New Trojan used in financial attacks
Symantec recently reported on a malware variant 'Trojan.Odinaff' which has been involved in a number of discreet campaigns targeting global financial organisations since January 2016. Organisations involved in banking, securities, trading and payroll appear to be the primary targets, with organisations providing the support services to these industries also of interest.
According to the report, US institutions have been most frequently targeted, followed by Hong Kong, Australia, the UK and Ukraine. Odinaff is believed to be deployed in the first stages of an attack, as a means of gaining a foothold onto a target network. Once installed, Odinaff is capable of maintaining a stealthy, persistent presence on a network, as well as installing additional tools to assist in the attack: tools which Symantec have reported as 'bearing the hallmarks' of Carbanak, another cyber criminal group reported to have made significant financial gains through its targeting of financial organisations.
These Odinaff attacks are another example of high-value targeting by capable attackers seeking to maximise their financial yield per attack ratio.
Nuclear sector cyber security in focus
The International Atomic Energy Agency (IAEA) Director, Yukiya Amano, informed reporters, during a recent visit to Germany, about a 'disruptive cyber attack' that took place 'two to three years ago' against an unspecified nuclear power plant.
There has been discussion in the cyber security blogosphere as to where this attack occurred: we judge it likely that the incident Amano referred to was the compromise and data deletion attack in late 2014 against the Korea Hydro and Nuclear Power Company (KHNP), the state-run operator of South Korea's nuclear power stations. The data affected was 'non-critical', but included blueprints, manuals and employee information. The attackers also used wiper malware to destroy data and the Master Boot Record (MBR) of a number of computers. In 2015, the South Korean Government formally accused North Korea of being behind the attack. Cyber security researchers including TrendMicro noted a number of similarities between the KHNP attack and previous incidents that have been linked to North Korea, including the 2014 Sony Pictures attack.
The KHNP incident received a large amount of media attention at the time, though the Korean Government stated the attack itself caused only limited disruption, and did not threaten safety systems. This event highlights the impact that even a low-level cyber attack on the nuclear sector can cause. Amano's statement draws attention to the issue ahead of an IAEA conference on wider nuclear security in December.
Windows and related Microsoft products dominate vulnerabilities updates this week, due to Microsoft's monthly patch Tuesday falling this week. The other vulnerability updates centre mainly on platform-agnostic/cross-platform updates, with a particular focus on Linux and Unix-based systems.
Please log in to CiSP for more information on all of these issues. Register now at www.ncsc.gov.uk/cisp.