HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) and U.S. Department of Health and Human Services Monthly Cyber Threat Briefing

Will Begin Shortly

Audio is being broadcast through your computer speakers – please adjust your volume

Participants will be able to ask questions through the chat function in the webex console


HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) and U.S. Department of Health and Human Services Monthly Cyber Threat Briefing

May 2014 (Review)

Agenda

• Introduction

• Monthly Production

• Threat Updates

• Trends and Outlook

• Calendar

• Discussion

© 2014 HITRUST, Frisco, TX. All Rights Reserved. Written permission required for further distribution.

For more information visit www.hitrustalliance.net/c3

Monthly Production


Bold titles are highlighted in this briefing

• ANALYTIC UPDATE: DDoS Attack Reported by UltraDNS, Very Likely Responsible For TD Ameritrade Outage

• ANALYTIC UPDATE: U.S. Government Indicts 5 Chinese People’s Liberation Army Officers For Cyber Attacks on U.S. Companies

• AnonManifest Hacks World Cup Committee and Sao Paolo State Government Sites

• Anonymous-Affiliated Actor Appears Highly Active Against Numerous Industries and Governments, But Most Attacks Are Overstated

• Arrest of Two Anonymous-Affiliated Cambodian Hacktivists Leads to Cyber Attacks

• Australian Authorities Arrest Two Anonymous-Affiliated Hacktivists

• Australian Authority Warns of Future Cyberthreats Against the Healthcare, Energy, and Government Sectors

• AutoNation Leaks Financial Information After Third-Party Vendor Breach

• Baylor Health Care System Suffers Data Breach

• Belgian Ministry of Foreign Affairs Quarantined After Cyber-Espionage Attack

• Brazilian Foreign Ministry Email Servers Hacked

• Bulgarian Police Arrest ATM Skimming Gang Linked to Attacks in Southeast Asian Countries

• Californian Student Health Center’s Computers Infected With Keylogging Malware

• Casino Operator Suffers Second Financial Data Breach

• Catholic Health Initiatives Email Messages Redirected, PHI Likely Compromised

• China Bans Windows 8 on Government Systems

• China Continues Tightening Restrictions on U.S. Equipment and Services in Wake of Indictment

• Chinese APT Group Shiqiang Gang Suspected in New Spear-Phishing Activity

• Chinese APT Targets Southeast Asian Countries Over South China Sea

• Chinese Government Encourages Domestic Alternative to Windows XP

• Chinese Government Expands IT Vendor Vetting To Bolster Cyber Defenses

• Chinese Hackers Deface 220 Vietnamese Sites Amid Tensions Over South China Sea

• Chinese Online-Gaming Company Hit by DDoS Attacks, Threat Actors Arrested

• Cybercriminal Targets Australian Company’s Automatic Payments

• Cybercriminals Compromise Dogecoin Auction Website

• Cybercriminals Steal South Korean Digital Certificates

• Cybercriminals Target Another South Korean Cosmetic Company

• DDoS Malware Incorporates Linux Servers Into Botnet

• DDoS-For-Ransom Cybercriminal Targets More North American Tech Companies

• DHS Announces Breach of Two Industrial Control Systems

• Dogecoin Wallet Service Temporarily Shut Down After Alleged Theft

• Dubai Police Announce Tentative Plan To Use Google Glass For Law Enforcement

• eBay Breach Spurs Cybercriminal Schemes

• eBay Customer Database Compromised by Cyber Attack

• Estonia Planning To Store Government Data and Online Services Internationally

• Following Contact With Hilf-ol-Fozoul, Saudi Hacktivist Reports on Attack Against Qatar

• French Telecommunication Provider Suffers Second Breach This Year, Leading to Spike in Spear-Phishing Email Messages

• Gray Hat Hacker Exposes Vulnerabilities in Australian Government Services Portal

• Hacktivist Group Allegedly Exploits Cisco Zero-day to Compromise Ukrainian Central Election Commission’s Servers

• Hilf-ol-Fozoul Resumes Blog Posts After 6-Month Hiatus

• iCloud Activation Lock Allegedly Bypassed Via Man-in-the-Middle Attack

• Indian Cybercriminal Leverages Rewards Points Database To Compromise Payment Cards

• Indiana Hospital Website Breached, Patient Data Stolen and Used in Spear-Phishing Scheme

• Iranian Authorities Take Multiple Law Enforcement Actions Amid Internet Policy Debate

• Iranian Officials Spar Over Alleged Ban of Messaging Application WhatsApp

Monthly Production (continued)

• Iranian President Gives Major Policy Speech Promoting Internet Usage, While Iranian Authorities Conduct Arrests Over YouTube Video

• Iranian Software Engineers Create Cyber Intrusion-Detection Software

• Islamic Hacktivists Announce OpFIFA Campaign

• Japan Basketball Association Website Compromised in Suspected Watering-Hole Attack

• KiberBerkut Breaches Facebook Account, Solicits Supporters For DDoS Attack

• Law Enforcement Raids BlackShades RAT Users, Limited to Cooperating Countries

• Libyan Hackers Claim Heartbleed Vulnerability Used To Deface Toolkit Provider Website

• Lock-Out Attack Targets Apple Users in Australia and New Zealand

• Massive DDoS Attack Reported by UltraDNS, Very Likely Responsible For TD Ameritrade Outage

• Merchandise Rerouted After South Korean E-Commerce Website Breach

• Messaging Application Viber Reportedly Blocked in Iran Amid Internal Political Struggle

• Microsoft Word Zero-Day CVE-2014-1761 Deployed in New MiniDuke

• Mining Disaster Spurs Turkish Hacktivist Group To Deface Municipal Government Website

• Montana Public Health Department Server Breached

• More Than 100 Thai Government Sites Reportedly Compromised Amidst Massive Political Turmoil

• Nemanja Botnet Compromised Point-of-Sale Devices at Small Businesses and Grocery

• New Android Worm Targets Russian Speakers, Spreads Via SMS

• New Anti-Ukrainian Government Hacktivist Group Leaks Conversation Between Ukrainian Leaders

• New Hacktivist Group in Ukraine Breaches Email Account

• New Hybrid Trojan “Zberp” Targeting Unnamed Financial Institutions’ Customers

• New Variant of Pharming Malware Leverages VPN

• New Zealand Government Shuts Down Supercomputer After Unauthorized Access Detected

• Pakistani Hacktivists Compromise Indian Ministry of Railway Server, Deface 47 Domains

• Philippines Cyber Police Track Down and Arrest Cyber-Extortion Ring

• Popular South Korean Voice Chat Program Vulnerable to XSS Attack

• Recent Adobe Flash Vulnerability Being Leveraged In Ongoing Financial PII Thefts Targeting Japan

• Saudi Arabia Announces Plans To Recruit Hackers To Bolster Cyber-Defenses

• Saudi Military Conducts Large-Scale Exercises, Including Cybersecurity Component

• Security Expert Warns of Potential Increase in Use of Simple Network Management Protocol For DDoS Attacks

• Security Research Firm Releases Report on Iranian Cyber-Espionage Campaign

• Security Research Firm Releases Report on Iranian Hacker Group

• Security Researcher Demonstrates Wireless Automotive Hack

• Security Researcher Identifies Design Flaws in BMW’s Smartphone Application

• Security Researcher Identifies Self-XSS Facebook Scam Affecting Indian Users

• Security Researchers Highlight Interconnected Nature of Chinese APT Groups

• SeCuRiTy_511 Claims DDoS Attack on Saudi Aramco Website, Threatens More

• SeCuRiTy_511 Leaks Israeli Airline Information

• SeCuRiTy_511 Leaks Israeli Fuel Company Employee Information

• Shake-Up at Anonymous-Affiliated News Source Over Missing Funds

• Shortened-URL Provider Announces Customer Account Compromise

• Silverlight Exploit Used in Malvertising Campaign

• South Korean Credit Card App Compromised Using Stolen Digital Certificates

• South Korean Cyber-Extortion Gang Targets Illegal Gaming Servers

• South Korean Labor Union Websites Used in Watering-Hole Attacks

• South Korean Pharmaceutical Company Website Used in Drive-by-Download Attack

• Syrian Electronic Army Hijacks BuzzFeed UK Twitter Account in Retaliation Against U.S. Security Researcher and Syria Coverage

• Syrian Electronic Army Hijacks Four Wall Street Journal Twitter Accounts Amid Ongoing Spat With U.S. Security Researcher

Monthly Production (continued)

• Traffic Control System Vulnerable to Cyber Attack

• Trojanized Version of Popular Chinese Chat Application WeChat Observed

• TrueCrypt Pronounces Itself “Not Secure,” Advises Users To Switch to BitLocker

• Tunisian Hacktivist Group Claims Attacks Against Bhutanese, Argentine, and Maryland Government Targets

• Tunisian Hacktivist Group Threatens Attacks Against U.S. Banks

• Turkish Court Orders YouTube Ban To Be Lifted After 2 Months

• U.S. Government Indicts 5 Chinese People’s Liberation Army Officers For Cyber Attacks on U.S. Companies

• Ukrainian Election Server Allegedly Infected With Virus, Also Attacked by KiberBerkut

• University of North Carolina Is Latest Victim of Data Breaches in Higher Education Sector

• Upcoming Presentation May Reveal New Automotive Exploits

• UPDATE: Belgian Ministry of Foreign Affairs Quarantined After Cyber-Espionage Attack

• UPDATE: China Bans Windows 8 on Government Systems

• UPDATE: Hacker Diabl0 Arrested in Thailand in Connection With Swiss Bank

• UPDATE: KiberBerkut Breaches Facebook Account, Solicits Supporters For DDoS Attack

• UPDATE: Law Enforcement Raids BlackShades RAT Users, Limited to Cooperating Countries

• UPDATE: South Korea’s Agency For Defense Development Breached

• UPDATE: Ukrainian Election Server Allegedly Infected With Virus, Also Attacked by KiberBerkut

• World Cup Ticket Vendor Suffers Cyber Attack

• World Cup-Related Cybercriminal Scams Emerge as Tournament Approaches

• XSS Vulnerabilities Identified in Popular South Korean Bulletin Board System


Threat Updates

• Indiana Hospital Website Breached, Patient Data Stolen and Used in Spear-Phishing Scheme

• Australian Authority Warns of Future Cyberthreats Against the Healthcare, Energy, and Government Sectors

• Baylor Health Care System Suffers Data Breach

• Catholic Health Initiatives Email Messages Redirected, PHI Likely Compromised

• South Korean Pharmaceutical Company Website Used in Drive-by-Download Attack

• Security Expert Warns of Potential Increase in Use of Simple Network Management Protocol For DDoS Attacks

• Californian Student Health Center’s Computers Infected with Keylogging Malware

• Anonymous-Affiliated Actor Appears Highly Active Against Numerous Industries and Governments, But Most Attacks Are Overstated

• DDoS Malware Incorporates Linux Servers Into Botnet

• DDoS-For-Ransom Cybercriminal Targets More North American Tech Companies

• Nemanja Botnet Compromised Point-of-Sale Devices at Small Businesses and Grocery Stores

• Montana Public Health Department Server Breached


Indiana Hospital Website Breached, Patient Data Stolen and Used in Spear-Phishing Scheme

• Indiana-based DeKalb Health reported that in early February unknown cybercriminal actors breached a server that hosts its website, enabling the perpetrators to access three different databases containing patient information

– 17 patients’ PII from the site’s online bill-pay section

– 24 patients’ PII and PHI from an unnamed database

– 1,320 patients’ (infants and their parents) PII from the Online Nursery database

• In mid-March DeKalb Health discovered a phishing page mimicking its legitimate donation website

– Further research revealed a link on DeKalb Health’s main website to the phishing page

– Spear-phishing email messages were sent to members of the community, asking them to make a donation, with a link to the fraudulent page

• The website was hosted by a third-party vendor, apart from the institution’s patient database, but appears to have still contained PII and PHI

• Perpetrators are from “overseas”

• Takeaway - The most effective security countermeasures can be completely negated due to third-party vendor weaknesses, highlighting the need for due diligence for all vendors


Australian Authority Warns of Future Cyberthreats Against the Healthcare, Energy, and Government Sectors

• CSIRO released a report highlighting cyber vulnerabilities and threats over the next decade

• Predicts that increasing digitization and use of technology will drive transition to a connected health services ecosystem, smart grid, and the consolidation of data infrastructure and services across the government

• Cites the growth in personally controlled electronic health records (PCEHR), which is expected to reach 1.5 million registrations in Australia by 2014

– Could be used by cybercriminals to extort hospitals, defraud medical insurance companies, or breach the patient’s financial and email accounts

• Each of these sectors has recently suffered cyber attacks

– Taking into consideration the integration of these sectors, a future cyber attack could have a system-wide impact instead of merely affecting an individual company or single government office


Baylor Health Care System Suffers Data Breach

• Unknown actors breached affiliated physician email accounts at two of its member organizations

– Baylor Regional Medical Center in Plano, Texas

– Health Texas Care System in Dallas, Texas

• In late January 2014 a small portion of its affiliated physicians fell victim to a spear-phishing attack in which they provided their email credentials in response to what they believed to be legitimate internal requests

• This provided the attackers with access to the employees’ email accounts, which contained both PII and PHI of patients

– 2,742 patients affected at Health Texas

– Undisclosed number at Baylor Regional Medical Center

• Breach was discovered in late February and the affected employees had their passwords reset by Baylor

• No reports at this time of patient information being used maliciously

• Reinforces the need for organizations to educate employees about spear-phishing attacks and the type of information that should and should not be provided to seemingly legitimate sources

• Disclosure seems to indicate that email accounts were not encrypted, allowing free access to data contained therein once the credentials were stolen


Catholic Health Initiatives Email Messages Redirected, PHI Likely Compromised

• An unknown cyberthreat actor redirected email messages sent to Catholic Health Initiatives (CHI) doctors to his personal email account from 25 March – 30 March

• An outside tech company assessed that a domain name system (DNS) redirection attack was utilized to facilitate this breach

– Cyberthreat actor gained administrator-level control of several websites/domains and ultimately used that control to redirect messages sent to catholichealth<dot>net email addresses

– Detected because doctors reported receiving no, or significantly fewer, email messages than normal

– IP addresses used by cyberthreat actor appear to originate in Pakistan

• It is possible the groundwork for this attack was laid as early as January 2014, when employees of the Franciscan Medical Group (FMG), a facility managed by CHI, fell victim to spear-phishing emails purportedly from CHI

• FMG claims attacks are unrelated, however:

– DNS redirection is most commonly executed from inside the targeted network and stolen FMG credentials may have been used to gain admin-level control

– FMG asserts no reports of fraud have emerged from their breach, suggesting a cyberthreat actor may have carried out the attack in preparation for a later, more sophisticated attack


South Korean Pharmaceutical Company Website Used in Drive-by-Download Attack

• The website of Daewoong, a major pharmaceutical company, was used in a drive-by-download attack and compromised to direct visitors to other malicious websites

– Malicious JavaScript files disguised as pictures exploited JavaScript vulnerabilities in visitors’ browsers

– The unnamed malware was distributed via Daewoong’s site from June 2012 – April 2014

– Since 11 March 2014 the web servers also posted links to other malicious websites

• Given the cyberthreat actor’s complete control of the compromised web server, security researchers claim it is likely they gained access to other servers in the network that contain the company’s external-facing services

– Some webpages are only accessible by employees, leading researchers to believe Daewoong’s internal network and potentially the servers of 11 other Daewoong subsidiaries may also be compromised

• It is likely that PHI was the target, and given that criminal uses for PHI are limited outside the victim’s country, it is also likely that the responsible cyberthreat actors are South Korea- or China-based


Security Expert Warns of Potential Increase in Use of Simple Network Management Protocol For DDoS Attacks

• Network-connected devices – referred to as the Internet of Things (IoT) – that support simple network management protocol (SNMP) could become the preferred attack vector for reflected distributed denial-of-service (DDoS) attacks

• Recent DDoS attack took advantage of user datagram protocol (UDP) packets used by SNMP in video-conferencing systems (VCS), with a single 87-byte packet generating 60,000 bytes sent back to victim IP address

• SNMP attacks will become more popular for various reasons:

– System admins are adapting their networks to mitigate DNS- and NTP-based attacks

– Using a firewall to block UDP packets is impractical, since the VCS systems dynamically negotiate ports to stream audio and video

– Increasing popularity of IoT devices will supply additional devices that could be compromised. Researchers estimate that by 2020 as many as 212 billion devices will be connected to the Internet.
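
A defender-side check for the reflection pattern described on this slide, as an added example that is not part of the original briefing: it totals UDP bytes to and from port 161 for each SNMP agent and peer, then flags pairs whose response volume dwarfs the requests. The flow-record layout, addresses and thresholds are constructed assumptions; the 87-byte and 60,000-byte sizes are the figures quoted on the slide.

```python
from collections import defaultdict

SNMP_PORT = 161

# Constructed flow records (not from the briefing):
# (src_ip, src_port, dst_ip, dst_port, protocol, bytes)
SAMPLE_FLOWS = [
    # Management station polling a switch: small request, small reply.
    ("10.0.0.5", 40001, "10.0.1.20", 161, "udp", 90),
    ("10.0.1.20", 161, "10.0.0.5", 40001, "udp", 160),
    # Management station doing a large but legitimate table walk.
    ("10.0.0.5", 40002, "10.0.1.21", 161, "udp", 5000),
    ("10.0.1.21", 161, "10.0.0.5", 40002, "udp", 40000),
    # Request carrying the victim's address as source, answered by a
    # video-conferencing unit with the sizes quoted on the slide.
    ("203.0.113.9", 53211, "10.0.2.30", 161, "udp", 87),
    ("10.0.2.30", 161, "203.0.113.9", 53211, "udp", 60000),
    # Same pattern repeated three times against a second unit.
    ("203.0.113.9", 53212, "10.0.2.31", 161, "udp", 87),
    ("10.0.2.31", 161, "203.0.113.9", 53212, "udp", 60000),
    ("203.0.113.9", 53213, "10.0.2.31", 161, "udp", 87),
    ("10.0.2.31", 161, "203.0.113.9", 53213, "udp", 60000),
    ("203.0.113.9", 53214, "10.0.2.31", 161, "udp", 87),
    ("10.0.2.31", 161, "203.0.113.9", 53214, "udp", 60000),
    # Non-UDP traffic is ignored.
    ("10.0.0.5", 40003, "10.0.2.30", 161, "tcp", 70000),
]


def find_snmp_reflection(flows, min_ratio=50.0, min_response_bytes=10_000):
    """Return (agent, peer) pairs whose SNMP replies look amplified.

    min_ratio and min_response_bytes are assumed starting thresholds;
    tune them against normal polling traffic on the monitored network.
    """
    request_bytes = defaultdict(int)   # keyed by (agent, peer)
    response_bytes = defaultdict(int)  # keyed by (agent, peer)

    for src, sport, dst, dport, proto, nbytes in flows:
        if proto != "udp":
            continue
        if dport == SNMP_PORT:
            request_bytes[(dst, src)] += nbytes
        elif sport == SNMP_PORT:
            response_bytes[(src, dst)] += nbytes

    findings = []
    for (agent, peer), sent in response_bytes.items():
        received = request_bytes.get((agent, peer), 0)
        # No visible request at all is treated as unbounded amplification.
        ratio = sent / received if received else float("inf")
        if sent >= min_response_bytes and ratio >= min_ratio:
            findings.append({
                "agent": agent,
                "peer": peer,
                "request_bytes": received,
                "response_bytes": sent,
                "ratio": round(ratio, 1),
            })
    # Largest reply volume first, so the busiest reflector is triaged first.
    return sorted(findings, key=lambda f: f["response_bytes"], reverse=True)


if __name__ == "__main__":
    for finding in find_snmp_reflection(SAMPLE_FLOWS):
        print(finding)
```
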


Californian Student Health Center’s Computers Infected With Keylogging Malware

• The University of California (UC) Irvine announced its student health center suffered a data security breach

– In documents submitted to the State of California DoJ, UC Irvine claimed it was notified by the California Information Security Office on 26 March 2014 that one of its computers at the health center contained a virus

– Deeper investigation discovered three computers were infected with a keystroke logger that collected and transmitted data to unknown servers between 14 February and 27 March

– PII and PHI of students was compromised

– It is unknown how the logger was installed on the machines

• It is likely that a myriad of credentials for accounts both inside and outside of UC Irvine’s infrastructure was collected

– Credentials used to access the internal university network

– Credentials for social media, personal email, and banking accounts

– Follow-on attacks using the compromised credentials are quite possible


Anonymous-Affiliated Actor Appears Highly Active Against Numerous Industries and Governments, But Most Attacks Are Overstated

• Anonymous Centre (<at>Anon_Centre) has claimed to have conducted a variety of attacks against organizations, including the healthcare industry

– On 16 May, he claimed to leak PII for the Indiana Regional Medical Center

• Cyber4Sight analysts assess that Anonymous Centre is likely a low-level hacktivist with limited sophistication and abilities

– Falsely claiming attacks and data leaks from publicly available sources

– The leaked Indiana Regional Medical Center healthcare PII was publicly available in a spreadsheet uploaded to a U.S.-based healthcare website in 2011


DDoS Malware Incorporates Linux Servers Into Botnet

• Antivirus software developer announced it discovered two families of trojans designed to infect Linux servers and incorporate them into a botnet to conduct distributed denial-of-service (DDoS) attacks

– One family of trojans is based on malware that can execute TCP and UDP flood-based along with DNS amplification DDoS attacks

– A second family of trojans can infect both 32- and 64-bit distributions, collect configuration data of the infected machine, and conduct five different types of DDoS attacks: SYN flood, UDP flood, Ping flood, DNS amplification, and NTP amplification attacks

– Claimed it found another trojan that is designed to infect ARM-based distributions and conduct DDoS attacks via TCP flood and HTTP

– Claimed the command and control (C2) domains for the botnets are located in China

• Cyber4Sight analysts assess that this malware could potentially spread to other regions of the world, based on the usage of Linux-based servers

• Since the perpetrators developed variants capable of infecting ARM-based distributions, it is likely mobile devices will be targeted for incorporation into the botnet


DDoS-For-Ransom Cybercriminal Targets More North American Tech Companies

• The website of Canada-based Internet dating site Plenty of Fish was disrupted by a DDoS attack

– Email messages sent to the company threatened the attack unless a ransom of USD 2,000 was paid

• Cyber4Sight™ assesses that common observed TTPs between this and previous DDoS-for-ransom attacks suggest that the same cybercriminal actor—dubbed by Cyber4Sight as Dalem—was likely responsible for this attack and that he has grown bolder in his demands and more dangerous in his capabilities in recent months

– Dalem’s bitcoin ransom requests have increased from USD 300 in the February attack on Meetup to USD 2,000 in the 20 May attack on Plenty of Fish

– DDoS attacks themselves have strengthened from 8 GBps to 40 GBps over the same time period

– It is possible that copycat groups could emerge to take advantage of Dalem’s credibility as a cyberthreat actor

• Although no healthcare organizations have yet been targeted by Dalem, he has proven he is capable of threatening sizable tech companies, and has the potential to turn his focus toward any industry he chooses


Nemanja Botnet Compromised Point-of-Sale Devices at Small Businesses & Grocery Stores

• U.S.-based security company IntelCrawler recently identified a RAM-scraping point-of-sale (POS) malware with keylogging modules, dubbed the “Nemanja” botnet

– Targeted POS terminals, accounting systems, and grocery management platforms in 36 countries

– Botnet is possibly the largest POS malware discovered to date

– Possibly created by cybercriminals based in Serbia

• First discovered the Nemanja botnet in March 2014

– Has identified 1,478 infected hosts across the globe

– It was designed to infect various types of PC-based POS terminals, as well as grocery store management and accounting software programs

– The malware uses drive-by-download techniques and hacking of remote administration channels to infect systems

• Cyber4Sight assesses the Nemanja botnet appears to operate similarly to the BlackPOS RAM-scraping malware that was allegedly used against U.S. retailers, including Target

– With the addition of a keylogging function, cybercriminals may traverse victims’ corporate environment and gain access to databases that house sensitive customer financial and PII

– It is also possible that cybercriminals could use this malware to steal proprietary business information for financial gain


Montana Public Health Department Server Breached

• An unknown individual gained unauthorized access to a server hosting the protected health information (PHI), personally identifiable information (PII), and financial information of state residents and employees of the Montana Department of Public Health and Human Services (DPHHS)

– Network administrators detected suspicious activity on the server on 15 May 2014

– Server was subsequently shut down while an unnamed third party investigated

– The attacker possibly exploited an unpatched vulnerability in an unnamed software program running on the server

– Perpetrator could have accessed the server as early as July 2013

• DPHHS stated the attacker may have accessed PHI and PII on the server, including clinical information related to medical care and dates of service

– DPHHS officials are still assessing the scope of the breach

– It is unknown how many people have been affected

• Cyber4Sight analysts assess the attackers likely accessed the server with the intent to mine bitcoins rather than to steal PHI or PII

– The perpetrators could acquire bitcoins more quickly using a compromised server than they could using other methods


Trends and Outlook

• DARPA Unveils “Hack-Proof Drone” With Technology Potentially Applicable to Automobile and Health Industries

– On 21 May 2014, the U.S. government’s Defense Advanced Research Projects Agency (DARPA) unveiled a new project as part of its High Assurance Cyber Military Systems (HACMS) program, which seeks to create hack-proof system architecture, software, and operating systems for critical “cyber-physical systems.” According to the HACMS program manager, this technology is “mathematically proven to be invulnerable to large classes of attack,” although security issues may still arise if the device is networked to less secure systems. DARPA’s presentation also shows examples of vulnerable embedded computer systems that could be protected with HACMS, including a pacemaker and an insulin pump


Calendar

• 12 June–13 July: FIFA World Cup in Brazil

• 16–20 June: Iran nuclear negotiations discussions in Vienna

• 20 June: Anniversary of the 2009 Iranian election protests

• 20–21 June: Suits and Spooks New York critical infrastructure conference

• 24–26 June: International Conference on Digital Security and Forensics in the Czech Republic

• 25 June: Korean War Anniversary

• 28 June: Ramadan begins

• 3–4 July: European Conference on Cyber Warfare and Security in Greece

• 5–11 July: Tunisian_Hàckers Team’s planned attacks against U.S. financial institutions

• 20 July: Iran nuclear negotiations deadline

• 22–23 July: RSA Conference Asia Pacific & Japan in Singapore

• 24 July: Laylat al-Qadr (Muslim religious holiday)

• 28 July: Eid al-Fitr (Muslim religious holiday marking the end of Ramadan)

• 2–7 August: Black Hat USA conference in Las Vegas

• 7–10 August: DEF CON conference in Las Vegas

• 14 August: Independence Day in Pakistan

• 15 August: Independence Day in India

• 17–21 August: Crypto 2014 in California


Discussion

• Share threat indicators, incidents, and events


• Sign up for briefings and alerts

• CyberRX future exercise sign up or Spring 2014 exercise findings: http://hitrustalliance.net/cyberrx/


Future Events

www.hitrustalliance.net/cyberupdates/

• Monthly threat briefings will take place on the 3rd Thursday of each month

• Monthly threat reports will be distributed on the 1st of each month

Questions

• You can utilize the chat function on the webex desktop to ask questions of the presenters

• The moderator will review questions and provide them to the presenters, time permitting