Copyright © 2017 HITRUST & Trend Micro · CRYSIS Cryptoransomware variant first seen in 2016 that...
16
Copyright © 2017 HITRUST & Trend Micro
Transcript of Copyright © 2017 HITRUST & Trend Micro · CRYSIS Cryptoransomware variant first seen in 2016 that...
Copyright©2017HITRUST&TrendMicro
AboutThisBulle.nTheHealthcareITSecurityBulle@nisaspecializedcommunica@onfromTrendMicroandHITRUST’sindustry-leadingsecuritylabthatwillregularlyprovideinforma@onsecurity,privacyandriskmanagementprofessionalswithfastfactsandobserva@onseachmonth.Thebulle@nswillalsoincludeinforma@vespotlightsonspecificchallengesthatfacetheindustry,predic@onsonfuturetrends,industryandthreat-relatedresearchtopicsandhelpfulreportsonresultsandobserva@onsregardingspecificHITRUSTprograms.
Copyright©2017HITRUST&TrendMicro 2
SecuritySpotlight
Copyright©2017HITRUST&TrendMicro 3
SecurityHighlights
Source:TrendMicroTMSmartProtec@onNetworkTM(September2017)
22187154
Newspyware(TSPY)indicatorsofcompromise(IoCs)
Newbackdoor(BKDR)IoCs
Newransomware(RANSOM)IoCs
FastFacts:CountriesAffectedbyMalwareSource:TrendMicroSmartProtec2onNetwork
Copyright©2017HITRUST&TrendMicro 4
*Thesharesofothercountriesaffectedbymalwarecomprising25.29percentofthetotalarenotshownhere.
FastFacts:TopMalwareFamiliesSource:TrendMicroSmartProtec2onNetwork
Copyright©2017HITRUST&TrendMicro 5
Malware Descrip.on Share
WCRY/WANNACRYPT RansomwarevariantthatexploitsCVE-2017-0144tospreadseenintheU.K.,Taiwan,Chile,Japan,India,andtheU.S. 7.55%
DOWNAD AlsoknownastheConfickerworm,usestheServerServicevulnerabilitytospread 4.44%
CCHACK Backdoorthatwaitsforatleast10minutesbeforeproceedingwithrou@nesbutterminatesifthecurrentcomputeruserdoesnothaveadminrights 3.58%
SALITY [email protected] 1.81%
COINMINE RelatedtoBitcoinminers 0.95%
DOWNADJOB Detec@onnameforjobfilesdroppedbyDOWNAD 0.91%
ANDROMChecksifitrunsinavirtualenvironmentandiftheinfectedcomputerrunsanetworkmonitoringsoiware;ifthatisthecase,itwillputthesystemintoinfinitesleep
0.86%
AUTORUN Wormthatdrops19differentfiles 0.83%
POWLOAD UsesPowerShelltodownloadandexecuteamaliciousfile 0.75%
DLOADR AgenericTrojandownloader 0.71%
*Thesharesofothermalwarecomprising77.61percentofthetotalarenotshownhere.
FastFacts:RansomwareIncidentsSource:TrendMicroSmartProtec2onNetwork
Copyright©2017HITRUST&TrendMicro 6
Ransomware Descrip.on Share
WCRY/WANNACRYPT RansomwarevariantthatexploitsCVE-2017-0144tospreadseenintheU.K.,Taiwan,Chile,Japan,India,andtheU.S. 94.92%
CERBER Rapidlyevolving,recentlyseenstealingfrombitcoinwallets 2.43%
LOCKY Firstseenin2016,usesmaliciousWordmacrostoinfectsystems 1.21%
CRYPTESLA Encryptsgame-relatedfiles 0.37%
CRYSIS Cryptoransomwarevariantfirstseenin2016thatchangesinfectedcomputers’wallpapersintoransomnotes 0.33%
KOVTER Knownforitsuseinvariousamacksevenifitislackinginencryp@onsophis@ca@oncomparedwithCryptoLocker 0.15%
CRYPJAFF Changesinfectedcomputers’desktopwallpapersbymodifyingregistriesanddeletesitselfaierexecu@on 0.11%
CRYPCTB Displaystheransommessageinsixdifferentlanguages—Spanish,Latvian,German,Dutch,Italian,andEnglish 0.04%
CRYPEC Typicalvariantthatappends.pectoencryptedfiles’names 0.04%
CRYPHYDRA DeletesshadowcopiesandthebackupcataloganddisablestheVolumeShadowService,StartupRepair,andWindowsErrorRecovery 0.04%
*Thesharesofotherransomwarecomprising0.36percentofthetotalarenotshownhere.
SecuritySpotlightWannaCryRansomwareWannaCryransomwarespreadbyexploi@ngavulnerabilityinServerMessageBlock(SMB)servers(CVE-2017-0144,code-namedEternalBlue).Onceasystemisinfectedandfilesonitareencrypted,WannaCrydemandsapaymentofUS$300tobemadeoutinbitcoins. 7Copyright©2017HITRUST&TrendMicro
SecuritySpotlightTrendMicrodetectsthevariantsusedinsuchanamackRANSOM_WANA.AandRANSOM_WCRY.I.CustomersarealreadyprotectedagainstthisthreatthroughPredic@veMachineLearningandotherrelevantransomwareprotec@onfeaturesfoundinTrendMicroXGen™Security.MoreintheTrendLabsSecurityIntelligenceBlog.
8Copyright©2017HITRUST&TrendMicro
Observa.onsfromPhysicianPrac.ces:SeptemberSource:CyberAidProgramFeedbackData
UndertheCyberAidProgram,wewereabletoobservethenetworksecurityviola@onsbelow.Healthcareorganiza@onscanusetheinforma@onbelowtogaugehowtheyfarecomparedwithotherorganiza@ons.
Copyright©2017HITRUST&TrendMicro 9
7percentofpar@cipantloca@onshadoneormoregraywareevents.Mostofthesefellundertrackingcookiesorgraywaresuchasad-orientedplug-insandtoolbaradd-ins.
16percentofpar@[email protected]@corbehavior-baseddetec@[email protected]@onsinvolvedknownmalware.
16%ofthetotalnumberofloca@onshadvirusevents
7%ofthetotalnumberofloca@onshadspywareevents
Observa.onsfromPhysicianPrac.ces:SeptemberSource:CyberAidProgramFeedbackData
UndertheCyberAidProgram,wewereabletoobservethenetworksecurityviola@onsbelow.Healthcareorganiza@onscanusetheinforma@onbelowtogaugehowtheyfarecomparedwithotherorganiza@ons.
Copyright©2017HITRUST&TrendMicro 10
38percentofpar@cipantloca@onshadmalicious-URL-blockingevents.Thesewererelatedtolinksembeddedinspamorthatledtositesknownforspamming.
9percentofpar@cipantloca@onshadransomware-relatedURL-blockingevents.Thesemostlikelyoriginatedfrommalver@singamemptswhenusersbrowselegi@matesites.
38%ofthetotalnumberofloca@onshad
malicious-URL-blockingevents
9%ofthetotalnumberofloca@onshad
ransom-URL-relatedevents
Observa.onsfromPhysicianPrac.ces:SeptemberWealsoobservedthefollowingeventsthroughoutthemonthfromvariousIPaddressesaroundtheworld,mostofwhichcanbelinkedtothreatactorsscanning
IPrangesforvulnerabili@estoexploit:• RemoteDesktopProtocol(RDP)BruteForceLog-In:Mul@pleamemptsthroughout
themonthamackingapublic-facingWindowsserverfromIPaddresseslocatedinChina,[email protected].
• SMBMicrosoiWindowsSearchTypeConfusion-2.1(CVE-2017-8620):Mul@plesitesmostlikelyrelatedtoascanperformedtolookforsystemsaffectedbyCVE-2017-8620.
• EXPLOITMicrosoiWindowsOLEAutoma@onRemoteCodeExecu@on(CVE-2011-0658):AmemptstoexploitavulnerabilityinMicrosoiWindowsObjectLinkingandEmbedding(OLE)Automa@onmostlybythreatactorslookingforsystemsaffectedbyCVE-2011-0658.
Copyright©2017HITRUST&TrendMicro 11
Observa.onsfromPhysicianPrac.ces:September• WEBRemoteCommandExecu@onviaShellScriptusingSHELLCODEEggHunter
Exploit:Mul@plesitessofartarge@ngroutersorfirewalls(SonicWall).Inoneloca@on,thetargetwasapublic-facingHPprinter.
• EXPLOITRemoteCommandExecu@onviaShellScript:Amackstarge@ngroutersandfirewalls.
• EXPLOITNetcoreRouterDefaultCreden@alRemoteCodeExecu@on:Backdooramemptsonrouters.
• MALWAREMIRAIHTTP:Botac@vityamemptstoexploitpublic-facingprinters.
Copyright©2017HITRUST&TrendMicro 12
Observa.onsfromPhysicianPrac.ces:SeptemberItisinteres@ngtonotethatloca@onsthathadpublic-facingdevices,suchasWindowsserversandSonicWallroutersorprinters,registeredhigheramemptnumbersthanthosethatdidnothavepublic-facingsystems.Ifitisunnecessarytohavepublic-facingdevicesandservices,itisbesttounplugthemfromtheinternet.Iftheyareneeded,makesuretheyareconstantlypatchedandsufficientlysecured.
Copyright©2017HITRUST&TrendMicro 13
WhatAretheRisksofNotHavingAdequateSecurity?
Copyright©2017HITRUST&TrendMicro 14
Year-to-DateSta.s.csforCyberAid
Copyright©2017HITRUST&TrendMicro 15
ContactHITRUSTIfyouhaveanyques@onsabouttheHealthcareITSecurityBulle@n,[email protected].
Copyright©2017HITRUST&TrendMicro 16
