STE WILLIAMS

Bloody awful: Hell-thcare hackers break into databases of 20m medical test biz patients

Hackers have raided databases containing millions of medical test lab patients’ personal and payment information, making off with at least hundreds of thousands of people’s banking details.

The ransacked data stores were maintained by American Medical Collection Agency (AMCA) on behalf of blood-testing biz LabCorp and medical-testing giant Quest Diagnostics.

On Tuesday this week, LabCorp sent a filing to America’s Securities and Exchange Commission notifying the regulator that a database of 7.7 million of its patients – a database outsourced to payment collections agency AMCA – had been broken into by hackers. That silo stored people’s first and last names, dates of birth, addresses, phone numbers, and amounts of money owed or paid. Furthermore, approximately 200,000 entries containing credit card or bank account info were almost certainly siphoned off by the miscreants.

The intrusion occurred between August 1, 2018, and March 30, 2019, when crooks infiltrated AMCA’s web payment portal. LabCorp said it has now terminated its relationship with AMCA.

“AMCA’s affected system included information provided by LabCorp. That information could include first and last name, date of birth, address, phone, date of service, provider, and balance information,” LabCorp told the US securities watchdog. “AMCA’s affected system also included credit card or bank account information that was provided by the consumer to AMCA (for those who sought to pay their balance).”


If there is any good news to be had for LabCorp customers in all of this, it is that the compromised database did not include any medical records nor test results.

AMCA did not respond to a request for comment on the matter. LabCorp said the debt collection agency will notify the 200,000 people whose records were likely accessed and offer them free credit monitoring and identity protection services for two years.

The LabCorp filing comes just one day after Quest Diagnostics submitted its own notification to the SEC. That paperwork disclosed that nearly 12 million Quest customers likewise had their records exposed to hackers between August 1 and March 30 of this year, though it declined to reveal exactly how many may or may not have had their records actually swiped. The data was, again, stored by AMCA, and managed via Quest’s contractor Optum360.

Quest indicated its exposed customer information included personal and financial information, social security numbers, and medical details, though no test results, putting those 12-or-so million people at a higher risk of identity theft.

“Between August 1, 2018 and March 30, 2019, an unauthorized user had access to AMCA’s system that contained information that AMCA had received from various entities, including Quest Diagnostics, and information that AMCA collected itself,” Quest’s filing reads. “The information on AMCA’s affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers).

“As of May 31, 2019, AMCA believes that the number of Quest Diagnostics patients whose information was contained on AMCA’s affected system was approximately 11.9 million people; and AMCA has been in contact with law enforcement regarding the incident.”

Quest has also suspended its use of AMCA for at least the time being. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/05/labcorp_amca_hacked/

Robbinhood: Inside the Ransomware That Slammed Baltimore

Attackers appear to have used a ransomware-as-a-service platform to wage the attack.

It’s been nearly one month now since the City of Baltimore was hit with a nasty ransomware attack that locked down its servers, left the city government without email and telecommunications, and disrupted real-estate transactions and bill payments, forcing city offices to rely on Gmail and Google Voice accounts to conduct daily business and support residents.

The city to date continues to struggle in the aftermath without a fully functional email system and other services, but has mostly kept the details of the May 7 attack under wraps. Some security experts, meanwhile, have obtained and studied samples of the so-called Robbinhood ransomware used in the attack, shedding some light on the code behind this devastating and high-profile disruption of a major city’s operations.

Robbinhood has no known ties to existing malware families, they found, nor does it contain a self-propagation function, meaning it requires another method to spread from machine to machine. There was no sign in its code of the EternalBlue exploit, which was highlighted in a recent New York Times report as a key vehicle for spreading the ransomware in the Baltimore attack. Experts say it’s possible the attackers used EternalBlue in at least part of the attack on the city, but they have no proof at this time.

A more common scenario, which has become popular among ransomware attackers going after more financially lucrative targets such as businesses and large organizations, is that the attackers planted the ransomware manually, for example using stolen credentials and the Remote Desktop Protocol (RDP).

Most ransomware attacks today are more manual than worm events: many attackers now initially drop backdoors like Trickbot that gather information about the data and servers on the victim network, and they then target specific servers and systems that look most valuable.

“Threat actors choose infection vectors based on their target. If their target has vulnerable servers or systems that can be exploited, they might use an exploit to deliver ransomware, and EternalBlue is one example of” such an exploit, says Christopher Elisan, director of intelligence at Flashpoint, who has studied a sample of the Robbinhood ransomware. “There was no evidence that EternalBlue was being used to spread Robbinhood. But it’s not impossible that EternalBlue was another infection vector.”

If a target has some of its user credentials for sale in the Dark Web, for instance, it’s sometimes simpler for an attacker to procure those and log in via RDP to plant the malware, he says. “Or if the target doesn’t have good user awareness, they might just try using spam.”

Joe Stewart, an independent consultant working with Armor on analyzing Robbinhood, found no signs of EternalBlue in Robbinhood’s binary code, either. “It actually requires some other method of deployment,” Stewart notes. It could be planted manually, or via a domain controller or other dropper, he says. And that dropper could possibly also contain EternalBlue.

“In my scenario, EternalBlue wouldn’t give them access to servers, but it would be something they might leverage to get to a workstation that then would give them lateral access to servers to get to the domain controller, etc., to deploy malware on specific, critical systems that would cause the most pain,” he explains.

Still a mystery is the first stage of the attack – how the attacker got in and with what, if any malware, he says.

Stewart found that Robbinhood was written in the Golang (aka Go) programming language created by Google. Go is rarely used for ransomware: “We don’t see that too terribly often, but it’s getting more popular,” he says. He says he found no relationship between Robbinhood and any other known malware families.

Like most ransomware today, Robbinhood tries to disable security applications and backup systems, he says. “It will try and disconnect network drives and delete certain extensions in network drives and network shares where backups” are, he says. “That’s what you’d expect” in ransomware, he says.

It also appears the Robbinhood attackers are using, or are peddling, Robbinhood as a ransomware-as-a-service. Stewart says the panel interface used by the attacker to communicate with the city in the wake of the attack contains signs of a service model. “It’s set up exactly like a multi-tenant system,” he says. “The malware is created with the click of a button based on input to the panel,” for example. And the malware appears to use an embedded template.

“It seems more like ransomware-as-a-service than somebody hacking it independently and developing its own payload.”

He says the same is true for the earlier attack on the City of Greenville, N.C. “It’s definitely the same service. The binary we have associated with the Greenville attack is Robbinhood,” Stewart says. But each has different IDs embedded in the templates, he says, for the respective targets.

Long Road for Charm City

Most ransomware attacks don’t take as long to recover from as Baltimore’s incident. According to a recent study by email security service Mimecast, 42% of public sector organizations had been hit with a disruptive ransomware attack in the last month; 44% suffered two to three days of downtime in the wake of a ransomware attack, and 30% suffered four to five days.

“Ultimately … ransomware today is becoming much more targeted because it’s about financial gain,” says Josh Douglas, vice president of threat intelligence at Mimecast.

But so far, Baltimore hasn’t paid the ransom of $17,600 in bitcoin per system—a total of about $76,280—to the Robbinhood attackers. Mayor Bernard C. “Jack” Young, who previously declared the city would not pay the ransom, did appear to recently leave the door open for a change of heart. His office has not responded to multiple media inquiries about the attack over the past few weeks.

Myles Handy, press secretary for the Baltimore City Council President Brandon Scott, says the city’s email and other systems are “in the process” of being brought back online. When the city’s systems are fully operational, the Council plans to convene a select committee to study the city’s cybersecurity posture and response to the ransomware attack, he says.

The committee will “review the entire attack from the moment we were [attacked] until the moment it was resolved,” he says, and will focus on what could have been done and how the investigation into the attack unfolded.

Handy declined to comment on the attack or the now-suspended Twitter account that researchers at Armor since have tied to the actual attacker or attackers that launched Robbinhood on the city’s servers, citing the FBI’s investigation of the attack.

Adding insult to injury, Robbinhood’s attacker for weeks taunted and threatened the mayor to pay the ransom via Twitter, while leaking screenshots of confidential city documents and what purported to be user credentials, via the now-defunct social media account.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/threat-intelligence/robbinhood-inside-the-ransomware-that-slammed-baltimore/d/d-id/1334874?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

2.8 Billion US Consumer Records Lost in 2018

Healthcare breaches grew 400%, study shows.

In 2018, 2.8 billion consumer data records in the US were exposed, with personally identifiable information (PII) making up 97% of the total information. Those compromised records led to losses totaling more than $654 billion for US businesses.

The findings, from ForgeRock’s US Consumer Data Breach Report, are based on electronic consumer data breaches reported between January 1, 2018 and March 31, 2019. That information shows that the healthcare industry is, by far, the most likely to be hit with breaches; it’s responsible for nearly half (48%) of the total. That number is more than four times the percentage seen in any other business sector.

There were some significant shifts during the year. The number of healthcare breaches grew 400% between the first quarter of 2018 and the first quarter of 2019. And while unauthorized access was the most common loss factor in 2018, featuring in 34% of all breaches, in the first quarter of 2019 it was overtaken by misconfigurations, which sprang into the lead.

For more, read here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/28-billion-us-consumer-records-lost-in-2018/d/d-id/1334875?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Carbanak Attack: Two Hours to Total Compromise

Investigation of the cybercrime group’s attack on an East European bank shows how some attackers require very little time to broaden their access and establish persistence on a network.

A security vendor’s investigation of a May 2018 cyberattack on an East European bank has revealed the astonishing speed and sophistication with which some advanced threat actors can expand their presence on a network after gaining initial access to it.

The attack began when two employees of the bank were tricked into opening a malicious document in a spear-phishing email from the Carbanak group—a cybercrime outfit believed to have stolen hundreds of millions of dollars from banks in over 40 countries.

The tainted document contained three exploits for remote code execution in Microsoft Word, which minutes later allowed the attackers to install a backdoor for deploying new payloads and for establishing persistence on the freshly compromised infrastructure.  

One of the payloads was Cobalt Strike Beacon, a Carbanak malware tool that among other things allowed the attackers to map the organization’s internal network so they could find admin-level credentials for moving across the infrastructure.

Not long after, they managed to obtain credentials for one Domain Administrator, which they then proceeded to use to access a domain controller server and at least two other endpoint devices on the compromised bank network.

“In under two hours the attackers managed to directly compromise a critical infrastructure component and get admin-level credentials, without tripping any alarms,” says Liviu Arsene, global cybersecurity analyst at Bitdefender, the security vendor that was called in to investigate the breach.

Over the next two months, the attackers were able to use the credentials to quietly move about the network and to try and gain access to systems that would allow them to manipulate and withdraw funds from the bank’s ATMs. The breach was discovered after a series of security alerts were eventually triggered by the credentials being used to access systems not normally associated with them.

“The main takeaway is that organizations, even highly regulated ones that operate in the financial industry, need to focus on reducing the time to detect a potential security breach,” Arsene says. “It’s vital that they detect and block these attacks during the reconnaissance phase, before attackers execute their final heist.”

Bitdefender’s investigation of the attack on the East European bank revealed extensive planning and patience on the Carbanak group’s part.

In the first four weeks following the initial intrusion, the group systematically compromised numerous workstations in search of specific information that could help them breach the ATM network. One of the servers that the group compromised was later used to store documents pertaining to internal applications, system manuals, and other documents.

By Day 33, the group had gathered enough information to be able to connect to a host with access to banking applications. Over the next three weeks or so, members of the Carbanak group managed to break into at least seven other hosts with similar access to banking applications on the compromised network.

According to Bitdefender, the Carbanak group’s movements on the breached network suggested a comprehensive understanding of the nature and location of the data they were looking for. At the same time the group also appeared focused on improving its understanding of the bank’s internal systems in an effort to make its attack more efficient and stealthy, Bitdefender said in a report that summarizes the findings from its breach investigation.

The attackers showed experience in interacting with financial systems and appeared interested in constantly documenting and learning more about the inner workings of banking applications, potentially to maximize their efforts in future heists, Arsene says.

Keeping a Low Profile

Significantly, the attackers took considerable effort to maintain a low network footprint and to conceal their movement. For example, they used a single compromised workstation on the network to centralize and store all their collected information and for communicating with their command and control server, Bitdefender said. The group also made sure to carry out the bulk of their activities after normal business hours.

The reason their after-hours activity wasn’t flagged as suspicious was that the authentication credentials had the necessary security clearance to perform this activity, Arsene says. The admin-level credentials were regularly used for remote access outside business hours, so there was little reason the activity would be flagged as suspicious.

“What these attackers did was keep a low footprint by remotely dialing in and out of select targets, sometimes days apart,” Arsene notes. Command-and-control communication typically lasted between 20 minutes and one hour at most. Moving laterally across the infrastructure was a matter of using Remote Desktop Protocol with the stolen admin credentials.

“This way, any suspicious activity would have been regarded as normal activity since those credentials would normally belong to someone that had the security clearance to do that,” Arsene says.
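As an added illustration of the detection point Arsene makes (this is not Bitdefender’s code or the bank’s telemetry), the following Python builds a per-account baseline of source and target hosts from constructed RDP logon records and then flags later use of the same credentials against hosts outside that baseline, the kind of anomaly that eventually surfaced this intrusion. It also shows why a plain after-hours rule would have stayed silent in practice: the admin account was legitimately active at night, so that rule is either noisy or tuned away.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Logon:
    when: datetime
    account: str
    logon_type: int   # 10 = RemoteInteractive (RDP) in Windows 4624 events
    source: str       # host the session came from
    target: str       # host that was logged on to


# Constructed sample log, loosely modelled on Windows 4624 events. Hostnames,
# accounts and timestamps are invented; they are not from the investigation.
# First two weeks: normal admin use (always from JUMP01, always at night).
# Later: the same credentials used from a workstation and against a new host.
SAMPLE_LOG = """\
2018-05-01T22:10:03 account=svc-admin type=10 src=JUMP01 dst=DC01
2018-05-03T23:45:41 account=svc-admin type=10 src=JUMP01 dst=FS01
2018-05-06T01:12:09 account=svc-admin type=10 src=JUMP01 dst=DC01
2018-05-08T10:02:55 account=alice type=2 src=WS-042 dst=WS-042
2018-05-12T21:30:17 account=svc-admin type=10 src=JUMP01 dst=FS01
2018-05-20T22:05:44 account=svc-admin type=10 src=JUMP01 dst=DC01
2018-05-22T23:18:02 account=svc-admin type=10 src=WS-042 dst=DC01
2018-05-25T00:41:37 account=svc-admin type=10 src=WS-042 dst=BANKAPP-07
2018-06-02T09:15:00 account=alice type=2 src=WS-042 dst=WS-042
"""

# Everything before this date is treated as the learning window (constructed).
BASELINE_END = datetime(2018, 5, 15)


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into Logon records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append(Logon(datetime.fromisoformat(ts), fields["account"],
                            int(fields["type"]), fields["src"], fields["dst"]))
    return events


def build_baseline(events, baseline_end):
    """Per account: which hosts it normally comes from and normally reaches."""
    base = defaultdict(lambda: {"sources": set(), "targets": set()})
    for e in events:
        if e.when < baseline_end:
            base[e.account]["sources"].add(e.source)
            base[e.account]["targets"].add(e.target)
    return base


def detect_unusual_access(events, baseline_end):
    """Flag post-baseline logons whose source or target is new for the account.

    Returns (timestamp, account, reason) tuples; legitimate night-time admin
    work from the usual jump host produces no alert, because time of day is
    not what the rule keys on.
    """
    base = build_baseline(events, baseline_end)
    alerts = []
    for e in events:
        if e.when < baseline_end:
            continue
        profile = base.get(e.account)
        reasons = []
        if profile is None:
            reasons.append("no baseline for account")
        else:
            if e.source not in profile["sources"]:
                reasons.append(f"new source {e.source}")
            if e.target not in profile["targets"]:
                reasons.append(f"new target {e.target}")
        if reasons:
            alerts.append((e.when.isoformat(), e.account, "; ".join(reasons)))
    return alerts


def after_hours_only(events, start_hour=8, end_hour=19):
    """The naive rule: every logon outside business hours. Included to show
    how much legitimate admin activity it would sweep up on this sample."""
    return [e for e in events if not (start_hour <= e.when.hour < end_hour)]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for alert in detect_unusual_access(evts, BASELINE_END):
        print("ALERT", *alert)
    print(f"after-hours rule alone would fire {len(after_hours_only(evts))} times")
```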


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/carbanak-attack-two-hours-to-total-compromise/d/d-id/1334876?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Adware Hidden in Android Apps Downloaded More Than 440 Million Times

The heavily obfuscated adware was found in 238 different apps on Google Play.

Consumers and enterprise customers expect the apps they download from Google Play, Apple’s App Store, and other officially sanctioned app repositories to be secure and have at least minimal respect for privacy. But security researchers at Lookout found 238 applications in Google Play that hid BeiTaAd, a well-obfuscated ad plugin that could display ads on the device’s lock screen, trigger video and audio advertisements even while the phone is asleep, and display ads outside the app that interfered with the user experience in other applications.

Kristina Balaam, security intelligence engineer at Lookout and author of the blog post on the research, says that the company’s research into the apps began with a phone call. “We [Lookout] got a support call from an enterprise user who noticed strange pop-up ads on their devices,” Balaam says. “The support person contacted the research team, we started digging through the apps, and realized that there were other samples.”

What they found was a collection of 238 apps from a single publisher, all of which contained adware that someone had gone to great lengths to hide. The publisher, CooTek, is known for legitimate Android apps and is listed on the NYSE. And the simple presence of adware in free apps isn’t unprecedented: Many publishers use in-app advertising as a way to profit from free apps. The difference in this case, Balaam says, is that “as official stores start to lock down the ads that can be shown, the publishers have to become more creative in how they hide adware.”

In the case of the CooTek apps, someone used very sophisticated techniques to obfuscate the adware executable bundled with the app. The adware was renamed, given a different filetype extension, and given AES encryption. All of this might have been a small annoyance, but BeiTaAd is so aggressive that it effectively rendered the device unusable for enterprise purposes.

The combination of CooTek apps and BeiTaAd adware was effective at spreading the ads to a wide audience. In a screen shot used in the research report, one of the apps — TouchPal Keyboard — shows more than 100,000,000 downloads. Together, the infected apps showed more than 440 million downloads, according to Lookout.

The research report states that as of May 23, 2019, all affected apps had been either removed from Google Play or updated to versions that do not contain BeiTaAd. Still, Balaam says, “Whoever is responsible for this plug-in, they’re aware that it doesn’t comply with the Google terms of service.” She doesn’t point a finger at the company or any individual, but continues, “Someone knew that what they were doing was wrong and they tried not to get caught.” 


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/attacks-breaches/adware-hidden-in-android-apps-downloaded-more-than-440-million-times/d/d-id/1334877?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Legacy app whitelist can be abused to bypass latest macOS security defenses, expert warns

Malware can bypass protections in macOS Mojave, and potentially access user data as well as the webcam and mic – by exploiting a hole in Apple’s legacy app support.

Digita Security chief research officer Patrick Wardle explained during a presentation at the Objective By the Sea conference in Monte Carlo this week how malicious software could manipulate an older installed application to bypass safeguards Apple has put on user data and sensitive components such as the camera and microphone.

Introduced by Apple last year at its World Wide Developer Conference, Mojave’s security defenses require the user to expressly give permission, by clicking on a dialogue-box button, whenever an application requests access to the camera or mic, or wants to look at personal information such as photos, mail archives, browser history, or system backup information.

As an additional layer of protection, Apple disabled “synthetic events” such as automated mouse clicks on user-interface buttons. This prevents a malicious application from faking the user’s authorization on the dialog box.

Wardle, however, found that there is a glaring hole in the new security features: the implementation of backwards compatibility support. He told The Register how, in order to keep the operating system from breaking older applications, Apple included within Mojave a whitelist of apps that can work around the security protections. Specifically, whitelisted apps can perform synthetic events, which would allow them to, among other things, get around the approval click.

What Wardle found was that Apple’s whitelisting mechanism only checks the cryptographic signatures of applications’ executables, not every piece of additional code that they load and run, such as plugins and scripts. This means that an attacker could in some way modify, or rather extend, one of those whitelisted apps to fake a permission approval click and gain access to all of the protected resources in Mojave without any noticeable user notification or interaction.

In his proof-of-concept, Wardle used a malicious plugin for the VLC media player to carry out the procedure and access what should be off-limits resources. In practice, the extension could be installed via social engineering or by exploiting a vulnerability in Safari. All that would be required to carry out the attack would be to have code running locally.

Why didn’t Apple spot this? Good question…

Wardle said the bug is far from a sophisticated vulnerability, and should not have been particularly hard for Cupertino’s engineers to spot, had they known what to look for.

“If any security researcher or someone at Apple with a security mindset had audited this code, they would have noticed it. Once you see this bug, it is trivial,” Wardle told El Reg.

“They are not auditing the code, they are implementing these new security features, but the reality is they are often implemented incorrectly.”

Even more frustrating, said Wardle, is that these are the sort of mistakes Apple has made repeatedly in recent years, even as its execs have talked up their efforts to make macOS and iOS devices more secure and private.

He explained how, time and again, he and other researchers have reported security vulnerabilities in Apple’s platforms, only to see the Cupertino giant deliver patches that only address a small portion of the vulnerability, or leave the root cause of a flaw exposed.


“The majority of the bugs and CVEs I receive are often secondary or tertiary flaws for the same bug that Apple did not patch completely,” Wardle explained. “When you report a flaw to them, they do not comprehensively patch it.”

This not only frustrates researchers, but also increases the risk of future attacks because malware writers get to see where the operating system is vulnerable to attacks and how they can exploit the holes that are left exposed.

No patch exists yet for this security weakness. The disclosure this week should serve as a wake-up call for both executives and engineers at Apple ahead of this week’s WWDC conference.

Apple typically uses its developer get-together to highlight the upcoming features it will be including in the new versions of iOS and macOS, both of which typically arrive in the late summer. Between now and then, Cupertino will have plenty of work to do on securing both platforms. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/03/macos_security_blocks_useless/

Malware spotted doing unspeakable, filthy things to infected Macs – injecting Bing results into Google searches

A devious and baffling new strain of malware intercepts and tampers with internet traffic on infected Apple Macs to inject Bing results into users’ Google search results, we’re told.

A report out this month by security house AiroAV details how its bods apparently spotted a software nasty that configures compromised macOS computers to route the user’s network connections through a local proxy server that modifies Google search results.

Malware that squirts ads and other junk into websites as they are visited on Macs typically relies on installing browser or operating system extensions, or injecting AppleScript, to pull off this kind of caper. Not so with this strain, which is probably trying to work around security defenses introduced in macOS Mojave that killed off older man-in-the-middle techniques.

Bad a Bing, badda-boom

In this latest case, it is claimed, the malware masquerades as an installer for an Adobe Flash plugin – delivered perhaps by email or a drive-by download – that the user is tricked into running. This bogus installer asks the victim for their macOS account username and password, which it can use to gain sufficient privileges to install a local web proxy and configure the system so that all web browser requests go through it. That proxy can meddle with unencrypted data as it flows in and out to and from the public internet.

A root security certificate is also added to the Mac’s keychain, giving the proxy the ability to generate SSL/TLS certs on the fly for websites requested. This allows it to potentially intercept and tamper with encrypted HTTPS traffic. This man-in-the-middle eavesdropping works against HTTP websites, and any HTTPS sites that do not employ MITM countermeasures.


When the user opens their browser and attempts to run a Google search on an infected Mac, the request is routed to the local proxy, which injects into the Google results page an HTML iframe containing fetched Bing results for the same query, weirdly enough.

But why, you may ask. It’s believed the Bing results bring in web ads that generate revenue for the malware’s masterminds. “To our understanding, the attackers make money out of ads they managed to serve via this process,” an Airo spokesperson told us. “It could be Bing ads in this case, or other ads throughout the process.”

The complex steps of the MITM process, say Airo researchers Roy Avni and Oksana Davidov, are a response to Apple’s implementation of security measures in macOS Mojave that lock down browser extensions and AppleScript code use that had previously been used for adware scams. And it’s possible future versions of the malware will snoop on and vandalize websites besides Google.com, of course.

“This aggressive search takeover and injection method seems to be a response to recent changes in macOS Mojave which had deprecated ‘traditional’ methods such as extension installation and browser setting takeovers,” the pair explained. “By using MITM, the attackers can inspect all the user’s traffic, including encrypted content, manipulate it and return handled responses back to the user.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/06/04/macos_infection_hijack/

Imperva Snaps Up Distil Networks for API, App Security

Distil Networks’ technology will be integrated into Imperva’s security stack following the acquisition.

Imperva has agreed to acquire bot management provider Distil Networks. The deal is intended to strengthen Imperva’s position in the application security market and develop its security tools.

Arlington, Va.-based Distil Networks, founded in 2011, has developed a bot detection and mitigation tool designed to identify and respond to a range of automated attacks against enterprise applications and APIs. Imperva wants to integrate this tech into its own application security tool, which aims to protect business data and applications wherever they’re deployed.

This marks the fifth acquisition for Imperva, and its first since the security company was purchased by Thoma Bravo in October 2018. Following that deal, valued at $2.1 billion, Imperva continued to run as a privately held company from its Redwood Shores, Calif., headquarters.

Imperva officials did not share the price of Distil Networks, a late-stage venture company that most recently completed its Series C round and has raised a total of $59 million in funding.

Read more details here.


Article source: https://www.darkreading.com/application-security/imperva-snaps-up-distil-networks-for-api-app-security/d/d-id/1334867?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

7 Container Components That Increase a Network’s Security

A proof of concept at Interop19 showed just how simple a container deployment can be.

Containers are a very big deal in enterprise computing right now. If your organization isn’t already using them, then trends indicate it probably will soon. This application virtualization technology has had profound implications for some companies that have embraced DevOps, and there is plenty of potential for it to have a similar impact on security operations.

To understand why, it’s good to start with an understanding of just what containers are. A modern application is a collection of pieces of code: the main application itself, configuration files, and custom files on which it depends. These tend to be unique to the application as it’s configured to be deployed on a given server.

A container bundles all of these things up into an image that can be saved and deployed quickly, consistently, and automatically across multiple servers. If differences exist in the operating system details between the development and production servers, the container insulates the application from them, making application movement between development and operations very fast and straightforward.

So what are the implications for security in all of this? One is that containers can allow vulnerabilities to quickly propagate if developers trust that all code in an image has been properly reviewed and updated. Conversely, a more positive implication is that specific network and application configurations can be tested, saved as images, and then automatically deployed when an attack, malware, or other problem takes the network or application delivery system down.

Because container technology is still relatively new, many IT managers are reluctant to depend on it. They also worry about complexity. But fear not: At Interop19, the Network Orchestration Hands-on Showcase decided to do a proof of concept that showed just how simple a container deployment can be — and why containers can be important to even a smaller organization. The demonstration involved primary and secondary network links with monitoring and network control applications deployed on the simplest of servers — Raspberry Pis.

Here, we’ll look at the individual components used in the showcase and how each could be used by a security team to replicate the work done at Interop. Most are software, a couple are languages (or language-like), and one is hardware. (To help those who are interested in replicating its experiment, the Interop Demonstration Lab team has placed all of its containers and support code on GitHub.)  

Is your organization using containers? Are you using them in your security infrastructure? Let us know in the Comments, below. 

(Image: Curtis Franklin, Jr. for Dark Reading)


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/operations/7-container-components-that-increase-a-networks-security/d/d-id/1334861?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Medical Debt Collector Breach Highlights Supply Chain Dangers

The breach of the website of American Medical Collection Agency leaves the personal and financial information of nearly 12 million patients at risk.

Medical testing provider Quest Diagnostics announced on Monday that the information of about 11.9 million of its patients — including their dates of birth and Social Security numbers — had been put at risk due to a breach of the website of a fourth-party supplier of debt-collection services dating as far back as August 2018.

The supplier, American Medical Collection Agency (AMCA), provides debt-collection services to Optum360, a medical billing service, which in turn is contracted by Quest. AMCA only notified Quest and Optum of the breach on May 14, and has not provided detailed information, Quest claimed in a notice posted on June 3.

“Quest is taking this matter very seriously and is committed to the privacy and security of our patients’ personal information. Since learning of the AMCA data security incident, we have suspended sending collection requests to AMCA.”

The incident underscores the threat that third-party — and, in this case, fourth-party — suppliers can pose to their clients, especially if the suppliers do not have a mature security program. 

“This was a breach through a vendor in their supply chain and shows that, however good your security strategy is, it can only ever be as good as the weakest link in the chain—and that could easily be a third party,” Laurence Pitt, security strategy director at Juniper Networks, wrote in a statement sent to Dark Reading. “It’s essential to evaluate security for every link in the supply chain, and data-protection regulations enforce this. You cannot outsource security responsibility.”

AMCA has struggled to respond to the breach. In early March, threat intelligence firm Gemini Advisory notified the company that it had found caches of financial details for sale on the Dark Web that led back to its customer base. Gemini Advisory never received a response to its outreach, and so notified law enforcement as well.

“It’s not the first time we had the same (non-)response,” says Stanislav Alforov, director of research and development for Gemini Advisory. “It seems like everyone is always in denial — like there are seven stages to being breached and the first one is denial.”

Because AMCA claims to handle more than $1 billion in receivables every year, a breach of its service likely affects other medical providers as well. However, the company has not provided any comprehensive information to Quest or Optum360. 

“AMCA has not yet provided Quest or Optum360 detailed or complete information about the AMCA data security incident, including which information of which individuals may have been affected,” Quest Diagnostics stated on June 3. “And Quest has not been able to verify the accuracy of the information received from AMCA.”

AMCA has hired crisis management firm Brunswick Group, which provided a statement to Dark Reading on the breach, saying that following the notification, it conducted an internal review and shut down its web payments page.

“We hired a third-party external forensics firm to investigate any potential security breach in our systems, migrated our web payments portal services to a third-party vendor, and retained additional experts to advise on, and implement, steps to increase our systems’ security,” AMCA said in the statement. “We have also advised law enforcement of this incident.”

While the information leaked does not include diagnostic results, according to Quest, the inclusion of the dates of birth and Social Security numbers makes the data much more complete and therefore more valuable, says Giovanni Vigna, co-founder and CTO of network security provider Lastline.

“Customers impacted may now have to deal with identity theft — this requires a significant amount of time to handle — including the recovery of damaged credit scores while also fixing fraudulent charges on credit cards,” he says.

Gemini Advisory expects more medical firms to notify their customers that their information has been compromised. While the company only found information on slightly more than 200,000 people on the Dark Web, cybercriminals often post only a subset of stolen accounts, Alforov says.

“I think you will start hearing from other affected clients going forward,” he says. “This data so far is only from Quest Diagnostic clients, just the ones that were sent to collections. Those were the card holders that were affected.”


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/risk/medical-debt-collector-breach-highlights-supply-chain-dangers/d/d-id/1334870?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple