This week we are covering three emerging stories in the weekly threat report. First, we’ll cover a newly discovered case of ATM skimmers being installed at banks. Then we’ll transition to two digital threats. The first is related to the reuse of breached credentials in brute force attacks against the financial sector and the second is related to Microsoft’s battle against phishing attacks targeting the upcoming mid-term elections.
Two ATM Skimmers Found at Old Second Bank
Authorities from Aurora Police Department are investigating ATM skimmers found at two Old Second Bank branches in Aurora. The first ATM skimmer was found at 1300 block of North Farnsworth Avenue by an Old Second Bank employee at around 6:30AM. The employee saw a woman walking up to the ATM and acting suspiciously. When the woman left the area, the bank employee checked the ATM with the ATM skimmer and notified other branches of possible skimming which in turn identified the second ATM skimmer at the Fox Valley branch. Investigators are looking through security footages and already released surveillance photos related to the ATM skimming incident. The police are advising bank account holders to immediately report any possible identity or card theft to their bank.
Credential Stuffing Attacks Focused on Financial Sector
Cybersecurity firm Akamai has recently released its “2018 State of the Internet / Security – Credential Stuffing Attacks Report”. The report shows that organizations, particularly in the financial sector, should be cautious about credential stuffing attacks. Credential stuffing is considered to be login attempts utilizing passwords recovered from a breach. The trend of malicious login attempts is on the rise because botnets are being used to automate credential stuffing, and according to the researchers, it has a Distributed Denial of Service (DDoS) effect. Researchers have documented over 30 billion malicious login attempts from November 2017 to June 2018.
Akamai recorded two particular cases of credential stuffing with the use of heavy-handed botnet operation. First is an unnamed Fortune 500 company where login attempts average from 50,000 an hour to over 350,000 in a single afternoon. The botnet generated 8.5 million malicious attempts in six days. The second is a US credit union that receives 45,000 login attempts every 60 minutes. Another botnet that used a brute-force attack generated 4.2 million attempts in 7 days. Researchers have noted that the US, Russia, and Vietnam are the primary sources of credential stuffing attacks.
Researchers have mentioned that credential stuffing attacks are continuously evolving their methodologies - from volume-based noisier attacks to stealthy low and slow attacks. Without the right defense and expertise, top to bottom organizations alike would fall victim to such attacks.
APT28 Uses Bitcoin to Register Midterm Election Phishing Domains
RiskIQ conducted an investigation into domains that Microsoft sink-holed, which were used in phishing activity that Microsoft attributed to APT28. Microsoft was able to tie the domains in question back to APT28 by tracking historical infrastructure and following the tactics, techniques, and procedures (TTPs) associated with the group over the past few years. The domains were styled to mimic US Senate domains, along with think tanks Hudson Institute and the International Republican Institute. These domains are currently sink-holed at Microsoft’s IP 188.8.131.52. The subdomains target mail servers, or emulate Microsoft products, associated with the domains below:
- senate[.]group [adfs.senate[.]group]
- my-iri[.]org [Sharepoint.my-iri[.]org]
- hudsonorg-my-sharepoint[.]com [Mail.hudsonorg-my-sharepoint[.]com]
- office365-onedrive[.]com [Mail.office365-onedrive[.]com]
RiskIQ found that APT28 exclusively used domain registrars and hosting providers that accept Bitcoin as payment. This is typical for APT28, who maintain multiple command and control servers for varying durations, cycling the hosting IP, while using registrars that accept Bitcoin, fake phone numbers and names, and use of a registrant email address derived from the domain being registered. The connection to old infrastructure was on the IP 154.16.138[.]57 which hosts vpn647639221.softether[.]net, a VPN service abused by APT28 according to the Department of Justice. This IP also hosted ‘mail[.]office365-onedrive[.]com’ on June 26th. The domains also had connections to disinformation campaigns, as the domain americafirstpolitics[.]com is hosted on Namecheap’s IP, 184.108.40.206, which also hosts of office365-onedrive[.]com. Historical information shows the domain americafirstpolitics[.]com hosting typical disinformation articles and content.
Hosting providers abused by APT28 include Bacloud, Frantech, GloboTech Communications, Info-Tel, MonoVM, Namecheap, Public Domain Registry, and Swiftway. Domains were hosted on various IPs, from rapid cycling that lasted less than a month to domains on Bacloud that were hosted for nearly a year (adfs-senate[.]services was hosted on 185.25.51[.]64 from September 2017 to August 2018). RiskIQ noted that some subdomains were hosted only for a day or two before being taken offline, saying “APT28 [may have] launched attacks from these domains then rapidly disabled routing/hosting to avoid detection or capture of their phishing or malware pages.”
Several of the servers had open ports used for Microsoft’s remote desktop protocol, while others presumably ran SSH on port 22. Almost all, except 220.127.116.11, ran HTTP with a few running HTTPS as well. The IPs 18.104.22.168 and 22.214.171.124 had some ports open that were almost matching, the only differences being the former having port 22 open while the later opened 49157, which is usually assigned dynamically. Interestingly, they also have ports open, typically used, for NetBIOS and Distributed COM Service Control Manager, which should not be exposed to the internet as it can be used to quickly identify every DCOM-related server/service running on a machine for exploitation. The IP 126.96.36.199 had port 25 open, which is used for SMTP and could be indicative of its use for sending phishing emails.