Threat Intelligence Blog

Posted July 24, 2018

This weekly brief highlights the latest threat intelligence news to provide insight into the latest threats to various industries.


“House Democrats recently requested the U.S. Government Accountability Office (GAO) to investigate cybersecurity issues related to the U.S. electricity grid. The request appears to be in reaction to multiple attacks against U.S. infrastructure components that have been launched by hackers from Russia, China, Iran and North Korea, the lawmakers said, citing the Department of Homeland Security. These hackers have been implicated in attacks against U.S. nuclear power plants and other elements of the electric grid. In 2017, DHS issued a directive banning the use of Moscow-based Kaspersky Lab computer security products by U.S. government agencies due to concerns that Russian intelligence agencies may influence the company. However, this directive does not apply to the operators of U.S. public utility companies. In the letter, the Democratic lawmakers are asking the GAO to evaluate cybersecurity risks to the electric grid. They also want to know if electric utilities have cybersecurity staff and training and whether they are employing best practices and implementing cybersecurity standards. Further, they want to know if these utilities use Kaspersky Lab products.”



“Researchers have released a vaccine app that blocks the GandCrab ransomware from taking root and encrypting users’ files. This vaccine app works by creating a special file on users’ computers that the GandCrab ransomware checks before encrypting user data. This file is named [hexadecimal-string].lock and is saved. The hexadecimal ID is generated based on the computer’s volume information of the root drive and a custom Salsa20 algorithm and is unique per user. GandCrab creates this file to know if a computer has already been infected and prevent users from running the ransomware executable twice and double-encrypting and permanently destroying their data. The vaccine app can create this file in advance, before a user might get infected, hence tricking the ransomware into thinking it has already locked the victim’s data. Unfortunately, this vaccine app works only with the latest version of the GandCrab ransomware, version 4.1.2, the version that’s currently distributed in the wild since this week, July 17.”
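The marker-file mechanism described above, modelled as an added example (not code from the original post or from the researchers' vaccine app). The real ID derivation (root-volume information plus a custom Salsa20 routine) is not on the page, so a keyed SHA-256 stands in for it, and the `variant` parameter is an assumption used to show why the vaccine is tied to one version: if a later build changes the derivation, the pre-created file is simply not the file it looks for.

```python
import hashlib
import os
import re
import tempfile

# Stand-in for the marker-name derivation (assumption, not GandCrab's real
# routine): a keyed SHA-256 over the root volume serial. `variant` models a
# ransomware build changing its derivation, which is why the vaccine only
# covers the version it was written against (4.1.2 per the post).
def derive_marker_name(volume_serial: str, variant: str = "4.1.2") -> str:
    digest = hashlib.sha256(f"{variant}|{volume_serial}".encode()).hexdigest()
    return f"{digest[:16]}.lock"

def marker_path(root: str, volume_serial: str, variant: str = "4.1.2") -> str:
    return os.path.join(root, derive_marker_name(volume_serial, variant))

def apply_vaccine(root: str, volume_serial: str, variant: str = "4.1.2") -> str:
    """Pre-create the 'already infected' marker so the ransomware's own
    double-encryption guard makes it skip this machine. Returns the path."""
    path = marker_path(root, volume_serial, variant)
    with open(path, "a"):  # create if missing, never truncate an existing one
        pass
    return path

def marker_present(root: str, volume_serial: str, variant: str = "4.1.2") -> bool:
    """The existence test the ransomware performs before encrypting."""
    return os.path.isfile(marker_path(root, volume_serial, variant))

HEX_LOCK = re.compile(r"^[0-9a-f]{16}\.lock$")

def find_lock_markers(root: str) -> list:
    """Defender's inventory: hex-named .lock files at the volume root, which
    are either a vaccine or the trace of an earlier infection."""
    return sorted(n for n in os.listdir(root) if HEX_LOCK.match(n))

def demo(volume_serial: str = "1A2B-3C4D") -> tuple:
    """Run the scenario in a temp dir (stands in for C:\\); serial is constructed."""
    with tempfile.TemporaryDirectory() as root:
        apply_vaccine(root, volume_serial)
        return (
            marker_present(root, volume_serial),           # True: 4.1.2 skips us
            marker_present(root, volume_serial, "4.2.0"),  # False: new derivation
            find_lock_markers(root) == [derive_marker_name(volume_serial)],
        )

if __name__ == "__main__":
    print(demo())  # (True, False, True)
```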


Information Security Risk

“Hackers have stolen personal data in Singapore belonging to some 1.5 million people, or about a quarter of the population, officials say. They broke into the government health database in a “deliberate, targeted and well-planned” attack, according to a government statement. Those targeted visited clinics between 1 May 2015 and 4 July of this year. Data taken include names and addresses but not medical records, other than medicines dispensed in some cases. “Information on the outpatient dispensed medicines of about 160,000 of these patients” was taken, the statement says. “The records were not tampered with, i.e. no records were amended or deleted. No other patient records, such as diagnosis, test results or doctors’ notes, were breached. We have not found evidence of a similar breach in the other public healthcare IT systems.” The data of a senior Singapore government official, including information on his outpatient dispensed medicines, was “specifically and repeatedly targeted”.”


Operational Risk

“A notorious hacker group known as MoneyTaker has stolen roughly $1 million from a Russian bank after breaching its network via an outdated router. The victim of the hack lost at least $920,000 in money it had stored in a corresponding account at a separate Russian bank. A Russian cyber-security firm that was called in to investigate the incident, says that after studying infected workstations and servers at the affected bank, they collected “irrefutable digital evidence implicating MoneyTaker in the theft.” Experts tied the group to thefts at US, UK, and Russian banks and financial institutions going back as far as 2016. According to researchers, the MoneyTaker attacks that hit banks were focused on infiltrating inter-banking money transfer and card processing systems such as the First Data STAR Network and the Automated Work Station Client of the Russian Central Bank (AWS CBR) system.”
