Cyber Weekly Roundup – July 14, 2017

Written July 14th, 2017


By Andrew Paulette, Mesay Degefu, and Michelle Miranda

1.) Hackers Linked to NotPetya Ransomware Decrypted a File for Us (July 5, 2017)


Summary: The hackers successfully decrypted a file provided by Motherboard, but that does not necessarily mean victims will be able to get their files back.

Why it matters: A large part of the discussion of this malware attack is whether it was meant as a legitimate ransomware attack for profit, or whether it was actually meant to serve as a wiper (malware only meant to destroy data) masked as ransomware. While some security researchers had indicated that decryption seemed impossible, hackers connected with the NotPetya malware have shown that they can indeed decrypt the encrypted data, decrypting one file as proof.

While it is indeed possible this attack was truly meant to be a ransomware attack, it is also possible that this decryption ability is a tactic to continue muddying the waters as to the intent of NotPetya’s creators. Was this a case of the attackers attempting to make a profit from their attack, or to disrupt business and infrastructure? Understanding their intent can assist researchers with attributing who is behind an attack, so this disinformation (if it is indeed meant as such) regarding the ability to decrypt could help confuse the process of attribution.

2.) Owners of “VirusTotal-for-Crooks” Service Arrested (July 6, 2017)


Summary: Ruslans Bondars and Jurijs Martisevs, two Latvian citizens, are facing charges in the US for running a portal that allowed cybercrooks to scan and see if their malware was detected by antivirus software.

Why it matters: This article showcases another technique commonly used by security researchers that was repurposed for use by cyber criminals. Legitimate services such as VirusTotal have been used by the community to allow individuals to upload virus samples, which are then provided to antivirus vendors. The service in this case was instead used to allow cyber criminals to test their malware against a scanning service to see if it would be detected – if the sample was not detected, it would stand to reason that the malware could be distributed in the wild without immediately being stopped by antimalware services. Luckily, it looks like many services such as these have been stopped in 2017, including AnonScanner, RazorScanner, and BlackShades Scanner.

It is interesting to see how criminals take the tools used by the cybersecurity community and flip the service around to make a profit off of shadier services. As is mentioned in so many of these article roundups, these types of nefarious twists on current cyber services are certain to continue as long as there is a profit to be made – and there always will be.

3.) FBI-DHS “amber” alert warns energy industry of attacks on nuke plant operators (July 6, 2017)


Summary: The Department of Homeland Security and FBI have issued a joint report providing details of malware attacks targeting employees of companies that operate nuclear power plants in the US, including the Wolf Creek Nuclear Operating Corporation, The New York Times reports. The attacks have been taking place since May, as detailed in the report issued by federal officials last week and sent out to industry.

Why it matters: On the one hand, this report isn’t anything new – performing reconnaissance against infrastructure has been going on for years. However, there is some degree of concern over this report given the recent blackouts in Ukraine caused by cyber attacks. In addition, the concept of “air-gapping” a system, while it may block off direct attacks from external sources, does not guarantee attacks will not reach the system via a device like a USB thumb drive. Ensuring continued information sharing about potential SCADA and ICS incidents/compromises will help ensure that potential attacks against other organizations are detected sooner (ideally during the reconnaissance phase), which may prevent attacks from successfully being executed.

4.) ‘Exit Scam’ Fears Grow as Drug Market AlphaBay Stays Dark One Week Later (July 10, 2017)


Summary: The site, AlphaBay, operated for years on the so-called dark web, which can only be accessed by users who employ special software that masks their location and identity. But on July 4th, AlphaBay suddenly went dark and has been inaccessible ever since.

Why it matters: This is an interesting article showing the risks of serving a dark market clientele. If this dark web service provider did not have iron-clad operational security to keep his tracks from leading back to his true identity, the threat of doxxing that is mentioned in the article is a very real possibility.

5.) Security lapse leaks data from millions of Verizon customers (July 12, 2017)


Summary: Gartner analyst Avivah Litan says the issue comes down to human error and it doesn’t make sense to blame cloud service providers like Amazon and Google. She says such lapses are likely common, but it’s hard to know since we only know what’s disclosed.

Why it matters: The key takeaway from this article is that utilizing a cloud solution does not absolve the data owner (Verizon) from protecting that data – if the data is lost, the responsibility for that loss ultimately rests with Verizon.

6.) Cyber threats could cost lives unless NHS improves security (July 12, 2017)


Summary: Cyber threats could put the lives of patients at risk unless the NHS swiftly overhauls its security, a leading surgeon has said. Lord Darzi said the widespread use of outdated computer systems had made hospitals a “soft target” for hackers. Improving security was vital, he said, not just to protect services from hackers, but to rebuild public confidence in projects which rely on shared access to medical records, in order to save lives.

Why it matters: The additional funding provided to NHS should assist with modernizing their aging IT infrastructure and allow for procurement of security tools to help monitor their network, reducing the risk of exploitation of their IT infrastructure and customer data.

7.) New Ransomware Threatens to Send Your Internet History & Private Pics to All Your Friends (July 13, 2017)


Summary: After WannaCry and Petya ransomware outbreaks, a scary (but rather creative) new strain of ransomware is spreading via bogus apps on the Google Play Store, this time targeting Android mobile users.

Why it matters: A logical evolution for ransomware, LeakerLocker does not focus on encrypting data, but instead threatens that it has exfiltrated and will disclose the user’s personal information if a ransom is not paid. As the article notes, security researchers do not believe the entire contents of the user’s phone are exfiltrated (as the malware claims), but it does appear to have the capability to access the user’s information on the device. Regardless, this tactic defeats the common countermeasure of user data backups, which counter ransomware that relies on encrypting data. The use of the Android platform to attack the user is also expected to become more common in the future as ransomware seeks new platforms to exploit.

One of the big questions on this sort of ransomware is whether or not users will actually pay the ransom. Unlike traditional ransomware, where you know when the data has been decrypted, it’s unclear how this ransomware will assure the user that the data they claim to have purloined is in fact deleted after the ransom is paid. Only time will tell if this method of extortion becomes successful.


Summary: Many digital trees have died for the cause of informing Windows admins about the SMBv1 vulnerability that spawned the WannaCry and ExPetr/NotPetya malware attacks. Yet a relatively small sample of data collected from a freely available tool shows that thousands have not gotten the message, or have some significant blind spots in their networks.

Why it matters: The reality of information security is that, for a lot of organizations, it is impossible to remain aware of all the vulnerabilities that reside on their network at any given time. As a result, even some of the biggest, most publicized vulnerabilities such as EternalBlue will go unremediated on a percentage of networks – the networks queried in this study showed a total of 11% of all devices on the tested networks still vulnerable.

This article helps illustrate why defense-in-depth is so important. At this point, most organizations should not be confident that all of their devices are being patched in a timely manner. Instead, good patching practices should be a piece of the puzzle, where other security mechanisms such as anti-malware agents, prevention and detection systems, and incident response teams are in place to help prevent, detect, and respond in the event a device is still vulnerable.