Forescout Cyber Weekly Roundup
November 25, 2019
Retail
Black Friday is coming, MageCart cybercriminals skim Macy’s, customer payment info stolen: Following previous FBI warnings about e-commerce data threats, Macy’s, one of the biggest retailers in the US, announced a MageCart supply chain attack and a “small number” of customer payment records stolen. The attack relied on malicious code to intercept and save (skim) payment data of customers; This malicious code was injected alongside the everyday scripts used on the Macy’s website. This is not the first time we’re writing about the risks MageCart cybercriminals pose to e-commerce, so the best strategy is to remain calm, be on the lookout for identity theft and fraud, use disposable prepaid debit cards, and shake it up this holiday season by dipping into the cash-stash under the mattress and get on out there—to risk getting pickpocketed on the way to the store in real life.
Ransomware / Healthcare
Ryuk strikes back, this time at the veterinarian: We are always concerned about human healthcare, but last month, a company operating over 700 animal care facilities globally was attacked with Ryuk, malware known for high-profile ransom extortion incidents, obstructing access to health records, payment information, and general management software. The systems should be up and running again anytime soon, and employees claim that no animal was turned away because of the attack, but we still don’t know whether the ransom was paid or is there another way around it since the company declined to comment on it.
https://krebsonsecurity.com/2019/11/ransomware-bites-400-veterinary-hospitals/
Editor’s Choice
Android Camera app exploit might see and hear us undetected: Unsuspicious permissions in Android, specifically in Google Pixel and Samsung devices, could potentially be exploited to access not only our photo and video gallery, but record video and audio (including conversations) without ever alerting the user. Researchers have created an app that asks for storage access – a pretty common permission request from a mobile app – and this one permission is all it takes to overtake and control our phone remotely. Experts are saying it’s always a smart move to cover your smartphone camera, but how to protect yourself against your calls being recorded? The only dead giveaway that we are being listened to would be a sudden spike in network activity in a visibility tool – so it’s good to have one along with a plastic camera cover.
Operational Technology / Industrial Control Systems
Established Middle Eastern hackers now target industrial control supply chain: Iranian hacking group APT33 has reportedly started attacking physical control systems and critical OT infrastructure instead of their typical IT targets. As the group’s history spreads across the entire Middle East, with occasional ventures even to the US, results of their activity might be disastrous. Over 2,000 organizations were attacked by the group only in the last two months, including manufacturers, suppliers, or maintainers of industrial control system equipment. This type of supply chain attack can be very viral, as it is speculated that the group is trying to use industrial equipment to go downstream and use the infected systems to attack end-users, but their motives remain largely unknown outside of speculation. Whatever their reasoning might be, the article describes what could happen in attacks like this – and even though Iran is suffering from a massive, government-induced internet blackout, we wouldn’t advise to ignore this threat.
https://www.wired.com/story/iran-apt33-industrial-control-systems/
Financial Services
If you didn’t update yet, do it now: Oracle E-Business Suite customers that neglected to update the platform in their system might be vulnerable to a bug used for bank fraud. Even though the update is available since April, statistics show that around half of all companies using the suite have not patched their devices yet. As Oracle is one of the leading providers of services to financial institutions, this might provide a lot of headache for banks, who not only might be used in attacks, but also be a target of them. Device visibility includes monitoring its software status, and we cannot stress this enough – bank fraud should be a good enough reason to make sure you stay up to date. Remember BlueKeep? It targeted old, legacy systems. If half of enterprises haven’t updated Oracle apps on their critical infrastructure, how aligned with risk management are we really?
https://www.theregister.co.uk/2019/11/20/oracle_ebs_flaws/
Ransomware / State, Local, Education
Louisiana state government compromised: This week we’re covering two stories regarding ransomware. We talk about this a lot, but it’s crucial to follow the stories to know the possible outcome and importance of being prepared. The first story details how Louisiana state government was hit by an attacker that managed to shut down multiple websites and e-mail systems – for a second time in the last few months. Last July, Louisiana Governor John Bel Edwards declared a state-wide emergency after an attack on networks related to emergency services and schools. This time, most of the servers were saved from penetration, but only because the state IT department shut off some services, rendering them useless.
https://www.tripwire.com/state-of-security/featured/ransomware-strikes-again-state-louisiana/