New “Fileless Malware” Targets Banks and Organizations Spotted in the Wild

By: Swati Khandelwal


More than a hundred banks and financial institutions across the world have been infected with dangerous, sophisticated, memory-based malware that’s almost undetectable, researchers warned.

A newly published report by the Russian security firm Kaspersky Lab indicates that hackers are targeting banks, telecommunication companies, and government organizations in 40 countries, including the US, South America, Europe and Africa, with fileless malware that resides solely in the memory of the compromised computers.

Fileless malware, first discovered by the same security firm in 2014, has never been mainstream until now. Fileless malware is a piece of nasty software that does not copy any files or folders to the hard drive in order to get executed. Instead, payloads are directly injected into the memory of running processes, and the malware executes in the system’s RAM.

Because the malware runs only in memory, memory acquisition becomes useless once the system is rebooted, making it difficult for digital forensic experts to find traces of the malware.

The attack was initially discovered by a bank’s security team after they found a copy of Meterpreter — an in-memory component of Metasploit — inside the physical memory of a Microsoft domain controller.


After conducting a forensic analysis, Kaspersky researchers found that the attackers leveraged Windows PowerShell to load the Meterpreter code directly into memory rather than writing it to the disk. The cyber crooks also used Microsoft’s NETSH networking tool to set up a proxy tunnel for communicating with the command and control (C&C) server and remotely controlling the infected host.

They also stashed the PowerShell commands in the Windows registry in an effort to minimize the traces of the attacks left in logs or on the hard drive after a reboot of the device, making detection and forensic analysis difficult.

The attackers’ ultimate goal was apparently to compromise computers that control ATMs so that they could steal money.

Kaspersky Lab researchers plan to reveal more details in April about the attack, which is occurring on an industrial scale worldwide. The attack has already hit more than 140 enterprise networks in business sectors, with most victims located in the US, France, Ecuador, Kenya, the UK, and Russia. And since the threat is so hard to spot, the actual number is likely much higher.
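A triage sketch for the two artifacts described above, PowerShell command lines stored in registry values and netsh proxy forwarding, added here as an example and not taken from the Kaspersky report or this article. It assumes an offline export of registry string values and the text output of `netsh interface portproxy show all` (assuming the tunnel used netsh's portproxy feature); the registry paths, sample values, and matching heuristics are constructed for illustration.

```python
import base64
import re

# Assumed heuristics for this example; tune them to your own baseline.
PS_INVOKE = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)
ENC_FLAG = re.compile(r"\s-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
PROXY_ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")

def decode_encoded_command(blob):
    """-EncodedCommand carries base64 of UTF-16LE text; return it, or None."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None

def triage_registry(values):
    """Flag (key, name, data) string values whose data launches PowerShell."""
    findings = []
    for key, name, data in values:
        if not PS_INVOKE.search(data):
            continue
        enc = ENC_FLAG.search(data)
        findings.append({"key": key, "name": name, "encoded": enc is not None,
                         "decoded": decode_encoded_command(enc.group(1)) if enc else None})
    return findings

def parse_portproxy(text):
    """Parse `netsh interface portproxy show all` output into forward rules."""
    rules = []
    for line in text.splitlines():
        m = PROXY_ROW.match(line)  # header and separator rows do not match
        if m:
            rules.append((m[1], int(m[2]), m[3], int(m[4])))
    return rules

# Constructed sample data (hypothetical keys and addresses, not from the report).
_blob = base64.b64encode("Write-Output 'constructed'".encode("utf-16-le")).decode()
SAMPLE_VALUES = [
    (r"HKLM\SOFTWARE\Example\Updater", "Path", r"C:\Program Files\Example\update.exe"),
    (r"HKLM\SOFTWARE\Example\Cache", "Data",
     f"powershell.exe -NoProfile -WindowStyle Hidden -enc {_blob}"),
]
SAMPLE_NETSH = """Listen on ipv4:             Connect to ipv4:

Address         Port        Address         Port
--------------- ----------  --------------- ----------
0.0.0.0         8443        203.0.113.10    8080
"""
```

Any forwarding rule returned by `parse_portproxy` on a host with no documented need for one, such as a domain controller, is worth reviewing alongside the flagged registry values.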

Craig Stilwell Named VP of Worldwide Partner Strategy & Sales

As we look forward to new opportunities in 2017 and delivering a Citrix Summit that empowers our partners to achieve great success, I am excited to share that Citrix has appointed Craig Stilwell as Vice President of Worldwide Partner Strategy & Sales.


Many in the partner community already know Craig, who has been with Citrix for more than 17 years and understands our sales and channel strategy very well. We are thrilled to have him move into this very important position to lead our partner strategy and work with you all. Craig assumes the position previously held by Kimberly Martin, who is no longer with Citrix.

As the new worldwide channel leader, Craig will draw from his extensive sales and channel leadership experience to invigorate our commitment to our partners and their long-term success and profitability. Specifically, in the near-term Craig will focus on three priorities:

  • Drawing on his experience to lead a partner team aimed at maintaining our leadership in the enterprise market and increasing our presence in the mid-market.
  • Transitioning to the cloud and the major role the channel has to play in the move from on premise to the cloud.
  • Reducing the complexity of our channel programs and making it easier for partners to do business with Citrix.

Craig has more than 23 years of technology experience and, having spent the majority of his career at Citrix, knows our business extremely well. Most recently he served as Area Vice President of our U.S. Commercial business responsible for all sales and products in the U.S. Commercial segment. Previously, Craig served in several roles of increasing responsibility at Citrix, most notably as Vice President of Americas Channel Sales & Field Operations where he was not only responsible for Americas partners, but also marketing, renewal and inside sales, sales operations and field readiness.

Before joining Citrix, he was on the management team of an IT consulting firm based in South Florida, and served as a senior manager in the consumer products industry practice at Accenture.

Craig’s experience heading up our U.S. Commercial business and the Americas channel sales and field ops organization will be invaluable. We look forward to sharing more about our vision for 2017 with our partners next month at Citrix Summit in Anaheim! In the meantime, Craig will be reaching out to partners to say hello and always welcomes partners to contact him via LinkedIn.

By: Carlos Sartorius (Citrix Profile)


Secret Service IT management slammed after breach

Secret Service IT management slammed following Chaffetz breach

By Joe Davidson

A Secret Service agent orders people into buildings near the entrance to the West Wing of the White House in Washington on Friday, May 20, 2016, after the White House was placed on security alert after shooting on street outside. (AP Photo/Andrew Harnik)


Now that the votes are in and the presidential campaign is done, the Secret Service can close an incredibly busy election season.

Perhaps it can turn some of that energy to protecting its computer systems, which suffer from neglect, ignorance and bad management, according to a watchdog’s report.

The report by the Office of Inspector General (OIG) at the Department of Homeland Security is related to the agency’s breach and leak of personal information belonging to Rep. Jason Chaffetz (R-Utah) last year. That was another in a string of embarrassments for a law enforcement agency that has had such a proud tradition.

A 2015 OIG investigation found that 45 employees got into Chaffetz’s 2003 Secret Service job application. Only four had a legitimate need, leaving the rest in violation of the Privacy Act and agency policies. The file snooping began minutes after Chaffetz, chairman of the House Oversight and Government Reform Committee, opened a hearing into allegations of agents’ misconduct.

Chaffetz said the current report, issued last month, shows that “despite past warnings, USSS [U.S. Secret Service] is still unable to assure us their IT systems are safe.” In a letter to Inspector General John Roth, Chaffetz also said the discipline for some agents in his case “is not adequate to deter similar behavior in the future” and asked Roth to continue his investigation.

The October report goes well beyond the Chaffetz case and dissects the agency’s information technology operation in scathing particulars.

Summing up the report, the inspector general’s office offered this mouthful: The “audit uncovers a myriad of problems with Secret Service’s IT management including inadequate system security plans, systems with expired authorities to operate, inadequate access and audit controls, noncompliance with logical access requirements, inadequate privacy protections, and over-retention of records. The OIG concluded that Secret Service’s IT management was ineffective because Secret Service has historically not given it priority. The Secret Service CIO’s [Chief Information Officer] Office lacked authority, inadequate attention was given to updating IT policies, and Secret Service personnel were not given adequate training regarding IT security and privacy.”

The Secret Service agreed with the report’s 11 recommendations, even though officials believe it does not reflect the agency’s recent IT progress. In a memorandum responding to the report, Secret Service Director Joseph P. Clancy noted last year’s hiring of retired Marine Brig. Gen. Kevin Nally as CIO and “the sweeping and unprecedented improvements” under his leadership.

“While more work remains to be done,” Clancy said that “the Secret Service has made considerable improvements in a remarkably short period of time. . . . We take the motto of being ‘worthy of trust and confidence’ very seriously in all areas in which we operate.”

Here are some points from the report:

  • Inadequate and ineffective system security: Security plans were “inaccurate, incomplete, or in one case, non-existent.” Many plans “were missing key items.” Some plans “incorrectly listed system security personnel in positions they no longer held, making it unclear as to who to contact in case of an incident.”
  • Outdated access controls: Secret Service access control policies were last updated 16 years ago, more than a lifetime in the digital era. “As such, it was not clear who should have access to the sensitive information retained on the USSS systems.” Once users gained access to the Master Central Index mainframe system, they could get into all system data, whether they needed it or not. Inactive accounts were not promptly disabled.
  • Poor audit controls: This hindered the ability to detect unusual activity or respond to security risks and attacks.
  • Lack of privacy protections: “Privacy documentation was incomplete, not up to date, or missing.” The inspector general requested system security plans for five systems. “Only four were provided,” and each was incomplete. Information System Security Officers “indicated they were unaware of the requirements for documenting privacy controls.”
  • Missing leadership: The Secret Service did not have a designated, full-time privacy officer reporting directly to the agency director as the Department of Homeland Security required, increasing “the likelihood that privacy requirements would continue to not be fully addressed.”
  • Over-retention of records: This violates the Privacy Act and relates directly to Chaffetz’s file, which was viewed when it was 12 years old. “[I]t was not reasonable to maintain this information for more than 10 years after Congressman Chaffetz submitted his application, and therefore, the continued retention of his records violated the Privacy Act.”
  • Low priority: The OIG found some “key guidance” related to IT management dated to 1992, “reflecting that IT was not a priority.” Key IT openings were left vacant for months. At one point, the agency’s CIO office’s vacancy rate was 29 percent. Hundreds of employees lacked adequate IT training, leaving them not fully aware of their “responsibilities in properly safeguarding mission critical data.”

Roth recognized agency IT improvements in a statement with the report, but added that until they and the recommendations are fully implemented “the potential for another incident like that involving Chairman Chaffetz’ personal information remains.”