Friday, August 19, 2016



Complete DHS Report for August 19, 2016

Daily Report

Top Stories

• Authorities are searching August 17 for a group suspected of stealing tens of thousands of dollars from more than 100 people in St. Paul, Minnesota, after installing skimming devices on 2 ATMs at area banks. – KARE 11 Minneapolis

3. August 17, KARE 11 Minneapolis – (Minnesota) Thousands stolen with ATM skimmers in St. Paul. Authorities are searching August 17 for a group suspected of stealing tens of thousands of dollars from more than 100 people in St. Paul, Minnesota, after installing skimming devices on 2 ATMs at a Bremer Bank branch and a Top Line Federal Credit Union branch in St. Paul. Source: http://www.kare11.com/news/suspects-stealing-atm-card-information/300877065

• A Miami resident pleaded guilty August 15 for his role in a $4.2 million health care fraud scheme where he facilitated the submission of fraudulent claims to Medicare beginning in March 2014. – U.S. Department of Justice

12. August 15, U.S. Department of Justice – (Florida) Miami man pleads guilty to fraud charges for role in $4.2 million home health care scheme. A Miami resident pleaded guilty August 15 for his role in a $4.2 million health care fraud scheme where he was recruited by the owners of Golden Home Health Care Inc. to falsely and fraudulently represent himself as an owner of the company, and signed Medicare applications and other documents in order to facilitate the submission of fraudulent claims to Medicare beginning in March 2014. Officials stated that two co-conspirators were charged for their roles in the scheme in June 2016. Source: https://www.justice.gov/opa/pr/miami-man-pleads-guilty-fraud-charges-role-42-million-home-health-care-scheme

• Cisco released security patches after The Shadow Brokers, a group selling stolen hacking tools, leaked tools that contain exploits to leverage a zero-day vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) software, which can lead to remote code execution. – Softpedia. See item 17 below in the Information Technology Sector.

• The governor of Pennsylvania issued $25.7 million in funding August 17 for repairs at 5 high-hazard dams in the State, including Donegal Lake in Westmoreland County and Somerset Lake in Somerset County. – Pittsburgh Tribune-Review

23. August 17, Pittsburgh Tribune-Review – (Pennsylvania) State releases $25.7M to repair unsafe dams at Donegal, Somerset lakes. The governor of Pennsylvania issued $25.7 million in funding August 17 for repairs at 5 high-hazard dams in the State, including Donegal Lake in Westmoreland County and Somerset Lake in Somerset County, as well as 3 other dams. Officials stated the funding will also pay for the start of design work on dams in Belmont Lake and Lower Woods Pond in Wayne County. Source: http://triblive.com/news/westmoreland/10985948-74/lake-dams-county

Financial Services Sector

3. August 17, KARE 11 Minneapolis – (Minnesota) Thousands stolen with ATM skimmers in St. Paul. Authorities are searching August 17 for a group suspected of stealing tens of thousands of dollars from more than 100 people in St. Paul, Minnesota, after installing skimming devices on 2 ATMs at a Bremer Bank branch and a Top Line Federal Credit Union branch in St. Paul. Source: http://www.kare11.com/news/suspects-stealing-atm-card-information/300877065

Information Technology Sector

16. August 18, SecurityWeek – (International) Cisco patches critical flaws in Firepower Management Center. Cisco released patches for its Firepower Management Center to address several flaws in the appliance’s Web-based graphical user interface (GUI) including a medium-severity cross-site scripting (XSS) flaw, a critical vulnerability that could allow an authenticated attacker to remotely execute arbitrary commands on a device with root-level privileges, and a flaw that could allow an authenticated attacker to elevate user account privileges due to insufficient authorization checking in the Firepower Management Center and the Cisco ASA 5500-X series with select versions of FirePOWER Services. Cisco researchers stated there is no evidence the flaws have been exploited in the wild. Source: http://www.securityweek.com/cisco-patches-critical-flaws-firepower-management-center

17. August 17, Softpedia – (International) Cisco patches zero-day included in Shadow Brokers leak. Cisco released security patches after The Shadow Brokers, a group selling hacking tools stolen from the Equation Group, leaked tools that contain exploits to leverage two vulnerabilities, one of which is a zero-day vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) software, which can allow an unauthenticated attacker to cause a reboot of affected products and lead to remote code execution (RCE). Cisco researchers found that the exploits also leverage a vulnerability in the command-line interface (CLI) parser of ASA software that could allow an authenticated, local attacker to execute arbitrary code on the device or create a denial-of-service (DoS) condition. Source: http://news.softpedia.com/news/cisco-patches-zero-day-exposed-in-shadow-brokers-leak-507410.shtml

18. August 17, Softpedia – (International) WordPress plugin hijacks websites to show payday loan ads. WordFence researchers discovered the authors of the 404 and 301 WordPress plugin were hijacking the content of other Web sites by adding code to the original Web site in order to show search engine optimization (SEO) spam email on a user’s homepage and to display ads for payday loan services. The plugin authors removed the code responsible for delivering the ads and researchers stated version 2.3.0 is safe to use. Source: http://news.softpedia.com/news/wordpress-plugin-hijacks-websites-to-show-payday-loan-ads-507402.shtml

19. August 17, Softpedia – (International) Adwind RAT rebrands yet again, this time as JBifrost. Fortinet researchers discovered that the criminal group behind the Adwind remote access trojan (RAT) rebranded the malware as JBifrost and updated the malware to include a new column that shows an infected system’s keyboard status, a column that shows the title of the victim’s current window, a new feature that enables attackers to steal data from Web forms displayed in the Google Chrome browser, and a new tab called Misc that enables users to configure additional JBifrost servers. Researchers also found that JBifrost only accepts Bitcoin and that the RAT’s Web site now requires an invitation code to register and purchase the malware. Source: http://news.softpedia.com/news/adwind-rat-rebrands-yet-again-this-time-as-jbifrost-507395.shtml

Communications Sector

Nothing to report