Cyber Weekly Roundup – June 16, 2017

Written June 16th, 2017

Post Tags: Cyber, cyber weekly roundup, cybersecurity, news, weekly roundup

By Andrew Paulette, Mesay Degefu, and Josh Hunter, with contributions by Loilette Loderick and Robert Gardiner

1.) Why Car Companies Are Hiring Computer Security Experts (June 7, 2017)


Summary: Recently, two “white hat” hackers were able to gain access to a Jeep Cherokee and disable its transmission in the middle of a highway. Through its entertainment system, the two experts identified an electronic route that allowed them to remotely exploit the vehicle’s steering, brakes and transmission. Incidents like this are among the reasons automakers are looking to hire more security experts, hoping to find and fix vulnerabilities that could affect a vehicle’s functionality.

Why it matters: Not long ago, when faced with budget constraints, the security and training workforce were among the first to be released. Now, with the challenges of self-driving cars, automakers have started to move away from that strategy and are instead hiring more security experts. There are two main reasons why security is prioritized: first, it’s cheaper to incorporate security at early stages of development, and second, it protects brand reputation.

2.) Ex-Admin Deletes All Customer Data and Wipes Servers of Dutch Hosting Provider (June 9, 2017)


Summary: Verelox, a provider of dedicated KVM and VPS servers based in The Hague, Netherlands, suffered a catastrophic outage after a former administrator deleted all customer data and wiped most of the company’s servers.

Details of what exactly happened aren’t available, but according to posts on various web hosting forums [1, 2, 3], the incident appears to have taken place yesterday, when users couldn’t access their servers or the company’s website.

Why it matters: While threat analysis often focuses on external risks to the organization, it is equally important for organizations to have a handle on potential insider threats. Whether accidental or intentional, understanding the risks posed by those inside the organization (especially those with administrative privileges) is critical.

There are steps businesses can take to reduce their risk. As an example, ensure that a departing employee’s access to the organization’s network is revoked at the same time as their departure from the company. Again, while this may not be the cause of this incident, it does not take much of a leap in logic to see it as a possible cause for the failure.
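The offboarding control above is only as good as the check that proves it happened. One practical way to verify it is to reconcile the HR separation list against the live account directory every day and flag any account that is still enabled, or was used, after its owner’s last day. The following Python script is an added example, not code from the original post or from Verelox; the employee names, group names, dates and the service-account allowlist are all constructed for illustration.

```python
"""Added example: reconcile HR separations against live accounts.

Flags (1) accounts still enabled after the owner's separation date,
(2) accounts that logged in after that date, and (3) enabled accounts
with no HR record at all (orphans), with privileged accounts first.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set

# Assumed group names; real directories will differ.
PRIVILEGED_GROUPS = {"Domain Admins", "hosting-admins", "root-equivalent"}


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    groups: FrozenSet[str] = frozenset()
    last_login: Optional[date] = None


def reconcile(accounts: List[Account], employees: Set[str],
              separations: Dict[str, date], service_accounts: Set[str],
              today: date) -> List[dict]:
    """Return findings for accounts HR says should no longer be active."""
    findings = []
    for acct in accounts:
        # Active employees and allowlisted service accounts are out of scope here.
        if acct.username in employees or acct.username in service_accounts:
            continue
        issues = []
        left_on = separations.get(acct.username)
        if left_on is None:
            if acct.enabled:
                issues.append("enabled account with no HR record (orphan)")
        else:
            if acct.enabled:
                days = (today - left_on).days
                issues.append(f"still enabled {days} days after separation on {left_on}")
            if acct.last_login and acct.last_login > left_on:
                issues.append(f"last login {acct.last_login} is after separation on {left_on}")
        if issues:
            privileged = bool(acct.groups & PRIVILEGED_GROUPS)
            findings.append({"username": acct.username, "privileged": privileged,
                             "severity": "high" if privileged else "medium",
                             "issues": issues})
    # Privileged leftovers are the ones to act on first.
    findings.sort(key=lambda f: (not f["privileged"], f["username"]))
    return findings


# Constructed sample data (not real people or systems).
SAMPLE_EMPLOYEES = {"alice", "bob"}
SAMPLE_SEPARATIONS = {"carol": date(2017, 6, 1), "dave": date(2017, 5, 15)}
SAMPLE_SERVICE_ACCOUNTS = {"svc-backup"}
SAMPLE_ACCOUNTS = [
    Account("alice", True, frozenset({"Domain Admins"}), date(2017, 6, 8)),
    Account("carol", True, frozenset({"hosting-admins"}), date(2017, 6, 8)),  # left, still admin
    Account("dave", False, frozenset(), date(2017, 5, 10)),                   # offboarded correctly
    Account("svc-backup", True, frozenset(), date(2017, 6, 9)),
    Account("tempuser", True, frozenset(), None),                             # nobody owns this
]
SAMPLE_TODAY = date(2017, 6, 9)


def run_sample() -> List[dict]:
    return reconcile(SAMPLE_ACCOUNTS, SAMPLE_EMPLOYEES, SAMPLE_SEPARATIONS,
                     SAMPLE_SERVICE_ACCOUNTS, SAMPLE_TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f['severity']}] {f['username']}: " + "; ".join(f["issues"]))
```

Feeding this from a real directory export (for example, a CSV of usernames, enabled flags, group memberships and last-logon timestamps) turns the policy “revoke access on departure” into a daily measurable check rather than a hope.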

3.) First Malware Designed Solely for Electric Grids Caused 2016 Ukraine Outage (June 12, 2017)


Summary: Attackers used CrashOverride/Industroyer to cause a partial power outage in Kiev, Ukraine, but it can be used anywhere, say researchers at Dragos and ESET.

Why it matters: While this is not the first case of malware that targets industrial control systems, its use in such an overt public setting is a worrying trend that can lead to much more serious attacks against large populations. It is also possible, however, that the point of this attack was not to cause serious repercussions to the Ukrainian power grid, but rather to signal the capabilities of the Electrum group to other powers in the region. In essence, this attack could have been a warning to others of the capabilities of threat actors in that region.

4.) New malware gets installed via mouse hover (June 12, 2017)


Summary: Security researchers have warned that cybercriminals have recently started sending spam campaigns with PowerPoint files which contain a mouseover link that installs a variant of the Zusy malware onto a computer. The downloader installs a banking Trojan onto the PC the moment the mouse pointer hovers over the link.

Why it matters: This unique method of malware delivery is especially interesting because it can be leveraged to counter a recommendation found in most cyber awareness training. Users are usually instructed to hover over links before clicking them to ensure the link leads to where they expect it to go (usually the linked web address will appear while hovering over an HTML link). It’s important that organizations revisit and update their cybersecurity training courses and materials, and of course communicate information about the new attack to their user base. The offensive and defensive strategies in cybersecurity continue to evolve.
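Beyond updating the training, a hover-triggered link is something a mail gateway or SOC can look for statically. A .pptx file is a zip of XML parts; a hover action is an `<a:hlinkMouseOver>` element in `ppt/slides/slideN.xml`, and its destination is resolved through the slide’s `_rels` part. The Python scanner below is an added example, not code from the original post or from the researchers it cites. It builds a constructed, minimal sample deck (slide and relationship parts only, no `[Content_Types].xml`), uses a placeholder string rather than a real launch target, and reports hover links, `ppaction://program` actions, and external targets that are not ordinary web or mail URLs.

```python
"""Added example: flag mouse-over hyperlink actions in a .pptx (defender-side triage)."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

A_NS = "http://schemas.openxmlformats.org/drawingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
HYPERLINK_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
WEB_SCHEMES = {"http", "https", "mailto"}


def _load_rels(zf, slide_part):
    """Map relationship Id -> (Target, TargetMode) for one slide part."""
    folder, _, base = slide_part.rpartition("/")
    rels_part = f"{folder}/_rels/{base}.rels"
    rels = {}
    if rels_part in zf.namelist():
        root = ET.fromstring(zf.read(rels_part))
        for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
            rels[rel.get("Id")] = (rel.get("Target", ""), rel.get("TargetMode", "Internal"))
    return rels


def scan_pptx(data: bytes) -> list:
    """Return one finding per suspicious hyperlink; a plain click on a web URL is not reported."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        slides = [n for n in zf.namelist()
                  if n.startswith("ppt/slides/slide") and n.endswith(".xml")]
        for slide in sorted(slides):
            rels = _load_rels(zf, slide)
            root = ET.fromstring(zf.read(slide))
            for trigger in ("hlinkMouseOver", "hlinkClick"):
                for link in root.iter(f"{{{A_NS}}}{trigger}"):
                    action = link.get("action", "")
                    target, mode = rels.get(link.get(f"{{{R_NS}}}id"), ("", "Internal"))
                    reasons = []
                    if trigger == "hlinkMouseOver":
                        reasons.append("fires on hover, without a click")
                    if action.startswith("ppaction://program"):
                        reasons.append("ppaction://program launches an external program")
                    if mode == "External" and urlparse(target).scheme not in WEB_SCHEMES:
                        reasons.append("external target is not a web/mail URL")
                    if reasons:
                        severity = "high" if len(reasons) > 1 or trigger == "hlinkClick" else "low"
                        findings.append({"slide": slide, "trigger": trigger, "action": action,
                                         "target": target, "severity": severity,
                                         "reasons": reasons})
    return findings


# Constructed sample deck: templates for the two parts the scanner reads.
SLIDE_XML = ('<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
             'xmlns:a="{a}" xmlns:r="{r}"><p:cSld><p:spTree>{runs}</p:spTree></p:cSld></p:sld>')
RUN = '<p:sp><p:txBody><a:p><a:r><a:rPr>{link}</a:rPr><a:t>{text}</a:t></a:r></a:p></p:txBody></p:sp>'
RELS_XML = '<Relationships xmlns="{pkg}">{rels}</Relationships>'
REL = '<Relationship Id="{id}" Type="{type}" Target="{target}" TargetMode="External"/>'


def build_sample_pptx(with_hover_lure: bool) -> bytes:
    """Constructed minimal deck: one benign click link, plus an optional hover lure."""
    runs = [RUN.format(link='<a:hlinkClick r:id="rId2"/>', text="Our website")]
    rels = [REL.format(id="rId2", type=HYPERLINK_TYPE, target="https://example.com/")]
    if with_hover_lure:
        runs.append(RUN.format(link='<a:hlinkMouseOver r:id="rId3" action="ppaction://program"/>',
                               text="Loading..."))
        # Placeholder only; a real lure would carry a program-launch string here.
        rels.append(REL.format(id="rId3", type=HYPERLINK_TYPE,
                               target="constructed-placeholder-launch-target"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", SLIDE_XML.format(a=A_NS, r=R_NS, runs="".join(runs)))
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", RELS_XML.format(pkg=PKG_NS, rels="".join(rels)))
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_pptx(build_sample_pptx(True)):
        print(f"[{f['severity']}] {f['slide']} {f['trigger']} -> {f['target'] or f['action']}: "
              + "; ".join(f["reasons"]))
```

Run against real attachments, the interesting output is any `hlinkMouseOver` at all (legitimate decks rarely use it) and any link whose action is `ppaction://program`; the latter is worth blocking outright at the gateway regardless of trigger. Note that the sample builder writes only the two parts the scanner reads, so the bytes it produces will not open in PowerPoint.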

5.) Win XP patched to avert new outbreaks spawned by NSA-leaking Shadow Brokers (June 13, 2017)


Summary: On Tuesday, Microsoft took the highly unusual step of issuing security patches for XP and other unsupported versions of Windows. The company did this in a bid to protect the OSes against a series of “destructive” exploits developed by, and later stolen from, the National Security Agency.

Why it matters: Microsoft’s decision to provide patches for unsupported software, and Microsoft’s subsequent announcements regarding these releases, suggest a serious possibility of these vulnerabilities being exploited by threat actors. Organizations still running unsupported software should ensure these patches are applied as soon as possible to avoid another weekend like WannaCry.

6.) Why linguistics can’t always identify cyber attackers’ nationality (June 13, 2017)


Summary: Malware. Data theft. Ransomware. Everyone wants to know who was behind the latest audacious attack. Several attempts have been made over the years to use linguistics to identify perpetrators, but when it comes to attribution, there are limitations to using this method.

Why it matters: Much like cybersecurity relies on defense-in-depth to provide a holistic defense against threats, good attribution must rely on data points from multiple forms of analysis to provide a good picture of the attacker and their motives. While language is an important data point, it is only one point, and therefore cannot be the end-all of analysis. Other observations, such as the history of similar attacks, code comparison, additional information from intelligence agencies, and even the simple question of “who does this attack benefit the most?” are all pieces in the puzzle of attribution that must be used to form the best guess as to the attacker’s identity.

7.) DISA ‘reimagining the workplace’ (June 13, 2017)


Summary: In the future, a combination of biometrics and behaviors associated with an individual’s mobile device will be used to determine the level of access he or she has on DOD networks, said DISA director and Joint Force Headquarters – DOD Information Networks commander Army Lt. Gen. Alan R. Lynn at the Armed Forces Communications and Electronics Association’s (AFCEA) Defensive Cyber Operations Symposium in Baltimore today.

Why it matters: The commercial world has already started leveraging biometric data. Aetna, for example, uses behavior models for authentication, and Facebook leverages phone sensors to identify individuals (i.e., using the accelerometer in the phone to capture individual walking gaits). What’s interesting is that now the government is considering using similar biometric data to control employee access to various networks. While this may simplify security for the users by putting the onus of security on the devices instead of the employee, it also opens up additional opportunities for attack. As cyber professionals make advances, so too do cyber adversaries continue to creatively evolve.

8.) US-CERT issues North Korean cyberattack patch warning (June 15, 2017)


Summary: The US has issued an unusually stark public warning to businesses about the threat posed by North Korean cyberattacks and the urgent need to patch old software to defend against them.

Why it matters: The fact that this US-CERT advisory draws on information provided by both DHS and the FBI suggests the possibility of an attack coming soon. Between the DPRK’s use of attacks targeting unpatched software and Microsoft’s warning regarding the need to apply the unusual patch releases for XP and Server 2003, one cannot help but wonder if there is a connection. Regardless, organizations should have one simple takeaway from this article – ensure your systems are patched, and spend some time seeking out unpatched boxes on the network for the purpose of remediating them.