Siemens Device Vulnerabilities: How to Update Your Medical Devices

After the WannaCry outbreak heard ‘round the world, Siemens is working to bolster the security of its medical products.

Practical TIP: If your healthcare practice is using Siemens products, review the notes and advisories below to ensure your devices aren’t left vulnerable to attack.

Siemens Background

Headquartered in Munich, Germany, Siemens specializes in products and devices for medical imaging, which are used globally across the healthcare sector.

Siemens Updates

The well-documented WannaCry ransomware attack leveraged a vulnerability in Microsoft’s Server Message Block (SMBv1) protocol. Siemens noted this might impact some of their products and has provided important updates below:

  • This bulletin provides an overview and list of Siemens Healthineers products that can be patched with the Microsoft SMBv1 updates.
  • This security advisory highlights select Laboratory Diagnostics products affected by the SMBv1 vulnerabilities.
    • Siemens notes solutions have been developed for the affected products listed, which are available via customer support.
  • This security advisory from Siemens details certain Molecular Imaging products affected by vulnerabilities in Microsoft Windows 7 and HP Client Automation.
    • The advisory lists the vulnerabilities and provides recommended solutions.
    • For more information on these vulnerabilities in the Molecular Imaging products, review the report from ICS-CERT.

Siemens is preparing updates for the affected products and recommends protecting network access to the Molecular Imaging products with appropriate mechanisms.

Siemens Advice

Run the devices in a dedicated network segment and protected IT environment.

If this is not possible, Siemens recommends the following:

  • If patient safety and treatment is not at risk, disconnect the product from the network and use in standalone mode.
  • Reconnect the product only after the provided patch or remediation is installed on the system.
    • Siemens is able to patch systems capable of Remote Update Handling (RUH) much faster by remote software distribution compared to onsite visits.
    • Siemens recommends that users of RUH-capable equipment first clarify patch availability and the remaining risk in their local customer network with the Siemens Customer Care Center, and then reconnect the systems so that patches can be received as quickly as possible via RUH.
    • This ensures smooth and fast receipt of updates and therefore supports reestablishment of system operations.

IRS Warns Tax Professionals of New Scam to Steal Passwords

[This alert highlights a new phishing email campaign targeting tax professionals during a vulnerable time of year – when many software providers issue upgrades and when tax professionals are pushing to meet the October 15 deadline for tax extensions.

This alert comes from the combined efforts of the IRS, state tax agencies, and the tax industry acting as the Security Summit.]

Security Summit Alert

The Internal Revenue Service, state tax agencies and the tax industry warned tax professionals to be alert to a new phishing email scam impersonating tax software providers and attempting to steal usernames and passwords.

This sophisticated scam yet again underscores the need for tax professionals to take strong security measures to protect their clients and protect their business. This is the time of year when many software providers issue software upgrades and when tax professionals are working to meet the Oct. 15 deadline for extension filers.

These types of phishing scams are why the IRS, state tax agencies and the tax industry, acting as the Security Summit, launched the 10-week Don’t Take the Bait campaign currently underway. This awareness effort highlights the many tactics of cybercriminals as well as the steps tax professionals can take to protect their clients and themselves.

This latest scam email variation comes with a subject line of “Software Support Update” and highlights an “Important Software System Upgrade.” It thanks recipients for continuing to trust the software provider to serve their tax preparation needs and mimics the software providers’ email templates.

The e-mail informs the recipients that due to a recent software upgrade, the preparer must revalidate their login credentials. It provides a link to a fictitious website that mirrors the software provider’s actual login page.

Instead of upgrading software, the tax professionals are providing their information to cybercriminals who use the stolen credentials to access the preparers’ accounts and to steal client information.

The Security Summit reminds tax professionals that software providers do not embed links into emails asking them to validate passwords. Also, tax professionals and taxpayers should never open a link or an attachment from a suspicious email.

Tax professionals can review additional tips to protect clients and themselves at Protect Your Clients, Protect Yourself on IRS.gov.

Tax professionals who receive emails purportedly from their tax software providers seeking login credentials should send those scam emails to their tax software provider.

For Windows users, follow this process to help the investigation of these scam emails:

  1. Use “Save As” to save the scam. Under “save as type” in the drop-down menu, select “plain text” and save to the desktop. Do not click on any links.
  2. Open a new email and attach this saved email as a file.
  3. Send a new email containing the attachment to the tax software provider, as well as a copy to Phishing@IRS.gov.
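
The saved scam email can also be checked mechanically before it is forwarded. The following is an added example, not IRS or Security Summit material: it parses a message with Python's standard library and flags the two tells the alert describes, a credential-revalidation pretext and a login link whose host is not the software provider's domain (including a link whose visible text names the real vendor while the href goes elsewhere). The vendor domain, both sample messages and every host name in them are constructed placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the legitimate software vendor's domain (placeholder, not a real vendor).
TRUSTED_PROVIDER_DOMAIN = "exampletax.example"

# Pretext phrases from the alert: a "revalidate your login" request is the tell.
CREDENTIAL_PHRASES = ("revalidate", "login credentials", "validate your password",
                      "verify your account")

# Constructed sample modelled on the scam: subject "Software Support Update",
# an upgrade pretext, and a link whose visible text names the vendor while the
# href points at a look-alike host. All domains are placeholders.
SCAM_EML = """\
From: "ExampleTax Support" <support@exampletax-support.example>
To: preparer@firm.example
Subject: Software Support Update
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Thank you for continuing to trust ExampleTax for your tax preparation needs.</p>
<p>Important Software System Upgrade: please revalidate your login credentials.</p>
<p><a href="http://exampletax.login-verify.example/auth">https://portal.exampletax.example/login</a></p>
</body></html>
"""

# Constructed benign release-notes mail from the real vendor domain, for contrast.
BENIGN_EML = """\
From: "ExampleTax" <noreply@exampletax.example>
To: preparer@firm.example
Subject: Release notes for the October update
Content-Type: text/html; charset="utf-8"

<html><body>
<p>The October update is available inside the application.</p>
<p><a href="https://www.exampletax.example/release-notes">Release notes</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def registrable_domain(host):
    """Crude 'last two labels' heuristic; a real filter should use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_under(host, domain):
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def analyze_message(raw, trusted_domain=TRUSTED_PROVIDER_DOMAIN):
    """Return the findings a mail filter would log for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    extractor = LinkExtractor()
    extractor.feed(body)

    findings = []
    asks_for_credentials = any(p in body.lower() for p in CREDENTIAL_PHRASES)

    sender = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    if sender is not None and not is_under(sender.domain, trusted_domain):
        findings.append(f"sender domain {sender.domain!r} is not under {trusted_domain!r}")

    for href, text in extractor.links:
        href_host = urlparse(href).hostname or ""
        if not is_under(href_host, trusted_domain):
            findings.append(f"link to {href_host!r} is not under {trusted_domain!r}")
        # Visible text that is itself a URL but names a different site than the href.
        text_host = urlparse(text).hostname if "://" in text else None
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append(f"link text shows {text_host!r} but href goes to {href_host!r}")
        if asks_for_credentials and not is_under(href_host, trusted_domain):
            findings.append("credential revalidation request paired with an off-domain link")

    return {"subject": str(msg["Subject"]), "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for name, raw in (("scam", SCAM_EML), ("benign", BENIGN_EML)):
        print(name, analyze_message(raw))
```

The allow-list of one trusted domain is deliberate: the alert's point is that the real provider never asks for a password through an emailed link, so anything off that domain that also carries the revalidation pretext deserves a finding rather than a score.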

Hovering Over the Link Leads to Malware

Most people are familiar with the commonly-held Internet myth… “Don’t click the link. Hover your mouse over and all will be fine.”

Thanks to the “PowerPoint Mouseover Based Downloader,” simply hovering over a malicious link is now all it takes for attackers to conquer your computer. No macros, JavaScript, or VBA needed.

Attack Details

This attack leverages Windows PowerShell and PowerPoint to execute.

Take your typical social engineering scenario where a user is sent an email with a PowerPoint attachment. Users who open the document are shown the text “Loading…Please wait” in the form of a familiar blue hyperlink:

Since we are all trained not to click on links we don’t know, the user chooses to hover over the link to see where the URL leads.

One ‘feature’ in PowerPoint is that it supports a hover event or action on links. So in this case, when a user hovers their mouse over the text, they are faced with the following screen:

Enabling the content executes PowerShell and the attackers win.

Dodge This Security explains how attackers leverage this for remote access to the computer:

“When that PowerShell is executed it reaches out to the domain “cccn.nl” for a c.php file and downloads it to disk as a file named “ii.jse” in the temp folder.

That gets executed in wscript.exe, which then drops a file named “168.gop”; the JavaScript then executes certutil.exe with the -decode parameter. certutil.exe then supplies 168.gop as the file to decode and saves it in the temp folder as “484.exe”.

Then “484.exe” is executed and it spawns mstsc.exe to allow RDP access to the system.

After this, 484.exe was observed being renamed and saved to AppData\Roaming\Microsoft\Internet Explorer\sectcms.exe by mstsc.exe, and then it gets re-executed from the new location.

A .bat file was observed being written to disk then executed in cmd.exe. The purpose of this bat file appears to have been to change the attributes of the sectcms.exe program to be hidden, marked as a system file and set as read only.

It also deletes any of the files with the following extensions in the temp folder .txt/.exe/.gop/.log/.jse to get rid of any obvious tracks left behind.”
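
Each step of the chain quoted above is visible in ordinary process-creation telemetry (parent process, image path, command line), which is what a detection engineer would build on. The following is an added example, not code from Dodge This Security or from this post: it runs a handful of parent/child rules over constructed process events that mirror the quoted chain (PowerPoint spawning PowerShell, wscript.exe spawning certutil.exe with -decode into the temp folder, a binary in a user-writable folder launching mstsc.exe, execution from AppData\Roaming), and it includes a benign certutil decode so the rules can be seen not to fire on it. The file names come from the write-up; the PIDs, user paths and command lines are constructed.

```python
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, as an EDR or Sysmon-style log would supply it."""
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str


# Constructed events mirroring the quoted chain; PIDs and the user profile path
# are placeholders, file names are the ones named in the write-up.
EVENTS = [
    ProcEvent(100, 1, r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE", "POWERPNT.EXE invoice.ppsx"),
    ProcEvent(101, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -WindowStyle Hidden -Command <downloader stage, placeholder>"),
    ProcEvent(102, 101, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\u\AppData\Local\Temp\ii.jse"),
    ProcEvent(103, 102, r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -decode C:\Users\u\AppData\Local\Temp\168.gop C:\Users\u\AppData\Local\Temp\484.exe"),
    ProcEvent(104, 102, r"C:\Users\u\AppData\Local\Temp\484.exe", "484.exe"),
    ProcEvent(105, 104, r"C:\Windows\System32\mstsc.exe", "mstsc.exe"),
    ProcEvent(106, 105, r"C:\Users\u\AppData\Roaming\Microsoft\Internet Explorer\sectcms.exe", "sectcms.exe"),
    # Benign control: an administrator decoding a certificate from a console session.
    ProcEvent(200, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(201, 200, r"C:\Windows\System32\certutil.exe", r"certutil.exe -decode C:\certs\cert.b64 C:\certs\cert.cer"),
]

OFFICE_APPS = {"powerpnt.exe", "winword.exe", "excel.exe"}
SCRIPT_RUNNERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")


def base(image):
    return ntpath.basename(image).lower()


def in_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


# Each rule sees the event and its parent (None if the parent was not logged).
def rule_office_spawns_script_host(ev, parent):
    return parent is not None and base(parent.image) in OFFICE_APPS and base(ev.image) in SCRIPT_RUNNERS


def rule_script_host_spawns_certutil(ev, parent):
    return parent is not None and base(parent.image) in SCRIPT_HOSTS and base(ev.image) == "certutil.exe"


def rule_certutil_decode_in_temp(ev, parent):
    c = ev.cmdline.lower()
    return base(ev.image) == "certutil.exe" and "-decode" in c and in_user_writable(c)


def rule_exec_from_user_writable(ev, parent):
    return in_user_writable(ev.image)


def rule_user_writable_binary_spawns_rdp(ev, parent):
    return parent is not None and base(ev.image) == "mstsc.exe" and in_user_writable(parent.image)


RULES = [rule_office_spawns_script_host, rule_script_host_spawns_certutil,
         rule_certutil_decode_in_temp, rule_exec_from_user_writable,
         rule_user_writable_binary_spawns_rdp]


def ancestry(by_pid, ev):
    """Walk the parent links so an analyst sees the chain back to the Office app."""
    chain, seen, cur = [base(ev.image)], {ev.pid}, ev
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(base(cur.image))
    return " <- ".join(chain)


def detect(events):
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        for rule in RULES:
            if rule(ev, parent):
                alerts.append({"pid": ev.pid, "rule": rule.__name__, "chain": ancestry(by_pid, ev)})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

The certutil rule keys on a decode whose arguments sit in a user-writable folder rather than on certutil.exe alone, which is why the administrator's decode under C:\certs stays quiet; the ancestry string is what turns five separate hits into one incident rooted at POWERPNT.EXE.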

What can you do to protect yourself?

The typical “patch” solution is not applicable in this case because the issue is not a bug… it’s a PowerPoint feature.

Instead, IT admins can start by updating Office installations on all endpoints. From there, implementing a group policy is the next line of defense: through the policy, ensure all Office documents always open in Protected View by default. Then raise awareness by notifying end users of the attack and what to look for.

Users should already be wary about opening Office documents as attachments in emails. And if they do, they should use extra caution before leaving protected mode.

W-2 Phishing Scams Are Back With New Tricks

It’s that time of year again to start thinking about taxes. At the very least, cyber criminals have tax time circled on their calendar once again. This is the perfect time for them to send their scam emails to HR departments posing as the CEO to request W-2 forms and information.

W-2 Phishing Scam

W-2 phishing attacks are typical at this time of year, during tax season. W-2 forms and records hold a treasure trove of information that cyber criminals dream about: names, addresses, Social Security numbers, wages, etc.

Cyber criminals use this information to commit tax fraud and file fake tax return requests to steal the victim’s refund. W-2 information also makes its way onto the dark web, usually selling for anywhere between $4 and $20 per record.

The typical scenario for this type of attack looks similar to business email compromise or CEO fraud. Phishers compromise or spoof the email of a company’s executive, most likely the CEO. They then turn to the HR or payroll department and request that W-2 data be compiled in a file and emailed immediately.

The IRS shares some of the common language to beware of from these scam emails:

  • Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (Name, Social Security Number, Date of Birth, Home Address, Salary).
  • I want you to send me the list of W-2 copy of employees’ wage and tax statement for 2016, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me asap.
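
The two halves of this scam, an executive's name on an address that is not the executive's, and a request for payroll data in the wording quoted above, can be checked together at the mail gateway. The following is an added example rather than IRS material: it uses Python's standard library to compare the From display name against a small directory of executives, checks the sender domain and any Reply-To, and scores the subject and body against patterns distilled from the three IRS phrases. The corporate domain, the directory entry and both sample messages are constructed placeholders.

```python
import email
import re
from email import policy

# Assumed: the organisation's own domain and one directory entry for an executive.
CORPORATE_DOMAIN = "company.example"
EXECUTIVES = {"jane doe": "jane.doe@company.example"}

# Request language reduced to patterns from the IRS examples quoted above.
W2_PATTERNS = [
    r"\bw-?2\b",
    r"social security number",
    r"earnings summary",
    r"wage and tax statement",
    r"full details",
    r"\bpdf\b",
    r"\basap\b|immediately|quick review",
]

# Constructed scam: the CEO's display name on a look-alike domain, a free-mail
# Reply-To, and a body lifted from the first IRS example.
W2_SCAM_EML = """\
From: "Jane Doe" <jane.doe@company-ceo.example>
Reply-To: jane.doe.ceo@webmail.example
To: payroll@company.example
Subject: W-2 copies needed
Content-Type: text/plain; charset="utf-8"

Kindly send me the individual 2016 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review. I need them asap.
"""

# Constructed benign mail from the real executive address about something else.
W2_BENIGN_EML = """\
From: "Jane Doe" <jane.doe@company.example>
To: payroll@company.example
Subject: Q1 all-hands agenda
Content-Type: text/plain; charset="utf-8"

Please add the benefits update to the agenda and send the deck as a PDF.
"""


def sender_checks(msg):
    """Sender anomalies: impersonated display name, external domain, diverted replies."""
    findings = []
    frm = msg["From"].addresses[0] if msg["From"] and msg["From"].addresses else None
    if frm is None:
        return ["missing From header"]
    name = frm.display_name.strip().lower()
    if name in EXECUTIVES and frm.addr_spec.lower() != EXECUTIVES[name]:
        findings.append(f"display name {frm.display_name!r} but address {frm.addr_spec!r} is not the directory entry")
    if frm.domain.lower() != CORPORATE_DOMAIN:
        findings.append(f"external sender domain {frm.domain!r}")
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses and reply_to.addresses[0].addr_spec.lower() != frm.addr_spec.lower():
        findings.append(f"Reply-To {reply_to.addresses[0].addr_spec!r} differs from From")
    return findings


def content_hits(text):
    """Which of the W-2 request patterns appear in the subject and body."""
    t = text.lower()
    return [p for p in W2_PATTERNS if re.search(p, t)]


def assess(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    text = body_part.get_content() if body_part else ""
    sender = sender_checks(msg)
    hits = content_hits(str(msg["Subject"] or "") + "\n" + text)
    # Escalate only when a payroll-data request and a sender anomaly coincide;
    # a genuine internal W-2 discussion should not page the SOC by itself.
    flag = bool(sender) and len(hits) >= 2
    return {"flag": flag, "sender_findings": sender, "content_hits": hits}


if __name__ == "__main__":
    print(assess(W2_SCAM_EML))
    print(assess(W2_BENIGN_EML))
```

Flagging on the conjunction rather than on either signal alone is the point: HR legitimately discusses W-2s all season, and executives legitimately send from their own address, so it is the combination of impersonation and a bulk payroll-data request that should route the message to a reviewer before anyone replies.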

Victims of tax return fraud usually learn of the crime after having their returns rejected due to the fraudsters filing before them.

IRS Alert

The IRS issued an urgent alert regarding these types of scams, noting cyber criminals are starting to combine the W-2 phishing scam with wire transfer fraud.

From the criminal’s perspective … why not? Once the HR department sends over the W-2 data requested, the phishers will email the payroll or finance department asking for a wire transfer to be completed.

The IRS notes that the range of targets for these attacks is only increasing. Phishers are targeting school districts, healthcare organizations, chain restaurants, staffing agencies, and non-profits.

Best Practices

Organizations need to make special reminders and educate the HR department to be on the lookout for any requests for W-2 information or other fraudulent requests. If any employee suspects a fraudulent request, ensure they are reporting it to the proper person in your organization immediately.

The IRS asks that organizations receiving a W-2 scam email forward it to phishing@irs.gov and put ‘W2 Scam’ in the subject line.

From an administrative standpoint, organizations need to enforce policies against sharing sensitive data – including W-2 forms – via unencrypted email. Remind employees of these policies and that the CEO should never request this type of information via email. And lastly, before sending any W-2 information, make sure your employees verify the legitimacy of the email with the sender by phone call (to a known number) or in person.

Ransomware Ramping Up

The new trend for cybercrime appears to be ransomware. Attackers gain access to a user’s documents and files and proceed to encrypt them so the user can no longer access the information. The user is usually presented with a message requesting a Bitcoin ransom in exchange for the key to unlock the files.

CryptoWall

Probably the most common form of ransomware is CryptoWall. In the 18 months since it was first discovered, CryptoWall has been responsible for around $325 million in ransom payments. The group behind the successful ransomware released version 4 with some upgraded features.

The new version has improved command-and-control communications, and scrambled filenames to keep victims from identifying the encrypted files. Along with the technical upgrades, the ransom demands have increased. The default payment used to be $300, but has since bumped up to $700 – and doubles after one week.

This diagram shows the life cycle of a CryptoWall attack:

Source: Cyber Threat Alliance

Chimera

A new ransomware called Chimera has burst onto the scene. The attack starts with an email offering fake job applications and business offers. The emails come with a link to Dropbox where the recipient is supposed to download files for the job.

The files are really the Chimera ransomware and if the file is executed, it begins encrypting all local files and files stored in devices connected to the network. The warning message demanding $700 to decrypt the data appears after the computer reboots.

Best Practices

The common advice is to never pay the attackers the requested ransom. There is no guarantee that the attackers will share the key to unlock the data after the ransom is paid. Rather, businesses should maintain a set of backups for their sensitive data. In the event of a ransomware attack, the business can restore the unencrypted backup version.

It’s also recommended to keep backup devices disconnected from the network until they are needed for backup or restoration. PCWorld released a guide showing Windows users how to use the backup features in the OS.

A recent horror story happened when ProtonMail paid the $6,000 ransom to get access to their website back after attackers took over. However, after the ransom was paid, the attackers hit the company with the threatened DDoS attack anyway.

Additional Resources

For more information about data breaches, ePlace Solutions is hosting a free webinar on the lessons learned from data breaches over the past 10 years on Wednesday, December 9th, at 10:30 AM PT / 1:30 PM ET. Register and share with others in your organization!

  • Event ID: 2015
  • Event Password: 9870

Remote Access Attack Alert

The Financial Services Information Sharing and Analysis Center (FS-ISAC) released an alert providing threat intelligence for retailers in the area of remote access attacks waged against smaller merchants.

Charles Bretz, director of payment risk at the FS-ISAC, spoke about the shift of attacks towards smaller retailers in an interview with Information Security Media Group. Part of the reason is that these retailers use common IT and payment systems whose managed service providers rely on remote access to the point of sale systems for maintenance and repair. In many instances, hackers gain remote access to the retailers because multifactor authentication is not required for remote login and because the retailer never changed the default passwords.

With larger organizations implementing more comprehensive security solutions such as end-to-end encryption, tokenization, or EMV compliant point of sale terminals, the trend is moving towards attacks on smaller retailers. Merchants should review the FS-ISAC alert and take note of the simple network controls to protect customer data. Some of these include:

  • Reset default passwords for vendor supplied equipment.
  • Do not use point of sale terminals for Internet surfing, checking email, accessing social media, etc.
  • Implement multifactor authentication for all remote access operations.

Hack of Hacking Team Leads to New Flash Player Malware Alert

Ironically, Hacking Team, an Italy-based company that provides intrusion and surveillance tools to governments and law enforcement agencies, is among recent hacking victims. The attackers were able to extract 400 GB of data and are now leaking details about the company’s clients. The attack may have been facilitated by poor password standards within Hacking Team, as the leaked information revealed passwords like “Password!” or “Pas$word”.

Hacking Team’s reputation was already in question for selling their “spy tools” to oppressive governments, but now researchers are also finding vulnerabilities and exploits among the leaked data. The most concerning is a zero-day Flash vulnerability that the Hacking Team called “the most beautiful Flash bug for the last four years.” Anti-virus firm Symantec has tested and confirmed the malware.

According to a recent Symantec blog, “Since details of the vulnerability are now publicly available, it is likely attackers will move quickly to exploit it before a patch is issued.” The vulnerability is active on the latest version of Adobe Flash Player (18.0.0.204) and exploiting it could cause a crash and allow an attacker to gain control of the affected device.

What To Do

A patch is now available in Adobe Flash Player (18.0.0.209). Visit the Adobe Security Bulletin for information and download links to the updated versions.

Even better, users concerned with this issue are strongly encouraged to remove Flash Player altogether, or temporarily disable Flash Player in their browser by following these steps:

Internet Explorer versions 10 & 11

  1. Open Internet Explorer browser
  2. Click on the “Tools” menu, and click “Manage add-ons”
  3. Under “Show” select “All add-ons”
  4. Select “Shockwave Flash Object” and then click on the “Disable” button
  5. You can enable Adobe Flash Player using the same process

Firefox

  1. Open Firefox browser
  2. Open the browser menu and click “Add-ons”
  3. Select the “Plugins” tab
  4. Select “Shockwave Flash” and click “Disable”
  5. You can enable Adobe Flash Player using the same process

Chrome

  1. Type “chrome://plugins” in the address bar to open the page
  2. On the plug-ins page, find the “Flash” listing
  3. To disable Adobe Flash Player completely, click on the “Disable” link under its name
  4. You can enable Adobe Flash Player using the same process

CryptoWall Just Won’t Go Away – Another Ransomware Alert

The Internet Crime Complaint Center (IC3) has issued an alert warning that U.S. individuals and businesses are still at risk of CryptoWall ransomware fraud. Scam operators use ransomware—a type of malicious software—to infect a device and restrict access until a ransom fee is paid.

US-CERT encourages users and administrators to review the IC3 Alert for details and refer to the US-CERT Alert TA-295A for information on crypto ransomware.

The CryptoWall threat isn’t new. But it’s spreading again and should be on the radar. Antivirus software, firewalls, popup blockers, and data backups are all tools to help mitigate the risk of being a ransomware victim. Individuals and organizations that are affected by CryptoWall are discouraged from paying the ransom. There are no guarantees the files will be released.

IC3 Alert: University Employee Payroll Scam

The Internet Crime Complaint Center (IC3) issued an alert regarding a spear phishing scam targeting university employees. The fraudulent email urges employees to log on to a website to review human resource changes. The attacker uses the login information entered to sign into the employee’s official human resource account and change the direct deposit information.

The IC3 alert should be referenced for more details.