CYBER SECURITY – WEEKLY REPORT (JUNE 28, 2017)


SUMMARY REMARKS

Hacker attacks using ransomware malware and its variants have become a new “normal”.  Even as the world is recovering from the ‘WannaCry’ ransomware attacks in May, another massive attack unfolded last week, spreading from a Ukrainian accounting software package.  Ukraine’s government systems, banks and electricity grid were the worst affected.  The Petya malware spread quickly to companies across the globe, from Europe to America.  China, which was badly affected in the attacks in May, was spared any serious damage this time around.  India too was spared, except for its largest container port in Mumbai, whose operations were affected by the crippling of the terminal contractor’s head office in The Hague, Netherlands. Reports from other Asian countries also suggested that many of the companies hit were the local arms of European and American corporations. The cybercrime unit of the Ukrainian police said that a software upgrade from M.E.Doc unwittingly contained the virus.

Many Western experts who investigated the series of attacks have concluded that these are not simple criminal acts of some ‘rogue’ hackers but well-planned, state-sponsored experiments in preparation for a future ‘cyber-war’.  The Ukraine attack was meant to paralyze, not profit, they say.  Many hitherto unknown cyber tools, stolen from the tool-kit of the National Security Agency (NSA), the American technical intelligence agency, are increasingly being used in these attacks.  New malware pieces like KillDisk, EternalBlue, DoublePulsar, etc., are at work.  All fingers point to Russian hackers, who are said to be sponsored by the government.  The evidence quoted includes the availability of the above tools on Russian-language hacker sites and Moscow’s adversarial relationship with Ukraine, which bore the brunt of the recent series of attacks. The experts believe that Russia is using the country as a cyberwar testing ground—a laboratory for perfecting new forms of global online combat.

Whether Russia is involved or not, the scariest fact is that a number of malware variants have been sitting unnoticed in our computer systems for months together, if not years.  No one seriously investigates them until there is a major break-down like the ransomware attacks.  Someone, be it the US, Russia or China, is watching our every movement, and the resulting database is a mine of information when a full-scale war breaks out.

China is fast heading toward operationalizing cyberspace in pursuit of its national strategies and the establishment of the Strategic Support Force, as its competition with the US gets sharper. CIMSEC, which calls this competition a ‘geoeconomic and geoinformational struggle’, has brought out a two-part series on the centrality of information operations and information war to the PRC’s approach toward its current struggle against the US.  China, meanwhile, signed a strange agreement with Canada vowing not to conduct state-sponsored cyberattacks against each other aimed at stealing trade secrets and other confidential business information.  This is a clear admission of its ongoing active operations.

India needs to gear itself up to defend against and chase out any offenders.  It has a large ‘ethical hacker’ community which could be mobilized.  Its cyber giants, like Infosys, TCS, Mahindra, etc., should feel some national responsibility and help the government arm itself to be in the ‘big league’.

NEW PETYA RANSOMWARE ATTACK

‘Petya’ ransomware attack strikes companies across Europe and US

https://www.theguardian.com/world/2017/jun/27/petya-ransomware-attack-strikes-companies-across-europe  Ukraine’s government, banks and electricity grid were hit hardest, but companies in France, Denmark and Pittsburgh, Pennsylvania were also attacked. Those who pay to have their data released are asked to send confirmation of payment to an email address. However, that email address has been shut down by the email provider. “We do not tolerate any misuse of our platform,” said the German email provider Posteo in a blog post. The attack was first reported in Ukraine, where the government, banks, the state power utility and Kiev’s airport and metro system were all affected. The radiation monitoring system at Chernobyl was taken offline, forcing employees to use hand-held counters to measure levels in the former nuclear plant’s exclusion zone.  Kaspersky Lab analysts say the new attacks are not a variant of the #Petya ransomware as publicly reported, but a new ransomware they call NotPetya.

New Petya Distribution Vectors bubbling to surface

https://threatpost.com/new-petya-distribution-vectors-bubbling-to-surface/126577/  While Microsoft and others continue to shore up links between the June 27 global ransomware outbreak and the update mechanism of the Ukrainian financial software provider MEDoc, others are finding even more distribution vectors used by the malware.  Kaspersky Lab said that a government website for the city of Bakhmut in Ukraine was compromised and used in a watering hole attack to spread the malware via a drive-by download.  “To our knowledge no specific exploits were used in order to infect victims.  Instead, visitors were served with a malicious file that was disguised as a Windows update,” the Lab said in a statement. Experts continue to stress the importance of applying the MS17-010 update to unpatched machines, and advise disabling PSEXEC and WMIC on local networks.
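The advice above (apply MS17-010, reduce the remote-execution surface) translates into a quick host audit. The script below is an added example written for this digest; it is not from Threatpost, Kaspersky Lab or Microsoft. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later (where Get-SmbServerConfiguration exists), and the list of KB numbers is a placeholder to be filled from the MS17-010 bulletin for the OS build being audited.

```powershell
# Added defensive audit script (not from the article, Kaspersky Lab or Microsoft).
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated session.
# $Ms17010KbIds is a PLACEHOLDER: fill it from the MS17-010 bulletin for your OS build.
param(
    [string[]]$Ms17010KbIds = @('KB<fill-from-MS17-010-bulletin>'),
    [switch]$Remediate
)

function Get-Ms17010Status {
    # Reports whether any of the supplied MS17-010 KB IDs is installed on this host.
    param([string[]]$KbIds)
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty HotFixID
    $found = @($KbIds | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        Patched     = ($found.Count -gt 0)
        MatchingKBs = $found
    }
}

function Get-Smb1Status {
    # EternalBlue targets the SMBv1 server implementation; report whether it is on.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{ Smb1ServerEnabled = $cfg.EnableSMB1Protocol }
}

function Disable-Smb1Server {
    # Turns off the SMBv1 server side (clients negotiating SMB2/3 are unaffected).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

function Get-RemoteExecSurface {
    # The PsExec-style and WMIC lateral movement paths depend on these services.
    # This only reports their state; stopping Winmgmt outright breaks local
    # management, so the practical control is restricting admin credentials.
    Get-Service -Name 'Winmgmt', 'LanmanServer' -ErrorAction SilentlyContinue |
        Select-Object Name, Status, StartType
}

$patch = Get-Ms17010Status -KbIds $Ms17010KbIds
$smb1  = Get-Smb1Status

"MS17-010 installed : $($patch.Patched) $($patch.MatchingKBs -join ',')"
"SMBv1 server       : $(if ($smb1.Smb1ServerEnabled) { 'ENABLED (exposed)' } else { 'disabled' })"
Get-RemoteExecSurface | Format-Table -AutoSize

if ($Remediate -and $smb1.Smb1ServerEnabled) {
    Disable-Smb1Server
    'SMBv1 server disabled; a reboot may be required for the change to take full effect.'
}
```

Run it without switches to get a read-only report; add -Remediate to switch the SMBv1 server off on hosts where nothing still depends on it. The KB placeholder must be replaced with the real MS17-010 KB numbers for the OS build, otherwise Patched will always report False.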

‘Little Hope’ to recover data lost to Petya Ransomware

https://threatpost.com/little-hope-to-recover-data-lost-to-petya-ransomware/126598/  Researchers at Kaspersky Lab have discovered an error in the malware’s code that prevents recovery of data.  This, combined with the action of the German email provider Posteo in shutting down the attacker’s email address, preventing victims from contacting the attacker in order to verify payments, has left thousands of victims in dire straits. “We have analyzed the high level code of encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks,” said Kaspersky Lab.  The issue is the lack of an installation ID that contains the information necessary for key recovery.  The original Petya infections, for example, contained the necessary installation ID.

Ransomware attack ‘not designed to make money’, researchers claim

https://www.theguardian.com/technology/2017/jun/28/notpetya-ransomware-attack-ukraine-russia   A ransomware attack that affected at least 2,000 individuals and organisations worldwide on Tuesday appears to have been deliberately engineered to damage IT systems rather than extort funds, according to security researchers. The researcher said the software was “definitely not designed to make money” but “to spread fast and cause damage, [using the] plausibly deniable cover of ‘ransomware’”. This analysis was supported by UC Berkeley academic Nicholas Weaver, who told the infosec blog Krebs on Security: “I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware.”

Ukraine Cyberattack Was Meant to Paralyze, not Profit, Evidence Shows

https://www.nytimes.com/2017/06/28/world/europe/ukraine-ransomware-cyberbomb-accountants-russia.html?mabReward=ACTM_TC4&recp=7&action=click&pgtype=Homepage&region=CColumn&module=Recommendation&src=rechp&WT.nav=RecEngine  In Ukraine’s case, a more sinister motive — paralysis of the country’s vital computer systems — may have been at work, cybersecurity experts said. Brian Lord, a former deputy director for intelligence and computer operations at Britain’s Government Communications Headquarters, the country’s equivalent to the National Security Agency, said, “This isn’t about the money.” “This attack is about disabling how large companies and governments can operate,” he added. Yet to be determined is the source of the virus. But Russia was seen as the prime suspect because it has been engaged in overt and covert warfare with Ukraine since the 2014 revolution that deposed a Kremlin-friendly government. A Russian role has yet to be proven and may never be. Nevertheless, analysts said on Wednesday that if the attackers’ object was to sow chaos at the highest levels in Ukraine, M.E.Doc provided an ideal way.

Ransomware Attack Raises Concerns Over Future Assaults

https://www.nytimes.com/2017/06/28/business/ramsonware-hackers-cybersecurity-petya-impact.html?hpw&rref=technology&action=click&pgtype=Homepage&module=well-region&region=bottom-well&WT.nav=bottom-well  The worldwide cyberattack, which began and was most prevalent in Ukraine, has raised concerns that similar attempts will become more widespread as hackers mimic the techniques in future digital assaults. Experts said that the most recent attack was less severe than a similar hacking in May, when software called WannaCry introduced the term “ransomware” to much of the world. Yet as law enforcement, governments and companies from the United States to India assessed the damage of the new attack, many cautioned that people should be prepared for such events to become a regular danger as criminals worldwide look to take advantage of the vulnerabilities in organizations’ digital infrastructure.

India’s largest container port JNPT hit by ransomware

http://timesofindia.indiatimes.com/india/indias-largest-container-port-jnpt-hit-by-ransomware/articleshow/59346704.cms  Operations at the terminal of the nation’s largest container port Jawaharlal Nehru Port Trust (JNPT) were impacted last night as a fallout of the global ransomware attack, which crippled some central banks and many large corporations in Europe. AP Moller-Maersk, one of the affected entities globally, operates the Gateway Terminals India (GTI) at JNPT, which has a capacity to handle 1.8 million standard container units. The Hague-based APM Terminals also operates the Pipavav terminal in Gujarat.

INTER-STATE CYBER-WARFARE

Entire Nation of Ukraine became Russia’s Test Lab for Cyberwar

https://www.wired.com/story/russian-hackers-attack-ukraine/   Many global cybersecurity analysts have a much larger theory about the endgame of Ukraine’s hacking epidemic: They believe Russia is using the country as a cyberwar testing ground—a laboratory for perfecting new forms of global online combat. And the digital explosives that Russia has repeatedly set off in Ukraine are ones it has planted at least once before in the civil infrastructure of the United States. Beneath all the cloaking and misdirection was a piece of malware known as KillDisk, a data-destroying parasite that had been circulating among hackers for about a decade.  The piece of malware that had served as the hackers’ initial foothold: an all-­purpose Trojan known as BlackEnergy.  Russia isn’t only pushing the limits of its technical abilities, says Thomas Rid, a professor in the War Studies department at King’s College London. It’s also feeling out the edges of what the international community will tolerate.

Vladimir Putin ordered Russian hackers to help elect Donald Trump, says explosive new report

http://www.independent.co.uk/news/world/americas/us-politics/putin-russia-hacking-us-election-trump-hillary-clinton-report-a7805541.html  Mr Putin’s direct involvement in the effort to undermine the US election systems was disclosed to former President Barack Obama in August, just months before the election that saw a surprise victory for Mr Trump, according to a Washington Post investigation into the Obama administration’s internal deliberations on how to handle the meddling. Instead of acting against Putin before the election, the White House attempted to stop future meddling, and to work to ensure that US voting systems weren’t significantly impacted.

‘Thousands’ of British MPs and Police officers hit by Password Hack linked to Russia

http://www.independent.co.uk/life-style/gadgets-and-tech/news/mps-password-hack-justine-greening-greg-clark-russia-westminster-it-security-data-breach-a7804261.html  The passwords of thousands of British politicians, senior police officers and other top officials have been stolen and traded by hackers, it has been reported. According to the Times, two lists of stolen login details were available to buy on Russian-speaking hacking sites, and included the details of 1,000 British MPs and parliamentary staff, 7,000 police employees and over 1,000 Foreign Office staff.  The lists were later made available for free. The three passwords most commonly used by the compromised accounts of police officers were “police”, “password” and “police1”.  The majority of the credentials were reportedly seized as part of a major hack on LinkedIn in 2012, in which millions of passwords were exposed.  LinkedIn users were advised to change their passwords in the wake of the attack, not only on the professional networking site but across other platforms and services too.

A Cyberattack ‘the World Isn’t Ready For’

https://www.nytimes.com/2017/06/22/technology/ransomware-attack-nsa-cyberweapons.html?hpw&rref=technology&action=click&pgtype=Homepage&module=well-region&region=bottom-well&WT.nav=bottom-well  On April 29, someone hit IDT Corporation with two cyberweapons that had been stolen from the National Security Agency. The strike on IDT was similar to WannaCry in one way: hackers locked up IDT data and demanded a ransom to unlock it. But the ransom demand was just a smoke screen for a far more invasive attack that stole employee credentials. With those credentials in hand, hackers could have run free through the company’s computer network, taking confidential information or destroying machines. Scans for the two hacking tools used against IDT indicate that the company is not alone. In fact, tens of thousands of computer systems all over the world have been “backdoored” by the same N.S.A. weapons. Both WannaCry and the IDT attack used a hacking tool the agency had code-named EternalBlue. The attack on IDT went a step further with another stolen N.S.A. cyberweapon, called DoublePulsar. The N.S.A. used DoublePulsar to penetrate computer systems without tripping security alarms.

CHINA’S CYBERWARFARE

China’s views on Norms in Cyberspace and Cyber Warfare Strategy

http://cimsec.org/beijings-views-norms-cyberspace-cyber-warfare-strategy-pt-1/33099  This is a two-part series looking at PRC use of cyberspace operations in pursuit of its national strategies and the establishment of the Strategic Support Force. Part 1 considers the centrality of information operations and information war to the PRC’s approach toward its current struggle against the U.S. Part 2 looks at the PRC’s use of international norms and institutions in cyberspace, and possible U.S. responses. The nature of this competition is slowly taking shape, and it is a much different struggle than the Cold War against the Soviet Union – however, with stakes no less important. This is a geoeconomic and geoinformational struggle. Both U.S. and PRC views on cyber warfare strategy, military cyber doctrine, and relevant norms and capabilities remain in the formative, conceptual, and empirical stages of understanding.

China, Canada vow not to conduct cyberattacks on private sector

http://timesofindia.indiatimes.com/world/china/china-canada-vow-not-to-conduct-cyberattacks-on-private-sector/articleshow/59317988.cms   China and Canada have signed an agreement vowing not to conduct state-sponsored cyberattacks against each other aimed at stealing trade secrets or other confidential business information.  The agreement was reached during talks between Canada’s national security and intelligence adviser, Daniel Jean, and senior communist party official Wang Yongqing, a statement dated June 22 on the Canadian government’s website showed. The new agreement only covers economic cyber-espionage, which includes hacking corporate secrets and proprietary technology, but does not deal with state-sponsored cyber spying for intelligence gathering.

China introduces emergency cybersecurity plan

http://www.globaltimes.cn/content/1053849.shtml  The plan was formulated and released by the Office of the Central Leading Group for Cyberspace Affairs, to “improve handling of cybersecurity incidents, prevent and reduce damage, protect the public interest and safeguard national security, public safety and social order.”  The plan divides cybersecurity incidents into six categories, including pernicious procedural incidents, cyber attacks and information security incidents. It also defines four levels of security warnings and response systems according to threat conditions ranging from “general” to “extremely serious.” Serious incidents will trigger measures including the establishment of emergency headquarters, 24-hour monitoring and multi-department coordination in handling the aftermath. The plan is also an implementation of the Cybersecurity Law adopted last year, which requires an emergency response mechanism from cyberspace authorities to avoid threats.

China’s All-Seeing Surveillance State Is Reading Its Citizens’ Faces

https://www.wsj.com/articles/the-all-seeing-surveillance-state-feared-in-the-west-is-a-reality-in-china-1498493020  China is rushing to deploy new technologies to monitor its people in ways that would spook many in the U.S. and the West. Unfettered by privacy concerns or public debate, Beijing’s authoritarian leaders are installing iris scanners at security checkpoints in troubled regions and using sophisticated software to monitor ramblings on social media. By 2020, the government hopes to implement a national “social credit” system that would assign every citizen a rating based on how they behave at work, in public venues and in their financial dealings. Their goal: to influence behavior and identify lawbreakers.

CYBER-TERROR

Many government websites in Ohio hacked with pro-IS message

http://www.thehindu.com/news/international/many-government-websites-in-ohio-hacked-with-pro-is-message/article19148476.ece?homepage=true  Several government websites in the US state of Ohio were apparently hacked to broadcast an anti-government and pro-Islamic State (IS) message, the media reported.  “You will be held accountable Trump, you and all your people for every drop of blood flowing in Muslim countries,” said the message on June 25, which was left by “Team System Dz”, Xinhua news agency reported. USA Today reported that “Team System Dz” is actually a group of “anti-Israeli Arab teenagers.” It has hacked numerous random websites such as the University of New Brunswick’s student union site and a Canadian food truck’s sandwich site.

CYBER-SECURITY

Israel security chief: Agency strikes back at online hackers

http://www.ynetnews.com/articles/0,7340,L-4981703,00.html?utm_source=Boomtrain&utm_medium=manual&utm_campaign=20170628   Israel’s security chief said Tuesday that the Shin Bet has gone on the offensive against hackers trying to carry out cyberattacks against Israel on the internet. He said that “passive defense” is not enough, and that the Shin Bet studied hackers’ strategies and developed “a variety of ways and methods” on how to strike back. Mossad officially launched Libertad Ventures, a technological innovation fund, which the organization says seeks to “strengthen both startup companies and the Mossad’s knowledge base, operating at the forefront of technological innovation.”  Libertad—the Latin word for freedom and also the name of a ship that carried immigrants from Bulgaria to Mandatory Palestine during World War II—will invest up to NIS 2 million in five startups every year working on groundbreaking technologies at the R&D stage.

Intel teams up with Israeli cybersecurity incubator to foil hacking attacks

http://www.thetower.org/5128-intel-teams-up-with-israeli-incubator-to-foil-cyberattacks/  Intel, the world’s largest chip-maker, is joining forces with the Israeli cybersecurity incubator Team8 to locate innovative technology that will fend off increasingly sophisticated cyberattacks. In joining forces with Team8 and their syndicate members, which include big names like Microsoft and Cisco, Intel is further advancing its desire to be a major player in the cybersecurity market. Israel is home to around 450 cybersecurity startups and receives around 20 percent of global investment in the field.

Blockchain tech is joining egov dots in AP, Telangana states in India

http://economictimes.indiatimes.com/small-biz/security-tech/technology/blockchain-tech-is-joining-e-gov-dots-in-ap-telangana/printarticle/59330625.cms  As cybersecurity becomes paramount, blockchain seems to have piqued interest among state governments as a technology to protect sensitive data. Blockchain, widely known as the technology driving the digital currency bitcoin, is a distributed database technology for storing continuously growing records. Blockchains are secure by design, as data is kept in ‘blocks’ that cannot be tampered with. While several state governments, including Karnataka, Gujarat and Maharashtra, have started evaluating the technology for purposes of e-governance, according to people ET spoke to, Telangana and Andhra Pradesh are leading the race, with both looking to move government data to blockchains within a few months.

VULNERABILITIES/PATCHES

Router hack risk ‘not limited to Virgin Media’

http://www.bbc.com/news/technology-40382877  A weakness that left thousands of Virgin Media routers vulnerable to attack also affects devices by other providers, security experts suggest. Virgin Media’s Super Hub 2 was criticised for using short default passwords that could easily be cracked by attackers.  But experts raised concerns that older routers provided by BT, Sky, TalkTalk and others were also at risk.  They recommend users change their router password from the default. “This problem has been known about for years, yet still ISPs [internet service providers] issue routers with weak passwords and consumers don’t know that they should change them.”
