The following is this week’s sample of ThreatScape® Media Highlights – an email roundup of security headlines augmented by insights and analysis from iSIGHT Partners. Our cyber threat intelligence clients receive this update daily.
Thursday, 31 March 2016
Virus Infects MedStar Health System’s Computers, Forcing an Online Shutdown
From The Media
A virus has infected MedStar Health’s computer network, leading MedStar to take down all system interfaces in efforts to reduce the rate of infection. MedStar Health is a $5 billion USD health care provider with 10 hospitals in the Washington, D.C. region. The FBI is investigating the incident, which some sources say involved ransomware. According to MedStar, there is no evidence that any information has been exfiltrated. Neither MedStar nor the FBI have indicated how long the systems will remain offline.
Read the Story: The Washington Post
iSIGHT Partners Analyst Comment
Whether or not ransomware was used in this incident, we suggest the actors may have compromised MedStar Health’s internal network in a targeted rather than opportunistic attack, given the high ransom amount reported in some media sources. Recent successful hospital extortions have likely made hospitals more appealing targets for such attacks, and this threat is unlikely to lessen in the foreseeable future, as hospitals must have continuous access to sensitive patient records that can be affected by ransomware.
Related iSIGHT Partners Reports
16-00002294 (Ransomware Threat Landscape Overview), 28 March 2016
16-00003354 (Ongoing Extortion Attempts Attributed to ‘Armada Collective’ Unlikely to Be Linked to 2015 Attacks), 14 March 2016
16-00004062 (SEA Member ‘The Shadow’ (aka ‘Ethical Spectrum’) Targets Tech Companies with Intrusion, Extortion), 29 March 2016
The FBI Just Cracked the San Bernardino iPhone. Is the Showdown With Apple Over?
From The Media
The U.S. Department of Justice has successfully gained access to the data stored on the San Bernardino gunman’s iPhone without Apple’s assistance. The announcement comes after a lengthy back-and-forth between the FBI and Apple. However, the question still remains whether the FBI could have forced Apple to decrypt the device in question.
Read the Story: BBC
iSIGHT Partners Analyst Comment
Despite the fact that the FBI dropped its highly publicized case against Apple, iSIGHT Partners assesses with high confidence that the encryption debate will continue to unfold both in the US and in other countries. The FBI indicated that it sought help accessing the phone from a third party, but has otherwise not disclosed how it accessed the phone, or whether the technique(s) involved are applicable to iPhones more modern than the 5c or to iOS versions newer than iOS 9. Media reports indicate that the FBI plans to continue to use the US court system to seek access to encrypted devices as part of future investigations. Multiple legislative efforts meant to address the so-called “going dark” issue are underway at both the U.S. federal and state level.
Related iSIGHT Partners Reports
15-00000266 (Apple Reportedly Gives Privileged Access to Chinese Government), 28 Jan. 2015
15-00012370 (US Law and Government Policy Roundup: August – October 2015), 17 Nov. 2015
15-00013224 (Global Law and Government Policy Roundup: August – October 2015), 3 Dec. 2015
Hacker Sends Anti-Semitic Fliers to Network Printers at Princeton, Many Other Colleges
From The Media
White supremacist hacker Andrew Auernheimer claimed responsibility for recently sending anti-Semitic printouts to networked printers at universities across the country. Academic departments from schools in Maryland, California, New Jersey, Massachusetts and Illinois received the one-page flyer. Auernheimer reportedly sent the flyers to at least 20,000 printers across the United States by exploiting devices that were publicly reachable online.
Read the Story: The Washington Post
iSIGHT Partners Analyst Comment
The stunt was designed for publicity, and there is no evidence of any damage to the affected devices or exposure of user credentials. Auernheimer is a notorious hacktivist who was convicted in 2011 for unauthorized access to AT&T customer data as part of the group Goatse Security. Auernheimer’s case attracted support from civil liberties advocates, and the conviction was eventually vacated.
Related iSIGHT Partners Reports
15-00004534 (Atlanta Billboard Defaced with Obscene Image), 22 May 2015
Intel-1234296 (Internet of Things Security Concerns Growing), 15 Sept. 2014
Malvertising Hits eBay Subsidiary
From The Media
According to Malwarebytes, eBay subsidiary Gumtree was hit with a malvertising attack. The website offers classified advertising and is prominent in Australia, the UK and South Africa. Any visitor clicking on the fake advertisement would be exposed to the Angler exploit kit. Gumtree receives 48 million visits per month.
Read the Story: SC Magazine
iSIGHT Partners Analyst Comment
Malicious actors often impersonate prominent or reputable organizations to fool advertisement companies and drive traffic to domains hosting exploit kits such as Angler. Exploit kit operators use these operations to drop a wide variety of malware onto victim machines, often as part of a malware installation service. It is not clear what type of malware was delivered in this case. In a similar case in February 2016, content on a site associated with a US football team redirected to an Angler exploit kit landing page.
Related iSIGHT Partners Reports
16-00001924 (eCrime Actors May Have Taken Advantage of Web Traffic on Denver Broncos Site Leading Up to Super Bowl; Redirected Users to Angler Exploit Kit), 17 Feb. 2016
15-00000226 (Angler Exploit Kit Overview), 23 April 2015
15-00014258 (Overview of Exploit Kits and the Exploit Kit Market), 11 Jan. 2016
New Cyber Espionage Trojan Spreading in Taiwan
From The Media
Symantec researchers recently detected a new Trojan, dubbed Backdoor.Dripion, being used to infect victims in Taiwan. Based on earlier iterations of the malware, the researchers suspect that the Trojan is associated with Budminer, an organization involved in cyber espionage operations. Dripion is designed to exfiltrate information from target machines and has been tied to only a small number of attacks in Taiwan.
Read the Story: SC Magazine
iSIGHT Partners Analyst Comment
Technical indicators released in Symantec’s report overlap with activity we track as TEMP.Barhopper, a China-based intrusion set that primarily targets Taiwanese government entities. We have been tracking this activity since at least 2013 and have observed TEMP.Barhopper employ Ilitat malware to download secondary tools including the Enfal, Taidoor, and AtMoney payloads. The set of affected victims suggests that organizations involved in defense and economic affairs or the development of advanced technology may be the primary targets of TEMP.Barhopper activity.
Related iSIGHT Partners Reports
Intel-1008733 (Taiwan’s Defense and Intelligence Sector Under Constant Threat), 14 March 2014
Intel-1013962 (TEMP.Barhopper Activity), 14 Jan. 2014
Drivers Targeted By GPS-Based Phishing Scam
From The Media
Pennsylvania drivers are being targeted by a phishing scam that leverages GPS data to make the lure appear more legitimate. The message received by drivers purports to be a speeding ticket and includes accurate personal information about the recipient, such as first and last name, along with the speed at which the driver was traveling and the road they were on. The Tredyffrin, Pennsylvania police department issued a warning about the scheme. The source of the GPS information used in the lure is not known; however, law enforcement suspects that it may have come from a traffic or mobility application.
Read the Story: CSO Online
iSIGHT Partners Analyst Comment
Although we are uncertain how adversaries are obtaining location and personal data, as it could have come from a variety of sources, this scam demonstrates how adversaries can leverage unauthorized information disclosures for malicious activity. Users should maintain a healthy suspicion of unsolicited e-mails, especially when they claim to come from an authoritative source.
Related iSIGHT Partners Reports
ThreatScape Media Highlights (Crooks Cleverly Impersonate ISPs in New Type of Tech Support Scam), 22 March 2016
16-00004070 (Potential Targeted Malware Infection Lures for April 2016), 30 March 2016
The post ThreatScape Media Highlights Update – Week Of March 30th appeared first on iSIGHT Partners.