The Monday Media Wrap Up: Threat Intelligence Sharing, Petya Ransomware, and WannaCry


Articles from June 24-30

Don’t panic, but Linux’s Systemd can be pwned via an evil DNS query

The Register | Shaun Nichols | June 29, 2017

Systemd, the Linux world’s favorite init monolith, can be potentially crashed or hijacked by malicious DNS servers. Patches are available to address the security flaw, and should be installed ASAP if you’re affected. Looking up a hostname from a vulnerable Systemd-powered PC, handheld, gizmo or server can be enough to trigger an attack by an evil DNS service: the software’s resolved component can be fooled into allocating too little memory for a lookup response, and when a large reply is eventually received, this data overflows the buffer, allowing the attacker to overwrite memory. This can crash the process or lead to remote code execution, meaning the remote evil DNS service can run malware on your box. “A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that’s too small, and subsequently write arbitrary data beyond the end of it,” explained Chris Coulson, of Ubuntu maker Canonical, who discovered the out-of-bounds write in systemd-resolved.
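The bug class described above is a length mismatch: the buffer is sized from one value the remote server controls (the declared length) while the copy into it is sized from another (the bytes that actually arrived). The C below is an added illustration, not code from systemd-resolved or from the article; it models a hypothetical, simplified length-prefixed TCP reply (two big-endian length bytes then the message, not the real DNS wire format) and shows the vulnerable allocate-by-one-length, copy-by-another pattern next to a hardened parser that treats any disagreement between the two lengths as a protocol error and drops the reply. Sample frames are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified framing (hypothetical, for illustration only):
 * a 2-byte big-endian length field followed by the message body. */

typedef struct {
    uint8_t *msg;   /* heap copy of the message body */
    size_t   len;   /* number of valid bytes in msg */
} dns_reply_t;

/* VULNERABLE PATTERN (never called with a mismatched frame here): the
 * allocation is sized by the length field the remote server sent, but the
 * copy is sized by how many bytes actually arrived. A server that declares
 * a small length and then sends a large body makes memcpy() write past the
 * end of the heap buffer, which is the shape of bug the article describes. */
int parse_reply_vulnerable(const uint8_t *frame, size_t frame_len, dns_reply_t *out)
{
    if (frame_len < 2) return -1;
    size_t declared = ((size_t)frame[0] << 8) | frame[1];
    size_t received = frame_len - 2;
    out->msg = malloc(declared);             /* sized by the remote's field */
    if (out->msg == NULL) return -1;
    memcpy(out->msg, frame + 2, received);   /* bug: bounded by received, not declared */
    out->len = received;
    return 0;
}

/* HARDENED: both lengths are compared before any allocation or copy, and
 * the copy is bounded by the same value used to size the buffer. */
int parse_reply_safe(const uint8_t *frame, size_t frame_len, dns_reply_t *out)
{
    out->msg = NULL;
    out->len = 0;
    if (frame_len < 2) return -1;
    size_t declared = ((size_t)frame[0] << 8) | frame[1];
    size_t received = frame_len - 2;
    if (declared == 0 || declared != received) return -1;  /* length mismatch: drop */
    out->msg = malloc(declared);
    if (out->msg == NULL) return -1;
    memcpy(out->msg, frame + 2, declared);   /* bounded by the allocation size */
    out->len = declared;
    return 0;
}

void free_reply(dns_reply_t *r)
{
    free(r->msg);
    r->msg = NULL;
    r->len = 0;
}

/* Parse a frame with the hardened parser and return its result code,
 * releasing any buffer it allocated. */
int check_frame(const uint8_t *frame, size_t frame_len)
{
    dns_reply_t r;
    int rc = parse_reply_safe(frame, frame_len, &r);
    free_reply(&r);
    return rc;
}

/* Constructed sample frames */
static const uint8_t GOOD_FRAME[] = { 0x00, 0x04, 'a', 'b', 'c', 'd' };            /* declares 4, carries 4 */
static const uint8_t EVIL_FRAME[] = { 0x00, 0x02, 'a', 'b', 'c', 'd', 'e', 'f' };  /* declares 2, carries 6 */

int main(void)
{
    printf("good frame: %s\n", check_frame(GOOD_FRAME, sizeof(GOOD_FRAME)) == 0 ? "accepted" : "rejected");
    printf("evil frame: %s\n", check_frame(EVIL_FRAME, sizeof(EVIL_FRAME)) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The defensive rule generalizes beyond this toy framing: any size read from the wire must be validated against what is actually in hand before it drives an allocation, and the subsequent write must be bounded by the same number that sized the buffer.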

Barracuda Sentinel Uses AI to Detect Spear Phishing Attacks

eWeek | Sean Michael Kerner | June 29, 2017

Asaf Cidon sold his security startup Sookasa to Barracuda in March 2016 and has been busy helping to build new technologies for Barracuda ever since. One of those new technologies was announced on June 28, with the debut of the Barracuda Sentinel service designed to help detect spear phishing and improve email security. “Our team from Sookasa has been working on communication and content security, which led us to this new product, Barracuda Sentinel,” Cidon told eWEEK. “Sentinel leverages a lot of the work we had already done using the APIs of cloud services.” The new Barracuda Sentinel service uses machine learning and artificial intelligence technology to help identify potentially malicious email attacks and targeted spear phishing. Cidon said that Sentinel uses a combination of different machine learning technologies, including Apache Spark, to conduct analysis of email messages.

5 Things Marketers Should Do After the Next Cyberattack (And There Will Be a Next One)

AdAge | Steven Wolfe Pereira | June 29, 2017

The week after Cannes typically involves recovering from too much rosé, following up on some great meetings and, for a lucky few, perhaps an extended holiday. A worldwide cyberattack was not part of the agenda for folks across adland. It’s a sobering reality that most brands and agencies are not prepared for. This is an industry wake-up call. Cybersecurity is a $445 billion problem, and some predict that figure could rise to $6 trillion by 2021. CEOs and boards are rightfully worried about the risks to their business: a March 2017 report by executive search firm SpencerStuart found that 39% of board directors said they discuss cybersecurity at every meeting and that 40% of respondents reported their board has at least one director with cyber expertise. An additional 7% are in the process of recruiting one.

‘Petya’ Ransomware Hits At Least 65 Countries; Microsoft Traces It To Tax Software

NPR | Bill Chappell | June 28, 2017

The “Petya” cyberattack that has now struck computers in at least 65 countries can be traced to a Ukrainian company’s tax accounting software, Microsoft says. “We saw the first infections in Ukraine — more than 12,500 machines encountered the threat,” Microsoft says. “We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.” The complexity of the attack has fueled debate over whether the malware is a new threat or a more sophisticated version of the Petya malware that was used in an attack last spring. But Microsoft says the ransomware is “a new variant” of Petya, adding that it has issued new security updates to protect computers running its Windows software. Other anti-virus companies have also updated their software, in an attempt to limit the damage.

Cybersecurity firm Trend Micro announces $100M startup fund

TechCrunch | Jon Russell | June 27, 2017

Security firm Trend Micro is the latest corporate to jump into the startup investment world after it unveiled a $100 million corporate fund today. It is predominantly looking at opportunities in the internet-of-things (IoT) space, but the exact scope of how it will operate is not clear. The company is headquartered in Japan and listed on the Tokyo Stock Exchange, where its current value is around $7.5 billion, but it was initially founded in the U.S. in 1988. Today it is present in over 50 countries, with over 5,000 staff, and is best known for IT security products that include threat detection and antivirus. Now it is looking to the startup world for fresh ideas, innovation and approaches. The idea, in its own words, is “to dive into new areas without disrupting core business resources.”

Petya Or NotPetya: Why The Latest Ransomware Is Deadlier Than WannaCry

Forbes | Thomas Fox-Brewster | June 27, 2017

The world suffered another ransomware nightmare Tuesday, with pharmaceutical companies, Chernobyl radiation detection systems, the Kiev metro, an airport and banks all affected. One U.S. hospital also appears to be a victim. Worse is expected, thanks to some pernicious features in the ransomware sample. The malware widely believed to be responsible is a version of Petya which security researchers are calling “NotPetya.” It’s similar to Petya, but different enough to qualify as an entirely new form of ransomware, researchers say. Backing up NotPetya is an exploit method borrowed from a leaked NSA hack called EternalBlue, the same which WannaCry used to infect hundreds of thousands of computers and take down hospital networks. Though with the new strain, only computers on a local network are scanned, not the entire internet, as WannaCry attempted. That’s cause for embarrassment among infected companies: Microsoft released a patch earlier this year which prevented any EternalBlue hacks, even pushing out updates for older, unsupported Windows systems like XP. Businesses should have patched by now, especially given the carnage WannaCry caused.

Cyber attack sweeps globe, researchers see ‘WannaCry’ link

Reuters | Jack Stubbs, Pavel Polityuk and Dustin Volz | June 27, 2017

A major global cyber attack on Tuesday disrupted computers at Russia’s biggest oil company, Ukrainian banks and multinational firms with a virus similar to the ransomware that last month infected more than 300,000 computers. The rapidly spreading cyber extortion campaign underscored growing concerns that businesses have failed to secure their networks from increasingly aggressive hackers, who have shown they are capable of shutting down critical infrastructure and crippling corporate and government networks. It included code known as “Eternal Blue,” which cyber security experts widely believe was stolen from the U.S. National Security Agency (NSA) and was also used in last month’s ransomware attack, named “WannaCry.” “Cyber attacks can simply destroy us,” said Kevin Johnson, chief executive of cyber security firm Secure Ideas. “Companies are just not doing what they are supposed to do to fix the problem.” The ransomware virus crippled computers running Microsoft Corp’s (MSFT.O) Windows by encrypting hard drives and overwriting files, then demanded $300 in bitcoin payments to restore access. More than 30 victims paid into the bitcoin account associated with the attack, according to a public ledger of transactions. Microsoft said the virus could spread through a flaw that was patched in a security update in March. “We are continuing to investigate and will take appropriate action to protect customers,” a spokesman for the company said, adding that Microsoft antivirus software detects and removes it.

Threat Intelligence Sharing: The New Normal?

Dark Reading | Danelle Au | June 23, 2017

The spirit of cooperation seems to be taking hold as demonstrated by the growing number of thriving services and organizations whose sole purpose is to analyze specific threats against specific communities. “When bad men combine, the good must associate; else they will fall, one by one, an unpitied sacrifice in a contemptible struggle” – Edmund Burke. This quote from Edmund Burke in Thoughts on the Cause of Present Discontents, was meant to be a political statement in 18th century England, when the Whigs and Tories were dominant. But many centuries later, it’s an appropriate call-to-action for those of us in the cybersecurity industry to collaborate and share. The kind of sharing I mean is when you give the IT security community information about the attacks you’re seeing against your own organization. When you do that, that data becomes useful to everyone as threat intelligence. Gartner describes threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” In other words, threat intelligence is the stuff that informs the good guys about how the bad guys operate. It helps the IT security community learn how the hackers operate, and how they might attack a given organization.
