KeyBase – the impact of malware and how to respond

Published on November 29, 2016 in Energy & Utilities • Manufacturing • Cyber Security

Cybercrime is increasingly – and rightly – a board-level issue for organisations. In this blog post we take an inside look at a real attack recently identified by the Fujitsu Cyber Threat Intelligence team.

KeyBase is a keylogger family of malware often delivered using spam emails that infect users who open malicious attachments. Observed in 2015 by Palo Alto, the malware was offered for sale on the notorious Hackforums.net, promising continued support and a fully undectable (FUD) offering.

In late 2016 Fujitsu Cyber Threat intelligence gathered information using trusted sources to help identify an ongoing campaign against UAE targets. One particular actor group has demonstrated the same techniques, tactics and procedures (TTPs) for several campaigns.

This allowed them to be identified on a number of occasions and they do not secure their panels appropriately, meaning those tracking the campaigns could identify victims and inform them of infections.

Sensitive information relating to the procurement process in the panel exposed almost 200 users and associated hundreds of passwords for the company affected by the compromise.

Credentials include:

Google Mail
DEWA (Dubai Energy & Water Authority)
Electronic Procurement services
Yahoo
Banking Services (Wells Fargo)
Electronic Tendering services
FedEx

Targeted attacks

The affected company manufactures hardware for use in petrochemical and power plants in the heavy engineering and utility industries. The company explicitly confirms the presence of computer-controlled equipment as part of its infrastructure.

The compromise of a hardware manufacturer is significant to those who are part of the supply chain, as demonstrated in the Target breach which resulted in the loss of 40 million credit card numbers. The reputational and financial damage from that breach is still being counted.

Risk and impact of compromise

The gang behind these UAE targets may not possess the level of operational security of more powerful adversaries who seek to compromise a company by using more sophisticated means. Instead they use low-tech attacks such as phishing campaigns to compromise a company.

Despite the relative lack of sophistication, however, the impact is still significant enough to allow the gang to extract valuable sensitive data and cause real reputational damage.

How to defend

There is no substitute for rigorous security practices around systems that hold or transfer sensitive information such as financial records or intellectual property.

An important part of this is to train the people trusted to use these systems, so they are aware of phishing emails and know how to spot the signs of a threat.

It is also critical to ensure the basics of good system management are in place, such as making sure that patches and vulnerability updates are promptly applied.

Anti-virus software should be kept up to date and can reduce the risks of malware such as KeyBase. However, it’s important to recognize that anti-virus software is only one layer of defence – it won’t remove the cyber threat alone.

In today’s threat landscape, organisations can no longer afford to be complacent when it comes to security. It needs to be top of the boardroom agenda.

By implementing an effective security education programme alongside a strong threat intelligence system and incident response plan, an organisation can combat today’s cybercriminal networks and protect their data assets.

Check out our Secure Thinking page for much more insight and advice.

Photo by HTSABO

(Visited 183 times, 1 visits today)