Sunday, November 29, 2015

Issue 40 - Week of Nov 23rd

1. The Target breach, two years later: It was exactly 2 years ago that Target was hacked, and even today it remains the most significant breach in history because it was the first time the CEO of a major company was fired because of a data breach. Target says it has since taken a number of actions to repair and improve its security posture: the retailer brought in new senior leadership with cybersecurity know-how, rolled out EMV-compliant POS terminals in all of its stores (the ones that accept chip and PIN), and made several changes to its network and its structure. Until some time ago, organizations would not take security seriously until they had a breach, but this is now slowly changing, with several of them taking proactive measures.

2. RSA warns of zero-detection Trojan: Zero-day vulnerabilities and zero-detection malware threats continue to bother cyber security professionals worldwide. Last week RSA announced the discovery of GlassRAT, a zero-detection malware that has been around for more than 3 years. RSA also presented evidence that GlassRAT's command and control (C2) infrastructure has some historical overlap with other malware campaigns that have previously targeted Asia-based organizations. The malware comes with reverse shell capabilities and allows for data exfiltration, file transfer, process listing, and other typical RAT capabilities. It is also known to have used the trademarked icon of Adobe Flash Player and to have been named "Flash.exe" in the past.

3. Stealthy ModPOS is 'most sophisticated PoS malware' ever: Researchers are warning retailers about ModPOS, malware that is nearly impossible to detect in their systems and can do a whole lot more than just scrape customers' credit card data. ModPOS is modular. In addition to the PoS card scraper module, it also has a keylogger, an uploader/downloader (with which it could add other pieces), and plug-ins for scraping credentials and gathering local system and network information. The malware is able to stay persistent and obfuscated because every module is a rootkit (it operates in kernel mode).

4. Nuclear Exploit Kit spreading Cryptowall 4.0 ransomware: All earlier versions of Cryptowall were spread through spam and phishing emails; last week researchers found that, for the first time, Cryptowall 4.0 has been infecting machines via an exploit kit. The move to Nuclear won't be exclusive; the industry expects other exploit kits, including Angler, to eventually redirect compromised sites their way. Attackers will continue moving Cryptowall 4.0 via spam as well.

5. United Airlines waits 6 months to patch critical flaw submitted to bug bounty program: A security researcher found and reported a critical vulnerability to United Airlines that could allow an attacker to "completely manage any aspect of a flight reservation using United's website." He claims United Airlines, which announced a bug bounty program about six months ago, didn't deploy a fix for five months and only plugged the holes after he threatened to publicly disclose the unpatched vulnerability.

6. Blackhole Exploit Kit makes a comeback: The once-popular Blackhole exploit kit has returned, attempting to infect using old exploits but also showing signs of active development. The return of Blackhole suggests that cyber-criminals may be reusing the code (a lot of criminals do not reinvent the wheel); they use older infrastructure and build on top of it. Exploit kits are software programs used by cyber-criminals to infect victims and install malicious software (a dropper file). They are a basic building block for creating botnets and infecting users' systems to steal information.

7. Starwood and Hilton suffer data breach: Starwood Hotels and Resorts is investigating data breaches at 54 locations. Malware compromised point-of-sale systems at all 54 locations. The attackers gained access to credit card information, including cardholder name, card number, security code and expiration date. In a separate incident, Hilton publicly disclosed last week that it was hit by a cyber-attack and noted that unauthorized malware targeted payment card information at its hotels worldwide. It's not uncommon for attackers to reuse malware and tactics across entities within the same industry, as most of them run very similar software that has similar vulnerabilities.

8. Dell acknowledges security hole in new laptops: Last week, Dell said that a security hole exists in some of its recently shipped laptops that could make it easy for hackers to access users' private data. This flaw is being compared to Superfish (adware preinstalled on Lenovo computers earlier this year). The Flaw: Dell PCs were found to have the eDellRoot certificate and its private key preinstalled in the trusted root store, and worse, the certificate and key were the same across all of Dell's affected laptops. With that key, anyone could launch a man-in-the-middle attack and redirect browser traffic to spoofs of real websites, and the browser would show the connection as trusted.
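A quick check that an administrator or help desk can run on a Dell machine to see whether the eDellRoot certificate described above is present in the Windows trusted root stores, and whether a private key is attached to it (which is what makes it dangerous rather than just odd). This is an added example written for this digest, not code from Dell or from the original post; the store paths and the 'eDellRoot' subject string are assumptions taken from the item above, and no thumbprint is hard-coded because the post does not give one.

```powershell
# Added example (not from the original post): report any eDellRoot
# certificate in the trusted root stores and whether it carries a private key.
# Assumptions: the certificate's subject contains 'eDellRoot' (as named in
# item 8) and it lives in the machine or user Root store.
function Find-EDellRoot {
    [CmdletBinding()]
    param(
        [string[]]$StorePaths = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'),
        [string]$SubjectMatch = 'eDellRoot'
    )
    foreach ($store in $StorePaths) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like "*$SubjectMatch*" -or $_.Issuer -like "*$SubjectMatch*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # A private key stored alongside a trusted root is the real problem:
                    # it lets whoever holds it sign certificates this machine will trust.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

$hits = @(Find-EDellRoot)
if ($hits.Count -eq 0) {
    Write-Output 'No eDellRoot certificate found in the trusted root stores.'
} else {
    $hits | Format-Table -AutoSize
    # Mitigation (run from an elevated prompt) once the thumbprint above is confirmed:
    # $hits | ForEach-Object { Remove-Item -Path ("{0}\{1}" -f $_.Store, $_.Thumbprint) }
}
```

Run it from an elevated PowerShell prompt so both stores are readable; a result with HasPrivateKey set to True is the condition the item describes, and the commented Remove-Item line is the same removal that can otherwise be done by hand through certmgr.msc.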

9. CISO Forum in India: In a hall full of CISOs of key Indian private companies during an event in Chandigarh, many of the CISOs present did not know which government authority needs to be approached in case of a cyber-attack. A few mentioned that they would approach the Indian Computer Emergency Response Team (CERT-In), a few mentioned that they would go to the National Critical Information Infrastructure Protection Centre (NCIIPC), a few mentioned that they would go to the cyber police station in their city, while a few were of the opinion that they would go to the local police station. One of the CISOs narrated an interesting situation in which the local police demanded a photograph of the data that was stolen. :-)

10. Indian hackers deface Pakistani websites on 26/11 anniversary: Underground Indian hacking groups have launched an attack on Pakistani websites on the seventh anniversary of the 26/11 Mumbai attacks. Cybercrime experts claim several hacking groups carried out a mass defacement operation on key Pakistani websites to pay "homage to the martyrs of 26/11 terror attacks". Recently, the hacking group Mallu Cyber Soldiers claimed to have hacked several Pakistani websites and servers to avenge Pakistani attacks.

1 comment:

  1. Item 9 - CISO Forum in India - shows the knowledge deficit of CISOs in India. If they do not know the basics, what will they do as CISOs? Mera Bharat Mahan.