Business Continuity & Cyber Security Incident log w/e 28/07/2017

Business Continuity Incident

Hotel wifi compromised in phishing attack

The so-called ‘DarkHotel’ group has been active for over a decade, with a signature brand of cybercrime that targets business travellers with malware attacks, using the Wi-Fi in luxury hotels across the globe.

Hotel Wi-Fi hotspots are compromised in order to help deliver the payload to the selected pool of victims. The exact methods of compromise remain uncertain, but cybersecurity experts believe it involves attackers remotely exploiting vulnerabilities in server software or infiltrating the hotel and gaining physical access to the machines.

Those behind the campaign have continually evolved their tactics and malware payloads, blending phishing and social engineering with a complex Trojan, in order to conduct espionage on corporate research and development personnel, CEOs, and other high-ranking corporate officials.

But now the actors behind DarkHotel have changed tactics again, using a new form of malware known as Inexsmar to attack political targets. Researchers at Bitdefender — who’ve analysed the malware strain — have linked the Inexsmar campaign to DarkHotel because of similarities with payloads delivered by previous campaigns.

In common with other espionage campaigns, the Inexsmar attack begins with a social engineering exercise designed to be interesting and convincing to the target.

Researchers remain uncertain about who is being targeted by the campaign — and the malware sample doesn’t provide clues about this — but the nature of the phishing emails point towards government and political targets.

Within the email is a self-extracting archive package, winword.exe, which when executed begins the Trojan downloader process.

In order to avoid the victim getting suspicious, the downloader opens a decoy Word document. It shows a list of supposed contacts in the North Korean capital, with references to organisations including FAO, UNDP, UN, UNICEF, and WFP. It even contains warnings about spammers and ensuring privacy — with the victim reading this just as their privacy is being compromised by hackers.

In order to prevent detection, the malware is downloaded in stages — another element of the campaign which links it to DarkHotel. The first stage of the downloader even hides malicious codes and strings inside an otherwise legitimate OpenSSL binary by statically linking the malicious code to the otherwise unrelated library code.

Following this, the malware runs a mshta.exe operation — a legitimate Microsoft HTML Application host needed to execute .HTA files — to download the second part of the payload and compromise the target with the Trojan malware.

Researchers suggest the multi-stage Trojan download is an evolutionary step to keep the malware competitive as victims’ defences improve.

“This approach serves their purpose much better as it both assures the malware stays up to date via system persistence — not achievable directly using an exploit, and giving the attacker more flexibility in malware distribution,” says the paper by malware researchers Cristina Vatamanu, Alexandru Rusu, and Alexandru Maximciuc.

DarkHotel is a highly sophisticated hacking operation, stockpiling digital certificates to aid in the distribution of malware and deploy backdoors with code hidden under many layers of protection.

The group is careful to cover their tracks but the nature of the attacks and the way DarkHotel picks victims potentially indicates involvement of a nation state actor.


Data Breach Hits Italian Bank


One of Italy’s largest banks, UniCredit,  confirmed that personal financial data of some 400,000 customers who took out loans through the bank have been unlawfully acquired a number of unauthorised third parties.

A service provider of customer reference data is blamed for the breach. An initial breach appears to have occurred in September and October 2016 with a second breach occurring in June and July 2017.

The bank issued a statement saying “Data of approximately 400,000 customers in Italy is assumed to have been impacted during these two periods,” no data, such as passwords allowing access to customer accounts or allowing for unauthorised transactions, has been affected, whilst some other personal data and Iban numbers might have been accessed.”

UniCredit has launched an audit and intends to file a claim with the Milan Prosecutor’s office.

A bank spokesperson said: “Customer data safety and security is UniCredit’s top priority and as part of Transform 2019, we are investing 2.3 billion euro in upgrading and strengthening its IT systems.”


TNT Customers Feel Impact of Cyber Attack

Small firms are being “crippled” by the continuing impact of last month’s NotPetya cyber attack on Dutch delivery firm TNT, a business group has warned.

The Federation of Small Businesses (FSB) says it has “serious concerns” over the effects of the 28 June attack.

“[It] has been debilitating for some small firms who remain in the dark over when, and if, they can expect their goods to be delivered,” the FSB said.

A TNT website message reads: “We regret any inconvenience to our customers.”

It adds: “We are implementing remediation steps as quickly as possible to support customers who experience limited interruption in pick-up and delivery operations and tracking systems access.”

However, the FedEx-owned firm did not wish to comment directly on the FSB’s comments.

‘Software compromised’

Mike Cherry, the FSB’s national chairman, said continuing disruption could threaten the survival of its members.

“Small business customers need accurate, clear and frequent updates from TNT to help them with their own contingency planning and a commitment to provide redress to those small businesses who have lost out,” he said.

“This is a stark reminder of the danger posed by cyber-crime and how it can strike down smaller businesses indirectly, having a much wider impact on the economy.

“It serves as a major wake-up call on the need to tackle and prevent the growing threat of cyber-crime right across the business community.”

FedEx has already warned the US stock exchange that the cyber attack will have a “material” financial effect on the company, given that it did “not have cyber or other insurance in place that covers this attack”.

A message posted on FedEx’s US website adds: “TNT operates in Ukraine and uses the software that was compromised, which allowed the virus to infiltrate TNT systems and encrypt its data.

“While TNT operations and communications were significantly affected, no data breach or data loss to third parties is known to have occurred.”

Seagate Agrees $5.75 Million Settlement for Employees Data Breach

Seagate will pay $5.75m to settle a lawsuit brought after staff accidentally handed over employees’ sensitive information to fraudsters.

The storage giant told [PDF] the California Northern US District Court this week that it is will cover the cost of identity protection services  and will pay up to $3,500 for each of the 12,000 employees whose data was leaked in a 2016 phishing attack.

The settlement, submitted to Judge Richard Seeborg, also includes Seagate paying for insurance coverage totaling around $42m for the costs the workers might incur from identity theft resulting from the attack – which has already been linked to a string of fake tax return scams.

The deal would put to rest the claims that the company was criminally negligent and in violation of California competition laws when, in 2016, one of its workers was duped by a phishing email and handed over the W-2 forms of everyone who had worked for the Seagate in the previous calendar year.

“Almost immediately, the cybercriminals exploited Seagate’s wrongful actions and filed fraudulent federal and state tax returns in the names of the employees,” the complaint [PDF] alleges.

“Some employees have learned that the cybercriminals filed fraudulent joint tax returns, using not only the employee’s social security number, but also the employee’s spouse’s social security number.”

Six named employees filed suit on behalf of all the workers whose personal info, including social security numbers, was leaked.

In filing for the settlement, attorneys for the plaintiffs say that the $5.75m is likely more than they would have been awarded had they taken the case to trial. The payout would not only cover two years of identity theft services from credit reporting and financial services conglomerate Experian, but also any other expenses the workers incurred when they had to clear their names for the fake tax returns.