One Article Review
| Source |  SecurityWeek |
|---|---|
| Identifiant | 519655 |
| Date de publication | 2018-03-16 15:26:00 (vue: 2018-03-16 15:26:00) |
| Titre | PinkKite POS Malware Is Small but Powerful (Recyclage) |
| Texte | A newly discovered piece of malware targeting point-of-sale (POS) systems has a very small size but can do a lot on the infected systems, security researchers reveal. Called PinkKite, the POS malware was observed last year as part of a large campaign that ended in December, but was only detailed last week at Kaspersky Lab's Security Analyst Summit (SAS). Discovered by researchers at Kroll Cyber Security, the malware is believed to have appeared last year for the first time. Similar to previously observed POS malware families such as TinyPOS and AbaddonPOS, the new PinkKite has a very small size (it is less than 6kb) and uses its tiny footprint to evade detection. Despite this, however, the malware includes memory-scraping and data validation capabilities. Furthermore, Courtney Dayter and Matt Bromiley, who detailed the threat at last week's SAS 2018, reveal that PinkKite uses a hardcoded double-XOR cipher to encrypt credit card numbers. It also features built-in persistence mechanisms, and a backend infrastructure that leverages a clearinghouse to exfiltrate data to (POS malware typically sends data to the command and control (C&C) server). In fact, the PinkKite operators used three clearinghouses (or depots) that the malware sent data to in the observed campaign. These were located in South Korea, Canada and the Netherlands, the researchers revealed. The use of clearinghouses likely made the data collection easier and allowed operators to distance themselves from the terminals, but it also made the operation very noisy. For distribution purposes, the attackers likely infected a system and then moved laterally across the targeted company's network environment using PsExec. Next, the hackers used Mimikatz to extract credentials from the Local Security Authority Subsystem Service (LSASS), and then connected to the compromised systems to steal credit card data via a Remote Desktop Protocol (RDP) session. The PinkKite executable, the researchers discovered, attempts to pass as a legitimate Windows program and uses names such as Svchost.exe, Ctfmon.exe and AG.exe for that. Different versions of the malware exist, including a whitelist variant that specifically targets processes in a list, and a blacklist iteration that instead ignores certain processes. After scrapping credit card data from the system memory, PinkKite validates card numbers using a Luhn algorithm. It also employs a double-XOR operation to e |
| Envoyé | Oui |
| Condensat | 2018 already android apps april bay billion but certificates ciso conference cyber cybercrime daily digicertqrypter discovered forum google half hits hundreds ics industry links majority malware moon news oct organizations over pinkkite pos powerful rat register replaced: reviews security singapore small sponsored symantec tags: threats usa vast virus worldwidenew “henbox” |
| Tags | |
| Stories | |
| Notes | |
| Move | 
|
Les reprises de l'article (1):
| Source | SecurityWeek |
|---|---|
| Identifiant | 516129 |
| Date de publication | 2018-03-15 12:35:04 (vue: 2018-03-15 12:35:04) |
| Titre | Vast Majority of Symantec Certificates Already Replaced: DigiCert |
| Texte | Less than 1% of the top 1 million websites have yet to replace Symantec-issued certificates before major browsers distrust them, DigiCert announced this week. Last year, DigiCert bought the Certification Authority (CA) business run by Symantec, one of the oldest and largest CAs, after a series of issues observed over the past couple of years triggered major browser vendors to announce plans to remove trust in digital certificates issued by the CA. Later this year, both Chrome and Firefox will stop trusting certificates issued by Symantec, and others might follow suite. The move will affect all certificates issued before DigiCert acquired the Symantec CA division, including those issued under the GeoTrust, RapidSSL, Thawte, and VeriSign brands. DigiCert, which said last year |
| Envoyé | Oui |
| Condensat | already certificates digicert industry infrastructure links majority news replaced: security sponsored symantec tags: vast |
| Tags | |
| Stories | |
| Notes | |
| Move |
|
L'article ne semble pas avoir été repris sur un précédent.