KeyBase – the impact of malware and how to respond

By Bryan Campbell - Information Security, Manufacturing

Cybercrime is increasingly – and rightly – a board-level issue for organisations. In this blog post we take an inside look at a real attack recently identified by the Fujitsu Cyber Threat Intelligence team.

KeyBase is a keylogger family of malware, typically delivered by spam emails carrying malicious attachments that infect users who open them. First publicly documented by Palo Alto Networks in 2015, the malware was offered for sale on the notorious Hackforums.net, with the seller promising continued support and a "fully undetectable" (FUD) build.

In late 2016 the Fujitsu Cyber Threat Intelligence team gathered information from trusted sources to identify an ongoing campaign against targets in the UAE. One particular actor group has reused the same tactics, techniques and procedures (TTPs) across several campaigns.

This reuse allowed the group to be identified on a number of occasions. The group also fails to secure its web panels appropriately, meaning those tracking the campaigns could identify victims from the data stored in the panels and inform them of their infections.

The panel contained sensitive information relating to the affected company's procurement process, exposing almost 200 user accounts and hundreds of associated passwords.


The exposed credentials included accounts for:

  • Google Mail
  • DEWA (Dubai Electricity and Water Authority)
  • Electronic Procurement services
  • Yahoo
  • Banking Services (Wells Fargo)
  • Electronic Tendering services
  • FedEx

Targeted attacks

The affected company manufactures hardware for use in petrochemical and power plants in the heavy engineering and utility industries. The company explicitly confirms the presence of computer-controlled equipment as part of its infrastructure.

The compromise of a hardware manufacturer matters to everyone in its supply chain, as demonstrated by the Target breach, in which attackers entered through network credentials stolen from a third-party HVAC contractor and ultimately took 40 million payment card numbers. The reputational and financial damage from that breach is still being counted.


Risk and impact of compromise

The gang behind these UAE attacks may not possess the operational security of more capable adversaries, who compromise companies by more sophisticated means. Instead it relies on low-tech attacks such as phishing campaigns to gain a foothold.

Despite the relative lack of sophistication, the impact is still significant: the gang extracts valuable sensitive data and causes real reputational damage.

How to defend

There is no substitute for rigorous security practices around systems that hold or transfer sensitive information such as financial records or intellectual property.

An important part of this is to train the people trusted to use these systems, so they are aware of phishing emails and know how to spot the signs of a threat.

It is also critical to ensure the basics of good system management are in place, such as making sure that patches and vulnerability updates are promptly applied.

Anti-virus software should be kept up to date and reduces the risk from commodity malware such as KeyBase. However, it is important to recognise that anti-virus is only one layer of defence; malware sold as "fully undetectable" is built specifically to slip past signature-based scanners, so anti-virus will not remove the threat alone.

In today’s threat landscape, organisations can no longer afford to be complacent when it comes to security. It needs to be top of the boardroom agenda.

By implementing an effective security education programme alongside a strong threat intelligence capability and an incident response plan, an organisation can combat today's cybercriminal networks and protect its data assets.
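Threat intelligence only pays off if it is turned into detection. The following script is an added example, not code from this post or from Fujitsu: it runs a simple heuristic over constructed web proxy log lines to flag hosts that repeatedly send keylogger-style data (window titles, keystrokes, clipboard contents) to the same PHP endpoint, which is how commodity keylogger panels of this kind typically receive their logs. The parameter names, the log format, the hostnames and the thresholds are all assumptions chosen for illustration; they are not indicators taken from the page and should be replaced with values from your own analysis of the samples you see.

```python
"""Heuristic detector for keylogger-style exfiltration in web proxy logs.

Added example, not code from the Fujitsu post. The parameter names,
log format and sample lines are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlsplit

# Assumed query-string parameter names that resemble what commodity keylogger
# web panels accept (hypothetical; tune against your own malware analysis).
SUSPICIOUS_PARAMS = {"keystrokes", "windowtitle", "machinename", "clipboard"}

# Constructed proxy log lines: "<iso-timestamp> <src_ip> <method> <url> <status>".
SAMPLE_LOG = [
    "2016-11-14T09:00:05 10.1.2.3 GET http://panel.example.test/post.php?type=keystrokes&machinename=WS01&windowtitle=Outlook&keystrokes=pass 200",
    "2016-11-14T09:01:00 10.1.2.9 GET https://www.example.test/index.php?page=1 200",
    "2016-11-14T09:02:10 10.1.2.3 GET http://panel.example.test/post.php?type=clipboard&machinename=WS01&clipboard=P%40ss 200",
    "2016-11-14T09:03:00 10.1.2.9 GET http://panel.example.test/post.php?type=keystrokes&windowtitle=Word 200",
    "2016-11-14T09:05:30 10.1.2.3 GET http://panel.example.test/post.php?type=keystrokes&machinename=WS01&windowtitle=Chrome&keystrokes=x 200",
]


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, method, url, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src,
            "method": method, "url": url, "status": int(status)}


def suspicious_params(url):
    """Return the set of suspicious parameter names present in the URL's query."""
    query = parse_qs(urlsplit(url).query)
    return {name.lower() for name in query} & SUSPICIOUS_PARAMS


def find_keylogger_beacons(lines, min_hits=3, window_seconds=600):
    """Map (src_ip, host, path) -> total hit count for every source that sent
    suspicious parameters to the same .php endpoint at least min_hits times
    within any window_seconds period."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        parts = urlsplit(rec["url"])
        if not parts.path.lower().endswith(".php"):
            continue
        if not suspicious_params(rec["url"]):
            continue
        hits[(rec["src"], parts.netloc, parts.path)].append(rec["ts"])

    alerts = {}
    for key, stamps in hits.items():
        stamps.sort()
        # Sliding window: alert if any min_hits requests fall inside the window.
        for i in range(len(stamps) - min_hits + 1):
            span = (stamps[i + min_hits - 1] - stamps[i]).total_seconds()
            if span <= window_seconds:
                alerts[key] = len(stamps)
                break
    return alerts


if __name__ == "__main__":
    for (src, host, path), count in find_keylogger_beacons(SAMPLE_LOG).items():
        print(f"ALERT {src} -> {host}{path}: {count} keylogger-style requests")
```

On the constructed sample, only 10.1.2.3 is flagged: it posts window titles, keystrokes and clipboard data to the same endpoint three times in under ten minutes, while 10.1.2.9 makes a single matching request and so stays below the threshold. Once an infected host is identified, the credentials typed on it during the infection window should be treated as exposed and reset, which is exactly the kind of victim notification the unsecured panels made possible here.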

Check out our Secure Thinking page for much more insight and advice. 

Photo by HTSABO

Bryan Campbell

Senior Security Researcher & Fujitsu Distinguished Engineer at Fujitsu
Bryan is an experienced security analyst with a proven record of delivering technology services across industry sectors.

He has developed his design, technical, project and security skills within some of the UK’s top employers and institutions.

