header-image

Cyber Security Experts

Blog

top feature image

800K Patient Records At Issue in ProCare Health Snafu

Four healthcare IT companies are warning that one of New Zealand’s largest networks of family doctors, nurses and general practice teams has been storing hundreds of thousands of patient records containing personally identifiable information (PII) – without the knowledge or consent of the data subjects.

“ProCare Health has been storing [PII] including names, addresses, financial information, clinical data and medication histories in a database called ‘Clinical Intelligence System,’” wrote four healthcare companies in a letter Tuesday to New Zealand’s Privacy Commissioner, obtained by the New Zealand Herald.

The four – HealthLink, Medtech Global, myPractice and Best Practice Software New Zealand – claim that up to 800,000 patients’ medical data is at risk, though they acknowledged that they didn’t know the full extent of the data collection.

They allege that most patients “seemed unaware of the ProCare database.” That could be a violation of the New Zealand Health Information Privacy Code, which, similar to HIPAA in the U.S., stipulates how health information is collected, used, held and disclosed by health agencies.

“At a time when attitudes towards patient privacy are shifting in favor of giving greater protections to the individual, here is an organization that has no direct patient relationship asking doctors to help it amass all the patient records it can get access to,” they wrote.

ProCare Health isn’t taking the allegations in stride, saying in a media statement that “Patients should understand from the enrollment form that identifiable information is shared with the [primary health organization] (PHO) for the purposes stated. The PHO has strict procedures to ensure that individual patient privacy is protected and uses the data for improving healthcare provision and planning…ProCare takes very seriously the care of both patients and their records and has very robust frameworks and processes in place to ensure all legislation obligations are met.”

The organization’s clinical director, Allan Moffitt, added: “As a PHO ProCare could not function without collecting this data and as an organization owned and governed by clinicians, we take very seriously our obligations to privacy and security of information.”

top feature image

Peer-to-Peer Crypto-Exchanges: A Haven for Money Laundering

The need to launder money is omnipresent in the criminal world, and lately, a new way of doing it has come to the fore: peer-to-peer cryptocurrency exchanges.

These exchanges offer one-to-one relationships and transactions; buyers and sellers of virtual currency sign-up with their location information, IP address and other data to verify their identity, link to their wallets, and from there can swap and cash out currencies with other people who decide to trust them. Parties sometimes take the relationship offline too, meeting face-to-face to close out deals. After striking a bargain, a buyer can exchange cash in person, transfer bank funds online or can exchange funds for prepaid cards, gift cards or other cryptocurrencies.

These platforms offer an alternative to the marketplace methods represented by big Bitcoin exchanges such as Coinbase, and many users feel they can get better deals and a better service experience by using them. There’s another difference though: Peer-to-peer exchanges are decentralized and often lack the accountability, security and transparency measures used by the larger players.

Coinbase for instance monitors for dark web activity and recently implemented the Know Your Customer identity verification service (not that it’s not in hot water in other ways), which in theory makes it harder for criminals to launder money or use the funds to buy items from the underground. So, peer-to-peer alternatives have started to be a go-to choice for criminals looking to take advantage of the anonymity of cryptocurrency.

“Although certain peer-to-peer cryptocurrency exchanges might willingly cooperate with law enforcement, there are readily available methods that threat actors utilize while laundering their illicitly gained funds to maintain anonymity,” said Flashpoint, which flagged the increasing criminal activity on the exchanges in a post Monday. Intelligence analyst Kathleen Weinberger told Threatpost that these include tried-and-true methods like using forged documents to sign-up for the services.

“A lot of what’s going on here is just a criminal rather than a technical story,” she said in an interview. “It’s easy to look for a technical solution to prevent this – there certainly is one (or rather a thousand of them). But there’s pressure on services to try and make their service usable – they don’t want their average user having to struggle for days to have their identity verified. At the same time, they have to make sure that this isn’t getting in the way of things being safe and accountable.”

Being a relatively new arena, that’s a work in progress. So for now, “it’s law enforcement having to crack down on those buying and selling identities and fake documents to combat this,” she said.

Law enforcement has seen some successes despite the hurdles that the exchanges present; for instance, OxyMonster, a notorious dark web purveyor of drugs and other illicit goods, was nabbed in May after detectives made a connection between a Facebook page and his dark web site on the Dream marketplace. Even though he was using a peer-to-peer Bitcoin “tip jar” for transactions, they managed to track him down by other means, arresting him as he entered the country from France, on his way to a beard contest in Miami.

Because of this Wild West element, Flashpoint analysts have observed a growing number of underground discussions around using these exchanges for criminal means, including recommendations around certain peer-to-peer services that threat actors consider valuable or the safest. Some discussions include listings of established—also known as “aged”—local exchange accounts for sale, which are less likely to be flagged for fraud because they have the appearance of long-term use.

top feature image

Recent Andariel Group ActiveX Attacks Point to Future Targets

Researchers say that the North Korea-linked Andariel hacking group may be looking to switch up its targets, based on key changes in its script found on recently compromised websites.

The Andariel group is associated with the infamous Lazarus Group, North Korea’s cyber-espionage unit. Andariel has been particularly active over the past few months, targeting mainly South Korean victims. According to South Korean security researchers at IssueMakersLab, the group has mainly been using a zero-day exploit on Microsoft’s ActiveX software framework, enabling watering-hole attacks on South Korean websites.

However,  Trend Micro researchers noticed at the end of June 2018 that the group was injecting their script into four targeted South Korean websites for reconnaissance purposes – and, the script has striking differences from Andariel has used before. That could show that it may be trying to collect different ActiveX object information, and ultimately expand its target base, researchers said on Monday.

“In the earlier case, the group collected targeted ActiveX objects on users’ Internet Explorer browsers before they used the zero-day exploit,” Joseph Chen, fraud researcher with Trend Micro, said in a post. “This was possibly part of their reconnaissance strategy, to find the right targets for their exploit. Based on this, we believe it’s likely that the new targeted ActiveX objects we found could be their next targets for a watering-hole exploit attack.”

Trend Micro researchers said they found the injected script June 21, and that it was similar to the sample Andariel previously used, including a string of attacks in May. The injected script was on the website of a Korean non-profit organization, as well as three South Korean local government labor union websites.

The script was used to collect information from visitors’ browser: browser type, system language, Flash Player version, Silverlight version, and multiple ActiveX objects. Chen said the code had similar obfuscation and structure to the samples previously found from the Andariel. However, interestingly, Chen said that the script was trying to detect two ActiveX objects not targeted in previously viewed samples.

One was related to digital rights management software from a South Korean document-protection security vendor; while the other is related to a South Korea-based voice conversion software company. Both are used by local governments and public institutions, researchers said.

The verification process in the older script is also different from the ActiveX detection, which was only for the Internet Explorer browser – but now can be performed on other browsers, Chen said.

“In the script found in June, the websocket verification could also be performed on other browsers like Chrome and Firefox,” researchers said. “This shows that the attacker has expanded his target base, and is interested in the software itself and not just their ActiveX objects. Based on this change, we can expect them to start using attack vectors other than ActiveX.”

The reconnaissance lasted until June 27; and the websites have been notified about the compromise, said researchers.

“Reconnaissance is the stage where attackers collect information from potential targets to help them determine what tactics will work,” Chen said. “These new developments from the Andariel group give us an idea of their plans, although we cannot make specific assumptions about their strategy.”

top feature image

DDoS Attacks Get Bigger, Smarter and More Diverse

Distributed denial of service attacks, bent on taking websites offline by overwhelming domains or specific application infrastructure with massive traffic flows, continue to pose a major challenge to businesses of all stripes. Being knocked offline impacts revenue, customer service and basic business functions – and worryingly, the bad actors behind these attacks are honing their approaches to become ever more successful over time.

Several new themes are emerging in the 2018 distributed denial of service (DDoS) threat landscape, including a shift in tactics to reach new heights in volumetric campaigns, attacks that rely on a sheer wall of large amounts of packet traffic to overwhelm the capacity of a website and take it town.

However, while these traditional, opportunistic brute-force DDoS attacks remain a menace has emerged. These DDoS threats are more sophisticated and micro-targeted attacks. They take aim at, say, a specific application rather than a whole website. These type DDoS attacks are a rapidly growing threat, as are “low and slow” stealthier offensives. At the same time, bot herders are working on expanding their largely IoT-based botnet creations, by any means possible, often to accommodate demand from the DDoS-as-a-service offerings that have created a flood of new participants in the DDoS scene. Those new entrants are all competing for attack resources, creating a demand that criminals are all too happy to fulfill.

“Attacks are getting larger, longer and more complex, as [the tools used to carry out attacks] are becoming more available,” said Donny Chong, product director at Nexusguard. “DDoS used to be a special occurrence, but now it’s really a commonplace thing – and the landscape is moving quickly.”

Terabit Era Dawns

One of the most notable evolutions in the DDoS landscape is the growth in the peak size of volumetric attacks. Attackers continue to use reflection/amplification techniques to exploit vulnerabilities in DNS, NTP, SSDP, CLDAP, Chargen and other protocols to maximize the scale of their attacks. Notably however, in February the world saw a 1.3 Tbps DDoS attack against GitHub—setting a record for volume (it was twice the size of the previous largest attack on record) and demonstrating that new amplification techniques can give unprecedented power to cybercriminals. Just five days later, an even larger attack launched, reaching 1.7 Tbps. These showed that DDoS attackers are more than able to keep up with the growing size of bandwidth pipes being used by businesses.

The technique used in February and March made use of misconfigured Memcached servers accessible via the public internet. Memcached servers are used to bolster responsiveness of database-driven websites by improving the memory caching system. Unfortunately, many of them have been deployed using a default insecure configuration, which has opened the door to DDoS attacks that use User Datagram Protocol (UDP) packets amplified by these servers — by as much as 51,200x. That in turn means that malefactors can use fewer resources.  For example, they can send out only a small amount of traffic (around 200 Mbps) and still end up with a massive attack.

top feature image

DanaBot Trojan Targets Bank Customers In Phishing Scam

The recently-discovered DanaBot banking trojan is making the rounds in a phishing campaign that targets potential victims with fake invoices from software company MYOB.

The emails purport to be invoices from MYOB, an Australian multinational corporation that provides tax, accounting and other business services software for SMBs. But in reality, the missives contain a dropper file that downloads the DanaBot banking trojan, which once downloaded steals private and sensitive information, and sends screenshots of the machine’s system and desktop to the Command and Control server.

“Cybercriminals are targeting victims in Australian companies and infecting them with sophisticated multi-stage, multi-component and stealthy banking trojans like DanaBot to steal their private and sensitive information,” said Trustwave researchers in a post about the campaign, Friday. “In this campaign the attackers sent targeted phishing emails in the form of fake MYOB invoice messages with invoice links pointing to compromised FTP servers hosting the DanaBot malware.”

According to Trustwave researchers Fahim Abbasi and Diana Lopera, a flurry of phishing email scams have been spotted targeting Australian customers of MYOB. The phishing emails used the standard MYOB-like html invoice template to convince users they are real; telling the client that an invoice is due and asking them to “View Invoice” via a button at the bottom of the email.

Karl Sigler, threat intelligence manager SpiderLabs at Trustwave, told Threatpost that criminals likely purchased or perhaps generated their own list of likely MYOB customers. “Given how much information people share publicly, especially on social networks, these lists are not hard to come by,” he said. Trustwave didn’t have any information about how many victims specifically were targeted by the campaign.

top feature image

No Evidence of GandCrab Leveraging SMB Exploit – Yet

A new version of the evolving ransomware threat GandCrab has been identified by researchers – but evidence of the new malware self-propagating via the Windows transport protocol Server Message Block (SMB) exploit still remains to be seen.

Security researchers at Fortinet said that they have spotted version 4.1 of GandCrab in the wild. The ransomware was first spotted six months ago, but has already grown and continuously evolved to become a formidable and threatening ransomware sample in 2018.

Recent reports, suggesting the ransomware exploited a vulnerability in the SMB transport protocol used by Windows machines  including on XP and Windows Server 2003, raised concern.

The SMB exploit (Eternal Blue) was used in the destructive Wanna Cry ransomware attacks in 2017. That means if the reports were true, GandCrab developers have started pushing their malware to vulnerable Windows XP and 2003 PCs, wrote security researcher Kevin Beaumont in a post about the ransomware earlier this month.

“Impacting legacy XP and 2003 systems suggests some older environments may end up at risk where there is poor security practice — e.g. no working antivirus software,” he wrote. And while a patch (MS17-010) for the SMB exploit (which includes Windows XP and 2003) was issued by Microsoft after WannaCry, many of these legacy systems have not been updated.

However, while the new version contains a new network communication method, researchers said they could not find evidence that the malware can self-propagate via the Windows SMB exploit.

“Since we had not seen any technical report for the claim, we decided to investigate and confirm this rumour since this functionality was not observed during our previous analysis. However, this was to no avail,” the researchers said in a recent post about the newest GandCrab sample.

top feature image

Deceased Patient Data Being Sold on Dark Web

It is no shocker medical records are a prime target for cybercriminals. But less intuitive is the market for medical records of the deceased on the dark web. We took a closer look at the reason behind this strange trend. Here is what we found.

First off, despite best efforts, stolen medical records – of the living — for sale on black markets remain a huge problem. In fact, Cynerio is still seeing continued growth in the number of incidents of patient medical record breaches from hacking and unauthorized access to healthcare systems.

Meanwhile, as more medical records hit the black market the value of the stolen data declined. The reason is simple, supply and demand. By comparison, medical records are generally significantly higher value than stolen user credit card data.

top feature image

Cisco Patches High-Severity Bug in VoIP Phones

A range of business customers could be impacted by a high-severity security flaw discovered in Cisco VoIP phones. The vendor issued a patch on Wednesday.

Cisco also patched two medium-security flaws today in its FireSIGHT management platform for network security; and one medium-severity issue in the Web Security Appliance. Finally, it issued a fix for a high-severity bug in its platform for mobile operator routers, StarOS.

The most critical of the flaws, CVE-2018-0341, would allow command injection and remote code execution on IP phones, including higher-end models that have HD video call functionality. The advisory said that thanks to insufficient input validation, an authenticated user could send specially crafted shell commands to a specific user input field using the web-based user interface that links to the handsets. That could result in the ability to inject and execute arbitrary shell commands, opening the door for attackers to eavesdrop on conversations, intercept rich media data, place phone calls and more.

The vulnerability, found internally by the vendor, affects IP Phone 6800, 7800 and 8800 series devices that run a Multiplatform Firmware release prior to Release 11.2(1). No exploits have yet been seen in the wild, Cisco said – and the requirement for an attacker to be logged into the user interface in order to launch an attack somewhat mitigates the severity of the issue.

Cisco also sent out fixes for two medium-severity flaws in the Cisco FireSIGHT System Software, which provides centralized management for network security and operational functions for Cisco ASA with FirePOWER services and Cisco FirePOWER network security appliances. It automatically aggregates and correlates cyber-threat information for business users.

The first issue is a file policy bypass vulnerability (CVE-2018-0383), found in the detection engine of FireSIGHT. An unauthenticated, remote attacker could send a maliciously crafted FTP connection to transfer a file to an affected device; that file could carry malware built to disable the detection mechanisms in the system or carry out other nefarious actions.

“A successful exploit could allow the attacker to bypass a file policy that is configured to apply the ‘block upload’ with reset action to FTP traffic,” the vendor said.

The second vulnerability (CVE-2018-0384) in same detection engine could allow an unauthenticated, remote attacker to bypass a URL-based access control policy that is configured to block traffic for an affected system.

“The vulnerability exists because the affected software incorrectly handles TCP packets that are received out of order when a TCP SYN retransmission is issued,” the vendor explained. “An attacker could exploit this vulnerability by sending a maliciously crafted connection through an affected device. A successful exploit could allow the attacker to bypass a URL-based access control policy that is configured to block traffic for the affected system.”

Another medium-severity flaw (CVE-2018-0366) is a cross-site scripting vulnerability in the web-based management interface of the Cisco Web Security Appliance.

Using social engineering, a malicious actor could convince an interface user to click a specially crafted link that would then give threat actors the ability to execute arbitrary script code in the context of the interface, or allow the attacker to access sensitive browser-based information.

Meanwhile, Cisco has also patched a high-severity StarOS IPv4 fragmentation denial-of-service vulnerability (CVE-2018-0369). StarOS powers next-generation mobile networks, which support everything from tablets and smartphones to connected cars, smart-city and other IoT deployments. The platform provides virtualization and intelligence for mobile network architectures, and allows dynamic resource allocation for mobile services and networks to help wireless carriers manage their bandwidth to deliver higher levels of service to consumers and businesses.

top feature image

Microsoft Fixes 17 Critical Bugs in July Patch Tuesday Release

Browser vulnerabilities took center stage in Microsoft’s July Patch Tuesday security bulletin. In all, Microsoft patched 17 bugs rated critical, with ten tied to scripting engine flaws impacting Internet Explorer. In total, Microsoft is reporting 53 bugs: 17 critical, 34 rated important, one moderate and one low.

The most severe of the browser bugs reported are four Chakra scripting engine memory corruption vulnerabilities (CVE-2018-8280, CVE-2018-8286, CVE-2018-8290, CVE-2018-8294). Each are remote code execution vulnerabilities tied to the JScript engine (Chakra), developed by Microsoft for its 32-bit version of the Internet Explorer.

“The 16 CVEs covering browsers should be prioritized for workstation type devices, meaning any system where users are commonly accessing the public internet through a browser or checking email. This includes multi-user servers that are used as remote desktops for users,” wrote Jimmy Graham, director of product management at Qualys.

Five bugs are tied to Microsoft Edge. One is a spoofing vulnerability (CVE-2018-8278) that exists when Microsoft Edge improperly handles specific HTML content, which could trick users into believing that they were visiting a legitimate website. “The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services,” wrote Microsoft.

Another bug (CVE-2018-8304) is a Windows DNSAPI denial of service vulnerability. DNSAPI is a dynamic-link library file in Windows. In this context it contains functions used by a system’s domain name system (DNS) in a client’s application program interface.

“While not a severe as last month’s wormable CVE-2018-8225, this bug could allow remote attackers to shut down a DNS server through merely a malformed DNS response. Again, that’s better than code execution, but it’s never good when an adversary can remotely shut down a part of your critical infrastructure,” commented ZDI researchers in their Patch Tuesday analysis.

Microsoft’s Office was also patched to prevent emails from containing untrusted TrueType fonts that could be used to compromise a targeted system.

The Office tampering vulnerability (CVE-2018-8310) “exists when Microsoft Outlook does not properly handle specific attachment types when rendering HTML emails. An attacker could exploit the vulnerability by sending a specially crafted email and attachment to a victim, or by hosting a malicious .eml file on a web server,” Microsoft wrote. EML files are a file format developed by Microsoft to archive emails while at the same time preserving the original HTML formatting and header.

Speculative Processor Vulnerability

Based on the recent research findings from Google on the potential new cache timing side-channels exploiting processor speculation, here is the latest information on possible Arm processors impacted and their potential mitigations. We will post any new research findings here as needed.

Cache timing side-channels are a well-understood concept in the area of security research and therefore not a new finding. However, this side-channel mechanism could enable someone to potentially extract some information that otherwise would not be accessible to software from processors that are performing as designed. This is the issue addressed here and in the Cache Speculation Side-channels whitepaper.

It is important to note that this method is dependent on malware running locally which means it’s imperative for users to practice good security hygiene by keeping their software up-to-date and avoid suspicious links or downloads.

The majority of Arm processors are not impacted by any variation of this side-channel speculation mechanism.