IT Security News Blast 6-30-2017

U.S. hospitals have been hit by the global ransomware attack

Today, one of the largest drug makers in the U.S., Merck, reported being infected by the malware, as did the multinational law firm DLA Piper, which counts more than 20 offices in the U.S. Heritage Valley Health Systems, a health care network that runs two hospitals in Western Pennsylvania, also confirmed in a statement to Recode on Tuesday that it was a victim of the same ransomware attack that has spread around the globe.

https://www.recode.net/2017/6/27/15881666/global-eu-cyber-attack-us-hackers-nsa-hospitals

 Next wave of cyberattacks could target health devices

Saxon and representatives of medical device manufacturers said the threat of a hacking attack on the 15 million devices in the U.S. that would kill the wearer were “highly unlikely” at present. But hacks could be used to gain access to health care networks and a trove of increasingly valuable data, Saxon said at a June 28 event hosted by the Bipartisan Policy Center. However, such devices will present a big target for ransomware and data exfiltration and potentially lead to physical dangers to patients, former CIA Deputy Director Michael Morell said.

https://fcw.com/articles/2017/06/29/health-cyber-iot-rockwell.aspx

 Information-stealing malware found targeting Israeli hospitals

The malware, named WORM_RETADUP.A, attempts to infiltrate not just the infected system but also shared folders located within the connected local network, the company warned in a blog post on Thursday. It is designed to steal login credentials and other browser-based information, as well as to collect keystrokes and system information. Moreover, the info stealer is wormable, Trend Micro reported, propagating itself by creating copies of itself, “including shortcut files, a non-malicious AutoIt executable, and a malicious AutoIt script into the affected system’s root directory, i.e., C:\WinddowsUpdated\<file copy>”.

https://www.scmagazine.com/information-stealing-malware-found-targeting-israeli-hospitals/article/672261/

 How prepared are law firms for cyber breaches? And how often are firms being attacked?

On the same day that a massive ransomware attack hit DLA Piper, cybersecurity startup firm LogicForce released a chilling report that found that law firms are still woefully unprepared for all sorts of cyber threats. […] The report created an “implementation scale” to measure how far along the legal industry was when it came to adopting safe cybersecurity standards. Out of a possible score of 100 percent, LogicForce gave the legal industry a weighted average score of 29.6 percent.

http://www.abajournal.com/news/article/how_prepared_are_law_firms_for_cyber_breaches_and_how_often_are_they_being_

 Time For Transportation & Logistics To Up Its Cybersecurity As Hackers Put It On Target List

While up until now hackers have seemed more preoccupied penetrating computer systems at banks, retailers, and government agencies – places where a hacker can find access to lots of money and data and create substantial disruption – the most recent ransomware attacks demonstrate that the transportation and logistics industry is now on hackers’ radar.

https://www.forbes.com/sites/oliverwyman/2017/06/28/time-for-transportation-logistics-to-up-its-cybersecurity-as-hackers-put-it-on-target-list/#7d11a7eb6fb9

 Digitization of Operational Technologies to Drive Transportation Cybersecurity Spending to $14 Billion by 2022

This evolution, however, is fraught with obstacles, notably around security. Cyber-based vulnerabilities render the infrastructure weak and prone to exploitation, whether malicious or accidental. Industrial control systems (ICS) play a heavy role in transportation systems and connecting these operational technologies (OT) will require stakeholders to develop and implement adapted cybersecurity technologies.

http://www.marketwatch.com/story/digitization-of-operational-technologies-to-drive-transportation-cybersecurity-spending-to-14-billion-by-2022-2017-06-29-420317

 The Latest: Retailers issue warnings after cyberattack

Online retailers are warning customers to prepare for delays as the disruption caused by Tuesday’s cyberattack spreads across the shipping industry. Several firms have issued warnings after the sudden outbreak of malicious software that centered on Ukraine and spread to major multinationals, including global shipping firm A.P. Moller-Maersk and FedEx Corp. subsidiary TNT. Enrique Frisancho, the owner of Barcelona, Spain-based smartphone film accessory firm Shoulderpod, says he has warned customers it might be difficult to say when TNT-fulfilled deliveries would arrive.

http://abcnews.go.com/Technology/wireStory/latest-danish-firm-struggling-engine-parts-48346595

 The Latest: FedEx cyberattack damage ‘could be material’

In an announcement Wednesday, the company based in Memphis, Tennessee, said it had been “significantly affected” by the malicious program, which emerged in Ukraine on Tuesday before spreading around the world. FedEx said that the domestic, regional and intercontinental operations of TNT Express, a courier delivery unit, were “largely operational, but slowed.” The company added that the impact of the cyberattack “could be material.”

https://www.washingtonpost.com/business/technology/the-latest-port-terminals-in-india-affected-by-cyberattack/2017/06/28/3fcffb36-5bf2-11e7-aa69-3964a7d55207_story.html

 Cyber-attack was about data and not money, say experts

Although the Petya variant that struck this week has superficial similarities to the original virus, it differs in that it deliberately overwrites important computer files rather than just encrypting them, he said. Mr Suiche wrote: “2016 Petya modifies the disk in a way where it can actually revert its changes, whereas, 2017 Petya does permanent and irreversible damages to the disk.”

http://www.bbc.com/news/technology-40442578

 Petya: Using blast radius to deduce attribution

As the global ransomware attack coined Petya continues to proliferate globally, identifying the culprits is an important piece of the puzzle. At this point, it’s prudent to attempt to rule out who it doesn’t appear to be through process of elimination. […] One of the first things I consider regarding potential attribution is the blast radius of the victims.  Sometimes blast radius might not tell you who the culprits are, but in some cases, it can tell you who is it likely NOT.

https://www.scmagazine.com/petya-using-blast-radius-to-deduce-attribution/article/671730/

 Original Author of Petya Ransomware is Back & He Wants to Help NotPetya Victims

“We’re back having a look in NotPetya,” tweeted Janus, a name Petya creator previously chose for himself from a James Bond villain. “Maybe it’s crackable with our privkey. Please upload the first 1MB of an infected device, that would help.” This statement made by Petya author suggests he may have held on a master decryption key, which if worked for the new variant of Petya infected files, victims would be able to decrypt their files locked in the recent cyber outcry.

http://thehackernews.com/2017/06/petya-ransomware-decryption-key.html

 Enabling citywide cybersecurity: Lessons from Dallas

Once those systems are installed, there are a whole host of vulnerabilities. In a paper titled “The (in)security of smart cities: vulnerabilities, risks, mitigation and prevention,” two cyber security researchers broke down all the common ways that cities are hacked. […] There are so many vulnerabilities and weak spots that guarding against them all is impossible. Even if systems were once secure, systems can be put at risk if updates aren’t installed promptly.

http://www.smartcitiesdive.com/news/enabling-citywide-cybersecurity-lessons-from-dallas/446106/

 How Russia and others use cybercriminals as proxies

“You have to appreciate that [Russians] always use proxies to do their dirty work,” says Tom Kellermann, chief executive officer at Strategic Cyber Ventures in Washington. “The US hunts their hackers and they go behind bars; in Russia, [it’s] well known who they are, and they’re called upon to act. They’re considered untouchable as long as they pay homage to the state.”

https://www.csmonitor.com/USA/2017/0628/How-Russia-and-others-use-cybercriminals-as-proxies

 ‘NotPetya’ Ransomware Attack Shows Corporate Social Responsibility Should Include Cybersecurity

The overall idea is that companies should make corporate decisions that reflect obligations not just to owners and shareholders, customers and employees, but to society at large and the natural environment. As a scholar of cybersecurity law and policy and chair of Indiana University’s new integrated program on cybersecurity risk management, I say it’s time to add cyberspace to that list.

http://www.govtech.com/security/NotPetya-Ransomware-Attack-Shows-Corporate-Social-Responsibility-Should-Include-Cybersecurity.html

 Private Sector Cyber Intelligence Could Be Key to Workable Cyber Arms Control Treaties

Signatories to conventional and WMD arms-control treaties routinely accuse one another of violating some aspect of their agreement, but without scuttling the overall framework. Industrial espionage by a generally friendly nation may also get overlooked when the same activity by an unaligned nation would lead to an indictment. The point is that a host of factors, including legal assessments, go into decisions to publicly hold nations to account for their cyber activities, and those decisions obviously lie outside the province of the private sector.

https://www.lawfareblog.com/private-sector-cyber-intelligence-could-be-key-workable-cyber-arms-control-treaties

 Bill Would Bar Pentagon From Business With Russian Cyber Firm Kaspersky

The Congressional action comes amid mounting concerns about the Moscow-based company, which sells anti-virus software across the world to consumers, businesses and government agencies, including some elements of the U.S. government.In recent months, U.S. intelligence officials have expressed concerns that the company is a security risk, without specifying the basis of those concerns.

http://www.nbcnews.com/news/us-news/fbi-interviews-employees-russia-linked-cyber-security-firm-kaspersky-lab-n777571

 What the nightmare cybersecurity scenario looks like

The problem is you can take these vulnerabilities and develop a cyber weapon, but can you keep that cyber weapon from leaking out onto the web where anyone can take them and dismantle them and retrofit them for their own purposes? And what we’re seeing over the last two months is that even the NSA couldn’t keep its most coveted cyber weapons and stockpile of vulnerabilities safe.

https://www.marketplace.org/2017/06/28/tech/what-nightmare-cyber-security-scenario-looks

 NATO: ‘Cyber’ is a military domain

Article 5 of the Washington Treaty that establishes NATO embodies the principle of collective defence – in other words, an attack on one is an attack on all, and that includes cyber-attacks. Speaking in response to a question from Euronews, Stoltenberg said NATO is “in the process of establishing cyber as a military domain meaning that we will have land, air, sea and cyber as military domains”. This is a process that’s been rumbling on since July last year, mind you.

https://www.theregister.co.uk/2017/06/29/nato_cyber_is_a_military_domain/

 DHS S&T Awards $200K to Washington State Startup for Defense Against Cyber-Threats

This research-and-development effort will focus on adding cyber-intrusion deception, moving-target defense, and isolation and containment capabilities to strengthen detection and response capabilities. Veramine will automate the collection of security-relevant events and detection of commodity and advanced attackers as well as provide flexible searches of collected data and rapid response to detected attacks.

http://www.newswise.com/articles/dhs-s-t-awards-200k-to-washington-state-startup-for-defense-against-cyber-threats

 Your Linux Machine Can Be Hacked Remotely With Just A Malicious DNS Response

The vulnerability, designated as CVE-2017-9445, actually resides in the ‘dns_packet_new’ function of ‘systemd-resolved,’ a DNS response handler component that provides network name resolution to local applications. According to an advisory published Tuesday, a specially crafted malicious DNS response can crash ‘systemd-resolved’ program remotely when the system tries to lookup for a hostname on an attacker-controlled DNS service. Eventually, large DNS response overflows the buffer, allowing an attacker to overwrite the memory which leads to remote code execution.

http://thehackernews.com/2017/06/linux-buffer-overflow-code.html

====

Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.

//]]>