Cyber Research

Cyber News

Cyber Info


June, 2017







 In this issue



*         Petya Goldeneye ransomware attack using ‘stolen NSA cyber-weapon’ called EternalBlue sweeps the world – and it could get WORSE

*         The highly virulent strain of malicious software

*         What is Petya? An expert explains the origin of this new strain of ransomware

*         Security Researcher creates 'Vaccine' against Petya ransomware attack.

*         Latest Cyber Security NewsLatest Cyber Security News


about the Cyber Security News update

The Cyber News Update is an activity of the Cyber Research Center - Industrial Control Systems and intended to reach out to all Cyber Security Professionals interested in industrial / critical infrastructure threats, protection & resilience. For more information visit the CRC-ICS website at www.crc-ics.net or www.cyber-research-center.net


Petya Goldeneye ransomware attack using ‘stolen NSA cyber-weapon’ called EternalBlue sweeps the world – and it could get WORSE

June 27, 2017


Expert says global onslaught is 'only the tip of the iceberg' as world counts the cost of second major cyber-attack in two months


THE ransomware cyber attack that started in Ukraine and swept across the world could get WORSE, experts have warned.


Yesterday, companies across the globe were clobbered by a virus referred to as Petya, NotPetya or Goldeneye in an incident with chilling echoes of the “WannaCry” assault which crippled the NHS.

This is the screen shown on computers infected by the Petya ransomware

Now one British tech expert has said the situation could be the “tip of the iceberg”.


Dr David Day, a senior lecturer in cyber security at Sheffield Hallam University, slammed America’s National Security Agency (NSA) for creating the “Eternal Blue” exploit used by both Petya and WannaCry.


Following last month’s WannaCry incident, some of the blame was directed at US intelligence agencies the CIA and the NSA who were accused of “stockpiling” software code which could be exploited by hackers.


Companies have been crippled by an attack dubbed ‘Petya’, which is also being referred to as ‘GoldenEye

Dr Day said: “Basically what [the NSA] have done is they have created something which can be used as a weapon, and that weapon has been stolen and that weapon is now being used.


“And I think it underlines the whole need for debate over privacy versus security.


“The NSA will argue that the tool was developed with a need to ensure privacy, but actually what it’s being used for is a weapon against security.”

More info https://www.thesun.co.uk/tech/3900464/petya-goldeneye-ransomware-attack-nsa-cyber/#

The highly virulent strain of malicious software

June 27, 2017

The highly virulent strain of malicious software that is crippling computers globally appears to have first struck in Ukraine.

Hospitals, government offices and major multinationals were among the casualties of the ransomware, which locks up computer files with all-but-unbreakable encryption and then demands a ransom for its release.

This graphic shows the spread of the ransomware

Ukraine suffered more than 60 per cent of the attacks, followed by Russia with more than 30 per cent, according to initial findings by researchers at the cybersecurity firm Kaspersky Lab.

In the United States, it affected companies such as drugmaker Merck and Mondelez International, the conglomerate which owns Cadbury.

It listed Poland, Italy and Germany, in that order, as the next-worst affected.

British advertising giant WPP and law firm DLA Piper were affected by the ransomware.

Its origins and the motive for its release remained unclear, but the time and place of release could have been a clue.

It was let loose on the eve of a national holiday marking Ukraine’s 1996 constitution – its first after independence from Soviet rule.

Ukraine has been a persistent target of pro-Russia hackers in recent years.

They have been blamed for twice shutting down large swathes of its power grid and sabotaging its elections network in a bid to disrupt a May 2014 national vote.

A view of another computer that has been infected by the Petya ransomware

Researchers picking the program apart found evidence its creators had borrowed from leaked National Security Agency code, raising the possibility that the digital havoc had spread using US taxpayer-funded tools.

“The virus is spreading all over Europe, and I’m afraid it can harm the whole world,” said Victor Zhora, the chief executive of Infosafe IT in Kiev, where the first reports of it emerged early Tuesday afternoon.

After the attack, Ukrainian officials posted photos of darkened computer screens.

Energy companies, the country’s biggest airport, the post office, banks, cash machines, gas stations and supermarkets were also infected.

In a Facebook post, infrastructure minister Volodymyr Omelyan said: “It’s no coincidence that the word ‘virus’ ends in RUS.”

Read more https://www.thesun.co.uk/tech/3900464/petya-goldeneye-ransomware-attack-nsa-cyber/#

What is Petya? An expert explains the origin of this new strain of ransomware

June 27, 2017.

New variations of the ransomware have begun to surface


·         “The ransomware, called Petwrap, is based on an older Petya variant, originating from the GoldenEye malware in December 2016.

·         “The new ransomware variant also includes the SMB exploit known as EternalBlue that was created by the United States National Security Administration (NSA), and leaked by the Shadow Brokers hacker group in April 2017.

·         “This malware appears to have been targeted at Ukrainian infrastructure groups such as government workstations, power companies, banks, ATMs, state-run television stations, postal services, airports, and aircraft manufacturers.

·         “Since the initial infection, it has spread to other markets, and beyond the Ukraine borders.

·         “The actual malware is ransomware, requesting a ransom equivalent to $300 USD in bitcoins.

·         “The Petya component includes many features that enable the malware to remain viable on infected systems, including attacking the Master Boot Record.

·         “The EternalBlue component enables it to proliferate through an organisation that doesn’t have the correct patches or antivirus/antimalware software.

·         “This is a great example of two malware components coming together to generate more pernicious and resilient malware.”


Rozenko Pavlo, the Ukrainian deputy Prime Minister, tweeted this image after saying ‘all the computers of the government’ were affected

More Info https://www.thesun.co.uk/tech/3900464/petya-goldeneye-ransomware-attack-nsa-cyber/#




Security Researcher creates 'Vaccine' against Petya ransomware attack.

June 28, 2017.


A vaccination for the global cyber-attack that infected thousands of machines in dozens of countries has been discovered by an American security researcher. 

The simple antidote to the Petya ransomware, which stops computers from being able to launch and demands a $300 (£234) payment, uses an empty folder to block the virus from working. 

It could prevent further companies from falling victim to the attack that hit the Ukrainian National Bank, advertising giant WPP and US law firm DLA Piper. In total the incident affected 12,500 machines in 64 countries, according to Microsoft. 

The fix is reminiscent of the "kill switch" for the WannaCry attack earlier this year that stopped the rapidly spreading virus after it had already infected more than 200,000 machines. But it can't stop the Petya ransomware from spreading to more computers. 

Unlike the WannaCry kill switch, discovered by 22-year-old self-taught Marcus Hutchins, the Petya antidote must be manually downloaded onto computers ahead of their being affected.

Amit Serper, the security researcher from Boston who discovered the solution, warned that it is probably a "temporary fix" rather than a tool to stop the problem completely.

Serper found the solution to the problem working with a UK-based cyber expert who goes by the name of Hacker Fantastic. Serper was on holiday with his family in Israel when the problem started. 

    That family trip to Israel was intense as it is. Yesterday didn't make it easier. Reminder: Always have a windows VM.

    — Amit Serper (@0xAmit) June 28, 2017


    100% certainty! Create a file called perfc with no extension in %windir%. And now I celebrate with friends! pic.twitter.com/JB03xab2BZ

    — Amit Serper (@0xAmit) June 27, 2017

When the Petya ransomware infects a machine it searches for a folder called "perfc.dll". If it can't find the folder it takes hold of the computer, locking files and part of the hard drive. In the event that it finds the file the ransomware is not able to work.

Following his discovery, Serper was inundated with messages of praise and some job offers. He eventually turned off notifications for people he doesn't follow on Twitter and said he didn't want a new job.

"I'm very happy with working for Cyber Reason, please stop emailing me. Also, appreciate the praises but let's not go crazy. I'm not that good," said Serper.

In a follow-up tweet he added: "Thanks for all the kind words. This is a temporary fix, let's focus on patching, less on thanking me. Thanks again, I'm humbled." 

A kill switch for Petya appeared to be less pressing than it was for WannaCry as the former doesn't spread in the same rapid way.

"There is low risk of new infections more than one hour after the attack," Hutchins said

The attack could have infected computers in the first instance through a flaw in accounting software, according to Cisco.

It is not clear who is behind the attack, which appeared to inflict most damage in Ukraine, but research indicates it could have been a nation state assault.

"Based on initial analysis by CyberArk Labs, what we know now is that NotPetya is different from WannaCry in that it appears to be sparing endpoints that use a US English-only keyboard. This seemingly self-imposed restriction has been seen in nation state attacks," said

Companies in more than a dozen countries were affected by the ransomware, including the UK, US, Ukraine, Russia, Italy, Germany, France, Japan and China.

The first incident appeared in Kiev before spreading across Ukraine and Russia. At the time of writing there hadn't been any new instances of the infection but computer systems remained crippled.

Read more: http://www.telegraph.co.uk/technology/2017/06/28/security-researcher-creates-vaccine-against-ransomware-attack/

Latest Cyber Security News

Cyber Update

June 28, 2017

A vaccination for the global cyber attack that infected thousands of machines in dozens of countries has been discovered by an American security researcher. The simple antidote to the Petya ransomware, which stops computers from being able to launch and demands a $300 (£234) payment, uses an empty folder to block the virus from working. It could prevent further ...

June 28, 2017

Britain could launch military retaliation such as air strikes against a future cyber attack, the Defence Secretary has suggested. Sir Michael Fallon warned potential attackers that a strike on UK systems “could invite a response from any domain – air, land, sea or cyberspace”. The Defence Secretary said the UK’s ability to carry out its own cyber ...

June 27, 2017

Major firms, airports and government departments in Ukraine have been struck by a massive cyber attack which began to spread across Europe on Tuesday afternoon. In Ukraine, government departments, the central bank, a state-run aircraft manufacturer,  the airport in Kiev and  the metro network have all been paralysed by the hack. In the UK, the advertising firm WPP said ...

June 27, 2017

Fears have been raised that Britain’s largest ever warship could be vulnerable to cyber attacks after it emerged it appears to be running the outdated Microsoft Windows XP. As HMS Queen Elizabeth left its dockyard for the first time to begin sea trials, it was revealed the £3.5billion aircraft carrier is apparently using the same software that left the NHS exposed. Screens ...

June 27, 2017

Three out of four oil and natural gas companies fell victim to at least one cyber attack last year as hacking efforts against the industry become more frequent and sophisticated. That’s the finding from a report released Monday by industry consultant Deloitte LLP. Technology advances, such as Royal Dutch Shell Plc’s recent control of operations in Argentina ...

June 25, 2017

A cyberattack on MPs and Peers’ emails has prompted Parliament’s security team to shut down external access to its systems. An email sent to parliamentarians on Friday and shown to Sky News said: “Earlier this morning we discovered unusual activity and evidence of an attempted cyberattack on our computer network.” It claimed that “hackers were carrying out ...

June 23, 2017

Siemens patched two vulnerabilities in products commonly found in industrial control system setups this week. If exploited the flaws could allow an attacker to perform administrative actions or gain read access to sensitive data on affected systems. Siemens patched one issue (.PDF) on Tuesday and the other on Thursday (.PDF) this week. ICS-CERT, the Department of ...

June 23, 2017

Side-channel attacks that monitor a computer’s electromagnetic output to snaffle passwords are nothing new. They usually require direct access to the target system and a lot of expensive machinery – but no longer. Researchers at Fox‑IT have managed to wirelessly extract secret AES-256 encryption keys from a distance of one metre (3.3 feet) – using €200 ...

June 23, 2017

Virgin Media is advising more than 800,000 customers with a specific router to change their password immediately after an investigation found hackers could gain access to it. Virgin Media said the risk to customers with a Super Hub 2 router was small, but advised them to change both their network and router passwords if they were ...

June 23, 2017

With one of the most commonly cited threats to an enterprise being the human element, the Australian arm of Cisco is investing in cyber-focused courses to bring people up to date with the role they can play in preventing an attack. Speaking with ZDNet, Anthony Stitt, GM of Security for Cisco in Australia and New Zealand, ...

June 23, 2017

A key figure in American business has urged all companies to take the cyber security threat more seriously after chastising his own accountant for paying a ransomware demand. Jorge Fernandez, VP global commerce for the Metro Atlanta Chamber, said it is time that firms took the same care in cyberspace as they do when installing physical ...

June 23, 2017

Richard Dabate told police a masked intruder assaulted him and killed his wife in their Connecticut home. His wife’s Fitbit told another story and Dabate was charged with the murder. James Bates said an acquaintance accidentally drowned in his hot tub in Arkansas. Detectives suspected foul play and obtained data from Bates’s Amazon Echo device. Bates ...

June 23, 2017

The economics of cybersecurity are skewed in favor of attackers, who invest once and can launch thousands of attacks with a piece of malware or exploit kit. That’s why Neal Ziring, technical director for the NSA’s Capabilities Directorate, wants to flip the financial equation on bad guys. “We need to conduct defenses in a way that ...

June 23, 2017

A massive archive of Microsoft’s top-secret Windows 10 builds, and the source codes for private software has been reportedly leaked online, which could lead to a nasty wave of Windows 10 exploits, journalist at the Reg claims. The Leaked files – uploaded on BetaArchive website – contains more than 32 terabytes of data, which includes many ...

June 23, 2017

US Secretary of State Rex Tillerson has expressed a willingness to work directly with Russia on cybersecurity and other issues. The proposed partnership is surprising, given the continued controversy over allegations that the Russians interfered with last year’s US presidential election – a serious accusation at the center of an ongoing Congressional inquiry. Secretary of State Tillerson ...

June 22, 2017

WikiLeaks has published a new batch of the ongoing Vault 7 leak, this time detailing a tool suite – which is being used by the CIA for Microsoft Windows that targets “closed networks by air gap jumping using thumb drives,” mainly implemented in enterprises and critical infrastructures. Air-gapped computers that are isolated from the Internet or ...

June 21, 2017

The operation behind the UK government’s Cyber Essentials scheme has suffered a breach exposing the email addresses of registered consultancies, it told them today. The scheme’s badges are required by all suppliers bidding for “certain sensitive and personal information-handling contracts”. Companies were notified of the problem, which leaves them at greater risk of phishing attack, through ...

June 21, 2017

American corporations have a high degree of cybersecurity risk awareness, and yet many enterprises, especially in non-regulated sectors, fall short in their cybersecurity stance.  This is mainly because executives see security as an ROI-less investment mandated by regulation. Even worse, executives suffer from two psychological biases: “We haven’t suffered a breach this year, so no need ...

June 20, 2017

The Server Message Block version 1 (SMBv1) — a 30-year-old file sharing protocol which came to light last month after the devastating WannaCry outbreak — will be removed from the upcoming Windows 10 (1709) Redstone 3 Update. The SMBv1 is one of the internet’s most ancient networking protocols that allows the operating systems and applications to ...

June 20, 2017

Cybercriminals targeting casinos and mining firms in North America have extorted as much as $620,000 per theft during a four-year run in which they threaten victims with the destruction or public release of stolen data. Between 2013 and 2016, mostly Canadian firms were hit with nearly a dozen seemingly unrelated hacks, but after an analysis of the ...

June 20, 2017

‘Do I really need to give this website so much about me?’ That’s exactly what I usually think after filling but before submitting a web form online asking for my personal details to continue. I am sure most of you would either close the whole tab or would edit already typed details (or filled up by browser’s ...

June 20, 2017

A “massive” increase in spending is needed to prevent another “avoidable” cyber attack on NHS computer systems, an expert has warned. A ransomware attack hit 11 health boards in Scotland last month, as well as many other organisations worldwide. Prof Bill Buchanan told MSPs the attack should act as a “wake-up call” to the government and health ...

June 20, 2017

For at least the whole of the current century, militaries have understood the critical role cyberdefense plays in every aspect of operations. Yet most military organizations appear reluctant to train for network defense outside of specialist cyber units. Unlike with land, sea, air and space, cyberwarfare cannot be conducted only by specialists. Mistakes in configuration or ...

June 19, 2017

When we think about critical infrastructures, we tend to think about energy. Whether electric power lines or supplies to oil and gas, cut off access to energy, and our worlds go dark. Though you can certainly argue that other industries are just as critical—pharmaceuticals, food supply and others—it is the energy sector that seems to ...

June 19, 2017

Australia’s top chief executives are more concerned about cyber security threats and are spending more money to defend against them than their global counterparts, according to new research from KPMG. Figures extracted from the big four accounting firm’s latest Global CEO Outlook study showed that 71 per cent of Australian business leaders running companies turning over more than $500 ...

June 19, 2017

Employees are a company’s greatest asset, but also its greatest security risk. “If we look at security breaches over the last five to seven years, it’s pretty clear that people, whether it’s through accidental or intentional introduction of malware, represent the single most important point of failure in terms of security vulnerabilities,” said Eddie Schwartz, chair ...

June 19, 2017

All banks regulated by the European Central Bank (ECB) will be forced to reveal all major cyber security breaches, according to one of the supervisor’s bosses. Starting this summer, banks directly supervised by the ECB will have to “report all significant cyber incidents”, said Sabine Lautenschlaeger, a member of the ECB’s executive board. At a speech in ...

June 16, 2017

The University College London (UCL) has been hit by a major ransomware attack on June 15, with the infection reaching personal and shared drives in the network. UCL admins explained in updates posted on the official website that the infection was most likely possible because of a zero-day, pointing out that antivirus systems failed to detect ...

June 16, 2017

Agencies in the federal government are working to develop tools and software that would automate cybersecurity – essentially, an effort to remove human error from the equation. A new report out by NextGovdetails the automation effort, and why these tools aren’t yet ready for government-wide deployment. Much of the cybersecurity efforts in government currently, revolve around ...

June 16, 2017

A UK-based computer hacker has admitted stealing hundreds of usernames and email addresses from a US military communications system. Sean Caffrey, 25, of Sutton Coldfield in the West Midlands, broke in and pinched the ranks, usernames and email addresses of more than 800 users of a satellite communications system and of about 30,000 satellite phones, back ...

June 15, 2017

European banks could face fines totalling €4.7bn in the three years after General Data Protection Regulation comes into force, according to a report from data security solutions firm AllClear ID. The latest in a string of sales pitches reports on businesses’ preparedness for GDPR to land in The Reg‘s inbox says that banks are not properly ...

June 15, 2017

WikiLeaks has published a new batch of the ongoing Vault 7 leak, this time detailing a framework – which is being used by the CIA for monitoring the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices. Dubbed “Cherry Blossom,” the framework was allegedly designed by the Central Intelligence Agency (CIA) with the ...

June 14, 2017

As part of June’s Patch Tuesday, Microsoft has released security patches for a total of 96 security vulnerabilities across its products, including fixes for two vulnerabilities being actively exploited in the wild. This month’s patch release also includes emergency patches for unsupported versions of Windows platform the company no longer officially supports to fix three Windows ...

June 14, 2017

The United States government has released a rare alert about an ongoing, eight-year-long North Korean state-sponsored hacking operation. The joint report from the FBI and U.S. Department of Homeland Security (DHS) provided details on “DeltaCharlie,” a malware variant used by “Hidden Cobra” hacking group to infect hundreds of thousands of computers globally as part of its ...

June 13, 2017

Mac users are being warned about new variants of malware that have been created specifically to target Apple computers. One is ransomware that encrypts data and demands payment before files are released. The other is spyware that watches what users do and scoops up valuable information. Experts said they represented a threat because their creators were letting anyone ...

June 12, 2017

Researchers have uncovered a new data extraction hole inside air-gapped networks that takes advantage of the blinking LED lights on top of routers to steal data. In a report published last week, researchers at Ben-Gurion University in Israel demonstrated how a router or switch running malware called xLed could use the flashing LED lights as a ...

June 12, 2017

Last December, a cyber attack on Ukrainian Electric power grid caused the power outage in the northern part of Kiev — the country’s capital — and surrounding areas, causing a blackout for tens of thousands of citizens for an hour and fifteen minutes around midnight. Now, security researchers have discovered the culprit behind those cyber attacks ...

June 12, 2017

German police have arrested a man they suspect of being the administrator of a dark net website. The site is said to have been used to buy a gun used in a 2016 mass murder. The unnamed 30-year-old man was arrested on 8 June in “south west Germany”, according to Sky News. The server used to host ...

June 10, 2017

Two weeks ago we reported about a 7-year-old critical remote code execution vulnerability in Samba networking software (re-implementation of SMB networking protocol) that allows a remote hacker to take full control of a vulnerable Linux and Unix machines. To know more about the SambaCry vulnerability (CVE-2017-7494) and how it works, you can read our previous article. At ...

June 9, 2017

Hackers are becoming more and more innovative when it comes to finding ways to infect your computer. This time, you could get infected if you so much as hover your mouse over a link embedded in a malicious PowerPoint file. According to security firm Trend Micro, this technique is employed by a Trojan downloader which has ...





Cyber ReseArch

Cyber News

Cyber info


The content of this CRC-ICS Cyber News Update is provided for information purposes only. No claim is made as to the accuracy or authenticity of the content of this news update or incorporated into it by reference. No responsibility is taken for any information or services which may appear on any linked websites. The information provided is for individual expert use only.



Founded in 2015, the Cyber Research Center - Industrial Control Systems is a not for profit research & information sharing research center working on the future state of Physical & Cyber Protection and Resilience. CRC-ICS goals are to inform industries / critical infrastructures about the fast changing threats they are facing and the measures, controls and techniques that can be implemented to be prepared to deal with these cyber threats.



Cyber Research Center - Industrial Control Systems. 2017

www.crc-ics.net or www.cyber-research-center.net