Report

Weekly Threat Report 22nd December 2017

Created:  22 Dec 2017
Updated:  22 Dec 2017
NCSC Threat Report
This report is drawn from recent open source reporting.

Ransomware fears cause companies to hoard Bitcoin

Companies are reportedly stockpiling cryptocurrencies to hedge against the possible need to pay off cyber criminals. Some firms are said to be investing in Bitcoin and Ethereum to ensure that they have cryptocurrency funds available if they are affected by a ransomware attack. A survey carried out earlier this year by Citrix found that 42% of companies surveyed were building cryptocurrency stockpiles for ransomware payments, with 28% holding more than 30 bitcoins. The cost of paying ransoms is increasing rapidly along with the value of the cryptocurrencies in which they are paid, so by investing now, some companies hope to ensure that the cost of a ransom is less pricey than it might be later.

However, this approach comes with its own risks, as such holdings may themselves be targeted. With a single bitcoin now worth over $17,000 (£12,000), a company’s cryptocurrency wallet can be worth a substantial amount to a cyber criminal.

The NCSC’s website provides further advice to organisations that may be affected by ransomware. The NCSC does not offer advice on whether or not companies should invest in Bitcoin. While it is a matter for the victim whether or not to pay a ransom, the National Crime Agency encourages industry and the public not to do so.

Daesh cyber threats fail to materialise

Pro-Daesh hacking group “Caliphate Cyber Ghosts” recently threatened to hack US government and corporate websites, declaring electronic war against those countries fighting against the terrorist group. They have subsequently claimed to have successfully hacked the sensitive sites of the US Army, the Interior Ministry, the State Department and other government websites. They also claim to have breached sites such as the Geological Society of Nevada and legal website ‘Divorce Store’.

However, there has been no evidence of hacking of sensitive government data. This follows the general trend over the last year of a number of pro-Daesh cyber groups who have threatened to conduct cyber attacks to no real effect.

New Android malware can melt mobile phones

A newly discovered family of Android malware can put so much load on mobile phones that it can cause physical damage, according to cyber security researchers.

The Loapi family of Android Trojans has been described as a “jack of all trades” for its wide variety of functionality, ranging from participating in distributed denial of service attacks to signing the user up to paid subscription services. It also includes a module that mines the cryptocurrency Monero by using the phone to generate new coins for the malware’s authors. These activities put so much demand on the phone’s CPU that it generates considerable heat, which the researchers found caused the battery in their test phone to bulge and deform the cover after two days of activity.

Loapi is being distributed via advertising campaigns which mimic genuine antivirus products and adult websites. It repeatedly asks the user for device administrator permissions and, once installed, seeks to delete antivirus software already on the device. It can then carry out a range of malicious functions.

The NCSC recommends in its guidance that enterprise-managed devices are configured to only run apps that have been added to a whitelist (hence blocking other malicious apps). Where this approach is not feasible, users should only install apps from a device’s built-in store such as Google Play.

Zeus Panda (Panda Banker) Targeting Festive Shoppers

Shoppers are being reminded to be careful when purchasing goods online following a recent code update for Zeus Panda (aka Panda Banker) malware. In time for the festive season, the code update included a newly configured hit list targeting high street shops online as well as travel and online streaming sites – all intended to reflect the festive holiday shopping and habits of users.

The malicious code is injected into the websites and is designed to steal login credentials such as name, address, date of birth, mother’s maiden name, credit card information and mobile telephone number. Zeus Panda previously targeted the financial sector and has seen a relatively quiet 2017. As it is sold as a commercial malware, Zeus Panda is used by many criminal groups, and no particular group has been identified as being responsible for its use. Different variants of the malware over the past two years have been used to target payment systems, banks, airlines and online gaming sites. The NCSC would remind users of the importance of keeping antivirus services up to date, following safety warnings if shown by the web browser, and avoiding clicking on unknown links in unsolicited emails.

Wannacry attributed to North Korea

Media outlets reported the US attribution of the “WannaCry” cyber attack to North Korea. Writing in the Wall Street Journal, Homeland security adviser Tom Bossert stated:

“The attack was widespread and cost billions, and North Korea is directly responsible. We do not make this allegation lightly. It is based on evidence. We are not alone with our findings, either. Other governments and private companies agree.”

Mr Bossert’s assertions were followed up with a statement from UK Foreign Office Minister Lord Ahmad who said:

“Britain's National Cyber Security Centre (NCSC) assesses it is highly likely that North Korea's Lazarus hacking group were behind the WannaCry campaign.”

The NCSC started investigating a potential DPRK link on Friday 12 May and, within a week, had identified malware code overlaps linking the incident to Lazarus Group. The NCSC led the technical investigation into the WannaCry attack and published guidance on its website to help organisations and home users mitigate the impact of the incident..

  • NCSC advice and guidance can be seen here.
  • Lord Ahmad’s full statement can be seen here.

Was this report helpful?

We need your feedback to improve this content.

Yes No