Weekly Threat Report - 10th August 2018
Reports are drawn from recent open source reporting.
Social engineering to gain access: SIM swapping
SIM swapping (also known as ‘SIM splitting’) emerged several years ago but is on the increase as mobile phone numbers become more widely used as part of security checks. The scam sees attackers access victims’ texts, calls and other sensitive information, including security codes used as part of two-factor authentication (2FA).
To be successful, attackers first need personal information, gleaned through various forms of phishing, purchasing victims’ details from organised crime networks, or by conducting open source research. Social media sites can also contain sufficient information for attackers to masquerade as genuine customers.
Next, the attacker contacts the victim’s mobile phone provider, answers basic security questions and convinces the provider to transfer the phone number to a new SIM. The attacker (who has the new SIM) then has access, while the genuine account owner is blocked.
The attacker may then contact the victim’s bank, posing as the victim and claiming to have forgotten a PIN or other details. The bank will usually send a text message containing a new activation code, allowing the attacker to take funds directly from the bank account.
Most victims will not discover they have been compromised until they are unable to make a call or send a text message.
SIM swapping is not new, but, with the increased use of smartphones for security checks for Internet banking and other financial transactions, incidents will likely be on the increase. UK banks are aware of SIM swapping and have taken steps to improve security after a number of cases in 2016.
Action Fraud, the UK’s National Fraud and Cyber Crime Reporting Centre, has previously issued SIM swap fraud warnings and advice on their website. The NCSC has recently published its 2FA guidance for individuals.
US payment processing services targeted by BGP hijacking attacks
Three United States payment processing companies were reportedly targeted by Border Gateway Protocol (BGP) hijacking attacks on their DNS servers in July.
BGP is a key protocol used for routing internet traffic around the world. The security of the internet as a whole depends on routing security, which makes BGP a major security concern; however, BGP is decades old and security was not built into it.
These Internet routing attacks were designed to redirect traffic directed at the payment processors to servers controlled by malicious actors, who would then attempt to steal the data.
The affected vendors have not commented so far, and there is no information on what, if any, data was compromised.
In April 2018, a similar attack affected traffic to and from Amazon's Route 53 DNS service and allowed traffic directed at MyEtherWallet to be redirected to a fake version of the site hosted in Russia. The attack, featured in our Threat Report on 4 May, saw hackers steal $160,000 worth of cryptocurrency.
In the UK, the NCSC’s Active Cyber Defence Programme is working to mitigate the potential for UK BGP attacks.
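Because BGP itself carries no proof that an announcing network is entitled to a prefix, the usual defensive check is Route Origin Validation (RFC 6811) against published Route Origin Authorisations (RPKI ROAs). The following is an added example, not code from the report or from any of the affected processors; the prefixes and AS numbers are constructed from the documentation ranges and the ROA list is an assumed stand-in for data a validator would fetch from RPKI. It classifies observed announcements as Valid, Invalid or NotFound, so that a hijack that announces someone else's prefix, or a more-specific prefix than the holder authorised, shows up as Invalid.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorisation: the holder of `prefix` permits `origin_asn`
    to announce it and any more-specific prefix down to `max_length` bits."""
    prefix: str
    max_length: int
    origin_asn: int


# Constructed sample data: documentation prefixes (RFC 5737) and documentation
# ASNs (RFC 5398). These are illustrative, not any real operator's prefixes.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 25, 64497),
]

SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),       # legitimate origin and length
    ("192.0.2.0/25", 64496),       # right origin, but more specific than the ROA allows
    ("192.0.2.0/24", 64500),       # wrong origin: the classic hijack pattern
    ("198.51.100.128/25", 64497),  # more-specific within maxLength: authorised
    ("203.0.113.0/24", 64500),     # no ROA covers it, so nothing to validate against
]


def validate_origin(prefix, origin_asn, roas):
    """RFC 6811 Route Origin Validation for one announcement.

    NotFound: no ROA covers the prefix.
    Valid:    some covering ROA names this origin and the announced length
              does not exceed that ROA's maxLength.
    Invalid:  covering ROAs exist but none matches origin and length.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NotFound"
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "Valid"
    return "Invalid"


def audit_announcements(announcements, roas):
    """Return (prefix, origin_asn, state) for every announcement that is not Valid."""
    findings = []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        if state != "Valid":
            findings.append((prefix, asn, state))
    return findings


if __name__ == "__main__":
    for finding in audit_announcements(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS):
        print(finding)
```

Origin validation only checks the AS at the end of the path. An attacker who forges a path ending in the legitimate origin AS passes this check, which is why ROV is a detection and filtering aid rather than a complete defence, and why path validation schemes exist alongside it. The NotFound state is common in practice because many prefixes still have no ROA; policy usually treats it as "accept but log".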
Bitpaymer: Cyber attack against Alaskan local government
The Alaskan local government borough of Matanuska-Susitna (Mat-Su) has confirmed they suffered a large scale, disruptive cyber attack in July, caused by a multi-faceted malware package containing Bitpaymer ransomware.
The malware infected virtually all of Mat-Su’s IT infrastructure and saw the borough revert to typewriters and hand-written receipts.
Antivirus software indicated that the Emotet banking trojan had infected many of the borough’s Windows 7 systems. As IT technicians removed the trojan, Bitpaymer ransomware was activated and spread throughout the network causing the following effects:
Most workstations and servers rendered inoperable
Telephone and email networks knocked offline
Swipe card door entry disrupted
Attacker access to the user credential database
The scale of damage and disruption caused was more serious than previous Bitpaymer attacks, such as one that affected several Scottish hospitals in August 2017, and with which the NCSC assisted.
Although the path to compromise is unclear, Bitpaymer has previously used Remote Desktop Protocol (RDP) brute forcing to gain access to a network before spreading the malware manually on each system.
The NCSC has published advice on ransomware mitigation measures and incident management, as well as the importance of updating operating systems.
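RDP brute forcing of the kind mentioned above leaves a distinctive trail in Windows Security logs: bursts of failed logons (event 4625) from one source address, often across several usernames, sometimes followed by a success (event 4624). The following detection is an added example, not code from the report or from the borough's IT team; the log records are constructed and reduced to the fields the logic needs (timestamp, event ID, logon type, source address, target user), and the threshold and window are assumed values a team would tune to its own baseline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records shaped like Windows Security events 4625 (failed
# logon) and 4624 (successful logon). Logon type 10 is RemoteInteractive (RDP);
# type 3 (Network) is what RDP with Network Level Authentication records on
# failure, so both are treated as RDP-relevant here. Type 2 is a local console
# logon and is ignored.
SAMPLE_EVENTS = [
    ("2018-07-23T02:14:01", 4625, 10, "203.0.113.45", "administrator"),
    ("2018-07-23T02:14:09", 4625, 10, "203.0.113.45", "admin"),
    ("2018-07-23T02:14:17", 4625, 10, "203.0.113.45", "administrator"),
    ("2018-07-23T02:14:26", 4625, 10, "203.0.113.45", "backup"),
    ("2018-07-23T02:14:34", 4625, 10, "203.0.113.45", "helpdesk"),
    ("2018-07-23T02:14:42", 4625, 10, "203.0.113.45", "scanner"),
    ("2018-07-23T02:14:51", 4625, 10, "203.0.113.45", "backup"),
    ("2018-07-23T02:16:02", 4624, 10, "203.0.113.45", "backup"),   # success after the burst
    ("2018-07-23T02:20:11", 4625, 10, "198.51.100.7", "j.smith"),  # a user mistyping
    ("2018-07-23T02:20:30", 4625, 10, "198.51.100.7", "j.smith"),
    ("2018-07-23T02:21:00", 4624, 10, "198.51.100.7", "j.smith"),
    ("2018-07-23T02:25:00", 4625, 2, "-", "svc_local"),            # console logon, ignored
]

RDP_LOGON_TYPES = {3, 10}


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window count of failed RDP logons per source address.

    Raises one alert per source once `threshold` failures fall inside `window`,
    keeps the alert's attempt count and username set up to date as the burst
    continues, and records a later successful logon from the same source as
    `succeeded_as`, the signal that most needs an immediate response.
    """
    recent = defaultdict(deque)   # source -> deque of (time, user) inside the window
    alerts = {}
    for ts, event_id, logon_type, src, user in sorted(events, key=lambda e: e[0]):
        if logon_type not in RDP_LOGON_TYPES or src == "-":
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            q = recent[src]
            q.append((t, user))
            while q and t - q[0][0] > window:
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {
                    "source_ip": src,
                    "first_seen": q[0][0],
                    "last_seen": t,
                    "attempts": 0,
                    "distinct_users": set(),
                    "succeeded_as": None,
                })
                alert["last_seen"] = t
                alert["attempts"] = max(alert["attempts"], len(q))
                alert["distinct_users"].update(u for _, u in q)
        elif event_id == 4624 and src in alerts:
            alerts[src]["succeeded_as"] = user
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The two-tier output matters in triage: a burst of failures is worth a ticket, but a burst followed by a 4624 from the same address is the case to treat as a live intrusion, since Bitpaymer operators have been described as spreading manually once inside. Legitimate users mistyping a password stay below the threshold, as the second source address in the sample shows.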
Malware targets cryptocurrency ATMs
Trend Micro have reported that malware specifically designed to target cryptocurrency ATMs is being sold on the DarkNet for $25,000 by an apparently established user who regularly sells ATM and other financially-related malware.
The malware, advertised as exploiting a service vulnerability and accompanied by a ready-to-use card once purchased, purports to allow the user to steal Bitcoin worth 6,750 USD/EUR/GBP at a time from bitcoin exchanges.
The Bitcoin news portal Bitcoinist says there are around 3,500 cryptocurrency ATMs across the world (compared to around 300 million traditional fiat currency ATMs), but this number is set to rise if the trend follows last year’s four-fold increase.
There is currently a lack of standard security and verification standards for cryptocurrencies, and an ever-growing number of cryptocurrency offerings and exchanges. While the price and popularity of cryptocurrencies continue to grow, we assess that illicit actors will increase efforts to obtain and profit from these currencies including through theft, speculation, fraud, illicit mining, and abuse of new cryptocurrency offerings.
Increase of mobile phone enabled fraud
Last week the social news aggregator Reddit reported a data breach that saw hackers able to access a backup system containing user data, including email addresses, and a 2007 database with usernames and hashed passwords. Several Reddit employees' accounts connected to cloud and hosting providers were compromised.
The company employed an SMS-based two-factor authentication system where a one-time passcode was used to access systems, along with a password. The hack was accomplished by intercepting SMS messages, circumventing Reddit’s 2FA system. See the NCSC’s advice following the Reddit breach.
SMS-based verification tokens can be stolen with a variety of well-known techniques, including social engineering, mobile malware, exploitation and intercept of legacy telephone signalling systems, or by directly intercepting and decrypting signals from cell towers.
In May 2017, a major German mobile service provider confirmed that cyber criminals had exploited signalling vulnerabilities to bypass 2FA to make unauthorised withdrawals from users' bank accounts. After compromising victim computers, the attackers purchased access to a fake telecoms provider and set up redirects from the victims' phone numbers to lines controlled by them; hence the 2FA confirmation SMS messages were rerouted.
SIM swapping is another increasingly popular method. See the related article in this report, ‘Social engineering to gain access: SIM swapping’.
Last week, Californian authorities stated that a 20-year-old college student was facing 28 criminal charges for targeting and hijacking more than 40 phone numbers belonging mainly to Bitcoin investors and had allegedly stolen $5 million worth of Bitcoin.
These recent attacks have stimulated debate about the insecurities surrounding the use of SMS-based authentication. In the face of a determined attacker, SMS-based 2FA will not provide absolute protection, but despite the flaws in the system SMS 2FA is still better than not using 2FA at all.
The NCSC published 2FA guidance for individuals this week.