Cyber Research

Cyber News

Cyber Info


December 2016







 In this issue



*         Hack of Saudi Arabia Exposes Middle East Cybersecurity Flaws

*         Hacking Millions with Just an Image — Recipe: Pixels, Ads & Exploit Kit

*         NATO trains Iraqi experts in Cyber Defence

*         SWIFT confirms new cyber thefts, hacking tactics

*         Latest Cyber Security News


about the Cyber Security News update

The Cyber News Update is an activity of the Cyber Research Center - Industrial Control Systems and is intended to reach all cyber security professionals interested in industrial / critical infrastructure threats, protection and resilience. For more information visit the CRC-ICS website at www.crc-ics.net or www.cyber-research-center.net


Hack of Saudi Arabia Exposes Middle East Cybersecurity Flaws

December 13, 2016



More than a year after a drowned Syrian toddler washed up on a beach in Turkey, the tiny refugee’s body, captured in a photograph that shocked the world, reappeared on computer screens across Saudi Arabia -- this time as a prelude to a cyberattack.

The strike last month disabled thousands of computers across multiple government ministries in Saudi Arabia, a rare use of offensive cyberweapons aimed at destroying computers and erasing data. The attackers, who haven’t claimed responsibility, used the same malware that was employed in a 2012 assault against Saudi Arabian Oil Co., known as Saudi Aramco: the disk-wiping malware known as Shamoon, which rendered 35,000 computers unusable within hours.

The Middle East, home to almost half of global oil reserves and much of its natural gas, is also a magnet for some of the world’s costliest cyberattacks, PricewaterhouseCoopers LLP said in a March 2016 report. The threat is set to grow as online activity mushrooms amid the region’s myriad geopolitical conflicts and tensions.

“For the last couple of years the U.S. Department of Defense has been trying to get the Gulf states to harden their defenses,” said James Lewis, senior vice president at the Center for Strategic and International Studies in Washington, D.C. “Some of them are in OK shape. Saudi Arabia is not.”

Damage Unclear

The extent of the damage isn’t clear, though two people informed of the security breach said it targeted the Saudi central bank, the transportation ministry and the agency that runs the country’s airports. One bright spot is that the Saudis have been able to restore some lost data via back-ups, recovering faster than they did after the 2012 strike, said one person familiar with the clean-up.

The central bank, known as the Saudi Arabian Monetary Authority, denied that its systems were breached. The country’s General Authority of Civil Aviation said damage to its networks was limited to some office systems and employee e-mails.

While the assault was similar to the one that hit Saudi Aramco four years ago, the impact was “much smaller” and didn’t disrupt transportation or aviation services, said Abbad Al Abbad, executive director for Strategic Development and Communication at the Riyadh-based National Cyber Security Center.

Online Market

“We will always have a race between those who are exploiting security vulnerabilities and those who are defending against them,” said Wael Fattouh, a Saudi-based PwC partner specializing in technology risk assurance.

Cyberattacks in the Middle East threaten more than governments and public facilities -- they put economic development at risk. A unified regional online market could expand to include 160 million users by 2025 and add about $95 billion to gross domestic product, according to consultant McKinsey & Co. Saudi Arabia, the United Arab Emirates and other Arab states in the Gulf are leading this growth.

“The rapid adoption of digitization in the U.A.E. and Gulf Cooperation Council countries has made the region an attractive target for a wide array of security breaches,” Mohit Shrivastava, a senior analyst for information security at consultant MarketsandMarkets, said in an e-mail.

Six months ago, FireEye Inc. detected cybercriminal strikes on Middle Eastern banks that were launched through e-mail attachments. The California-based cybersecurity company said the attackers appeared to be probing for targets.

Stuxnet, Flame

U.S. officials have said Iran was behind the 2012 attack against Saudi Aramco, and investigators also suspect Iranian hackers of involvement in the November blitz on Saudi government bodies. Media officials at Iran’s Foreign Ministry weren’t immediately available for comment. 

Iran too has been a victim of cybersabotage. A computer worm known as Stuxnet derailed work at the country’s main uranium-enrichment facilities in 2010, and the Flame espionage malware was discovered on Iranian networks, including in the energy sector, two years later. Iran suggested that both incidents involved Israel, which doesn’t comment on its reported involvement in cyberattacks.

Last month’s attack in Saudi Arabia suggests that investment alone doesn’t ensure protection. Middle Eastern companies are among the world’s top 10 in terms of buying cybersecurity technology but in the bottom 50 for education and training, according to the PwC report, which surveyed 10,000 businesses, 300 of them in the Middle East. Of 700 executives in GCC countries polled by the Dubai-based Gulf Business Machines this year, about half thought they were incapable of preventing cyberattacks.

“It will take more than just the allocation of financial resources to keep ourselves safe from today’s cyberthreats,” Mohammed al Zarooni, acting director general of information and e-government at the U.A.E.’s Telecommunications Regulatory Authority, said at a November conference in Abu Dhabi. “Building human capacity is just as critical.”

Jens Monrad, a senior intelligence analyst at FireEye, said he sees positive signs for cybersecurity in the Middle East, including a growing awareness of the issue and stronger government support.

“But this is a complex challenge,” he said by e-mail. “It is important for organizations to recognize their cybersecurity challenges cannot ever be solved with technology alone.”

More info https://www.bloomberg.com/news/articles/2016-12-12/hack-of-saudi-arabia-exposes-middle-east-cyber-security-flaws

Hacking Millions with Just an Image — Recipe: Pixels, Ads & Exploit Kit

December 06, 2016


If you have visited a popular mainstream website over the past two months, your computer may have been exposed to a newly documented exploit kit, according to security researchers.

Researchers from antivirus provider ESET released a report on Tuesday stating that they have discovered an exploit kit, dubbed Stegano, hiding malicious code in the pixels of banner advertisements that are currently in rotation on several high profile news websites.

Stegano originally dates back to 2014, but since early October this year its operators have managed to get the malicious ads displayed on a variety of unnamed reputable news websites, each with millions of daily visitors.

The name Stegano derives from steganography, the technique of hiding messages or content inside a digital image so that the hidden content is not visible to the naked eye.

In this particular malvertising campaign, the operators hid malicious code in the alpha channel of a transparent PNG image, the channel that defines the transparency of each pixel, by slightly altering the alpha value of selected pixels. Because the change is only a few levels out of 256, the image looks identical to the original, and an ad network's image checks see a normal banner.

The malvertising campaign operators then packed the altered image as an advertisement and managed to display those malicious ads on several high-profile websites.

According to the researchers, the malicious ads promote applications called "Browser Defense" and "Broxu," and the methodology makes it tough for ad networks to detect.
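The alpha-channel hiding described above, as an added example that is not from the ESET report or the original article: a minimal PNG writer and reader, an embedder that stores a length-prefixed payload in the least-significant bit of each pixel's alpha value, the matching extractor, and a simple detection heuristic a defender could run over ad creatives. The LSB scheme, the 4-byte length prefix, the cover image and the payload are assumptions constructed for illustration; the page does not describe the exact encoding Stegano used.

```python
# Added example (not ESET's code, not from the article): alpha-channel steganography
# in a real PNG container, plus a detection heuristic. Encoding scheme, cover image
# and payload are assumptions constructed for illustration.
import struct
import zlib


def _chunk(tag, data):
    """One PNG chunk: 4-byte length, tag, data, CRC32 over tag + data."""
    body = tag + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def write_png(width, height, rgba_rows):
    """Minimal PNG writer: 8-bit RGBA, non-interlaced, filter type 0 on every scanline."""
    raw = b"".join(b"\x00" + bytes(row) for row in rgba_rows)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def read_png(data):
    """Minimal PNG reader for what write_png produces; returns (width, height, rows)."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG")
    pos, width, height, idat = 8, 0, 0, b""
    while pos + 8 <= len(data):
        length, tag = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if tag == b"IHDR":
            width, height, depth, ctype = struct.unpack(">IIBB", body[:10])
            if (depth, ctype) != (8, 6):
                raise ValueError("only 8-bit RGBA is handled in this example")
        elif tag == b"IDAT":
            idat += body
        pos += 12 + length  # length + tag + data + crc
    raw = zlib.decompress(idat)
    stride = 1 + width * 4  # filter byte + 4 bytes per pixel
    rows = []
    for y in range(height):
        line = raw[y * stride:(y + 1) * stride]
        if line[0] != 0:
            raise ValueError("only filter type 0 is handled in this example")
        rows.append(bytearray(line[1:]))
    return width, height, rows


def embed_in_alpha(rgba_rows, payload):
    """Hide a 4-byte big-endian length plus the payload in the alpha LSB of successive pixels."""
    bits = "".join(f"{b:08b}" for b in struct.pack(">I", len(payload)) + payload)
    out = [bytearray(row) for row in rgba_rows]
    i = 0
    for row in out:
        for x in range(3, len(row), 4):  # byte 3 of every RGBA pixel is alpha
            if i == len(bits):
                return out
            row[x] = (row[x] & 0xFE) | int(bits[i])  # 255 -> 254/255: invisible to the eye
            i += 1
    raise ValueError("cover image too small for payload")


def extract_from_alpha(rgba_rows):
    """Inverse of embed_in_alpha: read the length prefix, then that many bytes."""
    bits = [row[x] & 1 for row in rgba_rows for x in range(3, len(row), 4)]

    def take(offset, n):
        chunk = bits[offset:offset + 8 * n]
        if len(chunk) < 8 * n:
            raise ValueError("truncated payload")
        return bytes(int("".join(map(str, chunk[i:i + 8])), 2) for i in range(0, 8 * n, 8))

    (length,) = struct.unpack(">I", take(0, 4))
    return take(32, length)


def near_extreme_alpha_ratio(rgba_rows):
    """Detection heuristic: share of alpha values in 1..3 or 252..254. Ordinary banner
    art is almost entirely 0 or 255, so a large share is a sign the channel was altered."""
    alphas = [row[x] for row in rgba_rows for x in range(3, len(row), 4)]
    odd = sum(1 for a in alphas if 1 <= a <= 3 or 252 <= a <= 254)
    return odd / len(alphas) if alphas else 0.0


def demo(width=64, height=32):
    """Constructed opaque 'banner' + constructed payload: embed, write PNG, re-read,
    extract, and score both images with the heuristic."""
    cover = [bytearray(b for x in range(width) for b in (x * 4 % 256, y * 8 % 256, 128, 255))
             for y in range(height)]
    payload = b"CONSTRUCTED-PAYLOAD: stage two goes here"  # stand-in, not real malware
    _, _, rows = read_png(write_png(width, height, embed_in_alpha(cover, payload)))
    return {"recovered": extract_from_alpha(rows),
            "cover_ratio": near_extreme_alpha_ratio(cover),
            "stego_ratio": near_extreme_alpha_ratio(rows)}


if __name__ == "__main__":
    r = demo()
    print(r["recovered"], "cover=%.3f stego=%.3f" % (r["cover_ratio"], r["stego_ratio"]))
```

Running it recovers the constructed payload unchanged after the PNG round trip, and the untouched cover scores 0.0 on the heuristic while the altered image scores well above it. A practitioner sweeping an ad network's creatives could compute the same statistic on every RGBA PNG and flag outliers for manual review; legitimate anti-aliased edges also produce intermediate alpha values, so the threshold has to be tuned against real creatives rather than set from this toy cover.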

Here's How the Stegano Attack Works:

Once a user visits a site hosting malicious advertisement, the malicious script embedded in the ad reports information about the victim's computer to the attacker's remote server without any user interaction.

The malicious code then exploits CVE-2016-0162, an information-disclosure vulnerability in Internet Explorer, to check whether the target looks like a malware analyst's machine (for example, one with security or analysis tools installed) before going any further.

If the target passes that check, the malicious script redirects the browser to a website hosting Flash Player exploits for three Adobe Flash vulnerabilities: CVE-2015-8651, CVE-2016-1019 and CVE-2016-4117. All three had been patched before the campaign began, so an up-to-date Flash installation was not exploitable; only unpatched IE-plus-Flash setups were at risk.

"Upon successful exploitation, the executed shell code collects information on installed security products and performs – as paranoid as the cybercriminals behind this attack – yet another check to verify that it is not being monitored," ESET researchers wrote in a blog post. "If results are favorable, it will attempt to download the encrypted payload from the same server again, disguised as a gif image."

When downloaded to the victim's computer, the encrypted payload is decrypted and launched via regsvr32.exe or rundll32.exe. Both are signed Windows binaries, which is why defenders should watch for either of them loading a DLL from a user-writable location such as the browser's temporary directory.

Just Visit a Site, and You'll be Hacked in Just 2-3 Sec

ESET published an infographic of the full chain (not reproduced here).

All of the above operations execute automatically, without any user interaction, and take place in the span of just 2-3 seconds.

So far, the Stegano exploit kit has pushed various trojan downloaders, the Ursnif and Ramnit banking trojans, backdoors, spyware, and file stealers.

The Stegano exploit kit was initially used in 2014 to target people in the Netherlands, and then in 2015, moved on to residents in the Czech Republic. The latest attack campaign is targeting people in Canada, the UK, Australia, Spain, and Italy.

The best way to protect yourself against any malvertising campaign is to keep your browser, its plug-ins and the operating system patched; this chain in particular relied on Internet Explorer and an out-of-date Flash Player, so removing or disabling Flash and moving off IE removes the attack surface entirely. Also use reputable antivirus software that can detect such threats before they infect your system.

Read more at  http://thehackernews.com/2016/12/image-exploit-hacking.html

NATO trains Iraqi experts in Cyber Defence

December 9, 2016

Iraqi experts were trained in cyber defence at the Middle East Technical University (METU) in Ankara, Turkey, to improve their expertise and technical knowledge and to contribute to the strengthening of Iraqi national cyber defence capabilities. The course was supported by the Science for Peace and Security (SPS) Programme and took place from 21 November to 2 December 2016.


This training course aimed at Iraqi system/network administrators was tailored specifically to Iraq’s needs by focusing on its cyber security and defence requirements presented to NATO. Overall, 16 civil servants from the new Iraqi Computer Incident Response Team (CIRT) were trained during the course.

The hands-on training programme included both theoretical sessions as well as practical laboratory exercises of core aspects of cyber defence, including cryptanalysis, prevention of data exfiltration, advanced digital forensics, and conducting vulnerability assessment.

Mr Aldulsamad, Director of the CIRT, remarked “we appreciate the broad approach that covered cyber security as a whole because it enabled each expert to be exposed to areas that are very different from the one they specialise in, together with the security implications that they have to be aware of in order to be better equipped at tackling their everyday challenges.”

The course focused on raising cyber security awareness and provided the trainees with the expertise and technical knowledge to help increase resilience of their national networks. Upon their return, the trainees will be able to apply the gained knowledge in the daily operation of their institutions thereby significantly contributing to the strengthening of Iraqi national cyber defence capabilities.

The co-director for this advanced training course, Mr Murad Assafi (National Security Council of Iraq), expressed his satisfaction with this training for the CIRT cyber defence experts and proposed a follow-up training stating that “a further training would be very useful, allowing Iraq’s institutions to benefit from the expertise of METU lecturers.”

Contributing to Iraq’s defence capacity building

The SPS training was delivered as part of the Defence Capacity Building (DCB) Initiative endorsed by Allied leaders at the 2014 NATO Summit in Wales. “Upon the request from the Iraqi authorities, the SPS Programme rapidly reacted and provided this tailor-made, high-level expert course, significantly contributing to NATO’s strategic objectives in the area of defence capacity-building,” noted Dr Deniz Beten, Senior SPS & Partnership Cooperation Advisor.

The SPS Programme provides strong support to the DCB Initiative and currently supports several activities in this area. This is the second SPS activity implemented under the DCB Package for Iraq. The SPS Programme also assists Iraq through a multi-year project in the field of counter-IED, consisting of expert training and related specialist equipment.

More Info http://www.nato.int/cps/en/natolive/news_139179.htm?selectedLocale=en

SWIFT confirms new cyber thefts, hacking tactics

December 12, 2016

Cyber attacks on the global banking system have continued - and succeeded - since February's heist of $81 million from the Bangladesh central bank, underscoring the continuing vulnerability of the SWIFT messaging network, a SWIFT official told Reuters.

The network, which handles trillions of dollars in transfers daily, has warned banks of the escalating threat to their systems, according to a SWIFT letter obtained by Reuters.

"The threat is very persistent, adaptive and sophisticated - and it is here to stay," SWIFT said last month in a letter to client banks, which has not been previously reported.

Client banks have been hit with a "meaningful" number of attacks, about a fifth of them resulting in stolen funds, said Stephen Gilderdale, Head of SWIFT's Customer Security Programme. Gilderdale's comments are the first confirmation of new thefts involving the SWIFT network since the February heist.

The revelations provide fresh evidence that SWIFT remains at risk of copycat attacks nearly a year after the massive theft from a Bangladesh Bank account at the New York Fed. The unprecedented cyber heist prompted regulators around the globe to tighten bank security requirements.

SWIFT's letter to customers warned that hackers have refined their methods for compromising local bank systems. One new tactic, the letter said, involved abusing remote-support software, the kind that lets technicians access a computer to provide technical support, to get onto bank systems.

"We unfortunately continue to see cases in which some of our customers' environments are being compromised" by thieves who then send fraudulent payment instructions through the SWIFT network - the same kind of messages used to steal Bangladesh Bank funds.

On Monday, a top investigator in Dhaka told Reuters that some Bangladesh central bank officials deliberately exposed its computer systems and enabled the theft. The comments by Mohammad Shah Alam of the Dhaka police are the first sign that investigators have got a firm lead in one of the world's biggest cyber heists. Arrests are likely soon, he said.

SWIFT's Gilderdale declined to provide further details about more recent attacks or to name victims or amounts stolen. Asked how many heists had been attempted, he said only that it was "a meaningful number of cases."

The intrusions had been detected in a variety of ways, Gilderdale said. In some cases, anti-virus software had identified malware. In one case, a financial supervisory body had notified SWIFT of an attempted attack.

The additional attacks SWIFT disclosed to Reuters do not include others that have already come to light since the Bangladesh Bank heist.

Thieves stole $250,000 from Bangladesh's Sonali bank in 2013. More than $12 million was stolen from Ecuador's Banco del Austro in 2015. Vietnam's Tien Phong Bank said in May that it foiled an attempt to steal money via SWIFT.


Read more: http://www.cnbc.com/2016/12/12/swift-confirms-new-cyber-thefts-hacking-tactics.html




Latest Cyber Security News

Individuals at Risk

Cyber Privacy

The Future of Privacy: This is an article from Turning Points, a magazine that explores what critical moments from this year might mean for the year ahead. William Gibson, The New York Times, December 6, 2016

Cyber Defense

How to avoid online shopping fraud this holiday season: As e-commerce takes more of Americans’ shopping dollars, the opportunity for web-based fraud increases. Chicago Tribune, December 6, 2016

Information Security Management in the Organization

Information Security Management and Governance

NIST’s Cybersecurity Framework offers small businesses a vital information security toolset: Small businesses run lean, and bad guys know that means security may be less than adequate. NIST researchers share ways that small businesses can protect their information. TechRepublic, December 7, 2016

US-CERT Federal Incident Notification Guidelines Provides Framework for Business: This document provides guidance to Federal Government departments and agencies (D/As); state, local, tribal, and territorial government entities; Information Sharing and Analysis Organizations; and foreign, commercial, and private-sector organizations for submitting incident notifications to the National Cybersecurity and Communications Integration Center (NCCIC)/United States Computer Emergency Readiness Team (US-CERT). US-CERT, December 2016

Cyber Warning

This ‘highly personalized’ malware campaign targets retailers with phony customer queries: Cybercriminals are using personalized malware campaigns against staff at retailers in order to steal credentials and sensitive documents. ZDNet, December 9, 2016

Malware infects computers by hiding in browser ad graphics: Unless you still use Internet Explorer (and please don’t do that), you probably don’t have to worry about new malware discovered by Eset researchers. However, the Stegano exploit kit shows how adept hackers have become at slipping infected ads past major networks and then hiding the malware from discovery. It’s been operating stealthily for the last two years and specifically targeting corporate payment and banking services. engadget, December 8, 2016

Goldeneye ransomware: Phishing attack carries legit PDF resumé & ‘addl info’ in infected Excel file: Hindsight is a wonderful thing. With hindsight, few of us would ever fall victim to ransomware: most ransomware attacks rely on talking us past at least one security speed bump… NakedSecurity, December 8, 2016

Massive Malvertising Campaign Hits MSN, Yahoo: A massive malicious advertising campaign has resurfaced on major publishing websites, including Yahoo and MSN, just a few months after researchers thought they’d nipped it in the bud. BankInfoSecurity, December 8, 2016


Windows XP ‘still widespread’ among healthcare providers: Microsoft ended Windows XP support a couple years ago, and any veteran security practitioner will remember the constant barrage of malware hurled their way through trivial exploits of the old OS. Naked Security, December 9, 2016

Cyber Law

Gridlock on cyber laws likely to persist: Botnets, ransomware, child pornography and other cyber crimes continue to proliferate. And the Department of Justice says despite some progress, existing laws and tools aren’t up to the growing task. FCW, December 8, 2016

Cyber Security in Society

Cyber Crime

Admin spied on Expedia executive emails to make share killing: A former IT admin for travel company Expedia has admitted spying on senior executives to carry out a series of insider trading frauds that netted $331,000 (£265,000). Naked Security, December 9, 2016

China Stole Data From Major U.S. Law Firms: A series of security breaches that stuck prestigious law firms last year was more pervasive than reported and was carried out by people with ties to the Chinese government, according to evidence seen by Fortune. Fortune, December 7, 2016

Cyber Attack

Fast-Spreading Mirai Worm Disrupts UK Broadband Providers: Mirai, a fast-spreading worm that knocked 900,000 Deutsche Telekom customers offline earlier this week, has also caused hiccups for broadband customers in the U.K. BankInfoSecurity, December 2, 2016

Saudi Central Bank Systems Said to Be Struck by Iran Malware: State-sponsored hackers who unleashed a digital bomb in key parts of Saudi Arabia’s computer networks over the last two weeks damaged systems at the country’s central bank, known as the Saudi Arabian Monetary Agency, according to two people briefed on an ongoing investigation of the breach. Bloomberg, December 2, 2016

There’s a new DDoS army, and it could soon rival record-setting Mirai: For more than a week, someone has waged massive attacks on a daily basis. ars technica, December 1, 2016

New Mirai Worm Knocks 900K Germans Offline: More than 900,000 customers of German ISP Deutsche Telekom (DT) were knocked offline this week after their Internet routers got infected by a new variant of a computer worm known as Mirai. The malware wriggled inside the routers via a newly discovered vulnerability in a feature that allows ISPs to remotely upgrade the firmware on the devices. But the new Mirai malware turns that feature off once it infests a device, complicating DT’s cleanup and restoration efforts. KrebsOnSecurity, November 30, 2016

Know Your Enemy

Ransomware Gives Free Decryption Keys to Victims Who Infect Others: Researchers say they have uncovered ransomware still under development that comes with a novel and nasty twist. ThreatPost, December 9, 2016

DDoS platform lures hackers to attack websites for points and prizes: A Turkish cyberattack group is luring individuals to join a DDoS platform to compete for points through games which can be redeemed for hacking tools. ZDNet, December 8, 2016

The cybercrime business model and its value chain: The security landscape has evolved to a point where most IT threats occur with the intention of generating financial gain for their creators and financiers. Based on this premise, various attack or threat types have proliferated and evolved to affect a greater number of users and organizations. WeLiveSecurity, December 8, 2016

‘Avalanche’ Crime Ring Leader Eludes Justice: The accused ringleader of a cyber fraud gang that allegedly rented out access to a criminal cloud hosting service known as “Avalanche” is now a fugitive from justice following a bizarre series of events in which he shot at Ukrainian police, was arrested on cybercrime charges and then released from custody. KrebsOnSecurity, December 8, 2016

US National Cyber Security

Trump, CIA on collision course over Russia’s role in U.S. election: The simmering distrust between Donald Trump and U.S. intelligence agencies escalated into open antagonism Saturday after the president-elect mocked a CIA report that Russian operatives had intervened in the U.S. presidential election to help him win. Washington Post, December 10, 2016

Trump, Mocking Claim That Russia Hacked Election, at Odds with G.O.P.: An extraordinary breach has emerged between President-elect Donald J. Trump and the national security establishment, with Mr. Trump mocking American intelligence assessments that Russia interfered in the election on his behalf, and top Republicans vowing investigations into Kremlin activities. New York Times, December 10, 2016

The CIA concluded that Russia worked to elect Trump. Republicans now face an impossible choice: The Washington Post is now reporting that the CIA has concluded something widely suspected but never flatly stated by the intelligence community: that Russia moved deliberately to help elect Donald Trump as president of the United States — not just to undermine the U.S. political process more generally. Washington Post, December 9, 2016

Russia Hacked Republican Committee but Kept Data, U.S. Concludes: WASHINGTON — American intelligence agencies have concluded with “high confidence” that Russia acted covertly in the latter stages of the presidential campaign to harm Hillary Clinton’s chances and promote Donald J. Trump, according to senior administration officials. The New York Times, December 9, 2016

Fancy Bear ramping up infowar against Germany—and rest of West: US intelligence agencies have been forthright in their insistence that the Russian government was behind not only the hacking of the Democratic National Committee (DNC) and other political organizations in the US, but a concerted effort to undermine confidence in the results of the US presidential election, including attacks on state election officials’ systems. But the US is not the only country that the Russian government has apparently targeted for these sorts of operations—and the methods used in the DNC hack are being applied increasingly in attempts to influence German politics, Germany’s chief of domestic intelligence warned yesterday. ars technica, December 9, 2016

The report the president’s cybersecurity commission should have created: On Dec. 1, The Commission on Enhancing National Cybersecurity issued its key deliverable, the report on Securing and Growing The Digital Economy. That is a good report. For policy-makers new to cybersecurity, the introduction recaps issues the nation has been dealing with for quite some time, and the many recommendations are things we should all support. cyberscoop, December 9, 2016

Putin Signs New Information Security Doctrine: Russian President Vladimir Putin has signed off on a new “information security doctrine,” replacing the one he issued in 2000, during the first year of his rule. While experts in Moscow saw no surprises in the new document, they also said it reflects the Kremlin’s increasingly repressive policy toward the media and civil society more generally. VoiceOfAmerica, December 8, 2016

Influential Republican lawmaker proposes new cybersecurity-focused agency: House Homeland Security Committee Chairman Michael McCaul announced plans Wednesday to push for the creation of a new federal agency during the Trump administration that would consolidate the government’s disjoined cybersecurity efforts. He said the eventual launch of such an agency will be one of his highest priorities in 2017. fedscoop, December 7, 2016

US Tech Firms Promise Terror Content Crackdown: Facebook, Google, Microsoft and Twitter have promised to better identify and remove terror-related videos and imagery that get posted to their online properties by sharing information. BankInfoSecurity, December 6, 2016

DDoS, IoT Top Cybersecurity Priorities for 45th President: Addressing distributed denial-of-service (DDoS) attacks designed to knock Web services offline and security concerns introduced by the so-called “Internet of Things” (IoT) should be top cybersecurity priorities for the 45th President of the United States, according to a newly released blue-ribbon report commissioned by President Obama. KrebsOnSecurity, December 5, 2016

Cyber Politics

NYU Students Apply Blockchain Solution to Electronic Voting Security: The contentious U.S. presidential election elevated a number of critical security issues to the forefront, perhaps none more important for the long-term than questions of voter fraud and electronic voting security. ThreatPost, December 9, 2016

Financial Cyber Security

Bangladesh Bank Heist Probe Finds ‘Negligent’ Insiders: An internal investigation into the February theft of $81 million from the central bank of Bangladesh reportedly found that a handful of negligent and careless bank officials inadvertently helped facilitate the heist by outside hackers. BankInfoSecurity, December 9, 2016

Internet of Things

Researchers Find Fresh Fodder for IoT Attack Cannons: New research published this week could provide plenty of fresh fodder for Mirai, a malware strain that enslaves poorly-secured Internet of Things (IoT) devices for use in powerful online attacks. Researchers in Austria have unearthed a pair of backdoor accounts in more than 80 different IP camera models made by Sony Corp. Separately, Israeli security experts have discovered trivially exploitable weaknesses in nearly a half-million white-labeled IP camera models that are not currently sought out by Mirai. KrebsOnSecurity, December 6, 2016

Cyber Sunshine

Bank fraud scheme lands Newark man in prison: A 26-year-old Newark man has been sentenced to two years in prison followed by three years of probation for a bank fraud scheme that netted nearly half a million dollars, according to the U.S. Attorney’s Office for Delaware. DelawareOnline, December 5, 2016









The content of this CRC-ICS Cyber News Update is provided for information purposes only. No claim is made as to the accuracy or authenticity of the content of this news update or incorporated into it by reference. No responsibility is taken for any information or services which may appear on any linked websites. The information provided is for individual expert use only.



Founded in 2015, the Cyber Research Center - Industrial Control Systems is a not for profit research & information sharing research center working on the future state of Physical & Cyber Protection and Resilience. CRC-ICS goals are to inform industries / critical infrastructures about the fast changing threats they are facing and the measures, controls and techniques that can be implemented to be prepared to deal with these cyber threats.



Cyber Research Center - Industrial Control Systems. 2016

www.crc-ics.net or www.cyber-research-center.net