This week, our feature story looks at a series of data breaches carried out from the inside at banks in Eastern Europe, an attack called DarkVishnya. The attacks were recently covered in Bleeping Computer’s story, “Netbooks, RPis, and Bash Bunny Gear: Attacking Banks from the Inside.”
Unlike many malicious cyberattacks, the DarkVishnya attacks were executed through malicious physical devices that were connected to corporate networks. Intruders placed malicious devices (including low-cost laptops and Bash Bunny pen testing devices that resemble USB drives) in offices, and often connected them through corporate ethernet ports.
Once the devices were in place, hackers could control them remotely and use them to access sensitive areas of corporate servers. To the corporate IT and security departments, these devices looked like legitimate laptops, USB drives, printers, or other equipment that was regularly used by employees.
In the second stage of the attack, the devices scanned for open files, folders, and web servers that contained sensitive corporate data. The objective was to obtain login credentials for payment systems and other valuable information. In many cases, attackers relied on tools like PowerShell to bypass whitelisting technologies and domain policies.
We often talk about malicious credential theft attacks happening to unsuspecting employees through phishing emails, but rarely is an attack repeatedly executed from the inside using malicious physical devices. However, even the most secure buildings have entryways for intruders, who may range from couriers to contractors.
It’s important to keep network access isolated from common areas and from anywhere it is easily accessible to unauthorized (and potentially malicious) visitors. For example, if you take a look around most office buildings, you’ll find an open ethernet port on a desk or in a conference room, or potentially even unattended laptops left on the desk by employees on a break.
DarkVishnya is a great example of a physical insider attack that’s also executed at the network level. Given the success of this series of attacks within Eastern European banks, we may expect to see more of these hybrid-style insider threat incidents in 2019.
What Else is Happening
Source: PC Magazine
More people traveling for work will use their corporate devices to connect to public Wi-Fi, without the use of a VPN, a survey from ObserveIT recently found. Seventy-seven percent of respondents said they connect to free or public Wi-Fi on a work phone or computer while traveling, while 63 percent said they use public Wi-Fi to access work emails and files. Additionally, 21 percent admitted to leaving a work device unattended in public while traveling or working remotely.
Source: IT Pro
A leaked internal training document obtained by The Guardian shows that Google is concerned about insider threats from its temporary and contract workforce (known as TVCs at Google). The document, called the “ABCs of TVCs,” gives employees instructions on how to engage with contract workers, such as excluding them from certain internal meetings and trainings. It also shows that Google is worried about both data exfiltration from insider threats and being discovered as a Joint Employer, a legal designation that could be costly for the company.
Source: The New York Times
One of the most widely shared cybersecurity stories of the week has to do with how applications collect and sell consumer location data without the knowledge of consumers. The in-depth exposé analyzes data captured from 1.2 million devices over a three-day period in 2017, providing shockingly detailed information on the habits of consumers. Why this matters to insider threat watchers: user privacy will become more top-of-mind for consumers in 2019.
Source: The Hill
Could Equifax have prevented the massive data breach affecting 148 million customers? The House Oversight and Government Reform Committee certainly thinks so. The committee released a report this week saying the consumer credit reporting agency “aggressively collected data on millions of consumers and businesses while failing to take key steps to secure such information.”
What You Might Have Missed
In case you were too busy to read our last Insider Threat Level, here’s the 411:
We discussed how 2019 will be the year of cybersecurity hiring, according to Spiceworks. A recent survey showed that 47 percent of people named cybersecurity the biggest area of attention, particularly for large enterprise companies. In addition, we covered Nordstrom’s data breach, which was caused by an insider threat, as well as a new study on an increase in phishing attempts.