Quarterly Cyber Threat Briefing – April 2018
HITRUST Alliance · 855.HITRUST (855.448.7878) · www.HITRUSTAlliance.net
INTERNAL USE ONLY © 2018 HITRUST Alliance


Quarterly Threat Briefing Agenda
• US-CERT NCCIC Report
• Fast Facts:
  – Countries affected by malware
  – Top malware families
  – Ransomware incidents
• Security Spotlights
• Observations from Physician Practices
• 2018 Outlook and Threats to Watch For


US CERT NCCIC REPORT


Technical Alerts
• Technical Alert (TA) 18-074A – Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors
• Technical Alert (TA) 18-086A – Brute Force Attacks Conducted by Cyber Actors

HIDDEN COBRA – North Korean Malicious Cyber Activity:
• Malware Analysis Report (MAR) 10135536.11 – North Korean Trojan: SHARPKNOT


Technical Alert (TA) 18-074A – Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors

• TA18-074A:
  – is a TLP:WHITE TA published on March 15, 2018 by the DHS National Cybersecurity and Communications Integration Center (NCCIC)
  – is a joint analytical effort between DHS and the FBI
  – summarizes Russian government actions targeting U.S. Government entities and organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors
  – characterizes the activity as a multistage intrusion campaign: smaller, less well-defended third-party organizations (suppliers and other trusted partners of the intended victims) are compromised first and used as staging points to gain remote access into energy-sector networks. Once access is obtained, the actors conduct network reconnaissance and lateral movement to collect ICS information.
  – includes access to resources (IOCs and malware reports); these, rather than the narrative summary, are the inputs a detection team should ingest
  – is available for review at https://www.us-cert.gov/ncas/alerts/TA18-074A


Technical Alert (TA) 18-086A – Brute Force Attacks Conducted by Cyber Actors

• TA18-086A:
  – is a TLP:WHITE TA published on March 28, 2018 by the DHS National Cybersecurity and Communications Integration Center (NCCIC)
  – summarizes a form of brute-force attack, password spraying, in which a small set of commonly used passwords is tried against many accounts. Because each account sees only one or two failures, no single account reaches the lockout threshold, and per-account lockout alerting never fires; the attack is only visible when failures are correlated across accounts
  – provides guidance and contact information for obtaining assistance if this type of attack is identified
  – references documentation from the NCCIC, NIST, and Microsoft on defending against password-spray attacks (multifactor authentication, lockout and alerting policy, and password guidance)
  – is available for review at https://www.us-cert.gov/ncas/alerts/TA18-086A
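The cross-account correlation the alert calls for, as an added example (not code from the alert, NCCIC, or HITRUST): a sliding-window detector that flags a source, or the whole tenant when the attacker rotates IPs, producing failures for many distinct accounts with very few attempts each. The log format, user names, and addresses are constructed for the example; real deployments would parse Windows 4625 events, Azure AD sign-in logs, or VPN/RADIUS logs into the same tuple.

```python
"""Password-spray detection over authentication failures.

Brute force hammers one account with many passwords and trips the lockout
counter; a spray tries one or two passwords against many accounts, so each
account sees only a failure or two. The signal is therefore a source (or,
when the attacker rotates IPs, the whole tenant) that produces failures for
many distinct accounts with very few attempts per account.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Callable, Dict, List, NamedTuple


class AuthEvent(NamedTuple):
    ts: datetime
    user: str
    src: str
    ok: bool


def parse_events(text: str) -> List[AuthEvent]:
    """Parse 'ISO-timestamp user src OK|FAIL' lines (a constructed format)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, src, result = line.split()
        events.append(AuthEvent(datetime.fromisoformat(ts), user.lower(), src, result == "OK"))
    return events


def detect_spray(events: List[AuthEvent],
                 group_by: Callable[[AuthEvent], str] = lambda e: e.src,
                 window: timedelta = timedelta(minutes=30),
                 min_accounts: int = 10,
                 max_per_account: int = 3) -> List[Dict]:
    """Flag groups whose failures, within any sliding window, cover at least
    min_accounts distinct accounts that each failed <= max_per_account times.

    Accounts with more failures than max_per_account (a forgotten password,
    a classic single-account brute force) are excluded from the count rather
    than disqualifying the group, so one noisy account cannot mask a spray.
    """
    groups: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in events:
        if not e.ok:
            groups[group_by(e)].append(e)

    alerts = []
    for key, fails in groups.items():
        fails.sort(key=lambda e: e.ts)
        per_user: Counter = Counter()
        lo = 0
        for hi, e in enumerate(fails):
            per_user[e.user] += 1
            # Advance the window start until every counted event fits in `window`.
            while e.ts - fails[lo].ts > window:
                per_user[fails[lo].user] -= 1
                if per_user[fails[lo].user] == 0:
                    del per_user[fails[lo].user]
                lo += 1
            sprayed = sorted(u for u, n in per_user.items() if n <= max_per_account)
            if len(sprayed) >= min_accounts:
                alerts.append({"key": key, "accounts": len(sprayed),
                               "start": fails[lo].ts, "end": e.ts, "users": sprayed})
                break  # one alert per group is enough for triage
    return alerts


# Constructed sample (RFC 5737 documentation addresses, invented users), not
# real telemetry: two spraying sources take five accounts each, carol mistypes
# her password several times from her own workstation, two logins succeed.
SAMPLE_LOG = """\
2018-03-28T09:00:01 alice 203.0.113.7 FAIL
2018-03-28T09:00:04 bob   203.0.113.7 FAIL
2018-03-28T09:00:09 chen  203.0.113.7 FAIL
2018-03-28T09:00:13 dana  203.0.113.7 FAIL
2018-03-28T09:00:18 eve   203.0.113.7 FAIL
2018-03-28T09:00:31 grace 203.0.113.8 FAIL
2018-03-28T09:00:35 hal   203.0.113.8 FAIL
2018-03-28T09:00:40 ivan  203.0.113.8 FAIL
2018-03-28T09:00:44 judy  203.0.113.8 FAIL
2018-03-28T09:00:49 kim   203.0.113.8 FAIL
2018-03-28T09:05:10 carol 198.51.100.5 FAIL
2018-03-28T09:05:25 carol 198.51.100.5 FAIL
2018-03-28T09:05:41 carol 198.51.100.5 FAIL
2018-03-28T09:06:02 carol 198.51.100.5 FAIL
2018-03-28T09:08:00 dave  192.0.2.10 OK
2018-03-28T09:09:12 carol 198.51.100.5 OK
"""

if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("per-source, min 10 accounts:", detect_spray(evs))
    print("per-source, min 5 accounts: ", detect_spray(evs, min_accounts=5))
    print("tenant-wide, min 10 accounts:", detect_spray(evs, group_by=lambda e: "tenant"))
```

With the default per-source threshold of ten accounts the sample produces no alert, because the attacker split the spray across two addresses; grouping the whole tenant together catches it. carol's repeated failures never count toward a spray because she exceeds max_per_account, which is the behaviour a per-account lockout rule covers instead.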


Malware Analysis Report (MAR) 10135536.11 – North Korean Trojan: SHARPKNOT
HIDDEN COBRA – North Korean Malicious Cyber Activity

• MAR-10135536.11:
  – is a TLP:WHITE MAR published on February 13, 2018 by the National Cybersecurity and Communications Integration Center (NCCIC)
  – is the result of an analytical effort between DHS and the FBI
  – provides analysis of one (1) malicious executable file. When executed from the command line, the malware overwrites the Master Boot Record (MBR) and deletes files on the local system, on any mapped network shares, and on physically connected storage devices. This is a destructive wiper rather than a data-theft tool: an infected host will not boot once its MBR is gone, and because mapped shares are in scope, the damage extends to any file server the logged-on user could reach. Recovery depends on offline backups.
  – includes a YARA rule that may be used to detect the malware
  – is available for review at https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf
  – includes indicators of compromise (IOCs) at https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.stix.xml
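A triage check for the MBR-overwrite behaviour described above, as an added example (not code from the MAR or from HITRUST): it inspects the first 512-byte sector of a disk image for the three things a wiper destroys, the 0x55AA boot signature, a sane partition table, and boot code that is more than a single repeated byte. The fixtures are synthetic sectors built in the block, not images from any real infection.

```python
"""Check a 512-byte Master Boot Record image for signs of a wiper overwrite.

Feed it the first sector of a disk or image, e.g. the output of
`dd if=/dev/sda bs=512 count=1`. A wiper that overwrites the MBR usually
leaves the sector zero-filled or filled with junk, so the cheap forensic
checks are the boot signature, partition-table sanity and the boot code.
"""
import struct
from collections import Counter
from typing import Dict, List

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510-511 of a valid MBR
PART_ENTRY = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count


def parse_partitions(mbr: bytes) -> List[Dict]:
    """Decode the four classic partition entries."""
    entries = []
    for i in range(4):
        status, _chs0, ptype, _chs1, lba, sectors = struct.unpack_from(
            PART_ENTRY, mbr, PART_TABLE_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype, "lba": lba, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes) -> Dict:
    """Return {'intact': bool, 'findings': [...]} for one MBR sector."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return {"intact": False, "findings": [f"expected {MBR_SIZE} bytes, got {len(mbr)}"]}
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    parts = [p for p in parse_partitions(mbr) if p["type"] != 0]
    if not parts:
        findings.append("partition table empty")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"invalid boot indicator 0x{p['status']:02x}")
        if p["sectors"] == 0 or p["lba"] == 0:
            findings.append(f"partition type 0x{p['type']:02x} has zero start or size")
    # Overlapping entries mean the table is junk, not a real layout.
    spans = sorted((p["lba"], p["lba"] + p["sectors"]) for p in parts)
    for (a0, a1), (b0, _b1) in zip(spans, spans[1:]):
        if b0 < a1:
            findings.append("partition entries overlap")
            break
    # Boot code made of one repeated byte (all 0x00, all 0xFF) is not boot code.
    if len(Counter(mbr[:PART_TABLE_OFFSET])) == 1:
        findings.append("boot code is a single repeated byte (zero- or pattern-filled)")
    return {"intact": not findings, "findings": findings}


def build_mbr(partitions, boot_code: bytes = b"\xfa\x33\xc0\x8e\xd0",
              signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a synthetic MBR (fixture only; the boot code stub is not bootable)."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, sectors) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFFSET + 16 * i,
                         status, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba, sectors)
    sector[510:512] = signature
    return bytes(sector)


# Constructed fixtures: a plausible single-NTFS-partition layout and two wiped sectors.
HEALTHY = build_mbr([(0x80, 0x07, 2048, 1_048_576)])
ZEROED = bytes(MBR_SIZE)
JUNK = bytes((i * 37 + 11) & 0xFF for i in range(MBR_SIZE))

if __name__ == "__main__":
    for name, image in (("healthy", HEALTHY), ("zeroed", ZEROED), ("junk", JUNK)):
        print(name, check_mbr(image))
```

The check only covers the boot record; the MAR's other destructive behaviour (file deletion on local disks and mapped shares) has to be assessed from file-system timelines and share-server logs, and the YARA rule in the report is the right tool for finding the executable itself.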


Questions? Comments?
Contact the National Cybersecurity & Communications Integration Center (NCCIC) at:
• Email: [email protected]
• Email: [email protected]
• Email: [email protected]
• Phone: 1-888-282-0870
• Website: www.us-cert.gov
• CISCP Email: [email protected]
• Additional NCCIC and CISCP reporting is available on the Homeland Security Information Network (HSIN) at https://hsin.dhs.gov/


FAST FACTS


Fast Facts: Countries Affected by Malware
Source: Trend Micro Smart Protection Network (percentage share, top 10 per month)

Rank  January                  February                 March
 1    Brazil         19.33%    U.S.           15.48%    Brazil         14.01%
 2    U.S.           14.65%    Brazil         14.47%    U.S.           13.96%
 3    Taiwan          9.06%    Turkey          9.10%    Turkey          9.54%
 4    Turkey          6.79%    Taiwan          7.82%    Taiwan          9.33%
 5    Italy           6.70%    Italy           7.08%    Italy           7.60%
 6    China           5.90%    India           4.86%    India           5.76%
 7    India           4.70%    China           4.05%    China           5.36%
 8    Canada          3.76%    Canada          3.23%    U.K.            2.81%
 9    South Africa    3.32%    South Africa    3.18%    Argentina       2.81%
10    France          2.29%    Spain           2.76%    South Africa    2.74%


Fast Facts: Top Malware Families
Source: Trend Micro Smart Protection Network (percentage share, top 10 per month)

Rank  January                  February                 March
 1    WCRY           22.51%    WCRY           19.87%    WCRY           19.35%
 2    DOWNAD          3.79%    DOWNAD          3.96%    DOWNAD          3.95%
 3    COINMINER       2.88%    COINMINER       2.54%    COINMINER       3.17%
 4    COINHIVE        2.59%    SALITY          1.32%    SALITY          1.27%
 5    SALITY          1.64%    MINER           0.89%    POWLOAD         1.01%
 6    DOWNADJOB       0.92%    DOWNADJOB       0.74%    AUTORUN         0.92%
 7    AUTORUN         0.86%    AUTORUN         0.74%    DOWNADJOB       0.92%
 8    PALEVO          0.41%    BONDAT          0.68%    DUNHI           0.92%
 9    SILLY           0.41%    OTORUN          0.54%    BONDAT          0.83%
10    RIMECUD         0.33%    SILLY           0.39%    EMOTET          0.48%

WCRY (WannaCry) leads every month by a wide margin nearly a year after the May 2017 outbreak, and DOWNAD (Conficker) remains in second place: both propagate over SMB against unpatched or legacy Windows hosts, so their persistence is a measure of how many such hosts are still reachable. The cryptocurrency miners (COINMINER, COINHIVE, MINER) are the new entrants.


Fast Facts: Ransomware Incidents
Source: Trend Micro Smart Protection Network (percentage share of ransomware detections, top 10 per month)

Rank  January                  February                 March
 1    WCRY           97.67%    WCRY           97.26%    WCRY           97.15%
 2    LOCKY           0.43%    LOCKY           0.26%    LOCKY           0.24%
 3    CERBER          0.14%    PETYA           0.11%    CERBER          0.19%
 4    MILICRY         0.12%    CRYPTESLA       0.11%    MILICRY         0.13%
 5    CRYPTESLA       0.07%    CRYSIS          0.11%    CRYSIS          0.13%
 6    CRYPCTB         0.04%    MILICRY         0.11%    CRYPTESLA       0.13%
 7    CRYPJAFF        0.04%    CERBER          0.10%    PETYA           0.09%
 8    CRILOCK         0.02%    CRYPTCTB        0.05%    CRYPWALL        0.03%
 9    KOVTER          0.02%    KOVTER          0.02%    CRYPTCTB        0.03%
10    CRYSIS          0.02%    CRILOCK         0.02%    CRILOCK         0.02%


SECURITY SPOTLIGHT


Security Spotlight – January
MELTDOWN + SPECTRE PROCESSOR VULNERABILITIES

Intel processors built since 1995 are reportedly affected by Meltdown (CVE-2017-5754), while Spectre (CVE-2017-5753 and CVE-2017-5715) affects devices running on Intel, AMD, and ARM processors. Both abuse speculative execution and leak the result through a cache side channel, but they break different boundaries. Meltdown lets unprivileged user-mode code read kernel memory, defeating the user/kernel privilege boundary. Spectre tricks a victim program (or the kernel) into speculatively executing code that exposes data from the victim's own memory space, for example another process's secrets or another browser tab's data. While no active exploitation has been reported as of this writing, desktops, laptops, and smartphones running on vulnerable processors are exposed to unauthorized access and information theft. Cloud-computing and virtual environments, along with multiuser servers used in data centers and enterprise environments, are the most exposed, because code in one tenant's VM or container can potentially read memory belonging to other tenants or to the host. Mitigation is layered: Meltdown is addressed by operating-system updates (kernel page-table isolation), while the Spectre variants need CPU microcode or firmware updates together with operating-system and compiler changes (speculation barriers, retpoline); applying the OS patch without the firmware update, or vice versa, leaves part of the exposure in place. On Linux the current status is readable from the files under /sys/devices/system/cpu/vulnerabilities/.


Security Spotlight – February
IS BLOCKCHAIN TECHNOLOGY THE ANSWER TO MORE ACCESSIBLE HEALTHCARE?

The World Bank and World Health Organization are considering blockchain technology as a way to make healthcare accessible to anyone at any time, wherever they may be. Is a HIPAA-compliant virtual-care platform the answer to the clamor for more accessible healthcare? Threats affecting cryptocurrencies are now a staple of the cybersecurity landscape. Two of the month's top malware families (COINMINER and MINER) are, in fact, cryptocurrency miners, and even Cerber (a ransomware variant) has been spotted stealing bitcoins. Will the same threats that affect today's blockchain-based systems plague the virtual-care platforms of the future?


Security Spotlight – March
ATTACKS ON CONNECTED PACEMAKERS CAN PUT PATIENTS AT RISK

We have seen connected healthcare devices (specifically pacemakers) get hacked in the past. Attacks such as these can have not just adverse but potentially fatal effects on their wearers, as reiterated by a recently published paper on connected healthcare devices. Threat actors have been known to exploit vulnerabilities in connected IoT devices to build botnets for massive DDoS attacks, as with Mirai, Persirai, and most recently OMG Mirai. IP cameras, DVRs, and the like are not the only connected devices susceptible to such attacks: unsecured connected pacemakers and MRI scanners are at risk, too. Researchers from the University of South Alabama demonstrated as early as 2015 how such an attack can be carried out (morbid as that may be). The government is taking the threat seriously, as evidenced by the U.S. FDA's 2017 recall of roughly half a million vulnerable pacemakers; the remedy was a clinician-applied firmware update rather than removal of the implants. For hospitals and practices, the practical controls are to segment clinical-device networks and to monitor the programmers and home-monitoring transmitters these devices communicate with, since the implants themselves cannot run security software. The healthcare industry is strongly encouraged to take a stand as well.


OBSERVATIONS FROM PHYSICIAN PRACTICES


Observations from Physician Practices
Source: CyberAid Program Feedback Data (percentage of participating practices reporting each event type)

Event type                             January    February    March
Virus events                            10.34%     15.51%     20.68%
Ransomware-related URL detections       13.79%      5.17%      5.17%
Spyware events                           5.17%      5.17%      3.44%
Malicious URL callbacks                 46.55%     48.28%     60.34%
Malicious behavior events               13.79%     10.34%      5.17%
IPS events                              44.83%     62.07%     68.96%
Device control events                   12.06%     12.06%     12.06%

The two rising series, virus events and IPS events, are the ones that indicate hosts being actively probed or infected; malicious URL callbacks (a host reaching out to a known-bad destination) affected roughly half of practices every month and rose to 60% in March, which is the figure most worth following up, since a callback means something on the endpoint already ran.


2018 OUTLOOK & THREATS TO WATCH FOR


2018 Outlook and Threats to Watch For
• Apple's Health Records feature aggregates patient-generated data in the Health app.
• Healthcare networks continue to suffer from data breaches.
• Threat actors will ride on machine learning and blockchain technologies to expand their evasion techniques.
• The ransomware business model will still be a cybercrime mainstay in 2018, while other forms of digital extortion will gain more ground.
• Global losses from business email compromise scams will exceed US$9 billion in 2018.
• Enterprise applications and platforms will be at risk of manipulation and vulnerabilities.


Visit www.HITRUSTAlliance.net for more information

To view our latest documents, visit the Content Spotlight