View Full Version : Security breach/compromise - 2015

2015-02-07, 16:30

Anthem ...
- http://www.nytimes.com/2015/02/07/business/data-breach-at-anthem-may-lead-to-others.html
Feb 6, 2015 - "After an online attack on Anthem, by far the largest breach in the industry, security experts warned on Friday that more attacks on health care organizations were likely because of the high value of the data on the black market. Anthem, one of the country’s largest health insurers, said the hackers did not appear to have stolen information about its customers’ medical claims. But medical identification numbers were taken, along with Social Security numbers, addresses and email addresses, which could be used for medical fraud. According to a federal database, many much smaller attacks across the country have included both medical records and financial information. Medical identity theft has become a booming business, according to security experts, who warn that other health care companies are likely to be targeted as a result of the hackers’ success in penetrating Anthem’s computer systems. Hackers often try one company to test their methods before moving on to others, and criminals are becoming increasingly creative in their use of medical information... The publicity surrounding the breach, which exposed information on about 80 million people, is already generating phishing email scams, in which criminals posing as legitimate businesses try to persuade people to sign up for bogus credit protection services and provide personal information about themselves. On Friday, Anthem sent out an alert to its customers warning them of the scam, which the company described as an “opportunistic” attempt to take advantage of news of the breach, but the company emphasized it had no evidence that the scam artists were the hackers. The company, which operates under a series of Blue Cross plans in states like California, Connecticut and New York, is working with federal investigators to determine the source of the attack. 
Some signs continued to point to China, which has previously been thought to target health care companies, although the investigation is still in its early stages..."

- http://www.reuters.com/article/2015/02/07/us-anthem-cybersecurity-warning-idUSKBN0LA24F20150207
Feb 6, 2015 - "Health insurer Anthem Inc on Friday warned U.S. customers about an email -scam- targeting former and current members whose personal information was suspected to have been breached in a massive cyber attack..."
- http://krebsonsecurity.com/2015/02/phishers-pounce-on-anthem-breach/
Feb 7, 2015 - "... variations on the -scam- pictured below, which -spoofs- Anthem and offers recipients a free year’s worth of credit monitoring services for those who click the embedded link
Do-not-click or respond to these phishing emails:
> http://krebsonsecurity.com/wp-content/uploads/2015/02/anthemphish.jpg
... The company says it will begin sending notifications to affected consumers via snail mail in the coming weeks. In the meantime, if you’re a current or former Anthem member, be aware that these types of -scams- are likely to escalate in the coming days and weeks."

- http://www.anthemfacts.com/faq

- http://www.anthemfacts.com/

- http://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/
Feb 9, 2015
> https://www.virustotal.com/en-gb/file/8d168092d5601ebbaed24ec3caeef7454c48cf21366cd76560755eb33aff89e9/analysis/

> http://krebsonsecurity.com/wp-content/uploads/2015/02/hitrustalert-600x457.png

- https://isc.sans.edu/diary.html?storyid=19299


2015-04-08, 00:44

Destructive hack attempts target critical infrastructure ...
- http://www.reuters.com/article/2015/04/07/us-cybersecurity-americas-idUSKBN0MY06Z20150407
Apr 7, 2015 - "Hacking attacks that destroy rather than steal data or that manipulate equipment are far more prevalent than widely believed, according to a survey of critical infrastructure organizations throughout North and South America. The poll by the Organization of American States, to be released on Tuesday, found that 40 percent of respondents had battled attempts to shut down their computer networks, 44 percent had dealt with bids to delete files and 54 percent had encountered “attempts to manipulate” their equipment through a control system. Those figures, provided exclusively to Reuters ahead of the official release, are all the more remarkable because only 60 percent of the 575 respondents said they had detected any attempts to steal data, long considered the predominant hacking goal. By far the best known destructive hacking attack on U.S. soil was the electronic assault last year on Sony Corp's Sony Pictures Entertainment, which wiped data from the Hollywood fixture’s machines and rendered some of its internal networks inoperable... Destruction of data presents little technical challenge compared with penetrating a network, so the infrequency of publicized incidents has often been ascribed to a lack of motive for attackers. Now that hacking tools are being spread more widely, however, more criminals, activists, spies and business rivals are experimenting with such methods... The survey did allow anonymous participants to provide a narrative of key events if they chose, although those will not be published... one story of destruction involved a financial institution. Hackers stole money from accounts and then deleted records to make it difficult to reconstruct which customers were entitled to what funds... In another case, thieves manipulated equipment in order to divert resources from a company in the petroleum industry... 
At Trend Micro, which compiled the report for the OAS, vice president Tom Kellerman said additional destructive or physical attacks came from political activists and organized crime groups. “We are facing a clear and present danger where we have non-state actors willing to destroy things,” he said. “This is going to be the year we suffer a catastrophe in the hemisphere, and when you will see kinetic response to a threat actor.” So-called “ransomware,” which encrypts data files and demands payment be sent to remote hackers, could also have been interpreted as destructive, since it often leaves information unrecoverable..."
* https://www.trendmicro.com/us/security-intelligence/research-and-analysis/critical-infrastructures-security/index.html

:fear: :fear:

2015-05-05, 16:15

CareerBuilder cyberattack delivers malware ...
- https://www.proofpoint.com/threat-insight/post/Foot-in-the-Door
Apr 29, 2015 - "... recently detected a clever email-based attack that combines phishing and social engineering techniques in order to trick users into opening a malicious document. In this attack, the actor browses open positions listed on CareerBuilder .com, a popular online job search and recruiting service, and -attaches- resumes to job postings as malicious documents in Microsoft Word format. In this specific case, we observed the actor attach a Word document named “resume.doc,” or “cv.doc”. Delivery: When a resume has been submitted to a listed job opening, the CareerBuilder service automatically generates a notification email to the job poster and attaches the document, which in this case is designed to deliver malware... the probability of the mail being delivered and opened is higher... the attackers here have instead capitalized on the brand and service of a real site: the recipients are likely to read them and open the attachments because not only are they legitimate emails from a reputable service, but these emails are expected and even desired by the recipient:
Phishing email containing malicious attachment:
> https://www.proofpoint.com/sites/default/files/styles/large/public/foot-in-the-door-1.png?itok=ew3S8AM-
In this campaign, Proofpoint detected seemingly indiscriminate, low-volume (fewer than ten emails) targeting of stores, energy companies, broadcast companies, credit unions, and electrical suppliers. The actor appeared to target positions in engineering and finance, such as “business analyst,” “web developer,” and “middleware developer”: the skills listed for these positions can reveal valuable information about the tools and software that are running in the target organization and thus enable the actor to tailor their attack. Malicious Document: Instead of following the recent trend of using macro-based malware in Office document attachments, the attachment is -built- using the Microsoft Word Intruder Service (MWI) and -exploits- a memory corruption vulnerability for Word RTF (such as CVE-2014-1761, CVE-2012-0158, and others). MWI is an underground crime service... that builds CVE-weaponized dropper or downloader documents for any malware. A seller with handle “Object” has been observed offering the service since May 31, 2013 on underground Russian forums for approximately US$2,000 to US$3,000.
Name: resume.doc
SHA-256: d61abd2f4fdb5a4c9e2cb11a2af69ec18627335f7e0e3ddf880d30590292fa6d
Name: cv.doc
SHA-256: 648c7985f833ad4e001ab3d1727a1837df640fd3457c808e0ff0d2e4cf61bfa7
Upon successfully executing the exploit, the attachment opens a connection to a command and control (C2) server in order to download the payload executable... attackers – as part of an overall shift to targeting businesses – adjusted the strategy of their URL-based campaigns to rely on -piggybacking- on web marketing emails (such as newsletters and opt-in marketing) with links to legitimate sites that have been compromised in order to deliver malware to end-users who click-on-the-link in their message. High-volume unsolicited email campaigns instead use attachments more often than URLs to deliver their malware, with a particular emphasis on malicious Office documents. This clever attack demonstrated techniques similar to those now used for URL-based campaigns, but this time to deliver malicious attachments, and exemplifies the practice of piggybacking on legitimate email services and sites in order to trick wary end-users and compromise targeted businesses."

- http://thestack.com/career-builder-cyber-attack-malware-employers-010515
May 1, 2015

:fear::fear: :mad:

2015-06-19, 00:06

Canada: 'Anonymous' says it cyberattacked federal gov't ...
- http://www.cbc.ca/news/politics/anonymous-says-it-cyberattacked-federal-government-to-protest-bill-c-51-1.3117360
Last Updated: Jun 18, 2015 - "The online hacker group Anonymous has claimed responsibility for a cyberattack on federal government websites, in protest against the recent passing of the government's anti-terror Bill C-51... A number of federal government websites appear to be back online after the brief blackout, including websites for the Senate, the Justice Department and Canada's spy agencies, CSEC and CSIS. However, it's unclear whether the attacks have stopped, as government websites seem to be flashing on and offline intermittently. Public Safety Minister Steven Blaney said at no point was personal information or sensitive government compromised... The government's servers were hit with a denial of service attack, the statement reads..."


2015-07-02, 22:03

Harvard hacked - affects 8 colleges and admins
- https://fortune.com/2015/07/02/harvard-data-breach/
July 2, 2015 - "The school discovered a cyberintrusion in June. Last month Harvard University uncovered “an intrusion” on its computer networks, the school disclosed late Wednesday. The discovery, which was made June 19, affects two IT systems that impact eight colleges and administrations, the school says. These include the Faculty of Arts and Sciences, Harvard Divinity School, Radcliffe Institute for Advanced Study, Central Administration, the Graduate School of Design, Harvard Graduate School of Education, Harvard John A. Paulson School of Engineering and Applied Sciences, and Harvard T.H. Chan School of Public Health. Meanwhile, the Harvard Kennedy School as well as Harvard’s business, law, medicine, and dental schools, appear to be unaffected by the breach. Anyone associated with the first four groups listed above should change-the-password to their school network login, the university recommends. People affiliated with the next four groups should instead change-the-password, the school says, to their university email account, a service powered by Microsoft Exchange. Don’t expect that new passcode to last long though. The school notes that it will require a future password refresh as well: “Password changes will be required again at a later time as the University takes further steps to enhance security,” per a letter from Provost Alan Garber* and executive vice president Katie Lapp. Harvard’s administration says it is as yet uncertain about what data has been stolen..."
* http://security.harvard.edu/cyber-alert

:fear: :mad: