2017_7_3 Global Cyber Attack Reports

TOP ATTACKS AND BREACHES

• A large-scale wave of malware, dubbed NotPetya, has hit multiple businesses, organizations and infrastructure companies, primarily centered in the Ukraine. The malware includes pieces of code similar to the Petya Ransomware, but was discovered to intentionally carry broken encryption and communication chains, leading to the conclusion that the malware was designed as a wiper rather thanransomware. The wiper leverages various vulnerabilities to spread laterally, including SMB vulnerabilities attributed to the NSA. It uses the infamous DoublePulsar backdoor, in what Check Point researchers show to be a modified version. Ukraine has blamed Russia for the attacks, but no conclusive evidence has yet been found pointing at a specific actor or initial infection vector.
• An attacker has persuaded the hosting provider for the Classic Ether Wallet, a popular wallet application
  for the Ethereum Classic cryptocurrency, that he was the legitimate owner of the site, and was given control over the domain. The attacker then diverted all transactions into his own wallets, stealing around $300,000 before the site was taken down.
• An information-stealing malware has been found trying to attack 6 hospitals in Israel. The malware is capable of quickly propagating within a network, stealing credentials and files, and avoiding detection. The malware is installed using LNK shortcut files executed by AutoIt.
• Up to 90 email addresses in the British parliament’s network have been breached in a brute-force attack. While it is not clear whether the attackers managed to gain access to contents of the accounts, fears over potential blackmail of Parliament Members or their staffers were raised.
• Information of at least 6 million accounts on popular internet radio service 8tracks was stolen, and is being traded online.

VULNERABILITIES AND PATCHES

• A remote stack buffer overflow vulnerability has been discovered in Skype. Remote users can cause Skype to crash, or even execute malicious code on vulnerable systems. Microsoft has since released version 7.37 for Skype, which includes a patch for this vulnerability.
• An SQL Injection vulnerability has been discovered in the popular WordPress plugin WP Statistics, used
  by 300,000 sites.
• Researchers have found a buffer overflow vulnerability in Linux systems., that allows attackers to gain
  remote code access to affected Linux systems by merely sending a malicious DNS response.
• Microsoft has released a patch and security advisory for a privilege escalation vulnerability in Azure AD
  Connect. Attackers could exploit the vulnerability to reset passwords and gain control of AD accounts
• Siemens has patched 2 critical vulnerabilities in its products. The first vulnerability affects Active Management Technology, a functionality in Siemens products that contain Intel chips, and could lead to remote code execution. The second vulnerability allows attackers to gain remote control over the
  Siemens Web Office Portal, which is used to retrieve data from control centers.

THREAT INTELLIGENCE REPORTS

• WikiLeaks have released manuals describing 2 CIA spying tools. The first, dubbed ELSA, is described as a tool for tracking devices with WiFi capabilities. The second, dubbed OutlawCountry, is used to divert traffic from a Linux machine to a chosen destination.
• Researchers have published an in-depth analysis of a new variant of the Spora Ransomware. This variant obfuscates its malicious HTA file by concatenating it at the end of a file that mimics a PDF.
• An analysis of the popular PlugX malware has been released. The operators of the malware continue to add anti-detection methods to the packaging of the malware, and to refine the initial infection vectors by exploiting new vulnerabilities and techniques.