This week, Community Health Systems Inc. (CHS), which operates more than 200 hospitals across the United States, reported a major data breach affecting at least 4.5 million people, and that is only the beginning of the story. The 8-K filing made with the U.S. Securities and Exchange Commission gave general information about the compromise but few details about how it occurred.
According to the filing, the organization brought in security firm Mandiant to investigate the breach; Mandiant attributes the attack to an “Advanced Persistent Threat” group operating out of China. The filing says the group used sophisticated malware to exfiltrate the data: “The attacker was able to bypass the Company’s security measures and successfully copy and transfer certain data outside the Company.” It does not say how the attackers got into the company’s network.
Yesterday, the FBI issued an alert through the FBI Liaison Alert System with more details on the malware in question. Tripwire has issued a VERT Alert describing how to create custom Tripwire IP360 rules to detect the known versions of that malware.
The FBI alert provided two potential indicators, as well:
The malware sends outbound traffic over the standard HTTP/HTTPS ports 80 and 443 (possibly others) and obfuscates that traffic by XORing it with the single byte 0x36. The FBI alert gives the following Snort signature for the beacon (the first content match is the first byte of the payload; the second must fall within the seven bytes starting at payload offset 3):
alert tcp any any -> any any (content:"|6E|"; depth:1; content:"|36 36 36 58 36 36 36|"; offset:3; depth:7; msg:"Beacon C2"; sid:1000000001; rev:0;)
Once this rule is deployed on IDS sensors or firewalls and the resulting events are forwarded to Tripwire Log Center, they can be correlated to trigger alerts and integrated into reporting.
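As an added illustration (not code from the FBI alert or from Tripwire), the following Python models the two content checks of that Snort rule and runs them over a few constructed payloads. The alert does not describe the beacon's actual protocol layout, so the sample beacon below is built only so that it satisfies the rule; the decoded bytes shown are simply the rule's bytes XORed with 0x36.

```python
# Added example, not from the FBI alert or Tripwire's VERT alert: a Python
# model of the "Beacon C2" Snort rule above, applied to constructed sample
# payloads. The beacon's real protocol layout is not described in the alert;
# the sample below is built only so that it triggers the rule.

XOR_KEY = 0x36  # single-byte key named in the FBI alert

# The two content matches of the rule:
#   content:"|6E|"; depth:1                              -> payload[0] == 0x6E
#   content:"|36 36 36 58 36 36 36|"; offset:3; depth:7  -> the 7-byte pattern
#       must lie entirely inside bytes 3..9, so it can only start at byte 3.
# Snort's offset/depth count from the start of the payload (unlike the
# relative distance/within modifiers).
FIRST_BYTE = 0x6E
PATTERN = bytes.fromhex("36363658363636")
PATTERN_OFFSET = 3
PATTERN_DEPTH = 7


def xor_obfuscate(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with a one-byte key. The operation is its own inverse,
    so the same call both obfuscates and de-obfuscates."""
    return bytes(b ^ key for b in data)


def matches_beacon_c2(payload: bytes) -> bool:
    """Return True if the TCP payload satisfies both content checks of the rule."""
    if len(payload) < PATTERN_OFFSET + PATTERN_DEPTH:
        return False
    if payload[0] != FIRST_BYTE:
        return False
    window = payload[PATTERN_OFFSET:PATTERN_OFFSET + PATTERN_DEPTH]
    # depth:7 with a 7-byte pattern leaves no slack: the window must equal it.
    return window == PATTERN


def scan_flows(flows):
    """Apply the rule to (label, dst_port, payload) tuples and return the labels
    that alert. The rule is 'any any -> any any', so the port plays no part."""
    return [label for label, _port, payload in flows if matches_beacon_c2(payload)]


# Constructed beacon: the rule's bytes are the XOR-0x36 form of this cleartext,
# i.e. 0x6E ^ 0x36 == 0x58 ('X') and 0x58 ^ 0x36 == 0x6E ('n').
CLEARTEXT_HEADER = b"X\x00\x00\x00\x00\x00n\x00\x00\x00"
SAMPLE_BEACON = xor_obfuscate(CLEARTEXT_HEADER)

SAMPLE_FLOWS = [  # constructed, not captured traffic
    ("beacon over 443", 443, SAMPLE_BEACON),
    ("beacon over 8080", 8080, SAMPLE_BEACON + xor_obfuscate(b"\x00\x01\x02")),
    ("ordinary GET", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # Same bytes, but the pattern begins at byte 4: outside offset:3/depth:7.
    ("pattern one byte late", 80, bytes([FIRST_BYTE, 0, 0, 0]) + PATTERN),
]

if __name__ == "__main__":
    print("obfuscated:", SAMPLE_BEACON.hex(" "))
    print("decoded   :", xor_obfuscate(SAMPLE_BEACON))
    print("alerts    :", scan_flows(SAMPLE_FLOWS))
```

The last sample flow is the edge case worth remembering when tuning the rule: the same seven bytes one position later do not alert, because offset and depth pin the match to bytes 3 through 9 of the payload. Conversely, because the header is `any any -> any any`, a beacon on a non-standard port still alerts.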
The malware runs as a Windows service named ‘RasWmi (Remote Access Service)’, backed by the malicious DLL C:\Windows\system32\wbem\raswmi.dll. The implant is installed by an executable (observed under a variety of file names) that drops raswmi.dll into that directory and registers it to run as a service.
Attack Vector – Spear Phishing or Heartbleed
Two methods of initial intrusion into the network have been reported. The FBI alert states that the initial intrusion method is unknown, but that a spear phishing email was likely used to deliver the initial malware.
Security firm TrustedSec, however, reports that it has learned from an anonymous source involved in the investigation that the intrusion resulted from an exploit of the infamous Heartbleed vulnerability in an unpatched Juniper network device, which let the attackers harvest system credentials from the device’s memory.