Banking Trojan Targets Petrochemical Outfits

The pernicious program Citadel has been around for a while, but it’s using some new tricks on new targets.

From its humble origins as a “man in the browser” thief of banking credentials, Citadel has become a knave of all trades. Once it lands on a computer, it can be configured in a number of ways with a file from a server operated by Web predators.

Citadel now can achieve “full remote control over an infected machine,” Dana Tamir, director of enterprise security for Trusteer, an IBM company, told TechNewsWorld.

“In the past, [Citadel] targeted individuals and their personal and financial information,” Tamir said. “The reason? It wanted to steal money.”

Now the malware is being used to target enterprises, many of them petrochemical companies located in the Middle East, Trusteer researchers have discovered.

“When you target these petrochemical companies, you’re not targeting individuals anymore,” Tamir noted. “You’re targeting enterprise systems. That’s all about information.”

APT Explosion

Trusteer has not been able to identify who is behind the attacks on the petrochemical company systems or what specific information they want from the systems, Tamir explained. Nevertheless, the intrusions do have sinister implications for any likely targets of an advanced persistent threat attack, in which information is continuously exfiltrated from a system over a prolonged period of time.

“When we talk about APTs, we typically talk about custom malware that was specifically designed for a target and sophisticated delivery methods to get the malware into the organizations,” Tamir pointed out.

However, “that’s not the case anymore,” she continued. “We’re seeing massively distributed malware in these attacks.”

That means much of the groundwork for an APT is completed before it’s even activated.

“We estimate one in every 500 machines in the world have Citadel-type malware on them,” Tamir said. “When it targeted an individual, it wasn’t a huge risk to the organization. Now it can quickly be turned around against the organization.”

Drupal Patched

Content management systems like WordPress and Drupal have become popular marks for hackers because flaws in them can be parlayed into access to data riches. Fortunately, a vulnerability found last week in a module in Drupal, which is used by about a million sites on the Web, was closed before it could become meat for online predators.

“It was fixed very quickly, so I think it’s unlikely that the vulnerability is being exploited in the wild,” Greg Knaddison, director of engineering for Card.com and a member of the Drupal security team, told TechNewsWorld.

The cross-site scripting vulnerability addressed by the security team was in Drupal’s Mollom Module, which is used to prevent spam on a site, as well as provide some advanced moderating tools. In a worst-case scenario, the flaw could be used to take total control of a site.

While that’s a serious consequence, it’s not as serious as the Heartbleed flaw found in OpenSSL — and it was a lot easier to fix.

“To fix this issue on Drupal, you just download the most recent version of the module from and install it on a site,” Knaddison explained.

Heartbleed “impacted not only the SSL handshake when you go to a website, but also a lot of other software that relied on the OpenSSL library,” he said — “software that had to be recompiled after the fix was downloaded.”

The Vishing Threat

KnowBe4 has just rolled out a new tool to help organizations combat vishing.

Vishing combines phishing with robocalling to pry information from employees to provide a digital desperado with a foothold in an organization.

During KnowBe4’s training, employees receive typical vishing calls and are scored on their reactions. Do they give the visher information? Do they hang up? Managers receive the results of the pseudo vishing campaign so they can coach their more gullible charges on recognizing the scam.

Vishers mount automated campaigns using open source tools to dial thousands of calls per hour, according to KnowBe4. Calls can pretend to be from HR or a bank and try to cajole everything from a target — from their voicemail PIN and bank account and credit card information to healthcare information.

Voice PIN codes are particularly prized among vishers, noted KnowBe4 CEO Stu Sjouwerman.

“Once they have the PIN,” he told TechNewsWorld, “they can listen to someone’s voice mail. With that data, they can social engineer that person very effectively.”

Breach Diary

  • Sept. 15. Navigators Group announces insurance product that covers expenses arising out of a privacy breach including notification costs, crisis management, credit monitoring, identity theft restoration, regulatory and PCI fines and penalties, data restoration and network extortion attempts.
  • Sept. 16. C&K Systems, the technology partner of Goodwill Industries, reports that data thieves evaded detection on the retailer’s point-of-sale systems for 18 months before discovery.
  • Sept. 16. Aventura Hospital in Florida reports third data breach in last two years. Breach puts at risk personal information of 82,601 patients.
  • Sept. 16. Apple announces two-factor authentication for iCloud. In addition, it alerts users that beginning Oct. 1 all third-party apps will need an app-specific password to work with iCloud.
  • Sept. 17. Armed Services Committee of U.S. Senate releases report finding that hackers associated with the Chinese government breached systems of contractors working with the U.S. Transportation Command 20 times in a single year. All but two of the breaches were unknown to the agency, which is responsible for the global movement of U.S. troops and equipment.
  • Sept. 17. Apple, with the download release of iOS 8, becomes first mobile phone maker to activate by default a kill switch that allows an owner to brick a phone if stolen or lost.
  • Sept. 18. Brian Krebs reports data breach at American Income Life, an insurance company based in Waco, Texas. Incident is under investigation by the company and number of people affected is unknown.
  • Sept. 18. Home Depot discloses 56 million payment cards are at risk due to data breach of its point-of-sale systems from April to September.
  • Sept. 18. Law Enforcement Access to Data Stored Abroad Act (LEADS Act) filed in U.S. Senate by Sens. Orrin Hatch, R-Utah, Chris Coons, D-Del., and Dean Heller, R-Nev., to require a warrant to access email and other communications. Proposed law would preclude the use of warrants to obtain communications content stored outside the U.S. unless it was in the account of an American.
  • Sept. 23. Karaoke bar chain K Box in Singapore breached by hacker group and personal information of 300,000 members released to the public.

Upcoming Security Events

  • Sept. 22. Cyber Intelligence Europe 2014. Renaissance Brussels Hotel, Rue du Parnasse 15, 19, 1050 Brussels, Belgium. Registration: 600-850 euros, military and public sector; 1,200-1,700 euros, private sector.
  • Sept. 23. Linking Enterprise and Small Business Security to Shore up Cyber Risks in the Supply Chain. 11 a.m. ET. InformationWeek webinar. Free with registration.
  • Sept. 23-24. St. Louis SecureWorld. America’s Center Convention Complex, 701 Convention Plaza, St. Louis. Registration: $695, two days; $545, one day.
  • Sept. 23-24. APWG eCrime Researchers Symposium. DoubleTree by Hilton Hotel Birmingham, 808 South 20th St., Birmingham, Alabama. Registration: before Sept. 2, $400; after Sept. 1, $500.
  • Sept. 24. Rock Stars of Cyber Security. Brazos Hall, Austin, Texas. IEEE members, $229; non-members, $299; students, $129.
  • Sept. 26. B-Sides St. John’s. Uptown Kenmount Road, St. John’s Newfoundland and Labrador. Free.
  • Sept. 29-Oct. 2. ISC2 Security Congress 2014. Georgia World Congress Center, Atlanta. Registration: through Aug. 29, member or government, $895; non-member, $1,150. After Aug. 29, member and government, $995; non-member, $1,250.
  • Sept. 29-Oct. 2. ASIS 2014. Georgia World Congress Center, Atlanta. Registration: exhibits only, free; before August 30, members $450-$895, non-members $595-$1,150, government $450-$895, spouse $200-$375, student $130-$250; after August 29, member $550-$995, non-member $695-$1,250, government $550-$995, spouse $200-$475, student $180-$300; a la carte, $50-$925.
  • Sept. 29-Oct. 3. Interop New York. Jacob Javits Convention Center, New York City. Expo: free. Total Access: early bird (July 1-Aug. 15) $2,899; regular rate (Aug. 16-Sept. 26), $3,099; Sept. 27-Oct. 3, $3,299.
  • Sept. 30. Can Your Website and Network Infrastructure Withstand Multi-vector Attacks? 1 p.m. ET. Webinar sponsored by Arbor Networks. Free with registration.
  • Oct. 1. Indianapolis SecureWorld. Sheraton Indianapolis at Keystone Crossing. Registration: $695, two days; $545, one day.
  • Oct. 2. How To Avoid Being the Breach Scapegoat. 2 p.m. ET. Webinar. Free with registration.
  • Oct. 3. B-Sides Portland. Refuge PDX, Portland, Oregon. Free.
  • Oct. 10-11. B-Sides Warsaw. Andersa 29, Warsaw, Poland. Free.
  • Oct. 14-17. Black Hat Europe 2014. Amsterdam RAI, Amsterdam, the Netherlands. Registration: before Aug. 30, 1,095 euros; before Oct. 10, 1,295 euros; before Oct. 18, 1,495 euros.
  • Oct. 16. SecureWorld Denver. The Cable Center, Denver. Registration: $695, two days; $545, one day.
  • Oct. 18. B-Sides Raleigh. Raleighwood, Raleigh, North Carolina. Free.
  • Oct. 19-20. B-Sides Washington D.C. Washington Marriott Metro Center, Washington, D.C. Free.
  • Oct. 19-27. SANS Network Security 2014. Caesars Palace, Las Vegas, Nevada. Courses: job-based, $3,145-$5,095; skill-based, $1,045-$3,950.
  • Oct. 29-30. Security Industry Association: Securing New Ground. Millennium Broadway Hotel, New York City. Registration: before Oct. 4, $1,095-$1,395; after Oct. 3, $1,495-$1,895.
  • Oct. 29-30. Dallas SecureWorld. Plano Centre, 2000 East Spring Parkway, Plano, Texas. Registration: $695, two days; $545, one day.
  • Dec. 2-4. Gartner Identity & Access Management Summit. Caesars Palace, Las Vegas, Nevada. Registration: before Oct. 4, $2,150; after Oct. 4, $2,450; public employees, $2,050.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.