Wednesday, 18 March 2015

PREMERA BLUE CROSS BREACHED, MEDICAL INFORMATION EXPOSED

FROM THE MEDIA
Premera Blue Cross announced yesterday that it had been breached, affecting 11 million customers. According to the news release, personal information including names, addresses and other contact information was compromised. Clinical records and data may also have been accessed. Premera Blue Cross is a healthcare provider concentrated in the US Pacific Northwest region.
Read the Story: Reuters

ThreatScape® ACCURACY: JUDGMENT WITHHELD

iSIGHT PARTNERS ANALYST COMMENT
The Premera Blue Cross breach was reportedly first discovered on January 29, 2015, two days after Anthem, Inc. discovered it had been compromised by cyber espionage actors. The Anthem incident leveraged Derusbi malware which communicated with the domain we11point.com (similar to Anthem's previous name, "WellPoint"). iSIGHT Partners has identified a suspicious domain, "prennera.com", which is likely a spoof of Premera, and a malicious payload signed with the same digital certificate as malware from the Anthem hack. The domain "prennera.com" was registered on December 9, 2013, and the malicious payload identified was compiled on December 7, 2013. Additionally, one sample related to the Anthem compromise was compiled on December 20, 2013. The similarities in the timeline, combined with the use of the same code-signing certificate, suggest that the same threat actor was responsible for both compromises.

RELATED iSIGHT PARTNERS REPORTS
Intel-1346271 (Cyber Espionage Operators Breached Anthem, Inc. in Long Running Campaign), 10 Feb. 2015
15-00000396 (Anthem Health Insurance Previously Compromised by Identified Malicious Activity), 5 Feb. 2015

©Copyright 2014. iSIGHT Partners℠ Inc. All Rights Reserved.

SOUTH KOREA BLAMES NORTH KOREA FOR DECEMBER HACK ON NUCLEAR OPERATOR

FROM THE MEDIA
South Korea has blamed North Korea for December cyber attacks against its nuclear reactor operator. The cyber attacks were made between December 9 and 10 and involved 5,986 phishing e-mails. According to South Korea's investigation, the malware used in the attack is the same malware ("kimsuky") used by North Korean hackers.
Read the Story: Reuters

ThreatScape® ACCURACY: JUDGMENT WITHHELD

iSIGHT PARTNERS ANALYST COMMENT
iSIGHT Partners reported on suspected Chinese cyber espionage actors targeting KHNP in December 2014, utilizing PH_King malware. However, the posting of allegedly exfiltrated documents online and the demanding of ransom are inconsistent with such actors and may suggest KHNP was successfully targeted by multiple groups within the same timeframe. If the actors responsible are carrying out intrusions in alignment with North Korean state policy, further activity may focus on targets of the current North Korean regime.

RELATED iSIGHT PARTNERS REPORTS
15-00000128 (Updated Baseline of North Korean Cyber Capabilities), 15 Jan. 2015
15-00000196 (Chinese Espionage Operators Target KHNP), 28 Jan. 2015
Intel-944852 ('Kimsuky' Malware Targets South Korean Government, Think Tanks, and Industry), 20 Sept. 2013

MICROSOFT WARNS OF FAKE SSL CERTIFICATE FOR WINDOWS LIVE

FROM THE MEDIA
Microsoft has issued a warning that an SSL certificate for the website "live.fi" has been improperly issued and that it could be used to spoof content and conduct man-in-the-middle attacks. Allegedly, all versions of Microsoft Windows operating systems are vulnerable. The fake certificate has been revoked by the certificate authority.
Read the Story: Computer Weekly

ThreatScape® ACCURACY: MEDIA ON-TARGET

iSIGHT PARTNERS ANALYST COMMENT
The improperly issued SSL certificate for live.fi has been revoked, and we have no reason to believe that it has been employed by malicious actors to date.
While systems that do not employ automatic updates (or that have not manually applied update 2917500) may be at risk from this certificate, we suggest the more concerning aspect of this incident for most enterprise environments is the overall security surrounding the issuance of certificates.

RELATED iSIGHT PARTNERS REPORTS
Intel-1048155 (Common SSL Validation Failure), 27 Feb. 2014
08-2044 (Example of Another SSL Verification Vulnerability), 31 Aug. 2014

ADVANTAGE DENTAL REPORTS HACKER BREACH

FROM THE MEDIA
Advantage Dental has indicated that unnamed actors gained unauthorized access to its systems between February 23 and 26, resulting in the compromise of over 150,000 patients' records. The company has notified the affected individuals and indicated that patients' names, Social Security numbers and home addresses, among other information, were compromised.
Read the Story: Register Guard

ThreatScape® ACCURACY: MEDIA ON-TARGET

iSIGHT PARTNERS ANALYST COMMENT
Advantage Dental is an Oregon-based dental practice with more than 20 clinics. Although not a major breach like those of national retailers, the compromise of 150,000 records will likely enable cyber criminals to conduct numerous types of fraud, most probably spamming and identity theft. Advantage Dental was likely an opportunistic compromise. Cybercrime actors often utilize spam services to target as many potential victims as possible, increasing the likelihood that some of the infected victims are valuable targets, such as Advantage Dental.

RELATED iSIGHT PARTNERS REPORTS
15-00000074 (Discussion of High-Level Trends including Breaches in Cyber Crime), 27 Jan. 2015
14-00000170 (Underground Sales during Late 2014 Indicate Databases Remain Valuable), 30 Dec. 2014

RESEARCHERS FIND SAME RSA ENCRYPTION KEY USED 28,000 TIMES

FROM THE MEDIA
More than two weeks after the FREAK flaw was disclosed, 2.2 million hosts are still accepting 512-bit encryption keys, according to researchers at the University of London. The researchers also found that 28,394 routers running SSL VPN use the same 512-bit public RSA key. It is possible that the manufacturers involved generated one key and installed it on many devices.
Read the Story: CSO Online

ThreatScape® ACCURACY: MEDIA ON-TARGET

iSIGHT PARTNERS ANALYST COMMENT
Because it improves the ease of exploitation for malicious actors, re-use of keys drastically reduces the security of cryptographic implementations: once one shared private key is recovered, every device carrying that key is exposed. Weak cryptography and poor encryption implementation can severely undermine SSL implementations. A vendor fix is available for the FREAK flaw that would prevent exploitation of this issue. At this point, iSIGHT Partners is unaware whether malicious actors are targeting vulnerable networks relying on these re-used keys.

RELATED iSIGHT PARTNERS REPORTS
ThreatScape Media Highlights (Microsoft Warns PCs are also Vulnerable to 'Freak' Security Flaw), 9 March 2015
15-34130 (Vulnerability Report: the "FREAK" Flaw, CVE-2015-0204), 4 March 2015
Intel-1267065 (Similar "POODLE" Attack Method Capable of Exploiting Flaws in SSL 3.0), 15 Oct. 2014

GOOGLE APP STORE GETS MORE OVERSIGHT

FROM THE MEDIA
Google apps are now being screened by a new Google team for malware and sexually explicit material. Additionally, Google will be tightening its age-based rating system. Prior to this system, Google used only an automated system to screen new apps. Furthermore, developers will now have to answer special questions to help determine the age-based ratings.
Read the Story: The Verge

ThreatScape® ACCURACY: MEDIA ON-TARGET

iSIGHT PARTNERS ANALYST COMMENT
This development will almost certainly contribute to a safer Google Android marketplace.
iSIGHT Partners has previously observed malicious apps available in the Google app store that have bypassed the marketplace's security checks. The human reviewers will be better able to detect emerging techniques for evading automatic security scans, such as the use of packers to defeat static analysis. However, this development may not affect malware that is already hosted in Google Play, as indicated by the continued presence of previously observed malware.

RELATED iSIGHT PARTNERS REPORTS
Intel-1292224 (Mobile Malware Android.WeChat Highlights Potential Risks from Packing Android Malware), 20 Nov. 2014
Intel-1239369 (KorBanker Mobile Malware Very Likely Used by Chinese Actors; Highlights Risk Posed by Third-Party Appstores), 29 Sept. 2014
15-00000624 (Havildar Team Mobile Malware Analysis; Once Available Through Legitimate Channels), 23 Feb. 2015

About this Product
The expert analysts at iSIGHT Partners™ highlight and provide context to current media trends each day as they analyze and encapsulate the events in cyber security. Topics selected cover a broad array of cyber threats and are intended to aid readers in framing key publicly discussed threats. iSIGHT Partners does not specifically endorse any third-party claims made in this material or related links, and the opinions expressed by third parties are theirs alone. The enclosed iSIGHT Partners comments and accuracy rankings are based on information available at the time of publication, and iSIGHT Partners reserves the right to hone its analytical perspectives as the threats evolve and as further intelligence is made available.

Rank / Meaning

ThreatScape® ACCURACY: This ranking denotes a media trend in which the information reported is generally verifiable and can be correlated with our additional intelligence sources. Rank: MEDIA ON-TARGET

ThreatScape® ACCURACY: This ranking refers to a story in which key elements are unsubstantiated or inaccurate.
A story can have a key element which is inaccurate, and the rest accurate, and still receive the ranking Off Target. Rank: MEDIA OFF-TARGET

ThreatScape® ACCURACY: This ranking refers to a story which is complex enough that we cannot validate it in a short time, or in which the content is on the edge between on and off target. Rank: JUDGMENT WITHHELD

The accuracy rating is applied through analysis of the data behind each trend, based on iSIGHT Partners' closed sources of information. The reason for this rating is so that our readers can quickly be alerted to trends which are not yet substantiated or are based on information in conflict with iSIGHT Partners intelligence.

This document is developed and provided by iSIGHT Partners for direct distribution to your organization. Re-distribution or publication outside of your organization is not permitted without the express written permission of iSIGHT Partners. For more information on these highlights or other details on iSIGHT Partners products, please contact info@isightpartners.com or +1-214-731-4585. If you would like to stop receiving the ThreatScape® Media Highlights, please reply to this report and at the top of the reply state "Please unsubscribe."
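Returning to the RSA key re-use item above: the two conditions the researchers reported, keys that are still export-grade 512-bit and one key appearing on thousands of devices, are both things a defender can check across an inventory of their own endpoints. The following is an added example (not iSIGHT Partners' code, and not the University of London researchers' tooling) of such an audit in Python using only the standard library. The host names and the RSA moduli are constructed for the demonstration; a real run would take the moduli from the certificates presented during the TLS handshake, and the 2048-bit policy floor is an assumed local policy.

```python
"""Audit an endpoint inventory for RSA public keys that are too short or
shared across devices. Added example; hosts and moduli are constructed."""
import hashlib
from collections import defaultdict

MIN_RSA_BITS = 2048   # assumed policy floor; 512-bit is the FREAK-era export grade
RSA_EXPONENT = 65537  # assumed public exponent for the fingerprint


def fake_modulus(seed: str, bits: int) -> int:
    """Deterministic pseudo-modulus of exactly `bits` bits, derived from a seed.
    This is a constructed stand-in for a key pulled from a certificate, NOT a
    real RSA modulus; only its bit length and identity matter to the audit."""
    buf = b""
    while len(buf) * 8 < bits:
        buf += hashlib.sha256(buf + seed.encode()).digest()
    n = int.from_bytes(buf, "big") & ((1 << bits) - 1)
    return n | (1 << (bits - 1)) | 1   # force the top bit and make it odd


# Constructed inventory: (hostname, modulus). The three VPN gateways share a
# key baked into the same firmware image, mirroring the routers in the story.
INVENTORY = [
    ("vpn-a.example", fake_modulus("vendor-x-firmware", 512)),
    ("vpn-b.example", fake_modulus("vendor-x-firmware", 512)),
    ("vpn-c.example", fake_modulus("vendor-x-firmware", 512)),
    ("www.example", fake_modulus("unique-www", 2048)),
    ("mail.example", fake_modulus("unique-mail", 1024)),
    ("api.example", fake_modulus("unique-api", 4096)),
]


def key_fingerprint(n: int, e: int = RSA_EXPONENT) -> str:
    """SHA-256 over (modulus, exponent): identical keys collide regardless of host."""
    blob = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")
    return hashlib.sha256(blob).hexdigest()


def audit(inventory, min_bits: int = MIN_RSA_BITS):
    """Return (weak, shared).

    weak:   {host: bits} for every key below the policy floor.
    shared: {fingerprint: [hosts]} for every key seen on more than one host."""
    weak = {}
    by_fingerprint = defaultdict(list)
    for host, n in inventory:
        bits = n.bit_length()
        if bits < min_bits:
            weak[host] = bits
        by_fingerprint[key_fingerprint(n)].append(host)
    shared = {fp: hosts for fp, hosts in by_fingerprint.items() if len(hosts) > 1}
    return weak, shared


if __name__ == "__main__":
    weak, shared = audit(INVENTORY)
    for host, bits in sorted(weak.items()):
        print(f"WEAK   {host}: {bits}-bit RSA (policy floor {MIN_RSA_BITS})")
    for fp, hosts in shared.items():
        print(f"SHARED {fp[:16]}... present on {len(hosts)} hosts: {', '.join(hosts)}")
```

The fingerprint groups hosts by key rather than by certificate, which is the check that matters here: a vendor that re-issues certificates per device but leaves the key pair in the firmware would pass a certificate-serial comparison and still fail this one. Hosts that show up under both findings (short and shared) are the ones to rotate first.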