Saturday, June 29, 2019

Navicent Pwned


People tend to visit their doctor every now and again for annual check-ups, scrapes, and other issues. As patients visit their respective doctors, the office requires certain information and the doctor has their notes from the visit. This information is important to us and has value. Most of the time, securing it is not an issue. This was not the case for Navicent Health. Navicent Health is based in Macon, GA. It is one of middle Georgia’s largest employers and healthcare providers, and is also the second largest hospital.

The attackers focused on the hosted staff email system. Fortunately, this did not include the EHR system or network. The staff email system did, however, contain patients’ private personal information. This included the patient’s name, date of birth, address, and limited medical information, and a portion of the patients also had their social security numbers exposed. To top off the list, there was also billing and appointment scheduling data.

The successful attack occurred in July 2018. Curiously, it was not detected until January 24, 2019. Navicent did notify law enforcement of the attack and breach. The breach affected the PHI and PII of 278,016 patients. The patients’ data was located on the compromised email server. Navicent was not completely sure if the attackers had viewed or downloaded the patients’ data. To be conservative, it is presumed the attackers had.

The company contracted a third-party forensics firm to investigate the issue. They also notified the affected parties. In response to the breach, they offered free ID theft protection. This was limited to the patients whose social security numbers were exposed. The recommendation to patients is to monitor their credit reports and account statements. To reduce the potential for this to happen again, management is reviewing additional staff education and adding other technology.

There were a number of issues with this successful attack. First, there needed to be additional training for the staff. Also significant was the rather long time lag from the attack date to the detection date. The successful attack was in July 2018. The detection occurred on January 24, 2019. This was a rather long time to detect a rather significant issue. There has been no comment as to why this took so long.


Resources

Abrams, L. (2019, April 17). Navicent health data breach exposes patient’s personal info. Retrieved from https://www.bleepingcomputer.com/news/security/navicent-health-data-breach-exposes-patients-personal-info/ 

Corley, L. (2019, March 22). Navicent health announces cyber attack targeting its email system. Retrieved from https://www.macon.com/news/local/crime/article228281814.html

Davis, J. (2019, March 25). Navicent health reports data breach from july 2018 cyberattack. Retrieved from https://healthitsecurity.com/news/navicent-health-reports-data-breach-from-july-2018-cyberattack

Dissent. (2019, March 22). Navicent health announces cyber attack targeting its email system. Retrieved from https://www.databreaches.net/navicent-health-announces-cyberattack-targeting-its-email-system/ 

Drees, J. (2019, April 16). Update: Data breach exposes 278,000 navicent health patients’ information. Retrieved from https://www.beckershospitalreview.com/cybersecurity/update-data-breach-exposes-278-000-navicent-health-patients-information.html

HIPAA Journal. (2019, March 25). PHI exposed in three recent email security incidents. Retrieved from https://www.hipaajournal.com/phi-exposed-in-three-recent-email-security-incidents/

Inforisktoday. (2019). Cyberattack exposes PHI in email attacks. Retrieved from https://www.inforisktoday.com/cyberattack-exposes-phi-in-email-accounts-a-12349/  

Marlin, L. (2019, March 26). Email breaches in three states expose protected health information. Retrieved from https://privaplan.com/blog/email-breaches-in-three-states-expose-protected-health-information/

McGee, M.K. (2019, April 5). Cyberattack exposes phi in email accounts. Retrieved from https://www.careersinfosecurity.com/cyberattack-exposes-phi-in-email-accounts-a-12349

Navicent Health. (2019). Notice of data security incident. Retrieved from https://www.navicenthealth.org/notice-of-data-security-incident.html

Spamfighter. (2019). Navicent health reported data breach due to a cyberattack. Retrieved from https://www.spamfighter.com/news-22140-Navicent-Health-reported-Data-Breach-due-to-a-cyberattack.htm

Vigo County Pwned

Every municipality has a varied level of services and staffing for its residents. Based on the size, the training would also differ. A smaller village naturally would not have in-depth cybersecurity training due to workforce and budgetary constraints. One municipality which may wish it had more training is Vigo County, located in Indiana. On one particular day, the users began to notice their systems weren’t working. This manifested as the users being locked out of their accounts.

Although this was curious on its own merits, the attack tool was much more basic. The attackers used a basic tool to compromise the system. A number of emails were sent with malware included, and the users were clicking away. This malware was coded specifically to find financial and banking data for the attackers’ unauthorized use. The attack may have been limited to a few systems on its own; however, it was destructive at an advanced level because 129 of the 489 county computers had not had a patch pushed to them. Most of these systems happened to be part of the courthouse network, versus the county government center or another network where there could have been much more damage. The county has stated that no data was exfiltrated. Fortunately, there were viable back-ups ready to be used.

Immediately after the successful attack was detected, the county ceased email and internet activity. The IT Department asked the County Treasurer and Auditor to stop any internal banking activity until there was assurance the issue was resolved. They also upgraded a portion of the system in response to the issue.

This issue brings up many action items for any business to follow. There needs to be additional training, throughout the year, on phishing. This also shows the importance of viable back-ups. Without them, the issue would have been much larger for the county. The focus should also continue to be on patch management. A robust patch management process would also have limited this problem.

Resources
Lehman, S. (2019, February 14). Virus takes out vigo county government computers. Retrieved from https://www.wthitv.com/content/news/It-rekked-havoc-on-us-virus-takes-out-vigo-county-government-computers-505813581.html

Taylor, D. (2019, February 12). Nasty virus hit vigo county’s computers. Retrieved from https://www.tribstar.com/news/local_news/nasty-virus-hit-vigo-county-s-computers/


Even the Art Industry is not Safe! Artsy Pwned



There are art galleries and museums throughout the nation. When the locality does not have a physical site, there is always the internet as a resource. There are services which provide an inlet into the art world for those of us not proximate to the larger museums. One of these services is Artsy, which is described as “…an online platform that offers views into the art world as well as works for sale…” (Dissent, 2019).

In February 2019, the CTO, Daniel Doubrovkine, emailed the service’s users notifying them of “…a data security incident that may have impacted your Artsy account data.” Merely reading this short portion of his sentence was a bit alarming. With all of the breaches in the retail and commercial industries, there tends to be sensitivity when this occurs.

This affected approximately 1M Artsy users. The affected data is believed to be the users’ names, emails, and IP addresses. While this is still an issue, on the bright side, credit card and banking information was not included. The business had not been notified of any actual or attempted fraud arising from this issue. The data is presumed to be for sale on the dark web.

Artsy recommended the users change their passwords. Also, if users happened to use the same passwords for other sites, which unfortunately occurs, they were advised to change those too. The passwords were not as significant an issue as the other data, as they were stored as hashes.

Unfortunately, the method or vector for the successful attack has not been published. This would have been useful to share so others could learn from the issue and not repeat the same problem. The attack does, however, highlight the importance of thorough defense in depth for the perimeter and, for this use case, hashing passwords.

Resources
Dissent. (2019, February 14). Artsy alerts users of data-security breach; report claims hacked information for sale. Retrieved from https://www.databreaches.net/artsy-alerts-users-of-data-security-breach-report-claims-hacked-information-for-sale/

Greenberger, A. (2019, February 14). Artsy alerts users of data-security breach; report claims hacked information for sale. Retrieved from http://www.artnews.com/2019/02/14/artsy-data-stolen-security-incident/


Mums on the breach! Mumsnet cloud issue





Mumsnet is a service for parents by parents. It is used as a forum for parents to post their thoughts, ideas, questions, etc. and for others to respond. Parents who have questions or are encountering issues they haven’t experienced before have the opportunity to talk to others who have worked through the specific issue.

Mumsnet reported an issue with its attempt to migrate the service to the cloud. This was reported to the Information Commissioner’s Office (ICO), as private, confidential information of GDPR-covered residents was involved. The issue was that users were able to log into other users’ accounts without any authorization. In particular, there is a forum where persons are able to post comments on various topics. The company upgraded the software the forum runs on. For three days (Tuesday afternoon 2pm GMT to Thursday morning 9am GMT), if two users attempted to log in at the same time, the two accounts could be switched. The user could post a message as the other user, view the other’s account details, and read their private messages. On a positive note, they were not able to see the other’s passwords, as these are encrypted.

Mumsnet was not aware of how many users’ accounts had been affected. During the time the issue was present, an estimated 4k users logged in. As users had to attempt to log in during this period, not all 4k would have been affected. There were, however, at least 14 incidents. The business is reviewing the logs. With the potential GDPR fines, this could be a significant issue.

This represents an opportunity to learn. When there is a significant upgrade, testing should be done to ensure there aren’t issues, along with running duplicate systems if the need presents itself, so that this issue does not occur elsewhere.
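Mumsnet did not publish the root cause, so as an added illustration (not their code, and the bug pattern is an assumption about how two concurrent logins can end up swapped) the following shows one classic way it happens: the logged-in identity kept in server-wide state rather than bound to a per-session token. The hardened version beside it mints an unguessable token per login and guards the map. A small log-review helper at the end reflects the “reviewing the logs” step: it walks constructed audit lines and flags any request served under an identity other than the one that authenticated for that session id. All accounts and log lines are constructed.

```python
import hmac
import secrets
import threading
from typing import Dict, List, Optional, Tuple

# Constructed accounts, plaintext only to keep the example short; real systems store hashes.
USERS = {"alice": "pw-alice", "bob": "pw-bob"}


def check_credentials(username: str, password: str) -> bool:
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


class SharedStateForum:
    """Hypothesised bug pattern (an assumption, not Mumsnet's published root cause):
    the logged-in identity lives in one server-wide slot, so whoever logs in last
    is treated as 'the user' for every open connection."""

    def __init__(self) -> None:
        self.current_user: Optional[str] = None

    def login(self, username: str, password: str) -> str:
        if not check_credentials(username, password):
            raise PermissionError("bad credentials")
        self.current_user = username
        return "session"  # same opaque token handed to everyone

    def whoami(self, token: str) -> Optional[str]:
        return self.current_user


class PerSessionForum:
    """Fix: each login mints an unguessable token bound to exactly one account,
    and the map is locked so concurrent logins cannot interleave."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}
        self.lock = threading.Lock()

    def login(self, username: str, password: str) -> str:
        if not check_credentials(username, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        with self.lock:
            self.sessions[token] = username
        return token

    def whoami(self, token: str) -> Optional[str]:
        with self.lock:
            return self.sessions.get(token)


def interleaved_logins(forum) -> Tuple[Optional[str], Optional[str]]:
    """Two users log in back to back, then each asks who they are."""
    token_a = forum.login("alice", "pw-alice")
    token_b = forum.login("bob", "pw-bob")  # lands between alice's login and her next request
    return forum.whoami(token_a), forum.whoami(token_b)


# Constructed audit lines: LOGIN binds a session id to a user; later lines record
# which identity a request was served as.
SAMPLE_LOG = [
    "LOGIN sid=s1 user=alice",
    "LOGIN sid=s2 user=bob",
    "POST  sid=s1 as=bob",    # alice's session acted as bob: a swap
    "VIEW  sid=s2 as=bob",
    "VIEW  sid=s1 as=alice",
]


def find_account_swaps(lines: List[str]) -> List[str]:
    """Return the log lines where the acting identity differs from the session owner."""
    owner: Dict[str, str] = {}
    swaps = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        if line.startswith("LOGIN"):
            owner[fields["sid"]] = fields["user"]
        elif fields.get("as") != owner.get(fields.get("sid")):
            swaps.append(line)
    return swaps
```

Running `interleaved_logins` against both classes shows the shared-state version answering “bob” for Alice’s token while the per-session version keeps each token on its own account; the log helper is the kind of check that turns “we think about 14 were affected” into a definite list.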

Resources

Cyware. (2019, February 7). Mumsnet reports itself to regulators over data breach. Retrieved from https://cyware.com/news/mumsnet-reports-itself-to-regulator-over-data-breach

Dissent. (2019, February 10). Mumsnet reports itself to regulator over data breach. Retrieved from https://www.databreaches.net/mumsnet-reports-itself-to-regulator-over-data-breach/

Hellard, B. (2019, February). Mumsnet reports data breach to ICO after problematic cloud move. Retrieved from https://www.itpro.co.uk/information-commissioner/32943/mumsnet-reports-data-breach-to-ico-after-problematic-cloud-move

Hern, A. (2019, February 7). Mumsnet reports itself to regulator over data breach. Retrieved from https://www.theguardian.com/uk-news-2019/feb-07/mumsnet-reports-itself-to-regulator-over-data-breach

Hunter, D. (2019, February 8). Mumsnet reports data breach to the ICO. Retrieved from https://dgpr.report/news/2019/02/08/mumsnet-reports-dta-breach-to-the-ico/

Kunert, P. (2019, February 7). Mumsnet data leak: Mooning parents could see other user’s privates after cloud migration. Retrieved from https://www.theregister.co.uk/2019/02/07/mumsnet-breach/


Friday, June 28, 2019

Australian Parliament Attacked!



With local municipalities, there is a local government managing the business for the town, city, village, etc. Depending on the size of the municipality, the required governance may be significant or minimal. As each of these grows, there tends to be more staffing required, larger networks, and more responsibility to go around.

National governments are no different. As these have grown, the infrastructure to support them has likewise grown to a critical mass. As these agencies grow larger, they also tend to be more of a target. The Australian parliament recently found this out the hard way, which also gave them the opportunity to review their defensive cybersecurity posture.

As with any national government, there is a substantial network infrastructure in place to support the computing activities. This was recently attacked, or as they put it, there was a “security incident on the parliamentary computing network.” While some are calling this an attack, others are calling it a breach. The timing was curious. It occurred merely three months prior to the Australian election.

This was not a substantial or prolonged attack. This was focused on the parliamentary computer network. This includes database and email systems. The attack occurred overnight. The initial incident response indicated no data had been exfiltrated. This was still being investigated after the attack. The authorities are also reviewing if a state actor had been involved.

Unfortunately, the attack methods have not been elaborated on. This would prove to be the more interesting part. It could also be used as a teaching tool, so that there would at least be some form of benefit.

To be conservative and out of an abundance of caution, all of the passwords had to be reset. There were also other measures being worked on to further secure the network.

Governments are not a new target. The US government has been hacked several times over the years, across many different agencies, including the IRS, OPM, and FDIC, to name a few. The week before the attack, the British government experienced a bit of this when their email and phone contact lists were attacked. Also, the Scottish parliament email accounts were attacked unsuccessfully in 2017. This list is not extensive by any means. There have been many more attacks, some known, most probably not published.

This exemplifies the need for cybersecurity exercises. It requires regular audits and examinations to ensure the system’s cybersecurity is up to date.

Resources
BeauHD. (2019, February 8). Australian parliamentary network hacked in possible foreign government attack. Retrieved from https://it.slashdot.org/story/19/02/08/073241/austrailia-parliamentary-network-hacked-in-possible-foreign-government-attack

BBC. (2019, February 8). Australian parliament hit by cyber-hack attempt. Retrieved from https://www.bbc.com/news/world-australia-47166590

Borys, S. (2019, February 7). China link possible in cyber attack on Australian parliament computer system, ABC understands. Retrieved from https://www.abc.net.au/news/2019-02-08/china-government-cyber-security-breach-parliament-hackers/10792938

Central Telegraph. (2019, February 8). China probed in parliament hack attack. Retrieved from https://www.centraltelegraph.com.au/news/breach-of-federal-parliamentary-computing-network-/3642837/

Moderc, M. (2019, February 8). Australian parliamentary network hacked; no sign data stolen. Retrieved from https://www.cnbc.com/2019/02/08/australian-parliamentary-network-hacked-no-sign-data-stolen.html

Remeikis, A. (2019, February 7). Australian security services investigate attempted cyber attack on parliament. Retrieved from https://www.theguardian.com/australian-news/2019/feb/08/asio-australian-security-services-hack-data-breach-investigate-attempted-cyber-attack-parliament

Schwartz, M.J. (2019, February 8). Hack attack breaches Australian parliament network. Retrieved from https://www.bankinfosecurity.com/hack-attack-breaches-australian-parliament-network-a-12012

The Associated Press. (2019, February 8). Australian parliamentary network hacked; no sign of data stolen. Retrieved from https://abcnews.go.com/Technology/wireStory/australian-parliamentary-network-hacked-sign-data-stolen-60930659

Wroe, D., & Uhlmann, C. (2019, February 8). Federal MPs’ computer network hacked in possible foreign government attack. Retrieved from https://www.smh.com.au/politics/federal/federal-mps-computer-network-hacked-forcing-passwords-to-be-changed-20190208-p50wgm.html



Thursday, June 27, 2019

Physician's Office Forced to Close Due to Ransomware


Ransomware’s Long-Reaching Effects: Physician’s Office Shut Down
Physicians are located throughout the nation, each with their specialties. As these practices vary in size, the budgets they spend on cybersecurity vary greatly. The rule of thumb, for better or worse, has been that the more spent on cybersecurity, the more intricate and hardened the system. This, however, has not always been the case.

Recently, Brookside ENT and Hearing Center had the pleasure of managing a successful cybersecurity attack and compromise. This doctor’s office was located in Michigan. The successful attack initially encrypted the files and the complete computer system for Brookside ENT and Hearing Center. The attacker demanded a $6,500 ransom for the decryption key. The ransom was refused, which normally is a good route to follow if you have viable backups and/or are able to recreate the data without significant issue. Naturally, the attackers were not exceptionally happy with this response. As a direct result, the entirety of the practice’s computer network was erased. This included all of the patient files and records. This was, to say the least, a bad situation.

Effect
The medical practice was owned by John Bizon, MD, and William Scalf, MD. After all the records were erased, the owners decided to retire and close the practice. Rebuilding the practice’s data and other pertinent information was simply not worth it for the owners/doctors. This adversely affected the patients.

The data affected was rather expansive. It included all the appointment schedules, payment data, and other patient information. On the bright side, it appears no patient data was accessed and the electronic health records (EHR) were encrypted. The potential issue is that the encryption protocol in place was not published. It is presumed this was an industry standard and not home-rolled or an outdated version.

Incident Response
The FBI was actively investigating the successful attack. Unfortunately, the attack vector and tools had not yet been published. This data could have been used as a learning tool and case study for others. The attack could have been a simple phishing attack, with the right staff members clicking on an image or link.

This illustrates the need for purposeful training for the staff members on the various cybersecurity topics. It is by far too late for this practice; however, others may learn from this.

Resources
Davis, J. (2019, April 1). Michigan practice to shutter after hackers delete patient files. Retrieved from https://healthitsecurity.com/news/michigan-practice-to-shutter-after-hackers-delete-patient-files



Wednesday, June 26, 2019

Genesee County Pwned!


Genesee County under attack!
-Charles Parker, II

There are vast numbers of municipalities of various sizes adjacent to each other throughout each state in the nation. Each of these obviously has a computer network, of varying sizes, in place for the day to day operations. One of these counties, in Michigan, also recently had an interesting issue. Genesee County has had much written about it, as the city of Flint is at the center of the media storm. In this county, there was recently a successful ransomware attack, unfortunately.
Attack
Ransomware has, over the last few years, been exceptionally successful as an attack. The trend continues, as published repeatedly across many industries. One of the victims was the municipal offices of Genesee County, located in Michigan. The successful attack used one of the ransomware tools. The Genesee County Clerk stated the county servers were shut down due to this. The ransomware followed its standard protocol and encrypted the files. There naturally was a demand for money with this; once received, the attackers would provide the decryption key. The initial forensic work indicated no files were exfiltrated, which was a good thing.

What to do?
This was a rather significant issue for the county. There were a few options for the county to follow, given the parameters of the attack. They could pay the fee and hope the attackers would provide the decryption key. The county would also have to hope the attackers did not leave any malware or back doors in the network. As an alternative, they could decline to pay the fee and use back-ups, which would require time, and accurate and viable back-ups being in place prior to the attack. As the third option, they could do nothing and hope for the best.

The county ended up not paying the ransom. This was the safest bet as long as the county had recent, up-to-date back-ups, which had been tested, in place. Fortunately for the county, its general fund, and its insurance company, there were adequate back-ups in place. The back-ups had been done the evening before at midnight, which indicated the amount of data to be replicated would be minimal. There would still be a large amount of time required, as the back-ups needed to be used to replace the encrypted data and files.

Affected
Attacks can vary in depth and width across the network, depending on the network itself and the form of ransomware. They could affect one system or the complete set of servers. In this case, nearly all of the networks in the system were affected. The county had signs in the office windows stating that the computer system was down and that they were using manual systems; the computer systems had been down for several days. The one relatively pertinent system, payroll, was not, however, affected.

Forensic Work
This was a rather large project. The county contacted and had been working with the Michigan State Police and the FBI for their expertise. There may also have been other third-party contractors involved.

Lessons Learned
Ransomware is a curious tool. While very devastating, it may also be viewed as modular, in that the malicious tool may be adjusted according to the end result needed. All it takes is one employee in the wrong department clicking on the wrong link. This issue did, however, show the importance of back-ups and of testing them to ensure they really are backing up. It also shows there is still a distinct need for employees to be trained.
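Both the Brookside and Genesee County write-ups turn on the same lesson: a back-up only counts if it has been verified and is recent enough. As an added example (not either organisation’s tooling; file names, directories and the one-day recovery point are all constructed assumptions), the following builds a back-up with a hash manifest, verifies it by re-hashing every file and checking its age, and refuses to restore from a copy that fails either check. `run_demo` creates a throwaway source tree so the whole thing runs offline.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional, Tuple


def file_sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path) -> Dict[str, str]:
    """Relative POSIX path -> sha256 for every file under root."""
    return {p.relative_to(root).as_posix(): file_sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(source: Path, dest: Path, created: Optional[float] = None) -> Path:
    """Copy the tree into dest/data and record a manifest of hashes plus a timestamp."""
    shutil.copytree(source, dest / "data")
    manifest = {"created": created if created is not None else time.time(),
                "files": tree_hashes(source)}
    (dest / "manifest.json").write_text(json.dumps(manifest, sort_keys=True))
    return dest


def verify_backup(backup: Path, max_age_seconds: float,
                  now: Optional[float] = None) -> Tuple[bool, List[str]]:
    """Re-hash the stored copy against its manifest and check it is within the allowed age."""
    manifest = json.loads((backup / "manifest.json").read_text())
    problems: List[str] = []
    age = (now if now is not None else time.time()) - manifest["created"]
    if age > max_age_seconds:
        problems.append(f"backup is {age / 3600:.1f} h old, allowed {max_age_seconds / 3600:.1f} h")
    actual = tree_hashes(backup / "data")
    for rel, expected in manifest["files"].items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != expected:
            problems.append(f"hash mismatch: {rel}")
    for rel in actual:
        if rel not in manifest["files"]:
            problems.append(f"unexpected file in backup: {rel}")
    return (not problems), problems


def restore_backup(backup: Path, target: Path, max_age_seconds: float) -> Tuple[bool, List[str]]:
    """Restore only from a verified copy, then prove the restored tree matches the manifest."""
    ok, problems = verify_backup(backup, max_age_seconds)
    if not ok:
        return False, problems
    shutil.copytree(backup / "data", target)
    manifest = json.loads((backup / "manifest.json").read_text())
    if tree_hashes(target) != manifest["files"]:
        return False, ["restored tree does not match manifest"]
    return True, []


def run_demo() -> Dict[str, bool]:
    """Constructed scenario: good backup, restore, silently corrupted backup, stale backup."""
    base = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    src = base / "county_share"
    (src / "clerk").mkdir(parents=True)
    (src / "clerk" / "schedule.txt").write_text("constructed sample: court schedule\n")
    (src / "payroll.csv").write_text("constructed sample: payroll rows\n")
    results: Dict[str, bool] = {}
    one_day = 86400.0
    backup = make_backup(src, base / "backup")
    results["fresh_backup_verifies"] = verify_backup(backup, one_day)[0]
    # Restore to a clean location, as would be done once the originals were encrypted.
    results["restore_succeeds"] = restore_backup(backup, base / "restored", one_day)[0]
    results["restored_content_matches"] = (
        (base / "restored" / "payroll.csv").read_text() == (src / "payroll.csv").read_text())
    # A copy that was silently written wrong is caught before anyone depends on it.
    (backup / "data" / "payroll.csv").write_text("truncated\n")
    results["tampered_backup_verifies"] = verify_backup(backup, one_day)[0]
    # An intact copy older than the recovery point objective is still flagged.
    stale = make_backup(src, base / "stale", created=time.time() - 3 * one_day)
    results["stale_backup_verifies"] = verify_backup(stale, one_day)[0]
    shutil.rmtree(base)
    return results
```

One design caveat: the manifest here sits beside the data, so anything that can alter the back-up can alter the manifest too; in production the manifest (or at least its hash) belongs on separate, offline or write-once storage, which is also where the back-up itself should live if it is to survive the kind of network-wide encryption the county experienced.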

Resources
Acosta, R. (2019, April 4). Ransomware computer virus hits county network. The Flint Journal, A1.

Ciak, M. (2019, April 4). Genesee county hacking incident ‘more extensive than initially thought’. Retrieved from Genesee County hacking incident 'more extensive than initially thought'

Dissent. (2019, April 3). Genesee county’s email system not functional after ransomware attack. Retrieved from https://www.databreaches.net/genesee-countys-email-system-not-funcitonal-after-ransomware-hack/

Olenick, D. (2019, April 5). Genesee county ransomware attack more severe than originally thought. Retrieved from Genesee County ransomware attack more severe than originally thought | SC Media

Pierret, A. (2019, April 3). Genesee county’s email system not functional after ransomware attack. Retrieved from Genesee County's email system not functional after ransomware hack

Winant, D. (2019, April 4). Servers in genesee county were hacked. Retrieved from https://www.wnem.com/news/breaking-servers-hacked-in-gen-co/


Friday, June 21, 2019

Securing Connected Cars


Securing Connected Cars
Charles Parker, II


Vehicles abound in society and culture. They vary in age, color, manufacturer, and the amount of tire and brake wear. One topic commonly in the news and talked about has been securing these vehicles, especially the connected vehicles of today and the autonomous vehicles of the future. New articles with these as the story focus appear regularly. With these vehicles, due to the other assets the vehicle connects to (e.g. V2X, V2I, V2V, V2G, etc.), a successful attack has the potential to cause a really bad day.

Vehicles are becoming increasingly connected. At some point in the near future, the vehicles we have grown up with will become autonomous. With each of these iterations of advancing vehicle technology, one aspect becomes increasingly pertinent: the vehicles have to incorporate security into the vehicle’s infrastructure. The functionality requires it. As these vehicles control a greater extent of the operations previously managed manually, the risk increases. When the vehicles are autonomous, the risk is rather significant. For instance, when the sensors are connected, the risk is a false reading. If there is a tire pressure monitoring system (TPMS), the risk is for the equipment to read more or less than the actual air pressure in the tire. An attacker could successfully force the system to register an exceptionally low pressure reading, forcing the driver to pull over to the side of the road.

With the advanced autonomous drive vehicle, the risk is magnified. This is due to the attacker having the opportunity to take full control of the vehicle. The auto could be re-routed to a totally different location or turned into traffic during rush hour. This series of use cases illustrates the necessity and requirement for a secure vehicle infrastructure. These attacks absolutely do not have to be by someone located in or within a few feet of the car, or physically connected to it with a patch cord. They may be done from anywhere across the globe with a fair internet connection. This makes the connected and autonomous drive vehicle even more potentially devastating. These attacks unfortunately occur with the present fleets. They may initially take the form of a proof of concept (PoC) at this point. The jump to a fully mature attack from this point is not that great a stretch for the adequately trained attacker. These hypothesized compromises have been demonstrated by cybersecurity researchers on Tesla, BMW, Nissan, Mitsubishi, FCA, and other manufacturers’ vehicles.

To address this growing, germane issue, Mitsubishi Electric developed a cyber-defense system to defend vehicles. The new system incorporates multiple cybersecurity layers into one defense-in-depth tool. It works by improving the head unit’s (HU’s) ability to defend the vehicle. The vehicle’s connected function has allowed for an in-depth attack vector and path to the vehicle’s crown jewels, or the attacker’s targets to exfiltrate.

As noted, there are multiple layers of defense. This acts much like an intrusion detection/prevention system (IDS/IPS). It is intended to decrease the potential for a successful attack. The more difficult it would be for the attacker to succeed, the greater the chance the attacker will move on to the next, easier target. The attackers would not spend weeks or months on a random target when they would be able to successfully compromise another vehicle in days or a week. This is simple economics.

This works by identifying attempted attacks in the HU and the modules controlling the vehicle. It detects attack methods for the vehicle. It was designed for a faster boot-up, estimated to take less than 10% of the time of a conventional boot-up process. For this cybersecurity system, the HU is the focus for the defensive operating system. This is an appropriate central point as the HU is attached to the internet. The researchers analyzed the defense in depth used by critical infrastructure and applied the theory to the vehicle.

The new system verifies the integrity of the software in the vehicle’s operations during the boot-up process. It completes the task while not being overbearing on processing time and power. The direct effect on the system is a key consideration. The vehicle’s cybersecurity has to be fully addressed prior to the more connected vehicles being placed on the road. Drivers across the freeways would rather not have a rogue vehicle careening through traffic during rush hour on a Tuesday morning.
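Mitsubishi Electric has not published how its boot-time verification works, so the following is an added, simplified illustration of the general technique (not their implementation): a signed manifest of expected image hashes is checked first, then each image is hashed in boot order and the boot halts at the first mismatch, before the suspect component runs. The component names, images and key are all constructed; the manifest is authenticated with an HMAC under a key assumed to live in a hardware-protected store, whereas real verified boot uses a public-key signature so no secret needs to be on the head unit at all.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Assumption: stands in for a key held in a secure element. Real verified boot
# verifies a public-key signature instead, so the device holds no secret.
BOOT_KEY = b"demo-key-held-in-secure-element"

# Constructed stand-ins for the images a head unit would load, in boot order.
# The component names are hypothetical.
BOOT_ORDER = ["bootloader", "hu_os", "telematics_service"]
IMAGES: Dict[str, bytes] = {
    "bootloader": b"constructed bootloader image v1",
    "hu_os": b"constructed head-unit OS image v1",
    "telematics_service": b"constructed telematics daemon v1",
}


def image_hash(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def build_manifest(images: Dict[str, bytes], key: bytes) -> Dict:
    """Produced at the signing step (factory or OTA): one hash per image plus an
    authenticator over the whole list so entries cannot be swapped individually."""
    entries = {name: image_hash(blob) for name, blob in images.items()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "tag": hmac.new(key, body, "sha256").hexdigest()}


def verify_boot(images: Dict[str, bytes], manifest: Dict, key: bytes,
                order: List[str]) -> Tuple[bool, List[str]]:
    """Boot-time check: authenticate the manifest, then hash each image in boot
    order, halting before the first component that does not match."""
    log: List[str] = []
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_tag = hmac.new(key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        return False, ["manifest: authenticator mismatch, refusing to boot"]
    log.append("manifest: authentic")
    for name in order:
        expected = manifest["entries"].get(name)
        blob = images.get(name)
        if expected is None or blob is None:
            return False, log + [f"{name}: not listed or not present, halting"]
        if image_hash(blob) != expected:
            return False, log + [f"{name}: hash mismatch, halting before it runs"]
        log.append(f"{name}: verified, starting")
    return True, log
```

Hashing only the listed images, in order, is also what keeps the check cheap relative to a full scan, which is the property the article’s boot-time figure is getting at; the cost scales with the size of the trusted image set rather than with everything on the head unit.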

This cybersecurity feature is a great first step. The tool addresses one vector for an attack. There are others, which focus on the other aspects of the vehicle’s functions and communications, to address in the future.

Resources
Green Cars Congress. (2019, January 22). Mitsubishi electric develops cyber defense technology for connected cars. Retrieved from https://www.greencarcongress.com/2019/01/20190122.html

Kovacs, E. (2019, January 22). Mitsubishi develops cybersecurity technology for cars. Retrieved from https://www.securyweek.com/mitsubishi-develops-cybersecurity-technology-cars

Market Watch. (2019, January 21). Mitsubishi electric develops cyber defense technology for connected cars. Retrieved from https://www.marketwatch.com/press-release/mitsubishi-electric-develops-cyber-defense-technology-for-connected-cars-2019-01-21

R., J. (2019, January 22). Mitsubishi electric develops auto cyber security. Retrieved from https://www.universitymitsubishi.com/mitsubishi-electric-develops-auto-cyber-security/

Rajan, P. (2019, January 23). Mitsubishi electric develops cybersecurity technology for connected cars. Retrieved from https://www.telematicswire.net/automotive-security/mitsubishi-electric-develops-cybersecurity-technology-for-connected-cars/



Friday, June 14, 2019

Operation Sharpshooter


Operation Sharpshooter has you targeted
-Charles Parker, II

One aspect of our lives is impacted by a particular industry; without it, our lives would be drastically different. This industry is the defense industry. Another pertinent function is the government, which is likewise integral to our society. In the past, both have been attacked successfully and compromised several times over the years. As targets, they continue to be ripe with data and information that is useful and able to be sold. To this end, there has been a campaign to breach government and defense firms. The data held in these two types of organizations is very useful to many parties across the globe.

Operation Sharpshooter
This campaign was recently in use. The focus was on defense businesses and government agencies. The attackers were able to compromise dozens of these organizations across the world. The operation was active from October to November 2018. There were 87 companies targeted, geographically located in 24 countries, primarily in the nuclear, defense, energy, and finance industries. They were located in the US, South America, Europe, the Middle East, India, Australia, and Japan. The attackers used as their delivery channel an openly accessible platform used by consumers and businesses every single day: social media. The messages were disguised as recruitment documents when they were actually documents with a little malicious intent sprinkled in.

Once the target opened the attachment, the "Rising Sun" malware was installed and the hilarity ensued. This appears to be an updated version of the Duuzer Trojan, which was previously used in the Sony attack from years ago. It would send data to its command and control (C&C) server via HTTP POST requests. Typically, it would access and exfiltrate usernames, IP addresses, network configurations, and system settings. Other sensitive data would also be taken, if possible. All of this was done with the 14 distinct capabilities it was coded with, summarized as intelligence gathering, encryption, exfiltration, and terminating processes. This could be used as the first step of a larger attack. This was another example of a successful social engineering attack.

This successful campaign emphasizes the need to provide adequate training for the staff on phishing and what to look for in such messages.


Resources
Barth, B. (2018, December 12). 'Sharpshooter' cyberespionage campaign scopes out defense, critical infrastructure sectors. Retrieved from https://www.scmagazine.com/home/security-news/sharpshooter-espionage-campaign-scopes-out-defense-critical-infrastructure-sectors/

Browne, R. (2018, December 12). Hackers hit global government and defense firms with cyberspying campaign, McAfee says. Retrieved from https://www.cnbc.com/2018/12/12/mcafee-operation-sharpshooter-hack-hit-government-defense-firms.html

EHacking News. (2018, December 12). Malware 'operation sharpshooter' hits government and defense firms: McAfee. Retrieved from https://www.ehackingnews.com/2018/12/malware-operation-sharpshooter-hits.html

IBS Intelligence. (2018, December 12). New malware 'operation sharpshooter' hits global defense, finance and critical infrastructure claims mcafee. Retrieved from https://ibsintelligence.com/ibs-journal/new-malware-peration-sharpshooter-hits-global-defense-finance-and-critical-infrastructure-claims-mcafee/

Muncaster, P. (2018, December). Operation sharpshooter targets nuclear and defense firms. Retrieved from https://www.infosecurity-magazine.com/news/operation-sharpshooter-targets/

Palmer, D. (2018, December 12). Global hacking campaign takes aim at finance, defence and energy companies. Retrieved from https://www.zdnet.com/article/global-hacking-campaign-takes-aim-at-finance-defence-and-energy-companies/

Sherstobitoff, R., & Malhotra, A. (2018, December 12). 'Operation sharpshooter' targets global defense, critical infrastructure. Retrieved from https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/

Thursday, June 13, 2019

2019 6 13 Cisco routers targeted again


Cisco Routers Targeted ... Again
-Charles Parker, II

The Cisco name is known across the globe and is highly regarded. A massive amount of engineering has been applied to the product line, and in this case their routers.

Targets
Security researchers detected the Cisco RV320 and RV325 WAN routers being scanned and their vulnerabilities being probed for exploitation. Specifically, this was aimed at the RV320 with firmware versions 1.4.2.15 through 1.4.2.19 and the RV325 with versions 1.4.2.15 through 1.4.2.17. These devices are commonly used by internet service providers (ISPs) and large enterprises.

Attacks
The attacks started in earnest in January 2019. This just happened to coincide with researcher David Davidson releasing a proof-of-concept exploit for the targeted routers.

Vulnerabilities
The vulnerabilities driving these exploits were CVE-2019-1653 and CVE-2019-1652. CVE-2019-1653 allows a remote attacker to retrieve sensitive device configuration details without a password, which lets the attacker obtain hashed credentials. CVE-2019-1652 allows a remote attacker to inject and run admin commands on the device without a password and take control of the targeted device.

At the time, 6,247 RV320 and 3,410 RV325 routers were vulnerable, spread across 122 countries and 1,619 distinct ISPs. Both vulnerabilities were reported to Cisco by RedTeam Pentesting of Germany.

Remediation
After the notification, the Cisco engineers naturally worked on the issue, and patches were created and released in January 2019. That might have been the end of it; however, the attackers took Davidson's PoC attack and added other commands, which allowed them to take full control of the affected Cisco devices. To address the issue, users were advised to upgrade to firmware version 1.4.2.20 and to change their passwords. It was important for users to do this, or they might have an unwelcome surprise.
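A defender's first job after an advisory like this is to find every affected unit in the fleet. The following inventory check is an added example, not Cisco's tooling or the researchers' code; it encodes the firmware ranges and the 1.4.2.20 fix given above, and the device list and hostnames are constructed.

```python
"""Inventory check for the Cisco RV320/RV325 firmware ranges named above and the
1.4.2.20 fix. Added example, not Cisco's tooling; the inventory is constructed."""
from typing import Dict, List, Tuple

# Affected firmware ranges as given in the post (inclusive) and the fixed release.
VULNERABLE_RANGES: Dict[str, Tuple[str, str]] = {
    "RV320": ("1.4.2.15", "1.4.2.19"),
    "RV325": ("1.4.2.15", "1.4.2.17"),
}
FIXED_VERSION = "1.4.2.20"

def parse_version(version: str) -> Tuple[int, ...]:
    """'1.4.2.15' -> (1, 4, 2, 15). Numeric tuples compare correctly, whereas a
    plain string comparison would put '1.4.2.9' above '1.4.2.15'."""
    return tuple(int(part) for part in version.strip().split("."))

def assess(model: str, firmware: str) -> str:
    """Classify one device:
      not_affected - model is not RV320/RV325
      fixed        - running 1.4.2.20 or later
      vulnerable   - inside the range listed for that model
      review       - older than the fix but outside the listed range; check the
                     advisory rather than assuming it is safe."""
    key = model.upper().replace(" ", "")          # accept 'RV 320' as well as 'RV320'
    if key not in VULNERABLE_RANGES:
        return "not_affected"
    ver = parse_version(firmware)
    if ver >= parse_version(FIXED_VERSION):
        return "fixed"
    low, high = (parse_version(v) for v in VULNERABLE_RANGES[key])
    return "vulnerable" if low <= ver <= high else "review"

def audit(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the devices that still need action, with the assessment attached."""
    findings = []
    for dev in inventory:
        status = assess(dev["model"], dev["firmware"])
        if status in ("vulnerable", "review"):
            findings.append({**dev, "status": status, "upgrade_to": FIXED_VERSION})
    return findings

# Constructed inventory of the kind an ISP or enterprise would pull from its asset
# database; hostnames and the RV345 entry are placeholders.
INVENTORY = [
    {"host": "edge-rtr-01", "model": "RV320", "firmware": "1.4.2.17"},
    {"host": "edge-rtr-02", "model": "RV 320", "firmware": "1.4.2.9"},
    {"host": "edge-rtr-03", "model": "RV325", "firmware": "1.4.2.19"},
    {"host": "edge-rtr-04", "model": "RV320", "firmware": "1.4.2.20"},
    {"host": "branch-rtr-01", "model": "RV345", "firmware": "1.0.0.0"},
]

if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f['host']}: {f['model']} {f['firmware']} is {f['status']}; "
              f"upgrade to {f['upgrade_to']} and change the device passwords")
```

The password change the post recommends still has to be done by hand after the upgrade; the check only tells you where.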


Resources
0x27. (2019, January 24). CVE-2019-1652/CVE-2019-1653 exploits for dumping cisco rv320 configurations & debugging data and remote root exploit. Retrieved from https://github.com/0x27/CiscoRV320Dump

Cimpanu, C. (2019, January 27). Hackers are going after cisco RV320/RV325 routers using a new exploit. Retrieved from https://www.zdnet.com/article/hackers-are-going-after-cisco-rv320rv325-routers-using-a-new-exploit

Cisco. (2019, January 25). Cisco small business rv320 and rv325 routers command injection vulnerability. Retrieved from https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject

Kumar, M. (2019, January 28). New exploit threatens over 9,000 hackable cisco rv320/rv325 routers worldwide. Retrieved from https://thehackernews.com/2019/01/hacking-cisco-routers.html

Hacking the blockchain-It's not just for breakfast anymore

No longer impregnable-Hacking the blockchain
-Charles Parker, II


Over the last few years, blockchain has been one of the words attracting a great deal of attention. As the technology providing the backbone for cryptocurrency, it saw several new protocols appear. A handful were prepared for their introduction, while too many others were not. The blockchain was to be the promise for those investing in and using cryptocurrency: with it in place, the cryptocurrency was safe.

This was heralded as the one application of computer science engineering which was not vulnerable to a successful attack. By all accounts, for those directly and intrinsically involved in the industry, there was nothing to worry about, due to the structure and framework used by the blockchain.

Not Merely a Theory-Coinbase
It would be easy enough to spout on about how blockchain apps could be hacked. There are many theories on how this could be done. A portion of these are exceptionally complicated, while others are relatively simple.

In January 2019, the theory became reality. The security team at Coinbase was working through the day, just like any other, when at some point they began to notice strange occurrences focused on Ethereum Classic. The exchange platform is generally used to purchase and sell cryptocurrency. The attackers had control of over half of the Coinbase network, and their efforts allowed them to rewrite the transaction history.

The rewriting of the transaction logs allowed the group to double-spend. Gate.io lost approximately $200k. This was not the only successful attack: since 2017, nearly $2B of cryptocurrency has been stolen, and that is only the publicly revealed amount.
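To see why controlling more than half of the hash power lets an attacker rewrite transaction history, and why confirmation depth is the exchange's main control, here is an added example (not Coinbase's or Gate.io's code): a toy longest-chain selector plus Nakamoto's catch-up probability, with a constructed deposit and a constructed conflicting fork.

```python
"""Why a majority of hash power can rewrite history, as in the Ethereum Classic
reorganisation described above. Added example: a toy longest-chain selector and
Nakamoto's catch-up probability; blocks and transactions are constructed."""
import math
from typing import List, Optional, Tuple

Block = Tuple[str, str, List[str]]   # (block_id, parent_id, transactions)
GENESIS = "genesis"

def canonical_chain(blocks: List[Block]) -> List[Block]:
    """Longest-chain rule: nodes follow the tip with the most blocks behind it,
    so whoever can out-mine everyone else decides which history counts."""
    by_id = {b[0]: b for b in blocks}
    def height(bid: str) -> int:
        return 0 if bid == GENESIS else 1 + height(by_id[bid][1])
    tip = max(by_id, key=height)             # ties: first seen wins (fine for a toy)
    chain: List[Block] = []
    while tip != GENESIS:
        chain.append(by_id[tip])
        tip = by_id[tip][1]
    return chain[::-1]

def confirmed_txs(blocks: List[Block]) -> List[str]:
    return [tx for _, _, txs in canonical_chain(blocks) for tx in txs]

def attacker_success(q: float, z: int) -> float:
    """Nakamoto's estimate that an attacker holding share q of the hash power
    overtakes a transaction buried z blocks deep. At q >= 0.5 it is 1.0:
    extra confirmations only delay the reorganisation, never prevent it."""
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * q / p
    total = 0.0
    for k in range(z + 1):
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total

def required_confirmations(q: float, max_risk: float) -> Optional[int]:
    """Exchange-side control: smallest depth keeping reorg risk under max_risk,
    or None when no depth can (q >= 0.5)."""
    if q >= 0.5:
        return None
    z = 0
    while attacker_success(q, z) > max_risk:
        z += 1
    return z

# Constructed race: the honest chain buries a deposit to the exchange under three
# more blocks; a private fork from the same parent spends the same coins back to
# the attacker and is published once it is one block longer.
DEPOSIT = "attacker -> exchange: 100"
HONEST = [("h1", GENESIS, [DEPOSIT]), ("h2", "h1", []), ("h3", "h2", []), ("h4", "h3", [])]
PRIVATE_FORK = [("a1", GENESIS, ["attacker -> attacker: 100"]), ("a2", "a1", []),
                ("a3", "a2", []), ("a4", "a3", []), ("a5", "a4", [])]

def deposit_reversed() -> bool:
    """True when the deposit was confirmed before the fork and gone after it."""
    return DEPOSIT in confirmed_txs(HONEST) and DEPOSIT not in confirmed_txs(HONEST + PRIVATE_FORK)
```

With a 10% attacker, `required_confirmations(0.1, 0.001)` gives 5 blocks; with 51% it returns None, which is the whole point of the Ethereum Classic incident.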

Market's Attitude
Honestly, the market should not be shocked by this turn of events. There is a massive amount of cryptocurrency on these platforms waiting to be attacked. These attacks are not easy to complete successfully; that being said, as long as there is money or assets to steal, there will be targets.

Thursday, June 6, 2019

Woesnotgone Meadow; June 6, 2019



All is well here at Woesnotgone Meadow, where everyone has above average bandwidth.

In the Meadow, the residents and families may need to use county resources every now and again. These various services are readily available. In the Grand Rapids, MI area there is an agency providing mental health services. The services are provided by the Kent County Community Mental Health Authority. The organization is also known as Network 180.

Attack Method
The system was breached on October 28, 2018, and the breach remained open for approximately 9 days. The county agency was targeted by a phishing campaign. This has been seen in abundant numbers over the last few years as more phishers come online and users continue to be click-happy. The phishing emails were above average in composition and form, as they were created from a legitimate source. Three employees, lured by the emails, clicked the link or attachment.

Once detected, there was a full investigation, managed by the HIPAA Privacy Officer, HIPAA Security Officer, IT Department, and HIPAA Legal Counsel. The issue was reported to HHS. The investigating team, through their efforts, could not definitively state whether the data was viewed or accessed.

Data
The attackers focused on data and other valuable points in the system. With this attack, the data at risk was in encrypted email accounts (names, addresses, dates of birth, Medicaid and Medicare ID numbers, Network 180 internal ID numbers, waiver support application ID numbers, provider names, schools attending or attended, demographic data, names of the patient's relatives, ethnicity or race, and the patient's health care provider(s)). For approximately 20 of the 2,284 patients, the social security numbers were also compromised.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.

Remediation
The successful attack required a mass password reset. The organization also needed to update their cybersecurity measures.

Resources
Davis, J. (2019, January 10). Phishing attack hits kent county community mental health. Retrieved from https://healthitsecurity.com/news/phishing-attack-hits-kent-county-community-health

Dissent. (2019, January 8). MI: Kent county community mental health authority notifies 2,284 patients after phishing attack. Retrieved from https://www.databreaches.net/mi-kent-county-community-mental-health-authority-notifies-2284-patients-after-phishing-attack/

Hackbusters. (2019, January). Phishing attacks at mental health organization affects 2284 clients. Retrieved from http://www.hackbusters.com/news/stories/4248385-phishing-attacks-at-mental-health-organization-affects-2284-clients-health-data-management



Tuesday, June 4, 2019

Woesnotgone Meadow; June 4, 2019



All is well here at Woesnotgone Meadow, where everyone has above average bandwidth.
In the Meadow, we have our municipal office, which manages the Meadow’s business and works with our citizens. The Meadow has maintained its presence under the radar and has been fortunate to not have been attacked. Akron, OH, however, has not been this lucky.

The city's computers were the targets for the attack. As this was successful, ransomware was deployed on their systems. Curiously, this was the second time the city was successfully attacked; the first was in 2013.
Effect
Once the successful attack was detected, the city knew there was a significant issue. The attack shut down a majority of Akron’s 311 system. This also affected other critical software and hardware systems. Fortunately for the city, the attack wasn’t nearly as in-depth and devastating as it could have been.
Demand!
The attackers demanded a six-figure sum for the decryption key. Without the funds, the key would not be provided. This could potentially have been devastating: with the city's data and information encrypted, workflow and recordkeeping could have been crippled, and operations pushed back into the 1950s with paper and pencil.
Response
The city did not respond to the attackers. The city had the foresight to have daily back-ups done; without these in place, the attackers would have had significantly more leverage over the city. The city ended up restoring the files from the day before, so the workers only had to re-enter one day's worth of work.

From the legal aspect, the city did contact the FBI and Ohio Highway Patrol. The Akron mayor also requested assistance from the governor in the form of the Ohio National Guard’s help from the 172nd Cyber Security Protection Team.
Take-Away
The attack shows the importance not only of active monitoring of the system but also of back-ups. The back-ups were integral to reducing the attacker's leverage. They allowed the city to restore the data from the day before, without spending the money to attempt to secure the decryption key. Without them, the city's only option would have been to make a large payment and hope the decryption key was provided. The back-ups were also done on a daily rotation, which allowed not only the restore but also a minimal amount of data having to be re-keyed or otherwise incorporated into the data.
With this case and many others, the rule to apply is: back up, and check the back-ups to ensure they are not corrupted.
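One way to act on that rule, as an added example and not Akron's actual process: hash each daily backup when it is taken, verify the hashes before restoring, and fall back to the newest day that still verifies. Directory names, dates and file contents are constructed.

```python
"""Check daily backups before relying on them: record a SHA-256 manifest when the
backup is taken, verify it later, and restore from the newest day that still
verifies. Added example, not Akron's process; the backup tree is constructed."""
import hashlib, json, tempfile
from pathlib import Path
from typing import Dict, List, Optional

MANIFEST = "MANIFEST.json"

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(backup_dir: Path) -> Dict[str, str]:
    """Hash every file in the backup and store the table beside it. Keep a copy of
    the manifest (or its hash) where the backup host cannot overwrite it, or
    ransomware could rewrite files and hashes together."""
    manifest = {str(p.relative_to(backup_dir)): sha256_file(p)
                for p in sorted(backup_dir.rglob("*")) if p.is_file() and p.name != MANIFEST}
    (backup_dir / MANIFEST).write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest

def verify_backup(backup_dir: Path) -> List[str]:
    """Return the problems found (missing or altered files); empty means intact."""
    try:
        manifest = json.loads((backup_dir / MANIFEST).read_text())
    except FileNotFoundError:
        return ["manifest missing"]
    problems = []
    for rel, expected in manifest.items():
        full = backup_dir / rel
        if not full.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(full) != expected:
            problems.append(f"altered: {rel}")
    return problems

def newest_intact_backup(backup_dirs: List[Path]) -> Optional[Path]:
    """Walk the daily backups newest first; return the first one that verifies."""
    for d in sorted(backup_dirs, reverse=True):   # ISO-dated names sort chronologically
        if not verify_backup(d):
            return d
    return None

def demo() -> Optional[str]:
    """Constructed scenario: three daily backups; the newest is damaged after it was taken."""
    base = Path(tempfile.mkdtemp())
    dirs = []
    for day in ("2019-01-22", "2019-01-23", "2019-01-24"):
        d = base / day
        d.mkdir()
        (d / "records.csv").write_text(f"case,{day}\n")
        write_manifest(d)
        dirs.append(d)
    (dirs[-1] / "records.csv").write_text("encrypted garbage")  # newest copy no longer matches
    chosen = newest_intact_backup(dirs)
    return chosen.name if chosen else None
```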

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.
Resources
Ashworth, A. (2019, January 25). Akron combats ‘financially motivated’ cyberattack on city servers. Retrieved from https://www.ohio.com/news/20190125/akron-combats-financially-motivated-cyberattacks-on-city-servers

Houston Chronicle. (2019, January 26). Akron says cyberattack forced shutdowns of city help line. Retrieved from https://www.houstonchronicle.com/news/article/Akron-says-cyberattack-forced-shutdown-of-city-13564123.php

Scofield, D. (2019, January 25). Multiple local and state agencies investigating cyberattack on akron’s city servers. Retrieved from https://www.news5cleveland.com/news/local-news/akron-canton-news/multiple-local-and-state-agencies-investigating-cyber-attack-on-akrons-city-servers

Sunday, June 2, 2019

Woesnotgone Meadow; May 31, 2019



All is well here at Woesnotgone Meadow, where everyone has above average bandwidth.
In the Meadow, we certainly play video games. Sometimes by ourselves, other times with our children or grandchildren. We play racing games, zombie games, and many others. We expect to have a great time with this. What we don’t expect is to be a victim of ransomware.

Ransomware
The new ransomware, Anatova, has been detected, originally by McAfee. The research indicates it was released on January 1, 2019. The ransomware has been noted as infecting users on private peer-to-peer networks. The sample has been analyzed, and the ransomware was curiously engineered to be modular in nature. This allows it to be updated with new functions and also makes it more difficult to detect. Even so, it has been detected across the globe in Belgium, Germany, France, and the UK, among other European countries.

Code
This version of ransomware was engineered with a slight twist. It encrypts files just like the other ransomware tools do, but it also checks for connected network shares and encrypts the files on them.

It is not known who or what group coded this ransomware. Curiously, the malware does not infect systems located in Syria, Egypt, Morocco, Iraq, and India.

How it Works
This uses an old social engineering trick. Anatova carries the icon of a game or application, which fools the user into believing they are double-clicking on the game. After the double-click, the system shows a request for admin rights. If the user clicks through for convenience, or believes this is a requirement, their (not-so-much) fun begins.

This encrypts their system and files, on the PC and on servers. The ransomware uses strong encryption, with a pair of RSA keys. The malware retrieves the username of the logged-in and/or active user and compares it with default usernames used by sandboxes. If a match is found, the ransomware will not run.

Demands
Once the infection is in place and the user has the “uh-oh” moment, the system notifies the user of the ransomware. The system then demands a payment to unlock the files, just as with the other ransomware samples.

Lessons
This is another example of the additional training needed by staff. There are very limited occasions when downloading a game is required at work; the equipment really should be used for work.

Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest encryption.

Resources
Allen, D. (2019, January 23). Anatova is a nasty new ransomware that targets gamers. Retrieved from https://www.techradar.com/news/anatova-is-a-nasty-ransomware-that-targets-gamers

Bhatnagar, V. (2019). Anatova ransomware is targeting gamers. Retrieved from http://www.hackbusters.com/news/stories/4297915-anatova-ransomware-is-targetting-gamers

Digital Trends. (n.d.). Latest ransomware targets gamers with a malicious sophistication. Retrieved from https://www.digitaltrends.com/computing/anatova-ransomware-targets-gamers-malicious/

EHacking News. (2019, January 26). Anatova ransomware is targeting gamers. Retrieved from http://www.ehackinghews.com/2019/01/anatova-ransomware-is-targeting-gamers.html

Fire-Ball Cyber Security. (2019, January 26). Anatova ransomware is targeting gamers. Retrieved from https://fireballcybersecurity.blogspot.com/2019/01/anatova-ransomware-is-targeting-gamers.html

Palmer, D. (2019, January 24). New ransomware poses as gamers and software to trick you into downloading it. Retrieved from https://www.zdnet.com/article/new-ransomware-poses-as-gamers-and-software-to-trick-you-into-downloading-it/

Salim, S. (2019, January 25). Alert: Ransomware found in free games and software. Retrieved from https://www.digitalinformationworld.com/2019/01/anatova-ransomware-targeting-gamers-skilled-hackers.html

Scammell, R. (2019, January 23). Watch out for anatova, a new ransomware targeting gamers. Retrieved from https://www.verdict.co.uk/anatova-ransomware-gamers/