Cyber Weekly Roundup – June 30, 2017

Written June 30th, 2017

Post Tags: Cyber, cyber weekly roundup

By Andrew Paulette and Mesay Degefu with contributions by Loilette Loderick and Robert Gardiner



Summary: The clocks read zero when the lights went out. It was a Saturday night last December, and Oleksii Yasinsky was sitting on the couch with his wife and teenage son in the living room of their Kiev apartment. The 40-year-old Ukrainian cybersecurity researcher and his family were an hour into Oliver Stone’s film Snowden when their building abruptly lost power.

Why it matters: Although it is a longer read, it is definitely worth the time. The US public has not yet experienced the effects of “cyber warfare” on a large scale, and this article shows what future attacks may look like. Each attack against Ukraine further refines the adversary’s capabilities, which will no doubt be used against other targets in the future. The cybersecurity community needs to keep watching these developments closely in order to recognize similar attacks against the infrastructure of other nations.

2.) NSA Advocates Data Sharing Framework (June 26, 2017)


Summary: The economics of cybersecurity are skewed in favor of attackers, who invest once and can launch thousands of attacks with a piece of malware or exploit kit. That’s why Neal Ziring, technical director for the NSA’s Capabilities Directorate, wants to flip the financial equation on bad guys.

Why it matters: The ideas put forth by Neal Ziring make perfect sense. Because information is not shared across the industry, attackers can re-use the same code against various “silos” that may be unaware of attacks already launched against other organizations. By unifying the pool of threat data across all industries, attackers get fewer opportunities to use an attack before it is discovered and systems are tuned to detect it.

One thing this article doesn’t address is how to keep information about the compromised company confidential. If companies can be assured that embarrassing cyber attacks will not be revealed to the public, more of them will be willing to join a data sharing platform, since participation will not risk further losses from an attack becoming public.

3.) ‘Shadow Brokers’ Threatens to Unmask a Hacker who worked with the NSA (June 26, 2017)


Summary: The Shadow Brokers, a notorious hacking group that leaked US cyberweapons — which were also abused by the recent ransomware disasters WannaCry and Petya or NotPetya — has now threatened to unmask the identity of a former hacker who worked for the NSA.

Why it matters: In an escalation of their tactics, the Shadow Brokers are now not only threatening to release information related to their hacks against the Equation Group, but are also threatening to “dox” a supposed member of the group. Understanding the motive behind this decision is difficult because the nature of the group itself is hard to ascertain.

If the Shadow Brokers are a group of hackers with no links to or funding from a government entity, this threat looks to be nothing more than pure and simple blackmail. If, however, the group has ties to a foreign power, then this action can be read as a signal to the US that not only has information related to the Equation Group’s activities been breached, but so have details on individuals associated with US cyber operations. Regardless, this escalation in tactics does not bode well for the current state of cyber attacks.

4.) Britain’s new £3 billion aircraft carrier is reportedly running on Windows XP (June 27, 2017)


Summary: Britain’s new £3 billion ($3.8 billion) aircraft carrier is running on Windows XP, according to journalists given a tour of the ship. HMS Queen Elizabeth launched on Monday amid huge fanfare, with senior military figures declaring “a new era of British maritime power.” The 280-metre craft left the Rosyth Dockyard in Scotland to begin its first tests on the open seas.

Why it matters: Cyber threats should not be taken lightly. With recent attacks like WannaCry, governments should make it a point to keep all hardware and software up to date for maximum security. Longer-term cyber strategies should address end-to-end inspections and include a process for maintaining the latest virus definitions.

5.) Hacker Behind Massive Ransomware Outbreak Can’t Get Emails from Victims Who Paid (June 27, 2017)


Summary: On Tuesday, a new, worldwide ransomware outbreak took off, infecting targets in Ukraine, France, Spain, and elsewhere. The hackers hit everything from international law firms to media companies. The ransom note demands victims send bitcoin to a predefined address and contact the hacker via email to allegedly have their files decrypted. But the email company the hacker happened to use, Posteo, says it has decided to block the attacker’s account, leaving victims with no obvious way to unlock their files.

Why it matters: The fact that such a well-coded piece of malware had such a poor method of receiving payment and ensuring decryption of infected machines suggests that ransomware was not its true purpose. It is likely that more and more threat actors will continue to use the appearance of ransomware to mask their true intentions when deploying malware. This tactic also gives the impression that cybercriminals, rather than nation-state actors, are responsible.

6.) Pnyetya: Yet Another Ransomware Outbreak (June 27, 2017)


Summary: The worm uses three different infection vectors: ETERNALBLUE, harvested password hashes, and psexec. The code is well written and obfuscated to protect against AV detection using at least two techniques: a fake Microsoft signature (which apparently fools some AV) and an XOR-encrypted shellcode payload (to bypass signature checks).

Why it matters: While the general public will remember this incident as another case of “ransomware” run amok, the worldwide outbreak of the Petya/NotPetya “ransomware” appears to be a smokescreen for its real intent – destruction of data on its intended targets. The additional suspected compromise of a Ukrainian tax software provider to spread the malware to its intended targets (anyone who does business and pays taxes in Ukraine) is a successful supply chain compromise with far-reaching consequences, and serves as a reminder: you are only as secure as the weakest link in your network.
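The XOR-encrypted payload mentioned in the summary of item 6 is a common evasion technique, and the usual analyst countermeasure is a known-plaintext scan: try every single-byte key and look for a string that a Windows executable must contain. The following Python script is an added example, not code from the original post or from any published analysis of this worm. The blob, key and offsets are constructed for illustration; the 0x4E offset of the DOS stub message is the conventional layout of a standard PE header and is used here only as a confirming check.

```python
"""Known-plaintext scan for a single-byte-XOR-encoded PE payload.

Added example (not from the original post). The sample blob below is
constructed: a minimal PE-style header is XOR-encoded with a chosen key and
embedded in filler bytes, and the scanner recovers the key and offset.
"""
from typing import List, Optional, Tuple

# The DOS stub message is present in virtually every Windows PE file and is
# long enough that a chance match under some other key is effectively impossible.
DOS_STUB_MSG = b"This program cannot be run in DOS mode"
# In a standard PE header the stub message starts 0x4E bytes after "MZ".
DOS_STUB_OFFSET = 0x4E


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def scan_single_byte_xor(blob: bytes) -> List[Tuple[int, int, Optional[int]]]:
    """Try every key 1..255 and report (key, stub_offset, pe_start) for each
    decoding that contains the DOS stub message.

    pe_start is the offset of the "MZ" header if it sits at the conventional
    distance before the stub message, otherwise None (the stub string was found
    but the header layout is non-standard or the payload was truncated).
    Key 0 is skipped because it leaves the data unchanged.
    """
    hits: List[Tuple[int, int, Optional[int]]] = []
    for key in range(1, 256):
        decoded = xor_bytes(blob, key)
        off = decoded.find(DOS_STUB_MSG)
        while off != -1:
            start = off - DOS_STUB_OFFSET
            pe_start = start if start >= 0 and decoded[start:start + 2] == b"MZ" else None
            hits.append((key, off, pe_start))
            off = decoded.find(DOS_STUB_MSG, off + 1)
    return hits


def decode_payload(blob: bytes, key: int, start: int) -> bytes:
    """Recover the embedded payload from its start offset onward."""
    return xor_bytes(blob[start:], key)


# --- constructed sample (not a real executable) -------------------------------
# A minimal stand-in for a PE header: "MZ", padding, then the stub message at
# the conventional offset. Just enough structure for the scan to find.
SAMPLE_PAYLOAD = (b"MZ" + b"\x00" * (DOS_STUB_OFFSET - 2)
                  + DOS_STUB_MSG + b".\r\r\n$")
SAMPLE_KEY = 0x5A          # chosen arbitrarily for the example
SAMPLE_PREFIX_LEN = 50     # where the encoded payload starts inside the blob
# Filler bytes on both sides mimic the surrounding carrier file.
SAMPLE_BLOB = (b"\x11" * SAMPLE_PREFIX_LEN
               + xor_bytes(SAMPLE_PAYLOAD, SAMPLE_KEY)
               + b"\x22" * 30)


if __name__ == "__main__":
    for key, stub_off, pe_start in scan_single_byte_xor(SAMPLE_BLOB):
        print(f"key=0x{key:02x} stub message at {stub_off}, PE header at {pe_start}")
        if pe_start is not None:
            print("recovered head:", decode_payload(SAMPLE_BLOB, key, pe_start)[:8])
```

The scan only covers single-byte keys; a rolling multi-byte key needs the same idea applied per key length, and a loader that decodes in memory leaves nothing for a file scan at all. It also shows why a "fake Microsoft signature" is a separate problem: a scanner that trusts a signer name without cryptographically validating the certificate chain will wave through an otherwise obviously encoded payload, so signature validation and content scanning need to be done independently.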