Cyber Weekly Roundup – September 8, 2017

Written September 8th, 2017

Post Tags: cyber news, cyber weekly roundup

By Andrew Paulette and Mesay Degefu

1.) Hackers Gain Direct Access to US Power Grid Controls (September 6, 2017)


Summary: In an era of hacker attacks on critical infrastructure, even a run-of-the-mill malware infection on an electric utility’s network is enough to raise alarm bells. But the latest collection of power grid penetrations went far deeper: Security firm Symantec is warning that a series of recent hacker attacks not only compromised energy companies in the US and Europe but also resulted in the intruders gaining hands-on access to power grid operations—enough control that they could have induced blackouts on American soil at will.

Why it matters: Attempts at infiltrating power grids across the world continue to be a worrying trend, but this most recent set of attempts discovered by Symantec went much further than before. While there are easy threat actors to “point to” as the hackers behind this intrusion, Symantec has not directly attributed these attacks to any particular groups. Time will tell if the culprit will be identified.

2.) Who is Marcus Hutchins? (September 5, 2017)


Summary: In early August 2017, FBI agents in Las Vegas arrested 23-year-old British security researcher Marcus Hutchins on suspicion of authoring and/or selling “Kronos,” a strain of malware designed to steal online banking credentials. Hutchins was virtually unknown to most in the security community until May 2017 when the U.K. media revealed him as the “accidental hero” who inadvertently halted the global spread of WannaCry, a ransomware contagion that had taken the world by storm just days before. At first, I did not believe the charges against Hutchins would hold up under scrutiny. But as I began to dig deeper into the history tied to dozens of hacker forum pseudonyms, email addresses and domains he apparently used over the past decade, a very different picture began to emerge.

Why it matters: While Krebs' article focuses on Marcus Hutchins' past and doesn't delve into the current charges against the accidental hero of WannaCry, it does provide an interesting read on how Krebs (and others) attribute seemingly disconnected bits of evidence to build a clearer picture that Hutchins' past has some questionable links to blackhat hacking.

In addition to the topics discussed in this article, there is another interesting point to consider. If the accusations that Mr. Hutchins helped develop and sell a banking RAT are correct, what is the appropriate action to take? Mr. Hutchins does seem to have turned his life around for the better, and may have committed these crimes as a minor. It is a difficult problem that will require careful consideration by a judge if Mr. Hutchins is found guilty of the charges brought against him.

3.) Exploit Goes Public for Severe Bug Affecting High-Impact Sites (September 6, 2017)


Summary: Banks, insurance companies, and Fortune 500 corporations take note: attack code has just gone public for a hard-to-patch vulnerability that hackers can exploit to take control of your website. The critical vulnerability is located in Apache Struts 2, an open-source framework that large numbers of enterprise-grade organizations use to develop customer-facing Web applications. The bug, which has been active since 2008, allows end users to execute malicious code or commands by plugging maliciously modified data into search boxes or similar features hosted on the site.

Why it matters: As we discovered six months ago with another serious Apache Struts bug, patching Struts can be a challenge because an update can break the web apps developed on the platform. For many companies, the risk to availability from a new Apache Struts patch breaking their web app is a serious consideration that may delay patching. Where extended testing is necessary, IT services for these organizations should look at additional steps to mitigate this vulnerability in the meantime, such as disabling the REST plugin.

For those tech-savvy individuals looking for more information on how this vulnerability works, and how to mitigate it while waiting to patch, Sophos has a useful article here: https://nakedsecurity.sophos.com/2017/09/06/apache-struts-serialisation-vulnerability-what-you-need-to-know/.

4.) Equifax Says Cyberattack May Have Affected 143 Million Customers (September 7, 2017)
Summary: Equifax, one of the three major consumer credit reporting agencies, said on Thursday that hackers had gained access to company data that potentially compromised sensitive information for 143 million American consumers, including Social Security numbers and driver’s license numbers. The attack on the company represents one of the largest risks to personally sensitive information in recent years, and is the third major cybersecurity threat for the agency since 2015.

Why it matters: Consumers would be wise to keep an eye on their credit scores and monitor their accounts for any suspicious activity, even after this story dies. Consumers can pull their credit report for free once a year, and many lenders now offer a free credit monitoring service.

The second article offers the details of the hack, as well as recommended steps to take in order to protect your information. The quotation by Sen. Mark Warner (D-Va) underscores the need both for standard data breach notification requirements and for a serious look at how much regulation should be placed on companies collecting large swaths of data on individuals both within and outside of the US.

5.) The DNC’s Technology Chief is Phishing His Staff. Good. (September 7, 2017)


Summary: If you are among the millions of Americans concerned about cybersecurity at the Democratic National Committee—and how could you not be?—then the home of the party’s tech braintrust might not give you much hope. The tiny, charmless office, with “DNC Tech” scribbled in dry-erase marker on the door, contains one desk and two computer monitors. Nearby, an overturned couch pokes out from an elevator shaft, a leftover from the widespread departures that followed Hillary Clinton’s defeat. And that, of course, came after intruders, believed to be tied to Russia, hacked into the DNC’s computers.

If the office itself seems lacking, the resume of its newish occupant is anything but. Raffi Krikorian, the Massachusetts Institute of Technology grad who joined the DNC as chief technology officer this summer, most recently led Uber’s Advanced Technologies Center, meaning he was responsible for getting Uber’s self-driving cars on the road in Pittsburgh. Before that, he rose through the ranks at Twitter to vice president of engineering, where he managed the infrastructure that runs the platform.

Why it matters: After the hacks against the DNC, the organization must show that it is taking steps to secure its infrastructure against future attackers. Secure log-on methods such as two-factor authentication, end-to-end encrypted messaging such as Signal, and social engineering tests of staff are signs that the DNC is on the right track, and hopefully it will be better prepared for hacking attempts in the future.

6.) Why It’s So Easy to Hack Cryptocurrency Startup Fundraisers (September 8, 2017)


Summary: This summer was punctuated by scams and hacks of “initial coin offerings,” startup fundraisers that issue coins, tokens, or cryptocurrency to anyone who wants to invest in fledgling blockchain-related companies. In mid-July, a startup called CoinDash lost $7 million dollars during its ICO after a hacker altered the address investors were sending funds to so the money went to a malicious digital wallet instead of CoinDash. Days later, at least three ICOs were affected by a bug in a cryptocurrency wallet called Parity that allowed crooks to nab $30 million. And thieves stole more than $500,000 during a fake, hacker-staged coin pre-sale for the digital financial services developer Enigma. As ICOs proliferate, there is a lot at stake for both the startups that rely on them for funding as well as the investors, many of them everyday internet users, who stand to lose millions of dollars.

Why it matters: As scams and hacks against initial coin offerings (ICOs) continue alongside the growth of this form of venture capital funding, there is little doubt that governments will begin to take more notice. We have already seen similar interest in cryptocurrencies from the IRS, which is tracking down users who attempted to evade taxes using Bitcoin (http://fortune.com/2017/08/22/irs-tax-cheats-bitcoin-chainalysis/), and China has already banned ICOs altogether. Federal regulation will no doubt follow in the future and will hopefully reduce the number of scams.