Monthly Archives: June 2016

Hacker selling 655,000 patient records from 3 hacked healthcare organizations

A hacker is reportedly trying to sell more than half a million patient records, obtained from exploiting RDP, on a dark web marketplace.

A hacker going by “thedarkoverlord” is reportedly selling 655,000 patient records on a dark web marketplace; he claims to have three separate healthcare databases which include patients’ full names, Social Security numbers, dates of birth, addresses and more – data that could be used for identity theft and fraud.

The hacker claims to have exploited Remote Desktop Protocol (RDP) at three healthcare organizations in order to steal the databases. Thedarkoverlord told DeepDotWeb that “it is a very particular bug. The conditions have to be very precise for it.”

He also provided screenshots taken on June 13 as proof of the intrusions, showing the extent of the sensitive patient information in the records. The databases contain Social Security numbers, patients’ full names, race and gender, addresses, dates of birth, phone numbers, insurance information and email addresses. That is more than enough for a criminal to impersonate a victim and open a line of credit or take out a loan in their name.

The databases being advertised on TheRealDeal marketplace allegedly include 48,000 patient records from a healthcare organization in Farmington, Missouri, another 210,000 records from Central/Midwest US, and 397,000 healthcare records from Georgia.

Although “thedarkoverlord” is offering “to sell a unique one-off copy of each of the three databases,” the hacker told Motherboard that he has already sold $100,000 worth of records from the Georgia organization. “Someone wanted to buy all the Blue Cross Blue Shield Insurance records specifically.”


The asking price for the full healthcare database with nearly 400,000 records from Georgia is 607.84 bitcoins, at the time of writing about $389,390. The hacker described it as “a very large database in plaintext from a healthcare organization in the state of Georgia. It was retrieved from an accessible internal network using readily available plaintext usernames and passwords.”

He wants 303.92 bitcoins, about $195,147, for 210,000 patient records from “a very large database in plaintext from a healthcare organization in the Central/Midwest United States. It was retrieved from a severely misconfigured network using readily available plaintext usernames and passwords.”

As for the 48,000 records being sold for 151.96 bitcoins, about $97,574, he claims the plaintext database came from a healthcare organization in Farmington, Missouri. “It was retrieved from a Microsoft Access database within their internal network using readily available plaintext usernames and passwords.”

If thedarkoverlord sells all three healthcare databases just once, then he would make about $682,110. If he also made $100,000 for the Blue Cross Blue Shield data, and only does that once, then he stands to make more than three-quarters of a million dollars for his criminal activities.

Hacker wants hush money, delivered ransom demand to each organization

The hacker is not revealing the names of the breached organizations yet, since he is trying to extort a ransom from them. He told Motherboard the ransom demand is “a modest amount compared to the damage that will be caused to the organizations when I decide to publicly leak the victims.”

Thedarkoverlord asked DeepDotWeb to include the following note for the breached companies:
“Next time an adversary comes to you and offers you an opportunity to cover this up and make it go away for a small fee to prevent the leak, take the offer. There is a lot more to come.”

Hard Rock Las Vegas suffers a second data breach

For the second time, the card-processing network was compromised

On Monday, Hard Rock Hotel & Casino in Las Vegas disclosed a data breach after malware was discovered on its card-processing system. This is the second time the casino has had to report such an incident.

In a statement, Hard Rock said that on May 13, the resort started an investigation after receiving reports of fraudulent activity on cards used at their Las Vegas location. The investigators discovered unauthorized access to the card-processing network, and later discovered malware on the systems themselves.

In some cases the malware captured the cardholder’s name along with the card number, expiration date and internal verification code; in others it obtained only the card data, without names.

Cards used at some restaurant and retail outlets between October 27, 2015 and March 21, 2016 are affected. This incident only impacts the Hard Rock Hotel & Casino in Las Vegas.

Last year, in May, Hard Rock disclosed a similar data breach that impacted payment cards.

The compromised cards were used between September 3, 2014 and April 2, 2015, at restaurant, bar and retail locations at the Hard Rock Hotel Las Vegas property, including the Culinary Dropout Restaurant.

Given that this is the second data breach under similar circumstances, either the clean-up after the first incident did not catch everything, or the situation is worse from a security standpoint: criminals got back into the payment network a second time, whether by reusing their previous methods or by finding another way in.

Either way, the incident shows that the network was left vulnerable to some degree, and criminals exploited that fact about five months after the first breach was disclosed.

Zero-Day Warning! Ransomware targets Microsoft Office 365 Users

If you think relying on Microsoft Office 365’s built-in security tools alone will protect you from cyber attacks, you are wrong.

Variants of Cerber Ransomware are now targeting MS Office 365 email users with a massive zero-day attack that has the ability to bypass Office 365’s built-in security tools.

According to a report published by cloud security provider Avanan, the massive zero-day Cerber ransomware attack targeted Microsoft Office 365 users with spam or phishing emails carrying malicious file attachments.

Cerber is delivered via macros. Yes, even in 2016 a single Office document can compromise a system if the recipient is tricked into enabling macros.

The Locky ransomware and the Dridex banking trojan also relied on malicious macros to compromise systems; Dridex, triggered by macro-laden documents, was used to steal over $22 million from UK banks.

Screenshot (not reproduced here): the malicious document used in the latest campaign against Microsoft Office 365 users.

While the security firm did not specify the exact number of users hit by the ransomware, Microsoft reported in its first-quarter 2016 results that Office 365 has almost 18.2 million subscribers.

“While difficult to precisely measure how many users got infected,” Avanan estimated that “roughly 57 percent of organizations using Office 365 received at least one copy of the malware into one of their corporate mailboxes during the time of the attack.”

Although Cerber originally emerged in March, the malware campaign targeting Office 365 users began on June 22. However, Microsoft started blocking the malicious file attachment on June 23.

The Cerber Ransomware not only encrypts user files and displays a ransom note, but also takes over the user’s audio system to read out its ransom note informing them that their files were encrypted.

The ransomware encrypts files with AES-256 encryption, asking victims to pay 1.24 Bitcoin (nearly US$810) for the decryption key.

How to Protect Yourself from Cerber Ransomware

To protect yourself from Cerber or any other ransomware:

  • Keep your operating system, applications and antivirus up to date.
  • Back up your files regularly to an external drive, and keep it disconnected when not in use so the backup cannot be encrypted too.
  • Disable macros in your Office programs, or at least block macros in documents that arrive from the internet.
  • Be wary of phishing and spam emails, and do not open unexpected attachments.
  • An intrusion detection system (IDS) can help you detect malware and other threats on your network quickly.
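Disabling macros is the user-side control; on the mail gateway side, the check a practitioner wants is whether an attachment carries a VBA project at all, regardless of what the file extension claims. The following is an added example, not code from the original article or from Avanan: it inspects an Office Open XML attachment (the zip container behind .docx/.docm/.xlsx/.xlsm) for a vbaProject.bin part or a macroEnabled content type, and flags legacy OLE2 binaries (.doc/.xls/.ppt) for deeper inspection, since macros in those cannot be ruled out from the container alone. The sample attachments are constructed in memory and are not real documents or malware.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 (Compound File) format used by .doc/.xls/.ppt.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Office Open XML keeps VBA in word/, xl/ or ppt/ vbaProject.bin and declares
# it in [Content_Types].xml with a "macroEnabled" content type.
VBA_PART_NAME = "vbaproject.bin"
MACRO_ENABLED_MARKER = b"macroenabled"
OOXML_MANIFEST = "[Content_Types].xml"


def classify_attachment(filename, data):
    """Return (verdict, detail) for an e-mail attachment.

    verdict is one of:
      'ooxml-macro'  - Office Open XML package carrying a VBA project
      'ooxml-clean'  - Office Open XML package with no VBA project
      'ole2-legacy'  - binary .doc/.xls/.ppt; needs an OLE parser to inspect
      'not-office'   - not an Office container at all
    """
    if data[:8] == OLE2_MAGIC:
        return "ole2-legacy", "legacy OLE2 container; macros cannot be ruled out from the header"

    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office", "not a zip container"

    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        if OOXML_MANIFEST not in names:
            return "not-office", "zip without an OOXML manifest"
        vba_parts = [n for n in names if n.lower().endswith(VBA_PART_NAME)]
        manifest = pkg.read(OOXML_MANIFEST).lower()

    if vba_parts or MACRO_ENABLED_MARKER in manifest:
        ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        detail = "VBA project present: " + ", ".join(vba_parts or ["declared in manifest"])
        if ext in ("docx", "xlsx", "pptx"):
            detail += "; extension claims a macro-free format"
        return "ooxml-macro", detail

    return "ooxml-clean", "no VBA project found"


def should_quarantine(filename, data):
    """Gateway policy: block anything with macros, hold legacy binaries for review."""
    verdict, _ = classify_attachment(filename, data)
    return verdict in ("ooxml-macro", "ole2-legacy")


# --- constructed sample attachments (not real documents, not real malware) ---

def _build_ooxml(parts):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()

CLEAN_DOCX = _build_ooxml({
    OOXML_MANIFEST: b'<Types><Override PartName="/word/document.xml" '
                    b'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>',
    "word/document.xml": b"<w:document/>",
})

MACRO_DOCM = _build_ooxml({
    OOXML_MANIFEST: b'<Types><Override PartName="/word/document.xml" '
                    b'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
                    b'<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>',
    "word/document.xml": b"<w:document/>",
    "word/vbaProject.bin": b"\x00" * 64,  # placeholder bytes standing in for a VBA project
})

LEGACY_DOC = OLE2_MAGIC + b"\x00" * 504  # header only; enough to trip the magic check


if __name__ == "__main__":
    for name, blob in [("invoice.docx", CLEAN_DOCX), ("invoice.docm", MACRO_DOCM),
                       ("invoice.docx", MACRO_DOCM), ("invoice.doc", LEGACY_DOC),
                       ("readme.txt", b"plain text")]:
        action = "quarantine" if should_quarantine(name, blob) else "deliver"
        print(name, classify_attachment(name, blob), action)
```

The extension is deliberately not trusted: the verdict comes from the container contents, and a macro-bearing package arriving under a .docx name is reported as both a macro carrier and an extension mismatch. Legacy OLE2 files are held rather than passed, because a full OLE parser (for example oletools) is needed to say whether they contain VBA.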

Dozens of Malicious Apps on Play Store can Root & Hack 90% of Android Devices

It is no surprise that a large number of malicious apps find their way into the Google Play Store and lure users into installing them, but this time it is worse than most people realize.

Researchers at Trend Micro have detected a family of malicious apps, dubbed ‘Godless,’ that has the capability of secretly rooting almost 90 percent of all Android phones.

Well, that’s slightly terrifying.

The malicious apps are distributed through a variety of channels and app stores, including the Google Play Store, which is usually considered a safe place to download apps.

The apps packed with Godless contain a collection of open-source or leaked Android rooting exploits that work on any device running Android 5.1 Lollipop or earlier.

90% Android Devices are Vulnerable to Godless Rooting Malware

Because so many handsets still run Android 5.1 or earlier, around 90 percent of all Android devices are vulnerable to this malware, and Godless apps have already been installed on more than 850,000 devices worldwide.

A device rooted by a malicious developer is exposed to a range of risks: anything can be installed on it, data can be leaked or stolen, and the device itself can be damaged.

Based on the source code they analyzed, Trend Micro researchers say that once an app with Godless malware is installed on a victim’s device, it uses a framework known as “android-rooting-tools” to gain root access to the victim’s device.

From there, the malware will make sure the victim’s screen is turned off before executing the malicious code.

Here’s what a Godless-packed app can do to your device:
Once Godless has gained root privileges, it contacts a command-and-control (C&C) server, fetches a list of apps to install on the rooted device, and installs them without the user’s knowledge; all of this can be driven remotely.

“With root privilege, the malware can then receive remote instructions on which app to download and silently install on mobile devices,” Trend Micro says. “This can then lead to affected users receiving unwanted apps, which may then lead to unwanted ads. Even worse, these threats can also be used to install backdoors and spy on users.”

The researchers say the malware is able to bypass the security checks done by the Google Play Store and other online app stores.

Although there are several apps in Google Play, including utility apps like flashlights, Wi-Fi apps, and popular game apps, that contain the malicious Godless code, Trend Micro had identified only one such Android app by name.

Dubbed Summer Flashlight, the malicious app had been installed from 1,000 to 5,000 times, and was recently removed from the Google Play store, but it’s still listed in search engine caches for the time being.

Godless is the latest Android malware to use rooting exploits to gain a persistent foothold on victims’ handsets. According to Trend Micro’s figures, most victims are in India, followed by Indonesia and Thailand (9.47 percent); the US also accounts for around 17,000 Godless downloads.

“Unknown developers with very little or no background information may be the source of these malicious apps,” Trend Micro notes.

So, in order to avoid being a victim to one such app, Android users are advised to avoid using third-party app stores and always “review the developer” when downloading apps even from Google’s official store.

 

AWS and Microsoft get FedRAMP approval for sensitive cloud data


Another day, another piece of good news for both Microsoft Azure and Amazon Web Services (AWS); the vendors are two of three companies which have been given authority by the US government for federal agencies to use them for sensitive cloud data.

Azure and AWS, alongside CSRA’s ARC-P IaaS, have been given the green light under the new FedRAMP High Baseline requirements. The full, mammoth spreadsheet documenting each control can be found on the FedRAMP website (XLS), but in general terms the requirements allow government bodies to put ‘high impact’ data in the cloud, meaning data whose compromise could endanger lives or cause severe financial harm.

Chanelle Sirmons, communications lead for FedRAMP, explained in an official post: “While 80% of federal information is categorised at low and moderate impact levels, this only represents about 50% of federal IT spend. Now that FedRAMP has set the requirements for high impact levels, that breaks open the remaining 50% of the $80 billion a year the US government spends on IT that could potentially move to the cloud securely.”

“We are pleased to have achieved the FedRAMP high baseline, giving agencies a simplified path to moving their highly sensitive workloads to AWS so they can immediately begin taking advantage of the cloud’s agility and cost savings,” said Teresa Carlson, AWS VP worldwide public sector in a statement. A statement from Microsoft read: “Microsoft remains committed to delivering the most complete, trusted cloud platform to customers. This accreditation helps demonstrate our differentiated ability to support the unique needs of government agencies as they transition to the cloud.”

Amazon and Microsoft have had their clouds FedRAMP accredited since June and October 2013 respectively – back when the latter was still known as Windows Azure – while ARC-P was the first vendor to receive the federal stamp of approval in 2012. Three years on, this represents a major step forward for government use of cloud technologies.

Uber Hack lets anyone find Unlimited Promo Codes for Free Uber Rides


An independent security researcher from Egypt has discovered a critical vulnerability in the Uber app that could allow an attacker to brute-force promo codes and obtain valid codes worth up to $25,000, each good for more than one free ride.

Mohamed M. Fouad found a “promo codes brute-force attack” vulnerability in Uber’s sign-up invitation link, which lets any user invite another user to join the service and receive one or more free rides depending on the promotion code’s value.

Fouad realized that the Uber app had no protection at all against brute-force attacks, so he could keep guessing promo codes (of the form ‘uber+code_name’) until he found valid ones.


The brute-force attempt turned up a number of valid promo codes worth between $5,000 and $25,000, each good for one to three free rides.

Another flaw, discovered in mid-June, allowed attackers to use a promo code without signing up as a new user.

Uber Team Refuses to Patch the Flaw

As a responsible researcher, Fouad reported the critical flaw to the Uber security team multiple times, but the company did not accept his bug report and considered the vulnerability out of scope.

“I reported this vulnerability three months ago, and I am not the only one who reported it,” Fouad told The Hacker News. “They always reply with out of scope and considered as a fraud, and we have to send this bug to fraud team.”

Another security researcher, Ali Kabeel, reported the same flaw in the URL code customization feature at riders.uber.com/profile. He got the same response from Uber: out of scope.

Although the company fixed the brute-force vulnerability on the payment page by applying rate limiting, the two areas described above remain vulnerable, which could lead to many fraud incidents.
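The fix Uber applied to the payment page, rate limiting, is exactly what the referral link and profile URL lacked. As an added example (not Uber’s code; the promo codes and guess list are constructed for illustration and are not real), the following sketches a promo-code redemption endpoint in its vulnerable configuration, where every guess is evaluated and answered, beside the hardened configuration, which gives each account a fixed number of attempts per sliding window and refuses further guesses without looking at the code. The same brute-force loop is then run against both.

```python
import collections
import time

# Constructed sample codes in the 'uber' + code_name shape the article describes.
# Made up for this example; not real promo codes.
VALID_CODES = {"uberfree2016", "uberwelcome25"}

# Attacker's guess list: a small dictionary of code names with the valid codes buried in it.
CANDIDATES = ["uber" + w for w in (
    "promo", "ride", "summer", "first", "friend", "nyc", "free", "free2016",
    "welcome", "welcome10", "welcome25", "launch", "vip", "gift", "test",
)]


class PromoRedeemer:
    """Promo-code redemption endpoint.

    max_attempts=None reproduces the vulnerable behaviour: every guess is
    evaluated and answered, so an attacker can enumerate codes at will.
    With a limit, each account gets max_attempts guesses per window_seconds;
    after that the endpoint answers 'rate_limited' without checking the code.
    """

    def __init__(self, valid_codes, max_attempts=None, window_seconds=3600, clock=time.monotonic):
        self.valid_codes = set(valid_codes)
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._attempts = collections.defaultdict(collections.deque)

    def redeem(self, account_id, code):
        if self.max_attempts is not None:
            now = self.clock()
            recent = self._attempts[account_id]
            while recent and now - recent[0] >= self.window:
                recent.popleft()            # forget attempts older than the window
            if len(recent) >= self.max_attempts:
                return "rate_limited"       # budget spent: do not even look at the code
            recent.append(now)              # every guess, right or wrong, costs budget
        return "accepted" if code in self.valid_codes else "invalid"


class FakeClock:
    """Deterministic clock so window expiry can be demonstrated without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def brute_force(redeemer, account_id, candidates):
    """Attacker loop: try each candidate; return (codes found, tally of responses)."""
    found, tally = [], collections.Counter()
    for code in candidates:
        outcome = redeemer.redeem(account_id, code)
        tally[outcome] += 1
        if outcome == "accepted":
            found.append(code)
    return found, tally


def run_attack(max_attempts):
    """Run the same guess list against an endpoint with the given per-account budget."""
    redeemer = PromoRedeemer(VALID_CODES, max_attempts=max_attempts, clock=FakeClock())
    return brute_force(redeemer, "attacker-account", CANDIDATES)


if __name__ == "__main__":
    print("no limit   :", run_attack(None))
    print("5 per hour :", run_attack(5))
```

Keying the budget on the account alone is not enough when accounts are free to create, which is precisely the sign-up flow at issue here; a real deployment would also key on source IP or device and make the codes themselves long enough that a few thousand guesses cannot find one. The limiter returns the same answer for every blocked attempt, so the attacker learns nothing about the code once the budget is spent.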

Clinton Foundation said to be breached by Russian hackers


The Bill, Hillary and Chelsea Clinton Foundation was among the organizations breached by suspected Russian hackers in a dragnet of the U.S. political apparatus ahead of the November election, according to three people familiar with the matter.

The attacks on the foundation’s network, as well as those of the Democratic Party and Hillary Clinton’s presidential campaign, compound concerns about her digital security even as the FBI continues to investigate her use of a personal e-mail server while she was secretary of state.

Clinton Foundation officials said the organization hadn’t been notified of the breach and declined to comment further. The compromise of the foundation’s computers was first identified by government investigators as recently as last week, the people familiar with the matter said. Agents monitor servers used by hackers to communicate with their targets, giving them a back channel view of attacks, often even before the victims detect them.

Before the Democratic National Committee disclosed a major computer breach last week, U.S. officials informed both political parties and the presidential campaigns of Clinton, Donald Trump and Bernie Sanders that sophisticated hackers were attempting to penetrate their computers, according to a person familiar with the government investigation into the attacks.

The hackers in fact sought data from at least 4,000 individuals associated with U.S. politics — party aides, advisers, lawyers and foundations — for about seven months through mid-May, according to another person familiar with the investigations.

Thousands of Documents

The thefts set the stage for what could be a Washington remake of the public shaming that shook Sony in 2014, when thousands of inflammatory internal e-mails filled with gossip about world leaders and Hollywood stars were made public. Donor information and opposition research on Trump purportedly stolen from the Democratic Party has surfaced online, and the culprit has threatened to publish thousands more documents.

A hacker or group of hackers calling themselves Guccifer 2.0 posted another trove of documents purportedly from the DNC on Tuesday, including what they said was a list of donors who had made large contributions to the Clinton Foundation.

The Republican Party and the Trump campaign have been mostly silent on the computer attacks. In an earlier statement, Trump said the hack was a political ploy concocted by the Democrats.

Information about the scope of the attacks and the government warnings raises new questions about how long the campaigns have known about the threats and whether they have done enough to protect their systems.

The Clinton campaign was aware as early as April that it had been targeted by hackers with links to the Russian government on at least four recent occasions, according to a person familiar with the campaign’s computer security.

U.S. Inquiries

The U.S. Secret Service, Federal Bureau of Investigation and National Security Agency are all involved in the investigation of the theft of data from the political parties and individuals over the last several months, one of the people familiar with the investigation said. The agencies have made no public statements about their inquiry.

The FBI has been careful to keep that investigation separate from the review of Clinton’s use of private e-mail, using separate investigators, according to the person briefed on the matter. The agencies didn’t immediately respond to requests for comment.

Clinton spokesman Glen Caplin said that he couldn’t comment on government briefings about cyber security and that the campaign had no evidence that its systems were compromised.

“We routinely communicate and cooperate with government agencies on security-related matters,” he said. “What appears evident is that the Russian groups responsible for the DNC hack are intent on attempting to influence the outcome of this election.”

The DNC wouldn’t directly address the attacks but said in a written statement that it believes the leaks are “part of a disinformation campaign by the Russians.”

Trump spokeswoman Hope Hicks didn’t respond to e-mails seeking comment about the government warnings. The Republican National Committee didn’t respond to e-mail messages. A Sanders spokesman, Michael Briggs, said he wasn’t aware of the warnings.

IDing the Hackers

The government’s investigation is following a similar path as the DNC’s, including trying to precisely identify the hackers and their possible motives, according to people familiar with the investigations. The hackers’ link to the Russian government was first identified by CrowdStrike Inc., working for the Democratic Party.

A law firm reviewing the DNC’s initial findings, Baker & McKenzie, has begun working with three additional security firms — FireEye Inc., Palo Alto Networks Inc. and Fidelis Cybersecurity — to confirm the link, according to two people familiar with the matter, underscoring Democrats’ concerns that the stolen information could be used to try to influence the outcome of the November election.

A spokesman for Baker & McKenzie didn’t immediately respond to requests for comment. DNC spokesman Luis Miranda said the party worked only with CrowdStrike.

If the Democrats can show the hidden hand of Russian intelligence agencies, they believe that voter outrage will probably outweigh any embarrassing revelations, a person familiar with the party’s thinking said.

So far the released documents have revealed little that is new or explosive, but that could change. Guccifer 2.0 has threatened to eventually release thousands of internal memos and other documents.

Line of Attack

Sensitive documents from the Clinton Foundation could have the most damaging potential. The Trump camp has said it plans to make the foundation’s activities a subject of attacks against Clinton; the sort of confidential data contained in e-mails, databases and other digital archives could aid that effort.

An analysis by Fidelis confirmed that groups linked to Russian intelligence agencies were behind the DNC hack, according to a published report.

The government fills a crucial gap in flagging attacks that organizations can’t detect themselves, said Tony Lawrence, a former U.S. Army cyber specialist and now chief executive officer of VOR Technology, a computer security company in Hanover, Maryland.

“These state actors spend billions of dollars on exploits to gather information on candidates, and nine times out of ten [victims] won’t be able to identify or attribute them,” he said.

Google Accounts

Bloomberg News reported Friday that the hackers who hit the DNC and Clinton’s campaign burrowed much further into the U.S. political system than initially thought, sweeping in law firms, lobbyists, consultants, foundations and policy groups in a campaign that targeted thousands of Google e-mail accounts and lasted from October through mid-May.

Data from the attacks have led some security researchers to conclude that the hackers were linked to Russian intelligence services and were broadly successful in stealing reports, policy papers, correspondence and other information. Dmitry Peskov, a spokesman for President Vladimir Putin, denied that the Russian government was involved.

Russia uses sophisticated “information operations” to advance foreign policy, and the target audience for this kind of mission wouldn’t be U.S. voters or even U.S. politicians, said Brendan Conlon, who once led a National Security Agency hacking unit.

“Why would Russia go to this trouble? Simple answer — because it met their foreign policy objectives, to weaken the U.S. in the eyes of our allies and adversaries,” said Conlon, now CEO of Vahna Inc., a cyber security firm in Washington. Publishing the DNC report on Trump “weakens both candidates — lists out all the weaknesses of Trump specifically while highlighting weaknesses of Clinton’s security issues. The end result is a weaker president once elected.”

Russia Link

Russia has an expansive cyber force that it has deployed in complex disinformation campaigns throughout Europe, according to intelligence officials.

BfV, the German intelligence agency, has concluded that Russia was responsible for a 2015 hack against the Bundestag that forced the shutdown of its computer systems for several days. Germany is under “permanent threat” from Russian hackers, said BfV chief Hans-Georg Maassen.

Security software maker Trend Micro said in May that Russian hackers had been trying for several weeks to steal data from Chancellor Angela Merkel’s Christian Democratic Union party, and that they also tried to hack the Dutch Safety Board computer systems to obtain an advance copy of a report on the downing of a Malaysian aircraft over Ukraine in July 2014. The report said the plane was brought down by a Russian-made Buk surface-to-air missile.

The cyber attacks are part of a broader pattern of state-sponsored hacking by Russia focused on political targets, with a goal of giving Russia the upper hand in dealing with other governments, said Pasi Eronen, a Helsinki-based cyber warfare researcher who has advised Finland’s Defense Ministry.