HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Serious Concerns

Each year, HIMSS carries out a survey to collect information about safety experiences and cybersecurity practices at healthcare companies. The survey provides insights into the situation of cybersecurity in healthcare and identifies attack tendencies and common security gaps.

Continue reading “HIMSS Cybersecurity Survey: Phishing and Legacy Systems Raise Serious Concerns”

Phishing Campaign Leverages Google Translate to Steal Google and Facebook Credentials

A phishing campaign has been spotted that misuses Google Translate to make the phishing webpage seem to be an official login page for Google.

The phishing emails in the campaign are similar to several other campaigns that have been run in the past. The messages have the subject “Security Alert” with a message body almost identical to the messages sent by Google when a user’s Google account has been accessed from an unknown device or place.  The messages contain the Google logo and the text, “A user has just signed in to your Google Account from a new Windows appliance. We are transmitting you this electronic mail to confirm that it is you.”

Below the text is a clickable button with the text “Consult the activity.” Clicking the link will direct the user to a website that has a spoofed Google login box. If identifications are entered, they will be sent to the scammer.  

The electronic mails are sent from a Hotmail account – facebook_secur@hotmail.com – which is the first warning sign that the electronic mail notification is a fraud. On desktop browsers, the URL that users are directed to is obviously not official. A further indication that this is a fraud.

Nevertheless, the scam will not be so clear to any user on a mobile appliance. If the button in the electronic mail is clicked, the user will be directed to a phishing webpage that is served through Google Translate. The visible part of the URL in the address bar begins with translate.googleusercontent.com/translate, which makes the URL seem genuine. The use of Google Translate may be adequate to see the electronic mails bypass mobile safety defenses and the evidently official Google domain is likely to fool a lot of users into thinking the webpage is genuine.

If the user enters their Google identifications in the login box, an electronic mail is generated which transmits the identifications to the attacker. The user is then redirected to a bogus Facebook login page where the attackers also try to get the user’s Facebook login identifications.

The second attempt to phish for login identifications is easier to identify as fake as an old login box for Facebook is used. However, but at that point, the user’s Google account will already have been compromised.

The scam was recognized by Larry Cashdollar at Akamai.

IDenticard PremiSys Access Control System Vulnerabilities Found

ICS-CERT has issued a warning in relation to three high severity weaknesses in the IDenticard PremiSys access control system. All varieties of PremiSys software before version 4.1 are affected by the flaws.

If the weaknesses are effectively targeted it might result in full access being obtained to the system with administrative rights, theft of confidential information included in backups, and access being gained to details. The weaknesses might be targeted from a distant place and require a low level of expertise to abuse. Details of the weaknesses have been publicly disclosed.

The maximum severity weakness CVE-2019-3906 is related to hard-coded identifications which allow complete admin access to the PremiSys WCF Service endpoint. If properly exploited the hacker could gain complete access to the system with administrative rights. The weakness has been given a CVSS v3 base score of 8.8.

User identifications and other confidential data saved in the system are encrypted; nevertheless, a weak method of encryption has been applied which could probably be cracked resulting in the disclosure and theft of information. The weakness (CVE-2019-3907) has been given a CVSS v3 base score of 7.5.

Backup files are saved by the system as encrypted zip files; nevertheless, the password needed to unlock the standbys is hard-coded and cannot be altered. There is a chance a hacker could get access to the backup files and view/steal information. The weakness (CVE-2019-3908) has been given a CVSS v3 base score of 7.5.

Tenable’s Jimi Sebree identified and reported the faults.

IDenticard has tackled the hard-coded identifications weakness (CVE-2019-3906). Users must run an update to bring the software up to date with type 4.1 to tackle the weakness. IDenticard is presently developing a solution for the other two faults. A software update tackling those weaknesses is due to be released in February 2019.

As a temporary measure mitigation, NCCIC advises limiting and checking access to Port 9003/TCP, placing the system behind a firewall and making sure the access control system can’t be logged onto the Internet. If distant access is possible, secure methods must be used for access, including an up-to-date VPN.

Latest Speedup Linux Backdoor Trojan Used in Widespread Attacks

Safety researchers at Check Point have recognized a new Trojan called Speedup which is being utilized in targeted attacks on Linux servers. The Speedup Linux backdoor Trojan can also be utilized to attack Mac appliances.

The Trojan is installed through abuses of weaknesses via six Linux distributions, including the recently identified ThinkPHP vulnerability, CVE-2018-20062.

The present campaign is targeting Linux appliances in the Philippines, China, India, and Latin America. The Trojan was first noticed in late December, but infections have risen substantially since January 22, 2019. Although the malware is now being acknowledged by numerous AV engines, at the time of analysis, the malware was not being noticed as malevolent.

As soon as fitted, the malware communicates with its C2 server and records the sufferer’s machine. The malware tries to spread laterally within the infected subnet through a variety of RCE weaknesses including CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, the Hadoop YARN Resource Manager command implementation fault, and a JBoss AS 3/4/5/6 RCE weakness.

A Python script is included which checks for additional Linux servers within both internal and external subnets. Access is gained via brute force implies using a pre-defined list of usernames/passwords. Perseverance is achieved through cron and an internal mutex which makes sure only one occurrence remains active at any one time.

The Speedup Linux backdoor Trojan constantly communicates with its C2 and copies and runs a variety of different files, including an XMRig miner. The Trojan, under its C2 control, can run arbitrary code, download and execute files, stop running procedures on an infected host, uninstall programs, and update connected files.

Check Point scientists have attributed the Speakup Linux backdoor Trojan to a danger actor known as Zettabithf.

The complicated nature of the malware indicates it is likely that the objective of the attacker is not just to install cryptocurrency miners. When infected, any number of different malware payloads can be installed. Check Point proposes that more intrusive and aggressive campaigns are likely to be introduced.

Xvideos Sextortion Scam Threatens to Disclose Porn Viewing Habits

An xvideos sextortion cheat threatens to uncover users’ porn viewing habits to friends, family, and work partners.

The scammer announces to have recorded the user through the webcam while they viewed matter on the xvideos adult website. The electronic mail is made more credible by the addition of the user’s password in the message body.

The scammer announces to have gained access to the electronic mail receiver’s computer and installed a keylogger. The malware permitted information to be obtained from the appliance, including the websites that the user has visited. Moreover, the malware permitted access to be gained to the computer’s microphone and webcam.

The scammer announces to have recorded audio and video footage while the user visited the common adult website, xvideos. That footage was utilized to create a “double screen video” with one half of the screen displaying the webcam footage while the other displays the adult matter that was being seen at the time.

The user is told that the malware fitted on the computer permitted contacts to be harvested from Facebook, Messenger, and the user’s electronic mail account. The user is advised to make a payment of $969 in Bitcoin to avoid the video from being emailed to every contact.

The scammer proposes that proof that the video is actual can be obtained; however, requesting proof will see the video transmitted to 6 of the user’s contacts.

The Bitcoin address supplied in the electronic mail demonstrates that 11 people have made payments totaling 0.959 Bitcoin – Around $3,272 – therefore it is obvious that some people either trust the danger is actual or they are not wishing to take a chance.

These cheats are easy to create and only require a list of electronic mail addresses and passwords, which can be easily bought on underground markets and forums. The passwords used in the electronic mails are actual and come from earlier data breaks.

The passwords might be old, but they will no doubt be identified. Users who don’t practice good password hygiene might find their present password is supplied, adding to the realism of the cheat. These kinds of sextortion cheats are becoming progressively common. They are also extremely effective. A similar cheat was recognized in December which also used old passwords and had similar threats. The Bitcoin wallet used in that cheat showed over $50,000 in payments were made in a week.

Latest Cybersecurity Framework for Medical Devices Issued by HSCC

The Healthcare and Public Health Sector Coordinating Council (HSCC) has issued the latest cybersecurity framework for medical devices. Medical device sellers, healthcare suppliers, and other healthcare industry stakeholders that implement the voluntary framework will be able to improve the safety of medical appliances throughout their lifecycle.

The HSCC is a union of private sector crucial healthcare infrastructure units that have associated with the government to find and mitigate dangers and exposures facing the healthcare sector. The group includes over 200 healthcare industry and government companies. Collectively they work on developing strategies to tackle present and evolving cybersecurity challenges encountered by the healthcare sector.

Over 80 companies contributed to the growth of the Medical Appliance and Health IT Joint Security Plan (JSP), which builds on commendations made by the Healthcare Industry Cybersecurity Task Force founded by the Division of Health and Human Services after the passing of the Cybersecurity Information Sharing Law of 2015.

“It is vital for medical device producers and health IT sellers to take into account the JSP’s voluntary framework and its related plans and templates all through the lifecycle of medical devices and health IT as doing so is expected to lead to better security and therefore better products for patients,” clarified HSCC.

Cybersecurity controls can be tough to incorporate into existing procedures. Companies often fail to know how vital safety controls are, and when considering how to increase cybersecurity many don’t know where to begin or have inadequate resources to dedicate to the job. The framework assists by providing direction on how to create a safety policy and procedures that ally with and integrate into present procedures.

HSCC is urging companies to commit to applying the JSP as it is thought that by doing so patient security will be enhanced.

The JSP can be adopted by companies of all sizes and stages of maturity and assists them to increase cybersecurity of medical devices by tackling main challenges. A lot of big producers have already generated similar cybersecurity programs to the JSP, therefore it is likely to be of most use for small to medium-sized firms that lack consciousness of the steps to take to improve cybersecurity and those with fewer resources to dedicate to cybersecurity.

The JSP uses safety by design rules and identifies shared responsibilities between industry stakeholders to synchronize safety standards, risk assessment methods, reporting of weaknesses, and improve information sharing between appliance producers and healthcare suppliers. The JSP covers the whole lifecycle of medical appliances, from development to deployment, management, and end of life. The JSP contains numerous recommendations including the inclusion of cybersecurity measures during the design and development of medical appliances, handling product complaints linked to cybersecurity events, alleviation of post-market weaknesses, managing safety risk, and decommissioning appliances at end of life.

The Medical Appliance and Health IT Joint Security Plan can be downloaded on this link.

Apple IOS Vulnerability Allows Hackers to Spy on FaceTime Calls

A severe Apple IOS vulnerability has been noticed that lets people to gain access to both the microphone and the front-facing camera on Apple appliances by manipulating a fault in FaceTime. Further, the fault even lets microphone/camera access if the call is not replied. The fault has prompted several safety experts to advise Apple device proprietors to stop using FaceTime until the fault is rectified.

To manipulate the fault, a user would require to use FaceTime to call another individual with an iOS appliance. Before the call is replied, the users would need to add themselves as additional contacts to Group FaceTime. As soon as that has occurred, the persons being called would have their microphones turned on and the callers could listen to what is occurring in the room, even when the call is not replied.

If the individual being called was to silent the call (by pressing the power button) the front-facing camera would also be triggered, providing the caller video footage and audio.

Safety specialists have cautioned that it does not matter whether the call is replied, just by calling a person it is possible to listen to what is occurring in the room and see everything in the camera’s field of view. Although this might prove distressing for some FaceTime users, it might also result in serious harm. Compromising footage might be recorded and utilized for extortion.

Several cases of this happening have been posted on social media networks and it is obvious that this Apple IOS vulnerability is being actively abused. Apple is conscious of the problem and has announced that a solution will be issued later this week. Until such time, Apple appliance owners have been instructed to inactivate FaceTime through appliance settings. If FaceTime is inactivated, the vulnerability cannot be abused.

0Patch Micropatches Issued to Respond to 3 Zero-Day Windows Bug

0Patch has issued a micropatch to tackle three zero-day Windows bugs that have yet to be tackled by Microsoft, including a zero-day distant code execution vulnerability in the Windows Contacts app.

The 0Patch platform allows micropatches to be swiftly dispersed, applied, and unconcerned to/from running procedures without having to restart computers or even restart procedures. The platform is still in beta, even though checking and fine-tuning is nearly at an end. 0Patch has already issued several micropatches to tackle zero-day weaknesses in Microsoft products to assist companies temporarily alleviate vulnerabilities until a complete patch is issued.

The latest round of repairs tackles three lately found vulnerabilities in Microsoft products.

The first patch tackles a fault named AngryPolarBear which was identified by safety researcher SandboxEscaper who circulated a proof-of-concept exploit for the vulnerability in December. Although the vulnerability doesn’t allow distant code execution, an attacker might leverage the weakness to overwrite main system files, which might be utilized in DoS attacks.

The vulnerability lets a local unprivileged procedure to get a selected system file on a weak appliance overwritten in the context of a Windows Error Reporting XML file. The PoC lets the XML file to be substituted with a hard link to the selected target. An attacker will not have much influence over the matter of the XML file but might abuse the fault to corrupt the vital system file pci.sys, and thus avoid the system from booting. The patch halts the XML file from being erased.

The second patch also tackles another vulnerability identified by SandboxEscaper, which has been named readfile. A PoC exploit was also distributed in December. This vulnerability is present in the Windows Installer and might let an attacker get confidential information. The vulnerability can be abused by an unprivileged procedure and lets random files to be read – in the case of the PoC, the desktop.ini file.

The third patch tackles a vulnerability in the Windows Contacts app which, if abused, might result in distant code execution on a vulnerable appliance. The vulnerability fault was identified by ZDI researcher John Page who submitted the fault to Microsoft, which surpassed the 90-day window for delivering a repair. Microsoft has announced that it will not be delivering a repair to rectify the fault, so while micropatches are envisioned to be provisional repairs, this one is likely to be perpetual.

The vulnerability is present in the way that .Contact and .VCF contact information is saved and processed on Windows Vista to Windows 10 OSes. The vulnerability lets the formation of a contact file that has a malevolent payload in a sub-directory, which will be run when the user clicks the link in the contact file.

The Micropatches are supplied via the 0Patch platform which can be fitted free of cost. The Micropatches have been developed for Windows 10 and Windows 7 (for the second two vulnerabilities). Support at 0Patch must be contacted for patches for other susceptible Windows types.

Cryptocurrency Mining Malware Tops Most Wanted Malware List

Check Point’s Most Wanted Malware report for December 2018 demonstrates that cryptocurrency mining malware was the principal malware danger in December. The top four malware dangers in December 2018 were all cryptocurrency miners.

Continue reading “Cryptocurrency Mining Malware Tops Most Wanted Malware List”

North Carolina State AG Suggests Stricter Data Breach Notification Laws

North Caroline Attorney General Josh Stein and state agent Jason Saine have presented a bill to modernize data breach notification rules in the state and increase safeguards for state inhabitants after an increase in data breaches affecting North Carolina inhabitants were recorded all through 2017.

Continue reading “North Carolina State AG Suggests Stricter Data Breach Notification Laws”

773 Million Electronic mail Addresses and 21 Million Unique Passwords Listed for Sale

A huge collection of login identifications that contains roughly 773 million electronic mail addresses has been uncovered by safety researcher Troy Hunt. Hunt is an Australian Microsoft Regional Director and keeps the Have I Been Pwned (HIBP) website, where people can test to see whether their login identifications have been thieved in a data breach.

Continue reading “773 Million Electronic mail Addresses and 21 Million Unique Passwords Listed for Sale”

Importance of Safety Awareness Training Emphasized by Censuswide Study on Phishing Danger

A fresh study by the consultancy company Censuswide has exposed the extent to which workers are being deceived by phishing electronic mails and how in spite of the danger of a data breaches and regulatory penalties, many companies are not providing safety awareness training to their workforce.

Continue reading “Importance of Safety Awareness Training Emphasized by Censuswide Study on Phishing Danger”

NIST Issues Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity

The National Institute of Standards and Technology’s National Cybersecurity Center of Excellence (NCCoE) has issued a draft paper covering the secrecy and safety dangers of telehealth and distant checking appliances together with best practices for safeguarding the telehealth and distant checking ecosystem.

Continue reading “NIST Issues Draft Paper on Telehealth and Remote Monitoring Device Cybersecurity”

Adobe Patches Actively Abused 0-Day Vulnerability in Flash Player

On Wednesday, December 5, 2018, Adobe released an update to rectify a vulnerability in Adobe Flash Player that is being leveraged by a threat group in targeted attacks in Russia. The threat group has previously attacked a healthcare service in Russia that is used by senior civil servants.

Continue reading “Adobe Patches Actively Abused 0-Day Vulnerability in Flash Player”

Why a Cloud Management Solution Must be Your Toolset-for-the-Cloud

It’s quite suitable that the words “tool” and “solution” are often used interchangeably in the field of cloud computing, since it’s possible to make an analogical assessment between the different kinds of tackles you keep in your workshop and how best to utilize a cloud management solution.

Think of the tackles you keep in your workshop. There are some that are task-specific, others that have twin purposes, and after that those that are multi-functional. Cloud management solutions are a tad like that. There are some suitable for tightening a screw, others suitable for knocking in or pulling out a nail, and after that those that perform everything – the Swiss army knife of cloud management solutions if you like.

You do not always require a multi-functional device for every workshop job, but it is tough to complete most jobs without using a variety of tackles. In the same way, you might finish one job this weekend using one set of tackles, and next weekend have one more job that needs a different sets of tackles. Cloud computing is a tad like that too, so it is handy to have a complete variety of cloud management tackles at your disposal.

Gathering a “Toolset-for-the-Cloud”

How you collect your “toolset-for-the-cloud” can make a difference to how efficiently you administer your cloud setting. If you use different sets of tackles, you might find the methods in which data are measured doesn’t connect – making it tough to evaluate performance and optimize expenses. It can be even tougher to identify tendencies, find inefficiencies and identify safety concerns.

If you take this situation and spread it into an enterprise setting in which every division is working towards a common objective, but using its own toolset to accomplish it, the probable results will be chaotic because of data being measured in several ways. A lack of clarity will make it tough to make main business decisions with assurance or understand what occurred when things go wrong.

This is why, when an organization is gathering a “toolset-for-the-cloud”, the cloud management solution selected has to contain a common set of abilities that measures data regularly, yet is adequately flexible to satisfy the requirements of every division. It will possibly be the case that some divisions do not require every capability of the cloud administration solution, but it is vital the capabilities they do use connect with the capabilities being utilized by other divisions.

Taking the Holistic View of Cloud Management

At enterprise level, a weekend workshop job is more like constructing a home than putting up a shelf, therefore you have to take a complete view to get the job completed. Not just do you require to know what tackles you need, but also what things you need and how they work together. Using the same correspondence, each division in the organization might be said to represent a different trade (carpenters, plumbers, electricians, etc.).

Even though a carpenter does not require precisely the same toolset as a plumber or an electrician, it is important all the tackles are present so the job can get completed. It is also crucial the tackles are compatible, and that the carpenter, the plumber, and the electrician are working towards the same mutual objective using the same plan. The result of not taking a complete view is that your home may fall down. It is crucial there is precision of the development being made so that main decisions can be made with assurance and any problems that arise can be settled with the minimum of interruption. In terms of cloud management, the same rules apply. You (the project manager) must have complete visibility over your assets to know how they work collectively and govern your environment efficiently.

California Wildfire-Themed BEC Attack Identified

It’s usual for phishers to use natural catastrophes as a lure to get ‘donations’ to line their pouches instead of helping the sufferers and the California wildfires are no exception. A lot of people have lost their lives in the fires and the death toll is likely to increase further as hundreds of people are still unaccounted for.

Entire towns such as Paradise have been completely devastated by the wildfires and hundreds of people have lost their homes. Numerous are suffering, have nowhere to reside, and have lost everything. As expected many people desire to donate money to assist the sufferers rebuild their lives. The attackers are using the sympathy of others to deceive companies.

A California wildfire phishing cheat was recently noticed by Agari that tries to capitalize on the tragedy. Nevertheless, contrary to several similar phishing campaigns that depend on huge volumes of electronic mails, this campaign is much more targeted.

The scammer is carrying out a business electronic mail compromise attack using the electronic mail account – or a deceived account – of the CEO of a firm. The first phase of the scam involves a rapid electronic mail to a worker questioning if they are available to assist. When a response is received, a second electronic mail is sent asking the worker to make a purchase of 4 Google Play gift cards, each of $500.

The CEO asks if there is a local store where the cards can be bought and asks the worker to make the purchase ASAP and to scratch off the reverse side, get the codes, and email them back. The electronic mail claims the CEO requires the cards to send to customers who have been caught up in the wildfires to provide help.

While the selected method of sending help is doubtful, to say the least, and the electronic mails have grammatical and spelling mistakes, the use of the CEO’s electronic mail account may persuade workers to go ahead as ordered. These cheats work because workers do not want to ask their CEO and desire to reply swiftly. Even though a request may be strange, the reasoning behind the request seems perfectly genuine.

Although this might seem like an obvious fraud, at least worthy of a call or text to the CEO to confirm its validity, some workers will no doubt not question the request. Each one that does as trained will cost the company $2,000.

This kind of cheat is common. They are often associated with wire transfer requests. In the rush to reply to the CEO’s request, a transfer is made, which might be for tens of thousands of dollars. The worker replies to the message through electronic mail saying the transfer has been made, the scammer erases the electronic mail, and the fake transfer is often not detected until after the scammer has used money mules to withdraw the money from the account.

Access to the CEO’s electronic mail account can be obtained in several ways, even though a spear phishing attack is common. Spam filtering solutions can assist to decrease the possibility for the first attack to take place and two-factor verification controls can avoid account access if identifications are stolen.

Staff training is vital to increase awareness of the danger of BEC attacks. Policies must also be applied that need all transfer requests sent through electronic mail, and any out-of-bounds requests, to be confirmed over the phone or through a text before a transfer is made.

Increase in Phishing Emails Using .Com File Extensions

The anti-phishing solution supplier Cofense, formerly PhishMe, has informed a noticeable rise in phishing campaigns utilizing files with the .com extension. The .com extension is utilized for text files with executable bytecode. The code can be performed on Microsoft NT-kernel-based and DOS operating systems.

The campaigns recognized through Cofense Intelligence are mainly being transmitted to financial facility divisions and are utilized to download a range of malevolent payloads including the Loki Bot, Pony, and AZORult information stealers and the Hawkeye keylogger.

Some of the electronic mails in the campaigns clarify the user must open a .iso file attached to the electronic mail to see information linked to the electronic mail notification. The .iso file contains the .com executable. One such electronic mail announced to be from a firm that had received payment, however, had no outstanding bills. The electronic mail requested the receiver check the payment with the finance division to decide if a mistake had been made. The attachment seemed to be a credit notification from the bank.

The subject lines utilized in the phishing campaigns are different and include shipping information notices, price requests, remittance advice, bank information, and bills, even though the two most usual subjects contained a reference to ‘payment’ or a ‘purchase order’.

The payment themed electronic mails were utilized with the AzoRult information stealer and the purchase order subject lines were utilized with Loki Bot and Hawkeye.

Most of the campaigns utilized the .com file as an electronic mail attachment, even though some variations utilized an intermediate dropper and downloaded the .com file through a malevolent macro or exploit. The latter is becoming more usual as IT safety teams are prepared to the direct delivery method. Most of the malware variations used in these campaigns interconnected with domains hosted on Cloudflare. Nevertheless, Cofense notes that the actual C2 is not hosted on Cloudflare. Cloudflare is utilized as a domain front as Cloudflare is often entrusted by companies and is for that reason less likely to arouse doubt.

Cofense expects there will be an increase in the use of .com attachments in phishing campaigns and suggests companies to include the file extension in their anti-phishing training programs and phishing electronic mail simulations to main users when attacks happen.