CYBER SECURITY – WEEKLY REPORT (July 5, 2017)


SUMMARY REMARKS

India and other developing countries are proving to be an ‘ideal testing ground’ for unknown state-sponsored hackers to test their newest, most creative and potentially most dangerous types of cyberattacks using artificial intelligence. One of the earliest instances of that sort of malware was found in India, not in Britain or the USA. As developing economies rush to go online, they provide a fertile testing ground for hackers trying their skills in an environment where they can evade detection before deploying them against the most advanced defenses. The cyberattack in India used malware that could learn as it was spreading, and altered its methods to stay in the system for as long as possible. Those were “early indicators” of A.I., according to the cybersecurity company Darktrace. Essentially, the malware could figure out its surroundings and mimic the behavior of the system’s users, though Darktrace said the firm had found the program before it could do any damage.

With China raising a ‘battle cry’ against India following recent border skirmishes, the latter may face new cyber threats from Beijing. India is better served if it focuses on strengthening its cyber security measures on a war footing.

Last week’s “NotPetya” ransomware attack, which hit Europe and the US, appears to be more ‘targeted’ and ‘destructive’ than other recent attacks, according to Symantec. It differs in its ability to spread within a network and in its destructive nature. Contrary to experts’ opinion that the attackers were not financially motivated, the hackers behind the NotPetya ransomware picked up more than 8,000 British Pounds worth of Bitcoins in the form of ransom. They also offered to decrypt every single infected computer for a one-off payment of 200,000 British Pounds. This suggests that the cash motivation may be more significant than it was earlier thought. But that could still be a ‘smokescreen’. The perpetrators of the attack may never be traced, but researchers have found links between the BlackEnergy APT group and the hackers behind the NotPetya code. This may prove useful in identifying the culprits.

INTER-STATE CYBER WARFARE

Hackers Find ‘Ideal Testing Ground’ for Attacks: Developing Countries

https://www.nytimes.com/2017/07/02/technology/hackers-find-ideal-testing-ground-for-attacks-developing-countries.html?rref=collection%2Fsectioncollection%2Ftechnology&action=click&contentCollection=technology&region=rank&module=package&version=highlights&contentPlacement=2&pgtype=sectionfront  Security experts had predicted malicious software using artificial intelligence that could lead to a new digital arms race in which A.I.-driven defenses battled A.I.-driven offenses while humans watched from the sidelines. But what was not as widely predicted was that one of the earliest instances of that sort of malware was found in India, not in a sophisticated British banking system or a government network in the United States. Security researchers are increasingly looking in countries outside the West to discover the newest, most creative and potentially most dangerous types of cyberattacks being deployed. As developing economies rush to go online, they provide a fertile testing ground for hackers trying their skills in an environment where they can evade detection before deploying them against a company or state that has more advanced defenses.

Germany Warns of Hacking Leaks by Russia Ahead of Election

https://www.wsj.com/articles/germany-warns-of-hacking-leaks-ahead-of-election-1499171739  The German Interior Minister said, “We have witnessed efforts to influence the elections in America, we have witnessed efforts to influence the vote in France. We have every reason to believe that this originated in Russia.” “We can therefore not rule out, and must prepare ourselves for, similar attempts with regards to the elections in Germany,” he said. The minister said it was noteworthy that an extensive amount of communication from the Bundestag, parliament’s lower house, had been siphoned off in the 2015 attack but never released. Germany’s domestic intelligence agency said later that a suspected Russian hacker group known as Sofacy or APT28, linked to politically motivated hacks across the world, appears to have conducted the hack.

Hacks Raise Fear Over N.S.A.’s Hold on Cyberweapons

https://www.nytimes.com/2017/06/28/technology/ransomware-nsa-hacking-tools.html?rref=collection%2Fsectioncollection%2Ftechnology&action=click&contentCollection=technology&region=stream&module=stream_unit&version=latest&contentPlacement=9&pgtype=sectionfront   Twice in the past month, National Security Agency cyberweapons stolen from its arsenal have been turned against two very different partners of the United States — Britain and Ukraine. The N.S.A. has kept quiet, not acknowledging its role in developing the weapons. White House officials have deflected many questions, and responded to others by arguing that the focus should be on the attackers themselves, not the manufacturer of their weapons.  But the silence is wearing thin for victims of the assaults, as a series of escalating attacks using N.S.A. cyberweapons have hit hospitals, a nuclear site and American businesses. Now there is growing concern that United States intelligence agencies have rushed to create digital weapons that they cannot keep safe from adversaries or disable once they fall into the wrong hands. The calls for the agency to address its role in the latest attacks grew louder, as victims and technology companies cried foul.

Attacks on Israeli hospitals not linked to ransomware virus

http://www.timesofisrael.com/staying-humble-is-key-to-staying-safe-says-israels-cyber-chief/ The Israeli National Cyber Authority said that a cyberattack targeting Israeli hospitals was smaller than previously believed and was not in fact connected to a ransomware virus affecting computers worldwide, despite earlier reports. While eight hospitals were originally thought to have been targeted, it turned out that only two were affected. It also said that the incident was not linked to an international ransomware attack targeting computer networks last week, namely in Ukraine and Russia, and emphasized that no damage was caused. The Israeli CERT is connected via a specially dedicated cyber-net to some 100 organizations and can immediately know whether attacks are isolated incidents or widespread. Accordingly, it issues instructions on how to deal with the problem, and if necessary a team is dispatched to the site of the attack.

NOTPETYA RANSOMWARE

Hackers who targeted Ukraine clean out bitcoin ransom wallet

https://www.theguardian.com/technology/2017/jul/05/notpetya-ransomware-hackers-ukraine-bitcoin-ransom-wallet-motives The hackers behind the NotPetya ransomware, which wiped computers in more than 60 countries in late June, have moved more than £8,000 worth of bitcoins out of the account used to receive the ransoms. The transfer has added credence to messages purporting to be from the attackers offering to decrypt every single infected computer for a one-off payment of £200,000, after security researchers suggested they may be state-sponsored actors. As the majority of infections occurred in Ukraine, many, including the Ukrainian government, suspected Russian involvement as part of the ongoing cyberwar between the two countries. Hackers offering to decrypt files for money suggests that the cash motivation may be more significant than thought, but that too could be misdirection.

Symantec views Petya as more ‘destructive’ than other ransomware attacks

https://insidecybersecurity.com/daily-news/symantec-views-petya-more-destructive-other-ransomware-attacks  The latest ransomware attack to hit Europe and the United States is more “targeted” and “destructive” than other recent attacks, said Symantec Director of Governmental Affairs William Wright in a presentation to government advisers. The Petya attack, which originated this week in Ukraine, extended throughout Europe and targeted the United States, reflects a year-long trend of increased ransomware attacks, but differs in its ability to spread within a network and in its destructive nature. He said it was not financially motivated. He said the design of the attack made it difficult for the perpetrators to “unencrypt” data and networks held hostage, and that ransom messages written in English, rather than in the local language of affected areas, were indications of the malicious rather than profit-driven nature of the attack.

Researchers find Blackenergy APT links in ExPetr Code

https://threatpost.com/researchers-find-blackenergy-apt-links-in-expetr-code/126662/  Researchers have found links between the BlackEnergy APT group and the threat actors behind the ExPetr malware used in last month’s global attacks. According to researchers at Kaspersky Lab, there are strong similarities between older versions of BlackEnergy’s KillDisk ransomware and the ExPetr code. “Of course, this should not be considered a sign of a definitive link, but it does point to certain code design similarities between these malware families,” they wrote. The research could prove beneficial in determining who the threat actors behind ExPetr, the wiper malware that sabotaged thousands of PCs, are. Similar research by ESET also found links between ExPetr and BlackEnergy. According to ESET, a group with ties to BlackEnergy called TeleBots was behind the ExPetr outbreak. Both BlackEnergy and TeleBots have a history of targeting critical infrastructure and banks in Ukraine.

Analysis of TeleBots’ cunning backdoor

https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/  The June 27 attack by the malware Diskcoder.C (aka ExPetr, Petya or NotPetya) is attributed to the TeleBots group. This article reveals details about the initial distribution vector that was used during the DiskCoder.C outbreak. As the analysis shows, this was a thoroughly well-planned and well-executed operation. The researchers assume that the attackers had access to the M.E.Doc application source code. They had time to learn the code and incorporate a very stealthy and cunning backdoor. The size of the full M.E.Doc installation is about 1.5GB, and there is no way at this time to verify that there are no other injected backdoors. There are still questions to answer. How long has this backdoor been in use? What commands and malware other than DiskCoder.C or Win32/Filecoder.AESNI.C have been pushed via this channel? What other software update supply chains might the gang behind this attack have already compromised but not yet weaponized?

ExPetr called a Wiper attack, not Ransomware

https://threatpost.com/expetr-called-a-wiper-attack-not-ransomware/126614/  The outbreak of the ExPetr malware isn’t a ransomware attack; more precisely, it’s a wiper attack that sabotaged PCs globally, overwriting their Master Boot Record permanently. That’s the analysis of security experts from Kaspersky Lab and Comae Technologies who shared their latest research on this outbreak. The good news about the outbreak is that the initial attack wave is over. Comae’s Suiche said most of the damage from ExPetr has already been done. “So, if you haven’t been affected by now it’s very unlikely you are going to be,” he said. The initial infection, unlike WannaCry, was one big wave, he said.

Cybersecurity: Learn What a Wiper is Before It Affects You

https://www.spe.org/en/ogf/ogf-article-detail/?art=3139  The malware that hit many businesses around the world on 27 June, including Rosneft, Maersk, and the Chernobyl nuclear power plant, and was initially reported as ransomware, wasn’t. It was worse: a “wiper” disguised as ransomware. And many cybersecurity experts think it may have been an initial test run of a new concoction of crimeware. A wiper erases data from victims’ computer drives, unlike ransomware, which holds the data hostage until payment is made to the attacker. It appears to be a hybrid of WannaCry (ransomware that hit in mid-May) and Mimikatz, an open-source utility that enables the capture of credential information. Mimikatz steals network credentials, which are then used to move through the whole network impersonating legitimate users. A single infected system on the network processing administrative credentials is capable of spreading the infection to all the other computers.

CYBER CRIME

Four arrested as Microsoft and UK police team up to crack down on technical support scammers

https://www.welivesecurity.com/2017/06/28/four-arrested-microsoft-uk-police-team-crack-technical-support-scammers/  Four people have been arrested after a two-year investigation by Microsoft and British police forces into telephone scams which prey upon the vulnerable, tricking them into believing their computers have been infected by malware. In a typical technical support scam operation, fraudsters work their way through the telephone book, ringing up people under the guise of working for Microsoft or an affiliated company. In other instances, the scam begins with a pop-up message appearing on a user’s computer telling them to call “Microsoft Technical Support.” Action Fraud, the UK’s centre for reporting fraud and cybercrime, says that it received 34,504 reports of tech support scams in the financial year 2016/17, and believes the losses sustained amount to £20,698,859. The figures account for 12% of all reports to Action Fraud, making it the third most reported type of fraud.

Hackers steal Bitcoin funds from Bithumb exchange traders

http://www.bbc.com/news/technology-40506609  One of the world’s largest cyber-currency exchanges is under investigation after it acknowledged that one of its employees’ PCs had been hacked. South Korea-based Bithumb has said that it believes personal details of more than 30,000 of its customers were stolen as a result. It appears the data was subsequently used to fool users into letting thieves steal funds from their accounts.

CYBER-SECURITY

For Infosys, blockchain and AI are opening new doors in India’s digital payments market

https://qz.com/1020325/for-infosys-blockchain-and-artificial-intelligence-are-opening-new-doors-in-indias-digital-payments-business/  Digital payments are rapidly disrupting the cash-friendly nation’s spending habits. In an April 2017 global survey on internet security and trust, a whopping 86% of Indians said they would likely use mobile payments over the next year, well above the world average of 57%. By 2020, Asia’s third-largest economy is poised to have a $500 billion digital payments market, contributing 15% of the country’s GDP. And IT giant Infosys is at the forefront of this change.

The State of IoT Security: Not Good

https://www.enterprisetech.com/2017/06/30/state-iot-security-not-good/  IoT security today is very much in its infancy. Yet IoT is growing at an explosive rate. Research firm Statista, one of the leading statistics companies on the internet, projects the number of internet-connected devices to grow from 17 billion in 2016 to 75 billion by 2025. A nascent security landscape coupled with tremendous growth has the potential to result in security attacks larger than we have ever seen and with higher impact on our society. For example, a malware named “Mirai” brought down a significant part of the internet in North America in 2016 when it created a deliberate spike in internet traffic by turning cameras and baby monitors into a bot attack.

Hackers could use brainwaves to steal passwords

http://www.homelandsecuritynewswire.com/dr20170630-hackers-could-use-brainwaves-to-steal-passwords  Researchers at the University of Alabama at Birmingham suggest that brainwave-sensing headsets, also known as EEG or electroencephalograph headsets, need better security after a study revealed hackers could guess a user’s passwords by monitoring their brainwaves. EEG headsets are advertised as allowing users to use only their brains to control robotic toys and video games specifically developed to be played with an EEG headset. These emerging devices open immense opportunities for everyday users. However, they could also raise significant security and privacy threats as companies work to develop even more advanced brain-computer interface technology.

NIST emerges as key player in implementing Trump’s cybersecurity agenda

https://insidecybersecurity.com/daily-news/nist-emerges-key-player-implementing-trumps-cybersecurity-agenda  The National Institute of Standards and Technology is playing an active and central role in implementing President Trump’s cybersecurity agenda, as laid out in his executive order issued in the spring, which is intended to overhaul the government’s information technology systems to make them more secure, strengthen global ties and deter foreign cyber adversaries, and boost the resiliency of the nation’s critical infrastructure to growing threats. Trump’s order, issued in May, lays out about 20 deadlines and reports for assessing and mitigating cyber risks, with NIST having an active role in about half of those reports, while leading the drafting of three key efforts on international cooperation, cyber resiliency and workforce gaps.

Eshoo bill requires development of ‘baseline’ cyber practices based on NIST framework

https://insidecybersecurity.com/daily-news/eshoo-bill-requires-development-%E2%80%98baseline%E2%80%99-cyber-practices-based-nist-framework  A bipartisan House bill directing federal agencies to develop voluntary “baseline” cyber best practices for government, industry, and consumers calls for consistency with the federal framework of cybersecurity standards while directing the Department of Homeland Security to assess emerging threats from the Internet of Things. The practices would be voluntary, according to the bill, and should not be construed as mandatory actions. NIST must update the best practices on an annual basis, and they must be published “in a clear and concise format” and “made available prominently on the public websites.” DHS must within one year of enactment submit to Congress a study on cyber threats from the Internet of Things.

Banks tap hackathons for ideas to compete in digital world

http://www.business-standard.com/article/finance/banks-tap-hackathons-for-ideas-to-compete-in-digital-world-117062700723_1.html   Banks are opening up their platforms and data to people with ideas to improve their business in a digitally disruptive environment. Unlike in the past, banks such as State Bank of India, RBL and Axis Bank are organising hackathons to welcome youngsters to innovate digital solutions. HackerEarth, a start-up in Bengaluru that helps tech firms and banks to conduct hackathons and discover ideas and talent, says the exercise is a low cost and high impact programme for organisations to achieve their objectives.

VULNERABILITIES / PATCHES

Siemens Patches critical Intel AMT Flaw in Industrial products

https://threatpost.com/siemens-patches-critical-intel-amt-flaw-in-industrial-products/126652/  Siemens patched two critical vulnerabilities that affected its industrial products this week. One, tied to a recently disclosed flaw in Active Management Technology – a function of certain Intel processors – could have allowed an attacker to gain system privileges. Another vulnerability could have let an attacker upload and execute arbitrary code. Each issue received a CVSS v3 rating of 9.8, something that indicates the vulnerabilities are critical in nature.

Majority of sites fail Mozilla’s comprehensive security review

https://threatpost.com/majority-of-sites-fail-mozillas-comprehensive-security-review/126646/  A majority of the top 1 million websites earn an “F” letter grade when it comes to adopting defensive security technologies that protect visitors from XSS vulnerabilities, man-in-the-middle attacks, and cookie hijacking. The failing grades come from a comprehensive analysis published this week by the Mozilla Foundation using its Mozilla Observatory tool. According to a scan of the Alexa-ranked top 1 million websites, a paltry 0.013 percent of sites received an “A+” grade compared to 93.45 percent earning an “F”.
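As an added example (not code from Mozilla Observatory or the Threatpost article), a simplified response-header audit in Python that checks the defenses the scan graded on: HSTS against man-in-the-middle downgrade, CSP against XSS, and Secure/HttpOnly against cookie hijacking, plus clickjacking and MIME-sniffing headers. The weights, thresholds and the two sample responses are this example's own constructions, not Observatory's real scoring.

```python
"""Simplified HTTP response-header audit, in the spirit of Mozilla Observatory."""
import re
from typing import Dict, List, Tuple, Union

HeaderValue = Union[str, List[str]]

# Points deducted per finding; these weights are constructed for this example,
# not Observatory's real scoring.
PENALTY = {"hsts": 25, "csp": 25, "frame": 15, "nosniff": 10, "cookie": 10}


def _values(headers: Dict[str, HeaderValue], name: str) -> List[str]:
    """Case-insensitive lookup; Set-Cookie may legitimately repeat, so return a list."""
    out: List[str] = []
    for key, val in headers.items():
        if key.lower() == name:
            out.extend(val if isinstance(val, list) else [val])
    return out


def audit_headers(headers: Dict[str, HeaderValue]) -> Tuple[int, List[str]]:
    """Return (score out of 100, list of findings) for one response's headers."""
    score, findings = 100, []

    hsts = _values(headers, "strict-transport-security")
    match = re.search(r"max-age=(\d+)", hsts[0], re.I) if hsts else None
    if not match:
        findings.append("HSTS missing: first request can be downgraded to HTTP (MITM)")
        score -= PENALTY["hsts"]
    elif int(match.group(1)) < 15_552_000:  # 180 days, a common minimum
        findings.append("HSTS max-age shorter than 180 days")
        score -= PENALTY["hsts"] // 2

    csp = _values(headers, "content-security-policy")
    if not csp:
        findings.append("CSP missing: no browser-side XSS mitigation")
        score -= PENALTY["csp"]
    elif re.search(r"script-src[^;]*'unsafe-inline'", csp[0]):
        findings.append("CSP allows 'unsafe-inline' scripts, weakening XSS protection")
        score -= PENALTY["csp"] // 2

    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive will do.
    if not _values(headers, "x-frame-options") and not any("frame-ancestors" in c for c in csp):
        findings.append("No X-Frame-Options or CSP frame-ancestors: clickjacking possible")
        score -= PENALTY["frame"]

    if not any(v.strip().lower() == "nosniff" for v in _values(headers, "x-content-type-options")):
        findings.append("X-Content-Type-Options: nosniff missing: MIME sniffing possible")
        score -= PENALTY["nosniff"]

    for cookie in _values(headers, "set-cookie"):
        name = cookie.split("=")[0].strip()
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append(f"cookie {name!r} lacks {', '.join(missing)}: exposed to hijacking")
            score -= PENALTY["cookie"]

    return max(score, 0), findings


def letter_grade(score: int) -> str:
    """Map a score to a letter; thresholds are this example's, not Observatory's."""
    for floor, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= floor:
            return letter
    return "F"


# Constructed sample responses: a bare default server and a hardened one.
WEAK = {"Content-Type": "text/html", "Set-Cookie": ["session=abc123; Path=/"]}
HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        total, notes = audit_headers(hdrs)
        print(label, total, letter_grade(total), *notes, sep="\n  ")
```

Feed it the header dict from any `requests`/`urllib` response (collecting repeated Set-Cookie headers into a list) to grade a site you operate.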

RESOURCES

How to deter hackers: Follow these digital safety best practices

http://www.techrepublic.com/article/how-to-deter-hackers-follow-these-digital-safety-best-practices/?ftag=TREa988f1c&bhid=27547637924291379434650709219148  There is no hack-proof device. There is no single cure for the security challenges that trouble businesses, governments, and consumers. There are, however, best practices that can help you stay secure, deter hacking, and mitigate the damage if you are hacked. The checklists given on this website will help lock down and protect your digital life, keeping you one step ahead of the bad guys.

WhoDunit: The Mystery of the APT

http://www.techrepublic.com/resource-library/whitepapers/whodunit-the-mystery-of-the-apt/?promo=036&tag=nl.e036.em&ttag=e036&s_cid=e036&ftag=TREa988f1c&cval=wit2-fluid&bhid=27547637924291379434650709219148  Advanced Persistent Threats (APTs) are complex attacks, consisting of many different components. APTs pose a direct threat to businesses and organizations worldwide. Download the eBook from this website to learn more about APTs, how Kaspersky studies and investigates them, and how to protect your business from such attacks.

Special report: Cybersecurity in an IoT and mobile world

http://www.techrepublic.com/resource-library/whitepapers/special-report-cybersecurity-in-an-iot-and-mobile-world-free-pdf/?ftag=TREa988f1c&bhid=27547637924291379434650709219148  Mobile and IoT adoption continue to rise, enhancing communication and productivity across the enterprise and unleashing an avalanche of security concerns. This ebook, based on the latest ZDNet/TechRepublic special feature, looks at the risks of IoT and mobile and offers strategies and recommendations that can help protect your organization against cyberattack.

Act now to protect yourself against future attacks

http://www.business-standard.com/article/markets/act-now-to-protect-yourself-against-future-attacks-117070400742_1.html  Most malware exploits vulnerabilities within the OS. “These vulnerabilities are frequently patched by the creators of the OS. But if people use a pirated OS, or don’t upgrade it regularly, they could land in trouble,” says Tiwari. Soon after the WannaCry attack, Microsoft issued a patch. People who updated their computers regularly were not affected by it. Also, use the latest version of an OS. The article offers other safeguards you should adopt to protect your systems.
