Cyber Weekly Roundup – September 1, 2017

Written September 1st, 2017


By Andrew Paulette and Mesay Degefu

1.) This Is How Cops Trick Dark-Web Criminals Into Unmasking Themselves (August 25, 2017)


Summary: Last month the FBI took down AlphaBay, the largest dark-web marketplace in existence. As part of the same operation, European authorities announced they had infiltrated Hansa, another online market, and claimed they had somehow obtained information that could help identify users who would have usually been protected by veils of digital anonymity.

Why it matters: Embedding a token in an Excel document that beacons information back to a C2 server operated by law enforcement is a fairly low-impact way to decloak Tor users who rely on their anonymity to buy and sell illegal goods. It should serve as a reminder to dark-web users, whether their reasons are honest or criminal, that even though your web session may be secure, your identity can still be revealed through other means if your operational security is not up to snuff.

2.) 711 million email addresses ensnared in ‘largest’ spambot (August 29, 2017)


Summary: A huge spambot ensnaring 711 million email accounts has been uncovered. A Paris-based security researcher, who goes by the pseudonymous handle Benkow, discovered an open and accessible web server hosted in the Netherlands, which stores dozens of text files containing a huge batch of email addresses, passwords, and email servers used to send spam.

Why it matters: It’s time to change your passwords again! Aside from the massive amount of data this spambot harvested to use against its targets, the malware campaign took additional steps to reduce the amount of “noise” generated by the attacks (noise that would increase the chances of being detected) and ran a targeted campaign against its victims. It will be interesting to learn more about this malware as additional information is released. Unfortunately, such a large number of harvested usernames and passwords may eventually find their way into the hands of less scrupulous individuals, who will no doubt look for instances of credential reuse to compromise user accounts for apps such as banking.

3.) Abbott Recalls 465,000 Pacemakers for Cybersecurity Patch (August 30, 2017)


Summary: Medical device maker Abbott on Monday announced it is voluntarily recalling some 465,000 pacemakers to install a firmware update to patch cybersecurity vulnerabilities in the devices.

Why it matters: Because pacemakers have wireless connectivity capabilities, they are considered susceptible to attack. In this case, the vulnerability is improper authentication. An attacker can bypass the authentication algorithm via radio frequency. Like any other IT product, pacemakers should go through a regularly scheduled vulnerability assessment, including testing and validating the authentication mechanism.

4.) Intel Confirms its Much-Loathed ME Feature has a Kill Switch (August 30, 2017)


Summary: Researchers at Positive Technologies forced Intel’s hand at revealing that a previously undocumented kill switch exists for its oft-criticized Intel Management Engine, a remote management component of Intel CPUs.

Why it matters: An interesting bit of news regarding Intel’s Management Engine, which allows for remote management of devices using Intel CPUs. Serious vulnerabilities have recently been found in Intel ME that would allow users to gain access to a large number of functions of the remote device. What makes this kill switch so interesting is that it appears to have possibly been added to Intel ME at the behest of the NSA, to help reduce the risk to their devices.

5.) Massive Ransomware Attack Unleashes 23 Million Emails In 24 Hours (August 31, 2017)

https://www.forbes.com/sites/leemathews/2017/08/31/massive-ransomware-attack-unleashes-23-million-emails-in-24-hours/

Summary: Sometimes cyberattacks are incredibly sophisticated. They succeed through careful planning and methodical execution. Other times hackers will launch wholesale attacks, setting as many traps as possible and waiting to see how many people walk into them. The latter is the approach taken by cybercriminals with a recent email barrage that is spreading a nasty new strain of the notorious Locky ransomware. Security experts at AppRiver have been watching the campaign unfold. In just 24 short hours, their systems have watched the attack fire off a jaw-dropping 23 million infected emails.

Why it matters: The number of emails sent out for this ransomware campaign stands at an impressive 23 million. While it is unlikely (hopefully) that many people will fall for the unsophisticated email or pay the ransom of 0.5 bitcoins (equal to $2300), it will only take a small percentage of the users who received this email (0.004%) paying the ransom for the attacker to make $1 million. This reflects a form of hacking that stands in direct contrast to the extortion attempts of targeted attacks, such as the recent exfiltration of 1.5 TB of data from HBO, but both can potentially result in a big payday for the attacker.