Category Archives: Cyber Security News

Chinese Man Jailed For Selling VPNs that Bypass Great Firewall

In an effort to continue its crackdown on VPNs, Chinese authorities have arrested a 26-year-old man for selling VPN software on the Internet.
China’s Supreme Court has sentenced Deng Jiewei from Dongguan in Guangdong province, close to Hong Kong, to nine months in prison for selling virtual private network (VPN) software through his own small independent website.
A VPN encrypts users’ Internet traffic and routes it through a distant connection so that web surfers can hide their identities and location data while accessing websites that are restricted or censored in their country.
Chinese citizens usually make use of VPNs to bypass the Great Firewall of China, also known as the Golden Shield project, which employs a variety of tricks to censor the Internet in the country.
The project has already blocked access in the country to some 171 of the world’s 1,000 top websites, including Google, Facebook, Twitter, Tumblr, Dropbox, and The Pirate Bay.
But to tighten grip over the Internet and online users, the Chinese government announced a 14-month-long crackdown on VPNs in the country at the beginning of this year, requiring VPN service providers to obtain prior government approval.
The move made most VPN vendors in the country of 730 million Internet users illegal, and has now resulted in the arrest of Deng, who was convicted of “providing software and tools for invading and illegally controlling the computer information system.”

According to the court documents posted on the China’s Supreme People’s Court website, Deng has been selling two VPN services on his website since October 2015, and was first detained in August last year.
Deng along with his partner Jiang Moufeng made nearly 14,000 Chinese yuan (just US$2,138) selling the VPN software, which allowed users to “visit foreign websites that could not be accessed by a mainland IP address.”
Deng has been found guilty of intrusions and “illegal control of computer information system procedures,” and has been sentenced to nine months imprisonment and fined 5,000 Chinese yuan.
Deng was actually sentenced in March this year, but the online court documents were circulated on a Chinese blog tracking social media trends in China, called What’s on Weibo, only on Sunday.
We reported in July that Apple also removed some of the popular VPN apps, including ExpressVPN and Star VPN, from its official Chinese app store in order to comply with the government crackdown that will remain in place until March 31, 2018.


Critical Flaw in Apache Struts2 Lets Hackers Take Over Web Servers

Security researchers have discovered a critical remote code execution vulnerability in the popular Apache Struts web application framework, allowing a remote attacker to run malicious code on the affected servers.
Apache Struts is a free, open-source, Model-View-Controller (MVC) framework for developing web applications in the Java programming language, which supports REST, AJAX, and JSON.
The vulnerability (CVE-2017-9805) is a programming blunder that resides in the way Struts processes data from an untrusted source. Specifically, the Struts REST plugin fails to properly handle XML payloads while deserializing them.
All versions of Apache Struts since 2008 (from Struts 2.5 to Struts 2.5.12) are affected, leaving all web applications using the framework’s REST plugin vulnerable to remote attackers.

According to one of the security researchers at LGTM, who discovered this flaw, the Struts framework is being used by “an incredibly large number and variety of organisations,” including Lockheed Martin, Vodafone, Virgin Atlantic, and the IRS.
“On top of that, [the vulnerability] is incredibly easy for an attacker to exploit this weakness: all you need is a web browser,” Man Yue Mo, an LGTM security researcher said.
All an attacker needs is to submit a malicious XML code in a particular format to trigger the vulnerability on the targeted server.
Successful exploitation of the vulnerability could allow an attacker to take full control of the affected server, eventually letting the attacker infiltrate other systems on the same network.
Mo said this flaw is an unsafe deserialization in Java similar to a vulnerability in Apache Commons Collections, discovered by Chris Frohoff and Gabriel Lawrence in 2015, that also allowed arbitrary code execution.
Many Java applications have since been affected by multiple similar vulnerabilities in recent years.
Since this vulnerability has been patched in Struts version 2.5.13, administrators are strongly advised to upgrade their Apache Struts installation as soon as possible.
More technical details about the vulnerability and proof-of-concept have not been published by the researchers yet, giving admins enough time to upgrade their systems.
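The practical step this article leaves to administrators is finding every deployment that still ships the REST plugin in the affected range. The following added example (not code from the Struts project or from LGTM) scans Maven dependency output for the plugin and flags versions inside the range the article gives, 2.5 up to and including 2.5.12; the sample listing is constructed in the format printed by `mvn dependency:list`, and the range should be cross-checked against the vendor advisory before relying on it.

```python
"""Flag Apache Struts REST plugin versions inside the range the article gives
(2.5 through 2.5.12, fixed in 2.5.13) in a Maven dependency listing.

Added example, not the Struts project's code. The input is constructed to
mimic `mvn dependency:list` output; the affected range is taken from the
article, so confirm it against the upstream advisory.
"""
import re
from typing import List, Tuple

AFFECTED_ARTIFACT = "struts2-rest-plugin"
FIRST_AFFECTED = (2, 5)      # article: affected from Struts 2.5 ...
FIXED_IN = (2, 5, 13)        # ... and patched in 2.5.13

# Constructed sample output in the style of `mvn dependency:list`.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.struts:struts2-core:jar:2.5.12:compile
[INFO]    org.apache.struts:struts2-rest-plugin:jar:2.5.12:compile
[INFO]    com.thoughtworks.xstream:xstream:jar:1.4.10:compile
[INFO]    org.apache.struts:struts2-rest-plugin:jar:2.5.13:compile
[INFO]    org.apache.struts:struts2-rest-plugin:jar:2.3.33:compile
"""

# groupId:artifactId:type:version:scope
DEP_RE = re.compile(r"^\[INFO\]\s+([^:\s]+):([^:\s]+):[^:\s]+:([^:\s]+):\w+\s*$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.12' -> (2, 5, 12). Stops at the first non-numeric piece
    (e.g. a '-SNAPSHOT' qualifier) so comparison stays purely numeric."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version lies in [2.5, 2.5.13), i.e. the article's range.
    Tuple comparison makes (2, 5) <= (2, 5, 10, 1) < (2, 5, 13) work as intended."""
    v = parse_version(version)
    return FIRST_AFFECTED <= v < FIXED_IN


def find_affected(dependency_list: str) -> List[Tuple[str, str]]:
    """Return (artifact, version) pairs for REST plugin entries in the affected range."""
    hits = []
    for line in dependency_list.splitlines():
        m = DEP_RE.match(line)
        if not m:
            continue
        group, artifact, version = m.groups()
        if group == "org.apache.struts" and artifact == AFFECTED_ARTIFACT and is_affected(version):
            hits.append((artifact, version))
    return hits


if __name__ == "__main__":
    for artifact, version in find_affected(SAMPLE_DEPENDENCY_LIST):
        print(f"upgrade {artifact} {version} -> {'.'.join(map(str, FIXED_IN))} or later")
```

Run it against real output with `mvn dependency:list > deps.txt` and feed the file contents to `find_affected`. Applications that bundle the plugin inside a WAR rather than resolving it through Maven need the same check applied to the jar file names in `WEB-INF/lib`.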

Game of Thrones and HBO — Twitter, Facebook Accounts Hacked

The Game of Thrones hacking saga continues, but this time it is HBO’s and GOT’s official Twitter and Facebook accounts that were compromised, rather than upcoming episodes.
As if the leak of episodes by hackers and the accidental airing of an upcoming episode of Game of Thrones by HBO itself were not enough, a notorious group of hackers took over the official Twitter and Facebook accounts for HBO as well as Game of Thrones Wednesday night.
The hacker group from Saudi Arabia, dubbed OurMine, claimed responsibility for the hack, posting a message on both HBO’s official Twitter and Facebook accounts, which read: “Hi, OurMine are here, we are just testing your security, HBO team, please contact us to upgrade the security,” followed by a contact link for the group.
This message was followed by another one, wherein the hackers asked people to make the hashtag #HBOhacked trend on Twitter, which it did.
OurMine is the same group of hackers from Saudi Arabia that previously compromised the social media accounts of major company CEOs, including Twitter CEO Jack Dorsey, Facebook CEO Mark Zuckerberg, Google CEO Sundar Pichai, and Facebook-owned virtual reality company Oculus CEO Brendan Iribe.
In most of the cases, OurMine hackers gain access to social media accounts using credentials exposed in previous, publicly known data breaches.

However, the hacking group never seems to go beyond demonstrating its ability to take over an account, without doing much damage to the accounts or their protected information.
OurMine offers companies security against hacking, charging up to $5,000 for a “scan” of their social media accounts, site security holes, and other security vulnerabilities, and advertises its commercial services by breaking into famous accounts.
HBO managed to remove the offending tweets shortly after the hackers posted them.
Just yesterday, in a devastating blunder, HBO Spain accidentally aired Episode 6 of Game of Thrones season 7 five days prior to its official premiere.
The popular entertainment company is also facing a threat from a hacker or group of hackers who claimed to have obtained nearly 1.5 terabytes of information from HBO.
Over two weeks ago, the unknown hackers dropped episodes of “Ballers” and “Room 104,” along with a script of the fourth episode of Game of Thrones on the internet.
This leak was followed by another dump of a half-gigabyte sample of stolen data, including the company’s emails, employment agreements, balance sheets, and the script of the upcoming GOT episode, demanding a ransom—nearly $6 Million in Bitcoins.
Although it was revealed that the company offered the hackers $250,000 for extending the ransom payment deadline by one week, the proposal apparently failed to satisfy the hackers, and they threatened to release more data every Sunday until the full ransom was paid.

Cyberspies Are Using Leaked NSA Hacking Tools to Spy On Hotels Guests

An infamous Russian-linked cyber-espionage group has been found re-using the same leaked NSA hacking tool that was deployed in the WannaCry and NotPetya outbreaks—this time to target Wi-Fi networks to spy on hotel guests in several European countries.
Security researchers at FireEye have uncovered an ongoing campaign that remotely steals credentials from high-value guests using Wi-Fi networks at European hotels and attributed it to the Fancy Bear hacking group.
Fancy Bear—also known as APT28, Sofacy, Sednit, and Pawn Storm—has been operating since at least 2007 and has also been accused of hacking the Democratic National Committee (DNC) and the Clinton campaign in an attempt to influence the U.S. presidential election.
The newly discovered campaign is also exploiting the Windows SMB exploit (CVE-2017-0143), called EternalBlue, which was one of many exploits allegedly used by the NSA for surveillance and leaked by the Shadow Brokers in April.
EternalBlue is an exploit for a vulnerability in version 1 of Windows’ Server Message Block (SMB) networking protocol; it is used to spread laterally across networks, and it allowed the WannaCry and Petya ransomware to spread across the world quickly.
Since the EternalBlue code is available for anyone to use, cyber criminals are widely trying to use the exploit to make their malware more powerful.
Just last week, a new version of credential stealing TrickBot banking Trojan was found leveraging SMB to spread locally across networks, though the trojan was not leveraging EternalBlue at that time.
However, researchers have now found someone deploying the exploit to upgrade their attack.

“To spread through the hospitality company’s network, APT28 used a version of the EternalBlue SMB exploit,” FireEye researchers write. “This is the first time we have seen APT28 incorporate this exploit into their intrusions.”

Researchers have seen ongoing attacks targeting a number of companies in the hospitality sector, including hotels in at least seven countries in Europe and one Middle Eastern country.

Here’s How the Attack is Carried Out

The attacks began with a spear phishing email sent to one of the hotel employees. The email contains a malicious document named “Hotel_Reservation_Form.doc,” which uses macros to decode and deploy GameFish, malware known to be used by .
Once installed on the targeted hotel’s network, GameFish uses the EternalBlue SMB exploit to laterally spread across the hotel network and find systems that control both guest and internal Wi-Fi networks.

Once under control, the malware deploys Responder, an open source penetration testing tool created by Laurent Gaffie of SpiderLabs, for NetBIOS Name Service (NBT-NS) poisoning in order to steal credentials sent over the wireless network.
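The last step of the chain, NBT-NS poisoning, is observable on the wire: a poisoner answers name queries for names it does not own. The following is an added detection example written for this article, not code from FireEye or from the Responder project. The name-service records are constructed, and the canary hostname, field layout and threshold are assumptions; it flags a host that answers a deliberately bogus name, that answers an implausible number of distinct names, or that contends with another responder for the same name.

```python
"""Detect NBT-NS name-response poisoning from name-service traffic.

Added example, not FireEye's or Responder's code. The event records are
constructed; the canary name, the field names and the threshold are
assumptions for illustration.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class NbnsEvent(NamedTuple):
    ts: float    # capture time, seconds
    src: str     # IP that sent the packet
    kind: str    # "query" or "response"
    name: str    # NetBIOS name queried or answered


# A name the defender queries on purpose. No legitimate host owns it, so any
# positive response is a poisoner answering whatever it hears.
CANARY_NAME = "NOSUCHHOST-CANARY"

# A host answering for more distinct names than this looks like "answer
# everything" behaviour rather than a machine defending its own name.
DISTINCT_NAME_THRESHOLD = 3

# Constructed sample: 10.0.5.77 answers every query on the segment, including
# the canary; 10.0.5.10 is the real owner of FILESRV01.
SAMPLE_EVENTS = [
    NbnsEvent(1.0, "10.0.5.20", "query", "FILESRV01"),
    NbnsEvent(1.1, "10.0.5.10", "response", "FILESRV01"),
    NbnsEvent(1.1, "10.0.5.77", "response", "FILESRV01"),
    NbnsEvent(2.0, "10.0.5.21", "query", "PRINTER-3F"),
    NbnsEvent(2.1, "10.0.5.77", "response", "PRINTER-3F"),
    NbnsEvent(3.0, "10.0.5.22", "query", "WPAD"),
    NbnsEvent(3.1, "10.0.5.77", "response", "WPAD"),
    NbnsEvent(4.0, "10.0.5.200", "query", CANARY_NAME),
    NbnsEvent(4.1, "10.0.5.77", "response", CANARY_NAME),
]


def names_answered_by_host(events: List[NbnsEvent]) -> Dict[str, Set[str]]:
    """Responder IP -> set of names it claimed."""
    answered: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.kind == "response":
            answered[e.src].add(e.name)
    return answered


def conflicting_responders(events: List[NbnsEvent]) -> Dict[str, Set[str]]:
    """Names that received positive responses from more than one host.
    A weaker signal on its own (it also names the legitimate owner), so it is
    reported separately rather than folded into the suspect list."""
    by_name: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e.kind == "response":
            by_name[e.name].add(e.src)
    return {n: hosts for n, hosts in by_name.items() if len(hosts) > 1}


def suspected_poisoners(events: List[NbnsEvent],
                        threshold: int = DISTINCT_NAME_THRESHOLD) -> Dict[str, List[str]]:
    """Suspicious responder IP -> list of reasons."""
    reasons: Dict[str, List[str]] = defaultdict(list)
    for host, names in names_answered_by_host(events).items():
        if CANARY_NAME in names:
            reasons[host].append("answered canary name")
        if len(names) >= threshold:
            reasons[host].append(f"answered {len(names)} distinct names")
    return dict(reasons)


if __name__ == "__main__":
    for host, why in suspected_poisoners(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(why))
    for name, hosts in conflicting_responders(SAMPLE_EVENTS).items():
        print("contended name", name, "answered by", sorted(hosts))
```

Feeding it requires a capture point on the same broadcast domain as the guest or staff Wi-Fi, since NBT-NS queries do not cross routers. The corresponding hardening is the one this class of tool relies on being absent: disable NBT-NS and LLMNR on managed Windows hosts where they are not needed, so there are no broadcast name queries to answer.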

While the hacking group carried out the attack against the hotel network, researchers believe that the group could also directly target “hotel guests of interest”—generally business and government personnel who travel in a foreign country.
The researchers revealed one such incident that occurred in 2016 where Fancy Bear accessed the computer and Outlook Web Access (OWA) account of a guest staying at a hotel in Europe, 12 hours after the victim connected to the hotel’s Wi-Fi network.
This is not the only attack that has apparently targeted hotel guests. The South Korea-nexus Fallout Team (also known as DarkHotel) has previously carried out such attacks against Asian hotels to steal information from senior executives of large global companies during their business trips.
The Duqu 2.0 malware was also found targeting the Wi-Fi networks of European hotels used by participants in the Iranian nuclear negotiations. High-profile people visiting Russia and China may also have their laptops and other electronic devices accessed.
The easiest way to protect yourself is to avoid connecting to hotel Wi-Fi networks or any other public or untrusted networks, and instead, use your mobile device hotspot to get access to the Internet.

Hackers Hijacked Chrome Extension for Web Developers With Over 1 Million Users

For the past few years, spammers and cyber criminals have been buying web extensions from their developers and then updating them, without informing their users, to inject bulk advertisements into every website the user visits in order to generate large revenue.
But now they have shifted their business model—instead of investing, spammers have started a new wave of phishing attacks aimed at hijacking popular browser extensions.
Just two days ago, we reported how cyber criminals managed to compromise the Chrome Web Store account of a German developer team and hijacked Copyfish extension, and then modified it with ad-injection capabilities to distribute spam correspondence to users.
Now, just yesterday, another popular Chrome extension, ‘Web Developer’, was hijacked by unknown attackers, who updated the software to inject advertisements directly into the web browsers of its more than 1 million users.
Chris Pederick, the creator of Web Developer Chrome extension that offers various web development tools to its users, alerted late Wednesday that some unknown hackers apparently phished his Google account, updated the extension to version 0.4.9, and pushed it out to its 1,044,000 users.
In both the cases, cyber criminals used phishing first to gain access to the developers’ Google accounts, hijacked their respective extensions and then updated the extension to perform malicious tasks.
However, the Firefox version of both the extensions was unaffected.
According to the developer, the malicious software build fetched JavaScript code from the web and ran it within users’ web browsers to forcibly inject advertisements on web pages.
The plugin has access to pretty much everything that’s happening on a user’s browser—can do anything from reading all the website content to intercept traffic, sniff keystrokes, or any task one can imagine.
So, hijacking the Web Developer extension could be a nightmare for users—especially for those who are professional designers and access their official accounts (website, hosting, or email) using the same browser.
Pederick said version 0.4.9 of the software might have done worse, but within five to six hours of its compromise, he came to know of the malicious build, pulled it down from the Chrome store, and fixed the extension about an hour later.
However, the compromised code would have allowed the miscreants to make a sizable commission from the advertisements during the few hours the malicious JavaScript was active.
Web Developer users are strongly recommended to update their extension to version 0.5 immediately.
Users should also consider changing their passwords for all web accounts, as well as nullify login tokens and cookies used on websites they visited while using the infected extension.

Security Vulnerability management enhances cyber security defense for businesses

Over the last several years, the number and magnitude of cyber security breaches has steadily increased. To date, numerous institutions, big and small, both private and public, have disclosed that databases containing customer identities and other private information have been exposed and compromised.

Yet, there is hope for organizations and their employees alike, in the form of sophisticated cyber defense tools and security safeguards and solutions. There are numerous strategies and tools currently available that can create friction for hackers and discourage those who would attempt to breach security.
Frost & Sullivan’s latest article, “Leveraging Vulnerability Management for Enhanced Security,” discusses how security is becoming more complex, requiring sophisticated processes and approaches such as Vulnerability Management (VM). The article reveals that North America accounted for the most VM sales, 76.8 percent, in 2016. By 2021, that share will increase to 77.8 percent.

“The importance of vulnerability assessment scanning cannot be overstated. The best cyber security posture is not threat incident detection and response, nor is it other threat mitigation techniques,” noted Frost & Sullivan Network Security Industry Analyst Christopher Kissel. “The best threat response is prevention.”

There are many challenges related to the accuracy of data and measurement in dynamic network environments. Accuracy is very important with VM and the sharing of the data obtained. One particular challenge involves scan-to-scan host correlation.
To start, there are many different scanning technologies to choose from. Often, organizations will use a technique known as unauthenticated network scanning, where the scanner sits remote from the devices, sends them network messages, and draws its conclusions from the devices’ responses. This technique allows for the scanning of devices and open ports and can highlight configuration issues and other vulnerabilities.
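The scan-to-scan host correlation problem mentioned above is concrete: in a DHCP network the same IP address can belong to different machines on consecutive scans, so a diff keyed on IP reports findings as “fixed” that merely moved. The following added example (not code from Frost & Sullivan or from any scanner vendor) correlates hosts on the most stable identifier available before diffing findings, and shows the wrong answer an IP-keyed diff produces on the same data. The two scan snapshots, the identifier priority and the placeholder finding IDs are constructed for illustration.

```python
"""Correlate hosts between two vulnerability scans and diff their findings.

Added example, not any vendor's code. Scan records and the identifier priority
(agent id, then MAC, then hostname+OS, then IP) are assumptions chosen to show
why correlating on IP alone misattributes findings in DHCP environments.
"""
from typing import Callable, Dict, List, Set

# Constructed snapshots. Between scans, ws-1042 got a new DHCP lease, and the
# address it held in scan 1 was reused by a different laptop. Finding IDs are
# placeholders (VULN-x), not real CVE numbers.
SCAN_1 = [
    {"ip": "10.1.2.15", "mac": "00:11:22:aa:bb:01", "hostname": "ws-1042",
     "os": "Windows 10", "findings": {"VULN-A", "VULN-B"}},
    {"ip": "10.1.2.30", "mac": "00:11:22:aa:bb:02", "hostname": "srv-db01",
     "os": "Ubuntu 16.04", "findings": {"VULN-C"}},
]
SCAN_2 = [
    {"ip": "10.1.2.88", "mac": "00:11:22:aa:bb:01", "hostname": "ws-1042",
     "os": "Windows 10", "findings": {"VULN-B"}},
    {"ip": "10.1.2.15", "mac": "00:11:22:aa:bb:03", "hostname": "laptop-77",
     "os": "Windows 10", "findings": {"VULN-D"}},
    {"ip": "10.1.2.30", "mac": "00:11:22:aa:bb:02", "hostname": "srv-db01",
     "os": "Ubuntu 16.04", "findings": {"VULN-C", "VULN-E"}},
]


def host_key(host: Dict) -> str:
    """Most stable identifier available, in priority order. An agent-installed
    UUID beats a MAC, a MAC beats hostname+OS, and IP is the last resort."""
    if host.get("agent_id"):
        return "agent:" + host["agent_id"]
    if host.get("mac"):
        return "mac:" + host["mac"].lower()
    if host.get("hostname") and host.get("os"):
        return f"host:{host['hostname'].lower()}|{host['os']}"
    return "ip:" + host["ip"]


def ip_key(host: Dict) -> str:
    """The naive alternative: correlate purely on IP address."""
    return "ip:" + host["ip"]


def diff_findings(old: List[Dict], new: List[Dict],
                  keyfn: Callable[[Dict], str]) -> Dict[str, Dict]:
    """Per correlated host: status plus fixed / introduced / persistent findings."""
    old_idx = {keyfn(h): h for h in old}
    new_idx = {keyfn(h): h for h in new}
    report = {}
    for key in old_idx.keys() | new_idx.keys():
        o: Set[str] = old_idx.get(key, {}).get("findings", set())
        n: Set[str] = new_idx.get(key, {}).get("findings", set())
        if key in old_idx and key in new_idx:
            status = "matched"
        elif key in new_idx:
            status = "new_host"
        else:
            status = "missing"   # not seen this scan: offline, decommissioned, or moved
        report[key] = {"status": status, "fixed": o - n,
                       "introduced": n - o, "persistent": o & n}
    return report


if __name__ == "__main__":
    print("stable-key correlation:")
    for key, r in sorted(diff_findings(SCAN_1, SCAN_2, host_key).items()):
        print(" ", key, r)
    print("ip-only correlation (misleading):")
    for key, r in sorted(diff_findings(SCAN_1, SCAN_2, ip_key).items()):
        print(" ", key, r)
```

With the stable key, ws-1042 is correctly credited with fixing VULN-A and the laptop on the reused address shows up as a new host. Keyed on IP alone, 10.1.2.15 appears to have fixed both of ws-1042’s findings and gained VULN-D, which is exactly the false-positive and false-negative noise the article attributes to poor host correlation.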

“VM tools must be easy and intuitive to use and in the case of smaller and mid-sized companies, there has to be a mechanism where VM tools can be integrated into every day IT workflow,” continued Kissel. “For example, the fundamental strength of Digital Defense, Inc.’s VM solution is that it accurately tracks the host controls in a network, and as such, the host environment is understood, and the chance for the false positives from scan data from endpoints is greatly diminished.”

Source Code For SLocker Android Ransomware That Mimics WannaCry Leaked Online

Bad news for Android users — the source code for one of the oldest and most widespread Android ransomware families has been leaked online, making it available to cyber criminals who can use it to develop more customised and advanced variants of Android ransomware.
Source code for the SLocker ransomware, which saw a six-fold increase in the number of new versions over the past six months, has just been leaked on GitHub and is now available to anyone who wants it.
The SLocker source code has been leaked by a user who goes by the online moniker ‘fs0c1ety’ and is urging all GitHub users to contribute to the code and submit bug reports.
SLocker, or Simple Locker, is mobile lock-screen and file-encrypting ransomware that encrypts files on the phone and uses Tor for command and control (C&C) communication. The malware has also posed as law enforcement agencies to convince victims to pay the ransom.
SLocker became known for infecting thousands of Android devices in 2016; security researchers discovered more than 400 new variants of the ransomware in the wild in May, and just a month later the nasty Android ransomware was spotted copying the GUI of WannaCry.
Once infected, SLocker runs silently in the background of a victim’s device without their knowledge or consent and encrypts images, documents and videos on mobile devices.
Once it has encrypted files on the device, the Android ransomware hijacks the phone, blocking its user access completely, and attempts to threaten the victim into paying a ransom to unlock it.

Why Should You Worry?

Active since 2015, SLocker stands out as one of the first ransomware samples to encrypt Android files. The malware has evolved beyond just locking screens and demanding payment to taking over administrative rights and controlling the device’s microphone, speakers, and camera.
Now that the source code of this nasty Android ransomware has been released on GitHub, Android devices are likely to see an increasing number of ransomware attacks in the coming days.
The leaked source code is a golden opportunity for those who look for such things: these kinds of malware programs are normally only offered for sale in underground forums, but SLocker is now accessible to cybercriminals and fraudsters for FREE.
Earlier this year, researchers discovered a variant of the BankBot banking trojan in the wild which was developed using the malware’s source code, leaked on an underground hacking forum.
Last year, the source code for the MazarBot (improved version of GM Bot) was also leaked online by its author in order to gain reputation on an underground forum.

How to Protect Yourself?

As I previously mentioned, users are always advised to follow some basic precautions in order to protect themselves against such threats:

  • Never open email attachments from unknown sources.
  • Never click on links in SMS or MMS messages.
  • Even if the email looks legit from some company, go directly to the source website and verify any possible updates.
  • Go to Settings → Security, and Turn OFF “Allow installation of apps from sources other than the Play Store.”
  • Always keep your Android devices, apps and Antivirus app up-to-date.
  • Avoid unknown and unsecured Wi-Fi hotspots and keep Wi-Fi switched off when not in use.

What is the hype around Firewall as a Service?

Admit it. Who would not want their firewall maintenance grunt work to go away?
For more than 20 years, companies either managed their edge firewall appliances or had service providers rack-and-stack appliances in their data centers and did it for them.
This was called a managed firewall — an appliance wrapped with a managed service, often from a carrier or managed security service provider (MSSP).
The provider assumed the management of the firewall box, its software, and even its policy and management from the over-burdened IT team. But customers ended up paying for the inefficiency of dealing with appliances (i.e. “grunt work”) because the problem just shifted to the provider. A new architecture was needed – a transformation from an appliance form factor to a true cloud service.
In a 2016 Hype Cycle for Infrastructure Protection report, Gartner analyst Jeremy D’Hoinne initiated the emerging category of Firewall as a Service (FWaaS).

He defined FWaaS as “…a firewall delivered as a cloud-based service or hybrid solution (that is, cloud plus on-premises appliances). The promise of FWaaS is to provide simpler and more flexible architecture by leveraging centralized policy management, multiple enterprise firewall features and traffic tunneling to partially or fully move security inspections to a cloud infrastructure.”

Recently, in the 2017 Magic Quadrant for Unified Threat Management (SMB Multifunction Firewalls), the analysts reference a Gartner client survey indicating 14% of respondents were likely (8%) or very likely (6%) to consider moving all the firewall security functions to FWaaS.
FWaaS isn’t merely packaging of legacy appliances into a managed service. It is challenging the decades-old concept of the appliance as the primary form factor to deliver network security capabilities.

What is an FWaaS?

FWaaS offers a single logical firewall that is available anywhere, seamlessly scales to address any traffic workload, enforces a unified policy, and is self-maintained by a cloud provider.
Let’s look at these elements in more detail.

• Single, global firewall instance — One firewall instance for the entire global organization is radically different than the current architecture that places a network security stack at each location, a regional hub or a datacenter.
With FWaaS every organizational resource (data center, branch, cloud infrastructure or a mobile user) plugs into the FWaaS global service and leverages all of its security capabilities (application control, URL filtering, IPS, etc).

• Seamlessly scales to address inspection workload — FWaaS provides the necessary compute resources to perform all security processing on all traffic regardless of source or destination.
IT teams no longer need complex sizing processes to determine the appliance capacity needed to plan for today’s business requirements and future growth.
For example, the increase in SSL traffic volume pressures appliance processing capacity and can force unplanned. FWaaS can scale to accommodate these needs without disrupting the customer’s business operations.

• Enforcing a unified policy — A single firewall, by design, has a single security policy. While legacy appliance vendors created centralized management consoles to ease managing distributed appliances, IT must still consider the individual firewalls instances per location and often customize policies to the locations’ unique attributes.
In heterogeneous firewall environments (often created by M&A), security policy is hard to configure and enforce, increasing exposure to hackers and web-borne threats. Contrast that with a single cloud-based firewall that uniformly applies the security policy to all traffic, for all locations and users.

• Self-maintained — One of the most painful aspects of firewall management is maintaining the software through patches and upgrades. It is a risky process that could impact business connectivity and security.
Many IT teams tend to skip or completely avoid software upgrades, leaving the enterprise exposed. Because the cloud-based firewall software is maintained by the FWaaS provider and is shared by all customers, the firewall is kept up to date by quickly fixing vulnerabilities and bugs, and rapidly evolving with new features and capabilities that customers can immediately access.
FWaaS is bringing genuine relief to overburdened IT teams within enterprises and service providers. Instead of wasting cycles on sizing, deploying, patching, upgrading and configuring numerous edge devices, work can now shift to delivering true security value to the business through early detection and fast mitigation of true risk.

FWaaS Providers

FWaaS is not a mere concept. It has been deployed in production by several vendors.
Cato Networks is a provider of the Cato Cloud, built from the ground up to deliver Firewall as a Service.
Cato provides an optimized, global SD-WAN, ensuring resilient connectivity to its FWaaS from all regions of the world. Cato can completely eliminate edge firewalls by inspecting both WAN and Internet-bound traffic. The Cato Cloud FWaaS further extends to mobile users and cloud datacenters.
Zscaler provides FWaaS for Internet-bound traffic from remote branches and mobile users. To secure WAN traffic, customers must rely on other means.

Palo Alto Networks recently announced a similar service. It uses its next generation firewall within a cloud service to protect users, whether in remote locations or mobile, accessing the Internet.
FWaaS is a viable alternative for IT teams that waste time and money to sustain their distributed edge firewall environments — the so-called appliance sprawl.
With FWaaS, they can now reduce the operational and capital expense of upgrading and refreshing appliances as well as the attack surface resulting from delayed patches and unmitigated vulnerabilities.
By simplifying the network security architecture, FWaaS makes IT more productive and the business secure.

Your Linux Machine Can Be Hacked Remotely With Just A Malicious DNS Response

A critical vulnerability has been discovered in Systemd, the popular init system and service manager for Linux operating systems, that could allow remote attackers to trigger a buffer overflow and execute malicious code on the targeted machines via a DNS response.
The vulnerability, designated CVE-2017-9445, resides in the ‘dns_packet_new’ function of ‘systemd-resolved,’ a DNS response handler component that provides network name resolution to local applications.
According to an advisory published Tuesday, a specially crafted malicious DNS response can crash the ‘systemd-resolved’ program remotely when the system tries to look up a hostname on an attacker-controlled DNS service.
A large DNS response then overflows the buffer, allowing an attacker to overwrite memory, which leads to remote code execution.
This means the attackers can remotely run any malware on the targeted system or server via their evil DNS service.
“In systemd through 233, certain sizes passed to dns_packet_new in systemd-resolved can cause it to allocate a buffer that’s too small,” explains Chris Coulson, Ubuntu developer at Canonical. “A malicious DNS server can exploit this by responding with a specially crafted TCP payload to trick systemd-resolved into allocating a buffer that’s too small, and subsequently write arbitrary data beyond the end of it.”
This vulnerability has been present since Systemd version 223, introduced in June 2015, and is present all the way up to and including Systemd version 233, launched in March this year.
Of course, systemd-resolved must be running on your system for it to be vulnerable.
The bug is present in Ubuntu versions 17.04 and version 16.10; Debian versions Stretch (aka Debian 9), Buster (aka 10) and Sid (aka Unstable); and various other Linux distributions that use Systemd.
Security patches have been rolled out to address the issue, so users and system administrators are strongly recommended to install them and update their Linux distros as soon as possible.
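The advisory quoted above describes a bug class rather than one line of code: a buffer sized from one attacker-influenced quantity while data is written according to another. The following added example (not systemd’s code; Python has no buffer overflow, so it shows the framing discipline rather than the memory bug) implements length-prefixed DNS-over-TCP framing the defensive way: the two-byte length is validated against the protocol minimum and maximum and against the bytes actually received, and the message buffer is, by construction, exactly the declared size. The sample payloads are constructed.

```python
"""Length-checked framing for DNS over TCP (RFC 1035 section 4.2.2: each
message is preceded by a two-byte big-endian length).

Added example, not systemd's code. It illustrates the rule behind the bug
class in the article: size the buffer from a validated length and never let
the declared length and the bytes actually handled disagree. Samples are
constructed.
"""
import struct
from typing import List, Tuple

DNS_HEADER_LEN = 12       # id, flags, qdcount, ancount, nscount, arcount
DNS_TCP_MAX_LEN = 65535   # largest value a 16-bit length prefix can carry


class FramingError(ValueError):
    """Raised for a length prefix that cannot describe a valid DNS message."""


def frame_tcp_dns(stream: bytes, max_len: int = DNS_TCP_MAX_LEN) -> Tuple[List[bytes], bytes]:
    """Split a TCP byte stream into complete DNS messages.

    Returns (messages, leftover). A truncated trailing message is returned as
    leftover to be completed by later bytes, never copied into a short buffer.
    """
    messages: List[bytes] = []
    pos = 0
    while pos + 2 <= len(stream):
        (declared,) = struct.unpack("!H", stream[pos:pos + 2])
        if declared < DNS_HEADER_LEN:
            raise FramingError(f"declared length {declared} is shorter than a DNS header")
        if declared > max_len:
            raise FramingError(f"declared length {declared} exceeds {max_len}")
        start, end = pos + 2, pos + 2 + declared
        if end > len(stream):
            break                      # incomplete: wait for more bytes, do not guess
        msg = stream[start:end]
        assert len(msg) == declared    # buffer size equals declared size, by construction
        messages.append(msg)
        pos = end
    return messages, stream[pos:]


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte header; callers use the counts to bound
    how many records they will read from the remaining bytes."""
    if len(msg) < DNS_HEADER_LEN:
        raise FramingError("message shorter than DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:DNS_HEADER_LEN])
    return {"id": ident, "is_response": bool(flags & 0x8000), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def build_tcp_message(msg: bytes) -> bytes:
    """Prefix a wire-format message with its length, as a TCP sender must."""
    if not DNS_HEADER_LEN <= len(msg) <= DNS_TCP_MAX_LEN:
        raise FramingError("message length outside the TCP framing range")
    return struct.pack("!H", len(msg)) + msg


def is_rejected(stream: bytes) -> bool:
    """True when the framer refuses the stream's length prefix."""
    try:
        frame_tcp_dns(stream)
        return False
    except FramingError:
        return True


# Constructed sample: a response with one question for example.com / A / IN.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0)
                   + b"\x07example\x03com\x00" + b"\x00\x01\x00\x01")

if __name__ == "__main__":
    msgs, rest = frame_tcp_dns(build_tcp_message(SAMPLE_RESPONSE) * 2)
    print(len(msgs), "messages,", len(rest), "leftover bytes;", parse_header(msgs[0]))
    print("short prefix rejected:", is_rejected(b"\x00\x05hello"))
```

The point for a reviewer of any native resolver is the assertion in the loop: the allocation and the copy are driven by the same validated number. Separately, the operational mitigation the article gives still applies, since a host that is not running systemd-resolved is not reachable through this code path at all.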


Another Massive Ransomware Outbreak Has Battered Ukraine And Is Spreading Fast

Ukraine’s government, National Bank and biggest power companies all warned of cyberattacks Tuesday. Airports and metro services in the country were also reportedly affected, though it appears they’re victims of another massive ransomware outbreak that’s spreading across the world fast and hitting a significant number of critical infrastructure providers.
Whispers of WannaCry abound, though security experts said a different breed, named Petya, is to blame. “[We’re seeing] several thousands of infection attempts at the moment, comparable in size to Wannacry’s first hours,” said Kaspersky Lab’s Costin Raiu. “We are seeing infections from many different countries.”
This morning saw major Danish transport and energy company Maersk report a cyber attack, noting on its website: “We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber attack.” And Russian oil industry giant Rosneft said it was facing a “powerful hacker attack.” Neither said what kind of attack they were under.
The impact currently appears to be most severe in Ukraine, including major energy companies such as the state-owned Ukrenergo and Kiev’s main supplier Kyivenergo. Government officials have reportedly sent images of their infected computers, including this from deputy prime minister Pavlo Rozenko:

A Ukrenergo spokesperson told Forbes power systems were unaffected, adding: “On June 27, a part of Ukrenergo’s computer network was cyberattacked. Similarly, as it is already known with the media, networks and other companies, including the energy sector, were attacked. Our specialists take all the necessary measures for the complete restoration of the computer system, including the official [website].” The site remains down at the time of publication.
The National Bank blamed an “unknown virus” as the culprit, hitting several Ukrainian banks and some commercial enterprises. “As a result of cyber attacks, these banks have difficulties with customer service and banking operations,” a statement on the organization’s website read.
The deputy general director of Kiev’s Borispol Airport, Eugene Dykhne, said in a Facebook post: “Our IT services are working together to resolve the situation. There may be delays in flights due to the situation… The official Site of the airport and the flight schedules are not working.”

Kiev Metro, meanwhile, said today in a Twitter alert that it wasn’t able to accept bank card payments as a result of a ransomware infection.
It’s currently unclear whether the attacks are purely ransomware, or if myriad attacks are currently hitting various parts of Ukraine. Attacks on Ukraine’s power grid in 2015 and 2016 were believed to have been perpetrated by Russia, though the country denies all cyberattacks on foreign soil.
Though ransomware is typically used by cybercriminals, with WannaCry it was alleged a nation state was likely responsible for spreading the malware: North Korea. Cyber intelligence companies and the NSA believe with medium confidence that the nation used leaked NSA cyber weapons to carry out the attacks that took out hospitals in the U.K. and infected hundreds of thousands of others.