• Cybercrime
  • IBM’s cyber-threat index shows it’s increasing

    eHNA has covered many cyber-threat reports. The IBM X-Force Threat Intelligence Index 2017 puts them into perspective. It’s not good. It sees 2016 as a defining year for cyber-security.

    Three themes are Distributed Denial of Service (DDoS) attacks, huge numbers of records leaked through data breaches, and a step up in organised cyber-crime against businesses. Over four billion records were leaked, more than the combined total for 2014 and 2015.

    Mega breach was redefined, with one source leaking over 1.5 billion records. The average number of security events per IBM® X-Force® client exceeded 54 million, 3% up on 2015. An event is illicit activity on a system or network detected by a security device or application.

    Attacks are security events classified by correlation and analytics tools as malicious activity attempting to collect, disrupt, deny, degrade or destroy information system resources or the information itself. X-Force found an average of 1,019 attacks per client, a 12% decrease from 1,157 in 2015.

    Incidents are security events worthy of further investigation by IBM security analysts. Here the news is better. Average incidents were down to 94 in 2016, a 48% drop from 178 in 2015. This doesn’t automatically mean cyber-security is safer. It may be that attackers rely more on proven attacks that need fewer attempts. The drop also sits uneasily with the combination of huge record leaks and a record year of vulnerability disclosures.

    There were many notable leaks in 2016 involving hundreds of gigabytes of email archives, documents, intellectual property and source code. They exposed organisations’ digital footprints. Previous data breaches were often fixed sets of structured information, such as credit card data, passwords, national ID numbers and Personal Health Information (PHI). This is a paradigm shift.

    X-Force’s report profiles a range of cyber-attack methods. They’re:

    o   Cross-Site Scripting (XSS)
    o   Physical access
    o   Brute force
    o   Misconfiguration
    o   Malvertising
    o   Watering hole
    o   Phishing
    o   Structured Query Language Injection (SQLi)
    o   DDoS
    o   Malware
    o   Heartbleed.

    The analysis and overview are extremely valuable for Africa’s health executives and ICT teams. Web application vulnerability disclosures made up 22% of all vulnerability disclosures in 2016. Attacks that inject unexpected items to manipulate data structures comprised 74% of all cyber-attacks. These are a few of the priorities.

  • WannaCry and NotPetya don’t need eHealth users

    Africa’s health systems need to match ransomware attackers’ sophistication. Neither WannaCry nor NotPetya, the latest types of attack, relies on dropped files or on users clicking to open email attachments. Instead, they seek out system vulnerabilities to gain access and spread across networks. Barkly, a cyber-security firm, describes it as misusing legitimate system tools and processes. Unlike previous methods that relied on suspicious executables, the new wave can avoid scrutiny from some cyber-security products. A Barkly video shows how they work.

    Barkly’s advice includes:

    o   Learn how cyber-attackers exploit legitimate tools to spread ransomware without files or user interaction, instead of phishing emails
    o   Know why attacks that need no interaction are becoming more popular: two thirds of ransomware in Q1 2017 used Microsoft’s Remote Desktop Protocol (RDP)
    o   Test your security against fileless attack scenarios using a malware simulation tool.


    This approach may help Africa’s eHealth programmes step up their cyber-security measures for ransomware. Simulation is better than dealing with a ransomware aftermath.

  • Is NotPetya a shift in ransomware’s goals?

    After WannaCry came NotPetya. A report from Forbes says it’s not typical ransomware that aims to make illicit money. It describes it as more devastating. It can inflict permanent damage on data and hard drives.

    The grugq, a security researcher, says NotPetya looks like Petya, an earlier ransomware family. There’s code sharing, but Petya was a criminal, money-making enterprise. NotPetya is designed to spread fast and cause damage under a plausible ransomware front. The grugq says it was a direct attack on Ukraine.

    It spread to organisations globally, so what does it mean for Africa’s eHealth? First, they could be collateral damage in an offensive cyber-attack on another country. Next, it emphasises the need for regular backups not connected to eHealth networks. Third, it’s vital to keep systems, anti-virus and cyber-security services up to date with the latest upgrades and updates.

    As a shift in emphasis for ransomware, NotPetya means that cyber-security measures and performance have to be increasingly effective and vigilant. It looks like there’s more and worse to come. 

  • Symantec’s issued advice about WannaCry

    Now that the dust from WannaCry has started to settle, more information is emerging. It’s an important part of Africa’s eHealth programmes’ build-up of cyber-security defences.

    Symantec, the cyber-security firm, says it’s confident it can beat WannaCry. The virulent ransomware strain has breached hundreds of thousands of computers worldwide since it emerged on 12 May 2017. It’s much more dangerous than other ransomware types because it can spread rapidly across an organisation’s networks by exploiting a vulnerability in Windows that Microsoft patched in its MS17-010 release in March 2017; systems without that patch remain exposed. The exploit, EternalBlue, was released online in April as part of a series of leaks by the Shadow Brokers group, which claimed it stole the data from the Equation cyber-espionage group.

    WannaCry searches for and encrypts 176 different file types, and appends .WCRY to the end of file names. It then asks users to pay a US$300 ransom in bitcoin. The ransom note says the amount will double after three days. If payment isn’t made within seven days, it says the encrypted files will be deleted. Despite this, Symantec hasn’t found any code in the ransomware that would cause files to be deleted. Symantec does not recommend paying the ransom.

    Decrypting encrypted files isn’t possible yet. Symantec’s researchers are investigating the possibility. If you have backup copies of affected files, you may be able to restore them.

    Symantec has identified two possible links loosely connecting WannaCry and the Lazarus Group. The code shared between Lazarus tools and WannaCry is an implementation of Secure Sockets Layer (SSL), the protocol used to encrypt data sent over the Internet. Symantec sees this as justifying further investigation.

    Some files may be recoverable without backups. Files saved on the Desktop, in My Documents, or on removable drives are encrypted and their original copies wiped, so they can’t be recovered. Files stored elsewhere are encrypted and their original copies merely deleted, so they could be recovered using an undelete tool.

    Symantec and Norton customers are protected against WannaCry by a combination of technologies. Proactive protection was provided by:

    o   IPS network-based protection
    o   SONAR behaviour detection
    o   Advanced Machine Learning (AML)
    o   Intelligent Threat Cloud (ITC).

    Customers should have these technologies enabled for full proactive protection. Symantec Endpoint Protection (SEP) customers are advised to migrate to SEP 14 to take full advantage of AML signatures.


  • A checklist can help combat ransomware

    As ransomware ratchets up as a cyber-security threat, extra and effective vigilance is essential. WannaCry, reported on eHNA, shows how it’s a bigger risk and priority. A ransomware checklist and kit, part of a seven-file download from Sophos, a cyber-security firm, provides timely advice. It has two main parts: essential technologies and best cyber-security practices. Both are valuable for Africa’s eHealth.

    There are two main types of ransomware attack. One is a plausible-looking email booby-trapped with a malicious attachment. The other comes from a compromised website. Both download ransomware when users click, and it then works its way onto endpoints and servers. WannaCry stepped this up: it scans and hunts for vulnerabilities and includes a worm that spreads across networks.

    If ransomware reaches endpoints and servers, it’s essential that it’s blocked and removed promptly. This may need tools; an example is Sophos’s CryptoGuard technology. Solutions must:

    o   Complement existing cyber-security
    o   Block processes trying to make unauthorised changes to data
    o   Work against local and remote encryption
    o   Automatically undo changes to avoid data loss
    o   Prevent exploits by stopping ransomware exploiting weaknesses in other software products.

    A Host Intrusion Prevention System (HIPS) with behaviour and file analytics is important too. Tech Support Alert describes HIPS as a program that alerts users when a malware program such as a virus tries to run on their computers, or when an unauthorised user such as a hacker may have accessed them. It achieves this by examining files’ components and structures for malicious elements and by watching for code that tries to modify the registry.

    Other cyber-security technologies include: 

    o   Web security scans checking web content for ransomware code
    o   Malicious Traffic Detection (MTD) looking for traffic to ransomware command and control servers, then blocking it when it’s found
    o   Application control that restricts the applications allowed to run
    o   Blocking Wscript, often used by ransomware
    o   Application whitelisting that establishes a default-deny policy on servers so only trusted applications can run, preventing ransomware gaining a foothold
    o   Email defences that block ransomware emails
    o   Time-of-click protection that stops users clicking on links to websites hosting ransomware, even if the links were safe when they entered inboxes
    o   Cloud sandboxing to find zero-day threats that exploit unknown vulnerabilities by rigorously testing files in safe environments before users run them
    o   Web gateways that block web-borne ransomware before it reaches users’ endpoints, such as:

        o   URL filtering that blocks websites hosting ransomware and stops ransomware communicating with its command and control servers

        o   Web filtering enforcing strict controls on ransomware file types, stopping them downloading

    Sophos’s nine best cyber-security practices are:

    o   Back up regularly and keep recent backup copies off-line and off-site to minimise data loss
    o   Enable file extensions to help identify unusual file types, such as JavaScript
    o   Open JavaScript files in Notepad because it blocks them from running malicious scripts
    o   Don’t enable macros in document attachments in emails because many infections rely on turning macros on
    o   Always be cautious about unsolicited attachments, and check with senders
    o   Don’t have more login power than needed because admin rights may spread a local infection across networks
    o   Consider installing the Microsoft Office viewers to see what documents look like without opening them in Word or Excel
    o   Patch early and often so there are fewer holes for ransomware to exploit
    o   Keep up to date with new security features in business applications.
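    Four of the Sophos practices above (show file extensions, open JavaScript in Notepad, leave macros off, limit admin rights) and the “blocking Wscript” item in the earlier technology list can be enforced rather than merely recommended. The PowerShell below is an added example, not Sophos’s code. The registry paths are the standard ones as I know them; the Office version keys (16.0 for Office 2016/2019/365, 15.0 for 2013) and the script extensions beyond .js are assumptions about the environment and go slightly beyond what the page lists.

```powershell
# Added example, not from Sophos or eHNA: enforce several of the Sophos practices
# as registry settings for the current user. Run as the user being hardened;
# step 4 writes under HKLM and therefore needs an elevated session.
param(
    # Assumption: which Office release keys exist here. 16.0 = 2016/2019/365, 15.0 = 2013.
    [string[]]$OfficeVersions = @('16.0', '15.0'),
    [string[]]$OfficeApps     = @('Word', 'Excel', 'PowerPoint')
)

function Set-RegistryValue {
    # Create the key if needed, then create or overwrite the value.
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# 1. Show file extensions so "invoice.pdf.js" is visible for what it is.
Set-RegistryValue -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' `
                  -Name 'HideFileExt' -Value 0

# 2. Open script files in Notepad instead of running them with Windows Script Host.
#    HKCU\Software\Classes overrides HKCR for this user. Assumption: the list goes beyond
#    the page's ".js" to the other extensions WSH executes. A per-user "Open with" choice
#    (Explorer\FileExts\<ext>\UserChoice) would still win, so confirm in Explorer afterwards.
foreach ($ext in '.js', '.jse', '.vbs', '.vbe', '.wsf') {
    $classKey = "HKCU:\Software\Classes\$ext"
    if (-not (Test-Path $classKey)) { New-Item -Path $classKey -Force | Out-Null }
    Set-ItemProperty -Path $classKey -Name '(default)' -Value 'txtfile'
}

# 3. Macros off. VBAWarnings 4 = disable all macros without notification;
#    blockcontentexecutionfrominternet 1 = block macros in files that carry the Internet mark.
foreach ($ver in $OfficeVersions) {
    foreach ($app in $OfficeApps) {
        $sec = "HKCU:\Software\Microsoft\Office\$ver\$app\Security"
        Set-RegistryValue -Path $sec -Name 'VBAWarnings' -Value 4
        Set-RegistryValue -Path $sec -Name 'blockcontentexecutionfrominternet' -Value 1
    }
}

# 4. Block Windows Script Host outright (the "blocking Wscript" item). Machine-wide:
#    anything that relies on wscript.exe / cscript.exe, including some logon scripts, stops working.
try {
    Set-RegistryValue -Path 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' -Name 'Enabled' -Value 0
} catch {
    Write-Warning "Could not disable Windows Script Host (needs an elevated session): $_"
}

# 5. "Don't have more login power than needed": flag an elevated session, since a
#    ransomware process launched from it inherits the same rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning "This session runs with administrator rights; day-to-day work should not."
}
```

    Apply it to a test profile first: step 2 changes what a double-click on a script does for that user, and step 4 disables WSH for every user on the machine, which is exactly the point but also what breaks legacy logon scripts.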

    These activities reveal the considerable range of activities needed for effective cyber-security. As threats become more sophisticated and effective, Africa’s eHealth needs to keep up with modern cyber-security.

  • Cyber-criminals like Ransomware

    Ransomware is a favourite with many cyber-criminals. It’s cheap to produce and can provide big, illegal returns by encrypting users’ data. Decryption comes with a fee, but experts say users should never pay; instead, recover from up-to-date offline backups. It offers good returns because it mainly relies on unsuspecting users clicking illicit links in emails and webpages so that the ransomware is downloaded. Acfee’s cyber-security overview eBook reports that ransomware restricts access to computers, and the restriction is removed after paying a ransom, often in Bitcoin. Cyber-criminals know this phishing approach, which holds information hostage, is significantly more profitable than stealing it. WannaCry made headlines when cyber-criminals launched a global cyber-attack. It’s a step up on lucrative conventional ransomware, being extremely predatory, scanning and hunting for networks’ vulnerabilities. It’s not clear whether it used phishing at all or relied wholly on exploiting vulnerabilities.


    An article in the New York Times says the cyber-attack affected more than 150 countries and infected 200,000 Windows computers. Hackers mainly hit hospitals, academic institutions and high-profile global companies. Perpetrators used code previously leaked as part of a document dump. A report by News24 says this explains the virus’s rapid spread.

    Healthcare news has an alarming estimate that 72% of malware attacks on healthcare used ransomware. Healthcare is particularly targeted because hackers know how crucial data is to daily hospital operations, and how grave the results are if it is leaked or falls into the wrong hands. Verizon researched this. Its 2017 Data Breach Investigations Report found that 602 of 2,000 breaches stemmed from phishing emails. Symantec identified ransomware’s growth. Its report said the number of ransomware detections increased by 36% during 2016, up from 340,000 in 2015 to 463,000 in 2016.

    Any organisation can fall victim to these attacks, so all must impose strict measures to increase cyber-security and ensure that employees remain vigilant and alert.

  • WannaCry hack hits Africa

    As big-scale hacks go, WannaCry’s malicious spread is approaching an unprecedented pandemic. The Data Protection Report from Norton Rose Fulbright, a global law firm, says the ransomware attack started infecting companies and healthcare organisations across the US, Europe and Asia early on Friday morning, 12 May. By then 70 countries were affected. On Sunday, the head of Europol told the BBC there were more than 200,000 victims in 150 countries. Hacker News has posted that WannaCry v2.0 can bypass the kill switch that stops v1 from spreading. This global cyber-attack may keep expanding.

    Hackatrick has an article saying it’s believed to be the biggest ransomware attack ever seen. Over 75,000 PCs in 99 countries were infected in less than 24 hours, including in the US, Russia, Germany, Turkey, Italy, the Philippines, Vietnam, India and the UK. It has a map showing affected organisations in Angola, Egypt, Kenya, Nigeria, Tunisia and South Africa. Affected systems have six hours to pay up. Delayed responses lead to an increased ransom.

    WannaCry spreads by using a Windows vulnerability. On 14 March, Microsoft released a security patch, MS17-010, to close it. Some large organisations with far-reaching ICT networks can take up to four months to install it and update their systems, so can still be vulnerable. The attack’s huge scale means there are equally large-scale lessons to be learnt.

    Initial ransom payments for the decryption key are about US$300, usually demanded in Bitcoin within six hours. Delaying payment can result in increased ransoms. It seems the cyber-criminals haven’t raised much relative to the extent of the infections, maybe some US$20,000 in Bitcoin so far from under 200 payments, says the Guardian.

    Basic advice from Hackatrick is:

    o   Patch your operating system and reboot, especially MS17-010 on Windows workstations and servers, which closes the EternalBlue exploit
    o   Beware of bogus emails
    o   Back up your files remote from operational systems
    o   Always have up-to-date anti-virus software.
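    The Hackatrick advice above, and Barkly’s point earlier that two thirds of Q1 2017 ransomware arrived over RDP, both come down to one question per Windows host: is it exposed? The script below is an added example, not Hackatrick’s, Symantec’s or Barkly’s code. In PowerShell it audits SMBv1 (the service EternalBlue attacks on TCP 445), looks for the MS17-010 hotfixes and reports the RDP configuration, and offers a function to switch SMBv1 off. The KB numbers are the ones I recall from the MS17-010 bulletin and should be checked against it; the cmdlets need Windows 8.1 / Server 2012 R2 or later and an elevated session.

```powershell
# Added example, not from Hackatrick, Symantec, Barkly or eHNA: a read-only audit of the
# two exposures the page discusses (SMBv1 / MS17-010 and RDP), plus an opt-in SMBv1 fix.
# Requires an elevated session on Windows 8.1 / Server 2012 R2 or later.

# MS17-010 KB numbers as I recall them from the bulletin; confirm against it.
# On Windows 10 / Server 2016 later cumulative updates supersede these, so a missing KB
# there is not proof of exposure. Treat the SMB1 state as the decisive check.
$Ms17010Kbs = @(
    'KB4012598',               # XP, Vista, Server 2003/2008, Windows 8 (out-of-band)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Get-RansomwareExposure {
    [CmdletBinding()]
    param()

    # SMBv1 on the server side: the protocol EternalBlue targets.
    $smb         = Get-SmbServerConfiguration
    $smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $smb1State   = if ($smb1Feature) { $smb1Feature.State.ToString() } else { 'Unknown' }

    # Get-HotFix only lists updates registered with the servicing stack, hence the caveat above.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $ms17010   = @($Ms17010Kbs | Where-Object { $installed -contains $_ })

    # RDP: enabled at all, and is Network Level Authentication (NLA) required before logon?
    $ts     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    $rdpEnabled   = ($ts.fDenyTSConnections -eq 0)
    $nlaRequired  = ($rdpTcp.UserAuthentication -eq 1)
    $rdpListening = [bool](Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = [Environment]::OSVersion.Version.ToString()
        Smb1ServerEnabled = $smb.EnableSMB1Protocol
        Smb1FeatureState  = $smb1State
        Ms17010Hotfixes   = ($ms17010 -join ',')
        RdpEnabled        = $rdpEnabled
        RdpNlaRequired    = $nlaRequired
        RdpListening3389  = $rdpListening
    }
}

function Invoke-Smb1Hardening {
    # Disable SMBv1 on the server side. This holds even when patch state is uncertain;
    # it needs a reboot and breaks clients that only speak SMB1 (old printers, NAS boxes).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

$report = Get-RansomwareExposure
$report | Format-List

if ($report.Smb1ServerEnabled) {
    Write-Warning 'SMBv1 is enabled: an EternalBlue-style worm can reach this host on TCP 445.'
}
if ($report.RdpEnabled -and -not $report.RdpNlaRequired) {
    Write-Warning 'RDP is enabled without NLA: unauthenticated clients reach the logon screen.'
}
```

    Run it as-is to print the report for one host, or wrap Get-RansomwareExposure in Invoke-Command to sweep a domain. Call Invoke-Smb1Hardening only after confirming nothing on the network still depends on SMB1, then reboot.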

    A report from the BBC says WannaCry seems to have spread like a worm. It can move around a network unaided. It’s more sophisticated than basic ransomware, which relies on phishing emails to trick users into clicking on attachments that download malicious code. Once WannaCry is inside a network, it scans and hunts for vulnerable machines to infect.

    WannaCry seems to stem from a bug found by the US National Security Agency (NSA). When the details were leaked, many security researchers predicted they would trigger the production of self-propagating ransomware worms.

    Africa’s health systems must learn and act on the lessons from WannaCry. Its wrecking effect on parts of the UK’s NHS is salutary, and partly attributed to using obsolete software, such as Windows XP.

  • Phishing attacks are a challenge for South Africa

    Phishing is one of the most common, dangerous and frequent cyber-attacks. Phishingbox estimates that at least one in 1,846 emails is a phishing attack. Emails are not the only vector. Cyber-criminals use fake websites and adverts to trap people too.

    Acfee’s cyber-security overview eBook describes phishing as cyber-criminals sending apparently legitimate emails or website adverts to entice recipients to respond, either by clicking on malicious links that can download ransomware, or by providing sensitive information like passwords, usernames and personal data that is used mainly for email fraud. Cyber-criminals are increasingly using invitations to connect to bogus websites to entrap unsuspecting users too.


    This form of cyber-attack succeeds because some users are easily fooled by emails or adverts that appear legitimate. The hoaxes convey a sense of urgency that prompts a response ‘for security reasons’ by clicking on a link in the email that directs them to a spoofed website. This type of bogus website is designed to harvest information for identity theft and to encrypt users’ data for a ransom payment.


    An article in ITNewsAfrica says South Africa is the second most targeted country for phishing attacks. In 2013, phishing cost South Africa about US$320 million, about ZAR4.26 billion. Since then, spear phishing has become a common form of phishing. It bypasses most security defences by sending emails tailored to their individual recipients. Anyone can fall victim to this scam. Banks offer some tips to avoid phishing:

    o   Keep online IDs, passwords and PINs private, and never write them down or share them with anyone
    o   Always log off or sign out at the end of a session
    o   Never respond to emails that request personal details
    o   Never use links in emails or adverts to access websites; always use the web address provided by the organisation
    o   Type web addresses into browsers and ensure sites are secure by looking for the lock icon in the browser before logging on
    o   Don’t open emails from unknown sources, even if the email addresses, titles and sender details look legitimate, and delete them immediately
    o   Create longer passwords that combine lowercase and capital letters, numbers and symbols that cannot be attributed to you
    o   Avoid passwords that are too personal or too simple, such as 1234, and don’t reuse one password for several accounts
    o   Keep anti-virus software up to date and frequently apply security patches to your operating systems.

    While these are generic, they’re essential for all Africa’s eHealth users. They fit personal use too. They require constant vigilance.

  • Microsoft fixes a dangerous email bug

    Where are all the bugs? All organisations and users are vulnerable. It seems they can’t be sure whether their systems have a vulnerability waiting to be exploited. Microsoft is the latest.

    The Register has a report saying Microsoft released a security patch to fix a bug, MS14-068, in the Windows Kerberos authentication system. Kerberos is used by default for domain authentication, and the bug lets an ordinary domain user ramp up privileges and access rights to match those of domain administrators. Hackers can exploit it to compromise whole networks of computers by impersonating domain accounts, joining groups, installing programs, viewing, changing and deleting data, and creating new accounts. Cyber-criminals can use these to compromise any computer in the domain.

    Separately, Microsoft has released an urgent update to stop hackers taking control of computers with a single email. The BBC has said Microsoft’s anti-malware software, such as Windows Defender, could have been exploited without the recipient even opening the malicious email. Windows 8, 8.1 and 10 and Windows Server operating systems are all affected by the bug.

    The BBC said the bug was discovered by two Google Project Zero researchers, Tavis Ormandy and Natalie Silvanovich. The vulnerability enables remote code execution, attackers’ golden goal. While the bug had been there for some time, once Microsoft was alerted it issued a patch rapidly. Windows users can check that their Malware Protection Engine is at version 1.1.13704.0 or later. It should download automatically with signature updates.
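    To turn the BBC’s ‘check your version’ advice into something an ICT team can run across a fleet, here is an added PowerShell example (not Microsoft’s or the BBC’s code). It assumes the Defender module (Get-MpComputerStatus, Update-MpSignature), which exists on Windows 8.1, 10 and Server 2016 but not on Windows 7 or where a third-party product has replaced Defender; the version it compares against is the one cited above.

```powershell
# Added example, not from Microsoft, the BBC or eHNA: confirm the Malware Protection
# Engine on this host is at or above the fixed version, and pull an update if it is not.
# Assumes the Defender PowerShell module is present (Windows 8.1 / 10 / Server 2016).

$FixedEngineVersion = [version]'1.1.13704.0'   # fixed engine version cited on the page

function Test-DefenderEngine {
    # Get-MpComputerStatus throws if Defender is absent or disabled by a third-party product;
    # let that surface rather than report a false "fixed".
    $status = Get-MpComputerStatus -ErrorAction Stop
    $engine = [version]$status.AMEngineVersion
    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EngineVersion      = $engine.ToString()
        EngineFixed        = ($engine -ge $FixedEngineVersion)
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        SignatureAgeDays   = $status.AntivirusSignatureAge
    }
}

$result = Test-DefenderEngine
$result | Format-List

if (-not $result.EngineFixed) {
    Write-Warning "Engine $($result.EngineVersion) is older than $FixedEngineVersion; updating."
    # Engine updates ship inside signature updates, so this refreshes both.
    Update-MpSignature
    Test-DefenderEngine | Format-List
}
if (-not $result.RealTimeProtection) {
    Write-Warning 'Real-time protection is off: the engine version is moot if nothing scans incoming mail.'
}
```

    A host that never reaches the fixed version after Update-MpSignature is either offline from Microsoft Update or has Defender disabled by another product; both cases need a person to look, not another retry.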

  • Will cyber-criminals go for medical devices next?

    Nothing on the ICT landscape is off limits for cyber-criminals. Medical devices could be their next target. In The Rise of the Machines: The Dyn Attack Was Just a Practice Run, the US Institute for Critical Infrastructure Technology (ICIT), a cyber-security think tank, says the Mirai Internet of Things (IoT) botnet has inspired further Distributed Denial of Service (DDoS) botnet innovation. Its potency is enhanced by the lack of good-practice cyber-security at the design stage of Internet and IoT devices. This harsh reality is an opportunity for Africa’s eHealth to prepare rigorous evaluations of IoT projects.

    Krebs on Security, a cyber-security news and investigation service, says the Mirai IoT botnet, whose source code has since been published, was responsible for the DDoS attack against it. A conclusion Krebs draws from the incident is that the Internet will soon be flooded with threats and attacks from many new botnets powered by insecure routers, Internet Protocol (IP) cameras, digital video cameras that send and receive data over a computer network and the Internet and are used for surveillance, digital video recorders, and other networked devices that are easy to hack.

    ICIT provides a comprehensive and detailed analysis of the new threat. Stakeholders have been driven to recognise and accept the security design weaknesses and the prevalence of vulnerabilities inherent in IoT devices. Its report includes:

    o   A concise overview of the basic Internet structure, including key players and the protocols of the International Organization for Standardization (ISO) Open Systems Interconnection (OSI) model and Transmission Control Protocol/Internet Protocol (TCP/IP), used to govern computer systems’ connections to the Internet
    o   DDoS anatomy, including details on constructing botnets, conventional botnets compared to IoT botnets, and launching DDoS attacks
    o   An overview of the Mirai incidents, including KrebsOnSecurity, OVH, a cloud and Internet Service Provider (ISP), Dyn, Liberia, Finland, the US Trump and Clinton presidential campaigns, WikiLeaks and Russian banks
    o   Evolution of IoT malware, including profiles of Linux.Darlloz, a worm, Aidra, QBot and Qakbot, BASHLITE, Lizkebab, Torlus, gafgyt and Mirai
    o   A discussion of the sectors at greatest risk, including healthcare
    o   Recommendations and remediation to combat these threats.

    The ICIT report is essential reading for Africa’s health systems. It can help to prepare cyber-security plans for their forthcoming IoT initiatives.