| Cyware Weekly Cyber Threat Intelligence | March 26 - 30, 2018

The Good


This week brought new vigor to internet security with the IETF's approval of the TLS 1.3 protocol. Also in the news: a new tool that can pick up even the faintest activity of a malicious actor in an electrical grid network, and a DARPA program that could change the dynamics of warfare.
 
  • A new tool will let electrical grid operators detect a physical attack and also raise an alarm when an attacker probes for weaknesses in the grid's critical links. The work was motivated by the April 2013 rifle attack on an electrical substation near California's Silicon Valley. The tool uses micro phasor measurement units (micro-PMUs) to collect data on the physical state of the power distribution grid; combined with SCADA data, this gives real-time insight into system performance and raises alerts for even minor disruptions.
  • After four years and 28 drafts, the Internet Engineering Task Force (IETF) has approved a much-needed update to internet security. TLS 1.3, as it is known, will be implemented in software products ranging from Oracle's Java to Google's Chrome browser. The updated protocol aims to thwart attempts by state and non-state actors to eavesdrop on and intercept HTTPS and other encrypted network traffic, and its streamlined handshake also makes secure connections faster to establish.
  • DARPA has started work on a new program, Collection and Monitoring via Planning for Active Situational Scenarios (COMPASS), that would use technology to get inside the adversary's head and learn their intent in the nebulous "gray zone" of conflict. The program aims to develop software that monitors the adversary's response to stimuli and attempts to discern their intentions. If the technology is successfully developed, it could change the course of future warfare.
 

The Bad


WannaCry ransomware made news again this week when it infected some machines at a Boeing facility. In other big attacks of the week, Fancy Bears once again targeted a sports-related body, this time Britain's anti-doping agency. Among the big breaches, An Post and a Long Island medical practice suffered data exposures affecting their customers.
 
  • The Russian-linked Fancy Bears hacker group was found targeting Britain's anti-doping agency in an attempt to disrupt its systems. According to the agency's statement, no data was compromised and no core activity, including its testing program, was affected. While the agency did not name any group, given past incidents in which Fancy Bears targeted WADA and the IOC, experts did not have to think hard to guess the actor involved.
  • An Post customers were hit by a security incident when the company shared their sensitive details with a subsidiary without their knowledge. The incident affected about 8,000 customers who had asked the company to redirect their mail to a new address. The file containing the data was sent to Dublin-based Precision Marketing Information Limited, which trades as Data Ireland. According to the disclosure, the breach occurred between April 2016 and September 2017.
  • Medical records of at least 42,000 patients were exposed when a medical practice in Long Island, N.Y., left open a port normally used for remote synchronization. Security researchers found that TCP port 873, used by rsync to move data between devices, was open on a server belonging to the practice, allowing access to anyone who knew the server's IP address. An rsync daemon reachable this way requires no credentials unless its modules are configured with "auth users", so the practical check is whether the host will list its modules to an anonymous client.
  • The WannaCry ransomware was once again in the news when it infected a few computers at Boeing's production facility. After initial fears that the ransomware might have brought down production equipment, a company executive dismissed the alarm, stating that the attack had been contained with minimal damage. According to the company's statement, the infection was limited to a few machines and there was no interruption to the 777 jet program or any other program.
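The exposed-rsync incident above is easy to reproduce as a check: an rsync daemon greets an anonymous client with "@RSYNCD: <version>", accepts a version line back, and answers "#list" with one line per exported module. The following is an added example (not code from the digest or from the researchers who found the server) that speaks that protocol and returns the module names; the fake daemon, the module names and the port it chooses are all constructed so the script runs offline.

```python
"""Enumerate the modules an rsync daemon (TCP 873) advertises to an
anonymous client. Added example; the fake daemon and module names below
are constructed fixtures, not data from the incident."""
import socket
import threading

RSYNC_PORT = 873


def list_rsync_modules(host, port=RSYNC_PORT, timeout=5.0):
    """Return the module names advertised by host:port. Returns [] if
    nothing is listening; raises ValueError if the service is not rsync."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return []
    with sock:
        stream = sock.makefile("rwb")
        greeting = stream.readline().decode("ascii", "replace").strip()
        if not greeting.startswith("@RSYNCD:"):
            raise ValueError("not an rsync daemon: %r" % greeting)
        # Echo a protocol version, then request the module list.
        stream.write(b"@RSYNCD: 31.0\n#list\n")
        stream.flush()
        modules = []
        for raw in stream:
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            if line.startswith("@RSYNCD: EXIT"):
                break
            if line.startswith("@RSYNCD:"):
                continue  # status lines such as "@RSYNCD: OK"
            name = line.split("\t", 1)[0].strip()  # "name<pad>\tcomment"
            if name:
                modules.append(name)
        return modules


def start_fake_rsyncd(modules):
    """Constructed stand-in for a misconfigured rsync daemon, so the example
    runs offline. Serves a single client on 127.0.0.1 and returns its port."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(1)
    port = server.getsockname()[1]

    def serve_once():
        conn, _ = server.accept()
        with conn:
            stream = conn.makefile("rwb")
            stream.write(b"@RSYNCD: 31.0 sha512 sha256 sha1 md5 md4\n")
            stream.flush()
            stream.readline()  # client's version line
            if stream.readline().strip() == b"#list":
                for name, comment in modules:
                    stream.write(("%-15s\t%s\n" % (name, comment)).encode())
                stream.write(b"@RSYNCD: EXIT\n")
                stream.flush()
        server.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


if __name__ == "__main__":
    # Constructed module names; a real run would pass the target's address and 873.
    port = start_fake_rsyncd([("patients", "EHR export"), ("backups", "nightly dumps")])
    print(list_rsync_modules("127.0.0.1", port))
```

A non-empty result from an internet-facing host is the finding; the fix is "hosts allow" plus "auth users" in rsyncd.conf, or not exposing the daemon at all.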
 

New Threats


This week saw the discovery of several new threats. First, a Linux malware with some intriguing features. Second, an Android cryptominer that can heat an infected device to the point of failure. Third, a new exploit builder kit that delivers multiple payloads, breathing new life into exploit-kit tooling, and is already in use by advanced threat actors. Last but not least, a new MBR bootlocker targeting Windows machines.
 
  • GoScanSSH, malware that targets vulnerable Linux-based systems, has been discovered by security researchers. One of its surprising features is that it avoids infecting devices on government and military networks. Written in Go, the malware uses infected hosts to scan for new victims and uses the SSH service as its entry point. Its infection process is carefully designed, and the care it takes to avoid government and military networks strongly suggests the work of an advanced threat actor.
  • A new MBR bootlocker called UselessDisk, or DiskWriter, has been unearthed. The malware overwrites the master boot record and, on reboot, displays a ransom screen instead of booting into Windows. The ransom note demands $300 in bitcoin to restore access. On execution the malware replaces the MBR with its own bootloader and then reboots the machine with the command "shutdown -r -t 0"; the normal boot process is interrupted and the ransom note is shown. If, as described, only the MBR is overwritten, the files on disk are untouched and boot can usually be restored from Windows recovery media (for example with "bootrec /fixmbr") rather than by paying.
  • Security analysts discovered a new exploit builder kit that targets Microsoft Office and comes with a variety of features, including a mechanism to report infection statistics. Documents produced by the kit share features with those built by Microsoft Word Intruder. Dubbed ThreadKit, it is being used to deliver a variety of payloads including the Trickbot and Chthonic banking trojans and the FormBook and Loki Bot information stealers, and has been used by threat actors including Carbanak and the Cobalt gang.
  • Researchers have discovered a new Android malware, dubbed ANDROIDOS_HIDDENMINER, that covertly infects a mobile device and then uses its processing power to mine Monero. Its self-protection and persistence mechanisms include hiding itself from the user and abusing the Device Administrator feature, a technique last seen in the SLocker Android ransomware. Researchers also found Monero mining pools and wallets connected to the malware, indicating an active campaign that uses infected devices to mine the cryptocurrency.
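For the GoScanSSH item above, the observable on a victim or a neighbouring host is a burst of SSH password failures from one source, often across several usernames, sometimes followed by a success. The following is an added example (not code from the digest or from the researchers who analysed the malware) that runs that detection over sshd auth log lines. The log lines, hostnames and addresses (TEST-NET ranges) are constructed, and the threshold is an assumption to tune for your environment.

```python
"""Flag SSH password-guessing sources in sshd log lines. Added example;
the sample log below is constructed, not a capture from an infection."""
import re
from collections import defaultdict

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...", plus "Accepted ..." lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def find_ssh_bruteforce(lines, threshold=5):
    """Return one finding per source address with at least `threshold`
    failed logins, marking it compromised if an accepted login from the
    same address follows those failures. Sorted by failure count."""
    per_ip = defaultdict(lambda: {"failures": 0, "users": set(), "accepted_as": None})
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = per_ip[m.group("ip")]
        if m.group("result") == "Failed":
            rec["failures"] += 1
            rec["users"].add(m.group("user"))
        elif rec["failures"] >= threshold:
            # A success after a burst of failures from the same source is the
            # signature of a guessed password, not a user mistyping once.
            rec["accepted_as"] = m.group("user")
    findings = [
        {
            "ip": ip,
            "failures": rec["failures"],
            "distinct_users": len(rec["users"]),
            "compromised": rec["accepted_as"] is not None,
            "accepted_as": rec["accepted_as"],
        }
        for ip, rec in per_ip.items()
        if rec["failures"] >= threshold
    ]
    findings.sort(key=lambda f: (-f["failures"], f["ip"]))
    return findings


# Constructed sample: a scanner that guesses root's password, a scanner that
# gives up, and a legitimate user who mistypes once and then logs in by key.
SAMPLE_LOG = """\
Mar 28 02:14:07 web1 sshd[2211]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar 28 02:14:09 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar 28 02:14:11 web1 sshd[2215]: Failed password for invalid user pi from 203.0.113.5 port 51246 ssh2
Mar 28 02:14:13 web1 sshd[2217]: Failed password for root from 203.0.113.5 port 51250 ssh2
Mar 28 02:14:15 web1 sshd[2219]: Accepted password for root from 203.0.113.5 port 51254 ssh2
Mar 28 02:20:40 web1 sshd[2301]: Failed password for invalid user oracle from 192.0.2.7 port 40001 ssh2
Mar 28 02:20:42 web1 sshd[2303]: Failed password for invalid user test from 192.0.2.7 port 40003 ssh2
Mar 28 02:20:44 web1 sshd[2305]: Failed password for root from 192.0.2.7 port 40005 ssh2
Mar 28 03:02:10 web1 sshd[2410]: Failed password for alice from 198.51.100.9 port 60010 ssh2
Mar 28 03:02:16 web1 sshd[2412]: Accepted publickey for alice from 198.51.100.9 port 60012 ssh2
"""

if __name__ == "__main__":
    for finding in find_ssh_bruteforce(SAMPLE_LOG.splitlines(), threshold=3):
        print(finding)
```

In production the same logic runs over journald or auth.log output, and a "compromised" finding should trigger host isolation and credential rotation, not just a block on the source address. Disabling password authentication for SSH removes the entry point this malware family relies on.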
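For the UselessDisk item, the practitioner's counterpart to "the malware overwrites the MBR" is an integrity check on the first sector of the disk. The following is an added example (not code from the digest or from the analysts who reported the locker) that parses the classic 512-byte MBR layout, records a baseline from a known-good image and reports what changed. The sample images, including the bytes standing in for legitimate and for replaced boot code, are constructed.

```python
"""Detect MBR tampering of the kind an MBR locker performs. Added
example; the MBR images built below are constructed fixtures."""
import hashlib
import struct

BOOT_CODE_LEN = 446       # bootstrap code precedes the partition table
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
SIG_OFF = 0x1FE           # 0x55 0xAA boot signature
# status, (3-byte CHS start), type, (3-byte CHS end), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (status, type, lba_start,
    sectors) tuples. Used only to construct samples; a real check reads the
    first sector of the disk instead."""
    if len(partitions) > 4:
        raise ValueError("at most four primary partitions")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(struct.pack(ENTRY_FMT, *p) for p in partitions)
    return code + table.ljust(64, b"\x00") + b"\x55\xaa"


def parse_mbr(mbr):
    """Return the boot-code digest, the non-empty partition entries and
    whether the boot signature is present."""
    if len(mbr) != 512:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[SIG_OFF:SIG_OFF + 2] == b"\x55\xaa",
    }


def assess_mbr(mbr, baseline):
    """Compare an MBR image against a baseline from parse_mbr() taken on a
    known-good disk. Returns a list of findings; [] means unchanged."""
    current = parse_mbr(mbr)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    if not current["partitions"]:
        findings.append("partition table is empty")
    return findings


# Constructed images. KNOWN_GOOD carries a stub of ordinary boot code and one
# bootable NTFS (type 0x07) partition; LOCKED keeps the partition table but has
# its boot code replaced, which is what the page says the locker does.
KNOWN_GOOD = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8" * 8,
                       [(0x80, 0x07, 2048, 2_000_000)])
BASELINE = parse_mbr(KNOWN_GOOD)
LOCKED = build_mbr(b"\xfa\xb8\x03\x00\xcd\x10" + b"\x90" * 100,
                   [(0x80, 0x07, 2048, 2_000_000)])

if __name__ == "__main__":
    print("known good:", assess_mbr(KNOWN_GOOD, BASELINE))
    print("locked:    ", assess_mbr(LOCKED, BASELINE))
```

On a live system the 512 bytes come from reading the start of the raw device (\\.\PhysicalDrive0 on Windows with administrator rights, /dev/sda or similar on Linux); record the baseline at build time and compare on a schedule or at shutdown. The check is after the fact by nature, so it complements, rather than replaces, EDR controls that block user-mode writes to the raw disk.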