This week saw a second banking trojan released in the region, targeting payment service providers and the three top banks in Brazil. The World Anti-Doping Agency also suffered a data breach with over 3,000 of their email addresses leaked online. The WADA has come under criticism lately for their scathing indictment of the Russian national team’s widespread doping, and subsequent willingness to allow the Russian athletes to compete after all.
Speaking of Russia, they’re (once again) widely considered to be behind the hack of the Equation Group - the sophisticated offensive cyber unit that is believed to belong to the NSA. There’s a growing consensus that Russia wanted something to leverage in the event of US retaliation against them over the DNC hacks, in spite of many NSA employees’ claims that an agency insider is the more likely culprit.
Olympic Exploits: Going for Gold
The Olympics are still in full swing heading into the last week of the games, and so are security threats. A new banking trojan called Zeus Sphinx was unleashed, following the Zeus Panda trojan from last week. Zeus Sphinx is targeting online banking and Boleto payment services for three top Brazilian banks as well as a bank in Colombia.
As we discussed last week, these types of major events (especially events drawing in tourists or visitors) are prime real estate for POS and banking exploits. Attendees are unfamiliar with their surroundings, and are likely to be distracted; people want to get their money and go. Banks, both at home and abroad, are dealing with a large volume of transactions, and financial institutions are stuck between wanting to protect their users and not wanting to freeze accounts too easily. No one wants to answer the call of an unhappy customer who has a card denied while trying to do some Olympic shopping in Rio.
The World Anti-Doping Agency was also hacked, and had over three thousand emails leaked as a result. The timing of this breach is undeniably linked to the Games; Russia has been criticized this year after an investigation confirmed the state manipulated the doping control process. Australia’s official swimming website was also DDoSed this week, an act largely considered retaliation for Australian Mack Horton calling Sun Yang, one of China’s swimmers, a “drug cheat.” These sorts of breaches and leaks are a perfect example of exploits done for reasons other than financial gain; some attacks stem from a sense of patriotism, or from a feeling of being “wronged” and a desire to retaliate.
Kaspersky Lab, the security firm known for monitoring the sophisticated cyber unit known as the “Equation Group”, said that the 300MB of tools and exploits leaked by the Shadow Brokers shared a strong connection to the Lab’s previous findings from the Equation Group.
Cisco also confirmed that two vulnerabilities for their products from the leaked Equation Group’s archive are legitimate. The two exploits, “EPICBANANA” and “EXTRABACON,” can be used to remotely execute programs on Cisco’s firewall products. Cisco was aware of one vulnerability, but blind to the other.
The Shadow Brokers are selling the rest of the archive for one million Bitcoin (over $550 million). That kind price tag raises the question of whether the Shadow Brokers actually intend to sell the exploits, or if they’re simply using the listing as a publicity stunt.
One more thing:
This week, Matchlight detected the resurgence of a dark web gun market that sells rifles, handguns, silencers, and body armor. The vendor claims to build and modify small arms and that they “have been in the arms industry for many years.”