Cyber security weekly summary 8 - 14 May

On May 9 security experts from Trend Micro company published a report about a new Internet of Things (IoT) botnet called Persirai. With the help of searching tool Shodan, the researchers discovered 120 thousand cameras endangered by the malware, which compromises targeted platforms via vulnerability founded in March 2017. The virus was constructed with the partial use of the source code of malware Mirai, which controlled eponymous IoT botnet, infamous for multiple DDoS attacks in 2016.

Swiss company Modzero revealed that a keylogger (malware that records keystrokes) has been installed into some HP notebook and tablet models from since winter 2015. The exact component with the keylogging function is a part of an audio driver made by Conexant, which allows processing input from certain keys. In this case, however, due to the applied diagnostics and debugging features, all the keystrokes are either broadcasted through a debugging interface or written to a log file in a public directory. To protect its customers HP has already published a patch that blocks keylogging ability.

According to Reuters, Russia-backed hackers are responsible for cyber operations aimed at the energy industry in Baltics region. As interviews with multiple law-enforcement and private investigators and insiders revealed, the hackers have been penetrating Baltic networks for more than two years. The incidents ascribed to these actors include previously unrecorded cases of DDoS attacks from 2015. The technique was used against the infrastructure of the Baltic petrol-distribution system and an internet gateway used to control a local electricity grid. A separate malware-based campaign against another undisclosed local grid was also mentioned. The used virus was designed to target network devices (serial-to-ethernet converters), which enable communication between industrial control systems and standard computers. The NATO representatives are concerned that such activities are meant for probing for the critical infrastructure networks weaknesses, which could be used later for its complete shutdown as in the case of Ukrainian power grid attacks in 2015 and 2016.

Friday12 May marked the start of global ransomware campaign that hit hundreds of thousands users in more than 150 world countries. The virus known as WannaCry severely incapacitated British public health sector, and many other institutions like the Russian Ministry of Interior, the Spanish branch of Telefonica phone company and car manufacturer Renault, which was forced to stop production across several of its European plants. The spread of the virus was curbed by a security patch that was issued for older Windows versions and by the information that the malware connects to a certain unregistered domain, which served as a built-in kill switch. The reason why the attackers built in the kill switch was not known, but it allowed for a quick and short-term solution of the spread. Apart from common PC's WannaCry also infected at least one specialised medical device running on the Windows Embedded platform. The perpetrators are still unknown, however, based on the analyses of the campaign, North Korean APT group Lazarus is aong the suspects.

About author: Roman Šulc

Partners

Tento web používá k analýze návštěvnosti soubory cookie. Používáním tohoto webu s tím souhlasíte. Další informace