Data Wizards’ Magic Proved Too Strong at #SS18Hack

May 25, 2018



Author: Alastair Waldeck, Head of Marketing (Snode)

 

One month after the successful Ideathon was held in Johannesburg CBD, the Hackathon participants gathered once again for the main event at Vodacom World in Midrand, the #SS18Hack! In total, 42 infosec aspirants from all around the country arrived for a two-day event that would test their stamina, concentration, teamwork and coding abilities to the limit!

The theme of these year’s Hackathon was ‘Man vs Machine – Securing the future of business against an ever-changing threat landscape’; focusing, as the title suggests, on machine learning and creating a solution that could solve real-world security problems that continue to plague many organisations today.

The 11 teams arrived early on the morning off 22 May, full of energy and motivation, and immediately started getting to work on their ideas with the guidance from their respective mentors. By the evening of the 22nd, the participants had made themselves comfortable and settled down for a long night of hard work and coding.

When delegates from the Security Summit walked in the next day, the room was virtually unrecognisable; bean bags, energy drinks and snacks were scattered everywhere! The long-haul proved too much for some as they caught a quick power nap to give themselves the ability to push through the last few hours before the final presentations and judging. The participants truly had pulled out all the stops to ensure that they can keep going, keep coding, with their eyes constantly focused on the top spot!

At half-past two on day two, time was up! The teams now had to pitch their ideas to the judges in the hopes that what they had manage to create was good enough to earn them a place in the winner’s circle. Each team had 6 minutes to present followed by Q&A from the judges.

After all the pitches were complete, the judges went away to deliberate as the teams anxiously waited for the results. A few minutes later, it was done, the scores were tallied and the winners were known. Doreen Mokoena, Internet Governance Coordinator at .ZA Doman Name Authority had the honours of announcing the top teams.

In third place was team Knowzee who presented a solution that allowed individuals to determine whether or not they were sharing too much information on their social media accounts.

First and second place were neck-in-neck with the judges having to discuss long and hard in order to reach a consensus as to whom they believed should be the winner.

Moringa IT, a team from Kimberley, ultimately claimed second place. Their idea was a platform that utilised the power of IoT in order to assist farmers with the irrigation of their crops by sensing the moisture levels in the soil and allowing the irrigation systems to automatically determine when and for how long the crops should get irrigated.

The magic of team Data Wizards, however, proved to be too much as they claimed top spot at this year’s hackathon! Their solution was to prevent fraudulent activity in real-time at a transactional level. As a transaction occurs, each transaction would be assigned a risk score based on a several factors, this score would then determine whether or not the transaction should be accepted or declined.

The winning team walked away with R20 000, followed by the second and third teams receiving R10 000 and R5 000 respectively.

We would like to thank everyone who participated in the Hackathon for their hard work and dedication and for assisting in pulling off yet another successful event! Here’s to many more!

The #SS18Hack was sponsored by the Northern Cape Department of Economic Development and Tourism, Geekulcha, Snode, The Business Clinic, MTN and CISO Alliances.

Previous

Proof: SA Is First In Line For Emerging Advanced Attacks

May 21, 2018

Author: Alastair Waldeck, Head of Marketing (Snode)   In an article published by ITWeb last week, Nithen Naidoo (Snode Founder and CEO) stated that South Africa is often first in line for newly emerging, advanced attacks. Developing economies such as Bangladesh, Vietnam and South Africa are viewed as soft, and lucrative, targets by organised crime syndicates with highly advanced cyber capabilities due to the fact that they have not made the same kind of security investments as their developed nation counterparts. One of the interesting findings mentioned in the article was the increasing trend of Snode clients being affected by an old "commercial-grade" Trojan called FinSpy, which was widely reported in 2013. "The malware is not necessarily new but the attack vectors to deliver the malware are new and quite advanced. This is similar to the Terdot malware, which delivered the old Zeus Trojan.", stated Naidoo. At the same time we were detecting this type of activity within our SA client base, AlienVault’s Open Threat Exchange (OTX) reported the discovery of a new version of FinFisher, a malware that is currently evading notice and leveraging social media to threaten critics in Turkey and beyond. It is specifically coded in order to appear as simple criminal malware, however there are several forensic artefacts which provide a clear indication that the agent identified is in fact FinSpy. The most substantial change in this latest version when compared to the original FinSpy malware is the steps it has taken to address the failures that led to the original software’s discovery and acknowledgement by security researchers. FinSpy infects its targets by redirecting the user, when downloading an application, to a version of an application that is infected with the FinFisher malware. This then allows the attacker to perform several activities such as live surveillance through webcams and microphones, keylogging, and exfiltration of files. The fact that this trend of the new, emerging FinFisher malware was detected by the Snode Guardian Cybersecurity Platform at the same time as organisations abroad is proof that South Africa is indeed a prime target for new and advanced cyberattacks. The need for South African organisations to not only ensure that they have adequate security measures in place to detect, prevent and respond against these attacks but also to share their threat intelligence and disclose when and how they are being attacked, is now more crucial than ever. In this ever-changing technological landscape, organisations are forced to find new ways to increase their security posture and minimise their risk. The Snode Guardian cybersecurity platform utilises learning machines, mathematics, and a synergy between both human and artificial intelligence (Intelligence Amplification) to monitor, detect and proactively respond to all threats on every device within your network, from traditional network devices through to BYOD, cloud and IoT devices. Naidoo will be presenting at the upcoming ITWeb Security Summit, and delegates attending his talk will learn about the emerging threats we see in Snode's South African client environments, as well as the key issues affecting the majority of its South African clients. He will also discuss the defence strategies clients have used that best address these issues. The ITWeb Security Summit is southern Africa’s definitive conference and expo for information security, IT and business professionals. This year, over 70 expert speakers will deliver key insights across 7 tracks, including workshops and training courses during the expanded 5-day event. The ITWeb Security Summit will be staged at Vodacom World, Midrand, from 22 – 23 May 2018; and CTICC Cape Town on 29 May 2018. Focused and interactive workshops as well as in-depth training courses will be run in the days around the main conference and exhibition. For more information, go to www.securitysummit.co.za. For information on Security Summit Cape Town, click here.

Next

Standard Bank Business users are the targets in latest phishing attack

March 20, 2019

Author: Snode Technologies Security researchers at Snode Technologies, a cybersecurity and data analytics company based in Gauteng, have recently uncovered an ongoing malicious phishing attack specifically targeted at Standard Bank Business users. The victims of this attack received a mail, seemingly from Standard Bank, that informed them that they had outstanding payments due to SARS and, in order to view the details of this outstanding payment, they had to click on the attachment. At a quick glance, the mail could potentially fool, even more vigilant users, into believing that it could indeed be legitimate. All the “normal” Standard Bank branding and imagery is visible, and the sender’s email address appears to be a legitimate Standard Bank domain. So then, the question is how did these attackers manage to use a seemingly legitimate address, subsequently bypass spam filters, and still manage to trick users into filling in their details?  To understand this, Snode’s security researchers performed a deep-dive analysis to uncover the true method and motivation for this phishing attack. Header Analysis First, a deep header analysis was conducted on one of the emails received to understand just exactly how the attackers used a standardbank.co.za email address. What was found is that the attackers were using an unprotected open email relay service (ecoenergo.com.ua, mail.ecoenergo.com.ua, 109.251.204.43) to spoof the sender address as “Standard Bank <ibsupport@standardbank.co.za>” This top-level domain (standardbank.co.za) was specifically crafted to bypass technical controls like spam filters. Spam Filter Pass Through Secondly, in order to understand how this attack bypassed the spam filters, it’s important to understand that spam filters will, in most cases, allow spoofed emails through if the *SPF (Sender Policy Framework) check results in a “Pass” or “Soft Fail”.  In this attempt, it was found that the attacker manipulated the header to trick the SPF record in resolving the original sender domain to the original sender IP, and not resolving to standardbank.co.za. When this happens, it exposes the original email relay (mail.ecoenergo.com.ua) but allows the email to pass through the filters. Below is an example of the ongoing phishing campaign: Figure1: An example of what the user will see when receiving the phishing mail. Social Engineering In the above screenshot of the sample mail, the copy asks the user to open the attached .pdf file to view the “…Pending payment from SARS.” When examining the attachment, it is evident that the file extension is “.pdf.html”. Once clicked, the user saves and opens a local HTML file (as opposed to the intended PDF). This HTML file initially loads a GoDaddy shortened URL in the user’s browser and then redirects to a URL that would look something like this: ‘https://zREDACTEDq/gti/onlinebanking.standardbank.co.za’. This final redirect changes as the phishing domains are reported and flagged as malicious by Google. Below are examples of live and burned domains hosting the phishing attack: Figure 2: Example of a live phishing domain. Figure 3: Example of a domain which has been burned. Taking a Closer Look After a domain is burned, a new deployment is spun up: Due to the rapid pace of deployment that the attacker requires in order to keep new phishing domains live and un-flagged, the process of deployment is done hastily and as a result the root directory of the web server is directory indexed – which reveals a .zip file used for these quick deployments. Within the source code, the inner workings of the web-server is revealed. This gave the security researchers at Snode access to the results of the phishing attack – saved on the web-hosted directory of each spun up domain.  The results that were uncovered included confidential information such as email addresses, passwords, client IPs, user agents, telephone numbers, and OTP attempts (the phishing server indefinitely loops, asking the user for the most recent OTP). At the time of this write-up, the phishing attack has been observed over a period of 3 days and in excess of 500 submissions have been made to the phishing website(s).