Coming up this week on Breaking Badness. Today we discuss: Dutch-Bangla Bank Suffers from Withdrawal Symptoms, I Squid You Not, and B-E-C Easy as 1-2-3.
Here are a few highlights from each article we discussed:
Dutch-Bangla Bank Suffers from Withdrawal Symptoms
- Silence appears to have been around for about 3 years or so, and they seem to have grown in sophistication and reach pretty quickly. IB-group noted that they made some rookie moves at the beginning, but have been upping their game.
- They started out targeting Russian and former Eastern Bloc countries’ banks, but since then they’ve grown up in the world and expanded their operations to Latin America, Asia, and Europe. Not much activity in North America that we’re aware of, though there might be a connection between Silence and another actor group called TA505, and if they are connected, then that means there’s been some activity in the US as well. As of today, according to IB group, they’ve tallied up over $4million in ill-gotten gains.
- Like so many actor groups, they seem to start in a lot of cases with phishing. Their recon emails don’t actually have a malicious payload, but they do give them a list of working email addresses to go with. They’ve sent hundreds of thousands of these, with their biggest campaign to date, this Asian campaign, involving around 80,000 of them just for that one.
- Like so many actor groups, they seem to start in a lot of cases with phishing. Their recon emails don’t actually have a malicious payload, but they do give them a list of working email addresses to go with. They’ve sent hundreds of thousands of these, with their biggest campaign to date, this Asian campaign, involving around 80,000 of them just for that one.
I Squid You Not
- Last week, Trend Micro did a responsible disclosure of a buffer overflow vulnerability within Squid. The vulnerability allows for either a Remote Code Execution or DoS attack. The affected versions of Squid are 4.0.23 through 4.7.
- There are two services that are affected by this vulnerability.
- The “cache management reports” service, for displaying statistics about what is being cached.
- FTP service.
- Attack vector is through Basic HTTP Authentication.
- HttpHeader::getAuth() function that handles authentication that defines a buffer of size 8192 bytes to hold the base64 decoded credential info. But the function does not check if the decoded credential info is longer than the buffer size. This can lead to what’s called a buffer overflow.
- Good news: it takes a carefully crafted http header to cause a Remote Code Execution (RCE).
- Bad news: you don’t need to know exactly how to do all that to cause harm.
- Passing in a large blob of credential info, larger than the buffer size would most likely cause the proxy service to crash.
B-E-C Easy as 1-2-3
- The exact steps used by the attackers in this scenario weren’t publicly disclosed.
- Most often these attacks start with very targeted spearphishing emails, targeting either at the victim or someone the victim trusts.
- In this case, attackers posed as one of the school district’s construction contractors, and was able to trick school employees into authorizing a payment. The attackers even went so far as to make their bank account look like the construction company’s bank account.
This Week’s Hoodie/Goodie Scale
Dutch-Bangla Bank Suffers from Withdrawal Symptoms
[Tim]: 5/10 Hoodies
[Turbo]: 6/10 Hoodies
I Squid You Not
[Tim]: 4/10 Hoodies
[Turbo]: 4.3/10 Hoodies
B-E-C Easy as 1-2-3
[Tim]: 5/10 Hoodies
[Turbo]: 6/10 Hoodies
That’s about all we have for this week, you can find us on Twitter @domaintools, all of the articles mentioned in our podcast will always be included on our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!