Viry a Červi

Microsoft Patches 15 Critical Bugs in March Patch Tuesday Update - 13 Březen, 2018 - 23:25
Products receiving the most patches included Microsoft browsers and browser-related technologies such as the company’s JavaScript engine Chakra.
Kategorie: Viry a Červi

It's March 2018, and your Windows PC can be pwned by a web article (well, none of OURS)

The Register - Anti-Virus - 13 Březen, 2018 - 22:03
Plus plenty of other Microsoft and Adobe bugs to fix

Patch Tuesday  Microsoft delivered another hefty bundle of patches with its scheduled monthly update.…

Kategorie: Viry a Červi

AMD Investigating Reports of 13 Critical Vulnerabilities Found in Ryzen, EPYC Chips - 13 Březen, 2018 - 21:04
Researchers on Tuesday disclosed over a dozen critical security vulnerabilities in several AMD chips, opening them up for attackers who want to steal sensitive data and install malware on AMD servers, workstations and laptops.
Kategorie: Viry a Červi

Samba Patches Two Critical Vulnerabilities in Server Software - 13 Březen, 2018 - 17:56
Samba released fixes for its networking software to address two critical vulnerabilities that allowed attackers to change admin password or launch DoS attacks.
Kategorie: Viry a Červi

SecurEnvoy SecurMail, you say? Only after this patch is applied, though

The Register - Anti-Virus - 13 Březen, 2018 - 17:38
Flaws meant others could read, meddle with encrypted emails

Recently resolved vulnerabilities in SecurEnvoy's encrypted email transfer SecurMail created a way for encrypted emails in users' inboxes to be read, overwritten and deleted by others.…

Kategorie: Viry a Červi

China-Linked APT15 Used Myriad of New Tools To Hack UK Government Contractor - 13 Březen, 2018 - 17:16
Cyber espionage group APT15 is back, this time stealing sensitive data from a UK government contractor.
Kategorie: Viry a Červi

Mozilla wants to seduce BOFHs with button-down Firefox

The Register - Anti-Virus - 13 Březen, 2018 - 16:41
Control. Control. Control

The Mozilla Foundation has released a Firefox for Enterprise with sysadmin controls to manage deployment. F4E arrives in beta form today.…

Kategorie: Viry a Červi

Time of death? A therapeutic postmortem of connected medicine

Kaspersky Securelist - 13 Březen, 2018 - 16:00

#TheSAS2017 presentation: Smart Medicine Breaches Its “First Do No Harm” Principle

At last year’s Security Analyst Summit 2017 we predicted that medical networks would be a titbit for cybercriminals. Unfortunately, we were right. The numbers of medical data breaches and leaks are increasing. According to public data, this year is no exception.

For a year we have been observing how cybercriminals encrypt medical data and demand a ransom for it. How they penetrate medical networks and exfiltrate medical information, and how they find medical data on publicly available medical resources.

The number of medical data breaches and leaks per year (source: HIPAA Journal)

Opened doors in medical networks

To find a potential entry point into medical infrastructure, we extract the IP ranges of all organizations that have the keywords “medic”, “clinic”, “hospit”, “surgery” and “healthcare” in the organization’s name, then we start the masscan (port scanner) and parse the specialized search engines (like Shodan and Censys) for publicly available resources of these organizations.

Masscan report extract

Of course, medical perimeters contain a lot of trivial opened ports and services: like web-server, DNS-server, mail-server etc. And you know that’s just the tip of the iceberg. The most interesting part is the non-trivial ports. We left out trivial services, because as we mentioned in our previous article those services are out of date and need to be patched. For example, the web applications of electronic medical records that we found on the perimeters in most cases were out of date.

The most popular ports are the tip of the iceberg. The most interesting part is the non-trivial ports.

The most popular opened ports on medical perimeters (18,723 live hosts; 27,716 opened ports)

Using ZTag tool and Censys, we identify what kinds of services are hidden behind these ports. If you try to look deeper in the embedded tag you will see different stuff: for example printers, SCADA-type systems, NAS etc.

Top services on medical network perimeters

Excluding these trivial things, we found Building Management systems that out of date. Devices using the Niagara Fox protocol usually operate on TCP ports 1911 and 4911. They allow us to gather information remotely from them, such as application name, Java version, host OS, time zone, local IP address, and software versions involved in the stack.

Example of extracted information about Niagara Fox service

Or printers that have a web interface without an authentication request. The dashboard available online and allows you to get information about internal Wi-Fi networks or, probably, it allows you to get info about documents that appeared in “Job Storage” logs.

Shodan told us that some medical organizations have an opened port 2000. It’s a smart kettle. We don’t know why, but this model of kettle is very popular in medical organizations. And they have publicly available information about a vulnerability that allows a connection to the kettle to be established using a simple pass and to extract info about the current Wi-Fi connection.

Medical infrastructure has a lot of medical devices, some of them portable. And devices like spirometers or blood pressure monitors support the MQTT protocol to communicate with other devices directly. One of the main components of the MQTT communication – brokers (see here for detailed information about components) are available through the Internet and, as a result, we can find some medical devices online.

Not only Smart Home components, but also medical devices are available via MQTT Spirometer

Threats that affect medical networks

OK, now we know how they get in. But what’s next? Do they search for personal data, or want to get some money with a ransom or maybe something else? Money? It’s possible… anything is possible. Let’s take a look at some numbers that we collected during 2017.

The statistics are a bit worrying. More than 60% of medical organizations had some kind of malware on their servers or computers. The good news is that if we count something here, it means we’ve deleted malware in the system.

Attacks detected in medical organizations, 2017

And there’s something even more interesting – organizations closely connected to hospitals, clinics and doctors, i.e. the pharmaceutical industry. Here we see even more attacks. The pharmaceutical industry means “money”, so it’s another titbit for attackers.

Attacks detected in pharmaceutical organizations, 2017

Let’s return to our patients. Where are all these attacked hospitals and clinics? Ok, here we the numbers are relative: we divided the number of devices in medical organizations in the country with our AV by the number of devices where we detected malicious code. The TOP 3 were the Philippines, Venezuela and Thailand. Japan, Saudi Arabia and Mexico took the last three spots in the TOP 15.

So the chances of being attacked really depend on how much money the government spends on cybersecurity in the public sector and the level of cybersecurity awareness.

Attacked devices in medical organizations, TOP 15 countries

In the pharmaceutical industry we have a completely different picture. First place belongs to Bangladesh. I googled this topic and now the stats look absolutely ok to me. Bangladesh exports meds to Europe. In Morocco big pharma accounts for 14% of GDP. India, too, is in the list, and even some European countries are featured.

Attacked devices in pharmaceutical organizations, TOP 15 countries

On one in ten devices and in more than 25% of medical and 10% of pharmaceutical companies we detected hacktools: pentesting tools like Mimikatz, Meterpreter, tweaked remote administration kits, and so on.

Which means that either medical organizations are very mature in terms of cybersecurity and perform constant audits of their own infrastructure using red teams and professional pentesters, or, more likely, their networks are infested with hackers.

Hacktools: Powerpreter, Meterpreter, Remote admin, etc.


Our research showed that APT actors are interested in information from pharmaceutical organizations. We were able to identify victims in South East Asia, or more precisely, in Vietnam and Bangladesh. The criminals had targeted servers and used the infamous PlugX malware or Cobalt Strike to exfiltrate data.

PlugX RAT, used by Chinese-speaking APT actors, allows criminals to perform various malicious operations on a system without the user’s knowledge or authorization, including but not limited to copying and modifying files, logging keystrokes, stealing passwords and capturing screenshots of user activity. PlugX, as well as Cobalt Strike, is used by cybercriminals to discreetly steal and collect sensitive or profitable information. During our research we were unable to track the initial attack vectors, but there are signs that they could be attacks exploiting vulnerable software on servers.

Taking into account the fact that hackers placed their implants on the servers of pharmaceutical companies, we can assume they are after intellectual property or business plans.

How to live with it
  • Remove all nodes that process medical data from public
  • Periodically update your installed software and remove unwanted applications
  • Refrain from connecting expensive equipment to the main LAN of your organization

More tips at “Connected Medicine and Its Diagnosis“.

Firefox turns out the lights on two privacy-sucking features

Sophos Naked Security - 13 Březen, 2018 - 15:08
Thanks to some illuminating privacy research, it's "lights out" for another pair of esoteric APIs.

‘Hacked’ Facebook taunt leads to 1-star restaurant reviews

Sophos Naked Security - 13 Březen, 2018 - 15:04
Rival football fans either punished the eatery with fake reviews after the "zombies" remark or there was a sudden plague of gastroenteritis.

Tweet thieves suspended by Twitter

Sophos Naked Security - 13 Březen, 2018 - 14:36
'Tweetdecking' plagiarists have been making thousands per month, ripping off jokes and tweets and selling retweets.

Cryptomining isn’t going to make you rich

Sophos Naked Security - 13 Březen, 2018 - 14:05
Is cryptomining-with-consent the simple alternative to web advertising that some publishers think it is? Perhaps not.

CEO of smartmobe outfit Phantom Secure cuffed after cocaine sting, boast of murder-by-GPS

The Register - Anti-Virus - 13 Březen, 2018 - 07:01
No 'legitimate users' of modded Blackberries, says FBI

An arrest by US authorities last week has brought to light alleged associations between encrypted phone supplier Phantom Secure and international drug trafficking.…

Kategorie: Viry a Červi

Yahoo<i>!</i> Can't<i>!</i> Toss<i>!</i> Hacking<i>!</i> Lawsuit<i>!</i>

The Register - Anti-Virus - 13 Březen, 2018 - 00:45
Judge Koh trims class-action complaint, but suit will proceed

The remains of Yahoo! will be forced to defend the class action complaint filed by customers whose data was exposed in the 2014 megahack.…

Kategorie: Viry a Červi

Yahoo<i>!</i> Can't<i>!</i> Toss<i>!</i> Hacking<i>!</i> Lawsuit<i>!</i>

The Register - Anti-Virus - 13 Březen, 2018 - 00:45
Judge Koh trims class-action complaint, but suit will proceed

The remains of Yahoo! will be forced to defend the class action complaint filed by customers whose data was exposed in the 2014 megahack.…

Kategorie: Viry a Červi

Air gapping PCs won't stop data sharing thanks to sneaky speakers

The Register - Anti-Virus - 12 Březen, 2018 - 21:00
Boffins shows that sound output devices secretly capture audio

Computer speakers and headphones make passable microphones and can be used to receive data via ultrasound and send signals back, making the practice of air gapping sensitive computer systems less secure.…

Kategorie: Viry a Červi

FireEye’s Marina Krotofil On Triton and ICS Threats - 12 Březen, 2018 - 18:23
At the Security Analyst Summit this year in Cancun, FireEye's Marina Krotofil talks about the Triton malware, first disclosed in December 2017, that targets industrial control systems.
Kategorie: Viry a Červi

China ALTERED its public vuln database to conceal spy agency tinkering – research

The Register - Anti-Virus - 12 Březen, 2018 - 18:02
Report claims vuln-botherers share building with Ministry of State Security

China has altered public vulnerability data to conceal the influence of its spy agency in the country's national information security bug reporting process.…

Kategorie: Viry a Červi

CCleaner Attackers Intended To Deploy Keylogger In Third Stage - 12 Březen, 2018 - 17:49
As investigations continue about the backdoor that was planted in CCleaner, Avast said it has found that the actors behind the attack were planning to install a third round of malware on compromised computers.
Kategorie: Viry a Červi

UK's air accident cops are slurping data from pilots' fondleslabs

The Register - Anti-Virus - 12 Březen, 2018 - 16:26
'We need the families' assistance' says AAIB

A British government agency has been downloading data from iPads and similar devices used by pilots of crashed aircraft, it has emerged.…

Kategorie: Viry a Červi
Syndikovat obsah