Thursday, 9 July 2015

The power of Cyber Threat Analysis

Recently, major online media portals reported a mass cyber attack against the clients of major banks:
Hackers targeting users of Barclays, Royal Bank of Scotland, HSBC, Lloyds Bank and Santander
You can find one of these articles at this link: http://www.net-security.org/malware_news.php?id=3070
“If the user opens a banking web page, the malware will contact a malicious server and send it a compressed version of the web page. The server will then respond with the compressed version of the web page with malicious code added to it. This altered web page is then displayed on the victim’s web browser. Its appearance remains exactly the same, but the added code harvests the victim’s login credentials.”
All is fine, but this is not significantly different from recent similar attacks. Serving altered copies of the targets' web pages and stealing users' credentials or already opened sessions is a well-known hacking technique. Perhaps we should approach the problem from another perspective to gain a really different view. That is: why can we not predict hacker attacks?
The truth is that we can. Hacker attacks are significantly predictable.
My cyber threat analysis team (CTAC) predicted this particular cyber crime campaign and alerted the relevant CERTs and other potentially affected parties as early as 22 May. Based on our methodology, my CTAC experts were able to disclose the preparations for the attacks.
Technically, by monitoring newly altered domain names that had previously been registered or moved by the attackers, and by analyzing the IP addresses behind the revealed names, my CTAC team was able to recognize the potential of a new attack campaign against clients of the banking industry.
In this particular case, through cyber threat analysis we were even able to identify fake login pages and redirector pages on the virtual private servers.
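As an added illustration of the name-monitoring and IP-pivot approach described above (example code written for this post, not the CTAC team's tooling), the script below flags lookalike domains for the banks named earlier and then clusters them by hosting IP so that co-hosted domains get scrutiny too; the brand list, the similarity threshold and the sample domains with their TEST-NET addresses are constructed assumptions.

```python
from collections import defaultdict
from difflib import SequenceMatcher
import re

# Brand tokens for the banks named in the post. Very short tokens (e.g. "rbs")
# are left out on purpose: a three-letter substring matches far too many labels.
BRANDS = ["barclays", "hsbc", "lloyds", "santander"]

# Constructed sample input (not the post's indicators): newly observed domains
# with the IP each one resolved to, using RFC 5737 TEST-NET addresses.
OBSERVED = [
    ("bar-claysbnk.net", "192.0.2.10"),
    ("barcalys-online.net", "192.0.2.11"),
    ("hsbc-secure-login.com", "192.0.2.10"),
    ("santanderbnk.com", "192.0.2.12"),
    ("lloydsbnk.net", "192.0.2.10"),
    ("secure-update-portal.net", "192.0.2.10"),
    ("weatherreport.org", "192.0.2.13"),
]


def label_of(domain):
    """Registrable label with separators stripped: 'bar-claysbnk.net' -> 'barclaysbnk'."""
    return re.sub(r"[^a-z0-9]", "", domain.lower().split(".")[0])


def brand_score(domain, brands=BRANDS):
    """Best (score, brand): 1.0 if the brand is embedded verbatim, otherwise the
    similarity of the label's leading characters to the brand, which also catches
    transposition typos such as 'barcalys'."""
    label = label_of(domain)
    best = (0.0, None)
    for brand in brands:
        score = 1.0 if brand in label else SequenceMatcher(None, brand, label[:len(brand)]).ratio()
        if score > best[0]:
            best = (score, brand)
    return best


def analyze(observed, brands=BRANDS, threshold=0.8):
    """Flag lookalike domains, then pivot on their hosting IPs to surface
    co-hosted domains that the name check alone would miss."""
    by_ip, flagged = defaultdict(set), {}
    for domain, ip in observed:
        by_ip[ip].add(domain)
        score, brand = brand_score(domain, brands)
        if score >= threshold:
            flagged[domain] = brand
    bad_ips = {ip for ip, doms in by_ip.items() if doms & set(flagged)}
    co_hosted = sorted(d for ip in bad_ips for d in by_ip[ip] if d not in flagged)
    return {"flagged": flagged, "bad_ips": sorted(bad_ips), "co_hosted": co_hosted}


if __name__ == "__main__":
    for key, value in analyze(OBSERVED).items():
        print(key, value)
```

In the sample, `secure-update-portal.net` matches no brand but shares 192.0.2.10 with three flagged names, which is exactly the kind of pivot that reveals redirector pages on the same hosting.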
Based on the collected indicators, my coordination PoC alerted the relevant parties and shared a list of the malicious servers (domain names and IP addresses).
It should be mentioned that most of the indicators are the same as the already known APT28 campaign indicators. The attackers are now using phishing e-mails with links to the altered domains to redirect victims to cloned bank login pages to collect credentials, or to attack the victims through the watering-hole technique.
Currently my CTAC team is analyzing the next potential cyber crime campaign, which is thought to target PayPal clients. Results will be shared with you in an upcoming post here on LinkedIn.

Ferenc Fresz