INDUSTRY OVERVIEW: FINANCIAL

Transcription

1 ii IBM MSS INDUSTRY OVERVIEW: FINANCIAL RESEARCH AND INTELLIGENCE REPORT RELEASE DATE: NOVEMBER 5, 2014 BY: JOHN KUHN, SENIOR THREAT RESEARCHER

2 iii TABLE OF CONTENTS EXECUTIVE OVERVIEW... 1 MAJOR FINANCIAL DATA BREACHES... 1 METHODS OF FINANCIAL DATA LOSS... 2 METHODS OF ATTACK... 4 HEARTBLEED... 4 MALWARE... 4 POPULAR BANKING TROJANS... 5 WEB APPLICATION ATTACKS... 5 MALICIOUS WEBSITES & SPEAR PHISHING... 6 DEFAULT PASSWORDS... 6 RECOMMENDATIONS/MITIGATION TECHNIQUES... 6 CONTRIBUTORS... 7 REFERENCES... 7 DISCLAIMER... 7

3 1 EXECUTIVE OVERVIEW Why do bank robbers rob banks? Well, That s where the money is. --Willie Sutton. While the origin of this quote is up for debate, the message is not, especially, in today's connected world. Criminals have been targeting financial institutions since the existence of the first bank. It's simply the quickest route to the money. In more recent years though, the risk to reward ratio for physical bank robbery has become much less appealing as security measures have increased considerably. What's a criminal entrepreneur to do? Not enter the bank, of course. Cyber attacks targeting financial institutions are becoming increasingly more effective. Not only is there a larger target area with all the interconnected systems, but criminals can also attack the customers of the bank. ATMs, online banking, payment systems, and retail Pointof-Sale (POS) systems are all points of potential weakness in the long chain of money transfer. Criminals are targeting you, the customer, and your money. Hence, not only do modern banks have to protect their own infrastructure, they have an obligation to monitor and protect the finances and identities of millions of people globally. This report is going to take a close look at financial data breaches, popular banking Trojans, and other methods of attack gleamed from IBM s MSS world-wide event data. MAJOR FINANCIAL DATA BREACHES According to the Privacy Rights Clearinghouse, nearly 460 million financial records have been leaked, lost, or stolen in the United States. While this may seem like an incredibly high number, the majority of it falls on two major data breaches. Court Ventures tops the charts as one of the largest data leaks to date with a reported 200,000,000 records stolen, which contributed greatly to the spike in the fall of 2013 as observed below in Figure 1. Although this is recorded as "unintended disclosure", it also has an element of insider threat. Through a very tangled web of information/data sharing, the criminal was able to gain access to the records through Court Ventures who also had a partnership with US Info Search. The criminal posed as a private investigator out of Singapore and gained access to all the records needed. The intent was to resell this data to the underground market for the purpose of identity theft. Criminals used the information to open new credit lines, loans and in other ways to put cash in their pockets. This data breach emphasizes the need to focus on the "money trail", which is often hard to monitor due to constant acquisitions that are common in the financial industry. Even the most rigorous auditing can often leave gaps in security practices and compliance.

4 2 Figure 1. Timeline of number of financial records lost in the United States since i The second major financial security breach reported in recent years targeted Heartland Payment Systems. Albert Gonzalez is now serving a 20 year sentence for hacking this company where a reported 1.5 million credit card numbers were stolen. He formerly belonged to "Shadowcrew", an international group of hackers with strong ties to Eastern Europe. Areas such as Odessa, Ukraine are a hot bed for fraudulent credit card activity. SQL Injection was used to gain access to the network of payments systems and install a RAT (Remote Administration Tool) to further penetrate and leak the targeted data. This technique is one of the leading causes of data loss for all top industries. It's an incredibly versatile attack and often goes undetected without proper mechanisms in place such as IDS or SQL monitoring software. IBM MSS Threat Research Group has published papers on the subject that help outline how attacks like this are carried out and how to help protect against them. METHODS OF FINANCIAL DATA LOSS Mining the public records for data loss reveals key insights into how exactly financial institutions are leaking customer data. There are many different ways that data is lost or stolen as indicated in Figure 2 below. In the data breach examples above, the methods used varied yet both were extremely successful attacks.

5 3 Figure 2. Breakdown of number of financial records lost and method of loss in the United States since ii As shown in Figure 3 below, the majority of the losses are the result or organizations disclosing information unintentionally. However, many states are still struggling to fight the cyber threat aspect of the attacks. Figure 3. Number of records lost by state since 2005 and type of attack. iii

6 4 METHODS OF ATTACK Managed Security Services has a wealth of information from our worldwide sensor network to see how attacks against any organization are being carried out. Let s take a look at the financial industry specifically. Figure 4. The majority of attacks seen against the financial industry via IDS signatures in iv HEARTBLEED Thankfully Heartbleed didn't create enough volume to make our top attacks chart, however it was the most significant attack we witnessed against the financial industry in Banking systems rely on encryption protocols and often use OpenSSL to secure customer data. The stealthy nature of this attack and the abundance of tools to exploit it resulted in a low cost, high return investment to the attacker. Most of the world s vulnerable systems to the attack have been subsequently patched; however it s critical that your entire network is patched. MALWARE Malware, targeted attacks, and advanced adversaries, while not specifically shown in our data, pose an incredible threat to the financial sector. As shown in Figure 3, it is the second largest method of financial records loss in the United States since Custom-made malware designed to target and infiltrate specific organizations are on the

7 5 rise. They are designed to evade all current detection mechanisms and blend in with every day functionality in an organization. This type of malware could be easily brought in by an advanced adversary with the knowledge and funding to complete their objective, penetration into the network. Attackers are not only directly targeting the banking systems - there is an entire economy behind banking Trojans. Much of the malware is bought and sold on the underground markets and have become incredibly simple to use and set up. Below are some of the most common and popular banking Trojans we see targeting customers networks. POPULAR BANKING TROJANS ZEUS: One of the original Trojans specifically targeting online banking. It has gone through many iterations from the original 1.0, expanding its capability in version 2.0. This is a "full service" Trojan and does not only contain the malware itself, but also toolkits that allow for customization and building. These toolkits even include software to control the malware. On top of these "features", Zeus often comes included with tools to host your own malicious website to lure victims into your control. For many years, the source code for Zeus has been leaked and it's become the basis of many more modern variants such as Gameover Zeus. This variant utilizes P2P to diversify its command and control as well as many more new tricks to maintain control of infected machines. CITADEL: Arguably, Citadel uses source code and techniques based on Zeus however, adds even more capability into the mix. It has the ability to use AES encryption not only on its configuration file, but on its Command and Control as well. It also uses a very clever way to hook into web browsers in order to inject instructions specifically designed to mimic your online bank or steal the credentials passed into it. To further the infection, it has a built in keystroke logger as well as an and FTP login credential stealer. It's incredibly versatile and can add on any further modules such as a video capture service that can record video from your screen and send it to the attacker s command and control. Carberp: This Trojan has its roots in more traditional capability. It was designed to remotely steal users sensitive data. One of the more advanced features of this Trojan is its rootkit capability that allows the Trojan to remain deep in the infected machine and evade detection. This malware also comes with a slew of plugins furthering the capability to remove AV and competing infections such as Zeus. With strong encryption capability and bundling with the Blackhole exploit kit, infections of this Trojan rapidly expanded. Its capability allows capturing of banking credentials and ransomware type scams. WEB APPLICATION ATTACKS Web applications are a high target via Command & SQL Injection against public and non-public facing sites. The softest target in any organization will always be their web sites and SQL databases. While much of the banking industry uses rigorous vulnerability scanning and penetration testing, holes can often still remain. Techniques and

8 6 tools appear as rapidly as the vulnerabilities they exploit. MALICIOUS WEBSITES & SPEAR PHISHING Malicious websites are utilized by attackers as a method to gain internal access into critical systems. Malicious websites are a concern for all industries, as they allow attackers to penetrate networks and potentially evade the perimeter defenses of an organization. Sophisticated spear phishing is often utilized to target personnel inside the network, specifically in the area they want to obtain data from. These attacks often utilize malicious PDFs with payloads that contain malware or send the victim to a malicious website. RATS are typically the payload, giving the attacker full control of the victim s system including access to the webcam and microphone. Penetration into connected systems would follow along with burying more malware to remain a persistent foothold within the network. DEFAULT PASSWORDS One alarming statistic from our data is that many organizations are using default passwords on systems such as their MySQL databases. It is imperative for organizations to thoroughly audit all of its connected devices and take the steps to configure them properly. Password rotation is absolutely critical to maintain reliable security at the very basic level. Once attackers penetrate a network, they often have a static list pulled at the time of penetration. Rotating these passwords can help stop further infiltration or at the very least, slow the attacker. RECOMMENDATIONS/MITIGATION TECHNIQUES This is an area where security intelligence is a must. It is critical that organizations understand the adversaries they face every day - from what their capability and motivations are, to where they attack from. Having this knowledge can help financial companies keep one step ahead of criminals and bolster internal and external detection and protection mechanisms. The data breach incidents highlighted in this report are just two of hundreds that have affected the financial industry in the last several years. Lessons learned from these incidents are applicable to the entire industry. First, the insider threat is a legitimate concern facing organization s today. It is important to monitor employee activity in order to identify misuse. Limit unauthorized access by disabling default user names and passwords. Require unique ID and passwords and preferably implement two-factor authentication. Critical systems should be contained in their own segment within an organization s network and closely monitored for suspicious activity. The second data breach and our attack data provide another lesson learned SQL injection is one of the largest concerns facing not only the financial industry, but all industries. Vulnerability scanning and penetration testing are key to mitigating this threat. IBM has a very reliable and robust set of rules within its SIEM environment allowing

9 7 nearly a %100 accuracy rate of SQL injection detection. More SQL injection recommendations can be obtained from our report SQL Injection Input Validation located on the MS Threat Research Papers web site (see references). Heartbleed is an example of a threat where timely deployment of routine validated security patches goes a long way to limiting the pervasiveness of particular threats. Malware including Trojans specifically targeting banks also continue to pose a significant threat to the financial industry. Use anti-virus and other host based protections as suitable. Disable unneeded services and ports. Unintended disclosure is the largest method of data loss for the financial industry in the United States. It is important for organizations to update cyber incident response policies and facility crisis management plans to incorporate cyber security scenarios. Providing training on these policies is also a critical step towards educating employees on how to prevent the disclosure of financial data. CONTRIBUTORS Michelle Alvarez - Researcher/Editor, Threat Research Group Nick Bradley Practice Lead, Threat Research Group REFERENCES DISCLAIMER This document is intended to inform clients of IBM Security Services of a threat or discovery by IBM Managed Security Services and measures undertaken or suggested by IBM Security Service Teams to remediate the threat. The data contained herein describing tactics, techniques and procedures is classified Confidential for the benefit of IBM MSS clients only. This information is provided AS IS, and without warranty of any kind. i Chronology of Data Breaches Security Breaches 2005-Present, Privacy Rights Clearinghouse. ii Chronology of Data Breaches Security Breaches 2005-Present, Privacy Rights Clearinghouse. iii Chronology of Data Breaches Security Breaches 2005-Present, Privacy Rights Clearinghouse. iv 2014 IDS Data, IBM Managed Security Services.