Weekly Threat Report - 27th July 2018
Report's are drawn from recent open source reporting, see the latest report here:
Singapore health system attacked - 1.5m records stolen
Singapore's Ministry of Health and Ministry of Communications and Information have reported that 1.5 million personal data records, about a quarter of the country’s population, were stolen in a recent breach. The data included names, national identity card numbers, addresses, gender, race and dates of birth, with 160,000 of these also containing the records of dispensed medicines.
The Cyber Security Agency of Singapore (CSA) said the attack was "deliberate, targeted and well-planned". They determined that attackers accessed the network by breaching a front-end workstation, managing to get privileged access to the database over time. Records were then downloaded between 27th June and 4th July and transferred to servers overseas. Victims included several Singaporean ministers, including Prime Minister Lee Hsien Loong.
This latest incident adds to a trend of healthcare breaches where personal data was targeted. The Norwegian health sector suffered a comparable breach in January this year which exposed personal data of three million patients. The sector is a ripe target for malicious actors due to the aggregation of large amounts of personal data often containing identifiable information which may be used for identity theft or for further targeted attacks.
A variety of threat actors are highly likely to continue targeting the healthcare sector. This will be intensified as technology becomes more ingrained into core healthcare systems, increasing the threat surface for attacks that steal data and disrupt services.
The threat from Emotet dropper malware
The US Department of Homeland Security has warned of the threat to network systems from Emotet. Emotet is an advanced banking trojan that primarily functions as a downloader or dropper of other banking trojans. It is disseminated through malicious attachments or links in email, which often appear as quite convincing invoices, receipts and shipping notices using branding familiar to the recipient. Emotet has worm-like features that result in rapidly spreading network-wide infections; it can evade typical signature-based detection, is Virtual Machine aware and has several methods for maintaining persistence on a network. The US alert reports that Emotet infections on local government systems have cost up to $1 million per incident to remediate.
Cyber security companies have reported that Emotet has been used to deliver a variety of second-stage malware payloads such as the banking trojans Dridex and Trickbot, spambot malware and ransomware. Palo Alto Networks report that the Emotet and Trickbot combination is particularly potent as it combines the mass distribution properties of Emotet with the network lateral movement capabilities of Trickbot. A Trend Micro report from 2017 showed the UK as the next most targeted country after the US followed by Canada, Mexico and Germany.
Those organisations with good spam filtering, who only give administrator rights when appropriate and with proper system administration and up-to-date Windows hosts, are at a lower risk of infection.