Weekly Threat Report - 4th May 2018
Report's are drawn from recent open source reporting, see the latest report here:.
'Orangeworm' Group Targeting Healthcare Industry
Symantec have reported that a group they have tracked as ‘Orangeworm’ since 2015 are targeting the healthcare industry in the United States, Asia and Europe, including the UK.
40% of their attacks focus on the healthcare industry. Other industries targeted are either closely related to healthcare or part of the supply chain, including IT, manufacturing, logistics and agriculture. It is likely that the supply chain has been deliberately targeted to gain access to their customers’ environments.
After gaining access to the target environment the group deploy a custom malware trojan, allowing attackers to remotely access the compromised device. The malware collects information about the computer to determine if it may be of interest, before "aggressively" copying itself to other systems with open network shares.
The trojan uses an older propagation method that mainly works on older operating systems, and the health sector is known to use legacy systems on older platforms. It has been discovered on devices hosting software used for high-tech imaging devices such as MRI and X-rays, as well as devices used to complete consent forms.
The group's exact motives are unclear. However, it is likely that they are interested in obtaining personal or proprietary information, possibly for identity theft, extortion or corporate espionage.
In the UK, the Department of Health and Social Care recently announced a funding package to improve their cyber security capabilities. The package of measures includes ensuring that all UK health and care organisations are using the latest Windows 10 software with up-to-date security settings.
The implementation of this upgrade and other basic hygiene measures should prevent malware, like the Kwampirs trojan, from exploiting NHS legacy vulnerabilities.
Organisations concerned about this type of activity should read the NCSC’s guidance on malware protection and supply chain security.
DCMS Cyber Security Breaches Survey 2018
The latest Department for Digital, Culture, Media and Sport Cyber Security Breaches Survey has shown that more businesses are now adopting the NCSC’s Cyber Essentials scheme.
The scheme enables organisations to be certified independently for having met a good-practice standard in cyber security and demonstrates to clients (or prospective clients) that you take the protection of their data seriously.
The survey reports a rising proportions of medium and large businesses who have achieved the standard - from 4% to 13% of medium businesses and from 10% to 25% of large businesses.
In absolute terms the numbers being certified independently are still quite low, but the survey's findings show that half of all businesses surveyed (51%) have implemented all of the technical controls under Cyber Essentials, an encouraging sign that the key message of more effective cyber security is reaching business. However, the report states that many organisations, particularly smaller ones, may not be aware that they can gain certification for existing cyber security measures.
The survey also highlights that the NCSC’s 10 Steps to Cyber Security, a risk management regime to manage cyber security, has also been successful. Across all businesses, 55% have acted on five or more of the steps. This rises to 94% of large businesses. It also shows that among large charities with an income of £500k per year 85% have implemented five or more of the steps. Micro firms have shown the biggest improvement from 38% in 2016 to 49% in 2018.
One key message from the report was the lack of training and staff awareness of cyber security. The report noted that only 20% of businesses and 15% of charities had given their staff any training over the last year. Organisations report that potentially the most disruptive attacks have been flagged up by staff, rather than security measures. This underlines how critical staff awareness and training are in this area, and the 10 Steps guidance has a section on this subject.
The NCSC has also produced cyber security guides for small businesses and charities that can significantly reduce an organisation's chances of becoming a victim of cyber crime.
Operation Power OFF
Last week, the National Crime Agency led a successful joint operation with Dutch Police and other international law enforcement authorities to take down a website advertising Distributed Denial of Service (DDoS) services.
Operation Power OFF saw six suspects arrested for their involvement with the website 'webstresser.org' and a separate suspect arrested for their suspected involvement in a series of DDoS attacks against the UK finance sector in late 2017.
Webstresser.org sold the services of a stresser tool that could deliver DDoS attacks. It could be hired to target websites, overwhelm their capability and take them offline, causing widespread disruption to businesses. These services were sold for $14.99 yet could cause hundreds of thousands of pounds worth of damage.
This is an excellent example of public and private collaboration to combat cyber crime. With industry engaging with local law enforcement and government agencies and then with international authorities, this cross-border crime can no longer be seen as offering the anonymity it was once believed to hold.
Anyone who suspects they personally or their business has been the victim of fraud or a cyber crime should report it in the first instance to Action Fraud.
The NCSC have published DDoS guidance including advice on readying your defences to deal with a DDoS attack and how to mitigate against one.
MANRS maketh the network…
Early last week malicious actors redirected a portion of internet traffic flowing across Amazon Web Services (AWS) for approximately two hours before stealing around $150,000 in cryptocurrency from MyEtherWallet.com virtual wallets.
The attack used a hacking technique where internet traffic is intercepted from a legitimate website and redirected to a fake website (in this case one for MyEtherWallet.com). This allowed the attackers to steal customers' legitimate logon details in order to empty their cryptocurrency wallets.
The attack hijacked the Border Gateway Protocol (BGP), a key protocol used for routing internet traffic around the world. The security of the internet as a whole depends on routing security. However, security was never built into BGP, which is decades old.
The incident occurred just a day after the non-profit Internet Society (ISOC) announced its Mutually Agreed Norms for Routing Security (MANRS) initiative. They recommend that MANRS should be adopted by internet exchange points (IXPs) and Internet Service Providers (ISPs) who control international internet connectivity.
The widespread implementation of MANRS by IXPs and CPS would eliminate the most common routing threat to internet traffic and would have almost certainly prevented MyEtherWallet.com and its customers from suffering the consequences of this BGP hijacking.
According to ISOC, in 2017 alone there were 14,000 routing outages or incidents which led to stolen data, lost revenue, reputational damage and more. ISOC claims that MANRS will address these threats through technical and collaborative action across the internet.
More information can be found on the MANRS website.