Thursday, March 26, 2015

UPDATED 3-25-2014: Third US Health Entity Suspected of being Compromised

While we cannot name specific organizations at this time, we have started seeing indicators of another related attack originating out of China and aimed at US healthcare entities. This time another well-known affiliate of a previously breached healthcare entity appears to be attacking other healthcare entities in California and Arizona.

Additional research is being done at this time, but it appears that a new malware variant is being sent via phishing emails. Because these emails come from other healthcare entities, they appear to be legitimate traffic, which may be problematic since the senders may be assumed to be trusted entities.

The malware is being sent via email as zip and exe attachments, and also as embedded HTML that leads to infected Flash websites. UPDATE: We are now also seeing PDF and Word documents carrying the same payload.

Updates will be posted here as we obtain additional information. It appears that one individual was also socially engineered in order to get malware inside an organization in Arizona. Additional reports are coming in from Utah and North Dakota as well.

Additional Details:
After further research we have noted that the botnet post from yesterday appears to be directly related to the compromised host. Additional IPs (indicators) can be seen in that post.

After our report yesterday we also noted activity similar to what was seen prior to the Anthem, Community Health Systems and several university breaches we have been tracking.

If you run Snort, we have sent out the Snort signatures (a total of 5) via our alert mailing list.

MOVED TO MAILING LIST - In addition, another intel provider may have already leaked the information this past week.... Have a good weekend everybody!
