Ethical Hacking

MIS 5211.702 ■ Fall 2020 ■ Wade Mackey

Week 10: SecuritySheperd

Week 10: In the News

December 6, 2020 by Kyuande Johnson

Russian Hacker jailed over botnet data scraping scheme that drained victim bank accounts.

A Russian cybercriminal has been sentenced to eight years for participating in a botnet scheme that caused at least $100 million in financial damage. Aleksandr Brovko was an active member of several elite online forums designed to gather and exchange criminal tools and services. Brovko wrote a script that enabled botnets to parse log data, which was used to uncover personally identifiable information (PII) and account credentials. Brovko processed and trafficked over 200,000 unauthorized access devices during the course of the conspiracy. These devices consist of PII and financial account details, resulting in over $100 million in intended losses.

Week 10: Reading

December 6, 2020 by Kyuande Johnson

This week's reading is on Burp Suite. Burp Suite is one of the most popular penetration testing and vulnerability finder tools, and is often used for checking web application security. “Burp,” as it is commonly known, is a proxy-based tool used to evaluate the security of web-based applications and do hands-on testing. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Zoom Credentials

November 17, 2020 by Vraj Patel

Researchers at the cybersecurity firm Cyble were able to find more than 500,000 credentials for Zoom accounts on the dark web (Hamilton, 2020). Cyble stated that there were many account credentials that they were able to purchase for less than a penny, and others were just available publicly.

Cyble said that they were able to purchase around 530,000 Zoom account credentials as well as the meeting URLs and the host keys. There were many accounts that belonged to Chase and Citibank, and there were a couple for educational institutions.

References:

Hamilton, I. 2020. Researchers found and bought more than 500,000 Zoom passwords on the dark web for less than a cent each. Retrieved from: https://www.businessinsider.com/500000-zoom-accounts-sale-dark-web-2020-4


Ransomware surge imperils hospitals as pandemic intensifies

November 2, 2020 by Rudraduttsinh

Hackers are stepping up attacks on health care systems with ransomware in the United States and other countries, creating new risks for medical care as the global coronavirus pandemic accelerates. Alerts from US authorities and security researchers highlight a wave of cyberattacks on hospitals coping with rising virus infections. An unusual warning this week from the FBI with the Departments of Homeland Security and Health and Human Services underscored the threat. The three agencies “have credible information of an increased and imminent cybercrime threat to US hospitals and health care providers,” said the alert issued Wednesday, calling on health systems to “take timely and reasonable precautions to protect their networks from these threats.”

Ransomware is a longstanding security issue and health care has been a frequent target. A September attack disrupted Universal Health Services, which operates hospitals in the US and Britain. But security experts say the attacks are accelerating as the pandemic worsens. Researchers at the security firm Check Point said its survey showed health care has been the most targeted industry by ransomware, with a 71 percent jump in attacks on US providers in October from a month earlier. Check Point said there have been significant rises in ransomware attacks on hospitals in Asia, Europe and the Middle East as well. Globally, the firm said ransomware attacks were up 50 percent in the third quarter compared with the first half of this year. Many of the attacks use a strain of ransomware known as Ryuk, which security researchers say may be tied to North Korean or Russian cybercriminals. The US government warning said health organizations are being targeted by phishing attacks to get access to the systems, with hackers using sophisticated tools including TrickBot software which can harvest credentials and exfiltrate data. The Canadian government’s Cyber Centre issued a similar warning in early October, warning of Ryuk ransomware “affecting multiple entities, including municipal governments and public health and safety organizations in Canada and abroad.” “The ransomware problem is steadily worsening and a solution desperately needs to be found,” said Brett Callow of the security firm Emsisoft.

In the News – Week 10: FBI warning: Trickbot and ransomware attackers plan big hit on US hospitals

October 31, 2020 by Anthony Messina

US healthcare providers have been warned that Trickbot malware and ransomware are targeting the sector. Trickbot emerged in 2016 as a banking trojan but evolved into a multi-purpose malware downloader that infected systems that were sold on to other criminal groups as a service. Trickbot developers created Anchor_DNS, a tool for sending and receiving data from victim machines using Domain Name System (DNS) tunneling.

The Anchor_DNS backdoor forces infected PCs to communicate with command-and-control servers over DNS to bypass network defense products and hide malicious communications with legitimate DNS traffic. Anchor_DNS uses a single-byte XOR cipher to encrypt its communications, which have been observed using key 0xB9. Once decrypted, the string Anchor_DNS can be found in the DNS request traffic. CISA has now listed several indicators of compromise that security teams should look for. It notes that the Trickbot malware for Windows copies itself as an executable file with a 12-character (includes .exe), randomly generated filename – for example, mfjdieks.exe – and places this file in the directories C:\Windows\, C:\Windows\SysWOW64\, and C:\Users\[Username]\AppData\Roaming\.

https://www.zdnet.com/article/fbi-warning-trickbot-and-ransomware-attackers-plan-big-hit-on-us-hospitals/#ftag=RSSbaffb68

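The two indicators described in the post above, turned into a small triage check. This is an added example, not part of the original post or of CISA's alert; the hex encoding of the payload in DNS labels, the letters-only filename pattern, the allowlist and the sample query are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

XOR_KEY = 0xB9           # single-byte key the post reports
MARKER = b"Anchor_DNS"   # string the post says is visible after decryption

def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)

def query_has_marker(qname: str) -> bool:
    """True if the hex labels of a query name decode to data holding MARKER.

    Assumption: the XORed payload is carried as hex text in the labels.
    """
    hex_labels = [lab for lab in qname.split(".")
                  if len(lab) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", lab)]
    return MARKER in xor_decode(bytes.fromhex("".join(hex_labels)))

# Directories named in the post; Roaming sits under any user profile.
DIR_PATTERNS = [re.compile(p, re.I) for p in (
    r"c:\\windows",
    r"c:\\windows\\syswow64",
    r"c:\\users\\[^\\]+\\appdata\\roaming")]
# 12 characters including ".exe" leaves 8 for the stem (assumed letters only).
NAME_PATTERN = re.compile(r"[a-z]{8}\.exe", re.I)
# Illustrative allowlist: legitimate Windows binaries that also fit the pattern.
KNOWN_GOOD = {"explorer.exe", "helppane.exe"}

def suspicious_path(path: str) -> bool:
    """Flag an executable whose name and location both match the indicator."""
    p = PureWindowsPath(path)
    in_dir = any(d.fullmatch(str(p.parent)) for d in DIR_PATTERNS)
    name = p.name.lower()
    return in_dir and bool(NAME_PATTERN.fullmatch(name)) and name not in KNOWN_GOOD

# Constructed sample: marker XORed with the key, hex-encoded into one label.
SAMPLE_QUERY = xor_decode(b"/Anchor_DNS/constructed/").hex() + ".example.com"

if __name__ == "__main__":
    print(query_has_marker(SAMPLE_QUERY), query_has_marker("www.example.com"))
    for path in (r"C:\Windows\mfjdieks.exe", r"C:\Windows\explorer.exe"):
        print(path, suspicious_path(path))
```

The filename indicator is noisy on its own: explorer.exe is also 12 characters long and lives in C:\Windows\, so a hit should be confirmed against a known-good baseline before it is escalated.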

Week 10 Readings

October 31, 2020 by Anthony Messina

Readings this week had a concentration in Burp Suite and injection attacks. Injection attacks have dominated the top of web application vulnerability lists for much of the past decade. XSS remains the most prevalent vulnerability, while SQL injection is the most often exploited of these vulnerabilities. Injection attacks are preferred by malicious users as a way to obtain restricted data from a back-end database or to embed malicious code onto a web server that will in turn serve up malware to unsuspecting clients.

Questions for the class:

What is an example of a SQLi?  Meaning what input would the attacker put in the URL to try a SQLi?
