Category Archives: 2020

Visa urges the public to be aware of the Baka skimmer attack (Baka credit card skimmer bundles stealth, anti-detection capabilities) – Sep 2020

Preface: Visa identified a previously unknown eCommerce skimmer, and named the skimmer ‘Baka’.

Synopsis: The malicious JavaScript code is designed to avoid detection by modern defense systems. Baka has stealth and anti-detection capabilities.
According to an alert from Visa’s Payment Fraud Disruption (PFD) division, the skimmer also attempts to avoid detection and analysis by “removing itself from memory when it detects the possibility of dynamic analysis with Developer Tools or when data has been successfully exfiltrated”.

Reference: Visa security alert – https://usa.visa.com/content/dam/VCOM/global/support-legal/documents/visa-security-alert-baka-javascript-skimmer.pdf

Additional: A brief description of the attack concept: the attacker sneaks some malicious JavaScript (usually via a <script> tag) into your HTML, which is then executed.

How to protect against this attack?
– Sanitizing at the URL parameter layer
– Sanitizing at the templating layer

Ransomware hits Jack Daniel’s, said Bloomberg News – August 15, 2020

Preface: Whiskey production involves multiple procedures carried out in potentially hazardous atmospheres. The LB Remote I/O System connects sensors and actuators to the DCS via PROFIBUS. In terms of application, a DCS is suitable for whiskey production and complex control processes.

Incident background: Brown-Forman Corp., a manufacturer of alcoholic beverages including Jack Daniel’s and Finlandia, said it was hit by a cyber-attack in which some information, including employee data, may have been impacted. Please refer to the link for more details – https://www.bloomberg.com/news/articles/2020-08-14/brown-forman-was-target-of-apparent-ransomware-attack

Technical details of ransomware: The sender of an anonymous message to Bloomberg claimed to have hacked Brown-Forman and compromised its internal network. The ransomware is known as REvil. Its infection mechanism relies on a Microsoft design weakness (CVE-2018-8453).

As usual, the ransomware copies the data and then writes data to the registry. The ransomware process destroys all shadow volumes on the victim machine and disables the protection of the recovery boot. Finally, it encrypts files in all logical units and network shares, and displays the ransom notice on the screen.

Recommendation: To avoid ransomware attacks, follow the vendor's patch management and keep the antivirus program up to date.

Australia (ACSC) urges local citizens to be vigilant against cyber attacks. The so-called copy-paste compromises – 18th June 2020

Preface: Australia’s government and institutions are being targeted by ongoing sophisticated state-based cyber hacks, Prime Minister Scott Morrison says. Mr Morrison did not name specific cases but said it had spanned “government, industry, political organizations, education, health, essential service providers and operators of other critical infrastructure”. 19th June 2020

Technical details: Long story short, this attack is nicknamed ‘Copy-Paste Compromises’. The name is derived from the attacker's heavy use of proof-of-concept exploit code, web shells and other tools copied almost identically from open source. For more details, please refer to the link below to download the report.

https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf

Attack highlights: Web shells are difficult to detect as they are easily modified by attackers and often employ encryption, encoding, and obfuscation. When a potential web shell is detected, administrators should validate the file’s origin and authenticity.

Recommendation: Under normal circumstances, hits on a firewall lock-down rule (deny any source to any destination) are hard to analyze by eye. But this attack is directed at Australia. To avoid a cyber attack on your firm, firewall administrators should check their SIEM to see whether it reveals any hints. If no such facility is installed, export the web server log and see whether you can find details of the attack activity.

Data breaches spread to banking enterprises, and Bank of America is no exception – 28th May 2020

Background: The PPP provides small businesses with forgivable loans of up to $10 million per company (8 weeks of payroll). This program was launched on April 3, 2020; it is a forgivable loan program offered primarily to help businesses deal with the adverse consequences of COVID-19.

Point of view: Cybercrooks leveraged malicious macros hidden inside XML files to distribute the Dridex financial malware a few years ago; that happened in 2015. From my point of view, the incident this time has similarities.

Possibility: Based on the features below, we can predict that the attacker may rely on a design weakness in these features to conduct the attack.

Accessing E-Tran – E-Tran options:
• Loan data file transfer in XML format (from a software vendor’s product or from a bank’s proprietary system) to the SBA’s E-Tran database
• A Web page where lenders can enter loan information on individual loans

One of the ways: XML injection attacks typically occur like this. An attacker injects malicious JavaScript markup as escaped text in an XML document. The XML document is then parsed by an XML application. Later, the content of the XML element that contains the malicious JavaScript markup is used as input data for a website.
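The flow described above, as an added example that is not from the original post or from any SBA or bank system: escaped text in an XML element turns back into live markup once parsed, and encoding it at the templating layer (the defence listed in the Baka entry above) keeps it inert. The XML record, element names and function names are constructed for illustration, and the tiny extractor stands in for a real XML parser.

```javascript
// Added example: the XML record, element names and function names are constructed.
// The markup travels as escaped text, so the document is well-formed XML.
const SAMPLE_XML = '<loan><id>1001</id><businessName>' +
  'Acme &lt;script&gt;alert(1)&lt;/script&gt;</businessName></loan>';

const XML_ENTITIES = new Map([
  ['lt', '<'], ['gt', '>'], ['amp', '&'], ['quot', '"'], ['apos', "'"],
]);

// Decode predefined entities and numeric character references in one pass,
// as an XML parser does when it hands element text to the application.
function decodeXmlText(s) {
  return s.replace(/&(#x[0-9a-fA-F]+|#[0-9]+|[a-z]+);/g, (m, ref) => {
    if (ref[0] !== '#') return XML_ENTITIES.get(ref) ?? m;
    const cp = ref[1] === 'x' ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
    return cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Minimal text extraction for a flat element; stands in for a real XML parser.
function elementText(xml, tag) {
  const m = xml.match(new RegExp(`<${tag}>([^<]*)</${tag}>`));
  return m ? decodeXmlText(m[1]) : null;
}

// Output encoding for HTML text and quoted-attribute contexts.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: parsed text is concatenated into markup unchanged.
function renderUnsafe(name) {
  return `<td class="biz">${name}</td>`;
}

// Hardened: the value is encoded at the templating layer.
function renderSafe(name) {
  return `<td class="biz">${escapeHtml(name)}</td>`;
}

function demo() {
  const name = elementText(SAMPLE_XML, 'businessName');
  return { name, unsafe: renderUnsafe(name), safe: renderSafe(name) };
}

console.log(demo());
```

The XML passes well-formedness checks because the payload contains no literal angle brackets; the encoding has to happen where the value is written into HTML, not where the XML is accepted.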

Official announcement – Please refer to the following link: https://oag.ca.gov/system/files/2020-3523_Privacy_Notification_Final_Template%20%28P%29.pdf