
Bi-Weekly Cyber Threat Report
October Week One
Prepared By: Bear Trap Cyber Security
01 Cyber News

Ten hospitals—three in Alabama and seven in Australia—have been hit with paralyzing ransomware attacks that are affecting their ability to take new patients, it was widely reported on Tuesday. All three hospitals that make up the DCH Health System in Alabama were closed to new patients on Tuesday as officials there coped with an attack that paralyzed the health network's computer system. The hospitals—DCH Regional Medical Center in Tuscaloosa, Northport Medical Center, and Fayette Medical Center—are turning away "all but the most critical new patients" at the time this post was going live. Local ambulances were being instructed to take patients to other hospitals when possible. Patients coming to DCH emergency rooms faced the possibility of being transferred to another hospital once they were stabilized. Details about the specific strain of malware weren't immediately available. Typically, the malware encrypts production and backup hard drives used to store data and run computer systems.

"A CRIMINAL IS LIMITING OUR ABILITY TO USE OUR COMPUTER SYSTEMS," HOSPITAL OFFICIALS WARN.

Victims can only receive the decryption key needed to restore systems after paying a ransom, usually using bitcoin or another cryptocurrency. In some cases, it's possible to decrypt data without paying the ransom. In other cases, it's impossible. At least seven hospitals in Australia, meanwhile, were also feeling the effects of a ransomware attack that struck on Monday. The hospitals in Gippsland and southwest Victoria said they were rescheduling some patient services as they responded to a "cyber health incident." "The cyber incident, which was uncovered on Monday, has blocked access to several systems by the infiltration of ransomware, including financial management," hospital officials said. "Hospitals have isolated and disconnected a number of systems... to quarantine the infection."
See more at: https://arstechnica.com/information-technology/2019/10/hamstrung-by-ransomware-10-hospitals-are-turning-away-some-patients/
02 Suspicious Findings
IP ADDRESSES            DOMAINS
216[.]218[.]185[.]162   brureservtestot[.]cc
74[.]208[.]236[.]145    mail[.]comcast[.]net
190[.]158[.]19[.]141    pop-mail[.]outlook[.]com
139[.]5[.]237[.]27      smtp[.]outlook[.]com
5[.]45[.]108[.]146      smtp[.]mail[.]me[.]com
https://blog.talosintelligence.com/2019/09/threat-roundup-0920-0927.html#more
Chart 1. Top suspicious findings (do not visit these). The indicators are defanged with [.] so they cannot be clicked by accident. Note that mail[.]comcast[.]net, pop-mail[.]outlook[.]com, smtp[.]outlook[.]com and smtp[.]mail[.]me[.]com are legitimate Comcast, Microsoft and Apple mail hostnames; they typically appear in such roundups because malware samples used them to send mail, so traffic to them is something to review, not grounds for an outright block that would also break legitimate mail clients.
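The check a practitioner would run against Chart 1, as an added example that is not part of the original report or the Talos roundup: it refangs the indicators above, matches them against constructed proxy log lines, and treats the shared mail-provider hostnames as leads to review rather than addresses to block. The proxy log format, the client addresses, the `SHARED_MAIL_HOSTS` set and the 216.218.185.163 near-miss line are all assumptions made for the example.

```python
"""IOC matching against proxy log lines.

Added example (not from the report or from Talos): refang the defanged
indicators printed in Chart 1 and look for them in constructed proxy log
lines. Hosts that are shared mail-provider infrastructure are flagged for
review rather than blocking.
"""
import ipaddress
from urllib.parse import urlsplit

# Indicators exactly as printed in Chart 1 (defanged with [.]).
CHART_1 = """
216[.]218[.]185[.]162 brureservtestot[.]cc
74[.]208[.]236[.]145 mail[.]comcast[.]net
190[.]158[.]19[.]141 pop-mail[.]outlook[.]com
139[.]5[.]237[.]27 smtp[.]outlook[.]com
5[.]45[.]108[.]146 smtp[.]mail[.]me[.]com
"""

# Assumption: these are public mail-provider hostnames that legitimate
# clients also use, so a hit is a lead to review, not a reason to block.
SHARED_MAIL_HOSTS = {"mail.comcast.net", "pop-mail.outlook.com",
                     "smtp.outlook.com", "smtp.mail.me.com"}

# Constructed proxy log lines: timestamp, client, method, target.
PROXY_LOG = """\
2019-10-01T08:01:12 10.0.0.15 GET http://brureservtestot.cc/gate.php
2019-10-01T08:01:40 10.0.0.15 CONNECT 216.218.185.162:443
2019-10-01T08:02:03 10.0.0.22 CONNECT smtp.outlook.com:587
2019-10-01T08:02:30 10.0.0.31 GET http://cdn.brureservtestot.cc/update.bin
2019-10-01T08:03:11 10.0.0.40 GET http://example.org/index.html
2019-10-01T08:03:50 10.0.0.40 CONNECT 216.218.185.163:443
"""


def refang(indicator):
    """Undo the [.] / hxxp defanging used in reports."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def load_iocs(text):
    """Split a defanged indicator list into IP addresses and domains."""
    ips, domains = set(), set()
    for token in text.split():
        value = refang(token)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value.strip("."))
    return ips, domains


def matching_domain(host, domains):
    """Return the IOC that host equals or is a subdomain of, else None.

    Matching is done label by label, so notbrureservtestot.cc does not hit
    brureservtestot.cc the way a plain substring test would."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None


def target_host(method, target):
    """Extract the hostname from a URL (GET) or a host:port pair (CONNECT)."""
    if method == "CONNECT":
        return urlsplit("//" + target).hostname
    return urlsplit(target).hostname


def scan_proxy_log(log_text, ioc_text=CHART_1):
    """Return (client, indicator, action) for every log line that hits an IOC."""
    ips, domains = load_iocs(ioc_text)
    hits = []
    for line in log_text.splitlines():
        _ts, client, method, target = line.split()
        host = target_host(method, target)
        if host is None:
            continue
        if host in ips:
            hits.append((client, host, "block"))
            continue
        ioc = matching_domain(host, domains)
        if ioc:
            action = "review" if ioc in SHARED_MAIL_HOSTS else "block"
            hits.append((client, ioc, action))
    return hits


if __name__ == "__main__":
    for client, ioc, action in scan_proxy_log(PROXY_LOG):
        print(f"{client:<12} {ioc:<24} {action}")
```

Running it reports the two hits from 10.0.0.15, the subdomain hit from 10.0.0.31 and a "review" entry for 10.0.0.22 talking to smtp.outlook.com; the neighbouring address 216.218.185.163 is deliberately not a match, because the chart lists single hosts, not ranges.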
Vulnerabilities
Microsoft issued two emergency (out-of-band) Windows updates on Monday to fix a "critical" vulnerability in Internet Explorer and an "important" one in Windows Defender, the built-in anti-virus software. The Internet Explorer flaw, which affects versions 9, 10 and 11, lets an attacker who gets a user to open a crafted web page run code with the same rights as that user; if the user has administrative rights, the attacker gains full control of the machine. Although Microsoft replaced Internet Explorer with the Edge browser in Windows 10, Internet Explorer is still pre-installed on all supported versions of Windows, so the flaw is present even where nobody uses it as a day-to-day browser. The Windows Defender bug is a denial-of-service flaw: an attacker can use it to stop legitimate accounts from running legitimate programs, but it does not by itself give remote control of the system.
https://www.cnn.com/2019/09/24/tech/microsoft-windows-security-threat/index.html

Recommended Action
UPDATE INTERNET EXPLORER
Users must install the security update for Internet Explorer manually, because Microsoft will not release an updated scan file until the next scheduled security release in October 2019; the Windows Defender fix, by contrast, is installed automatically. Recently there have been complaints from users about Windows updates breaking and slowing computers, which could deter users from installing the updates. However, Gartner analyst Peter Firstbrook told CNN Business that users should go ahead with the updates because a blue screen is much easier to clean up than an attack. "From a security perspective, you're much better off to stay current and stay with the latest updates," Firstbrook said. Although it might seem like bad updates are a common occurrence, Firstbrook said attacks are actually more frequent; bad updates simply draw more user reaction than the attacks that occur when users don't install updates.
https://www.cnn.com/2019/09/24/tech/microsoft-windows-security-threat/index.html
03 Security Awareness
What is a Brute Force Attack?
A brute-force attack is repeated, automated guessing of usernames and passwords until one pair is accepted, and exposed Remote Desktop services are one of its favourite targets. RDP (Remote Desktop Protocol) is a network communications protocol developed by Microsoft that allows a user to connect to another computer. Client software is available for Windows, Linux and macOS; the server side is built into Windows and available from third parties on other systems. Simplified: with RDP you can connect to any Windows computer on which Remote Desktop is enabled. If you want to reach your PC from a laptop or any other device, RDP lets you connect to the remote PC, see the same display and interact with it as if you were working on that machine locally.
https://www.ericom.com/whatis/rdp/
Rise of RDP as a target vector
Recent reports of targeted attacks that used RDP as the initial entry vector have made headlines because of the impact they caused. Amid city-wide disruption and ransom demands of a million dollars or more, it is easy to overlook how the attackers first got in. Ransomware began as "targeted" emails aimed predominantly at consumers; it has since widened to include pseudo-ransomware built purely for destruction (with no viable decryption capability, or only a limited one) and precision extortion against corporations and public-sector organisations. What is particularly surprising is how quickly RDP was adopted as the initial entry vector, as shown in research by Coveware. When we consider what "targeted" means, we have to recognise that in many cases victims are chosen simply because the cybercrime ecosystem makes them easy to reach: "RDP shops" selling stolen RDP credentials are undoubtedly fuelling the rise of such attacks, and together with the release of vulnerabilities against the protocol itself this suggests the worst could well be yet to come. Advice on reducing the risk of RDP exploitation tends to stop at generic cyber hygiene; the renewed attention RDP is getting should prompt specific measures beyond that, such as not exposing RDP directly to the internet (reach it through a VPN or gateway with multi-factor authentication instead), requiring Network Level Authentication, enforcing account lockout, and alerting on bursts of failed remote logons.
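An added detection example (not from the report or the Help Net Security article) for the brute-force pattern behind many RDP intrusions: count failed remote-desktop logons per source address inside a sliding window, flag sources that cross a threshold, and record whether a successful remote-desktop logon from the same source followed. The one-line event format, the sample addresses and accounts, and the five-failures-in-five-minutes threshold are assumptions made for the example; event IDs 4625/4624 and logon type 10 are the real Windows Security log values for failed/successful logons and Remote Desktop (RemoteInteractive) sessions.

```python
"""RDP password-guessing detection over Windows Security events.

Added example (not from the report or the Help Net Security article):
flag a source address that produces a burst of failed remote-desktop
logons (Event ID 4625, logon type 10) inside a short window, and record
whether a successful remote-desktop logon (4624, type 10) from the same
address followed. Field names mirror a Windows Security log, but the
one-line format and every event below are constructed for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
REMOTE_INTERACTIVE = 10  # logon type used by Remote Desktop sessions

# Constructed events: timestamp, event ID, logon type, account, source IP.
# 203.0.113.45: six failures in 30 seconds, then a success as "backup".
# 198.51.100.7: one mistyped password, then a success (ordinary user).
# 192.0.2.9:    six failures spread over 40 minutes, plus one network logon.
SAMPLE_EVENTS = """\
2019-10-01T02:14:03 4625 10 administrator 203.0.113.45
2019-10-01T02:14:09 4625 10 administrator 203.0.113.45
2019-10-01T02:14:15 4625 10 admin 203.0.113.45
2019-10-01T02:14:21 4625 10 backup 203.0.113.45
2019-10-01T02:14:27 4625 10 backup 203.0.113.45
2019-10-01T02:14:33 4625 10 backup 203.0.113.45
2019-10-01T02:15:01 4624 10 backup 203.0.113.45
2019-10-01T02:20:44 4625 10 jsmith 198.51.100.7
2019-10-01T02:20:58 4624 10 jsmith 198.51.100.7
2019-10-01T03:00:00 4625 10 svc_sql 192.0.2.9
2019-10-01T03:08:00 4625 10 svc_sql 192.0.2.9
2019-10-01T03:16:00 4625 10 svc_sql 192.0.2.9
2019-10-01T03:24:00 4625 10 svc_sql 192.0.2.9
2019-10-01T03:32:00 4625 10 svc_sql 192.0.2.9
2019-10-01T03:40:00 4625 10 svc_sql 192.0.2.9
2019-10-01T03:41:00 4625 3 svc_sql 192.0.2.9
"""


def parse_events(text):
    """Parse the one-line form above into (time, event_id, logon_type, account, ip)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, ip = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id),
                       int(logon_type), account, ip))
    return events


def detect_rdp_brute_force(events, threshold=5, window_minutes=5):
    """Return {source_ip: finding} for every source that produced at least
    `threshold` failed RDP logons inside any span of `window_minutes`.

    A finding holds the peak failure count seen in one window, the accounts
    tried during the burst (several accounts = password spraying), and the
    first successful RDP logon from that source after it was flagged
    (None if no success was seen)."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # source ip -> (time, account) failures still in the window
    findings = {}
    for ts, event_id, logon_type, account, ip in sorted(events):
        if logon_type != REMOTE_INTERACTIVE:
            continue  # console, network and service logons are out of scope here
        if event_id == FAILED_LOGON:
            burst = recent[ip]
            burst.append((ts, account))
            while ts - burst[0][0] > window:
                burst.popleft()  # drop failures that have fallen out of the window
            if len(burst) >= threshold:
                finding = findings.setdefault(
                    ip, {"failures": 0, "accounts": set(), "success": None})
                finding["failures"] = max(finding["failures"], len(burst))
                finding["accounts"].update(acct for _, acct in burst)
        elif (event_id == SUCCESSFUL_LOGON and ip in findings
              and findings[ip]["success"] is None):
            # A success right after a burst is the signal that matters most.
            findings[ip]["success"] = (ts, account)
    return findings


if __name__ == "__main__":
    for ip, finding in detect_rdp_brute_force(parse_events(SAMPLE_EVENTS)).items():
        outcome = (f"then logged in as {finding['success'][1]}"
                   if finding["success"] else "no success seen")
        print(f"{ip}: {finding['failures']} failures against "
              f"{sorted(finding['accounts'])}; {outcome}")
```

With the default five-minute window only 203.0.113.45 is flagged, and the finding shows the guess-then-success sequence that should page someone. The slow guesser 192.0.2.9 only shows up if the window is widened (for example `window_minutes=60`), which is the trade-off to tune: a short window catches noisy tools and keeps a mistyped password from alerting, a long one catches throttled guessing at the cost of more state.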
https://www.helpnetsecurity.com/2019/09/25/rdp-target-vector/
