Cyber Research

Cyber News

Cyber Info


May 2017

In this issue



*         Registering a single web address may have stopped the WannaCry global malware attack

*         Microsoft says governments should stop 'hoarding' security vulnerabilities after WannaCry attack

*         The WannaCry ransomware attack has spread over more than 150 countries

*         Renault shut down several French factories after cyberattack

*         Latest Cyber Security News


about the Cyber Security News update

The Cyber News Update is an activity of the Cyber Research Center - Industrial Control Systems and is intended to reach out to all Cyber Security Professionals interested in industrial / critical infrastructure threats, protection & resilience. For more information visit the CRC-ICS website at www.crc-ics.net or www.cyber-research-center.net


Registering a single web address may have stopped the WannaCry global malware attack

May 14, 2017

Over the past 24 hours, a ransomware program called WannaCry has shut down more than 75,000 computers across 99 countries, including a string of hospitals in the United Kingdom and critical gas and water utilities in Spain. But despite the massive scale of the attack, stopping new infections from the attack seems to have been as simple as registering a single web address.


This morning, researchers announced they had found a kill switch in the code of the ransomware program — a single domain which, when registered, would prevent any infections from taking place. It’s still unclear whether registering that domain will stop every strain of the infection, but it should severely limit the global spread of the attack.

The crucial web address is found in a small section of code, the purpose of which is still unclear. When the program is infecting a new computer, it first checks an obscure web address — iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com — to see if the domain is registered. As long as the domain is unoccupied, the infection proceeds, encrypting the computer’s hard drive and locking it down until the ransom is paid.

That feature was first noticed by a 22-year-old UK researcher who writes under the name MalwareTech. As an experiment, MalwareTech registered the domain; now when the program ran its check, it found the web address registered and occupied. Only later did the effect of that move become clear: occupying the domain prevented any new infections from taking place. When the ransomware discovers the domain is occupied, it abruptly stops the installation process, leaving the larger system unaffected. The result is a major protection for computers still vulnerable to the attack: even if the ransomware software ends up running on your computer, the flipped kill switch will stop it from holding you for ransom.

#WannaCry propagation payload contains previously unregistered domain, execution fails now that domain has been sinkholed pic.twitter.com/z2ClEnZAD2

It’s still unclear why the ransomware included such a kill switch. Some have speculated it may have been a way for the creator to shut down the system remotely, although there’s no indication that he or she decided to do so. MalwareTech has a different theory: checking the domain was a way to keep the ransomware from being spotted by malware researchers. If the program were being run in a controlled “sandbox” environment, commonly used by researchers to examine code without exposing themselves to malware, the domain may well have come back as occupied as a result of the limitations of the sandbox. In those cases, preventing installation would have been a useful trick.

Flipping the kill switch may not stop the WannaCry ransomware entirely. It’s unclear how many of the observed infections were the result of the specific strain of malware analyzed by MalwareTech. Beyond that, it would be easy for the authors to send out a new version of the ransomware with a different domain or no kill-switch protocol at all. Still, as Microsoft users rush to patch the vulnerability — and hospitals try to regain control of their IT systems — this clever bit of code analysis may have saved more than a few lives.
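The domain check described above is also a detection opportunity: any host that looked up the kill-switch domain ran the worm's propagation code, whether or not the sinkhole stopped it. The following Python script is an added example (not code from the article or from MalwareTech) that scans constructed DNS resolver log lines for that lookup; it assumes a log format of timestamp, client IP, query name and response code, and that an NXDOMAIN answer means the host checked the domain before it was registered.

```python
"""
Added example: triage DNS resolver logs for lookups of the WannaCry
kill-switch domain quoted in the article. Log format, hostnames and
timestamps below are constructed for this example.
"""
import re

# Domain quoted in the article (registered by MalwareTech as a sinkhole).
# Further sinkholed domains can be added here as they are published.
KILL_SWITCH_DOMAINS = {
    "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com",
}

# Assumed resolver log format: "<timestamp> <client-ip> <qname> <rcode>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<qname>\S+)\s+(?P<rcode>NOERROR|NXDOMAIN|SERVFAIL)$"
)


def parse_line(line):
    """Parse one log line; return None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Normalise trailing dot and case so the set lookup is exact.
    rec["qname"] = rec["qname"].rstrip(".").lower()
    return rec


def scan_dns_log(lines):
    """Return {client_ip: {"queries", "nxdomain", "first_seen"}} for every
    client that looked up a kill-switch domain."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qname"] not in KILL_SWITCH_DOMAINS:
            continue
        entry = hits.setdefault(
            rec["client"], {"queries": 0, "nxdomain": 0, "first_seen": rec["ts"]}
        )
        entry["queries"] += 1
        if rec["rcode"] == "NXDOMAIN":
            entry["nxdomain"] += 1
    return hits


def triage(hits):
    """NXDOMAIN means the domain was still unregistered when the host
    checked it, so the kill switch did not trip for that run; NOERROR
    means the sinkhole answered and the article says installation stops."""
    verdicts = {}
    for client, e in hits.items():
        if e["nxdomain"] > 0:
            verdicts[client] = "likely encrypted/spreading (kill switch not yet live)"
        else:
            verdicts[client] = "execution stopped by sinkhole; host still unpatched, isolate"
    return verdicts


# Constructed sample log: one host queried before the sinkhole existed,
# one after; one malformed line shows the parser skipping noise.
SAMPLE_LOG = """\
2017-05-12T10:01:02Z 10.0.5.21 www.example-intranet.local. NOERROR
2017-05-12T10:01:09Z 10.0.5.21 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. NXDOMAIN
2017-05-12T18:40:11Z 10.0.7.44 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. NOERROR
2017-05-12T18:41:00Z 10.0.7.44 update.example-vendor.test. NOERROR
this line is garbage and should be skipped
""".splitlines()

if __name__ == "__main__":
    for host, verdict in sorted(triage(scan_dns_log(SAMPLE_LOG)).items()):
        print(host, "->", verdict)
```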


More info https://www.theverge.com/2017/5/13/15635050/wannacry-ransomware-kill-switch-protect-nhs-attack

Microsoft says governments should stop 'hoarding' security vulnerabilities after WannaCry attack

May 15, 2017

As news of the WannaCry ransomware attack broke last week, companies and governments scrambled first to keep it contained. Now, with more details about its origins and effects clear, those organizations are issuing their official responses.


Among the first is Microsoft, which rushed out an emergency patch for Windows XP on Friday, after formally ending support for the operating system three years ago. The company responded to the attacks with a strongly worded blog post, criticizing governments for "stockpiling" information about cybersecurity vulnerabilities, and likening the WannaCry attack to the US military "having some of its Tomahawk missiles stolen."

Microsoft references the WannaCry ransomware's source as a vulnerability known by the NSA, noting that similar security holes were revealed on WikiLeaks in documents stolen from the CIA. It says that the governments of the world should treat the WannaCry attack as "a wake-up call," to consider the "damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits," and to adopt the "Digital Geneva Convention" the company first suggested in February. That Convention would have a new stipulation, too: "a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them."

But Microsoft also calls on customers to keep up their end of the bargain, too. It notes that cybersecurity is increasingly becoming a shared responsibility between tech companies and customers, the former relying on the latter to keep their critical systems updated, just as people rely on companies to put out secure systems. By keeping pace with upgrades and patches, vast networks like the UK's National Health Service will be able to avoid what Microsoft says are the "two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action."

In the United States, the Trump administration called an emergency meeting to discuss the ongoing threat of the ransomware, which according to Europol, has already affected 200,000 computers in 150 countries. In the UK, where WannaCry impacted the work of the National Health Service, experts warned that a second wave may be incoming as still-undetected ransomware could be triggered.

But while Microsoft's advice to keep your computers updated is solid for most standard consumers, it's these government and corporate networks that remain most at risk. The NHS is a good example. The service has been the target of repeated government budget cutbacks, and the country's health minister is apparently unwilling to discuss the security of the huge, ageing network it uses. Around the world, similar organizations are likely to remain juicy targets for increasingly more organized and sophisticated attackers.

Read more https://www.theverge.com/2017/5/15/15639890/microsoft-wannacry-security-vulnerabilities-ransomware

The WannaCry ransomware attack has spread over more than 150 countries

May 15, 2017

New variations of the ransomware have begun to surface

Since its discovery on Friday afternoon, the WannaCry ransomware attack has continued to spread this weekend, impacting over 10,000 organizations and 200,000 individuals in over 150 countries, according to European authorities. However, while measures have been taken to slow the spread of the malware, new variations have begun to surface.

This morning, Europol Director Rob Wainwright told the BBC that the cyberattack is “unprecedented in its scale,” and noted that it will likely continue as people return to work on Monday. While Microsoft took the unusual step to issue a patch for Windows XP, the patch will only work if installed, and authorities have been warning businesses to ensure that their systems are updated.

Version 1 of WannaCrypt was stoppable but version 2.0 will likely remove the flaw. You're only safe if you patch ASAP.

Researchers have since discovered two new variations of the ransomware. One has been blocked with another domain name registration, while the other has no kill switch but is only partially working.

The software exploits a security flaw in Windows XP, and once it infects a computer, it encrypts the files and spreads to other computers. Victims receive a demand for a payment of $300 in Bitcoin in order to regain access. However, despite the widespread nature of the attack, it’s believed that the perpetrators have only raised around $20,000 in payments.

More Info https://www.theverge.com/2017/5/14/15637888/authorities-wannacry-ransomware-attack-spread-150-countries




Renault shut down several French factories after cyberattack

May 15, 2017

As the massive WannaCry ransomware attack spread to over 100 countries this weekend, French automaker Renault halted production in several of its factories on Saturday, according to a spokesperson.

Speaking to Automotive News, the spokesperson confirmed that the company shut down production in its Sandouville factory, saying that “proactive measures have been put in place, including the temporary suspension of industrial activity at some sites," but declined to provide a full list of affected sites. Renault’s partner company Nissan was also affected: a UK spokesperson confirmed that files at its Sunderland factory were impacted on Friday night, but wouldn’t confirm reports that production was halted. A Renault spokesperson told Reuters that the company expects that “nearly all plants” will reopen on Monday.

The WannaCry ransomware attack began on Friday, impacting computers at UK hospitals, utilities in Spain, and Russia’s interior ministry. The attack uses an exploit known as EternalBlue, which is thought to have been developed by the NSA to break through security on Windows computers. Yesterday, Microsoft took the unusual step of issuing a Windows XP patch to help prevent the attack, while a 22-year-old cybersecurity researcher seems to have defused the attack by registering a single web address.


Read more: https://www.theverge.com/2017/5/14/15637472/renault-nissan-shut-down-french-uk-factories-wannacry-cyberattack

Latest Cyber Security News

Individuals at Risk

Cyber Update

HP issues fix for ‘keylogger’ found on several laptop models:
A security researcher says an audio driver is recording every keystroke entered, accessible to any person or malware that knows where to look.
ZDNet, May 12, 2017

Emergency Fix for Windows Anti-Malware Flaw Leads May’s Patch Tuesday: Adobe and Microsoft both issued updates today to fix critical security vulnerabilities in their software. Microsoft actually released an emergency update on Monday just hours ahead of today’s regularly scheduled “Patch Tuesday” (the 2nd Tuesday of each month) to fix a dangerous flaw present in most of Microsoft’s anti-malware technology that’s being called the worst Windows bug in recent memory. Separately, Adobe has a new version of its Flash Player software available that squashes at least seven nasty bugs. KrebsOnSecurity, May 9, 2017

Cyber Defense

Analysis of 500 million passwords shows what you should avoid: A dump of over 550 million username and password combinations is currently being sold on underground forums, and eager crooks are paying for the privilege to test them out against many online services. HelpNetSecurity, May 12, 2017

Cyber Warning

Reminder to Be Cautious as SMS Smishing Fraud Steals Money from UK Bank Customers: NatWest customers are being warned about a new ‘smishing’ scam that allows fraudsters to steal their cash. The Independent, May 11, 2017

Information Security Management in the Organization

Information Security Management and Governance

What the Rise of Russian Hackers Means for Your Business: For years major businesses have contended with hackers attempting to break into their networks and steal their data. In the recent past, that threat mostly emanated from China. Now, a new threat has emerged that companies must address: a savvy, resource-rich, risk-taking gang of hackers with ties to Russia. If the Chinese were the drunk burglars of cyberspace (to quote former FBI director James Comey), these Russians are stone-cold sober thugs. HBR, May 12, 2017

Cybersecurity consciousness in the C-suite: Enterprises are better protected from repercussions of a breach with a board that’s knowledgeable about security and which makes sure a comprehensive set of security policies are in place, reports Greg Masters. SC Magazine, May 12, 2017

Cyber Defense

Extreme Makeover: AI & Network Cybersecurity: In the future, artificial intelligence will constantly adapt to the growing attack surface. Today, we are still connecting the dots. DarkReading, May 10, 2017

Cyber Insurance

Cyber Crime Fears Drive Up Demand for Anti-Hacker Insurance: For companies and organizations, an attack by hackers can inflict financial losses, corporate embarrassment and legal action. For insurers jumping into the brave new world of cyber crime insurance, it’s free marketing for what could be a $10 billion opportunity. Bloomberg, May 9, 2011

Cyber Security in Society

WannaCry Attack

Users and IT Dept’s Need to Take Action as Dangerous Ransomware Attack Circles Globe: A dangerous ransomware attack is occurring today which is having a significant impact on computers globally. The attack has compromised the hospital system in England and severely impacted the Spanish telecommunications company, Telefonica. All told, more than 74 countries have been impacted. Stan Stahl, CitadelOnSecurity, May 12, 2017

Why Is The NHS Ransomware Attack Bigger Than What it Seems? The Experts Chime In [Citadel’s Stan Stahl Quoted]: A massive cyberattack seems to have caught the global corporate arena asleep at the wheel. What do some of the experts have to say about it? Read on to find out. ITSP Magazine, May 2017

WannaCry’s large-scale cyber attack highlights the structural dilemma of the NSA: IN BRITAIN, doctors could neither gain access to their patients’ files nor make appointments to see those patients. In Russia, hundreds of the interior ministry’s workers sat idle. In China, students were locked out of their theses. As the latest cyber attack rippled around the globe, infecting at least 45,000 computers in 74 countries, according to Kaspersky Labs, a Russian cyber-security firm, it seemed for a moment that the world was facing digital apocalypse. In the event, catastrophe was averted when somebody found a kill switch, which stopped the malicious software involved spreading further. The attackers will still make a pretty penny, however, and untold hours will have to be spent cleaning up the mess. What is more galling than that is that all of this was entirely avoidable. The Economist, May 13, 2017

WannaCry may be slowing. Stay cautious in preparation for release of next attack wave. Patch now!: Over the past 24 hours, a ransomware program called WannaCry has shut down more than 75,000 computers across 99 countries, including a string of hospitals in the United Kingdom and critical gas and water utilities in Spain. But despite the massive scale of the attack, stopping new infections from the attack seems to have been as simple as registering a single web address. The Verge, May 13, 2017

An NSA-derived ransomware worm is shutting down computers worldwide: A highly virulent new strain of self-replicating ransomware shut down computers all over the world, in part by appropriating a National Security Agency exploit that was publicly released last month by the mysterious group calling itself Shadow Brokers. ars technica, May 12, 2017

Malware, described in leaked NSA documents, cripples computers in worldwide ransomware attack: Hackers unleashed an attack that disabled computers in dozens of nations Friday using a software flaw that once was part of the National Security Agency’s surveillance tool kit. The Washington Post, May 12, 2017

Ransom reportedly demanded in cyberattack on England’s health-care system: Hackers unleashed an attack that disabled computers in dozens of nations Friday using a software flaw that once was part of the National Security Agency’s surveillance tool kit. The Washington Post, May 12, 2017

Cyber Culture

Everything is hackable. Computer security broken from top to bottom. Distrust & Caution!!: As the consequences pile up, things are starting to improve. The Economist, April 8, 2017

Cyber Crime

Greenway Health struggles with ransomware attack. Patient info from nearly 4,000 customers at risk: A ransomware attack last week against hospital and ambulatory electronic health records vendor Greenway Health affected 400 client organizations using the vendor’s Intergy cloud-hosted platform. HealthData Management, May 1, 2017

Cyber Privacy

SSA.GOV To Require Stronger Authentication: The U.S. Social Security Administration will soon require Americans to use stronger authentication when accessing their accounts at ssa.gov. As part of the change, SSA will require all users to enter a username and password in addition to a one-time security code sent their email or phone. In this post, we’ll parse this a bit more and look at some additional security options for SSA users. KrebsOnSecurity, May 10, 2017

Cyber Defense

UN Agency Launches Cryptocurrency Cybercrime Training: The United Nations agency dedicated to fighting drug trafficking and organized crime has developed a new cryptocurrency training program. CoinDesk, May 11, 2017

Know Your Enemy

With New Digital Tools, Even Nonexperts Can Wage Cyberattacks: SAN FRANCISCO — Hackers are discovering that it is far more profitable to hold your data hostage than it is to steal it. The New York Times, May 13, 2017

NexGen Malware Will Use Artificial Intelligence: Cybersecurity Friend or Foe?: The next generation of situation-aware malware will use AI to behave like a human attacker: performing reconnaissance, identifying targets, choosing methods of attack, and intelligently evading detection. DarkReading, May 11, 2017

National Cyber Security

A few industry reactions to Trump’s cybersecurity executive order. Pluses. Missed Opportunities: On Thursday, President Donald Trump signed a long-awaited executive order on cybersecurity. HelpNetSecurity, May 12, 2017

US intelligence chiefs don’t trust Kaspersky Lab software: The big question in Thursday’s intelligence hearing on worldwide threats before the US Senate Intelligence Committee was whether the Russian government interfered with US elections. HelpNetSecurity, May 12, 2017

Trump signs executive order. Requires Federal agencies to use NIST Cybersecurity Framework: President Donald Trump has signed a long-awaited executive order that places responsibility for cybersecurity on departmental secretaries and agency directors and emphasizes the use of risk management throughout the federal government to secure digital assets. BankInfoSecurity, May 11, 2017

NYU Accidentally Exposed Military Code-breaking Computer Project to Entire Internet: In early December 2016, Adam was doing what he’s always doing, somewhere between hobby and profession: looking for things that are on the internet that shouldn’t be. That week, he came across a server inside New York University’s famed Institute for Mathematics and Advanced Supercomputing, headed by the brilliant Chudnovsky brothers, David and Gregory. The server appeared to be an internet-connected backup drive. But instead of being filled with family photos and spreadsheets, this drive held confidential information on an advanced code-breaking machine that had never before been described in public. Dozens of documents spanning hundreds of pages detailed the project, a joint supercomputing initiative administered by NYU, the Department of Defense, and IBM. And they were available for the entire world to download. The Intercept, May 11, 2017

French Election Security

Macron campaign team used honeypot accounts to fake out Fancy Bear: The failed effort by Russian attackers to influence the outcome of the French presidential campaign in its final hours was in part a forced error, thanks to an active defense by the digital team of French president-elect Emmanuel Macron’s campaign organization, the digital director of the campaign has claimed. Campaign team members told the New York Times that as the phishing attacks mounted, they created a collection of fake e-mail accounts seeded with false information. ars technica, May 10, 2017

Evidence suggests Russia behind hack of French president-elect: Late on May 5 as the two final candidates for the French presidency were about to enter a press blackout in advance of the May 7 election, nine gigabytes of data allegedly from the campaign of Emmanuel Macron were posted on the Internet in torrents and archives. The files, which were initially distributed via links posted on 4Chan and then by WikiLeaks, had forensic metadata suggesting that Russians were behind the breach—and that a Russian government contract employee may have falsified some of the dumped documents. ars technica, May 8, 2017

Cyber Law

How one obscure court case could decide the future of internet business: There’s a huge court case you need to hear about. It might not be on your radar yet because, frankly, some of it gets pretty technical. But the outcome is likely to have enormous repercussions for online privacy, net neutrality and the economy. The Daily Herald, May 13, 2017


75% of health orgs live below cybersecurity poverty line: Kaiser Permanente chief technology risk officer shared predictions for 2017 and touches on the security issues likely to persist into 2018 at the Healthcare IT News Privacy & Security Forum. HealthcareIT News, May 11, 2017

Website Flaw Let True Health Diagnostics Users View All Medical Records: Over the past two weeks readers have pointed KrebsOnSecurity to no fewer than three different healthcare providers that failed to provide the most basic care to protect their patients’ records online. Only one of the three companies — the subject of today’s story — required users to be logged on in order to view all patient records. KrebsOnSecurity, May 8, 2017

Cyber Sunshine

Man fined $318,000. Destroyed boss’ servers after hacking payroll system & committing payroll fraud: Yovan Garcia, a former private security officer, has been fined $318,661.70 after a California court found him guilty of padding his work hours, hacking the company’s servers to steal data on customers, demolishing the servers in the process, defacing the website, ripping off the proprietary software, and setting up a rival business running on that ripped-off program. NakedSecurity, May 12, 2017



The content of this CRC-ICS Cyber News Update is provided for information purposes only. No claim is made as to the accuracy or authenticity of the content of this news update or incorporated into it by reference. No responsibility is taken for any information or services which may appear on any linked websites. The information provided is for individual expert use only.



Founded in 2015, the Cyber Research Center - Industrial Control Systems is a not-for-profit research and information-sharing center working on the future state of Physical & Cyber Protection and Resilience. CRC-ICS's goals are to inform industries / critical infrastructures about the fast-changing threats they are facing and the measures, controls and techniques that can be implemented to be prepared to deal with these cyber threats.



Cyber Research Center - Industrial Control Systems. 2017

www.crc-ics.net or www.cyber-research-center.net