NH-ISAC Daily Security Intelligence Report – April 11, 2017
This information is marked TLP GREEN: Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

BREACH REPORT

Tullamore Hospital Patient's Information Sent to Wrong Person After Data Blunder
A data breach at Tullamore Hospital is among 212 cases revealed today, the Irish Independent have reported. 212 data protection breaches, where patients' private information was misused or mishandled, were recorded by the HSE last year, including a major blunder in Tullamore. In the Offaly hospital's case, the office of the Data Protection Commissioner actually received information pertaining to a patient when those private details were faxed in error…
Link – http://www.offalyexpress.ie/news/home/244553/tullamore-hospital-patient-s-information-sent-to-wrong-person-after-data-blunder.html

CRIME and INCIDENT REPORT

Microsoft Office Zero-Day Used to Push Dridex Banking Trojan
The operators of the Dridex botnet are using the recently disclosed Microsoft Office zero-day to spread a version of their malware, the infamous Dridex banking trojan. It is unclear at this time if the Dridex gang was the group that discovered the zero-day, or if they just figured out a way to exploit it after McAfee and FireEye disclosed public details over the weekend…
Link – https://www.bleepingcomputer.com/news/security/microsoft-office-zero-day-used-to-push-dridex-banking-trojan/

Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day
This weekend saw multiple reports of a new zero-day vulnerability that affected all versions of Microsoft Word.
Today, Proofpoint researchers observed the document exploit being used in a large email campaign distributing the Dridex banking Trojan. This campaign was sent to millions of recipients across numerous organizations, primarily in Australia…
Link – https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatched-microsoft-zero-day

NH-ISAC Additional Information Regarding Microsoft Zero-Day / Dridex Campaign
Event: New MS Office Zero-Day Attacks Reported Being Exploited in the Wild
Summary:
McAfee first reported:
• New MS Office zero-day attacks reported being exploited in the wild.
• Samples detected are organized as Word files (more specifically, RTF files with a “.doc” extension).
• The exploit works on all Microsoft Office versions, including the latest Office 2016 running on Windows 10.
• The earliest attacks reported date back to late January.
Recommendations include:
• Do not open any Office files obtained from untrusted locations.
• The attack cannot bypass Office Protected View, so we suggest everyone ensure that Office Protected View is enabled.
FireEye then reported:
• The attack starts with an e-mail that attaches a malicious Word document containing a malicious OLE2link object.
• When opened, the exploit code makes a connection to a remote server, from which it downloads a malicious HTML Application file (HTA) disguised as a document created in MS RTF (Rich Text Format).
The attack is notable for several reasons:
• It bypasses most exploit mitigations: this capability allows it to work even against Windows 10, which security experts widely agree is Microsoft's most secure operating system to date.
• Unlike the vast majority of the Word exploits seen in the wild over the past few years, this new attack doesn't require targets to enable macros.
• Before terminating, the exploit opens a decoy Word document in an attempt to hide any sign of the attack that just happened.
• Security experts are reporting that Microsoft will patch the vulnerability on Tuesday.
• Users can block code-execution exploits by adding the following to their Windows registry: set Software\Microsoft\Office\15.0\Word\Security\FileBlock\RtfFiles to 2 and OpenInProtectedView to 0.
• FireEye email and network products detect the malicious documents as: Malware.Binary.Rtf.

NSA Hacking Tools Dumped Online by Shadow Brokers Group
The Shadow Brokers, a hacking group, has published the password to a collection of hacking tools used by the NSA. This comes as a form of protest against Donald Trump going back on his campaign promises. Before releasing all the data into the wild, the hackers had actually put the data up for auction, but nobody bought it, perhaps due to the steep asking price of over $7 million in bitcoin. Now, the group has revealed a password that unlocks an encrypted cache of documents in a Medium post…
Link – http://news.softpedia.com/news/nsa-hacking-tools-dumped-online-by-shadow-brokers-group-514760.shtml

Hackers Count on Password Reuse in Amazon Third-Party Seller Campaign
Hackers are using stolen credentials bought on the Dark Web from earlier data breaches to break into seller accounts. Once in, they can change the bank-deposit information for the account to siphon off sales. They also post “deals” on Amazon that are anything but: the merchandise advertised is nonexistent. The bad guys offer four-week shipping, hoping to get paid before Amazon (or the recipient) cops on to the fraud…
Link – https://www.infosecurity-magazine.com/news/hackers-count-on-password-reuse-in/

Computer Engineer Charged with Theft of Proprietary Computer Code
Zhengquan Zhang of California has been arrested and charged by a US federal court with stealing trade secrets from his employer, a New York financial services firm.
A US Department of Justice (DoJ) release says that between March 2016 and March 2017, Zhang stole over three million files of confidential data and computer code. According to the DoJ, Zhang stole the company’s source code for algorithmic trading models and trading platforms by installing code that gained access to the network’s encryption keys. He allegedly also stored the stolen files on his employer’s network before installing other code to transfer the data to a third-party software development site…
Link – http://www.darkreading.com/attacks-breaches/computer-engineer-charged-with-theft-of-proprietary-computer-code-/d/d-id/1328602?

US Takes Down Huge Botnet as Spain Arrests Notorious Russian Hacker
US authorities moved Monday to take down a global computer botnet behind the massive theft of personal data and unwanted spam emails, as Spain arrested the notorious Russian hacker who operated it. US authorities say the Russian, Piotr or Peter Levashov, had operated the Kelihos network of tens of thousands of infected computers, stealing personal data and renting the network out to others to send spam emails by the millions and extort ransom from computer owners. Levashov, also known in the hacking world as Peter Severa, was arrested at Barcelona airport on Friday at the request of the US…
Link – http://www.securityweek.com/us-takes-down-huge-botnet-spain-arrests-notorious-russian-hacker

NEWS REPORT

ONC Reiterates Healthcare Data Privacy, Security Need in PMI
The Precision Medicine Initiative (PMI) is a federal research program that hopes to improve how disease is treated, but there are still healthcare data privacy and security concerns. However, ONC explained in a recent blog post that keeping data secure through PMI remains a top priority. ONC partnered with the National Institutes of Health (NIH) to launch three separate but related activities to advance PMI.
One of those activities is Sync for Science (S4S) API Privacy and Security, which assesses whether S4S API pilots implement appropriate privacy and security principles…
Link – http://healthitsecurity.com/news/onc-reiterates-healthcare-data-privacy-security-need-in-pmi

Are Large Teaching Hospitals at Greater Risk for Breaches?
Larger hospitals, especially teaching institutions, appear to be at greatest risk for health data breaches, says a new study. That's possibly due to several factors, including these hospitals' rich pools of patient data and greater demands for sharing that information for patient care and research, some experts say. The study, which was published by JAMA Internal Medicine, analyzed data from the U.S. Department of Health and Human Services to examine what type of hospitals face a higher risk of data breaches.
Link – http://www.healthcareinfosecurity.com/are-large-teaching-hospitals-at-greater-risk-for-breaches-a-9819

Fake News at Work in Spam Kingpin’s Arrest?
Over the past several days, many Western news media outlets have predictably devoured thinly-sourced reporting from a Russian publication that the arrest last week of a Russian spam kingpin in Spain was related to hacking attacks linked to last year’s U.S. election. While there is scant evidence that the spammer’s arrest had anything to do with the election, the success of that narrative is a sterling example of how the Kremlin’s propaganda machine is adept at manufacturing fake news, undermining public trust in the media, and distracting attention away from the real story…
Link – https://krebsonsecurity.com/2017/04/fake-news-at-work-in-spam-kingpins-arrest/

Tools Used by Lamberts APT Found in Vault 7 Dumps
Links have emerged connecting targeted attacks going back a decade against high-profile government, industrial and financial targets around the world to hacking tools and documents leaked in the Vault 7 dump.
Researchers at Kaspersky Lab today published a technical report on the activities of a group
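The registry mitigation quoted in the NH-ISAC additional information on the Microsoft Office zero-day above (RtfFiles = 2 and OpenInProtectedView = 0 under Software\Microsoft\Office\15.0\Word\Security\FileBlock) is the one setting in this report an administrator can verify on an endpoint directly. The PowerShell audit script below is an added example; it is not part of the NH-ISAC report or of the McAfee or FireEye guidance it summarizes. It assumes the HKCU hive (the report states only the subkey path) and, as a further assumption, extends the check to the 14.0 and 16.0 version keys, which the report does not mention.

```powershell
[CmdletBinding()]
param(
    [switch]$Apply   # write the values; without it the script only audits
)

# Office versions whose per-user Word key to inspect. The report names 15.0 (Office 2013);
# 14.0 (2010) and 16.0 (2016) are added here as an assumption.
$Versions = @('14.0', '15.0', '16.0')

# Values quoted in the report. Hive HKCU is assumed; the report gives only the subkey path.
$Expected = @{ RtfFiles = 2; OpenInProtectedView = 0 }

function Get-FileBlockKeyPath {
    param([string]$Version)
    "HKCU:\Software\Microsoft\Office\$Version\Word\Security\FileBlock"
}

function Get-RtfFileBlockState {
    # Returns one object per version describing whether the mitigation is present.
    param([string]$Version)
    $key = Get-FileBlockKeyPath -Version $Version
    $exists = Test-Path -Path $key
    $current = @{}
    foreach ($name in $Expected.Keys) {
        $current[$name] = $null
        if ($exists) {
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $current[$name] = $item.$name }
        }
    }
    # Both values must match exactly; a missing value counts as not mitigated.
    $mitigated = $true
    foreach ($name in $Expected.Keys) {
        if ($current[$name] -ne $Expected[$name]) { $mitigated = $false }
    }
    [pscustomobject]@{
        Version             = $Version
        KeyExists           = $exists
        RtfFiles            = $current['RtfFiles']
        OpenInProtectedView = $current['OpenInProtectedView']
        Mitigated           = $mitigated
    }
}

function Set-RtfFileBlock {
    # Creates the key if needed and writes both DWORD values from the report.
    param([string]$Version)
    $key = Get-FileBlockKeyPath -Version $Version
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $Expected.Keys) {
        New-ItemProperty -Path $key -Name $name -Value $Expected[$name] `
            -PropertyType DWord -Force | Out-Null
    }
}

$results = foreach ($v in $Versions) {
    $state = Get-RtfFileBlockState -Version $v
    if ($Apply -and -not $state.Mitigated) {
        Set-RtfFileBlock -Version $v
        $state = Get-RtfFileBlockState -Version $v   # re-read to confirm the write
    }
    $state
}

$results | Format-Table Version, KeyExists, RtfFiles, OpenInProtectedView, Mitigated -AutoSize
```

Run it without -Apply to see, per Office version key, whether the two values are already set; with -Apply it writes them for the current user only, so other profiles on the machine and any equivalent policy key pushed by Group Policy are outside its scope. Two caveats before rolling this out widely: Office file block classifies a file by its actual format rather than its extension, which is why the setting catches RTF content carrying a .doc name, but for the same reason RtfFiles = 2 also stops Word from opening legitimate RTF documents. The report's own first recommendation, keeping Protected View enabled, remains the baseline that this setting supplements rather than replaces.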