Half Of CEOs Have Fallen Victim To Phishing Attacks

CEOs need training to avoid phishing scams

Half of chief executives have fallen victim to a phishing attack, indicating that they lack the right cyber security training to protect themselves.

Research conducted by threat intelligence firm AlienVault found that 82 per cent of IT security professionals worry that their CEOs and other executives are still vulnerable to phishing scams.

Yet despite this concern, only 45 per cent provide cyber security training to all employees, including the board, while 20 per cent do not conduct any training and instead deal with the fallout of such attacks when they occur.

Javvad Malik, security advocate at AlienVault, explained that the threat from phishing is more pervasive than it ought to be, given that there are many tools to prevent scam emails being opened or executing rogue code.

“The challenge here is twofold. Firstly, most phishing scams that target execs are well crafted and researched. Similar looking domains are registered and execs are carefully researched. Secondly, many execs have personal assistants who manage their day-to-day operations and who are often more susceptible to social engineering techniques,” he said.

“As such, it is important to train all users in an organisation as attackers will always try to strike at the weakest links, who may not even be internal employees. CEO fraud also routinely targets third-party suppliers, partners and customers, so awareness should be spread to all associated parties.

“To stay a step ahead, security teams need to monitor third-party activity closely and use threat intelligence networks to keep abreast of the latest scams being employed by criminals.”

Threat intelligence tools in the IT security market allow IT professionals to get insight into nefarious activity on their networks, but phishing still presents companies with an expensive threat.

The FBI recorded a 270 per cent increase in CEO victims of fraud since the beginning of 2016. Such fraud has cost US organisations more than $2.3bn over the past three years, while each attack is estimated to cost $25,000 to $75,000. 

At times when there are numerous economic challenges and competition from all sides, such attacks have the potential to erode a company’s success.

More damning is AlienVault’s research showing that 45 per cent of IT professionals think it likely that their organisation would pay a ransom demand if their network was infected by ransomware, which is often triggered by a successful phishing attack.

“It’s worrying to see how many people would consider paying up if they were infected with ransomware. Negotiating with criminals is a dangerous game that offers no guarantees, and cooperating in this way just encourages more attacks,” said Malik.

Phishing scams have risen by 20 per cent in 12 months, and even major cloud services are used as a vector for such attacks, so the problem is not likely to go away anytime soon.

Threat Intel

via News ≈ Packet Storm http://ift.tt/1Fpvz7L

June 28, 2016 at 09:48AM

The 101 of Ransomware


Ransomware is a type of malware that restricts access to infected computers and requires victims to pay something in order to regain full access to their data. Spear phishing and email are the most common methods for spreading ransomware. Drive-by download is a term becoming more popular, and it is….

Threat Intel

via CERT-EU : EMM AlertFilter System: CERT-LatestNews http://ift.tt/1gYYfLb

June 28, 2016 at 11:21AM

Troublemaking Bart ransomware follows in Dridex and Locky’s footsteps


A newly discovered ransomware named Bart doesn’t need to connect with a command-and-control server in order to encrypt victims’ files, meaning even the strongest corporate firewalls may be unable to stop Bart from rendering a PC ineffective.

Threat Intel

via CERT-EU : EMM AlertFilter System: CERT-LatestNews http://ift.tt/1gYYfLb

June 28, 2016 at 11:21AM

Chrome DRM Vulnerability Can be Exploited to Copy Streamed Movies (June 24 and 27, 2016)


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII – Issue #51

June 28, 2016


Cerber Ransomware Targets (Lots Of) Office365 Users
US Legislators Want to Know How DoD Will Respond to Critical Infrastructure Cyberattack
DNC Attackers Also Targeted Clinton Campaign and Clinton Foundation
Federal Progress in Cybersecurity Uneven

Stolen Patient Records Offered for Sale
Traditional Security Not Working for Hospitals
Microsoft Will Pay US $10,000 for Windows 10 Update That Damaged Machine
IRS Retires E-file PIN Application
Chrome DRM Vulnerability Can be Exploited to Copy Streamed Movies
SMS Texts for Two-Factor Authentication? Think Again
EU Will Vote on Revised Privacy Shield Draft Next Month
Lenovo Fixes Support Tool Flaws



********************** Sponsored By ThreatSTOP **************************

Stop admiring threats, start blocking them with ThreatSTOP. Automatically supercharge your existing network security devices with operationalized threat intelligence. Special SANS promotion: 25% off our Starter Kit. Start blocking threat today!




–SANS Salt Lake City 2016 | Salt Lake City, UT | June 27-July 2 |


–MGT 433 at SANS London Summer 2016| London, UK | July 7-8 |


–SANS London Summer 2016| London, UK | July 9-16 |


–SANS Rocky Mountain | Denver, CO | July 11-16 |


–SANS Minneapolis 2016 | Minneapolis, MN | July 18-23 |


–SANS San Antonio | San Antonio, TX | July 18-23 |


–Industrial Control Systems Security Training | Houston, TX | July 25-30 |


–SANS Vienna | Vienna, Austria | August 1-6 |


–Security Awareness Summit & Training | San Francisco, CA | August 1-10, 2016 |


–Data Breach Summit: Assessment, Compliance, Communication | Chicago, IL | August 18, 2016 |


–SANS Alaska | August 22-27, 2016 | Anchorage, AK |



Cerber Ransomware Targets Office365 Users (June 27 and 28, 2016)

More than half of cloud security firm Avanan’s customers using Office365 received phishing emails that were designed to infect computers with ransomware. Microsoft started blocking the malicious attachment on June 23, one day after the attack began.

[Editor Comments ]

(Pescatore): The major lesson here is that the AV capabilities built into email services like Gmail or Office365 are usually the first thing targeted threat actors test their payload against. The old adage “Infrastructure can not protect itself” is definitely still valid with email services. You still need to monitor and protect your Windows endpoints at least as well as before outsourcing email. Ideally, use the transition to *improve* security – add stronger authentication and better endpoint protection, or both, as part of that switchover. Finally, make sure your incident response processes extend out to each new external service or cloud service provider – they all do things differently, they don’t adapt to you.

(Williams): While managed services such as Office365 are not a panacea (logging for instance is often subpar), they adapt to threats much faster than most enterprise managed offerings. The same ransomware phishing emails will continue to threaten enterprise managed email users for months.

(Northcutt): Same day service in a nanosecond world! According to Avanan, they first detected the attack at 6:44 AM June 22 UTC and blocking started at 11:34 AM UTC. Millions of people received the phishing emails. In the days to come we will have some idea of the size of the cleanup. Blessed are they that maintain frequent backups:


Read more in: SC Magazine: Microsoft Office 365 hit with massive Cerber ransomware attack, report


The Register: Ransomware scum target corporate Office 365 users in 0-day campaign


US Legislators Want to Know How DoD Will Respond to Critical Infrastructure Cyberattack (June 23, 2016)

The US House Armed Services Committee wants to know how the Department of Defense (DoD) would respond to a cyberattack against the country’s critical infrastructure, but DoD Acting Assistant Secretary for Homeland Defense and Global Security Thomas Atkin was not able to provide specific answers. Atkin did say that if requested, DoD would assist the Department of Homeland Security (DHS), which has jurisdiction over homeland attacks. Congress is also moving toward elevating US Cyber Command to a full combatant command.

[Editor Comments ]

(Assante): There are two main camps on this issue. One camp advocates for more clearly defined thresholds as a necessary element to establishing norms and supporting a policy of deterrence. (Let alone the operational practicalities of having a plan.) The other camp believes a more powerful tool is uncertainty and values flexibility allowing the context and specifics involved in an attack to drive a decision. There are merits to both approaches, but we should not miss the opportunity to establish norms and expectations as real world events come to light. The attack on Ukraine’s power system impacted the critical lifeline service of electricity during winter. The attacks were both disruptive and destructive, and it clearly targeted civilian infrastructure. We must ask ourselves, what lessons are being drawn?

(Murray): Regardless of the intent or capability of the DoD, the response to a “cyber attack against the country’s critical infrastructure” will be in the hands of those who manage and operate the infrastructure day to day.

Read more in: Federal News Radio: When should DoD respond to a cyberattack? No one really knows


DNC Attackers Also Targeted Clinton Campaign and Clinton Foundation (June 21, 22, and 27, 2016)

Earlier this month, researchers confirmed that attackers working on behalf of the Russian government infiltrated the US Democratic National Committee (DNC) network and stole information. Now there are reports that the same groups of attackers also breached the networks of the Hillary Clinton campaign and the Clinton Foundation.

Read more in: Washington Post: Cyber researchers confirm Russian government hack of Democratic National Committee


NBC News: Russian Hackers Believed to Have Breached Clinton Foundation Computers


Bloomberg: Clinton Foundation Said to Be Breached by Russian Hackers


DarkReading: Google Accounts Of US Military, Journalists Targeted By Russian Attack Group


Federal Progress in Cybersecurity Uneven (June 24, 2016)

Alan Paller speaks with Federal News Radio’s Tom Temin about cybersecurity preparedness in the US federal government. While most agencies currently have a broad and thin layer of cybersecurity, some – most notably the military and law enforcement – have learned that they need people with hands-on cybersecurity skills to meet the rapidly changing attack surface.

Read more in: Federal News Radio: Alan Paller: Federal progress in cybersecurity


*************************** SPONSORED LINKS *****************************

1) On-Demand Webcast: Key Findings from Symantec’s 2016 Internet Security Threat Report


2) Stop Ransomware Attacks Before They Start: Get the Latest Research on How Ransomware Arrives.


3) FREE eBook – Improve Network Security and Visibility with NetFlow!



Stolen Patient Records Offered for Sale (June 27, 2016)

A data thief has offered hundreds of thousands of healthcare records for sale on the Internet. Three health care organizations are also reportedly being asked for ransom. The attack was likely carried out through a vulnerability in the remote desktop protocol (RDP), which allows workers to access their work computers while away from the office.

[Editor Comments ]

(Williams): The key to this story was buried – it’s that the attacker claims to have discovered a remotely exploitable vulnerability in RDP. When possible RDP should not be directly exposed to the Internet without the protection of a VPN.

Read more in: Computerworld: Hacker selling 655,000 patient records from 3 hacked healthcare organizations


BBC: US Healthcare records offered for sale online


Microsoft Will Pay US $10,000 for Windows 10 Update That Damaged Machine (June 27, 2016)

Microsoft will pay a California woman US $10,000 after her computer was automatically updated to Windows 10 without her authorization. The update rendered the computer unusable. In February 2016, Microsoft included Windows 10 in its monthly update. Because it was classified as a “recommended update,” it automatically installed unless users deliberately blocked it.

Read more in: BBC: Payout of $10,000 for Windows 10 update


IRS Retires E-file PIN Application (June 26 and 27, 2016)

The US Internal Revenue Service (IRS) has discontinued its Electronic Filing PIN web application due to “questionable activity.” The IRS disclosed earlier this year that attackers had exploited weaknesses in the app to steal PINs, ostensibly to file fraudulent returns. Although the IRS reinforced security for the app, PINs were still being compromised, so the decision was made to retire the app.

[Editor Comments ]

(Ullrich): Fraudulent tax returns have been a preferred way to cash in on stolen PII for a while now. The IRS has a particularly challenging problem in having to authenticate users with whom it interacts only once a year. Traditional passwords will not work in this case. Social security numbers used to work as a form of “password”, but with pretty much every social security number being leaked over the last couple of years, they can no longer be used. It will be interesting to see if the new scheme of using information from prior year tax returns will work, or if the IRS has to change its business rules, which would likely lead to slower refunds.

Read more in: FCW: Another IRS tax tool bites the dust


The Hill: IRS under fire from hackers


The Register: IRS kills off PINs citing increasing suspicious activity


Computerworld: IRS kills electronic filing PIN feature due to repeated attacks


ZDNet: IRS dumps e-filing PIN security early – after yet more automated attacks


Traditional Security Not Working for Hospitals (June 24 and 27, 2016)

A study conducted by researchers at a trio of US universities (the University of Pennsylvania, Dartmouth University, and the University of Southern California) found that medical professionals at hospitals routinely take steps to bypass security measures on computers, medical devices, and keypad-protected rooms. While the workers are aware that they are not following best practices, the situation underscores the fact that the way security is currently implemented does not allow medical professionals to do their jobs in a timely manner.

[Editor Comments ]

(Pescatore): The report points out a mix of issues. Some reflect bad design of electronic health record systems that force caregivers to take risky actions just to get their job done. Most of the others are the traditional problems of high power users finding that security solutions cause too much “friction,” so they evade them. Too much of health care cybersecurity has been compliance driven, vs. building in (ironically) basic security hygiene.

(Ullrich): In my SANS classes, I often use a true story of an operating room nurse who couldn’t access a cabinet with restricted medication during a surgery after the authentication server went down. Availability trumps confidentiality and integrity if someone’s life is at risk, and “fail open” is a very sensible solution. Controls have to be designed very carefully in these environments. In addition, the access to medical data has to happen quickly and without friction in emergency situations. Traditional security is just not designed for these use cases.

(Williams): In my experience in healthcare environments, the devices most likely to be left logged in are those in critical care patient areas (ER, ICU, etc.). Recognizing this enabled creative protection strategies including enhanced monitoring for account misuse and limiting what internal resources could be accessed from these machines. The healthcare IT security problem is just an extension of threat modeling: understanding where your threats are most significant will enable better defensive strategies.

(Murray): HIPAA remains “in the ditch.” The law that was supposed to encourage the “portability” of patient data by ensuring security has had unintended and perverse consequences. In the name of not being “too prescriptive,” it asks healthcare providers to do something that they simply are not equipped to do, design security. Hospitals desperately need help in designing security that strikes an appropriate balance between effectiveness and convenience in their applications and environments.

(Paller): The help Murray calls for begins with prescriptive guidance that provides a minimum standard of due care. The Center for Internet Security Critical Controls provide just such a baseline. As automated tools emerge over the next few months that reliably measure compliance with the Critical Controls, they will slowly but inexorably raise security standards across hospitals and other key technology using organizations. Hospitals with highly experienced security architects on staff – not consultants – may consider adapting the Critical Controls to their unique needs – all others should implement the Critical Controls thoughtfully without adjustments.

Read more in: The Register: Medicos could be world’s best security bypassers, study finds


The Hill: Study slams hospitals for lax use of passwords


Chrome DRM Vulnerability Can be Exploited to Copy Streamed Movies (June 24 and 27, 2016)

A bug in the Widevine EME/CDM digital rights management (DRM) technology used by Google Chrome allows users to make illegal copies of movies from streaming services. Google was notified about the issue on May 24, but has not yet fixed the problem.

Read more in: Christian Science Monitor: Why pirates can easily steal movies from Chrome


Wired: A Bug in Chrome Makes It Easy to Pirate Movies


Ars Technica: Chrome DRM bug makes it easy to download streaming video


SMS Texts for Two-Factor Authentication? Think Again (June 26, 2016)

SMS messages for two-factor authentication are not as secure as they might seem. Rather than something users possess, SMS messages are something users are sent, which means they can be intercepted. Alternatives include authentication apps for smartphones or a physical token that generates one-time codes.

[Editor Comments ]

(Pescatore): The article points out that even SMS messages are way more secure than just relying on reusable passwords alone, and that the attacks against SMS messaging authentication approaches are difficult to carry out. Those attacks also don’t lend themselves to mass exploitation the way phishing attacks do against reusable passwords. Bottom line: if you have an opportunity to move your organization to some form of token or biometric for higher levels of authentication, definitely go for it. Don’t allow claims that “message 2FA solutions aren’t perfect” to be an excuse for doing nothing.

(Murray): The security professional who does not implement one-time-passwords because he “knows how to defeat them,” continues to tolerate reusable passwords that he also “knows how to defeat.” Perfect security is the enemy of the good and the excuse for the status quo. This report notwithstanding, there is nothing higher on the enterprise security agenda, no opportunity with a greater return, than the implementation of strong authentication. The real reason that one-time-passwords are not more widely used has more to do with inertia and sloth than security.

Read more in: Wired: So Hey You Should Stop Using Texts for Two-Factor Authentication


EU Will Vote on Revised Privacy Shield Draft Next Month (June 24 and 26, 2016)

A revised version of a data transfer agreement between the US and the European Union has been sent to EU member states for review. The Privacy Shield agreement has been drafted to replace the Safe Harbor arrangement that the EU struck down last fall over US surveillance concerns. The EU is expected to vote on the new Privacy Shield draft in early July.

Read more in: Reuters: EU, United States agree on changes to strengthen data transfer pact


The Hill: Draft of new US-EU data transfer deal sent to EU member states


Computerworld: The EU and U.S. reach data-transfer deal, report says


SC Magazine: Industry, privacy groups: EU and U.S. Privacy Shield changes unlikely to ease concerns


Lenovo Fixes Support Tool Flaws (June 24, 2016)

Lenovo has released patches for a pair of vulnerabilities in the Lenovo Solution Center (LSC), a support tool that comes preinstalled on laptops and desktops. The flaws could be exploited to take control of vulnerable machines and terminate processes. Users are advised to upgrade to LSC version 3.3.003.

[Editor Comments ]

(Williams): The Lenovo support tools vulnerabilities are just a small sample of vulnerabilities in poorly tested, manufacturer specific bloatware. These tools have no place on enterprise managed machines if they are not explicitly needed for operations. If the tools are required for operations, don’t assume that the manufacturer has adequately tested them for security – engage qualified testers to determine your exposure.

Read more in: Computerworld: Lenovo patches two high-severity flaws in PC support tool


Lenovo Advisory: LEN-7814 Lenovo Solution Center Arbitrary Process Termination or Code Execution by Unprivileged Local Users



“Bart” Ransomware

Swagger Vulnerability

“Enriched” Voter Database Leak

Recent Fake DDOS Threats by “Armada Collective”

CCTV Cameras Still A Major Threat



The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI’s critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation’s top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power’s CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, http://www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute’s top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute’s Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS’ efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit


Threat Intel

via SANS NewsBites http://ift.tt/28Uul1q

June 28, 2016 at 11:42AM

Russian APT Launched Massive Spear-Phishing Campaign Targeting Google Accounts


Dell’s SecureWorks Counter Threat Unit (CTU) detected a massive phishing campaign targeting the Google accounts of military personnel, government officials, journalists and political activists in the US, EU, Russia, and former Soviet states. The security vendor discovered the phishing campaign after….

Threat Intel

via CERT-EU : EMM AlertFilter System: CERT-LatestNews http://ift.tt/1gYYfLb

June 28, 2016 at 11:51AM

Retefe banking Trojan now targeting UK banking customers – SC Magazine

This makes it easy for the Retefe banker Trojan to steal important data and money,” Avast researchers pointed out. Banks have been warning their customers of this campaign but chances are that many users have been infected; their info stolen and

Threat Intel

via banking trojan http://ift.tt/1UImDER

June 28, 2016 at 12:03PM

C-Suite Execs Won’t Pay Ransom Attacks, Until They Get Hacked


How many businesses will pay a ransom if attacked? It might depend on if they have already been a victim of ransomware.

Threat Intel

via CERT-EU : EMM AlertFilter System: CERT-LatestNews http://ift.tt/1gYYfLb

June 28, 2016 at 12:21PM

Hacker Claims to be Selling 655,000 Patient Records from Three Hacked Hospitals, Media Reports Say


Heather Landi A hacker claims to have 655,000 patient records allegedly obtained by hacking into three separate healthcare databases and is selling those patient records on the dark web marketplace, according to a report originally published by news site DeepDotWeb.

Threat Intel

via CERT-EU : EMM AlertFilter System: CERT-LatestNews http://ift.tt/1gYYfLb

June 28, 2016 at 12:21PM

Attackers Wrapping New Tools In Old Malware To Target Medical Devices – Dark Reading

Hospital equipment running old operating systems providing safe harbor for data theft, TrapX says.

Medical devices running outdated operating systems like Windows XP and Windows 7 are giving attackers safe harbors within hospital networks for carrying out data theft in a nearly undetectable manner, a new report from TrapX Security warned this week.

The report is based on the security vendor’s analysis of data associated with an ongoing series of attacks against three healthcare institutions that are its customers. All of the attacks involve equipment running older, non-supported versions of Windows installed within the hospital networks.

The most significant takeaway from the analysis, according to TrapX, is the manner in which the attackers in each case intentionally repackaged and embedded sophisticated new malware tools in extremely old malware wrappers in an apparent bid to avoid detection.

One of the malware samples used in the attack, for instance, was a worm designed to take advantage of a remote code execution vulnerability in the Microsoft Server Service dating back to 2008. The attackers used this worm to compromise a radiation oncology system running Windows XP and a fluoroscopy workstation also running Windows XP in one of the hospitals. That access then allowed the attackers to install backdoors and botnet connections within the hospital network in order to exfiltrate data, though they could just as easily have caused significant damage to the equipment.

Since endpoints running newer Windows versions are not vulnerable to the threat, they either did not detect the malware or ignored it completely. “This ensured that the worm would go undetected while it sought out older Windows systems,” TrapX said in its report.

In another hospital, the attackers compromised a Windows XP-based MRI system and installed a Remote Access Trojan on the device using malware tools packaged inside an out-of-date wrapper for network32.kido.ib. The malware sample is ignored by patched Windows 7 and Windows 8 platforms and newer operating systems and therefore managed to evade detection, the security vendor said.

According to TrapX, its analysis showed clear evidence that attackers are intentionally packaging their tools so as to target medical equipment running Windows XP, Windows 7 and other older operating systems.

“The most interesting approach we discovered was the utilization of self-spreading malware that use old exploits that would compromise medical devices only,” says Moshe Ben-Simon, co-founder and vice president of services at TrapX.

Medical devices provide a tempting target for attackers because many of them run old, no-longer-supported operating systems. So long as the equipment works as intended, hospitals are often reluctant to update the operating systems on these devices, Ben-Simon says.

“Also, they are closed turnkey systems and hospitals are generally not allowed to install cyber defense software on them because of legal and risk issues.” Unlike typical desktop systems, medical devices do not get updated often, and some equipment can remain in place for years after its operating system has become obsolete. As a result, the corrections and fixes that are available on newer operating systems are not present in these medical devices, making them vulnerable to attack, Ben-Simon says.

Even when an organization makes the effort to keep their systems patched, all it takes for an attacker to break into them is to repackage the malware slightly using easily available tools.

“Once a backdoor is established in one machine, they can move into other machines under the control of the human attacker,” Ben-Simon says. “These medical devices create a huge series of safe harbors within the hospital network, not easily detected, and very difficult to remediate and remove.”

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Threat Intel

via malware – Google News http://ift.tt/1VWoSr6

June 28, 2016 at 12:27PM

Vulnerability Spotlight: LibreOffice RTF Vulnerability


Vulnerability discovered by Aleksandar Nikolic of Cisco Talos.

Talos is disclosing the presence of CVE-2016-4324 / , a Use After Free vulnerability within the RTF parser of LibreOffice. The vulnerability lies in the parsing of documents containing both stylesheet and superscript tokens. A specially crafted RTF document containing both a stylesheet and superscript element causes LibreOffice to access an invalid pointer referencing previously used memory on the heap. By carefully manipulating the contents of the heap, this vulnerability can be used to execute arbitrary code. This vulnerability requires user interaction to open the file.

Rich Text Format (RTF) was designed as a cross-platform format for interchanging documents. Although the format standard has not evolved since 2008, the format remains widely supported by word processing suites. Attackers have previously exploited RTF parser vulnerabilities in MS Office, and used RTF files as a vector for embedding other malicious objects. Exploiting vulnerabilities such as these requires the user to interact with and open the file in order to trigger the attack. Raising awareness of the existence of vulnerabilities such as these with users can help in reminding people not to open unexpected or suspicious emails or files. Currently, we have no evidence to suggest that this vulnerability is being exploited in the wild. We recommend that administrators upgrade systems to the latest version of LibreOffice to remove the vulnerability.

Snort rules: 39148, 39149

Threat Intel

via Talos Blog http://ift.tt/1X0Zw9r

June 28, 2016 at 01:09PM