In this week’s Shadow Talk, Dr Richard Gold joins us to discuss the return of the L0pht hackers. In 1998 the L0pht members delivered a cybersecurity hearing to the United States Senate, warning that any one person in their group could take down the Internet within 30 minutes. 20 years on, we look back on what has and hasn’t changed in the world of information security. In Part II, the team covers recent reporting on the use of military-style tactics such as war gaming and intelligence fusion centers in the financial services industry. We ask whether such tactics are effective, and whether smaller organizations can also employ the techniques being used by some of the world’s largest enterprises.


BackSwap malware switches bank transfer recipient

BackSwap deployed browser manipulation techniques against Microsoft Windows-operating machines to target Polish online banking users. The malware was delivered in spam campaigns with the “Nemucod” downloader attached, simulating modified legitimate applications. Once installed, the malware used innovative techniques to identify user browsing information and specific banking transfers by using event hooks in the Windows message loop. A malicious JavaScript file was then injected into the URL address field, then swapped intended transfer recipient details for those of attacker-controlled accounts. The technique works across multiple browsers, and bypasses browser protection mechanisms. The campaign remains active, and BackSwap’s methods will likely be adapted by other banking malware developers.


Canadian banks’ customer data allegedly stolen

In two instances that are likely linked, threat actors reportedly informed the Bank of Montreal and Canadian Imperial Bank of Commerce subsidiary Simplii that they had obtained customer data through an undisclosed method. The legitimacy of the claims could not be independently verified, but statements from the affected banks suggested that the attackers had obtained credible data for up to 90,000 individuals. Some media outlets reportedly received notice of extortion demands against the financial institutions, although the banks did not confirm receiving such demands and they may have been sent to the press by an unrelated, opportunistic threat actor. At the time of writing, any information on TTPs used in any associated breach is unknown, as is the date of any breach that may have occurred.


Chilean bank services disrupted by virus

Banco de Chile confirmed that an undisclosed virus had affected the bank’s networks on 24 May 2018. Reportedly, malware had infected workstations and other assets, thereby disrupting branch and telephone services. Social media posts, apparently made by Banco de Chile customers, also indicated service interruptions to Web platforms, and possible social engineering activity, such as phishing scams. However, the bank stated that customer accounts and transaction security had not been compromised. There have been no details of any TTPs reported, but, given Banco de Chile’s statements, the malware appeared to be disruptive, and could have been used to obscure other malicious activity. It is highly likely that more reporting will emerge in the short to medium term (one week to three months).


US-CERT reveals current Lazarus Group activity

The United States Computer Emergency Readiness Team (US-CERT) released an advisory detailing “HIDDEN COBRA” (aka Lazarus Group) malware that has reportedly been used since 2009. The advisory described “Joanap” (a backdoor trojan) and “Brambul” (a Server Message Block worm), which have been previously associated with the same threat group. US-CERT also highlighted new and ongoing activity associated with the group, including targeted sectors and geographies.