Tag Archives: Cyberattack

Homeland Security Issues Warning on Cyberattack Campaign

The Department of Homeland Security is warning IT services providers, healthcare organizations and three other business sectors about a sophisticated cyberattack campaign that involves using stolen administrative credentials and implanting malware, including PLUGX/SOGU and RedLeaves, on critical systems.

The alert notes that DHS’ National Cybersecurity and Communications Integration Center “has become aware of an emerging sophisticated campaign, occurring since at least May 2016, that uses multiple malware implants. Initial victims have been identified in several sectors, including information technology, energy, healthcare and public health, communications and critical manufacturing.”

Mac McMillan, president of the security consulting firm CynergisTek, says the threat is serious. “These attacks could lead to full network compromise, long-term undetected attacks, and compromise/exploitation of systems and data, essentially putting both operations and patient safety at risk,” he says.

The April 27 alert, which was updated on May 2, says preliminary analysis has found that threat actors appear to be leveraging stolen administrative credentials – local and domain – and certificates.

“Some of the campaign victims have been IT service providers, where credential compromises could potentially be leveraged to access customer environments,” the alert notes. “Depending on the defensive mitigations in place, the threat actor could possibly gain full access to networks and data in a way that appears legitimate to existing monitoring tools.”

Under Investigation

DHS says the activity is still under investigation. “The threat actors in this campaign have been observed employing a variety of tactics, techniques, and procedures,” according to the alert. “The actors use malware implants to acquire legitimate credentials then leverage those credentials to pivot throughout the local environment. NCCIC is aware of several compromises involving the exploitation of system administrators’ credentials to access trusted domains as well as the malicious use of certificates.”

Additionally, the adversary makes heavy use of PowerShell and the open source PowerSploit tool to enable assessment, reconnaissance, and lateral movement, the alert notes.

“Command and control primarily occurs using RC4 cipher communications over port 443 to domains that change IP addresses. Many of these domains spoof legitimate sites and content, with a particular focus on spoofing Windows update sites. Most of the known domains leverage dynamic DNS services, and this pattern adds to the complexity of tracking this activity.”

In addition to leveraging user impersonation via compromised credentials the attackers are using malware implants left behind on key relay and staging machines, the alert states. “In some instances, the malware has only been found within memory with no on-disk evidence available for examination. To date, the actors have deployed multiple malware families and variants, some of which are currently not detected by anti-virus signatures. The observed malware includes PLUGX/SOGU and RedLeaves.”

The attackers have modified the malware to “improve effectiveness and avoid detection by existing signatures,” the alert notes.

DHS warns successful network intrusion involving these attacks could result in temporary or permanent loss of sensitive or proprietary information, disruption to regular operations, financial losses incurred to restore systems and files and potential harm to an organization’s reputation.

Earlier Warning

The DHS alert follows a blog post published in early April by researchers at BAE Systems and PwC about the firms’ investigation into a campaign of intrusions against several major managed services providers.

“These attacks can be attributed to the actor known as APT10 – a.k.a. CVNX, Stone Panda, MenuPass, and POTASSIUM,” the blog states. “Their activity seems to have increased in mid-2016, and has focused on compromise of MSPs as a stepping stone into victim organizations.”

APT10 is a Chinese cyber espionage group that the security firm FireEye has been tracking since 2009.

The blog from BAE and PwC notes that the current campaign linked to APT10 can be split into two sets of activity: Attacks targeting MSPs, engineering and other sectors with common as well as custom malware, and attacks targeting Japanese organizations with the ‘ChChes’ malware.

The attacks linked to APT10 targeting managed services providers use a custom dropper for their various implants, the researchers note. “This dropper makes use of dynamic-link library side-loading to execute the main payload.” The researchers write that their analysis shows the attackers have used several payloads, including:

  • PlugX, a well-known espionage tool in use by several threat actors;
  • RedLeaves, a newly developed, fully-featured backdoor, first used by APT10 in recent months.

“Whilst these attackers have skill, persistence, some new tools and infrastructure – there is nothing about the techniques themselves that should make this hard to detect or mitigate. The lessons learned from these incidents should be used as an opportunity for security improvements for both MSPs and their customers,” the blog says.

DHS in its alert notes: “All organizations that provide IT services as a commodity for other organizations should evaluate their infrastructure to determine if related activity has taken place. Active monitoring of network traffic for the indicators of compromise … as well as behavior analysis for similar activity, should be conducted to identify command and control traffic.”

In addition, DHS notes, “Frequency analysis should be conducted at the lowest level possible to determine any unusual fluctuation in bandwidth indicative of a potential data exfiltration. Both management and client systems should be evaluated for host indicators provided.”
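The two checks DHS asks providers to run above (watching traffic for the alert’s command-and-control pattern, and frequency analysis of bandwidth for exfiltration) can be scripted over an ordinary proxy or flow export. The following is an added example written for this page; it is not code from the DHS alert, NCCIC, BAE Systems, PwC or any vendor named here. The log line format, the allowlist of legitimate Microsoft update domains, the list of dynamic DNS suffixes, the lookalike fragments, the thresholds and the sample log lines are all assumptions constructed for illustration, not indicators from the alert.

```python
"""Added example: screen a proxy/flow export for the C2 and exfiltration
patterns the DHS alert describes. Hostnames, log format, lists and
thresholds below are illustrative assumptions, not indicators from the alert."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed log format (constructed): "<ISO timestamp> <src_ip> <dst_host>:<dst_port> <bytes_out>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([\w.\-]+):(\d+)\s+(\d+)$")

# Assumed allowlist of legitimate Microsoft update domains (suffix match).
MS_LEGIT_SUFFIXES = ("windowsupdate.com", "update.microsoft.com", "windows.com", "microsoft.com")
# Fragments an attacker might reuse so a C2 host reads like Windows Update (assumed).
UPDATE_LOOKALIKE = ("windowsupdate", "microsoft", "msupdate", "winupdate")
# Assumed, illustrative list of dynamic DNS provider suffixes.
DYNAMIC_DNS_SUFFIXES = ("no-ip.com", "ddns.net", "dyndns.org", "hopto.org", "zapto.org")

# Constructed sample export: one workstation with a quiet daytime baseline and a
# large overnight upload to a dynamic-DNS host spoofing Windows Update.
SAMPLE_LOG = """\
2017-05-01T09:10:00 10.0.0.5 update.microsoft.com:443 120000
2017-05-01T10:05:00 10.0.0.5 www.example.org:443 90000
2017-05-01T11:20:00 10.0.0.5 mail.example.org:443 110000
2017-05-01T12:30:00 10.0.0.5 www.example.org:443 100000
2017-05-02T02:15:00 10.0.0.5 windowsupdate-cdn.hopto.org:443 52000000
2017-05-01T09:00:00 10.0.0.7 files.ddns.net:443 2000
2017-05-01T09:30:00 10.0.0.7 www.windowsupdate.com:443 3000
2017-05-01T10:00:00 10.0.0.7 winupdate-mirror.example.net:443 1500
2017-05-01T10:20:00 10.0.0.7 msupdate.zapto.org:80 800
this line is not in the expected format
"""


def _has_suffix(host, suffixes):
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def load(log_text):
    """Parse the export into records; malformed lines are skipped, not fatal."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, host, port, nbytes = m.groups()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "host": host.lower(), "port": int(port), "bytes": int(nbytes)})
    return records


def c2_candidates(records):
    """Flag port-443 destinations that imitate Windows Update without being a
    Microsoft domain, or that resolve under a dynamic DNS provider."""
    hits = []
    for r in records:
        if r["port"] != 443:  # the alert describes C2 over 443 only
            continue
        host, reasons = r["host"], []
        if any(frag in host for frag in UPDATE_LOOKALIKE) and not _has_suffix(host, MS_LEGIT_SUFFIXES):
            reasons.append("windows-update-lookalike")
        if _has_suffix(host, DYNAMIC_DNS_SUFFIXES):
            reasons.append("dynamic-dns")
        if reasons:
            hits.append((r["src"], host, reasons))
    return hits


def exfil_candidates(records, k=5.0, min_bytes=5_000_000):
    """Frequency analysis per source host: bucket outbound bytes per hour and
    flag buckets far above that host's own median (robust z-score using MAD).
    Returns (src, hour, bytes). k and min_bytes are assumed thresholds."""
    buckets = defaultdict(lambda: defaultdict(int))
    for r in records:
        hour = r["ts"].replace(minute=0, second=0, microsecond=0)
        buckets[r["src"]][hour] += r["bytes"]
    flagged = []
    for src, per_hour in buckets.items():
        vals = list(per_hour.values())
        if len(vals) < 4:  # too little history to form a baseline
            continue
        med = median(vals)
        mad = median(abs(v - med) for v in vals) or 1.0  # avoid division by zero
        for hour, v in sorted(per_hour.items()):
            if v >= min_bytes and (v - med) / (1.4826 * mad) > k:
                flagged.append((src, hour.isoformat(), v))
    return flagged


if __name__ == "__main__":
    recs = load(SAMPLE_LOG)
    for src, host, why in c2_candidates(recs):
        print(f"C2 candidate: {src} -> {host} ({', '.join(why)})")
    for src, hour, nbytes in exfil_candidates(recs):
        print(f"Exfil candidate: {src} sent {nbytes} bytes in hour {hour}")
```

The hostname heuristics are deliberately loose: they surface candidates for an analyst to compare against the alert’s actual indicators, not verdicts. The bandwidth check uses the median absolute deviation rather than mean and standard deviation so that one large upload does not inflate the baseline it is measured against; hosts with fewer than four hourly buckets are skipped, since a single night’s data cannot establish normal.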

Precautionary Moves

McMillan suggests that healthcare entities take steps to prevent falling victim to these attacks.

“Healthcare organizations should ensure that their service provider is actually looking for the indicators,” he says. “Within their own network they should be assessing for the presence of the detailed indicators in the NCCIC report. If an indicator of compromise is detected they should take appropriate action to remediate and reach out to NCCIC for assistance and further details. Secondarily, they should be reviewing the service provider contracts to ensure the vendor is monitoring actively.”

About the Author:

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group’s HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek’s healthcare IT media site.

HSBC suffers major security breach as hackers launch cyber attack on bank’s servers

Hacking group OurMine claims it took down HSBC’s US and UK servers, following a spate of attacks on the accounts of major tech firm bosses.


The hacking group announced details of the security breach on its website, including links to HSBC’s US and UK sites.

The group, which describes itself as a security firm, claims it took the bank’s UK and US websites offline on Tuesday.

In a statement, the cyber attackers wrote: “Hello Guys, today we checked HSBC Bank security, and their website was able to be attacked!, and now we took it down.

“If you are working on HSBC Bank, please contact us…we will stop the attack and we will let you know how to protect it from people attacks!”


By early Wednesday, HSBC’s U.S. and U.K. websites appeared to be working normally.

OurMine positions itself on its website as an account and company security firm. “We scan the whole company websites and staffs and give you the weaknesses and how to fix it,” it says.

Buzzfeed reports the group recently claimed to have attacked the social media accounts of prominent CEOs in order to promote its business. One of its most prominent alleged attacks was in early June, when it claimed to have taken over Facebook CEO Mark Zuckerberg’s social media accounts. Since then, it claims to have also targeted the accounts of several other CEOs, including Google’s Sundar Pichai, Uber’s Travis Kalanick, and Twitter’s Jack Dorsey.

In December, it claimed it attacked WikiLeaks.

In a second post on Tuesday, the group announced it “stopped the attack” after “a staff of HSBC talked with us”.

It is not known whether the attack caused any disruption for HSBC’s online customers.

Daily Star Online has contacted HSBC for comment.


This seems to be an everyday occurrence in today’s “Digital Age”. Make sure you change your passwords regularly.



Ponemon Institute Reports Healthcare Data Under Attack by Criminals

Results from the Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data have confirmed what many in the healthcare industry had suspected and even feared: 65% of the healthcare organizations participating in the study had experienced electronic information-based security incidents over the past two years. In addition, some 87% of third-party vendors, identified by HIPAA as Business Associates (BAs), reported a data breach in the last two years.

More disturbing is the revelation that for the first time in the history of the study, criminal attacks are the number one cause of data breaches in healthcare. The number of criminal attacks on healthcare organizations and business associates has increased 125% compared to five years ago. According to the study, more than 90% of the healthcare organizations taking part had experienced a data breach, and 40% of the respondents had experienced more than five data breaches over the past two years.

No healthcare organization, no matter its size, is impervious to these attacks. And they are certainly not immune to the side effects of a breach.

The rapid growth of data breaches in the healthcare industry is putting health information at risk at an alarming rate. Moreover, it’s expensive—for all concerned. According to the Ponemon Institute study, “…the average cost of a data breach for healthcare organizations is estimated to be more than $2.1 million…the average cost of a data breach to BAs represented in this research is more than $1 million.”

The study’s findings also reveal that 45% of the healthcare organizations surveyed attributed a data breach to a criminal attacker, while 12% cited the work of malicious insiders. Among BAs, 39% reported breaches caused by criminal attackers while 10% attributed them to malicious insiders.

The study described an increase in Web-borne malware attacks, citing 78% of the healthcare organizations surveyed as having experienced security incidents caused by malware; 82% of BAs had suffered security incidents attributed to malware.

Perhaps one of the most shocking data points reported is that in spite of the increased criminal activity and the rapidly evolving threat environment, the majority of healthcare organizations indicated implementing no changes to what they’re doing or how they’re doing it. Only 40% of healthcare organizations and 39% of BAs surveyed expressed concern about cyberattacks.

Other Findings Giving Cause for Increased Cybersecurity Measures

Policies and Procedures in Place

The survey results clearly illustrate the reality that healthcare organizations and the BAs with whom they work need to invest more in technologies that allow them to respond quickly to data breaches. While 58% of healthcare organizations responding agreed that they have policies and procedures in place that allow them to detect a data breach quickly and efficiently, fewer than half believe they have sufficient technologies in place to do so — and only 33% were confident they have the resources needed to prevent or quickly detect a data breach. Responses of BAs participating in the survey fell along similar lines. 50% of business associates responding stated that they have the policies and procedures in place to prevent or detect a security incident, while fewer than half believe they have sufficient technologies. Lastly, only 41% of BAs stated that they have adequate resources to be able to identify and repair data breaches.

Top Concerns of Respondents

The research also revealed interesting insights relating to the top concerns of survey respondents. While the number of criminal attacks on healthcare organizations and business associates has increased 125% compared to five years ago (and 45% of the organizations surveyed traced data breaches to criminal activity), only 40% of the respondents named cyberattacks as a top security threat. BAs were even less immediately worried, with only 35% citing cyberattacks as a top concern.

Charts of the security threats healthcare organizations and BAs worry about most. Source: The Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data

How Attacks Are Discovered

Among other key findings detailed in the Ponemon report are the statistics relating to how healthcare organizations uncovered security attacks. 69% learned of a data breach through an audit or assessment, while 44% were discovered by an employee. 30% of data breaches were reported by patients, 23% were uncovered accidentally, and 18% came from a legal complaint. Law enforcement was responsible for 6% of the discoveries and loss prevention teams for 5%.

Business associates reported different statistics, with 60% of data breaches uncovered by employees and 49% discovered as a result of an audit or assessment. BAs said 33% were found accidentally, 21% through a legal complaint, 17% from a patient complaint, 13% by loss prevention teams, and 12% by law enforcement.

Source: The Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data


The findings of the Ponemon Institute survey paint an alarming picture: the healthcare industry, which manages vast amounts of personal data, is under attack by criminal elements and jeopardized by employee negligence as well as the actions of malicious insiders. The number of data breaches is growing rapidly, and both healthcare organizations and the business associates who serve them lack sufficient technologies, resources, and processes to ensure data is kept secure.

The report details a slow but steady increase in technologies used by both healthcare organizations and their business associates to detect and mitigate the impact of cybersecurity threats, but concludes that the pace of the investments in both technologies and security expertise is not sufficient at this time.

In conclusion, the Ponemon Institute calls for intensive employee training and awareness programs, ramped up investments in technologies and security expertise, and a broad application of innovative solutions to the industry to improve the current status of the privacy and security of the nation’s healthcare data.