
Healthcare Threat Report 2019


As a highly regulated industry, healthcare organizations struggle to balance patient data security with quick accessibility for both patients and medical staff. Shockingly, the greatest threats to healthcare organizations aren’t all that new; they’re just getting harder to fix. The BluVector Threat Team examines the threats that target healthcare and offers suggestions on how to reduce breach risk.

© 2019 BluVector, Inc. bluvector.io 1 Healthcare Threat Report 2019

Table of Contents

3. Threat Chart
4. Infographics
5. Infographics Continued
6. Summary
7. Summary Continued
8. APT: Operation Oceansalt
9. APT: Rising Sun
10. APT: Kwampirs
11. APT: Operation GhostSecret
12. RANSOMWARE: BitPaymer
13. RANSOMWARE: BitPaymer/FriedEx
14. RANSOMWARE: SamSam
15. RANSOMWARE: Gandcrab
16. TROJAN: RtPOS
17. About BluVector


Threat Chart

Months in advance BluVector would have detected threats:

APTs: Rising Sun 43, Operation Oceansalt 32, Operation GhostSecret 30, Kwampirs 11
Ransomware: BitPaymer 50, Gandcrab 43, BitPaymer/FriedEx 29, SamSam 12
Trojans: RtPOS 8

BluVector runs all discovered samples through historical classifiers to identify when our machine learning engine would have first detected the named threat. BluVector currently supports over 35 file-specific machine learning classifiers.


Infographics

$1.4 million: average cost for healthcare recovery
Source: https://healthitsecurity.com/news/healthcare-cyberattacks-cost-1.4-million-on-average-in-recovery

Most cyber attacked industries: #1 Government, #2 Healthcare
Source: https://healthitsecurity.com/news/healthcare-cyberattacks-cost-1.4-million-on-average-in-recovery


Infographics Continued

$335: average cost per healthcare record during a data breach
Source: https://www.cisecurity.org/blog/data-breaches-in-the-healthcare-sector/

85,000: average connected devices in a large hospital open to cyberattacks
Source: https://www.cisecurity.org/blog/data-breaches-in-the-healthcare-sector/


Summary

Unhealthy Malware Diagnosis in Healthcare

It’s not only the patients who are infected at hospitals. In 2018, healthcare became the number two most attacked industry sector, second only to government, according to the Radware 2018-2019 Global Application and Report [1]. It is a persistent threat that healthcare IT teams need to address: 39% of respondents to the survey said that they face daily or weekly attacks on their networks.

Finding and remediating the threat is only part of the challenge. While IT teams are working to contain the breach, healthcare organizations have to address the impact of any negative publicity that thrusts them into the news. The American Journal of Managed Care [2] uncovered a shocking statistic for hospitals that were victims of a data breach.

After a breach, hospitals spent 64% more on advertising in order to increase interest, patient branding and reversing negative reactions to the breach. Inside those facilities, respondents reported a 54% drop in productivity and revenue-related tasks. The point is pretty simple: it’s time to increase the health of healthcare security.

Treating Healthcare Networks Like Patients

While healthcare IT teams may not have the medical training that their colleagues have had, their methodologies are similar. Both leverage technologies to diagnose an issue, determine what is working (and what is not) and use their training to determine a treatment plan for resolution. Treating a network like a patient is a good grounding exercise for devising a comprehensive security plan.

First, behavior modification is a huge first step. In the eight malware examples we’ve studied in this report, spearphishing is the most prevalent cause of the initial infection events. That can be a malicious macro in a Word or Excel file attached to an email, embedded file attachments that look like an x-ray, or a link to a site that looks official but isn’t. Healthcare workers are well-educated, work under pressure with a lot of complicated equipment and have to pivot to describe diagnoses to patients who don’t understand the terms. Like other modern workforces, healthcare workers assume that the IT team has it figured out. The IT team assumes that medical and support staff are knowledgeable enough to not click on emails. Yet the data is clearly showing that’s not helping. Unlike self-propagating malware, these threats are localized to the computer that they infect. The more that a malicious attachment is clicked on and opened, the wider the threat becomes.

Just like diet and exercise, the cure might be as simple as going back to the basics. Enacting 101-style email security classes is a great place to start. While many will likely already know the basics, a refresher course might help those who aren’t practicing good email security hygiene to elevate their efforts. Internal examples of emails that made it through can also help in solidifying and localizing the impact.

Healthcare organizations with training programs should mandate cybersecurity training courses for all existing employees and should require that all new employees complete this training before they access the organization’s email or networks.

Enabling Cybersecurity 911 in Email

While email is an effective communications tool, it is also the preferred attack plane for threat actors. While existing security defenses are in place to weed out known malicious emails, new threats from external emails continue to appear in end-users’ inboxes. For additional defense, healthcare organizations should add a mechanism to report suspicious emails to the organization’s (official or designated) cybersecurity officer. This might be as simple as having a “report a cybersecurity problem by clicking here” link within the header of inbound emails. This way, end-users can become proactive participants in the security of the organization and gain access to a quick mechanism to report a cybersecurity incident.


Summary Continued

An Ounce of Prevention

Of course, there’s no stronger way to protect IT networks than technology. This is where security teams need to think just like their medical counterparts. Looking for obvious weak points like old systems that offer low-security gains or unpatched ghost servers within their infrastructure are easy places to start. Ensuring that desktop workstations are on a schedule to receive the latest patches and updates is another, but challenges arise with some of the specialized medical devices that have been deployed. Because of the specialized nature of these devices, they might run a proprietary or embedded operating system that is not easy to patch or update. Each should go through rigorous security vulnerability assessments before being attached to the network and then be monitored on the network.

Kwampirs, one of the threats discussed in this report, created by the Orangeworm group, not only attacks healthcare facilities and pharmaceutical companies, it has been going after medical device manufacturers. So far there are no reports of it spreading to those devices, but getting malware installed at the manufacturer could make it harder to detect and control. BluVector’s Threat Team uncovered Windows malware code that showed up in an Android application. While the malware wouldn’t execute, it showed that attackers are getting very innovative in their attacks.

Following Up in Three Months

Implementing a top-down security mandate across any healthcare organization is no easy task, but without active security and thoughtful leadership, breaches will come. Come up with realistic goals to help your organization improve its security mindfulness by designing simple but impactful ways of making progress in two ways: one for end-users and the other for IT staff. Then book a follow-up appointment to check in on the success metrics and assess where you’re at, where your teams need to go and the right solutions that fit your operational needs. Of course, should that be a next generation IDS powered by AI for your network, BluVector Cortex detected the healthcare-related threats in this report, on average, 29 months before their release into the wild.

Healthcare Findings

In addition to monitoring for known threats, healthcare organizations need to proactively monitor their networks for the unknown threats that come every day. Much like how an x-ray can “see” inside the human body, the network needs to be monitored for things that the security team cannot see.

[Infographic: months in advance in earliest detection; new threats found this quarter]
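The report's suggested reporting mechanism needs a triage step on the receiving end. As an added example (not BluVector's code or anything from the original report), the following Python script checks whether a reported Word or Excel attachment carries a VBA macro project, the initial vector named in most sections of this report. The sample files are constructed in memory and are not real documents; the verdict names are this example's own.

```python
import io
import zipfile

# Parts inside a zip-based OOXML package (docx/docm/xlsx/xlsm/pptm) that hold VBA code.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
ZIP_MAGIC = b"PK\x03\x04"
# Legacy binary Office files (.doc/.xls) are OLE2 compound documents with this signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def inspect_ooxml(data: bytes):
    """Return (is_ooxml, vba_parts) for a zip-based Office file.

    is_ooxml is False for anything that is not an Office package; vba_parts
    lists the VBA project streams present (empty when the file has no macros).
    """
    if not data.startswith(ZIP_MAGIC):
        return False, []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False, []
    if "[Content_Types].xml" not in names:   # a zip, but not an Office package
        return False, []
    return True, sorted(n for n in names if n in VBA_PARTS)


def triage_attachment(data: bytes) -> str:
    """Classify one attachment for the 'report a suspicious email' queue.

    'macro'       zip-based Office file carrying a VBA project: route to analysts
    'ole-legacy'  binary .doc/.xls: macros cannot be ruled out without OLE parsing
    'clean-ooxml' zip-based Office file with no VBA project
    'other'       not an Office document
    """
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"
    is_ooxml, vba = inspect_ooxml(data)
    if is_ooxml and vba:
        return "macro"
    if is_ooxml:
        return "clean-ooxml"
    return "other"


def build_package(parts: dict) -> bytes:
    """Construct a minimal OOXML-like zip in memory (test fixture, not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in parts.items():
            zf.writestr(name, payload)
    return buf.getvalue()


CONTENT_TYPES = (b'<?xml version="1.0" encoding="UTF-8"?>'
                 b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')

# Constructed samples: a macro-bearing "x-ray.docm", a plain "referral.docx",
# a legacy "invoice.xls" header and a non-Office file.
SAMPLES = {
    "x-ray.docm": build_package({
        "[Content_Types].xml": CONTENT_TYPES,
        "word/document.xml": b"<w:document/>",
        "word/vbaProject.bin": OLE_MAGIC + b"\x00" * 24,   # VBA projects are OLE streams
    }),
    "referral.docx": build_package({
        "[Content_Types].xml": CONTENT_TYPES,
        "word/document.xml": b"<w:document/>",
    }),
    "invoice.xls": OLE_MAGIC + b"\x00" * 24,
    "notes.txt": b"see attached scan",
}


def triage_all(samples: dict) -> dict:
    """Map each attachment name to its verdict."""
    return {name: triage_attachment(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLES).items():
        print(f"{name:14s} {verdict}")
```

Presence of a VBA project is an indicator for the queue, not a verdict of malice; legacy OLE files need a dedicated parser before they can be cleared.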


APT: Rising Sun (detected 43 months in advance)

What Is It?

Researchers at McAfee identified a new Advanced Persistent Threat (APT) campaign they have named Operation Sharpshooter, which uses a cyber espionage backdoor they named Rising Sun.

The Rising Sun backdoor uses the RC4 cipher to encrypt its configuration data and communications. As with most backdoors, on initial infection Rising Sun will send data regarding the infected system to a command and control (C2) site. That information captures computer and user name, IP address, operating system version and network adapter information. Rising Sun contains 14 functions, including executing commands, obtaining information on disk drives and running processes, terminating processes, obtaining file creation and last access times, reading and writing files, deleting files, altering file attributes, clearing the memory of processes and connecting to a specified IP address.

The researchers stated that during October and November of 2018, 87 organizations in 24 countries were infected (although the majority were based in the U.S.). Targeted organizations include defense and government-related, as well as financial, energy, telecommunications and healthcare industries.

The campaign began on October 25, 2018 with links to malicious documents, hosted on Dropbox, sent to targeted organizations via social media. These documents claim to be job descriptions for positions at unknown companies. Data in the documents indicates they appear to have been created using Korean language versions of Microsoft Word. The documents contain malicious macros that execute shellcode. This shellcode then downloads both a benign decoy document and Rising Sun.

McAfee researchers found similarities between the code of Rising Sun and that of Duuzer, a previous cyber espionage backdoor that has been attributed to the Lazarus APT group (aka Hidden Cobra). They also found indicators potentially pointing toward Lazarus. However, they make no determination of attribution, as they state it is also potentially an attempted false flag operation aimed at placing the blame on Lazarus.

How Does It Propagate?

The Rising Sun malware does not contain the necessary code to self-propagate. The attack vector in this case is malicious Word documents containing macros which download the malicious payload. It is believed that targeted individuals were sent messages on social media containing links to the Word documents, claiming to be work recruitment campaigns.

When/How Did BluVector Detect It?

Five samples are listed in the McAfee report and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown these samples would have been detected an average of 43 months prior to their release.


APT: Operation Oceansalt (detected 32 months in advance)

What Is It?

Researchers at McAfee have released a report detailing the analysis of APT (Advanced Persistent Threat) activity they have named Operation Oceansalt, which has so far consisted of five campaigns. The first three were directed at South Korean universities and public infrastructure, the fourth at several Canadian and U.S. industries including finance, telecommunications and healthcare. The final campaign targeted the U.S. and South Korea. In each case, the attack vector was spear phishing emails containing Excel spreadsheets in Korean, with malicious macros that resulted in the installation of Oceansalt malware.

Once installed, Oceansalt attempts to connect to its command and control (C2) server. It is capable of sending information regarding the drives, files and processes on the infected system, executing commands, deleting and creating files, terminating processes and creating command shells.

Researchers have named these campaigns Operation Oceansalt due to the fact they found significant similarities to a piece of malware named Seasalt dating all the way back to 2010. Oceansalt has only a few differences compared to Seasalt: Oceansalt encodes the data it sends, it uses a hardcoded C2 server address and it does not survive reboots of the infected system.

[Figure: Countries Targeted by Operation Oceansalt (South Korea, USA)]

Seasalt has been attributed to a Chinese APT (Advanced Persistent Threat) group known as Comment Crew and APT1, originally exposed in a Mandiant report. The report, released in 2013, examined attacks on U.S. corporations that resulted in the theft of hundreds of terabytes of data.

While it is highly unlikely that APT1 has suddenly resurfaced, it is believed that the source code for Seasalt was never released or sold. There is speculation as to the reasons why Oceansalt is so similar to Seasalt. One reason is an attempt to falsely attribute the attacks to Chinese interests, which is quite plausible given the ease with which the origins of malware can be spoofed.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The attack vector is spear phishing emails containing Excel files with malicious macros.

When/How Did BluVector Detect It?

Fourteen samples relating to Oceansalt are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 32 months prior to their release.


APT: Operation GhostSecret (detected 30 months in advance)

What Is It?

Researchers from the McAfee Advanced Threat Research team have released a report regarding a new campaign from the Lazarus APT Group (aka Hidden Cobra), which is believed to have, at the very least, strong ties to North Korea. The initial stage of this campaign, named Operation GhostSecret, occurred at the end of February 2018 and targeted the Turkish financial sector.

From March 18 to 26, researchers observed additional attacks on organizations in 17 countries, mainly in the Asia-Pacific region. The attacks covered a broad range of industries including critical infrastructure, healthcare, telecommunications, entertainment, higher education and finance. The purpose of this campaign is the exfiltration of sensitive data, and the infrastructure related to this attack is still operational at the time of publication.

Researchers found sections of code in the malware associated with these attacks that strongly resemble other Lazarus group-related malware, including the malware used in the Sony Pictures attack in 2014. The malware communicates with its C2 server using port 443. Despite utilizing the standard SSL port, the traffic uses a custom format, which has been seen in previous Lazarus group malware. The malware contains a list of IP addresses it will not accept connections from, all of which are associated with Indian ISPs. All expected functionality is in the malware, including manipulation of files, wiping and deletion of files, executing commands on an infected system, exfiltrating data and files and gathering various system information.

The investigation found the C2 servers were located in Thailand, as was the case for previous attacks. McAfee worked with the Thai government to have the servers taken down but kept the servers intact so they can be forensically analyzed by law enforcement agencies.

How Does It Propagate?

The malware does not self-propagate.

The initial infection vector is not currently publicly known; however, previous Lazarus Group attacks have leveraged spearphishing with malicious attachments or compromising remote access tools utilizing easily guessed or brute-forced passwords.

When/How Did BluVector Detect It?

Three samples are publicly available, and BluVector’s patented Machine Learning Engine (MLE) detected all three. Regression testing has shown the samples would have been detected, on average, 30 months prior to their release.


APT: Kwampirs (detected 11 months in advance)

What Is It?

Researchers at Symantec detailed their findings into the activities of a new attack group and the backdoor Trojan they have been using to target healthcare-related organizations.

The group, dubbed Orangeworm, is believed to be comprised of a small number of individuals and has been operating for several years. The origin, location and motivations of the group are currently unknown. Approximately 17% of systems infected with Orangeworm are located in the U.S.

[Infographic: approximately 17% of systems infected with Orangeworm are located in the U.S.]

The organizations known to have been targeted by Orangeworm are either directly involved in the healthcare sector (including healthcare providers or pharmaceutical companies) or organizations that provide goods and services to the healthcare industry (including IT solution providers and equipment manufacturers). Researchers believe this to be a component of a larger supply-chain attack resulting in Orangeworm gaining access to their primary healthcare targets.

This malware, named Kwampirs, gives attackers backdoor access to compromised systems to extract system information and sensitive data. The backdoor has even been found on systems used for operating X-ray and MRI machines. The attackers also seem to favor systems used by patients to complete consent forms.

The Kwampirs malware utilizes built-in system commands to gather various system information, particularly that which would assist in lateral movement through a network, such as recently accessed systems, network shares, mapped drives and network adapters. The malware decrypts and drops the main payload DLL contained within itself. When it does so, it inserts a randomly created string into the DLL in an attempt to defeat hash- and pattern-based detection. The malware also copies itself to network shares and contains a list of command and control (C2) servers with which it attempts to establish connections. Both of these actions are considered noisy, but it appears not to have concerned the authors, as these behaviors have not changed over time.

How Does It Propagate?

If the attackers determine an infected system is a high-value target based on system information gathered by the malware, the attack will attempt to use open network shares to spread within the network.

No information is available concerning the initial infection vector; however, the most common vector for similar attacks is social engineering, either as malicious attachments or downloads performed by malicious documents. It is believed the Orangeworm group is selecting its targets carefully, making spearphishing a likely infection vector.

When/How Did BluVector Detect It?

There are nine publicly available samples and BluVector’s patented Machine Learning Engine (MLE) detected all of them. Regression testing has shown samples would have been detected an average of 11 months prior to their release, which mainly occurred during mid-to-late 2016.


RANSOMWARE: BitPaymer (detected 50 months in advance)

What Is It?

While some cybersecurity pundits claim the demise of ransomware, their prognostications were at best a premature conclusion. In recent weeks, variants of BitPaymer ransomware have infected systems at the Professional Golfers Association of America (PGA) and the local government offices of Matanuska-Susitna, a municipal borough of greater Anchorage.

BitPaymer, first identified in July 2017, was responsible for ransomware attacks on a number of Scottish hospitals in August 2017. BitPaymer is also known for making large ransom demands, up to 53 (currently in excess of $332,000). In most cases, the initial attack vector of BitPaymer ransomware is compromising internet-facing Remote Desktop Protocol (RDP) servers. The passwords to these RDP servers are brute forced.

In the case of Matanuska-Susitna, based on a report from the IT Director, the BitPaymer ransomware was part of an attack consisting of several malware payloads, including a trojan. His investigation believes the ransomware payload was activated 4 to 6 weeks after their network was initially compromised. He incorrectly characterizes this attack as a zero-day, based on the fact their legacy anti-virus product did not detect any malware components of the attack until it was too late.

The attack affected all 500 of their user endpoint systems and 120 of their 150 servers, requiring the IT department to essentially shut down their entire network, resulting in staff being forced to use typewriters. Other systems impacted included email, telephone, swipe card and even their disaster recovery servers. They are currently planning on reimaging 650 systems at a rate of about 38 per day.

FORE! According to reports, staff at the PGA of America began receiving pop-up ransom messages on their workstation screens on August 7, 2018. Though not yet confirmed by the PGA, based on the wording it is believed BitPaymer ransomware is responsible. Another aspect consistent with BitPaymer ransomware is the offer to email two encrypted files to the attackers, who would decrypt them as proof of their “honest intentions.” It is reported that encrypted files include digital marketing assets related to the PGA Championship tournament and the Ryder Cup.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The most common attack vector for BitPaymer ransomware is compromising internet-facing RDP servers by brute forcing poor or common passwords where there are no security policies in place to enforce password lockouts.

When/How Did BluVector Detect It?

Specific samples have not yet been publicly attributed to either incident. Therefore, a random selection of 25 recent BitPaymer samples was tested and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown that samples would have been detected an average of 50 months prior to their release.


RANSOMWARE: Gandcrab (detected 43 months in advance)

What Is It?

Researchers have previously noted that the developers of Gandcrab ransomware appear to have adopted an agile development model, as they’ve been releasing new versions that improve both the functionality and the underlying code.

This trend appears to be continuing, as security vendor Fortinet discovered version 4.1 of Gandcrab only two days after the release of version 4.0. Due to such a rapid release schedule, Gandcrab is currently considered to be the most prolific ransomware family, responsible for over 50,000 infections and $600,000 in ransom payments in a two-month period earlier in 2018.

The new Gandcrab 4.1 added the more efficient Salsa2.0 algorithm, removing the most commonly used RSA-2048. The most significant change is that the malware now contains a lengthy list (in one case, nearly 1,000 long) of hardcoded C2 websites. The remainder of each C2 URL is created from lists of words, allowing the final URL to appear to be randomly generated. The malware sends a variety of system information to the C2 site, including whether the keyboard is using a Russian layout and any installed anti-virus product(s). Currently there appears to be no good reason to send this information, but it is potentially a feature that’s still under development. The malware will also terminate various processes belonging to Office, database, email and similar applications prior to encrypting files. Though not unique to Gandcrab, this ensures the user’s most current files will be encrypted, therefore maximizing the user’s motivation to pay the ransom.

According to the researchers, one feature that Gandcrab does not yet include is the ability to propagate using network file shares through the use of the EternalBlue exploit. This functionality is expected to be included in future versions.

Gandcrab searches for AV software including:
Suite
Avira Antivirus
Comodo Pro
ESET Antivirus
Kaspersky Antivirus
F-Secure Internet Security
McAfee On-Access Antivirus Scanner
Microsoft Windows Defender
Panda Antivirus
Symantec Antivirus engine
Symantec Endpoint Protection
Tiny Personal Firewall
PC-Cillin Firewall

How Does It Propagate?

The malware does not yet contain the necessary code to self-propagate. In this case, it has been observed being downloaded from compromised websites that claim to offer pirated software, but instead (somewhat ironically) serve the ransomware.

When/How Did BluVector Detect It?

Five samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 43 months prior to their release.


RANSOMWARE: BitPaymer/FriedEx (detected 29 months in advance)

What Is It?

Researchers at legacy anti-virus vendor ESET have published findings that show strong evidence that the authors of the Dridex banking trojan are also responsible for writing the code for the BitPaymer ransomware. Owing to the connections they found with Dridex, ESET refers to this malware as FriedEx.

The Dridex banking trojan has been seen in the wild since 2014 and since its initial release has been significantly updated and improved, becoming one of the most sophisticated and successful banking trojans.

The BitPaymer/FriedEx ransomware was first seen in July 2017 and received significant media coverage when it was responsible for infecting several National Health Service hospitals in Scotland during August 2017. Much like the recently discussed SamSam ransomware, BitPaymer/FriedEx tends to target higher-profile companies and entities, rather than home users, and usually uses brute force Remote Desktop attacks to initially infect systems.

Researchers showed screenshots that appear to come from the Hex-Rays decompiler tool, showing almost identical code in areas of Dridex and BitPaymer/FriedEx functions. There were also commonalities in the compiler information and compiler timestamps. Their findings make a strong case for the same authors being behind both families of malware. It appears the authors saw an opportunity to take their existing Dridex codebase and modify it as necessary to create a ransomware revenue stream for themselves.

How Does It Propagate?

Similar to the SamSam ransomware, BitPaymer/FriedEx spreads by attackers manually brute forcing Remote Desktop Protocol (RDP) servers, which then gives them access to devices within the networks. Again, best practice dictates that RDP servers should not be accessible from the internet.

When/How Did BluVector Detect It?

BluVector’s patented machine learning malware detection engine detects the BitPaymer/FriedEx ransomware as malicious. Regression testing on samples has shown the ransomware would have been detected by BluVector 29 months prior to its release.


RANSOMWARE: SamSam (detected 12 months in advance)

What Is It?

Researchers from Cisco TALOS recently released details of a new variant of the SamSam ransomware, which has affected organizations in several industry verticals, including government, healthcare and ICS.

Media reports have advised that various healthcare organizations have been affected in recent days, including MedStar, a non-profit group that manages 10 hospitals in the Baltimore and Washington, DC area, Chicago-based AllScripts and Hancock Health Hospital, as well as Adams Memorial Hospital in Indiana. The government municipality of Farmington, New Mexico has also been impacted.

The initial infection vector has not yet been determined, though it is believed to be consistent with previous SamSam variants, where the attackers manually install the ransomware after compromising the corporate network and moving laterally to identify which business critical servers would make the best targets.

The ransomware consists of two components, a loader and an encrypted payload, both delivered as .NET executables. By design, the attackers must manually activate the ransomware using a randomly generated encryption key. SamSam is not a mass market ransomware such as WannaCry; it is designed to be deployed on high-value targets.

Researchers have determined at least one Bitcoin wallet is being used to collect ransom payments. Currently this wallet has collected 30.4 Bitcoin, which at the time of writing is worth approximately US$270K.

How Does It Propagate?

Unlike many other strains of ransomware, SamSam does not self-propagate.

Researchers have not yet determined with certainty the initial infection vector which then allowed the attackers to install the SamSam ransomware. However, they believe it may be compromised RDP and VNC servers that gave the attackers their first foothold into corporate networks. This is another reminder that a determined attacker will find any weakness in your perimeter defense. Best practice dictates that RDP and VNC servers should not be accessible from the internet.

When/How Did BluVector Detect It?

BluVector’s patented machine learning malware detection engine detects SamSam ransomware as malicious. Regression testing on several samples has shown they would have been detected by BluVector an average of 12 months prior to their release.
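Brute-forced RDP is the shared initial vector of the BitPaymer, BitPaymer/FriedEx and SamSam sections above, and the BitPaymer section notes it succeeds where no lockout policy exists. As an added example (not from the report or any vendor), the following Python detection logic runs over constructed Windows Security log lines (event 4625 failed logon, 4624 successful logon, logon type 10 for RDP) and raises alerts for a failure burst from one source, a spray across many accounts, and the case that matters most, a success following a burst. The flat line format, the sample addresses and the alert names are this example's own constructions, not Windows' native event XML.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flat rendering of Windows Security events (not the native XML):
# timestamp, event id, logon type, target account, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<event>4624|4625) "
    r"LogonType=(?P<ltype>\d+) TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)
RDP_LOGON_TYPE = 10   # RemoteInteractive; type 3 is network, type 2 is console


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"),
        "event": int(m["event"]),
        "ltype": int(m["ltype"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=10), spray_users=3):
    """Return alerts for RDP logon abuse, in the order they are raised.

    brute-force               threshold failures from one source inside window
    password-spray            same, but spread across at least spray_users accounts
    success-after-bruteforce  an RDP 4624 from a source that already produced a burst

    The compensating control this detects around is the one the report names:
    an account lockout policy and no internet-facing RDP at all.
    """
    recent = defaultdict(deque)   # source ip -> (timestamp, user) of failures in window
    flagged = set()               # sources that have already produced a burst alert
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["ltype"] != RDP_LOGON_TYPE:
            continue
        ip, q = ev["ip"], recent[ev["ip"]]
        while q and ev["ts"] - q[0][0] > window:   # slide the window forward
            q.popleft()
        if ev["event"] == 4625:
            q.append((ev["ts"], ev["user"]))
            if len(q) == threshold:                  # alert once per burst, not per failure
                users = {u for _, u in q}
                kind = "password-spray" if len(users) >= spray_users else "brute-force"
                alerts.append({"kind": kind, "ip": ip, "ts": ev["ts"], "users": sorted(users)})
                flagged.add(ip)
        elif ev["event"] == 4624 and ip in flagged:
            alerts.append({"kind": "success-after-bruteforce", "ip": ip,
                           "ts": ev["ts"], "users": [ev["user"]]})
    return alerts


# Constructed sample: one source hammering 'administrator' and then getting in,
# a second source with two mistyped passwords, and a third spraying several accounts.
SAMPLE_EVENTS = """\
2018-08-07T02:13:05 4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-08-07T02:13:06 4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-08-07T02:13:08 4625 LogonType=3 TargetUser=svc-backup SourceIP=10.20.0.5
2018-08-07T02:13:09 4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-08-07T02:13:11 4625 LogonType=10 TargetUser=nurse1 SourceIP=198.51.100.9
2018-08-07T02:13:12 4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-08-07T02:13:14 4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-08-07T02:13:17 4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-08-07T02:13:40 4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-08-07T02:14:01 4625 LogonType=10 TargetUser=nurse1 SourceIP=198.51.100.9
2018-08-07T02:20:00 4625 LogonType=10 TargetUser=admin SourceIP=192.0.2.44
2018-08-07T02:20:03 4625 LogonType=10 TargetUser=radiology SourceIP=192.0.2.44
2018-08-07T02:20:06 4625 LogonType=10 TargetUser=helpdesk SourceIP=192.0.2.44
2018-08-07T02:20:09 4625 LogonType=10 TargetUser=backup SourceIP=192.0.2.44
2018-08-07T02:20:12 4625 LogonType=10 TargetUser=scanner SourceIP=192.0.2.44
"""

if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS.splitlines()):
        print(a["kind"], a["ip"], a["ts"].isoformat(), ",".join(a["users"]))
```

The third alert kind is the one to page on: a burst that ends in a logon is the pattern described for Matanuska-Susitna, where the ransomware fired weeks after the initial foothold.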


TROJAN: RtPOS (detected 8 months in advance)

What Is It?

A new report from Booz Allen Hamilton Cyber (BAHC) describes a piece of POS malware named RtPOS that appears to have been undiscovered for a year. In previous Threat Reports (RadRAT and InvisiMole), we have discussed the concept of dwell time as the period of time between a network being compromised and when that breach was detected.

POS malware, such as LockPOS, is designed to steal payment card data from terminals and other systems used to process card payments in stores and other businesses. Most often, the card data is extracted directly from the memory of the infected system. Readers may remember the news around the use of POS malware, such as in the well publicized attacks on customers of Home Depot and Target in 2014.

BAHC did not describe how or where they obtained the sample, though they named it RtPOS based on a debug string found in the sample. The metadata of the sample shows the language code to be Russian, which could indicate a possible location of the authors (or at least their chosen language). The sample’s apparent lack of sophistication and functionality has caused speculation as to whether it is an example of malware that’s under development, although these same attributes could also indicate deliberate intent on the part of the authors to make the malware more stealthy.

Unlike the majority of current malware, RtPOS is not packed or otherwise obfuscated. However, this may actually make the sample appear less suspicious to endpoint-specific anti-malware solutions. In a departure from most POS malware, this sample also does not contain the capability to exfiltrate stolen card data; that data is merely logged in plain text to a file stored in the Windows\SysWOW64 directory. The malware is very specific in its function: it only accepts two parameters (either “install” or “remove”) and only looks for card data, not other data that could be commoditized by attackers, such as social security numbers.

Given its narrow focus, it is believed that RtPOS is used in conjunction with additional malware in order to compromise the payment processing system and exfiltrate the extracted data. The compile date of the sample is August 2017 and there is no evidence to suggest this is not accurate, indicating the malware has been unnoticed in the wild for a full year.

How Does It Propagate?

The malware does not self-propagate and the infection vector is currently unknown.

When/How Did BluVector Detect It?

BluVector’s patented Machine Learning Engine (MLE) detected the RtPOS malware. Regression testing has shown the sample would have been detected 20 months prior to its discovery, which appears to be 12 months after it was created, meaning BluVector would have detected this sample 8 months before it was even created.

Biggest POS Breaches in 2018:
Jan: Aetna
Feb: FedEx
Mar: Orbitz
Mar: Under Armour
Apr: Saks Fifth Avenue, Lord & Taylor
Apr: Panera Bread
Apr: SunTrust Banks
May: Chili’s
May: Nuance Communications
June: TaskRabbit
June: Ticketmaster
June: Adidas
July: Macy’s
July: U.S. Air Force
July: LabCorp Diagnostics
July: LifeLock
August: Fortnite
Sept: British Airways
Sept: Facebook
Oct: U.S. Department of Defense
Source: https://www.identityforce.com/blog/2018-data-breaches


About BluVector, A Comcast Company

As a leader in network security, BluVector is empowering security teams to get answers about real threats, allowing businesses and governments to operate with greater confidence that data and systems are protected.

BLUVECTOR MLE

BluVector MLE is a patented supervised Machine Learning Engine that was developed within the defense and intelligence community to accurately detect zero-day and polymorphic malware in real time. Unlike unsupervised machine learning, which is leveraged by most security vendors today, BluVector MLE algorithms were pre-trained to immediately identify malicious content embedded within common file formats like Office documents, archives, executables, .pdf, and system updates. The result: 99.1%+ detection accuracy upon installation.

BLUVECTOR SCE

BluVector SCE is the security market’s first analytic specifically designed to detect fileless malware as it traverses the network. By emulating how the malware will behave when it is executed, the Speculative Code Execution engine determines, at line speed, what an input can do if executed and to what extent these behaviors might initiate a security breach. By covering all potential execution chains and focusing on malicious capacity rather than malicious behavior, the analytic technology vastly reduces the number of execution environments and the quantity of analytic results that must be investigated.

www.bluvector.io 571.565.2100
