[BreachExchange] A Busy Month for Cyber Attackers: Tesco Bank, Three Mobile and Muni

Audrey McNeil audrey at riskbasedsecurity.com
Tue Dec 20 19:49:04 EST 2016


http://www.itproportal.com/features/a-busy-month-for-
cyber-attackers-tesco-bank-three-mobile-and-muni/

Last month we witnessed, once again, the might of the modern
cyber-attacker. Tesco Bank, Three Mobile and Muni, San Francisco’s transit
system, were all publicly outted when their networks were hacked – proving
once again that cyber security can affect us all.

Tesco Bank

Tesco Bank, a popular UK retail bank, was breached in early November,
affecting 9,000 customers. Tesco shelled out over £2,500,000 to those who
lost money – but their loss was not purely financial, their business
integrity was cast into doubt. As trust forms the bedrock of business for
banks, once this is questioned the reputational damage can be irreparable.

It is estimated that financial institutions are 300 times more vulnerable
to a cyber-breach than any other, despite the sector being one of the most
cyber security-mature. Traditional security measures can no longer be
considered sufficient when it comes to protecting financial information,
and much of this comes down to increases in complexity.

Security teams in banks and other large businesses are struggling to
monitor digital activity across an ever-bigger, ever more diverse network.
Combine this with the challenge of an increasingly sophisticated threat,
and human security teams are inevitably going to miss the silent and
stealthy attacks capable of bypassing network borders.

Three Mobile

Up next in the media spotlight: Three Mobile. Here, the data of 130,000
customers was exposed when hackers exploited employee credentials to gain
access to customer data including names, date of births and contact
details, without triggering security alarms.

Three Mobile’s rapid identification, investigation and engagement with law
enforcement to arrest three men in connection with the attacks might have
helped minimise the reputational and financial damage at stake. However,
initial news of the attack ignited panic on social media, demonstrating the
importance of post-breach contingency plans, including PR.

Security teams should now be asking themselves: would I be able to notice
if something that appears to be legitimate, is actually fraudulent? More
frequently we are seeing wily hackers use employee logins to disguise
themselves on the network and carry out attacks from the inside, undetected.

Hackers are using increasingly sophisticated methods of attack making it
difficult to distinguish between innocent insiders and malicious attackers.
Only by gaining visibility into their internal systems and understanding
what ‘normal’ looks like, can organisations detect the subtle behaviours
which are, in fact, illegitimate and need investigating.

Muni

The commuters of San Francisco got a free ride to work a few weeks ago
after San Francisco’s transport agency, Muni, was hit by ransomware.

Over 2,000 computers, critical to the safe running of the major city’s
transportation system were infected with the variant of the HDDCryptor
malware. Normal operations ground to a halt and the criminals held Muni to
a ransom of around half a million dollars.

This will not be the last attack we see on public transport. Trains, trams
and buses are an essential part of modern life, however, outdated and
under-resourced, they are juicy targets for cyber-criminals wanting to
wreak havoc en masse. Defenders of critical infrastructure and data cannot
afford to wait any longer in modernising their systems and implementing
self-learning methods to catch threats while they are active internally.
Note to the security team: don’t expect to catch the attacker as they walk
through the gate.

Machine Learning – Catching Threats Before Disaster Strikes

The bottom line must be that we cannot continue with security status quo,
when the rules have changed. The threat is inside the network. Just like
the human body is constantly battling with viruses, organisations need to
constantly monitor for compromises with immune system technology that
fights back fast. By developing an ‘immune system’ for their networks,
companies can identify suspicious behaviours as they emerge, and respond to
them before serious damage is done. This is the best chance we have to even
out the battlefield.

Machine learning enables this immune system approach and is already
detecting and automatically responding to previously unidentified threats
in a number of organisations across the world.

For instance, Darktrace recently discovered that biometric scanners, used
to restrict access to machinery in an Asian manufacturing company, had been
compromised through software vulnerabilities. Using machine learning to
detect unusual network behaviours, attackers were found to be changing
legitimate biometric data with different data – quite possibly their own
fingerprints. No signature existed for that type of threat and it would
have gone unchecked by legacy controls. Fortunately, Darktrace was able to
flag it to the organisation in time to avoid a physical intrusion and
potentially catastrophic damage.

In another case, a charity in California suffered a ransomware attack via a
spear phishing campaign. The attacker sent an email containing a fake
invoice, supposedly coming from a stationary supplier known to the company.
The charity’s receptionist opened the attachment, and as soon as she did,
JavaScript within the document connected her computer with a server in
Ukraine. This downloaded malware began to encrypt company files within
minutes, but Darktrace had identified the attack as quickly.

The speed of ransomware is virtually impossible to deal with using legacy
approaches. Fortunately, in this instance, machine learning technology
alerted the organisation fast enough for the receptionist’s desktop to be
disconnected from the network – preventing the ransomware from spreading
further.

Clearly, from observing both the high-profile attacks and those that escape
the headlines, machine learning is a truly powerful tool in tackling
today’s threats before they can cause crisis. Armed with automation and
better visibility, defenders now stand a chance in combatting the evolving
cyber-threat, which is a growing concern for all.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161220/045b9a44/attachment.html>


More information about the BreachExchange mailing list