Forescout Cyber Weekly Roundup
November 11, 2019

David Wolf | November 11, 2019

Automated Threats

Remote Desktop Protocol (RDP) leads to major BitPaymer exploits—Windows Server 2012 BlueKeep vulnerability suspected as the way in: Everis, one of the largest managed service providers in Spain, was hit by what appears to be a BitPaymer ransomware attack. Its network connection was allegedly cut off by its ISP to stop the spread of the malicious code, and the company warned its associates to keep their PCs off – which gives a pretty grim picture of the consequences that follow these attacks. On the same day, Spain’s largest radio network was also hit by BitPaymer – and sources claim the attack was possible thanks to the BlueKeep RDP vulnerability. Cybercriminals are increasingly turning to BitPaymer thanks to its string of successes in extracting ransom payments. As noted in our recent Cyber Roundup, multiple targets are falling regularly to BitPaymer-based attacks.

https://arstechnica.com/information-technology/2019/11/spanish-companies-networks-shut-down-as-result-of-ransomware/

Operational Technology / Industrial Control Systems

Product security is hard: It’s 2019 and we still have undocumented admin backdoors in new industrial PLCs. Some recent models of programmable logic controllers manufactured by Siemens shipped with backdoors that could allow attackers to bypass the bootloader and inject malicious code directly into the devices. Siemens is aware of the issue and plans to plug the hole, although it is still unknown whether software updates will be enough without an underlying hardware fix. ProdSec is hard – even Siemens, with its best-in-class ProductCERT team and newly built layers of security controls, is still designing, developing, and deploying critical hardware with secret, undocumented backdoors.

https://www.darkreading.com/vulnerabilities—threats/siemens-plc-feature-can-be-exploited-for-evil—and-for-good/d/d-id/1336277

Retail

Skimmers & Scammers: US DHS warns of increasing retailer cyberattacks this holiday season. As the US Department of Homeland Security warns shoppers to stay vigilant during this holiday season, it’s important that retailers heed this warning too. We expect this year’s holidays to be the most interesting yet from a cyber perspective, and this card-hunting season to be the busiest yet for skimmers and scammers worldwide.

https://www.forbes.com/sites/daveywinder/2019/11/11/black-friday-2019-security-threat-us-government-advises-consumers-to-stay-vigilant/

Financial Services

Santa gives gifts; Magecart takes your money: Continuing the holiday season scams topic, Magecart-related cybercriminal groups are stepping on each other to exploit vulnerable e-commerce platforms and steal credit card data. The ultimate impact of this retail identity theft hits the financial services sector directly, and this year looks to be a bountiful season for a major trickle-up of cybercrime.

https://threatpost.com/magecart-groups-attack-simultaneous-sites-in-card-theft-frenzy/149872/

Public Sector / State, Local, Education

Post-ransomware Canadian territory of Nunavut left in the cold with frozen IT operations: The attack comes in the wake of slowing attacks against US state and municipal governments, which suggests that attackers may be gunning for softer targets. “US entities are on very high alert, bolstering their IT and so are less likely to be compromised,” the security biz said in a note to The Register. “Because of this, big game hunters are increasingly looking for opportunities in the other countries.”

https://www.theregister.co.uk/2019/11/04/ransomware_freezes_nunavut_canada/

Healthcare

Is it a medical record data breach if the data is destroyed instead? On breach of confidentiality vs. loss of integrity in healthcare: The US Department of Health and Human Services (HHS) maintains breach-reporting definitions and guidance for US-based healthcare delivery organizations. In its definition of a breach, the HHS Office for Civil Rights suggests that protected health information must actually be acquired or viewed—and must be re-identifiable back to the patients—in order to be classified as a breach. That’s why the Brooklyn Hospital Center must feel relief that its ‘Data Incident’ notification didn’t require the use of the word ‘breach’, and is thus not eligible for major financial penalties under the HIPAA privacy rules.

https://www.bleepingcomputer.com/news/security/brooklyn-hospital-loses-patient-data-in-ransomware-attack/