Cyber Weekly Roundup – July 7, 2017

Written July 12th, 2017

Post Tags: cyber weekly roundup

By Andrew Paulette

1.) This Dark Web Site Creates Robocalls to Steal People’s Credit Card PINs (June 20, 2017)


Summary: A new service offers cybercriminals automated social engineering as a service. In the internet underground, cybercriminals regularly exchange stolen credit card and debit card numbers and people’s personal information—data they usually refer to as “dumps.” But having someone’s credit card number isn’t great if you just want to get some cash. For that you’d need their ATM pin too.

Why it matters: Software-as-a-Service, Security-as-a-Service – why not Social Engineering-as-a-Service? As automation and the desire for cost savings drives the IT and Cyber Security​ industry to offer new products to simplify the lives of their customers, cyber criminals will also attempt to line their pockets by offering products to make the lives of their fellow cyber criminals easier.  Regardless of the service’s current effectiveness, these types of offerings will continue to grow in the future, creating more attack vectors for cybersecurity professionals to monitor.



Summary: Researchers have found links between the BlackEnergy APT group and threat actors behind the ExPetr malware used in last month’s global attacks. According to researchers at Kaspersky Lab, there are strong similarities between older versions of BlackEnergy’s KillDisk ransomware compared to ExPetr code.

Why it matters: ​While threat actors may not leave their name on their malware, attribution in cybersecurity helps give analysts insight into the probable attacker, which also providing perspective on their motives. Linking the NotPetya/ExPetr attacks to the BlackEnergy APT sheds light on the intent of the attackers, while also providing a somewhat concerning revelation that the techniques and tactics used by this group have accelerated quickly, going from spearphishing attempts to steal credentials from admins within an organization to breaching the supply chain of a software vendor to launch wiper attacks against Ukraine’s business sector.

3.) Ukrainian police seize software company’s servers (July 5, 2017)


Summary: Ukraine’s national cybercrime unit seized servers belonging to a small company at the center of a global outbreak of malicious software after “new activity” was detected there, the service said in a statement early Wednesday.

Why it matters: While Ukrainian company M.E. Doc has continued to deny that its servers were compromised and used as the initial vector for the spread of the NotPetya “Ransomware,” analysis from multiple security firms and intervention by Ukrainian law enforcement seems to all but definitively confirm that this company was compromised and used as the vector to start this attack. There are two lessons learned from the NotPetya attack:

1) cybersecurity is not only about securing your company’s infrastructure, but analyzing access to your network from partners and other third parties, and

2) cybersecurity matters for all companies, big and small.

While all accounts suggest that M.E. Doc is a smaller company compared to some of the more obvious targets for threat actors, the reality is that even as a small organization, their software’s use across much of Ukraine’s business sector ensured that as a company with vulnerabilities in their software and update service, they became the perfect target to attack a larger number of businesses.

4.) In quest to replace Common Access Card, DoD starts testing behavior-based authentication (July 5, 2017)


Summary: A year after then-chief information officer Terry Halvorsen first publicly floated the idea of killing DoD’s Common Access Card in favor of a collection of more flexible authentication technologies, the Pentagon is beginning to test drive at least one of the potential replacements for the CAC.

Why it matters: In addition to biometrics being considered a stronger security measure than “something you have” (such as a CAC Card), measuring the user’s biometrics also opens the opportunity to collect a number of metrics to give the user an identity access score.  In conjunction with various other attributes, this collection of metrics can establish a identity score for the user, which allows identity and authentication systems to grant a granular level of access to a user based on how much they can prove they are who they claim to be. If a user is working from home, for example, a system may restrict administrative access. On the other hand, if a user is working at their desk during normal working hours, administrative access privileges could be granted. This granular access management will increase identity security if it is implemented correctly.