IT Security News Blast 4-25-2017

Healthcare records for sale on Dark Web

The Identity Theft Resource Center reported that there were 355 breaches in 2016 affecting 15 million records. 2016 was a record year for US Healthcare breaches – affecting hospitals, dental clinics, and senior care facilities, among others – with the top 10 breaches netting criminals in excess of 13 million records, and the Dark Web literally flooded with “fullz” (full packages of personally identifiable information) as well as patient insurance information.

http://www.csoonline.com/article/3189869/data-breach/healthcare-records-for-sale-on-dark-web.html

Erie County Medical Center systems still down 12 days after massive cyberattack

Buffalo-based Erie County Medical Center is still struggling to bring its computer systems back online after a virus was discovered on April 9, according to The Buffalo News. The hospital was hit with a cyberattack, but hospital officials are declining to confirm the attack is ransomware due to the ongoing investigation. However, Buffalo News cited sources that said the attack was indeed ransomware.

http://www.healthcareitnews.com/news/erie-county-medical-center-systems-still-down-12-days-after-massive-cyberattack

Locky Ransomware Roars Back to Life Via Necurs Botnet

Researchers warn the latest Locky campaign is borrowing effective techniques from the credential-stealing malware Dridex, which has become adroit at outsmarting sandbox mitigation efforts. […] Last year, Locky was behind a series of massive spam campaigns that targeted hospitals with either malicious Word or JavaScript attachments. By December, Cisco reported, Necurs and Locky activity had gone silent.

https://threatpost.com/locky-ransomware-roars-back-to-life-via-necurs-botnet/125156/

Machine Learning in Security: 4 Factors to Consider

People have exponentially more computing power than they once did and generate massive amounts of data. The importance of timing and accuracy blend together in cognitive security. Information must be legitimized quickly to achieve maximum value from machine learning and stop security threats in any business environment. “The ability to verify and validate accuracy is the biggest value point associated with the cognitive engineer we have,” he says.

http://www.darkreading.com/analytics/machine-learning-in-security-4-factors-to-consider/d/d-id/1328704?

Manufacturers Are Leading Target of Infrastructure Cyber Attacks

One-third of all cyber-attacks in 2015 targeted manufacturers, and that number is only getting larger as technology advances and cyber criminals become more savvy. […] “Most manufacturing systems today were made to be productive — they were not made to be secure. Every manufacturer is at risk — it isn’t a matter of if they will be targeted, it’s a matter of when,” says Rebecca Taylor, senior vice president for NCMS.

http://advancedmanufacturing.org/manufacturers-leading-target-infrastructure-cyber-attacks/

Hong Kong increases security measures as hackers hit brokers in cyberattack surge

Hong Kong will see its information security rules enhanced following a cyberattack at the city’s stockbrokers, which led to investor losses of an estimated $14 million. According to authorities, there have been nearly a hundred reported attacks of this sort in the past year and a half. The Securities and Futures Commission (SFC) stated that the new rules would include requirements for two-step authentication for account log-in and alerts for every transaction carried out.

https://ibsintelligence.com/ibs-journal/hong-kong-increase-security-measures-hackers-hit-brokers-cyberattack-surge/

BrickerBot, the permanent denial-of-service botnet, is back with a vengeance

BrickerBot, the botnet that permanently incapacitates poorly secured Internet of Things devices before they can be conscripted into Internet-crippling denial-of-service armies, is back with a new squadron of foot soldiers armed with a meaner arsenal of weapons. […] Like their predecessors, the newly discovered botnets target the same Internet-connected cameras, DVRs, and IoT devices that (a) run a Linux tool package known as BusyBox and (b) have a telnet-based interface publicly exposed and leave factory default administrative passwords unchanged. Those are the same devices that are preyed on by Mirai, the IoT botnet software that generated record-setting denial-of-service attacks on several occasions last year.

https://arstechnica.com/security/2017/04/brickerbot-the-permanent-denial-of-service-botnet-is-back-with-a-vengeance/

Cybersecurity Executive Order is Close to Release, Administration Official Says

The Trump administration’s first attempt at a cybersecurity executive order was criticized for placing too much responsibility with Department of Defense leadership, and a second draft of the order was pulled just before a scheduled signing in late January. Two weeks ago, retired Gen. Michael Hayden, who has served as the director of both the National Security Agency and CIA, confirmed the existence of a new draft order, characterizing it as “what you’d expect” of a national cybersecurity initiative.

https://www.meritalk.com/articles/cybersecurity-executive-order-is-close-to-release-administration-official-says/

White House links innovation and cybersecurity

The primary focus of the administration when it comes to cybersecurity will be to protect federal IT infrastructure. That will involve modernizing systems and moving toward shared services and commercial solutions in an effort to raise the standards for smaller agencies that do not have the budget and workforce to focus on cybersecurity the way the Department of Defense does, Joyce said. While that overall policy goal will be reflected in the EO, he said, it is looking more like the NSC will play a supporting role to Jared Kushner’s new Office of American Innovation, which is charged in part with modernizing federal IT.

https://fcw.com/articles/2017/04/24/joyce-white-house-cyber-carberry.aspx

Macron Campaign Was Target of Cyber Attacks by Spy-Linked Group

Feike Hacquebord, a researcher with security firm Trend Micro, said he had found evidence that the spy group, dubbed “Pawn Storm”, targeted the Macron campaign with email phishing tricks and attempts to install malware on the campaign site. He said telltale digital fingerprints linked the Macron attacks with those last year on the U.S. Democratic National Committee (DNC) and the campaign of presidential candidate Hillary Clinton, and that similar techniques were used to target German Chancellor Angela Merkel’s party in April and May of 2016.

http://fortune.com/2017/04/24/macron-campaign-france-hackers/

EU member of parliament: Nationalism at odds with international cybersecurity

MEP Marietje Schaake (Netherlands) said that closing borders to try to regain control over diminishing power could have dire consequences on the online landscape. At a meeting of global economic leaders she had attended, she said, the “Russian and Iranian foreign ministers couldn’t help but celebrate the post-Western world order.” […] But, she said, cybersecurity and the open internet pose problems that require coordination between disparate nations and even private companies, which she believes will continue to be asked to play bigger roles in international diplomacy.

http://thehill.com/policy/cybersecurity/330221-eu-member-of-parliament-nationalism-at-odds-with-international

We’re ‘heartbroken’ we got caught selling your email records to Uber, says Unroll.me boss

Over the weekend, it emerged Uber had, at times, played fast and loose with people’s privacy. At one point, it was buying anonymized summaries of people’s emails from Unroll.me, allowing the ride-hailing app maker to, for instance, figure out how many folks were using rival Lyft based on their emailed receipts. Not a great look. So in a blog post Sunday, Hedaya apologized – not for actually selling off the contents of users’ inboxes, but for upsetting people when they found out.

https://www.theregister.co.uk/2017/04/24/unrollme_caught_selling_email_to_uber/

A Closer Look at CIA-Linked Malware as Search for Rogue Insider Begins

The CIA and FBI reportedly have launched a joint investigation to discover who leaked thousands of confidential documents that contained descriptions of hacking tools used by the CIA to break into computer systems, smartphones, and smart televisions. Sources close to the investigation say US intelligence agencies are hunting a CIA employee or contractor with physical access to the documents, which were stored in a “highly secure” agency division, according to CBS News, which broke the story on this latest development.

http://www.darkreading.com/attacks-breaches/a-closer-look-at-cia-linked-malware-as-search-for-rogue-insider-begins/d/d-id/1328710?

FBI allays some critics with first use of new mass-hacking warrant

Mass hacking seems to be all the rage currently. A vigilante hacker apparently slipped secure code into vulnerable cameras and other insecure networked objects in the “Internet of Things” so that bad guys can’t corral those devices into an army of zombie computers, like what happened with the record-breaking Mirai denial-of-service botnet. The Homeland Security Department issued alerts with instructions for fending off similar “Brickerbot malware,” so-named because it bricks IoT devices. And perhaps most unusual, the FBI recently obtained a single warrant in Alaska to hack the computers of thousands of victims in a bid to free them from the global botnet, Kelihos.

https://arstechnica.com/tech-policy/2017/04/fbi-allays-some-critics-with-first-use-of-new-mass-hacking-warrant/

NSA’s DoublePulsar Kernel Exploit In Use Internet-Wide

A little more than two weeks after the latest ShadowBrokers leak of NSA hacking tools, experts are certain that the DoublePulsar post-exploitation Windows kernel attack will have similar staying power, and that pen-testers will be finding servers exposed to the flaws patched in MS17-010 for much longer than Conficker. […] DoublePulsar is a sophisticated memory-based kernel payload that hooks onto x86 and 64-bit systems and allows an attacker to execute any raw shellcode payload they wish.

https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/

Teen Hacker with Asperger’s Syndrome Ruined Cyber Infrastructure of Tech Giants

Mudd, who is from the United Kingdom, carried out 1.7 million cyber attacks on websites and servers around the world, costing victims millions of dollars in damages. He then decided to sell Titanium Stresser to other cyber criminals and made £386,000 (USD 494,736). All that while sitting in his bedroom at his parents’ house. Now, Mudd, 20, is facing the consequences of his crimes. The authorities claim that between December 2013 and March 2015, Mudd conducted 594 DDoS attacks by himself against 181 IP addresses affecting major cities worldwide.

https://www.hackread.com/teen-hacker-with-aspergers-syndrome-hacked-tech-giants/

Northrop Grumman can make a stealth bomber – but can’t protect its workers’ W-2 tax forms

Northrop Grumman has admitted one of its internal portals was broken into, exposing employees’ sensitive tax records to miscreants. […] “The personal information that may have been accessed includes your name, address, work email address, work phone number, Social Security number, employer identification number, and wage and tax information, as well as any personal phone number, personal email address, or answers to customized security questions that you may have entered on the W-2 online portal,” the contractor told its employees.

https://www.theregister.co.uk/2017/04/24/northrop_grumman_breach_worker_w2s/

WordPress, Joomla and Magento susceptible to new CMS malware

The attacker starts off by injecting IndoXploit Shell, which is normally used to deface a website, but in this case the malware uses the shell kit to snatch the configuration files found in the content management system (CMS) under attack and save them to a plain text file, SiteLock reported. “While these text files may seem innocuous, they contain sensitive credentials that a hacker could use to access CMS-connected databases on target hosting accounts,” wrote SiteLock researcher Logan Kipp.

https://www.scmagazine.com/wordpress-joomla-and-magento-susceptible-to-new-cms-malware/article/652537/

Phishing attacks using internationalized domains are hard to block

When used in the Domain Name System (DNS) — the internet’s address book — internationalized domain names are converted into ASCII-compatible form using a system called Punycode. However, when displayed to users inside browsers and other applications that support Unicode, they are shown with their intended non-Latin characters, making it possible for billions of internet users to read domain names in their native languages and scripts. While this is great for global internet usability, the use of internationalized domain names does raise security problems because some alphabets contain characters that look very similar to Latin letters and this can be abused to spoof URLs.

http://www.csoonline.com/article/3191651/security/phishing-attacks-using-internationalized-domains-are-hard-to-block.html

====

Archived articles from the IT Security news blast are at https://criticalinformatics.com/it-security-news/

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners. © 2017 Critical Informatics, Inc. All rights reserved.