By The CyberWire Staff
M.E. Doc, patient zero of NotPetya?
Ukrainian authorities think it was. On Tuesday they raided Intellect Service, whose M.E. Doc tax accounting software is believed to be the initial source of Petya/Nyetya/NotPyeta (which we'll henceforth call simply "NotPetya") and seized servers the authorities believe were primed to release a second wave of the non-ransomware (Talos). Intellect Service says it's not responsible for the malware, that its networks had been compromised by hackers (Reuters). For all the patch-now advice the incident has prompted, the attackers' choice of a compromised software update as their infection mechanism seem, retrospectively, unpleasantly clever (WIRED) and ironic, given reports of laggard updating in Intellect Service's servers (Bleeping Computer). Ukraine continues to blame the Russian government (Statement of Interior Minister Arsan Arvakov), which attribution, of course, Russia continues to deny (Fifth Domain | Cyber).
The relatively small amount of ransom paid in the course of this global attack (a bit more than $10,000 since the beginning of the attack, according to reports) was moved on Tuesday from the Bitcoin wallet nominally established to collect payment. People who claimed responsibility for the malware surfaced in dark web chatrooms to offer decryption for 100 Bitcoin (slightly more than $260,000), but their offer was met with general skepticism (Bleeping Computer).
Motherboard got in touch with the offerers to arrange a demonstration of their ability to decrypt affected files, but the demonstration was too limited to carry conviction. The analysts the publication consulted concluded that the people who demonstrated decryption had some connection to the malware, and that the demonstration showed there might be some possibility, in principle, of decryption. As Motherboard put it, "The capability to decrypt a single file shows the hackers are connected to the NotPetya attack, but that does not necessarily mean they will be able to decrypt files en masse." Security experts as a whole continue to regard NotPetya as being functionally intent upon disruption, not extortion, and that victims remain very unlikely to recover their files by paying the ransom (Computing).
It appears there was some attempt at misdirection in the NotPetya campaign. FakeWannaCry, a secondary attack also staged through M.E. Doc servers, represented itself as "made in China." Kaspersky assesses this as a false flag (SecureList).
With the latest "Petya/PetrWrap ransomware" outbreak on the rise, are you protected?
Learn how to detect and respond to "Petya/PetrWrap ransomware" with AlienVault USM.
NotPetya recovery.
Affected firms' recovery from NotPetya continued this week, but slowly and painfully (SC Magazine). The shipping industry in particular appears to be taking the lessons of NotPetya to heart, especially as the industry increasingly depends upon robotic material handling equipment in ports and on more widespread use of autonomous vehicles (Freight Waves). Some of the sector's self-examination has found lapses in cyber hygiene and indifferently crafted, poorly exercised resilience and recovery plans (Splash 24/7).
Maersk, the shipping industry leader that was particularly troubled by NotPetya, is not among those companies who found deficiencies in their security practices. "There was nothing in terms of patches that we missed, there was no cyber security measures that we didn't take, so we were already in quite a strong position," Robbert van Trooijen, Maersk's Asia Pacific chief executive said in a call to reporters early Friday. Van Trooijen also said that Maersk did not believe it was specifically targeted, so in the company's view the incident was the adventitious result of a global infestation. Maersk says it's too soon to quantify the malware's effect on quarterly revenue. The company said the disruptions it experienced had little effect on the physical handling of cargo. Instead, NotPetya's effect on the seventy-six ports the Maersk operates was to disrupt documentation and data flow, including customs and cargo release processes, which led to congestion and caused some customers to cancel orders. How many cancellations isn't clear, yet. Maersk continues to assess the damage (Reuters).
FedEx, which experienced disruptions to its TNT Express unit, said Thursday that "All TNT depots, hubs and facilities around the globe are open, operational and working to quickly clear any backlogs, and most TNT services are now available." The company also stressed that it had not sustained a data breach, and that customer information remained secure. Recovery continues, and, while it's too soon for the shipping company to assess the financial impact of the incident, "it could be material" (FedEx). TNT Express is a Netherlands-based courier company FedEx acquired in May 2016.
Manufacturing was also hit, and companies have yet to fully recover in that sector, either: consumer goods company Reckitt Benckiser said Thursday that manufacturing disruption by NotPetya had cost it, so far, £100 million (Computing). (UK-based Reckitt Benckiser produces several familiar brands, including Dettol, Harpic, Gaviscon, Cillit Bang, Clearisil and Durex.) Mondelez, best known for its Cadbury chocolate subsidiary, also said it had lost money in the incident (Independent). Unlike Reckitt Benckiser, Mondelez says it believes it will make up the revenue in future quarters (Computing).
Information is harder to come by with respect to NotPetya's effect on big pharma's Merck, but the company has said that they "see no indication that the company's data have been compromised." Merck has also said, "Government authorities working with us have confirmed that the malware responsible for the attack contained a unique combination of characteristics that enabled it to infect company systems despite installation of recent software patches," essentially the same note Maersk sounded about patching (Science).
The companies who sustained NotPetya infections found their IT far more affected than their OT. That, of course, could change with subsequent evolution of such threats. Another thing that's likely to change is the economics of risk transfer. Insurance companies have so far not seen crippling payouts, even in attacks like WannaCry or NotPetya, but the possibility of more widespread and destructive campaigns is making insurers queasy (Denver Post).
The author of the original Petya ransomware released a decryption key for his malware on Wednesday. It won't help you with NotPetya, now clearly an entirely distinct attack (Threatpost).
Compliance risk can be a business killer.
Regulations, laws, and the standards of care that follow them are shifting rapidly, struggling to keep up with new technologies and a continually changing threat landscape. In this increasingly complex environment, how can organizations manage risk systematically and effectively? Learn more about how organizations are achieving situational awareness, while automating the labor-intensive tasks associated with managing IT risk and compliance.
Persistent worries about attacks on US nuclear power facilities.
Cyberattackers operating against Ukraine have consistently returned to portions of that country's electrical power grid. This pattern has lent concern to reports this week, sourced to the US FBI and Department of Homeland Security, that US nuclear power generating facilities had themselves come under cyberattack (New York Times). Industry representatives were quick to assert that their critical systems had not been compromised, and indeed that no penetrations of note had been observed. It seems that, if there were any hacking attempts, they were probably confined to business as opposed to operational systems, and that even with respect to business systems, it's not clear that the attackers had much success. Suspicion turns to Russia, but authorities aren't even close to attribution (NBC News).
The warning was issued in the course of work to defend US enterprises from the NotPetya pandemic, and media quickly picked up the mention-in-dispatches of the Wolf Creek nuclear power plant in Kansas as among the possible targets (WIRED). It would be unwise to dismiss the story as alarmist, with interest in it driven by the association of "nuclear" with "hacking" during a period of heightened tension and alert, but so far at least there seems to be little immediate danger. Nonetheless, a concern: most observers agree that there are a great many vulnerabilities in power generation and distribution systems (CSO).
Medical device manufacturers must lead on cybersecurity in an increasingly connected healthcare system.
While connected medical devices provide patients and physicians with technology to better manage chronic conditions, improve outcomes and reduce overall cost of care, it also increases cybersecurity risk exposure. In a new white paper, The Chertoff Group and Abbott evaluate the risk-benefit tradeoff of connected medical device use and identify ways for the medical device industry to come together and implement trusted security measures that will anticipate and address emerging cyber challenges.
WannaCry and NotPetya: with de-worming still in progress, let the blaming begin.
A measured scorecard of blame for recent non-ransomware worm infestations is taking shape. There's plenty to go around: the North Koreans, the Russians, enterprises who blow off patching, vendors who develop vulnerable software, NSA (for not being able to keep its exploits to itself)...as Hamlet asked, "use every man after his desert, and who should 'scape whipping?" Not that anyone advocates whipping, but there's much scope here for self-examination (and in the case of the DPRK and the Two Bears, much scope for rebuke). In any case, the episodes should prompt some serious introspection, and some think that, while it ought to start with the Vulnerability Equities Process, it shouldn't end there (CipherBrief).
Most observers are inclined to credit Ukraine's suspicions, and other governments remain wary of Russian intentions. Germany, for one, expects to be on the receiving end of attempts to disrupt its September elections. That country's domestic security service doesn't think there will be an effort to support one candidate over another, but rather that hostile actors—read, "Russia" will seek generally to discredit German political institutions (Fifth Domain | Cyber).
NATO's Cooperative Cyber Defense Center of Excellence (CCDCOE) has been conducting its own inquiry into NotPetya (Guardian). Their sense is that it's the work of a state actor, although the Tallinn-based organization didn't specify which state. A statement issued by the CCDCOE did point out that, in principle, an attack like NotPetya could fall under the collective defense provisions of Article 5.
In Poland Wednesday President Trump reaffirmed US commitment to NATO, notably to Article 5, and called out "cyberwarfare" as one of the challenges the Alliance needed to address (NBC News). At the G20 meetings in Hamburg Presidents Trump and Putin had a longer than expected private meeting, which the US President is said to have opened, unexpectedly, by pressing President Putin on Russia's election meddling, which of course the Russian President denied. (Mr. Putin later remarked that the whole G20 seemed entirely satisfied that Russia wasn't at all up to no good.) US Secretary of State Tillerson later suggested disagreement over the issue between the two countries may be "intractable" (New York Times). This did not prevent the two presidents from mooting the idea of cooperation on cybersecurity (Reuters). Vague and aspirational, the suggestion has drawn poor reviews (Reuters).
What do AI and machine learning mean for cybersecurity?
We hear about them everywhere in cybersecurity. They sound cutting-edge, but what do they mean? And what value do they add? Find out exactly how significant AI and machine learning are, and how small nuances in their use can make a big difference.
More Vault7 leaks.
On Thursday WikiLeaks continued its weekly dump of alleged CIA tools with documents purporting to describe two implants, "Gyrfalcon" (for Linux) and "BothanSpy" (for Windows) (HackRead). As has been the case with the ShadowBrokers' releases, there's no plausible public explanation yet of how WikiLeaks is getting its material.
Anonymized data remain personal data (under some circumstances).
The UK's Information Commissioner's Office (ICO) ruled this week that the Royal Free National Health System Trust illegally shared data with Google's DeepMind. Although the data were anonymized, the ICO ruled that since the NHS Trust shared the data without the knowledge and consent of the 1.6 million patients involved, the Trust was in violation of the Data Protection Act. The "implied consent" Royal Free and Google argued didn't fly, especially since Royal Free didn't conduct its required privacy assessment until after it had shared the information with DeepMind. Royal Free will be fined up to £500,000 (a 20% discount is available for early payment). Computing notes darkly that "After 25 May next year, when the EU's General Data Protection Regulation (GDPR) comes into force, the ICO would be empowered to levy a much bigger maximum fine against both parties."
Cumbersome infrastructure and a burdensome compliance regime have been seen to foster the growth of shadow IT, and the NHS isn't alone in this regard (Naked Security). It seems worth noting that whatever problems may surround this particular information-sharing arrangement, sending patient files via Snapchat hardly seems an improvement (Infosecurity Magazine) but it's hard not to feel some sympathy for beleaguered doctors.
Whistling past the GDPR.
Some see a silver lining even in the looming wall cloud that is GDPR. A piece in Healthcare Informatics argues that GDPR will have a salutary effect by driving faster international adoption of interoperability standards, including HL7’s FHIR (Fast Healthcare Interoperability Resources). Still other observers see GDPR as fostering the growth of a healthy security culture (SC Magazine).
GDPR takes full effect in ten months, and there's much advice available on how to prepare now (Help Net Security). The UK's Information Commissioner has published guidelines designed to ease compliance, conveniently reduced to twelve steps:
- Build awareness of the new law in your organization.
- Conduct an information audit to determine what personal data your organization holds, their source, and where they're shared.
- Review procedures to protect individuals’ rights, especially in deletion or provision of data.
- Review your organization's privacy notices and ensure they're compliant with the GDPR.
- Identify and document your organization's lawful basis for processing personal data (and explain it in your privacy notices).
- Plan to handle subject access requests.
- Review how your organization seeks, records, and manages consent, ensuring that policies meet the GDPR standard.
- Establish compliant procedures to detect, report, and investigate a personal data breach.
- Ensure procedures are in place to verify ages and obtain parental or guardian consent to process data on children.
- Develop compliant Data Protection by Design and Data Protection Impact Assessments.
- Designate Data Protection Officers.
- Determine your organization's lead data protection supervisory authority, if you operate in more than one EU country.
Data toxicity.
Enterprises are growing increasingly leery of the data they hold, as regulatory risk shouts down Big Data's siren song (Dark Reading). Those who'd like a shorter list of steps on dealing with data that regulation could render toxic might start with five steps recommended by CardConnect: "Don’t keep data around," "Archive the important stuff," "Segment your network," "Sanitize sensitive data with tokens," and "Put someone in charge" (Help Net Security).
Surveillance gag orders challenged.
Facebook continues to fight restrictions on its ability to communicate with its users about search warrants (Naked Security). A US Federal Court ruled Thursday that Twitter's lawsuit against surveillance request gag orders can proceed. The judge found that the US Government had failed to show the sort of clear and present danger that might justify such restrictions (Fortune).
The Right to Repair may join the Right to be Forgotten.
The European Parliament is considering enacting a "right to repair" (Motherboard). One of our stringers was required to study the California state constitution in his Los Angeles high school. The Golden State's elaborate enumeration of very specific rights (he particularly remembers the "right to fish") now strikes him as ahead of its time, at least insofar as the European Union is concerned. Like California rights, EU rights are likely to be conditioned, and not nearly so absolute as one might think on first acquaintance. Some of the motivations for the right to repair are external to the right itself. It's seen as both a green policy move, encouraging reuse as opposed to disposal, and a jobs-creation policy, with Brussels envisioning many new places opening up in repair shops across the Continent.
Honor among thieves? Sort of ... we guess ... not really ... if you're into that kind of thing.
Curious about the fate of AlphaBay, the dark web souk where the raconteurs and roustabouts say "buddy, come on in" to miscreants looking to buy weapons, drugs, and other contraband? (You're asking for a friend, of course.) Well, AlphaBay did go down, but its proprietors haven't absconded with their customers' cryptocurrency. They're back up and still in business. Terbium analysts, who keep an unblinking eye on the dark web, aren't surprised. It's not that AlphaBay's proprietors are honest dealers, but if they were going to flake, they'd do so more elegantly: "If they're going to go out, they'd do a good job of it." (Gizmodo)
Also, again, not that you would, but if you were using a Kodi box to stream content to your TV illicitly, then according to an alert from Check Point, you'd probably also be streaming malware into your systems. The words "illicit streaming" might serve usefully as a do-not-touch warning on any device (Help Net Security).