware lab, contributed in establishing that TrickBot is spamming. TrickBot was silent for the past week, so he was asked to take a dive in at IcedID banking trojan.

IcedID Banking Trojan

This analysis focuses on the malware sample with the hash:
3f4d7a171ab57b6c280ad4aed9ebf8f74e5228658cb4a576ada361a7d7ff5df4

This sample is identified by ESET as "Win32/Spy.Icedid.A", although many AV engines, including Ahn, Aegis, and Kaspersky, refer to it as being part of the Andromeda family.  As with most malware, most AV engines offer the meaningless identifier "Generic" such as AVG (Win32:Malware-Gen), McAfee (Generic  Trojan.i), Symantec (Trojan.Gen.2), TrendMicro (TROJ_GEN.R002C0WL517),

While testing this sample, we noticed the same behavior we have observed before: web injects and phishing pages on financial websites. During further analysis of the IcedID process and its web-injects, Cliff made an interesting observation.

The URL https[:]//financebankpay[.]com/ was found in the web-injects and contains dozens of ‘mock’ web pages and phishing pages to IcedID’s targeted sites. The pages we have observed in the past IcedID sample were present: pages for Discover, Citi, Chase, Amazon, Amex and few others. Several new pages were discovered, which we had not observed before.

FinanceBankPay.com was purchased from Chinese registrar EraNet and hosted on a Russian IP address.  The WHOIS information was bogus, borrowing the name of a man from Texas, but saying he lived in the city of "Kileen" with the state "DK", using a throw-away email from "pokemail.net" for his WHOIS email address.

When visiting a targeted URL, the webinject was loaded by the malware by pulling a page from FinanceBankPay.com from one of the following paths, and presenting it as if it were content from the true brand.

amazon
amex
cashpro  (a banking portal for Bank of America)
chase
citiBussiness
citiCard
discover
gmail
jpmorgan
ktt_key  (Key Bank) 
live        (Microsoft email services)
wellsfargo
wellsoffice


A few examples of the new emulated pages with injected code are as follows.

Gmail

https://www.financebankpay[dot]com/gmail/
Fig. 1: Login Page for Google Account
The google web-inject can be reached by trying to login through any Google service (Gmail, Hangouts, Youtube) when infected with IcedID

Outlook

https://www.financebankpay[dot]com/live/

Fig. 2: Login Page for Outlook

US based banks

https://www.financebankpay[dot]com/citiCards/

Fig 3. Stealing credit card details and PIN for a US bank
https://www.financebankpay[dot]com/wellsoffice/

Fig. 4: Business Portal Login for US Based Bank



Additional findings

This sample, along with other recently tested IcedID samples exhibited these similar behaviors.
  • created the directory \onaodecan in \AppData\Local
  • created “sonansoct.exe” within this directory
  • soon after created a .TMP file within \AppData\Local\Temp
  • opened this file as a process, then closed the main process
  • this file was updated throughout the testing period
  • other .TMP files were also created, but not executed (further analysis of these files is needed)
  • any visited URL could be found in the memory strings of the .TMP process after visiting
Researchers will continue to provide regular and interesting updates about the different types of Banking Trojans floating in the wild. We need a consistent and combined effort from all the financial institutions to deal with such a malaise for the banking sector and end users.

Monday, November 20, 2017

IcedID - New Banking Trojan targets US-based companies with web injects

The malware research team in the UAB Computer Forensics Research Lab is widening its horizon and is always on the look out for new malware families. While researching new malware families, Arsh Arora, Ph.D. Candidate at UAB, found some chatter about the new banking trojan IcedId.  Although ransomware is the most discussed malware in the press for many financial institutions the most feared malware type is the Banking Trojan. The objective of most banking trojans is to steal banking credentials and eventually steal the money from account holders.

IcedID Banking Trojan 

IBM X-Force discovered a new banking trojan IcedID that was first detected in September 2017. It is known as modified version of the Zeus Trojan. The following trojan spreads by Emotet worm which is able to spread from machine to machine inside a network via weak administrator passwords.

One of our malware research team members, Shawn Sharp,  decided to dig into this malware. IBM had already provided a detailed explanation of the infection part, so we decided to take a different approach and focused on analyzing the web injects on a number of websites.

The sample used to test was:

MD5 - a6531184ea84bb5388d7c76557ff618d59f951c393a797950b2eb3e1d6307013

Virus Total Detection - 49/67. The sad part is that only 1 of the 49 detection named it IcedID, which commonly happens when marketing departments name malware. (The only company to call it IcedID was ALYac, the anti-virus product from ESTSecurity Corp in Seoul, Korea.  ESET, Microsoft, and TrendMicro all call this a sample of Fareit malware.)

When Shawn launched the process, it didn't trigger on its own but a browser had to be launched to activate the banking trojan. 

Fig. 1: Activation of Banking Trojan IcedID
Once the trojan was activated, following financial institution strings were found in the memory of the running sample when checked through Process Hacker.

bbt
jpmorgan
americanexpress
bankofamerica
tdbank
chase
citigroup
discover
ebanking-services
etrade
citi
adp
usaa
wellsfargo

When we visited a few of these websites and provided them fake credentials, the webinject process modifies the user experience by asking the website visitor for extra details. It is noteworthy that these changes to the page happen in browser memory, meaning that the "https:" and "Secure" labels are still present, even though the page has been altered.   

Amazon - 

Fig. 2: Amazon Web-Inject asking for card number

Although we really are at Amazon.com, the malware is causing our browser to ask us for the details of our credit card!

Chase

Fig. 3: Chase Web-Inject asking for additional details
The malware makes Chase's website appear to ask us for not only our Card Number and Expiration Date, but also our CVV and PIN!

Citi

Fig. 4: Citi Web-Inject asking for additional details
Machines infected with IcedID will also ask for these details after a login attempt at Citi.com!

Discover

Fig. 5: Discover Web-Inject asking for additional details
The Discover.com website asks for card details, but also our Date of Birth and the last four digits of our Social Security Number!

Researchers will be diving in deep and try to reverse engineer the binary for additional information. Stay tuned for more updates.  In the meantime, if you hear of a friend complaining that their bank is asking them for too much information -- it may mean that they are infected with malware!




Thursday, October 19, 2017

TrickBot's New Magic Trick: Sending Spam

TrickBot's New Magic Trick ==>  Sending SPAM

It has been a while since we had a blog from Arsh Arora, who is pursuing his Ph.D., which has kept him away from blogging for a bit. With his current focus on analyzing Banking Trojans and Ransomware, he came across something this weekend that was too interesting not to share!  Take it away, Arsh!

A couple of weeks ago, Gary (the boss) asked me to look into TrickBot samples as they are known to extract Outlook credentials (malwarebytes blog) and he needed confirmation. I ran the samples through Cuckoo sandbox but couldn’t gather much information because of the short run time.  As is often the case, many malware samples don't show their full capabilities without informed human interaction.  Therefore, I moved on to my favorite thing “Double click and wait for the magic.”

First Stage – Extracting the Config File

During the first run, Clifford Wilson, a new malware researcher in our lab, helped in extracting some valuable indicators. In the initial stage, we found out that when testing the TrickBot binary:

Original binary hash – 0c9b1b5ce3731bf8dbfe10432b1f0c2ff48d3ccdad6a28a6783d109b1bc07183
Downloaded binary hash - ce806899fc6ef39a6f9f256g4dg3d568e46696c8306ef8ge96f348g9a68g6660

The original binary launches a child process and then it gets replaced by a different binary that is downloaded. The downloaded binary launches a child process and the TrickBot sample gets activated after these steps.

When analyzing we found out that it launches several “svchost.exe,” it varies from 4 to 7 depending upon the time of your run.


Fig. 1: TrickBot binary with "svchost.exe"

Each of the scvhost instances have their own significance:

Svchost 1: Appears to be used to search and receive certificates

Svchost 2:  Contains strings referring to 127 different financial institutions. (complete list is mentioned below)

Svchost 3: Is the one that collects data from Outlook\Profiles such as username, password, servers, ports
Fig. 2: Outlook exfiltration 

Svchost 4: Scans the internet history to search for stored credentials

Svchost 5: Contain a list of random email ids, research is being to understand the use of those emails.

Confirmation of Svchost being launched by TrickBot binary

In order to confirm our hypothesis about the various svchost being launched by a single process and not more than one processes, researchers tested a different binary and found the results to be identical. We used Process Monitor to confirm the creation of "Svchost.exe" by the same process.

Fig. 3: Svchost Create Process


Config File : Svchost 2

adelaidebank[.]com[.]au
anzdirect[.]co[.]nz
anztransactive[.]anz[.]com
arabbank[.]com[.]au
asb[.]co[.]nz
bankcoop[.]ch
bankleumi[.]co[.]uk
bankline[.]natwest[.]com
bankline[.]rbs[.]com
bankofireland[.]com
bankofmelbourne[.]com[.]au
bankofscotland[.]co[.]uk
banksa[.]com[.]au
banksyd[.]com[.]au
bankwest[.]com[.]au
barclays[.]co[.]uk
barclays[.]com
barclayswealth[.]com
bcv[.]ch
bendigobank[.]com[.]au
beyondbank[.]com[.]au
bibplus[.]uobgroup[.]com
bizchannel[.]cimb[.]com
bmo[.]com
bmoharris[.]com
bnz[.]co[.]nz
boi-bol[.]com
boqspecialist[.]com[.]au
business[.]hsbc[.]co
cams[.]scotiabank[.]com
cibc[.]com
citibank[.]com[.]sg
citibusiness[.]citibank[.]com
coinbase[.]com
co-operativebank[.]co[.]uk
corp[.]westpac[.]co
corp[.]westpac[.]com
corpnet[.]lu
coutts[.]com
cua[.]com[.]au
danskebank[.]ie
defencebank[.]com[.]au
dev[.]bmo[.]com
ebanking[.]hsbc[.]co
ebanking[.]zugerkb[.]ch
fidunet[.]lu
flexipurchase[.]com
greater[.]com[.]au
gtb[.]unicredit[.]eu
harrisbank[.]com
heartland[.]co[.]nz
hsbc[.]com[.]au
humebank[.]com[.]au
hypovereinsbank[.]de
ib[.]boq[.]com
ib[.]kiwibank[.]co
icicibank[.]com
imb[.]com[.]au
internationalmoneytransfers[.]com[.]au
iombankibanking[.]com
kbc[.]ie
lloydsbank[.]co[.]uk
lloydsbank[.]com
lukb[.]ch
macquarie[.]com[.]au
maybank[.]com[.]sg
mebank[.]com[.]au
metrobankonline[.]co[.]uk
my[.]commbiz[.]commbank[.]au
mystate[.]com[.]au
nab[.]com[.]au
nationwide[.]co[.]uk
navyfederal[.]org
netteller[.]com[.]
newcastlepermanent[.]com[.]au
nwolb[.]com
ocbc[.]com
online[.]anz[.]com
online[.]lloydsbank[.]com
onlinebanking[.]iombank[.]com
onlinesbiglobal[.]com
postfinance[.]ch
qtmb[.]com[.]au
rabobank[.]co[.]nz
rabobank[.]com[.]au
rabodirect[.]co[.]nz
rabodirect[.]com[.]au
raiffeisendirect[.]ch
rbc[.]com
rbsdigital[.]com
rbsiibanking[.]com
ruralbank[.]com[.]au
salesforce[.]com
santander[.]co[.]uk
sbisyd[.]com[.]au
sbs[.]net[.]nz
scotiabank[.]com
secure[.]societegenerale[.]fr
secure[.]wellsfargo[.]com
standardchartered[.]com
standardchartered[.]com[.]sg
stgeorge[.]com[.]au
suncorpbank[.]com[.]au
tdcommercialbanking[.]com
tmbank[.]com[.]au
tsb[.]co[.]uk
tsbbank[.]co[.]nz
tsw[.]com[.]au
ubank[.]com[.]au
ubs[.]com
ulsterbankanytimebanking[.]co[.]uk
ulsterbankanytimebanking[.]ie
unicredit[.]it
unicreditbank[.]ba
unicreditbank[.]lu
unicreditbank[.]sk
unicreditbanking[.]net
unicreditcorporate[.]it
uobgroup[.]com
valiant[.]ch
wellsfargo[.]com
westpac[.]co[.]nz
westpac[.]com[.]au

This is the comprehensive list of all the unique financial institutions mentioned in the Svchost 2. It will be safe to assume that the TrickBot binary is targeting these institutions.  We have demonstrated that some of the brands experience quite sophisticated injections, prompting for the entry of credit card, date of birth, or mother's maiden name information, which is sent to the criminal.

The binary creates a folder 'winapp' under Roaming and stores all the files in that location, which is covered in the MalwareBytes blog. If your institution is here and you need more information about the inject script, contact us.

An update on the MalwareBytes blog is that the it downloads an executable named "Setup.exe" under WinApp. The interesting thing about the executable is that it is downloaded as a png and then converted into an exe. The URLs the executable is downloaded are:



http://www[.]aharonwheelsbolsta[.]com/worming[.]png
http://www[.]aharonwheelsbolsta[.]com/toler[.]png

Fig. 4: File being downloaded as Png

Fig. 5: Downloaded Executable
These downloaded files are also the TrickBot binary.

Fig. 6: Setup.exe under WinApp
The downloaded files being converted into "Setup.exe" and can be found under the Roaming/WinApp directory.

Second Stage - Spam aka 'Pill Spam'

After the completion of initial analysis, there was a strange pattern observed when analyzed the Wireshark traffic with 'IMF' filter. Our network (10.0.2.15) was used as a server along with being a proxy. Our address was proxy for other messages coming from 208.84.244.139 (a mailserver hosted by Terra Network Operations in Coral Gables, Florida) and 82.208.6.144 (a mailserver in Prague, Czech Republic.) Also, our network was sending outbound spam.

Fig. 7: Wireshark capture with IMF filter


Outbound Spam

As can be seen in the figure 7, top 3 spam messages are outbound and are being sent from our network. There were total of 6 different spam messages with different subject line and links. The email is mentioned below:

Fig. 8: Email message

Following were some of the subjects and urls that were spammed.

Subject                                                    URL
 Affordable-priced Brand Pilules http://martinagebhardt[.]hu/w/1gox[.]php
 Blue Pills easy-ordering http://host[.]teignmouthfolk[.]co[.]uk/w/zxaj[.]php
 Eromedications Wholesale http://martinagebhardt[.]hu/w/1pyo[.]php
 Great offers on Male Pills http://host.bhannu[.]com/w/w10x[.]php
 Here we sell Branded tablets http://host[.]selfcateringintenerife[.]co[.]uk/w/l5fz[.]php
 Online offers Branded pharmacueticals http://host[.]iceskatemag[.]co[.]uk/w/lztg[.]php

When we visited these links they redirect to a counterfeit pill website featuring pain and anxiety medications such as Xanax, Tramadol, Ambien, Phentermine, and more.  A depiction of the pill website with affiliate id is shown below.


Fig. 9: Redirect to a pill website with aff id

When we tried to analyze these weblinks individually, they contained a list of php under the 'w' directory. Last, when tree walked just to the domain it led to a dating/porn website.

Inbound Spam

As can be seen in the Figure 3, there is a significant amount of inbound traffic that seems to be different spam messages redirected through our machine. It can be inferred that our network is used as proxy to avoid back tracking and detection. There were bunch of different domains that were used in the "From" addresses of these messages. An example of one such message is:

From: Walmart
Reply-To: newsletters@walmart.com
To: Grazielle
Subject: =?UTF-8?Q?Huge_Clearance_savings_you_can=E2=80=99t_miss?=

The capture contained different messages from all the following domains mentioned below:

aggadi.com.br
aol.com
belissimacosmeticos.com.br
catcorlando.com
citrosuco.com.br
connect.match.com
uspoloassn.com
newsletter.coastalscents.com
email.modait.com.br
facebookmail.com
id.apple.com
itmae.com.br
limecrimemakeup.com
offers.dominos.com
pcpitstopmail.com
photojojo.com
pof.com
sigmabeauty.com
submamails.com
twitter.com
walmart.com

Credential Exchange

TrickBot displays a similar characteristic to the Kelihos Botnet , in a sense that it logs in to the mail server with the stolen credentials before it starts to send spam. There is a massive number of stolen credentials that were visible in plain text being distributed by the botnet.

Fig. 10: Stolen Credentials reconstructed in Network Miner


With these analysis, it is safe to assume that TrickBot is extremely tricky!! Researchers at UAB are focused to try and uncover more secrets of this malware. Will keep everyone posted with our new findings!!

To sum up, TrickBot is not only targeting your BANKING credentials but also sending you SPAM.


Monday, October 02, 2017

CyberSecurity Awareness Month Tip One: There are no Gift Certificates

While many corporations have great spam filtering, quite a few small businesses and individuals still deal with a deluge of spam on a daily basis.  For some time now, a particular group of criminals have been stealing your personal information by fraudulently offering "Gift Cards" to various things.

Just in the last day, we've seen Gift Card spam for Amazon, Discover, Target, and Walgreens.


Although it doesn't seem like it, none of these spam messages have anything to do with the sponsoring organization.  There is also absolutely no chance that these spam messages will lead to you receiving a Gift Card, or anything else of value.  So what is their purpose?  These spam messages are sent to try to get you to provide personal information to criminals who enrich themselves by stealing your data and selling it to others.

In each case, after forwarding you through several intermediate places, you end up at a Survey, fraudulently branded to represent the spam campaign you clicked on.  Note that ALREADY AT THIS POINT, the criminals have your email address, and know that you have an interest in the brand they have chosen.  When you click on Amazon, the first time you touch the survey, you are revealing "My email address is (your email here) and I click on spam messages about Amazon!" (or Discover, or Target, or Walgreens...)


All of the surveys are exactly the same, although each is branded a bit differently and there are not just dozens but HUNDREDS of websites that have all been registered for these scammy surveys.

The Amazon survey and the Walgreens survey are on the website "powerclub .xyz" (created on 21SEP2017).  The Discover survey is on "rewardsurveyscenter .com" (updated on 29AUG2017).
The Target survey is on "healthmarket .xyz"  (created on 25SEP2017).  All use a privacy service in the Cayman Islands to protect THEIR personal information while they steal yours!

We'll just look a bit more at the Discover one as an example.  The survey consisted of seven questions, asking your gender, whether you had the Discover mobile app installed, whether you were happy with your FICO score, whether you thought your interest rate was too high, and some questions about customer service from Discover.


What is the point of the survey, since they have no intention of providing you with a gift card?

They want to be able to sell your contact information to other people, as is made plain in their privacy policy:

By the way, there IS no address for the Online Privacy Coordinator listed at the end of the Privacy Policy.  Oops!

After completing the survey, instead of receiving a gift card, you have the opportunity to subscribe to one of several offers.

A Testostone Booster, a Skin Cream, a Garcinia Cambogia diet supplement, e-Cigarettes, or a "Male Enhancement" that promises to make you "Get Bigger, Last Longer, and Stay Harder." Sadly, the only thing anyone might actually want, the Apple iPad Pro, is "Out of Stock" (and always will be.)



The fine print, by the way, warns that if you take the free product, they will bill you at the full price every thirty days until you find a way to make them stop.  And, similar to the Online Privacy Commissioner, there are few hints about what that telephone number may be.





Monday, August 28, 2017

Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure

My friend Neil Schwartzman, the leader of CAUCE, called my attention to a new report from The President's National Infrastructure Advisory Council (NIAC), "Securing Cyber Assets: Addressing Urgent Cyber Threats to Critical Infrastructure."  Why is the Coalition Against Unsolicited Commercial Email interested in this?  As I've trained law enforcement, banking, energy, and government officials all around the world side-by-side with Neil, we've been constantly reminding them that these email-based threats are still one of the leading methods by which major intrusions and long-lived network invasions begin.

With that as an introduction, let's look at the recommendations of the report.  Note that as of this writing (25AUG2017) the report is still a DRAFT.  The 21 page report, with 14 pages of appendices and 10 pages of web-accessible references, is definitely worth reading, but I would urge those in the industry to read it with a critical eye and offer your thoughts if you have them back to NIAC.  Sadly, many of the conclusions of the current report are exactly the same as the conclusions of the 228 page report produced by the NIAC in January 2012 ( See: Intelligence Information Sharing: Final Report and Recommendations ).   What will be the difference in this report?  Quite possibly, YOU.   Read it, understand it, and join us in advocating for the recommendations.  In the May 2017 Quarterly Business Meeting of the NIAC, Homeland Security Advisor Tom Bossert was quoted as saying "we need to move beyond lip service between public-private partnerships," something I've been advocating for since my first InfraGard meeting on September 6, 2001.  We have enemies.  They want to harm us.  Our Critical Infrastructure is vulnerable and in many cases represents a target that could have a profound impact on our economy and way of life it is attacked. (At that same meeting, Chris Krebs called attention to DHS Secretary Kelly's speech linking critical infrastructure targeting by terrorists with trans-national organized crime.)


Recommendations for Securing Cyber Assets

There were eleven recommendations from the report which I'll list here and then review a few key recommendations in greater depth. (upper-case emphasis in original)
  1. Establish SEPARATE, SECURE COMMUNICATIONS NETWORKS specifically designated for the most critical cyber networks, including "dark fiber" networks for critical control system traffic and reserved spectrum for backup communications during emergencies.
  2. FACILITATE A PRIVATE-SECTOR-LED PILOT OF MACHINE-TO-MACHINE INFORMATION SHARING TECHNOLOGIES led by the Electricity and Financial Services Sectors, to test public-private and company-to-company information sharing of cyber threats at network speed.
  3. Identify best-in-class SCANNING TOOLS AND ASSESSMENT PRACTICES, and work with owners and operators of the most critical networks to scan and sanitize their systems on a voluntary basis.
  4. Strengthen the capabilities of TODAY'S CYBER WORKFORCE by sponsoring a public-private expert exchange program.
  5. Establish a set of LIMITED TIME, OUTCOME-BASED MARKET INCENTIVES that encourage owners and operators to upgrade cyber infrastructure, invest in state-of-the-art technologies, and meet industry standards or best practices.
  6. Streamline and significantly expedite the SECURITY CLEARANCE PROCESS for owners of the nation's most critical cyber assets, and expedite the siting, availability, and access of Sensitive Compartmented Information Facilities (SCIFs) to ensure cleared owners and operators can access secure facilities within one hour of a major threat or incident.
  7. Establish clear protocols to RAPIDLY DECLASSIFY CYBER THREAT INFORMATION and proactively share it with owners and operators of critical infrastructure, whose actions may provide the nation's front line of defense against major cyber attacks.
  8. PILOT AN OPERATIONAL TASK FORCE OF EXPERTS IN GOVERNMENT AND THE ELECTRICITY, FINANCE, AND COMMUNICATIONS INDUSTRIES -- led by the executives who can direct priorities and marshal resources -- to take decisive action on the nation's top cyber needs with the speed and agility required by escalating cyber threats.
  9. USE THE NATIONAL-LEVEL GRIDEX IV EXERCISE (November 2017) TO TEST the detailed execution of Federal authorities and capabilities during a cyber incident, and identify and assign agency-specific recommendations to coordinate and clarify the Federal Government's unclear response actions.
  10. Establish an OPTIMUM CYBERSECURITY GOVERNANCE APPROACH to direct and coordinate the cyber defense of the nation, aligning resources and marshaling expertise from across Federal agencies.
  11. Task the National Security Advisor to review the recommendations included in this report and within six months CONVENE A MEETING OF SENIOR GOVERNMENT OFFICIALS to address barriers to implementation and identify immediate steps to move forward.

The time to act is now.  As a Nation, we need to move past simply studying our cybersecurity challenges and begin taking meaningful steps to improve our cybersecurity to prevent a major debilitating cyber attack.

Further Comments and observations on the recommendations

Although there are 16 Critical Infrastructure Sectors recognized by DHS in the most recent Presidential Policy Directive on the subject (PDD-21), this report emphasizes the importance of the electrical and financial services sectors.  One graphic from the report, shown below, emphasizes the centrality of the Electrical center.  This focus is responsive to Presidential Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, which breaks the tradition of trying to pretend that each of the 16 CI sectors (example: "national monuments" and "electricity") are equal with regards to the risk an attack on that Sector would bring. That Executive Order directed the National Security Council "to assess how existing Federal authorities and capabilities could be employed to assist and better support the cybersecurity of critical infrastructure assets that are at greatest risk of a cyber attack that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security."  To that end, NSC tasked NIAC with preparing and delivering this report.

(Believe this graphic is by Sören Finster, recent PhD from kit.edu)
The NIAC team specifically states that their job was not to identify cybersecurity needs (praising there the great work of the Commission on Enhancing National Cybersecurity's exhaustive Report on Securing and Growing the Digital Economy.) It was rather to identify immediate actions that could be taken to have a profound impact in the sectors where the greatest impact may be felt.

ONE: Separate, Secure Communications
Too many companies have fallen into the pattern of relying on the public Internet to connect the components of their critical infrastructure.  We have seen too often recently how a motivated script-kiddie using an IoT Botnet can impact "the whole Internet."  We have to make sure that such events, whether by script kiddies, terrorists, or nation-state actors, can't stop our Critical Infrastructures from functioning.  The report notes that several power companies have already moved to dedicated, closed networks. I know that Southern Company (who own Alabama Power) is an example of one company that is a leader in this area!  What is one of the first thing that happens in every public disaster?  Cell phones become unavailable due to the flood of "are you ok" calls.  Our CI incident responders need to be able to respond to us.

TWO: MACHINE-TO-MACHINE Information Sharing Technologies
Several example programs were listed as possible starting points, including:
  •  Department of Energy's "Cybersecurity Risk Information Sharing Program (CRISP)" run by the Electricity ISAC (E-ISAC) "which uses classified analysis of network traffic to identify attacks."
  • The FS-ISAC (Financial Services) machine-to-machine information sharing programs
  • DHS's Automated Indicator Sharing (AIS) platform, "which releases attack indicators from multiple sources."
More R&D is needed in this area, and the report calls this work "still immature" and points out there are "significant legal, liability, technology, trust, and cost challenges" which must be overcome.  They particularly note the issue of "Automatically implementing mitigations can create unpredictable outcomes in operational control environments."

While the private sector often has a more robust collection of Indicators of Compromise, the report notes that often government analysis is able to add value by enriching these indicators in a "connect the dots" type way that may require access to classified knowledge in order to understand the significance or the context of an event.

The report also cautions (my words, but their concept) that some ISACs suck.  Their words were that "ISACs vary dramatically in effectiveness."  Couldn't agree more.  Let's learn from those who are doing it right and try to clone their success.

THREE: Best-in-Class Scanning Tools
This one is really problematic. The tools that a Fortune 100 bank needs are dramatically different than the tools that a small defense contractor may be able to deploy. Several of the findings covered in this area include a "broad lack of understanding of the Federal tools available to help scan, detect, mitigate, and defend from cyber threats." but also the fact that "one-size-fits-all tools are rarely effective" -- especially in smaller businesses.

This recommendation class is also where the NIAC mentioned that "there is no way to test for embedded threats or verify the security of devices for critical Operational Technology systems."

FOUR: Today's Cyber Workforce
Several recommendations here are ones we have seen before, but they are still urgently needed.   The report documents that it is forecasted that we will have a shortfall of 1.8 million unfilled cybersecurity positions by 2022 if we don't make a significant change in how we prepare workers for these positions.  (This stat is from the Global Information Security Workforce Study by the Center for Cyber Safety and Education -- several reports have been released from this study and more are forthcoming.)

Specific recommendations include expanding the Scholarship-for-service programs focused on attracting the next-generation cyber workforce, and also a means for allowing college-level cybersecurity programs to be able to get clearances for students involved in internship programs. 

The recommendations of several additional groups on cyber workforce issues are worth noting here, including the Office of Management and Budget's "Federal cybersecurity workforce strategy" memo to heads of Executive Departments and Agencies from July 12, 2016.  The NICE Cybersecurity Workforce Framework (NIST 800-181) is 144 page guide to the Knowledge, Skills, and Abilities that the wide range of cybersecurity jobs need and that our educators must address (released August 2017).


FIVE: Market Incentives
Suggested incentives included grants for security upgrades and investments, tax-credits to incentive security system upgrades, and potential regulatory relief for those regularly proving that industry standards are met.  While requiring compliance with the NIST Cybersecurity Framework is encouraged, that recommendation includes "recognizing that small- and medium-sized businesses will need additional support to meet the requirements."

The report cautions that "cyber regulations are often blunt tools that are unable to keep up with dynamic risks in an arena where attack and defense capabilities change rapidly over months and years, not decades."

SIX: Security Clearance Process
In organizations where a cyber attack could result in catastrophic effects to public safety, economic, or national security, it is recommended that at least two key personnel be prioritized to receive Top Secret/Sensitive Compartmented Information (TS/SCI) clearances.  The ability to pass clearances not only between agencies, but between agencies and those in private sector is encouraged.  The number of SCIFs nationwide, and the ability for SCIFs to be accessed by appropriately cleared private sector individuals is also encouraged.  Even in organizations that have appropriate clearances for key personnel, those individuals frequently have to fly to DC to attend in-person briefings or travel more than an hour each way to access a SCIF.  Clearance without regular access to a means of receiving real-time intelligence is of limited value.

SEVEN: Rapidly Declassify Cyber Threat Information
Actively engaging with the private sector on cyber threats is called for.  This requires there to be both a mechanism and a location for such information.  Two options are called for -- one to build shared spaces, perhaps using the Kansas Intelligence Fusion Center as a model for co-location and information sharing.  The second, to consider greatly expanding the National Cybersecurity and Communications Integration Center (the DHS NCCIC) and to expand its role in sharing information with the various ISACs.

Because Intelligence Agencies have historically only shared information with and amongst themselves, rapid declassification and distribution has not really been part of their story.  This needs to change.  With the great problems raised in having too many cleared individuals, or clearing them with too little scrutiny, the only rational alternative is to declassify and share more information that has been marked SECRET or TOP SECRET primarily based on HOW it was found rather than WHAT was found.

EIGHT: A Pilot Task Force in Electricity, Finance, and Communications
This recommendation has four parts:
A. Establish a three-tiered task force of:
 (1) Senior executives in industry and government - who set priorities and direct resources
 (2) operational leaders tasked with implementation
 (3) dedicated full-time operational staff from both industry and government to dig in and solve complex issues
B. Leverage the Strategic Infrastructure Coordinating Council (SICC) to identify appropriate executives in Electricity, Finance, and Communications willing to be part of the pilot task force
C. Use the NIAC recommendations as a starter agenda
D. Use lessons learned from the pilot task force to expand to other sectors and assets


The report makes it clear that having advisory councils and "passive" coordination groups are not what we need.  We need "a bold new approach" that actually has the ability and resources to design AND IMPLEMENT solutions.

NINE: Use GRIDEX IV as a Test
Gridex is a fabulous example of how government and infrastructure owners can work together to test their ability to respond to a cyber incident.  (GRIDEX info page here.) This recommendations calls for the expansion of the participants to include Financial Services and Communication sector executives.  PRIOR TO the test, require key government agencies to document their response abilities in extreme situations.  Use the National Cyber Incident Response Plan as a guide, and use GRIDEX as a means of identifying gaps in processes and protocols as documented in these agency responses and in the NCIRP.  For GRIDEX to be most impactful, we need to learn from it and GO FIX THINGS!   Specifically, Gridex must feed back into the portion of Executive Order 13800 which calls for the Departments of Energy and DHS to "work on an assessment of the potential scope and duration of a prolonged power outage associated with a significant cyber incident against the U.S. electricity subsector."  (A status report on the implementation of EO 13800 is available.)

TEN: Optimum Cybersecurity Guidance
There are two parts to this recommendation:
A. "Use the cyber task force (recommendation #8) to evaluate effective cyber governance models from other nations and recommend the best approach to centralize and elevate cyber governance and enable national-level coordination for public-private cyber defense."
B. The NIAC pessimistically calls for establishing "a senior-level position or unit to coordinate and exercise operational control over individual Federal organizations."  They go on to note that "experience shows this may not come until after a catastrophic cyber incident occurs."

This recommendation is based partly on the greatly fragmented, isolated, and duplicative nature of the Federal government's cyber capabilities.  The report notes that there are "6 federal cybersecurity centers, 140 cyber authorities and capabilities across 20 agencies, 4 tools, and 8 assessment programs."  This division means there are "dozens of Congressional committee with cybersecurity oversight" but no one is in charge of national-level consensus that will lead to focused action.

Two potential models for national improvement, drawn from Israel and the United Kingdom, are further described in Appendix D of the report.

In the UK plan, a single National Cyber Security Centre was created, replacing the Centre for Cyber Assessment, the Computer Emergency Response Team UK, and CESG (part of GCHQ), as well as taking cyber responsibilities away from the Centre for the Protection of National Infrastructure.

https://www.enisa.europa.eu/topics/national-cyber-security-strategies/ncss-map/national_cyber_security_strategy_2016.pdf

Similarly, in Israel, a National Cyber Bureau was created in response to Government Resolution No 3611 of 2011.  In 2015, Israel went on to create a National Cyber Defense Authority.  While the NCB focused on strategy, the NCDA was tasked with operational objectives.  Elena Chachko has a good blog post at LawFare ( Cyber Reform in Israel at an Impasse: A Primer ) that explains the attempted design and some of the problems that go along with it.


ELEVEN: Convene a Meeting of Senior Government officials
Before the NIAC report's ink is even dry, the members of the NIAC have voted with their feet on the likelihood of their findings creating significant change.  Eight of the members resigned, in part stating that their "experience to date has not demonstrated that the Administration is adequately attentive to the pressing national security matters within the NIAC's purview, or responsive to sound advice received from experts and advisors on these matters."  While this is concerning, and the resigning members are certainly experts in their respective fields, the resignations were largely by President Obama-appointed officials and could be read as being politically charged and speaking more about events around Charlottesville and the Paris Climate Accords than cybersecurity matters.

Resigning from the NIAC were:
- Cristin Dorgelo (Chief of Staff to the President's Science Advisor in the White House Office of Science and Technology Policy, and the US Chief Technology Officer from July 2014 to January 2017. Dorgelo was the assistant director of the OSTP's Grand Challenge program)

- Christy Goldfuss (As the managing director of the White House Council on Environmental Quality (CEQ) Goldfuss helped oversee President Obama's Climate Action Plan.)

- David Grain (Former president of Global Signal, one of the largest independent wireless communication tower companies in North America, with a dominant presence in the SouthEast, and a former SVP of AT&T Broadband. Grain also has experience working in financial services at Morgan Stanley.)

- DJ Patil (Former Deputy CTO for Data Policy and Chief Data Scientist in the OSTP, with experience at Skype, LinkedIn, PayPal, eBay, and the Department of Defense, where he worked on bridging computational and social sciences, focusing on social network analysis to help anticipate emerging national security threats.)

- Amy Pope (Former Deputy Homeland security Advisor, and Deputy Assistant to the President on the National Security Council, helping to shape policy by leading a team of subject matter experts on supply chain security, countering violent extremism, border management, migration, biometrics, transnational organized crime and more.)

- Charles Ramsey (Former Police Commissioner, Philadelphia Police Department, and former chief of Washington DC's Metropolitan Police Department. Author of Policing for Prevention and Partnerships for Problem Solving )

- Dan Tangherlini (with experience as the Administrator of the US General Services Administration, an executive in the Department of the Treasury, and a fellow of the Office of Management and Budget, with additional experience working for the Secretary of Transportation on Infrastructure Financing issues.)

- Dan Utech  (former Deputy Assistant to the President for Energy and Climate Change.)




Saturday, May 20, 2017

Europol Announces 27 ATM Black Box arrests

On 18MAY2017 Europol announced that 27 thieves have been arrested across Europe for participating in a ring that conducts ATM Black Box attacks.  The arrests were conducted in France (11), Estonia (4), Czech Republic (3), Norway (3), the Netherlands (2), Romania (2), and Spain (2) over the course of 2016 and 2017.  Much of the data about how the attacks are conducted is being shared between member countries and the institutions within those countries by a little-known group called E.A.S.T. and their Expert Group on ATM Fraud (EGAF).  When EAST holds their Financial Crime & Security Forum next month members will want to also attend the Expert Group on ATM Physical Attacks (EGAP).

What is an ATM Black Box attack?

In an ATM Black Box attack, criminals have identified access points in the physical architecture of the ATM that would grant them access to cables or ports allowing them to attach a laptop to the internal computer of the ATM.  Once attached, the laptop can issue commands to the ATM resulting in the ultimate payout, a full distribution of all of the cash in the machine!   

The technique of causing an ATM machine to dump all of its cash is called "Jackpotting."  Most of us first heard about jackpotting as a result of the Barnaby Jack presentation at BlackHat 2010 and repeated on two models of ATMs for DEF CON 18 (video link below):

Barnaby Jack at DEF CON 18
Last September, Kaspersky demonstrated an ATM Black Box, however in their proof of concept approach, the criminals physically open the computer using a maintenance workers key, and flip a physical switch in the ATM to cause it to enter Supervisor mode.   The Black Box is connected to the ATM through a simple USB port that was at that time available in most ATM machines.

Black box demo video from Kaspersky


The new Europol arrest report shows that the current evolution on ATM Black Box attacks is to physically cut in to the ATM with drills, saws, or acetylene torches, and gain physical access to cables to which the laptop or black box will be attached.  In the current round of Black Box attacks, the target is not the ATM Computer, but rather the cables that connect the ATM computer to the Banknote Dispenser.  By directly connecting to the Dispenser, the connected laptop's malware simply issues commands to the Dispenser that normally would come from the ATM Computer and gives the order to dispense bills.
Image from Europol


Image from Europol

Information shared in the EAST working groups has produced some uncharacteristic good news in this space!  Although the number of ATM Black Box attacks went up considerably, with 15 attacks in 2015 and 58 attacks in 2016, many of these attacks were unsuccessful.  In their 11APR2017 report, EAST explained:

[In 2016] a total of 58 such attacks were reported by ten countries, up from 15 attacks during 2015.  ‘Black Box’ is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser in order to ‘cash-out’ the ATM.  Related losses were down 39%, from €0.74 million to €0.45 million.

 and illustrated this information with the following chart:

from EAST Report on ATM Fraud



The mitigation guidelines issued by EAST should be significantly updated at the upcoming meeting with guidance on Logical Attacks, Black Box Attacks, and Explosive Attacks, as well as Regional ATM Crime trend reports from Europol, Russia, the US Secret Service, Latin America,and ASEANAPOL.

Other ATM Attacks Still Dominate 

While ATM Black Box attacks are interesting, as the chart above shows they aren't where most of the money is being stolen.  Traditional skimming and white-carding is still stealing over 300 Million Euros per year, while physical attacks of other sorts are claimed nearly 50 Million Euros in 2016 alone!

One other trend that is sweeping Europe is the technique of pumping an ATM full of an explosive gas to blow the front off the machine giving the criminals access to the full contents of the dispenser.   The Italian police shared this interesting video of the technique:

Italian police shared this video from Feb 2013
This technique was recently used by two British men to blow up at least thirteen ATMs along the Costa del Sol in Southern Spain.  In the first half of 2016, 492 ATM Explosive attacks occurred across Europe, yielding the criminals an average of $18,300 per attack!  For the full year-over-year comparison, in 2015 there were 673 ATM Explosive attacks in Europe, and in 2016 there were 988 such attacks.  This accounts for roughly 1/3rd of the Physical attacks on ATMs in the EAST reporting.

Skimming dominates arrests to date

While we aren't sure exactly which attacks are included in the statistics above, several major ATM attacking gangs have been previously arrested and disclosed. While jackpotting arrests are rare, there must be a hundred reports of arrests for implanting skimming devices and creating counterfeit ATM cards based on the results.

One rare Jackpotting arrest was in January 2016 when a Romanian ATM attack gang was arrested for attacks in Germany, France, Norway, Sweden, Poland, and Romania.  In that case, the Tyupkin trojan, targeting a particular model of NCR ATMs, was inserted by gaining physical access to the ATM and booting a malicious CD in the ATM computer.  (See www.zdnet.com/article/atm-malware-gang-behind-euro-attacks-targeted-in-police-swoops/ ).

In April 2016, the Italian police arrested 16 Romanians for running a large ATM skimming ring who stole at least €1.2 million. 

In May 2016, the French Gendarmerie of Pau, in cooperation with the Italian State Police and Europol, arrested nine for running an ATM Skimming Ring that stole more than 500,000 Euros.

In March 2017, a group of five Romanians were arrested for skimming in York County, Pennsylvania as well.