Cedar APT IOC's Added to the commercial feed.
A total of 6 IOC's related to Cedar have been updated.
The purpose of this page is to provide awareness to individuals and organizations that are leaking information and the information of their customers. The entities listed on this site are verified to be leaking personal information sometimes without the company even being aware. SLC Security is now owned and operated by Jigsaw Security Enterprise. We are currently in process and as such this blog will eventually be taken offline and merged with Jigsaw Security resources.
Tuesday, March 31, 2015
Sunday, March 29, 2015
BREACH: Advantage Dental
Advantage Dental ("Advantage"), an Oregon-based dental services
provider notified 151,626 patients of a breach of personal patient
protected health information (PHI/HIPAA) after its intrusion detection
system discovered an internal database at Advantage was illegally
accessed. The unauthorized access occurred between February 23, 2015
and February 26, 2015. The intruder was able to gain access to this
database through a computer that had been infected with malware.
Advantage terminated the illegal access immediately upon discovery on
February 26, 2015. The intrusion resulted in the unauthorized access to
the name, date of birth, phone number, social security number, and home
address. No treatment, payment, or any other financial data was
accessed.
First reported 16 March 2015.
Read More: https://secure.advantagedental.com/index.asp?din=598
First reported 16 March 2015.
Read More: https://secure.advantagedental.com/index.asp?din=598
Friday, March 27, 2015
BREACH: Startup Slack Reports Data Breach
Looks like they have implemented 2 factor authentication.
http://www.usatoday.com/story/tech/2015/03/27/slack-data-breach/70545436/
http://www.usatoday.com/story/tech/2015/03/27/slack-data-breach/70545436/
Thursday, March 26, 2015
Under Attack - This Pattern Looks Familiar
Just like in previous disclosures that we have provided information within a few hours we end up coming under attack and just like the last time we say please by all means hit us so we can map out your networks and infected host...
This is a lesson in how to map out a botnet in real time. Thanks guys!
This is a lesson in how to map out a botnet in real time. Thanks guys!
UPDATED WITH INDICATORS AND NOTES: Large BOTNET exposed
SLC Security Services LLC has discovered a previously unknown BOTNET network. We will be adding the indicators to our paid feeds. We had previously been seeing the nodes responding to various internet host but we couldn't get the host to respond to any of the request we sent. Apparently the bot command and control requires a certain sequence of ports to be queried prior to the C+C actually responding to the infected bot request in a normal fashion.
More information is being sent out via our alert feed to our paid subscribers.
UPDATE: Updated indicators have been rolled out to our client systems. If you see any indicators triggering with "BOTLICK" as the alert type page our on call contact specified in your contract. We would love to catch an active client so we can determine the initial infection vectors.
ADDITIONAL INDICATORS:
If you see encrypted traffic going to any of the following IP addresses please check your source for processes that should not be running. This is affecting Windows 7 and Windows 8 PC's.
179.111.212.221
81.149.12.77
89.156.44.210
38.108.61.227
37.110.214.124
86.126.135.242
112.211.182.241
125.62.97.218
95.31.88.21
112.198.90.89 - Additional C+C Detected
36.79.181.47 - Additional C+C Detected
190.107.244.151 - C+C
80.82.64.201 - C+C
ADDITIONAL DETAILS:
Our security analyst have been able to determine that there are at least 300+ host connected to the last indicator 36.79.171.47. We were able to pull in some additional data from our partners honeypots and network sensors to get a rough count of the activity level going to this system.
UPDATE: We are also seeing large numbers of connections to 80.82.64.201 as well.
The system appears to be in Indonesia and is connected via cable modem. We are actively working with the ISP to see if they can provide any additional details.
UPDATES MOVED TO MAILING LIST
UPDATE: Updated indicators have been rolled out to our client systems. If you see any indicators triggering with "BOTLICK" as the alert type page our on call contact specified in your contract. We would love to catch an active client so we can determine the initial infection vectors.
ADDITIONAL INDICATORS:
If you see encrypted traffic going to any of the following IP addresses please check your source for processes that should not be running. This is affecting Windows 7 and Windows 8 PC's.
179.111.212.221
81.149.12.77
89.156.44.210
38.108.61.227
37.110.214.124
86.126.135.242
112.211.182.241
125.62.97.218
95.31.88.21
112.198.90.89 - Additional C+C Detected
36.79.181.47 - Additional C+C Detected
190.107.244.151 - C+C
80.82.64.201 - C+C
ADDITIONAL DETAILS:
Our security analyst have been able to determine that there are at least 300+ host connected to the last indicator 36.79.171.47. We were able to pull in some additional data from our partners honeypots and network sensors to get a rough count of the activity level going to this system.
UPDATE: We are also seeing large numbers of connections to 80.82.64.201 as well.
The system appears to be in Indonesia and is connected via cable modem. We are actively working with the ISP to see if they can provide any additional details.
UPDATES MOVED TO MAILING LIST
UPDATED 3-25-2014: Third US Health Entity Suspected of being Compromised
While we can't name any particular names at this time we have started seeing indicators of another related attack originating out of China aimed at US Healthcare entities. This time another well known affiliate of a previously breached healthcare entity appears to be attacking other Healthcare entities in California and Arizona.
Additional research is being done at this time but it appears as though a new malware variant is being sent via Phishing emails and they are coming from other healthcare entities so it appears as legitimate traffic which may be problematic as they may be assumed to be trusted entities.
The malware is being sent via email and is in zip, exe and also embedded HTML to infected flash websites. UPDATE: And now we are seeing PDF and word document with the same payload.
Updates will be posted here as we can obtain additional information. It appears as though one individual was also socially engineered to get malware inside an organization in Arizona. Additional reports are coming in from Utah and North Dakota as well.
Additional Details:
After researching we have noted that the botnet post from yesterday seems to be directly related to the compromised host. - Additional IP's (Indicators) can be seen in this post.
After our report yesterday we also noted similar activity to what was seen prior to the Anthem, Community Health Systems and several University breaches we have been tracking.
If you run snort we have sent out the snort signatures (a total of 5 of them via our alert mailing list).
MOVED TO MAILING LIST - In addition another Intel provider may have already leaked the information this past week.... Have a good weekend everybody!
Additional research is being done at this time but it appears as though a new malware variant is being sent via Phishing emails and they are coming from other healthcare entities so it appears as legitimate traffic which may be problematic as they may be assumed to be trusted entities.
The malware is being sent via email and is in zip, exe and also embedded HTML to infected flash websites. UPDATE: And now we are seeing PDF and word document with the same payload.
Updates will be posted here as we can obtain additional information. It appears as though one individual was also socially engineered to get malware inside an organization in Arizona. Additional reports are coming in from Utah and North Dakota as well.
Additional Details:
After researching we have noted that the botnet post from yesterday seems to be directly related to the compromised host. - Additional IP's (Indicators) can be seen in this post.
After our report yesterday we also noted similar activity to what was seen prior to the Anthem, Community Health Systems and several University breaches we have been tracking.
If you run snort we have sent out the snort signatures (a total of 5 of them via our alert mailing list).
MOVED TO MAILING LIST - In addition another Intel provider may have already leaked the information this past week.... Have a good weekend everybody!
Apple Credential Phishing Attempts - As reported by MalwareBytes
We have been seeing many reports of Apple phishing schemes to include over 100 pages hosted at ovh.net. The scheme starts by emailing users purchase confirmations that look nearly identical to Apples legitimate purchase notifications but the links to cancel or verify the purchase lead to ovh.net and we have also noted xcelwings.com to be hosting similar content.
Ensure that you are verifying that you are connected to Apple to use secure pay or any of the other methods of purchase from the Apple store and be leary of any verification emails received. At a minimum verify that the domain is an actual Apple domain before proceeding.
Original Source: MalwareBytes
Additional Domain Indicator: SLC Security Services LLC
Researched by Analyst
Ensure that you are verifying that you are connected to Apple to use secure pay or any of the other methods of purchase from the Apple store and be leary of any verification emails received. At a minimum verify that the domain is an actual Apple domain before proceeding.
Original Source: MalwareBytes
Additional Domain Indicator: SLC Security Services LLC
Researched by Analyst
Wednesday, March 25, 2015
Following the News - Intelligence Agency's Lacking Actionable Data
It goes without saying that the number of terrorist events over the past 2 weeks is quite alarming and as of the last 2 months the activity worldwide has increased. The number of attacks outside of traditional unstable areas has risen as well as the Iran and Israel debacle has some intelligence analyst shaking their heads.
With the revelation that the pilot of the Germanwings crash was locked out of the cockpit, US terror attack of TSA agents and many other incidents not being covered in the mainstream media we have to take note. In addition a constant barrage of hacking from China's "PANDA" crew, Iran hashing deals with long reaching effects in the middle east and many areas of instability. Things are about to get interesting.
The recent revelation that the US is supporting Iranian fighters in the region with air strikes things lately have seemed to be turned on their heads. What's next? We can tell you that we have picked up additional activity with some well financed groups in the middle east, messages hidden in images (stenography) with cryptic messages from the middle east and plenty more items that just cause us to wonder what is really going on out there.
Keep your eyes and ears open folks. Things are changing quicker than intelligence agency's can keep up and private entities are also struggling to keep up with changing conditions to keep our travelers and employees safe.
There are many types of terror related activities to be aware of in addition to the theft of your corporate secrets and we will be expanding the scope of intelligence that we post in the coming weeks. No longer will we simply focus on data leaks (although we will continue to provide the information we have been providing). There comes a time when information needs to be put out there so that business leaders and enterprises can maintain situational awareness and security of personnel and assets. While there are many organizations out there that claim to provide these types of service and Government bulletins and advisories come out often time this information is released to the public well after the fact so our goal is to get you actionable intelligence before it's too late.
We thank you all for your continued support. We recommend that if you read out blog frequently and find the information useful that you subscribe to our alerts mailing list. We will only mail you once a day or when critical information needs to be put out in a timely fashion and we include much more granular details in our mailing list that may assist you in making smarter and safer business decisions in an effective manner.
With the revelation that the pilot of the Germanwings crash was locked out of the cockpit, US terror attack of TSA agents and many other incidents not being covered in the mainstream media we have to take note. In addition a constant barrage of hacking from China's "PANDA" crew, Iran hashing deals with long reaching effects in the middle east and many areas of instability. Things are about to get interesting.
The recent revelation that the US is supporting Iranian fighters in the region with air strikes things lately have seemed to be turned on their heads. What's next? We can tell you that we have picked up additional activity with some well financed groups in the middle east, messages hidden in images (stenography) with cryptic messages from the middle east and plenty more items that just cause us to wonder what is really going on out there.
Keep your eyes and ears open folks. Things are changing quicker than intelligence agency's can keep up and private entities are also struggling to keep up with changing conditions to keep our travelers and employees safe.
There are many types of terror related activities to be aware of in addition to the theft of your corporate secrets and we will be expanding the scope of intelligence that we post in the coming weeks. No longer will we simply focus on data leaks (although we will continue to provide the information we have been providing). There comes a time when information needs to be put out there so that business leaders and enterprises can maintain situational awareness and security of personnel and assets. While there are many organizations out there that claim to provide these types of service and Government bulletins and advisories come out often time this information is released to the public well after the fact so our goal is to get you actionable intelligence before it's too late.
We thank you all for your continued support. We recommend that if you read out blog frequently and find the information useful that you subscribe to our alerts mailing list. We will only mail you once a day or when critical information needs to be put out in a timely fashion and we include much more granular details in our mailing list that may assist you in making smarter and safer business decisions in an effective manner.
NC REN - North Carolina Research and Eduation Network - Public Proxy
Why on earth would NC REN be running a publicly accessible proxy server on their networks? This would definitely indicate either a misconfiguration or an attempt to research what Internet users would do with such a system.
Interesting to say the least...
SOURCE:
Information was researched by Maxmind as part of this statement.
Interesting to say the least...
SOURCE:
Information was researched by Maxmind as part of this statement.
Monday, March 23, 2015
BREACH: Berkeley Get's Whacked
Our OSINT monitoring is showing that a server at Berkeley has been compromised. Currently the site is reporting to be on IP 181.224.147.237 but indications show that problems started on the 19th of March. It's not a good time to be in the educational sector as sites are getting hit nearly daily.
Friday, March 13, 2015
William Farrell CPA - Cary NC
CPA leaks payroll information. Interesting thing happened today while we were reviewing faxes received by our company. We started receiving faxes from a local CPA firm containing payroll information. It could be that the CPA firm did not verify whom it was sending the information to before sending the fax and did not verify that the fax was received.
We are reaching out to the CPA firm for comment and will update this information once we receive a response.
Total Number of Records: 7 Pages
Received via: Fax Machine
Type: Inadvertent Disclosure
Update: We attempted to contact the organization via their website and guess what...
We are reaching out to the CPA firm for comment and will update this information once we receive a response.
Total Number of Records: 7 Pages
Received via: Fax Machine
Type: Inadvertent Disclosure
Update: We attempted to contact the organization via their website and guess what...
A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: info@williamfarrellcpapc.com The mail server could not deliver mail to info@williamfarrellcpapc.com. The account or domain may not exist, they may be blacklisted, or missing the proper dns entries.
Highmark - Related to Anthem Attack
More than 51,000 current Highmark health insurance customers in
Pennsylvania will receive letters this week notifying them that their
personal information may have been stolen as part of the larger Anthem
Inc. data heist.
Those customers are in Highmark’s Western and Central Pennsylvania markets, 49 counties in all. “Letters are going out now,” spokesman Aaron Billger said.
What is interesting is that Highmark has been noted in Open Source feeds as having compromised systems in the past as well. This may have been part of the vectors used to gain access to Anthem and deserves a second look.
Those customers are in Highmark’s Western and Central Pennsylvania markets, 49 counties in all. “Letters are going out now,” spokesman Aaron Billger said.
What is interesting is that Highmark has been noted in Open Source feeds as having compromised systems in the past as well. This may have been part of the vectors used to gain access to Anthem and deserves a second look.
Thursday, March 12, 2015
NOTICE: Phone System Outage
SLC Security will be performing upgrades to our internal telephone system on 13 March between 12:00AM and 4:00AM (CDT). During this event all calls to our 24X7 monitoring staff may experience unexpected disconnects and/or periods where technical staff may not be available.
During this time you may page us by reviewing your contract. All contracts include a paging support number where you can get an immediate call back. This service will be available without interruption during this time period.
During this time you may page us by reviewing your contract. All contracts include a paging support number where you can get an immediate call back. This service will be available without interruption during this time period.
Monday, March 2, 2015
Wow you don't say...
Previously we have reported as has DataBreaches.net on University of Chicago. I saw today where they have indicated that they have been breached by Carbonic. It goes without saying that unless these organizations take our warnings seriously they will all fall one by one.
SLC Security Services LLC is the leader in Cloud predictive analytics. We have been naming potential breach victims with a 98% success rate since last June when we started our cloud computing system.
See our previous report on University of Chicago
SLC Security Services LLC is the leader in Cloud predictive analytics. We have been naming potential breach victims with a 98% success rate since last June when we started our cloud computing system.
See our previous report on University of Chicago
Sunday, March 1, 2015
Health Care Audits are a Joke
It goes without saying that the Government even with their many billions of dollars on security have failed to stop the ex-filtration of highly classified material. Just look at Wikileaks and the Bradley Manning (or Chelsea to be correct now) case. While the Government performs background checks on individuals, facilities, etc. these leaks do happen. Think about how companies are being affected today. They have less money invested and the auditors that give them the all clear are not checking the very hacking vectors that are being used to steal peoples information, trade secrets and more.
It really irritates us when we see companies being breached that have hired these large security firms that only concentrate on the infrastructure, malware and viruses. You folks do realize that over85% of the time a successful attack is the result of successful social engineering or bypassing weak security features in products that are not usually checked in an audit.
While we won't give away all of our auditing steps we can tell you that the normal audit only covers about 30% of the areas that should be checked. And while you should be checking other areas before giving a certification we understand that you are there to do only one job. Keep hiring the Mandiants, the Dell SecureWorks and others (oh and by the way Dell's feed data is all out of date and inaccurate in most cases) and wonder why your companies still get breached. Your getting breached folks because your not checking the actual vectors that are being used and your not changing with the times.
Sure your employees may pickup on somebody calling them claiming to be from the help desk, or maybe they won't. And maybe your employees are using secure (truly insecure) corporate messaging products away from the office and leaving a clear way into your network (you are paying attention here right?). Have you checked to make sure what the company claims is in fact the case? Can their encryption be hijacked? I bet it can with the right knowledge and time. Stop taking these large companies at their word just because they are large companies that have been around for awhile.
Good luck folks. If you want a real audit conducted contact us. It will be extensive, concise and complete.
It really irritates us when we see companies being breached that have hired these large security firms that only concentrate on the infrastructure, malware and viruses. You folks do realize that over85% of the time a successful attack is the result of successful social engineering or bypassing weak security features in products that are not usually checked in an audit.
While we won't give away all of our auditing steps we can tell you that the normal audit only covers about 30% of the areas that should be checked. And while you should be checking other areas before giving a certification we understand that you are there to do only one job. Keep hiring the Mandiants, the Dell SecureWorks and others (oh and by the way Dell's feed data is all out of date and inaccurate in most cases) and wonder why your companies still get breached. Your getting breached folks because your not checking the actual vectors that are being used and your not changing with the times.
Sure your employees may pickup on somebody calling them claiming to be from the help desk, or maybe they won't. And maybe your employees are using secure (truly insecure) corporate messaging products away from the office and leaving a clear way into your network (you are paying attention here right?). Have you checked to make sure what the company claims is in fact the case? Can their encryption be hijacked? I bet it can with the right knowledge and time. Stop taking these large companies at their word just because they are large companies that have been around for awhile.
Good luck folks. If you want a real audit conducted contact us. It will be extensive, concise and complete.
Despite our Warnings - Wake Health
Despite our previous warnings we are now seeing indications that Wake Health is being specifically targeted by external actors. While we have talked to them on at least one occasion by phone and several post have been made to the blog they have continued to ignore the information we have sent to them.
Today we started seeing information indicating that they are specifically being targeted. These are the same types of indicators that we noted from Anthem months before they acknowledged that they were breached. It is our belief that Wake Health will be the next entity to see similar issues.
What starts out as probes end up with infiltration and we can tell you from previous visits that Wake Health is not protecting PHI concerning patients. They have taken the same route as some other entities in ignoring our warnings and are not a client so we are helpless to help them.
Specifically we are seeing that compromised servers in Switzerland and in Russia are being used to target their employees. It will only take one slip up and they will suffer the same fate as Anthem and some of the educational institutions we have been alerting on.
Again Wake you should seriously hire us to secure your network. I am pretty sure it's probably already too late but you can't say we didn't warn you numerous times to this type of activity.
Here is what is known to date:
1. Wake Health has been leaking PHI for well over a year. The information was more than likely being used to collect information such as usernames (which we have observed as well).
2. Domains and existing malicious actors are utilizing previously compromised host to send email to Wake's employees to infect their infrastructure with targeted malware (cannot confirm but this is the same pattern we have previously observed).
3. Patient information and PHI is currently being shopped in underground markets so this is an indicator that they may have already been compromised yet they have not acknowledged (and they ignored our previous warnings).
We will update if we see any information but will only talk to Wake Health directly concerning this matter and only if under contract.
Today we started seeing information indicating that they are specifically being targeted. These are the same types of indicators that we noted from Anthem months before they acknowledged that they were breached. It is our belief that Wake Health will be the next entity to see similar issues.
What starts out as probes end up with infiltration and we can tell you from previous visits that Wake Health is not protecting PHI concerning patients. They have taken the same route as some other entities in ignoring our warnings and are not a client so we are helpless to help them.
Specifically we are seeing that compromised servers in Switzerland and in Russia are being used to target their employees. It will only take one slip up and they will suffer the same fate as Anthem and some of the educational institutions we have been alerting on.
Again Wake you should seriously hire us to secure your network. I am pretty sure it's probably already too late but you can't say we didn't warn you numerous times to this type of activity.
Here is what is known to date:
1. Wake Health has been leaking PHI for well over a year. The information was more than likely being used to collect information such as usernames (which we have observed as well).
2. Domains and existing malicious actors are utilizing previously compromised host to send email to Wake's employees to infect their infrastructure with targeted malware (cannot confirm but this is the same pattern we have previously observed).
3. Patient information and PHI is currently being shopped in underground markets so this is an indicator that they may have already been compromised yet they have not acknowledged (and they ignored our previous warnings).
We will update if we see any information but will only talk to Wake Health directly concerning this matter and only if under contract.