Cyberbit Identifies New Code Injection Technique used by Malware

The security company Cyberbit has identified three cases of a new code injection technique, dubbed “Early Bird”. The name of this technique is based on how the different malwares that utilize it operate. The malware will inject malicious code into a legitimate suspended process on the victim’s computer and then make a call for the operating system to run the process, which executes the malicious code. This allows the malware to run it’s commands under the cover of a program the system already trusts.

What makes this technique unique though is that the malware using Early Bird will load it’s malicious code early on in the initialization of a process. Because of this, most anti-malware programs are unable to detect the malicious code in time to prevent it from executing. Because of the API calls the technique makes use of, malware that can take advantage of this code injection is limited to affecting hosts running the Windows operating system.

The Early Bird code injection technique was found in several samples of malware, the most notable of which is a backdoor called “TurnedUp“, accredited to the Iranian hacker group APT33. Other malware discovered to be using this technique include a variant of banking malware known as “Carberp”, and “DorkBot“, a general purpose malware that can download instructions for conducting bot-net style attacks and stealing user passwords.

Sources:

-Alex Noel

Firefox Master Password Security Issues

A lot of people use the save password feature in browsers so that they don’t have to be bothered to enter their passwords on websites they visit often. Firefox offered users the option of implementing a master password, so that the user would need to enter that password in order to use their bank of saved passwords.

What was just brought to light is that Firefox uses a very low standard of encryption that can be cracked in just a few seconds if the hash is found. SHA-1 hashes were used, which are very insecure as they are easily broken. Although a salt was used, according to the article, 1 iteration count is considered very low, and makes it easy for hackers to obtain the master password through brute force. For comparison, the article provides information that 10,000 iterations is considered the minimum acceptable value, and other password managers, like LastPass, use 100,000 iterations.

What is strange is that someone reported this bug nine years ago, and the Mozilla team just never fixed the issue. They did not provide a reason that they did not fix it, but used the chance to generate excitement for its upcoming password manager called Lockbox. According to the post on the bug report, a solution of switching to the Argon2 library for hashing passwords would be more secure than SHA-1, but based on the above comments it does not seem like Mozilla wants to invest any resources into fixing this issue. In order to protect themselves, users can stop using the Firefox password saving feature and turn off their master password and store their passwords in a third party password manager, such as KeePass, 1Password, Enpass or LastPass.

– Justin Stein

Source: https://www.bleepingcomputer.com/news/security/firefox-master-password-system-has-been-poorly-secured-for-the-past-9-years/

Iranian Hackers Target US Professors

On March 23rd the Justice Department charged nine Iranians with multiple counts of identity theft and conspiracy to commit computer intrusions.  The main targets of the attack were professors at both US and foreign universities. Also targets were several US and European based private companies as well as multiple government agencies. The hackers were accused of being affiliated with the Mabna Institute and acted under behest of an Iranian intelligence agency. The attorney who brought the case claims that the Mabna Institute may seem legitimate, but that it only exists for the sole reason of stealing scientific resources from around the world. They used phishing emails that appeared to come from other universities to target more than 100,000 accounts belonging to professors worldwide and compromised about 8,000. They also compromised at least 37 US based companies, 11 based in Europe, and at least 5 government agencies including the Labor Department, the Federal Energy Regulatory Commission, and the UN. With this attack dating back to 2013, the hackers were able to steal more than 31 terabytes of information, worth about $3 billion in intellectual property. The justice department has recently said that the nine hackers are still at large.

–  Owen Ryan

Sources:

https://www.cnbc.com/2018/03/23/us-indicts-iranian-nationals-in-iran-government-backed-scheme-on-us-universities.html

https://www.wired.com/story/iran-cyberattacks-us-universities-indictment/

Why Healthcare Security Is So Prone To Attack – Verizon Report

We already know that health care is extremely vulnerable to cyberattacks relative to many other industries, but Verizon has just released a new cybersecurity report that reveals the true internal actors involved in the data breaches that target so many health organizations. The report emphasizes that the medical industry is the “only industry in which internal actors are the biggest threat to an organization” (Mukherjee). It states that 48% of these actors are motivated by financial gain, 31% by just the fun or curiosity of it, and 10% simply by convenience.

Improper employee practices and human error contribute to “threat actions” within health organizations due to inadequate delivery of personal health information, or getting rid of data in inappropriate ways— mainly because of the widespread use of paper documents and the failure to shred or properly dispose of them.

Healthcare workers have frequent and easy access to patients’ personal information, and the convenience and fun of committing fraud provide a main cause of data breaches in the medical industry. Verizon does provide solutions to help prevent such breaches of medical and financial information: create secure passwords, get rid of data efficiently, train employees not to fall for phishing emails with malicious software; but it warns that none of these potential threats are mutually exclusive.

Source:

http://fortune.com/2018/03/02/healthcare-cybersecurity-verizon-report/

Cyber Security team will ‘lie, cheat and steal’ to protect blue cross patients data —-Mark Minio

Kevin Charest is the chief information security officer for health care security officer for Health Care Service Core. They are responsible for protecting the records of roughly 15 million participants in Blue Cross Blue Shield plans in Texas and four other (unnamed by the source) states. Access to medical data is a “new frontier” for hackers as the health care shifts from paper records to electronic records. Electronic Health records, Clinical data-sharing tools and connected devices such as blood pressure and heart rate monitors might benefit patients and be more efficient but it leaves health information at risk of illegal access. All technology connected to the internet has some security risk, since it is a possible entry into a network. Hackers are able to create programs that knock on every door quickly and if the computer is not configured correctly sometimes they are able to get in. So far Health Care Service Corp. hasn’t experienced a major disruption. But the extreme vigilance  is still fairly reasonable. The sources provide a list of the Largest Health Data Breaches in Texas. One of which was from Stephenville medical & Surgical Clinic which exposed 75,000 patients’ information, this occurred in 2017. A patient list was emailed to an unauthorized recipient. By the time of the first source article, there have been more than 1700 similar security breaches nationally, affecting over 162 million Americans. Theft of computers or other hardware is the most commonly reported type of breach, followed by unauthorized access. The numbers may be higher since many incidents go unreported, either because of malice or lack of knowledge about what constitutes a reportable event. There are numerous reasons health care data can be valuable on the dark web. For example, a person in a country where communicable diseases are prevalent may be asked to provide medical documentation which will demonstrate that they don’t pose a health risk when they enter the U.S.

Sources:

-https://www.dallasnews.com/business/health-care/2018/03/27/dallas-based-cybersecurity-team-will-lie-cheat-steal-protect-patient-data

-https://www.beckershospitalreview.com/cybersecurity/cybersecurity-team-will-lie-cheat-and-steal-to-safeguard-bcbs-data.html