Threat Intelligence Blog

This weekly brief highlights the latest threat intelligence news to provide insight into the latest threats to various industries.

Information Security Risk

“A Chinese phone manufacturer admitted it had been breached back in November and that as many as 40,000 of its customers could’ve had their credit card information stolen. The news came after a week in which hundreds of customers reported fraud on their accounts after paying over the manufacturer’s website. A U.K.-based cybersecurity company detailed some security failings on the site. After an investigation and a temporary block enforced on credit card payments, the manufacturer determined hackers had broken into its website server and installed malicious JavaScript code that would grab credit card data once it was entered.”

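The skimmer in the item above was JavaScript planted in the merchant's own payment page, so one cheap defensive control is a baseline inventory of the scripts that page is supposed to carry, re-checked on every deploy or on a schedule. The following is an added example written for this brief; it is not code from the original post or from the affected manufacturer. The shop host `shop.example`, the allowed script hosts, the page contents and the baseline digests are all constructed for illustration.

```python
"""Checkout-page script inventory check (added example; constructed inputs)."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_checkout_scripts(html, page_host, allowed_hosts, known_inline_digests):
    """Return a list of (finding, detail) for scripts not in the baseline.

    Relative script URLs resolve to page_host. Any external script on a host
    that is not allow-listed, and any inline script whose SHA-256 digest is
    not in the baseline, is reported. An empty list means the page matches.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname or page_host
        if host not in allowed_hosts:
            findings.append(("unexpected-external-script", src))
    for body in collector.inline:
        digest = sha256_hex(body)
        if digest not in known_inline_digests:
            findings.append(("unknown-inline-script", digest))
    return findings


# Constructed baseline for a hypothetical shop at shop.example.
PAGE_HOST = "shop.example"
ALLOWED_SCRIPT_HOSTS = {"shop.example", "js.payments.example"}
LEGIT_INLINE = 'window.checkoutSession = "constructed-session-id";'
KNOWN_INLINE_DIGESTS = {sha256_hex(LEGIT_INLINE)}

# Constructed page as deployed: matches the baseline exactly.
CLEAN_PAGE = (
    "<html><head>"
    '<script src="/static/checkout.js"></script>'
    '<script src="https://js.payments.example/v1/card.js"></script>'
    "<script>" + LEGIT_INLINE + "</script>"
    "</head><body><form id='card'></form></body></html>"
)

# Constructed tampered page: one extra external script and one extra inline block.
TAMPERED_PAGE = CLEAN_PAGE.replace(
    "</head>",
    '<script src="https://stats.injected.invalid/t.js"></script>'
    "<script>/* constructed stand-in for an injected script */</script>"
    "</head>",
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(name, audit_checkout_scripts(page, PAGE_HOST, ALLOWED_SCRIPT_HOSTS, KNOWN_INLINE_DIGESTS))
```

In practice the page would be fetched from the live site rather than embedded, and the baseline refreshed from the deployment pipeline; the check is deliberately strict, so an unreviewed change to a legitimate inline script also fires and has to be re-baselined.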
“A Reuters investigation has found that major global technology providers SAP (SAPG.DE), Symantec (SYMC.O), and McAfee have allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government. U.S. lawmakers and security experts said that the practice potentially jeopardizes the security of computer networks in at least a dozen federal agencies. Reuters already revealed in October that Hewlett Packard Enterprise (HPE.N) software known as ArcSight, used to help secure the Pentagon’s computers, had been reviewed by a Russian military contractor with close ties to Russia’s security services. This last investigation shows that the potential risks to the U.S. government from Russian source code reviews are more widespread.”

Operational Risk

“A new ransomware that only accepts Monero for payment has emerged, attempting to trick victims by masquerading as a password-protected storage mechanism for SpriteCoin. SpriteCoin doesn’t exist, however – it’s a fictional cryptocurrency. According to security researchers, the malware claims to be a wallet and asks the user to create their desired password. It doesn’t actually download a blockchain, however; rather, it secretly encrypts the victim’s data files and then demands a ransom in Monero cryptocurrency. The use of Monero, an open source cryptocurrency created in 2014, signals a shift away from the widely used and accepted standard Bitcoin in the ransomware space.”

Infosecurity Magazine

“Hancock Health, headquartered in Greenfield, Indiana, was infected with the SamSam ransomware. This past weekend, Allscripts — a major electronic health record (EHR) company headquartered in Chicago, IL — confirmed that it had also been hit by ransomware, which it described as a SamSam (also known as Samas) variant. The methodologies employed in each attack are different. SamSam is not usually delivered by email phishing. It is more usually introduced after the target has already been breached. This method was described in the Threat Report: “In the case of SamSam (Ransom.SamSam) the attackers’ initial point of entry was a public-facing web server. They exploited an unpatched vulnerability to compromise the server and get a foothold on the victim’s network.” This bears a strong similarity to what we know about the attack against Hancock Health, Greenfield, disclosed last week. The Greenfield Reporter wrote, “…the hacker gained access to the system by using the hospital’s remote-access portal, logging in with an outside vendor’s username and password. The attack was not the result of an employee opening a malware-infected email.” On Jan. 15, Hancock released a statement saying, “At approximately 9:30 PM on Thursday, January 11, 2018, an attack on the information systems of Hancock Health was initiated by an as-yet unidentified criminal group.” One day later it announced that it had decided to pay the ransom. CEO Steve Long said, “Restoring from backup was considered, though we made the deliberate decision to pay the ransom to expedite our return to full operations.” Payment was made on Friday, January 12, and, “By Monday, January 15, 2018, critical systems were restored to normal production levels and the hospital was back online.” Long notes that when the hospital made the business decision to pay the ransom (set at 4 bitcoins, thought to be worth $55,000 at the time), the hospital believed that it could recover its files from backup, but that the time and cost involved made it more efficient to pay the ransom.”

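Both entry paths described in the item above (a public-facing server, and a remote-access portal reached with a third party's credentials) leave traces in authentication logs long before files are encrypted, and a vendor account that is used from an unexpected network, outside its agreed maintenance window, or right after a string of failed attempts is exactly what a hospital's security team would want surfaced. The following is an added example written for this brief, not code from the original post, from Hancock Health or from any vendor it names; the log format, the vendor account name, the address ranges and the maintenance-window policy are constructed.

```python
"""Vendor remote-access login review (added example; constructed log and policy)."""
import ipaddress
from datetime import datetime

# Constructed policy: each governed vendor account may log in only from its
# published address range and within its agreed window (local hours, Mon-Fri).
VENDOR_POLICY = {
    "vendor-ehr-support": {"ranges": ["198.51.100.0/24"], "window": (8, 18)},
}
FAILED_BURST_THRESHOLD = 5  # consecutive failures before a success worth flagging

# Constructed portal log in a simple "timestamp key=value ..." format.
SAMPLE_LOG = """\
2018-01-10T10:12:03 user=vendor-ehr-support src=198.51.100.17 result=success
2018-01-11T21:28:40 user=vendor-ehr-support src=203.0.113.45 result=failure
2018-01-11T21:28:52 user=vendor-ehr-support src=203.0.113.45 result=failure
2018-01-11T21:29:10 user=vendor-ehr-support src=203.0.113.45 result=failure
2018-01-11T21:29:31 user=vendor-ehr-support src=203.0.113.45 result=failure
2018-01-11T21:29:49 user=vendor-ehr-support src=203.0.113.45 result=failure
2018-01-11T21:30:05 user=vendor-ehr-support src=203.0.113.45 result=success
2018-01-12T03:14:00 user=vendor-ehr-support src=198.51.100.17 result=success
2018-01-12T09:00:00 user=jdoe src=10.0.0.5 result=success
2018-01-13T10:00:00 user=vendor-ehr-support src=198.51.100.17 result=success
"""


def parse_line(line):
    """Parse one log line into a dict with a datetime under 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%S")
    return rec


def in_window(ts, window):
    """True if ts falls on a weekday inside the [start, end) hour window."""
    start, end = window
    return ts.weekday() < 5 and start <= ts.hour < end


def in_ranges(src, ranges):
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def review_vendor_logins(log_text, policy=VENDOR_POLICY, burst=FAILED_BURST_THRESHOLD):
    """Return one alert per successful vendor login that breaks policy.

    Accounts not in the policy are ignored here (they would be reviewed under
    a different rule set). Failures are only counted, and the counter resets
    on the next success so a burst is attributed to the login it preceded.
    """
    alerts = []
    failures = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user = rec["user"]
        if user not in policy:
            continue
        if rec["result"] != "success":
            failures[user] = failures.get(user, 0) + 1
            continue
        reasons = []
        if not in_ranges(rec["src"], policy[user]["ranges"]):
            reasons.append(f"source {rec['src']} outside vendor range")
        if not in_window(rec["ts"], policy[user]["window"]):
            reasons.append("outside maintenance window")
        n = failures.pop(user, 0)
        if n >= burst:
            reasons.append(f"success after {n} failed attempts")
        if reasons:
            alerts.append({"ts": rec["ts"].isoformat(), "user": user,
                           "src": rec["src"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in review_vendor_logins(SAMPLE_LOG):
        print(alert["ts"], alert["user"], alert["src"], "; ".join(alert["reasons"]))
```

On the constructed log this yields three alerts: the late-evening success from an address outside the vendor's range that follows five failures, and two logins from the right range but outside the window (one at 03:14, one on a Saturday). The same shape works for a web server's access or authentication log with a different parser; the point is that the policy for third-party access is written down and checked mechanically rather than assumed.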