By Lucas Zaichkowsky, Enterprise Defense Architect at AccessData
The U.S. Department of Justice (DOJ) announced a multinational takedown operation against a high-profile ZeuS botnet known as GameOver ZeuS (GOZ), named after analysis of initial malware samples. The takedown operation was dubbed “Operation Tovar”, according to a post by independent journalist Brian Krebs. The DOJ further stated that the GameOver ZeuS botnet controls an estimated 500,000 to 1 million Windows computers worldwide, and that its operators leveraged these infected computers to conduct more than $100 million in wire fraud.
In addition to Operation Tovar, the DOJ added that it has disrupted the use of ransomware called CryptoLocker, known for encrypting documents on infected systems to make them unreadable. The attackers then confronted their victims and extorted money in exchange for file recovery. The DOJ estimates there were 234,000 infections and more than $27 million in payments in the first two months of operation.
The operators of GameOver ZeuS attracted close attention from authorities due to the extensive wire fraud activity. According to another Brian Krebs post, the GameOver ZeuS attackers conducted DDoS attacks to distract banks while committing wire fraud and stealing hundreds of thousands of dollars.
What is not well known is that these attacks were widespread for a long time and caused a big scare in the financial services industry. According to several inside sources I have spoken with, a significant number of banks were hit by these attacks. Thanks to the continual flow of information shared among peer groups, such as Information Sharing & Analysis Centers (ISACs), participating organizations knew what signs to look for to avoid losses from these types of attacks.
The major difficulty in unraveling the GameOver ZeuS botnet infrastructure is mapping it out. Its structured peer-to-peer (P2P) architecture allowed the attackers to control their botnet army by accessing any infected system. Making matters even tougher, the ZeuS botnet operators made it difficult to locate all infected systems using antivirus and next-generation antimalware products. They distributed generic droppers via email, either attaching a zip file containing an executable disguised as a document, or providing a link to web sites hosting popular exploit kits such as Blackhole. Exploit kits identify unpatched software for each visitor, then exploit those specific unpatched vulnerabilities.
However, the initial dropper would not be classified as ZeuS. It contains a list of hard-coded addresses for the ZeuS download. After the dropper downloads and executes ZeuS, a new variant is created on the fly for each infection and the original downloaded ZeuS executable is deleted. This makes it difficult for antivirus vendors to identify all compromised systems, since each infection is a unique variant requiring additional signatures.
According to a blog post by Dell SecureWorks, a successful takedown of GameOver ZeuS required collaboration to simultaneously hijack DNS domains, block infected systems at ISPs, and share information with other security organizations.
Botnets such as ZeuS are extremely common and simple to operate with no investment. ZeuS source code is already freely available on the Internet for anyone to modify and create their own variants that are undetectable by antivirus software. Once a variant is developed, attackers launch phishing campaigns that either attach the dropper or link to exploit kits, which sidestep the blocking of email attachments.
A little over a month ago, I received an email containing a dropper attributed to GameOver ZeuS. Manual analysis uncovered that the dropper planted and executed a second-stage dropper that would in turn download a package over the Internet. The package contained a special-purpose password-stealing version of ZeuS, used to harvest saved passwords from popular software such as web browsers, and it also loaded CryptoLocker (aka Crilock). More information can be found in Microsoft’s Malware Encyclopedia. The most important details, the password stealing and CryptoLocker, were not evident in the reports generated by automated malware analysis engines for the first submitted dropper.
See the comments section of this VirusTotal report for the dropper, where I provide manual analysis results (user: LucasErratus). Then compare it against the automated analysis results from Malwr and Sophos. You can see in this VirusTotal report that the package, with the password-stealing ZeuS, was detected by only 6 of 52 antivirus engines several days after it was submitted to the antivirus vendors.
Fast forward to today and I am afraid the detection results are not much better. Most antivirus vendors reject the submission I sent in because it is a bundle, not actual binaries that can be executed standalone. Even more noteworthy, the automated analysis results only acknowledged one of the two domains and missed the second-stage dropper that fetched the ZeuS package. Knowing both domains and all the other intermediary files is key to uncovering more infected systems and blocking future infections from that attack campaign.
To illustrate a more recent example, see the manual analysis I did on a fresh dropper unrelated to GameOver ZeuS that arrived in my home email on June 1. View the comments section of this VirusTotal report and compare it to this automated Malwr report. The automated report identified one domain the dropper downloads ZeuS from. Manual analysis uncovered all ten, along with a narrative sequence of events. Again, this example highlights the need to investigate all threats thoroughly.
Why is all of this important? Missing hosts with planted backdoors and compromised credentials is the primary reason hacking intrusions are not discovered until after the major damage is done. For example, in the recent eBay intrusion, attackers used compromised employee credentials to log in and make their way to a database, which they stole, affecting 145 million users. Undoubtedly, the hackers are cracking passwords from that dump and will use them to break into other organizations. It is also common for these attackers to sell access on the black market to those willing to pay a high premium. As seen in past database dumps, the success rate at cracking passwords is dismayingly high. By using wordlists with real-world passwords and high-rate GPU cracking, it is easy to crack all but the most complex passwords using cheap consumer hardware.
In closing, the significance of GameOver ZeuS and recent high-profile attacks reinforces the necessity of having the right tools and processes to: identify and understand threats, successfully remediate the incident, block future related threats, and identify the ones that still manage to slip through to the endpoints. Documenting findings as Indicators of Compromise (IOCs) and then applying them at the endpoint level, in network traffic, and by searching log files is how mature security teams accomplish these goals.
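As an added example (not code from the original article), the sweep below applies documented IOCs to proxy log lines the way a mature team would after an investigation. The domains, client addresses and log lines are constructed placeholders, not real GameOver ZeuS indicators; the two IOC sets contrast an automated report that captured one domain with a manual analysis that captured both.

```python
"""IOC sweep over proxy logs: applying documented indicators to traffic.

Added example, not from the original article. All domains, addresses and
log lines are constructed placeholders, not real GameOver ZeuS indicators.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Squid-style access log lines (constructed). Fields: unix timestamp,
# client IP, cache action/status, size, method, URL.
SAMPLE_LOG = """\
1401600001.123 10.0.1.15 TCP_MISS/200 51234 GET http://dropper-host-one.example/pkg/update.bin
1401600002.456 10.0.1.22 TCP_MISS/200 204 GET http://www.legit-news.example/index.html
1401600003.789 10.0.1.31 TCP_MISS/200 48712 GET http://cdn.second-stage.example/dl/ps.zip
1401600004.012 10.0.1.15 TCP_MISS/200 1024 GET http://www.legit-news.example/a.css
"""

# Indicators as an automated sandbox report documented them: only the first
# domain was observed, so the second-stage host is missing (constructed).
AUTOMATED_IOCS = {"dropper-host-one.example"}

# Indicators after manual analysis of the whole dropper chain (constructed).
MANUAL_IOCS = {"dropper-host-one.example", "second-stage.example"}

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)"
)
HOST_RE = re.compile(r"^[a-z]+://(?P<host>[^/:]+)", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    timestamp: str
    client: str
    host: str
    indicator: str


def host_matches(host: str, indicator: str) -> bool:
    """True when host equals the indicator or is a subdomain of it."""
    host = host.lower().rstrip(".")
    indicator = indicator.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)


def sweep(log_text: str, iocs: set[str]) -> list[Hit]:
    """Return one Hit per log line whose destination host matches an IOC."""
    hits: list[Hit] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        h = HOST_RE.match(m["url"])
        if not h:
            continue
        host = h["host"]
        for ioc in iocs:
            if host_matches(host, ioc):
                hits.append(Hit(m["ts"], m["client"], host, ioc))
                break
    return hits


def infected_clients(log_text: str, iocs: set[str]) -> set[str]:
    """Distinct internal clients that contacted any indicator."""
    return {hit.client for hit in sweep(log_text, iocs)}


if __name__ == "__main__":
    # The partial IOC set finds one host; the complete set finds both.
    for name, iocs in (("automated", AUTOMATED_IOCS), ("manual", MANUAL_IOCS)):
        print(name, sorted(infected_clients(SAMPLE_LOG, iocs)))
```

The same `host_matches` rule applies to DNS query logs or endpoint telemetry; only the line parser changes.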
For organizations and users concerned by these types of threats, here are steps they can take to protect their environments and minimize the risks:
- Block email attachments containing executable files or zip files with executables such as exe and scr.
- Use vulnerability mitigation software to make up for unpatched software and avoid getting hit by exploit kits. The Microsoft Enhanced Mitigation Experience Toolkit (EMET) has a proven track record of deflecting software vulnerability exploitation, including rare 0-day vulnerabilities being exploited before software patches are available. EMET can also be managed in corporate environments using group policies, making it a no-brainer business decision.
- Install antivirus software. Although not perfect, antivirus software can still catch a large percentage of malware and reduce noise. Detected incidents could even lead you to uncover damage or other malware that would have gone undiscovered otherwise.
- For organizations with IT security staff or dedicated IR teams, I recommend acquiring consolidated platforms such as AccessData’s ResolutionOne™ Platform, designed to automate most of the capabilities required to analyze and understand incidents, and uncover what narrowly focused point products are not telling them. Applying these capabilities in a piecemeal fashion creates a hodgepodge of tools that require many manual steps to build the final big picture. This indirectly increases the technical skill requirements needed to investigate incidents and contributes to the growing demand for advanced security experts. For more on this discussion, see the recent blog post by AccessData CEO, Tim Leehealey.
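To make the first step above concrete, here is an added example (not code from the original article) of an attachment policy check that blocks executables, zip files containing executables, and executables disguised as documents. The extension lists beyond exe and scr, the `check_attachment` function and the in-memory sample archives are all assumptions constructed for the demonstration.

```python
"""Attachment policy check for executables, including ones inside zip files
or disguised with document-style names. Added example, not from the original
article; the sample attachments are constructed in memory.
"""
from __future__ import annotations

import io
import zipfile

# The article names exe and scr; the rest are assumed policy additions.
BLOCKED_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "dll"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt"}
MZ_MAGIC = b"MZ"  # DOS/PE header that every Windows executable starts with


def _ext(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def _document_disguise(name: str) -> bool:
    """invoice.pdf.exe style: a document extension before a blocked one."""
    parts = name.lower().split(".")
    return (len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS
            and parts[-1] in BLOCKED_EXTENSIONS)


def check_member(name: str, head: bytes) -> list[str]:
    """Reasons to block one file, given its name and its first bytes."""
    reasons = []
    ext = _ext(name)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension .{ext}")
    if _document_disguise(name):
        reasons.append("document-style double extension")
    # A renamed executable keeps its PE header even when called .pdf
    if head.startswith(MZ_MAGIC) and ext not in BLOCKED_EXTENSIONS:
        reasons.append("PE header despite non-executable name")
    return reasons


def check_attachment(filename: str, data: bytes) -> list[str]:
    """Reasons to block an attachment; an empty list means it is allowed."""
    reasons = [f"{filename}: {r}" for r in check_member(filename, data[:2])]
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                with zf.open(info) as fh:
                    head = fh.read(2)  # only the magic bytes are needed
                for r in check_member(info.filename, head):
                    reasons.append(f"{filename}!{info.filename}: {r}")
    return reasons


def build_zip(members: dict[str, bytes]) -> bytes:
    """Constructed fixture: zip the given name -> bytes pairs in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for an executable: just the header, not a real program.
FAKE_PE = MZ_MAGIC + b"\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    samples = {
        "report.zip": build_zip({"report.txt": b"quarterly numbers"}),
        "invoice.zip": build_zip({"invoice.pdf.exe": FAKE_PE}),
        "statement.zip": build_zip({"statement.pdf": FAKE_PE}),
        "update.scr": FAKE_PE,
    }
    for name, data in samples.items():
        print(name, check_attachment(name, data) or "allowed")
```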
Bots Are People Too: Robotic Process Automation in Finance
By Tom Venables, Practice Director – Application & Cyber Security at Turnkey Consulting
As technology has advanced, Robotic Process Automation (RPA) has become a valuable tool for finance teams in streamlining everyday processes and operations. Until 2020, RPA worked in combination with skilled human staff to get these vital tasks done – and then came COVID-19.
The economic shock of the pandemic has led many organisations to pare back their workforces, and consequently they are increasingly turning to RPA in order to get the same jobs done for a smaller financial outlay. This acceleration in adoption can deliver huge benefits for these organisations, but comes with a number of tricky challenges to navigate, especially around security, risk and the management of system access.
Removing the margin for error
The premise of using RPA over human finance operatives is clear: robots don’t get tired or bored. Even the most skilled and experienced employee in the world will be fatigued by dealing with a seemingly endless stream of invoice amounts, PO numbers and other data and, over time, it’s easy for mistakes to creep in.
RPA bots don’t have this problem (and neither do they have to be regularly fuelled with coffee). They have the ability to read an invoice, attribute the information within it to the appropriate PO number, and set in motion all the payment and ledger activity related to that data. Not only do they do all that more reliably than humans, but they do so much faster and more cheaply. However, this ideal vision can only be achieved if RPA is built and implemented into a business correctly.
Different cure, same treatment
RPA bots do have incredible capabilities for automating and streamlining all these processes – but they first have to be told exactly what to do and how to do it. At a minimum, the controls that apply to human finance staff also need to be deployed to bots, with a view to these controls being even more robust, given the larger workloads bots can take on. It may also be necessary to amend controls so that they reflect the new ways of working; as the business processes change, so too do the key control points which must be captured.
This requires three key elements to be considered:
- Control execution points: taking an accounts payable (AP) process as an example, an AP clerk will approve processes manually, then pass onto the AP manager so that it has been checked by at least two people. RPA removes this function and reduces the level of human intervention to spot-checks; to avoid errors such as duplicate payments, it is essential to have automated controls working properly.
- Failure indicators: depending on how they are configured, bots can (occasionally) make mistakes, such as misjudging numbers of a similar format and putting a PO number in as an amount. Bots can resolve these issues themselves, but only if they know about the types of errors they should be looking for.
- Robust testing: both of the points above mean rigorous testing is critical; how meticulous that testing needs to be depends on the amount of work RPA is taking on. If, for example, RPA is handling half the cash outgoings at an organisation, then controls need to be sufficiently strong to match the risk posed to the business if things go wrong.
Safety still comes first
Along with controls, how RPA fits in with the organisation’s security provisions must also be considered. Bots can process a large number of invoices in a very short period of time. This speed is potentially enough to trigger warnings around security breaches, as Security Information and Event Management (SIEM) systems may perceive it as abnormal activity and flag it as a threat to the organisation; allowances need to be made to accommodate this major change in ‘usual’ activity.
It’s also worth remembering that bots are pieces of software and, like any piece of software, they are at risk of cyber attack. Because they are required to process lots of sensitive information at high speed without triggering alerts, they are often an attractive target for cyber-criminals. As well as considering bot security, such as who can access their configuration, it is crucial to keep the authorisation assigned to bots to an absolute minimum in order to limit their risk profile and eliminate the unnecessary credentials often given to them. Minimum authorisation states that the (bot or human) user should have only the level of access needed to perform the tasks required of them. The high volume of processing undertaken by bot accounts reinforces the need to apply this principle, despite the temptation to ensure they can work with multiple scenarios without interruption by widening authorisation (which increases the risk that they undertake activity they shouldn’t).
Overall, RPA bots can and should be immensely powerful assets to most organisations in the unpredictable months and years ahead – but only with the right implementation. With risk, security and controls kept front of mind, the efficiency of finance operations can be improved, resulting in meaningful savings, and a reduction in the pressure put on the human finance staff.
How to drive effective AI adoption in investment management firms
By Chandini Jain, CEO of Auquan
Artificial intelligence (AI) has the potential to augment the work of investment management firms to unprecedented levels, powering decision-making, driving efficiencies, and ultimately improving performance. In fact, the market for AI in asset management is expected to grow to an astounding US$13.43 billion by 2027, expanding at a CAGR of 37.1% between 2020 and 2027. Innovative firms are applying AI across the industry value chain and transforming the ways in which they use the ever-expanding amounts of data that are available to them.
However, that’s not to say that there aren’t challenges and obstacles involved in leveraging the technology. AI adoption is not a ‘magic bullet’ that can solve inefficiencies without the right set-up, nor should it be treated as a simple ‘add-on’ that portfolio managers (PMs) can tap into when they see fit. AI implementation in an investment management firm requires a number of prerequisites in order to have maximum impact. But first, let’s take a look at exactly how AI can boost the performance of investment management firms.
How AI adds value
Implementing data analytics into the investment management value chain holds a number of benefits. For example, when it comes to front office operations, AI can supplement investment decisions by drawing insights from alternative sources of data such as satellite imagery or social media, while also automating the analysis of large datasets. Data science teams working within investment management can build simulations to allow PMs to predict the performance of new investment ideas. They can also use AI for trading – to optimize trade execution and automate trading decisions.
One example of using AI to power alpha generation comes from Man Group, which saw a five times increase in assets between 2014 and 2018, and whose funds that incorporate AI total more than US$12 billion. Front office operations are arguably the business area where AI holds the most potential.
When it comes to distribution and marketing, AI can improve prospect and sales targeting using segmentation, predict and reduce attrition, support personalization, and help develop pricing algorithms. Data analytics can also be implemented into the areas of operations, tech, and support to automate processes, improve talent targeting, predict team member performance, and strengthen compliance, amongst other uses.
Going beyond simply reducing costs and driving efficiencies, AI is providing new opportunities for investment management firms to transform how they use data to operate and inform decisions. But despite all of this, adoption levels are still relatively low: A 2019 survey by the CFA Institute found that only 10% of PMs responding had used machine learning (ML) techniques during the year prior. Furthermore, a 2019 report by BCG found that less than 30% of asset management firms are actively leveraging data analytics. Evidently, launching an AI project is not an overnight process – nor is it one that guarantees success without the right prerequisites in place.
Here’s how investment management firms can set themselves up for success and ensure readiness for AI implementation.
Embed a data culture
Before steaming ahead with any AI project, investment management firms need to ensure that the entire organization appreciates the value of data-driven decision making. A firm may have already hired a data science team or gained access to alternative data sets, but if it doesn’t have a culture of systematic decision making that permeates across the organization, the success of any AI project will be limited.
How can firms ensure that this is the case?
Ultimately, building a data-driven culture must start at the top: the CEO, CIO, and all other executives must lead by example and evidence their own commitment to data-based decisions. If leaders want their teams to leverage data at all points of decision-making, they must make the data accessible to non-technical employees and provide training on how to use any relevant tools. Teams must feel comfortable with the why of data analytics solutions, so management must make them explainable while ensuring teams are aware of the capabilities and limitations of AI. And finally, the data science team must avoid working in a silo, away from the other business functions of the firm.
Reconfigure the team structure
The core investment process must be re-thought, from the ground up. Data science teams must be driven by a business need which is provided by the PM, and then the two must work together to co-develop the right solution.
In addition to having a centralized data science team, the firm should have decentralized data scientists that sit within the business unit. The central team should focus primarily on data acquisition, cleaning, and ensuring reliability. The rest of the work should be done by data scientists on the PM’s team – this will ensure the work is in line with the business needs and will actually be used by the PM. With clean, reliable data coming from the data acquisition team, the data scientists can rapidly prototype ideas for the PM.
Invest in the right software
Too many investment management firms attempt to build all of their AI software in-house. While the software that’s required for core operations and stems from core finance expertise should be developed internally, this does not apply to all other solutions being used.
For example, data analysis and automation tools that leverage ML domains such as language processing, big data processing, or image processing should not be built in-house. Constructing these systems internally is expensive, time-consuming, and means hiring for skills that would otherwise not be required within the firm. Not to mention, such systems would need a large and active development force to continuously maintain them.
That’s why it’s advisable for firms to find a third-party vendor who can take care of building the feature set that’s required, update the software with its latest version, and scale according to needs. This vendor will also take measures to ensure that the firm’s standards are consistent with its peers, and importantly, keep the system stable and secure. By integrating with a third party vendor, data science teams can focus on the core business objectives and maximize the use of overall resources.
AI offers countless opportunities for investment management firms to augment and power decision-making, and it is already setting apart the top-performing firms from those that lag behind in adoption. With so much potential to enhance portfolio performance, AI adoption should be viewed as non-negotiable for forward-looking and innovative firms. It is paramount, however, that these firms embed a data-driven approach across all teams – not just PMs – and provide the structures and tools necessary for results to flourish.
Democratising today’s business software with integrated cloud suites
By Gibu Mathew, VP & GM, APAC, Zoho Corporation
Advances in the cloud have changed the way we interact with the world. From how we pay our bills to how we communicate, to how we navigate the city streets, the cloud’s arrival has proven disruptive to the old ways of doing things.
This is perhaps nowhere more true than in the realm of business software, an industry that has seen seismic shifts in the last two decades, and is now witnessing rapid adoption due to the global crisis of the last six months. Expensive, exceedingly complicated software that was once the purview of the few is now available to the masses, courtesy of the cloud and attendant improvements in technology. These strides have resulted in the democratisation of business software, the changing of a once-scarce resource into something everyone can access and use.
The shift to a more democratic, user-friendly, and affordable breed of business software has come about for a lot of reasons. Here are a few of the biggest ones:
THE CONSUMERISATION OF IT
As software has become more and more important to our day-to-day lives, it has also become friendlier for the end user. Actions that used to require reams of code and loads of technical know-how can now be completed with just a drag and a drop. Business software has followed suit, and increasingly looks, feels, and acts like consumer software. And with intuitive interfaces and familiar features, no specialised skills or training are required to get things up and keep them running.
MAINTAINING PRODUCTIVITY ON-THE-GO
The smartphone has put powerful computing technology in the palm of your hand and lets your business go everywhere you do. Sophisticated yet easy-to-use software is available ubiquitously, meaning that employees are no longer chained to desktop systems. In fact, capturing and maintaining information while you are on the go becomes a more seamless process. Software vendors that are more customer-centric are providing mobile versions as another means of access on top of their browser-based services. Through real-time functionality, employees remain connected, and ground observations made during field work are readily updated through the cloud.
THE TECHNOLOGY BUFFET
Part and parcel of the democratisation of software is the rise in consumer choice. Every day, new solutions are added to app galleries and marketplaces around the web, giving people multiple ways to tackle any business process. These app stores also give businesses the opportunity to see what other companies are doing to tackle similar problems.
There used to be a handful of software vendors that a business could choose from; now there are hundreds. Because there are so many options, customers can choose how they want to manage their processes without having to learn new skills.
THE GREAT EQUALISER
Business software used to require a massive capital expenditure. As a consequence, only large companies with deep pockets could afford the features and capabilities software systems provided. However, the rise of the cloud and mobile technology have put an end to the need for installed, on-premise systems, and the costs (and time) associated with them. You no longer need a room full of servers or high capEx to run your business; a smartphone will do just fine. The result? Small businesses finally have access to the tools the “big boys” have had for years, and can now provide the same world-class experience to their customers.
SOFTWARE THAT YOU CAN PROVISION
As software has gotten easier to use, more people are using software. Decisions about what systems a business would run were once left to people with diplomas in computer engineering. But no more. Today’s business software is more user-friendly than ever, meaning that even non-specialists can be as empowered as the pros to make decisions about the systems they’ll employ.
What’s more, advances in data virtualisation enable people to access the information they need without requiring special tools or knowledge. Data can now be retrieved and analysed by non-technical individuals without having to know its structure, location, or format; this means a lot more people can have access to the details they need, without needing a bunch of training to get there. You can finally get rid of the IT gatekeepers and take charge of your business.
We believe that software is making the world better, but you still need the right suite. You need software that is easy enough for a tech novice to use, powerful enough for the expert, and priced reasonably enough so as not to impact anyone’s bottom line. Find a business solutions suite that’s “all-in” on cloud computing and includes a large selection of apps that are designed to handle every business process and run on every device. On top of that, it has to be affordable and, in the current times, prioritise data privacy and security. Most importantly, be confident that the provider you choose has business goals aligned to yours and is happy and willing to help you every step of the way.