Researchers offer motive behind China cyberattacks

Roundup: A new report may explain China's cyber targeting of health insurers. Plus, malware activity shows a big rise at year-end; more software vulnerabilities were reported.

New security research shed light on the China cyberattacks against U.S. healthcare companies last year, and also warned of an increase in such attacks for 2016. In its 2015 Global Threat report, cybersecurity firm CrowdStrike speculated that the breaches of health insurers in the U.S. "may have been executed to better understand how other countries have structured their systems, and to obtain an understanding of large, multinational healthcare providers to support negotiations for foreign investment."

CrowdStrike's claim, based on China's continuing efforts reported in its latest five-year plan, is that the "targeting of the Western healthcare sector may be as much about logistics and know-how for running national-level health insurance schemes as it is about siphoning data."

However, CrowdStrike suggested another, more sinister scenario, based on the fact that the health insurer breaches attributed to China last year were all against members of the Blue Cross Blue Shield Association -- the same insurers that cover state and federal employees through the Federal Employees Health Benefit Plan.

CrowdStrike noted that, according to Katherine Archuleta, former director of the U.S. Office of Personnel Management (OPM), testifying before an oversight committee on June 16, 2015, the data on the compromised OPM systems did not include employee medical records -- but it did include healthcare provider information. "It is likely that a combination of these two data sets would be extremely valuable to gain deeper insight into the lives and vulnerabilities of federal employees," the CrowdStrike report claimed.

CrowdStrike speculated that the goal of the China cyberattacks, especially when considered in context of the OPM breach, may have been to build profiles of government employees for traditional human intelligence espionage purposes, or to be able to deploy more effective spear-phishing attacks against government employees.

The CrowdStrike researchers also said they expect an increase in China cyberattacks and malware this year, and that state-sponsored threat actors will likely target other vertical industries.

"As China looks to transform its standard of living and become less reliant on foreign technology, there most likely will be an increase in attacks targeting areas such as agriculture, healthcare and alternative energy," the report stated.

Malware threats way up in last quarter of 2015

Viruses, worms and Android threats were all way up in the last quarter of 2015, managed security services provider Solutionary reported this week, while "reconnaissance activity has plummeted nearly 88% from levels seen in [the second quarter of 2015]." According to Solutionary's Security Engineering Research Team (SERT) Quarterly Threat Report for Q4 2015, the number of viruses and worms observed skyrocketed by 236%.

"This type of malware is often indicative that an organization may have been otherwise compromised and infected with a virus or worm to retain a persistent presence and potentially laterally expand compromises within the targeted environment," the report stated.

There was more bad news, too. "Over 77% of application-specific attacks during [Q4 2015] were Shellshock attacks," according to the report. As for Android, Solutionary reported "over 6,400 new instances of malware targeted Android devices every day in the third quarter of 2015 -- or 575,000 different malware strains in [Q3 2015] alone."

Vulnerabilities to spare

The popular open source network utility Socat was found to be using a hardcoded, nonprime Diffie-Hellman parameter. Socat, an all-purpose command-line network tool, can connect almost any type of network resource, linking ports or processes, and it supports virtually any network protocol.

The backdoor was caused by a hardcoded Diffie-Hellman parameter used to negotiate key exchange for secure communications. The parameter used by Socat was nonprime, meaning that an attacker aware of the flaw would easily be able to discover keys negotiated using that parameter. The parameter was also only 1024 bits long, which would make it vulnerable to brute-force cracking by attackers, even if it were an actual prime.
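The check that would have caught a parameter like Socat's is a primality test on the modulus before it is ever compiled in or loaded. The following is an added example written for this roundup; it is not Socat's code or the project's fix. It runs Miller-Rabin on p and on (p-1)/2, flags a modulus shorter than 2048 bits, and checks that the generator lies in the prime-order subgroup. The sample groups are constructed here (a textbook 5-bit safe prime and a 1024-bit composite built from two Mersenne numbers), not the parameter that shipped in Socat, and `generate_safe_prime` is a toy generator included only so the "clean" case can be shown.

```python
"""Audit Diffie-Hellman group parameters before trusting them.

Added example, not Socat's code. Demonstrates the checks that catch a
hardcoded nonprime modulus: Miller-Rabin on p and (p-1)/2, a minimum
size, and a subgroup-membership check on the generator g.
"""
from __future__ import annotations
import random

# Trial-division primes used to reject obvious composites cheaply.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43,
                47, 53, 59, 61, 67, 71, 73, 79, 83, 89, 97]
_rng = random.SystemRandom()


def is_probable_prime(n: int, rounds: int = 40, rng=_rng) -> bool:
    """Miller-Rabin: False means n is definitely composite; True means
    n is composite with probability at most 4**-rounds."""
    if n < 2:
        return False
    if n in (2, 3):
        return True
    if n % 2 == 0:
        return False
    for sp in SMALL_PRIMES:
        if n == sp:
            return True
        if n % sp == 0:
            return False
    # Write n-1 = d * 2**s with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is composite
    return True


def audit_dh_params(p: int, g: int, min_bits: int = 2048) -> list[str]:
    """Return a list of findings for the group (p, g); empty means it passed."""
    findings = []
    bits = p.bit_length()
    if bits < min_bits:
        findings.append(f"modulus is {bits} bits; expected at least {min_bits}")
    if not is_probable_prime(p):
        findings.append("modulus p is not prime")
        return findings  # the remaining checks assume a prime modulus
    q = (p - 1) // 2
    safe = is_probable_prime(q)
    if not safe:
        findings.append("p is not a safe prime: (p-1)/2 is composite")
    if not 2 <= g <= p - 2:
        findings.append("generator g is outside the range 2..p-2")
    elif safe and pow(g, q, p) != 1:
        # g generates the full group of order 2q, so the Legendre symbol
        # of a public value reveals the low bit of the private exponent.
        findings.append("g is not in the order-q subgroup; exchanges leak the low bit of the exponent")
    return findings


def generate_safe_prime(bits: int, rng=_rng) -> int:
    """Toy generator (assumption, for demonstration): find p = 2q+1 with both
    prime and p = 7 (mod 8), so that g = 2 lies in the order-q subgroup."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if p % 8 != 7:
            continue
        if is_probable_prime(q, rng=rng) and is_probable_prime(p, rng=rng):
            return p


# Constructed sample groups (not the parameter that shipped in Socat).
TEXTBOOK_P, TEXTBOOK_G = 23, 4                  # 23 = 2*11+1; 4 has order 11
NONPRIME_1024 = (2**521 - 1) * (2**503 - 1)     # 1024-bit composite modulus

if __name__ == "__main__":
    for name, p, g in [("textbook", TEXTBOOK_P, TEXTBOOK_G),
                       ("composite-1024", NONPRIME_1024, 2),
                       ("generated-256", generate_safe_prime(256), 2)]:
        print(name, audit_dh_params(p, g) or ["ok"])
```

The composite case is the Socat class of defect: `audit_dh_params` reports it immediately and stops, because a composite modulus factors and the discrete-log problem splits across the factors, so no further property of the group matters. The size finding fires separately, since a 1024-bit modulus is flagged even when it is a genuine safe prime.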

The parameter was apparently added to Socat early last year, according to a commenter posting on the Hacker News discussion site. Some commenters speculated on whether the flaw was introduced by mistake or as an intentional backdoor, and noted that it was included in a patch submitted by a person named Zhigang Wang and committed after review by one of the project's administrators. At this time, there is no further information about the individual who allegedly introduced the flaw, other than that Wang appeared to be an employee of Oracle.

Speaking of bad implementations, this week saw more antimalware backdoor news. This time, it was Malwarebytes' turn. According to Google Project Zero team member Tavis Ormandy, "Malwarebytes fetches their signature updates over HTTP, permitting a man-in-the-middle attack."

Malwarebytes CEO Marcin Kleczynski responded to the report, acknowledging that Ormandy had notified them of security vulnerabilities in early November, and noting that a patched version is expected to be available "in the next three to four weeks."

"The research seems to indicate that an attacker could use some of the processes described to insert their own code onto a targeted machine. Based on the findings, we believe that this could only be done by targeting one machine at a time," Kleczynski wrote.

Finally, another piece of unexpected backdoor news this week came from Kaspersky Lab security researcher Stefan Ortloff, who reported finding a new family of cross-platform backdoors that run on both Windows and Linux. The malware "is full of features to monitor the victim's activities, including code to capture audio and take screenshots." The Windows version included a valid code-signing signature as well.

"Since this software was intentionally designed to be platform independent, we might see also corresponding Mac OS X samples in the future," Ortloff said.

In other news

  • The National Security Agency will undergo a major reorganization, according to The Washington Post. The new Directorate of Operations is expected to merge the Signals Intelligence directorate, responsible for offensive data gathering against foreign targets, with the Information Assurance directorate, whose mission is defensive, protecting classified networks against foreign data-gathering attacks. Speaking at the Atlantic Council last month, NSA Director Admiral Michael Rogers hinted at the possibility of a reorganization. "This traditional approach we have where we created these two cylinders of excellence and then built walls of granite between them really is not the way for us to do business," Rogers said.
  • Cybersecurity firm FireEye announced this week its acquisition of security automation and orchestration provider Invotas, based in Alexandria, Va. According to FireEye's announcement, the purchase will allow the company to "unify the security product, threat intelligence and incident response elements of the FireEye platform into a single console, giving enterprises the ability to respond more quickly to attacks through automation." FireEye plans to use Invotas' orchestration technology to "automate responses based on playbooks developed by FireEye's Mandiant consultants." The sale price for the privately held firm was not disclosed.
  • Microsoft just released version 5.5 of its Enhanced Mitigation Experience Toolkit (EMET). With this update, EMET is now compatible with Windows 10. The new version also includes several improvements, including in the way that configuration of various mitigations is done using Group Policy Objects, the way mitigations are written to the registry and some performance improvements. Support has also been added for untrusted font mitigation in Windows 10. Although EMET can now be used with Windows 10, Microsoft noted that it has "implemented many features and mitigations that can make EMET unnecessary on devices running Windows 10," pointing to Device Guard, AppLocker and Control Flow Guard as better for protecting those systems. Microsoft said that for Windows 10 users, "EMET is most useful to help protect down-level systems, legacy applications, and to provide Control Flow Guard protection for third-party software that may not yet be recompiled using CFG."
  • Little more than a month after laying off 20 employees, security firm Norse reportedly fired its CEO. And according to security reporter Brian Krebs, Norse is "imploding." After several days of uncertainty, during which the Norse website was sometimes completely offline, former CEO and co-founder Sam Glines broke his silence with a statement, in which he admitted to mistakes that led to the need for layoffs in January. Glines also blamed the media attention for Norse's problems, writing that after Krebs published his article, "everything quickly began to fall apart."

Next Steps

Learn about the first high-level talks on cyber issues between the U.S. and China.

Find out how China's antiterror law calls for tech firm cooperation on surveillance, encryption.

Read about what steps to take to avoid another OPM breach.
