  1. #1 WHT-BR Top Member (Join Date: Dec 2010, Posts: 18,573)

    [EN] Brazilians whacked: Crooks hijack bank's DNS to fleece victims

    Kaspersky believes the bank’s account at NIC.br was compromised.

    Usernames, passwords swiped for hours, malware dropped on PCs.

    Andy Greenberg
    04.04.17

    The traditional model of hacking a bank isn’t so different from the old-fashioned method of robbing one. Thieves get in, get the goods, and get out. But one enterprising group of hackers targeting a Brazilian bank seems to have taken a more comprehensive and devious approach: One weekend afternoon, they rerouted all of the bank’s online customers to perfectly reconstructed fakes of the bank’s properties, where the marks obediently handed over their account information.

    Researchers at the security firm Kaspersky on Tuesday described an unprecedented case of wholesale bank fraud, one that essentially hijacked a bank’s entire internet footprint. At 1 pm on October 22 of last year, the researchers say, hackers changed the Domain Name System registrations of all 36 of the bank’s online properties, commandeering the bank’s desktop and mobile website domains to take users to phishing sites. In practice, that meant the hackers could steal login credentials at sites hosted at the bank’s legitimate web addresses. Kaspersky researchers believe the hackers may have even simultaneously redirected all transactions at ATMs or point-of-sale systems to their own servers, collecting the credit card details of anyone who used their card that Saturday afternoon.

    “Absolutely all of the bank’s online operations were under the attackers’ control for five to six hours,” says Dmitry Bestuzhev, one of the Kaspersky researchers who analyzed the attack in real time after seeing malware infecting customers from what appeared to be the bank’s fully valid domain. From the hackers’ point of view, as Bestuzhev puts it, the DNS attack meant that “you become the bank. Everything belongs to you now.”

    DNS Stress

    Kaspersky isn’t releasing the name of the bank that was targeted in the DNS redirect attack. But the firm says it’s a major Brazilian financial company with hundreds of branches, operations in the US and the Cayman Islands, 5 million customers, and more than $27 billion in assets. And though Kaspersky says it doesn’t know the full extent of the damage caused by the takeover, it should serve as a warning to banks everywhere to consider how the insecurity of their DNS might enable a nightmarish loss of control of their core digital assets. “This is a known threat to the internet,” Bestuzhev says. “But we’ve never seen it exploited in the wild on such a big scale.”

    The Domain Name System, or DNS, serves as a crucial protocol running under the hood of the internet: It translates domain names in alphanumeric characters (like Google.com) to IP addresses (like 74.125.236.195) that represent the actual locations of the computers hosting websites or other services on those machines. But attacking those records can take down sites or, worse, redirect them to a destination of the hacker’s choosing.

    In 2013, for instance, the Syrian Electronic Army hacker group altered the DNS registration of The New York Times to redirect visitors to a page with their logo. More recently, the Mirai botnet attack on the DNS provider Dyn knocked a major chunk of the web offline, including Amazon, Twitter, and Reddit.

    But the Brazilian bank attackers exploited their victim’s DNS in a more focused and profit-driven way. Kaspersky believes the attackers compromised the bank’s account at Registro.br. That’s the domain registration service of NIC.br, the registrar for sites ending in the Brazilian .br top-level domain, which they say also managed the DNS for the bank. With that access, the researchers believe, the attackers were able to change the registration simultaneously for all of the bank’s domains, redirecting them to servers the attackers had set up on Google’s Cloud Platform.

    With that domain hijacking in place, anyone visiting the bank’s website URLs were redirected to lookalike sites. And those sites even had valid HTTPS certificates issued in the name of the bank, so that visitors’ browsers would show a green lock and the bank’s name, just as they would with the real sites. Kaspersky found that the certificates had been issued six months earlier by Let’s Encrypt, the non-profit certificate authority that’s made obtaining an HTTPS certificate easier in the hopes of increasing HTTPS adoption.

    “If an entity gained control of DNS, and thus gained effective control over a domain, it may be possible for that entity to get a certificate from us,” says Let’s Encrypt founder Josh Aas. “Such issuance would not constitute mis-issuance on our part, because the entity receiving the certificate would have been able to properly demonstrate control over the domain.”

    Ultimately, the hijack was so complete that the bank wasn’t even able to send email. “They couldn’t even communicate with customers to send them an alert,” Bestuzhev says. “If your DNS is under the control of cybercriminals, you’re basically screwed.”

    Aside from mere phishing, the spoofed sites also infected victims with a malware download that disguised itself as an update to the Trusteer browser security plug-in that the Brazilian bank offered customers. According to Kaspersky’s analysis, the malware harvests not just banking logins—from the Brazilian banks as well as eight others—but also email and FTP credentials, as well as contact lists from Outlook and Exchange, all of which went to a command-and-control server hosted in Canada. The Trojan also included a function meant to disable antivirus software; for infected victims, it may have persisted far beyond the five-hour window when the attack occurred. And the malware included scraps of Portuguese language, hinting that the attackers may have themselves been Brazilian.

    Total Takeover

    After around five hours, Kaspersky’s researchers believe, the bank regained control of its domains, likely by calling up NIC.br and convincing it to correct the DNS registrations. But just how many of the bank’s millions of customers were caught up in the DNS attack remains a mystery. Kaspersky says the bank hasn’t shared that information with the security firm, nor has it publicly disclosed the attack. But the firm says it’s possible that the attackers could have harvested hundreds of thousands or millions of customers’ account details not only from their phishing scheme and malware but also from redirecting ATM and point-of-sale transactions to infrastructure they controlled. “We really don’t know what was the biggest harm: malware, phishing, point-of-sale, or ATMs,” Bestuzhev says.

    And just how would NIC.br have lost control of the bank’s domains so catastrophically in the first place? Kaspersky points to a January blog post from NIC.br that admitted to a vulnerability in its website that would have in some circumstances allowed changes to clients’ settings. But NIC.br noted in its post that it had no evidence that the attack had been used. The post also refers vaguely to “recent episodes of major repercussions involving DNS server changes,” but attributes them to “social engineering attacks.”

    In a phone call, NIC.br’s technology director, Frederico Neves, disputed Kaspersky’s claim that all 36 of the bank’s domains had been hijacked. “I can assure that the numbers Kaspersky is putting out are speculation,” Neves said. He denied that NIC.br had been “hacked.” But he conceded that accounts may have been altered due to phishing or via customers’ compromised email, adding that “any registry the size of ours has compromises of user accounts regularly.”

    Kaspersky’s Bestuzhev argues that, for banks, the incident should serve as a clear warning to check on the security of their DNS. He notes that half of the top 20 banks ranked by total assets don’t manage their own DNS, instead leaving it in the hands of a potentially hackable third party. And regardless of who controls a bank’s DNS, they can take special precautions to prevent their DNS registrations from being changed without safety checks, like a “registry lock” some registrars provide and two-factor authentication that makes it far harder for hackers to alter them.

    Without those simple precautions, the Brazilian heist shows how quickly a domain switch can undermine practically all other security measures a company might implement. Your encrypted website and locked down network won’t help when your customers are silently routed to a bizarro version deep in the web’s underbelly.

    https://www.wired.com/2017/04/hacker...ine-operation/
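    The article's closing advice (registry lock, two-factor authentication at the registrar) is about preventing a change; the complementary control is noticing one quickly, since the five-hour window described above was only closed once the redirect was spotted from outside. The script below is an added example, not code from the Wired article, Kaspersky or the bank: it compares a baseline of the records the bank's own authoritative servers should serve (NS, A, MX) against a snapshot of what resolvers actually return, and treats a changed NS set as the most severe finding because it means the whole zone was redelegated. Every domain, name server and address in it is a constructed placeholder (RFC 2606 / RFC 5737 ranges); in production the observed snapshot would be filled from live queries against several independent resolvers.

```python
"""Flag drift between a baseline of expected DNS records and a snapshot of
what resolvers actually return for a set of domains.

All domains, name servers and addresses here are constructed
placeholders (RFC 5737 / RFC 2606 ranges), not a real bank's records.
In production OBSERVED_SNAPSHOT would be filled from live queries
against several independent resolvers; here it is a fixed snapshot."""

import ipaddress
from dataclasses import dataclass

# Baseline: what the zones should look like while the bank controls them.
EXPECTED = {
    "bank.example": {
        "NS": {"ns1.bank.example.", "ns2.bank.example."},
        "A": {"198.51.100.10"},
        "MX": {"mail.bank.example."},
    },
    "mobile.bank.example": {
        "NS": {"ns1.bank.example.", "ns2.bank.example."},
        "A": {"198.51.100.20"},
    },
}

# Constructed snapshot in which one zone has been redelegated elsewhere.
OBSERVED_SNAPSHOT = {
    "bank.example": {
        "NS": ["ns1.bank.example.", "ns2.bank.example."],
        "A": ["198.51.100.10"],
        "MX": ["mail.bank.example."],
    },
    "mobile.bank.example": {
        "NS": ["ns-a.third-party.example."],
        "A": ["203.0.113.7"],
    },
}

# Address space the bank's public services are expected to live in (constructed).
OWN_NETBLOCKS = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class Finding:
    domain: str
    rrtype: str
    expected: frozenset
    observed: frozenset

    @property
    def severity(self) -> str:
        # A changed NS set means the whole zone has been redelegated,
        # so every other record under it is now served by someone else.
        return "critical" if self.rrtype == "NS" else "high"


def compare_records(expected, observed):
    """Return one Finding per (domain, rrtype) whose observed set differs."""
    findings = []
    for domain, records in expected.items():
        seen = observed.get(domain, {})  # a missing domain differs on every type
        for rrtype, want in records.items():
            got = frozenset(seen.get(rrtype, ()))
            if got != frozenset(want):
                findings.append(Finding(domain, rrtype, frozenset(want), got))
    return findings


def outside_own_netblocks(addresses, netblocks=OWN_NETBLOCKS):
    """Return the addresses that do not fall inside any of the given netblocks."""
    return sorted(
        a for a in addresses
        if not any(ipaddress.ip_address(a) in net for net in netblocks)
    )


def report(findings):
    """Human-readable lines, highest severity first."""
    order = {"critical": 0, "high": 1}
    lines = []
    for f in sorted(findings, key=lambda f: (order[f.severity], f.domain, f.rrtype)):
        extra = ""
        if f.rrtype == "A":
            foreign = outside_own_netblocks(f.observed)
            if foreign:
                extra = " (outside own netblocks: %s)" % ", ".join(foreign)
        lines.append("%s %s %s expected=%s observed=%s%s" % (
            f.severity.upper(), f.domain, f.rrtype,
            sorted(f.expected), sorted(f.observed), extra))
    return lines


if __name__ == "__main__":
    for line in report(compare_records(EXPECTED, OBSERVED_SNAPSHOT)):
        print(line)
```

    Run against the constructed snapshot it prints one CRITICAL line for the redelegated NS set of mobile.bank.example and one HIGH line for its A record, noting that 203.0.113.7 sits outside the bank's netblocks. Querying from resolvers the bank does not operate matters here: during an incident like this one, the bank's own resolvers may still hold cached, correct answers for the full TTL.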

  2. #2 WHT-BR Top Member (Join Date: Dec 2010, Posts: 18,573)

    Lessons From Top-to-Bottom Compromise of Brazilian Bank

    Michael Mimoso
    April 4, 2017

    For three months starting last October, hackers pulled off a stunning compromise of a Brazilian bank’s operations top-to-bottom. The attack was comprehensive with each of the bank’s 36 domains, corporate email and DNS under the attacker’s control.

    Once Kaspersky Lab researchers Fabio Assolini and Dmitry Bestuzhev dug under the covers of this attack, they discovered that the attackers had extended their operations to nine other institutions worldwide, the researchers said today at the Security Analyst Summit.

    At the outset, this looked like a site hijacking, but Assolini and Bestuzhev quickly discovered that much more was happening. The caper was uncovered last Oct. 22 when it was apparent the bank’s website was serving malware to each of its visitors. The malware was a Java file tucked inside a .zip archive loaded into the index file.

    “Every single visitor got a plugin with the JAR file inside,” Bestuzhev said, adding that the attackers had control of the site’s index file. Within the index, an iframe was loaded and it was redirecting visitors to a website from where the malware was being dropped.

    “We were wondering, had the bad guys pwned the whole bank? How is this possible?” Bestuzhev said.

    Digging deeper, the researchers found the homepage was displaying a valid SSL certificate from Let’s Encrypt, a free Certificate Authority.

    “This happened one day before the attack,” Bestuzhev said. “This seemed very interesting for us.”

    The depths of the compromise quickly became apparent. All 36 bank domains were under the attackers’ control, including the online, mobile, point-of-sale, financing and acquisitions, and more.

    “All domains, including corporate domains, were in control of the bad guy,” Assolini said, adding that the attackers also were inside the corporate email infrastructure and shut it down, preventing the bank from informing customers of the attack or contacting their registrar and DNS provider.

    Assolini, a native Brazilian, said the bank was founded in the early 20th Century and manages 500 branches in Brazil, the U.S., Argentina and Grand Cayman; there are 5 million customers and $25 billion in assets under the bank’s control.

    Pulling the malware apart, the researchers found eight modules, including configuration files with bank URLs, update modules, credential-stealing modules for Microsoft Exchange, Thunderbird, and the local address book, and internet banking control and decryption modules. All of the modules, the researchers said, were talking to a command and control server in Canada.

    One of the modules, called Avenger, is a legitimate penetration testing tool used to remove rootkits. But in this case, it had been modified to remove security products running on compromised computers. It was through Avenger that the researchers determined that nine other banks around the world were similarly attacked and owned.

    “The bad guys wanted to use that opportunity to hijack operations of the original bank but also drop malware with the capacity to steal money from banks of other countries,” Bestuzhev said.

    The researchers also reported finding phishing pages loaded onto bank domains trying to induce victims to enter payment card information.

    This plot was hatched at least five months in advance when the Let’s Encrypt certificate was registered. Spear-phishing emails were also discovered targeting local companies using the name of the Brazilian registrar.

    This could be the avenue the attackers used to run the bank’s DNS settings; at one point they were able to redirect bank traffic to their servers.

    “Imagine if one employee is phished and the attackers had access to the DNS tables, man that would be very bad,” Bestuzhev said. “If DNS was under control of the criminals, you’re screwed.”

    The researchers stressed the importance of securing the DNS infrastructure and the need to take advantage of features such as two-factor authentication, which most registrars offer, but few customers use, the researchers said.

    “That’s exactly what happened with this bank,” Assolini said.

    https://threatpost.com/lessons-from-...n-bank/124770/
    Last edited by 5ms; 05-04-2017 at 11:06.
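    The Threatpost piece describes the tell that first exposed the compromise: the homepage's index file carried an iframe pulling content from elsewhere, and every visitor was offered a .zip "plugin" containing a JAR. Checking a fetched copy of your own homepage for exactly those two signs is cheap to automate. The script below is an added example, not code from the article or from Kaspersky: it parses a saved index page with the standard library, lists framed or scripted content loaded from hosts outside the site's own, lists links to executable archives, and fingerprints the page so it can be compared with a known-good hash. The HTML, host names and URLs are constructed placeholders.

```python
"""Scan a saved copy of a homepage for signs that its index file has been
tampered with: framed or scripted content loaded from outside the site's
own hosts, and links offering executable archives.

The HTML, host names and URLs below are constructed for this example."""

import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site is allowed to load content from (constructed).
OWN_HOSTS = {"bank.example", "www.bank.example"}

# Constructed index page with one injected hidden iframe and an archive download.
CONSTRUCTED_INDEX_HTML = """<html><head><title>Bank</title>
<script src="/static/app.js"></script></head><body>
<h1>Welcome</h1>
<p>Install our security plugin: <a href="/download/seguranca.zip">plugin</a></p>
<iframe src="http://203.0.113.5/plugin/" width="0" height="0"></iframe>
</body></html>"""

CLEAN_INDEX_HTML = """<html><head><title>Bank</title>
<script src="/static/app.js"></script></head><body><h1>Welcome</h1></body></html>"""

ARCHIVE_SUFFIXES = (".zip", ".jar", ".exe", ".msi")


class IndexScanner(HTMLParser):
    """Collect external content loads and archive download links."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.external_loads = []   # (tag, url) loaded from a foreign host
        self.archive_links = []    # hrefs ending in an executable archive suffix

    def _is_own(self, url):
        host = urlparse(url).hostname
        if host is None:           # relative URL: same origin as the page
            return True
        host = host.lower()
        return host in self.own_hosts or any(
            host.endswith("." + own) for own in self.own_hosts)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "frame", "script", "embed", "object") and a.get("src"):
            if not self._is_own(a["src"]):
                self.external_loads.append((tag, a["src"]))
        if tag == "a" and a.get("href"):
            if urlparse(a["href"]).path.lower().endswith(ARCHIVE_SUFFIXES):
                self.archive_links.append(a["href"])


def scan_index(html, own_hosts=OWN_HOSTS):
    """Return the suspicious elements found in one saved index page."""
    scanner = IndexScanner(own_hosts)
    scanner.feed(html)
    scanner.close()
    return {"external_loads": scanner.external_loads,
            "archive_links": scanner.archive_links}


def fingerprint(html):
    """SHA-256 of the page body, for comparison with a known-good value."""
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


def changed_since_baseline(html, baseline_hex):
    return fingerprint(html) != baseline_hex


if __name__ == "__main__":
    baseline = fingerprint(CLEAN_INDEX_HTML)
    print("changed:", changed_since_baseline(CONSTRUCTED_INDEX_HTML, baseline))
    print(scan_index(CONSTRUCTED_INDEX_HTML))
```

    The fingerprint alone would have fired for any edit, legitimate or not; the element scan says why it fired. Fetch the page from outside your own network, because a DNS-level redirect like the one in this thread is invisible to a check that resolves through resolvers still holding the cached, correct answer.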

  3. #3 WHT-BR Top Member (Join Date: Dec 2010, Posts: 18,573)

    Hackers take over bank's DNS system

    Iain Thomson
    5 Apr 2017

    Rather than picking off online banking customers one by one, ambitious hackers took control of a Brazilian bank's entire DNS infrastructure to rob punters blind.

    The heist, detailed by security engineers at Kaspersky Lab, took place over about five hours on Saturday October 22, 2016, after the miscreants managed to get control of the bank's DNS hosting service using targeted attacks. They managed to transfer all 36 of the bank's domains to phony websites that used free HTTPS certs from Let's Encrypt. These sites masqueraded as the bank's legit online services, tricking marks into believing the malicious servers were the real deal. That allowed the crims to steal customers' usernames and passwords as they were typed into the sites' login boxes.

    "All domains, including corporate domains, were in control of the bad guy," said Fabio Assolini, a senior security researcher at Kaspersky, in a blog post. He said the attackers also took over the bank's email servers so that staff couldn't warn customers not to log in.

    During the attack, every time a customer logged in, they were handing over their details to the attackers, all of which were sent off to a command and control server in Canada. In addition, the dummy websites dropped malware onto each visitor's computer in the form of .zip'd Java plugin files: clicking on those would start an infection on machines capable of running the malicious code.

    The malware had eight separate modules, covering abilities like credential-stealing for Microsoft Exchange, Thunderbird, and the local address book, updating systems, and a program called Avenger. This software is a legitimate rootkit removal tool that had been modified to shut down security software on any computer that downloaded it.

    "The bad guys wanted to use that opportunity to hijack operations of the original bank, but also drop malware with the capacity to steal money from banks of other countries," said Dmitry Bestuzhev, director of Kaspersky Lab's global research and analysis team in Latin America.

    The burst of malware did set off alarms elsewhere, and the source was traced back to the bank. Security staff managed to get the original DNS credentials restored to the bank, however the attack shows the importance of managing such things much more tightly.

    "Imagine if one employee is phished and the attackers had access to the DNS tables, man that would be very bad," Bestuzhev said. "If DNS was under control of the criminals, you're screwed."

    https://www.theregister.co.uk/2017/0...ks_dns_system/

  4. #4 WHT-BR Top Member (Join Date: Jul 2011, Posts: 1,161)
    A few flights of fancy:
    - They knew the CSRF bug was not exploited in this case; it had been widely reported that the only case was reverted almost instantly by the affected user himself.
    - Let's Encrypt certificates are valid for only a short time, so they could only have issued a certificate from the moment they gained control of the domain; they did not request that certificate 6 months earlier.
    - No bank in its right mind uses the DNS bundled with the service, which is limited and has a very high TTL (24h); this bank was no exception, and had and still has its own authoritative DNS servers, both at the time of the incident and now.

  5. #5 WHT-BR Top Member (Join Date: Dec 2010, Posts: 18,573)
    Registro.br security

    Started by 5ms, 30-05-2016 13:56

  7. #7 WHT-BR Top Member (Join Date: Dec 2010, Posts: 18,573)

    ICYMI: Banrisul bank website redirected to fake page

    Redirected page at the address 'banrisul.com.br'. (Photo: Reproduction/@assolini)

    Altieres Rohr
    24/10/2016

    The website of Banco do Estado do Rio Grande do Sul (Banrisul) had a problem on Saturday (22) that caused the address "Banrisul.com.br" to be redirected to a site controlled by third parties. The page offered the download of a file which, if executed, installed a banking password stealer on the computer and also tried to remove several antivirus programs so that the code would not be identified.

    Contacted by G1's Segurança Digital column, Banrisul stated that "there was a problem external to Banrisul's technology infrastructure, related to the internet access domain. The problem was identified and resolved with the technical measures adopted".

    The case was reported around noon on Saturday in the Network Engineering and Operations Working Group (GTER), frequented by network administrators. Fabio Assolini, virus analyst at antivirus maker Kaspersky Lab, posted an image of the scam on Twitter, also on Saturday, showing the fraud.

    "@Banrisul customers, do not install the file offered on the home page; this .ZIP is not a plugin but a banking trojan, the site has been compromised," Assolini tweeted.

    To convince visitors to download and install the malicious file, the site said it was a "security mechanism" offered by the bank. But the file offered had no connection to the component in question. Instead, it was a piece of malware that steals passwords.

    According to the Kaspersky Lab analyst and the members of the GTER list who followed the case, the intruders gained access to the account used to manage the address "Banrisul.com.br" at the Registro.br service. That access allowed the wrongdoers to change a network setting and send visitors to a site of their choosing, outside the bank's infrastructure.

    Although Banrisul's statement confirmed a problem with the domain registration, the bank did not reveal how the intruders obtained access.

    http://g1.globo.com/tecnologia/blog/...ina-falsa.html

  8. #8 WHT-BR Top Member (Join Date: Jul 2011, Posts: 1,161)
    Certificates issued:

    https://crt.sh/?id=47675898
    https://crt.sh/?id=47630635

    Search for certificates issued at any time:
    https://crt.sh/?q=%25banrisul.com.br
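    The crt.sh links above are the manual form of Certificate Transparency monitoring, and they are what settles the argument in #4 about when a certificate was obtained: the log entry carries the issuer and the validity window. The script below is an added example, not code from this thread or from crt.sh: it takes records in the field layout crt.sh's JSON output uses (id, issuer_name, name_value with one name per line, not_before, not_after) and flags issuances the domain owner did not order, meaning an issuer outside the allowlist, names missing from the asset inventory, or a wildcard. The records, issuer strings and domain names are constructed for the example, not real log entries.

```python
"""Review Certificate Transparency records for a domain and flag issuances
the domain owner did not expect: unfamiliar issuers, names missing from
the asset inventory, wildcards.

Field names (id, issuer_name, name_value, not_before, not_after) follow
crt.sh's JSON output. The records, issuer strings and domain names are
constructed for this example, not real log entries."""

import json
from datetime import datetime

# Constructed stand-in for the JSON returned by a crt.sh query.
SAMPLE_CT_JSON = json.dumps([
    {"id": 1001,
     "issuer_name": "C=XX, O=Bank Contracted CA (constructed), CN=Bank CA G1",
     "name_value": "www.bank.example\nbank.example",
     "not_before": "2016-03-01T09:00:00", "not_after": "2018-03-01T09:00:00"},
    {"id": 1002,
     "issuer_name": "C=XX, O=Free CA (constructed), CN=Free CA X1",
     "name_value": "bank.example\nmobile.bank.example",
     "not_before": "2016-10-21T14:05:00", "not_after": "2017-01-19T14:05:00"},
    {"id": 1003,
     "issuer_name": "C=XX, O=Free CA (constructed), CN=Free CA X1",
     "name_value": "*.bank.example",
     "not_before": "2016-04-10T08:00:00", "not_after": "2016-07-09T08:00:00"},
])

# Substrings that must appear in the issuer DN of a certificate the bank ordered.
ALLOWED_ISSUERS = {"CN=Bank CA G1"}
# Hostnames the bank knows it operates (constructed inventory).
KNOWN_NAMES = {"bank.example", "www.bank.example", "mobile.bank.example"}


def parse_records(raw_json):
    return json.loads(raw_json)


def san_names(record):
    """crt.sh joins a certificate's names with newlines in name_value."""
    return [n.strip().lower() for n in record["name_value"].split("\n") if n.strip()]


def issuer_allowed(issuer_name, allowed=ALLOWED_ISSUERS):
    return any(token in issuer_name for token in allowed)


def validity_days(record):
    """Length of the validity window; short windows point at automated CAs."""
    not_before = datetime.fromisoformat(record["not_before"])
    not_after = datetime.fromisoformat(record["not_after"])
    return (not_after - not_before).days


def review(records, allowed=ALLOWED_ISSUERS, known=KNOWN_NAMES):
    """Return one finding per record that needs a human to look at it."""
    findings = []
    for record in records:
        names = san_names(record)
        reasons = []
        if not issuer_allowed(record["issuer_name"], allowed):
            reasons.append("issuer not in allowlist")
        unknown = sorted(n for n in names if n not in known)
        if unknown:
            reasons.append("names not in inventory: " + ", ".join(unknown))
        if any(n.startswith("*.") for n in names):
            reasons.append("wildcard certificate")
        if reasons:
            findings.append({
                "id": record["id"],
                "issuer": record["issuer_name"],
                "names": names,
                "not_before": record["not_before"],
                "validity_days": validity_days(record),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in review(parse_records(SAMPLE_CT_JSON)):
        print(finding["id"], finding["not_before"], finding["reasons"])
```

    On the constructed records it flags entry 1002 (an issuer the bank never contracted, obtained the day before the incident date in the constructed data) and 1003 (a wildcard not in the inventory); entry 1001 passes. Feeding the script a real crt.sh export is a matter of replacing SAMPLE_CT_JSON; the allowlist and inventory are the part a domain owner has to maintain.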
