The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) has issued a high priority alert warning enterprises of the risk of cyberattacks involving Taidoor malware, a remote access Trojan (RAT) used by the Chinese government in cyber espionage campaigns.

Taidoor was first identified in 2008 and has been used in many attacks on enterprises. The alert was issued after CISA, the FBI and the Department of Defense (DoD) identified a new variant of the Taidoor RAT which is being used in attacks on US enterprises. Strong evidence has been found suggesting the Taidoor RAT is being used by threat actors working for the Chinese government.

CISA explains in the alert that the threat actors are using the malware in conjunction with proxy servers to hide their location and gain persistent access to victims’ networks and for further network exploitation.

Two versions of the malware have been identified which are being used to target 32-bit and 64-bit systems. Taidoor is downloaded onto victims’ systems as a service dynamic link library (DLL) and consists of two files: A loader that is started as a service, which decrypts and executes a second file in the memory. The second file is the main Taidoor Remote Access Trojan (RAT). The Taidoor RAT provides gives the attackers persistent access to enterprise networks and allows data exfiltration and other malware to be downloaded.

CISA has published a Malware Analysis Report that includes confirmed indicators of compromise (IoCs), suggested mitigations, and recommended actions that can improve protection against Taidoor malware attacks. In the event of an attack, victims should give the activity the highest priority for enhanced mitigation and the attack should be reported to either CISA or FBI Cyber Watch.

CISA recommended actions for administrators include maintaining up to date antivirus signatures, keeping operating systems and software patched, disabling file and printer sharing (or using strong passwords if file and printer sharing is needed), restricting the use of admin privileges, exercising caution when opening email attachments, implementing a strong password policy, enabling firewalls on all workstations to deny unsolicited connection requests, disabling unnecessary services on workstations, monitoring users’ web browsing habits, and scanning all software downloaded from the Internet prior to execution.

The IOCs, mitigations, and recommendations can be found here.

The malware warning follows a joint alert issued by CISA and the FBI in May about attempts by Chinese hackers to gain access to the networks of organizations involved in COVID-19 research and vaccine development to steal intellectual property and public health data. The agencies have observed an increase in attacks spreading malware under the guise of updates on COVID-19 and spear phishing attacks using COVID-19 themes lures. In July, the Department of Justice announced that two Chinese hackers had been indicted for hacking US healthcare firms, government agencies, medical research institutions and other targets.

The post CISA Warns of Increase in Cyberattacks by Chinese Nation State Threat Groups using the Taidoor RAT appeared first on HIPAA Journal.

This week, the Federal Bureau of Investigation (FBI) issued a (TLP:WHITE) FLASH alert following an increase in attacks involving NetWalker ransomware. NetWalker is a relatively new ransomware threat that was recognized in March 2020 following attacks on a transportation and logistics company in Australia and the University of California, San Francisco. UC San Francisco was forced to pay a ransom of around $1.14 million for the keys to unlock encrypted files to recover essential research data. One of the most recent healthcare victims was the Maryland-based nursing home operator, Lorien Health Services.

The threat group has taken advantage of the COVID-19 pandemic to conduct attacks and has targeted government organizations, private companies, educational institutions, healthcare providers, and entities involved in COVID-19 research.

The threat group initially used email as their attack vector, sending phishing emails containing a malicious Visual Basic Scripting (.vbs) file attachment in COVID-19 themed emails. In April, the group also started exploiting unpatched vulnerabilities in Virtual Private Networking (VPN) appliances such as the Pulse Secure VPN flaw (CVE-2019- 11510) and Telerik UI (CVE-2019-18935).

The threat group is also known to attack insecure user interface components in web applications. Mimikatz is deployed to steal credentials, and the penetration testing tool PsExec is used to gain access to networks. Prior to encrypting files with NetWalker ransomware, sensitive data is located and exfiltrated to cloud services. Initially, data was exfiltrated via the MEGA website or by installing the MEGA client application directly on a victim’s computer and more recently through the website.dropmefiles.com file sharing service.

Earlier this year, the NetWalker operators started advertising on hacking forums looking to recruit a select group of affiliates that could provide access to the networks of large enterprises. It is unclear how successful the group has been at recruiting affiliates, but attacks have been increasing throughout June and July.

The FBI has advised victims not to pay the ransom and to report any attacks to their local FBI field office. “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities,” explained the FBI in the alert. “Paying the ransom also does not guarantee that a victim’s files will be recovered. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”

A range of different techniques are being used to gain access to networks so there is no single mitigation that can be implemented to prevent attacks from being successful. The FBI recommends keeping all computers, devices, and applications up to date and applying patches promptly. Multi-factor authentication should be implemented to prevent stolen credentials from being used to access systems, and strong passwords should be set to thwart brute force attempts to guess passwords. Anti-virus/anti-malware software should be installed on all hosts and should be kept updated, and regular scans should be conducted.

To ensure recovery from an attack is possible without paying the ransom, organizations should backup all critical data and store those backups offline on a non-networked device or in the cloud. The backup should not be accessible from the system where the data resides. Ideally, create more than one backup copy and store each copy in a different location.

The post FBI Issues Flash Alert Warning of Increasing NetWalker Ransomware Attacks appeared first on HIPAA Journal.

The biomedical community is working hard to develop vaccines against SARS-CoV-2 and discover new treatments for COVID-19 and nation-state hackers and cybercriminal organizations are targeting those organizations to gain access to their research data.

Recently, security agencies in the United States, Canada, and the United Kingdom issued alerts about state-sponsored Russian hackers targeting organizations involved in COVID-19 research and vaccine development. The security agencies had found evidence that the Russian hacking group APT29 was actively conducting scans against the external IP addresses of companies engaged in COVID-19 research and vaccine development, and that it was almost certain that the hackers were working with the Russian intelligence services.

An joint alert was also issued by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the FBI indicating hackers linked to China were conducting similar attacks on pharmaceutical companies and academic research facilities to obtain intellectual property and sensitive data related to COVID-19. There have also been reports that hackers in Iran are conducting similar attacks.

In light of the recent attacks and targeting of research facilities, BitSight conducted a study to determine how well COVID-19 vaccine manufacturers and biomedical companies are performing at protecting their systems and data from hackers. BitSight researchers assessed 17 companies for the study, each of which has a major role in COVID-19 research and vaccine development. Those companies ranged from small firms with fewer than 200 employees to large companies with more than 200,000 employees.

BitSight found several security vulnerabilities that could be exploited by hackers to gain access to intellectual property and vaccine and COVID-19 research data. The security vulnerabilities were divided into four areas: Open ports, unpatched vulnerabilities, web application security, and systems that had already been compromised.

BitSight found 8 of the 17 companies had their systems compromised in the past year and had computers that were part of a botnet, and 7 companies had computers added to a botnet in the past 6 months. BitSight searched for software running on systems that the companies likely did not install. These Potentially Unwanted Programs (PUPs) were found on 9 company systems and 8 companies had PUPS installed in the past 6 months. Five companies had computers that were sending spam and the researchers identified unsolicited communications at three companies. Compromised systems show the companies’ security controls have failed and that the companies could, or already have been, hacked by adversaries seeking access to COVID-19 data.

The majority of companies had open ports which exposed insecure services over the internet, including 7 companies with exposed Microsoft RDP and a further 7 with LDAP exposed. 5 companies had exposed MySQL, MS SQL or Postgres SQL databases and a further 5 had an exposed Telnet service. The exposed Microsoft RDP was of particular concern, since hackers and ransomware gangs are actively searching for exposed RDP devices.

14 of the 17 companies were found to have unpatched vulnerabilities that could potentially be exploited remotely by hackers.  10 companies had more than 10 unpatched vulnerabilities and 6 had unpatched vulnerabilities with a CVSS score greater than 9.

Web application security issues were also common, such as insecure redirects from HTTPS to HTTP, insecure authentication, and a mixture of secure and insecure content on web pages. Many of the companies had more than one web application security issue. These security issues placed the companies at risk of man-in-the-middle and cross-site scripting attacks, which could potentially result in hackers capturing sensitive data, obtaining credentials, and compromising email systems.

“In light of these risks, the bioscience community must step up its cyber vigilance. It only takes a misconfigured piece of software, an inadvertently exposed port, or an insecure remote office network for a hacker to gain entry to systems that store scientific research, intellectual property, and the personal data of subjects involved in clinical trials,” warned BitSight. “[Companies] must revisit basic cybersecurity hygiene practices and find proven and efficient ways to continuously discover and manage risk exposure — across the extended attack surface and third-party ecosystem. Only then can remediation be prioritized, and life-saving science innovation assured.”

The post Study Reveals COVID-19 Research Companies are Vulnerable to Cyberattacks appeared first on HIPAA Journal.

The Emotet botnet has been reactivated after a 5-month period of dormancy and is being used to send large volumes of spam emails to organizations in the United States and United Kingdom.

The Emotet botnet is a network of compromised computers that have been infected with Emotet malware. Emotet malware is an information stealer and malware downloader that has been used to distribute a variety of banking Trojans, including the TrickBot Trojan.

Emotet hijacks email accounts and uses them to send spam emails containing malicious links and email attachments, commonly Word documents and Excel spreadsheets containing malicious macros. If the macros are allowed to run, a PowerShell script is launched that silently downloads Emotet malware. Emotet malware can also spread to other devices on the network and all infected devices are added to the botnet.

The emails being used in the campaign are similar to previous campaigns. They use fairly simple, yet effective lures to target businesses, typically fake invoices, purchase orders, receipts, and shipping notifications. The messages often only include one line of text requesting the recipient click a link or open the email attachment. The emails are often personalized and contain the name of the targeted company and typically have a subject line starting with “RE:” that suggests the email has been sent in response to an email previously sent by the targeted individual – RE: Invoice 422132, for example. Several of the emails in this campaign have an attachment called “electronic.form.”

The latest campaign was been detected by several security companies. The first test emails were sent on July 13, and the spam campaign commenced on July 17. Proofpoint detected 30,000 messages on July 17, but now around 250,000 emails are being sent each day.

Malwarebytes rates Emotet as the biggest malware threat of 2018 and 2019, even with the regular breaks in botnet activity. Typically, activity stops around holiday periods for a few days or weeks, but the latest hiatus is one of the longest breaks in activity since the malware first appeared.

Emotet itself is a dangerous malware variant, but it is the additional payloads that Emotet downloads that cause the most damage. The TrickBot Trojan is a modular malware that can perform a range of malicious functions, such as stealing login information, sensitive files and emails, and Bitcoin wallets. The TrickBot Trojan often downloads Ryuk ransomware after the operators have achieved their own objectives.

If Emotet malware is detected, a rapid response is required to isolate the infected device and remove the malware. If Emotet is found on one device, it is likely that other devices will also have been compromised.

To reduce the risk of infection, organizations should send an alert to their employees warning them of the threat and advising them to take extra caution, especially with emails containing Word documents and Excel spreadsheets, even if those emails appear to have been sent from trusted contacts.

The post Emotet Botnet Reactivated and Sending Large Volumes of Malicious Emails appeared first on HIPAA Journal.