Cyber Research

Cyber News

Cyber Info


AUGUST, 2017

In this issue

*         Maersk Previews NotPetya Impact: Up to $300 Million

*         Self-Driving Cars Can Be Hacked By Just Putting Stickers On Street Signs

*         Updates to Sofacy, Turla Highlight 2017 Q2 APT Activity

*         Customers 'furious' with TNT after cyber-attack meltdown

*         Latest Cyber Security News

about the Cyber Security News update

The Cyber News Update is an activity of the Cyber Research Center - Industrial Control Systems and is intended to reach out to all Cyber Security Professionals interested in industrial / critical infrastructure threats, protection & resilience. For more information visit the CRC-ICS website at www.crc-ics.net or www.cyber-research-center.net


Maersk Previews NotPetya Impact: Up to $300 Million

August 17, 2017


Danish shipping giant A.P. Møller - Maersk faces a loss of up to $300 million as a result of the NotPetya global malware outbreak.


After NotPetya infected systems at Maersk, the world's biggest shipping firm had to reroute ships and was unable to dock or unload cargo ships in dozens of ports.

"In the last week of the quarter we were hit by a cyberattack, which mainly impacted Maersk Line, APM Terminals and Damco," Maersk CEO Søren Skou, said in an interim report issued Wednesday. "Business volumes were negatively affected for a couple of weeks in July. We expect that the cyberattack will impact results negatively by $200-$300 million."

The malware known as NotPetya - aka SortaPetya, Petna, ExPetr, GoldenEye, Nyetya, Diskcoder.C - hit organizations beginning June 27. Cyber police in Ukraine, as well as such security firms as Cisco Talos, ESET, Microsoft and Symantec, have said the attacks were facilitated by a "cunning backdoor" added to widely used accounting software (see NotPetya Patient Zero: Ukrainian Accounting Software Vendor).

From there, NotPetya spread to businesses with Ukraine-based offices or business partners, in part by targeting an SMB flaw that Microsoft had patched prior to the NotPetya outbreak. But NotPetya could also spread via two legitimate Windows tools - PsExec and Windows Management Instrumentation - as well as use the open source Mimikatz tool to attempt to steal passwords from infected systems (see Ransomware Smackdown: NotPetya Not as Bad as WannaCry).

Ukraine Hit Hard

Organizations in Ukraine, including government agencies, appear to have experienced the brunt of NotPetya infections. The Ukrainian government has yet to detail in full the costs, outages or cleanup - some of which likely continues. But it has blamed the attack on Russia.

After Ukraine, Russia, Poland, Italy and Germany appeared to suffer the greatest number of related infections, according to security firm Kaspersky Lab.

Organizations around the world, however, were disrupted. They include Britain's WPP, the world's biggest advertising agency; Russian oil giant Rosneft; international law firm DLA Piper; and French construction materials company Saint-Gobain.

Numerous U.S.-based organizations also reported disruptions, including snacks business Mondelez, whose brands include Oreos, Cadbury and Toblerone; pharmaceutical giant Merck; and Pennsylvania-based Heritage Valley Health System.

Maersk Lauded for Crisis Communications

Unlike some, however, Maersk has been ultra-transparent about its NotPetya disruptions and cleanup efforts. The company first warned on June 28 that it had been hit by NotPetya and has continued to issue regular updates.

Mikko Hypponen, chief research officer of Finnish security firm F-Secure, last month said Maersk exemplifies the right way to handle crisis communications. Its choice to emphasize transparency also stands in sharp contrast to how many firms, even publicly traded ones, choose to handle post-attack communications with customers or users, whether as a result of NotPetya or other incidents (see Breach Transparency Kudos to Hacked Kiosk Maker).

    Crisis communication experts, take note. The Maersk case is going to be textbook material on how to do it right. #Petya https://t.co/byyg2MBLoO

    Mikko Hypponen (@mikko) July 12, 2017

More Cleanup Costs Come to Light

While Maersk may be on the leading edge of communicating its NotPetya incident response efforts, further details about other organizations' disruptions and incident response efforts continue to come to light.

More info https://www.bankinfosecurity.com/maersk-previews-notpetya-impact-up-to-300-million-a-10203

Self-Driving Cars Can Be Hacked By Just Putting Stickers On Street Signs

August 7, 2017

Car hacking is a hot topic, though it’s not new for researchers to hack cars. Previously they had demonstrated how to hijack a car remotely, how to disable a car’s crucial functions like airbags, and even how to steal cars.

But the latest car hacking trick doesn’t require any extraordinary skills to accomplish. All it takes is a simple sticker placed on a sign board to confuse a self-driving car and cause an accident.

Isn’t this so dangerous?

A team of researchers from the University of Washington demonstrated how anyone could print stickers at home and put them on a few road signs to convince “most” autonomous cars to misidentify road signs and cause accidents.

According to the researchers, the image recognition systems used by most autonomous cars fail to read road signs if the signs are altered by placing stickers or posters over part or all of the sign board.

In a research paper, titled “Robust Physical-World Attacks on Machine Learning Models,” the researchers demonstrated several ways to disrupt the way autonomous cars read and classify road signs using just a colour printer and a camera.

By simply adding “Love” and “Hate” graphics onto a “STOP” sign (as shown in the figure), the researchers were able to trick the autonomous car’s image-detecting algorithms into thinking it was just a Speed Limit 45 sign in 100 percent of test cases.

The researchers also performed the same exact test on a RIGHT TURN sign and found that the cars wrongly classified it as a STOP sign two-thirds of the time.

The researchers did not stop there. They also applied smaller stickers to a STOP sign to camouflage the visual disturbances, and the car identified it as street art 100 percent of the time.

“We [think] that given the similar appearance of warning signs, small perturbations are sufficient to confuse the classifier,” the researchers told Car and Driver. “In future work, we plan to explore this hypothesis with targeted classification attacks on other warning signs.”

The sign alterations in all the experiments performed by the researchers were small enough to go unnoticed by humans, but since the camera’s software relied on an algorithm to interpret the image, it read the sign in a profoundly different way.

This small alteration to the signs could result in cars skipping junctions and potentially crashing into one another.

Read more http://thehackernews.com/2017/08/self-driving-car-hacking.html

Updates to Sofacy, Turla Highlight 2017 Q2 APT Activity

August 8, 2017

Attackers behind advanced persistent threat campaigns have kept busy over the past several months, adding new ways to bypass detection, crafting new payloads to drop, and identifying new zero days and backdoors to help them infect users and maintain persistence on machines.

Juan Andres Guerrero-Saade and Brian Bartholomew, members of Kaspersky Lab’s Global Research and Analysis Team, described some of the tactics the researchers have seen in Q2 2017 in a webinar Tuesday morning. The company used the webinar and the quarterly report it was based on to help pull back the veil on threats previously covered by its private intelligence reporting service.

A chunk of the presentation was spent recapping tweaks recently made by Russian-speaking groups Sofacy and Turla.

Sofacy, the group that a December DHS report implicated in election hacks, began using two new macro techniques in April. One abused Windows’ certutil utility to extract payloads, the first time the researchers had seen that technique used; another embedded payloads in the EXIF metadata of malicious Office documents.

“After we started digging into this we found that they were actually using this technique dating back to December 2016,” Bartholomew said, adding that what made the techniques interesting is that they were used to target French political party members prior to the French election on April 23 and May 7.

In June, the researchers noticed that Sofacy had updated a payload, written in Delphi, called Zebrocy. The new iteration, version 5.1 of Zebrocy, implemented new encryption keys and minor string obfuscations, something which helps it bypass detection capabilities, Bartholomew said.

Bartholomew said the researchers were able to tie Zebrocy to Sofacy in mid-2016.

“There were some infrastructure ties there,” Bartholomew said, “There was also another payload called Delphocy that was also written in Delphi. In late 2015 we started seeing Delphi payloads pop up from this group, which we hadn’t seen before. We don’t know why that’s the case, it could be that they hired a developer who just refuses to write anything but Delphi. Either way, once Zebrocy was discovered, it was found in parallel to another Sofacy infection, once we started digging into it there was a little bit of shared code in the Delphi—compared to the other Delphocy payload—and ties to the infrastructure to Sofacy.”

Earlier this spring researchers said they were able to make a potential link between Turla, the APT linked to Moonlight Maze at SAS earlier this year, and Sofacy. Like Sofacy was doing around the same time, Turla was spotted using an EPS zero day (CVE-2017-0261) to target foreign ministries and governments.

“What’s interesting about that is that it may actually indicate a shared supply chain between Turla and Sofacy,” Bartholomew said.

Bartholomew also took time on Tuesday to discuss BlackOasis, a Middle Eastern-speaking group that’s believed to be a client of Gamma Group, the UK-based firm that specializes in surveillance and monitoring equipment, such as FinFisher.

He claims the group, which he’s spent the better chunk of a year and a half researching, has been spotted using several zero days in the past, including CVE-2016-4117, CVE-2016-0984, and CVE-2015-5119. Bartholomew says that what makes it interesting is that the group was the first seen using CVE-2017-0199, an OLE2Link zero-day, in the wild before it was detected. The exploit’s end payload, he adds, is a new variant of FinSpy heavily fortified to prevent analysis by researchers.

“We’re currently trying to look into that, write some decryptors for it and will probably write another report on that in the next couple of months,” Bartholomew said.

Citing their technical sophistication and development, Guerrero-Saade was eager to discuss a crop of English speaking APT actors, including those behind an Equation Group backdoor, EQUATIONVECTOR. While the backdoor has been around since 2006, Guerrero-Saade said what makes it interesting is the fact that it’s the first example of a NOBUS—NObody But US backdoor—they’ve seen in the wild. The backdoor, a passive and active staging backdoor, could be used to execute shellcode payloads, according to the researcher.

Another backdoor, Gray Lambert (an extension of the Lamberts APT group’s toolset), is a much more modern implementation, Guerrero-Saade said. It waits, sleeps, and sniffs the network until it’s ready to be used.

“What makes this NOBUS backdoor particularly interesting is that it provides attackers with a sort of surgical precision over a network of multiple infected machines,” Guerrero-Saade said. “With Gray Lambert installed on these machines [attackers] can essentially decide how they’re going to space their payloads, their commands and attacks.”

The researchers suggest that users should expect more of the same tactics, techniques, and procedures (TTPs) from APT groups going forward. It’s likely countries that have upcoming elections, Germany and Norway for example, will become targets for misinformation campaigns like the one mounted by the Sofacy group. Controversial lawful surveillance tools, like those peddled by the Gamma Group to BlackOasis and those sold by the NSO Group to the Mexican government, will remain popular as well, Guerrero-Saade and Bartholomew said.

The trend of destructive malware disguised as ransomware will likely continue as well, Guerrero-Saade says, but admits it’s a curious question whether or not the technique will ever be embraced by cybercriminals.

“We’ve been talking about incompetent people entering the ransomware space for quite some time now,” Guerrero-Saade said. “We’re going to see people who are poor coders and won’t even bother to buy an already prepared kit, just essentially trying to leverage something that deletes all the files, or doesn’t do anything but tries to get money out of naïve or unsuspecting victims. The notion of wipers as ransomware is quite different. It’s an interesting phenomenon.”

“Sabotage attacks and wiper attacks are a strange occurrence, they don’t happen that often. I think over the past 10 years we’ve looked at 10 cases tops. They’re very rare components. For the most part I think it has to do with the level of access that you’re burning whenever you use them,” Guerrero-Saade said, “If you’re a cyberespionage actor, if you have access to a network at that point, a Sony or Saudi Aramco, where you can target thousands of machines, the idea of burning that loudly, raising the security profile of the organization as a whole and creating public fallout is extremely costly. It’s a strange circumstance where the calculus pays off.”

While it may not be a popular technique for cybercriminals on a lower level, Guerrero-Saade said, it’s not out of the realm of possibility for APT gangs to continue to use the vector to create havoc.

“Let’s say we have all the means for a sabotage attack and we want to disguise it as ransomware or as something potentially treatable, it’s not necessarily that different from what the Lazarus Group did with Sony, or some other South Korean targets, where first they asked for money and then dumped data anyways. It’s an evolution that’s particularly troubling,” Guerrero-Saade said.

More Info https://threatpost.com/updates-to-sofacy-turla-highlight-2017-q2-apt-activity/127297/
Customers 'furious' with TNT after cyber-attack meltdown

August 9, 2017


When Leah Charpentier ordered a vintage coffee table, on 8 June - a birthday present for her brother - she didn't think it would take more than six weeks to be delivered.

She also didn't expect for the furniture to arrive with one of its casters broken off.

This particular coffee table was just one of hundreds of thousands of items caught up in an extraordinary meltdown at courier TNT, which was badly affected by the NotPetya cyber-attack that hit many companies around the world on 28 June.

Businesses in Ukraine were hit hardest, and since many TNT operations and communications are based in the country, a significant proportion of its systems were infiltrated and data encrypted - locking employees out - as a result.

"Manual processes" are still being used to put packages through the system, and TNT says it is "reasonably possible" that some information will never be fully recovered.

The BBC has spoken to several customers who have had exasperating experiences with the courier, which is owned by FedEx.

Small businesses have been affected too - some say they have lost thousands of pounds because of missing or waylaid shipments.

And a source close to FedEx and TNT operations in Europe has told the BBC that depots have been pushed to their limit while both companies continue to try to get the backlog of packages under control.


Ms Charpentier's table faced the disruption of the cyber-attack after its initial delivery had been delayed because of its size.

But when it arrived late to its destination in London following the extended delay, her brother was not expecting the delivery and so was out at the time. The furniture was shipped back to Rome and then sent out again via another courier, DHL.

Ms Charpentier still doesn't know who is responsible for the broken leg, but because of the confusion and the fact that the table was sent back to Italy without TNT contacting her first, she says: "I'm still furious at TNT."

Total shipping costs were 150 euros (£135), and Ms Charpentier says she might have to spend a further 180 euros to get the furniture repaired.

Since the cyber-attack, FedEx itself has been processing large volumes of orders as a contingency, but the BBC understands that this has put a huge strain on the company's infrastructure.

A source with knowledge of operations in Europe says that until very recently some depots were finishing the day with tens of thousands of packages still waiting to be processed, instead of just a handful as usual.

"They didn't have enough loading units to face this," the source says. "It was crazy."

The source adds that some physical hardware - such as conveyor belts - was having to be fixed much more frequently than usual because of the stress caused by increased volumes.

And at one point, staff had to use WhatsApp Messenger for internal communications as company email was inaccessible, the source adds.

'Medical supplies delayed'

The sheer range of customers affected by the breakdown in operations at TNT is staggering - some were left distraught as critical supplies were held up in transit.

"We have urgent air freight stuck at Stansted [airport]," wrote one woman on the courier's Facebook page, "medical equipment required in theatres."

In another case, TNT narrowly missed depriving a bride of her dress on her wedding day, according to the staff at Dolly Blue Bridal Studios in Shrewsbury.

"It was just a complete nightmare," says Adele Nortcliffe.

After many calls to trace missing deliveries, TNT eventually sent an overnight courier to deliver the dress.

"We got a dress on the Thursday and the wedding was on the Saturday," Ms Nortcliffe adds.

Others haven't been so lucky.

Mark Hammersley runs Staffordshire Wrought Iron, a small business that makes gates and other metal fittings.

"We lost £900 on Monday," he says, describing how customers who are unable to track orders - a side-effect of the IT issues - have been able to claim refunds via PayPal but also keep their items if they do arrive.

Despite having used TNT for six years, Mr Hammersley says he is now planning to switch couriers.

The list of cases goes on. One student told the BBC that after their computer had broken they ordered new memory to fix it so they could finish an assignment on time.

When it was delayed, they had to borrow a friend's laptop to meet the deadline.

And one man waited a month for a shower screen that was supposed to arrive within five days - it materialised only after a series of poorly co-ordinated delivery attempts.

It's nearly a month and a half since NotPetya struck, but TNT has still not recovered operations.

The last update from the company was published on 17 July. It said all TNT depots, hubs and facilities were operational, but added: "Customers are still experiencing widespread service and invoicing delays, and manual processes are being used to facilitate a significant portion of TNT operations and customer service functions.

"We cannot estimate when TNT services will be fully restored."

A spokesman for an online cycling retailer told the BBC it was shipping freight beyond Europe via another courier, as TNT had said only deliveries within the EU could be processed.

After the BBC contacted TNT for comment on 7 August, the company sent through some lines copied almost verbatim from its 17 July notice, adding: "We cannot express strongly enough how much we appreciate our customers' patience and understanding through this period."

Read more: http://www.bbc.com/news/technology-40861982

Latest Cyber Security News

Individuals at Risk

Cyber Privacy

Cars Suck Up Data About You. Where Does It All Go?: Automakers, local governments, retailers, insurers and tech companies are looking to leverage the data that cars generate. New York Times, July 27, 2017

Cyber Warning

New Android malware records calls, intercepts texts, and steals credit card info: A new version of Faketoken was identified by Kaspersky and poses a huge threat to anyone who stores bank card information for in-app purchases. TechRepublic, Aug 18, 2017

Repairing your smartphone? Replacement parts can hijack phone security, steal passwords: Booby-trapped touchscreens can log passwords, install malicious apps, and more. Ars Technica, Aug 18, 2017

Information Security Management in the Organization

Information Security Management and Governance

HBO Hack Illustrates That It’s Hard to Tell Exactly What’s Been Compromised: There may be much more missing than the headlines suggest. Robert Braun, SecureTheVillage Leadership Council, Cybersecurity Lawyer Forum, Jeffer Mangels Butler & Mitchell, Aug 17, 2017

Cyber Warning

New Survey Finds Failure to Remove Access from ex-Employees a Major Contributor to Breaches: Businesses drive the risk for data breaches when they fail to terminate employees’ access to corporate apps after they leave. DarkReading, Aug 18, 2017

Cyber breach at shipper illustrates dangers of business email compromise: Weak defences are leaving cargo vessels vulnerable to cyber-attacks, say experts. BBC, Aug 18, 2017

Cyber Defense

The importance of network segmentation as a key network security strategy: Cybercrime is getting worse. Keep your company safe by following the latest recommendations in network security. Inc, August 18, 2017

Caution advised with information security surveys: Cybersecurity reports based on answers from respondents often produce misleading or inaccurate statistics, and they can lead to industry confusion. CSO, August 15, 2017

Cyber Update

Cybercriminals found exploiting a vulnerability that Microsoft patched in April. Update now!!!: Attackers are targeting companies, and their goal is to get their hands on information that will allow them to steal money from the victims’ accounts. HelpNetSecurity, Aug 18, 2017

Cyber Law

Developments in New York and Colorado Cybersecurity Regulations: For the first time since New York’s Cybersecurity Regulation (23 NYCRR Part 500) became effective on March 1, 2017, the Department of Financial Services (DFS) has issued Frequently Asked Questions to assist Covered Entities in their compliance and provide guidance into the DFS’s interpretation and enforcement of its newly adopted regulation. National Law Review, Aug 18, 2017

Cyber Security in Society

Cyber Crime

Maersk says impact of NotPetya may be as much as $300 Million: Danish shipping giant A.P. Møller – Maersk faces a loss of up to $300 million as a result of the NotPetya global malware outbreak. BankInfoSecurity, Aug 17, 2017

Cyber Privacy

Justice Department wants data on anti-Trump protesters. An L.A. tech firm is resisting: Los Angeles tech company is resisting a federal demand for more than 1.3 million IP addresses to identify who visited a website set up to coordinate protests on President Trump’s Inauguration Day — a request whose breadth the company says violates the Constitution. LA Times, Aug 15, 2017

Cyber Attack

Inside the New York hospital hackers took down for six weeks (video): The medical industry is the new No. 1 target for hackers. CBS News, Aug 18, 2017

Cyber Defense

Amazon Macie automates cloud data protection with machine learning. Can it catch Microsoft and Google?: Amazon promises AWS S3 customers that they will be able to identify and protect sensitive data faster with Macie, but is it enough to catch up to what Microsoft and Google offers? CSO, Aug 17, 2017

LA launches public-private CyberLab to share threat information with region’s businesses: The new tech platform and public-private partnership aims to protect critical IT infrastructure and aid businesses to fight cyberattacks in real time. StateScoop, Aug 16, 2017

Know Your Enemy

Microsoft cloud cybersecurity attacks up 300% in last year, report says: In volume 22 of Microsoft’s Security Intelligence Report, the Redmond giant outlined some of the biggest cyberthreats facing its users. TechRepublic, Aug 18, 2017

Cyber Freedom

In Ukraine, a Malware Expert Who Could Blow the Whistle on Russian Hacking: For the first time, an actual witness has emerged in the hack of the Democratic National Committee, and he has been interviewed by the F.B.I. New York Times, Aug 16, 2017

Did New York Times get the story wrong about Ukraine malware expert: It’s a good read, as long as you can ignore that the premise of the piece is completely wrong. KrebsOnSecurity, Aug 18, 2017

Unprotected Backup of Chicago Voter Roll Found in Cloud. 1.8 Million Voter Records At-Risk: Voter registration data belonging to the entirety of Chicago’s electoral roll—1.8 million records—was found a week ago in an Amazon Web Services bucket configured for public access. ThreatPost, Aug 18, 2017

National Cybersecurity

Russian-Speaking APT Group Said to Be Engaged in G20 Themed Attack: Turla, a long operating advanced persistent threat group (APT) with presumed ties to the Russian government, appears to be actively targeting G20 participants and those interested in its activities including policymakers, member nations and journalists. DarkReading, Aug 18, 2017

Cyber Government

Annual cybersecurity review for state and local government approaches: Non-federal agencies still ride low on the maturity benchmark, but the increased political attention around cybersecurity could improve results in the coming survey period. StateScoop, Aug 18, 2017

Cyber Medical

Commentary: Why information security is a patient safety issue: Cybersecurity requires strategy to succeed and that means putting your priorities in the right place. CISOs and other infosec pros must up their game to make protecting patients the top concern. Healthcare IT News, Aug 15, 2017


The content of this CRC-ICS Cyber News Update is provided for information purposes only. No claim is made as to the accuracy or authenticity of the content of this news update or incorporated into it by reference. No responsibility is taken for any information or services which may appear on any linked websites. The information provided is for individual expert use only.
Founded in 2015, the Cyber Research Center - Industrial Control Systems is a not for profit research & information sharing research center working on the future state of Physical & Cyber Protection and Resilience. CRC-ICS goals are to inform industries / critical infrastructures about the fast changing threats they are facing and the measures, controls and techniques that can be implemented to be prepared to deal with these cyber threats.
Cyber Research Center - Industrial Control Systems. 2017

www.crc-ics.net or www.cyber-research-center.net