Threat Intelligence Blog

Posted July 5, 2017

This weekly brief highlights the latest threat intelligence news to provide insight into the latest threats to various industries.


“Three out of four oil and natural gas companies fell victim to at least one cyber attack last year as hacking efforts against the industry become more frequent and sophisticated.

That’s the finding from a report released Monday by industry consultant Deloitte LLP. Technology advances, such as Royal Dutch Shell Plc’s recent control of operations in Argentina from an operating center in Canada, offer new openings for hackers, the authors wrote. At the same time, older equipment retrofitted for cybersecurity, including the pumps known as nodding donkeys, makes it tougher to defend against sophisticated attacks.”



“Michigan-based Airway Oxygen was hit by a ransomware attack in April that may have compromised the data of 500,000 clients, the home medical equipment supplier reported to the U.S. Department of Health and Human Services on Friday.

Airway Oxygen reported the breach to the Vermont Attorney General’s office earlier this month.

According to the official notification, Airway Oxygen discovered the breach on April 18. The hacker gained access to the network and installed ransomware, which shut employees out of the system. Personal health information was stored on the affected network.”

– Healthcare IT News

Information Security

“The second global outbreak of file-encrypting malware in as many months sees cyberattackers having designed potent, rapidly spreading malicious code far faster than organizations have been shoring up their defenses.

On Wednesday, computer security experts were analyzing how ransomware – an apparent variant of previously seen malware known as Petya – first struck organizations in the Ukraine. The malware quickly spread across Europe, Asia and North America, including Russian oil producer Rosneft, a Cadbury chocolate factory in Tasmania and global shipping giant Maersk (see Another Global Ransomware Outbreak Rapidly Spreads).

Microsoft said Tuesday that it had seen infections affecting more than 12,500 machines in 65 countries.

“The new ransomware has worm capabilities, which allows it to move laterally across infected networks,” Microsoft says. “Based on our investigation, this new ransomware shares similar codes and is a new variant of [Petya]. This new strain of ransomware, however, is more sophisticated.””

– Bank Info Security

Financial Services

“Researchers are warning of a new iteration of the sophisticated Marcher banking trojan, capable of targeting over 40 financial applications.

Zscaler explained in a blog post that the latest version of the malware is disguised as an Adobe Flash player update: Adobe_Flash_2016.apk.

The malware will also use social engineering to trick users into disabling security on their Android device and allowing third party apps to install.

Once installed, the malware will hide itself from view and remove any icons on the main menu, before registering the victim’s device and any relevant metadata to its C&C server.”

– InfoSecurity Magazine


“The alleged Vietnamese APT group OceanLotus has evolved its Mac spyware trojan, creating what researchers at Palo Alto Networks are calling “one of the more advanced backdoors we have seen on macOS to date.”

This newer rendition of the backdoor malware has added decoy documents, string encoding, modularity, and custom binary protocol traffic with encryption, while eliminating command-line utilities. Like past versions, the malware is being used primarily within Vietnam itself.

In a blog post published on Thursday, Palo Alto’s Unit 42 threat intelligence team reported that this version has been active for more than a year, and was spotted in the wild as recently as early June 2017. It is not clear from the report exactly when this variant was first discovered.”

– SC Magazine


“Merck missed two critical opportunities earlier this year to inoculate themselves from the vicious cyberattack they suffered this week, roiling operations and raising questions about their lack of preparation to defend themselves.

The June 27 “Petya/NotPetya” cyberattack hit the multinational Merck and several other companies, such as the law firm DLA Piper, shipping giant Maersk, and even a West Virginia hospital, which was forced to scrap its electronic medical records in favor of paper.

The core technology in Petya is called ETERNALBLUE and it was developed by American spy agencies, the Washington Post previously reported. Obviously, it was never intended for wide distribution. It relied on bugs in Windows that Microsoft presumably wasn’t aware of until earlier this year, when a group of still-unknown hackers calling themselves ShadowBrokers allegedly broke into the US NSA and demanded payment in exchange for not releasing the ultra-secret exploits.”

– EndPoints News
