Anna Colins

Incident response survival guide

All organizations are impacted by a security breach at some point. As the joke goes in the security industry, businesses fall into two categories: those that have been breached and those that don’t know they have been breached. Some organizations don’t know they have had a security incident until the FBI informs them.

A breach can have financial and regulatory impact, and it can harm an organization’s brand and reputation. To minimize the damage, organizations need to be prepared for this eventuality. Here are some steps that will allow organizations to minimize the damage when a security breach occurs.

1. Acknowledge a breach is going to happen

Many people in security leadership roles communicate that they can prevent security breaches from happening. Imagine a general counsel communicating to the executive team that lawsuits can be prevented from happening. This would be a career-limiting move. The important thing is implementing controls so that when security breaches or lawsuits do happen, the damage is minimized.

2. Create an incident response plan

A properly-written incident response plan will be comprehensive and involve senior leadership from across the organization. These roles include:

  • CIO, CSO, CISO
  • Technical specialists with training in Incident Response (IR) and Forensics skills
  • Often, companies may not have sufficient technical resources internally and outside firms may be required
  • Business executive management including the CEO, CFO and COO
  • General Counsel
  • Outside counsel with experience in IR and Forensics matters
  • Media Communications, including perhaps outside Public Relations and media communications firms.

It is important to note that this cross-functional team should be assembled under the auspices of outside counsel. In other words, hire outside counsel first and then have the law firm retain the technical consultants that will do much of the day-to-day IR work. This is done to provide and extend attorney-client privilege as broadly as possible. Without doing so, much of the work that you may want to remain confidential may be subject to discovery and disclosure.

3. Use a commercially accepted incident response framework

The National Institute of Standards and Technology (NIST) publishes Special Publication 800-61, a mature incident response framework organizations can adopt. There are others. While there is no need to reinvent the wheel when a solution already exists, these frameworks will need to be adapted to your organization. Doing so requires management commitment. People should know ahead of time who is doing what, when and how, as well as how they will communicate.

4. Define what an incident is

Organizations need to understand what an incident is and how severe it is. Examples of an incident include:

  • Intellectual property theft of materials such as strategic plans, financial data, customer information, employee data, engineering designs and much more
  • Organizations in regulated industries, such as healthcare, also have to comply with industry specific regulations. In healthcare, for example, compromise of personally identifiable information (PII) or personal healthcare information (PHI) must be handled in specific ways.

5. Engage law enforcement

It’s important to establish relationships with local police departments, the FBI and the U.S. Secret Service. They will pay much more attention if there is an existing relationship. Conversely, an organization risks being a low priority if they aren’t a known entity.

6. Protect communications

Organizations are extremely vulnerable during an incident and it is easy to ignore details. The bad guys often monitor traditional communications such as email, phones, cell phones and even text messages. Protected side channel communications are required. Take simple and effective precautions such as encrypting cell-phone conversations and text messages.

7. Perform table-top exercises

Preparation for significant events allows organizations to continue business operations with minimal disruption and to limit damage to their reputation. Rehearse on a regular basis how the organization would respond to hypothetical scenarios such as loss of customer data, financial data or patient information. Table-top exercise participants should include the same cross-functional team of people described in Section 2, above. People should know ahead of time who is doing what, when and how, as well as how they will communicate.

8. Have a plan for external and internal communications

Perception of an organization will hinge on how they respond to a press inquiry or if information leaks to social media. A timely response should be presented by authorized people. Similarly, have a plan for communicating with employees, and make sure that they know what they are allowed to say and not say to others. If the response is created at the last minute, it will be clear to anyone that hears it. On the other hand, a carefully-prepared message can generate a lot of goodwill.

Being prepared for an incident can be the difference in how an organization is perceived by its employees, business partners and shareholders. By following the recommendations listed above, organizations will be able to control the outcome of the breach instead of the breach controlling their outcome.


Help Net Security

Mozilla wants to kick Chinese certificate authority (CA) WoSign out of its trust program.

As well as being worried about the certs issued by WoSign, Mozilla accuses the company of buying another CA, StartCom, without telling anyone.

In this lengthy analysis posted to Google Docs, Mozilla says its certificate wonks have "... lost confidence in the ability of WoSign/StartCom to faithfully and competently discharge the functions of a CA."

That investigation follows on from a huge number of issues Mozilla outlines here.

Those issues include WoSign's notorious error of issuing a cert for GitHub to a university student.

The Mozilla engineers' report revolves around SHA-1 certificates. SHA-1 has been regarded as insecure for years and is therefore being deprecated by all major browsers.

As part of its deprecation process, Mozilla treats new SHA-1 certs as invalid unless the issuing CA completes an approval process – and the report says both WoSign and StartCom fudged the process by backdating new SHA-1s to make it seem they were issued before the January 1, 2016 ban.

It accuses WoSign of acquiring Israeli StartCom without disclosing the change of ownership, “which we believe violates section 5 of the Mozilla CA Certificate Maintenance Policy”.

Although its media release says StartCom remains independent of WoSign, Mozilla says the former is using the latter's infrastructure to issue certs.

As an example of the backdating, Mozilla's investigation documents certificates issued to Australian payments processor Tyro. It nominates a StartCom SHA-1 certificate logged into Google's Certificate Transparency project in June this year, but which Mozilla believes was backdated by StartCom.

The Register has tried to contact Tyro about this certificate.

There's also a smackdown for WoSign's auditors, the Hong Kong office of Ernst & Young, which it says “failed to detect multiple issues they should have detected”.

Mozilla says it wants to “distrust only newly-issued certificates to try and reduce the impact on web users, as both of these CA brands have substantial outstanding certificate corpuses”.

Mozilla is seeking public comment on the issue, in particular to help decide when to implement its proposed ban, and whether WoSign or StartCom need to create new roots before they re-apply to be trusted again.

Interestingly, WoSign issued a media release in China (you'll need Google Translate for this link) at the beginning of last week, announcing it completed its equity investment in StartCom on September 19. ®



The Register - Security

Android malware is becoming more resilient courtesy of newly adopted techniques that also allow malicious programs to avoid detection, Symantec reveals.

The mobile ecosystem is constantly expanding and becoming more feature-rich, and so is the mobile threat landscape. Most recently, a large number of malware families targeting the Android operating system were observed incorporating new techniques that allow them to both evade detection and maintain their presence on infected devices even after being discovered.

One of these techniques is packing, which Android malware has been leveraging more frequently in recent months, Symantec’s security researchers explain. According to the security firm, the proportion of packed Android malware increased from 10% to 25% in the nine months between December 2015 and August 2016.

Another trending technique among Android malware authors is the use of MultiDex malicious applications, which are programs that use two Dalvik Executable (DEX) files to deliver the final payload. Android apps usually contain executable code within DEX files, but typical Android programs have a single DEX file. Detection focuses on a single DEX file as well, and splitting the payload between two DEX files allows malware authors to evade detection in one simple move.

According to Symantec, malware authors are also creating Instant Run-based malware, or malicious programs that leverage the Instant Run feature released with Android Studio 2.0. The feature was designed to help developers quickly deploy updates to a debug application by pushing those updates in the form of .zip files.

To leverage this technique, malware authors are packing the malware payload portion of their app in code fragments that are hidden in the .zip file. The good news is that this technique can be used only on Android Lollipop and later SDK levels, and that it applies only to debug-version apps installed via sideloading. Applications distributed via Google Play are safe from it.

Recently, Android malware families also began using “strange” values in the application manifest file (AndroidManifest.xml) and in the compiled resources file (resources.arsc), yet another attempt to hide the malicious code from scanners. The use of inaccurate size values and magic values in headers can fool detection tools. Malware authors might also insert junk data into the string pool and at the end of files, or mismatch XML namespaces to hinder detection.

Symantec’s researchers also explain that, while malware that gains root privileges on the infected device is typically difficult to remove, a newly employed technique is being used to further lock the malware installation. The method leverages Android’s Linux roots in the process, in particular the chattr Linux command, which makes files immutable.

Basically, when the command is used on a file, it prevents the file from being deleted, even with root privileges. Now, malware authors have included the chattr utility, encrypted, into their malicious application, and are leveraging it “to copy and lock the payload APK into the system folder, further confusing attempts at removal,” Symantec explains.

To stay protected from these types of threats, users are advised to keep their apps and operating system updated at all times and to install programs only from trusted sources, such as Google Play. Moreover, users should install a mobile security application and should back up important data frequently, to ensure they don’t lose valuable information in the event of malware compromise.

Related: Xiny Android Trojans Can Infect System Processes

Related: Android Botnet Uses Twitter for Receiving Commands


Ionut Arghire is an international correspondent for SecurityWeek.



SecurityWeek RSS Feed

MetInfo 3.0 SQL Injection
Posted Sep 19, 2016
Authored by indoushka

MetInfo version 3.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
MD5 | 0c809902fc3e7ed21cd43e9abf5e5a58
========================================================================
| # Title : MetInfo 3.0 Sql injection vulnerability
| # Author : indoushka
| # email : https://www.facebook.com/Indoushka.official/
| # Tested on : windows 8.1 Français V.(Pro)
| # Version : 3.0
| # Vendor : http://www.metinfo.cn
========================================================================

Drok : Powered by MetInfo 3.0

Sql injection :

http://www.qihangchain.com/about/show.php?lang=en&id=45 (inject her)

Greetz :----------------------------------------------------------------
|
jericho * Larry W. Cashdollar * moncet-1 * achraf.tn |
|
========================================================================


Exploit Files ≈ Packet Storm

USN-3084-3: Linux kernel (Raspberry Pi 2) vulnerabilities | Ubuntu



Ubuntu Security Notices

Twitter, Dropbox, Uber and several other major tech companies have joined forces and launched the Vendor Security Alliance (VSA), a coalition whose goal is to improve Internet security.

The VSA aims to help organizations streamline their evaluation processes for vendors through a standard questionnaire designed to assess security and compliance practices.

Companies will be provided a yearly questionnaire that will help them determine if a vendor has all the appropriate security controls in place.

The first questionnaire, created by security experts and compliance officers, will be made available for free on October 1. It will measure vendors’ cybersecurity risk level, including procedures, policies, privacy, data security and vulnerability management.

“Once complete, that questionnaire is evaluated, audited, and scored by an independent third party auditor working alongside the VSA,” explained Ken Baylor, head of compliance at Uber. “Points will be granted for sound practices and taken away for practices that could increase security risks. Vendors can then use that score when seeking to offer their services to any business in the VSA, without the need for further audits.”

“The VSA will also enable companies to save time and money through the use of a standardized cybersecurity evaluation with real-time answers. The current way of evaluating cybersecurity risks and approving vendors can take several months – the new VSA process cuts the process down to minutes,” Baylor added.

The founding companies of the VSA are Uber, Docker, Dropbox, Palantir, Twitter, Square, Atlassian, GoDaddy and AirBnb. Executives from each of these organizations form the VSA’s board of directors.

A vendor security assessment questionnaire (VSAQ) is also available from Google. The search giant announced earlier this year that it had decided to open source its VSAQ framework, which the company has been using to evaluate the security and privacy posture of its third-party vendors.

Related Reading: Businesses Doubtful That Vendors Would Disclose a Breach

Related Reading: The Three W's of Re-evaluating Your Network Security Vendor

Related Reading: Facebook, Partners Unveil Alliance on Cybersecurity



SecurityWeek RSS Feed

The US homeland security chief said Friday authorities have confidence in the integrity of electoral systems despite growing cybersecurity threats.

Department of Homeland Security Secretary Jeh Johnson offered his agency's assistance to state and local election authorities in protecting voting systems.

Johnson's comments come amid reports of cyberattacks on Democratic Party systems and on voter databases in some jurisdictions. Some reports have said Russia may be behind some attacks, although US officials have not confirmed this.

"In recent months, we have seen cyberintrusions involving political institutions and personal communications," Johnson said in a statement. "We have also seen some efforts at cyberintrusions of voter registration data maintained in state election systems. We have confidence in the overall integrity of our electoral systems. It is diverse, subject to local control, and has many checks and balances built in."

Nonetheless, Johnson added that "we must face the reality that cyberintrusions and attacks in this country are increasingly sophisticated, from a range of increasingly capable actors that include nation-states, cyber hacktivists, and criminals. In this environment, we must be vigilant."

The Department of Homeland Security "stands ready to assist state and local election officials in protecting their systems" as it does for private businesses and other organizations, he added.

He noted that DHS does not take over systems or regulate them but can offer "cyber hygiene scans" and other tools to help identify vulnerabilities.

DHS also will publish "best practices" for securing voter registration databases and addressing potential threats to election systems from ransomware.

"In recent weeks, a number of states have reached out to us with questions or for assistance," he said. "We strongly encourage more state and local election officials to do so."

Related: XTunnel Malware Specifically Built for DNC Hack

Related: FBI Probes Democratic Email Hack, but is Russia to Blame?

Related: FBI Investigating Democratic Party Email Hack


© AFP 2016



SecurityWeek RSS Feed

The head of the UK’s new National Cyber Security Centre (NCSC) has detailed plans to move the UK to "active cyber-defence", to better protect government networks and improve the UK’s overall security.

The strategy update by NCSC chief exec Ciaran Martin comes just weeks before the new centre is due to open next month and days after the publication of a damning report by the National Audit Office into the UK government’s current approach to digital security.

Martin called for the "development of lawful and carefully governed offensive cyber capabilities to combat and deter the most aggressive threats".

Active cyber defence means hacking back against attackers to disrupt assaults, in US parlance at least. Martin defined the approach more narrowly as "where the government takes specific action with industry to address large-scale, non-sophisticated attacks".

During his speech at the Billington Cyber Security Summit in Washington DC, NCSC's Martin also floated the idea of sharing government network security tools such as DNS filters with private-sector ISPs, as previously reported.

Security vendors praised the UK government's more pro-active approach to cybersecurity, arguing it’s (if anything) overdue.

“The Government is right to look for innovative ways to disrupt organised cybercrime,” said Paul Taylor, partner and UK Head of cyber security at management consultants KPMG. “It’s crucial that we stay one step ahead of attackers and that takes constant innovation and coordination. No one is immune from cyber-attacks but UK small businesses are especially vulnerable as the reality is that many struggle to deal with an onslaught of ransomware and cyber enabled frauds.”

Taylor also backed the greater sharing of information security intelligence, a key plank in the NCSC’s policy that’s viewed with suspicion by privacy advocates*.

“A new partnership between Government and industry is needed to protect our society, take the offensive against criminals, and work together to disrupt digital crime,” Taylor explained. “At the moment many companies are reluctant to share information on attacks they’ve suffered, we need to build a safe space for Government and industry to share intelligence so that we have the best chance of tackling cybercrime.”

Matt Walker, VP Northern Europe, HEAT Software, noted that stronger defences were needed as government services such as universal credit become available online.

“The protection of citizens’ information from the threat of cyber-attack needs to become a higher priority for central and local government as we continue to move more and more interaction online,” Walker said. “The universal credit system alone will pay out seven per cent of UK GDP – making it a target for online fraud. Equally, the ransomware attack that locked Lincolnshire County Council out of its own systems for days had repercussions for mission-critical services such as health and social care.”

The NCSC will act as a hub for sharing best practices in security between public and private sectors as well as taking a lead role in national cyber incident response. The organisation will report to GCHQ, the signals intelligence agency.

Bootnote

*The US's Cybersecurity Information Sharing Act was bitterly but ultimately unsuccessfully opposed by privacy activists.



The Register - Security

A security researcher this week disclosed a zero-day MySQL vulnerability that could allow attackers to gain complete control of servers, though questions remain about whether or not the flaw had already been addressed by Oracle. 

Dawid Golunski, the researcher who posted the advisory, reported the MySQL vulnerabilities on July 29 to Oracle, as well as to open source database vendors Percona and MariaDB, both of which were vulnerable to the same flaws as they are both MySQL forks. Golunski said both Percona and MariaDB had responded promptly and issued patches by the end of August, but, having heard nothing from Oracle, Golunski decided to go public with the first of the MySQL vulnerabilities he uncovered.

"As over 40 days have passed since reporting the issues and patches were already mentioned publicly," Golunski wrote, "a decision was made to start disclosing vulnerabilities (with limited PoC) to inform users about the risks before the vendor's next CPU update that only happens at the end of October."

The flaws would allow an attacker to abuse MySQL logging functions on improperly configured systems. Golunski's proof of concept attack starts by injecting malicious configuration data into MySQL configuration files with improper permissions. The next step is to create new configuration files, after which attackers would be able to escalate their MySQL privileges.

Oracle declined to comment on Golunski's MySQL vulnerability report. It's possible that Oracle addressed some of the issues in the report prior to Golunski's disclosure. MySQL patches were released on Sept. 6 for MySQL 5.7, 5.6 and 5.5, all of which appear to address some of the flaws Golunski submitted under CVE-2016-6662.

"MySQL seems to have already released versions that include the security fixes [with MySQL 5.6.33]," Percona stated on its blog. None of the experts SearchSecurity spoke with could verify whether the Oracle patches released on Sept. 6 addressed the vulnerability, and Oracle has not released an official patch or security advisory that clarifies the situation.

How serious is it?

The advisory, wrote Golunski, describes a critical vulnerability assigned to CVE-2016-6662, "which can allow attackers to (remotely) inject malicious settings into MySQL configuration files (my.cnf) leading to critical consequences."


MySQL servers using the default configuration in all version branches, including the latest versions, were found to be vulnerable, "and could be exploited by both local and remote attackers. Both the authenticated access to MySQL database (via network connection or web interfaces such as phpMyAdmin) and SQL injection could be used as exploitation vectors."

Experts were split on just how serious the MySQL vulnerability was. "It's serious, but it's not an unauthenticated vulnerability," said Jacob Williams, founder of consulting firm Rendition InfoSec LLC in Augusta, Ga. "Attackers need to have some way to issue queries to the server to make this exploitable. This might happen through shared access to a server or through another vulnerability such as SQL injection. The problem is that very low-privileged users can access unintended -- and known dangerous -- functionality that was not intended. This causes significant problems in shared hosting environments where multiple users are given access to a single MySQL database instance and their permissions are controlled by the database administrator."

However, Dmitry Chastukhin, lead SAP security analyst at ERPscan, suggested that the advisory's title may have overstated the "Remote Root Code Execution" aspect of the flaw. "In reality it is a privilege escalation vulnerability, which allows an attacker to escalate his or her rights -- in some cases -- on a server and gain root user privileges, if she or he can change the my.cnf configuration file. How to do it -- remotely and anonymously -- is a different matter. It requires other security issues in applications and weak configuration permissions on the server."

The attacker only needs to acquire some level of write permission in the filesystem to exploit this type of vulnerability, according to Mordechai Guri, chief science officer at Morphisec. Guri told SearchSecurity, "This is considered to be an easy task on the attacker's part. It's important to note that these semi-logic vulnerabilities won't go away and are proof that new approaches like moving target defense should be developed and deployed in many strata of the computer security stack, including operating systems, SQL language, et cetera."

What to do about it?

Williams had some specific suggestions for enterprises concerned about the MySQL vulnerability, starting with controlling access to the database itself. Since any user with SELECT permissions can access the administrative logging functions exploited in the vulnerability, "the configuration files which are normally owned by the MySQL user should be changed so they are owned by another user, such as root, and not writeable by the MySQL user."

"Finally, MySQL reads additional configuration data from my.cnf files," Williams noted. "One location it may read these from, /var/lib/mysql, must continue to have write permissions enabled for the MySQL server. To prevent attackers from writing a my.cnf file in this location as MySQL users, we are advising administrators to write my.cnf files owned by root in any directory where the MySQL user has write permissions."
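A small audit script for the two checks Williams describes above (option files owned by root and not writable by the MySQL user, and a root-owned my.cnf present in every directory the MySQL user can write to). It is an added example, not code from the article, from Oracle or from MySQL; it assumes a POSIX shell with find(1), and takes the expected owner and the paths as arguments so it can be run against a constructed test tree as well as a real host.

```shell
#!/bin/sh
# Added example: audit MySQL option-file ownership and write permissions.
# Assumptions: POSIX sh and find(1); the expected owner (normally "root")
# and the paths to check are passed in by the caller.

# audit_cnf OWNER FILE
#   Returns 0 when FILE exists, is owned by OWNER and is neither group- nor
#   world-writable; prints one finding and returns 1 otherwise.
audit_cnf() {
    owner=$1
    f=$2
    if [ ! -f "$f" ]; then
        echo "MISSING  $f"
        return 1
    fi
    # -prune stops find from descending; -user matches the file's owner.
    if [ -z "$(find "$f" -prune -user "$owner" -print 2>/dev/null)" ]; then
        echo "OWNER    $f is not owned by $owner"
        return 1
    fi
    # -perm -002 = world-writable bit set, -perm -020 = group-writable bit set.
    if [ -n "$(find "$f" -prune \( -perm -002 -o -perm -020 \) -print 2>/dev/null)" ]; then
        echo "WRITABLE $f is group- or world-writable"
        return 1
    fi
    return 0
}

# audit_writable_dir OWNER DIR
#   For a directory the MySQL user must be able to write to (the datadir, for
#   example), require a placeholder my.cnf owned by OWNER so the MySQL user
#   cannot drop one of its own there. Returns 0 if the placeholder passes.
audit_writable_dir() {
    owner=$1
    d=$2
    if [ ! -d "$d" ]; then
        echo "NODIR    $d"
        return 1
    fi
    audit_cnf "$owner" "$d/my.cnf"
}

# run_audit OWNER DIR...
#   Audits the usual option-file locations plus each DIR given; returns the
#   number of failed checks so callers (and cron) can alert on non-zero.
run_audit() {
    owner=$1
    shift
    failures=0
    for f in /etc/my.cnf /etc/mysql/my.cnf; do
        [ -e "$f" ] || continue            # absent locations are not findings
        audit_cnf "$owner" "$f" || failures=$((failures + 1))
    done
    for d in "$@"; do
        audit_writable_dir "$owner" "$d" || failures=$((failures + 1))
    done
    return "$failures"
}

# Stand-alone use: ./audit_mysql_cnf.sh root /var/lib/mysql
if [ $# -gt 0 ]; then
    run_audit "$@"
fi
```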

"In all but extraordinary cases, MySQL should never be exposed to the open internet," said John Bambenek, manager of threat systems at Fidelis Cybersecurity in Waltham, Mass. "Ideally, a database server would be behind a firewall in a standard three-tier design."

Oracle takes heat for its response

"Sometimes vulnerabilities can be complicated to patch and that could be delaying release," Bambenek said. "However, open communication with the researchers should be routine so that such issues are known. That said, considering other database platforms (PerconaDB and MariaDB) were able to patch, it calls into question whether complexity is really the issue for Oracle here. More importantly, Oracle should have developed some mitigation or something to protect enterprises in the meantime."

"Oracle's response to vulnerabilities involving open source projects must be more vigilant than those involving only closed source," Williams said. "Anyone can fork an open source project and they are likely to be notified as well when vulnerabilities are reported. If the open source project patches first, then Oracle's customers are exposed. I think it's clear that quarterly patching cycles are no longer sufficient in today's vulnerability research climate."

As for the takeaway for enterprises, Williams added, "If you aren't comfortable with quarterly patching, vote with your wallet. There are other database solutions out there and seeing Oracle hold to a quarterly patching schedule when open source forks have already patched is very troubling. Changing database engines is very expensive for an enterprise. If this behavior from Oracle continues, I'd definitely recommend examining your options."

"The fact that two other open source projects patched the same vulnerability before Oracle says a lot about their responsiveness," Williams said. "These are obviously serious vulnerabilities and because they are present in other projects, Oracle doesn't get to control the patch release timeline."

"In my opinion, this case is a good illustration of poor interaction between Oracle PR and tech departments," Chastukhin said. "They could have responded to Golunski's report in due time and publicly announced that the vulnerability was not as dangerous as the researcher stated and the patch was already released. In this turn of events, Oracle could have become the winner of the situation."

"What do we have now? A pile of articles with harsh criticism and frustration of system administrators."

This is not the end of the story, though. Golunski noted that "attackers could use one of the other vulnerabilities discovered by the author of this advisory, which has been assigned a CVE ID of CVE-2016-6663 and is pending disclosure. The undisclosed vulnerability makes it easy for certain attackers to create /var/lib/mysql/my.cnf file with arbitrary contents without the FILE privilege requirement."



SearchSecurity: Security Wire Daily News

Has Dridex been brushing up on its Latvian? Or perhaps its written Estonian skills? Maybe it’s preparing a long overseas stay requiring offshore banking accounts in the Cayman Islands? Recent Dridex configurations analyzed by IBM X-Force reveal that the new wave of Dridex attacks is resilient and more complex than your average malware campaign.

Following several quiet months, a spike in renewed activity suggests the gang operating Dridex is picking up speed with precision and planning.

Unlikely Targets

According to IBM X-Force Research, Dridex configurations from the past two months are replete with a hefty count of targets in some more common countries, such as the U.S., U.K., Canada and Australia. However, the Trojan is targeting some less charted territories as well, such as Lithuania, Latvia, Estonia, Lebanon and Ukraine, to name a few. This is quite uncommon for any banking Trojan.

Per its configuration files, Dridex currently targets over 20 Latvian banks, three banks in Estonia, three in Lithuania and one in Ukraine, among its other uncommon choices of late.

Figure 1. Dridex configuration geo distribution (MD5: f5d2d004ac22b17fd48e28f85c9162bf; Source: IBM Trusteer)

Why would Dridex target just one bank in Ukraine, Lebanon or Liechtenstein? Perhaps the developers are moving money to and from these banks rather than stealing from them. Or maybe they start by testing one bank in a given region before developing more elaborate configurations.


Dridex Branches Out

In most cases, Dridex is after retail banking accounts (48 percent of targets), but next on its list are banking platforms and URLs leading to:

  • ACH payments and payroll services;
  • Background checks and recruitment sites.

There sure seems to be more going on than previously. Much like Shifu, Dridex is adding regular expressions to target digital banking platform providers, which are used by numerous banks. By doing that, Dridex enables itself to steal credentials from users of any bank that deploys that same platform instead of having to include the URL of each. X-Force researchers saw at least 10 different regular expressions of this type in recent Dridex configurations.
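One way a defender can act on this: parse a target list that mixes literal URLs with platform-wide regular expressions and check whether any of the organization's own online-banking or payment endpoints fall inside its scope. The example below is added here and is not IBM X-Force code or a real Dridex configuration; the `literal`/`regex` file format and every hostname in it are constructed for illustration (Dridex stores its targets in its own format). The point it demonstrates is that a single regex entry covers every institution on a shared platform, so a bank whose literal URL never appears can still be in scope.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed, simplified target list in the style of a banking-Trojan
# configuration. NOT Dridex's real format; hostnames are placeholders.
SAMPLE_TARGET_LIST = """
# literal entries match as a prefix of the visited URL
literal https://online.examplebank.test/login
literal https://ebanking.example-lv.test/
# regex entries match any bank that deploys the same platform
regex ^https://[a-z0-9.-]+/(ebank|ib)/(login|auth)
regex ^https://secure\\.[a-z0-9-]+\\.test/ach/
"""


@dataclass
class TargetEntry:
    kind: str                       # "literal" or "regex"
    value: str                      # text as it appears in the list
    pattern: Optional[re.Pattern]   # compiled form for regex entries


def parse_target_list(text):
    """Parse the constructed list into TargetEntry objects, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, _, value = line.partition(" ")
        if kind == "literal":
            entries.append(TargetEntry(kind, value, None))
        elif kind == "regex":
            entries.append(TargetEntry(kind, value, re.compile(value)))
        else:
            raise ValueError(f"unknown entry type: {kind}")
    return entries


def matching_entries(url, entries):
    """Return the target-list entries (as written) that would fire on this URL."""
    hits = []
    for entry in entries:
        if entry.kind == "literal" and url.startswith(entry.value):
            hits.append(entry.value)
        elif entry.kind == "regex" and entry.pattern.search(url):
            hits.append(entry.value)
    return hits


def exposure_report(urls, entries):
    """Map each of our URLs to the entries that cover it (empty list = out of scope)."""
    return {url: matching_entries(url, entries) for url in urls}


if __name__ == "__main__":
    # Constructed inventory of an organization's own endpoints.
    ours = [
        "https://ebanking.example-lv.test/account",   # hit by a literal entry
        "https://ib.somebank.test/ib/login",          # hit only by a platform regex
        "https://secure.payroll-co.test/ach/submit",  # hit by the ACH regex
        "https://www.unrelated.test/",                # out of scope
    ]
    for url, hits in exposure_report(ours, parse_target_list(SAMPLE_TARGET_LIST)).items():
        print(f"{url}: {'TARGETED by ' + ', '.join(hits) if hits else 'not targeted'}")
```

Regex entries are deliberately matched with `search` rather than `match` only after the pattern's own `^` anchor, so an entry the operator left unanchored would still behave as the operator intended; when reviewing a real list, note which entries are anchored, since an unanchored pattern widens the scope further.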

The malware is scouting login credentials to a well-known background check vendor and one of the top recruitment sites in the U.S. It’s not hard to guess what those will be used for: Background checks give fraudsters tons of personal information on high-value targets. Recruitment sites are unknowingly abused by criminals for posting fake jobs, ultimately resulting in money mule recruitment in the target geography where the fraud is to be cashed out.

This is rather telling: Dridex’s operators don’t typically recruit money mules in the U.S. or via recruitment sites. Perhaps they are running low on local accounts to facilitate their nefarious activity in America, especially with GozNym being ever so active in the same country.

Served By Good Old Office Macros

So what’s the infection vector at this time for malware like Dridex, which is not only after consumers, but interested in infecting company employees? Unsurprisingly, the top choice continues to be poisoned Word macros delivered in a document file via email. This infection method was extremely popular among banking Trojan operators in 2015, when, according to Dark Reading, macro malware levels hit a six-year high. This year is likely to end on a similar trend.

Dridex has been leveraging poisoned Word macros since it emerged in 2014. Locky, a ransomware code distributed by the same botnets as Dridex, also leverages this infection method, Ars Technica reported.

SecurityWeek reported that, aside from Word macros, Dridex operators also conducted recent drive-by download campaigns to drop Locky infections using the Neutrino exploit kit and automate infections.
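Because the delivery vehicle is a macro-carrying Office document, a mail gateway or triage script can flag attachments by inspecting the container rather than trusting the file extension (a macro-enabled file renamed from `.docm` to `.doc` still carries its VBA project). The check below is an added example, not code from IBM or from any named product: modern Word, Excel and PowerPoint files are zip packages (OOXML), and a VBA project lives in a part named `vbaProject.bin` that is also declared in `[Content_Types].xml` with the content type `application/vnd.ms-office.vbaProject`. The sample documents are constructed in memory and are minimal stand-ins, not real Word files; legacy binary `.doc` (OLE) files need a different parser and are only reported as such here.

```python
import io
import zipfile

MACRO_PART_SUFFIX = "vbaproject.bin"                      # compared case-insensitively
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
CONTENT_TYPES_PART = "[Content_Types].xml"


def inspect_ooxml(data):
    """Describe whether an OOXML document carries a VBA project.

    Returns a dict with keys: ooxml (bool), has_vba (bool), vba_parts (list),
    declared_in_content_types (bool) and, when not inspectable, a reason.
    """
    if not data.startswith(b"PK"):
        # Legacy .doc/.xls are OLE compound files, not zips: out of scope here.
        return {"ooxml": False, "has_vba": False,
                "reason": "not a zip container (legacy OLE file needs an OLE parser)"}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            vba_parts = [n for n in names if n.lower().endswith(MACRO_PART_SUFFIX)]
            ctypes = ""
            if CONTENT_TYPES_PART in names:
                ctypes = zf.read(CONTENT_TYPES_PART).decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return {"ooxml": False, "has_vba": False, "reason": "corrupt zip container"}
    declared = VBA_CONTENT_TYPE in ctypes
    # Either signal is enough: a stripped content-types file or a renamed part
    # should not let the document through.
    return {"ooxml": True, "has_vba": bool(vba_parts) or declared,
            "vba_parts": vba_parts, "declared_in_content_types": declared}


def build_sample(with_macro):
    """Build a constructed, minimal OOXML-like package (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        ctypes = [
            '<?xml version="1.0" encoding="UTF-8"?>',
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Override PartName="/word/document.xml" ContentType="application/'
            'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
        ]
        if with_macro:
            ctypes.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
        ctypes.append("</Types>")
        zf.writestr(CONTENT_TYPES_PART, "\n".join(ctypes))
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes: a real vbaProject.bin is an OLE stream, here
            # only the OLE magic plus filler, enough to exercise the check.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("macro document", build_sample(True)),
                        ("clean document", build_sample(False)),
                        ("legacy/unknown blob", b"\xd0\xcf\x11\xe0not a zip")]:
        print(label, "->", inspect_ooxml(blob))
```

In production this check sits beside, not instead of, the gateway's other controls: it answers only "does this package contain a VBA project", which is the decision point for quarantining or stripping the attachment, and it says nothing about what the macro does.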

Back From Vacation

Why did Dridex-delivering spam campaigns appear to be rather sluggish during the summer? With banking malware operations of this type, it’s actually common to see a drop during the summer months. An actor on Twitter who calls himself Dridex Bot, purporting to be part of the Evil Corp gang, indicated the group was on vacation:

[Image: tweet from the Dridex Bot account]

While this may be true, a gang like Dridex is more likely to slow down to retool before speeding right back up. According to X-Force researchers, Dridex released four builds in the past 30 days alone, including two code updates to its internal strings and its API obfuscation scheme. The malware’s configurations were modified, new infection campaigns prepared, additional sub-botnet sections created (No. 144, No. 1024) and new geographies targeted.

Furthermore, the Locky operation continues full steam ahead. According to Bleeping Computer, Dridex’s infrastructure is even being used to spread yet another ransomware piece: a new Trojan called Bart.

Busy Year for Dridex

It seems like it has been around forever, doesn’t it? In reality, Dridex in its current form is only 2 years old. Yet it is not so young in cybercrime terms, and the gang operating Dridex is having quite the busy year in 2016, dabbling in just about every kind of financial malice.

This year, Dridex started copying the Dyre Wolf attacks, attacking companies and robbing millions at a time. Dridex also launched its first-ever redirection attacks in early 2016. In June, Dridex was linked with the SWIFT heists. Its Locky operation has been making the headlines far too often as well, mainly for terrorizing health care organizations across the globe with massive ransomware campaigns.

In fact, 69 percent of email attacks with malicious attachments in Q2 2016 contained Locky infections. Data from Shadowserver showed that Dridex infections per day (infected IPs) have also been on the rise, reaching 60 percent spikes in some parts of Europe.

What’s Next?

From information gathered by X-Force Research on Dridex activities across the globe, it is evident Dridex’s botnet operators are a multifaceted group, very likely connected with additional crime factions that use the same resources to commit cybercrime.

Is Dridex going away any time soon? This botnet appears to be more resilient than most. Dridex almost underwent a full takedown in 2015 following the arrest of one of the alleged botnet administrators. Alas, the botnet managed to escape this attempt and continue its operations.

In June, SecurityWeek reported that authorities attempted to disable Dridex by disrupting the Necurs botnet. That, too, was insufficient to halt the operations of Dridex and its branched ransomware arm. Necurs bounced back within a mere two weeks and got right back to the business of disseminating Dridex and Locky variants.

A Formidable Foe

Is this crime group rolling in illicit profits? Considering its resilience, size and all the connected parts of its operation, Dridex is likely the top cybercrime conglomerate of the decade. Researchers estimated that operators of the Dridex and Locky duo are netting between $100,000 and $200,000 per day, not including the millions they must have put away after their alleged part in SWIFT-related attacks.

If Dridex was indeed responsible for the SWIFT attacks, it is operating on the level of a billion-dollar crime ring. This makes Dridex a formidable foe for law enforcement.

Security professionals can deploy antifraud solution suites that evolve to mitigate the risks associated with Dridex. Researchers and analysts can also look up and share threat intelligence on Dridex activity, M.O. and indicators of compromise on the X-Force Exchange.

Recent Dridex MD5 hashes

  • fa6781ced155213d7a7535bbe109cf04
  • f5fe906f801d99fafa8a9e0584a37008
  • 7752eaeac2c3a37bba3564fbab0233fc
  • f8fd038db826a1e1c28d384cdc61a82d



Security Intelligence