Monthly Archives: April 2016

Mumblehard Linux Botnet Taken Down by Security Firm

A security firm has successfully taken down the Mumblehard Linux botnet as part of a public-private legal effort.

The story begins in April 2015, when ESET, an IT security firm located in Slovakia, first published a report (PDF) on the botnet.

“Linux/Mumblehard is a family of malware targeting servers running both the Linux and BSD operating systems,” ESET researchers explain. “A Mumblehard infected server opens a backdoor for the cybercriminals that allows them full control of the system by running arbitrary code. It also has a general-purpose proxy and a module for sending spam messages.”

The researchers go on to note that they registered a domain name acting as a command and control (C&C) server for Mumblehard’s backdoor module, a move which allowed them to collect statistics about the botnet’s size and distribution.

About a month after it published its report, ESET noticed an apparent reaction from the malware authors when they decided to remove all unnecessary domain names and IP addresses from the list of C&C servers, keeping just one under their control.

Statistics from Mumblehard sinkhole after the publication (Source: ESET)

This gave the security researchers an idea.

“With only one IP address acting as the C&C server for the Mumblehard backdoor and no fallback mechanism, a takeover of that IP address would suffice to stop the malicious activities of this botnet,” ESET explains in a blog post. “We decided to take action and contacted the relevant authorities to make things happen.”

Working with the Cyber Police of Ukraine and CyS Centrum LLC, another security company, ESET was able to learn more about the botnet and eventually replace the Mumblehard C&C server with a sinkhole on February 29th, 2016.

Data collected by ESET indicates upwards of 4,000 Linux systems had been compromised by the botnet.

Currently, CERT-Bund is working to notify all affected parties.

“Collaboration with law enforcement and external entities was crucial in making this operation a success. ESET would like to thank the Cyber Police of Ukraine, CyS Centrum LLC and CERT-Bund,” the security researchers conclude. “We are proud of our efforts to make the internet a safer place. Mumblehard might not be the most prevalent, the most dangerous or the most sophisticated botnet out there, but shutting it down is still a step in the right direction and shows that security researchers working with other entities can help reduce the impact of criminal activity on the internet.”

News of this takedown comes approximately two years after the FBI led an international legal effort to disrupt the Gameover ZeuS botnet.

Via: tripwire

Two Years After End-of-Life, 11% of Machines Still Run Windows XP

Despite the operating system reaching end of life exactly two years ago today, statistics show Windows XP still runs on one out of every ten desktops around the world.

According to IT security firm ESET, however, the numbers have dropped significantly since Microsoft pulled support for its once dominant platform.

By comparison, on April 8, 2014, nearly 28 percent of machines across the globe were running Windows XP. In the months after the operating system’s end-of-life (EOL), only about 2.4 percent had upgraded to Windows 7 or Windows 8.1.

ESET researcher Aryeh Goretsky explained that while Windows XP is down to a fraction of its original market share, it remains in use worldwide at 8-11 percent – and somewhat higher in emerging markets.

March 2016 Desktop Operating System Market Share. Source: NetMarketShare

Without regular updates or patches, the remaining users’ PCs are considerably more vulnerable to malicious code designed to steal or damage data.

“[Computers still running Windows XP] can act as springboards for attacking other systems, as well,” warned Goretsky.

“While it’s critical that users protect these unpatched, unsupported systems, it is even more important for them to migrate to newer versions of Windows, which are more secure.”

Furthermore, in January of this year, Microsoft ended support for several older versions of Internet Explorer. Google Chrome followed suit by announcing it would no longer support Windows XP come April 2016.

“Such older platforms are missing critical security updates and have a greater potential to be infected by viruses and malware,” Google’s Director of Engineering Marc Pawliger also warned.

Via: tripwire

Apple fixes iPhone passcode bypass flaw server-side, without having to push out an update

Credit where credit is due – Apple cannot be accused of slouching when it comes to fixing a newly publicized vulnerability that could have seen unauthorized parties bypassing the passcode and accessing information from iPhones.

And what’s more, the Cupertino firm was able to fix the flaw without having to push any new software out to the millions of iPhones potentially at risk.

The flaw, present in the latest version 9.3.1 of iOS, made it possible for someone with physical access to your iPhone to gain unauthorized access – waltzing past the passcode and Touch ID fingerprint sensor.

Vulnerability Labs disclosed details of the security hole, explaining the process.

With a locked iPhone, an attacker can command Siri to search an app (such as Twitter). When a result containing contact details – such as an email address – is found, the attacker can use 3D Touch to bring up the Quick Actions Menu, allowing them to add it to an existing contact. And with this, the iPhone’s complete contacts list is exposed.

With a few more clicks, the iPhone’s photo library is accessible too.

Researcher Jose Rodriguez made a YouTube video, demonstrating how easy it was to exploit the vulnerability.

Vulnerability Labs says that it informed Apple’s security team of the flaw on 18 March, but that the flaw was still present when Apple rolled out iOS 9.3.1 on April 4th.

However, it now appears that Apple did not have to change iOS at all in order to fix the security hole.

Instead, the company has made a server-side change, forcing Siri to request that the iPhone is unlocked (through a recognized fingerprint or passcode) when searches that could result in the flaw being exploited are requested.

Nonetheless, there have been too many passcode bypass flaws found in iOS over the years for my liking.

If you worry that your supposedly locked iPhone might be vulnerable to future flaws then it seems to me that you can increase your security by permanently disabling Siri from the lock screen.

To do that, go to Settings / Touch ID & Passcode, scroll down to the “Allow access when locked” section and disable Siri.

An obvious question is whether this vulnerability could have helped the authorities in the recent FBI vs Apple case.

Personally, I think that’s unlikely.

The iPhone at the center of the San Bernardino case was an iPhone 5C. The vulnerability that Apple has just patched only works on devices which include support for 3D Touch – in other words, the iPhone 6S and iPhone 6S Plus.

Via: tripwire

MedStar Health almost back online, but other hospitals hit

MedStar Health is reporting that its clinical and management computer systems are almost fully back online, eight days after the medical organization suffered a cyber attack that forced it to shut down its network.

On March 28 the company reported that a virus had hit its network, preventing some users from logging on and using the system, and that it had taken its systems down to prevent the problem from spreading. MedStar runs 10 hospitals and 250 outpatient clinics in the Maryland and Washington, D.C. area. The organization has not stated what type of attack took place, but information security industry speculation is leaning toward ransomware.

MedStar found itself in good company.

According to Healthcare IT News, three California hospitals run by Prime Healthcare – Alvarado Hospital Medical Center, Chino Valley Medical Center and Desert Valley Medical Center – all experienced attacks in late March. In addition, King’s Daughters’ Hospital in Madison, Ind., had a computer infected with ransomware.

All of those organizations were able to regain use of their systems in just a short period of time and no patient information was compromised nor were any ransoms paid, Healthcare IT News reported.

Via: scmagazine

Adobe to Issue Patch for “Critical” Flash Player Vulnerability

Adobe has announced its plans to release a patch for a “critical” Flash Player vulnerability that is currently being exploited in the wild.

In a security advisory, the transnational computer software company explains that the vulnerability (CVE-2016-1019) exists in all current versions of Flash Player for Windows, Macintosh, Linux, and Chrome OS.

“Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe warns.

At this time, Adobe is aware of reports indicating that attackers are actively exploiting CVE-2016-1019 in the wild, particularly on machines running Windows 7 and Windows XP with Flash Player versions 20.0.0.306 and earlier.

The advisory recommends that users update to 21.0.0.197, the latest version of Adobe Flash Player. The vulnerability still exists in that version, but Adobe notes that a mitigation introduced in version 21.0.0.182 currently protects users against exploitation of the vulnerability.

To verify the version of Flash installed on a system, users are urged to visit Adobe’s about page or right-click on Flash-based content and select “About Adobe (or Macromedia) Flash Player.” This check should be performed on any and all browsers that are used on a regular basis.

If any browser is found to be running a version earlier than 21.0.0.182, users should update to the newest version of Adobe Flash Player immediately.
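As an added example that is not part of the article or of Adobe’s advisory, the following Python helper turns the three version thresholds quoted above into a check an administrator could run over an inventory of installed Flash Player versions. The inventory format and host names are constructed; the numeric comparison matters because a plain string compare would rank “9.0.0.1” above “21.0.0.197”.

```python
from typing import Dict, Tuple

# Thresholds quoted in Adobe's advisory for CVE-2016-1019.
EXPLOITED_UP_TO = "20.0.0.306"   # in-the-wild exploitation reported on these and earlier
MITIGATED_FROM = "21.0.0.182"    # build that introduced the protecting mitigation
LATEST = "21.0.0.197"            # version the advisory tells users to install


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '21.0.0.197' into (21, 0, 0, 197) so comparison is numeric.

    Shorter strings are padded with zeros so '21.0' == '21.0.0.0'.
    Anything that is not dotted digits raises, so junk inventory values
    are surfaced instead of silently treated as safe.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {v!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def classify_flash_version(v: str) -> str:
    """Map a version string onto the advisory's guidance.

    'update-now'  : below 21.0.0.182, no mitigation present
    'mitigated'   : has the mitigation but is not the latest build
    'current'     : 21.0.0.197 or newer
    """
    ver = parse_version(v)
    if ver < parse_version(MITIGATED_FROM):
        return "update-now"
    if ver < parse_version(LATEST):
        return "mitigated"
    return "current"


def exploited_in_wild(v: str) -> bool:
    """True for the version range the advisory says attackers are hitting."""
    return parse_version(v) <= parse_version(EXPLOITED_UP_TO)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify every host; unparseable entries are flagged for follow-up.

    inventory maps a host name to the Flash version reported for it
    (hypothetical format, e.g. from a software-inventory export).
    """
    result = {}
    for host, version in inventory.items():
        try:
            status = classify_flash_version(version)
        except ValueError:
            status = "unknown-version"
        result[host] = status
    return result


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    sample = {"ws-01": "20.0.0.306", "ws-02": "21.0.0.182",
              "ws-03": "21.0.0.197", "ws-04": "9.0.0.1", "ws-05": "n/a"}
    for host, status in triage(sample).items():
        print(host, status)
```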

In the meantime, Adobe intends to release an emergency security update that addresses this vulnerability, whose discovery is credited to Kafeine (EmergingThreats/Proofpoint) and Genwei Jiang (FireEye, Inc.), as well as Clement Lecigne of Google, as early as April 7th.

News of this vulnerability comes on the heels of Adobe’s decision to rebrand Flash Professional as Adobe Animate CC. Although some industry voices have argued this move could spell the end for Flash Player, Adobe has reiterated its plans to work with Microsoft, Google, Facebook, and other partners in an effort to improve the security and compatibility of Flash content.

Via: tripwire

WhatsApp’s Latest Update Adds End-to-End Encryption On All Communication By Default

WhatsApp, the popular mobile messaging application with more than one billion active users, has announced it is adding full end-to-end encryption to all communication on its service.

The feature means a major enhancement in security for users worldwide, making it nearly impossible for anyone to snoop on the messages, phone calls, photos, videos and attachments exchanged across WhatsApp’s network.

End-to-end encryption is enabled by default on any mobile phone running the latest version of the app, including iPhone, Android, Windows, Blackberry and Nokia.

“The idea is simple: when you send a message, the only person who can read it is the person or group chat that you send the message to,” reads a blog post published by WhatsApp.

“No one can see inside that message. Not cybercriminals. Not hackers. Not oppressive regimes. Not even us. End-to-end encryption helps make communication via WhatsApp private – sort of like a face-to-face conversation.”

The app originally began implementing encryption back in 2013, and adopted the capability for messages on certain phones after a collaboration with privacy-focused company Open Whisper Systems in 2014.

Committed to expanding support across additional in-app features and operating systems, WhatsApp says it spent the last 18 months fully integrating Open Whisper Systems’ strong encryption protocol into the product.

The announcement comes on the heels of much controversy around the Apple vs. FBI debacle, which has brought the issue of encryption and user privacy front and center.

“Encryption is one of the most important tools governments, companies and individuals have to promote safety and security in the new digital age,” said WhatsApp.

“While we recognize the important work of law enforcement in keeping people safe, efforts to weaken encryption risk exposing people’s information to abuse from cybercriminals, hackers and rogue states.”

According to Wired Magazine, the company has recently received a wiretap order after the Justice Department “ran into its end-to-end encryption,” which could potentially lead to another court battle.

WhatsApp declined to comment on the particular order, reported Wired.

Via: tripwire

United States, Canada Issue Joint Alert on Ransomware

The United States and Canada have issued a joint alert on ransomware and the threat it poses to both individuals and businesses.

In their bulletin, the Canadian Cyber Incident Response Centre (CCIRC) and the United States Computer Emergency Readiness Team (US-CERT), which operates under the Department of Homeland Security (DHS), provide an overview of ransomware, including how it works and what types of samples may currently be circulating around the web.

The alert names two new variants in particular: Samas and Locky. The former is known to have targeted vulnerable web servers at healthcare facilities earlier this year, whereas the latter is known to have recently locked hospitals and other medical centers out of their computer systems.

Not all Locky infections have been the same. Back in February, the ransomware targeted the computer systems of Hollywood Presbyterian Medical Center, a hospital based in southern California. Hospital staff were locked out of the computer system for close to 10 days until administrators ultimately decided to pay the ransom fee of approximately US$17,000.

More recently, the Ottawa Hospital fell victim to Locky, but it restored its systems without paying a dime via the use of data backups.

The FBI has recommended in the past that paying the ransom is sometimes the only way to retrieve your encrypted data. But that’s not necessarily the case.

“Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information,” the alert warns. “In addition, decrypting files does not mean the malware infection itself has been removed.”

With that in mind, US-CERT and CCIRC recommend that individuals and organizations alike focus on ransomware prevention, which should include creating a data backup plan and maintaining an up-to-date antivirus solution on all computers/devices.


Via: tripwire

Creating a Malware/Ransomware Defendable Network

The risk posed by sophisticated malware, and by ransomware in particular, has grown sharply over the years. This means we need to evolve our techniques for mitigation, detection and monitoring of malicious behavior on our assets. It’s a wise move given the durability of this threat. Indeed, ransomware, which attempts to scare users and organizations into paying a fee to retrieve their hijacked data, is on the rise and is something we’ll probably see for years to come.

To prevent ransomware from abusing our networks, multiple layers of protection are needed for complete coverage. These include: (1) Pre-breach/Mitigation, (2) Active Breach, (3) Post-breach, (4) Active Monitoring, and (5) Tuning Current Configurations. Addressing these five layers in tandem allows for a comprehensive approach to defending an enterprise against malware.

PRE-BREACH/MITIGATION

The first step to defending against ransomware is to stop it as close to the endpoint as possible. This means deploying an anti-virus product from a vendor you work with, properly configured to defend the system against malware.

With this being said, not all anti-virus is created equal. The old-school mentality of using signatures to defend against malware has lost its edge when it comes to guarding systems against present-day malware. Investing in next-generation antivirus (NG-AV) that isn’t based on signatures but is instead predicated on machine learning and knowledge of common attack locations yields a higher rate of detection than signature-based anti-malware products.

In the meantime, there should be a review of your current anti-virus solutions to make sure you have security software installed and appropriately configured on all necessary systems.

Having anti-virus fine-tuned, even with a NG-AV, won’t always protect you from ransomware. That’s why using native internal policies on the endpoints to restrict where files can be installed can go a long way in defending against attacks.

ACTIVE BREACH

The second layer of defense when creating a malware defendable network is to have systems in place that will determine when an active breach is occurring. These systems are designed to catch threats that bypass malware protection on the endpoint (if the system has endpoint protection to begin with) and issue an alert when a breach is detected on the network.

This is done passively, either by setting up network taps within the core of the network and alerting on deviations from user baselines, or by utilizing deception technology/decoys (honeypots/honeytokens) that alert to the presence of something that shouldn’t have touched them.

Active breach technology doesn’t stop threats, but it proactively notifies of an attack that’s currently underway. It will also assist with limiting the scope of a response against an attack. Since this doesn’t rely on agents, it gives a holistic view of what might have been missed with endpoint AV agents.
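As an added example that is not part of the original article, the following Python sketch applies the two passive “active breach” signals described above (a burst of file changes beyond a user’s baseline, and any touch of a honeytoken file) to constructed file-server audit lines. The log format, per-user baselines, honeytoken path and the 3× burst multiplier are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# Constructed audit lines: "<epoch> <user> <host> <op> <path>" (for a rename,
# <path> is the resulting name). Bob's burst of renames is the ransomware-like case.
SAMPLE_LOG = """\
1459900000 alice fs01 write /share/finance/q1.xlsx
1459900030 alice fs01 write /share/finance/q2.xlsx
1459900100 bob fs01 write /share/hr/notes.docx
1459900101 bob fs01 rename /share/hr/notes.docx.locky
1459900102 bob fs01 rename /share/hr/offer.docx.locky
1459900103 bob fs01 rename /share/hr/payroll.xlsx.locky
1459900104 bob fs01 rename /share/hr/handbook.pdf.locky
1459900105 bob fs01 rename /share/hr/org.vsdx.locky
1459900106 bob fs01 rename /share/hr/review.docx.locky
1459900107 bob fs01 write /share/hr/_HELP_instructions.txt
1459900200 carol fs02 read /share/admin/passwords-backup.txt
"""

# Constructed honeytoken: a decoy file nobody has a business reason to open.
HONEYTOKENS = {"/share/admin/passwords-backup.txt"}

# Constructed per-user baseline: typical file changes per 60-second window.
BASELINE_PER_MIN = {"alice": 4, "bob": 2, "carol": 3}
BURST_MULTIPLIER = 3        # alert when a window holds more than 3x the baseline
WINDOW_SECONDS = 60
CHANGE_OPS = ("write", "rename", "delete")

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(read|write|rename|delete)\s+(\S+)$")


def parse_line(line: str) -> Optional[Tuple[int, str, str, str, str]]:
    """Parse one audit line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, host, op, path = m.groups()
    return int(ts), user, host, op, path


def detect(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return alerts as (kind, user, host, detail), in log order.

    kind is 'honeytoken' for any access to a decoy path and 'burst' (once
    per user) when the sliding window of changes exceeds the baseline.
    """
    alerts: List[Tuple[str, str, str, str]] = []
    windows: Dict[str, Deque[int]] = defaultdict(deque)
    burst_reported = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, user, host, op, path = ev
        if path in HONEYTOKENS:
            alerts.append(("honeytoken", user, host, f"{op} {path}"))
        if op in CHANGE_OPS:
            w = windows[user]
            w.append(ts)
            while w and ts - w[0] > WINDOW_SECONDS:   # drop events outside the window
                w.popleft()
            limit = BURST_MULTIPLIER * BASELINE_PER_MIN.get(user, 1)
            if len(w) > limit and user not in burst_reported:
                burst_reported.add(user)
                alerts.append(("burst", user, host,
                               f"{len(w)} changes in {WINDOW_SECONDS}s (limit {limit})"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

A real deployment would feed the same logic from tap or file-server telemetry and hand the alerts to the monitoring layer described below rather than printing them.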

POST BREACH

The post-breach defense is closely tied to the active breach layer and is used to determine exactly where the malware is in use. These systems are more forensically capable: they can start packet captures, look for known indicators of compromise (IoCs) tied to the particular variant of ransomware, and give investigators the ability to pinpoint which other systems in the network have the same files (or IoCs) as the infected systems.

This is an incident response and forensic tool, also known as Endpoint Detection and Response (EDR), used to isolate systems that are truly infected. Many of these systems depend on agents installed on the endpoints to accomplish this task, with the exception of sandboxes, which is why the active breach technology assists with filling the holes left by missing agents in this needed layer.

ACTIVE MONITORING

With the systems in place now to defend and alert against malware, the next piece of the design is to monitor the network 24×7. Since malware will many times lie dormant for days or weeks, there’s a need to be consistently looking at alerts and notifications that come from the malware protection systems which have been put in place.

Sending these logs to a third party SOC, or establishing an internal SOC to act on these alerts while they’re occurring, gives the greatest potential for success when it comes to defending against malware.

TUNING CURRENT CONFIGURATIONS

While advanced technology might currently not be in place (e.g. NG-AV, network anomaly tools, forensic IoC tooling, sandboxing), there are still areas of improvement in the network that can be worked on to defend against malware.

This includes verifying all systems are patched (both third-party software and the OS), determining that every system is running the appropriate current AV agents, tuning the AV policies to be more restrictive when it comes to scanning files, blocking servers from egressing to the internet, denying split tunneling on the VPN, forcing all systems through a proxy, and verifying that you have up-to-date spam detection, properly segmented networks, and, most important of all, backups of all your data.

CONCLUSION

Creating a network that’s impervious to ransomware, or malware in general, is almost impossible, but there are internal tunings of current systems that can assist with making it harder for malware to infect your network while you wait for the budget or implementation of more advanced technology.

There is no silver bullet when it comes to defending against malware, just the ability to block what you can and contain what gets in. The faster you can respond against something that slipped past your defenses, the better chance you have to mitigate the risk moving forward.

Via: tripwire

The Real Cost of Ransomware Cyber Lockouts

It’s been a month since Hollywood Presbyterian Medical Center joined the ranks of Premera Blue Cross, Anthem, CareFirst BCBS, and a considerable number of other healthcare institutions that have experienced recent hacks where personal patient data might have been exposed.

While it may have played out like the plot of a bad “cyber”-thriller movie, the nightmare is not long forgotten by Hollywood Presbyterian, who was forced to pay a $17,000 bitcoin ransom to regain control of its computer systems and digital medical records after a ransomware attack.

Unfortunately, that payment was just a tiny fraction of the total cost of a breach like this to a healthcare organization.

While some institutions take more precautions to protect themselves than others, I believe there are three fundamental reasons healthcare organizations are at heightened risk:

  1. They are oftentimes wealthy entities with large sums of money that are very worried about reputation damage.
  2. Individual healthcare records are worth 10 times more than a credit card number on the black market.
  3. A hospital system’s care delivery is centralized in the electronic medical record system (EMR) – a single point of failure if the system is compromised.

To get a better picture of the financial implications of a breach, consider the following:

Forensic investigation of IT systems

In order to resolve existing vulnerabilities and protect against future attacks, healthcare institutions must pinpoint the origin and method of the infiltration. Computer forensic investigators analyze the computer data across the institution to determine if those devices have been compromised by unauthorized access.

According to InfoSec Institute, the cost of a computer forensic investigation varies greatly ($100-$600 per hour), depending on the number and types of systems involved and the complexity of the recovery of evidence.

HIPAA fines for compromised personal health information (PHI) and associated lawsuits

HIPAA-covered entities may be subject to steep penalties for violating regulations ranging from $10,000-$25,000 for every violation, up to $1 million per year.

In addition, wrongful disclosure of ePHI can include fines of $50,000 and imprisonment up to one year.

Overhauled IT security and communication infrastructure to prevent future incidents

Hollywood Presbyterian will need to reevaluate its business continuity and disaster recovery plans. As a result of inadequate planning, the hospital lost revenue when it was forced to transfer patients to other nearby medical centers, all the while continuing to pay for overhead expenses and salaries.

As you can see, the expenses add up quickly. But the above-mentioned damages don’t even begin to factor in the negative impact on brand and patient trust, both of which are extremely important to healthcare institutions and are time- and resource-intensive to rebuild.

For the 6,000 healthcare organizations in the U.S., the Hollywood Presbyterian incident should serve as a wake-up call to take immediate steps to protect themselves and their patients from ransomware infections, hacks and other similar attacks.

So, that begs the question, how can organizations best mitigate risk and avoid costly breaches at the hands of ransomware and other threats?

First off, resources need to be allocated for IT infrastructure maintenance and security. Next, the use of non-encrypted communication tools for sharing PHI – including email – should be greatly reduced or completely eliminated, as this is one of the more vulnerable areas and among the easiest to fix.

Making sure that IT systems have the latest software updates will help maintain the security of the entire infrastructure. This includes performing regular scans for viruses, malware, ransomware and spyware; backing up data frequently; and changing passwords on a regular basis. It is equally important to protect servers, desktops and all mobile devices on the network.

If regular updates are not made across the entire infrastructure, you significantly increase the risk of attacks that can penetrate the network and result in data loss/costly HIPAA violations. However, who is to say that the risks stop at data loss?

The potential for something more nefarious is real, which is all the more reason why organizations must adopt safeguards to protect themselves and their patients.

Via: tripwire

Vulnerabilities Discovered in U.S. State Department’s Visa Database

Security experts have discovered vulnerabilities in a database where the U.S. State Department stores visa information.

Reuters writes that the State Department first learned of the security flaws following an internal review of its computer systems several months ago.

In a report, security experts warned the department that its Consular Consolidated Database (CCD) was at risk of being compromised. That database contains current and archived visa records, which consist of personally identifiable information including names, addresses, photos, biometric data, and identification numbers from the Bureau of Consular Affairs.

The CCD is essential for the U.S. government’s ability to process passport applications.

An official familiar with the review told ABC News that the State Department has already implemented a “coordinated mitigation plan” that has remediated all of the vulnerabilities, which were attributed to the department’s use of several legacy systems.

“[We] view this issue in the lowest threat category,” the official said.

Even so, some government sources have expressed their doubts as to whether all of the vulnerabilities identified in the review have indeed been fixed.

“Vulnerabilities have not all been fixed,” and “there is no defined timeline for closing [them] out,” said one congressional source informed of the matter.

Another source warned that officials with the State Department waited several months before they started to address some of the key issues highlighted in the internal review.

At this time, there is no evidence that a breach of the database has occurred.

ABC News reached out to the State Department for comment, but no official has confirmed whether all of the vulnerabilities discovered in the review have been patched or whether the department is still working on patching the security issues.

News of these vulnerabilities follows more than a year after the State Department temporarily shut down its unclassified email system following a suspected hack.

Via: tripwire