Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Bank Fraud Toolkit Circumvents 2FA & Device Identification
Oldest First  |  Newest First  |  Threaded View
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/15/2015 | 2:53:35 PM
Very creepy..
this gives me the shivers, thinking about what could be lurking behind, inside, over my shoulder when I am navigating a bank transaction. Sara, did IBM Security Trusteer provide any information about how many transactions were hijacked,or machines effected?
aws0513
50%
50%
aws0513,
User Rank: Ninja
1/15/2015 | 3:31:22 PM
Re: Very creepy..
Agreed...  fascinating and scary at the same time.

I am particularly interested in the ports, protocols, and traffic involved in the malware client operations.
I would expect the client would be designed to run on common ports and protocols to avoid any firewall or intrusion detection systems.

 
TextPower
100%
0%
TextPower,
User Rank: Strategist
1/15/2015 | 4:01:31 PM
Bypassing 2FA depends on the *type* of 2FA
FULL DISCLOSURE: I am the co-founder and CEO of an authentication platform company 

Thanks for writing a solid article about KL-Remote.  In the never ending game of cat-and-mouse between hackers and security, chalk up another one for the hackers.

I do want to note one thing, though.  Your article states that the KL-Remote circumvents 2FA and that's true - most of the time.  It depends on the type of 2FA.  My company's 2FA platform (TextKey) takes the standard SMS 2FA and turns it on its head: a message is sent *from* the phone rather than to it and a secure connection occurs between our server and the website server completely outside the browser environment.  

This method of sending an authentication text from the phone is infinitely more secure than current methods.  It eliminates man-in-the-middle/browser attacks as well as eliminating the potential interception of the SMS sent to the phone.  As a result this type of authentication is impervious to a KL-Remote attack.  

We've built our own authentication product on the platform to demonstrate its security and effectiveness.  "SnapID" authenticates using the TextKey platform and at the same time completely eliminates the need for any user ID or password when logging into a SnapID-enabled website.  No hacks and no hassles.

In short, different flavors of 2FA have different levels of protection.  
Spikes
50%
50%
Spikes,
User Rank: Apprentice
1/15/2015 | 8:02:37 PM
Workaround: Block web access
I put a lot of emphasis on preventing this sort of malicious software from getting there in the first place, but once your endpoint has been infected by malware, things get dicy fast.  If you can't trust the sanctity of your endpoint device (phone/laptop/PC), you've really lost all hope of being secure.  But, I do have a couple suggestions for people scared of what to do about this sort of malware threat.

One option, as Scott points out above, is to have some clever next-gen 2FA mechanism for your banking sites, but let's face it that's just not ubiquitous yet so not a very real solution for an enterprise or your average user.  I do however applaud new approaches to authentication which protect against these "virtual mugging" (and for the record, I love this clever terminology, did you come up with this one Sara?) attacks, and hope they grain traction and become widespread.

But what if you assume you've got this kind of malware on your system now.  What would you do?  How about this.. Block web access.  Just don't surf the web anymore, problem solved, right?  

Well okay, that's just not practical.  However, you could whitelist your trusted sites perhaps.  But my advice is to isolate your browser to a virtual machine and use a firewall to block web access for your endpoint entirely.  Allowing only the isolated browser instance to communicate out on 80/443.  If done well, pre-existing malware would not be able to communicate to its command & control servers, and this kind of threat is suddenly dead in its tracks.
aws0513
50%
50%
aws0513,
User Rank: Ninja
1/16/2015 | 9:26:45 AM
Re: Workaround: Block web access
Good points all around @Spikes.
I also see where application whitelisting would be a major mitigation solution for this kind of malicious toolkit. 
The downside is that the solutions we describe require the end user to be technically savvy to implement... and that is assuming they would want to spend the time...  and in some cases money...  to do so.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Enterprises are Attacking the Cybersecurity Problem
Concerns over supply chain vulnerabilities and attack visibility drove some significant changes in enterprise cybersecurity strategies over the past year. Dark Reading's 2021 Strategic Security Survey showed that many organizations are staying the course regarding the use of a mix of attack prevention and threat detection technologies and practices for dealing with cyber threats.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3454
PUBLISHED: 2021-10-19
Truncated L2CAP K-frame causes assertion failure. Zephyr versions >= 2.4.0, >= v.2.50 contain Improper Handling of Length Parameter Inconsistency (CWE-130), Reachable Assertion (CWE-617). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-fx88-6c29-...
CVE-2021-3455
PUBLISHED: 2021-10-19
Disconnecting L2CAP channel right after invalid ATT request leads freeze. Zephyr versions >= 2.4.0, >= 2.5.0 contain Use After Free (CWE-416). For more information, see https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-7g38-3x9v-v7vp
CVE-2021-41150
PUBLISHED: 2021-10-19
Tough provides a set of Rust libraries and tools for using and generating the update framework (TUF) repositories. The tough library, prior to 0.12.0, does not properly sanitize delegated role names when caching a repository, or when loading a repository from the filesystem. When the repository is c...
CVE-2021-31378
PUBLISHED: 2021-10-19
In broadband environments, including but not limited to Enhanced Subscriber Management, (CHAP, PPP, DHCP, etc.), on Juniper Networks Junos OS devices where RADIUS servers are configured for managing subscriber access and a subscriber is logged in and then requests to logout, the subscriber may be fo...
CVE-2021-31379
PUBLISHED: 2021-10-19
An Incorrect Behavior Order vulnerability in the MAP-E automatic tunneling mechanism of Juniper Networks Junos OS allows an attacker to send certain malformed IPv4 or IPv6 packets to cause a Denial of Service (DoS) to the PFE on the device which is disabled as a result of the processing of these pac...