
NH-ISAC Daily Security Intelligence Report – April 11, 2017

This information is marked TLP GREEN: Recipients may share TLP:GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels. Information in this category can be circulated widely within a particular community. TLP:GREEN information may not be released outside of the community.

BREACH REPORT

Tullamore Hospital Patient's Information Sent to Wrong Person After Data Blunder

A at Tullamore Hospital is among 212 cases revealed today, the Irish Independent has reported. 212 data protection breaches, in which patients' private information was misused or mishandled, were recorded by the HSE last year, including a major blunder in Tullamore.

In the Offaly hospital's case, the office of the Data Protection Commissioner actually received information pertaining to a patient when those private details were faxed in error…

Link – http://www.offalyexpress.ie/news/home/244553/tullamore-hospital-patient-s-information-sent-to-wrong-person-after-data-blunder.html

CRIME and INCIDENT REPORT

Microsoft Office Zero-Day Used to Push Banking Trojan

The operators of the Dridex botnet are using the recently disclosed Office zero-day to spread a version of their , the infamous Dridex banking trojan. It is unclear at this time if the Dridex gang was the group that discovered the zero-day, or if they just figured out a way to exploit it after McAfee and FireEye disclosed public details over the weekend…

Link – ://www.bleepingcomputer.com/news/security/microsoft-office-zero-day-used-to-push-dridex-banking-trojan/

Dridex Campaigns Hitting Millions of Recipients Using Unpatched Microsoft Zero-Day

This weekend saw multiple reports of a new zero-day vulnerability that affected all versions of Microsoft Word. Today, Proofpoint researchers observed the document exploit being used in a large email campaign distributing the Dridex banking Trojan. This campaign was sent to millions of recipients across numerous organizations, primarily in Australia…

Link – https://www.proofpoint.com/us/threat-insight/post/dridex-campaigns-millions-recipients-unpatched-microsoft-zero-day

NH-ISAC Additional information regarding Microsoft Zero day / Dridex Campaign

Event: New MS Office Zero-Day Attacks Reported Being Exploited In The Wild

Summary: McAfee first reported:

• New MS Office zero-day attacks reported being exploited in the wild.
• Samples detected are organized as Word files (more specifically, RTF files with a “.doc” extension name).
• The exploit works on all Microsoft Office versions, including the latest Office 2016 running on .
• The earliest attacks reported date back to late January.

Recommendations include:

• Do not open any Office files obtained from untrusted locations.
• The attack cannot bypass Office Protected View, so we suggest everyone ensure that Office Protected View is enabled.

FireEye then reported:

• The attack starts with an e-mail that attaches a malicious Word document containing a malicious OLE2link object.
• When opened, the exploit code makes a connection to a remote server, from which it downloads a malicious HTML Application file (HTA) disguised as a document created in MS RTF (Rich Text Format).

The attack is notable for several reasons:

• It bypasses most exploit mitigations: this capability allows it to work even against Windows 10, which security experts widely agree is Microsoft's most secure to date.
• Unlike the vast majority of the Word exploits seen in the wild over the past few years, this new attack doesn't require targets to enable macros.
• Before terminating, the exploit opens a decoy Word document in an attempt to hide any sign of the attack that just happened.
• Security experts are reporting that Microsoft will patch the vulnerability on Tuesday.
• Users can block code-execution exploits by adding the following to their Windows registry: Software\Microsoft\Office\15.0\Word\Security\FileBlock\RtfFiles set to 2 and OpenInProtectedView set to 0.
• FireEye email and network products detect the malicious documents as: Malware.Binary.Rtf.
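The registry workaround above, applied with PowerShell, as an added example that is not part of the NH-ISAC report or FireEye's advisory. It assumes the two values live under the per-user hive (HKCU), which the report does not state, and uses the Office 15.0 (Word 2013) path exactly as given; other Office releases keep the same subkeys under their own version number (for example 16.0), which is an assumption you should verify against your deployed build before rolling it out.

```powershell
# Added example (not from the NH-ISAC report or FireEye): apply the Word File Block
# mitigation for RTF files described in the report.
# Assumptions: HKCU hive (the report names no hive) and Office version 15.0 (Word 2013).
$key = 'HKCU:\Software\Microsoft\Office\15.0\Word\Security\FileBlock'

# Record the current state so the change is auditable and reversible.
if (Test-Path $key) {
    Write-Host "Current FileBlock settings:"
    Get-ItemProperty -Path $key | Select-Object RtfFiles, OpenInProtectedView | Format-List
} else {
    Write-Host "FileBlock key not present; Word is using defaults (RTF files not blocked)."
}

# Create the key if needed, then set the two values from the report:
#   RtfFiles = 2            -> block RTF files from being opened or saved
#   OpenInProtectedView = 0 -> blocked files are not opened at all (not even in Protected View)
New-Item -Path $key -Force | Out-Null
New-ItemProperty -Path $key -Name 'RtfFiles' -PropertyType DWord -Value 2 -Force | Out-Null
New-ItemProperty -Path $key -Name 'OpenInProtectedView' -PropertyType DWord -Value 0 -Force | Out-Null

# Verify that the values were written as intended.
$cfg = Get-ItemProperty -Path $key
if ($cfg.RtfFiles -eq 2 -and $cfg.OpenInProtectedView -eq 0) {
    Write-Host "RTF files are now blocked from opening in Word (Office 15.0, current user)."
} else {
    Write-Warning "FileBlock values were not applied as expected; check the key path and permissions."
}
```

With these two values Word refuses to open RTF content at all, so legitimate RTF documents will also be blocked; treat it as a stop-gap until the Tuesday patch is installed, and revert by removing the two values (or restoring the recorded previous state). For more than a handful of machines the same settings are better pushed through the Office Group Policy File Block Settings than by running this script per user.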

NSA Hacking Tools Dumped Online by Shadow Brokers Group

The Shadow Brokers, a hacking group, has published the password to a collection of hacking tools used by the NSA. This comes as a form of protest against going back on his campaign promises.

Before releasing all the data into the wild, the hackers had actually put the data up for auction, but nobody bought it, perhaps due to the steep asking price of over $7 million in bitcoin. Now, the group revealed a password that unlocks an encrypted cache of documents in a post…

Link – http://news.softpedia.com/news/nsa-hacking-tools-dumped-online-by-shadow-brokers-group-514760.shtml

Hackers Count on Password Reuse in Amazon Third-Party Seller Campaign

Hackers are using stolen credentials bought on the Dark Web from earlier data breaches to break into seller accounts. Once in, they can change the bank-deposit information for the account to siphon off sales. They’re also posting “deals” on Amazon that are anything but—the merchandise advertised is nonexistent. The bad guys offer four-week shipping, hoping to get paid before Amazon (or the recipient) cops onto the fraud…

Link – https://www.infosecurity-magazine.com/news/hackers-count-on-password-reuse-in/

Computer Engineer Charged with Theft of Proprietary Computer Code

Zhengquan Zhang of California has been arrested and charged by a US federal court with stealing trade secrets from his employer, a New York financial services firm. A US Department of Justice (DoJ) release says that between March 2016 and March 2017, Zhang stole over three million files of confidential data and computer code.

According to the DoJ, Zhang stole the company’s source code for algorithmic trading models and trading platforms by installing code that gained access to the network’s encryption keys. He allegedly also stored the stolen files on his employer’s network before installing further code to transfer the data to a third-party software development site…

Link – http://www.darkreading.com/attacks-breaches/computer-engineer-charged-with-theft-of-proprietary-computer-code-/d/d-id/1328602?

US Takes Down Huge Botnet as Spain Arrests Notorious Russian Hacker

US authorities moved Monday to take down a global computer botnet behind the massive theft of personal data and unwanted spam emails, as Spain arrested the notorious Russian hacker who operated it.

US authorities say the Russian, Piotr or Peter Levashov, had operated the Kelihos network of tens of thousands of infected computers, stealing personal data and renting the network out to others to send spam emails by the millions and extort ransom from computer owners. Levashov, also known in the hacking world as Peter Severa, was arrested at Barcelona airport on Friday at the US request…

Link – http://www.securityweek.com/us-takes-down-huge-botnet-spain-arrests-notorious-russian-hacker

NEWS REPORT

ONC Reiterates Healthcare Data Privacy, Security Need in PMI

The Precision Medicine Initiative (PMI) is a federal research program that hopes to improve how disease is treated, but there are still healthcare data privacy and security concerns. However, ONC explained in a recent blog post that keeping data secure through PMI remains a top priority.

ONC partnered with the National Institutes of Health (NIH) to launch three separate but related activities to advance PMI. One of those activities is Sync for Science (S4S) API Privacy and Security, which assesses whether S4S API pilots implement appropriate privacy and security principles…

Link – http://healthitsecurity.com/news/onc-reiterates-healthcare-data-privacy-security-need-in-pmi

Are Large Teaching Hospitals at Greater Risk for Breaches?

Larger hospitals, especially teaching institutions, appear to be at greatest risk for health data breaches, says a new study. That's possibly due to several factors, including these hospitals' rich pools of patient data and greater demands for sharing that information for patient care and research, some experts say.

The study, which was published in JAMA Internal Medicine, analyzed data from the U.S. Department of Health and Human Services to examine which types of hospitals face a higher risk of data breaches.

Link – http://www.healthcareinfosecurity.com/are-large-teaching-hospitals-at-greater-risk-for-breaches-a-9819

Fake News at Work in Spam Kingpin’s Arrest?

Over the past several days, many Western news media outlets have predictably devoured thinly-sourced reporting from a Russian publication that the arrest last week of a Russian spam kingpin in Spain was related to hacking attacks linked to last year’s U.S. election. While there is scant evidence that the spammer’s arrest had anything to do with the election, the success of that narrative is a sterling example of how the Kremlin’s propaganda machine is adept at manufacturing fake news, undermining public trust in the media, and distracting attention away from the real story…

Link – https://krebsonsecurity.com/2017/04/fake-news-at-work-in-spam-kingpins-arrest/

Tools Used by Lamberts APT Found in Vault 7 Dumps

Links have emerged connecting targeted attacks going back a decade against high-profile government, industrial and financial targets around the world to hacking tools and documents leaked in the Vault 7 dump.

Researchers at today published a technical report on the activities of a group it calls the Lamberts, which they say is the same group Symantec identifies as Longhorn. The Lamberts’ toolkit is on par with malware and backdoors used by other APT operations such as Regin, Project Sauron and Duqu2, Kaspersky researchers said. They added that the group was most active in 2013 and 2014, but samples created last year have been discovered…

Link – https://threatpost.com/tools-used-by-lamberts-apt-found-in-vault-7-dumps/124900/

VULNERABILITY REPORT

Bulletin (SB17-100) Vulnerability Summary for the Week of April 3, 2017

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard.

Link – https://www.us-cert.gov/ncas/bulletins/SB17-100

Similarities in Partial Fingerprints May Trick Biometric Security Systems

No two people are believed to have identical fingerprints, but researchers at the New York University Tandon School of Engineering and Michigan State University College of Engineering have found that partial similarities between prints are common enough that the fingerprint-based security systems used in mobile phones and other electronic devices can be more vulnerable than previously thought…

Link – https://www.helpnetsecurity.com/2017/04/11/partial-fingerprints-trick/

______

EJB

Operations

National Health ISAC (NH-ISAC)

Global Situational Awareness Center

226 North Nova Road, Suite 391

Ormond Beach, Florida 32174 www.nhisac.org .com/NHISAC