Threat Intelligence

3/13/2018
12:30 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Kaspersky Lab: Chinese-Speaking APT Actor Spying on Pharmaceutical Firms

Woburn, MA – March 13, 2018 – Kaspersky Lab researchers have discovered evidence of anemerging and alarming trend: an increasing amount of advanced cyberthreat actors are turning their attention to attacks against the healthcare sector. The infamous PlugX malware has been detected in pharmaceutical organizations in Vietnam, aimed at stealing drug formulas and business information.

PlugX malware is a well-known remote access tool (RAT). It is usually spread via spear phishing and has previously been detected in targeted attacks against the military, government and political organizations. The RAT has been used by a number of Chinese-speaking cyberthreat actors, including Deep Panda, NetTraveler or Winnti. In 2013, it was discovered that the latter - responsible for attacking companies in the online gaming industry - had been using PlugX since May 2012. Interestingly, Winnti has also been present in attacks against pharmaceutical companies, where the aim has been to steal digital certificates from medical equipment and software manufacturers.

PlugX RAT allows attackers to perform various malicious operations on a system without the user’s permission or authorization, including (but not limited to) copying and modifying files, logging keystrokes, stealing passwords and capturing screenshots of user activity. PlugX, as with other RATs, is used by cybercriminals to discreetly steal and collect sensitive or profitable information for malicious purposes.

RAT usage in attacks against pharmaceutical organizations indicates that sophisticated APT actors are showing an increased interest in capitalizing on the healthcare sector.

Kaspersky Lab products successfully detect and block the PlugX malware.

“Private and confidential healthcare data is steadily migrating from paper to digital form within medical organizations,” said Yury Namestnikov, security researcher, Kaspersky Lab. “While the security of the network infrastructure of this sector is sometimes neglected, the hunt by APTs for information on advancements in drug and equipment innovation is truly worrying. Detections of PlugX malware in pharmaceutical organizations demonstrate yet another battle that we need to fight – and win - against cybercriminals.”

Other key findings for 2017 in the research include:

  • More than 60 percent of medical organizations had malware on their servers or computers;
  • Philippines, Venezuela and Thailand topped the list of countries with attacked devices in medical organizations.

In order to stay protected, Kaspersky Lab experts advise businesses to take the following measures:

  • Remove all nodes that process medical data from public and secure public web portals;
  • Automatically update installed software using patch management systems on all nodes, including servers;
  • Perform network segmentation: refrain from connecting expensive equipment to the main LAN of your organization;
  • Use a proven corporate grade security solution in combination with anti-targeted attack technologies and threat intelligence, such as Kaspersky Threat Management and Defense solution. These are capable of spotting and catching advanced targeted attacks by analyzing network anomalies and giving cybersecurity teams full visibility over the network and response automation.

To learn more about PlugX attacks and healthcare cybersecurity, read our blogpost onSecurelist.com.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
'Hidden Tunnels' Help Hackers Launch Financial Services Attacks
Kelly Sheridan, Staff Editor, Dark Reading,  6/20/2018
Inside a SamSam Ransomware Attack
Ajit Sancheti, CEO and Co-Founder, Preempt,  6/20/2018
Tesla Employee Steals, Sabotages Company Data
Jai Vijayan, Freelance writer,  6/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-12697
PUBLISHED: 2018-06-23
A NULL pointer dereference (aka SEGV on unknown address 0x000000000000) was discovered in work_stuff_copy_to_from in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30. This can occur during execution of objdump.
CVE-2018-12698
PUBLISHED: 2018-06-23
demangle_template in cplus-dem.c in GNU libiberty, as distributed in GNU Binutils 2.30, allows attackers to trigger excessive memory consumption (aka OOM) during the "Create an array for saving the template argument values" XNEWVEC call. This can occur during execution of objdump.
CVE-2018-12699
PUBLISHED: 2018-06-23
finish_stab in stabs.c in GNU Binutils 2.30 allows attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact, as demonstrated by an out-of-bounds write of 8 bytes. This can occur during execution of objdump.
CVE-2018-12700
PUBLISHED: 2018-06-23
A Stack Exhaustion issue was discovered in debug_write_type in debug.c in GNU Binutils 2.30 because of DEBUG_KIND_INDIRECT infinite recursion.
CVE-2018-11560
PUBLISHED: 2018-06-23
The webService binary on Insteon HD IP Camera White 2864-222 devices has a stack-based Buffer Overflow leading to Control-Flow Hijacking via a crafted usr key, as demonstrated by a long remoteIp parameter to cgi-bin/CGIProxy.fcgi on port 34100.