Wednesday, July 31, 2019

Qakbot: Malware nuance causing headaches!


Malware is a valid, viable tool for attackers. The usual variants have been coded over time; as each is introduced, its signature becomes known and defensive systems learn to look for it. Attackers are clearly aware of this and code new variants of the malware to evade detection. One such example is Qakbot.
Origins
Qakbot is not a new malware example. It has been around since 2007, making it an old veteran of the computer infection/malware game. While it has been in the environment for such an extended period, it is still a viable attack tool, especially with its recent nuances.
Operations
Qakbot propagates via network shares. It was designed to disable not only a single node but an entire network, and it operates through multiple components in its endeavors. The early variants used the “.qbot” string and applied a single layer of encryption on the machines they infected.

As time passed, the later variants set the configuration files to hidden. To obscure the files and folders yet further, they also used random names. To further complicate the host’s workflow, the configuration file’s encryption was doubled.

With this iteration, to infect the client, the attacker may lure the victim to a malicious site hosting the exploit kit, or may simply email the specially crafted PDF to the victim. Once the victim is infected, the malware detects whether the user is visiting a banking or finance-related website. Specifically, this malware was coded to detect activity with JPMorgan Chase, Citibank, Citigroup, Huntington Bank, Bank of America, Wells Fargo, 5/3 Bank, Key Bank, PNC Bank, and others.

It was also configured to harvest credentials from Windows machines, Outlook, Windows Live Manager, RDP, and Gmail messenger. If this was not enough, the malware also targeted Internet Explorer’s password manager.
Long-Lasting Malware
In the cybersecurity field, not all malware has such a long, viable life of actually being useful in attacks. This iteration has many components, each functioning differently. A notable update: when the malware detects it is running in a VM, it uninstalls itself. With this function, it is substantially more difficult for a researcher to reverse engineer the sample or monitor its behavior, as it removes itself. The malware is not static, which makes placing a signature in AV tools difficult, as the malware is updated as needed from the C&C server. To make itself even harder to detect, the updates are designed to mutate its appearance. At one point in this cycle, 85% of the infected systems were in the US. The primary successful targets were the academic, government, and healthcare industries. This level of penetration was mostly due to its code allowing it to modify itself.

Resources
Cluley, G. (2016, April 16). Mutating qbot worm infects over 54,000 PCs at organizations worldwide. Retrieved from https://www.tripwire.com/state-of-security/featured/qbot-malware/

Dela Torre, J. (2011, September 1). Qakbot: A disaster waiting to happen. Retrieved from https://www.virusbulletin.com/virusbulletin/011/09/qakbot-disaster-waiting-happen

Millman, R. (2019, May 3). Qakbot malware avoids discovery by breaking itself in two. Retrieved from https://www.scmagazineuk.com/qakbot-malware-avoids-discovery-breaking-itself-two/article/153689

Trend Micro. (2011, January 12). QAKBOT: A prevalent infostealing malware. Retrieved from https://www.trendmicro.com/vinfo/us/threat-encyclepedia/web-attack/80/qakbot-a-prevalent-infostealing-malware

Tuesday, July 30, 2019

Memories, like the corner of my (PCB)


Cybersecurity for embedded systems has come into the limelight in recent years. The connected systems in vehicles have made this a primary focus. If these systems are compromised, no one is safe on or near the roadways. With the emphasis on this, a bit of history is warranted. Without a quick baseline of where we began, the present trajectory does not mean as much to us. Just over four years ago, there was an astounding event. About this same time, the infamous Jeep hack occurred, a well-financed, thoroughly researched endeavor. There was another interesting event involving ingenuity and the cost of two movie tickets.
Curiosity Pushing Creativeness or Ingenuity is the Mother of Invention
In 2015, a 14-year-old boy decided to fiddle around with a vehicle’s embedded system. The creative mind thought through the attack and figured it would be a great way to spend his time. A person, generally, is not able to simply walk up to a vehicle and miraculously hack it. There has to be some form of research to even attempt this. The young researcher went to the local (at the time) Radio Shack and purchased $15 of electronics. The equipment was openly available to anyone with the money and did not require anything special. He was able to use this to unlock and start a connected vehicle. The target vehicle was not manufactured by a new, small automaker with little experience; quite the opposite.
What makes this significant?
There have been many different vehicle attacks and compromises published over the years. These vary from the basic to attacks requiring multiple steps and everything lining up perfectly. This particular attack was different: it shifted the attack theory. The industry easily could be caught up in applying technology. They have to purchase the newest equipment and use it wherever possible to highlight the capabilities for investors and the industry. The “look at what we can do” is warranted in certain environments, and it works to advance technology and capabilities in pertinent circumstances. This sounds wonderful; however, certain parties become wrapped up in equating the expense with testing and cybersecurity. Depending on the circumstances, it may be acceptable to spend $200-$300 on equipment to create a new testing device, instead of $3,500 for something which may or may not work well for your use. With this, your business need not spend a massive amount if it does not need to. As with independent labs and testing facilities, the real focus should be the mission: to independently test the products using what is needed. A successful test and attack are based on the results, not necessarily the amount spent on the equipment. Notably, certain tests do require high-end equipment. This is, however, not the case in all circumstances. At times, simple ingenuity is more pertinent.

Resources
Bigelow, P. (2015, February 15). A 14-year-old hacker caught the auto industry by surprise. Retrieved from https://www.autoblog.com/2015/02/18/14-year-old-hacker-caught-industry-by-surprise-featured/

King, L. (2015, February 23). 14-year-old hacks connected cars with pocket money. Retrieved from https://www.forbes.com/sites/leaking/2015/02/23/14-year-old-hacks-connected-cars-with-pocket-money/#69286a702f81

Lavrinc, D. (2015, February 15). How a 14-year-old hacked a car with $15 worth of radio shack parts. Retrieved from https://jalopnik.com/how-a-14-year-old-hacked-a-car-with-15worth-of-radio-1686620075

Mearian, L. (2015, February 20). With $15 in radio shack parts, 14-year-old hacks car. Retrieved from https://www.computerworld.com/article/2886830/with-15-in-radio-shack-parts-14-year-old-hacks-a-car.html

Vijay. (2015, February 20). 14 year old hacks car with homespun kit with circuits bought from radio shack. Retrieved from https://www.techworm.net/2015/02/14-year-old-hacks-car-with-homespun-kit-with-circuits-bought-from-radio-shack.html



Thursday, July 25, 2019

Doctor's Management Services (DMS) - Pwned!


Doctor’s offices have a mission: to take care of their patients. This focus is on the patient’s mind also as the person sits in the doctor’s office waiting. One way to streamline operations and potentially improve cash flow is to outsource the billing function. There are many firms focused on efficiently billing for the doctor’s services. These businesses, due to their operations, hold much of the same data as the doctor’s offices. These businesses also derive income as they process the claims. These two factors make these businesses perfectly viable targets. One such business was Doctor’s Management Services (DMS). DMS is based in Massachusetts. The business’s primary mission is to provide medical billing and services to its clients, the doctor’s offices and hospitals.

Attack
The initial stages of the attack occurred on April 1, 2017. The attack vector was a remote desktop protocol (RDP) attack through an endpoint. This was detected on Christmas Eve, 2018. When the files were encrypted and the staff was not able to access them, management knew they had a rather significant problem. The business hired forensic professionals to investigate the incident. Through the investigation, the malware was determined to be GandCrab.

Unfortunately, this did not affect only one client. This affected 38 different practices. The patients’ PII could have been compromised as part of this incident. This includes, much to the patients’ detriment, their name, address, date of birth, social security number, driver’s license number, Medicare/Medicaid information, and other medical information. This does not necessarily mean the patients’ PII had been accessed; however, I would be willing to presume it has. Otherwise, why would the attackers be seeking to breach their security? The business did report this to the HHS per HIPAA regulation. The business also notified the persons whose PII was affected.
Post-Encryption
As expected, the business was given a ransom amount. Once paid, the decryption key would be provided. The business refused to pay. This is generally the optimal route, given the opportunity for more malicious acts. The business elected to use its back-ups and rebuild the files.
Mitigation
Clearly, there was a need for improvement in this situation. The business updated its network security and limited access to the system from IPs outside of its organization. There was also additional staff training, to assist in removing, as much as possible, the potential for this to occur again.
Questions
The attackers appear to have had unfettered access to the system from April 1, 2017 through December 24, 2018. This is an exceptionally long time for an unauthorized third party to have full access to the system and not be noticed by the SIEM and InfoSec personnel. The question in the minds of many is: what did the business have in place that did not work at all?
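The gap described above (RDP access from outside the organization going unnoticed for months, and the later fix of restricting outside IPs) is the kind of thing a simple log check catches. The following is an added example, not code from the original post or from DMS: it parses constructed Windows logon records, flags successful RDP logons (event 4624, logon type 10) from addresses outside assumed organization ranges, and summarizes them per source address.

```python
# Added example (not from the original post): flag interactive RDP logons
# (Windows Security event 4624, LogonType 10 = RemoteInteractive) whose
# source address is outside the organization's own ranges. The log lines
# are constructed samples; the address ranges are assumed placeholders.
import ipaddress
from collections import Counter

# Assumed address space belonging to the organization (placeholder ranges).
ORG_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.50.0/24")]

# Constructed sample lines in key=value form, as a log forwarder might emit.
SAMPLE_LOG = """\
ts=2017-04-01T03:12:44Z event_id=4624 logon_type=10 user=billing-svc src_ip=10.0.4.21
ts=2017-04-01T03:14:02Z event_id=4624 logon_type=10 user=billing-svc src_ip=203.0.113.77
ts=2017-04-01T09:00:10Z event_id=4624 logon_type=2 user=jsmith src_ip=127.0.0.1
ts=2017-04-02T22:41:19Z event_id=4625 logon_type=10 user=admin src_ip=203.0.113.77
ts=2017-04-03T01:05:33Z event_id=4624 logon_type=10 user=admin src_ip=198.51.100.9
"""

def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def is_org_address(ip_text):
    """True when ip_text falls inside one of the organization's networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable source address is treated as untrusted
    return any(ip in net for net in ORG_NETWORKS)

def external_rdp_logons(log_text):
    """Return (ts, user, src_ip) for successful RDP logons from non-org addresses."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only successful logons (4624) of the RemoteInteractive type (10) matter here;
        # failures (4625) and local/console logons are skipped.
        if rec.get("event_id") != "4624" or rec.get("logon_type") != "10":
            continue
        if not is_org_address(rec.get("src_ip", "")):
            hits.append((rec["ts"], rec["user"], rec["src_ip"]))
    return hits

def summarize(hits):
    """Count external RDP logons per source address for an alert digest."""
    return Counter(src for _, _, src in hits)

if __name__ == "__main__":
    found = external_rdp_logons(SAMPLE_LOG)
    for ts, user, src in found:
        print(f"ALERT external RDP logon {ts} user={user} src={src}")
    print(summarize(found))
```

On the constructed sample, the internal logon and the failed attempt are ignored and the two external successful RDP logons are reported, one per outside address.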

Resources
Cyware. (2019, April 25). Doctor’s management service hit with gandcrab ransomware attack compromising patient data. Retrieved from https://cyware.com/news/doctors-management-service-hit-with-gandcrab-ransomware-attack-compromising-patient-data-b6eebd02

Davis, J. (2019, April 25). Medical billing service reports April 2017 ransomware attack. Retrieved from https://healthitsecurity.com/news/medical-billing-service-reports-april-2017-ransomware-attack

Dissent. (2019, April 24). MA: Medical billing services notifies patients of ransomware incident. Retrieved from https://www.databreaches.net/ma-medical-billing-service-notifies-patients-of-ransomware-incident/

Jones, K. (2019, July 19). Gandcrab in huge profit as SMBv1 exploit is dismissed. Retrieved from https://hackercombat.com/gandcrab-in-huge-profit-as-smbv1-exploit-is-dismissed/

Olenick, D. (2019, April 25). GandCrab ransomware strikes doctor’s management services. Retrieved from https://www.scmagazine.com/home/security-news/ransomware/gandcrb-ransomeware-strikes-doctors-management-services/

Sowells, J. (2019, April 28). Another healthcare firm falls victim to gandcrab ransomware. Retrieved from https://hackercombat.com/another-healthcare-firm-falls-victim-to-gandcrab-ransomware/

Truta, F. (2019, April 25). GandCrab ransomware claims another healthcare firm. Retrieved from https://securityboulevard.com/2019/04/gandcrab-ransomware-claims-another-healthcare-firm

Woods, A. (2019, April 29). GandCrab attack on doctor’s management service exposed patient data. Retrieved from https://www.2-spyware.com/gandcrab-attack-on-doctors-management-service-exposed-patient-data

Wednesday, July 24, 2019

Healthcare Pwned... Again

Healthcare continues to be a significant target. Healthcare institutions’ budgets have been decreased due to a number of different issues. These include patient mobility, as there are more options than ever, and patient insurance payments. The latter are, at best, stable and have probably been decreasing as new contracts are renegotiated. While this is occurring, the costs (direct labor, overhead, utilities, supplies, etc.) have increased.

As margins continue to narrow, the cuts have to be made somewhere. Cybersecurity, since the measurement of its success is elusive, may not receive the positive budgetary attention it really should. While more staff members may be needed, the positions may not be opened for applicants. This makes securing the perimeter, infrastructure, cloud, etc. difficult at best. This, coupled with the attackers not being limited by geography, further complicates the InfoSec mission. All it takes is one person making the wrong choice one time to begin a cascading effect. Verity Health System and Medical Foundation had the opportunity to learn from a recent related issue.

Incidents
Over the recent period, there were a number of incidents. The first was in late November 2018 and another in mid-January 2019. There are other reports indicating there were two incidents in November. The access was simple enough: through three employees’ web email accounts. This allowed access to any emails or attachments in the respective compromised email accounts.

What makes this unusual is not only the number of successful attacks but also the timing. Three attacks in such a short period of time is clearly not a good thing. For these to succeed implies a problematic, systemic issue. This forces the conversation on the level of insecurity. It is distinctly possible the SOC did not monitor the logs and other activities related to the email.

Data
The patients “possibly” affected were from many facilities. These included the Verity Medical Foundation and Verity hospitals (O’Connor Hospital, St. Louise Regional Hospital, Seton Medical Center (inclusive of the Seton Coastside campus), St. Francis Medical Center, and St. Vincent Medical Center).

The accessed emails contained health and medical data for the patients (names, treatment information, medical conditions, billing codes, and health insurance policy numbers). There were other email accounts accessed which contained personal information (names, health insurance policy number, subscriber numbers, dates of birth, patient ID numbers, phone numbers, and addresses). A portion of the attachments unfortunately also had social security and driver license numbers. To top it off, the emails may have included, for certain Verity employees and 3rd parties, their personal and health data.

Remediation
Within hours of learning of each incident, the Verity InfoSec team terminated the unauthorized third-party access, disabled the affected email accounts, disconnected the devices from the network, and removed the unauthorized emails sent to the other employees. These actions were a positive show of the prudent steps implemented. The thought is the attackers were actually seeking user names and passwords. Due to the compromise and the accessed records containing PII and PHI, the business is offering one year of free credit monitoring services to any individual whose social security number or driver’s license number was involved.

To limit the opportunity for this to occur again, the business is requiring mandatory training for the employees and improving and increasing the security measures. The business also put a call center in place for affected persons to call for questions and to get additional information.

Notification
Per the reports, there is no direct evidence of unauthorized access to or use of the patients’ individual health or personal information. Verity Health System of California, Inc. and Verity Medical Foundation have, however, notified patients who are potentially affected. These persons were informed that their specific individual information, or a portion of it, may have been accessed without authorization. The attackers remain unknown.

Resources
Davis, J. (2019, March 26). Verity reports third data breach caused by employee email hack. Retrieved from https://healthitsecurity.com/news/verity-reports-third-data-breach-caused-by-employee-email-hack

Dissent. (2019, January 29). Verity health system of California, inc and verity medical foundation notify individuals and regulatory bodies of data security incident. Retrieved from https://www.databreaches.net/verity-health-system-of-california-inc-and-verity-medical-foundation-notify-individuals-and-regulatory-bodies-of-data-security-incident/

Spitzer, J. (2019, January 29). Verity health system reports 3 phishing attacks. Retrieved from https://www.beckershospitalreview.com/cyberseucrity/verity-health-system-reports-3-phishing-attacks.html