Thursday, June 29, 2017

Cyber Updates - 29th June 2017

Well it was a relatively quiet few weeks, until it wasn't....

Here are some of the key stories that stuck out from the last few weeks.

The #NotPetya/Nyetya worm

We have already written at length about ransomware and about this specific attack. This worm hit a number of different companies, appearing like ransomware but in practice having no effective decryption mechanism. It appears to have originated from a breached Ukrainian software house from where it was distributed as part of a forged updates file. Once it infected a machine, it spread throughout the network using both the EternalBlue exploit but also by dumping passwords and reusing them on other networked machines via psexec and wmic. This blog post gives a good overview of why this attack should be especially concerning for blue-teamers.

Key takeaways:

  • More impetus to apply the MS17-010 if somehow this has not yet been done.
  • Reportedly, the malware spread incredibly fast so detection solutions maybe not have been enough in this case. Frequent, robust and offline backups would have been crucial for recovery.
  • The malware traversed networks in the same way as manual attackers. It's important to use different local passwords on all endpoints and segment the network as much as possible.

Malware that attacks power-grids

Dragos Inc who specialise in Industrial Control System (ICS) security and ESET released a report with detailed information about malware they have observed in the wild targeting power grid networks. They have seen this malware on attacks in the United States, Europe and Ukraine.

Key takeaways:

  • If you run industrial control networks, reading this report will provide valuable information for better protecting your network.
  • Even if you are not an ICS company, it is still important to consider what similar elements may exist in your environment, e.g. smart building components.

Threats from your routers

Wikileaks have alleged that the CIA have the capability to infect routers with malware and intercept sensitive traffic. Similarly, researchers from Ben Gurion University demonstrated a technique of exfiltrating sensitive data using the LEDs on a router.

Key takeaways:

  • Whilst neither of these threats may be particularly realistic for most company's threat models, it is important to consider the risk from all devices in the technology environment.
  • This is especially important in the "Internet of Things(IoT) age" where so many regular items have computers inside.

From weak password to RCE

This week’s nice hack is documented at the “” blog. The author found an external facing messaging server with a weak password and then reverse engineered the product to find a vulnerability which led to remote code execution.

Key takeaways:

  • Ensure that as little as possible is externally exposed. Consider mitigating controls where this is necessary.
  • Make sure external services in particular are kept up to date.
  • Make sure your security planning includes the “0 day” scenario

Josh Grossman
Senior Information Security Consultant and Team Leader