Archive for May, 2016
Much has been reported and discussed about the bank heists that affected Bangladesh, Vietnam, and Ecuador. All three cases involved the Society for Worldwide Interbank Financial Transfers (SWIFT), a system used by financial/banking institutions worldwide to communicate financial messages or instructions; it has more than 10,000 customers from the financial sector: banks, brokerage institutions, foreign exchanges, and investment firms, among others.
Memory deduplication is a popular technique to reduce the memory footprint of a running system by merging memory pages with the same contents. Until recently, its primary use was in virtualization solutions, allowing providers to host more virtual machines with the same amount of physical memory [32], [34], [7]. The last five years, however, have witnessed an increasingly widespread use of memory deduplication, with Windows 8.1 (and later versions) adopting it as a default feature inside the operating system itself [6].
In the first week of May 2016, FireEye’s DTI identified a wave of emails containing malicious attachments being sent to multiple banks in the Middle East region. The threat actors appear to be performing initial reconnaissance against would-be targets, and the attacks caught our attention since they were using unique scripts not commonly seen in crimeware campaigns.
CVE-2015-2545 is a vulnerability discovered in 2015 and corrected with Microsoft’s update MS15-099. The vulnerability affects Microsoft Office versions 2007 SP3, 2010 SP2, 2013 SP1 and 2013 RT SP1.
A bank in the Philippines was also targeted by attackers whose malware shares code with tools used by the Lazarus group.
Security researchers have tied the recent spate of digital breaches on Asian banks to North Korea, in what they say appears to be the first known case of a nation using digital attacks for financial gain.
We have observed an attack led by the APT group Wekby targeting a US-based organization in recent weeks. Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeam’s Flash zero-day exploit.
In May 2016, Unit 42 observed targeted attacks primarily focused on financial institutions and technology organizations within Saudi Arabia. Artifacts identified within the malware samples related to these attacks also suggest the targeting of the defense industry in Saudi Arabia, which appears to be related to an earlier wave of attacks carried out in the fall of 2015. We have grouped these two waves of attacks into a campaign we have named ‘OilRig’.