• Senator Seeks Input on Health Care Cyber Strategy
    Sen. Mark Warner, D-Va., is on a mission to strengthen the cybersecurity posture of the nation’s health care sector and is starting by soliciting feedback from the sector itself. The senator sent a letter to 12 health care organizations, including hospital and insurance associations and the cybersecurity information sharing and analysis organizations, or ISAOs, that cover the medical industry. “I would like to work with you and other industry stakeholders to develop a short- and long-term strategy for reducing cybersecurity vulnerabilities in the health care sector,” Warner wrote. The most high-profile attack on the health sector to date, the 2017 WannaCry ransomware worm, took hospitals and health networks offline in the United Kingdom, among other far-reaching disruptions. A study by Accenture in the same year pegged the total cost of cyberattacks against health care providers at more than $305 billion over five years, he noted. “Despite past breaches, private and public sector security experts have observed that our nation’s vast health care economy is still fraught with cybersecurity vulnerabilities.”
  • Warning Issued Over Attacks on Internet Infrastructure
    Key parts of the internet infrastructure face large-scale attacks that threaten the global system of web traffic, the internet's address keeper warned Friday. ICANN specialists and others say these attacks have the potential to snoop on data along the way, sneakily send the traffic elsewhere, or enable the attackers to impersonate or "spoof" critical websites. The list of targets included website registrars and internet service providers, particularly in the Middle East. The attack itself is technically simple, but its scope and targeting of internet service providers along with large government entities made it "a big deal," according to Meyers. DNSSEC can also prevent internet users from being misdirected from intended websites, according to ICANN. "It aims to assure that Internet users reach their desired online destination by helping to prevent so-called 'man in the middle' attacks where a user is unknowingly re-directed to a potentially malicious site," ICANN said in the release.
  • Sydney Airport Gets 24/7 SOC
    Sydney Airport is preparing to open a new 24/7 Security Operations Center (SOC) to mitigate the growing risk of data and information security threats. The organization revealed the news in its annual report, claiming the first phase of the SOC, also described as a “Security Control Centre,” would be complete by April 2019 in concert with an unnamed managed security services provider. “With the security threat landscape evolving rapidly, we have continued to focus on managing current and emerging cyber risks. A refreshed Information and Cyber Security 2020 strategy has been at the center of our cyber programs to drive security governance, improved maturity levels, and stronger user awareness via security culture campaigns,” the report said. “We work closely with the Australian government via the Joint Cyber Security Centre (JCSC) and are partnering with the Aviation Information Sharing and Analysis Centre (ISAC) on global aviation cyber security intelligence.” Also last year, a New South Wales firm that issues aviation security identity cards was hacked, leading to concerns that security at Australia’s airports may have been compromised.
  • Trojan Attack Masked as Payment Confirmation
    A sophisticated attack is evading detection by using a rapidly changing Trojan attack pattern, according to researchers at GreatHorn. The research team identified what it called a widespread Trojan pattern that uses many different subject lines, email bodies, email addresses, display name spoofs and destination URLs to disguise itself as a confirmation of a paid invoice. The lack of the consistency found in a typical volumetric attack makes this threat sophisticated because it is more difficult for email security tools to identify and block, researchers said. In addition, the Trojan appears to be using email addresses from compromised accounts in some cases, while in others the threat spoofs the name of an employee in the target company or uses an unrelated name combined with the email address of a compromised account. What is understood so far about the Trojan is that the initial point of infection is a phishing email sent to employees, often with the display name of a fellow employee but using an external email address from what appears to be one of several compromised accounts, according to the research team.
  • The Advanced Persistent Threat Files: APT1
    As a refresher, APTs are prolonged, aimed attacks on specific targets with the intention to compromise their systems and gain information from or about that target. While the targets may be anyone or anything (a person, business, or other organization), APTs are often associated with government or military operations, as they tend to be the organizations with the resources necessary to conduct such an attack. (Note: These groups have a panoply of different names, but for simplicity’s sake, we’re going to borrow Mandiant’s naming conventions for Chinese groups.) Targeting industries noted as internal development areas by China’s 12th Five-Year Plan, APT1 was notable in contrast to more familiar threat groups for its persistence (average observed persistence on target was 356 days) and its ability to compromise a target using multiple attack vectors.
  • ECS Wins a $38 Million Contract to Secure FBI Networks
    The FBI on Wednesday announced it would reboot a nearly $38 million deal with ECS Federal to strengthen the bureau’s cyber defenses. Under the contract, the company will be responsible for standing up and running two initiatives within the FBI Cybersecurity Operations Unit: the Cybersecurity Red and Blue Team program, or REBL, and the Enterprise Compliance and Continuous Monitoring Support program. Both efforts aim to build teams of cyber experts to bolster the bureau’s networks against internal and external threats. “We are proud to provide the skills, knowledge, and creativity needed to secure the systems and networks of the FBI,” ECS President and CEO George Wilson said in a statement. For the REBL program, ECS will deploy a team of cyber specialists to scour FBI networks for vulnerabilities and respond to threats. Under the Enterprise Compliance and Continuous Monitoring Support program, the company will staff and support a group to regularly assess the latest threats to FBI networks and manage the bureau’s cyber infrastructure and operations.
  • Tax Returns Exposed in TurboTax Credential Stuffing Attacks
    Financial software company Intuit discovered that tax return information was accessed by an unauthorized party after an undisclosed number of TurboTax tax preparation software accounts were breached in a credential stuffing attack. In a credential stuffing attack, attackers compile usernames and passwords leaked in previous security breaches and use those credentials to try to gain access to accounts at other sites. In the notice of data breach sent to the TurboTax users impacted by this security breach incident, Intuit says that: Following the discovery of the security breach, Intuit decided to temporarily disable the TurboTax accounts that were breached in the credential stuffing attack. TurboTax users whose accounts were temporarily deactivated have to contact Intuit's Customer Care department at 1-800-944-8596 and say "Security" when prompted, after which Intuit employees will walk them through an identity verification procedure designed to reactivate their accounts.
  • Russian national, author of NeverQuest banking trojan, pleads guilty
    More specifically, DOJ officials say Lisov was responsible for renting and then managing the servers that supported the NeverQuest trojan's backbone, the servers to which infected computers would connect to get instructions and send stolen information. US authorities say Lisov worked on NeverQuest between June 2012 and January 2015, defrauded banks of around $855,000 by emptying user accounts, and also attempted to sell the information he gathered from some of his victims. Lisov's guilty plea today represents the last phase of an investigation into NeverQuest trojan operations that US authorities started back in 2014. The investigation broke through when authorities identified and seized NeverQuest servers located in France and Germany, which Lisov was managing and where they found data stolen from infected victims. At the time of Lisov's arrest, NeverQuest was one of the larger and more active banking trojans. Months after Lisov's arrest, NeverQuest activity took a nose dive.
  • Office 365 Phishing Page Comes with Live Chat Support
    Security researcher Justin Miller, the author of the Phishing Kit Tracker, a collection of emails from 500 phishing kits, says that he has probably seen fewer than ten cases of phishing where chat was available. Probably in an effort to compensate for the lack of professionalism, the fraudsters integrated live chat support into the page using the legitimate chat software tawk.to to provide a fake customer support service. Scammer banned, gets new chat account: Gillespie's interaction with the fake Microsoft support staff member ended abruptly. "This site is a phishing scam." After this, the scammer closed the chat. Gillespie reported the scammer to the Tawk.to chat service, which said in a tweet that it had silenced them, at least on the phishing site, by banning their account. Gillespie captured a snapshot of the chat screen showing his attempt to poke fun at the fraudster, but it looks like the researcher's hints were too subtle, as the interaction continued after he gave an obviously fake name.
  • New Malware Campaign Targets Job Seekers
    LinkedIn profiles provide a persistent, patient threat actor with the information required to craft spear-phishing messages. The actor targets the potential victim through LinkedIn direct messaging, builds rapport, and then follows up through fake websites stuffed with malicious links, email with malware payloads, or both. The malicious payloads are not unique to the campaign: More_eggs is a JScript downloader, while VenomKit and Taurus Builder are malware builders that their developers have made available for purchase. In addition, the threat actor in these campaigns is showing early signs of moving beyond the basic malware loaded in these instances to more advanced RATs, banking credential skimmers, and other malware.