DOCSLIB.ORG

Threat Report 2019

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Threat Report 2019 Healthcare Threat Report 2019 THREAT REPORT Healthcare 2019 As a highly regulated industry, healthcare organizations struggle to balance patient data security and quick accessibility by both patients and medical staff. Shockingly, the greatest threats to healthcare organizations aren’t all that new, they’re just getting harder to fix. The BluVector Threat Team examines the threats that target healthcare and offers suggestions on how to reduce breach risk. © 2019 BluVector, Inc. bluvector.io 1 Healthcare Threat Report 2019 Table of Contents 3. Threat Chart 4. Infographics 5. Infographics Continued 6. Summary 7. Summary Continued 8. APT: Operation Oceansalt 9. APT: Rising Sun 10. APT: Kwampirs 11. APT: Operation GhostSecret 12. RANSOMWARE: BitPaymer 13. RANSOMWARE: BitPaymer/FriedEx 14. RANSOMWARE: SamSam 15. RANSOMWARE: Gandcrab 16. TROJAN: RtPOS 17. About BluVector © 2019 BluVector, Inc. bluvector.io 2 Healthcare Threat Report 2019 MONTHS IN ADVANCE BLUVECTOR WOULD HAVE DETECTED THREATS APTs RANSOMWARE TROJANS 43 50 8 Rising Sun BitPaymer RtPOS 32 43 Operation Gandcrab Oceansalt 30 29 Operation BitPaymer/ GhostSecret FriedEx BluVector runs all discovered malware samples through historical classifiers to 11 12 identify when our machine learning engine would have first detected the named threat. Kwampirs SamSam BluVector currently supports over 35 file- specific machine learning classifiers. © 2019 BluVector, Inc. bluvector.io 3 Healthcare Threat Report 2019 Infographics $1.4 MILLI N AVERAGE COST FOR HEALTHCARE CYBERATTACK RECOVERY Source: https://healthitsecurity.com/news/healthcare-cyberattacks-cost-1.4-million-on-average-in-recovery MOST CYBER ATTACKED INDUSTRIES: #1 GOVERNMENT HEALTHCARE#2 Source: https://healthitsecurity.com/news/healthcare-cyberattacks-cost-1.4-million-on-average-in-recovery © 2019 BluVector, Inc. bluvector.io 4 Healthcare Threat Report 2019 Infographics Continued $335 AVERAGE COST PER HEALTHCARE RECORD DURING A DATA BREACH Source: https://www.cisecurity.org/blog/data-breaches-in-the-healthcare-sector/ 85,000 AVERAGE CONNECTED DEVICES IN A LARGE HOSPITAL OPEN TO CYBERATTACKS Source: https://www.cisecurity.org/blog/data-breaches-in-the-healthcare-sector/ © 2019 BluVector, Inc. bluvector.io 5 Healthcare Threat Report 2019 Summary Unhealthy Malware Diagnosis in Healthcare a site that looks official but isn’t. Healthcare workers are well-educated, work under pressure It’s not only the patients who are infected at with a lot of complicated equipment and have hospitals. In 2018, healthcare became the number to pivot to describe diagnoses to patients who two most attacked industry sector, second only to don’t understand the terms. Like other modern government, according to the Radware 2018-2019 workforces, healthcare workers assume that the 1 Global Application and Network Security Report . IT team has it figured out. The IT team assumes It is a persistent threat that healthcare IT teams that medical and support staff are knowledgeable need to address - 39% of respondents to the enough to not click on phishing emails. Yet, the survey said that they face daily or weekly attacks data is clearly showing that’s not helping. Unlike on their networks. a computer worm, these threats are localized to the computer that they infect. The more that a Finding and remediating the threat is only part malicious attachment is clicked on and opened, of the challenge. While IT teams are working to the wider the threat becomes. contain the breach, healthcare organizations have to address the impact of any negative publicity Just like diet and exercise, the cure might be as that thrust them into the news. The American simple as going back to the basics. Enacting a 2 Journal of Managed Care uncovered a shocking 101-style email security classes is a great place statistic for hospitals that were victims of a data to start. While many will likely already know the breach. basics, it will be a refresher course for many but might help those who aren’t practicing good email After a breach, hospitals spent 64% more on security hygiene to elevate their efforts. Internal advertising in order to increase interest, patient email examples of sample emails that made it branding and reversing negative reactions to through can also help in solidifying and localizing the breach. Inside those facilities, respondents the impact. reported a 54% drop in productivity and revenue- related tasks. The point is pretty simple: It’s time Healthcare organizations with training programs to increase the health of healthcare security. should mandate cybersecurity training courses for all existing employees and should require that all Treating Healthcare Networks Like Patients new employees complete this training before they While healthcare IT teams may have not the access the organization’s email or networks. medical training that their colleagues have had, their methodologies are similar. They both Enabling Cybersecurity 911 in Email leverage technologies to diagnose an issue, While email is an effective communications tool, determine what is working (and what is not) and it is also the preferred attack plane for threat use their training to determine a treatment plan actors. While existing security defenses are in for resolution. Treating a network like a patient place to weed out known malicious emails, new is a good grounding exercise for devising a threats from external emails continue to appear comprehensive security plan. in end-users’ inboxes. For additional defensive, healthcare organizations should add a mechanism First, behavior modification is a huge first step. to report suspicious emails to the organization’s In the eight malware examples we’ve studied in (official or designated) cybersecurity officer. this report, spearphishing is the most prevalent This might be as simple as having a “report a cause of many of the initial infection events. cybersecurity problem by clicking here” within the That can be a malicious macro in a Word or header of the inbound emails. This way, end-users Excel file, attached to an email embedded file can become proactive participants in the security attachments that look like an x-ray or a link to of organization and gain access to a quick © 2019 BluVector, Inc. bluvector.io 6 Healthcare Threat Report 2019 Summary Continued mechanism to report a cybersecurity incident. task but without active security and thoughtful leadership, breaches will come. Come up with An Ounce of Prevention realistic goals to help your organization improve its security mindfulness but designing simple but Of course, there’s no stronger way to protect impactful ways of making progress but in two IT networks than technology. This is where ways: one for end-users and the other for IT staff. security teams need to think just like their Then book a follow-up appointment to check in medical counterparts. Looking for obvious weak on the success metrics and access where you’re points like old systems that offer low-security at, where your teams need to go and deciding on gains or unpatched ghost servers within their the right solutions that fit your operational needs. infrastructure are easy places to start. Ensuring Of course, should that be a next generation IDS, that desktop workstations are on a schedule powered by AI for your network, BluVector Cortex to receive the latest patches and updates is detected the healthcare-related threats in this another, but challenges arise with some of the report, on average, 29 months before their release specialized medical devices that have been into the while. deployed. Because of the specialized nature of these devices, they might run a proprietary or embedded operating system that is not easy to patch or update. Each should go through rigorous security vulnerability assessments before being attached to the network and then monitored on the network. Kwampirs, one of the threats discussed in this report, created by the Orangeworm group, not only attacks healthcare facilities and pharmaceutical companies, it’s been going after medical device manufacturers. So far there are no reports of it spreading to those devices. But getting malware installed at the manufacturer could make it harder to detect and control. BluVector’s Threat Team uncovered a Windows malware code that showed up in an Android application. While the malware wouldn’t execute, it showed that attackers are getting very innovative on their attacks. Healthcare Findings In addition to monitoring for known threats, healthcare organizations need to proactively monitor their networks for the unknown threats MONTHS IN ADVANCE IN that come every day. Much like how an x-ray can EARLIEST DETECTION “see” inside the human body, the network needs to be monitored for things that the security team can not see. Following Up in Three Months NEW THREATS FOUND THIS QUARTER Implementing a top-down security mandate across any healthcare organization in no easy © 2019 BluVector, Inc. bluvector.io 7 Healthcare Threat Report 2019 APT: Rising Sun 43 What Is It? pointing toward Lazarus. However, they make no determination of attribution, as they state it is Researchers at McAfee identified a new Advanced also potentially an attempted false flag operation Persistent Threat (APT) campaign they have aimed at placing the blame on Lazarus. named Operation Sharpshooter, which uses a cyber espionage payload they named Rising Sun. How Does It Propagate? The Rising Sun backdoor uses the RC4 The Rising Sun malware does not contain the cipher to encrypt its configuration data and necessary code to self-propagate. The attack communications. As with most backdoors, vector in this case is embedded in malicious Word on initial infection, Rising Sun will send data documents containing macros which download regarding the infected system to a command the malicious payload. It is believed that targeted and control (C2) site. That information captures individuals were sent messages on social media computer and user name, IP address, operating containing links to the Word documents, claiming system version and network adapter information. to be work recruitment campaigns.
Load more

Recommended publications
  • Ransom Where?
    Ransom where? Holding data hostage with ransomware May 2019 Author With the evolution of digitization and increased interconnectivity, the cyberthreat landscape has transformed from merely a security and privacy concern to a danger much more insidious by nature — ransomware. Ransomware is a type of malware that is designed to encrypt, Imani Barnes Analyst 646.572.3930 destroy or shut down networks in exchange [email protected] for a paid ransom. Through the deployment of ransomware, cybercriminals are no longer just seeking to steal credit card information and other sensitive personally identifiable information (PII). Instead, they have upped their games to manipulate organizations into paying large sums of money in exchange for the safe release of their data and control of their systems. While there are some business sectors in which the presence of this cyberexposure is overt, cybercriminals are broadening their scopes of potential victims to include targets of opportunity1 across a multitude of industries. This paper will provide insight into how ransomware evolved as a cyberextortion instrument, identify notorious strains and explain how companies can protect themselves. 1 WIRED. “Meet LockerGoga, the Ransomware Crippling Industrial Firms” March 25, 2019; https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/. 2 Ransom where? | May 2019 A brief history of ransomware The first signs of ransomware appeared in 1989 in the healthcare industry. An attacker used infected floppy disks to encrypt computer files, claiming that the user was in “breach of a licensing agreement,”2 and demanded $189 for a decryption key. While the attempt to extort was unsuccessful, this attack became commonly known as PC Cyborg and set the archetype in motion for future attacks.
    [Show full text]
  • Monthly Threat Report November 2020
    NTT Ltd. Global Threat Intelligence Center Monthly Threat Report November 2020 hello.global.ntt report | GTIC Monthly Threat Report: November 2020 Contents Feature article: Security in the app economy 03 Spotlight article: The Trickbot takedown 07 Spotlight article: Snapshot of threats to retail 08 About NTT Ltd.’s Global Threat Intelligence Center 09 2 | © Copyright NTT Ltd. hello.global.ntt report | GTIC Monthly Threat Report: November 2020 Security in the app economy Lead Analyst: Zach Jones, Sr. Director of Detection Research, WhiteHat Security, US It used to be simple; a retailer Attack vectors and security spending when organizations are trying to enable was a retailer and a bank was are misaligned customer access in our ‘there’s an app for that’ world. The problem is that a bank. Initially, the role of According to our 2020 NTT Ltd. represents a pipeline where benign and Global Threat Intelligence Report, 33% software in non-technology malicious traffic alike enter networks of observed attacks globally were sectors stayed behind the straight through firewalls and DMZs. The application-specific and 22% of attacks protocol was never designed for secure scenes, supporting the core were web-application based. This means application delivery so building HTTP competencies of that industry, a total of 55% of attacks detected globally applications is prone to error. Threat like inventory management occurred at the application layer. for retailers and account actors will continue to abuse these virtual According to Gartner Group, the 2020 front doors and windows. They are easy management for banks. Security Market Segment spend is to access and are often the weakest link This is no longer the case.
    [Show full text]
  • Virtual Currencies and Terrorist Financing : Assessing the Risks And
    DIRECTORATE GENERAL FOR INTERNAL POLICIES POLICY DEPARTMENT FOR CITIZENS' RIGHTS AND CONSTITUTIONAL AFFAIRS COUNTER-TERRORISM Virtual currencies and terrorist financing: assessing the risks and evaluating responses STUDY Abstract This study, commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the TERR Committee, explores the terrorist financing (TF) risks of virtual currencies (VCs), including cryptocurrencies such as Bitcoin. It describes the features of VCs that present TF risks, and reviews the open source literature on terrorist use of virtual currencies to understand the current state and likely future manifestation of the risk. It then reviews the regulatory and law enforcement response in the EU and beyond, assessing the effectiveness of measures taken to date. Finally, it provides recommendations for EU policymakers and other relevant stakeholders for ensuring the TF risks of VCs are adequately mitigated. PE 604.970 EN ABOUT THE PUBLICATION This research paper was requested by the European Parliament's Special Committee on Terrorism and was commissioned, overseen and published by the Policy Department for Citizens’ Rights and Constitutional Affairs. Policy Departments provide independent expertise, both in-house and externally, to support European Parliament committees and other parliamentary bodies in shaping legislation and exercising democratic scrutiny over EU external and internal policies. To contact the Policy Department for Citizens’ Rights and Constitutional Affairs or to subscribe to its newsletter please write to: [email protected] RESPONSIBLE RESEARCH ADMINISTRATOR Kristiina MILT Policy Department for Citizens' Rights and Constitutional Affairs European Parliament B-1047 Brussels E-mail: [email protected] AUTHORS Tom KEATINGE, Director of the Centre for Financial Crime and Security Studies, Royal United Services Institute (coordinator) David CARLISLE, Centre for Financial Crime and Security Studies, Royal United Services Institute, etc.
    [Show full text]
  • CYBER ATTACK TRENDS Mid Year Report 2021 CONTENTS
    CYBER ATTACK TRENDS Mid Year Report 2021 CONTENTS 04 EXECUTIVE SUMMARY 07 TRIPLE EXTORTION RANSOMWARE—THE THIRD-PARTY THREAT 11 SOLARWINDS AND WILDFIRES 15 THE FALL OF AN EMPIRE—EMOTET’S FALL AND SUCCESSORS 19 MOBILE ARENA DEVELOPMENTS 2 22 COBALT STRIKE STANDARDIZATION 26 CYBER ATTACK CATEGORIES BY REGION 28 GLOBAL THREAT INDEX MAP 29 TOP MALICIOUS FILE TYPES—WEB VS. EMAIL CHECK POINT SOFTWARE MID-YEAR REPORT 2021 31 GLOBAL MALWARE STATISTICS 31 TOP MALWARE FAMILIES 34 Top Cryptomining Malware 36 Top Mobile Malware 38 Top Botnets 40 Top Infostealers Malware 42 Top Banking Trojans 44 HIGH PROFILE GLOBAL VULNERABILITIES 3 47 MAJOR CYBER BREACHES (H1 2021) 53 H2 2021: WHAT TO EXPECT AND WHAT TO DO 56 PREVENTING MEGA CYBER ATTACKS 60 CONCLUSION CHECK POINT SOFTWARE MID-YEAR REPORT 2021 EXECUTIVE SUMMARY CHECK POINT SOFTWARE’S MID-YEAR SECURITY REPORT REVEALS A 29% INCREASE IN CYBERATTACKS AGAINST ORGANIZATIONS GLOBALLY ‘Cyber Attack Trends: 2021 Mid-Year Report’ uncovers how cybercriminals have continued to exploit the Covid-19 pandemic and highlights a dramatic global 93% increase in the number of ransomware attacks • EMEA: organizations experienced a 36% increase in cyber-attacks since the beginning of the year, with 777 weekly attacks per organization • USA: 17% increase in cyber-attacks since the beginning of the year, with 443 weekly attacks per organization • APAC: 13% increase in cyber-attacks on organizations since the beginning of the year, with 1338 weekly attacks per organization In the first six months of 2021, the global rollout of COVID-19 vaccines gave hope that we will be able to live without restrictions at some point—but for a majority of organizations internationally, a return to pre-pandemic ‘norms’ is still some way off.
    [Show full text]
  • North Korean Cyber Capabilities: in Brief
    North Korean Cyber Capabilities: In Brief Emma Chanlett-Avery Specialist in Asian Affairs Liana W. Rosen Specialist in International Crime and Narcotics John W. Rollins Specialist in Terrorism and National Security Catherine A. Theohary Specialist in National Security Policy, Cyber and Information Operations August 3, 2017 Congressional Research Service 7-5700 www.crs.gov R44912 North Korean Cyber Capabilities: In Brief Overview As North Korea has accelerated its missile and nuclear programs in spite of international sanctions, Congress and the Trump Administration have elevated North Korea to a top U.S. foreign policy priority. Legislation such as the North Korea Sanctions and Policy Enhancement Act of 2016 (P.L. 114-122) and international sanctions imposed by the United Nations Security Council have focused on North Korea’s WMD and ballistic missile programs and human rights abuses. According to some experts, another threat is emerging from North Korea: an ambitious and well-resourced cyber program. North Korea’s cyberattacks have the potential not only to disrupt international commerce, but to direct resources to its clandestine weapons and delivery system programs, potentially enhancing its ability to evade international sanctions. As Congress addresses the multitude of threats emanating from North Korea, it may need to consider responses to the cyber aspect of North Korea’s repertoire. This would likely involve multiple committees, some of which operate in a classified setting. This report will provide a brief summary of what unclassified open-source reporting has revealed about the secretive program, introduce four case studies in which North Korean operators are suspected of having perpetrated malicious operations, and provide an overview of the international finance messaging service that these hackers may be exploiting.
    [Show full text]
  • Global Security Report End Year 2020 Executive Summary
    Global Security Report End Year 2020 Executive Summary The Zix | AppRiver Global Security Report for 2020 highlights the threats and trends Zix | AppRiver Security analysts saw throughout the year. In 2020, analysts saw attackers shift their tactics to take advantage of the unprecedented situation the world faced due to the Covid-19 pandemic. These attacks: • Aimed to take advantage of uncertainty surrounding the pandemic and the shift to “work from home” throughout much of the year. • Leveraged other world events, like the contentious US election, to distribute their attacks. • Multiplied "living off the land” attacks across many new and otherwise legitimate services. • Continued shift from high volume email blasts to a much more focused and customized attack style. • Posed impersonation attacks as internal executive communications and were persistent throughout 2020. In this report, we will take a deep dive into many of the threats and trends we saw in email security as well as discuss examples of prevalent attacks and explore potential impacts. Introduction Threat actors have always leveraged both local and world events to help spread their attacks. Never more so than in 2020. Early in the year, as the global pandemic came to fruition, attackers began launching spam, phishing and malware attacks utilizing interest in the pandemic. It wasn’t long before they had begun crafting attacks centered around the surge in remote work. Later in the year they took advantage of the contentious US Election cycle to distribute attacks. In 2020, Attackers continued to embrace the use of more targeted attacks versus the large volume email blasts we have seen in the past.
    [Show full text]
  • 2015 Threat Report Provides a Comprehensive Overview of the Cyber Threat Landscape Facing Both Companies and Individuals
    THREAT REPORT 2015 AT A GLANCE 2015 HIGHLIGHTS A few of the major events in 2015 concerning security issues. 08 07/15: Hacking Team 07/15: Bugs prompt 02/15: Europol joint breached, data Ford, Range Rover, 08/15: Google patches op takes down Ramnit released online Prius, Chrysler recalls Android Stagefright botnet flaw 09/15: XcodeGhost 07/15: Android 07/15: FBI Darkode tainted apps prompts Stagefright flaw 08/15: Amazon, ENFORCEMENT bazaar shutdown ATTACKS AppStore cleanup VULNERABILITY reported SECURITYPRODUCT Chrome drop Flash ads TOP MALWARE BREACHING THE MEET THE DUKES FAMILIES WALLED GARDEN The Dukes are a well- 12 18 resourced, highly 20 Njw0rm was the most In late 2015, the Apple App prominent new malware family in 2015. Store saw a string of incidents where dedicated and organized developers had used compromised tools cyberespionage group believed to be to unwittingly create apps with malicious working for the Russian Federation since behavior. The apps were able to bypass at least 2008 to collect intelligence in Njw0rm Apple’s review procedures to gain entry support of foreign and security policy decision-making. Angler into the store, and from there into an ordinary user’s iOS device. Gamarue THE CHAIN OF THE CHAIN OF Dorkbot COMPROMISE COMPROMISE: 23 The Stages 28 The Chain of Compromise Nuclear is a user-centric model that illustrates Kilim how cyber attacks combine different Ippedo techniques and resources to compromise Dridex devices and networks. It is defined by 4 main phases: Inception, Intrusion, WormLink Infection, and Invasion. INCEPTION Redirectors wreak havoc on US, Europe (p.28) INTRUSION AnglerEK dominates Flash (p.29) INFECTION The rise of rypto-ransomware (p.31) THREATS BY REGION Europe was particularly affected by the Angler exploit kit.
    [Show full text]
  • Internet Security Threat Report VOLUME 21, APRIL 2016 TABLE of CONTENTS 2016 Internet Security Threat Report 2
    Internet Security Threat Report VOLUME 21, APRIL 2016 TABLE OF CONTENTS 2016 Internet Security Threat Report 2 CONTENTS 4 Introduction 21 Tech Support Scams Go Nuclear, 39 Infographic: A New Zero-Day Vulnerability Spreading Ransomware Discovered Every Week in 2015 5 Executive Summary 22 Malvertising 39 Infographic: A New Zero-Day Vulnerability Discovered Every Week in 2015 8 BIG NUMBERS 23 Cybersecurity Challenges For Website Owners 40 Spear Phishing 10 MOBILE DEVICES & THE 23 Put Your Money Where Your Mouse Is 43 Active Attack Groups in 2015 INTERNET OF THINGS 23 Websites Are Still Vulnerable to Attacks 44 Infographic: Attackers Target Both Large and Small Businesses 10 Smartphones Leading to Malware and Data Breaches and Mobile Devices 23 Moving to Stronger Authentication 45 Profiting from High-Level Corporate Attacks and the Butterfly Effect 10 One Phone Per Person 24 Accelerating to Always-On Encryption 45 Cybersecurity, Cybersabotage, and Coping 11 Cross-Over Threats 24 Reinforced Reassurance with Black Swan Events 11 Android Attacks Become More Stealthy 25 Websites Need to Become Harder to 46 Cybersabotage and 12 How Malicious Video Messages Could Attack the Threat of “Hybrid Warfare” Lead to Stagefright and Stagefright 2.0 25 SSL/TLS and The 46 Small Business and the Dirty Linen Attack Industry’s Response 13 Android Users under Fire with Phishing 47 Industrial Control Systems and Ransomware 25 The Evolution of Encryption Vulnerable to Attacks 13 Apple iOS Users Now More at Risk than 25 Strength in Numbers 47 Obscurity is No Defense
    [Show full text]
  • Compromised Connections
    COMPROMISED CONNECTIONS OVERCOMING PRIVACY CHALLENGES OF THE MOBILE INTERNET The Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and many other international and regional treaties recognize privacy as a fundamental human right. Privacy A WORLD OF INFORMATION underpins key values such as freedom of expression, freedom of association, and freedom of speech, IN YOUR MOBILE PHONE and it is one of the most important, nuanced and complex fundamental rights of contemporary age. For those of us who care deeply about privacy, safety and security, not only for ourselves but also for our development partners and their missions, we need to think of mobile phones as primary computers As mobile phones have transformed from clunky handheld calling devices to nifty touch-screen rather than just calling devices. We need to keep in mind that, as the storage, functionality, and smartphones loaded with apps and supported by cloud access, the networks these phones rely on capability of mobiles increase, so do the risks to users. have become ubiquitous, ferrying vast amounts of data across invisible spectrums and reaching the Can we address these hidden costs to our digital connections? Fortunately, yes! We recommend: most remote corners of the world. • Adopting device, data, network and application safety measures From a technical point-of-view, today’s phones are actually more like compact mobile computers. They are packed with digital intelligence and capable of processing many of the tasks previously confined
    [Show full text]
  • Threat Landscape Report
    QUARTERLY Threat Landscape Report Q3 2020 NUSPIRE.COM THIS REPORT IS SOURCED FROM 90 BILLION TRAFFIC LOGS INGESTED FROM NUSPIRE CLIENT SITES AND ASSOCIATED WITH THOUSANDS OF DEVICES AROUND THE GLOBE. Nuspire Threat Report | Q2Q3 | 2020 Contents Introduction 4 Summary of Findings 6 Methodology and Overview 7 Quarter in Review 8 Malware 9 Botnets 15 Exploits 20 The New Normal 28 Conclusion and Recommendations 31 About Nuspire 33 3 | Contents Nuspire Threat Report | Q3 | 2020 Introduction In Q2 2020, Nuspire observed the increasing lengths threat actors were going to in order to capitalize on the pandemic and resulting crisis. New attack vectors were created; including VPN usage, home network security issues, personal device usage for business purposes and auditability of network traffic. In Q3 2020, we’ve observed threat actors become even more ruthless. Shifting focus from home networks to overburdened public entities including the education sector and the Election Assistance Commission (EAC). Many school districts were forced into 100% virtual or hybrid learning models by the pandemic. Attackers have waged ransomware attacks at learning institutions who not only have the financial resources to pay ransoms but feel a sense of urgency to do so in order to avoid disruptions during the school year. Meanwhile, the U.S. Elections have provided lures for phishers to attack. Nuspire witnessed Q3 attempts to guide victims to fake voter registration pages to harvest information while spoofing the Election Assistance Commission (EAC). Like these examples, cybercriminals taking advantage of prominent media themes are expected. We anticipate our Q4 2020 Threat Report 4 | Introduction Nuspire Threat Report | Q3 | 2020 to find campaigns leveraging more of the United report each quarter is a great step to gain that States Presidential election as well.
    [Show full text]
  • The Dark Reality of Open Source Spotlight Report
    SPOTLIGHT The Dark Reality of Open Source Through the Lens of Threat and Vulnerability Management RiskSense Spotlight Report • May 2020 Executive Summary Open sourCe software (OSS) has quiCkly transformed both And while Heartbleed and the Apache Struts how modern applications are built and the underlying code vulnerabilities are the household names of open source they rely on. Access to high-quality and powerful open vulnerabilities, they are far from the only examples. Open source software projects has allowed developers to quickly source software is increasingly being targeted by integrate new capabilities into their applications without cryptominers, ransomware, and leveraged in DDoS having to reinvent the wheel. As a result, it is now estimated attacks. Unfortunately, OSS vulnerabilities are often a that between 80% and 90% of the code in most modern blind spot for many enterprises, who may not always be applications is made up of open source components. aware of all the open source projects and dependencies Likewise, many of the very tools that have enabled the that are used in their applications. growth of DevOps and CI/CD such as Jenkins, Kubernetes, and Docker are themselves open source projects. With this in mind, we have focused this version of the RiskSense Spotlight report on vulnerabilities in some of OSS also allows organizations to reduce their software today’s most popular open source software, including costs, and is often key to digital transformation efforts more than 50 OSS projects and over 2,600 vulnerabilities. and the transition of services to the cloud. It is no We then used this dataset to provide a risk-based surprise then that a 2020 report from Red Hat found that analysis of open source software to reveal the following: 95% of organizations view open source software as strategically important to their business.
    [Show full text]
  • APT and Cybercriminal Targeting of HCS June 9, 2020 Agenda
    APT and Cybercriminal Targeting of HCS June 9, 2020 Agenda • Executive Summary Slides Key: • APT Group Objectives Non-Technical: managerial, strategic • APT Groups Targeting Health Sector and high-level (general audience) • Activity Timeline Technical: Tactical / IOCs; requiring • TTPs in-depth knowledge (sysadmins, IRT) • Malware • Vulnerabilities • Recommendations and Mitigations TLP: WHITE, ID#202006091030 2 Executive Summary • APT groups steal data, disrupt operations, and destroy infrastructure. Unlike most cybercriminals, APT attackers pursue their objectives over longer periods of time. They adapt to cyber defenses and frequently retarget the same victim. • Common HPH targets include: • Healthcare Biotechnology Medical devices • Pharmaceuticals Healthcare information technology • Scientific research • HPH organizations who have been victim of APT attacks have suffered: • Reputational harm Disruption to operations • Financial losses PII/PHI and proprietary data theft • HC3 recommends several mitigations and controls to counter APT threats. TLP: WHITE, ID#202006091030 3 APT Group Objectives • Motivations of APT Groups which target the health sector include: • Competitive advantage • Theft of proprietary data/intellectual capital such as technology, manufacturing processes, partnership agreements, business plans, pricing documents, test results, scientific research, communications, and contact lists to unfairly advance economically. • Intelligence gathering • Groups target individuals and connected associates to further social engineering
    [Show full text]