U.S. Government issues alerts about malware and IP addresses linked to North Korean cyber attacks

US-CERT, the Department of Homeland Security team responsible for analyzing cybersecurity threats, has posted a warning about cyber attacks by the North Korean government, which it collectively refers to as “Hidden Cobra.” The technical alert from the FBI and Department of Homeland Security says a remote administration tool (RAT) called FALLCHILL has been deployed by Hidden Cobra since 2016 to target the aerospace, telecommunications and finance industries.

FALLCHILL allows Hidden Cobra to issue commands to a victim’s server by dual proxies, which means it can potentially perform actions like retrieving information about all installed disks, accessing files, modifying file or directory timestamps and deleting evidence that it’s been on the infected server.

The FBI and Department of Homeland Security also posted a list of IP addresses linked to Hidden Cobra. The FBI says it “has high confidence” that those IP addresses are linked to attacks that infect computer systems with Volgmer, a Trojan malware variant used by Hidden Cobra to target the government, financial, auto and media industries.

For more details, read here.

Author: Catherine Shu

What is BAD RABBIT? Ransomware paralyzes train stations, airports and media in Russia and Europe

“An advanced cyberattack has hit media outlets and infrastructure in Russia, Ukraine and Eastern Europe, causing mass disruption.

Cybersecurity researchers from Kaspersky described the malware, dubbed Bad Rabbit, in a blogpost on Tuesday, October 24. They explained how the previously unknown malware takes control of computer systems and encrypts data so that people can’t access it.

Security researchers are comparing the Bad Rabbit ransomware to WannaCry, which disabled 300,000 computers earlier this year.

“Currently, it’s unclear as to whether or not Bad Rabbit will be able to reap the same damage as WannaCry, but undoubtedly businesses will be holding their breath,” Jamie Graves, CEO of security firm ZoneFox, said in an email to Newsweek. “This highlights the need for a robust security posture, based on both technology and education.”

Victims of the Bad Rabbit ransomware include the Kiev Metro and Odessa International Airport in Ukraine, as well as Russian news agency Interfax and other media organisations.”

For more details, read here.

Author: Anthony Cuthbertson

Canadian firm pays $425,000 to recover from ransomware attack

“A major Canadian company was forced to pay $425,000 in Bitcoin over the weekend to restore its computer systems after suffering a crippling ransomware attack that not only encrypted its production databases but also the backups as well.

“They literally had no choice but to pay” because the backups were frozen, said Daniel Tobok, CEO of forensics firm Cytelligence, which is helping with the investigation.

Tobok wouldn’t identify the company for reasons of confidentiality. He believes it to be the largest ransomware payment in Canada to date. By comparison, last month a South Korean Web hosting firm reportedly paid the equivalent of US$1 million in ransomware, believed to be the biggest publicly reported payment so far in the world.

Although the forensic investigation is in its early stages, the attack was very sophisticated. It started with spear phishing targeting six senior company officials who were sent a PDF attachment with a malicious payload.

Staff apparently fell for two old ploys: Two of the messages purported to be from a courier company and told recipients the attachments were invoices for packages to be picked up, while the other messages asked officials to open and print the attached document. That led to the insertion of malware.”

Read more details here.

Author: Howard Solomon

Hackers Have Been Targeting US Nuclear And Power Plants, And Russia Is Reportedly Suspected

“Hackers believed to be working for a foreign government have recently penetrated the computer networks of power plants across the US, including a nuclear facility in Kansas, according to reports published Thursday.

Security specialists have been responding to attacks at various nuclear power and energy facilities since May, according to an urgent joint report issued June 28 by the Department of Homeland Security and the FBI and obtained by the New York Times.

In a statement to BuzzFeed News, the two agencies said they “are aware of a potential cyber intrusion affecting entities in the energy sector, but there is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks.”

At least a dozen power plants were affected by the attacks, including the Wolf Creek nuclear facility in Kansas, the reports said. The hackers behind the effort are believed to be working for a foreign government, the chief suspect being Russia, sources told Bloomberg.

A DHS spokesperson would not comment on where the attacks came from and how any facilities were compromised.

Wolf Creek said that while it cannot publicly comment on security issues, its operational controls had not been affected and that the plant is operating safely.”

Read more details here.

Author: Brianna Sacks

The Petya ransomware is starting to look like a cyberattack in disguise

“The haze of yesterday’s massive ransomware attack is clearing, and Ukraine has already emerged as the epicenter of the damage. Kaspersky Labs reports that as many as 60 percent of the systems infected by the Petya ransomware were located within Ukraine, far more than anywhere else. The hack’s reach touched some of the country’s most crucial infrastructure including its central bank, airport, metro transport, and even the Chernobyl power plant, which was forced to move radiation-sensing systems to manual.

The ostensible purpose of all that damage was to make money — and yet there’s very little money to be found. Most ransomware flies under the radar, quietly collecting payouts from companies eager to get their data back and decrypting systems as payments come in. But Petya seems to have been incapable of decrypting infected machines, and its payout method was bizarrely complex, hinging on a single email address that was shut down almost as soon as the malware made headlines. As of this morning, the Bitcoin wallet associated with the attack had received just $10,000, a relatively meager payout by ransomware standards.

It leads to an uncomfortable question: what if money wasn’t the point? What if the attackers just wanted to cause damage to Ukraine? It’s not the first time the country has come under cyberattack. (These attacks have typically been attributed to Russia.) But it would be the first time such an attack has come in the guise of ransomware, and has spilled over so heavily onto other countries and corporations.

Because the virus has proven unusually destructive in Ukraine, a number of researchers have come to suspect more sinister motives at work. Peeling apart the program’s decryption failure in a post today, Comae’s Matthieu Suiche concluded a nation state attack was the only plausible explanation. “Pretending to be a ransomware while being in fact a nation state attack,” Suiche wrote, “is in our opinion a very subtle way from the attacker to control the narrative of the attack.””

Read more details here.

Author: Russel Brandom

Unprotected server leaves 3 million WWE fans’ personal data vulnerable: report

“An employee of German security firm Kromtech uncovered an unprotected WWE database containing more than 3 million users’ personal information, according to a report published Thursday by Forbes.

The data was stored on an Amazon server without any username or password protection, Forbes reported, and was accessible to anyone who knew which web address to search.

Displayed in easily readable plain text, users’ home and email addresses, birthdates, ethnicities, children’s age ranges and genders were included in the leak, Forbes said, among other information.

“Although no credit card or password information was included, and therefore not at risk, WWE is investigating a vulnerability of a database housed on Amazon Web Services (AWS), which has now been secured,” a WWE spokesperson said in a statement.

“WWE utilizes leading cyber security firms Smartronix and Praetorian to manage data infrastructure and cybersecurity and to conduct regular security audits on AWS. We are currently working with Amazon Web Services, Smartronix and Praetorian to ensure the ongoing security of our customer information,” the spokesperson said.

According to Forbes’ source, another database was left on an Amazon server containing more information on primarily European fans.”

Read more details here.

Author: Kevin Breuninger

What you need to know about the new ransomware ravaging the internet

“A new form of malware hit the internet Tuesday, shutting down systems across Europe and impacting companies from the U.S. to Russia. Unfortunately, the attack, which early reports indicate seems to have hurt Ukrainian organizations and agencies more in particular, is still largely a mystery for security researchers.

A form of ransomware, the malware encrypts a victim’s PC and demands that they pay $300 in exchange for the keys to unlock their computer or lose all of their data. The attack even managed to affect radiation monitoring equipment at the exclusion zone around the Chernobyl nuclear disaster site, forcing workers to rely on manual checks instead.

Cybersecurity firms originally believed the malware to be a previously known form of ransomware called Petya, but Kaspersky Lab says it’s actually a different, unknown kind of ransomware, causing the cybersecurity company to dub it NotPetya.

Interestingly, the Petya/NotPetya software uses a Microsoft (MSFT) Windows vulnerability similar to the one exploited by the WannaCry 2.0 ransomware which hit the web a few weeks ago. But it looks like that exploit, which was originally used by the NSA and called EternalBlue, is just one of three attack points this ransomware takes advantage of.”

Read more details here.

Author: Daniel Howley

A new ransomware attack is infecting airlines, banks, and utilities across Europe

“A major ransomware attack has brought businesses to a close throughout Europe, in an infection reminiscent of last month’s WannaCry attack. The most severe damage is being reported by Ukrainian businesses, with systems compromised at Ukraine’s central bank, state telecom, municipal metro, and Kiev’s Boryspil Airport. Systems were also compromised at Ukraine’s Ukrenego electricity supplier, although a spokesperson said the power supply was unaffected by the attack.

The attack has even affected operations at the Chernobyl nuclear power plant, which has switched to manual radiation monitoring as a result of the attack. Infections have also been reported in more isolated devices like point-of-sale terminals and ATMs.

The virus has also spread internationally. The Danish shipping company Maersk has also reported systems down across multiple sites, including the company’s Russian logistics arm Damco. The virus also reached servers for the Russian oil company Rosneft, although it’s unclear how much damage was incurred. There have also been several recorded cases in the United States, including the pharmaceutical company Merck, a Pittsburgh-area hospital, and the US offices of law firm DLA Piper.

Early reports from a Kaspersky researcher identified the virus as a variant of the Petya ransomware, although the company later clarified that the virus is an entirely new strain of ransomware, which it dubbed “NotPetya.” Kaspersky telemetry indicated that at least 2,000 users had been attacked by the virus as of this afternoon.”

Read more details here.

Author: Russell Brandom

Britain Investigates After U.K. Lawmakers Hit by Possible Cyber Security Attack

“British Parliament on Saturday was investigating an apparent cyberattack that targeted lawmakers’ email accounts.

Cybersecurity officials were alerted to the hacking attempt and reportedly notified the lawmakers on Friday. As a safeguard, they immediately blocked Parliament members from remotely accessing emails outside of the secure network in Westminster.

A spokesman for the House of Commons confirmed to NBC News they were continuing to investigate the incident, which appeared to be over.

“Well, we know that there are regular attacks by hackers attempting to get passwords,” said International Trade Minister Liam Fox.”

Read more details here.

Author: Alex Holmes and Chelsea Bailey

Top 5 cybersecurity facts, figures, and statistics for 2017

1. Cybercrime damage costs to hit $6 trillion annually by 2021. It all begins and ends with cybercrime. Without it, there’s nothing to cyber-defend. The cybersecurity community and major media have largely concurred on the prediction that cybercrime damages will cost the world $6 trillion annually by 2021, up from $3 trillion just a year ago. “Cyber theft is the fastest growing crime in the United States by far” according to incoming U.S. President Donald Trump.

2. Cybersecurity spending to exceed $1 trillion from 2017 to 2021. The rising tide of cybercrime has pushed cybersecurity spending on products and services to more than $80 billion in 2016, according to Gartner. It’s not clear if that includes an accounting of IoT device protection and total consumer spending on security. Global spending on cybersecurity products and services is predicted to exceed $1 trillion over the next five years, from 2017 to 2021.

3. Unfilled cybersecurity jobs will reach 1.5 million by 2019. This year, analysts and the media concluded there is a severe shortage of cybersecurity talent globally. There were 1 million cybersecurity job openings in 2016, and that is expected to reach 1.5 million by 2019. As a result, the cybersecurity unemployment rate has dropped to zero percent.

4. Human attack surface to reach 4 billion people by 2020. As the world goes digital, humans have moved ahead of machines as the top target for cybercriminals. Microsoft estimates that by 2020 4 billion people will be online — twice the number that are online now. The hackers smell blood now, not silicon.

5. Up to 200 billion IoT devices will need securing by 2020. Intel claims that the number of connected devices could surge to 200 billion by 2020, up from 15 billion in 2015. Cisco and Microsoft have both predicted 50 billion devices will be connected to the Internet by 2020. Regardless of which estimate proves right, the bottom line is that the digital attack surface will grow massively over the next five years. Microsoft adds that by 2020 data volumes online will be 50 times greater than today.

What does it all mean? Last year, Ginni Rometty, IBM’s chairman, president and CEO, said “Cybercrime is the greatest threat to every company in the world.”

Read more details here.