What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2019-09-26 07:01:34 | Emsisoft releases a free decryptor for the WannaCryFake ransomware (lien direct) | Researchers at Emsisoft security firm have released a new free decryption tool for the WannaCryFake ransomware. Good news for the vicitms of the WannaCryFake ransomware, researchers at Emsisoft have released a FREE decryption tool that will allow decrypting their data. WannaCryFake is a piece of ransomware that uses AES-256 to encrypt a victim's files. The […] | Ransomware Tool | Wannacry | |
 |
2019-09-25 15:05:01 | Ransomware Decryptors Released for Yatron, WannaCryFake, & FortuneCrypt (lien direct) | Security vendors released decryptors for three ransomware infections today that allow victims to recover their files for free. These decryptors are for the WannaCryFake, Yatron, and FortuneCrypt Ransomware infections. [...] | Ransomware | Wannacry | |
 |
2019-09-09 13:00:00 | Category 1 cyber threat for UK businesses (lien direct) |
Julia Solonina
Britain should be prepared for a Category 1 cyber security emergency, according to the National Cyber Security Centre (NCSC). This means that national security, the economy, and even the nation’s lives will be at risk. However, despite this harsh warning, UK businesses still aren’t taking proactive and potentially preventative action to stop these attacks from happening. So just where are UK businesses going wrong and can they turn things around before it’s too late?
How businesses have responded
Since Brexit was announced in June 2016, 53% of UK businesses have increased their cyber security, according to latest statistics. This is as a direct result of industry data being published which revealed that malware, phishing, and ransomware attacks will become the biggest threats once Britain leaves the EU. However, despite these efforts being made, figures reveal that British businesses have the smallest cyber security budget compared to any other country. They typically spend less than £900,000, whereas the average across the world is $1.46 million.
At risk of a Category 1 cyber attack
A Category 1 cyber attack is described by the NCSC as “A cyber attack which causes sustained disruption of UK essential services or affects UK national security, leading to severe economic or social consequences or to loss of life.” To date, the UK has never witnessed such an attack. Although, one of the most severe attacks in recent times was the 2017 NHS cyber attack which was classed as a Category 2 due to there being no imminent threat to life.
The NCSC says that they typically prevent 10 cyber attacks from occurring on a daily basis. However, as the organization believes that hostility from neighbouring nations is what drives these attacks every single day, they say that it’s only a matter of time before a Category 1 attack launches the country into chaos. NCSC's CEO Ciaran Martin states that "I remain in little doubt we will be tested to the full, as a centre, and as a nation, by a major incident at some point in the years ahead, what we would call a Category 1 attack."
UK businesses under attack
The UK government’s ‘Cyber Securi |
Ransomware Threat Guideline | Wannacry | |
 |
2019-07-29 22:07:03 | No Jail Time for “WannaCry Hero” (lien direct) | Marcus Hutchins, the "accidental hero" who helped arrest the spread of the global WannaCry ransomware outbreak in 2017, will receive no jail time for his admitted role in authoring and selling malware that helped cyberthieves steal online bank account credentials from victims, a federal judge ruled Friday. | Ransomware Malware | Wannacry | |
 |
2019-07-26 17:36:00 | Marcus \'MalwareTech\' Hutchins gets no prison time, one year supervised release (lien direct) | US legal case against security researcher who helped stop WannaCry ransomware outbreak comes to an end. | Ransomware | Wannacry | |
 |
2019-07-18 12:43:05 | Thousands of NHS computers are still running Windows XP from beyond the grave (lien direct) | Two years after the WannaCry ransomware outbreak shone a light on the computer security of the the UK's National Health Service, and five years after Microsoft said it would no longer release patches for Windows XP, the NHS still has 2300 PCs running the outdated operating system. Read more in my article on the Tripwire State of Security blog. | Ransomware | Wannacry | |
 |
2019-07-11 16:21:03 | Wannacry ransomware attack: Industry experts offer their tips for prevention (lien direct) | Wannacry remains a significant threat for companies. Learn how your organization can guard against it. | Ransomware Threat | Wannacry | |
|
2019-07-08 13:00:00 | File transfer security risks and how to avoid them (lien direct) |
Ransomware attacks increased by 105% in the first quarter of 2019, according to Beazley’s tally of insurance claims and data analytics. Other alarming reports show that new variants of Ransomware keep appearing almost every month. In addition, two years after the WannaCry Ransomware attacks, 1.7 million computers still remain at risk in 2019 according to TechCrunch. Fortunately, there are cybersecurity solutions that can protect your data during file transfer and file storage.
File transfer and storage risks
Cloud adoption continues to grow as more businesses discover the cost saving potential and convenience that comes with it. However, misconfigured servers are still a major risk for companies using infrastructure and platform as a service. Misconfigured servers are characterized by default accounts and passwords, unrestricted outbound access, enabled debugging functions, and more. The number of files exposed on misconfigured servers, storage and cloud services in 2019 is 2.3 billion according to an article on ZDNet.
However, not all businesses primarily use the cloud for file transfer and data storage. Some people still prefer using bulk USB drives because they do not require an internet connection, and can be physically protected. Apart from this, their use cannot be restricted for the owner, and they have been reducing in size yet their storage capacity has been increasing. However, USB’s could come from a vendor preloaded with malware that can infect everything they are plugged into.
You can protect your computer system
The greatest risk of USBs is that they are very small yet someone can use them to steal massive amounts of data and easily take that data anywhere. Some companies and organizations like the US military have responded to this risk by banning their use completely. To ensure employees or workers stick to this ba |
Ransomware Malware | Wannacry | |
 |
2019-07-04 11:52:01 | Cost-cutting could put the NHS at risk of suffering another cyberattack. (lien direct) | A new report has concluded that the United Kingdom's NHS remains vulnerable to cyberattacks two years on the from WannaCry ransomware attack that cost the healthcare provider £92m in damages and lost productivity. According to a new report on NHS Cyber Security by Imperial College London's Institute of Global Health Innovation, outdated computer systems, lack […] | Ransomware | Wannacry | |
 |
2019-06-13 13:00:03 | May 2019\'s Most Wanted Malware: Patch Now to Avoid the BlueKeep Blues (lien direct) | In May, the most significant event in the threat landscape was not a new type of malware: it was a serious vulnerability in older versions of Windows operating systems that – if exploited by criminals – could lead to the type of mega-scale ransomware attacks we saw in 2017 with WannaCry and NotPetya. The… | Ransomware Vulnerability Threat Guideline | NotPetya Wannacry | ★★★ |
 |
2019-05-28 06:20:06 | Almost One Million Vulnerable to BlueKeep Vuln (CVE-2019-0708) (lien direct) | Microsoft announced a vulnerability in it's "Remote Desktop" product that can lead to robust, wormable exploits. I scanned the Internet to assess the danger. I find nearly 1-million devices on the public Internet that are vulnerable to the bug. That means when the worm hits, it'll likely compromise those million devices. This will likely lead to an event as damaging as WannaCry and notPetya from 2017 -- potentially worse, as hackers have since honed their skills exploiting these things for ransomware and other nastiness.To scan the Internet, I started with masscan, my Internet-scale port scanner, looking for port 3389, the one used by Remote Desktop. This takes a couple hours, and lists all the devices running Remote Desktop -- in theory.This returned 7,629,102 results (over 7-million). However, there is a lot of junk out there that'll respond on this port. Only about half are actually Remote Desktop.Masscan only finds the open ports, but is not complex enough to check for the vulnerability. Remote Desktop is a complicated protocol. A project was posted that could connect to an address and test it, to see if it was patched or vulnerable. I took that project and optimized it a bit, rdpscan, then used it to scan the results from masscan. It's a thousand times slower, but it's only scanning the results from masscan instead of the entire Internet.The table of results is as follows:1447579 UNKNOWN - receive timeout1414793 SAFE - Target appears patched1294719 UNKNOWN - connection reset by peer1235448 SAFE - CredSSP/NLA required 923671 VULNERABLE -- got appid 651545 UNKNOWN - FIN received 438480 UNKNOWN - connect timeout 105721 UNKNOWN - connect failed 9 82836 SAFE - not RDP but HTTP 24833 UNKNOWN - connection reset on connect 3098 UNKNOWN - network error 2576 UNKNOWN - connection terminatedThe various UNKNOWN things fail for various reasons. A lot of them are because the protocol isn't actually Remote Desktop and respond weirdly when we try to talk Remote Desktop. A lot of others are Windows machines, sometimes vulnerable and sometimes not, but for some reason return errors sometimes.The important results are those marked VULNERABLE. There are 923,671 vulnerable machines in this result. That means we've confirmed the vulnerability really does exist, though it's possible a small number of these are "honeypots" deliberately pretending to be vulnerable in order to monitor hacker activity on the Internet.The next result are those marked SAFE due to probably being "pached". Actually, it doesn't necessarily mean they are patched Windows boxes. They could instead be non-Windows systems that appear the same as patched Windows boxes. But either way, they are safe from this vulnerability. There are 1,414,793 of them.The next result to look at are those marked SAFE due to CredSSP/NLA failures, of which there are 1,235,448. This doesn't mean they are patched, but only that we can't exploit them. They require "network level authentication" first before we can talk Remote Desktop to them. That means we can't test whether they are patched or vulnerable -- but neither can the hackers. They may still be exploitable via an insider threat who knows a valid username/password, but they aren't exploitable by anonymous hackers or worms.The next category is marked as SAFE because they aren't Remote Desktop at all, but HTTP servers. In other words, in response to o | Ransomware Vulnerability Threat Patching Guideline | NotPetya Wannacry | |
|
2019-05-27 19:59:38 | A lesson in journalism vs. cybersecurity (lien direct) | A recent NYTimes article blaming the NSA for a ransomware attack on Baltimore is typical bad journalism. It's an op-ed masquerading as a news article. It cites many to support the conclusion the NSA is to be blamed, but only a single quote, from the NSA director, from the opposing side. Yet many experts oppose this conclusion, such as @dave_maynor, @beauwoods, @daveaitel, @riskybusiness, @shpantzer, @todb, @hrbrmst, ... It's not as if these people are hard to find, it's that the story's authors didn't look.The main reason experts disagree is that the NSA's Eternalblue isn't actually responsible for most ransomware infections. It's almost never used to start the initial infection -- that's almost always phishing or website vulns. Once inside, it's almost never used to spread laterally -- that's almost always done with windows networking and stolen credentials. Yes, ransomware increasingly includes Eternalblue as part of their arsenal of attacks, but this doesn't mean Eternalblue is responsible for ransomware.The NYTimes story takes extraordinary effort to jump around this fact, deliberately misleading the reader to conflate one with the other. A good example is this paragraph: That link is a warning from last July about the "Emotet" ransomware and makes no mention of EternalBlue. Instead, the story is citing anonymous researchers claiming that EthernalBlue has been added to Emotet since after that DHS warning.Who are these anonymous researchers? The NYTimes article doesn't say. This is bad journalism. The principles of journalism are that you are supposed to attribute where you got such information, so that the reader can verify for themselves whether the information is true or false, or at least, credible.And in this case, it's probably false. The likely source for that claim is this article from Malwarebytes about Emotet. They have since retracted this claim, as the latest version of their article points out. In any event, the NYTimes article claims that Emotet is now "relying" on the NSA's EternalBlue to spread. That's not the same thing as "using", not even close. Yes, lots of ransomware has been updated to also use Eternalblue to spread. However, what ransomware is relying upon is still the Wind |
Ransomware Malware Patching Guideline | NotPetya Wannacry | |
|
2019-05-14 17:11:03 | Microsoft Patches \'Wormable\' Flaw in Windows XP, 7 and Windows 2003 (lien direct) | Microsoft today is taking the unusual step of releasing security updates for unsupported but still widely-used Windows operating systems like XP and Windows 2003, citing the discovery of a "wormable" flaw that the company says could be used to fuel a fast-moving malware threat like the WannaCry ransomware attacks of 2017. The vulnerability (CVE-2019-0709) resides in the "remote desktop services" component built into supported versions of Windows, including Windows 7, Windows Server 2008 R2, and Windows Server 2008. It also is present in computers powered by Windows XP and Windows 2003, operating systems for which Microsoft long ago stopped shipping security updates. | Ransomware Malware Vulnerability Threat | Wannacry | |
 |
2019-04-22 19:22:00 | Kronos : Le tueur de Wanacry face à 10 ans de prison pour la création d\'un logiciel pirate (lien direct) | En 2017, Marcus Hutchin, connu sous le pseudonyme de MalwareTech, stoppait le rançongiciel WannaCry. Deux ans plus tard, il fait face à 10 ans de prison. Il a avoué la création et la diffusion du logiciel pirate Kronos. En 2017, le ransomware Wannacry faisait la Une de la presse. Ce logiciel pirate ... Cet article Kronos : Le tueur de Wanacry face à 10 ans de prison pour la création d’un logiciel pirate est apparu en premier sur ZATAZ. | Ransomware | Wannacry | |
 |
2019-04-09 15:36:04 | Get Ready for the First Wave of AI Malware (lien direct) | While viruses and malware have stubbornly stayed as a top-10 “things I lose sleep over as a CISO,” the overall threat has been steadily declining for a decade. Unfortunately, WannaCry, NotPetya, and an entourage of related self-propagating ransomware abruptly propelled malware back up the list and highlighted the risks brought by modern inter-networked business systems and the explosive growth of unmanaged devices. | Ransomware Malware Threat | NotPetya Wannacry | |
 |
2019-04-04 03:00:02 | 3 Stages to Mounting a Modern Malware Defense Program (lien direct) | You would be hard-pressed these days to remain ignorant of the growth of ransomware incidents experienced by organizations large and small. We've seen a ton of press around these events, from CryptoLocker to WannaCry. The impact of this type of malware is newsworthy. The landscape of malware is changing, however. While ransomware is still a […]… Read More | Ransomware Malware | Wannacry | |
 |
2019-03-19 19:40:03 | Podcast: The High-Risk Threats Behind the Norsk Hydro Cyberattack (lien direct) | Threatpost talks to Phil Neray with CyberX about Tuesday's ransomware attack on aluminum producer Norsk Hydro, and how it compares to past manufacturing attacks like Triton, WannaCry and more. | Ransomware | Wannacry | |
 |
2019-02-26 11:00:03 | Cryptojacking Rises 450 Percent as Cybercriminals Pivot From Ransomware to Stealthier Attacks (lien direct) | >Cybercriminals made a lot of noise in 2017 with ransomware attacks like WannaCry and NotPetya, using an in-your-face approach to cyberattacks that netted them millions of dollars from victims. But new research from IBM X-Force, the threat intelligence, research and incident response arm of IBM Security, revealed that 2018 saw a rapid decline in ransomware […] | Ransomware Threat | NotPetya Wannacry | ★★ |
|
2019-02-09 21:14:02 | Ransomware as a Service : le juteux business model de Satan & Co (lien direct) | Ces dernières années, des attaques de ransomware très médiatisées, comme WannaCry et NotPetya, ont fait les gros titres au niveau mondial pour avoir infecté des milliers d'ordinateurs en chiffrant les fichiers qui restent ensuite " tenus en otage " jusqu’au paiement d'une rançon par la victime... Cet article Ransomware as a Service : le juteux business model de Satan & Co est apparu en premier sur ZATAZ. | Ransomware | NotPetya Wannacry | |
 |
2018-12-05 12:30:04 | Ransomware Is Constantly Evolving But We Can Defeat It Through Innovation (lien direct) | When two large-scale ransomware campaigns – WannaCry and NotPetya – caused widespread disruption in 2017 the headlines suggested they heralded a new era of large-scale attacks. WannaCry spread across 150 countries and severely affected the NHS in the UK and many other large organisations in the US including hospitals, vehicle manufacturers, petrol stations, railways and … The ISBuzz Post: This Post Ransomware Is Constantly Evolving But We Can Defeat It Through Innovation | Ransomware | NotPetya Wannacry | |
|
2018-11-12 16:00:04 | Wannacry Is Still Alive Hitting Almost 75,000 Users In Q3 2018 (lien direct) | One and a half years after its epidemic, WannaCry ransomware tops the list of the most widespread cryptor families and the ransomware has attacked 74,621 unique users worldwide. These attacks accounted for 28.72% of all users targeted by cryptors in Q3 2018. The percentage has risen over the last year, demonstrating more than two thirds … The ISBuzz Post: This Post Wannacry Is Still Alive Hitting Almost 75,000 Users In Q3 2018 | Ransomware | Wannacry | |
 |
2018-11-06 18:05:01 | Compromising vital infrastructure: transport and logistics (lien direct) |
Transport and logistics are vital infrastructure, because we need them to deliver our daily necessities, but who is responsible for protecting them?
Categories:
Business
Cybercrime
Tags: cyberattackshackinginfrastructurelogisticsNotPetyaphishingprevent ransomware attacksprotectionransomwaretransportWannaCry
(Read more...)
|
Ransomware | NotPetya Wannacry | |
|
2018-10-22 13:13:00 | Ransomware: A cheat sheet for professionals (lien direct) | This guide covers Locky, WannaCry, Petya, and other ransomware attacks, the systems hackers target, and how to avoid becoming a victim and paying cybercriminals a ransom in the event of an infection. | Ransomware | Wannacry | |
|
2018-10-12 23:30:04 | Wannacry Cyberattack Cost NHS £92m – DHSC (lien direct) | Following the news around the Department of Health and Social Care (DHSC) estimating that the WannaCry ransomware attack cost the NHS £92m in disruption to services and IT upgrades, Matt Lock, Director of Sales Engineers at Varonis offers the following comments. Matt Lock, Director of Sales Engineers at Varonis: “When ransomware hits an organization, much is discussed about … The ISBuzz Post: This Post Wannacry Cyberattack Cost NHS £92m – DHSC | Ransomware | Wannacry | |
 |
2018-09-07 18:26:02 | North Korean hacker charged for WannaCry and Sony cyberattacks (lien direct) | U.S. charges North Korean hacker for WannaCry, Sony cyber attacks The U.S. government on Thursday charged and sanctioned a North Korean hacker for the 2014 Sony hack and the 2017 WannaCry global ransomware cyberattack, U.S. officials said. The accused, Park Jin Hyok worked as part of a team of hackers, also known as the Lazarus […] | Ransomware Hack | Wannacry APT 38 | |
|
2018-09-07 09:22:01 | US charges North Korea agent over Sony Pictures hack and WannaCry (lien direct) | The U.S. Department of Justice charged a North Korea agent over WannaCry and 2014 Sony Pictures Entertainment Hack. The U.S. Department of Justice announces charges against a North Korean government spy that was involved in the massive WannaCry ransomware attack and the 2014 Sony Pictures Entertainment hack. “the Justice Department charged on Thursday in a 174-page criminal complaint that detailed how […] | Ransomware Hack | Wannacry | |
|
2018-09-06 15:35:00 | DOJ to charge North Korean officer for Sony hack and WannaCry ransomware (lien direct) | After charging Chinese, Iranian, and Russian cyberspies, US preparies indictment against North Korean officer. | Ransomware Hack | Wannacry | |
 |
2018-09-06 10:31:03 | U.S. to Charge North Korean Spy Over WannaCry and Sony Pictures Hack (lien direct) | The U.S. Department of Justice is preparing to announce criminal charges against a North Korean government spy in connection with the 2017 global WannaCry ransomware attack and the 2014 Sony Pictures Entertainment hack.
According to multiple government officials cited by the NY Times who are familiar with the indictment, the charges would be brought against Park Jin Hyok, who works for North
|
Ransomware Hack | Wannacry | |
|
2018-08-07 13:54:04 | (Déjà vu) TSMC Chip Maker confirms its facilities were infected with WannaCry ransomware (lien direct) | TSMC shared further details on the attack and confirmed that its systems were infected with a variant of the infamous WannaCry ransomware. Early in August, a malware has infected systems at several Taiwan Semiconductor Manufacturing Co. (TSMC) factories, the plants where Apple produces its devices. TSMC is the world's biggest contract manufacturer of chips for tech giants, including Apple […] | Ransomware Malware | Wannacry | |
|
2018-08-07 02:03:00 | TSMC Chip Maker Blames WannaCry Malware for Production Halt (lien direct) | Taiwan Semiconductor Manufacturing Company (TSMC)-the world's largest makers of semiconductors and processors-was forced to shut down several of its chip-fabrication factories over the weekend after being hit by a computer virus.
Now, it turns out that the computer virus outbreak at Taiwan chipmaker was the result of a variant of WannaCry-a massive ransomware attack that wreaked havoc across
|
Ransomware Malware | Wannacry | |
|
2018-08-06 11:29:05 | Flaw in Popular Framework Exposes ICS Devices to Attack (lien direct) |
Type:
Story
Image:
Link:
Chip Giant TSMC Says WannaCry Ransomware Behind Production Halt
Chip Giant TSMC Says WannaCry Ransomware Behind Production Halt
|
Ransomware | Wannacry | |
|
2018-07-25 12:36:05 | How Ransomware Is Still Hitting Businesses With Heavy Costs (lien direct) | One year on from the global outbreaks of WannaCry and NotPetya, which established ransomware as one of the most notorious cyber threats on any businesses' radar, organisations around the world are continuing to fall prey to new attacks. A fully-fledged ransomware infection can potentially cripple an organisation by locking away mission critical files and systems, … The ISBuzz Post: This Post How Ransomware Is Still Hitting Businesses With Heavy Costs | Ransomware | NotPetya Wannacry | |
|
2018-07-25 11:15:01 | Could complacency be setting in when it comes to ransomware? (lien direct) | By Chris Ross, SVP International, Barracuda Ransomware may be a headline favourite, but the attack itself is nothing new. In fact, it's been around in some form or another for decades. Since last year's high profile global campaigns such as WannaCry and NotPetya you'd be hard pressed to find anyone who isn't aware of the ... | Ransomware | NotPetya Wannacry | |
|
2018-07-25 03:00:05 | Why Computer Criminals Are Targeting the NHS (lien direct) | We all know what happened on 12 May 2017. That's the day when an updated version of WannaCry ransomware announced itself to the world. In a matter of days, the malware encrypted data stored on 200,000 computers across 150 countries. One of the victims affected by WannaCry was the United Kingdom's National Health Service (NHS). […]… Read More | Ransomware Malware | Wannacry | |
|
2018-06-27 15:49:15 | Lessons from nPetya one year later (lien direct) | This is the one year anniversary of NotPetya. It was probably the most expensive single hacker attack in history (so far), with FedEx estimating it cost them $300 million. Shipping giant Maersk and drug giant Merck suffered losses on a similar scale. Many are discussing lessons we should learn from this, but they are the wrong lessons.An example is this quote in a recent article:"One year on from NotPetya, it seems lessons still haven't been learned. A lack of regular patching of outdated systems because of the issues of downtime and disruption to organisations was the path through which both NotPetya and WannaCry spread, and this fundamental problem remains." This is an attractive claim. It describes the problem in terms of people being "weak" and that the solution is to be "strong". If only organizations where strong enough, willing to deal with downtime and disruption, then problems like this wouldn't happen.But this is wrong, at least in the case of NotPetya.NotPetya's spread was initiated through the Ukraining company MeDoc, which provided tax accounting software. It had an auto-update process for keeping its software up-to-date. This was subverted in order to deliver the initial NotPetya infection. Patching had nothing to do with this. Other common security controls like firewalls were also bypassed.Auto-updates and cloud-management of software and IoT devices is becoming the norm. This creates a danger for such "supply chain" attacks, where the supplier of the product gets compromised, spreading an infection to all their customers. The lesson organizations need to learn about this is how such infections can be contained. One way is to firewall such products away from the core network. Another solution is port-isolation/microsegmentation, that limits the spread after an initial infection.Once NotPetya got into an organization, it spread laterally. The chief way it did this was through Mimikatz/PsExec, reusing Windows credentials. It stole whatever login information it could get from the infected machine and used it to try to log on to other Windows machines. If it got lucky getting domain administrator credentials, it then spread to the entire Windows domain. This was the primary method of spreading, not the unpatched ETERNALBLUE vulnerability. This is why it was so devastating to companies like Maersk: it wasn't a matter of a few unpatched systems getting infected, it was a matter of losing entire domains, including the backup systems.Such spreading through Windows credentials continues to plague organizations. A good example is the recent ransomware infection of the City of Atlanta that spread much the same way. The limits of the worm were the limits of domain trust relationships. For example, it didn't infect the city airport because that Windows domain is separate from the city's domains.This is the most pressing lesson organizations need to learn, the one they are ignoring. They need to do more to prevent desktops from infecting each other, such as through port-isolation/microsegmentation. They need to control the spread of administrative credentials within the organization. A lot of organizations put the same local admin account on every workstation which makes the spread of NotPetya style worms trivial. They need to reevaluate trust relationships between domains, so that the admin of one can't infect the others.These solutions are difficult, which is why news articles don't mention them. You don't have to know anything about security to proclaim "the problem is lack of patches". It's moral authority, chastising the weak, rather than a proscription of what to do. Solving supply chain hacks and Windows credential sharing, though, is hard. I don't know any universal solution to this -- I'd have to thoroughly analyze your network and business in order to | Ransomware Malware Patching | FedEx NotPetya Wannacry | |
|
2018-06-25 20:02:05 | WannaCry Extortion Fraud Reemerges (lien direct) | The emails claim that all of the victim's devices have been hacked and infected with the infamous ransomware -- and then ask for Bitcoin to "fix" it. | Ransomware | Wannacry | |
|
2018-06-22 22:19:05 | WannaCry ransomware scam tries to extort money without actually infecting your computer (lien direct) |  Someone is trying to pull a fast one, attempting to trick unsuspecting users into paying a ransom… even though they *haven't* infected your computer with ransomware.
|
Ransomware | Wannacry | |
|
2018-06-01 15:00:00 | Satan Ransomware Spawns New Methods to Spread (lien direct) |
Today, we are sharing an example of how previously known malware keeps evolving and adding new techniques to infect more systems.
BleepingComputer first reported on Satan ransomware in January 2017. Recently, Satan Ransomware was identified as using the EternalBlue exploit to spread across compromised environments (BartBlaze’s blog). This is the same exploit associated with a previous WannaCry Ransomware campaign. While Microsoft patched the vulnerability associated with EternalBlue in March 2017, many environments remain vulnerable.
Unusually, we’ve identified samples of Satan Ransomware that not only include EternalBlue,but also a far larger set of propagation methods:
This Satan variant attempts to propagate through:
JBoss CVE-2017-12149
Weblogic CVE-2017-10271
EternalBlue exploit CVE-2017-0143
Tomcat web application brute forcing
Malware Analysis
Below is a sample from early May 2018 of Satan Ransomware using all the previously mentioned techniques, which we are going to analyze.
Name: sts.exe
File size: 1.7 Mb
MD5: c290cd24892905fbcf3cb39929de19a5
The first thing we see in the analyzed sample is that the malware was packed with the MPRESS packer:
The main goal of this sample is to drop Satan Ransomware,encrypt the victim's host, and then request a Bitcoin payment. Afterwards, the sample will also try to spread in the network using exploits such as EternalBlue.
EternalBlue
The malware drops several EternalBlue files in the victim’s host. These files are a public version of the exploit without any modifications or custom implementations. All are dropped in the folder C:\Users\All Users\ in the infected system:
Sts.exe initiates the process of spreading across the network by scanning all the systems within the same network segment. Through the following command line, systems vulnerable to SMB EternalBlue exploit will execute the previously dropped library down64.dll.
The down64.dll attempts to load code in the target’s memory, and then downloads sts.exe, using the legitimate Microsoft certutil.exe tool. This is a known download technique described as Remote File Copy - T1105 in Mitre ATT&CK.
So Many Exploits....
The sample uses some other network activity to continue to spread across the network.
A compromised system will make a HTTP PUT request to /Clist1.jsp to execute a jsp file that downloads another sample of sts.exe in the target server.
Another interesting technique used to infect other systems is the ability to identify an Apache Tomcat server and bruteforce it. It make |
Ransomware | Wannacry | |
 |
2017-06-02 08:00:00 | Les acteurs de la menace tirent parti de l'exploit éternel pour livrer des charges utiles non de la wannacry Threat actors leverage EternalBlue exploit to deliver non-WannaCry payloads (lien direct) |
L'exploit «eternalblue» ( MS017-010 ) a d'abord été utilisépar Wannacry Ransomware et Adylkuzz Cryptocurrency Miner.Maintenant, plus d'acteurs de menaces tirent parti de la vulnérabilité à MicrosoftProtocole de bloc de messages du serveur (SMB) & # 8211;Cette fois pour distribuer Backdoor.Nitol et Trojan Gh0st Rat.
Fireeye Dynamic Threat Intelligence (DTI) a historiquement observé des charges utiles similaires livrées via l'exploitation de la vulnérabilité CVE-2014-6332 ainsi que dans certaines campagnes de spam par e-mail en utilisant Commandes de versions .Plus précisément, Backdoor.Nitol a également été lié à des campagnes impliquant une exécution de code distante
The “EternalBlue” exploit (MS017-010) was initially used by WannaCry ransomware and Adylkuzz cryptocurrency miner. Now more threat actors are leveraging the vulnerability in Microsoft Server Message Block (SMB) protocol – this time to distribute Backdoor.Nitol and Trojan Gh0st RAT. FireEye Dynamic Threat Intelligence (DTI) has historically observed similar payloads delivered via exploitation of CVE-2014-6332 vulnerability as well as in some email spam campaigns using powershell commands. Specifically, Backdoor.Nitol has also been linked to campaigns involving a remote code execution |
Ransomware Spam Vulnerability Threat | Wannacry | ★★★★ |
|
2017-05-23 12:30:00 | Profil de logiciel malveillant Wannacry WannaCry Malware Profile (lien direct) |
MALWARE WANNACRY (également connu sous le nom de WCRY ou WANACRYPTOR) est un ransomware d'auto-propagation (semblable à des vers) qui se propage dans les réseaux internes et sur Internet public en exploitant une vulnérabilité dans le bloc de messages du serveur de Microsoft \\ (SMB)Protocole, MS17-010.Le wannacry se compose de deux composants distincts, unqui fournit des fonctionnalités de ransomware et un composant utilisé pour la propagation, qui contient des fonctionnalités pour permettre les capacités d'exploitation des SMB.
Le malware exploite un exploit, nommé «EternalBlue», publié par les Shadow Brokers le 14 avril 2017.
le
WannaCry (also known as WCry or WanaCryptor) malware is a self-propagating (worm-like) ransomware that spreads through internal networks and over the public internet by exploiting a vulnerability in Microsoft\'s Server Message Block (SMB) protocol, MS17-010. The WannaCry malware consists of two distinct components, one that provides ransomware functionality and a component used for propagation, which contains functionality to enable SMB exploitation capabilities. The malware leverages an exploit, codenamed “EternalBlue”, that was released by the Shadow Brokers on April 14, 2017. The |
Ransomware Malware Vulnerability Technical | Wannacry | ★★★★ |
|
2017-05-15 08:01:01 | Campagne de ransomwares Wannacry: Détails de la menace et gestion des risques WannaCry Ransomware Campaign: Threat Details and Risk Management (lien direct) |
Mise à jour 3 (17 mai & # 8211; 19 h 00 HE)
Nous avons observé l'émergence d'une nouvelle variante de Wannacry avec l'URL de vérification Internet www.iffferfsodp9ifjaposdfjhgosurijfaewrwergwea [.] Test.Un bogue dans la logique de code fait que les logiciels malveillants interrogent réellement www.iffefsodp9ifjaposdfjhgosurijfaewrwergwea [.] Test.Le malware ne cryptera vos fichiers que s'il ne peut pas contacter ce domaine (en particulier, s'il ne peut pas faire une demande HTTP réussie à la résolution du domaine).Les chercheurs en sécurité ont pu enregistrer ces domaines «Killswitch» pour les variantes précédentes pour arrêter le chiffrement;Cependant, ce domaine particulier
UPDATE 3 (May 17 – 7:00 p.m. ET) We observed the emergence of a new WannaCry variant with the internet-check URL www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]testing. A bug in the code logic causes the malware to actually query www.ifferfsodp9ifjaposdfjhgosurijfaewrwergwea[.]test. The malware will encrypt your files only if it cannot contact this domain (specifically, if it cannot make a successful HTTP request to the resolution of the domain). Security researchers were able to register these “killswitch” domains for previous variants to stop encryption; however, this particular domain |
Ransomware Malware Threat | Wannacry | ★★★ |
To see everything:
Our RSS (filtrered)
