Forescout Cyber Weekly Roundup
September 23, 2019

Bartosz Urban | September 23, 2019

Public Sector

Russia went all in: In 2016, the Obama administration’s decision to expel numerous Russian diplomats from the country was surrounded by mysterious circumstances. Now we are finding out this action was in response to a cyberattack on FBI systems by the Russian Federation’s counterintelligence operations. The attacks were previously undisclosed but might have many unforeseen consequences.

https://news.yahoo.com/exclusive-russia-carried-out-a-stunning-breach-of-fbi-communications-system-escalating-the-spy-game-on-us-soil-090024212.html

U.S. Treasury sanctions North Korean FinServ hacking groups: The U.S. Treasury sanctioned three North Korean government hacking groups last week, including the well-known Lazarus Group and its two sub-groups, Ludendorff and Andariel. While the DPRK regime says it’s willing to renegotiate its denuclearization with the Trump administration, North Korean hackers don’t appear to be stopping any time soon. The groups are credited with widespread, successful attacks against financial institutions and cryptocurrency exchanges.

https://home.treasury.gov/news/press-releases/sm774

Retail

The type of customers you wouldn’t want: Reportedly almost a third of e-commerce retail traffic is coming from automated bots, attempting to scrape data and perform other malicious actions, including customer account takeover, gift card abuse, transaction fraud, spamming, and more. Around 80 percent of those attacks could be classified as sophisticated enough to fool security measures, which forces retailers to take new steps in combating automated threats.

https://www.chargedretail.co.uk/2019/09/19/30-of-all-ecommerce-traffic-comes-from-bots/

Speaking your language, reading your data: Many companies employ translation partners to localize their e-commerce business, but not enough is being done to protect the data that can be accessed by the translators, which could lead to huge security gaps. It’s important to remember that compliance and proper procedures are key in this situation.

https://www.chainstoreage.com/technology/how-multilingual-websites-impact-your-customers-privacy/

Healthcare

The hottest cybercrime product to buy is admin access to healthcare portals: Healthcare IT admin creds are now extremely valuable in the cybercrime market, a new study from IntSights finds. According to the firm’s CSO, not only does the healthcare industry have much weaker security than the financial industry, but medical data can be used for nefarious activities like “insurance fraud, account takeover, financial fraud, and the creation of static IDs to order drugs”. When it comes to data breaches and the supply of usable EHR data, healthcare IT admin workstations are more dangerous than any medical device.

https://www.techrepublic.com/article/cybercriminals-shop-for-admin-access-to-healthcare-portals/#ftag=RSS56d97e7

20 reasons to love IoT in healthcare: IoT applications in healthcare can reduce cost and create more home-centric treatments. Examples include remote patient monitoring, hearing aid apps, wearable technology for mental health issues, cancer detection, drug distribution and monitoring, robotic surgical devices, and more. As the Internet of Medical Things (IoMT) proliferates, so too do the interconnected risks to cybersecurity and patient privacy.

https://www.ubuntupit.com/iot-in-healthcare-20-examples-thatll-make-you-feel-better/

Financial Services

Russian JPMorgan Chase hacker pleads guilty to theft impacting 80 million clients: Andrei Tyurin, a 36-year-old Russian hacker accused of stealing the financial data of over 80 million JPMorgan Chase & Co. clients back in 2014, is set to plead guilty to the crime later this month. Tyurin, who allegedly worked in concert with an Israeli whom the U.S. accuses of masterminding the scheme, was extradited by the Republic of Georgia to the U.S. last year and is also alleged to have hacked E*Trade. “Tyurin’s alleged hacking activities were so prolific, they lay claim to the largest theft of U.S. customer data from a single financial institution in history, accounting for a staggering 80 million-plus victims,” said Manhattan U.S. Attorney Geoffrey S. Berman.

https://www.pymnts.com/legal/2019/russian-hacker-pleading-guilty-in-jpmorgan-case/

A click too far: A Chicago-based brokerage company, Philips Capital Inc., has been fined $500,000 by the U.S. Commodity Futures Trading Commission after a data breach caused by a phishing e-mail sent to one of its IT engineers. The unfortunate click on an attachment resulted in the theft of $1,000,000 from client accounts and a leak of credentials for multiple mailboxes, including one belonging to the company’s CEO.

https://www.bankinfosecurity.com/brokerage-firm-hit-500000-data-breach-penalty-a-13095

Operational Technology / Industrial Control Systems

New clues show that Ukrainian energy grid cyberattack intended to cause far more than a one-hour blackout: The Ukrenergo grid hack continues to retain researcher interest, as experts at Dragos reconstructed the Russian cyberattack on Ukrenergo, Ukraine’s national grid operator, in December 2016. The research validates yet again the value of centralized logging and a SIEM-based approach to forensics in incident response.

https://www.wired.com/story/russia-ukraine-cyberattack-power-grid-blackout-destruction/

Is Iran behind the drone attacks on Saudi Arabia oil facilities? Two major Saudi oil installations were hit by 10 drones and set on fire, and further attacks could be expected in the future, state media say. While the U.S. government blames Tehran for the attack, expert opinions vary on its involvement in the drone campaign. Iran said the accusations are “ridiculous”.

https://www.bbc.com/news/world-middle-east-49699429

State, Local & Education

No need to call in for music requests: Philadelphia-based Entercom Communications, the second-largest broadcasting network operating in the U.S., was the target of a ransomware attack which resulted in the disruption of email service and crashed computers, an internal Entercom memo stated. The company reportedly will not pay the ransom, following in the footsteps of a Christian radio station in Missouri and Tampa’s WMNF 88.5 FM, both attacked during the summer. Similar tactics have been used in the past, but the modern advent of ransomware brings a new twist to broadcast signal intrusion.

https://www.cyberscoop.com/entercom-ransomware-attack-radio-hack/

Iranian hackers get an A for effort: 60 universities in the United States, the United Kingdom, Australia, Canada, Hong Kong, and Switzerland were targeted by Cobalt Dickens, a suspected Iranian threat group, in a new global attack campaign to steal intellectual property. This is not the first time that the hackers have targeted universities; the group, which has been using fake library emails as part of a global phishing operation, ran a similar campaign in August 2018.

https://www.scmagazineuk.com/uk-western-universities-targeted-suspected-iranian-cyber-criminals/article/1596444

Editor’s Choice

Most everyone in Ecuador now at risk of identity theft: The private data of approximately 20 million people, most of whom reside in Ecuador, was leaked from an unsecured server, researchers at vpnMentor said on Monday. The server is owned by Ecuadorian company Novaestrat, and the leaked data include names, phone numbers, and birth dates. Ecuador “is home to just over 17 million people, meaning nearly everyone could have been exposed.”

https://www.washingtontimes.com/news/2019/sep/16/security-firm-data-breach-exposes-millions-of-ecua/

The Air Force Will Let Hackers Try to Hijack an Orbiting Satellite: The USAF is one-upping its August 2019 DEFCON target of an F-15 fighter jet system: next year, it’s bringing a satellite. The hackers’ objective? To shift the satellite’s cameras from the Earth toward the moon, thus taking “A literal moon shot.”

https://www.wired.com/story/air-force-defcon-satellite-hacking/