Weekly Threat Report 13th January 2017

Created:  13 Jan 2017
Updated:  13 Jan 2017
This report is drawn from recent open source reporting.

The year of ransomware... how 2016 has been widely described in the cyber security media.

There has been numerous UK incidents targeting academia, Government departments, industry, CNI sectors and individual users.  Using ransomware as an attack technique has become popular because it is easy to carry out and can be financially lucrative.

Ransomware can infect a system via  unpatched software vulnerabilities or duping unsuspecting users into installing the ransomware themselves. Once downloaded ransomware will typically lockdown a system or encrypt data files. A message usually appears with 'helpful' instructions about how to restore the system or data by paying a fee.

Many victims have paid for their systems or data to be restored. However, there is evidence that despite paying ransoms some victims are still unable to access their data. Although it is a matter for the victim whether to pay, industry and members of the public are encouraged to contact ActionFraud should they see themselves targeted.

Recently criminals have been targeting departments or individuals within an organisation that are more likely to open an unknown attachment. For example, UK schools were targeted by telephone phishing scams where criminals obtained individual email addresses by claiming to have sensitive documents (e.g. exam guidance) that only the head teacher could view. Human resource departments have also been targeted by spear-phishing emails supposedly from potential candidates containing job application attachments. 

In 2017 there will most likely be further innovations in ransomware and its delivery as cyber criminals exploit new opportunities. NCSC guidance on how to defend against ransomware can be found here:

MongoDB databases being held to ransom

This week, security researchers have reported a significant increase in cyber-attacks involving a ransom demand against users of MongoDB: a free open-source database program used by millions of customers, including some high profile companies.

Alternate to the more common ransomware method of encrypting the victim’s data, this current campaign has seen malicious actors access and copy data held in databases, delete the original data and replace it with a ransom note demanding at least 1 bitcoin (approx. £870) for the data to be returned.

Approximately 200 MongoDB databases across the world were known to have been targeted at the end of December 2016. But security researchers have now reported a significant increase, with the number of databases attacked spiking from 12,000 to 27,000 in a single day. Malicious actors are taking advantage of companies using default configurations, which do not require password authentication to access databases. We recommend users upgrade to the latest version that requires authentication or enable authentication on older versions.

Open source software used by small to large businesses provides a wide target base for malicious actors who can successfully infiltrate them, which can not only be exploited for monetary gain but also commercial intelligence. We also assess that this variation of a ransom attack could be an attempt by malicious actors to circumvent existing joint initiatives between industry and law enforcement that seek to help ransomware victims decrypt data without having to pay the ransom.

Italian siblings arrested for cyber espionage

A London-based Italian nuclear engineer and his sister have been arrested on cyber espionage charges in a joint operation between Italian police and the FBI. The pair are accused of using a malware product called EyePyramid to target over 18,000 email accounts, including those of two Italian prime ministers, the head of the European Central Bank, businessmen, bankers, academics, major companies, police officials and even Vatican cardinals.

The pair are said to have carried out a cyber espionage campaign from at least 2010 using a botnet to acquire information from people in senior financial political positions. The stolen data was stored on servers in the US that have now been seized by the FBI. The malware reportedly included a keylogger that enabled the suspects to capture usernames and passwords.

The campaign came to light after the head of security of the state-owned Italian air traffic services company ENAV received a spear-phishing email. A cyber security company analysed it and found similarities with previous targeted malware campaigns, prompting a police investigation which exposed the suspects’ activities.

The suspects’ motives are unclear. According to Italian police, they may have used confidential information to make investments through a company they owned. If so, it would illustrate how criminals can use cyber espionage to engage in so-called “outsider trading” by stealing market-sensitive information which can then be used to generate income.


Microsoft has issued its smallest ever Patch Tuesday this week with only 4 bulletins, only two of which were rated critical. The critical updates related to MS Office (MS17-002) and Adobe Flash Player (MS17-003), the two important updates relate to the Edge browser (MS17-003) and Local Security Authority Subsystem Service (LSASS) (MS17-004).

Adobe has separately released its own updates this week to update Adobe Flash Player ( and Acrobat ( The latest Flash Player updates fix multiple bugs which could allow remote users to obtain sensitive information or execute arbitrary code [CVE-2017-2938]. The Acrobat update addresses multiple flaws which could let remote users bypass security controls and execute arbitrary code [CVE-2017-2947].

Was this report helpful?

We need your feedback to improve this content.

Yes No