Monthly Cyber Threat Briefing July 2016

Transcription

855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
1
© 2016 HITRUST Alliance. All Rights Reserved.
Presenters
• US-CERT: Majed Oweis, CISCP Analyst
• Armor: Charity Willhoite, Intelligence Analyst
• Trend Micro: Steve Duncan, Product Management
• Anomali: Matthew Wollenweber, Sr. Research Engineer
• HITRUST: Talha Hasan, Jr. Information Security Analyst
NCCIC/US-CERT REPORT
TLP: GREEN – AR-16-20150 – Network Analysis Report (AR) on Compromised Cisco ASA Devices
• Analysis conducted by DHS US-CERT Network and Einstein Analytics Team.
• Suspected that malicious actors leveraged vulnerabilities cited in CVE-2014-3393 to inject malicious code into affected appliances.
• Affected Cisco ASA software versions are included in the analysis report.
• Analysis included information about JavaScript code found in the copyright panel of affected devices. The purpose of the code appears to be credential harvesting.
• The same code, under a different name, was seen on GitHub.
TLP: GREEN – AR-16-20150 – Network Analysis Report on Compromised Cisco ASA Devices (continued)
• Similar activity redirecting to https[:]//www[.]dreamscap[.]com/jquery.js.
• Code at “dreamscap” appeared to be similar to code found on GitHub.
• Both included an object called “x” with values for name, version and author.
• Object “x” at the “dreamscap” site had the author value deleted. Comments about the code were also absent. The “dreamscap” site also included a URL to another resource, logon.php.
• Recommended mitigations and references describing the vulnerability are included in the AR.
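An added example, not code from the AR or from US-CERT, of the kind of integrity check a defender can run against a saved copy of an ASA WebVPN login page: it lists the page's script references and flags any that load from an off-device host (the dreamscap domain named in the report is treated as a known indicator), any local script outside an expected path prefix, and any inline script so it can be compared against a known-good image. The sample page, the /+CSCOU+/ prefix and the allowlist approach are assumptions made for illustration, not details from the report.

```python
"""Flag unexpected script references in a captured ASA WebVPN login page.

Added example; not from AR-16-20150. Assumptions: the page HTML was saved
from the device, and the only legitimate script sources are same-origin
paths under /+CSCOU+/ (prefix is an assumption for illustration).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host named on the slide as the redirect target (refanged here).
KNOWN_BAD_HOSTS = {"www.dreamscap.com"}

# Constructed sample login page: one expected script, one injected external
# script in the copyright panel, and one inline script to review.
SAMPLE_PAGE = """<html><head>
<script src="/+CSCOU+/login.js"></script>
</head><body>
<div id="copyright">Copyright 2016 Cisco Systems
<script src="https://www.dreamscap.com/jquery.js"></script>
<script>document.getElementById("copyright").style.display="none";</script>
</div></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect every <script src=...> value and every inline <script> body."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute values
        self.inline = []        # inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(body)
            self._in_script = False


def audit_login_page(html, allowed_prefix="/+CSCOU+/"):
    """Return a list of (severity, detail) findings for one login page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).netloc.lower()
        if host in KNOWN_BAD_HOSTS:
            findings.append(("high", f"script src on known indicator host: {src}"))
        elif host:
            # An appliance login page should not pull script from any other host.
            findings.append(("high", f"off-device script source: {src}"))
        elif not src.startswith(allowed_prefix):
            findings.append(("medium", f"unexpected local script path: {src}"))
    for body in parser.inline:
        # Inline script is not necessarily malicious; diff it against a golden image.
        findings.append(("low", f"inline script present ({len(body)} chars); compare to golden image"))
    return findings


if __name__ == "__main__":
    for severity, detail in audit_login_page(SAMPLE_PAGE):
        print(f"{severity:6} {detail}")
```

Run it against pages captured from each ASA on a schedule and alert on any "high" finding; the "low" inline-script findings are there so the baseline for each software version can be recorded once and diffed afterwards.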
Report location:
• TLP: GREEN – AR-16-20150 – https://portal.us-cert.gov/documents/70338/108826/AR-16-20150/1619fa49-08d3-4c49-b6ea-17fb2e9d35ce
Other resources:
• https://tools.cisco.com/security/center/viewAlert.x?alertId=35917
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3393
• https://www.cvedetails.com/cve/CVE-2014-3393/
• https://www.iad.gov/iad/library/ia-advisories-alerts/recommendationsto-mitigate-unauthorized-cisco-rommon-access-and-validate-bootroms.cfm
Questions? Comments?
Contact US-CERT at:
• Email: soc@us-cert.gov
• Phone: 1-888-282-0870
• Website: www.us-cert.gov
Contact CISCP at: CISCP@us-cert.gov
Top Threat Trends and Defenses
ARMOR
Trending Vulnerabilities
NAME | RISK SCORE | FIRST SEEN | RELATED TECH
CVE-2016-0189 | 7.6/10.0 Critical | 6/9/16 | The Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as used in Internet Explorer 9 through 11 and other products
CVE-2015-8651 | 9.3/10.0 High | 12/2/15 | Adobe Flash Player, Adobe, Angler Exploit Kit, Neutrino Exploit Kit, Antiy Labs
CVE-2016-2208 | 9.4/10.0 Critical | 5/19/16 | Symantec AV Engine 20151.1.1.4
SRSsoft | N/A | 5/16 | SRS EHR (all versions) – all clients exploitable
PilotFish Technologies | N/A | 7/16 | PilotFish EHR integration – all clients exploitable
Action Items:
• Effectively and immediately patch vulnerabilities according to vendor and NIST recommendations: https://web.nvd.nist.gov
• Practices using SRSsoft EHR software should disable access from remote support accounts to their networks. RDP access from the internet should be disabled. Replace it with an alternative solution until a patch is released.
• PilotFish EHR integration clients should activate incident response teams and contact PilotFish immediately.
Additional Details – CVE-2016-0189 EK IOCs
Locky Affid 13: Malware hash 300a51b8f6ad362b3e32a5d6afd2759a910f1b6608a5565ddee0cad4e249ce18
Sundown EK:
Hash - 61f9a4270c9deed0be5e0ff3b988d35cdb7f9054bc619d0dc1a65f7de812a3a1
IP - 185.93.185.224
Domain - vicolavicolom.com
Top Emerging Malware
NAME | Category | RELATED TECH, Industries, Indicators
Conficker | Botnet, Worm, Trojan, Ransomware | MS Windows, XP, Windows 7
Tinba aka Tiny Banker or Zusy | Trojan, Virus, Web-inject | MS Windows, banking websites, banking apps, Gamarue bot
Sality | Virus | MS Windows
Action Items:
• Preserve your data: Frequent data backups!
• Security Awareness: Do not download untrusted apps on mobile devices, update Windows often!
Top US Healthcare Targets: June – July 2016
Name of Entity | Individuals Affected | Breach Submission Date | Type of Breach | Location of Breached Information
Laser & Dermatologic Surgery Center | 31,000 | 6/14/2016 | Hacking/IT Incident | Network Server
Uncommon Care, P.A. | 13,674 | 6/21/2016 | Hacking/IT Incident | Network Server
Grace Primary Care, PC | 6,853 | 6/7/2016 | Hacking/IT Incident | Network Server
Allergy, Asthma & Immunology of the Rockies, PC | 6,851 | 6/17/2016 | Hacking/IT Incident | Network Server
Massachusetts General Hospital | 4,293 | 6/29/2016 | Hacking/IT Incident | Network Server
The Vein Doctor | 3,000 | 6/3/2016 | Hacking/IT Incident | Electronic Medical Record, Network Server
My Pediatrician, PA | 2,500 | 6/1/2016 | Hacking/IT Incident | Network Server
Vincent Vein Center | 2,250 | 6/7/2016 | Hacking/IT Incident | Electronic Medical Record
Blaine Chiropractic Center | 1,945 | 7/14/2016 | Hacking/IT Incident | Network Server
Health Incent, LLC | 1,100 | 7/11/2016 | Hacking/IT Incident | Other
Emerging Threats: IP Block List
IP Address | Risk Score | Malware | Behavior Observed
185.106.122.38 | 99% | Ransomware C&C IP |
51.255.172.55 | 96% | Ransomware C&C IP |
199.59.243.120 | 94% | C&C IP | Botnet
141.8.224.93 | 93% | C&C IP | Zeus Botnet C2
185.146.169.16 | 93% | Ransomware C&C IP |
5.187.0.137 | 93% | Ransomware C&C IP |
54.72.130.67 | 93% | C&C IP |
62.149.128.154 | 93% | C&C IP | Spamming, Phishing, DDoS
75.99.13.124 | 93% | C&C IP | Dridex Botnet C2
100.7.41.35 | 92% | Malware C&C IP | DarkComet C2, Malware
107.23.198.240 | 92% | C&C IP | Locky C2 IP, Neutrino EK
The Value of Records: The Darkoverlord case study
TREND MICRO
Background
• Zero-day exploit in Remote Desktop Protocol
– Only specific to some orgs using RDP
• Extortion mails to affected orgs went unanswered
• Darkoverlord turned to TheRealDeal marketplace to sell records
Records Compromised
• 689,621 patient records
– Separate databases
• Farmington, Missouri MS Access database: 48,000 patients
• Atlanta, Georgia internal network: 397k medical records
• Central/Midwest misconfigured network: 210k records
– Full data: full names with full addresses, social security, DOB, phone, gender, insurance ID
– 151 to 643 BTC ($96k to $411k)
• Another possible 9.3 million records
– 750 BTC ($478k)
So what is the value?
• Privacy Rights Clearinghouse data survey
– Medical records: $82.90
– Social security: $55.70
– Payment details: $45.10
– Physical location information: $38.40
– Marital status: $6.10
– Name and gender: $2.90
Where will it end up?
• Bitglass experiment phase I
– 1,500 fake records with secret watermark put on market
– In 12 days:
• 1,100 clicks, 47 downloads
• Data shared in 22 countries, 5 continents
• 2 Cybercrime syndicates from Russia and Nigeria
• Bitglass Phase II
– Fake credentials
– In 24 hours
• 5 Bank logins
• 3 online storage break-ins
• 94% uncovered other accounts
Why?
• Persistence of data forms
• Mischief in the victim’s name:
– Opening new lines of credit
– Phony tax claims
– Etc.
Requirements to address the problem
Detection: identify and block spear-phishing emails that are often part of the initial phase of a targeted attack or ransomware campaign.
Interoperability: work seamlessly with an existing spam filter or secure email gateway to detect email spear-phishing attacks that may contain advanced malware, including ransomware.
ROI: low cost of acquisition and tangible benefits from avoiding the costs and risks of targeted and ransomware attacks.
GOZI DETECTED VIA CTX
ANOMALI
Overview:
• On June 8th 2016, HITRUST CTX partners began automatically reporting domains associated with Gozi
o What is the CTX?
o What is Gozi?
Anomali_trend Connector + HITRUST CTX
Gozi Domain: magasoldator[.]ru
This known Gozi/URSNIF/IBSF domain was observed and reported via the HITRUST CTX
What is Gozi ISFB?
• Gozi (also called URSNIF and ISFB) is a banking trojan that was first reported circa 2008
• Commonly dropped via Pony, but also known to spread via phishing
• Blocks AV products and Microsoft updates
• Injects into common browsers to collect banking information
• Exfiltrates data using long, random-looking URLs that are often labeled as images
• This variant uses fast-flux techniques
• Source code leaked in April 2016
Participating in HITRUST
• https://hitrustalliance.net/ctx-registration/
Strategies for Mitigating Gozi
• Endpoint AV
• Network protection: URL filtering and email sandboxing
• Detection via correlating with threat intelligence sent to IDS, NGFW, or SIEM
• Detecting file mismatch (Gozi URLs look like images but aren’t)
• High entropy in URL strings (will be noisy)
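An added example, not Anomali's or HITRUST's code, that runs three of the detection strategies above over proxy log lines: correlation of the host field against the Gozi domains published on the "Indicators Associated with this Botnet" slide, the image-extension versus Content-Type mismatch, and Shannon entropy of the URL path, which is reported at low confidence because the slide warns it is noisy. The log line format, the entropy threshold and the sample lines (every host and path except the indicator domain is invented) are assumptions for illustration.

```python
"""Gozi-style detections over proxy logs (added example, not the project's code).

Assumed log format, one request per line:
    <timestamp> <client_ip> <host> <path> <status> <content_type>
"""
import math

# Domains from the "Indicators Associated with this Botnet" slide, refanged.
GOZI_DOMAINS = {
    "magasoldator.ru", "bangoteensdab.ru", "germandartisor.ru",
    "gashikbarango.ru", "beeengootrator.ru", "ebankistragira.ru",
    "magamedpatygoose.ru", "majahedislampork.ru", "maxidorkivast.ru",
}
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif", ".bmp")
ENTROPY_THRESHOLD = 4.0   # bits per character; assumed value, tune per environment
MIN_PATH_LEN = 40         # short paths give unstable entropy estimates

# Constructed sample log: a benign image fetch, a hit on an indicator domain with
# a long random-looking "image" path that returns HTML, a benign gif, and an
# unknown IP serving an octet-stream under a .jpg path.
SAMPLE_LOG = """\
2016-06-08T10:01:02Z 10.0.0.12 www.example.org /images/logo.png 200 image/png
2016-06-08T10:01:09Z 10.0.0.12 magasoldator.ru /images/kGm9xQz2LpVq7wRt3Yb8nHc4/AsD1fG2hJ3kL4zX5cV6bN7m/photo.gif 200 text/html
2016-06-08T10:02:15Z 10.0.0.15 cdn.example.org /a.gif 200 image/gif
2016-06-08T10:03:44Z 10.0.0.19 203.0.113.7 /x9Q2wE4rT6yU8iO0pL1kJ3hG5fD7sA/mN4bV6cX8zL2/view.jpg 200 application/octet-stream
"""


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyse_line(line):
    """Return (host, findings) for one log line; each finding is (confidence, reason)."""
    _ts, _client, host, path, _status, ctype = line.split()
    findings = []
    # 1. Threat-intel correlation: exact match on the indicator list.
    if host.lower() in GOZI_DOMAINS:
        findings.append(("high", "host matches Gozi indicator list"))
    # 2. File mismatch: URL claims to be an image, response says otherwise.
    if path.lower().endswith(IMAGE_EXT) and not ctype.startswith("image/"):
        findings.append(("medium", f"image URL served as {ctype}"))
    # 3. Entropy: long random-looking paths; noisy, so low confidence only.
    ent = shannon_entropy(path)
    if len(path) > MIN_PATH_LEN and ent > ENTROPY_THRESHOLD:
        findings.append(("low", f"high path entropy {ent:.2f} bits/char"))
    return host, findings


def scan_log(text):
    """Map host -> list of findings for every line that produced at least one."""
    hits = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, findings = analyse_line(line)
        if findings:
            hits.setdefault(host, []).extend(findings)
    return hits


if __name__ == "__main__":
    for host, findings in scan_log(SAMPLE_LOG).items():
        for confidence, reason in findings:
            print(f"{confidence:6} {host:20} {reason}")
```

A host that collects an indicator match plus a mismatch is worth an immediate block; the entropy rule on its own is only useful as a secondary signal that raises the priority of a medium finding, which is why the example keeps the three confidence levels separate rather than summing them.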
For More Information
Name | Email
Matthew Wollenweber | mjw@anomali.com
Anomali Support / Info Requests | support@anomali.com
Useful Links
• https://hitrustalliance.net/documents/cyber_intel/CTX/HiTrustCTXROIPresentation.pdf
• https://hitrustalliance.net/hitrust-pilot-advances-health-industry-cyber-threat-sharing-combat-ransomware-cyberattacks
• https://github.com/gbrindisi/malware
• https://ui.threatstream.com/search?status=active&value__re=.*ursnif.*
• https://ui.threatstream.com/search?status=active&value__re=.*magasoldator.ru.*
• https://ui.threatstream.com/search?status=active&value__re=.*ISFB.*
• https://api.threatstream.com/api/v1/myattacks/
• http://www.threatgeek.com/2016/06/new-ursnif-variant-targeting-italy-and-us.html
• https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/
• https://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature
• https://www.secureworks.com/research/gozi
• https://www.secureworks.com/research/banking-botnets-the-battle-continues
Indicators Associated with this Botnet
• magasoldator[.]ru
• bangoteensdab[.]ru
• germandartisor[.]ru
• 868801075c90864b6dbb54c661fe690d9e1d130e
• gashikbarango[.]ru
• f59528d8cf4090cf3e2d634059f0ff03a1e10e52
• beeengootrator[.]ru
• 175a7e9d34c625da059d8505a6c51ccb
• ebankistragira[.]ru
• magamedpatygoose[.]ru
• majahedislampork[.]ru
• maxidorkivast[.]ru
• 6af7e41e10ef6a7e075cb82d844810377b9fbb08
• 329b50acf49900b51e7870ae27eb458c2cb9e00b
Threat Correlation to CSF
HITRUST
CSF Controls Related to Threats
CSF Control for Vulnerability Patching
• Control Reference: *10.m Control of technical vulnerabilities
– Control Text: Timely information about technical vulnerabilities of systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.
– Implementation Requirement: Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within Appropriate, timely action shall be taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, the organization shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls.
CSF Controls Related to Threats
CSF Control for Emerging Threats/IP Blocklist
• Control Reference: 01.i Policy on the Use of Network Services
– Control Text: Users shall only be provided access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied to users and equipment.
– Implementation Requirement: The organization shall specify the networks and network services to which users are authorized access.
CSF Controls Related to Threats
CSF Control for top emerging malware
• Control Reference: 09.j Controls Against Malicious Code
– Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.
– Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.
QUESTIONS?
Visit www.HITRUSTAlliance.net for more information
To view our latest documents, visit the Content Spotlight