Banks | US Cyber Labs

gATO rEaDiNg - 2012 Maindiant “An Evolving Threat” and Trend-Micro LuckyCat ReDux reports. Great reading for any security geek but most important it’s about the business side of the hack. Take the old smash and grab of financial information and split town, process the financial windfall and party like it’s 2999. Now it’s more beneficial for the criminals to stay inside the victims servers and collect intelligence and espionage. Ok let the gAtO break it down for you, not as a criminal that’s easy, as a state actor I would go after AeroSpace, Energy, Shipping, Military Research, Engineering, India and Tibetan Activist… Wait a minute a India, a Tibetan Activist group, oh yeah you know it’s China but this is to be expected from China. Now the new spin is why would they go into a banks and use advanced persistent threats (APTs) hacks, well as gAtO understands it the Chinese have a shit load of MONEY— follow the money is not only an american thing it’s for every player in the world.

We have to look at the data through 3 different set of eye’s (magnifying glass with gAtO’s old EyE’s) but it’s still the same – Your data (ALL- your little company secrets) needs protection.

Here is the Score-Card your Business — versus – Competition, Government, Criminals, Hacktavist, Economic Espionage, Nuisance Hackers. On top of all this 94% of victims were notified by an external entity that they were hacked. If that doesn’t send chills down every board member in every company in the world, nothing does.

Here you are doing your business and let’s be frank some business well they walk a thin line sometimes like dumping medical and radioactive waste on a beach in New Jersey ( I know Snooki lives there) . IS your company maybe polluting the ground water for a 100 mile radius of the plant. This is not the information that they want hackers, or the press to get a hold of. “Remmember Rudolf Murdock News Hacking Empire- hey hack anyone for a buck”

Protect Customer Data yeah companies and governments want to protect it, but their little illegal/legal stuff companies do like hiding the report of the of shore oil well that just blew up and spilled all kinds of stuff all over the Gulf coast. These are the real thing that keep business people up at night worrying about hackers, it’s plain and simple cover your ass and let’s get that no bid government contract after we pay off the senator and we better encrypt that information…..

Hackers come in all flavors but if you look at the LuckyCat crewz these are very unique. Not only real computer scientist but marketing campaign and project management. They dual tier C&C (Command and Control), they use the victims supply chain to move laterally across trusted networks in order to be more invisible. Invisible takes a new trend here these hacker hide their code in plain site, they used older malware as insertion points sometimes and of course social engineering to gain access.

Bottom line these new hackers- they are business-men, -they are governments, -they are commercial criminals, -they are hacktivist or -they are a lone wolf hacker. Companies are finally getting the message. Protect your data, not just your customer’s data, but all your little secrets because if your online– someone is watching you and these can be a 15 year old kid or a Dual Master degree in computer technology that is unemployed or works for a government. Trust but verify takes on a new meaning now -gAtO oUt

lab notes - The report, which is based on hundreds of advanced threat investigations conducted over the past year, includes analysis, statistics and case studies that highlight how advanced and motivated attackers are stealing sensitive intellectual property and financial assets.

Malware Only Tells Half of the Story Organizations’ investments in malware detection and antivirus capabilities, while effective in detecting characteristics associated with common worms, botnets, and drive-by downloads, do little to help defend against targeted intrusions.

The use of these publicly available tools has added some complexity to identifying threat actors because when organizations identify a piece of publicly available malware they often cleanse the file and — in the process — obscure what could be a larger incident.

It’s unclear why banks wouldn’t already be looking for unusual settlement activity and conducting daily monitoring, but there it is. At any rate, “high-risk” merchants generally handle the dicey and vicey types of online commerce, such as Internet gaming, adult Web sites, rogue anti-virus software sales and online pharmacies. Might be a good idea to keep an extra close eye out for these types of unauthorized charges over the next few days

Cyber War’s of (1) One and (0) Zero’s.

In the last week so far, hackers hit the NYSE (New York Stock Exchange), and we find out that hackers hit unmanned drones flying covert and military operations around the world. The U.S has resisted all attempts till now to internationalize treaties on cyberspace. Below are some of the major attacks from September alone. USCyberLabs was one of the sites getting hacked via the InMotion attack by Tiger-M@te. Were am I going with all this, well let start with the cyber attacks in September-2011 I outlined them in red on the timeline below, these are all attacks going after governments.

Who knew that “The Arab Spring”, “LulzSec” and “Occupy Wall Street” all have a unify message. Were sick and tired, you had your chance now it’s ours.

Useful Resources for compiling the table include:

Cyber War News (but it looks like it gave up to post reports on Cyber Attacks on 25 September 2011)
~~CNET Hackers Chart~~ (unfortunately it is not up-to-date since 24 August 2011).
DATALOSSdb
Dark Reading
Naked Security
Office Of Inadequate Security (DataBreaches.net)
The Hacker News

My inclusion criteria do not take into consideration simple defacement attacks (unless they are particularly resounding) or small data leaks.

http://paulsparrows.wordpress.com/2011/10/02/september-2011-cyber-attacks-timeline-part-ii/

Update: On 09/30/2011, Betfair reported a 3.15 million records breach with a total estimated cost of 1.3 billion USD winning the laurel wreath of the most expensive breach of the month.

Date	Author	Description	Organization	Attack
Sep 16		Websites of several Mexican government ministriesAs part of OpIndipendencia, websites of several Mexican government ministries, including Defense and Public Security, are teared down in the same day of the symbolic beginning of Mexico’s independence from Spain.		DDoS
Sep 16	Mikster	Clubmusic.comClubmusic.com, a worldwide dj website. is hacked and the leak dumped on pastebin.		SQLi
Sep 16	Sec Indi Security Team	Official Website of The United States Navy An hacker crew called Sec Indi Security Team Hacker uploads a custom message on the server to warn a WebDav vulnerability.		WebDav Vulnerabilty
Sep 16	?	California State Assembly More than 50 employees of the California State Assemby, including some lawmakers, have been warned that their personal information might have been obtained by a computer hacker.		?
Sep 17	?	Intelligence And National Security Alliance Names and email addresses of hundreds of U.S. intelligence officials have been posted on an anti-secrecy website. On Monday Sep 10 INSA published a major report warning of an urgent need for cyberdefenses. Within a couple of days, in apparent retaliation, INSA’s “secure” computer system was hacked and the entire 3,000-person membership posted on the Cryptome.org website		N/A
Sep 17	?	Fake FBI Anonymous Report A Fake FBI Psychological profile of the Anonymous group is published. Although not a direct cyber attack, this event can be considered an example of psychological hacking and a “sign of the times” of how information and counter information may play a crucial role in hacking.		SQLi?
Sep 18		Texas Police Anonymous/Anti-sec releases a documentcontaining a list of about 3300 members of the Texas Police Association		N/A
Sep 19	?	Mitsubishi Heavy IndustriesMitsubishi Heavy Industries, Japan’s biggest defense contractor, has revealed that it suffered a hacker attack in August that caused some of its networks to be infected by malware. According to the firm, 45 network servers and 38 PCs became infected with malware at ten facilities across Japan. The infected sites included its submarine manufacturing plant in Kobe and the Nagoya Guidance & Propulsion System Works, which makes engine parts for missiles.		APT
Sep 19		City Of Rennes TeaMp0isoN takes responsibly to hack the official website of The City Of Rennes (France) via a tweet. They also publish the reason of hack on the defacement page.		Defacement
Sep 19	?	Hana SK Hana SK Card Co., a South Korean credit card firm, announces that Sep 17, some 200 of its customers’ personal information has been leaked. Total cost of the breach is $42,800.	Hana SK Card	SQLi?
Sep 20	?	Former USSR Region Source report that at least 50 victim organizations ranging from government ministries and agencies, diplomatic missions, research institutions, and commercial entities have been hit in the former Soviet Union region and other countries in an apparent industrial espionage campaign that has been going on at least since August 2010.The advanced persistent threat (APT)-type attacks — dubbed “Lurid” after the Trojan malware family being used in it — has infected some 1,465 computers in 61 countries with more than 300 targeted attacks.		APT
Sep 20	Shad0w	Fox Sports Website Fox Sports website, on of the most visited Websites in the world (rank 590 in Alexa) gets hacked. An Hacker named “Shad0w” releases SQL injection Vulnerability on one of the sub domain of Fox Sports and exploit it to extract the database. Leaked database info posted on pastebin.Vulnerable link is also posted together admin password hashes.		SQLi?
Sep 22		Core Security Technologies Another security Firm target of hacking: Core Security Technologies is hacked by an hacker called Snc0pe, who defaces some websites belonging to the firm. Mirror of the hack can be seen here.		N/A
Sep 24	?	UKChatterboxPopular IRC service UKChatterbox advises users to change their passwords following a series of hacks which culminated in an attack that may have compromised user details. The password reset follows on from a succession of outages previouslyattributed to maintenance upgrades, back to the start of the summer. In a notice to users, UKChatterbox advises users to change their passwords and not to re-use them on other sites. The number of hacked account is unknown.		N/A
Sep 25		Seven Major Syrian Cities and Government Web Sites The Anonymous unleash a chain of defacement actions against the Syrian Government, hacking and defacing the official sites of seven major Syrian cities, which stayed up in their defaced version for more than 16 hours. The defacement actions kept on the following day in which 11 Syrian Government Sites were defaced as part of the same operation.		Defacement
Sep 25	?	Indira Gandhi International AirportAlthough happened three months ago, it turns out that a ‘technical snag’ hittinh operations at the Indira Gandhi International Airport (IGIA) T3 Terminal was caused by a “malicious code” sent from a remote location to breach the security at the airport.		APT
Sep 26		Inmotion Hosting Server 700,000 websites hosted on InMotion Hosting network are hacked by TiGER-M@TE. The hackers copied over the index.php in many directories (public_html, wp-admin), deleted images directory and added index.php files where not needed. List of all hacked 700,000 sites here.		Defacement
Sep 26		Austrian Police The Austrian Anonymous branch publishes the names and addresses of nearly 25,000 police officials, raising fears for officers’ personal security. An Austrian Interior ministry spokesman said the information came from an “association closely related with the police”. Estimated cost of the breach is around $ 5,400,000.		SQLi?
Sep 26		USA Today Twitter AccountThe USA Today Twitter account is hacked and starts to tweet false messages mentioning the other accounts hacked by the authors of the action: the Script Kiddies (already in the spotlight for hacking the FoxNews Twitter Account at the Eve of 9/11 anniversary)		Account Hacking
Sep 26	?	MySQL.comMySQL.com website is struck by cybercriminals, who hacked their way in to serve up malicious code to visiting computers with a Java exploit that downloaded and executed malicious code on visiting Windows computers. Brian Krebs reportsthat just few days before, he noticed on a Russian underground website that a hacker was offering to sell admin rights to MySQL.com for $3000. MySQL.com receives almost 12 million visitors a month (nearly 400,000 a day).		Java Exploit to install malware
Sep 26		Harvard University In retaliation for the defacements performed by the Anonymous targeting Syria, Syrian Electronic Soldiers deface the website of the prestigious Harvard University. The same group came in the spotlight during July and August for defacing Anonoplus engaging a “de facto” cyberwar against The Anonymous.		Defacement
Sep 26	?	#Occupywallstreet The month of September is characterized by theOccupyWallStreet Operation, started on September, the 17th and still ongoing. Although not directly configurable as an hacking action, it may rely on the support of the Anonymous who “doxed” a senior police who controversially usec pepper spray against a group of female protesters.		N/A
Sep 27		COGEL, Council On Governmental Ethical Law Once again in this month,Snc0pe claims another resounding action. This time the alleged target is the official website of The Council on Governmental Ethics Laws (COGEL). He posts a message onpastebin, along with the database download link.		SQLi?
Sep 28		Tiroler Gebietskrankenkasse (TGKK) AnonAustria in the spotlight again after the resounding hack against Austrian Police. This time the victim is an health insurance firm Tiroler Gebietskrankenkasse (TGKK) whose database of some 600,475 medical records AnonAustria claims to have hacked. The databse includes some celebrities. The total cost of the breach is around $128,500,000.00.		SQLi?
Sep 29	?	SAIC (Science Applications International Corp.) SAIC, one of the Pentagon‘s largest contractors reveals to have discovered a data breach occurred a couple of weeks before, affecting as many as 4.9 million patients who have received care from military facilities in San Antonio since 1992. The breach involved backup computer tapes from an electronic health care record. Some of the information included Social Security numbers, addresses, phone numbers and private health information for patients in 10 states. Statement of the data breach here Estimated cost of the breach is around $ 1 billion.		Car Burglary
Sep 30	?	Laptop Virus RepairAlthough not resounding as the one which targeted MySQL.com, here it is another example of a website infected with malicious code targeting a free antivirus cloud based service.	Laptop Virus Repair	Malicious Code
Sep 30	?	BetfairBetfair reports a leak including not only the payment card details of most of its customers but also “3.15m account usernames with encrypted security questions”, “2.9m usernames with one or more addresses” and “89,744 account usernames with bank account details”. The incident occurred on 14 March 2011 but was announced only 18 months later. Estimated cost of the breach is around $1.3 billion.		?