2017-6-26 Global Cyber Attack Reports

TOP ATTACKS AND BREACHES

• Honda, the Japanese motor conglomerate, has halted its car production in one of its domestic car plants, after finding WannaCry ransomware in its network. The affected plant produces approximately 1,000 vehicles a day. It is unknown how and when Honda’s network got infected. In a related topic, WannaCry has hit 55 speed and red-light cameras in Australia, after a human operator has connected an infected USB device to the cameras, which apparently run on Windows operating system. Check Point SandBlast, IPS, Anti-Bot and Anti-Virus blades provide protection against this threat (Operator.Wcry.*; Trojan.Win32.Wannacry.*; Microsoft Windows EternalBlue SMB Remote Code Execution, Microsoft Windows SMB Remote Code Execution (*); Non- Compliant CIFS; Microsoft Windows NT Null CIFS Sessions; Ransomware Shared Folder Access)
• Nayana, a South Korean web hosting provider, has paid $1 million ransom in bitcoins after suffering a massive Erebus ransomware attack. In the attack, 153 Linux servers hosting data of over 3,400 customers were infected. Erebus first emerged in September 2016. While the original malware targets Windows operating systems, this latest version is targeting Linux.
• Mexican journalists, lawyers and civil societies groups have been attacked using NSO’s framework. NSO is a spyware producer selling to governments worldwide. The source of the attack is unknown, but some researchers accuse the Mexican government for running an ongoing campaign against media and NGOs in the country.
• A new phishing campaign targets customers of Barclays bank, aiming to steal their banking credentials.
• Source-code pieces of Microsoft Windows 10 were leaked online. The leaked code is connected to various Windows 10 drivers and functionalities, and allows threat actors to look for new vulnerabilities. According to Microsoft, the code is part of their “Shared Source Initiative” – pieces of code they share with partners and OEM vendors.

VULNERABILITIES AND PATCHES

• Microsoft has patches a critical remote code execution vulnerability in its Malware Protection Engine Check Point IPS blade provides protection against this threat (Microsoft Malware Protection Engine VFS API Remote Code Execution (CVE-2017-8558))
• Cisco has released security updates for several products addressing 23 vulnerabilities; 3 of which are of high severity and may allow and attacker to perform XML injection and denial-of-service attacks.
• Siemens has released security updates for 2 vulnerabilities in the following products: XHQ 4, XHQ 5 and SIMATIC CP 44x-1 RNA. The vulnerable products are commonly found in industrial control systems. If exploited, they may allow an attacker access to sensitive information without suitable privileges.

GLOBAL THREAT INTELLIGENCE

• Wikileaks has revealed another CIA cyber tool under its “Vault 7” project, named Brutal Kangaroo. It allows accessing closed networks that run Microsoft Windows by air gap jumping over thumbdrives, exploiting a vulnerability in Windows that allows to load and execute files without user interaction.
• Research compares differences in emphasis between computer science education in Russia and US, and the resulting influences, showing a possible correlation between the Russian education system’s high emphasis on computer sciences and the centrality of Russian threat actors in the threat ecosystem.
• The FBI’s Internet Crime Complaint Center (IC3) has released its 2016 Internet Crime Report, according to which, in 2016 IC3 witnessed nearly 300,000 internet crime complaints, causing $1.33 billion in damage. Crimes include web scams, and threat operations and others. According to the report, the FBI estimates that only 15% percent of American fraud victims actually report the incident.
• A new report describes the activity of BlackTech threat group. BlackTech group is running espionage operations in East Asia, and particularly in Taiwan, aiming to steal targets’ technology. Check Point IPS blade provides protection against this threat (Microsoft Outlook Remote Code Execution (CVE-2017-0199); Adobe Flash ActionScript 3 ByteArray Use After Free (APSA15-03: CVE-2015-5119))
• Trickbot banking Trojan has started targeting Customer Relationship Management (CRM) users. Check Point IPS, Anti-Bot and Anti-Virus blades provide protection against this threat (Suspicious Metadata Mail Phishing Containing Attachment; Trojan.Win32.Trickbot, Operator.Trickbot)
• Based on a recent media investigation, Russia demands Western technology companies to review their products’ source-code as a condition to permit their distribution in the country; thus possibly revealing security vulnerabilities to Russian authorities.