Botnets and the Army of Darkness

Mitigating Information Security Risks
Financial CyberSecurity Threats
by
Craig Schiller, CISSP-ISSMP, ISSAP
EVP-IT Services & CIO
Security Compliance Associates
Agenda
Today's presentation brought to you by:
©2021, Craig Schiller &
Security Compliance Associates
2
About SCA
Security Compliance Associates
• Since 2005, SCA has been a credit-union-industry-leading provider of information security assessment and compliance services
• Focuses on a hands-on partnership approach, using continuous improvement in the assessment and reporting processes
• Specializes in thorough, comprehensive assessments using industry best tools and methodologies, including SANS Top 20, NIST, ISO, and PCI-DSS
• Serves over 13% of the Top 200 Credit Unions
• In addition to standard internal/external assessments, tracks regulator focus on online banking, mobile banking, and risk analysis
Business Banking Threat
Pitfalls of Business Banking
The threat
Two of the most successful criminal operations (and their respective malware) are known as Clampi and Zeus. The operations have been in place for over a year, and have proven to be successful, difficult to stop, and damaging.
A public school district in Pennsylvania lost $700,000 in a two-day attack. A county government in Kentucky lost $415,000. Last Christmas a New York school district lost $3M, of which $0.5M remained unrecovered as of 6 January.
The threat
Rules have changed
Persons who conduct institutional/commercial online banking operations are being specifically targeted by the criminals.
Standard desktop antivirus is not an effective defense, because the attackers constantly morph the attacks to evade antivirus signatures.
Network defenses that rely on signatures, such as firewalls and IDS/IPS, are similarly ineffective.
Some attacks have successfully defeated two-factor authentication: a real-time trojan bypassed a SecurID system to steal $447,000, using 27 different transactions to siphon off the funds.
Two-factor remains an effective defense against many other attacks.
SpyEye/Zeus or Z-Bot
The Zeus Trojan uses key-logging techniques to steal sensitive data
such as user names, passwords, account numbers and credit card
numbers. It injects fake HTML forms into online banking login
pages to steal user data. SpyEye now modifies online bank
statements so the victim doesn’t know that money is being
siphoned from their accounts. SpyEye/Zeus added investment
firms and retail stores that offer credit cards to its list of targets. A
new Zeus derivative has added a Man-in-the-Mobile attack.
Operation Aching Mules
Operation Aching Mules
• Mules were recruited from Russian and Eastern European citizens
• They were given fake passport credentials
• The passport credentials were used to establish bank accounts for the ACH transfers
Operation Aching Mules
NYPD detectives entered a Bronx bank in February to investigate a suspicious $44,000 withdrawal. The international investigation began in Omaha in May 2010, when fraudulent ACH payments were made to 46 bank accounts.
The cyber-attacks began in Eastern Europe, sending apparently benign email to computers at small businesses and municipalities in the US. Clicking on a link downloaded Zeus.
The malware recorded the victims' keystrokes as they logged into their bank accounts online.
Hackers made unauthorized transfers of thousands of dollars at a time to receiving accounts controlled by the co-conspirators.
Once the victim/employee begins executing an online banking transaction on behalf of his or her employer, ZeuS invisibly also executes a fraudulent wire transfer, usually for $10,000 or less.
Operation Aching Mules
Money Mules
Receiving accounts were set up by a "money mule
organization" responsible for retrieving the proceeds of the
malware attacks and transporting or transferring the stolen
money overseas.
The money mule organization recruited individuals who had
entered the United States on student visas, provided them
with fake foreign passports, and instructed them to open
false-name accounts at U.S. banks.
Once these false-name accounts were successfully opened
and received the stolen funds from the accounts
compromised by the malware attacks, the "mules" were
instructed to transfer the proceeds to other accounts, most of
which were overseas, or to withdraw the proceeds and
transport them overseas as smuggled bulk cash.
Operation Aching Mules
U.S. authorities charged 92 Russians and Eastern Europeans who allegedly opened U.S. bank accounts expressly to receive cash transferred from hacked online banking accounts.
The defendants charged in Manhattan federal court include managers of and recruiters for the money mule organization, and an individual who obtained the false foreign passports.
19 Eastern Europeans were arrested in the UK.
The Ukrainian SBU arrested 5 key subjects of the investigation.
$70M stolen over the last four years.
DDoS used to prevent recall
In one case, the subjects used a Distributed Denial of Service (DDoS)
attack against a compromised ACH third-party provider to prevent the
provider and the bank from recalling the fraudulent ACH transfers
before money mules could cash them out. These ACH transfers ranged
from thousands to millions of dollars.
Exploitation of online banking credentials
The FBI has seen a significant increase in fraud involving the exploitation of valid online
banking credentials belonging to small and medium-sized businesses.
In a typical scenario, the attack vector is a "spear phishing" e-mail which contains
either an infected file or a link to an infectious Web site. The e-mail recipient
is generally a person within a company who can initiate funds transfers on behalf
of the business, or a credential account holder (treasury management platforms typically
support both wires and Automated Clearing House (ACH) transfers).
Once the user opens the attachment, or navigates to the Web site, malware
is installed on the user's computer. The malware contains a key logger, which harvests
the user’s corporate online banking credentials. Shortly thereafter, the subject
either creates another user account from the stolen credentials or directly initiates
a funds transfer masquerading as a legitimate user. These transfers have
occurred through both the wire system and the ACH Network.
Trojan attachment
Spearphishing with Download
Spearphishing email
Keystroke logger video
Banking Trojan Captures User's Screen in Video Clip
Man in the Browser Attack - Torpig
Torpig/Mebroot/Sinowal (also known as Anserin) is a financial bot and boot sector virus: re-imaged machines are re-infected as soon as the machine is rebooted. It uses a Man-in-the-Browser attack.
Ramnit
Morphed into financial malware in 2011. Ramnit can infect Windows executable files, HTML files, Office files and possibly other file types.
The malware includes a Man-in-the-Browser (MitB) web injection module, which enables Ramnit to modify web pages (client-side), modify transaction content and insert additional transactions, all in a completely covert manner invisible to both the user and the host application. Suspected to have incorporated code from Zeus.
Many new malware families are based on the public-domain Zeus code (e.g. Citadel, Ice IX, Neloweg).
Clampi/Ligats/Ilomo/Rscan
A trojan designed to steal credentials from infected systems.
• This malware was used in the Slack Auto Parts $75,000 loss.
• Uses psexec (from SysInternals) to spread across intranets.
• Steals credentials for online banking sites as well as credentials stored locally.
• To bypass firewalls, Clampi injects itself into IE for Command & Control traffic.
• Like Zeus/SpyEye, tunnels back through the member's computer to log into the victim's account.
• "They are targeting 4,600 institutions where users may enter data that might be useful in stealing money, such as utilities, retail, online casinos, banking, insurance, accounting services, credit bureaus," Joe Stewart
Classes of sites targeted by Clampi
Advertising networks
Utilities
Email marketing
Stock brokerages
Market research databases
Online casinos
Retail
Career sites
Insurance
Banking
Credit card companies
Accounting Services
Wire transfer services
Mortgage lenders
Consumer databases
Webmail
Foreign Postal Services (Non-US)
Software
Military/Gov information portals
Recommendation engines
ISPs
Various News blogs
File upload sites
Feodo
Security researchers from FireEye identified this banking trojan, which is capable of launching man-in-the-browser (MITB) attacks and targets an unusually high number of financial institutions. In addition, Feodo targets PayPal, Amazon, MySpace and Gmail.
The malware is similar in concept and features to other banking trojans such as ZeuS, SpyEye, Bugat and Carberp. It steals online banking credentials and other sensitive information by intercepting data entered into Web forms, as well as by injecting rogue HTML elements into pages.
Cridex, Carberp/Dapato
Cridex has a database of 137 banks. The banking plug-in control panel contains the structure of the banks' web pages, so the Trojan can identify which valuable fields to send back to the command and control server.
The cyber criminals can create and change the forms that the victim normally completes. The attacks started with several large spam campaigns by cyber criminals who had previously compromised hundreds of WordPress-based websites. The spam emails included embedded URL links or HTML attachments that trick the victim into browsing those compromised websites. All these links eventually lead to web pages infected with the Phoenix exploit kit. This Trojan's capability is basically similar to Zeus and SpyEye: it collects information from the user's machine and sends it to the C&C server. The Cridex Trojan takes control of the victim's machine, allowing the attackers to collect information and potentially make fraudulent transactions by manipulating the bank Web pages.
M86 Security Labs
Shylock malware platform
In February 2012 the Shylock malware platform introduced a fake financial institution chat. By combining MitB techniques with HTML and JavaScript, criminals are now able to bring live chat right into your browser. The injected chat reads:
The system couldn't identify your PC
You will be contacted by a representative of bank to confirm your personality.
Please pass the process of additional verification otherwise your account will be locked.
Sorry for any inconvenience, we are carrying about security of our clients.
Ice IX
Malware developed using the Zeus source code. Captures sensitive information on telephone accounts belonging to victims who are customers of BT, TalkTalk and Sky. US banking customers have also been targeted by the scam.
The criminal organization can redirect the calls your financial institution makes to verify suspicious transactions straight into the waiting handsets of professional criminal caller services.
Financial Malware Attack Vectors
OWASP Financial Malware List
Advanced Persistent Threat
APT is not malware; it is an attack paradigm. APT events are usually named for the campaign (e.g. Aurora, Titan Rain, RSA), not for the malware family they belong to. APT attacks have been around since before 2000.
They most closely resemble a black-ops scenario. They can use old and new technology as needed to accomplish the desired objective.
Stuxnet
Flame
Stuxnet overview
“the dangerously misleading expectation of complacent asset owners that something like Stuxnet can’t happen to them if they are not high-value military targets.” (Ralph Langner)
Stuxnet partial flow diagram
Stuxnet detail 1
Stuxnet detail 2
Stuxnet detail 3
Stuxnet detail 4
Stuxnet detail 5
Characteristics of the worm
Worm Propagation
Exploitation techniques
Control System Exploitation
On any system with Siemens Step 7 software, Stuxnet modifies DLLs so that users on programming stations can’t see what Stuxnet has modified on Programmable Logic Controllers (PLCs).
Once Stuxnet confirms it can connect to an appropriately configured PLC, it starts one of three sequences to inject payload code into the PLC.
Two of the sequences sabotage the speed of the centrifuges driven by the PLC.
The third sequence prevents the PLC safety logic from alarming on or overriding the changes made by Stuxnet.
Command and Control
In case something goes wrong or the instructions need to be changed, normal communications would use HTTP to reach one of two Command and Control servers. The firewalls in the recommended architecture would, however, block any direct communications from the Process Control and Control Systems networks.
All infected systems therefore communicate with each other using a P2P protocol carried over Windows Remote Procedure Calls. RPC is used by Windows file sharing, Windows print spooling, OPC, and some Siemens proprietary data exchange protocols.
Flame
Likely that Flame was created by the same organization that created Stuxnet.
Summary of Kaspersky’s Analysis of Flame’s C&C
Largest and most complex attack toolkit to date, used primarily for
cyber-espionage
The Flame C&C infrastructure, which had been operating for years, went
offline immediately after Kaspersky Lab disclosed the discovery of the
malware’s existence last week.
Currently there are more than 80 known domains used by Flame for C&C
servers and its related domains, which have been registered between
2008 and 2012.
During the past 4 years, servers hosting the Flame C&C infrastructure
moved between multiple locations, including Hong Kong, Turkey,
Germany, Poland, Malaysia, Latvia, the United Kingdom and Switzerland.
The Flame C&C domains were registered with an impressive list of fake
identities and with a variety of registrars, going back as far as 2008.
According to Kaspersky Lab’s sinkhole, infected users were registered in
multiple regions including the Middle East, Europe, North America and
Asia-Pacific.
The Flame attackers seem to have a high interest in PDF, Office and
AutoCad drawings.
The data uploaded to the Flame C&C is encrypted using relatively simple
algorithms. Stolen documents are compressed using open source Zlib
and modified PPDM compression.
Windows 7 64 bit, which we previously recommended as a good solution
against infections with other malware, seems to be effective against
Flame.
Information gathered by Flame
Data gathered according to Symantec
Information gathered by Flame
Data gathered according to Symantec
Recommendations
1. Make certain that systems used in performing financial transactions are
protected by strict technical controls and receive periodic validation.
2. Make certain that personnel involved in performing online financial
transactions have the necessary security awareness and training. Those
persons should receive targeted training on phishing and this threat.
3. Have written policies defining the controlled environment in which
online banking transactions can be conducted, e.g. what systems can be
used, how they must be secured and maintained, required personnel
training, etc.
4. Routinely audit compliance with established technical controls and
policies.
5. All online banking operations should be conducted on special-use
computers that are used SOLELY for financial transactions. No other use
of the machine should be permitted - no e-mail, no web browsing, no
general-purpose business use - nothing but institutional online financial
institution transactions.
Educause.edu
Technical Recommendations
-- Systems used for online banking:
• Should have the least amount of software installed as necessary to
facilitate their business functions.
• Should have Javascript and ActiveX disabled or specifically limited to
trusted sites.
• Should be subject to a change management process for any work
that's to be done on the machine. Multiple-party approvals should be
required.
• Should be examined monthly and routinely patched by professional
institutional IT security staff. If the system is not examined or patched
by a specific date of a month, business office folks should not use it
until the IT security staff bring it up to date.
• Physical access to the machine should be tightly controlled.
• The system should have a permanent and obvious distinguishing
mark, e.g. spray paint it orange, to ensure there can be no mistaking
that this is a special purpose machine.
• Any other intentional use of the machine should be a cause for
disciplinary action.
How Do We Detect Botnets?
Bot life cycle (from the flow diagram):
1. Computer is exploited and becomes a bot
2. New bot rallies to let the botherder know it's joined the team (C&C)
3. Retrieve the anti-A/V module (download server)
4. Secure the new bot client
5. Listen to the C&C server/peer for commands
6. Report result to the C&C channel
7. Retrieve the payload module (download server)
8. Execute the commands
9. On command, erase all evidence and abandon the client
Detection opportunities shown alongside the stages:
• Other bot clients
• Security & firewall logs
• User browsing malicious sites
• A/V detection
• Known malware distribution sites
• Known C&C sites
• User complaint
• Bot-like traffic
• Bad behavior
• Abuse@ notices
• Talking to darknet
• Possible traffic to victim
• Anomalous protocol detection
Technical & Policy Controls
• Two-factor authentication should be used for financial institution access where available. While two-factor authentication will not protect against all attacks, it does provide protection against many.
• Application white-listing (e.g. AppLocker on Windows) can offer significant protection.
• Don't make the machine part of a Windows domain. Administer the machine using a local administrator account.
• Place the machine on a separate VLAN, on a secure dedicated hardwired network connection.
• Shut the machine down when not in use.
• Implement very aggressive firewall and possibly proxy protections for the system. All non-banking traffic should be denied.
• Aggressively monitor traffic to and from the system.
From The Irretrievable Losses of Malware-Enabled ACH and Wire Fraud.
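The detection opportunities on the "How Do We Detect Botnets?" slide (known C&C and malware distribution sites, talking to darknet, bot-like traffic, anomalous protocols) and the "deny all non-banking traffic, aggressively monitor" control above can be expressed as one check over firewall or proxy logs. The script below is an added example and is not code from this deck or from SCA. Its log format, the .invalid hostnames, the TEST-NET and 10.250.0.0/16 addresses and the indicator sets are constructed placeholders; in practice the indicator sets would be fed from threat intelligence and abuse reports.

```python
"""Heuristic botnet detection over constructed firewall/proxy log lines.

Added example (not from the SCA deck).  Indicator lists are placeholders.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Placeholder indicator lists (hypothetical; in practice fed from threat intel).
KNOWN_CC_HOSTS = {"cc.example-bad.invalid"}
KNOWN_MALWARE_DIST_HOSTS = {"dl.example-bad.invalid"}
# "Darknet": address space nothing legitimate should ever contact (assumed unallocated).
DARKNET = [ipaddress.ip_network("10.250.0.0/16")]
# Dedicated online-banking machines and the only hosts they are allowed to reach.
DEDICATED_BANKING_MACHINES = {"10.1.1.50"}
BANKING_ALLOWLIST = {"onlinebanking.example-cu.org"}

# Constructed sample log: "<ISO timestamp> src= dst= dport= proto= host=".
LOG_LINES = [
    "2012-06-01T09:00:00 src=10.1.1.5 dst=203.0.113.10 dport=80 proto=http host=intranet.example.org",
    "2012-06-01T09:02:10 src=10.1.1.5 dst=203.0.113.11 dport=443 proto=https host=onlinebanking.example-cu.org",
    "2012-06-01T09:00:00 src=10.1.1.7 dst=198.51.100.20 dport=443 proto=https host=-",
    "2012-06-01T09:05:00 src=10.1.1.7 dst=198.51.100.20 dport=443 proto=https host=-",
    "2012-06-01T09:07:30 src=10.1.1.7 dst=10.250.3.9 dport=445 proto=smb host=-",
    "2012-06-01T09:10:01 src=10.1.1.7 dst=198.51.100.20 dport=443 proto=https host=-",
    "2012-06-01T09:12:45 src=10.1.1.7 dst=198.51.100.21 dport=80 proto=irc host=-",
    "2012-06-01T09:15:00 src=10.1.1.7 dst=198.51.100.20 dport=443 proto=https host=-",
    "2012-06-01T09:20:00 src=10.1.1.9 dst=198.51.100.30 dport=80 proto=http host=dl.example-bad.invalid",
    "2012-06-01T09:21:00 src=10.1.1.9 dst=198.51.100.31 dport=443 proto=https host=cc.example-bad.invalid",
    "2012-06-01T09:30:00 src=10.1.1.50 dst=203.0.113.11 dport=443 proto=https host=onlinebanking.example-cu.org",
    "2012-06-01T09:31:00 src=10.1.1.50 dst=203.0.113.12 dport=443 proto=https host=mail.example.org",
]


def parse_line(line):
    """Parse one 'ts key=value ...' line into a dict (ts as datetime, dport as int)."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["dport"] = int(rec["dport"])
    return rec


def detect(lines, beacon_min=4, beacon_tolerance=5.0):
    """Return (src, category, detail) findings for the given log lines."""
    findings = []
    conns = defaultdict(list)  # (src, dst) -> timestamps, for beacon analysis
    for rec in map(parse_line, lines):
        src, dst, host = rec["src"], rec["dst"], rec["host"]
        if host in KNOWN_CC_HOSTS:
            findings.append((src, "known C&C site", host))
        if host in KNOWN_MALWARE_DIST_HOSTS:
            findings.append((src, "known malware distribution site", host))
        if any(ipaddress.ip_address(dst) in net for net in DARKNET):
            findings.append((src, "talking to darknet", dst))
        if rec["dport"] == 80 and rec["proto"] != "http":
            findings.append((src, "anomalous protocol on port 80", rec["proto"]))
        if src in DEDICATED_BANKING_MACHINES and host not in BANKING_ALLOWLIST:
            findings.append((src, "non-banking traffic from dedicated machine", host))
        conns[(src, dst)].append(rec["ts"])
    # Bot-like traffic: repeated connections to one peer at a near-constant interval,
    # a behavioural signal that needs no signature.
    for (src, dst), stamps in conns.items():
        if len(stamps) < beacon_min:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) <= beacon_tolerance:
            findings.append((src, "bot-like beaconing",
                             f"{dst} every ~{sum(gaps) / len(gaps):.0f}s"))
    return findings


def suspicious_sources(lines):
    """Map each flagged source address to the sorted categories it tripped."""
    out = defaultdict(set)
    for src, cat, _ in detect(lines):
        out[src].add(cat)
    return {src: sorted(cats) for src, cats in out.items()}


if __name__ == "__main__":
    for src, cats in sorted(suspicious_sources(LOG_LINES).items()):
        print(src, "->", ", ".join(cats))
```

Run as-is, the script flags 10.1.1.7 for darknet contact, IRC on port 80 and five-minute beaconing, 10.1.1.9 for the known bad hosts, and the dedicated banking machine 10.1.1.50 for reaching a mail host; the ordinary workstation 10.1.1.5 is clean. The beacon check is the one worth keeping even when indicator lists are stale, because it works on timing rather than signatures, which is the point the "Rules have changed" slide makes about signature-based defenses.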
User Notification
• Traditional Help Desk response to malware must be changed for financial malware.
• When financial malware is involved, infected users need to be asked if they used the infected computer for e-commerce, electronic banking, or investment activities.
• If yes, then they should be advised to contact their credit union, credit card company, or investment firm.
• They should change their account passwords, change their credit cards, and review their accounts for transactions that they did not make.
• Credit unions should provide financial malware awareness for members and employees.
DNS Changer event
UNITED STATES v. VLADIMIR TSASTSIN, ET AL.
FBI Operation Ghost Click arrested 6 Estonian nationals who were operating the Rove criminal enterprise. The botnet infected 4 million computers, including 500,000 in the US. The botnet included a DNSChanger mechanism that replaced the default DNS server with one under the control of the criminal enterprise.
After the arrests the FBI worked with outside organizations to continue operating replacement DNS servers so that victims' computers would not be affected. The Court ordered ISC to maintain these servers for 120 days. According to the FBI website, “The clean DNS servers will be turned off on July 9, 2012, and computers still impacted by DNSChanger may lose Internet connectivity at that time.”
DNS Changer event
Chances are that some of your customers are among those infected.
How to tell whether you are infected:
Use ipconfig /all on the Windows command line to determine the IP address of your DNS server.
Use the IP address of the DNS server on the following website:
http://www.dns-ok.us/
DNS Changer event
If the dns-ok.us website background is red, then you should have your computer re-imaged, or have your computer reformatted and the operating system reinstalled.
This check and the mitigation steps should be completed before July 9, 2012.
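The check above can be automated for a fleet of machines. The following Python script is an added example, not code from this deck or from SCA: it parses the output of ipconfig /all, collects every configured DNS server (IPv6 resolvers included) and tests each against a list of rogue address ranges, substituting a local range check for the dns-ok.us lookup. The sample ipconfig output and the 203.0.113.0/24 range are constructed placeholders; the real DNSChanger server ranges are not given on this page, so a deployment would fill ROGUE_DNS_RANGES from the published list.

```python
"""Check a Windows host's configured DNS servers against rogue DNS ranges.

Added example (not from the SCA deck).  Parses "ipconfig /all" text; the
sample output and the rogue range below are constructed placeholders.
"""
import ipaddress

# Placeholder for the published rogue DNS ranges (TEST-NET-3 used as a stand-in).
ROGUE_DNS_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample of "ipconfig /all" output with one adapter.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : BANKING-PC

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   IPv4 Address. . . . . . . . . . . : 192.168.1.20(Preferred)
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       192.168.1.1
                                       203.0.113.53
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""


def _as_ip(text):
    """Return an ip_address for an ipconfig value, or None if it is not one."""
    text = text.strip().split("%")[0].split("(")[0]  # drop %scope and (Preferred)
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def dns_servers(ipconfig_text):
    """Collect every DNS server listed in ipconfig /all output, in order, deduplicated."""
    servers, collecting = [], False
    for line in ipconfig_text.splitlines():
        if "DNS Servers" in line and ":" in line:
            # First colon separates the dotted label from the first address.
            ip = _as_ip(line.split(":", 1)[1])
            collecting = True
        elif collecting:
            # Continuation lines hold a bare address; anything else ends the list.
            ip = _as_ip(line)
            collecting = ip is not None
        else:
            continue
        if ip is not None and str(ip) not in servers:
            servers.append(str(ip))
    return servers


def rogue_dns_servers(servers, ranges=ROGUE_DNS_RANGES):
    """Return the configured servers that fall inside a rogue range."""
    return [s for s in servers
            if any(ipaddress.ip_address(s) in net for net in ranges)]


if __name__ == "__main__":
    found = dns_servers(SAMPLE_IPCONFIG)
    bad = rogue_dns_servers(found)
    print("DNS servers:", found)
    print("INFECTED, re-image this machine:" if bad else "OK", bad)
```

On a Windows host, capture the output with ipconfig /all > ipconfig.txt and pass the file contents to dns_servers(). A non-empty result from rogue_dns_servers() is the "red background" condition on the slide, and the remediation is the one the slide gives: re-image the machine.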
Q&A
Questions?
Craig Schiller, CISSP-ISSMP, ISSAP
Craig.Schiller@SCASecurity.com
EVP-IT Services & CIO
Security Compliance Associates
727.571.1141
www.scasecurity.com