3 cybersecurity investigations from 2017 you’ll want to read
Welcome to Threat Intel’s #WednesdayWisdom column, a weekly read to help improve your cybersecurity knowledge and keep you informed on important developments.
Researchers in Symantec Security Response have had a busy start to 2017, having already published findings on a number of investigations.
Here is a round-up of three you might be interested in reading about in more detail.
Our researchers kicked off the year with some bad news for frequent flyers by revealing that screens at airport boarding gates were leaking information that could have allowed attackers to gain control over passengers’ bookings, cancel flights, or steal sensitive information.
The discovery was made by one of our frequently-flying researchers who noticed a timed-out web-browsing window displayed on a screen at his boarding gate. He found he was able to open the IP address shown on the screen from his smartphone and, with a little investigation, that he could access passenger information, including six-digit passenger name record (PNR) locators and several letters of passengers’ surnames.
This could be enough information to allow someone to access a booking, which would reveal other information such as a passenger’s full name and contact details, as well as allowing access to their frequent flyer account. This would give attackers the chance to get up to all sorts of mischief, as we detail in our full blog on this issue.
This blog looked at a possible link between two separate attack groups carrying out attacks in the Middle East — Shamoon and Greenbug.
In January, Symantec researchers were investigating reports of an attack in the Middle East involving the destructive disk-wiping malware used by the Shamoon group. The malware used by Shamoon is just the destructive payload. It requires other means to be deployed on targeted organizations’ networks and is configured with previously stolen credentials.
Symantec had discovered the Greenbug espionage group during previous investigations into Shamoon. Shamoon first made headlines in 2012 and resurfaced in November 2016, and in both cases its malware was used to carry out attacks on energy companies in Saudi Arabia. This blog investigated whether Greenbug could have been responsible for providing Shamoon with stolen credentials.
The Security Response blog details recent attacks carried out by Greenbug that have led researchers to draw tentative links between this group and Shamoon. However, researchers will continue to track these groups separately unless harder evidence emerges.
Banks, telecoms, and internet firms were among those compromised by watering hole attacks that attempted to infect more than 100 organizations in 31 countries, though no evidence was found that money was stolen from any of the infected banks.
The attacks came to light when a Polish bank discovered previously unknown malware running on a number of its computers and, when it shared indicators of compromise (IOCs), other institutions confirmed they too had been compromised.
Analysis of the malware used in the attacks uncovered commonalities with code used by the threat group known as Lazarus, which has been linked to a string of aggressive attacks since 2009.