
Cyber Threat Intelligence Briefing: 18 September 2020

Tyler Oliver, Mona Damian 18 September 2020

CYBER INCIDENT RESPONSE: PERSPECTIVES FROM INSIDE THE RISK ECOSYSTEM

In our latest report, we examine a cyber incident from the perspective of several key stakeholders


The S-RM Cyber Threat Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.

OVERVIEW

  • Magecart resurgence. This week’s first story focuses on a large-scale automated card-skimming attack impacting websites using Magento 1.0.
  • Credential stuffing attacks target US banks. The FBI issued a warning to organisations in the US financial services industry, attributing recent hacks to credential stuffing attacks.
  • In other stories this week, billions of Bluetooth devices are affected by a vulnerability in the software stack and schools are impacted by DDoS attacks (again).


Security Round-up

Magecart gang strikes again
  • Over the weekend, an automated campaign launched by Magecart against more than 2,000 Magento stores compromised the personal data of thousands of customers.[1]
  • Given the number of stores affected, this is anticipated to be one of the largest card skimming attacks since 962 stores were hacked in one night in July last year.[2]
  • The incidents are believed to be related to a recent zero day in Magento 1.0 that was offered for sale on the dark web for as little as USD 5,000. Magento 1.0 is used for payment systems and went out of support in June 2020.[3]

So what for security teams? Magento 1.0 stopped receiving software updates in 2020, rendering websites using that software vulnerable to zero days. This highlights the importance of establishing a vulnerability and patch management programme within your organisation and ensuring that end-of-support software is upgraded.

FBI issues warning about credential stuffing attacks targeting banks
  • The FBI issued a private security alert to the US financial sector, warning organisations about the resurgence in the number of credential stuffing attacks that have led to previous breaches in the financial sector.[4]
  • Credential stuffing attacks have increased over the last few years as leaked login credentials have become more commonplace on dark web markets. While these attacks have a low success rate, when deployed on a large scale and using automation, they can lead to the compromise of numerous accounts.
  • Collectively, almost 50,000 account compromises against US financial institutions have been documented since 2017.[5] These have led to considerable financial losses through fraudulent transfers being made to compromised accounts.

So what for security teams? The need for dark web monitoring solutions that generate alerts when credentials belonging to an employee of an organisation are detected online has increased. This allows immediate action to be taken via password resets and the temporary disabling of compromised accounts.

So what for senior leadership? Credential stuffing attacks highlight the requirement for organisations to implement strong password policies, in line with latest National Institute of Standards and Technology (NIST) guidelines. Doing so prevents the damage that can be caused by credentials uncovered in old data leaks.

Bluetooth security flaw impacting billions of devices
  • A newly disclosed Bluetooth Low Energy Spoofing Attack (BLESA) vulnerability impacts devices running the Bluetooth Low Energy protocol, which billions of internet-of-things (IoT) devices currently use in their software stacks.[6]
  • The attack allows a nearby attacker to bypass reconnection verifications and send spoofed data to a BLE device.
  • Apple has assigned CVE-2020-9770 to the attack and patched it.
  • However, Android has yet to patch the vulnerability. Defending against most Bluetooth attacks usually means pairing devices in controlled environments, but defending against BLESA is a much harder task, since the attack targets the frequently occurring reconnect operation.
  • Affected Android devices are now awaiting patches from their software suppliers.

So what? Unpatched vulnerabilities in IoT devices present a significant risk and a patching nightmare. Given that billions of devices are now reliant on software suppliers, mitigating controls will need to be put in place to protect vulnerable devices. A major vulnerability in one of the protocols used by the majority of IoT devices can have a widespread, detrimental impact.

Education sector targeted by DDoS attacks… again
  • In addition to the back-to-school ransomware attacks that have been observed lately, such as those in Fairfax, VA and Newhall, CA, schools have also experienced a series of DDoS attacks.[7]
  • Research from Check Point shows that different methods have been adopted by attackers in different regions, with the end goal varying from one region to another.
  • A 30% increase in attacks during July and August has been observed in the education sector. While a large portion of the attacks have been attributed to hacktivists, students testing out online DDoS tools share some of the responsibility, as evidenced by a South Miami student who was arrested earlier this month for launching eight DDoS attacks against schools.[8]

So what? Opportunistic as hackers are, this is just the latest turn of events in a barrage of attacks against the education sector. With the sector suffering heavily from ransomware attacks recently, it’s time for schools and universities to increase their security budget and implement mitigating controls.

Indicators of compromise

The Indicators of Compromise (IOCs) below offer a snapshot of the forensic artefacts currently known to be associated with some of the campaigns discussed in this week's set of stories.

Magecart attack launched against Magento 1.0

Security firm Sansec has investigated Magecart’s latest attack, which impacted 2,000+ stores in the US. The following are IOCs for this variant:


Description     IOC
IP              92.242.62[.]210, 91.121.94[.]12
Filename        Mysql.php
C&C domain      hxxps://imags.pw/502.jsp
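A small detection helper, added here as an example and not taken from the briefing or from Sansec, that refangs the indicators above (undoing the `[.]` and `hxxp` defanging) and runs them over a few constructed log lines; the access-log entries, file listing, proxy line, hostnames and paths are made up for illustration.

```python
import re

# IOCs exactly as published in the briefing, in defanged form.
DEFANGED_IOCS = {
    "ip": ["92.242.62[.]210", "91.121.94[.]12"],
    "filename": ["Mysql.php"],
    "c2": ["hxxps://imags.pw/502.jsp"],
}


def refang(value: str) -> str:
    """Undo common defanging so the value can be matched against raw logs."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def build_matchers(iocs):
    """Compile one case-insensitive pattern per IOC category."""
    matchers = {}
    for category, values in iocs.items():
        parts = [re.escape(refang(v)) for v in values]
        if category == "c2":
            # Also match the bare host, as seen in proxy or DNS logs without scheme/path.
            hosts = {re.escape(re.sub(r"^https?://", "", refang(v)).split("/")[0]) for v in values}
            parts += sorted(hosts)
        # Lookarounds stop 192.242.62.210 from matching 92.242.62.210, and Mysql.php.bak from matching Mysql.php.
        matchers[category] = re.compile(r"(?<![\w.])(" + "|".join(parts) + r")(?![\w.])", re.I)
    return matchers


def scan(lines, iocs=DEFANGED_IOCS):
    """Return (line_number, category, matched_value) for every hit, in line order."""
    hits = []
    matchers = build_matchers(iocs)
    for n, line in enumerate(lines, 1):
        for category, pat in matchers.items():
            for m in pat.finditer(line):
                hits.append((n, category, m.group(1)))
    return hits


# Constructed sample lines (not real data): web-server access log, a file listing and a proxy log.
SAMPLE_LINES = [
    '92.242.62.210 - - [13/Sep/2020:02:14:07 +0000] "POST /downloader/ HTTP/1.1" 200 512',
    '203.0.113.7 - - [13/Sep/2020:02:15:11 +0000] "GET /index.php HTTP/1.1" 200 8192',
    "-rw-r--r-- 1 www-data www-data 2211 Sep 13 02:14 /var/www/html/app/code/Mysql.php",
    "proxy: store-web01 CONNECT imags.pw:443 from 10.0.0.5 bytes=1044",
    "-rw-r--r-- 1 www-data www-data 1102 Aug 01 09:00 /var/www/html/lib/Mysql.php.bak",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(hit)
```

Matching is case-insensitive, so a lower-case mysql.php dropped by the skimmer is reported as well.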


REFERENCES

[1] ‘Massive Magecart attacks steal personal data from Magento 1 stores’, SC Magazine, 14 September 2020

[2] ‘Our crawlers detected 962 breached stores last night’, Sansec Twitter, 5 July 2019

[3] ‘E-Commerce Sites Hit With New Attack on Magento’, Dark Reading, 14 September 2020

[4] ‘FBI: Credential Stuffing Leads to Millions in Fraudulent Transfers’, Security World Expo, 15 September 2020

[5] ‘FBI says credential stuffing attacks are behind some recent bank hacks’, ZDNet, 14 September 2020

[6] ‘Billions of devices vulnerable to new ‘BLESA’ Bluetooth security flaw’, Threats Hub, 15 September 2020

[7] ‘Surge in DDoS attacks targeting education and academic sector’, Bleeping Computer, 15 September 2020

[8] ‘Student arrested in Miami-Dade Schools cyberattacks “a good kid”, neighbours say’, Local 10, 3 September 2020

To discuss this article or other industry developments, please reach out to one of our experts.

Tyler Oliver, Director, Cyber Security
Mona Damian, Senior Analyst, Cyber Security
