This weekly brief highlights recent threat intelligence news to provide insight into the latest threats to various industries.
Information Security Risk
“A new variant of the Satori botnet has sprung back to life, and this one is hacking into mining rigs and replacing the device owner’s mining credentials with the attacker’s own. Analysis of the malware’s code suggests the same person behind the original Satori bot is behind this new wave as well. Now, almost three weeks after the botnet went silent, researchers have spotted a new Satori variant. “The infection speed is much slower,” a researcher said. This new version keeps the old exploits, but also adds another one. The third exploit was a total surprise for researchers because it did not target IoT and networking devices, like previous Satori payloads.”
Insurance + Healthcare
“Hancock Health was recently targeted with a SamSam ransomware infection. A hacker used an administrative account set up by one of the hospital’s vendors to gain unauthorized access to a system managed by the vendor and infected its systems with the ransomware. After payment of four Bitcoins, worth approximately $55,000, the files were released, and hospital operations were restored.”
“A new variant of the disk-wiper malware known as KillDisk has been spotted by security firm researchers in attacks aimed at financial organizations in Latin America. The security firm is in the process of examining the new variant and the attacks, but an initial analysis showed that the Trojan appears to be delivered by a different piece of malware or it may be part of a bigger attack. The latest variant, tracked as TROJ_KILLDISK.IUB, goes back to its roots and focuses on deleting files and wiping the disk. The malware, designed to target Windows systems, goes through all drives in order to delete files, except for system files and folders. It then proceeds to wipe the disk, which includes reading the master boot record (MBR) and overwriting the extended boot record (EBR). The file removal and disk wiping procedures involve overwriting files and disk sectors in order to make recovery more difficult.”
“Another site in the booming cryptocurrency wallet sector has been hacked after what looks like a DNS hijacking attack. The victim this time is BlackWallet, whose users reportedly lost 670,000 of a currency called Stellar Lumens (XLMs) worth around $425,000 at the point they were stolen on the afternoon of 13 January. News that something was amiss first emerged in a Reddit posting claiming to be from the site’s admin. The stolen XLMs were reportedly siphoned off to the Bittrex cryptocurrency exchange, before (most likely) being laundered into another cryptocurrency. Once they have control over any domain, attackers clearly have a lot of power to manipulate, monitor or redirect users logging in, but the deeper question always comes down to how they got this far. The person claiming to be BlackWallet’s admin mentions that the attacker accessed the site’s hosting provider account, which could have happened in one of two ways. Either the attackers got hold of the credentials through some kind of remote compromise or had the account reset by tricking staff at the DNS hosting provider. The defence against this is to identify people claiming to be account holders using a combination of multi-factor authentication and phone call checks to more than one registered number. The lack of these checks – and other weaknesses in credential security – has led to a series of attacks on cryptocurrency wallets using DNS hosting as a convenient backdoor. Just before Christmas, currency exchange EtherDelta suffered a reported DNS takeover – the consequences of which are still not clear. Similarly, last July Classic Ether Wallet users lost money to attackers who it was suggested had phoned up the German hosting company and passed themselves off as legitimate.”