Thursday, October 27, 2016



Complete DHS Report for October 27, 2016

Daily Report                                            

Top Stories

• Subaru issued a recall October 26 for over 100,000 of its model years 2007 – 2014 vehicles in select makes due to a faulty relay that controls a secondary air injection pump, which can cause the pump to run continuously and overheat. – Associated Press

2. October 26, Associated Press – (National) Subaru recalls 4 models; turbo air pump can catch fire. Subaru issued a recall October 26 for over 100,000 of its model years 2007 – 2014 vehicles in select makes equipped with turbocharged engines sold in the U.S. due to a faulty relay that controls a secondary air injection pump, which can cause the pump to run continuously and overheat, thereby increasing the risk of a fire. Source: http://www.foxbusiness.com/markets/2016/10/26/subaru-recalls-4-models-turbo-air-pump-can-catch-fire.html

• A Federal judge approved October 25 a nearly $15 billion settlement with the Federal Government, the State of California, and the Volkswagen Group after the automaker admitted that it rigged 11 million vehicles with software designed to cheat emissions standards. – USA Today

3. October 25, USA Today – (National) Judge approves $15B Volkswagen settlement. A Federal judge approved October 25 a nearly $15 billion settlement with the Federal Government, the State of California, and the Volkswagen Group after the automaker admitted that it rigged 11 million vehicles internationally with software designed to cheat emissions standards. As part of the settlement, Volkswagen must pay $2.7 billion for environmental mitigation and initiate a vehicle buyback program which offers 475,000 Volkswagen owners in the U.S. the choice between a buyback or a free fix and compensation, among other requirements. Source: http://www.usatoday.com/story/money/cars/2016/10/25/volkswagen-settlement-approved/92719174/

• Life Care Centers of America Inc. and its owner agreed October 24 to pay $145 million after the company submitted false claims to Medicare and Tricare for rehabilitation therapy services that were medically unnecessary. – U.S. Department of Justice

11. October 24, U.S. Department of Justice – (National) Life Care Centers of America Inc. agrees to pay $145 million to resolve False Claims Act allegations relating to the provision of medically unnecessary rehabilitation therapy services. Life Care Centers of America Inc. and its owner agreed October 24 to pay $145 million to resolve alleged False Claims Act violations after the company submitted false claims to Medicare and Tricare for rehabilitation therapy services that were unreasonable and medically unnecessary, and sought to keep patients at the facilities longer than necessary in order to increase its Medicare and Tricare billings for reimbursement between January 2006 and February 2013. Source: https://www.justice.gov/opa/pr/life-care-centers-america-inc-agrees-pay-145-million-resolve-false-claims-act-allegations

• A therapist at JH Physical Therapy in Walnut, California, pleaded guilty October 24 for his role in a $2.6 million Medicare fraud scheme. – U.S. Department of Justice

12. October 24, U.S. Department of Justice – (California) Licensed occupational therapist pleads guilty to $2.6 million Medicare fraud conspiracy. A licensed occupational therapist at JH Physical Therapy in Walnut, California, pleaded guilty October 24 for his role in a $2.6 million Medicare fraud scheme where he and co-conspirators fraudulently billed Medicare for occupational therapy services that were not provided to Medicare beneficiaries between October 2009 and December 2012. The charges state that of the roughly $2.6 million billed in false claims, Medicare paid the group more than $1.8 million. Source: https://www.justice.gov/opa/pr/licensed-occupational-therapist-pleads-guilty-26-million-medicare-fraud-conspiracy
  
Financial Services Sector

Nothing to report

Information Technology Sector

15. October 26, SecurityWeek – (International) Data leaked by pagers useful for critical infrastructure attacks. Trend Micro security researchers reported that pagers used in industrial control systems (ICS) were susceptible to targeted attacks, as the messages sent to the devices are unencrypted, thereby allowing hackers to easily intercept the information regarding the operation of a facility and potentially use that information in a targeted social engineering attack against the company. Trend Micro found that messages sent by nuclear plants, chemical facilities, defense contractors, HVAC manufacturers, and power substations via pagers leaked potentially sensitive information. Source: http://www.securityweek.com/data-leaked-pagers-useful-critical-infrastructure-attacks

16. October 26, Threatpost – (International) Major vulnerability found in Schneider
Electric Unity Pro. Indegy security researchers discovered that Schneider Electric’s Unity Pro PLC Simulator component of its Unity Pro software was plagued with a critical vulnerability that could allow hackers to remotely execute code on industrial networks if the Internet Protocol (IP) address of the Microsoft Windows PC running the software is accessible to the Internet, as the software allows any user to remotely run code directly on any device with Unity Pro installed. The flaw, which affects all versions prior to and including 11.1, could allow attackers to impact the production process within an industrial control system (ICS) physical environment. Source: https://threatpost.com/major-vulnerability-found-in-schneider-electric-unity-pro/121550/

17. October 25, SecurityWeek – (International) Apple patches multiple flaws in iOS, macOS, Sierra, Safari. Apple released version 10.1 for its mobile operating system (iOS) patching 13 vulnerabilities affecting components such as FaceTime, Kernel, Security, and WebKit, among others, which could allow an attacker to run arbitrary code on the affected devices, leak sensitive user information, and execute arbitrary code with root privileges, among other malicious actions. Apple also released Sierra version 10.12.1 resolving 16 vulnerabilities that could result in privilege escalation, denial-of-service (DoS) conditions, process memory disclosure, and arbitrary code execution, as well as Safari version 10.0.1 resolving 3 vulnerabilities affecting WebKit, among other patches. Source: http://www.securityweek.com/apple-patches-multiple-flaws-ios-macos-sierra-safari

18. October 25, SecurityWeek – (International) Critical vulnerabilities patched in Joomla. Joomla released version 3.6.4 addressing two critical account creation vulnerabilities in its content management system (CMS) versions 3.4.4 through 3.6.3, including a flaw that could allow an attacker to register on a Website even if registration has been disabled due to inadequate checks. The second vulnerability can be exploited by users to register on a Website with elevated privileges due to an incorrect use of unfiltered data. Source: http://www.securityweek.com/critical-vulnerabilities-patched-joomla

For another story, see item 4 below from the Commercial Facilities Sector

4. October 24, Threatpost – (International) Rowhammer vulnerability comes to Android. Security researchers discovered attackers could employ the Rowhammer attack to exploit an Android vulnerability, dubbed Drammer in order to achieve root-level access on millions of Android handsets including Nexus, Samsung, LG, and Motorola due to a hardware flaw in the Dynamic Random Access Memory (DRAM) memory modules. Researchers reported that Rowhammer targets rows of memory cells in DRAM devices to cause cells to flip from one state to another, thereby allowing for memory manipulation. Source: https://threatpost.com/rowhammer-vulnerability-comes-to-android/121480/

Communications Sector

Nothing to report