Petya Ransomware Using Disk Level Encryption

The latest ransomware works at the disk level rather than file by file: instead of encrypting individual documents it encrypts the master file table (MFT), the NTFS index that records where every file on the volume lives, so the whole disk becomes unreadable and can only be decrypted if payment is made. The new ransomware is called Petya and victims are being targeted through phishing emails.

Travis Smith, Senior Security Research Engineer at Tripwire commented,

“By encrypting the entire disk, it increases the cost to legitimately recover files without paying the ransom. Consumers may not have the technical capability to re-install their operating system and other applications accumulated over the life of the PC. For businesses, the increased costs means criminals can charge a higher ransom knowing their targets will have to also spend more on an alternative solution.

End users must stay vigilant in the fight against ransomware. Don’t click on links or open attachments which are unsolicited. Backups should be kept up to date and offline to reduce the likelihood of having to pay to recover critical data.”
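The security-relevant point in the comment above is that disk-level ransomware works below the file system, so the usual file-level indicators are absent. One practical check that follows from that, added here as an example and not code from the original page, from Tripwire or from any published Petya analysis: parse the first sector of a drive, confirm the 0x55AA boot signature, list the partition table and compare a SHA-256 of the bootstrap code against a baseline recorded when the machine was known clean. Replacing the bootloader changes that hash even when the partition table is left intact. The page says nothing about Petya's on-disk layout beyond "disk level encryption", so this detects any swapped bootstrap code, not Petya specifically. The sample sectors are constructed inline; reading the live sector (for example `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux, both assumed paths) needs administrator rights and is left to the reader.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: executable bootstrap code
PARTITION_ENTRY_LEN = 16      # four 16-byte entries at offsets 446..509
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
# status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count; little-endian
ENTRY_FMT = "<B3sB3sII"


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: the given bootstrap code plus one bootable NTFS partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    ntfs = struct.pack(ENTRY_FMT, 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 2097152)
    table = ntfs + b"\x00" * PARTITION_ENTRY_LEN * 3
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature, hash the bootstrap code and list the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector, got %d bytes" % len(sector))
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + i * PARTITION_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(
            ENTRY_FMT, sector[off:off + PARTITION_ENTRY_LEN])
        if ptype != 0:  # type 0x00 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_boot_code(sector: bytes, baseline_sha256: str) -> dict:
    """Compare the bootstrap code hash with a baseline taken while the machine was known clean."""
    info = parse_mbr(sector)
    info["boot_code_matches_baseline"] = info["boot_code_sha256"] == baseline_sha256
    return info


if __name__ == "__main__":
    # Constructed stub bootstrap standing in for the clean machine's real boot code.
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
    baseline = parse_mbr(clean)["boot_code_sha256"]
    # Constructed 'tampered' sector: identical partition table, different bootstrap code.
    tampered = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 64)
    for label, sec in (("clean", clean), ("tampered", tampered)):
        result = check_boot_code(sec, baseline)
        print(label, "matches baseline:", result["boot_code_matches_baseline"], result["partitions"])
```

Record the baseline hash somewhere the ransomware cannot reach (the same offline store as the backups the comment recommends); a baseline kept on the disk being checked can be rewritten along with the bootloader.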



1,400 vulnerabilities found in CareFusion medical equipment

An ICS-CERT advisory has alerted the public to vulnerabilities in CareFusion’s Pyxis SupplyStation system (a product that dispenses medical supplies, not medication). The flaws are remotely exploitable, and because the affected versions of the system are end-of-life it appears unlikely that they will be patched. For customers that do not pursue the remediation path of upgrading their devices, CareFusion is offering compensating measures to help reduce the risk of exploitation.

Fraser Kyne, Regional Systems Engineering Director at Bromium offered @DFMag the following expert opinion,

“This vulnerability announcement provides further proof of the dangers of continuing to use unprotected, out of support Operating Systems and tools. However, all businesses (and particularly hospitals) are faced with the need to avoid costs by sweating their computing tools and assets for as long as possible.

The report states clearly that “These vulnerabilities could be exploited remotely”, and provides sane advice such as “Isolate affected products from the Internet and untrusted systems”. The problem is that we want to use our systems to run critical secure processes, and at the same time we want to run completely unsafe processes such as web browsing and email on the same devices. Isolation is a solid security principle, but we shouldn’t have to compromise between security and functionality.

There are ways to achieve this isolation with today’s technology, hardware and Operating Systems – so that we can really get the best of both worlds. However, to achieve this we have to take a step forward from the past, and realise that it’s not possible to simply place a band-aid over the truly legacy systems on our networks.

So, isolation is the best approach. Either isolate the as-is affected systems as advised, or move to a hardware-isolation model on current OS and hardware that will allow you to blend security and functionality; and to avoid such threats in the future.”

Details on CareFusion product security and privacy are located here.

Specific info for end of life Pyxis SupplyStation can be found here.



TreasureHunt malware strain stealing payment data – expert comment

FireEye announced the discovery of a new POS malware family earlier this week, called TreasureHunt (also known as TreasureHunter). The malware scrapes card data from the memory of processes running on the point-of-sale system and then transmits it to a server operated by cyber criminals. FireEye attributes this family, and the overall rise in POS malware, to the ongoing EMV transition: two out of five US retailers still haven’t converted to EMV systems, which FireEye says are resistant to the mag-stripe interception that malware such as TreasureHunt relies on.

You can see some reports on this malware below:

Malware Strikes Merchants Behind The EMV Curve

POS Malware Tool ‘Treasurehunt’ Targets Small US-Based Banks, Retailers

Commenting on the EMV angle, George Rice, senior director, payments at HPE Security – Data Security, said:

“First, EMV provides no protection for the transmission of sensitive payment information to the acquiring bank. After the EMV card validation process, the cardholder data must be delivered safely to the payment processor. By default, EMV does not provide ANY protections of data in transit to the processor. Criminals use POS malware, memory scrapers and other covert technologies to capture all of the payments data they need from unsuspecting retailers, despite the use of EMV. When such data breaches occur, retailers pay a hefty toll in the form of lost revenue, fines and penalties, executive job loss and even board-level lawsuits.

Second, EMV does nothing to stop the use of stolen card information in online and mobile transactions. Criminals know they can monetise their card data heists by using the information in card-not-present purchase environments. And for the time being, criminals can use stolen cardholder data to create and use bogus mag-stripe cards until EMV has been ubiquitously deployed across the US market. The Merchant Advisory Group estimates that only 20 percent of 13.9 million POS devices at U.S. merchant locations will be EMV capable by October or shortly thereafter.”
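The mechanism both FireEye's description and Rice's "memory scrapers" refer to is a search of process memory for the magnetic-stripe track layout, because card data sits unencrypted in the POS application's memory between the read and the transmission to the processor. The block below is an added example, not FireEye's analysis or TreasureHunt's own code, of the same search run defensively over a memory dump: it matches the Track 1 and Track 2 layouts, discards digit runs that fail the Luhn check, and reports masked PANs so the scan output does not itself become a card-data leak. The "memory" buffer is constructed inline, with one Luhn-invalid lookalike included; the test PANs are the usual publicly known test numbers, not real accounts.

```python
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    rb"%B(?P<pan>[0-9]{13,19})\^(?P<name>[^\^]{2,26})\^(?P<exp>[0-9]{4})(?P<svc>[0-9]{3})[^?]{0,40}\?")
TRACK2_RE = re.compile(
    rb";?(?P<pan>[0-9]{13,19})=(?P<exp>[0-9]{4})(?P<svc>[0-9]{3})[0-9]{0,40}\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn check digit test; filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 0x30
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """First six and last four digits only, the usual display form for a PAN."""
    s = pan.decode("ascii")
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def scan_for_track_data(buf: bytes) -> list:
    """Return Luhn-valid track-data hits found in a memory buffer, ordered by offset.

    Known limitation: a digit run immediately before a real PAN can hide it, because the
    greedy PAN group swallows the extra digits and the Luhn test then fails."""
    hits = []
    for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group("pan")
            if not luhn_ok(pan):
                continue
            hits.append({"track": track, "offset": m.start(), "pan_masked": mask_pan(pan),
                         "expiry": m.group("exp").decode("ascii"),
                         "service_code": m.group("svc").decode("ascii")})
    hits.sort(key=lambda h: h["offset"])
    return hits


# Constructed sample of POS process memory: order data, one Track 1 record, one
# Luhn-invalid lookalike and one Track 2 record, separated by NUL padding.
SAMPLE_MEMORY = (
    b"\x00" * 8
    + b"ORDER=1772;TOTAL=4599\x00"
    + b"%B5500000000000004^DOE/JANE^25121011000000000?\x00\x00"
    + b"log: 1234567890123456=2512101000000?\x00"
    + b";4111111111111111=25121010000000000000?\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_MEMORY):
        print(hit)
```

In a live investigation the buffer would come from a process dump of the POS application (or a full memory image); the important operational point is that the scanner never writes the unmasked PAN anywhere, since the analyst's report is subject to the same card-data handling rules as the POS itself.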



NIST Cybersecurity Framework Adoption Linked to Higher Security Confidence According to New Research

More organisations plan to adopt the NIST Cybersecurity Framework in the next 12 months than any other IT security framework, yet many struggle to implement the full range of best practices

Tenable Network Security revealed that overall security confidence was higher for organisations leveraging the U.S. National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework), according to findings from the Trends in Security Framework Adoption Survey.

The survey tallied responses from more than 300 U.S. security professionals from organisations of all sizes across key industry verticals to better understand the adoption patterns of the top security frameworks. While 84 percent of survey respondents reported using at least one security framework, 16 percent still do not leverage any security framework. According to survey data, the NIST Cybersecurity Framework is the most likely security framework to be adopted by organizations over the next year.

“Historically, CISOs have been hesitant to take full advantage of the NIST Cybersecurity Framework because of a high investment requirement and a lack of regulatory mandate,” said Ron Gula, CEO, Tenable Network Security. “This is changing as organisations begin to shift their mindset from moment-in-time compliance with frameworks like PCI DSS to continuous conformance with the NIST Cybersecurity Framework.”

Despite 70 percent of respondents praising the NIST Cybersecurity Framework as an industry best practice, more than 50 percent of current and future adopters said the level of investment needed in order to fully conform with the framework was high.

The lack of regulatory requirement and high perceived investment means many organizations that have already adopted the NIST Cybersecurity Framework do not implement all of its recommendations. Sixty-four percent of respondents from organisations currently using the NIST CSF reported implementing some of the NIST recommended controls, but not all of them. Similarly, 83 percent of organisations that plan to adopt the NIST Cybersecurity Framework in the next year said they will adopt some, but not all of the NIST Cybersecurity Framework controls.

To make it easier for companies and government organisations to adopt and benefit from the NIST Cybersecurity Framework, Tenable recently introduced its NIST CSF solution, which includes the industry’s first and only NIST CSF dashboards, in Tenable’s SecurityCenter Continuous View™.

“The NIST Cybersecurity Framework is one of the most thorough and reliable cybersecurity frameworks available, but it can be challenging for CISOs to conform to these standards all the time,” said Gula. “Tenable’s NIST Cybersecurity Framework solution helps automate and simplify NIST framework adoption, giving organizations the complete visibility and critical context needed to continuously conform to NIST best practices.”

For more information on how organisations can automate the assessment and operation of more than 90 percent of NIST Cybersecurity Framework technical controls to measure conformance across the entire IT environment, visit

Original research for the Trends in Security Framework Adoption Survey was commissioned by Tenable and conducted by Dimensional Research, a market research firm providing practical insights for technology companies. To view or download an executive summary of the research findings, visit



Tripwire on the encryption debate

The legal battle between Apple and the FBI over whether the Federal Government can compel a manufacturer to build software that defeats its own smartphone security protections in aid of a law enforcement investigation might be coming to an end, but the debate is just heating up on Capitol Hill and now over in Europe, where recent terrorist attacks have law enforcement pushing for access to digital data.

Tripwire recently took a survey of 198 security professionals attending the RSA Conference 2016. Of those surveyed, 82 percent of respondents said it is either very likely or certain that cybercriminals would abuse the government’s capability to access encrypted data if technology companies are required to provide it.

Tim Erlin, Director of IT Security and Risk Strategy for Tripwire told @DFMag,

“The encryption debate is truly a collision of politics and technology. It’s as if the two sides speak completely different languages. While one side of the debate demands legislated access to encrypted data, the other side expounds how it’s not technically feasible without compromising encryption generally.

The question of government access to encrypted data is the tip of the spear for an ongoing battle over the trustworthiness of government. The majority of citizens want to catch terrorists and other criminals, but they also don’t trust law enforcement, or government generally, not to abuse such access.”



Expert insight on Malware Scam Using Fake Speeding Ticket Email but Accurate Speed Data

In Tredyffrin, Pennsylvania, near Philadelphia, a new malware scam is under way in which some residents receive fake speeding-ticket emails that nonetheless contain accurate speed data. Officials suspect the data comes from an app on the victims’ phones that has permission to track GPS location. The email asks the recipient to click a link, which then downloads malware.

Craig Young, Cybersecurity Researcher for Tripwire told @DFMag;

“Many consumers will readily dismiss the possibility that someone would care about their location data but this is a prime example of how this seemingly low value data can play into a larger attack. While a fake speeding ticket email might ordinarily be recognized as fake and ignored, including a person’s name along with a road they regularly drive immediately gives authenticity to the scam making it far more likely that the attack will succeed. Social engineering is one of the most fundamental tools in the hacking toolkit and every hacker knows that realism is key in these efforts.

There are a variety of possibilities for how this attack is being orchestrated but the very localized nature of the attack could be an indicator of where the personal data is coming from. One scenario which comes to mind is that the attacker is actually local to that area and is making use of malicious Wi-Fi networks to collect unencrypted data sent from victimized mobile phones. Many apps are known to send location and other personal data to ad networks with an insecure connection but it is questionable whether someone could collect enough location data in this manner to produce fake speeding tickets. Another possibility is that an app which is legitimately collecting location data may have been breached on the backend revealing a trove of personal data. The attacker may have then decided to limit initial attacks to a small area while attempting to perfect the technique. I would recommend that the local police look for common apps installed across residents who have been targeted by the scam.”



Expert Insight: ‘Trolls’ who create fake profiles face criminal prosecution

Following the news that lawyers will be advised to prosecute “trolls” who use fake online profiles to harass others, I’d like to share with you the following insights from Lee Munson, Researcher at

“The fact that the Crown Prosecution Service is considering charging online trolls who create fake profiles is, by and large, to be welcomed. 

“While existing legislation already allows for prosecutions in the most serious of cases, such as the systematic abuse of journalist Caroline Criado-Perez and MP Stella Creasy on Twitter, it is not much help to lower profile victims of what can only be described as a hate crime. 

“Considering how widespread the problem is, it will be interesting to see just how many cases an overworked judiciary system can cope with but, at the least, this move should send out a message that will deter a proportion of online abusers who lack the skills required to mask their identities. 

“On the flip-side, I can only hope the legal profession do not see the new guidelines as a carte blanche opportunity to out all anonymous posters or target parody accounts – after all, none of us in the information security industry would wish to see the end of Swift On Security, would we?”



Peering through the cloud – Expert Digital Forensics Insight

By Shahaf Rozanski, director of forensic products at Cellebrite

Obscured by clouds

With there now being more mobile phones on the planet than people, and smartphones set to reach saturation within ten years, the data held on them has become vital evidence for police forces. However, as apps (and the data held within them) have moved into the cloud, police forces have struggled to follow that data into the ether. Law enforcement agencies could be missing critical evidence if they do not have the technology in place to extract and analyse it.

What makes this data so valuable is that an increasingly large proportion of the information accessed on a modern device, whether via Gmail, Dropbox or WhatsApp, is actually stored in the cloud rather than on the device itself. It is therefore not data that can easily be reached with traditional mobile or PC extraction techniques. Yet it is rich in potential case-solving content for police officers. For example, applications designed to give the user a more accurate search experience keep, as a side effect, a minute-by-minute log of where the device was at any given moment, which can place a suspect at the scene of a crime or corroborate an alibi.

The issue is that, historically, there has been no streamlined or standard method for gaining access to cloud-based data, and there are a number of challenges in extracting it. One of the main issues has been the paradigm shift in consumers’ view of their own security and privacy in the wake of numerous scaremongering media stories. Consumers no longer allow global access to their data, but make their social media content and information ‘private’ so that only friends and family can view it. This has made it more difficult and time-consuming for law enforcement agencies to extract the required data without the subject revealing their credentials, and it raises the fear that the data may not be forensically preserved.
The Goldilocks effect

Identifying evidence in the cloud is a particular challenge because of the sheer amount of data now housed there, with current estimates suggesting that at least 2.5 quintillion bytes of data are added every day[1]. Too much, and a search might be overbroad; too little, and investigators could miss important data for their case.

There are a number of challenges law enforcement agencies experience when relying on service providers to extract and provide the desired data. Firstly, there are the costly legal procedures associated with filing an MLAT (mutual legal assistance treaty) request, as the data often resides cross-border. Secondly, a provider’s response will often be far from swift, more likely measured in weeks or months. Finally, there is the difficulty of a siloed analysis of a likely incomplete data set from multiple providers.

For investigators, this collection and analysis of data from distributed and disparate sources is challenging but unavoidable, as perpetrators will likely use multiple services from different providers. Yet they need to persevere, as data from multiple social media, file sharing or location-based accounts (or mobile devices) will enable them to contextualise a suspect’s or victim’s activities, while showing an investigator’s due diligence in building a case.
Extinguishing the burner phone

When investigators can reach cloud data effectively, the risk of missing content, its context and its meaning is reduced. Viewing and capturing data in context, and placing it alongside other data from the suspect’s mobile device or the operator’s call detail records, gives investigators further insight into how evidence correlates and helps build a solid case.

Even in cases where a wily suspect has used a so-called ‘burner phone’ to conceal their identity, commonalities will likely exist between devices and cloud accounts. Investigators will therefore still be able to tie devices and accounts to a suspect.
Be mindful of legal obligations

It is important for police forces to be mindful of their legal obligations regarding data privacy. An investigation therefore begins, under the proper legal authority, by extracting user data, including credentials and cloud access keys, from the subject’s mobile device. This account-based approach means that investigators selectively acquire only the cloud data associated with that specific user (unless the account is shared), which preserves the privacy of other tenants co-located on the same cloud server and minimises the problem of evidence scattered across different storage locations.

Cloud analysers designed for police forces promote forensic best practice around validation and authentication by relying on provider APIs to perform extractions. They then compute a cryptographic hash of each individual artefact and, separately, of its associated metadata; a hash does not disguise the data, it is a fingerprint that changes if a single byte of the input changes. Not only does this ensure repeatability; it also allows proper validation against records obtained directly from the service provider. This in turn speeds access to evidence and makes it immediately actionable for the investigation.
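The two separate hashes described above are what make a cloud extraction repeatable and checkable against provider records: content and metadata can each be re-fetched later and compared on their own, so a changed timestamp is distinguishable from a changed message body. The block below is an added illustration of that practice and is not Cellebrite's code; the manifest layout, the artefact identifiers and the two sample artefacts (a chat message and a cloud-stored file) are all constructed here. Metadata is serialised canonically (sorted keys, fixed separators) before hashing so that the same record always produces the same hash regardless of the order in which a provider API returns its fields.

```python
import hashlib
import json


def canonical_json(obj) -> bytes:
    """Deterministic serialisation so identical metadata always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_artefact(content: bytes, metadata: dict) -> dict:
    """Hash the artefact body and its metadata separately, keeping the metadata alongside."""
    return {
        "content_sha256": sha256_hex(content),
        "metadata_sha256": sha256_hex(canonical_json(metadata)),
        "metadata": metadata,
    }


def build_manifest(artefacts: dict) -> dict:
    """artefacts: {artefact_id: (content_bytes, metadata_dict)}; adds a hash over the whole manifest."""
    entries = {aid: hash_artefact(content, meta) for aid, (content, meta) in artefacts.items()}
    return {"entries": entries, "manifest_sha256": sha256_hex(canonical_json(entries))}


def verify_artefact(manifest: dict, aid: str, content: bytes, metadata: dict) -> dict:
    """Check a re-acquired artefact (or the provider's own record of it) part by part."""
    entry = manifest["entries"][aid]
    return {
        "content_ok": sha256_hex(content) == entry["content_sha256"],
        "metadata_ok": sha256_hex(canonical_json(metadata)) == entry["metadata_sha256"],
    }


def verify_manifest(manifest: dict) -> bool:
    """Detect edits to the manifest itself, e.g. an entry altered or removed after sign-off."""
    return sha256_hex(canonical_json(manifest["entries"])) == manifest["manifest_sha256"]


# Constructed sample extraction: one chat message and one cloud-stored file (placeholder bytes).
SAMPLE_ARTEFACTS = {
    "msg-0001": (b"see you at the station at 9",
                 {"source": "chat-app", "sender": "+15550100", "timestamp": "2016-03-28T08:52:10Z"}),
    "file-0002": (b"%PDF-1.4 (constructed placeholder, not a real document)",
                  {"source": "file-share", "path": "/docs/itinerary.pdf", "modified": "2016-03-27T21:04:00Z"}),
}

if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ARTEFACTS)
    content, meta = SAMPLE_ARTEFACTS["msg-0001"]
    print(verify_artefact(manifest, "msg-0001", content, meta))           # both parts intact
    print(verify_artefact(manifest, "msg-0001", content + b"!", meta))    # body changed, metadata intact
    print(verify_manifest(manifest))
```

The manifest hash is only as trustworthy as the place it is stored; in practice it is recorded in the case file (or signed) at the time of extraction so that the manifest cannot simply be regenerated after an edit.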
Prepare for the future

Most legacy digital forensic training materials are outdated because they were written before cloud-based environments emerged. Investigators therefore need training not just in cloud forensics policy and procedure, but in the foundations of cloud computing technology itself. Otherwise, a lack of knowledge about cloud technology may hinder remote investigations where systems are not physically accessible and proper tools for investigating the cloud environment are absent.

Cloud data sources represent a virtual goldmine of potential evidence for modern-day forensic investigators. Together with mobile device data, they can capture the details and critical connections investigators need to solve crimes. By peering through the cloud to correlate evidence from multiple cloud-based accounts and disparate data formats, police forces can reduce the risk of missing valuable evidence for their investigations.



Practical Advice for avoiding Cyber Extortion

By – Luis Corrons, Director of PandaLabs

In recent years the massive growth in cyberattacks has forced companies to devote more time and resources to combatting the problem. Cyber extortion has now become the major threat, with high-profile ransomware attacks reported on a daily basis.

“We have seen that during 2015 the number of security breaches in businesses grew; they have become a clear and profitable target for cybercriminal gangs.”

For relatively little effort and technical know-how, a hacker can target an organization using an off-the-shelf ransomware variant and lock down vital company data or deny operations. The attacker then demands a ransom (often payable in Bitcoin) in order to restore the system.

By pitching a ‘Goldilocks’ level of ransom, the hackers maximize the number of organizations without suitable disaster recovery plans (backups) that consider it cost-effective to pay up. Payment does not guarantee that the company will be able to retrieve its files, or that it won’t become a victim again in the future.

To stop an organization becoming a victim of cyber extortion, a combination of security technology, company policy and training is the most important factor in avoiding attack by cybercriminals.

This is why Panda Security has launched its Practical Security Guide to Prevent Cyber Extortion, which gives the following advice on avoiding cyber extortion:

Advise your users: keep them up to date with good practice, current security risks and ‘con’ techniques.

Set out rules for Internet use at work: define rules that restrict access to websites based on their reputation.

Implement a security solution for your needs: make sure you have the right solution for your business according to your infrastructure and requirements.

Establish protocols: control the installation and running of software, and regularly check which applications have been installed.

Always update: set out an update policy and block certain applications on your computers.

The tips above will help reduce the risk of attack, and a reliable ‘off-network’ backup solution is indispensable in the event of a successful ransomware attack.

How can you really protect your company?

“It is time for a change of mentality and a new approach: Endpoint Detection and Response (EDR) solutions are becoming a must for companies that want to be ready for current and emerging threats.”

Panda Adaptive Defense 360 is the first solution that guarantees complete protection of computers and servers, thanks to continuous monitoring of 100% of processes, allowing only legitimate programs to run.

“As a CISO, having the ability to know what processes are running in each endpoint / server, if their behavior is proper, with forensic capabilities in case a breach happens… is a game changer. It will give you the knowledge and facts to act fast and prevent / mitigate new threats in your organization.”

Adaptive Defense 360 includes its own security event management and storage system for real-time forensic analysis of all applications and processes run on your systems.

This and more information on how Panda Adaptive Defense 360 can help protect IT networks against all forms of cyberattack is available at



Expert Comment: Microsoft adds OneDrive to bug bounty program

Following the news that Microsoft has decided to open up their bug bounty programme to find flaws in OneDrive, Terry Ip, Security Consultant at MWR InfoSecurity shared the following expert comment with @DFMag:

“Adding a product to a bug bounty program does not necessarily indicate poor security and it also shouldn’t be used to indicate lack of prior testing. Some companies add products to bug bounty programs to ensure wider coverage of testing by what is essentially a crowdsourcing effort from the security research community, either in place of or in addition to testing by their security vendor. Whilst the bounty can seem large in some cases, the payout is often lower than the costs involved in employing full-time security researchers.

“One of the key things for security researchers to be aware of is adhering to the scope of the bounty program. Going out of scope could result in legal issues or pay out disputes, despite the good intentions of the researcher. Always read the small print before you proceed with testing!”