What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
Checkpoint.webp 2017-05-12 19:08:39 Global Outbreak of WannaCry (direct link) [Updated May 15, 2017] On May 12, 2017 the Check Point Incident Response Team started tracking a widespread outbreak of the WannaCryp ransomware. We have reports that multiple global organizations are experiencing a large-scale ransomware attack which is utilizing SMB to propagate within their networks. To complicate matters there are a number of […] Wannacry
NetworkWorld.webp 2017-05-12 18:24:53 A 'kill switch' is slowing the spread of WannaCry ransomware (direct link) Friday's unprecedented ransomware attack may have stopped spreading to new machines -- at least briefly -- thanks to a "kill switch" that a security researcher has activated. The ransomware, called Wana Decryptor or WannaCry, has been found infecting machines across the globe. It works by exploiting a Windows vulnerability that the U.S. National Security Agency may have used for spying. The malware encrypts data on a PC and shows users a note demanding $300 in bitcoin to have their data decrypted. Images of the ransom note have been circulating on Twitter. Security experts have detected tens of thousands of attacks, apparently spreading over LANs and the internet like a computer worm. Wannacry
MalwarebytesLabs.webp 2017-05-12 18:07:55 WanaCrypt0r ransomware hits it big just before the weekend (direct link) Reports of two massive ransomware attacks in Europe by a ransomware that Malwarebytes detects as Ransom.WanaCrypt0r are dominating the news. Wannacry
AlienVault.webp 2017-05-12 17:58:00 Ongoing WannaCry Ransomware Spreading Through SMB Vulnerability (direct link) As of early this morning (May 12th, 2017), the AlienVault Labs team is seeing reports of a wave of infections using a ransomware variant called “WannaCry” that is being spread by a worm component that leverages a Windows-based vulnerability. There have been reports of large telecommunication companies, banks and hospitals being affected. Tens of thousands of networks worldwide have been hit and the attacks do not appear to be targeted to any specific region or industry. Once infected, victims are asked to pay approximately $300 by Bitcoin, and it appears the attackers have found people willing to pay. The AlienVault Labs team has created a Pulse in the Open Threat Exchange to share the indicators of compromise we have been able to obtain. These indicators can be used to help identify potential attacks in progress. One method of command and control and secondary installation has been sinkholed by security researchers, however the attackers can still leverage a second communication mechanism via Tor. The WannaCry ransomware is using the file extension .wncry, and it also deletes the Shadow Copies, which is a technology introduced into the Microsoft platforms as far back as Windows XP and Windows Vista as the Volume Shadow Copy service. This means that even backup copies produced by this service, such as Windows Backup and System Restore, would be affected as well. cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet (PID: 2292) The following file is also created in the affected systems: @Please_Read_Me@.txt Once it gets on a network, WannaCry exploits a known Microsoft Windows vulnerability (MS17-010) to spread. This vulnerability was released as part of the Shadow Brokers leaks back in April.
Microsoft released a patch for MS17-010 on March 14th. Administrators are advised to immediately upgrade any systems that do not have this patch to avoid potential compromise by WannaCry. So far the only confirmed vector of the attacks is through an SMB exploit, which provides a worm-like mechanism of spreading WannaCrypt. AlienVault USM Anywhere and USM Appliance are able to detect attempts to exploit this vulnerability via the following IDS signature released by AlienVault on April 18th: ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response. Yesterday we noted a sharp increase in external scans against our customers for the exploit, and we are investigating if it is related to today's attacks. We will update this blog post as we discover more information about the ongoing situation. Wannacry
grahamcluley.webp 2017-05-12 17:54:08 WannaCry ransomware hits systems worldwide (direct link) The WannaCry ransomware is hitting organisations around the world - including the UK's National Health Service - assisted by a vulnerability that the NSA chose to keep secret from Microsoft. Wannacry
Kaspersky.webp 2017-05-12 17:32:57 Leaked NSA Exploit Spreading Ransomware Worldwide (direct link) Attackers behind today's WannaCry ransomware outbreak in Europe are spreading the malware using the EternalBlue exploit leaked by the ShadowBrokers. Wannacry
bleepingcomputer.webp 2017-05-12 17:24:40 WannaCry / Wana Decryptor / WanaCrypt0r Technical Nose Dive (direct link) Today was a big day for the WanaCrypt0r ransomware as it took the world by storm by causing major outbreaks all over the world. While BleepingComputer has covered these outbreaks in-depth, I felt it may be a good idea to take a technical look at the WanaCrypt0r ransomware for those in the IT field who have to support victims. [...] Wannacry
SANS.webp 2017-05-12 17:13:26 Massive wave of ransomware ongoing, (Fri, May 12th) (direct link) For the past few hours, bad news has been spreading quickly about a massive wave of infections by a new ransomware called WannaCry. (Source: MalwareTech) Big targets have been telecom operators (ex: Telefonica in Spain) and hospitals in UK. Once the malware has infected a computer, it spreads across the network looking for new victims using the SMB protocol. The ransomware uses the Microsoft vulnerability MS17-10[1]. (This vulnerability was used by ETERNALBLUE[2]) Here are some IOCs that we already collected: File extension: .wncry Ransomware notification: (image) alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|";) Until now, the best protection is of course to patch your systems as soon as possible and keep your users aware of the new ransomware campaign to prevent them from opening suspicious emails/files. [1] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx [2] https://isc.sans.edu/forums/diary/ETERNALBLUE+Windows+SMBv1+Exploit+Patched/22304/ We will update this diary with more information if available. Xavier Mertens (@xme) ISC Handler - Freelance Security Consultant (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License. Wannacry
DarkReading.webp 2017-05-12 15:30:00 'WannaCry' Rapidly Moving Ransomware Attack Spreads to 74 Countries (direct link) A wave of ransomware infections took down a wide swath of UK hospitals and is rapidly moving across the globe. Wannacry
Last update at: 2025-05-10 23:07:39