Monday, 15 May 2017

Cyber Attack: Ransomware causing chaos globally

'Unprecedented' cyber attack hits 100 countries
Experts warn of more assaults as firms grapple with worm's impact
The Sunday Times, 14 May 2017

FRANKFURT • It may not be over yet, warned security experts, after a devastating cyber attack described as unprecedented in scale caused disruptions in nearly 100 countries from Europe to Asia.

Capitalising on spying tools believed to have been developed by the US National Security Agency (NSA), hackers launched the cyber assault on Friday that infected tens of thousands of computers, with Britain's health system suffering the worst.

Cyber extortionists, using malicious software called WannaCry, tricked victims into opening attachments to spam e-mails that seemed to contain invoices, job offers, security warnings and other legitimate files. The so-called ransomware encrypted data on infected computers, demanding payments of US$300 to US$600 (S$420 to S$840) to restore access.

Once inside the targeted network, the ransomware made use of recently leaked spy tools to silently infect other out-of-date machines.

This, security experts said, marked a risk of attacks spreading in the coming days and weeks.

Yesterday, finance chiefs from the Group of Seven nations meeting in Bari, Italy, vowed to join forces to fight the growing threat of international cyber attacks.

The ministers said in a statement that cyber incidents represent a growing threat to their economies and that tackling them should be a priority.

In Singapore, the Cyber Security Agency (CSA) yesterday said no government agencies or critical information infrastructure had been affected. The attack took place on the same day that the CSA said hackers had tried to steal data from the networks of the National University of Singapore and Nanyang Technological University.

Europol's European Cybercrime Centre said it was working closely with country investigators and private security firms to combat the threat and help victims. "The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits," it said.

Researchers with security software maker Avast said they had observed 126,534 ransomware infections in 99 places, with Russia, Ukraine and Taiwan the top targets.

Among those affected were French automotive giant Renault, which was forced to halt production at sites in France and its factories in Slovenia and Romania as part of measures to stop the spread of the virus.

Germany's Deutsche Bahn national railway operator's information screens and ticket machines were hit. Travellers tweeted pictures of hijacked departure boards showing the ransom demand instead of train times. But the company insisted that trains were running as normal.

Several medical facilities in Britain were forced to cancel or delay treatment for patients, but Interior Minister Amber Rudd said the system has almost fully recovered from the disruption as of yesterday.

Despite the scale of the attack, experts working with investigators told The Guardian that the hackers appear to have raised just US$20,000.

The hackers, who have not come forward to claim responsibility or been identified, took advantage of a worm, or self-spreading malware, by exploiting a piece of NSA spy code known as "Eternal Blue" that was released last month by a group known as the Shadow Brokers, according to researchers with several private cyber security firms.

Researchers said the worm deployed in the latest attack, or a similar tool released by Shadow Brokers, is likely to be used for fresh assaults not just with ransomware but other malware to break into firms, seize control of networks and steal data.


Chaos as hospitals, telcos and schools hit
Full extent of damage still to be determined as initial impact was over the weekend
The Sunday Times, 14 May 2017

LONDON • Last Friday's cyber attack affected some hospitals, schools, universities and other institutions in Asia, though the full extent of the damage is not yet known because it is the weekend.

"I believe many companies have not yet noticed," said Mr William Saito, a cyber-security adviser to Japan's government. "Things could likely emerge on Monday" as staff return to work.

China's information security watchdog said "a portion" of Windows systems users in the country were infected, according to a notice posted on the official Weibo page of the Beijing branch of the Public Security Bureau yesterday. Xinhua state news agency said some secondary schools and universities were hit.

In Vietnam, Mr Vu Ngoc Son, a director of Bkav Anti Malware, said dozens of cases of infection had been reported there, but he declined to identify any of the victims.

South Korea's Yonhap news agency reported a university hospital had been affected, while a communications official in Indonesia said two hospitals there had been hit.

The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers last Friday.

International shipper FedEx said some of its Windows computers were also breached. "We are implementing remediation steps as quickly as possible," a FedEx statement said.

Telecommunications company Telefonica was among many targets in Spain. Portugal Telecom and Telefonica Argentina both said they were also targeted.

Russia's interior and emergencies ministries, as well as its biggest bank, Sberbank, said they were targeted by ransomware. The Interior Ministry said about 1,000 computers had been infected but it had localised the virus.

Only a small number of United States-headquartered organisations were hit because the hackers appear to have begun the campaign by focusing on targets in Europe, said Mr Vikram Thakur, principal research manager at Symantec.

By the time they turned their attention to the US, spam filters had identified the new threat and flagged the ransomware-laden e-mails as malicious, he added.

The spread of the ransomware capped a week of cyber turmoil in Europe that began when hackers posted a trove of campaign documents tied to French candidate Emmanuel Macron just before a run-off vote in which he was elected president of France.

On Wednesday, hackers disrupted the websites of several French media companies and aerospace giant Airbus.

The hack happened four weeks before a British general election on June 8, in which national security and the management of the state-run National Health Service (NHS) are important issues.

The attack caused some British hospitals to stop accepting patients, doctors' offices to shut down, emergency rooms to divert patients, and critical operations to be cancelled as a decentralised system struggled to cope.

At some hospitals, nurses could not even print out name tags for newborn babies.

At the Royal London Hospital in East London, hotel cook George Popescu, 23, showed up with a forehead injury.

"My head is pounding and they say they can't see me," he said. "They said their computers weren't working. You don't expect this in a big city like London."

Many of the NHS computers still run Windows XP, for which Microsoft discontinued security updates in 2014. Microsoft had made a patch, or fix, available in newer versions of Windows for the flaws that were exploited in Friday's attack.

Several news reports have addressed the outdated systems of the NHS that potentially left confidential patient data vulnerable to attack. Last November, Sky News did an investigation showing that units of the NHS, serving more than two million people, spent nothing on cyber security in 2015.

Ms Jennifer Arcuri, of Hacker House, which worked with Sky on the report, said then: "I would have to say that the security across the board was weak for many factors."

Last Friday, she said on Twitter: "We told every(one) back in Nov this would happen! @myhackerhouse identified NHS trusts putting patient data at risk."

Ms Esther Rainbow, a manager of cardiac services at the Barts unit of the NHS in London, described how they had to revert to the old paper system.

"For us, the main issue has been getting information," she said. "At Barts, we were told not to use our work mobiles and to turn off all Wi-Fi. Later in the day, we were told to unplug everything from the network. The main impact in terms of the diagnostics was that we had no idea who was turning up and which patient was seeing which unit," she added.

"As the day went on, it felt a little bit more scary as we were told to shut things down and unplug things. We also don't know what other patients are due to come in," she said.


No Singapore govt agencies or info infrastructure hit
By Chew Hui Min, The Sunday Times, 14 May 2017

No government agencies or critical information infrastructure here were affected by the cyber attacks that hit nearly 100 countries, the Cyber Security Agency of Singapore (CSA) said yesterday.

"To date, no government agencies or critical information infrastructure (CII) in Singapore have been affected by the global hacking attacks (on Friday night)," Mr Dan Yock Hau, director of the National Cyber Incident Response Centre, said in a media release.

The CIIs have been notified to be on heightened alert, he added.

The CSA advised affected organisations, businesses and members of the public to seek help from its Singapore Computer Emergency Response Team (SingCERT) at singcert@ or its hotline on 6323-5052.

All Windows users should make sure their computer systems are fully patched, the agency added.

Users should ensure that their anti-virus software is updated with the latest malware definitions, perform file backups and store them offline in case they need to restore their systems following an attack.

A fast-moving wave of cyber attacks swept the globe on Friday, apparently exploiting a flaw exposed in documents leaked from the US National Security Agency.

The malware's name is WCry, but analysts were also using variants such as WannaCry, AFP said.

The attacks used a technique known as ransomware that locks users' files unless they pay the attackers a designated sum in the virtual currency bitcoin. It has the ability to automatically spread across large networks by exploiting a known bug in Microsoft's Windows operating system.

Researchers with security software maker Avast told Reuters they had observed 57,000 infections in 99 countries, with Russia, Ukraine and Taiwan the top targets.

Key facts about WannaCry virus
The Sunday Times, 14 May 2017

Q What does the WannaCry virus do?

A It locks computers so that users cannot access their files or programs. Hackers ask for payment to safely release the computer. This type of virus is also known as ransomware. WannaCry and its variants like WanaCrypt and Wanna Decryptor target computers that use Microsoft's Windows operating system.

Q How does it infect computers?

A By e-mail. Users receive a file, usually in a .zip format. When the user clicks on the file or opens it, the virus will automatically spread and lock up files and programs. Once the computer is fully infected, the user can access only two files - instructions on what to do next and the virus program itself.

Other forms of ransomware lure users into clicking on a fake link in an e-mail or on a bogus website. It will then release a virus that corrupts the computer.

Q Ransomware is not new. Why the panic?

A The speed and scale of WannaCry's spread has alarmed security experts.

Within hours of it being discovered on Friday, over 57,000 attacks were reported across 99 countries, with Russia, Ukraine and Taiwan reportedly the top targets.

Operations in large organisations like Britain's National Health Service, global shipper FedEx in the United States and the Russian Interior Ministry have been affected.

Experts say the malicious software is spreading at a rate of five million e-mails per hour.

This virus has been designed as a "worm", which means it can automatically spread to other computers in the same network.

Q How can one protect one's computer?

A Microsoft has issued automatic Windows updates to defend its clients from it. Additional measures include using a reputable antivirus software and a firewall, backing up files in a separate system and setting a popup blocker. Beware of clicking links or files in e-mails or on suspicious websites. Users who receive a ransom note should disconnect the computer from the Internet and alert the authorities.

Q Who are these hackers?

A No one has claimed responsibility so far. Experts speculate that it could be a large cyber-criminal gang or even state governments like Russia and China.

Q What do they want?

A The hackers are asking for payment of US$300 (S$418) to US$600 in bitcoin, a digital currency, to restore access. Users are warned that if they do not pay up in a few days, their files will be deleted. The hackers give instructions on how to buy bitcoin and which bitcoin address to send it to.

Governments have advised users not to pay the ransom, as it encourages these hackers.

Q Where did this virus come from?

A The US National Security Agency was the first to discover a flaw in Microsoft's Windows operating system that allowed it to develop a way to hack, or gain access to, computers used by terrorists and enemy states. The flaw, and a tool to exploit it with malicious software, was made public last month by a hacker collective known as Shadow Brokers.

UK researcher slows malware with 'kill switch'
The Sunday Times, 14 May 2017

LONDON • As the world began to understand the dimensions of Wanna Decrypt0r 2.0, a British cyber-security researcher was already several steps ahead. He bought an unusually long and nonsensical domain name ending with "".

The 22-year-old says he paid US$10.69 (S$15), but his purchase might have saved companies and governmental institutions around the world billions of dollars. By purchasing the domain name and registering a website, he claims he activated a "kill switch". It immediately slowed the spread of the malware and could ultimately stop its current version, cyber-security experts said yesterday.

When Mr Darien Huss, a researcher with US cyber-security firm Proofpoint, came across the strange domain in the code on Friday evening, he immediately flagged his discovery on social media.

Alerted by the finding, an unidentified 22-year-old researcher who tweets using the handle @MalwareTechBlog took action, without knowing what impact registering the domain would have. While spreading to computers, the malware made requests to the unregistered website ending with "". All of those requests went unanswered - likely triggering the activation of the malware. For hours, a non-existent website helped to cripple computers worldwide. But as soon as the researcher registered the website out of curiosity, automatic requests immediately surged, according to screenshots published on his Twitter account. It was only then that he realised he might have accidentally activated a kill switch in the ransomware.

"The crisis isn't over, they can always change the code and try again," @MalwareTechBlog cautioned.
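The kill-switch behaviour described above, modelled as an added example that is not part of the original article: the worm's go/no-go decision depends only on whether its lookup of the domain is answered, and a defender can turn that same lookup into a detection signal by scanning resolver logs. The domain name, the log lines and the log format are constructed placeholders; the article does not reproduce the real domain.

```python
"""Kill-switch model and a DNS-log triage check (added example, not the article's code)."""
from __future__ import annotations

import re

# Placeholder only: the real kill-switch domain is not reproduced on this page.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"


def malware_would_proceed(lookup_answered: bool) -> bool:
    """Decision logic as the article describes it.

    The worm requests the domain; an unanswered request lets it continue,
    an answered one makes it stop. A consequence for defenders: on a host
    that has been unplugged, isolated, or sits behind a proxy that blocks
    the lookup, the request is never answered, so the kill switch does not
    fire there and the payload still runs.
    """
    return not lookup_answered


# Constructed sample resolver log (simplified BIND query-log style).
SAMPLE_DNS_LOG = """\
12-May-2017 15:02:11.123 client 10.0.4.17#51234: query: www.example.com IN A + (10.0.0.53)
12-May-2017 15:02:12.456 client 10.0.4.17#51235: query: killswitch-domain.example IN A + (10.0.0.53)
12-May-2017 15:02:13.789 client 10.0.9.3#40001: query: killswitch-domain.example IN A + (10.0.0.53)
12-May-2017 15:02:14.000 client 10.0.9.3#40002: query: KILLSWITCH-DOMAIN.example. IN A + (10.0.0.53)
12-May-2017 15:03:01.222 client 10.0.2.8#61000: query: mail.example.org IN MX + (10.0.0.53)
"""

# Matches the client address and the queried name in each log line.
LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def hosts_querying(log_text: str, domain: str) -> dict[str, int]:
    """Count lookups of the kill-switch domain per source host.

    Any host that resolves this name at all is worth triaging: legitimate
    software has no reason to ask for it, so even a single hit is a lead.
    Names are compared case-insensitively and with a trailing dot stripped.
    """
    target = domain.lower()
    counts: dict[str, int] = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname == target:
            ip = m.group("ip")
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    print("payload runs when lookup unanswered:", malware_would_proceed(False))
    print("payload runs when lookup answered:", malware_would_proceed(True))
    print("hosts that looked up the kill-switch domain:",
          hosts_querying(SAMPLE_DNS_LOG, KILL_SWITCH_DOMAIN))
```

Registering the domain, as the researcher did, only helps hosts whose lookups can actually reach it; the log check above is the complementary step for spotting machines that tried.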


'White hat' who foiled hackers says he is no hero
The Straits Times, 17 May 2017

LONDON • Just 22 years old, Mr Marcus Hutchins insists he is no hero.

But to victims and potential victims of the WannaCry ransomware that ran riot and infected computers across the globe last Friday, the young British cyber security researcher is a saviour, no less.

Mr Hutchins, known initially by only his Twitter handle @MalwareTechBlog, found a "kill switch" by accident that slowed the spread of the WannaCry ransomware.

"I am definitely not a hero," he told the Associated Press. "I am just someone doing my bit to stop botnets."

Given the praise he has earned, it may come as a surprise that Mr Hutchins failed IT in school.

In 2010, he was suspended from school after teachers accused him of hacking the school's system, the Daily Mail reported on Monday.

"The school server had been attacked and the network was down," he recalled.

"They handed me some papers which showed I was online at the time... Then that was it, I was suspended for something I never did."

Mr Hutchins lives with his family in England and works for Kryptos Logic, a US-based cyber security company.

In the Wild West of the Internet, good guys such as Mr Hutchins and US-based cyber security expert Darien Huss, 28, whom he teamed up with to halt the infections, are known as white hats, said Agence France-Presse. Mr Huss works for US cyber security firm Proofpoint.

"The white hat is a researcher that does work for the good of the industry/society, the black hat's motivation is more nefarious in nature," said Mr Raj Samani, chief scientist at McAfee, a leading producer of antivirus software.

They are in a perpetual race to discover vulnerabilities in software, which hackers will exploit to profit from, while cyber security experts will develop solutions to protect their clients and the public.

For a job well done, Mr Hutchins' bosses have rewarded him with a free trip to Los Angeles.

But now that his identity has come to light, the researcher is afraid that hackers might go after him, the Daily Mail said.

Mrs Janet Hutchins said that while she was "very proud" of her son, she wished he had been able to remain anonymous for his part in bringing down the ransomware attack.

Hacking group with Russian links blamed
The Sunday Times, 14 May 2017

LONDON • A hacking group calling itself the "Shadow Brokers" and with possible links to Russia is being blamed for the unprecedented wave of cyber attacks that swept across the world on Friday.

Last month, it claimed to have stolen a "cyber weapon" from a US spy agency that gives unprecedented access to all computers using Microsoft Windows, the world's most popular operating system.

The hacking tool - "Eternal Blue" - was developed by the National Security Agency and used to gain access to the computers of terrorists and enemy states. The hackers, who have not come forward to claim responsibility or otherwise been identified, "dumped" the computer bug on an obscure website on April 14. This took place just a week after US President Donald Trump ordered the bombing of Syria, The Telegraph reported.

Some experts believe the timing is significant and indicates that the group has links to the Russian government, the British newspaper added.

In an Internet posting on April 8, a day after the first air strikes, the group appeared to issue a warning to Mr Trump.

In a statement, it said in broken English: "Respectfully, what the f*** are you doing? The Shadow Brokers voted for you. The Shadow Brokers supports you. The Shadow Brokers is losing faith in you. Mr Trump helping the Shadow Brokers, helping you. Is appearing you are abandoning 'your base', 'the movement', and the peoples who getting you elected."

Nobody knows who is behind the group but in a statement to a specialist technology website last December, it said: "The Shadow Brokers is not being irresponsible criminals. The Shadow Brokers is opportunists. The Shadow Brokers is giving 'responsible parties' opportunity to making things right."

Spy agencies' cyber approach flawed: Experts
The Sunday Times, 14 May 2017

WASHINGTON • A global cyber attack on Friday renewed concerns about whether the US National Security Agency (NSA) and other countries' intelligence services too often hoard software vulnerabilities for offensive purposes, rather than quickly alerting technology companies to such flaws.

Hacking tools believed to belong to the NSA that were leaked online last month appear to be the root cause of a major cyber attack spreading through Europe and beyond, security researchers have said, stoking fears that the spy agency's powerful cyber weapons had been stolen and repurposed by hackers with nefarious goals.

Some cyber security experts and privacy advocates said the massive attack reflected a flawed approach by the United States to dedicate more cyber resources to offence rather than defence, a practice they argued makes the Internet less secure.

Across the US federal government, about 90 per cent of all spending on cyber programs is dedicated to offensive efforts, including penetrating the computer systems of adversaries, listening to communications and developing the means to disable or degrade infrastructure, senior intelligence officials told Reuters in March.

"These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies, but by hackers and criminals around the world," Mr Patrick Toomey, a staff attorney with the American Civil Liberties Union, said in a statement.

The NSA did not respond to a request for comment.


Cyber attacks on NUS, NTU in bid to steal sensitive data
Attacks not the work of casual hackers; no classified info stolen
By Irene Tham, Senior Tech Correspondent, The Straits Times, 13 May 2017

Sophisticated hackers have broken into the networks of National University of Singapore (NUS) and Nanyang Technological University (NTU), in an effort to steal government and research data.

Revealing this yesterday, the Cyber Security Agency (CSA) of Singapore said the attacks, which were discovered last month, were not the work of casual hackers.

"We know who did it, and we know what they were after. But I cannot reveal this for operational security reasons," said Mr David Koh, chief executive of CSA.

Hackers have been in the news of late after trying to sabotage both the American and French presidential elections.

Singapore, meanwhile, has been taking precautions against attacks by delinking computers of public servants from the Internet.

The attacks on the universities may have been a roundabout way to try to access government-related information.

Experts say NTU and NUS have research links with the Government, being involved in projects for the defence, foreign affairs and transport sectors, among others. The Straits Times understands that the attacks were executed from overseas.

"The plans and progress for Singapore's Smart Nation agenda could be a subject of interest to the attackers," said Mr Bill Taylor-Mountford, American security intelligence firm LogRhythm's vice-president in Asia-Pacific and Japan.

The breaches were said to be advanced persistent threats in which hackers gain unauthorised access to computer networks and lurk hidden. Experts said such attacks require considerable resources and are typically state-sponsored.

The intrusions were detected when the universities ran their regular system checks - on April 19 for NTU, and April 11 for NUS.

Both universities alerted CSA, after which forensic investigations were carried out.

No classified information or personal data was stolen. The affected systems have since been removed.

NTU said it has since tightened "security controls at all levels".

NUS said it is beefing up its system defences. "This incident highlights the rising sophistication of cyber security attacks," it added.

CSA added that it had not noticed signs of suspicious activities in critical systems or government networks.

But it has advised other universities and critical sectors such as energy, telecoms and finance to step up security efforts.

Last month, the Government completed an exercise to delink the computers of all 143,000 public servants from the Internet to prevent classified information from being accessed. A spokesman for the Government Technology Agency, which coordinates the delinking effort, said: "The decision to separate Internet surfing from work devices is a difficult but necessary move to protect government systems and data from these increasingly frequent and sophisticated cyber threats."

The NUS and NTU breaches come on the heels of a cyber attack on the Ministry of Defence, in which the personal details of 850 national servicemen and staff were stolen.

Cyber attacks on NUS, NTU: Singapore latest target of ever-growing cyber threat
Hackers using advanced persistent threats require much sophistication and resources
By Irene Tham, Senior Tech Correspondent, The Straits Times, 13 May 2017

Cyber attacks on governments and institutions have become a weapon of choice - and Singapore has not been spared the threat, said the Cyber Security Agency (CSA) of Singapore.

"Attackers are not just targeting government systems; they are (also) looking for any network that is remotely related to the Government," said Mr David Koh, chief executive of CSA. "Attackers are... always looking for the weakest link to exploit."

The attacks by hackers on National University of Singapore (NUS) and Nanyang Technological University (NTU), discovered last month, were aimed at stealing government and research data, CSA revealed yesterday.

The breaches were said to be advanced persistent threats (APTs) in which hackers gain unauthorised access to and lurk within computer networks undetected for a long period of time.

State-sponsored APTs have plagued the French presidential election, which concluded last week, and last year's US presidential election, said security software firm Trend Micro.

Newly elected French President Emmanuel Macron's campaign team was repeatedly hit by phishing e-mails to trick his staff into parting with their passwords. Confirming the attacks, Mr Macron had said no campaign data was compromised. The same hacking group, dubbed Pawn Storm, was also believed to be behind the attacks last year on the e-mail accounts of the US Democratic National Committee to undermine Mrs Hillary Clinton's presidential bid.

Trend Micro said that one in five US organisations has suffered a cyber espionage-related attack in the past year.

Mr Nick Savvides, a security advocate for Asia-Pacific and Japan at cyber security software firm Symantec, said cyber attacks are either financially or politically driven.

"State-sponsored attacks are highly sophisticated and capable of obfuscating their source," he said.

Money could also be a motive.

Mr Aloysius Cheang, executive vice-president of global computing security association Cloud Security Alliance, said: "There is definitely valuable research data of commercial value."

In the case of NUS and NTU, hackers may have also assumed that the universities' systems had links to government systems, Mr Cheang added.

Mr Bill Taylor-Mountford, American security intelligence firm LogRhythm's vice-president in Asia-Pacific and Japan, said: "Any entities using APT need to have considerable resources."

Such threats demand a lot of sophistication, he added.

In a Facebook post yesterday, Communications and Information Minister Yaacob Ibrahim urged everyone to do their part to defend important data. For instance, individuals can practise good cyber hygiene.

"As we become more digitally connected, such threats will continue to increase in sophistication, and both public- and private-sector organisations are equally vulnerable," he said.
