Weekly Threat News: 30th April

  • 30 April 2019
  • 0 replies

Hello Community! I wanted to share Kelvin's latest Weekly Threat article with you. (If you missed it, we did this last week too.) I find these helpful and hope that you do too.

Weak targets

When it comes to cybercrime, some targets are weaker than others. Criminals are getting better and better at target selection, and over the last month there have been plenty of examples of the weak being hit with ever greater accuracy.

Hastily Googled image-search for "weak target"

There’s no one factor that leads to organisational weakness, but these types of orgs are always in the news due to poor defences: Transport, Health, SMEs, Education and Government.
Weakness is not the only reason to select a target, but most criminals prefer the easier game.


Any downtime is a killer for the transport industry. Airports are sensitive to delays of any kind, as they can have a knock-on effect on flights worldwide. The attack surface is huge, and they are usually very spread-out and varied operations. For these reasons, ransomware is often the preferred criminal tactic for ports, airports, transport authorities etc.
“By the time the city had fully recovered from the infection the total bill reached almost $17 million.”


Health organisations such as hospitals provide an essential service. They also usually have a huge attack surface. The sheer number of machines and variety of IT devices present is going to be a headache for any admin to keep track of, never mind secure. Disrupting palliative care, cancer patient care and serious children’s care is completely evil, but it makes brutal criminal sense when trying to elicit a ransom, and sadly instances of all of these attacks have been seen in the last year.

Singapore has previously made the news for huge attacks on its health service and government. The NHS has been a massive victim itself over the last 5 years or so and is passing on some of the lessons it has learned over this time to help improve defences in the island city-state.


Whatever is happening to the bigger “headline” organizations that make the news is happening to smaller companies on a massive scale. The increasing use of automation is really accelerating attacks on SMEs, and they are usually not as prepared as larger enterprises to defend against, plan for, suffer or remediate any attacks.

“Researchers have discovered a previously unknown, file-based cryptominer worm that has been heavily targeting enterprises based in Asia.”

This infection drops cryptominers onto machines and spreads by using the famous “NSA” exploit ETERNALBLUE. This was the same exploit that was used in the devastating 2017 WannaCry and NotPetya attacks. It also spreads using the same kind of credential-stealing tactics employed by infections such as Emotet and TrickBot. The other way the malware spreads is by password cracking/stealing, which is massive right now and can in theory affect any machine.

The NSA part of it is a little old-hat these days. The vulnerability itself was patched in March 2017, months before the WannaCry outbreak, but the fact that people are usually slow to carry out updates made the attack (along with NotPetya) so devastating.

Last year WannaMine made Webroot’s list of nastiest infections, and it similarly spread using ETERNALBLUE, proving that even after a whole year folks weren’t performing security updates.
These days things have changed a bit. There is much greater uptake of Windows 10, and Microsoft is informing users that Windows 7 (along with previous versions) is being discontinued. Windows 10 is great insofar as it doesn’t really ask users to perform updates; it just goes ahead and does them. This can be a little annoying sometimes (see the current update drama), but this approach makes Win 10 much, much safer and immune to these old exploits. Webroot research shows that Windows 10 machines are half as likely to get infected.
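The three conditions the article ties to ETERNALBLUE-style worms (an end-of-life Windows version, SMBv1 still enabled, and a long gap since the last update) can be audited read-only on a single host. This is an added example, not part of Kelvin's article or Webroot's tooling; it assumes Windows 8 / Server 2012 or newer with the built-in SmbShare module, run from an elevated PowerShell session, and the 90-day threshold is an arbitrary choice for the example.

```powershell
# Added example: read-only audit of the exposure conditions discussed above.
$findings = @()

# 1. Operating system. Anything before Windows 10 / Server 2016 (version 10.0)
#    is flagged, since Windows 7 and earlier are being retired.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ([version]$os.Version -lt [version]'10.0') {
    $findings += "Legacy OS in use: $($os.Caption) ($($os.Version))"
}

# 2. SMBv1, the protocol ETERNALBLUE targets. Check both the server setting and
#    the optional feature, because either can leave SMBv1 reachable.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += "SMBv1 server protocol is enabled"
}
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += "SMB1Protocol optional feature is installed"
}

# 3. Update cadence. Slow patching, not the exploit's novelty, is what made
#    WannaCry and WannaMine effective; 90 days is the example's threshold.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $latest) {
    $findings += "No installed hotfixes reported"
} elseif ($latest.InstalledOn -lt (Get-Date).AddDays(-90)) {
    $findings += "Last hotfix $($latest.HotFixID) installed $($latest.InstalledOn.ToShortDateString())"
}

if ($findings.Count -eq 0) {
    Write-Output "OK: supported OS, SMBv1 disabled, updates within 90 days"
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Where SMBv1 is reported enabled and nothing on the host still needs it, `Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force` and `Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol` turn it off; the patch-age finding is resolved through Windows Update rather than by chasing individual hotfixes.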

Most of the victims here are in China. China has traditionally been much slower to upgrade operating systems. The government famously asked Microsoft for an extension on killing Win XP. Suspicious rip-offs of old Microsoft OS platforms were widely used after XP was killed, and its MS OS adoption would be years behind countries like the US.

Cryptomining has really been on the decline over the last 10 months, mirroring the drop in the price/mining profitability of Monero, but it’s all free money as long as you aren’t footing the power bill.


Governments provide a lot of essential services. They have relatively deep pockets to pay ransom demands and are also a target of information stealing due to the huge amounts of sensitive data they often hold. They have a colossal attack surface, usually more complicated (and messier) than any other organization is likely to have. Even if one department is well funded and secured, its data might still be stolen through sharing with other, weaker depts.

There can be no doubt that countries are also targeting other countries on a massive scale. These attacks are not just limited to the traditional spy wars conducted by intelligence agencies but also involve armies of criminals affiliated with nation states, operating at various levels of cooperation and collaboration. The gloves are off in the political cybersphere and there are no meaningful rules of engagement, which is worrying more than a few people in the political and IT worlds.

“The city of Greenville, N.C., [usa], said it is recovering from the April 10 ransomware attack that had effectively knocked the city offline, without having to resort to paying the ransom demand.”

“Cyberattackers, possibly Russian, recently struck numerous embassies in Europe with a malicious email attachment that uses a weaponized version of the TeamViewer remote desktop tool to gain control of the target computer.”
