August 14, 2017
Investigation Uncovers Iran-Backed Cyber-Espionage Group – Global
The Iran-backed cyberespionage group CopyKittens has increased activities, launching attacks on governments, defense companies and academic institutions in support of Tehran's political agenda, a report said. An investigative study by Israeli firm ClearSky Cybersecurity and Trend Micro called Operation Wilted Tulip traced CopyKittens' activities to 2013, shedding light on its work patterns and possible motivations. The report revealed that CopyKittens' activities mostly centered on espionage of strategic targets, particularly Saudi Arabia, Jordan, Turkey, Israel, Germany and the United States. The group extracted information from government organizations, academic institutions, online news sites and NGOs with the objective of gathering "as much information and data from target organizations as possible," the report said. CopyKittens used rudimentary techniques, such as phishing, malicious email attachments and, more recently, watering hole attacks to gather information.
3,400 Patients’ Protected Health Information Potentially Compromised in City of Hope Phishing Attack – United States
A phishing attack on City of Hope has resulted in cyber criminals gaining access to the email accounts of four employees. The emails made it past spam filtering controls and were delivered to employees on May 31 and June 2, 2017. Four employees responded to the requests and disclosed their login credentials to the attackers. City of Hope says the emails appeared to have been sent from a trustworthy source. The attackers used the login credentials to access the accounts, although City of Hope was unable to determine the scope or nature of access. On July 21, City of Hope confirmed that three of the accounts contained patients’ protected health information. The protected health information in the emails included names, addresses, email addresses, contact telephone numbers, dates of birth, dates of service, diagnoses, test results, medication information, and other clinical data. No financial information, insurance details, or Social Security numbers were exposed or accessed. Phishing attacks such as this are not always concerned with obtaining protected health information. Oftentimes, access to the email accounts is gained in order to use the accounts to send spam emails. City of Hope believes that was the intention of the phishers in this case. However, since PHI access cannot be ruled out, patients affected by the incident have been advised to remain cautious and monitor their accounts for any sign of suspicious activity. The incident has been reported to law enforcement and a leading forensic information technology firm has been retained to assist with the investigation. The firm will also evaluate City of Hope systems and processes and will assist with strengthening existing security protections to prevent future incidents of this nature from occurring.
New Trojan Malware Campaign Sends Users to Fake Banking Site – Global
A notorious banking Trojan is targeting customers of a major bank with a new email spam campaign that directs victims to a fake login page indistinguishable from their real bank's. The credential-stealing Trickbot banking malware has been hitting the financial sector since last year and targets online banking customers in the US, UK, Australia and other countries. Those behind this particular banking Trojan are continually developing it and have even been experimenting with EternalBlue, the Windows exploit that helped spread WannaCry and Petya. But no matter how advanced malware gets, phishing remains a common attack vector for distributing malicious payloads. Uncovered by cyber security researchers at Cyren, this latest Trickbot distribution campaign sent over 75,000 emails in 25 minutes, all claiming to be from Lloyds Bank, one of the UK's biggest banks. The emails were sent with the subject 'Incoming BACs', referring to BACs, a system for making payments directly from one email account to another, and claimed that the target needed to review and sign attached documents. After downloading and opening the Excel attachment, IncomingBACs.xlsm, the user is asked to enable macros to allow the document to be edited; as with many malicious email campaigns, it is this step that allows the malware payload to be deployed.
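The Trickbot lure above combines a recognisable subject line with a macro-enabled Excel attachment that only fires once the user enables macros. The following is an added example, not code from the original bulletin or from Cyren, of the mail-gateway triage a defender would want: it flags the known lure subject, flags macro-enabled Office extensions, and, more usefully, opens each OOXML attachment as a zip archive and looks for the embedded VBA project, so a macro document renamed to .xlsx is still caught. All sample messages and archives are constructed in memory; the sender addresses, filenames and the helper names are assumptions for illustration.

```python
import io
import os
import re
import zipfile

# Constructed sample: build a minimal OOXML-style archive in memory.
# Real workbooks carry far more parts; only the presence of the VBA
# project part matters for this check.
def build_ooxml(with_macros: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("xl/vbaProject.bin", b"\x00constructed-vba-placeholder")
    return buf.getvalue()

# Extensions that Office treats as macro-enabled.
MACRO_EXTENSIONS = {".xlsm", ".xlam", ".docm", ".dotm", ".pptm"}

# The subject used by the campaign described in the bulletin.
LURE_SUBJECT = re.compile(r"\bincoming\s+bacs?\b", re.IGNORECASE)


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (zip) attachment carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin")
                       for name in zf.namelist())
    except zipfile.BadZipFile:
        # Not a zip container, so not an OOXML document; other checks
        # (legacy OLE formats, executables) would live elsewhere.
        return False


def assess_message(msg: dict) -> tuple[str, list[str]]:
    """Return ('quarantine' | 'deliver', findings) for one message."""
    findings = []
    attachment_risk = False

    if LURE_SUBJECT.search(msg["subject"]):
        findings.append("subject matches known Trickbot lure")

    for name, data in msg["attachments"].items():
        ext = os.path.splitext(name)[1].lower()
        macro_ext = ext in MACRO_EXTENSIONS
        vba = has_vba_project(data)
        if macro_ext:
            findings.append(f"{name}: macro-enabled extension {ext}")
        if vba:
            findings.append(f"{name}: contains VBA project")
        if vba and not macro_ext:
            # Content and extension disagree: a renamed macro document.
            findings.append(f"{name}: VBA project behind non-macro extension")
        attachment_risk = attachment_risk or macro_ext or vba

    return ("quarantine" if attachment_risk else "deliver"), findings


# Constructed sample messages (addresses are placeholders).
SAMPLE_MESSAGES = [
    {"subject": "Incoming BACs",
     "from": "Lloyds Bank <payments@example.invalid>",
     "attachments": {"IncomingBACs.xlsm": build_ooxml(with_macros=True)}},
    {"subject": "Q3 budget",
     "from": "colleague@example.invalid",
     "attachments": {"budget.xlsx": build_ooxml(with_macros=False)}},
    {"subject": "Invoice",
     "from": "vendor@example.invalid",
     "attachments": {"invoice.xlsx": build_ooxml(with_macros=True)}},
]


def triage_all(messages=SAMPLE_MESSAGES) -> dict:
    """Map each subject to its verdict and findings."""
    return {m["subject"]: assess_message(m) for m in messages}


if __name__ == "__main__":
    for subject, (verdict, findings) in triage_all().items():
        print(f"{verdict:10} {subject!r}")
        for f in findings:
            print(f"    - {f}")
```

The subject check alone is brittle, since the next campaign will use a different lure; the archive inspection is the durable part, because the VBA project has to be present for the "enable macros" step to do anything, whatever the file is called.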