Monthly Archives: July 2017

Ransomware Attack on Merck Caused Widespread Disruption to Operations

Ransomware Attack on Merck Caused Widespread Disruption to Operations

Pharmaceutical giant’s global manufacturing, research and sales operations have still not be full restored since the June attacks.

New information released last week by pharmaceutical giant Merck reveals that a cyberattack that hit the company on June 27 caused significantly more disruption to its operations than many might have assumed.

In details included during Merck’s earnings announcement July 28, the company described the attack as disrupting worldwide manufacturing, research and sales operations, and impacting its ability to fulfill orders for some products in certain markets.

Even more than one month after the attack, certain operations at Merck, continue to be impacted and the company still does not know the full magnitude of the disruption. Merck so far only been able to fully restore its packaging operations since the attack.

Manufacturing and formulation operations are still only in the process of being restored and so too is Merck’s Active Pharmaceutical Ingredient (API) operations. Bulk product production, which was halted after the attack, has not yet resumed.

“The company’s external manufacturing was not impacted,” Merck noted in its earnings statement.

Neither, apparently, was production of some of Merck’s biggest products including cancer drug Keytruda, anti-diabetes medication Januvia, and Hepatitis C drug Zepatier. “In addition, Merck does not currently expect a significant impact to sales of its other top products,” it said.

Merck has so far not publicly released technical details of the June 27 cyberattack, so it’s not clear just what caused the widespread disruption reported in the earnings announcement. But many security experts believe the company was among the many caught up in the NotPetya ransomware outbreak last month.

Security analysts tracking NotPetya had at the time described it as a more sophisticated version of May’s WannaCry global ransomware pandemic. Like WannaCry, NotPetya also attempted to spread via Server Message Block (SMB) shares using EternalBlue, a leaked exploit from the National Security Agency (NSA). Unlike WannaCry, however, NotPetya employed other methods to spread as well and was generally considered more professional and harder to eradicate than its predecessor.

Kaspersky Lab and others tracking the malware estimated that NotPetya hit at least 2,000 organizations globally including Merck, A.P. Moller-Maersk of Denmark, metal giant Evraz of Russia, and Ukraine’s Boryspyl Airport.

Merck is the second major organization in recent weeks to publicly disclose a major disruption after a ransomware attack. In June, automaker Honda disclosed that it had to shutter a manufacturing plant in Sayama Japan for a couple of days after WannaCry infected plant floor systems at the facility. Production on some 1,000 vehicles was disrupted as a result of the shutdown.

“When it comes to ransomware and how it takes hold in every organization, nothing surprises me anymore,” says Eldon Sprickerhoff, founder and chief security strategist of eSentire. “Best practice in manufacturing environments will mandate a strong network segregation stance between corporate and industrial, but the reality is that there are always access overlaps.”

Such incidents highlight the need for any organization with highly sensitive networks to conduct risk assessments to identify critical assets, identify all access methods, and to identify the risks to those assets via the access methods.

They need to identify the controls they have in place to determine if they are sufficient and continuously monitor for signs of exploits and compromise, Sprickerhoff says.

Related content:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year … View Full Bio

More Insights

from Dark Reading – All Stories

Iranian Hackers Ensnared Targets via Phony Female Photographer

Iranian Hackers Ensnared Targets via Phony Female Photographer

US, Indian, Saudi Arabian, Israeli, Iraqi IT, security, executives in oil/gas and aerospace swept up in elaborate social media ruse used for cyber espionage operations.

She’s a London-based young professional photographer, an Arsenal FC fan, and she’s interested in learning more about the region where her LinkedIn, Facebook, and Blogger connections live. Her relationship status on Facebook: “It’s complicated.”

Meet “Mia Ash,” a phony but apparently very convincing online persona used by the infamous Iran-based hacker team behind the destructive data-wiping attack on Saudi Aramco as well as other Middle East targets. The highly detailed and creative social engineering ruse employs “Mia” as the lure in order to ultimately drop information-stealing spy malware onto the victim’s machine.

Researchers at SecureWorks last week at Black Hat USA in Las Vegas published a report on their findings of this attack campaign, which began in January of this year first as a pure phishing campaign that soon evolved with Mia Ash’s phony LinkedIn, Facebook, and blog accounts, to further social-engineer the targets and earn their trust.

The so-called Oil Rig, aka Cobalt Gypsy, hacking team hit petroleum giant Saudi Aramco in 2012 with a massive attack that damaged or wiped the had drives of some 25,000 of the oil company’s computers. The same attackers came back with fresh Shamoon attacks hitting thousands of computers across more than 10 government and civil organizations in Saudi Arabia and the Gulf States.

“This is the most active Iranian group we’re aware of,” says Allison Wikoff, lead researcher on the so-called Mia Ash research by SecureWorks. “We see infrastructure on a weekly basis and new activity all the time” by them, she says.

SecureWorks believes that Mia Ash may be just one of several personas used by the group to gather intel on their targets, mainly energy firms and technology companies in the Middle East. The company has been tracking OilRig/Cobalt Gypsy since 2015, when they first spotted them creating a network of phony LinkedIn profiles

While the researchers weren’t able to determine the specific information the attackers were going after via the Mia persona attacks, they spotted them attempting to obtain the user’s network credentials.

Once Mia and her connections had established their social media relationship, the attackers sent a phishing email to the target. That included a rigged attachment with enabled Macros to install PupyRAT, which gives an attacker full access to the targeted machine.

Wikoff says her team believes this was just the early stages of the full attack. The first stage is to get the targeted individual’s credentials via PupyRAT, which would give the attackers a foothold in the target’s organization. It’s unclear if Shamoon data-wiping would be next in the attack chain, but it’s a “plausible hypothesis,” she says.

Some of the targets moved their communique with “Mia” to WhatsApp, so it’s unclear what information the victims shared with “Mia” in private, she says.

SecureWorks in its report says one of the victims appears to have even registered a domain for Mia, and Mia reciprocated. They aren’t sure why the domains were registered, but they believe it was either a gesture of trust; or the victim’s information was compromised and used for the domain; or the victim actually works with the attackers. “The domains are parked, no malware on them or services set up,” Wikoff says. “It’s strange, but it gave us a timeline of activity.”

That victim is a cybersecurity expert in a large consulting firm with a background in the oil and gas industry, she says. SecureWorks reached out to the security expert to alert him of the scam, but hasn’t heard back as of this posting, she says.

Remember ‘Robin Sage?’

Mia Ash was reminiscent of the 2010 “Robin Sage” social engineering research project conducted by security expert Thomas Ryan, who presented his findings that year at Black Hat USA. Ryan created an online persona of Robin using a photo of a twenty-something real model and set her up on LinkedIn, Facebook, and Twitter, who purportedly worked for the Naval Network Warfare Command. Robin attracted connections from people in the Joint Chiefs of Staff, the CIO of the NSA, an intelligence director for the US Marines, a chief of staff for the US House of Representatives, and several Pentagon and DoD employees. Her profiles also attracted defense contractors the likes of Lockheed Martin, Northrop Grumman, and Booz Allen Hamilton. 

Phony personas are really nothing new in the spying world. John Bambenek, threat systems manager at Fidelis Cybersecurity, says phony personas have been around for a long time in espionage circles as well as in cyber espionage. “But it’s not efficient” for the attackers as an MO, he says, nor is it the most sophisticated MO. “But to a certain point, social engineering works,” he says.

“They do bulk collection and then figure out how to target [their marks] from there,” he says.  

Iranian nation-state hackers in general are becoming more sophisticated since their early days of defacing websites. “They continue to evolve. They’re not in the top tier in terms of capabilities,” says Dmitri Alperovitch, co-founder and CTO of CrowdStrike.

“We’ve seen several waves of Shamoon. Last fall and winter, they were able to cause quite a bit of damage,” Alperovitch notes.

So far, Iran’s nation-state hacking operations have been more about spying in their Western targets. But Alperovitch notes that indeed could change to more destructive attacks in the future. “There’s no question that there’s a great deal of concern. Tensions over the bill passed on sanctions on Iran [for instance] … cyber is one of the ways they can hit back at us,” he says.

Palo Alto Networks meawhile late last week revealed some new details on OilRig’s activity: they spotted the gang using a new variant of another Iranian threat group’s Trojan – called ISMAgent. ISMAgent is a more “limited but flexible” version of the so-called Greenbug attack group’s Trojan, according to PAN.

“With the inclusion of ISMAgent within the OilRig toolset, we are beginning to see stronger relationships between the various documented groups operating in the Middle East. This region has proven to be a hot bed of espionage motivated activity over the last couple of years, and there appear to be no signs of this changing,” PAN researchers Robert Falcone and Bryan Lee wrote in a blog post

PAN’s team has not, however, seen the fake social media profiles SecureWorks found, the researchers said in response to a Dark Reading inquiry.

Related Content:

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

More Insights

from Dark Reading – All Stories

ShieldFS Can Detect Ransomware, Recover Files

LAS VEGAS—Researchers from Italy’s Politecnico di Milano unveiled at Black Hat last week an add-on Windows driver and filesystem that detects ransomware and recovers files.

ShieldFS was officially unveiled during the hacker conference by researchers Andrea Continella and Federico Maggi, who said the tool was tested against more than a dozen ransomware strains—including WannaCry—and successfully detected the malware in 97 percent of occasions with zero file loss.

Once ShieldFS learns and models filesystem activity over a period of time, it can then compare that against potentially malicious behavior exhibited by ransomware. If an attack is detected, the malware is blocked and a protection layer similar to copy-on-write kicks in allowing the original files stored on a hard drive to be preserved and recovered if necessary.

“It monitors and then performs copy-on-write on the first write; files are modified just the first time,” Continella said. “When the ShieldFS detector collects information to detect if something is malware or not, it can transparently and automatically recover and restore the original copies. If it’s benign, the clean, old copies are presented.”

Copy-on-write, or COW, is a programming technique where pointers to resources are provided and that resource is shared until it is modified, rather than created over and over.

Continella and Maggi said they’ve been working on ShieldFS for 18 months, and that it also successfully detects WannaCry, in addition other ransomware stalwarts such as TeslaCrypt, CryptoWall, CryptoLocker and many others.

“The protection is embedded in the filesystem,” Maggi said. “When ShieldFS detects something suspicious, it takes additional protection to save files.”


The research, they said, began with the profiling of a month’s worth of low-level filesystem behavior on 11 clean machines used by volunteers. The researchers collected 1.7 billion I/O Request Packets from 2,245 applications running on those computers. Those machines were then set up to look like a realistic environment complete with filetypes targeted by the malware, an emulated directory tree, browser extensions and more.

“We tried to make realistic-looking machines,” Maggi said, “and provide all the triggers ransomware needs.”

With ShieldFS running on the test machines, it began looking for the remarkable way ransomware interacts with the low-level file system and compares the differences to how benign systems interact with the filesystem, discerning benign from malicious processes in the operating system along with detecting the usage of crypto primitives for encrypting of files.

The machines were then infected collectively with 383 samples from five ransomware families: Cryptowall, Crowti, Critroni, CryptoDefense and TeslaCrypt.

The researchers said that because ShieldFS essentially makes a filesystem ransomware-aware, they liken it to a self-healing system.

“When ShieldFS is installed, when it sees a write operation, it will save the file before letting the write operation through,” Maggi said.

The researchers said that ShieldFS could be a good complement to backups, which are considered the top strategic countermeasure to ransomware, in addition to timely patching.

“We argue that, although older files can be asynchronously backed up with on-premise systems (because they have less strict time constraints), recent files may be of immense value for a user (e.g., time-sensitive content); even the loss of a small update to an important file may end up in the decision to pay the ransom, because the existing backup is simply too old,” the researchers said in a paper published earlier.

from Threatpost – English – Global – thr…

Anthem Hit with Data Breach of 18,580 Medicare Members

Anthem Hit with Data Breach of 18,580 Medicare Members

Third-party service provider for the insurer discovered one of its employees allegedly engaged in identity theft of thousands of Anthem Medicare members.

Anthem recently learned that 18,580 of its Medicare members may have been victims of identity theft, after its third-party coordination services vendor LaunchPoint Ventures discovered an employee had emailed a file containing the sensitive information to his personal email account.

The Anthem file contained Medicare ID numbers, which also includes social security numbers, Health Plan ID numbers, Medicare contract numbers, dates of enrollment, and, in some cases, the last names and dates of birth of the members. LaunchPoint, which hired a forensics company to investigate the breach, currently does not have any information that the pilfered data was misused, according to Anthem.

On April 12, LaunchPoint discovered one of its employees was allegedly engaged in identity theft activities and hired a forensics company. Then on July 8, LaunchPoint discovered the employee had emailed the Anthem file to his personal account, which violated LaunchPoint’s policies. The company learned the file contained Protected Health Information (PHI) on July 12 and two days later it reported the breach to Anthem.

LaunchPoint terminated the employee and is working with law enforcement to look into the matter. In the meantime, the former employee is incarcerated and under investigation for an unrelated issue, LaunchPoint noted.

Read more about the Anthem breach here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

More Insights

from Dark Reading – All Stories

Voting Machines Hacked with Ease at DEF CON

LAS VEGAS—Hackers at DEF CON last week made quick work of finding vulnerabilities in electronic pollbooks and voting machines, needing just 90 minutes to find exploitable flaws in every piece of voting equipment.

More than 30 machines were available for hackers to crack at the conference’s Voting Machine Hacker Village, ranging from vendor equipment Diebold TSX, WinVote, ES7S iVotonic, and Sequoia AVC Edge. All of the systems were compromised in some way, said event co-coordinator Matt Blaze, a professor at the University of Pennsylvania and election security expert.

“What surprised me was how quickly the community was able to jump in and discover and exploit the vulnerabilities in these machines. We knew they could be exploited, we just didn’t know easily a broad community with this kind of expertise would be able to accomplish it,” said Blaze, below, in an interview with Threatpost Monday.

The first and easiest hack was found in a decommissioned WinVote system running an unpatched version of Windows XP that used WEP-based Wi-Fi.Matt Blaze speaking at DEF CON 2017

“This one was particularly easy, because it had wireless access. I don’t need physical access to the machine. As long as you were within proximity, you would be able to access these machines and nobody would notice,” said Carsten Schuermann, associate professor at IT University of Copenhagen working in the Democracy Technology program, who hacked the system.

He said the WinVote system was used between 2002 and 2014 in many parts of the United States election system. Using Kali Linux, Schuermann said he scanned the environment to see what kind of vulnerabilities were available on the voting machine that was running an unpatched version of Windows XP. In under two hours, he was able to “own” the voting machine.

“We can install Pac-Man on it. We can delete all the data or change vote totals. We can turn off the machine if we want. Or we can install malware, so when the USB storage device is taken out with vote totals it can infect anything it plugs into,” he said.

Blaze said all of the electronic voting machines in the United States have weaknesses of some kind in them. “What the Voting Village experiment demonstrated was just how quickly someone can take a never-before-seen machine and find ways to exploit it from top to bottom,” he said.

Many researchers who examined voting machines in the past dismissed vulnerabilities as being impractical, too difficult to find, or would require specialized expertise to exploit.

A sampling of teams at the Voting Village said they were able to easily access firmware or device storage and manipulate or destroy pollbook or voting data. One team said an electronic pollbook they were dissecting used commodity storage cards that could easily be popped out or swapped.

Blaze acknowledges that hacking into systems might not always be stealth or practical in real-world elections. But, he said, hacking a voting system or pollbook that contains voter data isn’t always the chief objective.

“The goal isn’t always changing votes to steal an election. It’s often to bring into question the vote itself, to create disorder or cast doubt on the legitimacy of the person who won.”

Blaze said the 2016 election was the first large-scale attempt to influence a U.S. election and didn’t include targeting of electronic voting machines.

“Why, given how vulnerable these machines are, would an attacker not use voting machines as an attack vector?” Blaze said. “The reason is, as easy as it is to attack a voting system, it’s even easier to mail your malware to an election official wrapped inside of a .Doc file.”

Last month, a leaked National Security Agency report claimed days before the U.S. presidential election attackers targeted a U.S. voting software supplier in a spear-phishing campaign that contained a malware-laced Word document.

from Threatpost – English – Global – thr…

Android Banking Trojan Svpeng Adds Keylogger

The authors behind the Android banking malware family Svpeng have added a keylogger to a recent strain, giving attackers yet another way to steal sensitive data.

Roman Unuchek, a senior malware analyst with Kaspersky Lab, said Monday he spotted a new variant of the Trojan in mid-July. Unuchek says the keylogger takes advantage of Accessibility Services, an Android feature that assists users with disabilities or assists users access apps while driving.

Unuchek specializes in digging up Android malware; earlier this summer he helped alert Google of two apps in its Play marketplace that were really Ztorg Trojans and another app that was a rooting Trojan, Dvmap.

According to the researcher the most recent iteration of Svpeng checks the device’s language. If the language isn’t Russian, it asks the device to use Accessibility Services, something that can subject the device to a number of dangerous outcomes.

“It grants itself device administrator rights, draws itself over other apps, installs itself as a default SMS app, and grants itself some dynamic permissions that include the ability to send and receive SMS, make calls, and read contacts,” Unuchek wrote Monday, “Furthermore, using its newly gained abilities the Trojan can block any attempt to remove device administrator rights – thereby preventing its uninstallation.”

Once afforded the ability to access to the inner workings of other apps on the device, Unuchek says Svpeng can steal text entered on other apps and take screenshots, information that’s promptly fired off to the attackers’ command and control server.

Unuchek said that as part of his research he managed to intercept an encrypted configuration file from the malware’s C&C server. The file helped him determine some of the sites and services that Svpeng targets. He claims the file contained phishing URLs for both the PayPal and eBay mobile apps, along with URLs for banking apps from the UK, Germany, Turkey, Australia, France, Poland, and Singapore.

The file also contained an overlay for a rewards app – not a financial app: Speedy Rewards, an app distributed by the US gas station/convenience store chain Speedway.

In addition to including URLs, the file helps the malware receive the following commands from the server:

  • To send SMS
  • To collect info (Contacts, installed apps and call logs)
  • To collect all SMS from the device
  • To open URL
  • To start stealing incoming SMS

The most recent version of the Trojan, dubbed, isn’t exactly widely deployed, Unuchek says. Only a small number of users were attacked over the course of a week, but it could stretch further. While the malware may have not hit a lot of users, those that were hit came from all corners of Europe – 23 countries, including Russia, Germany, Turkey, Poland, and France, according to Unuchek.

Researchers with Kaspersky Lab, which first identified the malware back in 2013, said last month Svpeng and another family, Fusob, were tied to a spike in mobile ransomware attacks during the first quarter of this year.

The researcher says the version of Svpeng he spotted in July was being distributed through malicious websites disguised as a fake Flash Player.

The main capability of Svpeng, which was initially spread via SMS messages in 2013, was phishing. Users hit by the malware were displayed a phishing window after opening up their banking app of choice. The window would ask for the users’ name and password, information that was ultimately sent back to an attacker’s server. The malware was modified with a ransomware component that demanded $500 from users fairly early on, back in the spring of 2014. The ransomware eventually evolved, telling users their devices had been locked by the FBI because they were used to visit websites containing pornography. Users would then have to pay a lesser fee, $200, to unlock the device.

Unuchek said Monday he wasn’t surprised the attackers behind Svpeng had begun embracing keyloggers and abusing Android’s accessibility functionality.

“[Svpeng] was among the first to target attacks at SMS banking, to use phishing pages to overlay apps in order to intercept credentials, and to block devices and demand money. That is why it is so important monitor and analyze every new version,” Unuchek said.

from Threatpost – English – Global – thr…

News in brief: Roomba data not for sale; thief-catching wallet; Windows Bounty Program

Your daily round-up of some of the other stories in the news

iRobot not selling data

Roomba – you know, the robotic vacuum that navigates itself around your floors collecting debris and data – makers iRobot were in the news last week for their plans to sell maps of users’ homes to voice assistant big wigs Google, Apple and/or Amazon.

In an interview with ZDNet, CEO Colin Angle responded to privacy concerns, clarifying that it was a “misinterpretation”.

On all WiFi-enabled Roombas, usage data (e.g. how long did it clean, how far did it go, did it encounter any error codes, is it functioning correctly) can be sent to the cloud so it can be shown on the customer’s mobile device.

Angle explained that robots collect data in order to carry out their job but customers are in control and that “iRobot will never sell your data”.

Thief-catching wallet

What do you keep in your wallet? Money, credit cards, business cards, receipts? What about GPS, a chunk of RAM, a Wi-Fi hotspot, wireless phone charging and an anti-theft camera?

That’s what you’ll get with the Volterman, a crowdfunded Tardis-lite for your money that caught the eye of The Verge’s Paul Miller.

Miller was particularly taken by the wallet’s camera:

The creepiest feature, though, is the built-in camera. When the wallet is in “lost” mode, it will take a picture of anybody who is peeking into it. Perhaps in recognition of how strange some people might feel about having a camera in their wallet, the feature is listed as optional.

If you’re keen to keep an eye on the people keeping an eye on your money you’ll have to wait though. Right now the wallet is still in its vapour state and isn’t due to ship until December, a target that Miller considers “improbable”.

Until then Volterman Inc. are going to need somewhere safe to keep their cash because their smartphone/wallet mash-up has attracted a whopping 1723% of its $45,000 funding target.

Windows Bounty Program

Microsoft has announced the arrival of the Windows Bounty Program, an expansion of the existing Windows Insider Preview. The company promises that:

Any critical or important class remote code execution, elevation of privilege, or design flaws that compromises a customer’s privacy and security will receive a bounty

Microsoft is keen that hackers concentrate on its chosen “focus areas”. Bounty hunters focussing on the Hyper-V system in Windows 10, Windows Server 2012 (and 2012 R2) and Windows Server Insider Preview can chase rewards of up to $250,000.

Catch up with all of today’s stories on Naked Security

Image of Linus and Isaac courtesy of Flickr user Eirik Newth under a Creative Commons license.

from Naked Security – Sophos