At a glance.
- Cloud Snooper infests cloud infrastructure servers.
- A commodity infostealer earns black market share in English-speaking hacker souks.
- A ransomware attack on US patient survey vendor NRC Health suggests risk to patient data.
Cloud Snooper found in servers hosted in the AWS cloud.
We're accustomed to seeing insecure implementations of cloud-based databases as a common source of privacy problems. But there are sophisticated attacks that can also threaten private data. Sophos reports finding a sophisticated infestation of cloud infrastructure servers hosted in the AWS cloud. The researchers call it "Cloud Snooper," and they emphasize that this isn't "an AWS problem per se." Cloud Snooper is distinctive in the way its command-and-control traffic rides on top of legitimate, normal web traffic, doing so in a way that bypasses many firewalls. A boundary firewall of the security-group kind is an allow list keyed on destination port and protocol; it does not inspect what the packets on an allowed port carry, so traffic that arrives on a port the group already opens passes regardless of its purpose. The capability and complexity of the attack, along with its use of purpose-built malware, suggests to Sophos that the threat actor may be a nation-state, or at the very least an unusually capable criminal group. Sophos commendably doesn't speculate further than this on attribution, but they do note that such English as appears in the code is mostly non-native, and some debug code contains a good bit of Chinese. Cloud Snooper exists in versions that affect both Windows and Linux systems. Sophos recommends using AWS security groups (SGs) as a boundary firewall and paying attention to patching: "When it comes to prevention against this or similar attacks, AWS SGs provide a robust boundary firewall for EC2 instances. However, this firewall does not eliminate the need for network administrators to keep all external-facing services fully patched."
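One way to hunt for C2 that hides inside traffic a security group already permits, as an added example that is not code from the Sophos report or from this page: Sophos's write-up (not this briefing) describes the Cloud Snooper rootkit keying on the source port of inbound packets to allowed web ports, so the script below parses AWS VPC Flow Log lines in the default version 2 field order and flags clients that repeatedly reuse one fixed, non-ephemeral source port toward port 80 or 443. The flow log lines, the address and account values, and the source port 1010 are all constructed for illustration, and the 32768 ephemeral floor is the Linux default assumed here.

```python
"""Flag inbound web-port flows that reuse a fixed, non-ephemeral client source port.

Added example, not code from the Sophos report. The VPC Flow Log lines in
SAMPLE_FLOW_LOG are constructed; port 1010 is an arbitrary illustrative value.
"""
from collections import defaultdict

ALLOWED_WEB_PORTS = {80, 443}   # what the security group exposes to 0.0.0.0/0
EPHEMERAL_FLOOR = 32768         # Linux default client-port range starts here (Windows: 49152)
TCP = "6"                       # IANA protocol number as it appears in the log

# Default VPC Flow Log (version 2) field order.
FIELDS = ("version", "account", "eni", "srcaddr", "dstaddr", "srcport", "dstport",
          "protocol", "packets", "bytes", "start", "end", "action", "status")


def parse_flow_log_line(line):
    """Return a dict for one flow log record, or None for malformed/NODATA lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        # NODATA/SKIPDATA records carry "-" here and are dropped by the ValueError.
        rec["srcport"] = int(rec["srcport"])
        rec["dstport"] = int(rec["dstport"])
    except ValueError:
        return None
    return rec


def fixed_source_port_hits(lines, min_hits=3):
    """Map (srcaddr, srcport, dstport) -> count for accepted TCP flows where a client
    hit an allowed web port from a fixed source port below the ephemeral range at
    least min_hits times. Ordinary browsers pick a fresh ephemeral port per connection,
    so a recurring low source port is worth a look; the firewall itself cannot see it."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_flow_log_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["protocol"] != TCP:
            continue
        if rec["dstport"] in ALLOWED_WEB_PORTS and rec["srcport"] < EPHEMERAL_FLOOR:
            counts[(rec["srcaddr"], rec["srcport"], rec["dstport"])] += 1
    return {key: n for key, n in counts.items() if n >= min_hits}


# Constructed sample: two normal clients on ephemeral ports, one client that keeps
# coming back to 443 from source port 1010, one single low-port hit (below threshold),
# one rejected flow, and one NODATA record.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.20 51234 443 6 12 5100 1581400000 1581400060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 203.0.113.10 10.0.1.20 51236 443 6 9 3900 1581400060 1581400120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40002 80 6 7 2800 1581400000 1581400060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.55 10.0.1.20 1010 443 6 3 240 1581400000 1581400060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.55 10.0.1.20 1010 443 6 3 240 1581400600 1581400660 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.55 10.0.1.20 1010 443 6 3 240 1581401200 1581401260 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.55 10.0.1.20 1010 443 6 3 240 1581401800 1581401860 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.99 10.0.1.20 22 443 6 1 60 1581401800 1581401860 ACCEPT OK
2 123456789012 eni-0a1b2c3d 192.0.2.77 10.0.1.20 1010 22 6 1 60 1581401800 1581401860 REJECT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1581401800 1581401860 - NODATA
"""


def report(text=SAMPLE_FLOW_LOG, min_hits=3):
    """Convenience wrapper: run the hunt over a whole flow log export."""
    return fixed_source_port_hits(text.strip().splitlines(), min_hits=min_hits)


if __name__ == "__main__":
    for (src, sport, dport), n in report().items():
        print(f"{src} reused source port {sport} toward {dport} {n} times")
```

A reused source port is a lead, not a verdict: NAT gateways and some proxies legitimately reuse ports, so pivot from a hit to the instance itself (listening sockets, loaded kernel modules, recent patch state) before acting. The check complements, rather than replaces, the patching of exposed services that Sophos recommends, because the flow log only shows that the allowed port was used, never what rode over it.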
Raccoon: a commodity infostealer.
CyberArk describes the current state of play involving the Raccoon information-stealing malware. It's a good example of the sort of commodity infostealer hawked in the black market as malware-as-a-service. Also known as "Racealer," "Legion," or "Mohazo," Raccoon was noticed in the wild in April of last year. It was originally offered in Russian-language souks, but has since gained popularity among English-speaking cybercriminals. It's cheap (you can hire it for $75 a week, or if you prefer at the low, low price of just $200 a month), and has the kinds of features hoods want (it's designed to grab login credentials, payment card information, browser data such as cookies, autofill text, and history, and of course the contents of cryptocurrency wallets). It's usually delivered either by phishing or by exploit kits, to which users running vulnerable browsers or browser plugins are redirected from a malicious or compromised site. High-end cybercriminals may sniff at Raccoon's relative lack of sophistication, but the malware does the job, and the low-end hoods who buy it are into cash, not cachet. They seem generally happy with their subscription and the customer support that comes with malware-as-a-service. Common sense, decent anti-virus, and sound cyber hygiene are, CyberArk recommends, the best first steps to defend against Raccoon. That the malware remains successful suggests that many fail to take even these measures.
NRC incident prompts concerns about security of patients' personal information.
NRC Health, which administers patient satisfaction surveys for medical facilities, detected a ransomware attack on February 11th, and according to CNBC "shut down its 'entire environment'" as a precautionary measure. We're now accustomed to regarding ransomware infections as carrying a significant risk of data exposure. The extortionists using most of the more popular ransomware strains increasingly exfiltrate their victims' data before encrypting it. The threat of data exposure not only lends additional weight to ransom demands, but it also represents a potential additional revenue stream, as the data may be sold on the black market. NRC Health says it's working to restore its systems and return to full operation, and no data exposure has so far been reported. Patient surveys have become increasingly important to healthcare providers: healthcare regulators increasingly require evidence of patient satisfaction when determining how much they'll reimburse hospitals, so a vendor like NRC Health holds data that matters to both patients and providers.