Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Bank Fraud Toolkit Circumvents 2FA & Device Identification
Newest First  |  Oldest First  |  Threaded View
aws0513
50%
50%
aws0513,
User Rank: Ninja
1/16/2015 | 9:26:45 AM
Re: Workaround: Block web access
Good points all around @Spikes.
I also see where application whitelisting would be a major mitigation solution for this kind of malicious toolkit. 
The downside is that the solutions we describe require the end user to be technically savvy to implement... and that is assuming they would want to spend the time...  and in some cases money...  to do so.
Spikes
50%
50%
Spikes,
User Rank: Apprentice
1/15/2015 | 8:02:37 PM
Workaround: Block web access
I put a lot of emphasis on preventing this sort of malicious software from getting there in the first place, but once your endpoint has been infected by malware, things get dicy fast.  If you can't trust the sanctity of your endpoint device (phone/laptop/PC), you've really lost all hope of being secure.  But, I do have a couple suggestions for people scared of what to do about this sort of malware threat.

One option, as Scott points out above, is to have some clever next-gen 2FA mechanism for your banking sites, but let's face it that's just not ubiquitous yet so not a very real solution for an enterprise or your average user.  I do however applaud new approaches to authentication which protect against these "virtual mugging" (and for the record, I love this clever terminology, did you come up with this one Sara?) attacks, and hope they grain traction and become widespread.

But what if you assume you've got this kind of malware on your system now.  What would you do?  How about this.. Block web access.  Just don't surf the web anymore, problem solved, right?  

Well okay, that's just not practical.  However, you could whitelist your trusted sites perhaps.  But my advice is to isolate your browser to a virtual machine and use a firewall to block web access for your endpoint entirely.  Allowing only the isolated browser instance to communicate out on 80/443.  If done well, pre-existing malware would not be able to communicate to its command & control servers, and this kind of threat is suddenly dead in its tracks.
TextPower
100%
0%
TextPower,
User Rank: Strategist
1/15/2015 | 4:01:31 PM
Bypassing 2FA depends on the *type* of 2FA
FULL DISCLOSURE: I am the co-founder and CEO of an authentication platform company 

Thanks for writing a solid article about KL-Remote.  In the never ending game of cat-and-mouse between hackers and security, chalk up another one for the hackers.

I do want to note one thing, though.  Your article states that the KL-Remote circumvents 2FA and that's true - most of the time.  It depends on the type of 2FA.  My company's 2FA platform (TextKey) takes the standard SMS 2FA and turns it on its head: a message is sent *from* the phone rather than to it and a secure connection occurs between our server and the website server completely outside the browser environment.  

This method of sending an authentication text from the phone is infinitely more secure than current methods.  It eliminates man-in-the-middle/browser attacks as well as eliminating the potential interception of the SMS sent to the phone.  As a result this type of authentication is impervious to a KL-Remote attack.  

We've built our own authentication product on the platform to demonstrate its security and effectiveness.  "SnapID" authenticates using the TextKey platform and at the same time completely eliminates the need for any user ID or password when logging into a SnapID-enabled website.  No hacks and no hassles.

In short, different flavors of 2FA have different levels of protection.  
aws0513
50%
50%
aws0513,
User Rank: Ninja
1/15/2015 | 3:31:22 PM
Re: Very creepy..
Agreed...  fascinating and scary at the same time.

I am particularly interested in the ports, protocols, and traffic involved in the malware client operations.
I would expect the client would be designed to run on common ports and protocols to avoid any firewall or intrusion detection systems.

 
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/15/2015 | 2:53:35 PM
Very creepy..
this gives me the shivers, thinking about what could be lurking behind, inside, over my shoulder when I am navigating a bank transaction. Sara, did IBM Security Trusteer provide any information about how many transactions were hijacked,or machines effected?


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises Are Assessing Cybersecurity Risk in Today's Environment
The adoption of cloud services spurred by the COVID-19 pandemic has resulted in pressure on cyber-risk professionals to focus on vulnerabilities and new exposures that stem from pandemic-driven changes. Many cybersecurity pros expect fundamental, long-term changes to their organization's computing and data security due to the shift to more remote work and accelerated cloud adoption. Download this report from Dark Reading to learn more about their challenges and concerns.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-46547
PUBLISHED: 2022-01-27
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via /usr/local/bin/mjs+0x2c17e. This vulnerability can lead to a Denial of Service (DoS).
CVE-2021-46548
PUBLISHED: 2022-01-27
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via add_lineno_map_item at src/mjs_bcode.c. This vulnerability can lead to a Denial of Service (DoS).
CVE-2021-46549
PUBLISHED: 2022-01-27
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via parse_cval_type at src/mjs_ffi.c. This vulnerability can lead to a Denial of Service (DoS).
CVE-2021-46550
PUBLISHED: 2022-01-27
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via free_json_frame at src/mjs_json.c. This vulnerability can lead to a Denial of Service (DoS).
CVE-2021-46553
PUBLISHED: 2022-01-27
Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_set_internal at src/mjs_object.c. This vulnerability can lead to a Denial of Service (DoS).