Security Alerts & News
by Tymoteusz A. Góral

History
#1032 US Healthcare records offered for sale online
Three US healthcare organisations are reportedly being held to ransom by a hacker who stole data on hundreds of thousands of patients.

The hacker has also put the 650,000 records up for sale on dark web markets where stolen data is traded.

Prices for the different databases range from $100,000 (£75,000) to $411,000.

Buyers have already been found for some of the stolen data, the hacker behind the theft told news site Motherboard.

No information about the size of the ransom payment sought by the data thief has emerged, although he did say it was "a modest amount compared to the damage that will be caused to the organisations when I decide to publicly leak the victims".

The organisations from which the data was stolen are known to be based in Missouri, Georgia and the Midwest. The attacker told Motherboard that he would not name them, to give them a chance to pay up.
#1031 Malicious app found on Google Play, steals Viber photos and videos
Symantec has discovered an app on Google Play that steals photos and videos from the popular messaging app Viber. Beaver Gang Counter masquerades as a score-keeping app for a popular card game but secretly searches for media files belonging to the Viber app and sends them to a remote server.
#1030 New exploits target hospital devices, placing patients at risk
It is not just enterprises, banks and individuals that are targeted by cybercriminals looking to cash in on data and drain bank accounts.

Things have taken a more sinister turn with the introduction, and evolution, of attacks designed specifically to compromise medical devices, which puts both patient health and patient information at serious risk.

A new report released by security firm TrapX on Monday highlights how this trend is becoming more serious, and healthcare organizations must take note of these emerging threats before it is too late.

We have already seen ransomware attacks against hospitals this year that successfully disrupted critical services and took down entire systems, with some hospitals giving in and paying a ransom to resume operating.

That kind of malware, although often devastating for victims and capable of immense disruption, is not in the same category as attacks that strike hospitals in order to tamper with the devices themselves and the data they hold.
#1029 Bart ransomware shows it can be effective without sophisticated encryption
Most ransomware programs encrypt files with a locally generated AES (Advanced Encryption Standard) key, which is then itself encrypted with the public half of an RSA key pair. The private key, which is needed for decryption, ends up only on a command-and-control server operated by the attackers: when the pair is generated on the victim's machine, the private key is uploaded there and deleted from the local computer, so the files cannot be recovered without dealing with the attackers.

Bart does not use public-key cryptography such as RSA at all. It scans for files with certain extensions -- music, photos, videos, archives, documents, databases and more -- and locks each one in a password-protected ZIP archive named original_name.extension.bart.zip.

The ZIP format supports AES encryption natively (the WinZip AES extension), so Bart's creators did not need to implement AES themselves, an error-prone job. That does not mean Bart is flawless, but, at least for now, there is no known way to recover the affected files. One check worth making on any password-protected ZIP, these included, is which of the format's two encryption schemes an archive actually uses: the legacy ZipCrypto stream cipher falls to a known-plaintext attack given one unencrypted copy of a file in the archive, whereas the AES extension does not, and the archive's headers record which one was used.

Because it does not use public-private key pairs, the new ransomware program does not need a command-and-control server either, which significantly reduces its creators' development and infrastructure costs. It also means the decryption password must be recoverable from the unique ID the victim later submits (for example, derived from it with a secret only the attackers hold), so the strength of the whole scheme rests on how that derivation is done.
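To make the cipher check concrete, here is an added triage script (not Bart's code and not from the original article) that recognises the original_name.extension.bart.zip naming pattern and reads each archive's central directory to report whether entries are unencrypted, ZipCrypto-protected (known-plaintext attack applies) or protected by the WinZip AES extension, and at what key size. The sample archives are constructed in memory with the headers an encrypting tool would write; their contents are placeholder bytes, not real ciphertext.

```python
"""Triage of password-protected ZIP archives such as the ones Bart leaves behind.

Added example, not Bart's code. Sample archives are constructed in memory with
the flags and extra fields an encrypted entry carries; no encryption is done.
"""
import re
import struct
import zlib

# Bart's reported naming: original_name.extension.bart.zip
BART_NAME = re.compile(r"^(?P<orig>.+\.[^.]+)\.bart\.zip$", re.IGNORECASE)

LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"
FLAG_ENCRYPTED = 0x0001   # general-purpose flag bit 0
METHOD_AES = 99           # WinZip AES marker; the real method sits in the extra field
AES_EXTRA_ID = 0x9901     # WinZip AES extra field header ID
AES_STRENGTH = {1: 128, 2: 192, 3: 256}


def build_zip(entries):
    """Build a minimal archive from (name, data, flags, method, extra) tuples.
    Headers are written as an encrypting tool would write them; `data` is stored
    verbatim, so this is only for constructing test input."""
    body, central = bytearray(), bytearray()
    for name, data, flags, method, extra in entries:
        fname, crc, offset = name.encode(), zlib.crc32(data) & 0xFFFFFFFF, len(body)
        body += struct.pack("<4sHHHHHLLLHH", LOCAL_SIG, 20, flags, method, 0, 0,
                            crc, len(data), len(data), len(fname), len(extra))
        body += fname + extra + data
        central += struct.pack("<4sHHHHHHLLLHHHHHLL", CENTRAL_SIG, 20, 20, flags,
                               method, 0, 0, crc, len(data), len(data),
                               len(fname), len(extra), 0, 0, 0, 0, offset)
        central += fname + extra
    cd_offset = len(body)
    body += central
    body += struct.pack("<4sHHHHLLH", EOCD_SIG, 0, 0, len(entries), len(entries),
                        len(central), cd_offset, 0)
    return bytes(body)


def aes_key_bits(extra):
    """Return the AES key size from a WinZip 0x9901 extra field, or None."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack("<HH", extra[pos:pos + 4])
        field = extra[pos + 4:pos + 4 + size]
        if header_id == AES_EXTRA_ID and len(field) >= 7:
            _ver, vendor, strength, _real_method = struct.unpack("<H2sBH", field[:7])
            if vendor == b"AE":
                return AES_STRENGTH.get(strength)
        pos += 4 + size
    return None


def classify_entry(name, flags, method, extra):
    """Decide which ZIP cipher protects an entry and whether it is attackable."""
    encrypted = bool(flags & FLAG_ENCRYPTED)
    if not encrypted:
        cipher = "none"
    elif method == METHOD_AES:
        bits = aes_key_bits(extra)
        cipher = f"AES-{bits}" if bits else "AES (strength unknown)"
    else:
        cipher = "ZipCrypto"  # legacy stream cipher: known-plaintext attack applies
    return {"name": name, "encrypted": encrypted, "cipher": cipher,
            "known_plaintext_attack": cipher == "ZipCrypto"}


def inspect_zip(blob):
    """Walk the central directory (local headers may lack sizes when bit 3 is set)."""
    eocd = blob.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, cd_offset, _ = struct.unpack("<4sHHHHLLH", blob[eocd:eocd + 22])
    pos, entries = cd_offset, []
    for _ in range(count):
        f = struct.unpack("<4sHHHHHHLLLHHHHHLL", blob[pos:pos + 46])
        if f[0] != CENTRAL_SIG:
            raise ValueError("corrupt central directory")
        flags, method, fnlen, exlen, cmlen = f[3], f[4], f[10], f[11], f[12]
        name = blob[pos + 46:pos + 46 + fnlen].decode("utf-8", "replace")
        extra = blob[pos + 46 + fnlen:pos + 46 + fnlen + exlen]
        entries.append(classify_entry(name, flags, method, extra))
        pos += 46 + fnlen + exlen + cmlen
    return entries


def triage(archive_name, blob):
    """Combine the Bart naming check with the per-entry cipher check."""
    m = BART_NAME.match(archive_name)
    return {"archive": archive_name, "bart_naming": m is not None,
            "original_name": m.group("orig") if m else None,
            "entries": inspect_zip(blob)}


def sample_archives():
    """Constructed samples: one AES-256 entry, one ZipCrypto entry, one plain entry."""
    aes_extra = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 0)  # AE-2, AES-256, stored
    return {
        "budget.xlsx.bart.zip": build_zip([("budget.xlsx", b"<ciphertext>", FLAG_ENCRYPTED, METHOD_AES, aes_extra)]),
        "notes.txt.bart.zip": build_zip([("notes.txt", b"<ciphertext>", FLAG_ENCRYPTED, 0, b"")]),
        "backup.zip": build_zip([("readme.txt", b"hello", 0, 0, b"")]),
    }


if __name__ == "__main__":
    for fname, blob in sample_archives().items():
        print(triage(fname, blob))
```

Run against a real sample, `inspect_zip(open(path, "rb").read())` is all that is needed; the central directory is used rather than the local headers because entries written with a data descriptor carry zero sizes in their local header, and the cipher indication (flag bit 0, method 99 and the 0x9901 field) is duplicated in the central directory anyway.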

The attackers run only a Tor-hosted payment gateway where victims submit their malware-generated unique ID, pay the ransom in bitcoin and receive a decryptor. The ransom is 3 bitcoins, around US$1,920 at the time, which is high, especially for a victim that is not a company.
#1028 A massive botnet of CCTV cameras involved in ferocious DDoS attacks
A botnet of over 25,000 bots lies at the heart of recent DDoS attacks ferociously targeting businesses around the world. More precisely, these are massive Layer 7 DDoS attacks: floods of HTTP requests that overwhelm web servers, exhaust their resources and eventually crash websites.

US-based security vendor Sucuri discovered this botnet, very active in the last few weeks, and says it is mainly composed of compromised CCTV systems from around the world.

Sucuri first encountered the botnet when a jewelry shop facing a prolonged DDoS attack moved its website behind Sucuri's main product, a WAF (Web Application Firewall).

Sucuri expected this case to go like the others: once a company moves its site behind the WAF, the attack is blocked and the attacker eventually moves on to other targets.

Instead, they were in for a surprise. The initial attack was a Layer 7 DDoS of over 35,000 HTTP requests per second hitting the server and tying up its memory with junk traffic; as soon as the attackers saw the site move behind the WAF, they ramped the attack up to 50,000 requests per second.

For Layer 7 attacks this is an extraordinarily large number, enough to drive any single server into the ground. And it did not stop there: the attackers kept the assault at that level for days.
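The figures above are what you would read off a per-second request count, and the part that makes an IoT botnet hard to mitigate is how that load is spread across sources. The following is an added example (not Sucuri's code and not from the original article): it parses Common Log Format access-log lines, buckets requests per second, flags seconds above a threshold, and for each reports how many distinct clients were involved and what share of the load the ten busiest clients account for. The log lines are constructed by the script itself, the bot addresses are made up (10.0.0.0/8), and the volumes are scaled down from the 35,000 to 50,000 req/s in the article.

```python
"""Per-second request-rate analysis of web-server access logs, for spotting a
Layer 7 (HTTP flood) attack and telling a distributed botnet from a few noisy
clients. Added example; log lines and addresses below are constructed.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format prefix: client, ident, user, [timestamp], "request line"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (client_ip, second, request) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    when = datetime.strptime(m.group("ts"), TS_FMT).replace(microsecond=0)
    return m.group("ip"), when, m.group("req")


def analyse(lines, rps_threshold):
    """Bucket requests per second; flag seconds over the threshold and describe
    how the load is spread across sources (a botnet shows many low-rate IPs)."""
    per_second = Counter()
    sources = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, second, _ = parsed
        per_second[second] += 1
        sources[second][ip] += 1
    flagged = []
    for second in sorted(per_second):
        total = per_second[second]
        if total < rps_threshold:
            continue
        top10 = sum(n for _, n in sources[second].most_common(10))
        flagged.append({"second": second.isoformat(), "rps": total,
                        "distinct_sources": len(sources[second]),
                        "top10_share": top10 / total})
    return {"peak_rps": max(per_second.values(), default=0), "flagged": flagged}


# Constructed legitimate clients (documentation range 192.0.2.0/24)
LEGIT = ["192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14"]


def synthetic_log(start, seconds, bots, rps_per_bot, legit_rps):
    """Constructed log: legitimate traffic every second, bot flood from second 1 on."""
    lines = []
    for s in range(seconds):
        stamp = (start + timedelta(seconds=s)).strftime(TS_FMT)
        for k in range(legit_rps):
            lines.append(f'{LEGIT[k % len(LEGIT)]} - - [{stamp}] "GET / HTTP/1.1" 200 512')
        if s == 0:
            continue
        for i in range(bots):
            ip = f"10.{(i >> 8) & 255}.{i & 255}.1"  # made-up bot address
            for _ in range(rps_per_bot):
                lines.append(f'{ip} - - [{stamp}] "GET /?q={i} HTTP/1.1" 200 512')
    return lines


def demo():
    """500 bots at 2 req/s each on top of 10 req/s of legitimate traffic."""
    log = synthetic_log(datetime(2016, 6, 27, 10, 0, tzinfo=timezone.utc),
                        seconds=3, bots=500, rps_per_bot=2, legit_rps=10)
    return analyse(log, rps_threshold=200)


if __name__ == "__main__":
    for row in demo()["flagged"]:
        print(row)
```

The `top10_share` figure is the one to watch: when the ten busiest clients carry only a few percent of the load, per-IP rate limiting will not help, and mitigation has to move to request-level signatures or challenge pages of the kind a WAF applies. For a real log, `analyse(open(path).readlines(), threshold)` is all that is needed.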