Weekly Threat Report 17th November 2017

Created:  17 Nov 2017
Updated:  17 Nov 2017
NCSC Threat Report
We would like your feedback on the Weekly Threat Report. Please send us your thoughts, suggestions and queries using our 'Contact Us' page.
This report is drawn from recent open source reporting.

New banking trojan discovered

Security researchers have discovered a new trojan targeting customers of banks, payment card providers, mobile service providers, payroll, webmail and e-commerce sites. Known as IcedID, the malware uses web browser manipulation techniques to trick users into entering their login credentials and payment authorisation details into malicious webpages. The malware has been found on systems already infected by the highly persistent Emotet banking trojan, which hijacks computers to form botnet infrastructure for cyber crime.

Customers of two UK banks as well as those of some financial institutions in the US and Canada have so far reportedly been affected by IcedID. The number of customer victims and the scale of financial losses incurred is currently unknown.

We have seen a number of trojans targeting the banking sector, but IcedID stands out because it has only been in the wild since September, yet already demonstrates advanced capabilities. These capabilities are on a par with long-established banking trojans such as Dridex and Zeus, which took many years to develop. The National Crime Agency estimates Dridex has resulted in approximately £20 million in losses to the UK economy. If IcedID's capabilities are as good as reported, UK financial losses could be of a similar order. IcedID will likely continue to be developed over the coming weeks and months, increasing the risk of infection and the potential scale of losses.


Concerns over connected toys

The consumer organisation Which? recently published a safety report on its concerns over vulnerabilities in certain children's toys with Bluetooth and Wi-Fi connectivity. It was able to show that several popular connected toys, which allow you and your child to interact with the toy via a smart device, had unsecured Bluetooth connections. These could potentially allow a stranger to make contact with your child through the toy.

Which? found that the Furby Connect, I-Que Intelligent Robot, Toy-fi Teddy and CloudPets cuddly toy all had unsecured Bluetooth connections, because no password, PIN code or any other authentication is needed to gain access. Bluetooth usually has a 10-metre range limit, but can have a usable range of up to around 100 metres, which could potentially put a child at risk from someone with malicious intentions nearby.

Last year, Germany's telecoms watchdog found similar unsecured access in the My Friend Cayla talking dolls and recommended that parents destroy them, as they could be used to 'illegally spy' on their children. When purchasing connected toys for your child, consider reading up on known security issues, using any password protection available and keeping the apps that control these toys updated.

The NCSC is urging manufacturers of these toys to improve security.

Sowbug targets South East Asia and South American governments

Cyber security company Symantec recently identified a new cyber espionage group called "Sowbug" that targets governments in South East Asia and South America. Sowbug uses a sophisticated piece of malware called "Felismus" that was discovered earlier this year by Forcepoint Security Labs.

It is currently unknown how Felismus infiltrates a target's network, but once deployed it can maintain a persistent presence, avoiding detection by disguising itself as an Adobe or Word file. The operators of the malware also appear to work outside the usual business hours of the victim, possibly to avoid arousing suspicion among legitimate users.

Sowbug uses Felismus predominantly to steal information relating to foreign policy, diplomatic relations and, specifically, Asia-Pacific relations. It has also been seen searching for files on remote shares in an attempt to infect other computers on the network.

Sowbug has probably been operating since at least early 2015, but its stealthy capabilities have enabled it to remain very low profile and evade detection.

Sowbug's identity and primary motivation are currently unknown. There has been speculation that this could be a state-sponsored group, given the government targets, the sophistication of Felismus, and its success. Some of the malware code appeared to indicate that the operators' first language may not be English.

Although Sowbug appears to target a very specific set of victims, its modular capabilities are of particular concern. Organisations and members of the public should ensure that they keep their antivirus software up to date to avoid being infected with the Felismus malware.

--

The Cyber Security Information Sharing Partnership (CiSP) is a great way of learning more about threat information as well as engaging with industry and government counterparts. Follow the link below for more information.
