By Frank Crast and Andrew Pierce, 12/28/2014

Securezoo is pleased to release our Security Threat and Intelligence Report Volume 7, the latest report on new threats and vulnerabilities being exploited in the wild, along with mitigation guidance and fixes as they become available. In this report, we include the latest updates on the DDoS attacks against the Sony PlayStation Network and Xbox Live gaming services, a new WordPress malware campaign, the new banking trojan Vawtrak, and the JPMorgan data breach.

JPMorgan data breach linked to missing 2FA

The data breach of over 80 million JPMorgan Chase & Co customer household and business personal records could have been prevented if two-factor authentication (2FA) had been deployed on critical banking servers, according to a New York Times report and an internal investigation. As noted in the report, JPMorgan failed to secure a banking server on its network that should have required 2FA (a second, one-time password used in addition to the normal login and password) to access critical banking services. Attackers were thus able to use stolen credentials to access the server and steal customer emails, street addresses and phone numbers.

The company assured customers that no financial account or password information was stolen, since the attack was stopped soon after the breach was discovered and before further damage could occur. Although the origin of the attack was not known, JPMorgan found that the attackers may have been the same group that earlier breached a website used for a charity event the bank sponsored.

Guidance: Implement 2FA for remote access and on sensitive company systems. Examples include cloud administrator consoles and websites, DNS registrar accounts, and internal or cloud systems used to store or process customer information.
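The second factor described above (a one-time password checked in addition to the login and password) as an added example, not code from Securezoo or JPMorgan: an RFC 6238 TOTP implemented with Python's standard library, wired into a login check that fails when the stolen password arrives without a current code. The user record, the password "hunter2" and the TOTP seed are constructed for the demo.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

PBKDF2_ROUNDS = 100_000  # constructed demo setting; tune for production hardware


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s time step) computed from the standard library."""
    counter = struct.pack(">Q", unix_time // step)          # 8-byte big-endian counter
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def make_user(password: str, totp_seed: bytes) -> dict:
    """Constructed user record: salted PBKDF2 password hash plus the TOTP seed."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_seed": totp_seed}


def login(user: dict, password: str, otp: Optional[str], now: Optional[int] = None) -> bool:
    """Return True only when BOTH the password and a current one-time code verify."""
    now = int(time.time()) if now is None else now
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(candidate, user["pw_hash"])
    # A stolen password alone must never be enough: no code, no session.
    if otp is None or not (otp.isascii() and otp.isdigit()):
        return False
    # Accept the current step and one step either side to tolerate clock drift.
    otp_ok = any(hmac.compare_digest(totp(user["totp_seed"], now + drift), otp)
                 for drift in (-30, 0, 30))
    return pw_ok and otp_ok
```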


WPcache-Blogger (another WordPress) malware campaign

Security firm Sucuri discovered yet another WordPress vulnerability and malware campaign exposing thousands of WordPress sites. Coming days after the "SoakSoak" malware campaign was discovered, this new malware, "WPcache-Blogger", also exploits a RevSlider plugin vulnerability. The campaign consists of 3 distinct malframes according to the Sucuri report, which "have caused 28,235 websites to be blacklisted by Google (according to their safebrowsing stats) in a very short time frame. Our internal analysis has identified more than 50,000 WordPress websites compromised via this new campaign, not all have been blacklisted yet."

Guidance: Ensure web systems (including plug-ins and third-party software) are updated and patched in a timely manner. Continuously scan your websites for malware, using a service such as Sucuri's malware scanner or VirusTotal. Also, check out the "Hardening WordPress" guidelines on the WordPress website.


Major DDoS Attacks against Sony, Xbox and Rackspace

Sony's PlayStation Network was taken down for nearly 48 hours by a distributed denial-of-service (DDoS) attack, spoiling the holidays for many online gamers. The Sony network was slowly returning to normal on Friday after being attacked on Christmas Day by a hacker group called "Lizard Squad." The group also took credit for taking down rival Microsoft's Xbox Live network over the holidays.

Rackspace, a popular cloud provider and hosting company, was also the victim of a major DNS DDoS attack before Christmas, as noted in the company blog: "engineers identified a UDP DDoS attack targeting the DNS servers in our IAD, ORD, and LON data centers. As a result of this issue, authoritative DNS resolution for any new request to the DNS servers began to fail in the affected data centers."

Guidance: Ensure network architecture is resilient by upgrading capacity and infrastructure components where needed to handle or offload traffic spikes caused by DDoS floods. Companies can also subscribe to DDoS mitigation providers, who can block attack traffic upstream before it reaches company networks.

Vawtrak dangerous banking trojan

A newer banking trojan called "Vawtrak" is very active and is used to infect computers and steal banking information. According to SophosLabs, the malware is updated daily to make it more dangerous and harder to detect. For instance, the malware's configuration files, back-end command-and-control servers and even how the stolen data is stored and transported have changed over time.

Guidance: Apply patches in a timely manner, ensure up-to-date anti-malware protections are in place and be wary of phishing threats.
