
Page 1: THREAT REPORT - BluVector › ... › 2019 › 05 › Q12019-Threat-Report-Healt… · spreading to those devices. But getting malware installed at the manufacturer could make it

© 2019 BluVector, Inc. bluvector.io

Healthcare Threat Report 2019

1

Healthcare 2019

As a highly regulated industry, healthcare organizations struggle to balance patient data security and quick accessibility by both patients and medical staff. Shockingly, the greatest threats to healthcare organizations aren't all that new; they're just getting harder to fix. The BluVector Threat Team examines the threats that target healthcare and offers suggestions on how to reduce breach risk.

THREAT REPORT


Table of Contents

3. Threat Chart
4. Infographics
5. Infographics Continued
6. Summary
7. Summary Continued
8. APT: Operation Oceansalt
9. APT: Rising Sun
10. APT: Kwampirs
11. APT: Operation GhostSecret
12. RANSOMWARE: BitPaymer
13. RANSOMWARE: BitPaymer/FriedEx
14. RANSOMWARE: SamSam
15. RANSOMWARE: Gandcrab
16. TROJAN: RtPOS
17. About BluVector


MONTHS IN ADVANCE BLUVECTOR WOULD HAVE DETECTED THREATS

BluVector runs all discovered malware samples through historical classifiers to identify when our machine learning engine would have first detected the named threat. BluVector currently supports over 35 file-specific machine learning classifiers.

APTs:
  Rising Sun: 43
  Operation Oceansalt: 32
  Operation GhostSecret: 30
  Kwampirs: 11

RANSOMWARE:
  BitPaymer: 50
  BitPaymer/FriedEx: 29
  SamSam: 12
  Gandcrab: 43

TROJANS:
  RtPOS: 8


Infographics

$1.4 MILLION: AVERAGE COST FOR HEALTHCARE CYBERATTACK RECOVERY
Source: https://healthitsecurity.com/news/healthcare-cyberattacks-cost-1.4-million-on-average-in-recovery

MOST CYBER ATTACKED INDUSTRIES:
#1 GOVERNMENT
#2 HEALTHCARE
Source: https://healthitsecurity.com/news/healthcare-cyberattacks-cost-1.4-million-on-average-in-recovery


Infographics Continued

AVERAGE COST PER HEALTHCARE RECORD DURING A DATA BREACH

$335

Source: https://www.cisecurity.org/blog/data-breaches-in-the-healthcare-sector/

AVERAGE CONNECTED DEVICES IN A LARGE HOSPITAL OPEN TO CYBERATTACKS

85,000

Source: https://www.cisecurity.org/blog/data-breaches-in-the-healthcare-sector/


Summary

Unhealthy Malware Diagnosis in Healthcare

It's not only the patients who are infected at hospitals. In 2018, healthcare became the number two most attacked industry sector, second only to government, according to the Radware 2018-2019 Global Application and Network Security Report [1]. It is a persistent threat that healthcare IT teams need to address: 39% of respondents to the survey said that they face daily or weekly attacks on their networks.

Finding and remediating the threat is only part of the challenge. While IT teams are working to contain the breach, healthcare organizations have to address the impact of any negative publicity that thrusts them into the news. The American Journal of Managed Care [2] uncovered a shocking statistic for hospitals that were victims of a data breach.

After a breach, hospitals spent 64% more on advertising in order to rebuild interest and patient branding and to reverse negative reactions to the breach. Inside those facilities, respondents reported a 54% drop in productivity and revenue-related tasks. The point is pretty simple: it's time to increase the health of healthcare security.

Treating Healthcare Networks Like Patients

While healthcare IT teams may not have the medical training that their colleagues have had, their methodologies are similar. Both leverage technologies to diagnose an issue, determine what is working (and what is not) and use their training to devise a treatment plan. Treating a network like a patient is a good grounding exercise for devising a comprehensive security plan.

First, behavior modification is a huge first step. In the eight malware examples we've studied in this report, spearphishing is the most prevalent cause of the initial infection events. That can be a malicious macro in a Word or Excel file attached to an email, an embedded file attachment that looks like an x-ray, or a link to a site that looks official but isn't. Healthcare workers are well-educated, work under pressure with a lot of complicated equipment and have to pivot to describe diagnoses to patients who don't understand the terms. Like other modern workforces, healthcare workers assume that the IT team has it figured out. The IT team assumes that medical and support staff are knowledgeable enough not to click on phishing emails. Yet the data clearly shows that this isn't working. Unlike a computer worm, these threats are localized to the computer that they infect; the more a malicious attachment is clicked on and opened, the wider the threat becomes.

Just like diet and exercise, the cure might be as simple as going back to the basics. Enacting 101-style email security classes is a great place to start. Many will already know the basics, so for them it will be a refresher, but it might help those who aren't practicing good email security hygiene to elevate their efforts. Sharing internal examples of phishing emails that made it through can also help make the lessons concrete and local.

Healthcare organizations with training programs should mandate cybersecurity training courses for all existing employees and should require that all new employees complete this training before they access the organization's email or networks.

Enabling Cybersecurity 911 in Email

While email is an effective communications tool, it is also the preferred attack plane for threat actors. While existing security defenses are in place to weed out known malicious emails, new threats from external emails continue to appear in end-users' inboxes. For additional defense, healthcare organizations should add a mechanism to report suspicious emails to the organization's (official or designated) cybersecurity officer. This might be as simple as a "report a cybersecurity problem by clicking here" link within the header of inbound emails. This way, end-users become proactive participants in the security of the organization and gain access to a quick mechanism to report a cybersecurity incident.

An Ounce of Prevention

Of course, there's no stronger way to protect IT networks than technology. This is where security teams need to think just like their medical counterparts. Looking for obvious weak points like old systems with low-hanging security gains or unpatched ghost servers within their infrastructure is an easy place to start. Ensuring that desktop workstations are on a schedule to receive the latest patches and updates is another, but challenges arise with some of the specialized medical devices that have been deployed. Because of their specialized nature, these devices might run a proprietary or embedded operating system that is not easy to patch or update. Each should go through rigorous security vulnerability assessments before being attached to the network and then be monitored on the network.

Kwampirs, one of the threats discussed in this report, created by the Orangeworm group, not only attacks healthcare facilities and pharmaceutical companies, it's been going after medical device manufacturers. So far there are no reports of it spreading to those devices, but getting malware installed at the manufacturer could make it harder to detect and control. BluVector's Threat Team uncovered Windows malware code that showed up in an Android application. While the malware wouldn't execute, it showed that attackers are getting very innovative in their attacks.

In addition to monitoring for known threats, healthcare organizations need to proactively monitor their networks for the unknown threats that arrive every day. Much like an x-ray can "see" inside the human body, the network needs to be monitored for things that the security team cannot see.

Following Up in Three Months

Implementing a top-down security mandate across any healthcare organization is no easy task, but without active security and thoughtful leadership, breaches will come. Come up with realistic goals to help your organization improve its security mindfulness by designing simple but impactful ways of making progress on two fronts: one for end-users and the other for IT staff. Then book a follow-up appointment to check in on the success metrics and assess where you are, where your teams need to go and which solutions fit your operational needs. Of course, should that be a next generation IDS powered by AI for your network, BluVector Cortex detected the healthcare-related threats in this report, on average, 29 months before their release into the wild.

Healthcare Findings (infographic): months in advance of earliest detection; new threats found this quarter.


APT: Rising Sun (detected 43 months in advance)

What Is It?

Researchers at McAfee identified a new Advanced Persistent Threat (APT) campaign they have named Operation Sharpshooter, which uses a cyber espionage payload they named Rising Sun.

The Rising Sun backdoor uses the RC4 cipher to encrypt its configuration data and communications. As with most backdoors, on initial infection, Rising Sun will send data regarding the infected system to a command and control (C2) site. That information captures computer and user name, IP address, operating system version and network adapter information. Rising Sun contains 14 functions including executing commands, obtaining information on disk drives and running processes, terminating processes, obtaining file creation and last access times, reading and writing files, deleting files, altering file attributes, clearing the memory of processes and connecting to a specified IP address.
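The paragraph above notes that Rising Sun protects both its stored configuration and its C2 traffic with RC4. As an added illustration (not code from the McAfee or BluVector write-ups), the block below implements RC4, encrypts a constructed configuration blob and a constructed first beacon under an assumed key, and shows what that design means for a defender: RC4 is symmetric and the key has to live inside the sample, so an analyst who recovers the key from the binary can decode the on-disk configuration and the system-information beacon seen on the wire with the same routine. The key, the config layout, the field names and the addresses are all assumptions constructed for this example.

```python
"""RC4 as used by backdoors such as Rising Sun, and what a recovered key buys a defender.

Added example: this is not Rising Sun code. The key, the config format and the
addresses below are constructed for illustration (RFC 5737 test addresses).
"""

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR. Encryption and decryption are the same operation."""
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA)
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

# Assumed: a key an analyst pulled out of the sample, and the config it protects.
RECOVERED_KEY = b"example-rc4-key"
_PLAIN_CONFIG = b"c2=203.0.113.40:443;sleep=300;id=HOSPITAL-WS01"   # constructed
ENCRYPTED_CONFIG = rc4(RECOVERED_KEY, _PLAIN_CONFIG)                 # what would sit in the binary

def decrypt_config(blob: bytes, key: bytes = RECOVERED_KEY) -> dict:
    """Decrypt a config blob and split it into key=value fields.
    A wrong key yields mostly unprintable bytes, which is itself a useful sanity check."""
    plain = rc4(key, blob).decode("ascii", errors="replace")
    return dict(field.split("=", 1) for field in plain.split(";") if "=" in field)

def decode_beacon(ciphertext: bytes, key: bytes = RECOVERED_KEY) -> dict:
    """Same key, same cipher: a network sensor holding the key can read the initial
    system-information beacon (computer name, user, OS version, adapter...)."""
    return decrypt_config(ciphertext, key)

# Constructed beacon of the kind the implant would send right after infection.
_BEACON = b"host=RADIOLOGY-PC7;user=nurse01;os=6.1;adapter=00:11:22:33:44:55"
ENCRYPTED_BEACON = rc4(RECOVERED_KEY, _BEACON)

if __name__ == "__main__":
    print(decrypt_config(ENCRYPTED_CONFIG))
    print(decode_beacon(ENCRYPTED_BEACON))
```

The same `rc4` function serves both directions, which is the point: once the key is recovered from one sample, every configuration blob and beacon produced under that key becomes readable, and the decoded C2 address and identifiers can be turned into network indicators.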

The researchers stated that during October and November of 2018, 87 organizations in 24 countries were infected (although the majority were based in the U.S.). Targeted organizations include defense and government-related, as well as financial, energy, telecommunications and healthcare industries.

The campaign began on October 25, 2018 with links to malicious documents, hosted on Dropbox, sent to targeted organizations via social media. These documents claim to be job descriptions for positions at unknown companies. The documents appear to have been created using Korean-language versions of Microsoft Word. They contain malicious macros that execute shellcode, which then downloads both a benign decoy document and Rising Sun.

McAfee researchers found similarities between the code of Rising Sun and that of Duuzer, a previous cyber espionage backdoor that has been attributed to the Lazarus APT group (aka Hidden Cobra). They also found indicators potentially pointing toward Lazarus. However, they make no determination of attribution, as they state it is also potentially an attempted false flag operation aimed at placing the blame on Lazarus.

How Does It Propagate?

The Rising Sun malware does not contain the necessary code to self-propagate. The attack vector in this case is embedded in malicious Word documents containing macros which download the malicious payload. It is believed that targeted individuals were sent messages on social media containing links to the Word documents, claiming to be work recruitment campaigns.

When/How Did BluVector Detect It?

Five samples are listed in the McAfee report and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown these samples would have been detected an average of 43 months prior to their release.


APT: Operation Oceansalt (detected 32 months in advance)

What Is It?

Researchers at McAfee have released a report detailing the analysis of APT (Advanced Persistent Threat) activity they have named Operation Oceansalt, which has so far consisted of five campaigns. The first three were directed at South Korean universities and public infrastructure, the fourth at several Canadian and U.S. industries including finance, telecommunications and healthcare. The final campaign targeted the U.S. and South Korea. In each case, the attack vector was spear phishing emails containing Excel spreadsheets in Korean, with malicious macros that resulted in the installation of Oceansalt malware.

Once installed, Oceansalt attempts to connect to its command and control (C2) server. It is capable of sending information regarding the drives, files and processes on the infected system, executing commands, deleting and creating files, terminating processes and creating command shells.

Researchers named these campaigns Operation Oceansalt because they found significant similarities to a piece of malware named Seasalt dating all the way back to 2010. Oceansalt has only a few differences from Seasalt: it encodes the data it sends, uses a hardcoded C2 server address and does not survive reboots of the infected system.

Seasalt has been attributed to a Chinese APT (Advanced Persistent Threat) group known as Comment Crew and APT1, originally exposed in a Mandiant report. The report, released in 2013, examined attacks on U.S. corporations that resulted in the theft of hundreds of terabytes of data.

While it is highly unlikely that APT1 has suddenly resurfaced, it is believed that the source code for Seasalt was never released or sold on the dark web. There is speculation as to why Oceansalt is so similar to Seasalt. One explanation is an attempt to falsely attribute the attacks to Chinese interests, which is quite plausible given the ease with which the origins of malware can be spoofed.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The attack vector is spear phishing emails containing Excel files with malicious macros.

When/How Did BluVector Detect It?

Fourteen samples relating to Oceansalt are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 32 months prior to their release.

Countries Targeted by Operation Oceansalt: USA, Canada, South Korea


APT: Operation GhostSecret (detected 30 months in advance)

What Is It?

Researchers from the McAfee Advanced Threat Research team have released a report regarding a new campaign from the Lazarus APT Group (aka Hidden Cobra) which is believed to have, at the very least, strong ties to North Korea. The initial stage of this campaign, named Operation GhostSecret, occurred at the end of February 2018 and targeted the Turkish financial sector.

From March 18 to 26, researchers observed additional attacks on organizations in 17 countries, mainly in the Asia-Pacific region, but also including the United States. The attacks covered a broad range of industries including critical infrastructure, healthcare, telecommunications, entertainment, higher education and finance. The purpose of this campaign is the exfiltration of sensitive data, and the infrastructure related to this attack is still operational at the time of publication.

Researchers found sections of code in the malware associated with these attacks that strongly resemble other Lazarus group-related malware, including the Sony Pictures attack in 2014. The malware communicates with its C2 server using port 443. Despite utilizing the standard SSL port, the traffic uses a custom format, which has been seen in previous Lazarus group malware. The malware contains a list of IP addresses it will not accept connections from, all of which are associated with Indian ISPs. All expected functionality is present in the malware, including manipulation of files, wiping and deletion of files, executing commands on an infected system, exfiltrating data and files and gathering various system information.
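The detail that GhostSecret talks to its C2 on port 443 but not in SSL/TLS format is something a network sensor can act on directly. The block below is an added example, not code from the McAfee or BluVector write-ups: it inspects the first bytes a client sends on TCP/443 and flags any flow that does not begin with a TLS ClientHello record. The flows, addresses and byte strings are constructed for the example; the only real facts used are the TLS record-layer header layout (content type 0x16, major version 0x03, then a handshake message of type 0x01).

```python
"""Flag client flows on TCP/443 that do not begin with a TLS ClientHello.

Added example, not from the McAfee or BluVector write-ups. GhostSecret's C2 uses
port 443 but a custom record format rather than SSL/TLS, so a sensor that checks
the first client bytes on 443 for a TLS record header separates it from real
HTTPS. The flows below are constructed; addresses are from RFC 5737 test ranges.
"""
from dataclasses import dataclass

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_bytes: bytes   # first payload bytes the client sent

def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04,
    2-byte length, then handshake message type 0x01 (ClientHello)."""
    if len(data) < 6:
        return False
    return data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04 and data[5] == 0x01

def find_non_tls_on_443(flows) -> list:
    """Return flows to port 443 whose first client bytes are not a ClientHello."""
    return [f for f in flows if f.dport == 443 and not looks_like_tls_client_hello(f.first_bytes)]

# Constructed sample flows.
SAMPLE_FLOWS = [
    # genuine TLS 1.2 ClientHello start: record 16 03 01 00 8a, handshake type 01
    Flow("10.0.0.5", "203.0.113.10", 443, bytes.fromhex("160301008a010000860303")),
    # custom binary protocol on 443 (the GhostSecret pattern)
    Flow("10.0.0.7", "198.51.100.22", 443, b"\x00\x00\x00\x40\xaa\xbb\xcc\xdd"),
    # plaintext HTTP on 443: also not TLS, also worth a look
    Flow("10.0.0.11", "198.51.100.99", 443, b"GET / HTTP/1.1\r\n"),
    # port 80 is out of scope for this particular check
    Flow("10.0.0.9", "203.0.113.55", 80, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for f in find_non_tls_on_443(SAMPLE_FLOWS):
        print(f"non-TLS on 443: {f.src} -> {f.dst} first bytes {f.first_bytes[:8].hex()}")
```

This checks only the record header, which is enough to separate "speaks TLS" from "does not"; full protocol identification of the kind Zeek or Suricata perform would also catch TLS on non-standard ports. Expect some legitimate non-TLS traffic on 443 (certain VPN products, for instance), so the output is an allowlist-and-investigate feed rather than a block list.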

The investigation found the C2 servers were located in Thailand, as was the case for previous Lazarus group attacks. McAfee worked with the Thai government to have the servers taken down but kept the servers intact so they can be forensically analyzed by law enforcement agencies.

How Does It Propagate?

The malware does not self-propagate.

The initial infection vector is not currently publicly known; however, previous Lazarus Group attacks have leveraged spearphishing with malicious attachments or compromising remote access tools utilizing easily guessed or brute-forced passwords.

When/How Did BluVector Detect It?

Three samples are publicly available, and BluVector’s patented Machine Learning Engine (MLE) detected all three. Regression testing has shown the samples would have been detected, on average, 30 months prior to their release.


APT: Kwampirs (detected 11 months in advance)

What Is It?

Researchers at Symantec detailed their findings into the activities of a new attack group and the backdoor Trojan they have been using to target healthcare-related organizations.

The group, dubbed Orangeworm, is believed to be comprised of a small number of individuals and has been operating for several years. The origin, location and motivations of the group are currently unknown. Approximately 17% of systems infected with Orangeworm are located in the U.S.

The organizations known to have been targeted by Orangeworm are either directly involved in the healthcare sector (including healthcare providers or pharmaceutical companies) or organizations that provide goods and services to the healthcare industry (including IT solution providers and equipment manufacturers). Researchers believe this to be a component of a larger supply-chain attack resulting in Orangeworm gaining access to their primary healthcare targets.

This malware, named Kwampirs, gives attackers backdoor access to compromised systems to extract system information and sensitive data. The backdoor has even been found on systems used for operating X-ray and MRI machines. The attackers also seem to favor systems used by patients to complete consent forms.

The Kwampirs malware utilizes built-in system commands to gather various system information, particularly that which would assist in lateral movement through a network, such as recently accessed systems, network shares, mapped drives and network adapters. The malware decrypts and drops the main payload DLL contained within itself. When it does so, it inserts a randomly created string into the DLL in an attempt to defeat hash- and pattern-based detection. The malware also copies itself to network shares and contains a list of command and control (C2) servers with which it attempts to establish connections. Both of these actions are considered noisy, but it appears not to have concerned the authors as these behaviors have not changed over time.
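The random string Kwampirs inserts into each dropped DLL is aimed at whole-file hashes, and the example below shows why that works against hash lists but not against detections built on the bytes that do not change. This is an added example, not Kwampirs code or BluVector's detection logic: the "DLL" is a constructed byte string with a fixed head, a slot the simulated dropper fills with random data, and a fixed tail; the pattern, the slot markers and the masking layout are assumptions made for the example.

```python
"""Per-drop random strings beat whole-file hashing, not content matching.

Added example, not Kwampirs code. The Symantec analysis summarized above says the
loader inserts a randomly generated string into the DLL it drops so that each
copy has a new hash. The payload below is a constructed byte string that mimics
that layout: fixed bytes, a slot the dropper fills with random data, fixed bytes.
"""
import hashlib
import os

# Constructed stand-in for the dropped DLL (not a real PE image).
STABLE_PATTERN = b"CODE:" + b"\xde\xad\xbe\xef" * 8      # bytes that never change between drops
_HEAD = b"MZ\x90\x00" + b"\x00" * 12 + STABLE_PATTERN
_TAIL = b"TAIL" + b"\xc3" * 16

def drop_payload(random_len: int = 16) -> bytes:
    """Simulate the dropper: a fresh random string in the slot on every drop."""
    rnd = os.urandom(random_len).hex().encode()[:random_len]
    return _HEAD + rnd + _TAIL

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def matches_stable_pattern(data: bytes) -> bool:
    """Signature-style detection on bytes the dropper does not randomize."""
    return STABLE_PATTERN in data

def masked_hash(data: bytes) -> str:
    """Hash with the variable slot blanked out, so all drops collapse to one value.
    Falls back to a plain hash when the expected layout is not found."""
    start = data.find(STABLE_PATTERN)
    if start < 0:
        return sha256(data)
    start += len(STABLE_PATTERN)
    end = data.find(b"TAIL", start)
    if end < 0:
        return sha256(data)
    return sha256(data[:start] + b"<MASKED>" + data[end:])

def compare_two_drops() -> dict:
    """Show which detections survive the randomization across two drops."""
    a, b = drop_payload(), drop_payload()
    return {
        "sha256_equal": sha256(a) == sha256(b),                                  # False
        "pattern_hits": (matches_stable_pattern(a), matches_stable_pattern(b)),  # (True, True)
        "masked_hash_equal": masked_hash(a) == masked_hash(b),                    # True
    }

if __name__ == "__main__":
    print(compare_two_drops())
```

In practice the "mask the variable part" idea is what section hashes, import hashes and similarity hashes such as ssdeep give you without hand-picking offsets, and the "stable pattern" idea is what a YARA rule over code bytes does; both survive a per-drop random string that a SHA-256 blocklist does not.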

How Does It Propagate?

If the attackers determine an infected system is a high-value target based on system information gathered by the malware, the attack will attempt to use open network shares to spread within the network.

No information is available concerning the initial infection vector; however, the most common vector for similar attacks is social engineering, either as malicious attachments or as downloads performed by malicious documents. It is believed the Orangeworm group is selecting its targets carefully, making spearphishing a likely infection vector.

When/How Did BluVector Detect It?

There are nine publicly available samples and BluVector’s patented Machine Learning Engine (MLE) detected all of them. Regression testing has shown samples would have been detected an average of 11 months prior to their release, which mainly occurred during mid-to-late 2016.

Callout: approximately 17% of systems infected with Orangeworm are located in the U.S.


RANSOMWARE: BitPaymer (detected 50 months in advance)

What Is It?

While some cybersecurity pundits claim the demise of ransomware, their prognostications were at best a premature conclusion. In recent weeks, variants of BitPaymer ransomware have infected systems at the Professional Golfers Association of America (PGA) and the local government offices of Matanuska-Susitna, a municipal borough of greater Anchorage.

BitPaymer, first identified in July 2017, was responsible for ransomware attacks on a number of Scottish hospitals in August 2017. BitPaymer is also known for making large ransom demands, up to 53 bitcoin (currently in excess of $332,000). In most cases, the initial attack vector of BitPaymer ransomware is compromising internet-facing Remote Desktop Protocol (RDP) servers. The passwords to these RDP servers are brute forced.

In the case of Matanuska-Susitna, based on a report from the IT Director, the BitPaymer ransomware was part of an attack consisting of several malware payloads, including the Emotet trojan. His investigation concluded that the ransomware payload was activated 4 to 6 weeks after the network was initially compromised. He incorrectly characterizes this attack as a zero-day, based on the fact that their legacy anti-virus product did not detect any malware components of the attack until it was too late.

The attack affected all 500 of their user endpoint systems and 120 of their 150 servers, requiring the IT department to essentially shut down their entire network and forcing staff to use typewriters. Other systems impacted included email, telephone, swipe card and even their backup and disaster recovery servers. They are currently planning on reimaging 650 systems at a rate of about 38 per day.

FORE! According to reports, staff at the PGA of America began receiving pop-up ransom messages on their workstation screens on August 7, 2018. Though not yet confirmed by the PGA, based on the wording it is believed that BitPaymer ransomware is responsible. Another aspect consistent with BitPaymer ransomware is the offer to email two encrypted files to the attackers, who would decrypt them as proof of their "honest intentions." It is reported that the encrypted files include digital marketing assets related to the PGA Championship tournament and the Ryder Cup.

How Does It Propagate?

The malware does not contain the necessary code to self-propagate. The most common attack vector for BitPaymer ransomware is compromising internet-facing RDP servers by brute forcing poor or common passwords where there are no security policies in place to enforce password lockouts.

When/How Did BluVector Detect It?

Specific samples have not yet been publicly attributed to either incident. Therefore, a random selection of 25 recent BitPaymer samples were tested and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown that samples would have been detected an average of 50 months prior to their release.


RANSOMWARE: Gandcrab (detected 43 months in advance)

What Is It?

Researchers have previously noted that the developers of Gandcrab ransomware appear to have adopted an agile development model as they’ve been releasing new versions that improve both the functionality and the underlying code.

This trend appears to be continuing as security vendor Fortinet discovered version 4.1 of Gandcrab only two days after the release of version 4.0. Due to such a rapid release schedule, Gandcrab is currently considered to be the most prolific ransomware family, responsible for over 50,000 infections and $600,000 in ransom payments in a two-month period earlier in 2018.

The new Gandcrab 4.1 added the more efficient Salsa20 encryption algorithm, removing the most commonly used RSA-2048. The most significant change is that the malware now contains a lengthy list (in one case, nearly 1,000 long) of hardcoded C2 websites. The remainder of each C2 URL is created from lists of words, allowing the final URL to appear randomly generated. The malware sends a variety of system information to the C2 site, including whether the keyboard uses a Russian layout and any installed anti-virus product(s). Currently there appears to be no good reason to send this information, but it is potentially a feature that's still under development. The malware will also terminate various processes belonging to Office, database, email and similar applications prior to encrypting files. Though not unique to Gandcrab, this ensures the user's most current files will be encrypted, therefore maximizing the user's motivation to pay the ransom.

According to Fortinet, one feature that Gandcrab does not yet include is the ability to propagate using network file shares, through the use of the EternalBlue exploit. This functionality is expected to be included in future versions.

How Does It Propagate?

The malware does not yet contain the necessary code to self-propagate. In this case, it has been observed being downloaded from compromised websites that claim to offer pirated software, but instead (somewhat ironically) serve the ransomware.

When/How Did BluVector Detect It?

Five samples are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 43 months prior to their release.

Gandcrab Searches For AV Software Including:

Avast Internet Security Suite
Avira Antivirus
Comodo Firewall Pro
ESET Antivirus
Kaspersky Antivirus
F-Secure Internet Security
McAfee On-Access Antivirus Scanner
Microsoft Windows Defender
Panda Titanium Antivirus
Symantec Antivirus engine
Symantec Endpoint Protection
Tiny Personal Firewall
Trend Micro PC-Cillin Firewall


RANSOMWARE: BitPaymer/FriedEx (detected 29 months in advance)

What Is It?

Researchers at legacy anti-virus vendor ESET have published findings that show strong evidence that the authors of the Dridex banking trojan are also responsible for writing the code for the BitPaymer ransomware. Owing to the connections they found with Dridex, ESET refers to this malware as FriedEx.

The Dridex banking trojan has been seen in the wild since 2014 and since its initial release has been significantly updated and improved, becoming one of the most sophisticated and successful banking trojans.

The BitPaymer/FriedEx ransomware was first seen in July 2017 and received significant media coverage when it was responsible for infecting several National Health Service hospitals in Scotland during August 2017. Much like the recently discussed SamSam ransomware, BitPaymer/FriedEx tends to target higher-profile companies and entities, rather than home users, and usually uses brute force Remote Desktop attacks to initially infect systems.

Researchers showed screenshots that appear to come from the Hex-Rays decompiler tool, showing almost identical code in key areas of Dridex and BitPaymer/FriedEx functions. There were also commonalities in the compiler information and compiler timestamps. Their findings make a strong case for the same authors being behind both families of malware. It appears the authors saw an opportunity to take their existing Dridex codebase and modify it as necessary to create a ransomware revenue stream for themselves.

How Does It Propagate?

Similar to the SamSam ransomware, BitPaymer/FriedEx spreads by attackers manually brute forcing Remote Desktop Protocol (RDP) servers, which then gives them access to devices within the networks. Again, best practice dictates that RDP servers should not be accessible from the internet.

When/How Did BluVector Detect It?

BluVector’s patented machine learning malware detection engine detects the BitPaymer/FriedEx ransomware as malicious. Regression testing on samples has shown the ransomware would have been detected by BluVector 29 months prior to its release.


RANSOMWARE: SamSam (detected 12 months in advance)

What Is It?

Researchers from Cisco TALOS recently released details of a new variant of the SamSam ransomware, which has affected organizations in several industry verticals, including government, healthcare and ICS.

Media reports have advised various healthcare organizations have been affected in recent days, including MedStar, a non-profit group that manages 10 hospitals in the Baltimore and Washington, DC area, Chicago-based AllScripts and Hancock Health Hospital, as well as Adams Memorial Hospital in Indiana. The government municipality of Farmington, New Mexico has also been impacted.

The initial infection vector has not yet been determined, though it is believed to be consistent with previous SamSam variants, where the attackers manually install the ransomware after compromising the corporate network and moving laterally to identify which business critical servers would make the best targets.

The ransomware consists of two components, a loader and an encrypted payload, both delivered as .NET executables. By design, the attackers must manually activate the ransomware using a randomly generated encryption key. SamSam is not a mass-market ransomware such as WannaCry; rather, it is designed to be deployed on high-value targets.

Researchers have determined at least one Bitcoin wallet is being used to collect ransom payments. Currently this wallet has collected 30.4 Bitcoin, which at the time of writing is worth approximately US$270K.

How Does It Propagate?

Unlike many other strains of ransomware, SamSam does not self-propagate.

Researchers have not yet determined with certainty the initial infection vector that allowed the attackers to install the SamSam ransomware. However, they believe that compromised RDP and VNC servers may have given the attackers their first foothold into corporate networks. This is another reminder that a determined attacker will find any weakness in your perimeter defense. Best practice dictates that RDP and VNC servers should not be accessible from the internet.
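Both BitPaymer/FriedEx and SamSam gain their initial foothold through password guessing against exposed RDP. The following is an added example, not part of the BluVector report, that runs a simple burst detection over constructed Windows Security log records (event 4625 failed logon, 4624 successful logon); the pipe-delimited field layout, the threshold and window, and all sample values are assumptions made for the illustration.

```python
"""Flag RDP password-guessing bursts in simplified Windows Security events.

Constructed example. Logon type 10 is RemoteInteractive (RDP); when
Network Level Authentication is enabled, failed RDP attempts are usually
recorded with logon type 3 instead, so both types are counted.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPES = {3, 10}
THRESHOLD = 5                   # failures from one source IP ...
WINDOW = timedelta(minutes=2)   # ... inside this sliding window -> alert


def detect_rdp_bruteforce(events):
    """Return (source_ip, kind, timestamp) alerts in time order.

    kind is 'burst' when THRESHOLD failures fall inside WINDOW, and
    'success_after_burst' when a 4624 from the same IP follows a burst.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent 4625s
    burst_ips, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue                # interactive/service logons are ignored
        ip, ts = ev["ip"], ev["time"]
        if ev["event_id"] == 4625:
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # expire stale failures
                q.popleft()
            if len(q) >= THRESHOLD and ip not in burst_ips:
                burst_ips.add(ip)
                alerts.append((ip, "burst", ts))
        elif ev["event_id"] == 4624 and ip in burst_ips:
            alerts.append((ip, "success_after_burst", ts))
    return alerts


def parse_line(line):
    """Parse one constructed 'time|event_id|logon_type|user|ip' record."""
    ts, eid, ltype, user, ip = line.split("|")
    return {"time": datetime.fromisoformat(ts), "event_id": int(eid),
            "logon_type": int(ltype), "user": user, "ip": ip}


# Constructed sample: five guesses in 30 s then a success from one address,
# one local (type 2) failure to be ignored, and one lone remote failure.
SAMPLE_LOG = [
    "2019-03-01T02:00:00|4625|10|administrator|203.0.113.7",
    "2019-03-01T02:00:08|4625|10|admin|203.0.113.7",
    "2019-03-01T02:00:15|4625|3|Administrator|203.0.113.7",
    "2019-03-01T02:00:21|4625|10|backup|203.0.113.7",
    "2019-03-01T02:00:30|4625|10|scanner|203.0.113.7",
    "2019-03-01T02:00:40|4624|10|scanner|203.0.113.7",
    "2019-03-01T02:00:45|4625|2|jsmith|10.0.0.5",
    "2019-03-01T02:00:50|4625|10|jdoe|198.51.100.9",
]


def run_sample():
    return detect_rdp_bruteforce(parse_line(l) for l in SAMPLE_LOG)
```

On real hosts the same logic applies to the 4625/4624 records exported from the Security log, with the source address taken from the IpAddress field.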

When/How Did BluVector Detect It?

BluVector’s patented machine learning malware detection engine detects SamSam ransomware as malicious. Regression testing on several samples has shown they would have been detected by BluVector an average of 12 months prior to their release.


TROJAN: RtPOS

What Is It?

A new report from Booz Allen Hamilton Cyber (BAHC) describes a piece of POS malware named RtPOS that appears to have gone undiscovered for a year. In previous Threat Reports (covering RadRAT and InvisiMole), we discussed the concept of dwell time as the period between a network being compromised and that breach being detected.

POS malware, such as LockPOS, is designed to steal payment card data from terminals and other systems used to process card payments in stores and other businesses. Most often, the card data is extracted directly from the memory of the infected system. Readers may remember the news around the use of POS malware, such as in well publicized attacks on customers of Home Depot and Target in 2014.

BAHC did not describe how or where they obtained the sample, though they named it RtPOS based on a debug string found in the sample. The metadata of the sample shows the language code to be Russian, which could indicate a possible location of the authors (or at least their chosen language). The sample’s apparent lack of sophistication and functionality has caused speculation as to whether it is an example of malware that is still under development, although these same attributes could also indicate a deliberate choice by the authors to make the malware more stealthy.

Unlike the majority of current malware, RtPOS is not packed or otherwise obfuscated. However, this may actually make the sample appear less suspicious to endpoint-specific anti-malware solutions. In a departure from most POS malware, this sample also does not contain the capability to exfiltrate stolen card data; instead, that data is merely logged in plain text to a file stored in the Windows\SysWOW64 directory. The malware is very specific in its function: it only accepts two parameters (either “install” or “remove”) and only looks for card data, not other data that could be commoditized by attackers, such as social security numbers.

Given its narrow focus, it is believed that RtPOS is used in conjunction with additional malware in order to compromise the payment processing system and exfiltrate the extracted data. The compile date of the sample is August 2017 and there is no evidence to suggest this is inaccurate, indicating the malware has gone unnoticed in the wild for a full year.

How Does It Propagate?

The malware does not self-propagate and the infection vector is currently unknown.

When/How Did BluVector Detect It?

BluVector’s patented Machine Learning Engine (MLE) detected the RtPOS malware. Regression testing has shown the sample would have been detected 20 months prior to its discovery, which appears to be 12 months after it was created, meaning BluVector would have detected this sample 8 months before it was even created.


Biggest POS Breaches In 2018:

Jan: Aetna
Feb: FedEx
Mar: Orbitz
Mar: Under Armour
Apr: Saks Fifth Avenue, Lord & Taylor
Apr: Panera Bread
Apr: SunTrust Banks
May: Chili’s
May: Nuance Communications
June: TaskRabbit
June: Ticketmaster
June: Adidas
July: Macy’s
July: U.S. Air Force
July: LabCorp Diagnostics
July: LifeLock
August: Fortnite
Sept: British Airways
Sept: Facebook
Oct: U.S. Department of Defense

Source: https://www.identityforce.com/blog/2018-data-breaches


About BluVector, A Comcast Company

www.bluvector.io 571.565.2100

As a leader in network security, BluVector is empowering security teams to get answers about real threats, allowing businesses and governments to operate with greater confidence that data and systems are protected.

BLUVECTOR MLE

BluVector MLE is a patented supervised Machine Learning Engine that was developed within the defense and intelligence community to accurately detect zero-day and polymorphic malware in real time. Unlike unsupervised machine learning, which is leveraged by most security vendors today, BluVector MLE algorithms were pre-trained to immediately identify malicious content embedded within common file formats like Office documents, archives, executables, .pdf, and system updates. The result: 99.1%+ detection accuracy upon installation.

BLUVECTOR SCE

BluVector SCE is the security market’s first analytic specifically designed to detect fileless malware as it traverses the network. By emulating how the malware will behave when it is executed, the Speculative Code Execution engine determines, at line speed, what an input can do if executed and to what extent these behaviors might initiate a security breach. By covering all potential execution chains and focusing on malicious capacity rather than malicious behavior, the analytic technology vastly reduces the number of execution environments and the quantity of analytic results that must be investigated.
