Cyber Research

Cyber News

Cyber Info


October 2017

In this issue



* Hackers are attacking power companies, stealing critical data: Here's how they are doing it

* North Korean hackers suspected of targeting Nepali bank SWIFT codes

* New EU framework allows members to consider cyber-attacks acts of war

* Millions of Networks Compromised by New Reaper Botnet

* Latest Cyber Security News


about the Cyber Security News update

The Cyber News Update is an activity of the Cyber Research Center - Industrial Control Systems and is intended to reach all cyber security professionals interested in industrial / critical infrastructure threats, protection and resilience. For more information visit the CRC-ICS website at www.crc-ics.net or www.cyber-research-center.net.


Hackers are attacking power companies, stealing critical data: Here's how they are doing it

October 23, 2017

Attackers are particularly interested in industrial control systems -- and they're still at it right now.

Hackers are continuing to attempt to gain access to the networks of nuclear power companies and others involved with critical national infrastructure, raising concerns about cyber-espionage and sabotage.

A report compiled by the FBI and US Department of Homeland Security (DHS) has warned of an ongoing hacking campaign that has seen attackers infiltrate the networks of power companies and others to steal details of their control systems, including information from control systems within energy-generation facilities.

Hackers are targeting the systems of government agencies and companies working in energy, nuclear, water, aviation, and critical manufacturing sectors, according to the report.

While it has long been known that state-backed hackers are keen to access critical infrastructure, the report provides one of the most detailed looks at how state-backed hackers are attempting to gather data on critical national infrastructure through a sophisticated and multi-stage project.

It details how hackers work their way through the supply chain for these major companies, starting by attacking small companies with low security and small networks, which are then used as a stepping stone into the networks of "major, high value asset owners within the energy sector".

DHS said these infiltration efforts are ongoing, and the attackers are "actively pursuing their ultimate objectives over a long-term campaign". It said that in some cases the hackers have successfully managed to compromise their victims' networks.

The energy sector has become an area of increased interest to cyber-attackers recently, starting with the Ukrainian blackouts in 2015 and 2016, which were blamed on hackers, plus more recent reports of attempts to infiltrate the networks of power companies in Europe and the US.

While it did not speculate on the motives of the hackers behind this most recent campaign, the report warned: "Historically, cyber threat actors have targeted the energy sector with various results, ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict. Historically, threat actors have also targeted other critical infrastructure sectors with similar campaigns."



Researchers have long warned about increased activity from hackers -- from many different countries -- probing the systems and networks of their rivals for vulnerabilities that could be exploited at a later date, and mapping out weaknesses that could be used in any potential future cyberwar conflict.

The attacks are made up of a number of stages. According to the analysis, published by the US computer emergency response team (CERT), the initial victims of the hacking campaign are suppliers with less secure networks.

DHS said the hackers appear to have deliberately chosen to target companies with an existing relationship with many of the actual intended targets, most likely discovering this through publicly available information.

The hackers are also looking for information about the network and organizational design, as well as control system capabilities, and companies often give away such sensitive information by mistake. In one instance, the hackers downloaded an apparently innocuous small photo from a publicly accessible human resources page, CERT said.

"The image, when expanded, was a high-resolution photo that displayed control systems equipment models and status information in the background."

After identifying targets, the hackers then begin a spearphishing campaign to attempt to gain details of users, which could then be used to try to crack passwords the hackers could use to masquerade as authorized users.

The attackers also used a slightly different spear-phishing email campaign against target networks. These emails carried the subject line 'AGREEMENT & Confidential' and contained a PDF document. The PDF prompted the reader to click a link should a download not begin automatically; doing so would actually download malware. All the emails referred to common industrial control systems, equipment, or process control systems, reflecting the interests of the attackers.

The campaign also used the websites of trade publications and information websites as a way to leapfrog onto the networks of the final target, by altering them to contain malicious content.

Once inside the target network, the hackers searched for file servers belonging to their intended victim, looking for files about industrial control systems, known as Supervisory Control and Data Acquisition (SCADA) systems, such as files mentioning vendor names or reference documents with names like 'SCADA Wiring Diagram' or 'SCADA panel layouts'.
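The indicators the article names lend themselves to a small detection exercise. As an added example, not code from the ZDNet article or the DHS/CERT alert, the Python script below runs two checks over constructed mail-gateway and file-server audit records: a PDF attachment arriving under the subject line 'AGREEMENT & Confidential', and one workstation reading several SCADA reference documents within a short window, which is what the file-server search described above would look like in access logs. The log format, field names, hostnames and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). Assumed format:
# "<ISO timestamp> <source> <event> key=value key="quoted value" ..."
SAMPLE_LOG = r'''
2017-10-10T08:01:12 mailgw ATTACHMENT from=ext@supplier.example to=ops1@utility.example subject="AGREEMENT & Confidential" file="Agreement.pdf"
2017-10-10T08:02:40 mailgw ATTACHMENT from=hr@utility.example to=ops1@utility.example subject="Q4 timesheets" file="timesheets.xlsx"
2017-10-10T09:15:03 fileserver READ host=WS-OPS-07 user=jdoe path="\\fs01\eng\SCADA Wiring Diagram.vsd"
2017-10-10T09:15:09 fileserver READ host=WS-OPS-07 user=jdoe path="\\fs01\eng\SCADA panel layouts.pdf"
2017-10-10T09:15:14 fileserver READ host=WS-OPS-07 user=jdoe path="\\fs01\eng\SCADA network overview.pdf"
2017-10-10T11:40:00 fileserver READ host=WS-ENG-02 user=asmith path="\\fs01\eng\SCADA panel layouts.pdf"
'''

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+) (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Indicators taken from the article; the document terms are lower-cased substrings.
LURE_SUBJECT = "agreement & confidential"
SCADA_TERMS = ("scada", "wiring diagram", "panel layout")


def parse(log_text):
    """Turn the assumed line format into dicts with a datetime 'ts' field."""
    records = []
    for line in log_text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        rec = {"ts": datetime.fromisoformat(m["ts"]),
               "source": m["source"], "event": m["event"]}
        for key, quoted, bare in KV_RE.findall(m["rest"]):
            rec[key] = quoted if quoted else bare
        records.append(rec)
    return records


def find_phishing_lures(records):
    """Flag PDF attachments whose subject matches the lure the article reports."""
    findings = []
    for r in records:
        if r["event"] != "ATTACHMENT":
            continue
        subject_hit = r.get("subject", "").strip().lower() == LURE_SUBJECT
        if subject_hit and r.get("file", "").lower().endswith(".pdf"):
            findings.append({"kind": "phishing_lure", "ts": r["ts"],
                             "from": r.get("from"), "to": r.get("to")})
    return findings


def find_scada_doc_enumeration(records, window=timedelta(minutes=10), threshold=3):
    """Flag a (host, user) that reads >= threshold distinct SCADA documents
    inside a sliding time window; a single read is normal engineering work."""
    by_actor = defaultdict(list)
    for r in records:
        path = r.get("path", "").lower()
        if r["event"] == "READ" and any(t in path for t in SCADA_TERMS):
            by_actor[(r.get("host"), r.get("user"))].append(r)
    findings = []
    for (host, user), reads in by_actor.items():
        reads.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(reads)):
            while reads[end]["ts"] - reads[start]["ts"] > window:
                start += 1
            files = {r["path"] for r in reads[start:end + 1]}
            if len(files) >= threshold:
                findings.append({"kind": "scada_doc_enumeration", "host": host,
                                 "user": user, "files": sorted(files),
                                 "first": reads[start]["ts"], "last": reads[end]["ts"]})
                break  # one finding per actor is enough
    return findings


def analyze(log_text, **kwargs):
    """Run both checks; kwargs are passed to the enumeration check."""
    records = parse(log_text)
    return find_phishing_lures(records) + find_scada_doc_enumeration(records, **kwargs)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```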

It's not entirely clear who is behind the attack. The analysis describes the hackers involved as an 'advanced persistent threat', a phrase usually used to refer to cyber-attackers with state backing. The CERT alert also references work done by security company Symantec, which refers to the attackers as 'Dragonfly' -- a group previously known as 'Energetic Bear'. Symantec said the campaign bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability.

"The group is well resourced, with a range of malware tools at its disposal and is capable of launching attacks through multiple attack vectors while compromising numerous third party websites in the process. Its main motive appears to be cyber espionage, with potential for sabotage a definite secondary capability."

The group has been blamed for attacks on the energy sector going back to at least 2011, according to Symantec. Energetic Bear is generally thought to be a Russian hacking group, but the security company also noted that while some code strings in the malware used by the group were in Russian, others were in French, "which indicates that one of these languages may be a false flag".

More worryingly, the security company noted that sabotage attacks are typically preceded by an intelligence-gathering phase where attackers collect information about target networks and systems and acquire credentials that will be used in later campaigns. The firm warned that this new campaign could mean the attackers may be entering into a new phase, "with recent campaigns potentially providing them with access to operational systems, access that could be used for more disruptive purposes in future".

Symantec's earlier report said the "most concerning evidence of this" was the use of screen captures, apparently capturing data from operational systems. The CERT report goes into more detail, noting that: "In one instance, the threat actors accessed workstations and servers on a corporate network that contained data output from control systems within energy generation facilities," and captured images from it. The CERT report also includes a number of recommendations for companies to implement to protect themselves from attack.

More info http://www.zdnet.com/article/hackers-are-attacking-power-companies-stealing-critical-data-heres-how-they-are-doing-it/

North Korean hackers suspected of targeting Nepali bank SWIFT codes

October 23, 2017

KATHMANDU: International media have reported that a few Nepali banks have become the latest to fall victim to hackers siphoning off millions of dollars by targeting the backbone of the world financial system, SWIFT.

SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, is a global financial messaging system that thousands of banks and commercial organisations across the world use to transfer billions of dollars every day.

It has been learned that the authorities of the affected banks have already requested Nepal Rastra Bank to initiate the cancellation of the fund transfers with the central banks of the other countries to which the money has recently been transferred.

The incident occurred on the day of Laxmi Puja during the Tihar Festival.

Meanwhile, it is not yet clear how, where, and how much money has been transferred from Nepali banks.

It has been learned that the SWIFT codes of NIC Asia Bank, among others, have been hacked by unknown attackers using malware planted in the banks' systems.

Despite repeated attempts, officials of the central bank and the other victim banks were unavailable for comment.

The Cable News Network (CNN) said North Korea-based hackers might have been involved in the latest hacking. It suspected that a SWIFT code similar to the one used by the group in the 2013 hacking of South Korean banks had been used again.

CNN further said that the cash-strapped nation might have used hackers to steal funds.

Earlier, a Turkish hacking group “Bozkurtlar” or “Grey Wolves” had hacked two Nepali banks, based in Kathmandu, Business Universal Development Bank and Sanima Bank.

The hackers normally exploit vulnerabilities in the systems of member banks, allowing them to gain control of the banks’ legitimate SWIFT credentials.

The hackers then use those credentials to send SWIFT funds transfer requests to other banks, which, trusting the messages to be legitimate, send the funds to accounts controlled by the attackers.

Lately, a number of developed nations have been struggling to address cyber attacks, which pose a serious threat to the global financial market.

Read more https://thehimalayantimes.com/business/swift-codes-targeted-nepali-banks-cyber-attack/

New EU framework allows members to consider cyber-attacks acts of war

October 31, 2017

A forthcoming policy framework from the EU will declare that cyber-attacks from hostile actors can be considered an act of war that under the most serious of circumstances justifies a response with conventional weapons.

The Framework on a Joint EU Diplomatic Response to Malicious Cyber Activities is intended to be a strong measure of deterrence against countries known for launching offensive cyber-operations, such as Russia and North Korea, according to UK news outlet The Telegraph, which reportedly obtained a draft of the document.

The framework reportedly will also affirm that EU member nations that suffer a cyber-attack not only can defend themselves under international law, but also are entitled to assistance from other EU governments, under Article 42(7) of the EU Treaty. Such coordinated responses would likely include diplomatic pressure, public condemnation, and sanctions.

The document will remain vague in defining the limits of coordinated aid and assistance operations; however, the Telegraph notes that the EU itself cannot wage war.

An EU source told the Telegraph that the framework "will make an attacker weigh the consequences of a cyberattack more carefully," adding that formalizing a response strategy "shows we are serious."

In a June 2017 press release, the EU's European Council announced its intention to develop the framework, noting that the EU "is concerned by the increased ability and willingness of state and non-state actors to pursue their objectives through malicious cyber-activities."

"Such activities may constitute wrongful acts under international law and could give rise to a joint EU response," the release stated. 

Nathan Wenzler, chief security strategist at security consulting company AsTech, said in an email interview that the framework is a “significant step" that "puts any aggressor nation or entity on notice that technology-based attacks can be viewed in the same way as a conventional physical attack..."

Wenzler expects that the policy could be very effective against some, but not all, malicious actors: "For aggressor nations who are still participating in the global community and have the potential for great losses should sanctions or military actions take place, this may absolutely serve as a deterrent to continue conducting cyber-attacks," said Wenzler. "However, for nations such as North Korea, who have little left to lose in the global community, this may be seen as simply another place to provoke other countries and force their hand into... having to back up what they've said they'll do if targeted by a cyber-attack."

Kenneth Geers, senior research scientist at Comodo, commended the leadership of EU, as well as NATO, in an email interview.

"The EU and NATO have begun to collaborate closely on cyber-security, in part due to the Snowden revelations, but even more so in response to Russia's invasion of Ukraine and interference in the US presidential election," said Geers, also a senior fellow with the Atlantic Council and an ambassador with the NATO Cyber Centre. "The combined power of 28 sovereign democracies, including their network security, law enforcement, and counterintelligence agencies, fundamentally changes the game in cyber-space, and bolsters deterrence, investigation, and retaliation."

More Info https://www.scmagazineuk.com/new-eu-framework-allows-members-to-consider-cyber-attacks-acts-of-war/article/703965/




Millions of Networks Compromised by New Reaper Botnet

October 24, 2017

A new and growing botnet called Reaper or IoTroop (detected by Trend Micro as ELF_IOTREAPER.A) has been found to be affecting more than one million organizations. According to security researchers from Check Point and Qihoo 360 Netlab, the botnet they discovered is more sophisticated and potentially more damaging than Mirai. Reaper actually reuses some of the code from the Mirai malware but uses a different method for compromising devices.

Mirai generally scanned open ports or took advantage of unsecured devices with default or weak passwords. Reaper is more aggressive, using exploits to take over devices and enlist them with its command-and-control server. Reports note that there are already millions of devices on standby, waiting to be processed by Reaper's C&C servers.

Reaper uses a combination of nine attacks targeting known Internet of Things (IoT) vulnerabilities. These attacks affect many popular router brands as well as IP cameras, Network Attached Storage devices, and servers.

So far the Reaper botnet hasn't been used to launch a DDoS attack, as Mirai famously did last year. But Reaper is capable of more complex attacks. It integrates a Lua (a lightweight programming language typically used for embedded systems) execution environment in the malware. This allows the operator to deliver code modules for tasks such as DDoS, traffic proxying or other attacks. The report notes that the botnet is not particularly aggressive yet, but that could change quickly and potentially cause damage on an even larger scale than Mirai.

IoT devices like IP cameras and routers are particularly susceptible to exploits. Users should check with their vendors to see if there are any available updates. They should also make it a point to regularly update all connected devices in their homes. Also, simply using a strong password will do a lot to secure IoT devices commonly targeted by hackers.

Trend Micro™ Security and Trend Micro Internet Security offer effective protection for this threat, with security features that can detect malware at the endpoint level. To protect IoT devices like home routers, security solutions like Trend Micro Home Network Security can check internet traffic between the router and all connected devices. Enterprises can use Trend Micro™ Deep Discovery™ Inspector which is a network appliance that monitors all ports and over 105 different network protocols to discover advanced threats and targeted attacks.

Read more: https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/millions-of-networks-compromised-by-new-reaper-botnet

Latest Cyber Security News

Individuals at Risk

Identity Theft

Lax Equifax security culture ignored warning entire database was exposed on Internet: Last year, a security researcher alerted Equifax that anyone could have stolen the personal data of all Americans. The company failed to heed the warning. MotherBoard, October 26, 2017

Equifax under FCA in UK investigation over data breach: The Financial Conduct Authority has launched an investigation into the US credit checking company Equifax, which had the data of almost 700,000 Britons stolen in a catastrophic data breach earlier this year. The Telegraph, October 24, 2017

Cyber Privacy

Dating apps have major security vulnerabilities that could expose users’ private information: Singles looking for love using mobile dating apps could be putting their device security at risk, experts have warned. BetaNews, October 27, 2017

Googler proves any iPhone app with camera permission can secretly record you: This is pretty disturbing. Google engineer Felix Krause has detailed an alarming privacy setting in Apple’s iOS that enables iPhone apps with camera permission to surreptitiously take photos and videos of you – without your knowledge. The Next Web, October 25, 2017

Cyber Update

Security flaw in LG IoT software left home appliances vulnerable: LG has updated its software security after researchers found flaw that left dishwashers, washing machines, air conditioners, and even a robot vacuum cleaner accessible by hackers. ZDNet, October 26, 2017

Cyber Defense

WPA2 Design Flaw. KRACK Happens: How Bad Is The Vulnerability? What To Do?: After rumors hit the wire over the weekend (possibly even Friday night), Dan Goodin for ArsTechnica broke a story about a flaw in the core Wi-Fi Protected Access II (WPA2) protocol that allows bad actors within physical range of a vulnerable device to intercept and read passwords and, as a consequence, intercept and read information crossing the Wi-Fi channel. Sample information could be e-mails, files shared, and other data transferred to and from a variety of online (a.k.a. “cloud”) services. ITSP Magazine, October 2016

Cyber Warning

Online ads redirecting browsers to malicious landing pages hosting the Terror exploit kit: Security experts are warning some “Quit Smoking” and “20 Minute Fat Loss” ads online are delivering more than sales pitches. According to researchers at Zscaler, ads are redirecting browsers to malicious landing pages hosting the Terror exploit kit. ThreatPost, October 25, 2017

Dell Lost Control of Key Customer Support Domain for a Month in 2017: A Web site set up by PC maker Dell Inc. to help customers recover from malicious software and other computer maladies may have been hijacked for a few weeks this summer by people who specialize in deploying said malware, KrebsOnSecurity has learned. KrebsOnSecurity, October 24, 2017

Fake Cryptocurrency Trading Apps Harvest Credentials and Steal Cash: Hackers are targeting users of the cryptocurrency exchange Poloniex, with two credential-stealing apps that masquerade as official mobile apps for the service. InfoSecurity Magazine, October 23, 2017

Eltima Software’s Elmedia Player and Folx Said to Be Infected With Malware: Mac owners who have recently downloaded Elmedia Player or Folx from Eltima Software may have unwittingly installed malware on their machines, reports ZDNet. MacRumors, October 20, 2017

Information Security Management in the Organization

Information Security Management and Governance

Most SMBs insufficiently concerned about their business being hacked, says Paychex survey: America’s small business owners may want to consider placing a greater emphasis on cyber awareness and best practices year-round. According to a new survey by Paychex, 68 percent of small business owners are not worried about their business being hacked. HelpNetSecurity, October 27, 2017

Cybersecurity is now top concern in third-party risk management: While concerns about third-party risk remain high – particularly regarding cyber security – 58% of organizations ranked their programs as maturing or advanced, according to NAVEX Global. HelpNetSecurity, October 27, 2017

Facebook is struggling to meet the burden of securing itself, security chief says: Facebook is struggling to live up to the responsibility it faces for adequately securing the vast amount of personal information it amasses, the social network’s top security executive said in a leaked phone call with company employees. ars technica, October 19, 2017

Cyber Defense

Strong Authentication Still Elusive for Businesses: Businesses are continuing to rely on passwords, and those that are implementing additional authentication factors are choosing outdated options like static questions and SMS codes that leave them vulnerable to data breaches. InfoSecurity Magazine, October 25, 2017

Cybersecurity in Society

Cyber Attack

Postmortem Finds NHS ‘Could Have Prevented’ WannaCry: The National Health Service in England should have been able to block the “unsophisticated” WannaCry ransomware outbreak that hit the world in May, government auditors say. But the failure of so many NHS trusts and organizations to block WannaCry means that unless substantial cybersecurity improvements get made, the NHS will remain easy pickings for online attackers (see British Security Services Tie North Korea to WannaCry). BankInfoSecurity, October 27, 2017

EternalRomance Exploit Found in Bad Rabbit Ransomware: One day after clear ties were established between the Bad Rabbit ransomware attacks and this summer’s NotPetya outbreak, researchers at Cisco today strengthened that bond disclosing that the leaked NSA exploit EternalRomance was used to spread the malware on compromised networks. ThreatPost, October 26, 2017

BadRabbit Attack Appeared To Be Months In Planning: Repeat question from this year’s NotPetya outbreak: Who’s gunning for Ukraine and how many organizations in other countries will be caught in the crossfire? BankInfoSecurity, October 27, 2017

Cyber Warning

Hackers target security researchers with malware-laden document: State-backed hackers are trying to deliver malware to people interested in cybersecurity, using malicious documents about a real conference as a lure. ZDNet, October 23, 2017

APT28: A complex Mac virus that may signal the shape of tomorrow’s malware: Macs are the go-to device for professionals and high-level officials the world over. Beautifully designed, extremely optimized for performance, and tagged with a price that reflects a premium product, Macs are more than a tool – they are a statement. In keeping with this reputation, you would not expect malware designed for Macs to be the run-of-the-mill, easy-to-block creations we see on other platforms. Advanced Mac threats cost a fortune to develop— but when they hit the designated target, it’s jackpot for the cyber-criminals. MacWorld, October 17, 2017

Reaper: Calm Before the IoT Security Storm?: It’s been just over a year since the world witnessed some of the world’s top online Web sites being taken down for much of the day by “Mirai,” a zombie malware strain that enslaved “Internet of Things” (IoT) devices such as wireless routers, security cameras and digital video recorders for use in large-scale online attacks. KrebsOnSecurity, October 23, 2017

Know Your Enemy

Dark Web Marketplaces’ New Home: Mobile Messaging Apps: Telegram, Discord, Whatsapp grow in popularity as criminals look for more alternatives to fly under the radar. DarkReading, October 26, 2017

Cyber Privacy

Bermuda law firm warns rich clients of Panama Papers-style data breach: 120-year-old law firm admits that it’s been busted and sensitive documents spilled to investigative journalists. Computing, October 26, 2017

Cyber Freedom

Georgia E-voting Server Wiped Clean after Lawsuit Challenges Reliability & 6th District Race Outcome: (APN) ATLANTA — A new revelation has sent shockwaves statewide and may be the final nail in the coffin of Georgia’s faith-based electronic voting regime. Atlanta Progressive News, October 27, 2017

Twitter bans ads from RT and Sputnik over election interference: Twitter has announced that it will stop taking advertising from all accounts owned by RT and Sputnik, effective immediately, as US lawmakers continue to investigate the impact of foreign-sponsored fake news on the 2016 election. The Guardian, October 26, 2017

Massive 30-state voter registration database has major security flaws. Info on 100 million exposed: For several years, a nationwide voter-fraud prevention coalition has been using poor security methods in sending and storing millions of voter registration records, according to an advocacy group’s examination of official emails pertaining to the program. CyberScoop, October 24, 2017

Cybersecurity essential to protecting our economy, democracy, and way of life, says Google exec: In November 2014, the Guardians of Peace — a group affiliated with the North Korean government — hacked Sony Pictures because the studio was planning to release “The Interview,” a movie they felt insulted their CNN, October 20, 2017

Financial Cybersecurity

Unpatched Bugs Rampant on Mobile Devices in Financial Services Firms: More than a quarter of mobile devices used by financial services employees carry known vulnerabilities, according to a recent report. DarkReading, October 23, 2017

North Korean hackers suspected of targeting Nepali bank SWIFT codes: Cybercriminals used stolen SWIFT codes to transfer money from multiple Nepali banks on Oct. 19, 2017. SC Magazine, October 23, 2017

Cyber Medical

Hackers Can Exploit Zoom Latitude Medical Device to Access Patient Information, Feds Advise: (TNS) — The Department of Homeland Security said a medical device from Boston Scientific called the Zoom Latitude programmer, used by doctors to communicate with implanted pacemakers and defibrillators, can be exploited by computer hackers to give out patients’ personal health information. GovTech, October 26, 2017

Critical Infrastructure

Hackers are attacking power companies, stealing critical data: Here’s how they are doing it: Attackers are particularly interested in industrial control systems — and they’re still at it right now. ZDNet, October 23, 2017





The content of this CRC-ICS Cyber News Update is provided for information purposes only. No claim is made as to the accuracy or authenticity of the content of this news update or incorporated into it by reference. No responsibility is taken for any information or services which may appear on any linked websites. The information provided is for individual expert use only.



Founded in 2015, the Cyber Research Center - Industrial Control Systems is a not-for-profit research and information-sharing center working on the future state of physical and cyber protection and resilience. CRC-ICS's goals are to inform industries and critical infrastructures about the fast-changing threats they face and the measures, controls and techniques that can be implemented to be prepared to deal with these cyber threats.



Cyber Research Center - Industrial Control Systems. 2017

www.crc-ics.net or www.cyber-research-center.net