Friday Five: 1/15 Edition
Catch up on infosec news with our roundup of the top headlines from this week.
Happy Friday! Here’s our recap of this week in cyber security.
One of last week’s biggest stories in security was the discovery that a Ukrainian power outage was at least partially caused by a malware attack. The news sparked debate over the potential for an increase in cyber attacks targeting critical infrastructure in the near future; while some took the news as a sure sign of an impending “cyberwar,” others downplayed their predictions with claims that squirrels are still the biggest threat to critical infrastructure today. On Tuesday, Kim Zetter published an article covering a newfound vulnerability that may make critical infrastructure hacking far more simple than initially anticipated. In short, the majority of variable-frequency drives employed by motors in several different types of infrastructure – such as “fans and pumps in water plants, mining operations and in heating and air conditioning systems” – are susceptible to speed manipulation due to read/write controls that lack any form of authentication. According to Reid Wightman, the researcher behind the discovery, this vulnerability requires relatively low skill and could already be used successfully against infrastructure targets accessible via the internet. Read the article for more.
2. Android malware steals one-time passcodes to hijack accounts protected by two-factor authentication by Jeremy Kirk
New research has discovered that a piece of Android malware is capable of intercepting one-time passcodes sent by two-factor authentication systems common to online banking applications and other high-sensitivity web apps. The malware is called Android.Bankosy and can intercept passcodes sent via SMS as well as redirect phone call-based passcodes to attackers. This malware could enable attackers who have obtained victims’ user names and passwords through previous data breaches or social engineering tactics to circumvent the security provided by two-factor authentication and hijack victims’ accounts. For more on this threat, read the article.
This week saw the release of a new report from the Cloud Security Alliance with some troubling findings on the success of cyber attacks that employ ransom tactics: one quarter of the 209 IT security and tech professionals polled would be willing to pay ransoms up to $1 million to buy back or prevent the release of stolen data. The Cloud Security Alliance’s survey supports the conclusion of a San Francisco Chronicle article from last week which reported that large tech firms often buy back stolen data following data breach incidents. The fact that so many companies are seemingly willing to pay these ransoms offers massive incentives for cybercriminals, a sign that doesn’t bode well for those tasking with securing systems and data against these attacks. For more findings from the Cloud Security Alliance’s latest survey, read this article.
Another malware discovery this week came from ZScaler’s ThreatLabZ, who found a new family of malware that masks itself using compromised certificates and enables attackers to monitor victims’ activity on infected devices. ThreatLabZ researchers have named the malware family Spymel. Upon infection, the malware uses keyloggers to monitor user activity and steal information, which is then relayed back to attackers, assumedly for use in further attacks or fraud. For more on the Spymel Trojan, read this article.
Even Major League Baseball is starting to see hacking attacks as means for harvesting competitive intelligence. This week’s headlines brought some resolution to last year’s case in which a St. Louis Cardinals official was charged with hacking into the Houston Astros recruiting database. Last Friday, former Cardinals director of baseball development Christopher Correa plead guilty to illegally accessing the Astros’ scouting database from March 2013 to March 2014. Correa faces up to five years in prison for five counts of “unauthorized access of a protected computer” – each of which carries a potential fine of $250,000. For more on the Astros/Cardinals hacking case, read the article.