Tuesday, December 18, 2018

Woesnotgone Meadow; December 5, 2018



All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth. Today in the meadow we had a bit of excitement. Aunt Marjie, who really isn’t anyone’s aunt, paid a visit to the town’s doctor. Although the doctor only accepts the local insurance, there are the usual patient files. A hospital outside of the Meadow had a little problem with this.

Valley Health is the parent company of a number of hospitals, including the Winchester Medical Center and five other regional hospitals. Valley Health had the opportunity to mail notifications to 857 patients of these facilities, letting them know their private, confidential data may have been compromised. The data included the patient’s name, address, date of birth, Social Security number, medical record number, and patient identification number.

This issue is related to a third party Valley Health contracted with to host the electronic medical records (EMR). The hospitals initiated a contract with Inova Health Systems in 2013 for a seven-year term. On October 24, 2018, Inova notified Valley Health that it had been alerted by law enforcement to the underlying issue.

On September 5, 2018, an unauthorized person had accessed a portion of the patient records. After Inova received the notice, the business initiated its own forensic review. Valley Health followed suit and launched its own forensic review. Valley Health’s investigation indicated 12,331 patient files were accessed.

The compromise was possible because the unauthorized party used the credentials of an employee who was no longer with the business. The access was to the Inova billing system along with Valley Health’s electronic medical records, in January 2017 and from July to November 2017. This unauthorized person had a relationship with the former Inova employee.

The circumstances lead to at least two germane questions. Did the former Inova employee write down their credentials and allow a third party, with whom there was a relationship, to see them? At this juncture, employees and former employees should not do this, especially when password managers are readily available. Also, the unauthorized party accessed the system during two separate periods. The other person would have had to be logged in at suspicious times or while the authorized person was also logged in. Either way, the logs would have indicated an issue which should have been noted by the security team or the SIEM. How was this missed by both the humans and the programs? Inova had to be warned by law enforcement after the second compromise.
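The three log conditions just described (a departed employee’s account still authenticating, logins at odd hours, and one account open from two places at once) are exactly what a SIEM rule or a small script can check. The example below is an added illustration, not code from the post, Inova or Valley Health; the log format, the usernames, the source addresses, the termination date and the business-hours window are all constructed assumptions.

```python
# Added example (not from the post, Inova or Valley Health): three checks a
# SIEM rule or a small script could run over authentication logs to catch
# what the post describes. The log format, the account names, the IPs and
# the termination date below are constructed for the illustration.
from datetime import datetime, time

# Constructed HR feed: username -> termination date (None = still employed).
TERMINATED = {
    "former.employee": datetime(2016, 11, 30),  # hypothetical departed user
    "current.employee": None,
}

# Constructed authentication events: (timestamp, username, source IP, action).
EVENTS = [
    ("2017-01-12 02:14:05", "former.employee", "198.51.100.7", "login"),
    ("2017-01-12 03:40:11", "former.employee", "198.51.100.7", "logout"),
    ("2017-07-03 09:05:00", "current.employee", "10.0.0.21", "login"),
    ("2017-07-03 09:20:00", "current.employee", "203.0.113.9", "login"),
    ("2017-07-03 17:01:00", "current.employee", "10.0.0.21", "logout"),
    ("2017-07-03 18:00:00", "current.employee", "203.0.113.9", "logout"),
]

# Assumed working hours; a login outside them is worth a look, not proof of abuse.
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)


def parse_events(events):
    """Turn the textual timestamps into datetime objects, keeping event order."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user, ip, action)
            for ts, user, ip, action in events]


def find_anomalies(events=EVENTS, terminated=TERMINATED):
    """Return (kind, user, ip, timestamp) findings for:
    - a login by an account whose owner's termination date has passed,
    - a login outside business hours,
    - a login while the same account already has an open session from
      another source address (the 'logged in at the same time' case)."""
    findings = []
    open_sessions = {}  # user -> {ip: login time}
    for ts, user, ip, action in parse_events(events):
        if action == "logout":
            open_sessions.get(user, {}).pop(ip, None)
            continue
        term_date = terminated.get(user)
        if term_date is not None and ts > term_date:
            findings.append(("terminated-account-login", user, ip, ts))
        if not BUSINESS_START <= ts.time() <= BUSINESS_END:
            findings.append(("off-hours-login", user, ip, ts))
        sessions = open_sessions.setdefault(user, {})
        if sessions and ip not in sessions:
            findings.append(("concurrent-session", user, ip, ts))
        sessions[ip] = ts
    return findings


if __name__ == "__main__":
    for kind, user, ip, ts in find_anomalies():
        print(f"{ts} {kind:25} {user} from {ip}")
```

The terminated-account check is the one that needs no tuning: once HR’s leaver feed says an account should be gone, any authentication with it is a finding. The other two are review triggers rather than verdicts, so in practice they would feed a ticket, not a lockout.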

With these and other issues, the situation certainly indicates an opportunity for growth and improvement with InfoSec.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.


Resources
Merod, A. (2018, November 23). Valley Health sending letters to 857 patients possibly affected by security breach. Retrieved from http://www.winchesterstar.com/winchester_star/valley-health-sending-letters-to-patitients-possibly-affected-by-security/

Saturday, December 15, 2018

Woesnotgone Meadow; December 3, 2018



All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth. A portion of the residents are very familiar with one aspect of internet usage: email. They use this mostly for family communications, sharing pictures, or just bugging one another. One area that has been a problem, and continues to be, is phishing, and not the kind by Margie’s pond on the south side of her home. New York Oncology Hematology (NYOH) recently experienced this.

Phishing has become such a lucrative and easy attack method that it’s no wonder its prevalence has skyrocketed. The methodology for the attack is relatively straightforward and not overly complex.

Attack
The phishing attack itself was launched and continued between April 20 and 27, 2018. The attackers sent fraudulent emails containing a link to be clicked on. Once an unfortunate user did this, the credential harvesting process started. Of the mass of emails sent, the attackers were successful with 14 users. Sometimes, all it takes is a handful of people clicking. The emails naturally appeared to be legitimate. The targets provided their usernames and passwords. The attack, clearly, was successful and compromised the system. The 14 email accounts were locked down once the issue was noted. The attack was detected and shut down, though the triggering event was not published. This could have been detected by a user, reported by a user, or detected by the enterprise’s tooling (e.g. a SIEM).

Affected Parties
There were 128,400 employees and patients affected by this. It did not affect the employees and patients who joined NYOH after April 27, 2018. As of November 2018, NYOH was not aware of any patient’s data being misused. The consequences for the affected parties may not appear immediately, as the unauthorized parties holding the data may choose to use it at their leisure. The data may be used or sold without a time limit.

Remediation
NYOH contracted with a third party to conduct a forensic review. The report was delivered to NYOH on October 1, 2018. The report indicated one or more of the email accounts had PHI accessible to the attackers, and that confidential and private health information was exposed to an unauthorized party. NYOH, due to the compromise, is offering the affected parties credit reporting services.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.


Resources
Daily Gazette Reporter. (2018, November 16). New York Oncology Hematology hit by email scam. Retrieved from https://dailygazette.com/article/2018/11/16/new-york-oncology-hematology-hit-by-email-scam

Dissent. (2018, November 17). New York Oncology Hematology notifying more than 128,400 employees and patients after phishing attack. Retrieved from https://www.databreaches.net/new-york-oncology-hematology-notifying-more-than-128400-employees-and-patients-after-phishing-attack/

New York Oncology Hematology. (2018). Phishing incident: What you need to know. Retrieved from https://newyorkoncology.com/security/

WGY News. (2018, November 17). New York Oncology Hematology reports data breach. Retrieved from https://wgy.iheart.com/content/2018-11-17-new-york-oncology-hematology-reports-data-breach/

Thursday, December 13, 2018

Woesnotgone Meadow; December 2, 2018


All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth. This time of year the air begins to get a bit chilly as the season starts to change from fall to winter, and the dogs bring the mud into the house. In Woesnotgone Meadow, our watering hole is Maggie’s on Main Street. This is the only watering hole in the meadow. In Southeast Asia, as it happens, another watering hole has surfaced. This one, however, is not as pleasant.

This latest issue was discovered by ESET researchers. It is a new watering hole campaign by the group termed OceanLotus, using several websites. The group has also been termed APT32 and APT-C-00 in certain circles. The geographic focus of this malware has been users and websites in Southeast Asia, and the campaign has been in operation since September 2018. From all appearances, this seems to be well planned.

Differentiation
The watering hole attack is not new to the environment or industry. One aspect which makes this unique is the large number of compromised websites, at least 21, involved in this attack. On a secondary level, it is also unique because a handful of the compromised websites were high profile (e.g. the Ministry of Defense of Cambodia and the Ministry of Foreign Affairs and International Cooperation of Cambodia).

Curiously, this also targeted several Vietnamese newspapers and blog websites. These attackers usually focus on websites their targets regularly visit. This attack, however, focused on websites visited by many people.

Evolving Attack
As noted, this is not a fresh attack format. The activity began in 2014 with the OceanLotus Advanced Persistent Threat (APT) group. This specific attack appears to have begun as OceanLotus Framework B in 2017, with updates producing the latest version. This includes using public key cryptography to exchange an AES session key, which hardens the communication channel and prevents security products from intercepting the payload.

Stealth
On the range of complexity of attacks, this is not on the basic end of the spectrum. To produce this more complex attack, the attackers used a first- and second-stage process on the compromised websites.

Responsible Reporting
This was noted by the researchers, who notified the compromised websites in October 2018. The issue was not, however, fixed until late October 2018.

Attack
The attack process is relatively straightforward. The person visits the compromised site. The users are tricked into installing a fake installer or updater for commonly used software. To get there, the attackers added a small amount of JavaScript to the index page or, alternatively, to a JavaScript file hosted on the same server. That code then loads a new script from a server controlled by the attackers.
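From the site owner’s side, the injection described above shows up as a script loader whose host is not one the site normally uses, or an inline script block that was never deployed. The check below is an added illustration, not code from the post or from ESET; the sample page, the allowlist of script hosts, the baseline of known inline scripts and the placeholder attacker host name are all constructed.

```python
# Added example (not from the post or ESET): a site owner's integrity check
# for the kind of injection the post describes, a small script loader added
# to the index page that pulls a second stage from an outside server. The
# sample page, the allowlist of script hosts and the baseline of known inline
# scripts are all constructed for this illustration.
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the hosts this site legitimately loads scripts from.
ALLOWED_HOSTS = {"www.example.gov", "cdn.example.gov"}


def sha256_text(text):
    """Digest of an inline script body, whitespace-trimmed so a reformatted
    copy of the same script still matches the baseline."""
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()


# Constructed: digests of the inline scripts the site is known to ship.
BASELINE_INLINE = {sha256_text("var x = 1;")}

# Constructed page: one legitimate loader, one known inline block, one
# off-site loader and one unknown inline block (the last two are what an
# injection would look like; the host name is a placeholder).
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.gov/app.js"></script>
<script>var x = 1;</script>
<script src="//attacker-host.invalid/stage1.js"></script>
<script>document.write("injected");</script>
</head><body></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect every <script src=...> value and every inline script body."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._buf = None  # not None while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def audit_scripts(html, page_host, allowed_hosts=ALLOWED_HOSTS,
                  baseline=BASELINE_INLINE):
    """Return (finding, detail) pairs: loaders whose host is not allowlisted
    (a relative src counts as the page's own host) and inline scripts whose
    digest is not in the known-good baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).netloc or page_host
        if host not in allowed_hosts:
            findings.append(("off-allowlist-loader", src))
    for body in collector.inline:
        digest = sha256_text(body)
        if digest not in baseline:
            findings.append(("unknown-inline-script", digest))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_scripts(SAMPLE_HTML, "www.example.gov"):
        print(kind, detail)
```

Run against a fetched copy of the live page on a schedule, this turns a silent modification of the index page into an alert. Note that a loader added to an existing JavaScript file on the same server (the post’s second variant) would pass the host allowlist; catching that needs the same digest-baseline idea applied to the served script files themselves.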

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.



Resources
Abel, R. (2018, November 20). Watering the Ocean Lotus: New watering hole attacks target Southeast Asia. Retrieved from https://www.scmagazine.com/home/security-news/for-the-last-few-months-the-threat-group-oceanlotus-also-knwon-as-apt32-and-apt-c-00-has-been-carrying-out-a-watering-hole-campaign-targetting-

Arghire, I. (2018, March 3). “OceanLotus” spies use new backdoor in recent attacks. Retrieved from https://www.securityweek.com/oceanlotus-spies-use-new-backdoor-recent-attacks

AlienVault. (2018, November 21). OceanLotus new watering hole attack in Southeast Asia. Retrieved from https://otx.alienvault.com/pulse/

Mitre Corporation. (n.d.). APT32. Retrieved from https://attack.mitre.org/groups/G0050/

Thursday, December 6, 2018

Woesnotgone Meadow; November 30, 2018


All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth. The weather was unusually cold earlier this week. This has kept many of the residents inside. With activities limited by the cold, many people worked on their online banking, but not with HSBC Bank.

HSBC Bank has a presence in several countries. Notable for this case is the HSBC Bank subsidiary located in the US. Its system was attacked and compromised. The bank learned of this unauthorized access between October 4 and October 14, 2018. The attackers were able to exfiltrate the data they were targeting: clients’ names, addresses, dates of birth, account numbers, transaction histories, payee details, and balances. With this data, the attackers, and whomever the data is sold to on the dark web, have the ability to make the affected parties’ lives “interesting” for the next decade or more. This data allows the unauthorized parties to use the identity to falsely open accounts, access other websites where the clients may have accounts, and overall keep the affected persons monitoring their credit reports.

This affected thousands of online customers of HSBC Bank USA. The bank did not publish the full number but did state it was less than 1% of its US customers. Based on this, the affected parties could number up to 12,000 persons. This was the initial estimate and may increase as time passes and the forensic review continues. The bank, per California state law, notified the California Attorney General, as the breach affected 500 or more California residents.

The bank, attempting to be a good corporate citizen and limit liability, suspended the affected online accounts. In response to the compromise the bank also worked to improve its client authentication process. It recommended that clients update their passwords and add security features to their login. This included the usual recommendation of using a unique password and changing it regularly.

The compromise was due to some form of lapse in cybersecurity. HSBC Bank has not, however, published how this occurred. The details noted so far seem to indicate this was a credential stuffing attack. This technique is so usable for attackers because users reuse the same username and password across different website logins. Here, credentials taken from one login are tried against other websites and services the users are likely to use.
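What makes credential stuffing visible to the defender is its traffic shape: a single source trying many different usernames in a short window, with most attempts failing and a few succeeding. The script below is an added illustration of that detection logic, not code from the post or from HSBC; the log lines, the window and the username threshold are constructed assumptions to be tuned against a site’s real traffic.

```python
# Added example (not from the post or HSBC): the traffic shape that gives
# credential stuffing away is one source trying many different usernames in
# a short window, a few of which succeed. The log lines and the thresholds
# below are constructed assumptions for the illustration, not the bank's data.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed web-login log: timestamp, source IP, username, result.
LOG = """\
2018-10-04T10:00:01Z 203.0.113.5 user=alice result=FAIL
2018-10-04T10:00:02Z 203.0.113.5 user=bob result=FAIL
2018-10-04T10:00:02Z 203.0.113.5 user=carol result=FAIL
2018-10-04T10:00:03Z 203.0.113.5 user=dave result=SUCCESS
2018-10-04T10:00:04Z 203.0.113.5 user=erin result=FAIL
2018-10-04T10:00:05Z 203.0.113.5 user=frank result=FAIL
2018-10-04T10:01:00Z 198.51.100.9 user=alice result=FAIL
2018-10-04T10:01:30Z 198.51.100.9 user=alice result=SUCCESS
"""

LINE = re.compile(r"^(\S+) (\S+) user=(\S+) result=(\S+)$")

# Assumed thresholds: tune to the site's normal traffic before alerting on them.
WINDOW = timedelta(minutes=5)
MIN_DISTINCT_USERS = 5


def parse_log(text):
    """Yield (timestamp, ip, user, result) for each well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def stuffing_sources(text=LOG, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Return {ip: (distinct_users, [users that succeeded])} for every source
    that tried at least min_users different usernames within one window.
    The successful usernames are the accounts to suspend and force a reset."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse_log(text):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            segment = events[start:end + 1]
            users = {u for _, u, _ in segment}
            if len(users) >= min_users and len(users) > flagged.get(ip, (0, []))[0]:
                hits = sorted({u for _, u, r in segment if r == "SUCCESS"})
                flagged[ip] = (len(users), hits)
    return flagged


if __name__ == "__main__":
    for ip, (n, hits) in stuffing_sources().items():
        print(f"{ip}: {n} distinct usernames, successful logins: {hits}")
```

The second source in the sample, one user retrying their own password, is deliberately left unflagged: a single account with a failed then successful login is ordinary behaviour, and a rule that fires on it would drown the real signal. The accounts in the success list are the ones the bank’s response in the post corresponds to, suspension and a forced credential reset.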

If anyone in the Meadow is using the same logins or passwords for multiple websites, you may want to change these to something unique.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.


Resources
E Hacking News. (2018, November 7). HSBC online banking customers’ data compromised: Confirms the bank. Retrieved from https://www.ehackingnews.com/2018/11/hsbc-online-banking-customers-data.html

HSBC. (2018, November 2). Notice of data breach. Retrieved from https://oag.ca.gov/system/files/Res%20102923?20PIB%20Main%20v3_1.pdf

Nichols, S. (2018, November 6). HSBC now stands for hapless security, became compromised: Thousands of customer files snatched by crims. Retrieved from https://www.theregister.co.uk/2018/11/06/hsbc_security_broken/

Winder, D. (2018, November 6). HSBC Bank USA admits breach exposing account numbers and transaction history. Retrieved from https://www.forbes.com/sites/daveywinder/2018/11/06/hsbc-bank-usa-admits-breach-exposingaccount-numbers-and-transaction-history/#394417d35af3

Monday, December 3, 2018

Woesnotgone (Woes-not-gone) Meadow; November 28, 2018


All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth. It seems as though winter has crept in like the wind. This has limited our activities somewhat as the roads have a not-so-nice layer of ice, which at times can be difficult to see, let alone drive on.

It seems as though the city of Muscatine, Iowa had its own event slowing down workflow as well. As with most industries, nearly everyone with assets of value is a target. Local municipalities are not sheltered from this risk. Thankfully, the Meadow has not been targeted in recent years. In Muscatine, Iowa, however, several of the city’s servers were targeted, including one used by the finance department.

The attackers used ransomware as their tool. This occurred at approximately 1am on October 17, 2018. This was very successful for the attackers. The servers were targeted and compromised. One of the compromised servers, the Springbrook server, was used by the finance department. The other servers were used by the city hall departments and the library. As this was successful, the affected departments had to use pen and paper for over a week. As of the latest report, the city officials were still reviewing what happened to allow the ransomware in. This has not been published yet.

The city officials did publish a press release on October 18, 2018, describing in general terms what happened. Fortunately, the critical servers were still operating. It is notable that the city did not pay the ransom. Years ago, the city decided to purchase cyber insurance, and this proved to be a benefit, not only because of the coverage itself but also because the insurance company was very active in the response.

To remediate this, the city or the insurance company contracted with a third party to assist with the issue. They believe they were able to isolate the ransomware and move forward. Perhaps it would be prudent to provide additional training for the staff to be alert for general phishing attacks, USB hygiene practices, and what not to click on in the future.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.


Resources
City of Muscatine. (2018, October 18). [Archived] City of Muscatine servers hit with ransomware attack. Retrieved from https://www.muscatineiowa.gov/CivicAlerts.aspx?AID=760&ARC=1030

City of Muscatine. (2018, November 2). City slowly recovering from ransomware attack. Retrieved from https://www.muscatineiowa.gov/CivicAlerts.aspx?AID=770

Coleman, S.B. (2018, November 2). Update: City of Muscatine “well on the way” to return of normal operations after ransomware attack. Retrieved from https://www.kwqc.com/content/news/City-of-Muscatine-reports-ransomware-attack-497981371.html

Hanson, A. (2018, October 23). City of Muscatine responds to cyber attack. Retrieved from https://www.kwqc.com/content/news/City-of-Muscatine-responds-to-cyber-attack-498364541.html

Journal Staff. (2018, November 2). Muscatine still recovering from ransomware attack. Retrieved from https://muscatinejournal.com/muscatine/news/local/muscatine-still-recovering-from-ransomware-attack/

Loging, S. (2018, November 15). Muscatine coming back online after cyber attack left them in the dark. Retrieved from https://www.ourquadcities.com/news/muscatine-coming-back-online-after-cyber-attack-left-them-in-the-dark/1600554261

WQAD Digital Team. (2018, October 19). Muscatine cyber attack targets government financial server. Retrieved from https://wqad.com/2018/10/19/muscatine-cyber-attack-targets-government-financial-server/

WQAD Digital Team. (2018, November 2). Muscatine government cyber attack recovery ‘a slow process’. Retrieved from https://wqad.com/2018/11/02/muscatine-government-cyber-attack-recovery-a-slow-process/