Political Wrinkles  

#1
02-25-2017, 07:22 PM
mlurp
Attacks Using New Malware on 31 Global Banks

Humm banks are taking a beating...

Quote:
Attackers target dozens of global banks with new malware

Watering hole attacks attempt to infect more than 100 organizations in 31 different countries.


Organizations in 31 countries have been targeted in a new wave of attacks which has been underway since at least October 2016. The attackers used compromised websites or “watering holes” to infect pre-selected targets with previously unknown malware. There has been no evidence found yet that funds have been stolen from any infected banks.

The attacks came to light when a bank in Poland discovered previously unknown malware running on a number of its computers. The bank then shared indicators of compromise (IOCs) with other institutions and a number of other institutions confirmed that they too had been compromised.

As reported, the source of the attack appears to have been the website of the Polish financial regulator. The attackers compromised the website to redirect visitors to an exploit kit which attempted to install malware on selected targets.

Symantec has blocked attempts to infect customers in Poland, Mexico and Uruguay by the same exploit kit that infected the Polish banks. Since October, 14 attacks against computers in Mexico were blocked, 11 against computers in Uruguay, and two against computers in Poland.

Custom exploit kit

The attackers appear to be using compromised websites to redirect visitors to a customized exploit kit, which is preconfigured to only infect visitors from approximately 150 different IP addresses. These IP addresses belong to 104 different organizations located in 31 different countries. The vast majority of these organizations are banks, with a small number of telecoms and internet firms also on the list.

Here is a chart showing how many banks in different countries, at the site below.

Figure 1. Countries in which three or more organizations were targeted by attackers

Links to Lazarus?

The malware used in the attacks (Downloader.Ratankba) was previously unidentified, although it was detected by Symantec under generic detection signatures, which are designed to block any files seen to engage in malicious activities.

Analysis of the malware is still underway. Some code strings seen in the malware used share commonalities with code from malware used by the threat group known as Lazarus.

Ratankba was observed contacting eye-watch[.]in for command and control (C&C) communications. Ratankba was then observed downloading a Hacktool. This Hacktool shows distinctive characteristics shared with malware previously associated with Lazarus.

Figure 2. Code strings seen in sample of Hacktool used in recent attacks.

Lazarus has been linked to a string of aggressive attacks since 2009, largely focused on targets in the US and South Korea. Lazarus has been involved in high level financial attacks before and some of the tools used in the Bangladesh bank heist shared code similarities with malware used in historic attacks linked to the group.

Further investigation of these attacks is underway and, over time, more evidence may emerge about the identity and motives of the attackers. After a series of high profile attacks on banks during 2016, this latest incident provides a timely reminder of the growing range of threats facing financial institutions.

Protection

Symantec and Norton products protect against these attacks with the following detections:

Downloader.Ratankba
Web Attack: SunDown Exploit Kit Website 5
Backdoor.Destover

IOCs

The following are indicators of compromise related to these attacks.

Command and control infrastructure

... Continued at ...
Must be part geek to understand this:

https://www.symantec.com/connect/blo...NORTON_2017_02
__________________
Patriotism means to stand with the country. It does not mean to stand with the President.

Theodore Roosevelt.



Improvise-Adapt-Over Come.
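The Symantec write-up quoted above turns on one defensive mechanism: the Polish bank shared indicators of compromise (IOCs), and other institutions checked their own telemetry against them. As an added example that is not part of the Symantec blog or of this post, the Python script below shows the receiving end of that exchange: it refangs indicators shared in the usual defanged form (the C&C domain eye-watch[.]in from the article), matches them against web proxy logs, and lists the internal clients that talked to the C&C host. The proxy log lines, the client addresses and the second indicator in the list are constructed for the demonstration, not data from the page.

```python
"""Match a shared, defanged IOC list against web proxy logs.

Added example. The only indicator taken from the Symantec write-up is
eye-watch[.]in; every log line, client address and the placeholder
indicator are constructed for this demonstration.
"""
import re
from urllib.parse import urlsplit

# Indicators as analysts share them: dots bracketed, "http" written as "hxxp",
# so that a pasted indicator cannot be clicked or auto-linked by accident.
SHARED_IOCS = [
    "eye-watch[.]in",                # C&C domain named in the Symantec write-up
    "hxxp://c2-example[.]invalid/",  # constructed placeholder, not a real indicator
]

DEFANGED_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the literal host or URL to match on."""
    s = DEFANGED_DOT.sub(".", indicator.strip())
    return re.sub(r"(?i)^hxxp", "http", s)


def defang(indicator: str) -> str:
    """Inverse of refang: render a live indicator safely for sharing."""
    s = re.sub(r"(?i)^http", "hxxp", indicator.strip())
    return s.replace(".", "[.]")


def ioc_host(indicator: str) -> str:
    """Extract the bare, lower-cased hostname from a (possibly defanged) host or URL."""
    live = refang(indicator).lower()
    if "://" in live:
        return urlsplit(live).hostname or ""
    return live.split("/", 1)[0]


def host_matches(host: str, ioc_domain: str) -> bool:
    """True if host is the IOC domain itself or a subdomain of it.

    A plain substring test would also flag look-alikes such as
    eye-watch.in.example.invalid, so the match is anchored on label boundaries.
    """
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


# Constructed proxy log: "<timestamp> <client ip> <method> <url> <status>".
PROXY_LOG = """\
2017-02-03T10:15:22Z 10.20.30.41 GET http://intranet.example.invalid/news 200
2017-02-03T10:16:05Z 10.20.30.41 GET http://eye-watch.in/k/update.php 200
2017-02-03T10:16:09Z 10.20.30.77 POST http://cdn.eye-watch.in/i/ 200
2017-02-03T10:17:30Z 10.20.30.12 GET http://eye-watch.in.example.invalid/ 404
2017-02-03T10:18:00Z 10.20.30.41 GET https://www.example.invalid/ 200
"""


def find_ioc_hits(log_text: str, iocs) -> list:
    """Return (timestamp, client_ip, url, shared_indicator) for each matching log line."""
    ioc_domains = [(ioc, ioc_host(ioc)) for ioc in iocs]
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines instead of aborting the whole scan
        ts, client, _method, url, _status = parts[:5]
        host = urlsplit(url).hostname or ""
        for ioc, domain in ioc_domains:
            if host_matches(host, domain):
                hits.append((ts, client, url, ioc))
                break  # one hit per line is enough for triage
    return hits


def affected_clients(hits) -> set:
    """Internal addresses that contacted any IOC host; these are the machines to isolate and image."""
    return {client for _, client, _, _ in hits}


if __name__ == "__main__":
    for ts, client, url, ioc in find_ioc_hits(PROXY_LOG, SHARED_IOCS):
        print(f"{ts} {client} -> {defang(url)}  (matched {ioc})")
    print("clients to triage:", sorted(affected_clients(find_ioc_hits(PROXY_LOG, SHARED_IOCS))))
```

On the constructed log the scan reports two hits, both for eye-watch[.]in, from clients 10.20.30.41 and 10.20.30.77; the look-alike host eye-watch.in.example.invalid is correctly ignored, which is the point of matching on domain labels rather than on substrings. Note that the script prints matched URLs back in defanged form, so its output can itself be pasted into a report.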
#2
06-16-2017, 03:06 AM
waltky
Re: Attacks Using New Malware on 31 Global Banks

No. Korean Lazarus hacker group hits UK's NHS...

Cyber-attack on UK 'came from N Korea'
Fri, 16 Jun 2017 : The Lazarus group - who targeted Sony Pictures in 2014 - believed to have been behind NHS cyber-attack.
Quote:
British security officials believe that hackers in North Korea were behind the cyber-attack that crippled parts of the NHS and other organisations around the world last month, the BBC has learned. Britain's National Cyber Security Centre (NCSC) led the international investigation. Security sources have told the BBC that the NCSC believes that a hacking group known as Lazarus launched the attack. The same group is believed to have targeted Sony Pictures in 2014. The Sony hack came as the company planned to release the movie The Interview, a satire about the North Korean leadership starring Seth Rogen. The movie was eventually given a limited release after an initial delay. The same group is also thought to have been behind the theft of money from banks.


GCHQ can detect the work of hackers around the globe

NHS hit

In May, ransomware called WannaCry swept across the world, locking computers and demanding payment for them to be unlocked. The NHS in the UK was particularly badly hit. Officials in Britain's National Cyber Security Centre (NCSC) began their own investigation and concluded their assessment in recent weeks. The ransomware did not target Britain or the NHS specifically, and may well have been a money-making scheme that got out of control, particularly since the hackers do not appear to have retrieved any of the ransom money as yet. Although the group is based in North Korea the exact role of the leadership in Pyongyang in ordering the attack is less clear.

Detective work

Private sector cyber-security researchers around the world began picking apart the code to try to understand who was behind the attack soon after. Adrian Nish, who leads the cyber threat intelligence team at BAE, saw overlaps with previous code developed by the Lazarus group. "It seems to tie back to the same code-base and the same authors," Nish says. "The code-overlaps are significant." Private sector cyber security researchers reverse engineered the code but the British assessment by the NCSC - part of the intelligence agency GCHQ - is likely to have been made based on a wider set of sources. America's NSA has also more recently made the link to North Korea but its assessment is not thought to have been based on as deep an investigation as the UK's, partly because the US was not hit as hard by the incident. Officials say they have not seen any significant evidence supporting other possible culprits.


The WannaCry ransomware has been linked to a North Korean hacking group

Central bank hack

North Korean hackers have been linked to money-making attacks in the past - such as the theft of $81m from the central bank of Bangladesh in 2016. This sophisticated attack involved making transfers through the Swift payment system which, in some cases, were then laundered through casinos in the Philippines. "It was one of the biggest bank heists of all time in physical space or in cyberspace," says Nish, who says further activity has been seen in banks in Poland and Mexico. The Lazarus group has also been linked to the use of ransomware - including against a South Korean supermarket chain. Other analysts say they saw signs of North Korea investigating the bitcoin method of payment in recent months.

Scattergun
__________________
The water's always turbulent where two great rivers meet.
#3
06-16-2017, 11:17 PM
mlurp
Re: Attacks Using New Malware on 31 Global Banks

Hummm, didn't we read or hear about this a few weeks ago Walt?

Just saying....

See what goes around can come back around to bite U.

But I do give a thank you for any news posted, unlike many here. As I got love in my heart....