solisuz, 18-10-2014 09:30
218.77.79.43 Changsha in Hunan
Norse DarkWolf Labs noticed the IP address 218.77.79.43 jumped into the top spot for malicious activity this week. Assigned to the CHINANET-HN-HY CHINANET-HN Hengyang node network, Hunan Telecom on ASN 4134 for China Telecom, this IP has been seen targeting multiple ports and protocols over the last few months, and has been increasing activity in the last week.
FBI Advisory Underscores Dire Healthcare Sector Security Issues
08/26/2014

Last week, in the wake of a massive patient data breach at Community Health Systems, Reuters reported that the FBI had issued a warning to all healthcare companies that the entire sector was at continued risk from criminal hackers, underscoring security shortcomings that had been well documented prior to the issuance of the advisory. "The FBI has observed malicious actors targeting healthcare related systems, perhaps for the purpose of obtaining Protected Healthcare Information (PHI) and/or Personally Identifiable Information (PII)," the "Flash" alert obtained by Reuters stated. "These actors have also been seen targeting multiple companies in the healthcare and medical device industry typically targeting valuable intellectual property, such as medical device and equipment development data," the alert continued.

Last April, the FBI had also cautioned the industry that its cybersecurity posture was lax in comparison to other industry sectors, a warning that came a full two months after an extensive report on the issue was released by SANS and threat intelligence leader Norse Corporation. The study, titled Healthcare Cyberthreat Report: Widespread Compromises Detected, Compliance Nightmare on Horizon, had warned that the situation “could easily lead to a wide range of criminal activities that are currently not being detected,” according to principal author Barbara Filkins, Senior SANS Analyst and Healthcare Specialist. “Hackers can engage in widespread theft of patient information that includes everything from medical conditions to social security numbers to home addresses, and they can even manipulate medical devices used to administer critical care.”

The report covered a variety of healthcare-related organizations, from hospitals to insurance carriers and pharmaceuticals, and found that exploited medical devices, conferencing systems, web servers, printers, and edge security technologies were all broadcasting malicious traffic. In addition, the report noted a wide array of compromised devices ranging from radiology imaging software to firewalls and mail servers, with a significant number of compromises being due to very basic issues that went unaddressed for long periods of time, such as not changing default credentials. The intelligence provided by the Norse threat intelligence platform that SANS examined for the report was specific to the healthcare sector and was collected between September 2012 and October 2013; over that period they identified 49,917 unique malicious events, 723 unique malicious source IP addresses, and 375 U.S.-based compromised healthcare-related organizations. “The data analyzed was alarming. It not only confirmed how vulnerable the industry had become, it also revealed how far behind industry-related cybersecurity strategies and controls have fallen,” Filkins wrote in the report. The following is a breakdown of the organizational types detected as compromised and the percentage of malicious IP traffic emanating from them:
Health care providers—72.0% of malicious traffic
Health care business associates—9.9% of malicious traffic
Health plans—6.1% of malicious traffic
Health care clearinghouses—0.5% of malicious traffic
Pharmaceutical—2.9% of malicious traffic
Other related health care entities—8.5% of malicious traffic

“Many of the organizations were compromised and, therefore, out of compliance for months, and some for the duration of the study—meaning they never detected their compromises or outbound malicious communications, nor did they acknowledge warnings from the Norse response team,” the report states. The report notes that there are a variety of reasons why the findings are cause for alarm:
The sheer volume of IP addresses detected in this targeted sample can be extrapolated to assume that there are millions of compromised organizations, applications, devices and systems
Current security practices and strategies around endpoints in general are not keeping pace with attack volumes; attackers are bypassing perimeter protections en masse, and once compromised these networks are not only vulnerable to breaches but also available to be used for attacks
Personal health care information (PHI) and organization intellectual property, as well as medical billing and payment organizations, are all increasingly at risk of data theft and fraud because of these attacks
The costs of failed compliance and compromises are increasing, going far beyond regulatory fines, the burden of notification to victims, and immediate remediation costs—there are legal risks from class-action lawsuits, potential fallout in stock prices, and the intangible costs of brand damage

“The report is a snapshot of what’s happening throughout the industry. This data shows that no health care organization is immune. Reports of breaches against health care organizations, large and small, continue to rise—as do the regulatory fines they are facing for the exposure of protected patient data,” Filkins concluded. “The time to act is yesterday. Organizations must become aware of the many attack surfaces in their organizations and follow best practices for configuring these systems and monitoring them for abuse.”

As of June 12, 2014, we have seen over 706,000 events from this IP, with between 7,200 and 10,600 events observed each day. There has been minimal variance in the number of events observed Thursdays through Mondays, while the totals for Tuesdays and Wednesdays were significantly lower by comparison during this time frame. The number of events has gradually increased over the last few weeks, with over 70,200 in the last week alone:
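The per-day and per-weekday event counts quoted above are the kind of profile a defender can compute from their own firewall logs for a single source address. The Python below is an added example, not Norse's code or data: it parses constructed iptables-style syslog lines, keeps only the events from the source IP of interest, and reports events per day, the daily range, weekdays that are markedly quieter than the rest, and the distinct protocol/port pairs hit; the sample lines, the assumed year 2014 and the 0.75 quiet-day ratio are all assumptions.

```python
"""Profile one source IP in iptables-style syslog lines: events per day/weekday, ports hit."""
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed sample log (not Norse data); the format mimics iptables LOG output.
SAMPLE_LOG = """\
Sep  4 10:01:02 fw kernel: IN=eth0 SRC=218.77.79.43 DST=192.0.2.10 PROTO=TCP DPT=22
Sep  4 10:01:05 fw kernel: IN=eth0 SRC=218.77.79.43 DST=192.0.2.11 PROTO=TCP DPT=3389
Sep  4 11:20:00 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=443
Sep  5 02:00:00 fw kernel: IN=eth0 SRC=218.77.79.43 DST=192.0.2.12 PROTO=UDP DPT=161
Sep  5 02:00:01 fw kernel: IN=eth0 SRC=218.77.79.43 DST=192.0.2.12 PROTO=TCP DPT=22
Sep  6 03:00:00 fw kernel: IN=eth0 SRC=218.77.79.43 DST=192.0.2.13 PROTO=TCP DPT=445
Sep  6 03:00:01 fw kernel: IN=eth0 SRC=218.77.79.43 DST=192.0.2.15 PROTO=TCP DPT=23
Sep  7 04:00:00 fw kernel: IN=eth0 SRC=218.77.79.43 DST=192.0.2.10 PROTO=TCP DPT=1433
Sep  7 04:00:01 fw kernel: IN=eth0 SRC=218.77.79.43 DST=192.0.2.11 PROTO=TCP DPT=22
Sep  8 05:00:00 fw kernel: IN=eth0 SRC=218.77.79.43 DST=192.0.2.12 PROTO=TCP DPT=445
Sep  8 05:00:01 fw kernel: IN=eth0 SRC=218.77.79.43 DST=192.0.2.13 PROTO=UDP DPT=161
Sep  9 06:00:00 fw kernel: IN=eth0 SRC=218.77.79.43 DST=192.0.2.14 PROTO=TCP DPT=22
Sep 10 06:00:00 fw kernel: IN=eth0 SRC=218.77.79.43 DST=192.0.2.15 PROTO=TCP DPT=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}) \d\d:\d\d:\d\d \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")

def profile_source(log_text, src_ip, year=2014):
    """Return (events per date, events per weekday name, set of (proto, port)) for src_ip."""
    per_day, per_weekday, targets = Counter(), Counter(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["src"] != src_ip:
            continue
        # syslog timestamps carry no year; the caller supplies it (assumed 2014 here)
        day = datetime.strptime(f"{m['ts']} {year}", "%b %d %Y").date()
        per_day[day] += 1
        per_weekday[day.strftime("%A")] += 1
        targets.add((m["proto"], int(m["dpt"])))
    return per_day, per_weekday, targets

def daily_range(per_day):
    """Lowest and highest single-day event count, the figures the post reports."""
    return (min(per_day.values()), max(per_day.values())) if per_day else (0, 0)

def quiet_weekdays(per_weekday, ratio=0.75):
    """Weekdays with fewer events than ratio * median across the observed weekdays."""
    threshold = ratio * median(per_weekday.values()) if per_weekday else 0
    return sorted(d for d, n in per_weekday.items() if n < threshold)
```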
09/11/2014

It came as no surprise to the folks at Norse DarkWolf Labs that the IP address 218.77.79.43 remains at the top of the list for malicious activity this week, the third week in a row, with over 55,180 events between September 3rd and 8th. As described in previous Threat Thursday posts, including last week's, the IP address 218.77.79.43 is assigned to the CHINANET-HN-HY CHINANET-HN Hengyang node network, Hunan Telecom on ASN 4134 for China Telecom.

After last week’s Threat Thursday post, one of our readers tweeted to @NorseCorp inquiring about the attribution of this IP address, sharing the Network Threat Blacklist System web site [http://antivirus.neu.edu.cn/scan/] of the Northeastern University Network Center in Shenyang City, Liaoning Province. Their Network Threat Blacklist System shows 218.77.79.43 as part of Hengyang Telecom ADSL, and the address has been seen hitting their systems as well. Image one (1) below is a screenshot from that web site listing the current top ten threats, with 218.77.79.43 ranking eighth:

Image One (1): Screenshot from Northeastern University Network Center Network Threat Blacklist System web site

This raises the question of who or what this IP address is assigned to. The Northeastern University Network Center attributes this IP to Hengyang Telecom ADSL, but the information we receive from the Regional Internet Registry (RIR) for this IP is not as specific. As the screenshot from DarkViking in image two (2) shows, there is no mention of Hengyang Telecom ADSL. The RIR gives the city as Changsha with a nearby latitude and longitude, the ISP as CHINANET HUNAN PROVINCE NETWORK, and the AS Name & Number as CHINANET-BACKBONE. Hengyang province is a considerable distance from Hunan province and the city of Changsha:

Image Two (2): Screenshot from Norse DarkViking regarding IP 218.77.79.43

With the owners not providing accurate information regarding IP ownership and routing, the RIRs cannot provide accurate information. Thus our analysis can only be as accurate as the information provided. It is interesting that, internal to China, the information is more accurate than what is provided to the RIRs – perhaps it is being purposefully skewed at the RIR. Considering that CHINANET is the ISP for the entire country, if ownership and routing information is not accurate or is falsified, this makes subjective analysis problematic at best. Clearly this IP is a nuisance, scanning hosts both inside and outside its home country. As the online conversation regarding our posting last week mentioned, there is perhaps cause for concern regarding all traffic from this ISP, and potentially from this country in general, if activity of this nature is ignored.

We appreciate the feedback, and the identification of the Northeastern University Network Center Network Threat Blacklist System web site [http://antivirus.neu.edu.cn/scan/]. With the activity observed from this province ranking eleventh, the members of DarkWolf Labs are curious to see what we would find in the activity observed from the other provinces. Norse will continue monitoring this activity to provide analysis and additional information to help our customers recognize and defend against this sort of suspect and/or malicious activity. For real-time protection and insight, reach out to the Norse sales staff for further information and assistance via our contact page.