The Monday Media Wrap Up: WannaCry Cyberattack, Ransomware Attack, and Login-Stealing Phishing Sites


Articles from June 10-16

U.K. Says North Korea Behind WannaCry Cyberattack

The Wall Street Journal | Stu Woo | June 16, 2017

British intelligence officials believe that a group linked to North Korea perpetrated last month’s massive cyberattack, which crippled computer networks at British hospitals and other organizations around the world, a person familiar with the investigation said Friday. South Korea and some major cybersecurity firms have previously concluded the attack was perpetrated by the North Korean hacking group, dubbed “Lazarus,” which had previously been implicated in the 2014 hacking of Sony Entertainment. Most other governments, including British officials, haven’t publicly commented on any conclusions about who they believe was responsible for the attack. South Korean officials believe the Lazarus group is part of North Korea’s cyber-attacking operation. North Korea has denied involvement in the Sony hacking and last month’s attack. May’s cyberattack used a worm called WannaCry, which locked hundreds of thousands of computers around the world and demanded payment to unlock them. The attack hit dozens of Britain’s National Health Service organizations, including hospitals. British officials conducted similar detective work as cybersecurity firms to determine who was responsible for the attack. That involved examining WannaCry’s code for similarities to worms used in previous attacks. They also used tools unavailable to private researchers, the person familiar with the investigation said, and are now confident the attacker was the North Korean group.

Ransomware Attack On University College London Causes Student And Staff Disruption

Silicon UK | Roland Moore-Coyler | June 15, 2017

Students and academic staff from University College London (UCL) are facing disruption after a ransomware attack encrypted shared and networked files belonging to the university. Silicon was first informed of the cyber attack by a source familiar with the issue, but further details later emerged that the attack appears to have occurred through the exploitation of a zero-day flaw. UCL has warned staff and students that they may face “very substantial disruption” from the ransomware attack as the university has shut off access to the infected drives in a bid to tackle the attack and will then likely restore the drives back to a previous working state; this could lead to a loss of data and thus add further disruption into the mix. Details on the attack remain unclear; UCL informed Silicon that it is still looking into the attack.

Login-stealing phishing sites conceal their evil with lots of hyphens in URL

Ars Technica | Sean Gallagher | June 15, 2017

Researchers at PhishLabs recently spotted a trend emerging in malicious websites presented to customers: mobile-focused phishing attacks that attempt to conceal the true domain they were served from by padding the subdomain address with enough hyphens to push the actual source of the page outside the address box on mobile browsers. “The tactic we’re seeing is a tactic for phishing specifically mobile devices,” said Crane Hassold, a senior security threat researcher at PhishLabs’ Research, Analysis, and Intelligence Division (RAID). Hassold called the tactic “URL padding,” the front-loading of the Web address of a malicious webpage with the address of a legitimate website. The tactic, he said, is part of a broad credential-stealing campaign that targets sites that use an e-mail address and password for authentication; PhishLabs reports that there has been a 20 percent increase overall in phishing attacks during the first quarter of 2017 over the last three months of 2016. The credentials are likely being used in other attacks based on password reuse. The phishing attacks that PhishLabs RAID has observed thus far “target primarily Facebook,” Hassold said. Apple, Comcast, Craigslist, and OfferUp have also been spoofed by the campaign. The Web addresses used for the phishing pages are hosted on sites using legitimate domain names that have been compromised. The spoofed addresses also show that the attack is focusing on mobile users, Hassold noted, as they use the URL for the mobile versions of the sites they target, such as: The technique was first spotted in a few phishing attacks in January, according to Hassold. “It ramped up in March, and has been pretty heavy since.”
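A defender-side check for the "URL padding" pattern described above, as an added example that is not code from the article or from PhishLabs. The brand host list, the hyphen-run threshold, the two-label registrable-domain shortcut and the sample URLs are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed watch list: hostnames of brands the article names as spoofed.
BRAND_HOSTS = ("m.facebook.com", "facebook.com", "apple.com", "craigslist.org")
MIN_HYPHEN_RUN = 4  # assumed threshold; ordinary hostnames rarely chain hyphens


def registrable_domain(host):
    # Simplification (assumption): the last two labels. Production code
    # should consult the Public Suffix List instead.
    return ".".join(host.split(".")[-2:])


def longest_hyphen_run(text):
    best = run = 0
    for ch in text:
        run = run + 1 if ch == "-" else 0
        best = max(best, run)
    return best


def check_url(url):
    """Return the host, its registrable domain and any URL-padding findings."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    reg = registrable_domain(host)
    subdomain = host[: len(host) - len(reg)].rstrip(".")
    findings = []
    for brand in BRAND_HOSTS:
        boundary = host[len(brand):len(brand) + 1]
        # Brand hostname is front-loaded, but the page is served from elsewhere.
        if (host.startswith(brand) and boundary in ("", "-", ".")
                and reg != registrable_domain(brand)):
            findings.append("front-loaded brand: " + brand)
            break
    if longest_hyphen_run(subdomain) >= MIN_HYPHEN_RUN:
        findings.append("hyphen padding in subdomain")
    return {"host": host, "served_from": reg, "findings": findings}


# Constructed sample URLs (reserved .example names, not real indicators).
SAMPLES = [
    "http://m.facebook.com----------------validate----step1.compromised-site.example/sign_in.html",
    "https://m.facebook.com/login",
    "https://apple.community-forum.example/help",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(check_url(url))
```

The `served_from` field is the part a narrow mobile address bar pushes out of view, so surfacing it in mail or proxy logs is what makes the padded URLs stand out.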

Why the solution to ransomware may be predictive analytics

Enterprise Apps Tech | Rick Delgado | June 14, 2017

Ransomware is quickly becoming a problem for both businesses and personal computer users. It is also becoming more sophisticated; users may not even have to click or download something to become victim to this scam. Ransomware can spread between networked PCs and servers quite quickly, which leaves the owners of these machines at the mercy of hackers demanding money for access to the owners’ most valuable files. As these threats to steal information and hold technology hostage become more real, so does the need for a way to stop such attacks. Predictive analytics may be the key to preventing ransomware from getting a hold on computers and servers. Here are several reasons why predictive analytics may be the most essential tool to use when trying to avoid ransomware.

Microsoft Windows XP Gets More Updates To Avoid Another WannaCry Nightmare

Forbes | Thomas Fox-Brewster | June 13, 2017

Microsoft just did the internet another solid. After the NSA cyberweapon-powered WannaCry ransomware epidemic of last month, the company said it wanted to help users of all its operating systems avoid another catastrophe and so it’s providing updates to those on unsupported software this Patch Tuesday, including the now-geriatric Windows XP. The tech giant was a little mysterious about just why it was providing more patches for Windows XP; it had already issued emergency fixes for the supposedly out-of-service OS in the midst of the WannaCry outbreak. In one of Microsoft’s two blog posts on the new patches, handed to Forbes ahead of their publication, one detail stood out: that the vulnerabilities being addressed were “at heightened risk of exploitation due to past nation-state activity and disclosures.” Another blog post read: “Due to the elevated risk for destructive cyberattacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt.”

Cyber Experts Identify Malware That Could Disrupt U.S. Power Grid

The Wall Street Journal | Robert McMillan | June 12, 2017

Computer-security researchers said Sunday they have discovered the malicious software that knocked out electricity in Ukraine’s capital last year, and warned U.S. companies that the code could be repurposed to disrupt systems in the U.S. The discovery sheds light on an incident that security experts have been watching closely, hoping to understand the risk to the U.S. electrical grid. It follows a 2014 cyber-campaign against the U.S. in which networks at 17 energy companies, including four electric utilities, were compromised. The malicious software, called Crashoverride, has been analyzed over the past week by Dragos Inc., a Washington, D.C., firm specializing in securing the industrial-control systems in manufacturing plants or power facilities. Robert M. Lee, Dragos’s chief executive, said the software was discovered earlier this year by ESET, a Slovakia-based antivirus vendor. ESET obtained the sample through the company’s “regular research channels, which include victims, established malware sample sharing platforms, public sources and our own detection technology,” a company spokeswoman said Monday. U.S. officials have expressed concern about cyberattacks on the industrial-control systems that run power plants and factory systems. Software specifically designed to infect these systems is relatively rare, however—Crashoverride is only the fourth example, according to Dragos.

Spyware- and Ransomware-as-a-Service Target Macs

Infosecurity Magazine | Tara Seals | June 12, 2017

A free malware-as-a-service (MaaS) platform known as MacSpy and a ransomware-as-a-service (RaaS) program dubbed MacRansom have both been purpose-built to appeal to bad actors lacking in technical expertise. According to AlienVault, running MacSpy is as simple as emailing its authors for a ZIP file. Once unpacked, the service launches. It collects and exfiltrates data, including photos, audio files, clipboard content and browser information, and it can take screenshots and log keystrokes. All of the information can be viewed via a web portal hosted on TOR. “Upon execution, successfully passing the anti-analysis checks and setting persistence, the malware then copies itself and associated files from the original point of execution to ~/Library/.DS_Stores/ and deletes the original files in an attempt to stay hidden from the user,” AlienVault researcher Peter Ewane explained. “The malware then checks the functionality of its tor proxy by utilizing the curl command to contact the command and control server. After connecting to the CnC, the malware sends the data it had collected earlier, such as system information, by sending POST requests through the TOR proxy. This process repeats again for the various data the malware has collected. After exfiltration of the data, the malware deletes the temporary files containing the data it sent.”
