This weekly brief highlights the latest threat intelligence news to provide insight into the latest threats to various industries.
Information Security Risk
“A Reuters investigation has found that major global technology providers SAP (SAPG.DE), Symantec (SYMC.O), and McAfee have allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government. U.S. lawmakers and security experts said that the practice potentially jeopardizes the security of computer networks in at least a dozen federal agencies. Reuters already revealed in October that Hewlett Packard Enterprise (HPE.N) software known as ArcSight, used to help secure the Pentagon’s computers, had been reviewed by a Russian military contractor with close ties to Russia’s security services. This latest investigation shows that the potential risks to the U.S. government from Russian source code reviews are more widespread.”
“A new ransomware that only accepts Monero for payment has emerged, attempting to trick victims by masquerading as a password-protected storage mechanism for SpriteCoin. SpriteCoin doesn’t exist, however – it’s a fictional cryptocurrency. According to security researchers, the malware claims to be a wallet and asks the user to create their desired password. It doesn’t actually download a blockchain, however; rather, it secretly encrypts the victim’s data files and then demands a ransom in Monero cryptocurrency. The use of Monero, an open source cryptocurrency created in 2014, signals a shift away from the widely used and accepted standard Bitcoin in the ransomware space.”
“Hancock Health, headquartered in Greenfield, Indiana, was infected with the SamSam ransomware. This past weekend, Allscripts — a major electronic health record (EHR) company headquartered in Chicago, IL — confirmed that it had also been hit by ransomware, which it described as a SamSam (also known as Samas) variant. The methodologies employed in each attack are different. SamSam is not usually delivered by email phishing. It is more usually introduced after the target has already been breached. This method was described in the Threat Report: ‘In the case of SamSam (Ransom.SamSam) the attackers’ initial point of entry was a public-facing web server. They exploited an unpatched vulnerability to compromise the server and get a foothold on the victim’s network.’ This bears a strong similarity to what we know about the attack against Hancock Health, Greenfield, disclosed last week. The Greenfield Reporter wrote, ‘…the hacker gained access to the system by using the hospital’s remote-access portal, logging in with an outside vendor’s username and password. The attack was not the result of an employee opening a malware-infected email.’ On Jan. 15, Hancock released a statement saying, ‘At approximately 9:30 PM on Thursday, January 11, 2018, an attack on the information systems of Hancock Health was initiated by an as-yet unidentified criminal group.’ One day later it announced that it had decided to pay the ransom.
CEO Steve Long said, ‘Restoring from backup was considered, though we made the deliberate decision to pay the ransom to expedite our return to full operations.’ Payment was made on Friday, January 12, and, ‘By Monday, January 15, 2018, critical systems were restored to normal production levels and the hospital was back online.’ Long notes that when the hospital made the business decision to pay the ransom (set at 4 bitcoins, thought to be worth $55,000 at the time), the hospital believed that it could recover its files from backup, but that the time and cost involved made it more efficient to pay the ransom.”