monthly cyber threat briefing will begin shortly audio is being … · 2015-10-12 · hitrust...
TRANSCRIPT
HITRUST Health Information Trust Alliance
HITRUST Cyber Threat Intelligence and
Incident Coordination Center (C3) and
U.S. Department of Health and Human Services
Monthly Cyber Threat Briefing
Will Begin Shortly
Audio is being broadcast through your computer speakers
– please adjust your volume
Participants will be able to ask questions through the chat
function in the webex console
Monthly Cyber Threat Briefing
June 2014 (In Review)
Agenda
• Introduction
• Monthly Production
• Threat Updates
• Calendar
• Discussion
© 2014 HITRUST, Frisco, TX. All Rights Reserved. Written permission required for further distribution.
For more information visit www.hitrustalliance.net/c3
Monthly Production
Bold titles (marked here with an asterisk) are highlighted in this briefing
• Alleged Anonymous Brasil Member Threatens FIFA World Cup Sponsors in Reuters Interview
• Alleged APT Campaign Targeting U.S. Airports
• ANALYTIC UPDATE: GameOver ZeuS and CryptoLocker Malware Command-and-Control Infrastructure Disrupted by Law Enforcement
• Android Based Malicious Apps Continue To Target South Korean Banking Customers
• Android Crimeware Targets Micropayment Infrastructure in Taiwan
• Android-Based Ransomware Discovered That Encrypts Files
• Anonymous Video Criticizes Turkish Government, Claims Recent Attack Against Prime Minister
• Anonymous-Affiliated Actor Announces Upcoming Hacktivist Campaign Targeting the Petroleum Sector
• Anonymous-Affiliated Actor Conducts Defacements in Support of OpPetrol, Target List Circulated
• Anonymous-Affiliated Hacktivist Targets Indonesian Government and Arms-Manufacturer Websites
• Anti-Ukrainian Government Hacktivist Group Claims Leak of Government Correspondence
• Anti-Ukrainian Government Hacktivist Group Leaks Email Conversation
• Antivirus Company Forum Breached
• Application May Facilitate Black Market For Leaked Data
• Arab Hacktivists Promote Campaign Against and Attack Iraqi Government Targets Amid Ongoing Violence
• * Asprox Botnet Activity Spikes, Using New Anti-Detection Techniques
• Australia Arrests Hacker Accused of Breaching "League of Legends" Online-Game Database
• Banking Malware Capable of Stealing HTTPS-Secured Network Traffic
• Banking Malware Leverages ClickOnce Deployment in South Korea
• Banking Trojans Spreading Through Software Updates in Japan
• Campaign Against Japanese Government and Commercial Entities Identified
• Censorship-Evasion Software Use in Iraq Increases in Response to Government Filtering Efforts
• China Continues Efforts To Tighten Internet Controls Around Tiananmen Anniversary
• China State Media Editorial Outlines Principles of Internet Sovereignty
• Chinese Banks and E-Commerce Companies Take Further Steps to Transition Away from U.S. IT Equipment
• Chinese Government Announces Greater Oversight of Apple iMessage
• Chinese Government Office May Ban Microsoft Office in Latest IT Domestication Effort
• Chinese Samsung Galaxy Clone Distributed With Pre-Installed Malware
• Colombian Authorities Arrest Members of Cybercriminal Ring Involved in Nationwide Banking Fraud
• CryptoWall Ransomware Delivered by RIG Exploit Kit
• Cybercriminals Conduct DNS Hijacking To Steal Banking Credentials in South Korea
• Cybercriminals Employ New Device To Install Malware Into ATMs in Macau
• Cybercriminals Hack Transportation Smartcard in South Korea
• * Cybercriminals Illegitimately Deploy PCI-Compliance Tool Against POS Systems
• DDoS Attacks on Hong Kong Websites Coincide With Democracy-Activist Referendum
• DDoS-For-Ransom Attacks Target Web Application Companies Evernote and Feedly
• Defense Against Code Injection in Automobiles Demonstrated at Security Conference
• Dubai Residents' Credit Cards Hacked and Used To Make Unauthorized Payments to Abu Dhabi Police
• European Bank Customers Targeted by Luuuk Trojan
• GameOver ZeuS and CryptoLocker Malware Command-and-Control Infrastructure Disrupted by Law Enforcement
• Hacker Claims Exploiting PayPal's Chargeback Process Allows Users To Generate Funds
Monthly Production (continued)
• Hacker Group DerpTrolling Announces New Operation, DDoS Attacks Possible
• Hacktivist Releases Documents Allegedly Detailing Russian Government Internet Propaganda Campaign
• Hacktivists Claim Attacks Against Sri Lankan Government and Financial Targets
• Hacktivists Conduct Attacks In Support of OpPetrol With Minimal Impact
• Hacktivists Promote Upcoming OpIsrael Reloaded Attacks
• Hacktivists Ramp Up to OpPetrol Amid Increased Media Reporting
• Hacktivists Target Countries Supporting ISIS, Journalist Claims SEA Link
• * Hospital Networks Leaking Data Over SMB Protocol
• Hybrid Malware Combines POS Malware Capabilities With Those of Banking Credential-Stealing Trojans
• Iranian Cyber-Espionage Campaign Used Identity of U.S. Diplomatic Official in Fake Persona
• Iranian Ministry of Petroleum Closely Monitoring Cyberthreats
• KiberBerkut Inactive Since Early June, Possibly in Response to Ukrainian President's Peace Plan
• KiberBerkut Resumes Operations, Attacks Radio Station Website
• Known Ichitaro Vulnerability Leveraged To Target Japanese Government and Commercial Entities
• Legacy Japanese Blog Platform Vulnerability Puts Sites at Risk For Drive-By-Download Attacks
• Likely Payment Card Breach at P.F. Chang's Restaurant Chain Linked to Previous Breaches
• * Malvertising Banners on Popular Websites Distributing RIG Exploit Kit
• Malware "Wrapper" Discovered on Legitimate Israeli Banking App
• Malware Campaign Leverages Thai Coup-Related Trojanized Attachments
• * Medical Device Firm Recently Admits to Two Data Breaches in 2013
• Mobile Malware Attack Possible Against Air-Gapped Networks
• Mobile Malware Widespread in Vietnam
• Mobile Ransomware Trojan Svpeng Targeting Android-Based Devices in the United States
• * New Attack Vector For Exploiting Heartbleed Discovered
• New Hacktivist Group Claims Attacks on Ukrainian Bank
• New Malware Tied to Old Suspected Chinese APT
• New ZBOT Malware Functionality Inhibits Network Detection
• Newly Identified Chinese APT Group Targeting Aerospace Companies Linked to Other PLA Hacker Groups
• Nokia Paid Extortionist To Prevent Disclosure of Stolen Encryption Key
• Offshore Drilling Company Suffers Data Breach
• Oil and Natural Gas Industry Establishes Information-Sharing Center
• Pandemiya Trojan Marketed as Alternative to ZeuS on Underground Forums
• Paroled Online-Payment Firm Owner To Develop Russia's National Payment System
• Patching of Specific NTP-Server Vulnerability Reported to Decrease Risk of NTP-Reflection DDoS Attacks
• Pennsylvania-Based Payroll-Provider Breach Affecting More Victims
• Popular Brazilian Sports Website Serving Malware, Hacktivists Announce OpHackingCup
• Popular Chinese Mobile Phone NFC Capability Used To Steal Bank Card Data
• Popular Japanese Mobile Messaging Application Accounts Breached
• * Ransomware Variant Encrypts Files Using Windows PowerShell
• Release of a New CryptoLocker Variant Imminent
• Rex Mundi Attempts To Extort Domino's Pizza in France and Belgium
• Rogue Insiders Help Steal USD 815,000 From South African Corporation's Bank Accounts
• Russian Government to Phase Out U.S.-Made Microprocessors
• Singaporean Government e-Services Platform Accounts Breached
• * Small Businesses Targeted by Cloud-Based POS Malware Via Browser Attacks
• * Smart TV Vulnerable to Radio Frequency Injection
• Sophisticated Android Malware Targeting South Korean Banking Customers
• Sophisticated Malware Attack on Hedge Fund Manipulates Trades in Apparent Front-Running Scheme
Monthly Production (continued)
• South Korea's National Police Releases Fraud-Prevention Application
• South Korea-Based Cybercriminals Target Japanese Bank Customers
• South Korean Consulate General in Shenyang Potentially Compromised
• South Korean Cybercriminals Target Online Gambling
• Spear-Phishing Campaign Leverages North Korean Satellite Launching Ground
• Spyware Tool Employed by Governments Targets Mobile Phones
• Sunni Militant Group in Iraq Employs Robust Social Media Strategy
• Synology Network Attached Storage Boxes Leveraged For Dogecoin Mining
• Syrian Electronic Army Claims Attack Against Reuters
• Syrian Electronic Army Claims Attacks Against Two British Newspapers
• Tunisian Hacktivist Group Claims Attacks Against Brazilian Targets As Part of World Cup Campaigns
• Turkish Hacktivists Compromise Defense Contractor Chairman's Email Account In Protest Over Turkish Policy In Iraq
• Two Russian Citizens Arrested For Operating Apple Device Lockout Schemes
• * U.S. Department of Homeland Security Report Reveals Security Issues in RFID-Enabled ID Card Production System
• U.S. Forces Korea's HR Database Compromised, PII Potentially Leaked
• Unknown Cybercriminal Forces Code-Hosting Company Out of Business
• UPDATE: DDoS Attacks on Hong Kong Websites Coincide With Democracy-Activist Referendum
• UPDATE: Rex Mundi Attempts To Extort Domino's Pizza in France and Belgium
• Vietnamese Ministry Employees Suffer Targeted Attack, Likely Conducted by Chinese Nation-State Actors
• * Vulnerability Discovered in Internet-Connected Thermostat
• XSS Vulnerability Forces Temporary Shutdown of TweetDeck
• * ZeuS Variant Targets Cloud Infrastructure To Conduct DDoS Attacks
Threat Updates
• Cybercriminals Illegitimately Deploy PCI-Compliance Tool Against POS Systems
• Ransomware Variant Encrypts Files Using Windows PowerShell
• New Attack Vector For Exploiting Heartbleed Discovered
• Smart TV Vulnerable to Radio Frequency Injection
• ZeuS Variant Targets Cloud Infrastructure to Conduct DDoS Attacks
• Small Businesses Targeted by Cloud-Based POS Malware Via Browser Attacks
• Asprox Botnet Activity Spikes, Using New Anti-Detection Techniques
• U.S. Department of Homeland Security Report Reveals Security Issues in RFID-Enabled ID Card Production System
• Medical Device Firm Recently Admits to Two Data Breaches in 2013
• Vulnerability Discovered in Internet-Connected Thermostat
• Hospital Networks Leaking Data Over SMB Protocol
• Malvertising Banners on Popular Websites Distributing RIG Exploit Kit
• World Cup Cyber Activity Mostly Low-Capability Defacements and DDoS Attacks
• Hong Kong DDoS Attacks Highlight Broader Use of the Attack Vector by Possible Nation-State Groups
Cybercriminals Illegitimately Deploy PCI-Compliance Tool Against POS Systems
• Newly discovered point-of-sale (POS) malware kit contains a commercially available credit card number-scanning tool, "Card Recon," which increases the efficiency of stealing credit card details from compromised servers
  – Pirated version of Card Recon quickly identifies card numbers in stolen data
  – PCI-compliance software used to scan files, email accounts, images, and databases for card information
• Toolkit allows attackers to compromise servers via a VNC brute-force password-cracking tool
  – After scanning the system and obfuscating malicious activity, the toolkit allows attackers to run the pirated Card Recon software
• Card Recon is also used to validate that the stolen data contains credit card numbers
  – Uses identification number-validating algorithm
  – Also contains RAM scraper and a keylogger to confirm the stolen data is a CC number
  – By using commercially available tools to scan and validate card numbers, criminals can market the data as representing potentially valid accounts
• Takeaway – The integration of Card Recon software within the malware toolkit decreases the barrier to entry for unskilled cybercriminals to more quickly and efficiently find and validate lucrative credit card numbers from compromised systems
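The "identification number-validating algorithm" on this slide is the Luhn checksum, the same check a PCI scanning tool applies when it looks for card data at rest. The following is an added example, not Card Recon and not code from the briefing: a discovery scan a defender can run over their own files or logs to learn where card numbers sit in the clear before anyone else finds them. Issuer-prefix and Luhn filtering cut false positives, and findings are masked so the scan does not produce another copy of the data. The regular expression, the issuer table and the sample text are constructed for this example.

```python
import re

# Candidate runs of 13-19 digits, optionally separated by single spaces or dashes
# (constructed for this example; the lookarounds reject longer digit runs).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def issuer(digits):
    """Map a digit string to a card brand by IIN prefix and length, or None.
    Constructed table covering the major brands; it exists to drop order ids
    and other identifiers that happen to pass the checksum."""
    two, four = int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and len(digits) in (13, 16, 19):
        return "Visa"
    if len(digits) == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "Mastercard"
    if len(digits) == 15 and two in (34, 37):
        return "American Express"
    if len(digits) == 16 and (four == 6011 or two == 65):
        return "Discover"
    return None


def luhn_valid(digits):
    """Luhn checksum: double every second digit from the right, subtract 9
    from any doubled value above 9, and require the sum to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the first six and last four digits so findings can be
    reported without writing the full number anywhere."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_card_numbers(text):
    """Return masked findings for every candidate that has a known issuer
    prefix and a valid Luhn checksum."""
    findings = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        brand = issuer(digits)
        if brand and luhn_valid(digits):
            findings.append({"brand": brand, "masked": mask(digits), "offset": m.start()})
    return findings


# Constructed sample: one Visa test number, one Amex test number written with
# spaces, a 16-digit order id with no issuer prefix, a phone number, and a
# number that fails the checksum.
SAMPLE = (
    "2014-06-12 10:31:07 order=9876543210987654 card=4111111111111111 status=ok\n"
    "note: customer phone 555-123-4567, alt card 3782 822463 10005\n"
    "bad record card=4111111111111112 (fails checksum)\n"
)

if __name__ == "__main__":
    for f in find_card_numbers(SAMPLE):
        print(f"{f['brand']:16} {f['masked']} at offset {f['offset']}")
```

Run it against exported log bundles or file shares; any hit is a storage location that needs to be brought under PCI scope or purged, and the masked form is what goes into the ticket.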
Ransomware Variant Encrypts Files Using Windows PowerShell
• TROJ_POSHCODER.A—uses AES (Advanced Encryption Standard) and 4096-bit RSA public-key cryptography to exchange the AES key and encrypt the victim's files
• Victims are locked out of their machines and are instructed to visit a website via a Tor browser, create a bitcoin wallet and transfer 1 bitcoin to the attacker's wallet before they are provided with the decryption key
• Windows PowerShell—which is included by default in Windows 7 and Windows 8—is a task-based command-line shell and scripting language designed for system administrators to manage multiple computers in a network
  – Since PowerShell is a network administration tool included in Windows Server 2008 and 2012, it is possible that malicious actors are also targeting servers
• PowerShell-based malware has been used by threat actors in the past to bypass antivirus and malware-detection programs, and is now used to develop ransomware
  – Cyber4Sight analysts assess that cybercriminals could be developing PowerShell-based ransomware to evade network defenses and infect machines on corporate networks
  – PowerShell script can be modified to automate infection across all machines on the network, dramatically expanding the infection rate
New Attack Vector for Exploiting Heartbleed Discovered
• New attack vector for exploiting Heartbleed in OpenSSL—dubbed "Cupid"—exploits the vulnerability over the Extensible Authentication Protocol (EAP)
  – Potentially affects Android mobile phone users and organizations using enterprise wireless solutions or 802.1X network access control (NAC) wired networks
  – Cupid can be executed before the attacking and victim machines exchange keys and certificates; therefore the attacker only needs a valid username to exploit the vulnerability
  – Attack relies on modifying the behavior of one of three different legitimate applications for initiating wireless connections—wpa_supplicant, hostapd, and freeradius
  – Puts all organizations that use enterprise wireless solutions or 802.1X NAC at risk of targeting by cyberthreat actors seeking to illegitimately obtain credentials
• Researchers have also discovered a flaw in the open-source GnuTLS cryptographic library which is similar to the Heartbleed vulnerability
  – GnuTLS is popular in Linux distributions
• Cyber4Sight assesses that the Cupid attack and the newly discovered GnuTLS flaw highlight the inherent risk to corporations and consumers that rely on open-source software which is often not properly tested for security vulnerabilities
Smart TV Vulnerable to Radio Frequency Injection
• Vulnerabilities in Smart TVs may allow cyberthreat actors to hijack users' online accounts
• Dubbed the "red button attack", it allows an attacker to:
  – Capture incoming digital broadcast signals
  – Inject malicious HTML code into the data being transmitted
  – Send the signals back out on the same frequency
  – Gain access to websites—such as Yelp and Facebook—that the users were logged into on their Smart TV, permitting the distribution of spam and fraudulent posts on social media websites
• Attack can be scaled by using a 1-watt amplifier to broadcast the signal to a large area, potentially using a UAV
• Malicious streams are difficult to detect and—because they are not web-based—almost impossible to trace
• Users can prevent this by cutting off Internet access to all broadcast-delivered HTML content, or by requiring confirmation each time a web-based app is opened on the Smart TV
ZeuS Variant Targets Cloud Infrastructure to Conduct DDoS Attacks
• ZeuS malware framework was recently modified by malicious actors to collect cloud-based credentials for the purpose of conducting distributed denial of service (DDoS) attacks
  – Cybercriminals are targeting company websites containing cloud-based applications and creating customized payloads—such as web-injects—to collect login credentials
  – ZeuS has been observed being paired with the popular Dirt Jumper DDoS kit, customizable malware that utilizes multiple methods to initiate powerful DDoS attacks
• Cloud service vendors are viewed as lucrative targets by cybercriminals
  – The cloud framework provides anonymity, enabling greater operational security for attacks
  – The cloud also provides extensive bandwidth and processing power for conducting attacks. Additionally, mitigating this attack could prove challenging since malicious traffic would be directed from a legitimate domain owned by the cloud-services vendor
• Cyber4Sight analysts assess that the updated functionality of the newest ZeuS variant may encourage hacktivists or nation-state actors to employ the malware in tailored campaigns
Small Businesses Targeted by Cloud-Based POS Malware Via Browser Attacks
• Recently discovered cloud-based POS malware—dubbed "POSCLOUD<dot>Backdoor/Agent"—uses keylogging and screenshots rather than RAM scraping to steal payment-card data and customers' personally identifiable information (PII) via vulnerabilities in web browsers
• Uses two attack vectors:
  – Employees are fooled into visiting a malicious website that executes a drive-by download attack
  – Employees receive spear-phishing email messages
• After initial infection, the malware connects to a command-and-control (C2) server to download additional malware capable of intercepting form data and login credentials
  – Malware exploits two recently discovered vulnerabilities:
    ― "Double free" vulnerability in Adobe Flash Player
    ― "Use-after-free" vulnerability in Internet Explorer
• Cyber4Sight assesses that the POSCLOUD malware could have a very high rate of success in infecting its targets and stealing payment-card information, given its targeting of small businesses
Asprox Botnet Activity Spikes, Using New Anti-Detection Techniques
• Asprox botnet activity increased dramatically in May 2014, with anywhere between 50 and 500,000 malicious email messages distributed per outbreak
  – Asprox botnet was first observed in December 2013 and since then its controllers have used a variety of spam email topics to spread it
• Latest Asprox campaign has several new features in comparison to previous campaigns
  – Spam email subject lines and content have a new court-related theme
  – Rather than a malicious link in the body of the email message, the malware payload is delivered via a malicious executable attachment disguised as a Word document
  – Change in detection attributes—such as constantly changing the IP addresses of the command-and-control (C2) servers
• Cyber4Sight assesses that FireEye's publication of this report could spur the botnet's controllers to further customize the topics of their spam email messages
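The new delivery method above, an executable attachment passed off as a Word document, is caught by comparing what the filename claims with what the bytes actually are. The following is an added example, not FireEye's or HITRUST's code: a mail-gateway style check that sniffs the container magic, flags PE content under a document extension and flags double extensions. The magic-byte table, the extension lists and the sample attachments are constructed for this example.

```python
import os

# Magic bytes of the container formats this check understands
# (constructed table for this example).
MAGIC = {
    b"MZ": "pe-executable",                                  # Windows PE (.exe/.scr/...)
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2-compound",    # legacy .doc/.xls
    b"PK\x03\x04": "zip",                                    # .docx/.xlsx are zip containers
    b"%PDF": "pdf",
}

# Which container a given document extension is allowed to carry.
EXPECTED = {
    ".doc": {"ole2-compound"}, ".xls": {"ole2-compound"},
    ".docx": {"zip"}, ".xlsx": {"zip"},
    ".pdf": {"pdf"},
}
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def sniff(data):
    """Identify the container from its leading bytes, ignoring the filename."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def classify_attachment(filename, data):
    """Return the reasons an attachment looks disguised; an empty list is clean."""
    reasons = []
    root, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(root)[1]
    kind = sniff(data)
    # 1. Executable content under a name that does not declare it (the Asprox pattern).
    if kind == "pe-executable" and ext not in EXECUTABLE_EXT:
        reasons.append(f"PE executable content with non-executable extension {ext!r}")
    # 2. Double extension such as notice.doc.exe, which many mail clients display truncated.
    if ext in EXECUTABLE_EXT and inner_ext in EXPECTED:
        reasons.append(f"double extension {inner_ext}{ext}")
    # 3. A declared document type whose container is a different, non-executable format.
    if ext in EXPECTED and kind not in ("unknown", "pe-executable") and kind not in EXPECTED[ext]:
        reasons.append(f"{ext} declared but content is {kind}")
    return reasons


# Constructed sample attachments: 64 bytes each, only the header matters.
SAMPLES = {
    "Court_Notice_0623.doc": b"MZ\x90\x00" + b"\x00" * 60,                # PE under a .doc name
    "Court_Notice.doc.exe": b"MZ\x90\x00" + b"\x00" * 60,                 # double extension
    "agenda.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56,     # genuine legacy Word file
    "report.docx": b"PK\x03\x04" + b"\x00" * 60,                          # genuine OOXML file
}


def scan_all(samples=SAMPLES):
    """Classify every sample; returns {filename: [reasons]}."""
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, reasons in scan_all().items():
        print(f"{name:24} {'clean' if not reasons else '; '.join(reasons)}")
```

Because the check reads the bytes rather than trusting the declared type, a changed theme or subject line in the next campaign does not affect it; what it does not cover is a genuine Word container carrying a macro, which needs a separate content check.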
U.S. Department of Homeland Security Report Reveals Security Issues in RFID-Enabled ID Card Production System
• RFID automatic identification and data capture technology is used "as a security feature and means of expediting border crossings."
  – RFID automatic identification and data capture technology presents new security challenges
  – Includes increased risk of unauthorized users accessing data stored in system databases
• The security issues uncovered in the U.S. DHS report primarily concern a component called Card Personalization System Technology Refreshment (CPSTR)
  – Pulls biographic and biometric information from an internal system and returns it to the system after the card is produced
• Vulnerabilities discussed in the report include:
  – 27 of 31 Windows workstations in the CPSTR system were missing 6 years' worth of Java patches
  – A missing security patch designed to prevent attackers from remotely executing arbitrary code on CPSTR Windows servers
  – An Oracle database server was found to be missing 22 patches, representing more than 5 years' worth of Oracle updates
• Cyber4Sight assesses that missing patches in the CPSTR system could be exploited by cyberthreat actors—if they have not been already—to steal the personally identifiable information (PII) of U.S. permanent residents for a variety of malicious purposes, including identity theft for financial gain or impersonation to facilitate other criminal activity
Medical Device Firm Recently Admits to Two Data Breaches in 2013
• U.S.-based medical device manufacturer Medtronic, Inc. claimed it experienced two cyber incidents in 2013
  – The first incident involved the loss of an undisclosed number of patient records from its diabetes unit
  – Medtronic also suffered an unauthorized intrusion into its systems originating from an unspecified Asian country
• Cyber4Sight analysis suggests that the second incident was likely part of a data-collection campaign conducted by China-based cybercriminals or possibly nation-state actors
  – Cybercriminals would steal proprietary information and sell it to interested individuals so that corresponding devices could be developed and sold on the Chinese market
  – Nation-state actors could use the information to accelerate domestic research and development of next-generation medical devices
  – China-based malicious actors have shown interest in acquiring intellectual property from U.S.-based medical device manufacturers in the past
Vulnerability Discovered in Internet-Connected Thermostat
• Google's Internet-connected Nest thermostat contains a vulnerability enabling malicious actors to install a backdoor in the device
• The exploit kit takes advantage of the device's built-in device firmware update (DFU) mode
  – A custom boot-loader establishes root access to the device, enabling the user to modify files without restriction
  – Then an SSH (secure shell) server is loaded onto the device, allowing remote access to the thermostat and allegedly allowing an attacker to bypass most home network firewalls
• Cyber4Sight analysis suggests that hacktivists, cybercriminals, and nation-state actors would likely find this exploit useful for their operations
  – After bypassing a victim's home-network firewall, a cyberthreat actor could monitor network traffic for personal login credentials that could be used to conduct financial fraud or identity theft
  – As part of the Internet of Things (IoT), the thermostat could be compromised and co-opted into a botnet designed to conduct distributed denial of service (DDoS) attacks
  – It is possible businesses could purchase these thermostats for use in corporate buildings. Nation-state actors could use this exploit to access a company's corporate network and collect proprietary information
Hospital Networks Leaking Data Over SMB Protocol
• Healthcare-focused information security researchers recently announced their discovery of an unspecified number of hospital networks leaking information onto the Internet via port 445, the port for SMB (Server Message Block), which is designed to share files, printers, and serial ports among devices in a network
• Thousands of healthcare network devices and computers were found to be leaking identification and network information because they were directly connected to the Internet rather than protected behind an internal firewall
• Researchers claim hospital administrators had misconfigured SMB so that many types of devices—including defibrillators and drug infusion pumps—were exposing information
  – Some of the devices had assigned names on the networks which would allow hackers to identify specific systems for attack
• Takeaway—misconfigured network settings in one healthcare organization could affect broader segments of the healthcare sector
  – The ubiquity of SMB suggests that even fully updated systems remain vulnerable to attacks
Malvertising Banners on Popular Websites Distributing RIG Exploit Kit
• Adobe Flash-based malvertising campaign on popular websites is redirecting users to a landing page distributing the RIG exploit kit
  – RIG has previously been used to distribute the CryptoWall ransomware
• Malvertising banners are being placed on popular websites which redirect, via an iframe injection, to a URL on the same domain as the malicious advertising server
• Cybercriminals have set parameters on the campaign such that the malvertisements are not detected by antivirus software and do not redirect victims with incompatible systems
• RIG exploit kit contains exploits for:
  – Adobe Flash (CVE-2014-0497 and CVE-2013-0634)
  – Microsoft Silverlight (CVE-2013-0074 and CVE-2013-3896)
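Because the redirect described above travels through an injected iframe, a publisher or its security team can audit the pages actually served for iframes that are hidden, tiny or loaded from another host. The following is an added example, not code from the briefing: a parser built on Python's standard html.parser that reports such iframes and why. The sample page and its .test hostnames are constructed for this example; the third-party-host reason is informational only, since legitimate ad slots also load from other hosts, while a hidden or 1x1 frame is the strong signal.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


def _tiny(value):
    """True for width/height attributes of 0 or 1 (with or without 'px')."""
    if value is None:
        return False
    v = value.strip().lower()
    v = v[:-2] if v.endswith("px") else v
    return v.strip().isdigit() and int(v) <= 1


class IframeAuditor(HTMLParser):
    """Collect iframes that are hidden, tiny, or load from a host other than the page's own."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero/one-pixel dimensions")
        # Hidden or tiny frames are the strong signal; a foreign host alone is informational.
        severity = "high" if reasons else "info"
        src = a.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        if host and host != self.page_host:
            reasons.append(f"third-party src host {host}")
        if reasons:
            self.findings.append({"src": src, "severity": severity, "reasons": reasons})


def audit_iframes(html, page_host):
    """Parse a served page and return the suspicious iframes found in it."""
    auditor = IframeAuditor(page_host)
    auditor.feed(html)
    return auditor.findings


# Constructed page: a same-host widget, a visible ad banner from an ad host,
# and a 1x1 hidden frame from the same ad host that would carry a redirect.
SAMPLE_HTML = """
<html><body>
<h1>Headlines</h1>
<iframe src="https://www.example-publisher.test/widgets/weather" width="300" height="250"></iframe>
<div id="ad-slot">
  <iframe src="https://cdn.ads-example.test/serve/banner.swf?id=77" width="728" height="90"></iframe>
  <iframe src="https://cdn.ads-example.test/r/landing.php" width="1" height="1" style="display:none;"></iframe>
</div>
</body></html>
"""

if __name__ == "__main__":
    for f in audit_iframes(SAMPLE_HTML, "www.example-publisher.test"):
        print(f"[{f['severity']}] {f['src']}: {', '.join(f['reasons'])}")
```

Feed it the HTML as delivered to a real browser session rather than the template, since the injected frame is written by the ad creative at render time; a high-severity hit names the ad host to take up with the ad network.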
World Cup Cyber Activity Mostly Low-Capability Defacements and DDoS Attacks
• Observed malicious cyber activity against the 2014 FIFA World Cup and its sponsors has not caused significant damage or disruption as of yet
• Examples of observed cybercriminal activity:
  – Phishing email messages promoting free tickets or containing supposed "breaking news" about the World Cup. One identified case served the DarkComet remote administration tool and another served an exploit for a known vulnerability in Microsoft Word.
  – A drive-by-download attack in which a malvertising banner redirected users to a domain previously associated with serving rootkits and malware that creates popup ads
• Examples of observed hacktivist campaigns:
  – Alleged (but unconfirmed) DDoS attack by the hacktivist collective Anonymous Brasil against The Emirates Group, a Dubai-based international aviation holding company
  – Alleged (but unconfirmed) DDoS attack by Anonymous Brasil against Yingli Solar, a China-based solar energy company
  – The defacement of the website of Johnson Controls—a U.S.-based energy efficiency company—by Tunisian Hackers Team, a Tunisian hacktivist group
  – Alleged leaks by the low-capability hacktivist group UGLegion of information on the CEOs of McDonald's and Johnson & Johnson, a U.S.-based healthcare product company
Hong Kong DDoS Attacks Highlight Broader Use of the Attack Vector by Possible Nation-State Groups
• Chinese nation-state threat actors—or their proxies—may be employing DDoS-style attacks normally associated with less sophisticated threat actors
  – Recent large-scale distributed denial of service (DDoS) attacks on democracy-related sites in Hong Kong coincided with political pressure from the Chinese central government
• One of the websites suffered a massive DDoS attack, which CloudFlare—the site's host—determined exceeded 300 GBps
  – If accurate, the reported scale constitutes one of the largest DDoS attacks ever observed
• Cyber4Sight analysts believe that the Chinese government was likely involved, at least through a proxy group
  – It is also possible that the attacks were the work of Chinese nationalist hacktivists, who have previously conducted DDoS attacks against sites for supposed anti-Chinese interests
• The massive scale and specific vector (Layer 7 attack) suggest a level of sophistication generally beyond that of conventional hacktivists
  – These types of attacks are designed to beat DDoS-mitigation tools that suppress or cut off the transfer of specific types of data
• If sophisticated Chinese nation-state-affiliated threat actors—or their proxies—now use DDoS attacks as part of their arsenal, it is possible that adversaries of China or corporations deemed to be anti-Chinese may ultimately become targets
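A Layer 7 flood of the kind described above is made of individually well-formed HTTP requests, which is why mitigation that drops specific packet or protocol types does not see it; what separates it from readers is the request rate per source. The following is an added example, not code from CloudFlare or the briefing: a per-client sliding-window detector over Common Log Format lines that reports clients exceeding a request threshold within a window. The threshold, window and sample log lines are constructed for this example, and the detector assumes each client's lines arrive in time order.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: client ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return (client_ip, timestamp, request) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req")


def detect_l7_flood(lines, window_seconds=10, max_requests=20):
    """Per-client sliding window over request timestamps.

    Returns {client_ip: peak requests seen in any window} for clients that
    exceeded max_requests within window_seconds. Every request is valid HTTP,
    so only the rate per source distinguishes the flood from a reader.
    Window and threshold are constructed for this example; tune them to the
    site's real traffic, and assume each client's lines are in time order."""
    windows = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        q = windows[ip]
        q.append(ts)
        # Drop timestamps that have fallen out of the window for this client.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > max_requests:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def _line(ip, second, path):
    """Build one constructed CLF line at 09:15:<second> on 23 Jun 2014 (HKT)."""
    return f'{ip} - - [23/Jun/2014:09:15:{second:02d} +0800] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: one reader making five requests over a minute and one
# client making thirty requests to the same page in five seconds.
SAMPLE_LOG = (
    [_line("203.0.113.5", s, "/index.html") for s in (0, 12, 25, 40, 55)]
    + [_line("198.51.100.7", s // 6, "/vote") for s in range(30)]
)

if __name__ == "__main__":
    for ip, peak in detect_l7_flood(SAMPLE_LOG).items():
        print(f"{ip}: {peak} requests within 10 s")
```

At the scale on this slide the source set is large and each source can stay under any single-client threshold, so in practice this per-client view is paired with aggregate request-rate and request-pattern baselines at the edge; the sliding window is the building block both use.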
Calendar
• 5–11 July: Tunisian_Hàckers Team's planned attacks against U.S. financial institutions
• 13 July: FIFA World Cup Final Game
• 20 July: Iran nuclear negotiations deadline
• 22–23 July: RSA Conference Asia Pacific & Japan in Singapore
• 24 July: Laylat al-Qadr (Muslim religious holiday)
• 28 July: Eid al-Fitr (Muslim religious holiday marking the end of Ramadan)
• 2–7 August: Black Hat USA conference in Las Vegas
• 7–10 August: DEF CON conference in Las Vegas
• 14 August: Independence Day in Pakistan
• 15 August: Independence Day in India
• 17–21 August: Crypto 2014 in California
• 7 September: Independence Day in Brazil
• 11 September: Anniversary of attacks on the World Trade Center and the Pentagon (2001)
• 16 September: Independence Day in Mexico
• 22–24 September: Cyber Intelligence Europe conference
Discussion
• Share threat indicators, incidents, and events
• Sign up for briefings and alerts
• CyberRX future exercise sign-up or Spring 2014 exercise findings: http://hitrustalliance.net/cyberrx/
Future Events
• Monthly threat briefings will take place on the 3rd Thursday of each month
• Monthly threat reports will be distributed on the 1st of each month
www.hitrustalliance.net/cyberupdates/
Questions
• You can utilize the chat function on the WebEx desktop to ask questions of the presenters
• The moderator will review them and provide them to the presenters, time permitting