Monthly Cyber Threat Briefing July 2016

Transcription

Monthly
Cyber Threat
Briefing
July 2016
855.HITRUST
(855.448.7878)
www.HITRUSTAlliance.net
1
© 2016 HITRUST Alliance. All Rights Reserved.
Presenters
• US-CERT: Majed Oweis, CISCP Analyst
• Armor: Charity Willhoite, Intelligence Analyst
• Trend Micro: Steve Duncan, Product Management
• Anomali: Matthew Wollenweber, Sr. Research Engineer
• HITRUST: Talha Hasan, Jr. Information Security Analyst
855.HITRUST
(855.448.7878)
2
NCCIC/US-CERT REPORT
855.HITRUST
(855.448.7878)
3
TLP: GREEN – AR-16-20150 – Network Analysis Report (AR) on
Compromised Cisco ASA Devices
• Analysis conducted by DHS US-CERT Network and Einstein Analytics Team.
• Suspected that malicious actors leveraged vulnerabilities cited in
CVE-2014-3393 to inject malicious code into affected appliances.
• Affected Cisco ASA software versions are included in the analysis report.
• Analysis included information about JavaScript code found in the copyright
panel of affected devices. Purpose of the code appears to be for credential
harvesting.
• Same code, with different name, seen on Github.
855.HITRUST
(855.448.7878)
4
TLP: GREEN – AR-16-20150 – Network Analysis Report on Compromised
Cisco ASA Devices (continued)
• Similar activity redirecting to https[:]//www[.]dreamscap[.]com/jquery.js.
• Code at “dreamscap” appeared to be similar to code found on Github.
• Both included an object called “x” with values for name, version and author.
• Object “x” at “dreamscap” site had the author value deleted. Comments about the code
were also absent. The “dreamscap” site also included a URL to another resource,
logon.php.
• Recommended mitigations and references describing the vulnerability are included in
the AR.
855.HITRUST
(855.448.7878)
5
Report location:
• TLP: GREEN – AR-16-20150 –
https://portal.us-cert.gov/documents/70338/108826/
AR-16-20150/1619fa49-08d3-4c49-b6ea-17fb2e9d35ce
Other resources:
• https://tools.cisco.com/security/center/viewAlert.x?alertId=35917
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3393
• https://www.cvedetails.com/cve/CVE-2014-3393/
• https://www.iad.gov/iad/library/ia-advisories-alerts/recommendationsto-mitigate-unauthorized-cisco-rommon-access-and-validate-bootroms.cfm
855.HITRUST
(855.448.7878)
6
Questions? Comments?
Contact US-CERT at:
• Email: [email protected]
• Phone: 1-888-282-0870
• Website: www.us-cert.gov
Contact CISCP at: [email protected]
855.HITRUST
(855.448.7878)
7
Top Threat Trends and Defenses
ARMOR
855.HITRUST
(855.448.7878)
8
Trending Vulnerabilities
NAME
RISK SCORE
FIRST SEEN
RELATED TECH
CVE-2016-0189
7.6/10.0
Critical
6/9/16
The Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as
used in Internet Explorer 9 through 11 and other products
CVE-2015-8651
9.3/10.0 High
12/2/15
Adobe Flash Player, Adobe, Angler Exploit Kit, Neutrino Exploit Kit,
Antiy Labs
CVE-2016-2208
9.4/10.0
Critical
5/19/16
Symantec AV Engine 20151.1.1.4
SRSsoft
N/A
5/16
SRS EHR (all versions) – all clients exploitable
PilotFish Technologies
N/A
7/16
PilotFish EHR integration – all clients exploitable
Action Items:
• Effectively and immediately patch vulnerabilities according to vendor and NIST recommendations: https://web.nvd.nist.gov
• Practices using SRSsoft HER software should disable access from remote support accounts to their networks. RDP access from the internet should be
disabled. Replace with an alternative solution until a patch is released.
• PilotFish EHR integration clients should activate incident response teams and contact PilotFish immediately.
855.HITRUST
(855.448.7878)
9
Additional Details – CVE-2016-0189 EK IOCs
Locky Affid 13 : Malware hash 300a51b8f6ad362b3e32a5d6afd2759a910f1b6608a5565dd
ee0cad4e249ce18
Sundown EK:
Hash61f9a4270c9deed0be5e0ff3b988d35cdb7f9054bc619d
0dc1a65f7de812a3a1
IP - 185.93.185.224
Domain - vicolavicolom.com
855.HITRUST
(855.448.7878)
10
Top Emerging Malware
NAME
Category
RELATED TECH, Industries, Indicators
Conficker
Botnet, Worm, Trojan,
Ransomware
MS Windows, XP, Windows 7
Tinba aka Tiny
Banker or Zusy
Trojan, Virus, Web-inject
MS Windows, banking websites, banking apps, Gamarue bot
Sality
Virus
MS Windows
Action Items:
• Preserve your data: Frequent data backups!
• Security Awareness: Do not download untrusted apps on mobile devices, update Windows often!
855.HITRUST
(855.448.7878)
11
Top US Healthcare Targets: June – July 2016
Name of Entity
Individuals Affected
Breach Submission Date
Type of Breach
Location of Breached Information
Laser & Dermatologic Surgery Center
31,000
6/14/2016
Hacking/IT Incident
Network Server
Uncommon Care, P.A.
13,674
6/21/2016
Hacking/IT Incident
Network Server
Grace Primary Care, PC
6,853
6/7/2016
Hacking/IT Incident
Network Server
Allergy, Asthma & Immunology
of the Rockies, PC
6,851
6/17/2016
Hacking/IT Incident
Network Server
Massachusetts General Hospital
4,293
6/29/2016
Hacking/IT Incident
Network Server
The Vein Doctor
3,000
6/3/2016
Hacking/IT Incident
Electronic Medical Record, Network Server
My Pediatrician, PA
2,500
6/1/2016
Hacking/IT Incident
Network Server
Vincent Vein Center
2,250
6/7/2016
Hacking/IT Incident
Electronic Medical Record
Blaine Chiropractic Center
1,945
7/14/2016
Hacking/IT Incident
Network Server
Health Incent, LLC
1,100
7/11/2016
Hacking/IT Incident
Other
855.HITRUST
(855.448.7878)
12
Emerging Threats: IP Block List
IP Address
Risk Score
Malware
185.106.122.38
99%
Ransomware C&C IP
51.255.172.55
96%
Ransomware C&C IP
199.59.243.120
94%
C&C IP
Botnet
141.8.224.93
93%
C&C IP
Zeus Botnet C2
185.146.169.16
93%
Ransomware C&C IP
5.187.0.137
93%
Ransomware C&C IP
54.72.130.67
93%
C&C IP
62.149.128.154
93%
C&C IP
Spamming, Phishing, DDoS
75.99.13.124
93%
C&C IP
Dridex Botnet C2
100.7.41.35
92%
Malware C&C IP
DarkComet C2, Malware
107.23.198.240
92%
C&C IP
855.HITRUST
(855.448.7878)
13
Behavior Observed
Locky C2 IP, Neutrino EK
The Value of Records: The Darkoverlord case study
TREND MICRO
855.HITRUST
(855.448.7878)
14
Background
• Zero-day exploit in Remote Desktop
Protocol
– Only specific to some orgs using RDP
• Extortion mails to affected orgs went
unanswered
• Darkoverlord turned to TheRealDeal
marketplace to sell records
855.HITRUST
(855.448.7878)
15
Records Compromised
• 689,621 patient records
– Separate databases
• Farmingham Misouri MS Access database:
48,000 patients
• Atlanta, Georgia internal network: 397k
medical records
• Central/Midwest misconfigured network:
210k records
– Full Data: full names with full addresses, social
security, DOB, phone, gender, insurance ID
– 151 to 643 BTC ($96k to $411k)
• Another possible 9.3 million records
– 750 BTC ($478k)
855.HITRUST
(855.448.7878)
16
So what is the value?
• Privacy Rights
Clearinghouse data survey
– Medical records: $82.90
– Social security: $55.70
– Payment details: $45.10
– Physical location
information: $38.40
– Marital status: $6.10
– Name and gender: $2.90
855.HITRUST
(855.448.7878)
17
Where will it end up?
• Bitglass experiment phase I
– 1,500 fake records with secret watermark put on market
– In 12 days:
• 1,100 clicks, 47 downloads
• Data shared in 22 countries, 5 continents
• 2 Cybercrime syndicates from Russia and Nigeria
• Bitglass Phase II
– Fake credentials
– In 24 hours
• 5 Bank logins
• 3 online storage break-ins
• 94% uncovered other accounts
855.HITRUST
(855.448.7878)
18
Why?
• Persistence of data forms
• Mischief in the victim’s name:
– Opening new lines of credit
– Phony tax claims
– Etc.,.
855.HITRUST
(855.448.7878)
19
Requirementstoaddresstheproblem
Detection: identify and block spear-phishing emails that are
often part of the initial phase of a targeted attack or
ransomware campaign
Interoperability: work seamlessly with an existing spam filter or
secure email gateway to detect email spear-phishing attacks that
may contain advanced malware including ransomware
ROI: low cost of acquisition and tangible benefits from avoidance
of costs and risks of targeted and ransomware attacks.
855.HITRUST
(855.448.7878)
20
GOZI DETECTED VIA CTX
ANOMALI
855.HITRUST
(855.448.7878)
21
Overview:
• On June 8th 2016, HITRUST CTX partners began
automatically reporting domains associated with Gozi
o What is the CTX
o What is Gozi
855.HITRUST
(855.448.7878)
22
Anomali_trend Connector + HITRUST CTX
855.HITRUST
(855.448.7878)
23
Gozi Domain: magasoldator[.]ru
This known Gozi/URSNIF/IBSF domain was observed and reported via the HITRUST CTX
855.HITRUST
(855.448.7878)
24
What is Gozi ISFB?
• Gozi (also called URSNIF and ISFB) is a banking trojan that was first
reported circa 2008
• Commonly dropped via Pony but is known to also spread via phishing
• Blocks AV products and Microsoft updates
• Injects into common browsers to collect banking information
• Exfiltrates data using long random looking URLs that are often
labeled as images
• This variant uses fast-flux techniques
• Source code leaked leaked in April 2016
855.HITRUST
(855.448.7878)
25
Participating in HITRUST
• https://hitrustalliance.net/ctx-registration/
855.HITRUST
(855.448.7878)
26
Strategies for Mitigating Gozi
• Endpoint AV
• Network protection: URL filtering and Email sandboxing
• Detection via correlating with threat intelligence sent to IDS,
NGFW, or SIEM
• Detecting file mismatch (Gozi urls look to be images but aren’t)
• High entropy in URL strings (will be noisy)
855.HITRUST
(855.448.7878)
27
For More Information
Name
Email
Ma#hewWollenweber
[email protected]
AnomaliSupport/InfoRequests
[email protected]
855.HITRUST
(855.448.7878)
28
Useful Links
• https://hitrustalliance.net/documents/cyber_intel/CTX/HiTrustCTXROIPresentation.pdf
• https://hitrustalliance.net/hitrust-pilot-advances-health-industry-cyber-threat-sharing-combat-ransomware-cyberattacks
• https://github.com/gbrindisi/malware
• https://ui.threatstream.com/search?status=active&value__re=.*ursnif.*
• https://ui.threatstream.com/search?status=active&value__re=.*magasoldator.ru.*
• https://ui.threatstream.com/search?status=active&value__re=.*ISFB.*
• https://api.threatstream.com/api/v1/myattacks/
• http://www.threatgeek.com/2016/06/new-ursnif-variant-targeting-italy-and-us.html
• https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/
• https://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature
• https://www.secureworks.com/research/gozi
• https://www.secureworks.com/research/banking-botnets-the-battle-continues
855.HITRUST
(855.448.7878)
29
Indicators Associated with this Botnet
• magasoldator[.]ru
• bangoteensdab[.]ru
• germandartisor[.]ru
• 868801075c90864b6dbb54c661fe690d9e1d130e
• gashikbarango[.]ru
• f59528d8cf4090cf3e2d634059f0ff03a1e10e52
• beeengootrator[.]ru
• 175a7e9d34c625da059d8505a6c51ccb
• ebankistragira[.]ru
• magamedpatygoose[.]ru
• majahedislampork[.]ru
• maxidorkivast[.]ru
• 6af7e41e10ef6a7e075cb82d844810377b9fbb08
• 868801075c90864b6dbb54c661fe690d9e1d130e
• 329b50acf49900b51e7870ae27eb458c2cb9e00b
855.HITRUST
(855.448.7878)
30
Threat Correlation to CSF
HITRUST
855.HITRUST
(855.448.7878)
31
CSF Controls Related to Threats
CSF Control for Vulnerability Patching
• Control Reference: *10.m Control of technical vulnerabilities
– Control Text: Timely information about technical vulnerabilities of systems being used
shall be obtained; the organization's exposure to such vulnerabilities evaluated; and
appropriate measures taken to address the associated risk
– Implementation Requirement: Specific information needed to support technical
vulnerability management includes the software vendor, version numbers, current state
of deployment (e.g. what software is installed on what systems) and the person(s)
within Appropriate, timely action shall be taken in response to the identification of
potential technical vulnerabilities. Once a potential technical vulnerability has been
identified, the organization shall identify the associated risks and the actions to be
taken. Such action shall involve patching of vulnerable systems and/or applying other
controls.
855.HITRUST
(855.448.7878)
32
CSF Control for Emerging Threats/IP Blocklist
• Control Reference: 01.i Policy on the Use of Network Services
– Control Text: Users shall only be provided access to internal and external
network services that they have been specifically authorized to use.
Authentication and authorization mechanisms shall be applied to users and
equipment.
– Implementation Requirement: The organization shall specify the networks
and network services to which users are authorized access.
855.HITRUST
(855.448.7878)
33
CSF Control for top emerging malware
• Control Reference: 09.j Controls Against Malicious Code
– Control Text: Detection, prevention, and recovery controls shall be
implemented to protect against malicious code, and appropriate user
awareness procedures on malicious code shall be provided.
– Implementation Requirement: Protection against malicious code
shall be based on malicious code detection and repair software,
security awareness, and appropriate system access and change
management controls.
855.HITRUST
(855.448.7878)
34
QUESTIONS?
855.HITRUST
(855.448.7878)
35
Visit www.HITRUSTAlliance.net for more information
To view our latest documents, visit the
Content Spotlight
855.HITRUST
(855.448.7878)
36

Monthly Cyber Threat Briefing July 2016

Transcription

Similar documents

I`m helping to end MS by participating in the 2016 Jayman BUILT MS

HITRUST CSF v7

The Board of Directors of Qatar Fuel (WOQOD) is pleased to invite

5 `S` Training Program at ABV-IIITM, Gwalior on 21.07.2016

4 star ALOE HOTEL, PAPHOS

HITRUST Monthly Briefing May 2016

loyola institute for ministry on-campus open house thursday, may 12

HALF OFF - Bavarian Inn

The Magic Wizard

KMEA Standards Handout

2016 MW Alliance Raffle - Manitowish Waters Alliance LTD