Weekly Threat Report 17th March 2017

Created:  17 Mar 2017
Updated:  17 Mar 2017
This report is drawn from recent open source reporting

Ransomware for political ends

Cyber security company Palo Alto Networks has recently identified a new type of ransomware, seemingly designed for political ends. Ransomware is generally used by cyber criminals for monetary gain: it encrypts data and forces infected users to pay a financial ransom to recover their files. In this case, however, the ‘RanRan’ ransomware demanded a political statement in return for the decryption key. The victim was instructed to create a sub-domain of their public-facing website with a defamatory name relating to a political leader, and to announce that they had been hacked.

Palo Alto Networks does not identify the actor responsible, but notes several mistakes in the ransomware code, as well as the reuse of publicly available source code. Importantly, the ransomware did not achieve its objective in this case: the ransom demands appear not to have been met. This represents a novel use of ransomware and an interesting evolution of the threat. Although this iteration was unsuccessful, these or other actors may seek to develop more sophisticated ways of achieving political ends through ransomware. The NCSC provides guidance on protecting your organisation against ransomware threats.

Researchers investigate zero-day vulnerabilities

RAND Corporation has published a report into zero-day exploits, estimating their lifespan and the likelihood of the same vulnerability being discovered independently by more than one researcher. A vulnerability is called ‘zero-day’ if it is not yet known to the vendor or the public, so no patch is available; an exploit for such a vulnerability is a zero-day exploit.

Analysing a security researcher’s database of exploits, the study estimates that a typical zero-day remains viable for 6.9 years. Some exploits stopped working because the underlying vulnerability was discovered and patched after others found it independently; others were fixed inadvertently during routine software updates.

The report notes that affordable zero-day vulnerabilities can be bought for almost any target. Since network defenders cannot anticipate the details of such attacks, they may instead accept that occasional intrusions are inevitable and design networks to minimise the impact of a successful attack: limiting what any one compromised host can reach, and monitoring for suspicious activity so that an intrusion is detected and contained quickly.

Most attacks target well-known vulnerabilities on unpatched systems, or socially engineer users into inadvertently compromising their own machines. Regular patching, and the other elements of the NCSC’s 10 Steps to Cyber Security, remain best practice.

Joint NCA and NCSC annual report launched

The first joint National Cyber Security Centre (NCSC) and National Crime Agency (NCA) annual report was published this week. ‘Cyber threat to UK business 2016’ provides an in-depth analysis of evolving threats.

The report elaborates on five ‘game-changing’ events (the Ukraine power attack, the Bangladesh Bank heist, the DNC hack, the Mirai botnet and the Yahoo! data breaches). It also provides a thematic assessment for industry, drawing out trends from events seen in cyberspace and offering a predictive analysis of what could happen over the next 12 months.


The main headline this week is the Apache Struts remote code execution vulnerability [CVE-2017-5638], for which an emergency patch was released last week. The flaw is in the Jakarta Multipart parser, which can be made to evaluate an OGNL expression supplied in a crafted Content-Type header, so any Internet-facing Struts 2 application is exposed and should be upgraded promptly. An advisory has been released on CiSP for this vulnerability; readers are encouraged to read it and to refer to the linked CiSP thread for up-to-date findings, IOCs and discussion with the rest of the community.
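Two checks a practitioner would want for CVE-2017-5638, written here as an added example (this is not code from the NCSC, CiSP or the Apache project): a version test against the affected and fixed struts2-core versions from Apache advisory S2-045 (2.3.5 to 2.3.31 and 2.5 to 2.5.10 affected; 2.3.32 and 2.5.10.1 fixed), and a scan of request logs for Content-Type headers carrying OGNL expression markers. The log format and the log lines are constructed for the example.

```python
"""Two checks for CVE-2017-5638 (Apache Struts 2, advisory S2-045).

Added example, not code from the NCSC, CiSP or the Apache project. Facts relied
on: the flaw is OGNL injection via the Content-Type header handled by the
Jakarta Multipart parser; affected versions are 2.3.5-2.3.31 and 2.5-2.5.10;
fixed versions are 2.3.32 and 2.5.10.1. The log format and the log lines below
are constructed for this example and are not real traffic.
"""
import re
from typing import List, Tuple

# Version boundaries from S2-045, padded to four components so that
# '2.5' and '2.5.10' compare correctly against '2.5.10.1'.
FIRST_VULN_23 = (2, 3, 5, 0)
FIXED_23 = (2, 3, 32, 0)
FIRST_VULN_25 = (2, 5, 0, 0)
FIXED_25 = (2, 5, 10, 1)


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.5.10.1' -> (2, 5, 10, 1); '2.5' -> (2, 5, 0, 0).

    Expects a bare version string (not a jar file name); a suffix such as
    '-SNAPSHOT' is ignored.
    """
    parts = [int(p) for p in re.findall(r"\d+", version)][:4]
    return tuple(parts + [0] * (4 - len(parts)))


def struts_version_is_vulnerable(version: str) -> bool:
    """True if a struts2-core version falls inside either range fixed by S2-045."""
    v = parse_version(version)
    return FIRST_VULN_23 <= v < FIXED_23 or FIRST_VULN_25 <= v < FIXED_25


# Markers of an OGNL expression smuggled into Content-Type. A legitimate
# multipart upload sends 'multipart/form-data; boundary=...' and never
# contains these. This is a heuristic: a probe can vary its syntax, so a
# hit means "investigate", not "confirmed exploitation".
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "@ognl.OgnlContext@")

# Constructed log format: timestamp src_ip method path "content-type"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def content_type_is_ognl_probe(content_type: str) -> bool:
    return any(marker in content_type for marker in OGNL_MARKERS)


def find_ognl_probes(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Return (src_ip, path) for every request whose Content-Type looks like an OGNL probe."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the constructed format; skip it
        _ts, src_ip, _method, path, ctype = m.groups()
        if content_type_is_ognl_probe(ctype):
            hits.append((src_ip, path))
    return hits


# Constructed sample: one normal upload, one probe (a harmless placeholder
# expression, not a working exploit), one request with no Content-Type.
SAMPLE_LOG = """\
2017-03-08T10:12:01Z 198.51.100.23 POST /app/upload.action "multipart/form-data; boundary=----WebKitFormBoundaryx7"
2017-03-08T10:12:05Z 203.0.113.7 POST /app/index.action "%{(#_='multipart/form-data').(#probe=1)}"
2017-03-08T10:12:09Z 203.0.113.7 GET /app/index.action "-"
""".splitlines()


if __name__ == "__main__":
    for ver in ("2.3.31", "2.3.32", "2.5.10", "2.5.10.1"):
        print(ver, "vulnerable" if struts_version_is_vulnerable(ver) else "fixed")
    for src_ip, path in find_ognl_probes(SAMPLE_LOG):
        print("OGNL probe from", src_ip, "against", path)
```

Two caveats when using this for real. The default access-log formats of common web servers do not record the Content-Type request header, so the header has to be logged explicitly (or inspected at a proxy or WAF) before the scan has anything to match on. And the version test only says whether the jar is in the affected range; the bug is reachable through the Jakarta Multipart parser, which is the Struts 2 default, so assume exposure unless you have verified that a different parser is configured.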

Microsoft has released 18 bulletins this month, of which 9 are rated critical. This is more updates than normal because it includes those held back from last month. Among them is a fix for an SMB vulnerability that was publicly disclosed before a patch was available; there have been no reports of breaches involving it, but it should be applied promptly.

VMware released updates for Workstation and Fusion to fix elevation-of-privilege bugs.

Symantec Web Gateway fixed an input validation flaw; HPE Intelligent Management Center fixed a vulnerability that allowed remote users to bypass authentication on the target system; and IBM WebSphere also released a fix for an elevation-of-privilege issue.

Elsewhere this week there were updates from WatchGuard, MantisBT, Xen/QEMU and Adobe Shockwave Player.

On the Debian and Ubuntu side, there were updates for the Linux kernel itself, along with NetworkManager (Ubuntu), Firefox ESR, ImageMagick, MariaDB, Pidgin and icoutils.

On the ICS side there was only one update this week, from Schneider Electric for ClearSCADA, fixing an input validation error.
