Bears Inc & TreasureHunt

As the United States switches from swipe to chip-based card technology, point-of-sale (POS) [1] malware authors are doing their best to make bank before it's too late. The number of new POS malware variants has risen year on year, and reports have singled out one called TreasureHunt [2] that appears to be a bespoke build for a card-data-selling group known as Bears Inc [3]. TreasureHunt works like most other POS malware: it scans the memory of the processes running on a payment terminal and copies card track data while it still sits unencrypted in RAM, before the terminal encrypts it for transmission. The harvested card data is then uploaded to a command-and-control (C&C) server and held until it can be sold. TreasureHunt is estimated to have existed since at least 2014, based on the dates of samples submitted to VirusTotal and the registration date of the malware's C&C domain. The scarcity of information on TreasureHunt suggests that it has not been widely deployed. Technical analysis available here [4].

GAO report on the IRS breaches

A total of 720,000 online taxpayer accounts have been accessed by third parties since June 2015, according to a recent Government Accountability Office (GAO) report. The accounts were compromised using taxpayers' social security numbers, dates of birth and street addresses, acquired through various means. By supplying this information to the online IRS [5] 'Get Transcript' service and answering some additional knowledge-based questions, thieves could obtain full tax transcripts and use them to file for fraudulent refunds. The weakness is structural: every factor the service checked was static personal data that already circulates in breach dumps and data-broker files. The GAO report identifies 'persistent information security weaknesses' that leave the IRS and other federal agencies 'at risk of disruption, fraud, or inappropriate disclosure of sensitive information'. Full report available here [6].

OpCanary [7]

Anonymous has renewed the #OpCanary campaign, targeting large corporations that the group accuses of prioritising profits over legal and moral concerns. The latest round has resulted in the defacement of websites belonging to the Canadian mining company BCGold Corporation and Kenya Petroleum Refineries Limited, with Rick Astley's 'Never Gonna Give You Up' taking centre stage. Of course, it's all fun and games until someone gets 'rolled...

Apple Vs. FBI (Update)

Despite having claimed it was technologically impossible without Apple's help, the FBI has managed to access the data on the iPhone that belonged to one of the San Bernardino shooters [8], bringing a premature end to one of the most pivotal privacy-versus-security cases of recent years. The legal proceedings have been dropped and the FBI has achieved everything it set out to do, but for Apple the real battle is only just beginning. Apple must now accept that the FBI possesses a method for bypassing the passcode protections of its most secure iOS configuration. The technique may be limited to the specific iPhone model and iOS version Farook's phone was running, or it may apply more widely; either way, it has the capacity to affect the privacy of thousands of Apple users across the globe. American security services have long sought access to data on Apple devices, which are among the best-encrypted consumer devices in the world. Now that they have such access, they are highly unlikely to give it up easily, even if Apple launches the legal proceedings many expect. Whilst some cynics believe the NSA has long been able to bypass Apple's encryption, this case has shown beyond doubt that even iOS is not immune to vulnerabilities. With the FBI unlikely to disclose the flaw any time soon, it is a worrying time to be an Apple user, and an even more worrying time to be an Apple shareholder.

Social Sites hit by Malvertising [9]

The trend of combining domain shadowing [10] (abusing hijacked registrant accounts to create throwaway subdomains under reputable domains) with browser fingerprinting [11] to run sophisticated, hard-to-detect malvertising campaigns continued this week. The social sites likes.com [12] and livejournal.com [13] have been serving malicious adverts that redirect visitors to the notorious Angler exploit kit [14]. Both sites draw well over 100 million visits per month, which makes the campaign highly dangerous and something internet users should be aware of. Malvertising campaigns have grown noticeably more sophisticated over the last three months. Fingerprinting lets the criminals profile each visitor's browser and plugins before deciding whether to serve the exploit, so it reaches only the users most likely to be infected: typically those running outdated software or no up-to-date anti-virus. This raises the infection rate and, because researchers' analysis systems are screened out, lowers the chance that the campaign will be identified.

The Silobreaker Team
[1] https://my.silobreaker.com/view360old.aspx?item=11_528960526
[2] https://my.silobreaker.com/view360old.aspx?item=11_987753415
[3] http://www.silobreaker.comapplewebdata://8B6FDECE-E929-4DBA-A641-AE625016DE06/
[4] https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html
[5] https://my.silobreaker.com/view360old.aspx?item=11_322428
[6] http://www.gao.gov/assets/680/676097.pdf
[7] https://my.silobreaker.com/view360old.aspx?item=11_738735239
[8] https://my.silobreaker.com/view360old.aspx?item=11_936015117
[9] https://my.silobreaker.com/view360old.aspx?item=11_59737649
[10] https://my.silobreaker.com/view360old.aspx?item=11_833444122
[11] https://my.silobreaker.com/view360old.aspx?item=11_974550382
[12] http://likes.com/
[13] http://livejournal.com/
[14] https://my.silobreaker.com/view360old.aspx?item=11_657356627