Equifax Security Breach Synopsis

Posted by: Greyson Schwing      Date: September 08, 2017

On September 7, 2017, Equifax publicly announced a major data security breach affecting up to 143 million individuals whose personal information, including Social Security Numbers, was exposed to criminals. The root cause was web server software (Apache Struts) that had not been patched with a security patch made available in April (CVE-2017-5638). The breach was followed by a series of missteps by Equifax leadership, including a limitation-of-liability clause imposed on individuals who registered on a dedicated Equifax website to determine whether they were victims (Equifax has since walked this requirement back).

On September 15th, Equifax announced that they replaced the Chief Information Officer (David Webb) and the Chief Information Security Officer (Susan Mauldin) with interim leaders.

The implications for enterprises that deal with consumers include a significant increase in the consumer demographic and personal information available on the dark web for criminals to use to bypass identity management controls that rely on passwords. Added to the more than 3 billion user credentials harvested in 2016, this drives the obsolescence of passwords.

The implications for the credit bureau industry and specifically Equifax are more significant.

Equifax announced on September 7, 2017 that a data breach at the company could have affected 143 million Americans. Information said to be compromised includes Social Security Numbers, birth dates, addresses, driver’s license numbers and, in some cases, credit card numbers. Even if you have never heard of Equifax or used them, they may still have your information. Equifax is one of the “big three” credit bureaus that report on and rate the credit history of U.S. consumers. They get their information from credit card companies, banks, retailers and lenders.

The breach was discovered on July 29th of this year, and Equifax immediately stopped the intrusion. The company engaged a leading outside cybersecurity firm to conduct a review and determine the scope of the breach. The company also notified local law enforcement and continues to work with authorities as the investigation is ongoing.

Equifax will NOT be contacting everyone that was affected. They will only send mail notices to those whose credit card numbers or dispute records were accessed. The company is suggesting that you sign up for the free credit file monitoring service offered through TrustedID Premier (https://www.equifaxsecurity2017.com/trustedid-premier/).

  • Visit https://www.equifaxsecurity2017.com/ to get all of your questions answered and to sign up for the free credit monitoring
  • Equifax has set up a designated phone line, 866-447-7559, for questions
  • Review your bank statements and credit card statements regularly (weekly is recommended). If you see unauthorized activity, immediately report it to the bank or credit card company
  • Request a copy of your credit report. You are entitled to a free credit report once a year from each of the three major credit reporting agencies (Equifax, TransUnion and Experian)
  • Place fraud alerts on your credit reports. Lenders must then verify your identity before issuing credit in your name
  • For a fee, you can place a long-term freeze on your account. This takes your credit report out of circulation, and credit cannot be issued unless you lift the freeze
  • Visit the Federal Trade Commission’s website, ftc.gov/idtheft, for additional information on how to protect yourself

Open source information:

https://www.equifaxsecurity2017.com/

https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/

http://money.cnn.com/2017/09/07/technology/business/equifax-data-breach/

8-31-17 Harvey Update (1700Z)

Posted by: Greyson Schwing      Date: August 31, 2017

This information is marked TLP White; Subject to standard copyright laws. TLP: White information may be distributed without restriction.

*Any reproduction or reposting of this content requires proper credit/attribution to NH-ISAC.

Please note that this is still an ongoing flooding event for many areas as this system moves eastward across Eastern Texas into Louisiana. Rescue / response teams are fully engaged in response activities. As flood waters recede, concern for displaced personnel continues to be a priority. Release of stored water at dam impounds has increased flooding to many.

Operational Priorities remain the same – summarized as:
  • Protection of life and property.
  • Support of rapid & effective response
  • Collection and dissemination of accurate incident information to improve decision-making.
  • Accurate recording of incident costs associated with assigned resources for cost recovery.

Quick Look:
  • Flooding rains continue across far eastern Texas and western Louisiana with heavy rainfall spreading northeastward through the lower Mississippi valley today and into the Tennessee and Ohio valleys and central Appalachians over the next day or two…
  • The center of tropical depression Harvey continues to move north-northeast and the center of the storm will cross from Louisiana into Mississippi around noon.
  • This forecast track takes Harvey into northern Mississippi by Thursday evening, middle Tennessee by Friday, and into the Ohio valley states on Saturday as a post-tropical low.
  • No significant rainfall is expected to affect the areas impacted by Harvey over the next three days.
  • There will be increased chances for rain along the Texas coast and into southeast Texas. There is the potential for another tropical system to develop in the Gulf of Mexico early next week.

SITREP
  • HOU and IAH airports have been reopened.
  • Extensive major flooding and loss of power.
  • Looting remains a concern for both residents and first responders.
  • Transportation – Access/Re-Entry information: for those with vehicles carrying “life-saving or life-sustaining commodities,” you can coordinate access through the Region 6 private sector desk (R6-privatesector@fema.dhs.gov). This is NOT for finding transportation vehicles.
  • What life-safety commodities are you transporting? (Only life-saving/life-sustaining commodities will be allowed)
  • How many trucks, and how are trucks marked?
  • What is the end destination and known route?
  • What IDs do drivers have?
  • ETA for destination?
  • Law enforcement must have all information being requested in order to work your access!!!
  • The cascading hazard of cyber threat “bad actors” has not yet materialized. Everyone should nonetheless be aware of scams such as phishing and vishing, as well as opportunistic attacks.
  • Verify your intended charitable contribution.

Links of interest:

Sheltering and Immediate Assistance Available after Hurricane Harvey

https://www.fema.gov/news-release/2017/08/30/sheltering-and-immediate-assistance-available-after-hurricane-harvey

National Hurricane Center:

http://www.nhc.noaa.gov/graphics_at4.shtml?cone#contents

Texas Department of Transportation Hurricane Harvey Information

http://www.txdot.gov/inside-txdot/division/traffic/safety/weather/hurricane.html

Chemical Hazards in Floods & Disasters

http://www.sciencecorps.org/Chemical_Hazards_in_Floods_and_Disasters.pdf

ASPR TRACIE – Tips for Retaining and Caring for Staff After a Disaster

https://asprtracie.s3.amazonaws.com/documents/tips-for-retaining-and-caring-for-staff-after-disaster.pdf

CDC- After a Hurricane: Key Facts About Infectious Disease

https://www.cdc.gov/disasters/hurricanes/pdf/infectiousdisease.pdf

CDC – Flood Water After a Disaster or Emergency

https://www.cdc.gov/disasters/floods/cleanupwater.html

FEMA Flood tips

https://www.ready.gov/floods

8-29-17 Tropical Storm Harvey (1700Z)

Posted by: Greyson Schwing      Date: August 29, 2017

This information is marked TLP White; Subject to standard copyright laws. TLP: White information may be distributed without restriction.

*Any reproduction or reposting of this content requires proper credit/attribution to NH-ISAC.

Please note that this is still an ongoing event for many areas, as rescue/response teams are in an early response “posture.” Initial damage assessments are being performed. However, all activities are prioritized per the following guidelines:

Operational Priorities are summarized as:
  • Protection of life and property.
  • Support of rapid & effective response
  • Collection and dissemination of accurate incident information to improve decision-making.
  • Accurate recording of incident costs associated with assigned resources for cost recovery.

Quick Look:
  • Tropical Storm Harvey continues to produce devastating flooding as it slowly moves back towards the Texas coast.
  • Heavy rains continue to spread over the Houston area and other locations in southeastern Texas and southern Louisiana, exacerbating what is already a catastrophic flood event.
  • Rainfall totals of nearly 50 inches have been observed at several locations in the Greater Houston area and southeastern Texas.
  • Storm totals could reach higher amounts in some locations, which would be historic for the area.
  • Texas Gov. Greg Abbott activated his state’s entire National Guard, deploying 12,000 servicemen to respond to the hurricane.
  • The Harris County Sheriff’s Office used motorboats, airboats, and other vehicles to rescue more than 2,000 people in the greater Houston area on Sunday, a spokesman said.
  • The National Weather Service has issued flood watches and warnings from near San Antonio to New Orleans, an area home to more than 13 million people.

SITREP
  • Rescue operations continue with the use of public and private sector volunteer activities.
  • Release of water behind dams has increased flooding and the extent of its duration.
  • Concerns for biological / environmental hazards such as sewage / chemical infiltration are rising; toxicity and hazards to humans are of concern.
  • Substantial road closures in the impacted areas are affecting rescue and response activities.
  • Both IAH and HOU airports remain closed. Possible reopening on the 30th/31st.

Links of interest.
National Hurricane Center:

http://www.nhc.noaa.gov/graphics_at4.shtml?cone#contents

Texas Department of Transportation Hurricane Harvey Information

http://www.txdot.gov/inside-txdot/division/traffic/safety/weather/hurricane.html

Chemical Hazards in Floods & Disasters

http://www.sciencecorps.org/Chemical_Hazards_in_Floods_and_Disasters.pdf

CDC – Flood Water After a Disaster or Emergency

https://www.cdc.gov/disasters/floods/cleanupwater.html

FEMA Flood tips

https://www.ready.gov/floods

Airport Status

http://www.fly.faa.gov/flyfaa/scmap.jsp

8-28-17 Tropical Storm Harvey (1200Z)

Posted by: Greyson Schwing      Date: August 28, 2017

This information is marked TLP White; Subject to standard copyright laws. TLP: White information may be distributed without restriction.

*Any reproduction or reposting of this content requires proper credit/attribution to NH-ISAC.

Please note that this is still an ongoing event and in a “ride-out and early response” posture. Unmet-needs mitigation/response and recovery operations are not yet occurring unless the activity can be performed per the priorities.

Operational Priorities are summarized as:
  • Protection of life and property.
  • Support of rapid & effective response
  • Collection and dissemination of accurate incident information to improve decision-making.
  • Accurate recording of incident costs associated with assigned resources for cost recovery.

Quick Look:
  • Tropical Storm Harvey continues to produce devastating flooding as it slowly moves back towards the Texas coast.
  • Sustained winds of 40 mph with higher gusts. The center of the storm is located about 15 miles north-northeast of Port O’Connor and is slowly moving southeast at three mph.
  • The primary threat with this storm over the next few days will remain the devastating, life-threatening flooding.
  • Tornadoes are likely within the storm’s rain bands over the next couple of days near the upper Texas coast.

SITREP
  • Mandatory / voluntary evacuations underway across impacted areas.
  • The Army Corps of Engineers is relieving dam pressure through controlled releases. Impacts to lower regions are anticipated as a result.
  • Concerns for biological / environmental hazards such as sewage / chemical infiltration are rising.
  • Fuel availability along evacuation routes is of concern but not critical.

Links of interest.
National Hurricane Center:

http://www.nhc.noaa.gov/graphics_at4.shtml?cone#contents

Texas Department of Transportation Hurricane Harvey Information

http://www.txdot.gov/inside-txdot/division/traffic/safety/weather/hurricane.html

Chemical Hazards in Floods & Disasters

http://www.sciencecorps.org/Chemical_Hazards_in_Floods_and_Disasters.pdf

FEMA Flood tips

https://www.ready.gov/floods

NH-ISAC Threat Intel Committee Advisory on Improved Petya (1530 EDT 28 June 2017)

Posted by: Greyson Schwing      Date: June 28, 2017

*Any reproduction or reposting of this content requires proper credit / attribution to NH-ISAC.

This information is marked TLP White for widest distribution. Subject to standard copyright rules, TLP: WHITE information may be distributed without restriction.

Update summarizing NH-ISAC’s current understanding of the event, the ransomware, its capabilities, and custom-developed mitigations.

What is it?

Petya is a derivative of GoldenEye commodity ransomware, equipped with several self-replicating mechanisms.  The self-replicating behavior is what sets it apart from other ransomware, and it is directly responsible for widespread impact.

What is the initial infection vector?

The only confirmed infection vector is a MeDoc update. MeDoc is accounting software in widespread use in Ukraine, produced by a Ukrainian company. Virtually all Ukrainian companies, in virtually all sectors, use MeDoc; this includes American companies operating in Ukraine. The MeDoc software suite features an auto-update mechanism through which software updates are distributed to clients. In May 2017, an unidentified attacker compromised the MeDoc auto-update server and caused it to distribute XData malware to MeDoc customers. Yesterday, a different (or possibly the same) attacker compromised the MeDoc auto-update servers and caused them to distribute the Petya malware. This is the only confirmed initial infection vector at this time.

Additionally, MeDoc appears to still be compromised. We found a webshell backdoor on their main website, and we were able to obtain a copy of the file. MeDoc was made aware of this discovery.

Kaspersky researchers tweeted that Petya was additionally distributed through a watering hole attack using a compromised Ukrainian news site. This report is unconfirmed at this time.

There are no known methods of initial infection other than ones listed above. To put it explicitly – there are no known instances of spread through email, driveby downloads, exploit kits or any other means traditionally associated with delivering malware.

How does it spread?

Once a machine is infected, Petya uses several mechanisms to attempt to spread to other computers, and it uses several mechanisms to decide which computers to attempt to spread to.

To determine which hosts to attempt to infect, Petya uses more than one mechanism. The first is a call to the WNetOpenEnum Windows API, which returns all active SMB connections on the infected computer. Each of these connections will be targeted regardless of which network it is in. For example, if the infected computer has a mapped drive to a file server on a completely different network, that file server will be targeted by Petya.

The second mechanism is a scan of the local network, as defined by the IP address and network mask of the infected computer.  For example, if the infected machine is 10.0.0.5/255.255.0.0, Petya will target all IPs from 10.0.0.0 to 10.0.255.255.

Petya will attempt to copy itself to each identified target. In order to copy the file to the target machine, Petya harvests credentials from the infected system. There are two types of harvest Petya appears to implement. The first is a call to CredEnumerateW, which returns the stored credentials of the currently logged-on user. The second appears to be Mimikatz (which requires administrative privileges).

In order to copy itself to targets, Petya will attempt to connect to the ADMIN$ share of each identified target, using the harvested credentials until it either succeeds or it runs out of credentials.  On success, Petya copies itself to C:\Windows\perfc.dat on the target machine.

As a final step, Petya will attempt to execute the new copy of itself on the target.  For this, it uses two methods as well.  First it will invoke psexec. If that approach fails, it will try to do it using WMI.

If the approaches above have failed to result in execution on the target, as a final resort Petya will attempt to use the ETERNALBLUE and ETERNALROMANCE exploits to both copy and execute itself on the target. The vulnerabilities targeted by these exploits were patched some months ago under MS17-010.
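Added example (not NH-ISAC’s code, and not part of the original advisory): detection logic for the spread pattern just described, a single source connecting to the ADMIN$ share of many hosts and writing perfc.dat within a short window. It runs over constructed records that mirror the fields of Windows Security event 5145 (Detailed File Share); the record field names, sample hosts and accounts, and the thresholds are this example’s assumptions.

```powershell
# Added example, not NH-ISAC's code. Records below are CONSTRUCTED to mirror
# the fields of Security event 5145 (Detailed File Share, enabled by the
# "Audit Detailed File Share" subcategory). On a real collector you would
# build the same objects from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=5145}.
$SampleEvents = @(
    # One-off admin copy to a single host: not enough targets to alert.
    [pscustomobject]@{ Time = [datetime]'2017-06-27T11:02:10'; Source = '10.0.0.40'; Account = 'CORP\jdoe';       Share = '\\*\ADMIN$'; Target = 'procmon.exe'; Server = 'WS17' },
    # Burst from one workstation using a harvested service account: alert.
    [pscustomobject]@{ Time = [datetime]'2017-06-27T13:00:01'; Source = '10.0.0.5';  Account = 'CORP\svc_backup'; Share = '\\*\ADMIN$'; Target = 'perfc.dat';   Server = 'FS01' },
    [pscustomobject]@{ Time = [datetime]'2017-06-27T13:00:03'; Source = '10.0.0.5';  Account = 'CORP\svc_backup'; Share = '\\*\ADMIN$'; Target = 'perfc.dat';   Server = 'WS22' },
    [pscustomobject]@{ Time = [datetime]'2017-06-27T13:00:04'; Source = '10.0.0.5';  Account = 'CORP\svc_backup'; Share = '\\*\ADMIN$'; Target = 'perfc.dat';   Server = 'WS23' },
    [pscustomobject]@{ Time = [datetime]'2017-06-27T13:00:06'; Source = '10.0.0.5';  Account = 'CORP\svc_backup'; Share = '\\*\ADMIN$'; Target = 'perfc.dat';   Server = 'SQL02' },
    # Same file name, but a single host hours earlier: below threshold.
    [pscustomobject]@{ Time = [datetime]'2017-06-27T09:15:00'; Source = '10.0.0.77'; Account = 'CORP\svc_deploy'; Share = '\\*\ADMIN$'; Target = 'perfc.dat';   Server = 'WS01' }
)

function Find-PetyaSpread {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinTargets = 3,                              # distinct hosts needed to alert
        [timespan] $Window = [timespan]::FromMinutes(10)    # burst window
    )
    # Keep only the writes the advisory describes: perfc.dat into \\*\ADMIN$.
    $hits = $Events | Where-Object {
        $_.Share -eq '\\*\ADMIN$' -and $_.Target -like '*perfc.dat'
    }

    $alerts = @()
    foreach ($bySource in ($hits | Group-Object -Property Source)) {
        $sorted = @($bySource.Group | Sort-Object -Property Time)
        foreach ($first in $sorted) {
            # Distinct servers this source reached within $Window of this event.
            $burst = $sorted | Where-Object {
                $_.Time -ge $first.Time -and $_.Time -lt $first.Time.Add($Window)
            }
            $servers = @($burst | Select-Object -ExpandProperty Server -Unique)
            if ($servers.Count -ge $MinTargets) {
                $alerts += [pscustomobject]@{
                    Source    = $bySource.Name
                    Accounts  = @($burst | Select-Object -ExpandProperty Account -Unique)
                    FirstSeen = $first.Time
                    Servers   = $servers
                }
                break   # one alert per source is enough
            }
        }
    }
    return $alerts
}

# A vaccine rollout that pushes perfc over ADMIN$ from one jump host produces
# exactly this pattern, so exclude that host or account before paging anyone.
Find-PetyaSpread -Events $SampleEvents | Format-List
```

With the sample data only 10.0.0.5 is reported, with four servers reached in five seconds; the other two sources stay below the threshold.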

As with any patch/update, any modifications should be evaluated before implementation by your appropriate system security personnel. NH-ISAC Threat Intel Committee has vetted the following mitigations to the extent available.

Killswitch / Vaccine

On execution, the known Petya samples delete themselves and perform a check to verify if this deletion is successful. If the file is still present, Petya will exit. This behavior can be turned into a protection mechanism of sorts.  If you create a vaccine file:

            C:\Windows\perfc

and set the permissions of the file to deny write permissions to everyone, including system administrators, infection can’t succeed as Petya will be unable to copy itself over.

Keep in mind that some security tools operate on very simple signatures, and it’s possible you’ll get alerts. This prevents all currently known lateral spread methods.
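Added example (not the advisory’s own script): PowerShell that creates the vaccine file named above, denies write access to it for Everyone, and then checks that a write really fails. It assumes an elevated shell; covering C:\Windows\perfc.dat as well (the name Petya writes on remote targets) is this example’s choice, and the function names are hypothetical.

```powershell
# Added example, not NH-ISAC's script. Run from an elevated PowerShell.
# C:\Windows\perfc is the path the advisory gives; perfc.dat is added here
# because it is the name Petya drops on remote targets.
$VaccinePaths = @('C:\Windows\perfc', 'C:\Windows\perfc.dat')

function Set-PetyaVaccine {
    param([Parameter(Mandatory)] [string] $Path)

    # An empty file is enough: the dropper only checks that the path exists.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }
    # The read-only attribute is a first, cheap barrier.
    (Get-Item -LiteralPath $Path).IsReadOnly = $true

    # Explicit Deny ACE for Everyone (S-1-1-0). Deny entries are evaluated
    # before Allow entries, so this also covers local administrators, while
    # the inherited Allow rules from C:\Windows still permit reading.
    $everyone = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-1-0'
    $rights   = [System.Security.AccessControl.FileSystemRights] 'Write, Delete'
    $deny     = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                           -ArgumentList $everyone, $rights, 'Deny'

    $acl = Get-Acl -LiteralPath $Path
    $acl.AddAccessRule($deny)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

function Test-PetyaVaccine {
    param([Parameter(Mandatory)] [string] $Path)
    # True only if the file exists AND an append attempt is refused.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try {
        Add-Content -LiteralPath $Path -Value 'x' -ErrorAction Stop
        return $false    # the write went through: the vaccine is not protected
    } catch {
        return $true
    }
}

foreach ($p in $VaccinePaths) {
    Set-PetyaVaccine -Path $p
    $state = if (Test-PetyaVaccine -Path $p) { 'protected' } else { 'NOT protected' }
    Write-Output "$p : $state"
}
```

An administrator can still take ownership and rewrite the ACL, so the deny entry stops the malware’s copy, not a deliberate operator; re-run the test after any endpoint-management job that touches C:\Windows.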

Other mitigations:

  • If Petya is unable to reach ports 139 and 445 it can’t spread.  Local firewalls can facilitate this.
  • If Petya is unable to mount the ADMIN$ share it can’t spread (except through the exploits). You can administratively disable the ADMIN$ share through GPO.
  • Apply Microsoft Patch MS17-010 to all internal systems.
  • Enable protective signatures on all security devices to prevent EternalBlue from spreading.

CONFIRMED Technical IOCs

Targeted extensions:

.3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip

IOCs:

  • 71b6a493388e7d0b40c83ce903bc6b04 (main 32-bit DLL) – https://www.virustotal.com/en/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/
  • e285b6ce047015943e685e6638bd837e (main 32-bit DLL) – https://www.virustotal.com/en/file/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1/analysis/

Drops:

  • 7e37ab34ecdcc3e77e24522ddfd4852d (64-bit EXE) – https://www.virustotal.com/en/file/02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f/analysis/
  • 2813d34f6197eb4df42c886ec7f234a1 (32-bit EXE) – https://www.virustotal.com/en/file/eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998/analysis/

Attacker email (decryption key request after payment): wowsmith123456@posteo.net

Bitcoin wallet: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX (https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX)

*Any reproduction or reposting of this content requires proper credit / attribution to NH-ISAC.

NH-ISAC Alert: TLP White distribution regarding ongoing Petya attack

Posted by: Greyson Schwing      Date: June 27, 2017

This information is marked TLP White: Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

*Any reproduction or reposting of this content requires proper credit / attribution to NH-ISAC.

Summary

This new ransomware attack was first observed on June 27, 2017. The impacted entities are mostly focused in the EU at this time but we do have reports of a US healthcare entity being impacted as well. Multiple sectors including financial, telecom, transportation, healthcare and energy have reported that their operations are impacted.

The initial infection vector is still unknown at this time.

There are public reports that Petya is using ETERNALBLUE/DOUBLEPULSAR for lateral movement, and that seems to be a part of it.  We can’t confirm this yet (still looking for code or behavior that would indicate eternalblue).

There is a lateral movement component that performs the following:

  1. Enumerate active connections using WNetOpenEnum
  2. Enumerate the current user’s credentials using CredEnumerateW
  3. Attempt to establish a connection to each enumerated machine using the enumerated credentials via WNetAddConnection2

After the malware executes, it will establish a scheduled task to reboot the machine after 1 hour. This will allow it time to infect other victims on the network. Once the reboot occurs, a fake CHKDSK screen appears and encrypts the master file table and displays the ransom message.

Technical Indicators

Targeted extensions:

.3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip

IOCs:

  • 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 – https://www.virustotal.com/en/file/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745/analysis/

Drops:

  • 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f – https://www.virustotal.com/en/file/02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f/analysis/

Attacker email: wowsmith123456@posteo.net

Bitcoin wallet: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX (https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX)

Ransomware Note:

Ooops, your important files are encrypted. If you see this text, then
your files are no longer accessible, because they have been encrypted.
Perhaps you are busy looking for a way to recover your files, but don’t
waste your time. Nobody can recover your files without our decryption
service.

We guarantee that you can recover all your files safely and easily. All
you need to do is submit the payment and purchase the decryption key.

Please follow the instructions:

Send $300 worth of Bitcoin to following address:

1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

Send your Bitcoin wallet ID and personal installation key to e-mail
wowsmith123456@posteo.net. Your personal installation key:

*************

If you already purchased your key, please enter it below/ Key:

*Any reproduction or reposting of this content requires proper credit / attribution to NH-ISAC.

Petya Ransomware Resource Information

Posted by: Greyson Schwing      Date: June 27, 2017

This information is marked TLP White; Subject to standard copyright laws. TLP: White information may be distributed without restriction.

*Any reproduction or reposting of this content requires proper credit/attribution to NH-ISAC.

Petya Ransomware Spreading Rapidly Worldwide, Just Like WannaCry

https://thehackernews.com/2017/06/petya-ransomware-attack.html

Massive GoldenEye Ransomware Campaign Slams worldwide users

https://labs.bitdefender.com/2017/06/massive-goldeneye-ransomware-campaign-slams-worldwide-users/

WannaCry Déjà Vu: Petya Ransomware Outbreak Wreaking Havoc Across the Globe

https://www.bleepingcomputer.com/news/security/wannacry-d-j-vu-petya-ransomware-outbreak-wreaking-havoc-across-the-globe/

Analysts Confirm Petya Using EternalBlue Exploit to Spread

https://twitter.com/threatintel/status/879716609203613698

Chaos as National Bank, State Power Provider and Airport Hit by Hackers

https://www-independent-co-uk.cdn.ampproject.org/c/www.independent.co.uk/news/world/europe/ukraine-cyber-attack-hackers-national-bank-state-power-company-airport-rozenko-pavlo-cabinet-a7810471.html?amp&utm_content=buffer0a3d8&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer

A Ransomware Outbreak Is Infecting Computers Across the World Right Now

https://motherboard.vice.com/en_us/article/qv4gx5/a-ransomware-outbreak-is-infecting-computers-across-the-world-right-now

May 16, 2017 WannaCry Update

Posted by: Greyson Schwing      Date: May 16, 2017

This information is marked TLP White; Subject to standard copyright laws. TLP: White information may be distributed without restriction.

*Any reproduction or reposting of this content requires proper credit/attribution to NH-ISAC.

On May 12, 2017 at 4:00am ET, multiple companies in Europe started reporting ransomware infections with the most damage impacting the National Health System (NHS) Trust in the UK and a large telecom company, Telefonica in Spain.

16 hospitals within the NHS have canceled surgeries, had their phone systems disabled or had to turn away emergency patients. It is reported that many of the affected hospitals were using an older version of Microsoft Windows, Windows XP, which is no longer supported by Microsoft.

This new ransomware variant is called “WannaCry / WCry / WanaCrypt0r”.

The total paid to the ransom campaign is being reported at approximately 207 payments across 3 bitcoin wallets, totaling 31 BTC or $55k. The actual revenue generated and the impact the ransomware had seem to be at odds.

Initial research shows that the ransomware is spreading using SMB vulnerability MS17-010 that was patched by Microsoft in March 2017. Microsoft has since taken the extraordinary step to send out a patch to Windows XP, Windows 8, and Windows Server 2003 versions of software.

No one has been able to pinpoint how this ransomware variant was initially distributed to victims, although several theories persist (malvertising, exploit kits, email spam, etc.). Remote Desktop Protocol (RDP), email, and phishing do not appear to be propagation vectors of the current variants.

Many of the large entities impacted had SMB exposed to the Internet, specifically port TCP-445. Some of that exposure has been remediated as part of the response to the WannaCry ransomware.

There were early reports in the media and the vendor community as information flowed in. The story was fast moving, and the event was being confused with indicators from another ransomware strain (JAFF), for example reports of WannaCry infections arriving via email, phishing or Remote Desktop Protocol (RDP). Researchers have since had time to digest and validate information and can now provide additional clarity: currently there is no evidence to support the theory that WannaCry is being distributed via a spam campaign or RDP. Be sure to check for factual reports from trusted sources like the NH-ISAC. Other phishing attacks are taking advantage of the situation.

Please also be aware that secondary scams (phishing and vishing) leveraging the WannaCry event for their own unrelated purposes are likely. Organization staff should be made aware and referred to proper communication channels for information.

POSSIBLE MITIGATION ACTIONS:

– Ensure all patches are up to date. Microsoft has patches available for all software versions, Windows XP and higher, specifically for MS17-010 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx).
– Issue a companywide communication alerting staff to this event and the proper remediation activities.
– Prevent delivery and download of .exe attachments, both direct and contained inside zip files.
– Ensure SMB (ports TCP-139 and especially TCP-445) is not permitted into your environment from external sources. Note especially 3rd-party connections, including VPNs.
– Apply anti-virus updates; many new updates have been provided since May 12th.
– Detect/block known hashes. There are multiple lists, including those shared with NH-ISAC membership.
– Block attempts to communicate to unauthorized and new domains.
– Review the list of IP hits against the sinkholed domain, keeping in mind some positive hits might be from your own security team.
– Continue to share and participate on NH-ISAC forums.

There is a wealth of information sharing with actionable IOCs and mitigation strategies including scripts and patching results being discussed over the NH-ISAC sharing mechanisms. NOW MORE THAN EVER you need to join the NH-ISAC and participate in the community. Your member dues (in many cases less than a cup of coffee per day) will pay you back ten-fold with the factual information and strategies. NH-ISAC serves as an extension to your security operation!

May 15, 2017 – US-Cert – Indicators Associated with WannaCry Ransomware

Posted by: Greyson Schwing      Date: May 15, 2017

This information is marked TLP White; Subject to standard copyright laws. TLP: White information may be distributed without restriction.

*Any reproduction or reposting of this content requires proper credit/attribution to NH-ISAC.

Full report can be read here, or viewed below.

US-CERT - TA17-132A Indicators Associated With WannaCry Ransomware - 15 ...

May 13, 2017 – HHS Update #2: International Cyber Threat to Healthcare Organizations

Posted by: Greyson Schwing      Date: May 13, 2017

This information is marked TLP White; Subject to standard copyright laws. TLP: White information may be distributed without restriction.

*Any reproduction or reposting of this content requires proper credit/attribution to NH-ISAC.

Where can I find the most up-to-date information from the U.S. government?

– For overall Cyber Situational Awareness visit the US-CERT National Cyber Awareness System webpage at: https://www.us-cert.gov/ncas

– NCCIC portal for those who have access: hsin.dhs.gov

– FBI FLASH: Indicators Associated With WannaCry Ransomware

https://content.govdelivery.com/attachments/USDHSCIKR/2017/05/13/file_attachments/816377/FLASH_WannaCry_FINAL.PDF

Where can I find the latest Microsoft Security Information?

Visit the Microsoft Update Catalog for the latest security updates – http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

ASPR TRACIE: Healthcare Cybersecurity Best Practices

Our message from May 12, 2017 including information on how to protect from email-based and open RDP ransomware attacks can be found on the TRACIE portal here – https://asprtracie.hhs.gov/documents/newsfiles/NEWS_05_13_2017_08_17_11.pdf

ASPR TRACIE (https://asprtracie.hhs.gov/) also has the best and promising healthcare cybersecurity practices available in our Technical Resources domain. Issue 2 of The Exchange (released in 2016 – https://asprtracie.hhs.gov/documents/newsletter/ASPR-TRACIE-Newsletter-The-Exchange-Issue-2.pdf) highlights lessons learned from a recent attack on a U.S. healthcare system and features articles that demonstrate how collaboration at all levels is helping healthcare facilities implement practical, tangible steps to prevent, respond to, and recover from cyberattacks. The video Cybersecurity and Healthcare Facilities (https://www.youtube.com/watch?v=sWTIIQZxAG4&feature=youtu.be&ab_channel=PHEgov) features subject matter experts describing last year’s attack on MedStar, steps we can take to prevent and mitigate attacks, and what the federal government is doing to address cybersecurity. The Cybersecurity and Information Sharing Topic Collections (https://asprtracie.hhs.gov/technical-resources/80/information-sharing-partners-and-employees/77) include annotated resources reviewed and approved by a variety of subject matter experts.

How to request an unauthenticated scan of your public IP addresses from DHS

The US-CERT’s National Cybersecurity Assessment & Technical Services (NCATS) provides integrated threat intelligence and an objective third-party perspective on the current cybersecurity posture of the stakeholder’s unclassified operational/business networks.

– NCATS focuses on increasing the general health and wellness of the cyber perimeter by broadly assessing for all known external vulnerabilities and configuration errors on a persistent basis, enabling proactive mitigation prior to exploitation by malicious third parties to reduce risk.

– Attributable data is not shared or disseminated outside of DHS or beyond the stakeholder; non-attributable data is used to enhance situational awareness.

– NCATS security services are available at no-cost to stakeholders. For more information please contact NCATS_INFO@hq.dhs.gov

If you are the victim of ransomware or have cyber threat indicators to share

If your organization is the victim of a ransomware attack, please contact law enforcement immediately.

– Contact your FBI Field Office Cyber Task Force immediately to report a ransomware event and request assistance. These professionals work with state and local law enforcement and other federal and international partners to pursue cyber criminals globally and to assist victims of cyber-crime.
– Report cyber incidents to the US-CERT and the FBI’s Internet Crime Complaint Center.
– For further analysis and healthcare-specific indicator sharing, please also share these indicators with HHS’ Healthcare Cybersecurity and Communications Integration Center (HCCIC) at HCCIC_RM@hhs.gov