The #OpSafePharma is a hacktivist campaign targeting the Italian healthcare and pharma industries, protesting their treatment of ADHD. Hacktivists affiliated with Anonymous Italia perform DDoS attacks and leak information stolen from databases of websites related to the abovementioned sectors. The campaign, which started in March 2016, was relaunched at the beginning of June following a decrease in the number of attacks against Italian targets in the past month.
On August 21, 2016, Anonymous Italia and its affiliated hacktivist collective AntiSec-Italia, relaunched the campaign, this time dubbed #OperationSafePharma, targeting four different healthcare-related Italian institutions with website defacement attacks and substantial data leakages. The outcomes of the operation, namely the screenshots of the defaced websites and the addresses of the downloadable data leakages, uploaded on dedicated file sharing platforms, were announced on the social media outlets of AntiSec-Italia, specifically on their Facebook page and Twitter account.
The Data Leakage
The hacktivists leaked approximately 2.5 GB of data, stolen from the databases of two prominent Italian healthcare institutions, and provided links to file-sharing platforms where they uploaded the dumps.
We acquired the leaked databases and, upon verification, we assess that they mostly contain internal communications, as well as a great volume of personal data relating to the in-house personnel of the two healthcare institutions, mainly CVs of the physicians and administrative executives working in the facilities. We did not find any indications that medical records of patients treated in these healthcare facilities were disclosed or compromised during the data leakage. Notably, the most recent documents we detected within the stolen files are dated August 5, 2016.
The group defaced four distinct websites, explaining in a public statement – recycled from previous operations – the rationale underpinning the protest.
Our assessment is that this latest iteration of #OperationSafePharma originates more from a one-time opportunity window that the hacktivist group AntiSec-Italia spotted in vulnerable websites associated with Italian medical centers and hospitals, than a concerted effort by multiple Anonymous-affiliated collectives to launch a massive hacktivist campaign against the Italian healthcare sector as a whole. We base this assumption on the analysis conducted using our automated SMA (Social Media Analytics) toolset, which indicated a spike in the activity of the attackers.
Nonetheless, the achievements of the operation, in particular the exfiltration of sensitive databases belonging to prominent Italian healthcare institutions, display noteworthy technical capabilities by the initiators of the offensive.
As yet, we have not identified any preparations for future hacktivist campaigns against the Italian healthcare or financial sector, nonetheless we continue to monitor Italian hacktivist threat actors on a daily basis.
The healthcare sector has recently become a desirable target for cyber crooks. According to Symantec ISTR report statistics, healthcare was the most breached sub-sector in 2015, comprising almost 40% of all the attacks. Hospital security systems are generally less secure than those of financial organizations, as monetary theft has always been perceived as the greatest threat for organizations, and dangers to other sectors were usually underestimated. Moreover, awareness of cyber-attacks against hospitals and medical centers is much lower than it is to financial cybercrime, and as a result, the employees are less well-trained on how to avoid falling victim to a cyber-attack.
Only lately, this concept has started to be challenged, revealing the potential damage that can be caused by the theft and leakage of patient data. However, the ‘bad guys’ remain one step ahead and during the last few months, we have witnessed a spate of attacks targeting the healthcare industry: ransomware attacks encrypting essential data and demanding payment of a ransom, numerous data leakages revealing confidential patient data, unauthorized access to medical networks and even the hacking of medical devices, such as pumps and X-ray equipment.
Moreover, the healthcare sector is being targeted by hackers not only directly, but also via third-party companies in the supply chain, such as equipment and drug suppliers. These companies usually store some confidential data that originates in the hospitals’ databases and may even have access to the hospital IT systems, but they are far less secure than the hospitals themselves. Thus, they serve as a preferable infiltration point for malicious actors pursuing the theft of medical data and attempting to infiltrate the hospitals’ networks.
The consequences of attacks on the healthcare industry may be extensive, including the impairment of the medical center functioning, which may result in danger to human lives in the worst case scenario. In other cases, personal data will be stolen and sold on underground markets. Cybercriminals will take advantages of these personal details for identity theft or for future cyber-attacks combining social engineering based on the stolen details.
While monitoring closed Deep-Web and Darknet sources, SenseCy analysts recently noticed a growing interest toward the healthcare sector among cyber criminals. Databases of medical institutions are traded on illicit marketplaces and closed forums, along with access to their servers. In the last few months alone, we came across several occurrences indicating extensive trade of medical records and access to servers where this data is stored.
The first case, in May 2016, was the sale of RDP access for a large clinic group with several branches in the central U.S., which was offered for sale on a Darknet closed forum. For a payment of $50,000 Bitcoins, the buyer would receive access to the compromised workstation, with access to 3 GB of data stored on four hard disks. Additionally, the workstation allows access to an aggregate electronical system (EHR) for managing medical records, where data regarding patients, suppliers, payments and more can be exploited.
Although the seller did not mention the origin of the credentials he was selling, he claimed that local administrator privileges could be received on the compromised system. He also specified that 45 users from the medical personnel were logged into the system from the workstation he hacked.
The relatively high price for this offer indicates the high demand for medical information. With RDP access, the potential attackers can perform any action on the compromised workstation: install malware, encrypt the files or erase them, infect other machines in the network and access any data stored in the network. The consequences can be tremendous.
Just a few weeks later, in June 2016, our analysts detected another cyber-accident related to healthcare. This time, three databases allegedly stolen via an RDP access to a medical organization were offered for sale for more than $500,000 on a dedicated Darknet marketplace. In one of his posts, the seller claimed that one of the databases belongs to a large American health insurer.
Before long, we again discovered evidence of hacking into a medical-related organization, this time by Russian-speaking hackers. On one of the forums we monitor, a member tried to sell an SSH access to the server of an American company supplying equipment to 130 medical center in the U.S. He uploaded screenshots proving that he accessed the server where personal data of patients is stored.
The conclusions following these findings are concerning. An extensive trade in medical information and compromised workstations and servers is a common sight on underground illegal markets. This business generates hundreds of thousands, if not millions of dollars annually, ensuring its continuation as long as there are such high profits to those involved. Since the ramifications can be grave, the healthcare sector must take all necessary measures to protect their systems and data:
Implement a strong password policy, because many hacks are a result of brute-force attack. Strong passwords and two-factor authentications to log into organizational systems should be the number one rule for medical organizations.
Deploy suitable security systems.
Instruct the employees to follow cyber security rules – choosing strong and unique passwords, spotting phishing email messages, avoiding clicking on links and downloading files from unknown sources, etc. Consider periodic training for employees on these issues to maintain high awareness and compliance with the rules.
Use Cyber Threat Intelligence (CTI) – to keep up with the times regarding the current most prominent threats to your organization and industry.
During May 2016, we witnessed the second phase of the #OpIcarus cyber campaign against banks around the world, launched by the Anonymous collective in February 2016. The participants carried out DDoS attacks against bank websites in various countries on a daily basis. Several cyber-attacks succeeded in shutting down the websites of central banks in Greece, Cyprus and other countries.
The initiators created two Facebook event pages and opened an IRC channel to coordinate their cyber-attacks. Approximately 2,000 participants joined the #OpIcarus event pages, but many more hacktivists expressed their support of this campaign via their social media accounts. With regard to the dedicated IRC channel, it appears not to have been as active as the campaign platforms in Facebook and Twitter.
Attacks and Tools
According to news reports, #OpIcarus participants shut down bank websites around the world on a daily basis. We cannot confirm that all of the mentioned banks websites were actually offline, due to the participant DDoS attacks, but we wish to point out several incidents that caught our attention.
A member of the Ghost Squad Hackers group dubbed s1ege took responsibly for shutting down the email server of the Bank of England. The bank did respond to this attack, but according to news reports, the bank’s mail server was offline on May 13, 2016.
In addition, according to a single news report shared on various Facebook accounts, Chase Bank ATMs stopped working on May 14, 2016, as a result of the Anonymous collective cyber activity. The Twitter account of Chase Bank’s technical support tweeted that their ATMs did not accept any deposits on this day, but they did not mention what had caused the problem. Meanwhile, the Ghost Squad Hackers group tweeted that the incident was part of the #OpIcarus campaign.
Additionally, s1ege claimed on May 18, 2016, that they had shut down a website related to the NYSE. The NYSE Twitter account tweeted that they had experienced a technical issue in one of their trading units. They did not mention what had caused the problem. Therefore, it is unclear if there is any connection to the Ghost Squad Hackers group, aside from the latter’s claim of responsibility.
With regard to the attack tools, the participants used a variety of DDoS, some of which were simple online tools with no sophisticated DDoS abilities. However, there were indications that they used DDoS-as-a-Service (DaaS) platforms, such as Booters/Stressers that require payment and registration. In addition, the New World Hackers (NWH) team that took responsibility for shutting down the HSBC Bank website on January 29, 2016, supported the #OpIcarus campaign.
This campaign gained high popularity among hacktivists from all over the world who were motivated to DDoS bank websites protesting corruption and other issues. It is possible that the initiators will decide to engage an additional phase of this campaign, since one of them claimed in an interview that “Operation Icarus will continue as long as there are corrupt and greedy banks out there.”
This year, #OpIsrael hacktivists focused on defacing private websites, carrying out DDoS attacks and leaking databases. Hundreds of private Israeli websites were defaced, mostly by Fallaga and AnonGhost members. Various databases containing Israeli email addresses and credit cards were leaked, but the majority were recycled from previous campaigns.
The hacktivists attacks commenced on April 5, 2016, two days before the campaign was launched, with a massive DDoS attack against an Israeli company that provides cloud services. The fact that no one took responsibility for the attack, alongside the massive DDoS power invested, may indicate that threat actors with advanced technical abilities were responsible.
On April 7, 2016, approximately 2,650 Facebook users expressed their desire to participate in the campaign via anti-Israel Facebook event pages. There are several possible reasons for the low number of participants (compared for example to the 5,200 participants in #OpIsrael 2015). One reason might be disappointment in last year’s lack of significant achievements. Another reason could be the devotion of attention to other topics, such as the cyber campaign against the Islamic State (IS), in the wake of the recent terrorist attacks in Brussels. Moreover, it is possible that anti-Israel hacktivists have abandoned social media networks for other platforms, such as IRC and Telegram.
During the campaign, we detected many indications of the use of common DDoS tools, such as HOIC, and simple DDoS web platforms that do not require any prior technical knowledge in order to operate them. Most of the DDoS attacks were directed against Israeli government and financial websites. Hacktivists claimed they managed to take down two Israeli bank websites. While this could be true, the websites were up and operational again within a short time. In addition, there were no indications of the use of RATs or ransomware against Israeli targets.
As mentioned previously, most of the leaked databases were recycled from previous campaigns. However, we noticed that almost all of the new leaked databases were stolen from the same source – an Israeli company that develop websites. Notably, during the 2014 #OpIsrael campaign, this company website appeared on a list of hacked websites.
There was no immediate claim of responsibility for the leakage of these databases, which raises many questions, since anti-Israel hacktivists typically publish their achievements on social media networks to promote the success of the campaign. Moreover, almost all of these databases were first leaked in the Darknet, but anti-Israel hacktivists do not use this platform at all. In addition, all of the data leakages were allegedly leaked by a hacker dubbed #IndoGhost, but there are no indications to suggest that this entity was involved in the #OpIsrael campaign or any other anti-Israel activity.
Finally, we detected several attempts to organize another anti-Israel campaign for May 7, 2016. As an example, we identified a post calling to hack Israeli government websites on this date. We estimate that these attempts will not succeed in organizing another anti-Israel cyber campaign.
Written and prepared by SenseCy’s Cyber Intelligence analysts.
SenseCy’s 2015 Annual CTI Report spans the main trends and activities monitored by us in the different cyber arenas including the world of Arab hacktivism, the Russian underground, the English-speaking underground, the Darknet and the Iranian underground. In addition, we have listed the major cyber incidents that occurred in 2015, and the most prominent attacks against Israeli organizations.
The following is an excerpt from the report. To receive a copy, please send a request to: firstname.lastname@example.org
2015 was a prolific year for cyber threats, so before elaborating on our main insights from the different arenas covered here at SenseCy, we would like to first summarize three of the main trends we observed in 2015.
Firstly, when reviewing 2015, we recommend paying special attention to the evolving world of ransomware and new applications of this type of malware, such as Ransomware-as-a-Service (RaaS), and ransomware targeting cloud services, as opposed to local networks and more.
Secondly, throughout 2015, we witnessed cyber-attacks against high-profile targets attributed to ISIS-affiliated hackers and groups. One such incident was the January 2015 allegedly attack against the YouTube channel and Twitter account of the U.S. Central Command (CENTCOM).
Thirdly, 2015 revealed a continuing interest in the field of critical infrastructure among hackers. Throughout the year, we witnessed multiple incidents of critical infrastructure firms allegedly targeted by hackers, prompting periodic analyses addressing the potential vulnerabilities of critical sectors such as energy, water, and more. Taking into consideration the advanced capabilities and high-level of understanding of such systems required to execute such attacks, many security firms and experts are confident that these attacks are supported by nation-state actors.
The following are several of our insights regarding activities in different cyber arenas this past year:
During 2015, we detected several indications of anti-Israel cybercrime activity on closed platforms frequented by Arabic-speaking hackers. It will be interesting to see if these anti-Israel hacktivists that usually call to deface Israeli websites or carry out DDoS attacks will attempt to incorporate phishing attacks, spamming methods and tools into their arsenals. Notwithstanding, Islamic hacktivism activity continues unabated, but without any significant success.
Trade on Russian Underground Forums
The prominent products currently traded during 2015 on Russian underground forums are ransomware programs and exploits targeting Microsoft Office. With regard to banking Trojans, we did not notice any major developments or the appearance of new Trojans for sale. The PoS malware field has not yielded any new threats either, in contrast to the impression given by its intensive media coverage.
Mobile malware for Android devices is on the rise as well, with the majority of tools offered being Trojans, but we have also detected ransomware and loaders.
Prices on the Russian Underground have remained unchanged during the past two years, due to the vigorous competition between sellers on these platforms.
Different kinds of services, such as digital signing for malicious files, injections development for MitM attacks and crypting malware to avoid detection were also extremely popular on Russian forums.
The English-Language Underground
Our analysis of password-protected forums revealed that exploits were the best-selling products of 2015. This comes as no surprise, since exploits are a vital part of almost every attack.
The Darknet made the headlines on multiple occasions this year, mostly owing to databases that were leaked on it and media reports recounting FBI activities against Darknet users. Furthermore, this year saw increased activity by the hacking community on the Darknet, manifested in dedicated markets for the sale of 0-day exploits and the establishment of several new hacking forums.
The Iranian Underground
With regard to Iranian threat actors, 2015 was a highly prolific year, with attack groups making headlines around the world. Delving deeper into the Iranian underground, we uncovered several interesting trends, some more clear than others.
One main development in 2015 was the persistent interest in critical infrastructure, with underground forum members sharing and requesting information related to industrial control systems and other related components. With Iranian actors becoming increasingly drawn to this field, we assess that this trend will remain relevant in 2016 as well.
Another growing phenomenon is the stunted life cycles of Iranian cyber groups, many with a life-span of just several months. This trend makes it difficult to monitor the different entities active in the Iranian cyber arena and their activities. To understand the constant changes in this realm, this short life cycle trend must be taken into consideration and the Iranian cyber arena continuously monitored.
That said, we must not overlook one of the most prominent characteristics of Iranian attack groups – confidentiality. With attacks attributed to Iranian actors becoming more sophisticated and high-profile, we believe that the divide between medium-level practices of malicious activity and alleged state-sponsored activity by attack groups will remain pronounced.
ISIS – Cyber-Jihad
On the other side of the Arab-speaking cyber world, we can find ISIS and its evolving cyber activities. There is disagreement between intelligence firms and cyber experts about the cyber offensive capabilities of the Islamic State. In addition, there is a high motivation among hackers that identify with the group’s fundamentalist agenda to carry out cyber-attacks against Western targets, especially against those countries actively involved in the war against the group in Iraq and Syria.
The answer to this question is Yes and No (or Probably Not).
Recently, we noticed a heated debate among Arabic-speaking hackers regarding rumors about a new njRAT version, dubbed v0.8d. Some doubted the credibility of the report, cautioning that the new version was probably a fake that would infect everyone who tried to use it. They also claimed that the original njRAT programmer, njq8, had stopped updating it.
Notwithstanding, there is a tutorial with a download link that shows the features of the new version. The video was published on several YouTube accounts and some of them linked the new version to an unknown hacker called Naseer2012 (whose name is similar to njq8‘s real name). In addition, this new njRAT version has aroused interest among Portuguese-speaking hackers, raising assumptions that the njRAT v0.8d developer is actually “Ajnabi” (foreign in Arabic).
The allegedly new njRAT version piqued our curiosity, so we downloaded it from the tutorial. First, the GUI of the new version closely resembles njRAT v0.7d. In addition, our technical analysis revealed that it belongs to the njRAT malware family, based on its Imphash (hash based on portable executable imports that are the functions of the specific malware) and its network signature.
However, it does not have any unique capabilities that distinguish it from the old 0.7d version. Its capabilities, according to our technical analysis, are keylogging, remote shell, remote desktop, password recovery, registry manager, file manager, remote webcam, microphone control, download & execute and DDoS. Unlike njRAT v0.7d, this malware does not have any security features, other than change icon. It can be spread by USB.
Notably, the fact that Naseer2012 thanks njq8 suggests it this not an official upgraded version of the njRAT malware developed by the original programmer.
Since the source code of the worm version of the famous njRAT malware (Njw0rm) was leaked in May 2013, many hackers have developed new malware under different names with numerous capabilities, security features and propagation protocols. However, they all have a common behavior pattern, since they are based on the same source code. In addition, our technical analysis of different RAT malware samples that we detected during 2015 revealed that almost a dozen of them belong to the njRAT family.
So we can all relax as there is no new official njRAT version, but rather a new GUI and new technical indicators of another njRAT-based malware sample.
The following is a YARA rule based on our technical analysis:
Any ISIS activities become a hot topic after destructive events organized by the Islamic State (IS) during 2015. The whole world is concerned about ISIS plans and afraid of another bloody attacks.
One of the most discussed topic is the Islamic State offensive capabilities in the cyber space. In 2015 various organizations were hit by a number of cyber-attacks allegedly launched by IS hackers. Nevertheless, some cyber security experts presume that a sophisticated group of Russian hackers stands behind the attacks against a French TV station in April 2015 and the hijacking of the CENTCOM Twitter account in January 2015. Anyway, let’s have a look at the timeline of cyber-attacks that are related to ISIS in 2015. Investigate the Infographic. We will appreciate your opinion regarding ISIS cyber capabilities.
During January 2016 we will publish our annual Cyber Threat Intelligence report, in which you could find fascinating information regarding ISIS cyber activities, recent developments in the Russian underground, technical analysis of self-developed malicious tools that we identified this year, new trends in Darknet platforms, and more.
On May 20, 2015, researchers from the University of Michigan announced a new vulnerability in the Diffie-Hellman key exchange, called LogJam.
The vulnerability resides in the basic design of TLS itself, exposing both clients and servers, including mail servers, to a MitM attack, in which a malicious attacker can downgrade SSL-based connections to 512-bit export-grade cryptography, thus bypassing the basic security mechanism and allowing the attacker to read and modify any exposed traffic.
According to the official publication in weakdh.org, “The attack affects any server that supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of the Top one million domains were initially vulnerable.” Moreover, the flaw exploits a vulnerability in the Diffie-Hellman TLS key-exchange protocol, rather than the RSA key exchange exploited by the FREAK vulnerability.
When a client requests a DHE_EXPORT cipher-suite instead of DHE, the server (if it supports DHE_EXPORT) will pick a small, breakable 512-bit parameter for the secret exchange.
According to a CloudFlare publication, this is the protocol flaw at the heart of LogJam “downgrade attack”:
A MitM attacker intercepts a client connection and replaces all the accepted cipher-suites with only the DHE_EXPORT ones.
The server picks weak 512-bits parameters, does its half of the computation, and signs the parameters with the certificate’s private key. Neither the Client Hello, the client cipher-suites, nor the chosen cipher-suite are signed by the server.
The client is led to believe that the server picked a DHE Key Exchange and just willingly opted for small parameters. From its point of view, it has have no way to know that the server was tricked by the MitM into doing so.
The attacker would then break one of the two weak DH shares, recover the connection key, and proceed with the TLS connection with the client.
Moreover, the researchers have speculated that the LogJam vulnerability provides an explanation for how the NSA cracked VPN connections, saying “a close reading of published NSA leaks shows that the agency’s attacks on VPNs are consistent with having achieved such a break.”
Further to the publication of the LogJam vulnerability, SenseCy monitored its popularity among known hacker groups and cyber hacktivist. A general interest was noted, with some questions on the vulnerability.
So how should you approach this vulnerability?
The researchers provided some simple answers to this question:
If you run a server:
If you have a web or mail server, you should disable support for export cipher suites and generate a unique 2048-bit Diffie-Hellman group. Step-by-step instructions can be found here.
If you use a browser:
Make sure you have the most recent version of your browser installed, and check for updates frequently (including smartphones).
If you are a system administrator or developer:
Make sure any TLS libraries you use are up-to-date and that you reject Diffie-Hellman Groups smaller than 1024-bit.
Hacking group AnonGhost has published an official video on #OpUSA, its upcoming cyber campaign against the United States. The video, addressed to the U.S. government, does not mention the date of the campaign or the list of targets, but based on the group’s 2013 #OpUSA campaign, it appears that it is set to take place on May 7. The official video’s YouTube page mentions prominent AnonGhost members Mauritania Attacker, An0nx0xtn, DarkCoder, Donnazmi, and Hussein Haxor, all of whom promote the group’s agenda in social networks.
On May 7, 2013, AnonGhost, along with other groups such as the Tunisian Hackers, threatened to hack American government and financial websites. While they were highly motivated, they failed to achieve much other than to deface several websites and leak emails and personal information. A possible reason for their limited success is that several days before the campaign, hackers speculated on social media that #OpUSA was actually a trap set by the federal government in order to expose and arrest the participants.
One of the groups that participated in 2013, N4m3le55 Cr3w, published a long list of recommended DDoS tools at that time, most of which are common hacking tools that are likely to be used in the current campaign as well.
TorsHammer, a Python-based DDoS tool created by the group called An0nSec.
SYN Flood DOS, a DDoS tool that operates with NMAP and conducts a SYN Flood attack.
Starting at the end of last week, hacktivist groups from around the Muslim world tried to attack Israeli websites, particularly those of government institutions, as part of the #OpIsrael cyber campaign. In the past twenty-four hours they stepped up their activity, but we have seen no signs of major attacks. Despite all the publicity prior to the campaign, the hackers’ successes were limited to defacing several hundred private websites and leaking the email addresses of tens of thousands of Israelis, many of them recycled from previous campaigns. Several dozen credit card numbers were also leaked on information-sharing websites, but our examination shows that some were recycled from past leaks.
AnonGhost, which initiated the campaign, was the main actor behind it. However, other groups of hackers, such as Fallaga, MECA (Middle East Cyber Army), Anon.Official.org, and Indonesian and Algerian groups also participated in the attacks. As the campaign progressed, we saw an increasing number of posts and tweets about it (over 3,000), but this is still significantly less than last year, when there were tens of thousands.
As we noted in previous updates, the campaign was conducted primarily on social networks, especially Facebook and Twitter. IRC channels opened for the campaign were barely active, partly because hackers feared spying by “intelligence agents.” On closed forums and Darknet platforms, we saw no activity related to #OpIsrael.
Following is a summary of the main results of the attacks that we have identified so far:
Defacing of hundreds of websites. Victims included Meretz (an Israeli political party), various Israeli companies, sub-domains of institutions of higher education, municipalities, Israeli artists, and more.
Leaking of tens of thousands of email addresses and personal information of Israelis. A significant portion of the information was recycled from previous campaigns. Databases from third-party websites were also leaked. In addition, two files were leaked and according to the hackers, one had 30,000 email addresses and the other 150,000 records.
Publication of details from dozens of credit cards, some of them recycled.