
Cyber Threat Intelligence Briefing: 30 October 2020

Billy Gouveia, Mona Damian 30 October 2020


The S-RM Cyber Threat Intelligence Briefing is a weekly round-up of the latest cyber security news, trends and indicators, curated by our threat intelligence specialists.

OVERVIEW

  • US government officials warn of imminent threat to US healthcare providers. Officials of the US Department of Homeland Security and FBI held a conference call with healthcare executives to warn them of imminent cyber threats against healthcare facilities. Meanwhile, officials in Finland are responding to a hacker threatening to leak patient data stolen from a psychotherapy clinic.

  • More European backing for the US approach to 5G security. The Slovak Republic, Bulgaria, North Macedonia and Kosovo have all taken steps to show their support for the US-led initiative to only use ‘trusted’ telecommunications suppliers for 5G infrastructure and services.

  • In other news this week, millions of consumers have been complaining about robocalls this year, there is an ongoing phishing campaign targeting Microsoft Teams users, and we discuss the importance of patching CMS systems… again.


Security Round-up

Threat of imminent attack against US hospitals
  • On 28 October, US government officials warned healthcare industry executives of an ‘imminent cybercrime threat to US hospitals and healthcare providers.’ Law enforcement has warned healthcare organisations to take ‘timely and reasonable precautions to protect their networks from these threats.’[1]
  • Security reporter Brian Krebs has said he received an earlier tip that the ransomware group Ryuk was plotting “to deploy ransomware at over 400 healthcare facilities in the US.”

So what? The US government did not issue any Indicators of Compromise (IOCs) as part of the warning. Instead, healthcare security teams must ensure that patching is up to date and backups are in place, and remain on high alert. On 28 October, security researcher Aaron Stephens shared a collection of IOCs tied to Ryuk that security teams can use as a helpful resource.[2] Ransomware groups have been targeting healthcare organisations aggressively in recent months, demanding six- and seven-figure ransoms and no doubt leveraging the added pressure the pandemic puts on healthcare facilities to remain up and running.

Hackers hold data on Finnish psychotherapy patients for ransom
  • Finnish government officials have reported being ‘in shock’ after a hacker was able to steal data from a Finnish psychotherapy clinic, Vastaamo, on “up to tens of thousands” of patients, holding that data for ransom.[3]
  • The criminal responsible, the self-proclaimed “ransom_man”, is using a dark web site to leak patient data, demanding EUR 200 from individual patients in exchange for not having their data exposed on the site. The records of over 300 patients have so far been leaked on the site.
  • The attacker had reportedly also issued a ransom demand of EUR 450,000 to the therapy centre. Finnish authorities are asking anyone receiving demands for money to contact Finnish police.

So what? Though extortion involving stolen data as part of a ransomware attack is very prevalent at the moment, particularly against the healthcare industry, this case is more unusual. For one, no ransomware is involved: only the sensitive data is being used to extort money, there are no encrypted systems, and the attacker is attempting to extort individual patients directly. Security expert Mikko Hypponen pointed out a similar incident in 2019, where an attacker sent ransom demands to patients of Florida’s Center for Facial Restoration.[4] The takeaway for healthcare organisations is that patient data is a valuable extortion lever for threat actors; ensuring that data is locked down remains paramount.

Four EU nations agree to US-led 5G security statements
  • Last Friday, the US Department of State announced that the Slovak Republic, Bulgaria, and North Macedonia had all made a joint declaration with the US that in developing their 5G infrastructure, they will only include trusted suppliers following a “rigorous evaluation”.[5]
  • Kosovo made a similar undertaking, signing a memorandum of understanding.

So what? This is the latest development in a long-running campaign by the US to warn nations globally, but particularly in Europe, against allowing Chinese companies to develop their telecommunications networks, for fear that it could grant China undue influence over the West’s critical infrastructure. Although not directly mentioned, the campaign is believed to be a direct attack on Huawei, and China has argued that the US has been motivated by commercial reasons.

Microsoft Teams targeted by a phishing campaign
  • Last week, security researchers reported an ongoing phishing campaign that targeted as many as 50,000 Office 365 users.[6]
  • The campaign was designed to pretend that a user had received an automatic email notification from Microsoft Teams, notifying them that they had a “missed chat” in the instant messaging application. If the user clicked on any of the buttons, including one that said “Reply in Teams”, they would be redirected to a fake Microsoft login page and be prompted to enter their Office 365 credentials.
  • The campaign was not targeted, and the purported ‘missed chat’ was from a generic individual and not actually from within the organisation.

So what for security teams? This story is a reminder of the importance and value of regular, thorough cyber awareness training for employees. Since working from home has become the new normal, phishing campaigns are increasingly impersonating well-known collaboration platforms like Microsoft Teams and Zoom. However, such campaigns often contain features that, with even a basic understanding of phishing and its common indicators, make them easy to identify as malicious.

2 million robocall complaints received so far in 2020
  • Almost 2 million Americans have complained to the Federal Trade Commission (FTC) about illegal automated “robocalls” so far in 2020.[7] Robocalls are often associated with political and telemarketing phone campaigns but can also be used for public-service or emergency announcements.
  • The government agency has also collected more than USD 160 million in civil penalties and equitable monetary relief during this period.
  • Among the fines issued, the largest was a USD 120 million fine against a telemarketer for making roughly 100 million spoofed calls in a three-month period.

So what for leadership? While this story concerns telemarketing, it highlights a change in consumer attitudes: consumers are becoming less tolerant of their data being used for purposes to which they have not willingly consented. It is imperative to have robust privacy processes in place to ensure that all of the data your company collects has a lawful basis for processing. Data retention periods need to be strictly adhered to, and controls such as encryption at rest and in transit should be applied to sensitive data.

KashmirBlack botnet behind attacks on CMS platforms
  • A sophisticated botnet dubbed KashmirBlack is reportedly behind thousands of attacks against websites, infecting their underlying Content Management System (CMS) platforms. The botnet, active since late 2019, leverages exploits for known vulnerabilities in CMS software such as WordPress, Joomla and Drupal to infect the target website.[8]
  • According to researchers at security group Imperva, the botnet attacks websites for a range of criminal goals, including cryptocurrency mining, redirecting traffic to spam pages, and even web defacements.

So what for security teams? Threat actors targeting websites through their CMS platforms is nothing new, and botnets are known to leverage such vulnerabilities to infect a victim’s network. Other activity targeting CMS platforms that we have recently discussed is the web-skimming activity dubbed Magecart, which leverages vulnerabilities in the Magento CMS. Given the propensity of threat actors to leverage CMS vulnerabilities, security teams should prioritise patching CMS platforms to the latest version.


References:

[1] ‘FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals’, Krebs on Security, 28 October 2020.

[2] ‘Unc1878_indicators’, GitHub, 28 October 2020.

[3] ‘Finland shocked by therapy center hacking, client blackmail’, AP News, 25 October 2020.

[4] @mikko, Twitter, 24 October 2020.

[5] ‘Four more European nations sign onto US 5G security agreements’, ZDNet, 25 October 2020.

[6] ‘Microsoft Teams Phishing Attack Targets Office 365 Users’, Threatpost, 22 October 2020.

[7] ‘FTC receives almost 2 million robocall complaints in nine months’, BleepingComputer, 27 October 2020.

[8] ‘KashmirBlack botnet behind attacks on CMSs like WordPress, Joomla, Drupal, others’, ZDNet, 26 October 2020.


To discuss this article or other industry developments, please reach out to one of our experts.

Billy Gouveia, Senior Managing Director
Mona Damian, Senior Analyst
