Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Bank Fraud Toolkit Circumvents 2FA & Device Identification
Threaded  |  Newest First  |  Oldest First
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
1/15/2015 | 2:53:35 PM
Very creepy..
this gives me the shivers, thinking about what could be lurking behind, inside, over my shoulder when I am navigating a bank transaction. Sara, did IBM Security Trusteer provide any information about how many transactions were hijacked,or machines effected?
aws0513
50%
50%
aws0513,
User Rank: Ninja
1/15/2015 | 3:31:22 PM
Re: Very creepy..
Agreed...  fascinating and scary at the same time.

I am particularly interested in the ports, protocols, and traffic involved in the malware client operations.
I would expect the client would be designed to run on common ports and protocols to avoid any firewall or intrusion detection systems.

 
TextPower
100%
0%
TextPower,
User Rank: Strategist
1/15/2015 | 4:01:31 PM
Bypassing 2FA depends on the *type* of 2FA
FULL DISCLOSURE: I am the co-founder and CEO of an authentication platform company 

Thanks for writing a solid article about KL-Remote.  In the never ending game of cat-and-mouse between hackers and security, chalk up another one for the hackers.

I do want to note one thing, though.  Your article states that the KL-Remote circumvents 2FA and that's true - most of the time.  It depends on the type of 2FA.  My company's 2FA platform (TextKey) takes the standard SMS 2FA and turns it on its head: a message is sent *from* the phone rather than to it and a secure connection occurs between our server and the website server completely outside the browser environment.  

This method of sending an authentication text from the phone is infinitely more secure than current methods.  It eliminates man-in-the-middle/browser attacks as well as eliminating the potential interception of the SMS sent to the phone.  As a result this type of authentication is impervious to a KL-Remote attack.  

We've built our own authentication product on the platform to demonstrate its security and effectiveness.  "SnapID" authenticates using the TextKey platform and at the same time completely eliminates the need for any user ID or password when logging into a SnapID-enabled website.  No hacks and no hassles.

In short, different flavors of 2FA have different levels of protection.  
Spikes
50%
50%
Spikes,
User Rank: Apprentice
1/15/2015 | 8:02:37 PM
Workaround: Block web access
I put a lot of emphasis on preventing this sort of malicious software from getting there in the first place, but once your endpoint has been infected by malware, things get dicy fast.  If you can't trust the sanctity of your endpoint device (phone/laptop/PC), you've really lost all hope of being secure.  But, I do have a couple suggestions for people scared of what to do about this sort of malware threat.

One option, as Scott points out above, is to have some clever next-gen 2FA mechanism for your banking sites, but let's face it that's just not ubiquitous yet so not a very real solution for an enterprise or your average user.  I do however applaud new approaches to authentication which protect against these "virtual mugging" (and for the record, I love this clever terminology, did you come up with this one Sara?) attacks, and hope they grain traction and become widespread.

But what if you assume you've got this kind of malware on your system now.  What would you do?  How about this.. Block web access.  Just don't surf the web anymore, problem solved, right?  

Well okay, that's just not practical.  However, you could whitelist your trusted sites perhaps.  But my advice is to isolate your browser to a virtual machine and use a firewall to block web access for your endpoint entirely.  Allowing only the isolated browser instance to communicate out on 80/443.  If done well, pre-existing malware would not be able to communicate to its command & control servers, and this kind of threat is suddenly dead in its tracks.
aws0513
50%
50%
aws0513,
User Rank: Ninja
1/16/2015 | 9:26:45 AM
Re: Workaround: Block web access
Good points all around @Spikes.
I also see where application whitelisting would be a major mitigation solution for this kind of malicious toolkit. 
The downside is that the solutions we describe require the end user to be technically savvy to implement... and that is assuming they would want to spend the time...  and in some cases money...  to do so.


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Data Breaches Affect the Enterprise
Data breaches continue to cause negative outcomes for companies worldwide. However, many organizations report that major impacts have declined significantly compared with a year ago, suggesting that many have gotten better at containing breach fallout. Download Dark Reading's Report "How Data Breaches Affect the Enterprise" to delve more into this timely topic.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20859
PUBLISHED: 2021-12-01
ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GSV firmware v2.11 and prior, WRC-19...
CVE-2021-20860
PUBLISHED: 2021-12-01
Cross-site request forgery (CSRF) vulnerability in ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and ...
CVE-2021-20861
PUBLISHED: 2021-12-01
Improper access control vulnerability in ELECOM LAN routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC...
CVE-2021-20862
PUBLISHED: 2021-12-01
Improper access control vulnerability in ELECOM routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-175...
CVE-2021-20863
PUBLISHED: 2021-12-01
OS command injection vulnerability in ELECOM routers (WRC-1167GST2 firmware v1.25 and prior, WRC-1167GST2A firmware v1.25 and prior, WRC-1167GST2H firmware v1.25 and prior, WRC-2533GS2-B firmware v1.52 and prior, WRC-2533GS2-W firmware v1.52 and prior, WRC-1750GS firmware v1.03 and prior, WRC-1750GS...