Wednesday, 18 March 2015 PREMERA BLUE CROSS

Wednesday, 18 March 2015
PREMERA BLUE CROSS BREACHED, MEDICAL INFORMATION EXPOSED
FROM THE MEDIA
Premera Blue Cross announced that they had been breached yesterday, affecting 11
million customers. According to the news release, personal information including
names, addresses and other contact information was compromised. Clinical records
and data may have also been accessed. Premera Blue Cross is a healthcare provider
concentrated in the US Pacific Northwest region.
Read the Story: Reuters
ThreatScape®
ACCURACY
JUDGMENT
WITHHELD
iSIGHT PARTNERS ANALYST COMMENT
The Premera Blue Cross breach was reportedly first discovered on January 29, 2015, two days after
Anthem, Inc. discovered it had been compromised by cyber espionage actors. The Anthem incident
leveraged Derusbi malware which communicated with the domain we11point.com (similar to Anthem’s
previous name, “WellPoint”). iSIGHT Partners has identified a suspicious domain, "prennera.com" which
is likely a spoof of Premera, and a malicious payload signed with the same digital certificate as malware
from the Anthem hack. The domain “prennera.com” was registered on December 9, 2013, and the
malicious payload identified was compiled December 7, 2013. Additionally, one sample related to the
Anthem compromise was compiled on December 20, 2013. The similarities in the timeline combined
with the usage of the same code signing certificate, suggests that the same threat actor was responsible
for both compromises.
RELATED iSIGHT PARTNERS REPORTS
Intel-1346271 (Cyber Espionage Operators Breached Anthem, Inc. in Long Running Campaign), 10 Feb.
2015
15-00000396 (Anthem Health Insurance Previously Compromised by Identified Malicious Activity), 5
Feb. 2015
©Copyright 2014. iSIGHT PartnersSM Inc. All Rights Reserved.
SOUTH KOREA BLAMES NORTH KOREA FOR DECEMBER HACK ON NUCLEAR
OPERATOR
FROM THE MEDIA
South Korea has blamed North Korea for December cyber attacks against its nuclear
reactor operator. The cyber attacks were made between December 9 and 10 and
involved 5,986 phishing e-mails. According to South Korea’s investigation, the malware
used in the attack is the same malware (“kimsuky”) used by North Korean hackers.
Read the Story: Reuters
ThreatScape®
ACCURACY
JUDGMENT
WITHHELD
iSIGHT PARTNERS ANALYST COMMENT
iSIGHT Partners reported on suspected Chinese cyber espionage actors targeting KHNP in December
2014, utilizing PH_King malware. However, the posting of allegedly exfiltrated documents online and
demanding ransom is inconsistent with such actors and may suggest KHNP was successfully targeted by
multiple groups within the same timeframe. If the actors responsible are carrying out intrusions in
alignment with North Korean state policy, further activity may focus on targets of the current North
Korean regime.
RELATED iSIGHT PARTNERS REPORTS
15-00000128 (Updated Baseline of North Korean Cyber Capabilities), 15 Jan. 2015
15-00000196 (Chinese Espionage Operators Target KHNP), 28 Jan. 2015
Intel-944852 (‘Kimsuky’ Malware Targets South Korean Government, Think Tanks, and Industry), 20
Sept. 2013
MICROSOFT WARNS OF FAKE SSL CERTIFICATE FOR WINDOWS LIVE
FROM THE MEDIA
Microsoft has issued a warning that an SSL certificate for the website, “live.fi” has
been improperly issued and that it could be used to spoof content and conduct manin-the-middle attacks. Allegedly, all versions of Microsoft Windows operating systems
are vulnerable. The fake certificate has been revoked by the certificate authority.
Read the Story: Computer Weekly
ThreatScape®
ACCURACY
MEDIA
ON-TARGET
iSIGHT PARTNERS ANALYST COMMENT
The improperly issued SSL certificate for live.fi has been revoked, and we have no reason to believe that
it has been employed by malicious actors to date. While systems that do not employ automatic updates
(or manually apply update 2917500) may be at risk from this certificate, we suggest the more
concerning aspect of this incident for most enterprise environments is the overall security surrounding
the issuance of certificates.
RELATED iSIGHT PARTNERS REPORTS
Intel-1048155 (Common SSL Validation Failure), 27 Feb. 2014
08-2044 (Example of Another SSL Verification Vulnerability), 31 Aug. 2014
©Copyright 2014. iSIGHT PartnersSM Inc. All Rights Reserved.
ADVANTAGE DENTAL REPORTS HACKER BREACH
FROM THE MEDIA
Advantage Dental has indicated that unnamed actors gained unauthorized access to
its systems between February 23 and 26, resulting in the compromise of over 150,000
patients’ records. The company has notified the affected individuals and indicated
that patients’ names, Social Security numbers and home addresses, among other
information, was compromised.
Read the Story: Register Guard
ThreatScape®
ACCURACY
MEDIA
ON-TARGET
iSIGHT PARTNERS ANALYST COMMENT
Advantage Dental is an Oregon-based dental practice, with more than 20 clinics. Although not a major
breach like those of national retailers, the compromise of 150,000 records will likely enable cyber
criminals to conduct numerous types of fraud, most probably spamming and identity theft. Advantage
Dental was likely an opportunistic compromise. Cybercrime actors often utilize spam services to broadly
target as many potential victims as possible, increasing the likelihood that the infected victims are
valuable targets, such as Advantage Dental.
RELATED iSIGHT PARTNERS REPORTS
15-00000074 (Discussion of High-Level Trends including Breaches in Cyber Crime), 27 Jan. 2015
14-00000170 (Underground Sales during Late 2014 Indicate Databases Remain Valuable), 30 Dec. 2014
RESEARCHERS FIND SAME RSA ENCRYPTION KEY USED 28,000 TIMES
FROM THE MEDIA
More than two weeks after the FREAK flaw was released, 2.2 million hosts are still
accepting 512-bit encryption keys, according to researchers at the University of
London. The researchers also found that 28,394 routers running SSL VPN use the same
512-bit public RSA key. It is possible that the manufacturers involved generated one
key and installed it on many devices.
Read the Story: CSO Online
ThreatScape®
ACCURACY
MEDIA
ON-TARGET
iSIGHT PARTNERS ANALYST COMMENT
Because it improves the ease of exploitation for malicious actors, re-use of keys drastically reduces the
security of cryptographic implementations. Weak cryptography and poor encryption implementation
can severely undermine SSL implementations. A vendor fix is available for the FREAK flaw that would
prevent exploitation of this issue. At this point, iSIGHT Partners is unaware whether malicious actors are
targeting vulnerable networks relying on with these re-used keys.
RELATED iSIGHT PARTNERS REPORTS
ThreatScape Media Highlights (Microsoft Warns PCs are also Vulnerable to 'Freak' Security Flaw), 9
March 2015
15-34130 (Vulnerability Report the “FREAK” Flaw – CVE-2015-0204), 4 March 2015
Intel-1267065 (Similar “POODLE” Attack Method Capable of Exploiting Flaws in SSL 3.0), 15 Oct. 2014
©Copyright 2014. iSIGHT PartnersSM Inc. All Rights Reserved.
GOOGLE APP STORE GETS MORE OVERSIGHT
FROM THE MEDIA
Google apps are now being screened by a new Google team for malware and sexually
explicit material. Additionally, Google will be tightening their age-based rating system.
Prior to this system, Google only used an automated system to screen new apps.
Furthermore, developers will now have to answer special questions to help determine
the age based ratings.
Read the Story: The Verge
ThreatScape®
ACCURACY
MEDIA
ON-TARGET
iSIGHT PARTNERS ANALYST COMMENT
This development will almost certainly contribute to a safer Google Android marketplace. iSIGHT
Partners has previously observed malicious apps available in the Google app store that have bypassed
the marketplace's security checks. The human reviewers will be better able to detect emerging
techniques for evading automatic security scans, such as the use of packers to defeat static analysis.
However, this development may not affect malware that is already hosted in Google Play, as indicated
by the continued presence of previously observed malware.
RELATED iSIGHT PARTNERS REPORTS
Intel-1292224 (Mobile Malware Android.WeChat Highlights Potential Risks from Packing Android
Malware), 20 Nov. 2014
Intel-1239369 (KorBanker Mobile Malware Very Likely Used by Chinese Actors; Highlights Risk Posed by
Third-Party Appstores), 29 Sept. 2014
15-00000624 (Havildar Team Mobile Malware Analysis; Once Available Through Legitimate Channels),
23 Feb. 2015
About this Product
The expert analysts at iSIGHT Partners™ highlight and provide context to current media trends each day
as they analyze and encapsulate the events in cyber security. Topics selected cover a broad array of
cyber threats and are intended to aid readers in framing key publically discussed threats. iSIGHT
Partners does not specifically endorse any third-party claims made in this material or related links, and
the opinions expressed by third parties are theirs alone. The enclosed iSIGHT Partners comments and
accuracy rankings are based on information available at the time of publication, and iSIGHT Partners
reserves the right to hone its analytical perspectives as the threats evolve and as further intelligence is
made available.
Rank
Meaning
ThreatScape®
ACCURACY
This ranking denotes a media trend in which the information reported is generally
verifiable and can be correlated with our additional intelligence sources.
MEDIA
ON-TARGET
©Copyright 2014. iSIGHT PartnersSM Inc. All Rights Reserved.
ThreatScape®
ACCURACY
This ranking refers to a story in which key elements are unsubstantiated or
inaccurate. A story can have a key element which is inaccurate, and the rest
accurate, and still receive the ranking Off Target.
MEDIA
OFF-TARGET
ThreatScape®
ACCURACY
This ranking refers to a story which is complex enough that we cannot validate it in
a short time, or in which the content is on the edge between on and off target.
JUDGMENT
WITHHELD
The accuracy rating is applied through analysis of the data behind each trend based on iSIGHT Partners
closed sources of information. The reason for this rating is so that our readers can quickly be alerted to
trends, which are not yet substantiated or are based on information in conflict with iSIGHT Partners
intelligence.
This document is developed and provided by iSIGHT Partners for direct distribution to your organization.
Re-distribution or publication outside of your organization is not permitted without the expressed
written permission of iSIGHT Partners. For more information on these highlights or other details on
iSIGHT Partners products, please contact info@isightpartners.com or +1-214-731-4585.
If you would like to stop receiving the ThreatScape® l Media Highlights, please reply to this report and at
the top of the reply state “Please unsubscribe.”
©Copyright 2014. iSIGHT PartnersSM Inc. All Rights Reserved.