STE WILLIAMS

The Default SAP Configuration That Every Enterprise Needs to Fix

Nine out of ten organizations are vulnerable to a 13-year-old flaw that puts their most critical business systems at risk of complete criminal takeover.

A new report out today shows that 90% of SAP systems in the enterprise are exposed to complete system compromise via a 13-year-old configuration vulnerability that few organizations have taken action on. This exposure puts business-critical systems like ERP, HR, finance and supply chain all at risk.

Detailed in a report published today by ERP security firm Onapsis, the flaw in question is a configuration problem in SAP NetWeaver that lets a remote, unauthenticated attacker with nothing more than network access to the system obtain unrestricted access to all SAP systems. While the attack scenario is not completely trivial – it requires the attacker to understand SAP’s architecture and coding standards – it is not difficult to carry out either. And the payoff is big.

As the underlying platform for all SAP deployments, SAP NetWeaver is used by 378,000 customers worldwide, including 87% of the Global 2000. The configuration insecurity is present by default in all versions of SAP NetWeaver, including cloud and next-generation digital business suite S/4HANA.

“It’s not something that organizations need to patch – it’s something that they need to change in their actual SAP implementation,” explains JP Perez-Etchegoyen, CTO at Onapsis.  “Basically this is a configuration setting in SAP applications that is configured wide open by default. It was well documented in 2005, but we still find it in nine out of 10 SAP implementations today.”

The insecurity makes it possible for an attacker to register a rogue application server and start receiving client connections from the SAP system, basically pretending to be a part of the trusted application servers that make up an impacted organization’s SAP ecosystem.

“Typically, organizations have their existing implementation in a flat network, meaning that all the SAP services are available and reachable,” Perez-Etchegoyen explains. “So this will allow an attacker without username and password to basically access all the information stored and processed within the system.”
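As an added illustration of the configuration change Perez-Etchegoyen describes (example code, not from the article or Onapsis): a small audit script that checks whether an SAP instance profile points the Message Server at an access-control list and whether that list admits any host. The parameter name ms/acl_info and the HOST=<pattern> line format are assumptions drawn from SAP's own documentation rather than from the article, and the profile and ACL texts are constructed samples.

```python
"""Audit an SAP instance profile for a Message Server ACL that admits any host.

Added example, not from the article or Onapsis. Assumptions: the profile
parameter ms/acl_info names the Message Server ACL file, and that file lists
permitted application servers as HOST=<pattern> lines, where HOST=* admits
every host. The profile and ACL texts below are constructed samples.
"""
import re
from typing import Dict, List, Optional

# Constructed instance profile that does point at an ACL file.
CONSTRUCTED_PROFILE = """\
# instance profile (constructed sample)
SAPSYSTEMNAME = PRD
INSTANCE_NAME = DVEBMGS00
ms/acl_info = /usr/sap/PRD/SYS/global/ms_acl_info
"""

# Two constructed ACL files: the wide-open default and a restricted version.
OPEN_ACL = "HOST=*\n"
RESTRICTED_ACL = """\
# only the known application servers may register
HOST=sapapp01.corp.example
HOST=sapapp02.corp.example
HOST=10.20.30.*
"""


def parse_profile(text: str) -> Dict[str, str]:
    """Parse 'key = value' profile lines, ignoring comments and blanks."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params


def parse_acl(text: str) -> List[str]:
    """Return the host patterns listed as HOST=<pattern> in an ACL file."""
    hosts: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"HOST\s*=\s*(\S+)", line, re.IGNORECASE)
        if match:
            hosts.append(match.group(1))
    return hosts


def _admits_any_host(entry: str) -> bool:
    # An entry made only of wildcards and dots ("*", "*.*", ...) matches everything.
    return entry.replace("*", "").replace(".", "") == ""


def audit_message_server_acl(profile_text: str, acl_text: Optional[str]) -> List[str]:
    """Return findings; an empty list means only named hosts may register."""
    findings: List[str] = []
    params = parse_profile(profile_text)
    acl_path = params.get("ms/acl_info")
    if acl_path is None:
        # No ACL configured at all: nothing limits who may register (assumed default).
        findings.append("ms/acl_info not set: no ACL restricts which hosts may register")
        return findings
    if acl_text is None:
        findings.append(f"ACL file {acl_path} is missing or unreadable")
        return findings
    hosts = parse_acl(acl_text)
    if not hosts:
        findings.append(f"ACL file {acl_path} has no HOST entries")
    for entry in hosts:
        if _admits_any_host(entry):
            findings.append(f"HOST={entry} admits every host on the network")
    return findings


if __name__ == "__main__":
    for label, acl in (("open default", OPEN_ACL), ("restricted", RESTRICTED_ACL)):
        print(label, audit_message_server_acl(CONSTRUCTED_PROFILE, acl) or ["OK"])
    print("no ACL parameter", audit_message_server_acl("SAPSYSTEMNAME = DEV\n", None))
```

On a real system the same check should be repeated for every instance profile, since each application server instance carries its own parameters.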

These kinds of systems are a treasure trove for corporate espionage, data theft and any other kind of cyber grift imaginable. The digital assets at stake include detailed information about vendors, customers and financial records, as well as detailed operational blueprints. What’s more, it’s not just privacy or confidentiality that’s at stake: the integrity of the entire system is put at risk, as an attacker could easily enough start generating fake P.O.s to themselves, manipulate data or even completely sabotage the nerve center of an enterprise’s business-critical systems by taking the system down.

“They can access the data, modify the data, pretty much anything they want,” he says. “In the biggest organizations in the world, pretty much all of the business processes are supported by SAP and pretty much the most important information is stored there. We do believe that this is a very big risk that needs to be addressed.”


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.

Article source: https://www.darkreading.com/vulnerabilities---threats/the-default-sap-configuration-that-every-enterprise-needs-to-fix/d/d-id/1331641?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Europe and Asia Take on More DDoS Attacks


While North American targets have historically been on the receiving end of the majority of DDoS attacks since their inception, that trend changed in 2017.

Ian Meller, Justin Shattuck, and Damien Rocha also contributed to this article.

In case you haven’t noticed, 2017 was something of a milestone in the DDoS industry: it passed without a major, world-record-setting DDoS event. The bad news is that in 2018, DDoS attacks are slamming back in full force. The number of attacks mitigated globally by F5 increased by 26% from 2016 to 2017. Q1 historically sees the lowest number of attacks; based on F5’s Q1 2018 attack count, DDoS attacks are on track to grow by more than 33% in 2018.

Taking Q1 2018 into account, the number of DDoS attacks against targets in the Asia Pacific (APAC) region is increasing faster than in any other region of the world. North America (N-AMER) and Europe, the Middle East and North Africa (EMEA) have been increasing steadily year over year but did not see the same Q1 2018 growth as APAC.

North American targets have received the majority of DDoS attacks since their inception. This trend changed in 2017 when DDoS attacks targeting North America dropped below 50%, while EMEA-targeted DDoS attacks rose above a third, and APAC grew from 8% in 2016 to 17% in 2017. In Q1 2018, businesses in APAC received almost as many attacks as businesses in North America.

The Q1 2018 figures cover only one quarter, compared with the annual averages for 2016 and 2017. If attacks against North America decline in Q2, as they have in each of the past two years, North America’s share of all attacks will continue to fall. Attacks against EMEA entities increased in Q2 in both 2016 and 2017, so there is a good chance EMEA’s percentage of the total will continue to rise, potentially surpassing North American targets for the first time.

Online gaming businesses were the top DDoS target in Q1 2018, followed by financial services and hosting providers. Collectively those industries received 76% of the DDoS attacks in Q1 2018. Web hosting providers and financial organizations have always been top DDoS targets, and that trend continued in 2017. Why? Because those two industries directly translate downtime into dollars lost. That makes blackmail DDoS attacks very lucrative for attackers, as paying the ransom is an effective way to stop the pain.

The gap between the traditional top targets and various other industries, including technology providers, ISPs, online gaming, and business service providers, is steadily closing. Every year we see a broader range of DDoS targets, driven by the growth of DDoS-for-hire services at extremely affordable rates and the availability of DDoS tools to the common script kiddie.

DDoS Attacks by Type

UDP fragmentation attacks are becoming increasingly popular with DDoS attackers who use multiple vectors in their attacks to “fill up the pipe” by maximizing the number of packets and fragments being sent through it.

When breaking down the DDoS attacks into volumetric, reflection, or application attack categories, volumetric attacks have always been the majority. Applications, as opposed to the traditional network, are a rising DDoS attack vector. Application attacks are more precise and require traffic scrubbing, versus the typical blocking of unwanted port traffic at the network layer. As the internet moves towards a virtualized application environment, we expect DDoS attacks targeting applications to take a larger slice of the pie in the future.

F5 has already mitigated multiple attacks greater than 250 Gbps in 2018. The interesting thing about these attacks is that it was clear the attackers had done their homework. They knew the prefixes they were targeting as they targeted multiple hosts in the same /24 subnet simultaneously, while constantly changing the target hosts. As mitigations were applied, the attackers continued to target other prefixes. In total, 3 different /24 subnets were targeted.

The top 10 source-traffic countries remained the same throughout all the attacks, which could indicate that the attacks were launched from the same systems over the four-day period. This behavior is consistent with IoT devices whose compromise and subsequent use in attacks go undetected or, in less likely scenarios, with compromised business systems whose owners don’t know they have been compromised and which are being used to launch attacks.

The largest share of the attack traffic came from the US, which is not typical. This indicates a significant number of vulnerable systems (potentially compromised memcached servers or IoT devices) in the US being abused to launch DDoS attacks.

With the rise in IoT devices, cloud computing and online databases, more vulnerable systems are becoming available to attackers to launch devastating DDoS attacks than ever before. When defending against modern cyber threats, no business is immune to damaging DDoS attacks. If you cannot afford downtime, get a DDoS strategy in place now so you don’t have to scramble to put one in place while you’re under attack.

Get the latest application threat intelligence from F5 Labs.

Sara Boddy currently leads F5 Labs, F5 Networks’ threat intelligence reporting division. She came to F5 from Demand Media where she was the Vice President of Information Security and Business Intelligence. Sara ran the security team at Demand Media for 6 years, covering all …

Article source: https://www.darkreading.com/partner-perspectives/f5/europe-and-asia-take-on-more-ddos-attacks/a/d-id/1331633?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple


US Healthcare Firms Among Dozens Hit in ‘Orangeworm’ Cyberattack Campaign

Attackers target healthcare organizations in apparent data theft mission, but could do far more damage, according to Symantec researchers.

Dozens of healthcare organizations, many of them in the United States, have become victims of what appears to be a highly targeted international campaign to steal data on sophisticated medical equipment and systems.

The campaign is notable for the potential it has to execute extensive damage to high-value x-ray machines, MRI systems, and other medical devices as well as their network infrastructure.

Symantec was the first to identify the previously unknown Orangeworm campaign. It found that at least 100 healthcare entities and companies in the healthcare supply chain have been hit since January 2015. About two dozen of those organizations became victims during the last half of 2017 and early part of this year.

In an advisory this week, Symantec described Orangeworm as deploying Kwampirs, a custom backdoor, on systems belonging to multiple healthcare organizations with international operations.

The backdoor gives the attackers full remote access to compromised machines, which they have then used to establish a persistent presence on the network. The attackers have used the backdoor to collect basic system and network information to determine if a compromised system or network is high-value or not.

If the system is high-value, Orangeworm typically copies the backdoor to other systems via open network shares. The attackers then proceed to harvest much more information about the victim network, including computers that have been accessed recently, mapped drives, open network shares, and information on network adapters.

For the most part, Kwampirs’ functionality is similar to many other backdoors. However, it does not spread by taking advantage of vulnerabilities or exploits, says Jon DiMaggio, senior threat intelligence analyst at Symantec. Instead it relies on open shares found in the target environment to spread.
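An added detection example (not from the article or Symantec) for the propagation pattern described above: a single host writing the same executable to many peers’ network shares within a short window, which is what share-based spreading looks like from the file server’s side. The log layout, host names and file name below are constructed for the example and are not Kwampirs indicators.

```python
"""Flag one host copying the same file to many peers over network shares.

Added example, not from the article or Symantec. The input is a constructed,
simplified share-access log with one event per line:
    <ISO timestamp> <source host> <target host> <share> <relative path> <access>
Hosts, paths and the file name are made up for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple


class ShareEvent(NamedTuple):
    ts: datetime
    src: str
    dst: str
    share: str
    path: str
    access: str


# Constructed sample log: WS-114 drops the same binary onto four peers'
# administrative shares within two minutes, then one more two hours later.
SAMPLE_LOG = """\
2018-04-23T09:00:01 WS-114 FS-01 DOCS reports/q1.xlsx ReadData
2018-04-23T09:02:10 WS-114 WS-201 C$ Windows/Temp/svc-tool.exe WriteData
2018-04-23T09:02:31 WS-114 WS-202 ADMIN$ Temp/svc-tool.exe WriteData
2018-04-23T09:03:05 WS-114 WS-203 C$ Windows/Temp/svc-tool.exe WriteData
2018-04-23T09:03:40 WS-114 IMG-MRI1 C$ Windows/Temp/svc-tool.exe WriteData
2018-04-23T09:10:00 WS-077 FS-01 DOCS reports/q1.xlsx WriteData
2018-04-23T11:30:00 WS-114 WS-250 C$ Windows/Temp/svc-tool.exe WriteData
"""


def parse_log(text: str) -> List[ShareEvent]:
    """Turn the whitespace-separated log into ShareEvent records."""
    events: List[ShareEvent] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, share, path, access = line.split()
        events.append(ShareEvent(datetime.fromisoformat(ts), src, dst, share, path, access))
    return events


def find_share_propagation(events: List[ShareEvent], min_targets: int = 3,
                           window: timedelta = timedelta(minutes=15)) -> List[dict]:
    """Alert on (source, file name) pairs written to >= min_targets distinct
    hosts within one window. Reads are ignored; only writes can spread a file."""
    writes: Dict[Tuple[str, str], List[Tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        if ev.access != "WriteData":
            continue
        name = ev.path.rsplit("/", 1)[-1].lower()
        writes[(ev.src, name)].append((ev.ts, ev.dst))

    alerts: List[dict] = []
    for (src, name), hits in writes.items():
        hits.sort()
        # Slide a window from each write and count distinct target hosts in it.
        for i, (start, _) in enumerate(hits):
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                alerts.append({"source": src, "file": name,
                               "targets": sorted(targets), "first_seen": start})
                break  # one alert per (source, file) is enough
    return alerts


if __name__ == "__main__":
    for alert in find_share_propagation(parse_log(SAMPLE_LOG)):
        print(f"{alert['source']} wrote {alert['file']} to {len(alert['targets'])} "
              f"hosts from {alert['first_seen']}: {', '.join(alert['targets'])}")
```

The thresholds are deliberately loose; a deployment tool that pushes the same package to many hosts will trip the same rule, so the source host should be compared against a list of approved distribution servers before alerting.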

Based on the type of commands executed within victim networks and the type of information being gathered by the group, Orangeworm is conducting operations to learn about the technologies running on many of the compromised devices, says DiMaggio.

“One way this information could be leveraged is to possibly create pirated versions of the technologies the attacker is collecting information on,” he says. It could also help the attackers gain a better understanding of how these systems and devices function and operate. “All of this could be used as an advantage to a competitor,” DiMaggio says.

Devices running medical technology have clearly been one of the high-value targets for the group, DiMaggio says. This includes various types of x-ray and MRI devices and the associated systems that interact with or control the devices themselves. About 17% of the victim organizations so far are US-based, and the rest are scattered across nearly two dozen other countries including India, Saudi Arabia, the Philippines, the United Kingdom, and France.

Known victims include hospitals, pharmaceutical firms, medical equipment manufacturers, and providers of IT and logistics services to organizations in the healthcare sector. The list of Orangeworm’s victims suggests they were specifically targeted for attack rather than randomly picked. The secondary victims appear to have been selected for the likely access they provided to the intended targets, according to Symantec.

Troubling as the espionage itself has been, the real concern is just how much access the attackers have managed to gain on compromised networks, DiMaggio says. “The Kwampirs malware used by Orangeworm provided a backdoor and allowed the attacker to load additional tools and malicious payloads at their discretion,” he notes.

“The access and control the attacker had on victim systems could allow the attacker to do much worse, such as sabotage or destroy expensive medical equipment as well as the infrastructure that supports these devices.”

Campaigns like Orangeworm highlight the need for organizations in the healthcare sector to start addressing some of the issues that can stem from incorporating legacy systems into production environments. Ordinarily, the security mechanisms built into many modern operating systems and security devices would have been effective in stopping Kwampirs.

“The attackers, however, were aware the healthcare vertical as a whole still relies on older platforms and technologies to host medical tech,” DiMaggio says. “This allowed the attacker to use a much more primitive way to spread than it would be able to in an environment that did not include these legacy technologies.”  

Even though the method used by Kwampirs to propagate and communicate with command and control servers is particularly noisy, it has worked well for them so far, according to Symantec, which thus far has no information on the origin of the attackers.

Medical Equipment at Risk

Based on Symantec’s description of the Kwampirs backdoor, it would not be effective against modern security protections or up-to-date systems, says John Nye, director of cybersecurity research and communications at CynergisTek. Orangeworm is taking advantage of known issues in the modern healthcare-imaging suite, which includes imaging devices such as MRI and CT scanners, he says.

“That is, they utilize expensive and complex systems, like MRIs and x-rays that are owned by vendors that have not taken the initiative to update or improve the security of these devices,” Nye says. “This is why it is so critical for all organizations to segment any system they do not — or cannot — control away from the primary enterprise network where sensitive information is stored.”

Leon Lerman, CEO of Cynerio, says hospitals and the healthcare sector in general continue to be a popular target for attackers because of just how valuable medical records and patient information are in the criminal market. Records containing protected health information, for instance, can fetch ten times as much as stolen credit card data in underground markets because they enable identity theft and healthcare fraud.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/us-healthcare-firms-among-dozens-hit-in-orangeworm-cyberattack-campaign/d/d-id/1331652?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple


Why Hackers Love Healthcare

The migration of valuable data to the cloud is piquing the interest of cybercriminals. But there are ways to fight back.

Much like the rest of the world, healthcare organizations are shifting work to cloud services in order to improve accessibility and patient care. However, the migration of these workloads and moving valuable information such as PHI (personal health information) and PII (personally identifiable information) to the cloud has also led to cybercriminals taking a particular interest in the industry.

The number of ransomware and other malware attacks is rising incredibly fast in the healthcare industry, putting human lives as well as critical data at risk. From 2011 through 2014, the sector — including hospitals, labs, pharmacies, drug companies and outpatient clinics — experienced the highest number of data breaches of all industries. What makes these organizations such a popular target?

1. Highly Valuable Data
One of the key aspects making healthcare organizations a top target is the value of their data. Commonly, a single stolen credit card number yields an average $2,000 profit and quickly becomes worthless. Healthcare data, however, such as PHI or PII, is extremely valuable on the black market.

A single PHI file, for example, can yield a profit of up to $20,000. This is mainly because it can take weeks or months for a healthcare data breach to be discovered, enabling cybercriminals to extract much more valuable data. Moreover, because healthcare data can contain dates of birth and Social Security numbers, it is much more difficult or even impossible to change, so thieves can take advantage of it for a longer period of time.

2. Lack of IT Investment and Training
Another reason the healthcare industry is popular among cybercriminals is its systematic underinvestment in IT security. Most healthcare organizations spend just 3% of their IT budgets on security, while the SANS Institute — the largest provider of cybersecurity training and certifications — recommends spending at least 10%.

For most healthcare organizations, security is often an afterthought. They don’t provide regular cybersecurity training for their employees, which could help reduce insider threats. For example, 18% of healthcare employees say they’re willing to sell their login credentials for between $500 and $1,000. And about one-quarter of healthcare employees know someone in their organization who has engaged in this practice.

When addressing employee-related cyber vulnerabilities, it’s important to note that while training is essential, it won’t magically protect patients’ digital data. Some hospitals still struggle to deploy even the most basic IT security measures, such as intrusion detection and the ability to wipe lost or stolen devices; basic cyber hygiene practices must be coupled with ongoing training, both to protect well-intentioned employees and to mitigate future data loss caused by those seeking to profit.

3. Highly Connected Systems
Having shifted workloads to the cloud, healthcare organizations have highly connected systems that run the risk of being deeply affected even if the attack takes place on smaller, partial systems. In other words, a cyberattack in one place could bring down the entire system. In May 2017, the WannaCry ransomware attack forced multiple hospitals across the United Kingdom to turn away ambulances transporting patients and cancel surgeries that were within minutes of starting. Even basic processes like admitting patients and printing wrist bands were compromised.

The impact of WannaCry illustrates how important it is for healthcare organizations to be able to function and provide patient care during a cyberattack. After all, lives are at risk, meaning there’s a general urgency to get back to business as soon as possible. For attackers, this urgency makes it extra tempting to target healthcare organizations, because they assume it will make them more likely to pay the ransom to reverse the infection.

Fighting Back
What can the healthcare industry do to mitigate cyber threats? To begin with, the industry must realize that cybersecurity is human-centric. Gaining insight into the normal rhythm of users’ behavior, for example, or the flow of data in and out of the organization improves risk response. Additionally, the industry should be aware that cybersecurity isn’t just the responsibility of the IT department: everyone should be aware of the risks, from management down to brand-new contract staff.

Healthcare security professionals need to understand the threats they face and the regulations they must comply with, and they must be provided with best practices for strengthening cybersecurity defenses. This means implementing comprehensive security awareness training that educates all personnel on current threats, red flags to look for in an email message or web link, how to avoid infection, and what to do in case of an active exploit. And since the threat landscape is constantly changing, training should be repeated and updated on a regular basis.

Additionally, implementing the right cybersecurity measures, such data loss prevention, user behavior analytics, and endpoint security technologies, will further protect an organization’s infrastructure and patient data from ransomware attacks. By creating a system that guards the human point — where people interact with critical business data and intellectual property — and takes into account the intersection of users, data, and networks, the healthcare industry can improve its cyber threat protection.

Yes, reaching 100% security against cyberattacks won’t happen. But with a few steps, healthcare organizations can make sure that it’s too complex or unprofitable for threat actors to attack them, which will result in them moving on to another target.

Related Content:

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.

Allan Alford is Chief Information Security Officer (CISO) at Forcepoint. In this role he leads Forcepoint’s corporate security and governance program, including the implementation of the company’s internal user and data protection program for 2,700 employees worldwide. As … View Full Bio

Article source: https://www.darkreading.com/endpoint/why-hackers-love-healthcare/a/d-id/1331537?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Why Hackers Love Healthcare

The migration of valuable data to the cloud is piquing the interest of cybercriminals. But there are ways to fight back.

Much like the rest of the world, healthcare organizations are shifting work to cloud services in order to improve accessibility and patient care. However, moving these workloads, and valuable information such as PHI (protected health information) and PII (personally identifiable information), to the cloud has also led cybercriminals to take a particular interest in the industry.

The number of ransomware and other malware attacks is rising incredibly fast in the healthcare industry, putting human lives as well as critical data at risk. From 2011 through 2014, the sector — including hospitals, labs, pharmacies, drug companies and outpatient clinics — experienced the highest number of data breaches of all industries. What makes these organizations such a popular target?

1. Highly Valuable Data
One of the key aspects making healthcare organizations a top target is the value of their data. Commonly, a single stolen credit card number yields an average $2,000 profit and quickly becomes worthless. Healthcare data, however, such as PHI or PII, is extremely valuable on the black market.

A single PHI file, for example, can yield a profit of up to $20,000. This is mainly because it can take weeks or months for a healthcare data breach to be discovered, enabling cybercriminals to extract much more valuable data. Moreover, because healthcare data can contain dates of birth and Social Security numbers, it is much more difficult or even impossible to change, so thieves can take advantage of it for a longer period of time.

2. Lack of IT Investment and Training
Another reason the healthcare industry is popular among cybercriminals is its systematic underinvestment in IT security. Most healthcare organizations spend just 3% of their IT budgets on security, while the SANS Institute — the largest provider of cybersecurity training and certifications — recommends spending at least 10%.

For most healthcare organizations, security is often an afterthought. They don’t provide regular cybersecurity training for their employees, which could help reduce insider threats. For example, 18% of healthcare employees say they’re willing to sell their login credentials for between $500 and $1,000. And about one-quarter of healthcare employees know someone in their organization who has engaged in this practice.

Training is essential to addressing employee-related vulnerabilities, but it will not by itself protect patients’ digital data. Some hospitals still struggle to deploy the most basic IT security measures, such as intrusion detection and the ability to wipe lost or stolen devices. Basic cyber hygiene of that kind must be coupled with ongoing training, both to keep well-intended employees from being tricked and to limit what an insider seeking to profit is able to take.

3. Highly Connected Systems
As workloads have shifted to the cloud, healthcare organizations run highly connected systems in which an attack on one small component can ripple through everything that depends on it. In other words, a cyberattack in one place could bring down the entire system. In May 2017, the WannaCry ransomware outbreak forced multiple hospitals across the United Kingdom to turn away ambulances transporting patients and cancel surgeries that were within minutes of starting. Even basic processes like admitting patients and printing wristbands were disrupted.

The impact of WannaCry illustrates how important it is for healthcare organizations to be able to function and provide patient care during a cyberattack. After all, lives are at risk, meaning there’s a general urgency to get back to business as soon as possible. For attackers, this urgency makes it extra tempting to target healthcare organizations, because they assume it will make them more likely to pay the ransom to reverse the infection.

Fighting Back
What can the healthcare industry do to mitigate cyber threats? To begin with, the industry must realize that cybersecurity is human-centric. Gaining insight into the normal rhythm of users’ behavior, for example, or the flow of data in and out of the organization improves risk response. Additionally, the industry should be aware that cybersecurity isn’t just the responsibility of the IT department: everyone should be aware of the risks, from management down to brand-new contract staff.

Healthcare security professionals need to understand the threats they face and the regulations they must comply with, and they must be provided with best practices for strengthening cybersecurity defenses. This means implementing comprehensive security awareness training that educates all personnel on current threats, red flags to look for in an email message or web link, how to avoid infection, and what to do in case of an active exploit. And since the threat landscape is constantly changing, training should be repeated and updated on a regular basis.

Additionally, implementing the right cybersecurity measures, such as data loss prevention, user behavior analytics, and endpoint security technologies, will further protect an organization’s infrastructure and patient data from ransomware attacks. By creating a system that guards the human point — where people interact with critical business data and intellectual property — and takes into account the intersection of users, data, and networks, the healthcare industry can improve its cyber threat protection.

Reaching 100% security against cyberattacks is not possible. But with a few steps, healthcare organizations can make attacking them complex or unprofitable enough that threat actors move on to another target.

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry’s most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.

Allan Alford is Chief Information Security Officer (CISO) at Forcepoint. In this role he leads Forcepoint’s corporate security and governance program, including the implementation of the company’s internal user and data protection program for 2,700 employees worldwide. As …

Article source: https://www.darkreading.com/endpoint/why-hackers-love-healthcare/a/d-id/1331537?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

New Phishing Attack Targets 550M Email Users Worldwide

In an attempt to steal financial data, the attack bribes users with coupons in exchange for taking an online quiz.

A new phishing campaign was discovered sending more than 550 million emails within the first quarter of 2018, according to data from Vade Secure. The threat was discovered in early January and has primarily hit users in the US, UK, France, Germany, and the Netherlands.

Victims receive emails disguised to come from popular brands and services in their home country. Attackers try to steal their banking information by offering coupons or discounts in exchange for their participation in an online quiz or contest.

Experts believe a serious criminal organization is behind this campaign, which, unlike many phishing operations, doesn’t rely on compromised third-party websites. It appears to use leased, legitimate IP addresses, servers, and domain names, which would drive infrastructure costs up to tens of thousands of dollars. The attackers also use URL shorteners to conceal the ultimate destination of their links.

These sophisticated techniques caused the threat to bypass many existing email security tools, researchers report. Read more details here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/vulnerabilities---threats/new-phishing-attack-targets-550m-email-users-worldwide/d/d-id/1331654?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

MyEtherWallet DNS Attack Offers Opt-In Lessons

Attackers poisoned BGP route tables to redirect Amazon’s Route 53 name servers to their malicious servers.

Combine exploits of two of the Internet’s foundation protocols with a human behavior “vulnerability” and you get an attack that can be quite successful: That’s what happened on Amazon’s domain name service on April 24, and the result is a $150,000 lesson in stacked vulnerabilities.

The attack was first spotted around 8 a.m. Central Daylight Time on Tuesday, when a small number of networks began publishing bogus routes for address space belonging to Route 53, Amazon’s DNS service. The bogus routes carried DNS queries to fake name servers, which answered lookups for MyEtherWallet.com with the address of a server in Russia. There, some users clicked through browser certificate warnings, answered questions from a phishing app and gave up their cryptocurrency credentials. Those users lost the contents of their cryptowallets.

The Border Gateway Protocol (BGP) was the foundation of the attack. Misdirection then moved to DNS, sending some users to a server that didn’t have the proper certificate for an HTTPS connection. Looking at the exploit as it moved up the stack can help us understand why three well-known and technologically unsophisticated exploits combined for success in this attack.

Own the Route

BGP is the protocol that tells routers the best way to send traffic along the multi-hop path that makes up each internet session. These instructions come from complex algorithms, constant monitoring, and, in many cases, skilled professional “router jockeys” who know their router performance and what’s going on in their network neighborhood. The entire process relies on trust at each level and step.

Alongside all that trust, there is a bias built into the system: the more specific a route, the better, because a router forwards on the longest prefix that matches a destination. The attackers in this case saw that the addresses of some Amazon Route53 name servers were advertised as /23 prefixes and announced /24 routes of their own inside them, which any router that accepted those announcements then preferred over Amazon’s legitimate routes.

“The bad guys strategically poisoned the BGP route tables to redirect the Route 53 name servers to their servers. They had to cherry-pick two or three /24s that just happened to be the ones for [MyEtherWallet.com],” says Cricket Liu, chief DNS architect at Infoblox. The choice of name servers to target didn’t require deep inside information, either. “The information is publicly available; just look up the DNS records for them, and you know which address spaces you need to commandeer,” he says.

The attack began with the /24 routes being originated from the network of eNET Inc., an ISP in Columbus, Ohio. eNET’s routers passed them on to their BGP peers, as routers are supposed to do. eNET hosts in an Equinix facility in Columbus, which has a direct link to the substantial Equinix facility in Chicago. This made propagation of the routes somewhat faster, though, as Liu says, “This could have been done anywhere. Any authoritative servers could have done it.”

While the spurious routes were advertised, not all routers accepted the new routes. “Most ISPs will actively filter the prefixes from other providers,” says Alex Henthorn-Iwane, vice president of product marketing at ThousandEyes. The weakness in the system, he says, is that the filtering is part of good BGP hygiene and is voluntary. As a result, “Most of the providers rejected [the new routes], but a couple didn’t, and those two propagated them out to the rest of the internet. That means it wasn’t as widespread as it might be, but it did hit some people.”

According to AWS, neither AWS nor Amazon Route 53 were compromised in the attack. “An upstream Internet Service Provider (ISP) was compromised by a malicious actor who then used that provider to announce a subset of Route 53 IP addresses to other networks with whom this ISP was peered. These peered networks, unaware of this issue, accepted these announcements and incorrectly directed a small percentage of traffic for a single customer’s domain to the malicious copy of that domain,” the company said in a statement.

Own the Name

The malicious route didn’t go to a fake version of MyEtherWallet. Instead, it directed queries to a malicious DNS server. “It is rare to see the DNS on top of the BGP attack,” says Patrick Sullivan, senior director of security strategy at Akamai. “Someone exploited the lack of integrity checking with BGP route advertising and the lack of integrity for DNS responses.”

Once individuals trying to reach MyEtherWallet were given the malicious route, the next level of the exploit became easier. “The authoritative servers looked like they had legitimate addresses, but because of BGP they went to spurious authoritative servers that then served bad resolution,” says Merike Käo, CTO at Farsight Security.

Part of the unusual nature of this attack is that the threat actors were phishing rather than trying to capture traffic. “The fear is a man in the middle attack where they try to decrypt HTTPS traffic offline after they capture it,” says Sullivan.

Instead of being stealthy about information capture, the attackers required users to type it in — and ignore warnings to do it.

Own the User

While the focus has been on the BGP and DNS elements of this attack, neither would have been effective without cooperation from the users. “This was poor end-user security hygiene where users saw some pretty dire warnings and they just clicked straight through,” Sullivan says. “They saw that it was not a CA-approved cert and blew through the warnings.”

Aside from more training, it’s unclear how else to prevent users from falling for this. “Because it’s human, it’s vulnerable. Humans can opt in or opt out of practices,” says Henthorn-Iwane. “The human factor, on balance, is always going to be a security vulnerability.”

And that makes the final point of the nature of this attack. “I would call it the criminal underground taking advantage of basic Internet hygiene,” says Käo.

Routes Forward

There are technologies and standards of practice that can break a layered attack like this one at each of its layers:

  • DNSSEC — DNS Security Extensions (DNSSEC) is a basic step that many more organizations should be implementing, experts say. DNSSEC signs zone data and anchors the signing keys in a chain of DNSKEY and DS records leading back to the root, so a validating resolver can reject forged answers like the ones the spurious authoritative servers returned here. It protects only those clients whose resolvers actually validate. “DNSSEC isn’t enormously difficult or expensive. In the early days it was, but that was 20 years ago,” says Liu.
  • MANRS — Mutually Agreed Norms for Routing Security (MANRS) are principles for making sure that malicious and spurious routes are not propagated through the Internet. The basics are clear policies and active filtering for routes and addresses that come from questionable sources.
  • BCP38 — BCP38, published as RFC 2827 (Network Ingress Filtering), was originally intended to provide protection from DDoS attacks. It specifies how networks should drop packets whose source IP addresses do not belong to the network they arrive from. It does not by itself stop a bogus BGP announcement; what stops that is the same ingress discipline applied to BGP sessions as prefix filtering, which is one of the MANRS actions.
  • RPKI — Resource Public Key Infrastructure (RPKI) is a way for resource owners to specify, in signed Route Origin Authorizations (ROAs), which autonomous systems can originate their IP address prefixes and down to what prefix length. In the context of this attack, RPKI would have prevented the first step from occurring, provided Amazon had published ROAs for the affected /23s and the networks receiving the /24 announcements validated against them and dropped routes marked invalid.
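
To make the /23 versus /24 mechanics and the RPKI bullet concrete, here is an added example (not code from the article or from any of the vendors quoted in it) of how a router’s longest-prefix match picks the hijacker’s more-specific routes, and how route origin validation against signed ROAs would have discarded them. The /23 prefixes are the Route 53 name server ranges reported publicly after the incident, the AS numbers for Amazon (16509) and eNET (10297) are assumptions taken from public registry data, and the ROA table, the name server address and the one unrelated prefix are constructed for illustration.

```python
import ipaddress

# Constructed data for this example. The /23s are the Route 53 name server
# ranges reported publicly after the April 2018 incident; AS 16509 (Amazon)
# and AS 10297 (eNET) are taken from public registry data; the ROA table and
# the name server address used below are assumptions for illustration.
AMAZON_AS = 16509
ENET_AS = 10297

# What Amazon legitimately announces: four /23 prefixes.
LEGITIMATE_ROUTES = [
    {"prefix": f"205.251.{n}.0/23", "origin_as": AMAZON_AS} for n in (192, 194, 196, 198)
]

# What the hijacker announced: more-specific /24s carved out of those /23s.
HIJACK_ROUTES = [
    {"prefix": f"205.251.{n}.0/24", "origin_as": ENET_AS} for n in (192, 193, 195, 197, 199)
]

# Route Origin Authorizations as a validating router would receive them from an
# RPKI validator: "AS 16509 may originate each /23, and nothing longer than /23".
ROAS = [
    {"prefix": f"205.251.{n}.0/23", "asn": AMAZON_AS, "max_length": 23}
    for n in (192, 194, 196, 198)
]


def best_route(table, ip):
    """Longest-prefix match, as a BGP router does it: the most specific
    covering prefix wins regardless of who originated it."""
    addr = ipaddress.ip_address(ip)
    covering = [r for r in table if addr in ipaddress.ip_network(r["prefix"])]
    if not covering:
        return None
    return max(covering, key=lambda r: ipaddress.ip_network(r["prefix"]).prefixlen)


def rov_state(route, roas):
    """Route origin validation in the style of RFC 6811.

    Returns 'not-found' when no ROA covers the prefix, 'valid' when a covering
    ROA names the route's origin AS and permits its length, otherwise 'invalid'.
    """
    net = ipaddress.ip_network(route["prefix"])
    covering = [roa for roa in roas if net.subnet_of(ipaddress.ip_network(roa["prefix"]))]
    if not covering:
        return "not-found"
    for roa in covering:
        if roa["asn"] == route["origin_as"] and net.prefixlen <= roa["max_length"]:
            return "valid"
    return "invalid"


def apply_rov(table, roas):
    """The opt-in policy the article describes: drop 'invalid' routes before
    they enter the routing table; keep 'valid' and 'not-found' ones."""
    return [r for r in table if rov_state(r, roas) != "invalid"]


def resolve_next_hop(ip, validate):
    """Which announcement a router would use to reach `ip`, with or without ROV."""
    table = LEGITIMATE_ROUTES + HIJACK_ROUTES
    if validate:
        table = apply_rov(table, ROAS)
    return best_route(table, ip)


if __name__ == "__main__":
    ns_ip = "205.251.193.10"  # assumed address of one Route 53 name server
    for validate in (False, True):
        r = resolve_next_hop(ns_ip, validate)
        print(f"ROV {'on ' if validate else 'off'}: {ns_ip} -> {r['prefix']} via AS{r['origin_as']}")
    # Without ROV the /24 from AS10297 wins; with ROV only Amazon's /23 remains.
```

Two details are worth noting. The ROA’s maxLength is set to what Amazon actually announces (/23), so even a /24 originated by AS 16509 itself is classed invalid; a looser maxLength would let an attacker who forges the origin AS at the end of the AS path slip a more-specific route past origin validation. And the filter only helps on the networks that run it, which is exactly the opt-in problem the article raises: the two providers that accepted eNET’s /24s would have had to be validating.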

The primary limitation of all four of these is that they require website, DNS server, or router owners to opt in to the protection. Any owners who choose to opt out present realistic attack surfaces for criminals.

Meantime, even if your organization isn’t targeted, it can be affected by this type of attack. “When you’re running a digital business it’s not just about being hit directly, it’s about being hit when someone else is targeted,” says Henthorn-Iwane. “You don’t have to be targeted to be damaged.”

“It is my hope that events like this will further raise the awareness to follow best practice mandates,” says Käo. “Even if you’re helping protect someone else, some day it will come back and help protect you.”

Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/attacks-breaches/myetherwallet-dns-attack-offers-opt-in-lessons/d/d-id/1331656?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple