Maersk Hit by Ransomware Attack

This week, the Alert Logic team highlights two stories: "Maersk Hit by Ransomware Attack" and "WikiLeaks Publishes CIA Tool Suite for Hacking Air-Gapped Networks". Read the full report to learn more and get access to the week's top malicious IP addresses.

Breach

Maersk Hit by Ransomware Attack

Global shipping giant Maersk is among a slew of companies across the globe that were hit by the Petya ransomware. The cyber attack was among the biggest-ever disruptions to hit global shipping. The malware, which researchers are calling GoldenEye or Petya, began spreading in Ukraine on June 27 and affected companies in dozens of countries. Similar to the WannaCry outbreak earlier this year, it also hit the global advertising house WPP and Ukrainian government systems.

References: Maersk Ransomware Attack May Hit 'Tens of Thousands' of Shippers, Warns Analyst | Global Shipping Giant Maersk Is Reeling From the Ransomware Fallout | Rosneft, Maersk Hit by Petya Cyber Attack

Mitigation Strategies:

  • Intrusion detection system (IDS) signatures would detect intrusions and network anomalies.
  • The Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • E-mail filtration would scan incoming files and hyperlinks for malicious links or code.
  • A FIM solution would detect any type of file modification or addition.
  • Log management could detect any suspicious user account activity.

Malware

WikiLeaks Publishes CIA Tool Suite for Hacking Air-Gapped Networks

The latest CIA documents released by WikiLeaks as part of the Vault 7 dump explain how a tool suite called Brutal Kangaroo can infect Windows machines on air-gapped networks by using USB drives. According to the documents, CIA agents can infiltrate a closed network within an organization or enterprise without direct access.

A Brutal Kangaroo infection requires multiple steps. The tool suite uses four components to infect isolated computers and execute arbitrary code. Together, these components create a custom covert network within the target's closed network and provide functionality for executing surveys, directory listings, and arbitrary executables.

References: Brutal Kangaroo: CIA-developed Malware for Hacking Air-Gapped Networks Covertly | Brutal Kangaroo is the CIA Tool Suite for Hacking Air-Gapped Networks | WikiLeaks: CIA's Brutal Kangaroo Toolset Lets Malware Hop onto Closed Networks

Mitigation Strategies:

  • A FIM solution would detect any type of file modification or addition.
  • Intrusion detection system (IDS) signatures would detect intrusions and network anomalies.
  • The Security Operations Center team provides 24x7 security monitoring, daily log review, web application firewall management and advanced anomaly detection.
  • E-mail filtration would scan incoming files and hyperlinks for malicious links or code.
  • Log management could detect any suspicious user account activity and collect system logs of USB activity.
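Both mitigation lists above name file integrity monitoring (FIM) as a control that would flag the file changes a ransomware outbreak or a dropped toolset leaves behind. The following is an added example, not Alert Logic's product code or anything from the report: it builds a SHA-256 baseline of a directory tree, re-hashes it later, and reports added, removed and modified files. The directory contents and the simulated changes in `demo()` are constructed for illustration.

```python
"""Minimal file-integrity baseline and comparison (added example, not a vendor product)."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks to bound memory use."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Map each regular file under root (POSIX-style relative path) to its hash."""
    baseline: dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = hash_file(path)
    return baseline


def compare(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Diff two snapshots: new paths, vanished paths, and paths whose content changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline.keys() & current.keys() if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict[str, list[str]]:
    """Snapshot a constructed tree, tamper with it, and return what FIM would report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"original service binary")  # constructed
        (root / "config.ini").write_text("mode=normal\n")  # constructed

        baseline = build_baseline(root)

        # Constructed changes standing in for the kinds of tampering FIM is meant to catch:
        (root / "bin" / "svc.exe").write_bytes(b"replaced binary")  # modification
        (root / "README.txt.locked").write_bytes(b"opaque blob")  # new file appears
        (root / "config.ini").unlink()  # file removed

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the baseline would be written to storage the monitored host cannot alter, and the comparison would run on a schedule or on file-system events, with the three lists forwarded to the log-management platform the same lists describe so that analysts can correlate them with account and USB activity.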

This Week's Suspicious IP Addresses

111.90.139.247
84.200.16.242
95.141.115.108
185.165.29.78
212.83.151.223
213.32.7.73

*IP addresses provided by Recorded Future.