Weekly Threat Report 12th May 2017

Created:  12 May 2017
Updated:  12 May 2017
This report is drawn from recent open source reporting.

International cyber incident affecting the NHS

On Friday a set of global cyber attacks took place against thousands of organisations, including the NHS, and individuals in dozens of countries.

The NCSC statement on the incident can be read here and guidance on how to defend your organisation against ransomware can be found here.

US restaurant chain payment process system compromised

A US restaurant chain, Chipotle Mexican Grill, recently announced that unauthorised activity had been detected on its payment processing network. Investigations indicate that criminals probably accessed credit card and other payment information between 24 March and 18 April 2017. It is currently unclear how many locations and customers were affected.

Although this compromise appears to be linked to the Carbanak group responsible for the theft of over 1 billion USD from 100 financial organisations worldwide, it is also possible that other criminal actors with access to Carbanak's malware could be responsible.

Criminal actors exploiting Carbanak malware have been responsible for a large proportion of recent payment system compromises. For example, more than 20 US-based hospitality companies have been targeted since summer 2016, and hospitality companies in Australia, England and Ireland were victims of similar attacks in early 2017.

This activity, whether by the Carbanak group or another organisation with similar malware and capabilities, appears to be aimed at companies with a high volume of payment transactions. If the Carbanak group, which previously focused mainly on the finance sector, is responsible, it shows the group has now broadened its targeting base to encompass the hospitality and retail sectors too.

En Marche phishing attack

Thousands of internal En Marche party documents apparently obtained from a cyber attack were published on the internet on 5 May a few hours before the French campaign blackout deadline, meaning that neither Macron nor his rivals could respond substantively.

The attack involved phishing which successfully compromised En Marche staff personal email accounts, including the campaign speechwriter's, when a malicious link embedded in the email was clicked. This meant the hackers could take over the email accounts, accessing all the content of the mailboxes.

Once they had gained access, hackers could then send emails appearing to be from the respective campaign staff. Sending email posing as trusted staff members could easily dupe fellow campaign workers into clicking on malicious links, thereby giving hackers further access to the contents of mailboxes.

The main news this week was the Intel AMT and Windows zero-days, but in addition Microsoft's regularly scheduled updates also arrived this week, with updates, many rated critical, for all supported versions of Windows and Microsoft Server products, as well as updates for Edge, IE, .NET Framework and MS Office. F5 released two updates for BIG-IP, both of which address flaws that could lead to denial of service conditions. BIND saw an update for a DNSSEC flaw that could cause the target to crash. WordPress has a bug in its password reset functionality that could allow remote users to obtain passwords. BlackBerry Enterprise Server has an input validation flaw that could allow for cross-site scripting attacks.

Cisco have released a number of updates for various of their products (Aironet, TelePresence, WebEx Meetings Server, Finesse, Unity, ASA, CallManager, CVR100W Wireless-N VPN Routers, etc.) that could variously allow execution of arbitrary code, obtaining of sensitive information or causing the target system to reload or crash.

Elsewhere, IBM fixed an unspecified flaw in WebSphere, HPE fixed multiple bugs in their Network Automation product, and CA Client Automation suffers from a flaw that could allow local users to view passwords. Brocade has updates for Fabric OS and NetIron to fix an elevation of privilege bug and a bug that could cause the target to reload. QNAP released a fix for their NAS devices to address an unspecified flaw that could allow for remote code execution.

Debian-related updates this week for Git, tiff, libtirpc and libytnef.

ICS-specific updates this week came from Advantech, Dahua, Hikvision, Rockwell Automation (Stratix and ControlLogix) and Siemens (devices using PROFINET, S7, SIMATIC).
