• Cybercrime
  • Does spambot Onliner have your email address?

    It’s described as the largest spambot. ZDNet has a report about the finding by Benkow, a cyber-security researcher in Paris, who discovered an open and accessible web server hosted in the Netherlands which stores dozens of text files. They contain 711 million email addresses, passwords and server login information, and 80 million email servers used to send spam. The credentials came from other data breaches, such as the LinkedIn and Badoo hacks.

    The malevolent goal is to send email spam through legitimate servers so it defeats many spam filters. Onliner delivers Ursnif banking malware into inboxes globally. Ursnif is a Trojan. It steals data such as login details, passwords and credit card data. A spammer sends a dropper file as a normal-looking email attachment. When it’s opened, the malware downloads from a server and infects the machine. Spamming is still an effective way to deliver malware, but email filters are becoming smarter, with many spamming domains blacklisted.

    There have been over 100,000 unique infections up to the end of August 2017. Cyber-attackers need large lists of Simple Mail Transfer Protocol (SMTP) credentials that authenticate them so they can send bogus emails that look legitimate and by-pass spam filters. The more servers they find, the bigger the campaign.

    When bogus emails are opened, they send back to the cyber-crooks the IP address and user-agent information, which identifies the type of computer, operating system and other details about the device. Cyber-attackers use this to identify who to target with Ursnif. They specifically target Windows computers. iPhone or Android users aren't affected by the malware.

    Focused hacking instead of scatter bombing reduces the malevolent campaign’s cyber-noise. It can help to slow down responses from law enforcement agencies. 

    Benkow’s discovery re-emphasises the need for Africa’s eHealth programmes to train, then train again and again, health workers in cyber-security. It’s an essential component of the constant cyber-security response.

  • Do these 7 steps help you defend against cyber-security breaches?

    Cyber-security breaches are inevitable. Maximising cyber-security can minimise them, but can’t eliminate the risk entirely, so effective responses are essential. 7 Ways to Improve Your Security Incident Response, a white paper from Rsam, which specialises in governance, risk and compliance, aims to help. In summary, the seven ways are:

    • Integrate with Security Information and Event Management (SIEM) products, services, technology and teams that provide real-time analyses of security alerts generated by network hardware and applications, and ensure the right data reaches the incident response team promptly
    • Prioritise incidents using SIEMs and end users, and inform decision-makers by highlighting incidents in dashboards derived from calculated values such as priority or severity
    • Leverage threat and vulnerability data from a central repository of security operations, including threats, vulnerabilities, incidents, patch management, asset management and other data sources, and provide incident handlers with real-time views
    • Standardise playbooks and configure automated dynamic rules to address unique handling requirements and criteria, to help avoid mistakes in high-stress situations
    • Automate responses for repeatable, measurable and auditable response tasks
    • Enable collaboration so everyone working on an incident has a single view into activities
    • Share real-time dashboards to leverage incident and event data.

    These can help to avoid four causes of inappropriate responses:

    • Lack of process maturity
    • Poor data quality and availability
    • Unsatisfactory toolsets
    • Changing policies and disparate teams.

    The seven steps comprise a platform that can overcome these limitations. They offer Africa’s eHealth programmes a way to step up their responses to cyber-security breaches.


    Are you interested in reading more about the implications for African health systems? Download Acfee's paper on Cyber-security: themes for Africa's eHealth.

  • All-Wi-Fi standard has a cyber-security vulnerability

    A serious weakness has been found in Wi-Fi networks. Mathy Vanhoef of imec-DistriNet at KU Leuven found it. The paper on Krackattacks says WPA2, a security protocol, can be exploited by cyber-criminals using key reinstallation attacks (KRACK) within victims’ range. Once in, they can read information assumed to be encrypted, and steal sensitive information such as credit card numbers, passwords, chat messages, emails and photos.

    Attacks succeed against all modern protected Wi-Fi networks. Depending on the network configuration, data can be injected and manipulated, so ransomware and other malware could be injected into websites.

    The weaknesses are in the Wi-Fi standard itself, not in individual products or implementations, so any correct WPA2 implementation is likely to be affected. Prevention needs users to update affected products when security updates are available. If a device supports Wi-Fi, it’s probably affected.

    Vanhoef’s initial research found that Android, Linux, Apple, Windows, OpenBSD, MediaTek and Linksys are affected by variants of the attack. A proof-of-concept executed a key reinstallation attack against an Android smartphone. The key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher, which can be tricked into reinstalling an all-zero encryption key, so attackers could easily decrypt all data transmitted by those victims.

    While it is harder to decrypt all packets from other devices, large numbers of packets can still be decrypted. A demonstration in Vanhoef’s paper shows the type of information that a cyber-attacker can access using key reinstallation attacks.

    Africa’s eHealth programmes need to seek and install patches and updates from their vendors. The findings show, yet again, a cyber-world full of holes, many of which may still be unidentified. Constant vigilance is essential. As participants at Acfee’s recent eHealthAFRO 2017 said, cyber-security is everyone’s business.  

  • Cyber-threats keep evolving

    Cyber-criminals have sent millions of fraudulent emails as crude, random attacks, hoping to trick people into revealing their personal or financial information. As organisations and people worked out how not to respond, cyber-criminals began switching to bespoke targeted attacks. These use advance reconnaissance, research and testing, and specialised knowledge and details about targets, to try to by-pass defences and penetrate organisations’ networks. They’re more lucrative than random cyber-attacks.

    Trend Micro, a global cyber-security firm, has published a white paper available through Health IT Security. Navigating the evolving threat landscape with a more complete approach to network security deals with:

    • How targeted attacks change network security landscapes
    • Responding to increasingly complex threats
    • A cross-generational approach to network security
    • Security fuelled by market-leading global threat intelligence
    • Detection techniques comprising a smart network defence
    • Integration with other security solutions
    • Seamless threat intelligence sharing
    • Centralised visibility and control.

    Its findings from 264 organisations are alarming:

    • 80% had experienced a network-based attack or exploit
    • 90% had active command and control activity on their network
    • 65% had been infected by zero-day or unknown malware
    • 17% were being actively breached.

    Zero-day vulnerability is an important concept in cyber-security. It’s an undisclosed software vulnerability that cyber-criminals and other hackers can exploit to disrupt computer programs, data, additional computers and networks.

    An effective response, Trend Micro says, has to be “smart, optimized and connected.” Part of this is sophisticated cyber-security tools that operate alongside existing platforms and applications. Rigorous integration and interoperability ensure a stronger defence. These other technologies include:

    • Security Information and Event Management (SIEM)
    • Vulnerability assessment and management
    • Application security
    • Next-generation firewalls
    • Breach detection
    • Visibility and enforcement of Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL), including encryption
    • Software-defined networking and the cloud
    • Network Packet Brokers (NPB) that optimise incident analyses by enabling ICT and security services to acquire situational awareness and security intelligence about intrusion and extrusion incidents, enabling faster incident responses
    • Incident response automation.

    Africa’s health systems should consider enhanced cyber-security as part of their eHealth strategies. Its affordability can be measured against the estimated costs of cyber-security breaches.

  • Bitpaymer’s offspring disrupts hospitals

    A variant of Bitpaymer ransomware has been breaching hospitals’ ICT. It has hit Scotland’s Lanarkshire Trust, previously breached earlier this year by WannaCry, as reported on eHNA. Some operations were cancelled, GPs’ work was disrupted and patients were asked to attend Accident and Emergency only if their needs were essential. ZDNet has a report saying systems were taken offline. The perpetrators say they’ve gathered "private sensitive data."

    Unlike most hacks, which prefer to be covert, ransomware makes contact with users to ask for a ransom in return for a decryption key. The ransom request was very high, some 50 bitcoins, about £168,000 or US$218,000. Failure to pay may result in the cyber-crooks sharing the data they’ve acquired.

    ZDNet has a short ransomware guide, Ransomware: An executive guide to one of the biggest menaces on the web. Remove All Threats has a guide on removing Bitpaymer, and Protect PC Health has a guide too. Both are for PCs.

  • IBM’s cyber-threat index shows it’s increasing

    eHNA’s covered many cyber-threats reports. The IBM X-Force Threat Intelligence Index 2017 puts them into perspective. It’s not good. It sees 2016 as a defining year for cyber-security.

    Three themes are Distributed Denial of Service (DDoS) attacks, huge numbers of records leaked through data breaches and a step up by organised cyber-crime against businesses. Over four billion records were leaked, more than the combined total for 2014 and 2015.

    The mega breach was redefined, with one source leaking over 1.5 billion records. The average number of cyber-security events for IBM® X-Force®’s clients exceeded 54 million, 3% up on 2015. An event is illicit activity on a system or network detected by a security device or application.

    Attacks are security events classified by correlation and analytics tools as malicious activity attempting to collect, disrupt, deny, degrade or destroy information system resources or the information they hold. X-Force found an average of 1,019 attacks, a 12% decrease compared to 1,157 attacks in 2015.

    Incidents are security events worthy of further investigation by IBM security analysts. It’s better news. Average incidents were down to 94 in 2016, a 48% drop from 2015’s 178. This doesn’t automatically mean cyber-security’s safer. It may be that cyber-attackers rely more on proven attacks that need fewer attempts. It’s also inconsistent with the combination of huge record leaks and a record year of vulnerability disclosures.

    There were many notable leaks in 2016 involving hundreds of gigabytes of email archives, documents, intellectual property and source code. They exposed organisations’ digital footprints. Previous data breaches were often fixed sets of structured information. Examples are credit card data, passwords, national ID numbers and Personal Health Information (PHI) data. This is a paradigm shift.

    X-Force’s report profiles a range of cyber-attack methods. They’re:

    • Cross-Site Scripting (XSS)
    • Physical access
    • Brute force
    • Misconfiguration
    • Malvertising
    • Watering hole
    • Phishing
    • Structured Query Language Injection (SQLi)
    • DDoS
    • Malware
    • Heartbleed.

    The analysis and overview are extremely valuable for Africa’s health executive and ICT teams. Web application vulnerability disclosures made up 22% of all vulnerability disclosures in 2016. Injecting unexpected items to manipulate data structures made up 74% of all cyber-attacks. These are a few of the priorities.

  • WannaCry and NotPetya don’t need eHealth users

    Africa’s health systems need to match ransomware attackers’ sophistication. Neither WannaCry nor NotPetya, the latest types of attack, relies on files and users’ clicks to open email attachments. Instead, they seek system vulnerabilities to gain access and spread across networks. Barkly, a cyber-security firm, describes it as misusing legitimate system tools and processes. Unlike previous methods of using suspicious executables, the new wave can avoid scrutiny from some cyber-security products. A Barkly video shows how they work.

    Its solution includes:

    • Learn how cyber-attackers exploit tools to spread ransomware without files and interaction instead of phishing emails
    • Know why attacks that don’t use interaction are becoming more popular, with two thirds of ransomware in Q1 2017 using the Remote Desktop Protocol (RDP) from Microsoft
    • Test your security against fileless attack scenarios using a malware simulation tool.


    This approach may help Africa’s eHealth programmes to step up their cyber-security measures for ransomware. Simulation’s better than dealing with a ransomware aftermath.

  • Is NotPetya a shift in ransomware’s goals?

    After WannaCry came NotPetya. A report from Forbes says it’s not typical ransomware that aims to make illicit money. It describes it as more devastating. It can inflict permanent damage on data and hard drives.

    The Grugq, a research outfit, says NotPetya looks like Petya ransomware. There’s code sharing, but Petya was a criminal, money-making enterprise. NotPetya’s designed to spread fast and cause damage under a plausible ransomware front. The Grugq says it was a direct attack on Ukraine.

    It spread to organisations globally, so what does it mean for Africa’s eHealth? First, it could be collateral damage from an offensive cyber-attack on another country. Next, it emphasises the need for regular backups not connected to the eHealth networks. Third, it’s vital to keep systems, anti-virus and cyber-security services up to date with the latest upgrades and updates.

    As a shift in emphasis for ransomware, NotPetya means that cyber-security measures and performance have to be increasingly effective and vigilant. It looks like there’s more and worse to come. 

  • Symantec’s issued advice about WannaCry

    Now that the dust from WannaCry has receded, though it may not yet have settled, more information’s emerging. It’s an important part of Africa’s eHealth programmes’ build-up of cyber-security defences.

    Symantec, the cyber-security firm, says it’s confident it can beat WannaCry. The virulent ransomware strain has breached hundreds of thousands of computers worldwide since it emerged on 12 May 2017. It’s much more dangerous than other ransomware types because it can spread rapidly across organisations’ networks by exploiting vulnerabilities in Windows systems that have not applied Microsoft’s MS17-010 patch from March 2017. The exploit, EternalBlue, was released online in April as part of a series of leaks by the Shadow Brokers group, which claimed it stole the data from the Equation cyber-espionage group.

    WannaCry searches for and encrypts 176 different file types, and appends .WCRY to the end of file names. It then asks users to pay a US$300 ransom in bitcoins. The ransom note says the amount will double after three days. If payment’s not made after seven days, it says the encrypted files will be deleted. Despite this, Symantec hasn’t found any code in the ransomware which would cause files to be deleted. Symantec does not recommend paying the ransom.

    Decrypting encrypted files isn’t possible yet. Symantec’s researchers are investigating the possibility. If you have backup copies of affected files, you may be able to restore them.

    Symantec’s identified two possible links loosely connecting WannaCry ransomware and the Lazarus Group. The shared code between Lazarus tools and the WannaCry ransomware is a Transport Layer Security (TLS) implementation, the successor to Secure Sockets Layer (SSL), a protocol that uses encryption to secure data sent over the Internet. Symantec sees this as justifying further investigation.

    Some files may be recovered without backups. Files saved on Desktop, My Documents or removable drives are encrypted and their original copies wiped, so they are not recoverable. Files stored elsewhere are encrypted and their original copies deleted, so they could be recovered using an undelete tool.

    Symantec and Norton customers are protected against WannaCry by a combination of technologies. Proactive protection was provided by:

    • IPS network-based protection
    • SONAR behaviour detection
    • Advanced Machine Learning (AML)
    • Intelligent Threat Cloud (ITC).

    Customers should have these technologies enabled for full proactive protection. Symantec Endpoint Protection (SEP) customers are advised to migrate to SEP 14 to take full advantage of AML signatures.


  • A checklist can help combat ransomware

    As ransomware ratchets up as a cyber-security threat, extra and effective vigilance is essential. WannaCry, reported on eHNA, shows how it’s a bigger risk and priority. A ransomware checklist and kit, part of a seven-file download from Sophos, a cyber-security firm, provides timely advice. It has two main parts, essential technologies and best cyber-security practices. These are valuable for Africa’s eHealth.

    There are two main types of ransomware attack. One’s a plausible-looking, booby-trapped email with a malicious attachment. The other’s from a compromised website. Both download ransomware when users click on links, and it then works its way to endpoints and servers. It seems that WannaCry stepped this up. It scans and hunts for vulnerabilities and includes a worm that extends across networks.

    If ransomware reaches endpoints and servers, it’s essential it’s blocked and removed promptly. This may need tools. An example’s CryptoGuard Technology. Solutions must:

    • Complement existing cyber-security
    • Block processes trying to make unauthorised changes to data
    • Work against local and remote encryption
    • Automatically undo changes to avoid data loss
    • Prevent exploits by stopping ransomware exploiting weaknesses in other software products.

    Host Intrusion Prevention Systems (HIPS) with behaviour and file analytics are important too. Tech Support Alert describes HIPS as a program that alerts users to malware, such as a virus trying to run on their computers, or that an unauthorised user such as a hacker may have accessed them. It achieves this by examining files’ components and structures for malicious elements and seeking code trying to modify registries.

    Other cyber-security technologies include: 

    • Web security scans checking web content for ransomware code
    • Malicious Traffic Detection (MTD) looking for traffic to ransomware command and control servers, then blocking it when it’s found
    • Application control that restricts the applications allowed to run
    • Blocking Wscript, often used by ransomware
    • Application whitelisting to establish a default deny policy on servers so only trusted applications can run, preventing ransomware gaining a foothold
    • Stopping email threats using defences that block ransomware emails
    • Time-of-click protection that stops users clicking on links to websites hosting ransomware, even if they were safe when they entered inboxes
    • Cloud-sandboxing to find zero-day threats that exploit unknown vulnerabilities by rigorously testing files in safe environments before users run them
    • Web gateways that block web-borne ransomware before it reaches users’ endpoints, such as:

    o   URL filtering that blocks websites hosting ransomware and stops ransomware communicating with its command and control servers

    o   Web filtering enforcing strict controls on ransomware file types, stopping them downloading

     Sophos’s nine best cyber-security practices are:

    • Back up regularly and keep recent backup copies off-line and off-site to minimise data loss
    • Enable file extensions to help identify unusual file types, such as JavaScript
    • Open JavaScript files in Notepad because it blocks them from running malicious scripts
    • Don’t enable macros in document attachments in emails because many infections rely on turning macros on
    • Always be cautious about unsolicited attachments, and check with senders
    • Don’t have more login power than needed because admin rights may expand a local infection across networks
    • Consider installing the Microsoft Office viewers to see what documents look like without opening them in Word or Excel
    • Patch early and often so there are fewer holes for ransomware to exploit
    • Keep up to date with new security features in business applications.
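    The Wscript blocking item from the technology list and the file extension, Notepad and macro items from Sophos’s practices above, as an added PowerShell example for a Windows endpoint (not Sophos’s or the article’s code; it assumes an administrator session and an Office 16.0 registry path, which should be adjusted to the installed version):

```powershell
# Added example, not from the Sophos kit or the eHNA article. Run as administrator.
# Supports -WhatIf so the changes can be reviewed before they are applied.
[CmdletBinding(SupportsShouldProcess = $true)]
param()

# 1. Show file extensions in Explorer, so "invoice.pdf.js" is visible as a script.
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
if ($PSCmdlet.ShouldProcess($explorer, 'Set HideFileExt = 0')) {
    Set-ItemProperty -Path $explorer -Name HideFileExt -Value 0 -Type DWord
}

# 2. Disable Windows Script Host (wscript.exe and cscript.exe) machine-wide,
#    so script droppers that depend on it cannot run.
$wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
if ($PSCmdlet.ShouldProcess($wsh, 'Set Enabled = 0')) {
    if (-not (Test-Path $wsh)) { New-Item -Path $wsh -Force | Out-Null }
    Set-ItemProperty -Path $wsh -Name Enabled -Value 0 -Type DWord
}

# 3. Associate script file types with 'txtfile', the built-in ProgId that Notepad
#    handles, so double-clicking opens the text instead of executing it.
foreach ($ext in '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh') {
    if ($PSCmdlet.ShouldProcess($ext, 'Associate with txtfile (Notepad)')) {
        cmd.exe /c "assoc $ext=txtfile" | Out-Null
    }
}

# 4. Office macros: VBAWarnings = 4 disables all macros without notification.
#    The 16.0 path (Office 2016/365) is an assumption; change it to match the build.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Microsoft\Office\16.0\$app\Security"
    if ($PSCmdlet.ShouldProcess($key, 'Set VBAWarnings = 4')) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name VBAWarnings -Value 4 -Type DWord
    }
}

# Report the resulting values so the change can be audited.
[pscustomobject]@{
    HideFileExt = (Get-ItemProperty -Path $explorer).HideFileExt
    WSHEnabled  = (Get-ItemProperty -Path $wsh).Enabled
    JsAssoc     = (cmd.exe /c 'assoc .js' 2>$null)
    WordMacros  = (Get-ItemProperty -Path "HKCU:\Software\Microsoft\Office\16.0\Word\Security").VBAWarnings
}
```

    Step 2 also stops legitimate logon scripts that use WSH, so test it on a pilot group before a fleet-wide rollout.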

    These measures reveal the considerable range of activities needed for effective cyber-security. As threats become more sophisticated and effective, Africa’s eHealth needs to keep up with modern cyber-security.