and customised malware to conduct espionage. A Chinese hacking group with advanced cyber-espionage capabilities has been targeting managed IT services providers across the globe in a campaign to steal sensitive data. The cybercriminal gang is using sophisticated phishing attacks and customised malware in order to infect victims' machines and then gain access to IT providers and their customer networks. Dubbed Operation Cloud Hopper, the cyber-espionage campaign has been uncovered by security researchers at PwC, BAE Systems, and the UK's National Cyber Security Centre. The researchers say the campaign is "highly likely" to be the work of the China-based APT10 hacking group. The group has been focusing on espionage since 2009 and has evolved from targeting US defence firms as well as the technology and telecommunications sectors to targeting organisations in multiple industries across the globe. The group was behind the Poison Ivy malware family and has evolved its operations to include using custom tools capable of compromising high volumes of data from organisations and their customers, and stealthily moving it around the world. It's because of the sophisticated nature of the campaign that PwC's Operation Cloud Hopper report describes how APT10 "almost certainly benefits from significant staffing and logistical resources, which have increased over the last three years". The group's work shifted significantly during 2016, as it started to focus on managed service providers, following the significant enhancements to its operations. The move enabled APT10 to exfiltrate data from multiple victims around the world as part of a large-scale campaign.
Managed service providers (MSPs) represent a particularly lucrative target for attackers because, as well as having access to their clients' networks, they also store significant quantities of customer data, which can provide useful information or be sold for profit. Researchers note that the spear-phishing campaign undertaken by APT10 indicates that the group conducts significant research on targets in order to have the best chance of tricking them into opening malicious documents attached to specially crafted emails. Once the hacking group has infiltrated a network, it conducts reconnaissance to ensure legitimate credentials have been gained, before deploying tools such as Mimikatz or PwDump to steal additional credentials, administration credentials, and data from infected MSPs. The shared nature of MSP infrastructure enables APT10's success, allowing the hackers to stealthily move between the networks of MSPs and clients, hence the name Cloud Hopper. Using this approach, the group has been able to target organisations in the US, Canada, the UK, France, Switzerland, Scandinavia, South Africa, India, and Australia. "The indirect approach of this attack highlights the need for organisations to have a comprehensive view of the threats they're exposed to -- including those of their supply chain," Kris McConkey, partner, cyber threat detection and response at PwC, said. "This is a global campaign with the potential to affect a wide range of countries, so organisations around the world should work with their security teams and providers to check networks for the key warning signs of compromise and ensure they respond and protect themselves accordingly."
The National Cyber Security Centre has issued guidelines following the global targeting of enterprises via managed service providers, and notes how the activity detected "likely represents only a small proportion of the total malicious activity".
A pediatrics practice, ABCD Pediatrics, serving the San Antonio, Texas metropolitan area reported that it was hit with a ransomware attack, but existing antivirus software helped to slow down the attack, and the practice's IT vendor successfully removed the virus and all corrupt data from its servers. However, because hackers may have accessed portions of the practice's network, the pediatrics group is offering identity and credit protection services from Equifax Personal Solutions to all of its patients. The pediatrics group, which has four locations, posted a "HIPAA Notification" on its website regarding an incident that may have affected patients' protected health information (PHI). The practice stated that the notice was made in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Prior to the attack, ABCD Pediatrics had a variety of security measures in place, including network filtering and security monitoring, intrusion detection systems, firewalls, antivirus software, and password protection, according to the organization's statement. On February 6, 2017, an employee of ABCD Pediatrics discovered that a virus had gained access and begun encrypting ABCD's servers. The encryption was slowed significantly by existing antivirus software. Upon discovery, ABCD immediately contacted its IT vendor, and ABCD's servers and computers were promptly moved offline and analyzed. The virus was identified as "Dharma Ransomware," which is a variant of an older ransomware virus called "CriSiS," according to the organization's IT vendor. "ABCD's IT company reported that these virus strains typically do not exfiltrate ("remove") data from the server; however, exfiltration could not be ruled out.
Also, during the analysis of ABCD's servers and computers, suspicious user accounts were discovered suggesting that hackers may have accessed portions of ABCD's network," the organization stated. The IT vendor successfully removed the virus and all corrupt data from its servers, and the practice said that secure backup data stored separately from its servers and computers was not compromised by the incident and was used to restore all affected data. According to the organization, no confidential information was lost or destroyed, including PHI, and the practice group never received a ransom demand or other communications from unknown persons. In addition to notifying its patients, ABCD notified the FBI and the U.S. Department of Health and Human Services. According to the HHS Office of Civil Rights' data breach portal, the incident affected 55,447 patients. While the IT vendor found no evidence that confidential information was actually acquired or removed from its servers and computers, it could not rule out the possibility that confidential information may have been viewed and possibly acquired, according to ABCD Pediatrics' statement. Affected information may have included patients' names, addresses, telephone numbers, dates of birth, Social Security numbers, insurance billing information, medical records, and laboratory reports. Following this incident, ABCD's IT vendor located the source of the intrusion and implemented additional security measures, including state-of-the-art cyber monitoring on its network, the organization said. In addition to the identity and credit protection services from Equifax, the pediatrics group recommended that patients also place a fraud alert on their credit files.
ABCD Pediatrics, PA ("ABCD") is committed to providing quality pediatric healthcare in the San Antonio area. Our mission is to provide the best care, to each patient, every time. With that being said, ABCD is writing to inform you about an incident that may have affected its patients' protected health information. This notification is made in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, and the included Administrative Simplification provisions. During the morning of February 6, 2017, an employee of ABCD Pediatrics discovered that a virus gained access and began encrypting ABCD's servers. The encryption was slowed significantly by existing antivirus software. Upon discovery, ABCD immediately contacted its IT Company, and ABCD's servers and computers were promptly moved offline and analyzed. ABCD's IT Company identified the virus as "Dharma Ransomware," which is a variant of an older ransomware virus called "CriSiS." ABCD's IT Company reported that these virus strains typically do not exfiltrate ("remove") data from the server; however, exfiltration could not be ruled out. Also, during the analysis of ABCD's servers and computers, suspicious user accounts were discovered suggesting that hackers may have accessed portions of ABCD's network. ABCD's IT Company successfully removed the virus and all corrupt data from its servers. Secure backup data stored separately from ABCD's servers and computers was not compromised by this incident, and it was used to restore all affected data. As a result, no confidential information was lost or destroyed, including protected health information. Also, please note that ABCD never received any ransom demands or other communications from unknown persons.
However, ABCD remains concerned because it discovered user logs indicating that computer programs or persons may have been on the server for a limited period of time. In addition to notifying its patients, ABCD notified the Federal Bureau of Investigations ("FBI"), and it will notify the Department of Health and Human Services. While ABCD's IT Company found no evidence that confidential information was actually acquired or removed from its servers and computers, it could not rule out the possibility that confidential information may have been viewed and possibly was acquired. Importantly, ABCD cannot confirm with a high degree of likelihood that confidential information remained secure throughout this incident. Generally, affected information may have included one's name, address, telephone, date of birth, other demographic information, Social Security Number, insurance billing information, current procedural technology codes, medical records, and laboratory reports. ABCD takes its patients' privacy and the security of their information very seriously. ABCD had a variety of security measures in place before this incident, including network filtering and security monitoring, intrusion detection systems, firewalls, antivirus software, and password protection. Following this incident, ABCD's IT Company located the source of the intrusion and implemented several measures to ensure this kind of incident does not occur again, which include state of the art cyber monitoring on its network. ABCD and its IT Company continue to assess its physical and cyber security. We have arranged with Equifax Personal Solutions to help protect the identity and credit information of all patients. Patients can call 844-420-6493 Monday through Friday from 9:00 AM to 9:00 PM Eastern Standard Time to determine whether they were affected.
Also, if any patient has questions, they can call this same number to speak with a customer service representative about the incident. Patients also can place a fraud alert on their credit files with the three major credit reporting agencies. A fraud alert is a consumer statement added to one's credit report. The fraud alert signals creditors to take additional steps to verify one's identity prior to granting credit. This service can make it more difficult for someone to get credit in one's name, though it may also delay one's ability to obtain credit while the agency verifies identity. Fraud alerts are free and last 90 days unless you manually renew them or use the automatic fraud alert feature within a Credit Watch subscription. Patients also may want to order their credit report. By establishing a fraud alert, patients will receive a follow-up letter that will explain how they can receive a copy of their credit report. When patients receive their credit report, they should examine it closely and look for signs of fraud, such as credit accounts that are incorrect. Even though a fraud alert has been placed on their account, patients should continue to monitor future credit reports to ensure an imposter has not opened an account. If patients want to place a security freeze, they will need to call all three credit bureaus (information listed above) and place a security freeze on their credit report. Charges to place and/or remove a security freeze vary by state and credit agency. We deeply regret any inconvenience this incident may have caused. If patients have questions, please call 844-420-6493 Monday through Friday from 9:00 AM to 9:00 PM Eastern Standard Time.
The researcher Ralf-Philipp Weinmann, managing director at security firm Comsecuris, has disclosed a zero-day baseband vulnerability affecting Huawei smartphones, laptop WWAN modules, and IoT components. Baseband is firmware used on smartphones to connect to cellular networks, to make voice calls, and to transmit data. An attacker can exploit baseband flaws to eavesdrop on mobile communications, take over the device to make calls and send SMS messages to premium numbers, or to exfiltrate data. The expert revealed the flaw this week at the Infiltrate Conference; the vulnerability could be exploited by attackers to execute a memory-corruption attack against affected devices over the air. Fortunately, the attack is quite difficult to conduct. The baseband vulnerability resides in the HiSilicon Balong integrated 4G LTE modems. The Balong application processor is called Kirin; it is produced by HiSilicon Technologies, a subsidiary of Huawei Technologies. The affected firmware is present in several Huawei Honor smartphones, including the P10, Huawei Mate 9, Honor 9, 7, 5c and 6. Weinmann believes that millions of Honor smartphones could be exposed to the attack. Weinmann presented multiple baseband vulnerabilities found in the Kirin application processor. The expert also revealed that many laptops produced by IT vendors leverage the HiSilicon Balong integrated modem, as do a number of IoT devices. "This baseband is much easier to exploit than other basebands. Why? I'm not sure if this was intentional, but the vendor actually published the source code for the baseband which is unusual," Weinmann said.
"Also, the malleability of this baseband implementation doesn't just make it good for device experimenting, but also network testing." Weinmann speculates HiSilicon may have wrongly released the Kirin source code as part of a developer tar archive associated with the Huawei H60 Linux kernel data. Weinmann demonstrated several attack scenarios against mobile phones. The first attack scenario presented by the researcher involves setting up a bogus base station using open-source software called OpenLTE, which the attacker uses to simulate a network operator. The attacker can send specially crafted packets over the air that trigger a stack buffer overflow in the LTE stack, causing the phone to crash. Once the phone has rebooted, an attacker can gain persistence by installing a rootkit. In a second attack scenario, an attacker with physical access to the phone and private key pair data would install malicious tools on the firmware. "It requires key material that is stored both by the carrier and on the SIM card in order to pass the mutual authentication between the phone and the network. Without this key material, a base station cannot pose as a legit network towards the device." For his tests, Weinmann used his own VxWorks build environment, using an evaluation version of VxWorks 7.0 that shipped with Intel Galileo several years ago. The expert explained that the existence of a Lua scripting interpreter running in the baseband gives him further offensive options. Weinmann did not disclose the technical details, to avoid threat actors in the wild abusing his work. "I have chosen to only disclose lower-severity findings for now. Higher severity findings are in the pipeline," Weinmann said.
While the company was able to avoid falling victim to the ransomware, the attackers may have been able to access patient data. On February 6, 2017, an employee noticed that a virus had begun encrypting the practice's servers. The encryption process was slowed by the company's anti-virus software, and ABCD's IT company was able to take its servers offline and identify the virus as Dharma Ransomware, a variant of Crysis for which decryption tools are available. "ABCD's IT company reported that these virus strains typically do not exfiltrate ('remove') data from the server; however, exfiltration could not be ruled out," the company said in a statement. "Also, during the analysis of ABCD's servers and computers, suspicious user accounts were discovered suggesting that hackers may have accessed portions of ABCD's network." The IT company was able to remove the virus and all corrupt data from its servers, and successfully restored all affected data from a secure backup. "As a result, no confidential information was lost or destroyed, including protected health information," the company said.
Two Italian siblings were arrested on Monday and stand accused of having spied on Italian politicians, state institutions and law enforcement agencies, businesses and businesspeople, law firms, leaders of Italian masonic lodges, and Vatican officials for years. 45-year-old Giulio Occhionero and 49-year-old Francesca Maria Occhionero, both from Rome but currently residing in London, allegedly used specially crafted malware (dubbed "EyePyramid") to compromise the targets' computers and exfiltrate all kinds of documents, as well as log keystrokes and steal login credentials for sensitive accounts. According to court documents (in Italian), the investigation began a few months after a security professional employed by ENAV, an Italian company responsible for the provision of air traffic services (ATS) and other air navigation services in Italy, flagged and reported a malicious attachment he received via email. The spear-phishing email was purportedly sent by an Italian attorney, but the infosec pro became suspicious and sent the attachment to security company Mentat Solutions for analysis. The attachment was found to contain the EyePyramid malware. After the authorities got involved, the investigation revealed that the email was indeed sent from the attorney's email account, but that it was sent by someone who had compromised the account and accessed it via Tor.
Bitdefender researchers have unearthed a previously unknown malware framework that, unlike those used by most APTs, contains many legitimate utilities. Dubbed Netrepser, the framework is used to find and exfiltrate all kinds of information from compromised Windows systems. The researchers believe that it is wielded by a dedicated cyber-espionage group, as the victims are mostly computer systems of government agencies. Netrepser is usually delivered via spear-phishing emails spoofed to look like they are coming from a legitimate source. The email purports to deliver a document containing guidelines for discussion or a similar benign DOC file, and the recipient is urged to enable macros in order to view the contents of the file. But doing that allows the embedded Visual Basic macro to drop a JavaScript file (JS) or a JScript Encoded File (JSE). This JS/JSE payload contacts the C&C server, sends basic information about the compromised system, and fetches and executes malicious jobs with the help of legitimate tools and malware downloaded directly from it. It uses, among other things: All of these tools are packed with a custom file-packing algorithm that seems unique to this group, but that doesn't tell us who these hackers are. "Even though the Netrepser malware uses free tools and utilities to carry various jobs to completion, the technical complexity of the attack, as well as the targets attacked, suggest that Netrepser is more than a commercial-grade tool," the researchers noted. "Because of the nature of these attacks, attribution is impossible unless we dig into the realm of speculation. Our technical analysis, however, has revealed that some documents and file paths this campaign is using are written in Cyrillic." Technical details and indicators of compromise tied to this campaign can be found here.
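The delivery chain above (a DOC macro dropping a JS/JSE file that then runs) leaves a characteristic trace in process-creation telemetry: an Office application spawning a Windows script host pointed at a .js or .jse file. The following is an added example, not Bitdefender's code or anything from the campaign, of a check that flags that parent/child pattern; the event field names, the process names treated as Office parents and script hosts, and all sample events are constructed assumptions, not any vendor's schema.

```python
"""Flag an Office process launching a script host on a dropped .js/.jse file.

Added illustration of the Netrepser delivery chain described in the text.
Event fields and sample data are constructed for this example and are not
real telemetry; OFFICE_PARENTS and SCRIPT_HOSTS are assumed image names.
"""
import re
from dataclasses import dataclass

# Assumed image names for the parent (the opened DOC) and the script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .js or .jse argument, terminated by a quote, whitespace or end of line,
# so that e.g. ".json" or ".jsx" is not matched.
DROPPED_SCRIPT = re.compile(r'\.jse?(?:["\s]|$)', re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    parent: str   # full image path of the parent process
    image: str    # full image path of the newly created process
    cmdline: str  # command line of the newly created process


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, ignoring the directory."""
    return path.rsplit("\\", 1)[-1].lower()


def is_macro_script_drop(ev: ProcEvent) -> bool:
    """True when an Office parent starts a script host on a .js/.jse file."""
    return (
        _basename(ev.parent) in OFFICE_PARENTS
        and _basename(ev.image) in SCRIPT_HOSTS
        and DROPPED_SCRIPT.search(ev.cmdline) is not None
    )


def flag_events(events):
    """Return the subset of events matching the macro-to-script-host pattern."""
    return [ev for ev in events if is_macro_script_drop(ev)]


# Constructed sample events: only the first one matches the pattern.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
              r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" '
              r'"C:\Users\alice\AppData\Local\Temp\guidelines.jse"'),
    # Script host started from the desktop shell on a .vbs: not the pattern.
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cscript.exe",
              r"cscript.exe //nologo C:\Scripts\inventory.vbs"),
    # Word spawning a print helper: benign child, no script host involved.
    ProcEvent(r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
              r"C:\Windows\splwow64.exe",
              r"C:\Windows\splwow64.exe 12288"),
    # Script host on a .js but with a non-Office parent: not this chain.
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\bob\Downloads\update.js"),
]


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS):
        print(f"ALERT Office->script host: {hit.cmdline}")
```

The check is deliberately narrow (Office parent, script-host child, script-file argument) so that routine script-host use elsewhere on the host does not fire it.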
The industrial company on Tuesday released mitigations for eight vulnerabilities overall. Siemens AG on Tuesday issued a slew of fixes addressing eight vulnerabilities spanning its industrial product lines. The most serious of the patched flaws is a cross-site scripting vulnerability in Siemens' SCALANCE firewall product. The flaw could allow an attacker to gain unauthorized access to industrial networks and ultimately put operations and production at risk. The SCALANCE S firewall is used to protect secure industrial networks from untrusted network traffic, and allows filtering incoming and outgoing network connections in different ways. Siemens S602, S612, S623, and S627-2M SCALANCE devices with software versions prior to V4.0.1.1 are impacted. Researchers with Applied Risk, who discovered the flaw, said that the vulnerability exists in the web server of the firewall software. An attacker can carry out the attack by crafting a malicious link and tricking an administrator who is logged into the web server into clicking that link. Once an admin does so, the attacker can execute commands on the web server on the administrator's behalf. "The integrated web server allows a cross-site scripting attack if an administrator is misled into accessing a malicious link," Applied Risk researcher Nelson Berg said in an analysis of the flaw. "Successful exploitation may lead to the ability to bypass critical security measures provided by the firewall."
Exploitation of this vulnerability could ultimately enable threat actors to bypass critical security functions provided by the firewall, potentially providing access to industrial networks and putting operations and production at risk. The vulnerability, CVE-2018-16555, has a CVSS score which Applied Risk researchers calculate to be 8.2 (high severity). That said, researchers said a successful exploit is not completely seamless and takes some time and effort to carry out: for an attacker to exploit the flaw, user interaction is required and the administrator must be logged into the web interface. Researchers said that no exploit of the vulnerability has been discovered thus far. Siemens addressed the reported vulnerability by releasing a software update (V4.0.1.1) and also advised customers to "only access links from trusted sources in the browser you use to access the SCALANCE S administration website." The industrial company also released an array of fixes for other vulnerabilities on Tuesday. Overall, eight advisories were released by US-CERT. Another serious vulnerability (CVE-2018-16556) addressed was an improper input validation flaw in certain Siemens S7-400 CPUs. Successful exploitation of these vulnerabilities could crash the device being accessed, which may require a manual reboot or firmware re-image to bring the system back to normal operation, according to the advisory. "Specially crafted packets sent to Port 102/TCP via Ethernet interface, via PROFIBUS, or via multi-point interfaces (MPI) could cause the affected devices to go into defect mode. Manual reboot is required to resume normal operation," according to US-CERT.
An improper access control vulnerability that is exploitable remotely in Siemens IEC 61850 system configurator, DIGSI 5, DIGSI 4, SICAM PAS/PQS, SICAM PQ Analyzer, and SICAM SCC was also mitigated. The vulnerability, CVE-2018-4858, has a CVSS of 4.2 and exists in a service of the affected products listening on all of the host's network interfaces on either Port 4884/TCP, Port 5885/TCP, or Port 5886/TCP. The service could allow an attacker to either exfiltrate limited data from the system or execute code with Microsoft Windows user permissions. Also mitigated were an improper authentication vulnerability (CVE-2018-13804) in SIMATIC IT Production Suite and a code injection vulnerability (CVE-2018-13814) in SIMATIC Panels and SIMATIC WinCC that could allow an attacker with network access to the web server to perform an HTTP header injection attack.
Email addresses, passwords and IP addresses were exposed. The breach, which took place in September 2015 but was only recently disclosed, compromised email addresses, passwords and IP addresses, the Daily Mail reports. The hacker's likely aim was to profit financially from the stolen information. "Data breaches are often sold via darkweb sites or within closed trading circles," Hunt told the Daily Mail. Still, Willy Leichter, vice president of marketing at CipherCloud, told eSecurity Planet by email that while the attack targeted gaming forums, any large-scale breach like this should concern businesses as well. "Users often use common passwords, security questions, or personal email addresses to access personal and work-related systems, making it easier for hackers to break into corporate networks and steal massive amounts of data," he said. And while all users are being advised to change their passwords, Jeff Hill, director of product management at Prevalent, said it may be too late to make a difference. "The initial breach occurred in September 2015, giving the attackers 17 months to operate undetected, more than enough time to find and exfiltrate enough data to profit greatly from their efforts," he said. "At this point, it's not even clear the breach was actually detected -- possibly the attackers simply [wrung] as much return as possible out of their theft, and simply discarded the remaining useless data," Hill added.
Polish media reported last week that the IT security teams at many Polish banks have been busy recently searching their systems for a particular strain of malware after several unnamed banks found it on their computers. It's not clear what the malware's end goal is, but in at least one case it was used to exfiltrate data from a bank's computer to an external server. The nature of the stolen information could not be immediately determined because it was encrypted, Polish IT news blog Zaufana Trzecia Strona reported Friday. After the malware program is downloaded and executed on a computer, it connects to remote servers and can be used to perform network reconnaissance, lateral movement and data exfiltration, the BadCyber researchers said in a blog post. The malware is similar to other crimeware tools, but has not been documented before.
Researchers identified over 70 organizations targeted in these attacks, with most located in Ukraine, and especially in the self-declared separatist states of Donetsk and Luhansk, near the Russian border. The target list includes editors of Ukrainian newspapers; a scientific research institute; a company that designs remote monitoring systems for oil and gas pipeline infrastructures; an international organization that monitors human rights, counter-terrorism and cyberattacks on critical infrastructure in Ukraine; and an engineering company that designs electrical substations, gas distribution pipelines, and water supply plants; among many others. According to CyberX security experts, the attacks are mostly driven by spear-phishing emails that spread Word documents containing malicious macros. The attacks lure victims into allowing the macros in these documents to execute by telling them the document was created in a newer version of Word and that enabling macros allows them to view its content. Enabling macros downloads several malware families in multiple stages. The downloaded malware doesn't include destructive features and uses several mechanisms to remain hidden, an important clue pointing to the fact that its authors are using it for reconnaissance only. Using Dropbox instead of a custom web server for collecting data is yet another sign that the hackers are trying to stay hidden as long as possible. This is because it would be much easier to detect malicious traffic sent to a remote web server than traffic to Dropbox, an application whitelisted by firewalls and other security products. CyberX researchers named this particular campaign BugDrop because the crooks used the PC's microphone to bug victims, and Dropbox to exfiltrate data.
After analyzing the malware deployed in this campaign, CyberX security experts claim the malware and techniques used in the BugDrop operation are similar to Groundbait, another cyber-espionage campaign discovered in May 2016 by ESET researchers.