Monthly Cyber Threat Briefing - American Hospital Association · 2018-10-03

855.HITRUST (855.448.7878) www.HITRUSTAlliance.net © 2016 HITRUST Alliance. All Rights Reserved. Monthly Cyber Threat Briefing February 2016

Page 1: Monthly Cyber Threat Briefing, February 2016

Page 2

Presenters

• Majed Oweis: CISCP Analyst, US-CERT

• Srujan Kotikela: Senior Threat Scientist, Armor

• Jon Clay: Sr. Mgr – Global Threat Communications, Trend Micro

• Luis Mendieta: Sr. Threat Researcher, ThreatStream

• Dennis Palmer: Senior Assurance Associate, HITRUST

Page 3

NCCIC/US-CERT

Page 4

ARMOR: TOP THREAT ACTORS AND COMMAND AND CONTROL ACTIVITY

Page 5

Top Vulnerability Exploits for the Last 30 Days

NAME | HITS | RELATED TECHS/MALWARE
CVE-2015-8126 | 126 | Reddit, Bitcoin
CVE-2014-0160 (Heartbleed) | 20 | OpenSSL, Yahoo, Google, Encryption, SSL
Stagefright Vulnerability | 12 | Android, Google, Exploit, Smartphone, Zimperium
CVE-2015-0311 | 8 | Adobe Flash Player, Adobe, Microsoft Control Flow Guard, Windows 8.1, Windows 8
CVE-2015-7830 | 8 | XML
CVE-2015-4000 (Logjam) | 6 | OpenSSL, Diffie-Hellman, Apache HTTP Server, Encryption, TLS Encryption
CVE-2015-1743 | 6 | Microsoft IE, Microsoft, Explorer Elevation, Internet Explorer 7, RCE
CVE-2015-1745 | 6 | Microsoft IE, Microsoft, Adobe, memory corruption, RCE
CVE-2015-6612 | 5 | Bluetooth, Alphabet Inc., Android, Telephony
CVE-2014-3566 (POODLE) | 5 | SSL, Google, Encryption, OpenSSL, IBM Corporation
MS08-067 | 5 | Conficker, Honeypot, Microsoft, DCE/RPC, Connection
CVE-2015-3977 | 5 | Schneider Electric, IMT25, CVSS v2
CVE-2015-5655 | 4 |
CVE-2013-0634 | 4 | Adobe, Adobe Flash Player, Firefox, Microsoft Word, Microsoft Windows
CVE-2015-7645 | 4 | Adobe Flash Player, Adobe, Angler Exploit Kit, Nuclear Pack Exploit Kit, Trend Micro
CVE-2014-9163 | 4 | Adobe, Adobe Flash Player, Flash 15.0.0.242, Microsoft IE, Forbes

Action Item:

1. Follow up related vulnerabilities (attack tree)

2. Identify the patch status of your systems

3. Prioritize your remediation efforts

Page 6

Top Emerging Malware Entities

NAME | HITS | RELATED TECHS/MALWARE
Cherry Picker | 499 | Abaddon, Point of Sale, Trustwave, Encryption, Radar
Bookworm | 207 | Microsoft, Kaspersky Lab, Palo Alto Networks, Deluxe Corp, PlugX - Korplug - Sogu
b374k web shell | 85 | Unix shell, PDO, Perl, Injection, Java
KillerRat | 9 | njRAT - Bladabindi
Candle Jar | 9 | Positive Energy, ClearBox, Results Hub, Sun Washed Linen, Diluents
Fastoplayer | 5 | Microsoft Windows
BadBarcode | 5 | Internet of Things
TinyLoader | 4 | VAWTRAK, Abaddon, Proofpoint, Fareit, Microsoft Word
Karrot | 4 | Mobile Phone, TalkTalk Telecom Group
GoMovix | 4 | Microsoft IE, Firefox, Mozilla, Google

Action Item:

1. Identify the malware entities relevant to your environment and block them

2. Ensure your network sensors are always up to date and tuned to detect these indicators

Page 7

Hacker Activity

NAME | HITS
Anonymous | 2794
CtrlSec | 378
Cyber Caliphate | 257
Lizard Squad | 75
GhostSec | 18
Anonymous Legion | 16
Anonymous Argentina | 14
Mujahidin Cyber Army | 11
Armada Collective | 6
Anonymous Ireland | 6
Cracka With Attitude | 5
Anonymous Palestine | 2
APT17 Deputy Dog | 2
Anonymous Mexico | 2
Kelvin Security Team | 1
AnonGh0st | 1
Hunter Gujjar | 1
Anonymous Operation Philippines | 1
Guardians of Peace | 1
Al Qassam Cyber Fighters | 1
Anonymous Canada | 1

Action Item:

1. Follow the hacker activity that is a threat to your brand

2. Subscribe to threat intelligence feeds for constant updates

Page 8

Top Suspicious IP Addresses

NAME | HITS
46[.]109[.]168[.]179 | 30
188[.]118[.]2[.]26 | 24
118[.]170[.]130[.]207 | 18
81[.]183[.]56[.]217 | 11
114[.]44[.]192[.]128 | 10
87[.]222[.]67[.]194 | 6
23[.]239[.]65[.]180 | 4
216[.]243[.]31[.]2 | 4
93[.]174[.]95[.]77 | 4
89[.]248[.]167[.]155 | 4
84[.]200[.]65[.]2 | 4
41[.]33[.]194[.]107 | 4
208[.]100[.]26[.]230 | 4
176[.]98[.]26[.]188 | 4
113[.]207[.]36[.]253 | 3
123[.]151[.]149[.]222 | 3
112[.]82[.]223[.]47 | 3

Action Item:

1. Ensure your security monitoring list is updated with the latest threat IPs
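The indicators above are defanged ("[.]" instead of "."), so they cannot be pasted into a blocklist or a log search as they stand. The following is an added example, not code from the briefing or from Armor: it refangs a few of the slide's indicators, loads them as a watchlist, and checks constructed firewall log lines against it in both directions. The log format, the hostnames and the internal addresses are all constructed for this example.

```python
"""Added example (not part of the HITRUST briefing): refang the slide's
defanged IP indicators and match constructed firewall log lines against them."""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Defanged indicators copied from the "Top Suspicious IP Addresses" slide with their hit counts.
DEFANGED_WATCHLIST = """
46[.]109[.]168[.]179 30
188[.]118[.]2[.]26 24
118[.]170[.]130[.]207 18
89[.]248[.]167[.]155 4
84[.]200[.]65[.]2 4
"""


def refang(indicator: str) -> str:
    """Turn '46[.]109[.]168[.]179' (or '(.)', '{.}', 'hxxp' variants) back into a plain value."""
    value = indicator.strip()
    value = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value)
    return re.sub(r"^hxxp", "http", value)


def load_watchlist(text: str) -> Dict[str, int]:
    """Parse '<defanged ip> <hits>' lines; anything that is not a valid address is skipped."""
    watch: Dict[str, int] = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            watch[str(ipaddress.ip_address(refang(parts[0])))] = int(parts[1])
        except ValueError:
            continue
    return watch


# Constructed firewall log lines; the syslog-like layout is an assumption for this demo.
SAMPLE_LOG = """
2016-02-03T10:15:01Z fw01 ACCEPT src=10.20.30.40 dst=46.109.168.179 dport=443 proto=tcp
2016-02-03T10:15:04Z fw01 ACCEPT src=10.20.30.41 dst=93.184.216.34 dport=80 proto=tcp
2016-02-03T10:16:12Z fw01 DENY src=188.118.2.26 dst=10.20.30.5 dport=3389 proto=tcp
2016-02-03T10:17:40Z fw01 ACCEPT src=10.20.30.42 dst=8.8.8.8 dport=53 proto=udp
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)")


def find_watchlist_hits(log_lines: Iterable[str], watch: Dict[str, int]) -> List[Tuple[str, str, str, int]]:
    """Return (timestamp, direction, ip, briefing_hits) for every line touching a watchlisted IP.
    Both ends are checked: an inbound probe and an outbound callout are different findings."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if m["dst"] in watch:
            hits.append((m["ts"], "outbound", m["dst"], watch[m["dst"]]))
        if m["src"] in watch:
            hits.append((m["ts"], "inbound", m["src"], watch[m["src"]]))
    return hits


if __name__ == "__main__":
    wl = load_watchlist(DEFANGED_WATCHLIST)
    for ts, direction, ip, n in find_watchlist_hits(SAMPLE_LOG.splitlines(), wl):
        print(f"{ts} {direction:8s} {ip:16s} (briefing hits: {n})")
```

An outbound match to a listed address is the more urgent finding, since it suggests a host inside the network is already talking to the indicator; an inbound match is usually just scanning and is useful mainly for tuning.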

Page 9

Ransomware Criminals Infect Thousands with Weird WordPress Hack

An unexpectedly large number of WordPress websites have been mysteriously compromised and are delivering the TeslaCrypt ransomware to unwitting end users. Antivirus is not catching this yet.

Malware researchers from Malwarebytes and other security firms have reported that a massive number of legitimate WordPress sites have been compromised and are silently redirecting visitors to sites hosting the Nuclear Exploit Kit.

It is not yet clear how the WordPress sites are getting infected, but it is highly likely that a new vulnerability is being exploited in either WordPress itself or a very popular WordPress plugin.

The WordPress sites are injected with large blocks of rogue code that perform a silent redirection to domains appearing to host ads.

The compromised WordPress sites included encrypted code at the end of all legitimate JavaScript files. The malware tries to infect all accessible .js files.

The attack tries to conceal itself, and the code redirects end users through a series of sites before dropping the ransomware payload. Once a WordPress server is infected, the malware also installs a variety of backdoors on the machine.

Action Item:

1. Patch server operating systems

2. Patch WordPress

3. Remove unused WordPress plugins as soon as possible and patch the remaining ones

4. Update all your WordPress instances at the same time to prevent cross-infection

5. Lock down all WordPress instances with a very strong password and WordPress two-factor authentication

6. Back up your data and keep daily off-site backups

7. Regularly pentest your websites
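The infection pattern described above (code appended to every reachable .js file) is exactly the kind of change a file-integrity baseline catches before any antivirus signature exists. The following is an added example, not code from the briefing or from Malwarebytes: it hashes the JavaScript files under a web root, compares them with a baseline taken after a clean install or update, and adds a simple tail heuristic. The directory layout, the script contents and the appended blob are all constructed for this demo, and the heuristic threshold is an assumption, not a signature from the briefing.

```python
"""Added example (not part of the HITRUST briefing): a baseline check for
JavaScript files under a WordPress web root."""
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_js_files(root: str) -> Dict[str, str]:
    """Map each .js file (path relative to root) to its SHA-256 hex digest."""
    digests: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_against_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify changes since the baseline: modified (hash differs), added, removed."""
    return {
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def suspicious_tail(path: str, min_len: int = 400) -> bool:
    """Heuristic (an assumption for this demo): a final line that is very long and contains
    no whitespace looks like an appended, obfuscated blob rather than hand-written code."""
    with open(path, "rb") as fh:
        last = fh.read().rstrip().rsplit(b"\n", 1)[-1]
    return len(last) >= min_len and b" " not in last


def build_demo_site() -> str:
    """Construct a tiny web root with two clean scripts and return its path."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    os.makedirs(os.path.join(root, "wp-includes", "js"))
    with open(os.path.join(root, "wp-includes", "js", "jquery.js"), "w") as fh:
        fh.write("/* jquery stub */\nfunction $(sel) { return document.querySelector(sel); }\n")
    with open(os.path.join(root, "theme.js"), "w") as fh:
        fh.write("document.addEventListener('load', function () { console.log('ok'); });\n")
    return root


def simulate_compromise(root: str) -> None:
    """Append a constructed, inert blob to every .js file, mimicking the
    'code at the end of all legitimate JavaScript files' pattern from the briefing."""
    blob = "_0x" + "a1b2c3d4" * 60 + "();\n"   # long, whitespace-free, does nothing
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".js"):
                with open(os.path.join(dirpath, name), "a") as fh:
                    fh.write(blob)


def run_demo() -> Dict[str, List[str]]:
    """Baseline a clean site, simulate the appended-code compromise, and report the diff."""
    root = build_demo_site()
    baseline = hash_js_files(root)          # taken right after a clean install or update
    simulate_compromise(root)
    current = hash_js_files(root)
    report = diff_against_baseline(baseline, current)
    report["suspicious_tail"] = sorted(p for p in current if suspicious_tail(os.path.join(root, p)))
    return report


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(kind, paths)
```

In practice the baseline is regenerated only by the same process that updates WordPress and its plugins (action items 2 to 4), so any other change to a .js file becomes a finding on its own; the tail heuristic is only a hint for triage and will miss blobs that contain spaces.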

Page 10

Healthcare Supply Chain List Posted on Deepweb

Threat Actor: Thanos

TTP: Supply Chain Attacks

On January 19th, 2016, an actor known as 'Thanos' shared contact information for supply chain providers to healthcare organizations.

While all of the information is generally public, the packaging of the information in this format could indicate future supply chain attacks against US and EU based healthcare organizations.

Organizations are advised to pay close attention to interconnections and communication (including email) to and from the listed organizations.

Action Item:

1. Patch Server Operating Systems

Excerpt of the posted list (as shown on the slide; the last row is cut off on the slide):

Sr no. | Topic | Company Name | Website | Currency | EmailAddress | Phone Number | FaxNumber | Country
2580 | IT Health Care | Vignette | http://www.vignette.com/ | U.S.D | [email protected] | 512 741 4300 | 512 741 1537 | U.S.A
2581 | IT Health Care | WelchAllyn | http://www.welchallyn.com/ | U.S.D | [email protected] | 800 535 6663 | 315 685 3361 | U.S.A
2582 | IT Health Care | Lexmark International, Inc | http://www1.lexmark.com | U.S.D | [email protected] | 859 232 2000 | 212 880 2828 | U.S.A
2583 | IT Health Care | TANDBERG | http://www.tandberg.com | U.S.D | [email protected] | 617 933 8919 | 617 933 8920 | U.S.A
2584 | IT Health Care | concentra | https://contact.concentra.com | U.S.D | [email protected] | 860 289 5561 | 860 291 1895 | U.S.A
2585 | IT Health Care | Sage | http://www.sagenorthamerica.com | U.S.D | [email protected] | 770 724 4000 | | U.S.A
2586 | IT Health Care | ePartnersInc | http://www.epartnersolutions.com/ | U.S.D | [email protected] | 972 819 2700 | 972 819 2705 | U.S.A
2587 | IT Health Care | Jacada Ltd (NASDAQ: JCDA) | http://www.jacada.com/ | U.S.D | [email protected] | 770 352 1300 | 770 352 1313 | U.S.A
2588 | IT Health Care | HK Systems , Inc. | http://www.hksystems.com/ | U.S.D | [email protected] | 262 860 6715 | 262 860 7010 | U.S.A
2589 | IT Health Care | IntacctCorporation | http://us.intacct.com/ | U.S.D | [email protected] | 408 878 0900 | 408 878 0910 | U.S.A
2590 | IT Health Care | TecturaCorporation | http://www.tectura.com | U.S.D | [email protected] | 650235 1925 | 650 585 5599 | U.S.A
2591 | IT Health Care | Keane , Inc. (NYSE: KEA) | http://www.keane.com/ | U.S.D | [email protected] | 877 885 3263 | 617 241 9507 | U.S.A
2592 | IT Health Care | 3i InfotechLimited | http://www.3i-infotech.com | U.S.D | [email protected] | 952 828 9868 | 952 828 9867 | U.S.A
2593 | IT Health Care | ErgotronInc | http://www.ergotron.com/ | U.S.D | [email protected] | 800 888 8458 | 651 6817600 | U.S.A
2594 | IT Health Care | JobscienceInc | http://www.jobscience.com/ | U.S.D | [email protected] | 866 284 1892 | 415 777 1085 | U.S.A
2595 | IT Health Care | Medversant Technologies LLC | http://www.medversant.com/ | U.S.D | [email protected] | 800 508 5799 | | U.S.A
2596 | IT Health Care | HayesManagement Consulting | http://www.hayesmanagement.com | U.S.D | [email protected] | 617 559 0404 | 617 559 0415 | U.S.A
2597 | IT Health

Page 11

Critical Fixes for IE Vulnerabilities and Updates for Flash Player

Microsoft released 13 security bulletins addressing vulnerabilities in Internet Explorer, Microsoft Windows, and Microsoft Office. Of these bulletins, 6 are tagged as Critical and 7 are marked as Important.

One of the critical bulletins (MS16-009) resolves issues affecting older versions of Internet Explorer (IE 9, 10) as well as IE 11. When exploited successfully, it could lead to remote code execution, compromising the security of the system. Microsoft announced that it will have limited support for older versions of IE, and encouraged users to upgrade to the latest version, which is currently IE 11.

Microsoft Edge also has critical vulnerabilities which can result in remote code execution once successfully exploited.

Another notable security bulletin for this month's cycle is MS16-015, which fixes flaws in Microsoft Office. Attackers can execute arbitrary code when they leverage these vulnerabilities.

Adobe also rolled out several patches for Adobe Connect, Adobe Experience Manager, Adobe Flash Player, and Adobe Photoshop CC and Bridge CC. Several of the bugs found in Flash Player are considered critical vulnerabilities that may lead to attackers compromising the system or taking full control of the affected systems.

Action Item:

Ensure only updated versions of software are running in your environment.

Page 12

Suspicious Domain Registrations: hitrust (January 2016)

hitrustnow.com (Pattern: hitrust):

administrativecontact_city: Panama City
administrativecontact_country: PANAMA
administrativecontact_email: [email protected]
administrativecontact_name: DOMAIN MAY BE FOR SALE, CHECK AFTERNIC.COM Domain Admin
administrativecontact_organization: Whois Foundation
administrativecontact_postalcode: 0823
administrativecontact_state: Panamá
administrativecontact_street1: Ramon Arias Avenue, Ropardi Building, Office 3-C PO Box 0823-03015
administrativecontact_telephone: 5078365679
audit_auditupdateddate: 2016-01-17 00:00:00 UTC
contactemail: [email protected]
createddate: 17-jan-2016
domainname: hitrustnow.com
expiresdate: 17-jan-2017
nameservers: NS27.ROOKDNS.COM|NS28.ROOKDNS.COM|
registrant_city: Panama City
registrant_country: PANAMA
registrant_email: [email protected]
registrant_name: DOMAIN MAY BE FOR SALE, CHECK AFTERNIC.COM Domain Admin
registrant_organization: Whois Foundation
registrant_postalcode: 0823
registrant_state: Panamá
registrant_street1: Ramon Arias Avenue, Ropardi Building, Office 3-C PO Box 0823-03015
registrant_telephone: 5078365679
registrarianaid: 303
registrarname: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM
standardregcreateddate: 2016-01-17 00:00:00 UTC
standardregexpiresdate: 2017-01-17 00:00:00 UTC
standardregupdateddate: 2016-01-17 00:00:00 UTC
status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
technicalcontact_city: Panama City
technicalcontact_country: PANAMA
technicalcontact_email: [email protected]
technicalcontact_name: DOMAIN MAY BE FOR SALE, CHECK AFTERNIC.COM Domain Admin
technicalcontact_organization: Whois Foundation
technicalcontact_postalcode: 0823
technicalcontact_state: Panamá
technicalcontact_street1: Ramon Arias Avenue, Ropardi Building, Office 3-C PO Box 0823-03015
technicalcontact_telephone: 5078365679
updateddate: 17-jan-2016
whoisserver: whois.PublicDomainRegistry.com

hitrustexperts.info (Pattern: hitrust):

administrativecontact_city: Yorba Linda
administrativecontact_country: UNITED STATES
administrativecontact_email: [email protected]
administrativecontact_name: Tim Roncevich
administrativecontact_postalcode: 92887
administrativecontact_state: California
administrativecontact_street1: 28135 Shady Meadow Lane
administrativecontact_telephone: 17143182458
audit_auditupdateddate: 2016-01-26 00:00:00 UTC
billingcontact_city: Yorba Linda
billingcontact_country: UNITED STATES
billingcontact_email: [email protected]
billingcontact_name: Tim Roncevich
billingcontact_postalcode: 92887
billingcontact_state: California
billingcontact_street1: 28135 Shady Meadow Lane
billingcontact_telephone: 17143182458
contactemail: [email protected]
createddate: 2016-01-26T00:44:59Z
domainname: hitrustexperts.info
expiresdate: 2017-01-26T00:44:59Z
nameservers: NS53.DOMAINCONTROL.COM|NS54.DOMAINCONTROL.COM|
registrant_city: Yorba Linda
registrant_country: UNITED STATES
registrant_email: [email protected]
registrant_name: Tim Roncevich
registrant_postalcode: 92887
registrant_state: California
registrant_street1: 28135 Shady Meadow Lane
registrant_telephone: 17143182458
registrarianaid: 146
registrarname: GoDaddy.com, LLC
standardregcreateddate: 2016-01-26 00:44:59 UTC
standardregexpiresdate: 2017-01-26 00:44:59 UTC
status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited | addPeriod https://icann.org/epp#addPeriod
technicalcontact_city: Yorba Linda
technicalcontact_country: UNITED STATES
technicalcontact_email: [email protected]
technicalcontact_name: Tim Roncevich
technicalcontact_postalcode: 92887
technicalcontact_state: California
technicalcontact_street1: 28135 Shady Meadow Lane
technicalcontact_telephone: 17143182458
whoisserver: whois.godaddy.com

Action Item:

1. Educate your employees to look into certificate information
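The two registrations above were surfaced by a plain substring pattern ("Pattern: hitrust") on a feed of newly registered domains. The following is an added example, not code from the briefing or from Armor, showing the brand-monitoring logic behind such a slide: it parses flat key: value WHOIS-style records, flags domains whose second-level label contains the brand token or sits within one edit of it (a small generalisation of the slide's substring pattern), and reports how recently each was created and whether the registrant name advertises the domain for sale, as one of the records above does. The records are constructed from the fields shown on the slide plus two made-up domains on reserved names for contrast; the 30-day window is an assumption.

```python
"""Added example (not part of the HITRUST briefing): lookalike-domain review
over flat 'key: value' WHOIS-style records."""
from datetime import date
from typing import Dict, List

BRAND = "hitrust"

# Constructed records: the first two reuse fields from the slide, the last two are
# made up on reserved names (.example, example.org) so they cannot be real registrations.
SAMPLE_RECORDS = [
    """domainname: hitrustnow.com
createddate: 17-jan-2016
registrant_name: DOMAIN MAY BE FOR SALE, CHECK AFTERNIC.COM Domain Admin
registrarname: PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM""",
    """domainname: hitrustexperts.info
createddate: 2016-01-26T00:44:59Z
registrant_name: individual registrant (name omitted in this example)
registrarname: GoDaddy.com, LLC""",
    """domainname: hitrus.example
createddate: 2016-02-01T12:00:00Z
registrant_name: constructed example""",
    """domainname: example.org
createddate: 1995-08-14T00:00:00Z
registrant_name: constructed example""",
]


def parse_flat_whois(text: str) -> Dict[str, str]:
    """Parse 'key: value' lines (one per line) into a dict; values may themselves contain ':'."""
    record: Dict[str, str] = {}
    for line in text.strip().splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        record[key.strip().lower()] = value.strip()
    return record


def second_level_label(domain: str) -> str:
    """'www.hitrustnow.com' -> 'hitrustnow'. Naive split: multi-part suffixes such as
    co.uk would need a public-suffix list, which this demo deliberately leaves out."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats of the brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_created(value: str) -> date:
    """Accept both date layouts seen on the slide: '17-jan-2016' and '2016-01-26T00:44:59Z'."""
    value = value.strip()
    if value[:4].isdigit():
        return date.fromisoformat(value[:10])
    day, mon, year = value.split("-")
    months = ["jan", "feb", "mar", "apr", "may", "jun", "jul", "aug", "sep", "oct", "nov", "dec"]
    return date(int(year), months.index(mon.lower()) + 1, int(day))


def classify(record: Dict[str, str], today: date, max_age_days: int = 30, brand: str = BRAND) -> Dict[str, object]:
    """Return the domain, whether it deserves review, and the reasons why."""
    domain = record.get("domainname", "")
    label = second_level_label(domain)
    reasons: List[str] = []
    if brand in label:
        reasons.append(f"label contains '{brand}'")
    elif edit_distance(label, brand) <= 1:
        reasons.append(f"label within one edit of '{brand}'")
    if reasons and record.get("createddate"):
        age = (today - parse_created(record["createddate"])).days
        if age <= max_age_days:
            reasons.append(f"registered {age} days ago")
    if reasons and "for sale" in record.get("registrant_name", "").lower():
        reasons.append("registrant name advertises the domain for sale")
    return {"domain": domain, "flag": bool(reasons), "reasons": reasons}


def review_registrations(texts: List[str], today: date) -> List[Dict[str, object]]:
    """Parse and classify a batch of records against a fixed 'today' (deterministic for tests)."""
    return [classify(parse_flat_whois(t), today) for t in texts]


if __name__ == "__main__":
    for result in review_registrations(SAMPLE_RECORDS, date(2016, 2, 15)):
        print(result["domain"], "REVIEW" if result["flag"] else "ok", "; ".join(result["reasons"]))
```

A flag here is a prompt for a human to look at the registration (who registered it, whether it resolves, whether it serves a login page), not a verdict; the substring rule also catches legitimate partners whose names happen to contain the token, which is why the reasons are returned rather than a bare boolean.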

Page 13

TREND MICRO: RANSOMWARE

Page 14

Motivation: Return per Malware Infection

Spam bot $

Banking Trojan $$

Ransomware $$$

Page 15

2015 Comparison

Crypto-Ransomware: 83%

Ransomware: 17%

Page 16

Jan 2016 Regional Ransomware Outbreaks

[Figure: January 2016 calendar grid (Sat through Fri); the regional outbreak days are marked only in the slide image]

Page 17

Cryptowall: Number of clicks on malicious URLs per hour on day of outbreak - June 2015

Page 18

Cryptowall: Number of clicks on malicious URLs per hour on day of outbreak - July 2015

Page 19

Typical Spam Outbreak

[Figure: flow from Spam Bot to Spam to Malware]

Page 20

Cryptowall 4.0 Outbreaks

[Figure: flow from ISP to Spam to Malicious Webservers to Malware]

Page 21

TorrentLocker Outbreaks

[Figure: flow from Hosted Spam to Landing Page (Captcha) to Malware]

Page 22

Conclusion

• Campaigns with excellent operational execution

– A lot of effort on Evasion

– Using $ to make some of this evasion happen

• Moving from a consumer threat towards business

• Starting to use encryption for system hostage

• No Silver Bullets

– Defense in Depth

Page 23

Best Practices (IT Managers)

• Turn on Web & Email Reputation

• Turn off macros if not needed

• Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task

• Disable AutoPlay to avoid automatic execution of executable files in removable/network drives

• Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access.

• Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared

• Standard Stuff

– Do end-user education

– Enforce a strong password policy

– Apply security patches for all programs and the Operating Systems

– Backups!!

Page 24

Best Practices (when compromised)

• When a computer is compromised, isolate it immediately from the network

• During system infection, temporarily restrict write accesses to shared folders

• Contact Law Enforcement

Page 25

THREATSTREAM: NJRAT TROJAN ALIVE AND KICKING….

Page 26

Overview:

• njRAT is a remote access trojan designed to capture keystrokes, steal saved browser data and upload/download files.

• It is a tool of choice because of its ease of use and its wide community support, e.g. “tutorials”.

Page 27

Who uses njRAT

• Used in cyberespionage operations in the Middle East, and also by hacktivists and the Syrian Electronic Army.

• As of a few months ago there has been a spike in its usage in the Brazilian region.

• Also used by script kiddies.

Page 28

njRAT and the Healthcare industry

• 36% of infections related to the healthcare vertical were related to njRAT, according to a FireEye report. [1]

[1]https://www.fairwarning.com/wp-content/uploads/2015/08/FireEye-Report-Cyber-Threats-to-Healthcare-and-Pharmaceutical-Companies.pdf

Page 29

Geographic distribution of njRAT C2s

Page 30

njRAT Distribution Methods

Picture credit to Phishme Labs.

Page 31

njRAT Capabilities

• Complete remote system administration capabilities

• Scrapes saved credentials from browser

• Uploads/downloads files

• Command execution

• Key logging

• Webcam control

Page 32

njRAT weekly build count

Page 33

njRAT Mitigation

• Have antivirus software with the latest definitions

– May not help if packed

• Application whitelisting

• User education on spearphishing attacks

• Up-to-date Network IDS

Page 34

njRAT Detection

Yara Rule (rule courtesy of: https://malwareconfig.com/yara/):

rule njRat
{
    strings:
        $s1 = {7C 00 27 00 7C 00 27 00 7C} // |'|'| encoded as UTF-16LE (the same bytes "wide" would produce)
        $s2 = "netsh firewall add allowedprogram" wide
        $s3 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide
        $s4 = "yyyy-MM-dd" wide
        $s5 = "abcdefghijklmnopqrstuvwxyz" wide
        $v1 = "cmd.exe /k ping 0 & del" wide
        $v2 = "cmd.exe /c ping 127.0.0.1 & del" wide
        $v3 = "cmd.exe /c ping 0 -n 2 & del" wide

    condition:
        // new_file is an external variable defined by the scanning framework, not by the rule;
        // when running yara by hand, supply it with -d new_file=true or the rule will not compile
        all of ($s*) and any of ($v*) and new_file
}

Page 35

njRAT Detection

Snort Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"njRAT C2 Callout"; flow:from_client,established; content:"|00|lv|7C 27 7C 27 7C|"; fast_pattern; classtype:trojan-activity; sid:1000001; rev:1;)

(The slide omits sid and rev; a local-range sid is added above because Snort rejects a rule without one.)
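The YARA rule on the previous page and the Snort rule above look for the same njRAT delimiter, |'|'|, but in two encodings: the YARA strings are "wide" (UTF-16LE, a 0x00 after every ASCII byte, which is why $s1 is written as a hex string), while the Snort content is raw ASCII preceded by a 0x00 byte. The following is an added example, not code from the briefing, from malwareconfig.com or from ThreatStream: it re-implements the matching logic of both rules in plain Python so the two encodings can be compared side by side, with new_file as a parameter in place of the external variable. The sample "file" buffer and the sample TCP payload are constructed, inert byte strings, not real malware.

```python
"""Added example (not part of the HITRUST briefing): a plain-Python emulation
of the njRAT YARA and Snort rules shown on these slides."""
from typing import Dict, List

# Strings from the YARA rule; 'wide' is reproduced by UTF-16LE encoding.
S_STRINGS = {
    "s1": b"\x7c\x00\x27\x00\x7c\x00\x27\x00\x7c",      # hex string {7C 00 27 00 7C 00 27 00 7C}
    "s2": "netsh firewall add allowedprogram".encode("utf-16-le"),
    "s3": "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le"),
    "s4": "yyyy-MM-dd".encode("utf-16-le"),
    "s5": "abcdefghijklmnopqrstuvwxyz".encode("utf-16-le"),
}
V_STRINGS = {
    "v1": "cmd.exe /k ping 0 & del".encode("utf-16-le"),
    "v2": "cmd.exe /c ping 127.0.0.1 & del".encode("utf-16-le"),
    "v3": "cmd.exe /c ping 0 -n 2 & del".encode("utf-16-le"),
}
# Snort content "|00|lv|7C 27 7C 27 7C|": byte 0x00, ASCII "lv", then the bytes | ' | ' |
SNORT_CONTENT = b"\x00lv|'|'|"


def yara_matches(buf: bytes) -> Dict[str, List[str]]:
    """Which $s*/$v* strings occur in buf (raw substring search, as for YARA's plain strings)."""
    return {
        "s": [name for name, pattern in S_STRINGS.items() if pattern in buf],
        "v": [name for name, pattern in V_STRINGS.items() if pattern in buf],
    }


def yara_rule_fires(buf: bytes, new_file: bool = True) -> bool:
    """condition: all of ($s*) and any of ($v*) and new_file.
    new_file is an external variable in the original rule; here it is a plain parameter."""
    found = yara_matches(buf)
    return len(found["s"]) == len(S_STRINGS) and bool(found["v"]) and new_file


def snort_rule_fires(flow: Dict[str, object]) -> bool:
    """alert tcp $HOME_NET any -> $EXTERNAL_NET any ... flow:from_client,established; content:...
    Checks protocol, direction (internal source to external destination), flow state, then content."""
    return bool(flow["proto"] == "tcp"
                and flow["src_internal"] and not flow["dst_internal"]
                and flow["from_client"] and flow["established"]
                and SNORT_CONTENT in flow["payload"])


def sample_flow(payload: bytes, src_internal: bool = True, dst_internal: bool = False) -> Dict[str, object]:
    """Minimal stand-in for the connection metadata Snort would track for a TCP stream."""
    return {"proto": "tcp", "src_internal": src_internal, "dst_internal": dst_internal,
            "from_client": True, "established": True, "payload": payload}


# Constructed sample "file": filler plus the wide strings glued together in an arbitrary order.
SAMPLE_FILE = (b"MZ" + b"\x00" * 16
               + "abcdefghijklmnopqrstuvwxyz".encode("utf-16-le")
               + "yyyy-MM-dd".encode("utf-16-le")
               + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
               + "netsh firewall add allowedprogram".encode("utf-16-le")
               + "|'|'|".encode("utf-16-le")
               + "cmd.exe /c ping 0 -n 2 & del".encode("utf-16-le"))
# The same text as plain ASCII: the 'wide' rule must not fire on it.
ASCII_ONLY = b"netsh firewall add allowedprogram yyyy-MM-dd abcdefghijklmnopqrstuvwxyz |'|'| cmd.exe /c ping 0 -n 2 & del"
# Constructed outbound payload carrying the ASCII delimiter the Snort rule keys on.
SAMPLE_PAYLOAD = b"\x00lv|'|'|" + b"constructed-beacon-fields"


if __name__ == "__main__":
    print("YARA emulation, wide sample :", yara_rule_fires(SAMPLE_FILE))
    print("YARA emulation, ascii sample:", yara_rule_fires(ASCII_ONLY))
    print("Snort emulation, outbound   :", snort_rule_fires(sample_flow(SAMPLE_PAYLOAD)))
    print("Snort emulation, inbound    :", snort_rule_fires(sample_flow(SAMPLE_PAYLOAD, False, True)))
```

Two points the side-by-side makes visible: a file-based rule keyed on wide strings says nothing about the on-the-wire format, which here is plain ASCII, so the two rules are complementary rather than redundant; and the Snort rule is direction-bound (internal client to external server), so a mirrored copy of the same bytes coming inbound is deliberately not an alert.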

Page 36

Thank you!!!! Any questions?

Page 37

HITRUST

Page 38

CSF Controls Related to Threats

• CSF Control for njRAT distribution, Suspicious IP addresses, Ransomware (WordPress Ransomware)

– Control Reference: *01.i Policy on the Use of Network Services

• Control Text: Users shall only be provided access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied to users and equipment.

• Implementation requirement: The organization shall specify the networks and network services to which users are authorized access.

Page 39

CSF Controls Related to Threats

• CSF Control for Vulnerability Patching

– Control Reference: *10.m Control of technical vulnerabilities

• Control Text: Timely information about technical vulnerabilities of systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.

• Implementation Requirement: Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within

Appropriate, timely action shall be taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, the organization shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls.

Page 40

CSF Controls Related to Threats

• CSF Control for Top Emerging Malware Entities

– Control Reference: *09.j Controls Against Malicious Code

• Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.

• Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.

Page 41

CSF Controls Related to Threats

• CSF Control for Ransomware (autorun functions)

– Control Reference: *09.o Management of Removable Media

• Control Text: Formal procedures shall be documented and implemented for the management of removable media.

• Implementation requirement: The organization shall formally establish and enforce controls for the management of removable media and laptops, including restrictions on the type of media and usage, and registration of certain types of media including laptops. (disable autorun, sanitize media before connecting)

Page 42

CSF Controls Related to Threats

• CSF Control for Ransomware (unauthorized software)

– Control Reference: *10.h Control of operational software

• Control Text: There shall be procedures in place to control the installation of software on operational systems.

• Implementation requirement: The organization shall maintain information systems according to a current baseline configuration and configure system security parameters to prevent misuse.

Page 43

QUESTIONS?

Page 44

Visit www.HITRUSTAlliance.net for more information

To view our latest documents, visit the Content Spotlight