
Oct 04, 2018
Page 1

Monthly Cyber Threat Briefing July 2016

855.HITRUST (855.448.7878) www.HITRUSTAlliance.net

© 2016 HITRUST Alliance. All Rights Reserved.

Page 2

Presenters
• US-CERT: Majed Oweis, CISCP Analyst
• Armor: Charity Willhoite, Intelligence Analyst
• Trend Micro: Steve Duncan, Product Management
• Anomali: Matthew Wollenweber, Sr. Research Engineer
• HITRUST: Talha Hasan, Jr. Information Security Analyst

Page 3

NCCIC/US-CERT REPORT

Page 4

TLP: GREEN – AR-16-20150 – Network Analysis Report (AR) on Compromised Cisco ASA Devices

• Analysis conducted by DHS US-CERT Network and Einstein Analytics Team.
• Suspected that malicious actors leveraged vulnerabilities cited in CVE-2014-3393 to inject malicious code into affected appliances.
• Affected Cisco ASA software versions are included in the analysis report.
• Analysis included information about JavaScript code found in the copyright panel of affected devices. Purpose of the code appears to be for credential harvesting.
• Same code, with different name, seen on Github.

Page 5

TLP: GREEN – AR-16-20150 – Network Analysis Report on Compromised Cisco ASA Devices (continued)

• Similar activity redirecting to https[:]//www[.]dreamscap[.]com/jquery.js.
• Code at “dreamscap” appeared to be similar to code found on Github.
• Both included an object called “x” with values for name, version and author.
• Object “x” at “dreamscap” site had the author value deleted. Comments about the code were also absent. The “dreamscap” site also included a URL to another resource, logon.php.
• Recommended mitigations and references describing the vulnerability are included in the AR.

Page 6

Report location:
• TLP: GREEN – AR-16-20150 – https://portal.us-cert.gov/documents/70338/108826/AR-16-20150/1619fa49-08d3-4c49-b6ea-17fb2e9d35ce

Other resources:
• https://tools.cisco.com/security/center/viewAlert.x?alertId=35917
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3393
• https://www.cvedetails.com/cve/CVE-2014-3393/
• https://www.iad.gov/iad/library/ia-advisories-alerts/recommendations-to-mitigate-unauthorized-cisco-rommon-access-and-validate-boot-roms.cfm

Page 7

Questions? Comments? Contact US-CERT at:
• Email: [email protected]
• Phone: 1-888-282-0870
• Website: www.us-cert.gov

Contact CISCP at: [email protected]

Page 8

ARMOR Top Threat Trends and Defenses

Page 9

Trending Vulnerabilities

Action Items:

• Effectively and immediately patch vulnerabilities according to vendor and NIST recommendations: https://web.nvd.nist.gov
• Practices using SRSsoft EHR software should disable access from remote support accounts to their networks. RDP access from the internet should be disabled. Replace with an alternative solution until a patch is released.
• PilotFish EHR integration clients should activate incident response teams and contact PilotFish immediately.

NAME | RISK SCORE | FIRST SEEN | RELATED TECH
CVE-2016-0189 | 7.6/10.0 Critical | 6/9/16 | The Microsoft (1) JScript 5.8 and (2) VBScript 5.7 and 5.8 engines, as used in Internet Explorer 9 through 11 and other products
CVE-2015-8651 | 9.3/10.0 High | 12/2/15 | Adobe Flash Player, Adobe, Angler Exploit Kit, Neutrino Exploit Kit, Antiy Labs
CVE-2016-2208 | 9.4/10.0 Critical | 5/19/16 | Symantec AV Engine 20151.1.1.4
SRSsoft | N/A | 5/16 | SRS EHR (all versions) – all clients exploitable
PilotFish Technologies | N/A | 7/16 | PilotFish EHR integration – all clients exploitable

Page 10

Additional Details – CVE-2016-0189 EK IOCs
• Locky Affid 13: malware hash 300a51b8f6ad362b3e32a5d6afd2759a910f1b6608a5565ddee0cad4e249ce18
• Sundown EK: hash 61f9a4270c9deed0be5e0ff3b988d35cdb7f9054bc619d0dc1a65f7de812a3a1; IP 185.93.185.224; domain vicolavicolom.com

Page 11

Top Emerging Malware

Action Items:
• Preserve your data: frequent data backups!
• Security Awareness: do not download untrusted apps on mobile devices; update Windows often!

NAME | Category | RELATED TECH, Industries, Indicators
Conficker | Botnet, Worm, Trojan, Ransomware | MS Windows, XP, Windows 7
Tinba (aka Tiny Banker or Zusy) | Trojan, Virus, Web-inject | MS Windows, banking websites, banking apps, Gamarue bot
Sality | Virus | MS Windows

Page 12

Top US Healthcare Targets: June – July 2016

Name of Entity | Individuals Affected | Breach Submission Date | Type of Breach | Location of Breached Information
Laser & Dermatologic Surgery Center | 31,000 | 6/14/2016 | Hacking/IT Incident | Network Server
Uncommon Care, P.A. | 13,674 | 6/21/2016 | Hacking/IT Incident | Network Server
Grace Primary Care, PC | 6,853 | 6/7/2016 | Hacking/IT Incident | Network Server
Allergy, Asthma & Immunology of the Rockies, PC | 6,851 | 6/17/2016 | Hacking/IT Incident | Network Server
Massachusetts General Hospital | 4,293 | 6/29/2016 | Hacking/IT Incident | Network Server
The Vein Doctor | 3,000 | 6/3/2016 | Hacking/IT Incident | Electronic Medical Record, Network Server
My Pediatrician, PA | 2,500 | 6/1/2016 | Hacking/IT Incident | Network Server
Vincent Vein Center | 2,250 | 6/7/2016 | Hacking/IT Incident | Electronic Medical Record
Blaine Chiropractic Center | 1,945 | 7/14/2016 | Hacking/IT Incident | Network Server
Health Incent, LLC | 1,100 | 7/11/2016 | Hacking/IT Incident | Other

Page 13

Emerging Threats: IP Block List

IP Address | Risk Score | Malware Behavior Observed


Page 14

TREND MICRO The Value of Records: The Darkoverlord case study

Page 15

Background

• Zero-day exploit in Remote Desktop Protocol

– Only specific to some orgs using RDP

• Extortion mails to affected orgs went unanswered

• Darkoverlord turned to TheRealDeal marketplace to sell records

Page 16

Records Compromised
• 689,621 patient records
  – Separate databases:
    • Farmington, Missouri MS Access database: 48,000 patients
    • Atlanta, Georgia internal network: 397k medical records
    • Central/Midwest misconfigured network: 210k records
  – Full data: full names with full addresses, social security, DOB, phone, gender, insurance ID
  – 151 to 643 BTC ($96k to $411k)
• Another possible 9.3 million records
  – 750 BTC ($478k)

Page 17

So what is the value?
• Privacy Rights Clearinghouse data survey
  – Medical records: $82.90
  – Social security: $55.70
  – Payment details: $45.10
  – Physical location information: $38.40
  – Marital status: $6.10
  – Name and gender: $2.90

Page 18

Where will it end up?
• Bitglass experiment phase I
  – 1,500 fake records with secret watermark put on market
  – In 12 days:
    • 1,100 clicks, 47 downloads
    • Data shared in 22 countries, 5 continents
    • 2 cybercrime syndicates from Russia and Nigeria
• Bitglass phase II
  – Fake credentials
  – In 24 hours:
    • 5 bank logins
    • 3 online storage break-ins
    • 94% uncovered other accounts

Page 19

Why?
• Persistence of data forms
• Mischief in the victim’s name:
  – Opening new lines of credit
  – Phony tax claims
  – Etc.

Page 20

Requirements to address the problem

Detection: identify and block spear-phishing emails that are often part of the initial phase of a targeted attack or ransomware campaign.

Interoperability: work seamlessly with an existing spam filter or secure email gateway to detect email spear-phishing attacks that may contain advanced malware, including ransomware.

ROI: low cost of acquisition and tangible benefits from avoidance of the costs and risks of targeted and ransomware attacks.

Page 21

GOZI DETECTED VIA CTX ANOMALI

Page 22

Overview:
• On June 8th 2016, HITRUST CTX partners began automatically reporting domains associated with Gozi
  o What is the CTX
  o What is Gozi

Page 23

Anomali_trend Connector + HITRUST CTX

Page 24

Gozi Domain: magasoldator[.]ru

This known Gozi/URSNIF/ISFB domain was observed and reported via the HITRUST CTX.

Page 25

What is Gozi ISFB?
• Gozi (also called URSNIF and ISFB) is a banking trojan that was first reported circa 2008
• Commonly dropped via Pony, but is known to also spread via phishing
• Blocks AV products and Microsoft updates
• Injects into common browsers to collect banking information
• Exfiltrates data using long, random-looking URLs that are often labeled as images
• This variant uses fast-flux techniques
• Source code leaked in April 2016

Page 26

Participating in HITRUST

•  https://hitrustalliance.net/ctx-registration/

Page 27

Strategies for Mitigating Gozi
• Endpoint AV
• Network protection: URL filtering and email sandboxing
• Detection via correlating with threat intelligence sent to IDS, NGFW, or SIEM
• Detecting file mismatch (Gozi URLs look to be images but aren’t)
• High entropy in URL strings (will be noisy)
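As an added example (not from the briefing or from Anomali's tooling), the two log-based heuristics on this slide, image-extension URLs served with a non-image Content-Type and long high-entropy URL paths, applied to a few constructed proxy log lines; the log format, thresholds and the domains in the sample are assumptions.

```python
"""Heuristic detection of Gozi/URSNIF-style exfiltration URLs in proxy logs.

Added example: implements the two detection ideas on the slide, an "image"
URL whose response is not an image (file-type mismatch) and unusually high
Shannon entropy in a long URL path. Log format and sample lines are constructed.
"""
import math
import re
from urllib.parse import urlsplit

IMAGE_EXTS = (".gif", ".jpg", ".jpeg", ".png", ".bmp")

# Constructed proxy log lines: "<client> <method> <url> <status> <content-type>"
SAMPLE_LOG = """\
10.0.0.5 GET http://images.example.com/logo/site_header.png 200 image/png
10.0.0.7 GET http://cdn.example.com/static/icons/menu.gif 200 image/gif
10.0.0.9 GET http://example-bad.test/images/Gq9sZ2Xk1TbYp3fDmR7vHc0LeWjN4aUo8iKx5yQnBl6/1JhM2tEwVrCzS.gif 200 text/html
10.0.0.9 POST http://example-bad.test/p8D4kLmZ2qV9xT7cRb1YnWf6/SjH3gU0aEoNi5.jpg 200 application/octet-stream
10.0.0.3 GET http://intranet.example.com/reports/q2.pdf 200 application/pdf
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character over the string's character distribution."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_image(url: str) -> bool:
    """True when the URL path ends in a common image extension."""
    return urlsplit(url).path.lower().endswith(IMAGE_EXTS)


def analyse_line(line: str, entropy_threshold: float = 4.5, min_path_len: int = 40):
    """Return the reasons a log line is suspicious (empty list if none)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []  # malformed or unexpected format: skip rather than guess
    _client, _method, url, _status, ctype = m.groups()
    reasons = []
    if looks_like_image(url) and not ctype.startswith("image/"):
        reasons.append(f"file mismatch: image URL served as {ctype}")
    path = urlsplit(url).path
    ent = shannon_entropy(path)
    # Length gate keeps short, legitimate paths from tripping the entropy check
    if len(path) >= min_path_len and ent >= entropy_threshold:
        reasons.append(f"high-entropy path ({ent:.2f} bits/char)")
    return reasons


def scan_log(log_text: str):
    """Map each suspicious URL to its reasons; benign lines are omitted."""
    hits = {}
    for line in log_text.splitlines():
        reasons = analyse_line(line)
        if reasons:
            hits[line.split()[2]] = reasons
    return hits


if __name__ == "__main__":
    for url, why in scan_log(SAMPLE_LOG).items():
        print(url, "->", "; ".join(why))
```

The entropy check is gated on path length to limit the noise the slide warns about; tune `min_path_len` and `entropy_threshold` against your own proxy baseline before alerting on it.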

Page 28

For More Information

Name | Email
Matthew Wollenweber | [email protected]
Anomali Support / Info Requests | [email protected]

Page 29

Useful Links
• https://hitrustalliance.net/documents/cyber_intel/CTX/HiTrustCTXROIPresentation.pdf

•  https://hitrustalliance.net/hitrust-pilot-advances-health-industry-cyber-threat-sharing-combat-ransomware-cyber-attacks

•  https://github.com/gbrindisi/malware

•  https://ui.threatstream.com/search?status=active&value__re=.*ursnif.*

•  https://ui.threatstream.com/search?status=active&value__re=.*magasoldator.ru.*

•  https://ui.threatstream.com/search?status=active&value__re=.*ISFB.*

•  https://api.threatstream.com/api/v1/myattacks/

•  http://www.threatgeek.com/2016/06/new-ursnif-variant-targeting-italy-and-us.html

•  https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/

•  https://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature

•  https://www.secureworks.com/research/gozi

•  https://www.secureworks.com/research/banking-botnets-the-battle-continues

Page 30

Indicators Associated with this Botnet

Page 31

HITRUST Threat Correlation to CSF

Page 32

CSF Controls Related to Threats
CSF Control for Vulnerability Patching
• Control Reference: *10.m Control of technical vulnerabilities

–  Control Text: Timely information about technical vulnerabilities of systems being used shall be obtained; the organization's exposure to such vulnerabilities evaluated; and appropriate measures taken to address the associated risk

–  Implementation Requirement: Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems) and the person(s) within Appropriate, timely action shall be taken in response to the identification of potential technical vulnerabilities. Once a potential technical vulnerability has been identified, the organization shall identify the associated risks and the actions to be taken. Such action shall involve patching of vulnerable systems and/or applying other controls.

Page 33

CSF Controls Related to Threats
CSF Control for Emerging Threats/IP Blocklist
• Control Reference: 01.i Policy on the Use of Network Services

– Control Text: Users shall only be provided access to internal and external network services that they have been specifically authorized to use. Authentication and authorization mechanisms shall be applied to users and equipment.

–  Implementation Requirement: The organization shall specify the networks and network services to which users are authorized access.

Page 34

CSF Controls Related to Threats
CSF Control for Top Emerging Malware
• Control Reference: 09.j Controls Against Malicious Code

– Control Text: Detection, prevention, and recovery controls shall be implemented to protect against malicious code, and appropriate user awareness procedures on malicious code shall be provided.

–  Implementation Requirement: Protection against malicious code shall be based on malicious code detection and repair software, security awareness, and appropriate system access and change management controls.

Page 35

QUESTIONS?

Page 36

Visit www.HITRUSTAlliance.net for more information

To view our latest documents, visit the Content Spotlight