What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
SecurityAffairs.webp 2018-10-11 21:53:00 Exaramel Malware Links Industroyer ICS malware and NotPetya wiper (direct link) ESET researchers have spotted a new strain of malware tracked as Exaramel that links the dreaded NotPetya wiper to the Industroyer ICS malware. A few months ago, researchers from ESET discovered a new piece of malware that further demonstrates the existence of a link between Industroyer and the NotPetya wiper. In June 2017, researchers at antivirus firm ESET […] Malware NotPetya
SecurityWeek.webp 2018-10-11 12:01:05 Exaramel Malware Reinforces Link Between Industroyer and NotPetya (direct link) A new piece of malware discovered a few months ago by researchers at ESET provides more evidence that Industroyer (aka Crashoverride) is linked to the NotPetya wiper. Malware NotPetya ★★★
ZDNet.webp 2018-10-11 12:00:00 Security researchers find solid evidence linking Industroyer to NotPetya (direct link) A web of code reuse and shared infrastructure links together a slew of famous cyber-attacks. NotPetya
ESET.webp 2018-10-11 11:57:01 New TeleBots backdoor: First evidence linking Industroyer to NotPetya (direct link) ESET's analysis of a recent backdoor used by TeleBots – the group behind the massive NotPetya ransomware outbreak – uncovers strong code similarities to the Industroyer main backdoor, revealing a rumored connection that was not previously proven Ransomware NotPetya
bleepingcomputer.webp 2018-10-11 08:23:04 New Backdoor Ties NotPetya and Industroyer to TeleBots Group (direct link) Security researchers found the missing link that helps them prove that the NotPetya disk-wiping malware and the Industroyer backdoor for electric power systems are the work of the TeleBots group. [...] Malware NotPetya
CSO.webp 2018-10-10 09:52:00 Top cybersecurity facts, figures and statistics for 2018 (direct link) Looking for hard numbers to back up your sense of what's happening in the cybersecurity world? We dug into studies and surveys of the industry's landscape to get a sense of the lay of the land, both in terms of what's happening and how your fellow IT pros are reacting to it. Ransomware is down, cryptomining is up. With last year's outbreak of NotPetya, ransomware (malicious programs that encrypt your files and demand a ransom payment in bitcoin to restore them) became one of the most talked about forms of malware of 2017. Yet at the same time, the actual rates of malware infection began to plummet around the middle of the year, until by December 2017 it represented only about 10 percent of infections. Malware Studies NotPetya
Blog.webp 2018-10-03 11:30:03 NotPetya Horror Story Highlights Need for Holistic Security (direct link) The NotPetya malware's ability to cripple even sophisticated, global firms is a cautionary tale about the need for businesses to understand their risk and take a holistic view of security, says Fadi Albatal, Chief Strategy Officer at Hitachi Systems Security. If you're keen on information security and happen to enjoy horror stories, point... NotPetya
DataSecurityBreach.webp 2018-09-21 16:06:03 Xbash, the future Petya? (direct link) Xbash: following in the footsteps of NotPetya, a new threat and malware family targeting Windows and Linux servers is likely to make a lot of noise. Unit42, the research unit of Palo Alto Networks, discovered this threat, which has all the characteristics of NotPetya. Dubbed Xbash, this threat is a data-destroying malware that […] The article Xbash, the future Petya? appeared first on Data Security Breach. Malware NotPetya ★★
AlienVault.webp 2018-09-11 13:00:00 Explain Cryptojacking to Me (direct link) Last year, I wrote that ransomware was the summer anthem of 2017. At the time, it seemed impossible that the onslaught of global ransomware attacks like WannaCry and NotPetya would ever wane. But, I should have known better. Every summertime anthem eventually gets overplayed. This year, cryptojacking took over the airwaves, fueled by volatile global cryptocurrency markets. In the first half of 2018, detected cryptojacking attacks increased 141%, outpacing ransomware attacks. In this blog post, I'll address cryptojacking: what it is, how it works, how to detect it, and why you should be tuning into this type of threat. What is Cryptojacking? Cryptojacking definition: Cryptojacking is the act of using another's computational resources without their knowledge or permission for cryptomining activities. By cryptojacking mobile devices, laptops, and servers, attackers effectively steal the CPU of your device to mine for cryptocurrencies like Bitcoin and Monero. Whereas traditional malware attacks target sensitive data that can be exploited for financial gain, like social security numbers and credit card information, cybercriminals that launch cryptojacking campaigns are more interested in your device's computing power than your own personal data. To understand why, it's helpful to consider the economics of cryptocurrency mining. Mining for cryptocurrencies like Bitcoin and Monero takes some serious computing resources to solve the complex algorithms used to discover new coins. These resources are not cheap, as anyone who pays their organization's AWS bill or data center utility bill can attest to. So, in order for cryptocurrency mining to be profitable and worthwhile, the market value of the cryptocurrency must be higher than the cost of mining it – that is, unless you can eliminate the resource costs altogether by stealing others' resources to do the mining for you.
That's exactly what cryptojacking attacks aim to do: to silently turn millions of devices into cryptomining bots, enabling cybercriminals to turn a profit without all the effort and uncertainty of collecting a ransom. Often, cryptojacking attacks are designed to evade detection by traditional antivirus tools so that they can quietly run in the background of the machine. Does this mean that all cryptomining activity is malicious? Well, it depends on who you ask. Cryptomining vs. Cryptojacking As the cryptocurrency markets have gained value and become more mainstream in recent years, we've seen a digital gold rush to cryptomine for new Bitcoin, and more recently, Monero. What began with early adopters and hobbyists building home rigs to mine for new coins has now given way to an entire economy of mining as a service, cryptomining server farms, and even cryptomining cafes. In this sense, cryptomining is, more or less, considered a legal and legitimate activity, one that could be further legitimized by a rumored $12 Billion Bitmain IPO. Yet, the lines between cryptomining and cryptojacking are blurry. For example, the cryptomining "startup" Coinhive has positioned its technology as an alternative way to monetize a website, instead of by serving ads or charging a subscription. According to the website, the folks behind Coinhive "dream about it as an alternative to micropayments, artificial wait time in online games, intrusive ads and dubious marketing tactics." Yet at the same time, Coinhive has been one of the most common culprits found Malware Threat NotPetya Wannacry Tesla
ErrataRob.webp 2018-09-10 17:33:17 California's bad IoT law (direct link) California has passed an IoT security bill, awaiting the governor's signature/veto. It's a typically bad bill based on a superficial understanding of cybersecurity/hacking that will do little to improve security, while doing a lot to impose costs and harm innovation. It's based on the misconception of adding security features. It's like dieting, where people insist you should eat more kale, which does little to address the problem that you are pigging out on potato chips. The key to dieting is not eating more but eating less. The same is true of cybersecurity, where the point is not to add "security features" but to remove "insecure features". For IoT devices, that means removing listening ports and cross-site/injection issues in web management. Adding features is typical "magic pill" or "silver bullet" thinking that we spend much of our time in infosec fighting against. We don't want arbitrary features like firewall and anti-virus added to these products. It'll just increase the attack surface, making things worse. The one possible exception to this is "patchability": some IoT devices can't be patched, and that is a problem. But even here, it's complicated. Even if IoT devices are patchable in theory, there is no guarantee vendors will supply such patches, or worse, that users will apply them. Users overwhelmingly forget about devices once they are installed. These devices aren't like phones/laptops which notify users about patching. You might think a good solution to this is automated patching, but only if you ignore history. Many rate "NotPetya" as the worst, most costly cyberattack ever. That was launched by subverting an automated patch. Most IoT devices exist behind firewalls, and are thus very difficult to hack. Automated patching gets beyond firewalls; it makes it much more likely mass infections will result from hackers targeting the vendor. The Mirai worm infected fewer than 200,000 devices.
A hack of a tiny IoT vendor can gain control of more devices than that in one fell swoop. The bill does target one insecure feature that should be removed: hardcoded passwords. But they get the language wrong. A device doesn't have a single password, but many things that may or may not be called passwords. A typical IoT device has one system for creating accounts on the web management interface, a wholly separate authentication system for services like Telnet (based on /etc/passwd), and yet another wholly separate system for things like debugging interfaces. Just because a device does the prescribed thing of using a unique or user-generated password in the user interface doesn't mean it doesn't also have a bug in Telnet. That was the problem with devices infected by Mirai. The description that these were hardcoded passwords is only a superficial understanding of the problem. The real problem was that there were different authentication systems in the web interface and in other services like Telnet. Most of the devices vulnerable to Mirai did the right thing on the web interfaces (meeting the language of this law), requiring the user to create new passwords before operating. They just did the wrong thing elsewhere. People aren't really paying attention to what happened with Mirai. They look at the 20 billion new IoT devices that are going to be connected to the Internet by 2020 and believe Mirai is just the tip of the iceberg. But it isn't. The IPv4 Internet has only 4 billion addresses, which are pretty much already used up. This means those 20 billion won't be exposed to the public Internet like Mirai devices, but hidden behind firewalls that translate addresses. Thus, rather than Mirai presaging the future, it represents the last gasp of the past that is unlikely to come again. This law is backwards looking rather than forward looking. Forward looking, by far the most important t Hack Threat Patching Guideline NotPetya Tesla
SecurityWeek.webp 2018-08-27 17:07:03 Cyber Risk = Business Risk. Time for the Business-Aligned CISO (direct link) Data breaches, ransomware and other cyber attacks causing massive reputation issues (Equifax), knocking down merger prices (Yahoo!) or interrupting operations on a global scale (the NotPetya virus victims) have elevated cybersecurity concerns from the server room to the boardroom. Ransomware NotPetya Equifax Yahoo
Checkpoint.webp 2018-08-16 09:45:01 Quickly Gauge Your Security's Generation With This 5-Question Quiz (direct link) by Bob Matlow, Cyber Security Advocate. The cyber-security world entered a new day and age when WannaCry and NotPetya wreaked havoc across hundreds of countries, causing billions of dollars of damage. Cyber criminals have adapted to this new reality by launching multi-vector, polymorphic, globally-scaled attacks – but IT professionals are lagging behind. Only 3 percent… NotPetya Wannacry
no_ico.webp 2018-07-25 12:36:05 How Ransomware Is Still Hitting Businesses With Heavy Costs (direct link) One year on from the global outbreaks of WannaCry and NotPetya, which established ransomware as one of the most notorious cyber threats on any business's radar, organisations around the world are continuing to fall prey to new attacks. A fully-fledged ransomware infection can potentially cripple an organisation by locking away mission critical files and systems, … Ransomware NotPetya Wannacry
itsecurityguru.webp 2018-07-25 11:15:01 Could complacency be setting in when it comes to ransomware? (direct link) By Chris Ross, SVP International, Barracuda. Ransomware may be a headline favourite, but the attack itself is nothing new. In fact, it's been around in some form or another for decades. Since last year's high profile global campaigns such as WannaCry and NotPetya, you'd be hard pressed to find anyone who isn't aware of the ... Ransomware NotPetya Wannacry
ErrataRob.webp 2018-07-12 19:54:20 Your IoT security concerns are stupid (direct link) Lots of government people are focused on IoT security, such as this recent effort. They are usually wrong. It's a typical cybersecurity policy effort which knows the answer without paying attention to the question. Patching has little to do with IoT security. For one thing, consumers will not patch vulns, because unlike your phone/laptop computer which is all "in your face", IoT devices, once installed, are quickly forgotten. For another thing, the average lifespan of a device on your network is at least twice the duration of support from the vendor making patches available. Naive solutions to the manual patching problem, like forcing autoupdates from vendors, increase rather than decrease the danger. Manual patches that don't get applied cause a small, but manageable, constant hacking problem. Automatic patching causes rarer, but more catastrophic, events when hackers hack the vendor and push out a bad patch. People are afraid of Mirai, a comparatively minor event that led to a quick cleansing of vulnerable devices from the Internet. They should be more afraid of notPetya, the most catastrophic event yet on the Internet, which was launched by subverting an automated patch of accounting software. Vulns aren't even the problem. Mirai didn't happen because of accidental bugs, but because of conscious design decisions. Security cameras have unique requirements of being exposed to the Internet and needing a remote factory reset, leading to the worm. While notPetya did exploit a Microsoft vuln, its primary vector of spreading (after the subverted update) was via misconfigured Windows networking, not that vuln. In other words, while Mirai and notPetya are the most important events people cite supporting their vuln/patching policy, neither was really about vuln/patching. Such technical analysis of events like Mirai and notPetya is ignored.
Policymakers are only cherrypicking the superficial conclusions supporting their goals. They assiduously ignore in-depth analysis of such things because it inevitably fails to support their positions, or directly contradicts them. IoT security is going to be solved regardless of what government does. All this policy talk is premised on things being static unless government takes action. This is wrong. Government is still waffling on its response to Mirai, but the market quickly adapted. Those off-brand, poorly engineered security cameras you buy for $19 from Amazon.com shipped directly from Shenzhen now look very different, having less Internet exposure, than the ones used in Mirai. Major Internet sites like Twitter now use multiple DNS providers so that a DDoS attack on one won't take down their services. In addition, technology is fundamentally changing. Mirai attacked IPv4 addresses outside the firewall. The 100-billion IoT devices going on the network in the next decade will not work this way, cannot work this way, because there are only 4-billion IPv4 addresses. Instead, they'll be behind NATs or accessed via IPv6, both of which prevent Mirai-style worms from functioning. Your fridge and toaster won't connect via your home WiFi anyway, but via a 5G chip unrelated to your home. Lastly, focusing on the ven Hack Patching Guideline NotPetya
AlienVault.webp 2018-06-29 13:00:00 Things I Hearted this Week – 29th June 2018 (direct link) It's been an absolutely lovely warm week in London. The sun has been shining, allergies have been high, and kids have been missing out on all the wonders because they're too busy being indoors staring at a mobile device or tablet. Things were very different back in my days... and just like that, I've turned into my Dad! Have I Been Pwned - The Saga Continues I like to think of myself as a bit of a hipster because I was following Troy Hunt before he was widely recognised as being cool. I remember reading his posts on OWASP top 10 for .NET developers and thinking to myself that this guy really knows his stuff. Which is why I was optimistic when Troy launched Have I Been Pwned - but I don't think I foresaw how big the project would become, and now it is being integrated into Firefox and 1Password. Not bad going for the blogger from down under. We're Baking Have I Been Pwned into Firefox and 1Password | Troy Hunt Defining Hacker In 2018 If you do a Google Image Search against the word hacker, you'll get images of scary-looking balaclava-clad cybercriminals hunched over a quintessentially green computer terminal. They're up to no good… Stealing your data, crashing critical systems, or causing general Internet badness. In reality, the word "hacker" applies to a much broader group of people, one that extends well beyond cybersecurity. Merriam-Webster defines a "hacker" as "an expert at programming and solving problems with a computer". Defining "Hacker" in 2018 | BugCrowd Lessons From nPetya One Year Later This is the one year anniversary of NotPetya. It was probably the most expensive single hacker attack in history (so far), with FedEx estimating it cost them $300 million. Shipping giant Maersk and drug giant Merck suffered losses on a similar scale. Many are discussing lessons we should learn from this, but they are the wrong lessons.
An example is this quote in a recent article: "One year on from NotPetya, it seems lessons still haven't been learned. A lack of regular patching of outdated systems because of the issues of downtime and disruption to organisations was the path through which both NotPetya and WannaCry spread, and this fundamental problem remains." This is an attractive claim. It describes the problem in terms of people being "weak" and that the solution is to be "strong". If only organizations were strong enough, willing to deal with downtime and disruption, then problems like this wouldn't happen. But this is wrong, at least in the case of NotPetya. Lessons from nPetya one year later | Errata Security German Researchers Defeat Printers' Doc-Tracking Dots Beating the unique identifiers that printers can add to documents for security purposes is possible: you just need to add extra dots beyond those that security tools already add. The trick is knowing where to add them. Many printers can add extra dots to help identify which device printed a document, as it's handy to know that when they fall into the wrong hands. The FedEx NotPetya Wannacry
ErrataRob.webp 2018-06-27 15:49:15 Lessons from nPetya one year later (direct link) This is the one year anniversary of NotPetya. It was probably the most expensive single hacker attack in history (so far), with FedEx estimating it cost them $300 million. Shipping giant Maersk and drug giant Merck suffered losses on a similar scale. Many are discussing lessons we should learn from this, but they are the wrong lessons. An example is this quote in a recent article: "One year on from NotPetya, it seems lessons still haven't been learned. A lack of regular patching of outdated systems because of the issues of downtime and disruption to organisations was the path through which both NotPetya and WannaCry spread, and this fundamental problem remains." This is an attractive claim. It describes the problem in terms of people being "weak" and that the solution is to be "strong". If only organizations were strong enough, willing to deal with downtime and disruption, then problems like this wouldn't happen. But this is wrong, at least in the case of NotPetya. NotPetya's spread was initiated through the Ukrainian company MeDoc, which provided tax accounting software. It had an auto-update process for keeping its software up-to-date. This was subverted in order to deliver the initial NotPetya infection. Patching had nothing to do with this. Other common security controls like firewalls were also bypassed. Auto-updates and cloud-management of software and IoT devices are becoming the norm. This creates a danger for such "supply chain" attacks, where the supplier of the product gets compromised, spreading an infection to all their customers. The lesson organizations need to learn about this is how such infections can be contained. One way is to firewall such products away from the core network. Another solution is port-isolation/microsegmentation, which limits the spread after an initial infection. Once NotPetya got into an organization, it spread laterally.
The chief way it did this was through Mimikatz/PsExec, reusing Windows credentials. It stole whatever login information it could get from the infected machine and used it to try to log on to other Windows machines. If it got lucky getting domain administrator credentials, it then spread to the entire Windows domain. This was the primary method of spreading, not the unpatched ETERNALBLUE vulnerability. This is why it was so devastating to companies like Maersk: it wasn't a matter of a few unpatched systems getting infected, it was a matter of losing entire domains, including the backup systems. Such spreading through Windows credentials continues to plague organizations. A good example is the recent ransomware infection of the City of Atlanta that spread much the same way. The limits of the worm were the limits of domain trust relationships. For example, it didn't infect the city airport because that Windows domain is separate from the city's domains. This is the most pressing lesson organizations need to learn, the one they are ignoring. They need to do more to prevent desktops from infecting each other, such as through port-isolation/microsegmentation. They need to control the spread of administrative credentials within the organization. A lot of organizations put the same local admin account on every workstation, which makes the spread of NotPetya-style worms trivial. They need to reevaluate trust relationships between domains, so that the admin of one can't infect the others. These solutions are difficult, which is why news articles don't mention them. You don't have to know anything about security to proclaim "the problem is lack of patches". It's moral authority, chastising the weak, rather than a prescription of what to do. Solving supply chain hacks and Windows credential sharing, though, is hard. I don't know any universal solution to this -- I'd have to thoroughly analyze your network and business in order to Ransomware Malware Patching FedEx NotPetya Wannacry
securityintelligence.webp 2018-05-04 17:13:01 WannaCry Dominates Ransomware News in 2017, Drives 415 Percent Attack Boost (direct link) WannaCry drove a 415 percent increase in ransomware attacks and accounted for 90 percent of all detection reports in 2017. In addition to these eye-popping numbers, F-Secure's "The Changing State of Ransomware" report also offered some positive ransomware news: The lack of big paydays for campaigns such as WannaCry and NotPetya are now causing a […] NotPetya Wannacry
SecurityWeek.webp 2018-05-03 16:36:04 Commodity Ransomware Declines as Corporate Attacks Increase (direct link) 2017 was a landmark year for ransomware, with WannaCry and NotPetya grabbing headlines around the world. Ransomware attacks grew by more than 400% over the year, while the number of unique families and variants increased by 62%. These statistics, however, disguise an apparent change in the ransomware industry following the summer of 2017. NotPetya Wannacry
SecurityWeek.webp 2018-04-13 16:10:02 Illumio, Qualys Partner on Vulnerability-based Micro-Segmentation (direct link) Vulnerability management has two major components: discovering vulnerabilities, and mitigating those vulnerabilities. The first component is pointless without the second component. So, for example, Equifax, WannaCry, NotPetya, and many other breaches -- if not most breaches -- are down to a failure to patch, which is really a failure in vulnerability management. NotPetya Wannacry Equifax
The_Hackers_News.webp 2018-04-06 04:41:01 Microsoft Office 365 Gets Built-in Ransomware Protection and Enhanced Security Features (direct link) Ransomware has been around for a few years, but it has become an albatross around everyone's neck, targeting big businesses, hospitals, financial institutions and individuals worldwide and extorting millions of dollars. Last year, we saw some major ransomware outbreaks, including WannaCry and NotPetya, which wreaked havoc across the world, hitting hundreds of thousands of computers and NotPetya Wannacry
SecurityWeek.webp 2018-03-26 14:12:04 (Déjà vu) Pentagon Looks to Counter Ever-stealthier Warfare (direct link) The US military has for years enjoyed a broad technological edge over its adversaries, dominating foes with superior communications and cyber capabilities. Now, thanks to rapid advances by Russia and China, the gap has shrunk, and the Pentagon is looking at how a future conflict with a "near-peer" competitor might play out. Air Force Secretary Heather Wilson recently warned that both Russia and China are experimenting with ways to take out the US military's satellites, which form the backbone of America's warfighting machine. "They know that we are dominant in space, that every mission the military does depends on space, and in a crisis or war they are demonstrating capabilities and developing capabilities to seek to deny us our space assets," Wilson said. "We're not going to let that happen." The Pentagon is investing in a new generation of satellites that will provide the military with better accuracy and have better anti-jamming capabilities. Such technology would help counter the type of "asymmetric" warfare practised by Russia, which combines old-school propaganda with social media offensives and cyber hacks. Washington has blamed Moscow for numerous cyber attacks, including last year's massive ransomware attack, known as NotPetya, which paralyzed thousands of computers around the world. US cyber security investigators have also accused the Russian government of a sustained effort to take control of critical US infrastructure systems, including the energy grid. Russia denies involvement and so far, such attacks have been met with a muted US military response. - Public relations shutdown - General John Hyten, who leads US Strategic Command (STRATCOM), told lawmakers the US has "not gone nearly far enough" in the cyber domain.
He also warned that the military still does not have clear authorities and rules of engagement for when and how it can conduct offensive cyber ops. "Cyberspace needs to be looked at as a warfighting domain, and if somebody threatens us in cyberspace, we need to have the authorities to respond," Hyten told lawmakers this week. Hyten's testimony comes after Admiral Michael Rogers, who heads both the NSA -- the leading US electronic eavesdropping agency -- and the new US Cyber Command, last month said President Donald Trump had no Guideline NotPetya
SecurityWeek.webp 2018-03-23 19:45:03 (Déjà vu) Ransomware Hits City of Atlanta (direct link) A ransomware attack -- possibly a variant of SamSam -- has affected some customer-facing applications and some internal services at the City of Atlanta. The FBI and incident response teams from Microsoft and Cisco are investigating. The city's police department, water services and airport are not affected. The attack was detected early on Thursday morning. By mid-day the city had posted an outage alert to Twitter. In a press conference held Thursday afternoon, mayor Keisha Bottoms announced that the breach had been ransomware. She gave no details of the ransomware demands, but noticeably declined to say whether the ransom would be paid or refused. Bottoms could not at this stage confirm whether personal details had also been stolen in the same breach, but suggested that customers and staff should monitor their credit accounts. Questions on the viability of data backups and the state of system patches were not clearly answered; but it was stressed that the city had adopted a 'cloud first' policy going forwards specifically to improve security and mitigate against future ransomware attacks. A city employee obtained and sent a screenshot of the ransom note to local radio station 11Alive. The screenshot shows a bitcoin demand for $6,800 per system, or $51,000 to unlock all systems. It is suggested that the ransom note is similar to ones used by the SamSam strain of ransomware. Steve Ragan subsequently tweeted, "1 local, 2 remote sources are telling me City of Atlanta was hit by SamSam. The wallet where the ransom is to be sent (if they pay) has collected $590,000 since Jan 27." SamSam ransomware infected two healthcare organizations earlier this year. SamSam is not normally introduced via a phishing attack, but rather following a pre-existing breach. This could explain the concern over data theft on top of the data encryption.
It also raises the question over whether the initial breach was due to a security failure, an unpatched system, or via a third-party supplier. Ransomware is not a new threat, and there are mitigations -- but it continues to cause havoc. Official advice is, wherever at all possible, refuse to pay. The theory is that if the attackers cease getting a return on their attacks, they will turn to something easier with a better ROI on their time. This approach simply isn't working. Sometimes payment can be avoided by recovering data from backups NotPetya Wannacry
SecurityWeek.webp 2018-03-19 13:51:04 (Déjà vu) Russian Cyberspies Hacked Routers in Energy Sector Attacks (direct link) A cyberespionage group believed to be operating out of Russia hijacked a Cisco router and abused it to obtain credentials that were later leveraged in attacks targeting energy companies in the United Kingdom, endpoint security firm Cylance reported on Friday. The United States last week announced sanctions against Russian spy agencies and more than a dozen individuals for trying to influence the 2016 presidential election and launching cyberattacks, including the NotPetya attack and campaigns targeting energy firms. Shortly after, US-CERT updated an alert from the DHS and FBI to officially accuse the Russian government of being responsible for critical infrastructure attacks launched by a threat actor tracked as Dragonfly, Crouching Yeti and Energetic Bear. A warning issued last year by the UK's National Cyber Security Centre (NCSC) revealed that hackers had targeted the country's energy sector, abusing the Server Message Block (SMB) protocol and attempting to harvest victims' passwords. An investigation conducted by Cylance showed that the attacks were likely carried out by the Dragonfly group. The security firm has observed a series of phishing attacks aimed at the energy sector in the UK using two documents claiming to be resumes belonging to one Jacob Morrison. When opened, the documents fetched a template file and attempted to automatically authenticate to a remote SMB server controlled by the attackers. This template injection technique was detailed last year by Cisco Talos following Dragonfly attacks on critical infrastructure organizations in the United States. When a malicious document is opened using Microsoft Word, it loads a template file from the attacker's SMB server.
When the targeted device connects to the SMB server, it will attempt to authenticate using the current Windows user's domain credentials, basically handing them over to the attackers. In a separate analysis of such attacks, Cylance noted that while the credentials will in most cases be encrypted, even an unsophisticated attacker will be able to recover them in a few hours or days, depending on their resources. According to Cylance, Dragonfly used this technique to harvest credentials that were later likely used to hack the systems of energy sector organizations in the United Kingdom. One interesting aspect noticed by Cylance researchers is that the IP address of the SMB server used in the template injection attack was associated with a major state-owned energy congl NotPetya
SecurityWeek.webp 2018-03-16 14:40:02 Sofacy Targets European Govt as U.S. Accuses Russia of Hacking (lien direct) Just as the U.S. had been preparing to accuse Russia of launching cyberattacks against its energy and other critical infrastructure sectors, the notorious Russia-linked threat group known as Sofacy was spotted targeting a government agency in Europe. The United States on Thursday announced sanctions against Russian spy agencies and more than a dozen individuals for trying to influence the 2016 presidential election and launching cyberattacks, including the destructive NotPetya campaign and operations targeting energy firms. The Department of Homeland Security and Federal Bureau of Investigation issued a joint technical alert via US-CERT last year to warn about attacks launched by a group known as Dragonfly, Crouching Yeti and Energetic Bear on critical infrastructure. Researchers previously linked Dragonfly to the Russian government and now the DHS has officially stated the same. US-CERT has updated its alert with some additional information. The new version of the alert replaces “APT actors” with “Russian government cyber actors.” The DHS said that based on its analysis of malware and indicators of compromise, Dragonfly attacks are ongoing, with threat actors “actively pursuing their ultimate objectives over a long-term campaign.” This is not the first time the U.S. has imposed sanctions on Russia over its attempt to influence elections. Russia has also been accused by Washington and others of launching the NotPetya attack last year. The Kremlin has always denied the accusations, but President Vladimir Putin did admit at one point that patriotic hackers could be behind the attacks. If Dragonfly and Sofacy (aka Fancy Bear, APT28, Sednit, Tsar Team and Pawn Storm) are truly operating out of Russia, they don't seem to be discouraged by sanctions and accusations. 
On March 12 and March 14, security firm Palo Alto Networks spotted attacks launched by Sofacy against an unnamed European government agency using an updated variant of a known tool. Sofacy has been using a Flash Player exploit platform dubbed DealersChoice since at least 2016 and it has continued improving it. The latest version has been delivered to a government organization in Europe using a spear phishing email referencing the “Underwat NotPetya APT 28
ZDNet.webp 2018-03-15 15:32:02 US slaps new sanctions on Russia over NotPetya cyberattack, election meddling (lien direct) The FBI also warned of Russian government actors targeting the energy grid and other critical infrastructure. NotPetya
bleepingcomputer.webp 2018-03-15 13:37:02 US Sanctions Russia Over NotPetya Outbreak, Energy Grid Hacks, Election Meddling (lien direct) The United States has imposed sanctions against Russian entities for the NotPetya ransomware outbreak, cyber-attacks on the US power grid, and their attempts to influence the 2016 US presidential election process. [...] NotPetya
SecurityWeek.webp 2018-03-15 13:03:01 (Déjà vu) Microsoft Publishes Bi-annual Security Intelligence Report (SIR) (lien direct) NotPetya Wannacry
itsecurityguru.webp 2018-03-15 12:07:02 More countries are learning from Russia's cyber tactics (lien direct) When British and US officials blamed Russian military hackers for last summer's NotPetya ransomware attack, they were confirming long-held suspicions among western governments that Russia is stepping up its hostile cyber capabilities. View full story ORIGINAL SOURCE: The FT NotPetya
SecurityWeek.webp 2018-03-13 15:50:02 (Déjà vu) Usual Threats, But More Sophisticated and Faster: Report (lien direct) Almost Every Type of Cyber Attack is Increasing in Both Volume and Sophistication Eight new malware samples were recorded every second during the final three months of 2017. The use of fileless attacks, primarily via PowerShell, grew; and there was a surge in cryptocurrency hijacking malware. These were the primary threats outlined in the latest McAfee Labs Threat Report (PDF) covering Q4 2017. The growth of cryptomining malware coincided with the surge in Bitcoin value, which peaked at just under $20,000 on Dec. 22. With the cost of dedicated mining hardware at upwards of $5,000 per machine, criminals chose to steal users' CPU time via malware. It demonstrates how criminals always follow the money, and choose the least expensive method of acquiring it with the greatest chance of avoiding detection. Since December, Bitcoin's value has fallen to $9,000 (at the time of publishing). Criminals' focus on Bitcoin is likewise shifting, with Ethereum and Monero becoming popular. Last week, Microsoft discovered a major campaign focused on stealing Electroneum. "We currently see discussions in underground forums that suggest moving from Bitcoin to Litecoin because the latter is a safer model with less chance of exposure," comments Raj Samani, chief scientist and McAfee fellow with the Advanced Threat Research Team. The speed with which criminals adapt to the latest market conditions is also seen in the way they maximize their asymmetric advantage. "Adversaries," writes Samani, "have the luxury of access to research done by the technical community, and can download and use open-source tools to support their campaigns, while the defenders' level of insight into cybercriminal activities is considerably more limited, and identifying evolving tactics often must take place after malicious campaigns have begun." 
Examples of attackers making use of legitimate research include Fancy Bear (APT28) leveraging a Microsoft Office Dynamic Data Exchange technique in November 2017 that had been made public just a few we NotPetya Equifax APT 28
SecurityWeek.webp 2018-03-02 15:45:05 Nuance Estimates NotPetya Impact at $90 Million (lien direct) Nuance Communications, one of the companies to have been impacted by the destructive NotPetya attack last year, estimates the financial cost of the attack at over $90 million. NotPetya
SecurityAffairs.webp 2018-02-18 14:29:02 Germany's defense minister: Cyber security is going to be the main focus of this decade. (lien direct) On Saturday, Germany's defense minister Ursula von der Leyen told CNBC that cyber attacks are the greatest challenge threatening global stability. Cybersecurity is a pillar of modern states; the string of recent massive attacks, including NotPetya and WannaCry, demonstrates that we are all potential targets. Cyber attacks could hit governments, private companies and citizens in every […] NotPetya Wannacry
bleepingcomputer.webp 2018-02-18 05:50:02 All Five Eyes Countries Formally Accuse Russia of Orchestrating NotPetya Attack (lien direct) All the countries part of the Five Eyes intelligence-sharing alliance (the US, the UK, Canada, Australia, and New Zealand) have made formal statements accusing the Russian Federation of orchestrating the NotPetya ransomware outbreak. [...] NotPetya
itsecurityguru.webp 2018-02-16 16:34:05 Russia blamed again for NotPetya (lien direct) Australia has joined the UK and US in blaming Russia for the NotPetya attacks. This comes after much consultation with the Australian intelligence services and the UK and US governments. View Full Story ORIGINAL SOURCE: ZDNet NotPetya
bleepingcomputer.webp 2018-02-16 16:01:05 The Week in Ransomware - February 16th 2018 - NotPetya & Saturn (lien direct) The biggest news this week is the UK formally attributing NotPetya to Russian attackers. Also of interest this week is the release of the Saturn Ransomware, which has a more organized feel compared to other ransomware families currently being distributed [...] NotPetya
itsecurityguru.webp 2018-02-16 15:14:03 The Destructive nature of North Korean Cyber-Attacks (lien direct) Attacks like WannaCry and NotPetya were highly destructive on a scale never seen before. The disruption has still left some organisations suffering from the financial repercussions. The reach of the attacks shocked many within the cyber industry and just this month, Ciaran Martin, the head of the National Cyber Security Centre, warned UK organisations to ... NotPetya Wannacry ★★
AlienVault.webp 2018-02-16 14:00:00 Things I Hearted this Week 16th Feb 2018 (lien direct) Rolling in the bounty We hear a lot about bug bounties and how some people are potentially making a lucrative living off it. HackerOne has paid out over $24m in bounties in the last five years. That’s some serious cash, considering how far that translates into local currencies. So, they asked some of their top hackers how they spent their money. How hackers spend their bounties | HackerOne SIM hijacking, the aftermath In last week’s roundup there was a story about SIM swapping and how T-mobile USA was sending texts to customers stating they may be victims of fraud. We often cover such stories, shake our heads and tut loudly before moving on. But Motherboard got in touch with nine victims of SIM hijacking and told their stories. It’s quite a wake-up call to the real-life impact scams and fraud can have on individuals. ‘I Lived a Nightmare:’ SIM Hijacking Victims Share Their Stories | Motherboard Cryptocurrencies Not entirely security related news, but hey if everyone is referring to it as ‘crypto’ I can include it here right? Joseph Steinberg considers what the future holds for Bitcoin, which sits at the head of the table of cryptocurrencies today, while other currencies are nipping at its heels. Will Bitcoin become the MySpace of Cryptocurrencies? | Joseph Steinberg Another cryptocurrency theft Italian Cryptocurrency Exchange BitGrail Lost $170 Million Worth of Nano to Hackers | InterestingEngineering Mining stuff There are lessons to be learned from government websites serving cryptocurrency miners | Virus Bulletin Could Bitcoin break the NHS? Latest crypto-jack attack ‘the first of many’, say experts | Express AI recognition Chinese police are wearing sunglasses that can recognize faces. No, that’s not a plot of a movie, but what’s actually happening. 
Railway police in Zhengzhou, a central Chinese city, are the first in the country to use facial-recognition eyewear to screen passengers during the Lunar New Year travel rush. The devices have allegedly already helped nab seven fugitives related to major criminal cases such as human trafficking and hit-and-runs, and 26 others who were traveling with fake identities. While that may be well and good, there are some issues with facial recognition. Joy Buolamwini, a researcher at the M.I.T. Media Lab, has shown how real-life biases can creep into A.I. The result is that for a white man, facial NotPetya Wannacry
SecurityWeek.webp 2018-02-16 06:00:03 U.S., Canada, Australia Attribute NotPetya Attack to Russia (lien direct) The United States, Canada, Australia and New Zealand have joined the United Kingdom in officially blaming Russia for the destructive NotPetya attack launched last summer. Moscow has denied the accusations. NotPetya
BBC.webp 2018-02-15 22:12:05 UK and US blame Russia for 'malicious' NotPetya cyber-attack (lien direct) Britain and the US say the Russian military was behind the NotPetya attack which hit firms worldwide. NotPetya
Blog.webp 2018-02-15 20:47:03 What the UK Knows: Five Things That Link NotPetya to Russia (lien direct) The UK's Foreign Office Minister Lord Ahmad said that the UK Government believes Russia was responsible for the destructive NotPetya cyber-attack of June 2017. How can they be sure? We look at five strong clues pointing back to the Kremlin. The government of the United Kingdom has formally attributed the June 2017 NotPetya wiper attacks to... NotPetya
SecurityAffairs.webp 2018-02-15 19:13:00 UK Foreign Office Minister blames Russia for NotPetya massive ransomware attack (lien direct) The United Kingdom's Foreign and Commonwealth Office formally accuses the Russian cyber army of launching the massive NotPetya ransomware attack. The UK Government formally accuses the Russian cyber army of launching the massive NotPetya ransomware attack. The United Kingdom's Foreign and Commonwealth Office "attributed the NotPetya cyber-attack to the Russian Government." According to the UK, […] NotPetya
AlienVault.webp 2018-02-15 14:00:00 North Korean Cyber-Attacks and Collateral Damage (lien direct) WannaCry was incredibly destructive. The attackers made about $150,000 - but the total damage caused by WannaCry has been estimated in the billions of dollars. There is strong evidence linking WannaCry to a group of hackers known as 'Lazarus', reportedly operating out of the DPRK (North Korea). Whilst WannaCry is perhaps the most famous attack by Lazarus, it isn't the only 'collateral damage' caused by the DPRK's cyber actions. Below we disclose new details on three attacks that have spread out of control: two likely originating from the DPRK, and one targeting the DPRK. The Voice of Korea and the Rivts Virus This section describes a piece of malware that may have been created within the DPRK as part of a test project - and accidentally leaked out onto the wider internet. A simple file-infector We triage many millions of malicious files automatically every day in an effort to ensure our customers are covered from new threats. One malware family we regularly see, called Rivts by antivirus vendors, was originally created in 2009 but still continues to spread. Rivts is a file-infecting worm - it spreads across USB drives and hard drives, attaching itself to files to spread further. The new files we see every day are the result of new files being infected with the original worm from 2009 - not new developments by the attacker. Overall, it's a fairly boring file infector (or "virus"). But there was one very strange thing that caught our eye. North Korean Software As part of its initial infection process, Rivts checks for the presence of system files normally found on Windows XP to infect first. 
But it seems to expect two pieces of uncommon software in the Windows System folder: Below are the details of these two files, nnr60.exe and hana80.exe: Whilst the DPRK is well known for developing its own Linux based operating system, and there is evidence of some DPRK hackers using NotPetya Wannacry Yahoo APT 38
The_State_of_Security.webp 2018-02-15 12:04:05 UK Government Publicly Attributes NotPetya Outbreak to Russia (lien direct) UK government officials have publicly attributed the NotPetya malware attacks of June 2017 to actors in the Russian government. Foreign Office Minister Lord Ahmad made his thoughts known in a statement released on 15 February: The UK Government judges that the Russian Government, specifically the Russian military, was responsible for the destructive NotPetya cyber-attack of […] NotPetya
Blog.webp 2018-02-14 23:57:05 Sour Patch: NotPetya's Cleanup Cost to Mondelez Tops $80 million (lien direct) The NotPetya wiper malware took a bite out of candy maker Mondelez International's 2017 earnings, the company has reported. Mondelez, which was hit by the outbreak in June, said that it spent $84 million in "incremental costs" to investigate the incident, remove the malware and restore systems infected by the so-called... NotPetya
The_State_of_Security.webp 2018-02-05 04:00:45 Three Leaked NSA Exploits Rewritten to Affect All Windows OSes Since Windows 2000 (lien direct) The WannaCry and NotPetya outbreaks were by far among the most significant digital attack campaigns that took place in 2017. Together, the crypto-ransomware and wiper malware affected hundreds of thousands of computers all over the world. They achieved this reach by abusing EternalBlue. Allegedly developed by the U.S. National Security Agency (NSA) and leaked online […] NotPetya Wannacry
SecurityWeek.webp 2018-01-26 08:31:06 Maersk Reinstalled 50,000 Computers After NotPetya Attack (lien direct) Jim Hagemann Snabe, chairman of Danish shipping giant A.P. Moller–Maersk, revealed this week at the World Economic Forum in Switzerland that the company was forced to reinstall software on nearly 50,000 devices following the NotPetya attack. NotPetya
SecurityAffairs.webp 2018-01-25 21:58:15 Maersk chair revealed its company reinstalled 45,000 PCs and 4,000 Servers after NotPetya Attack (lien direct) Maersk chair Jim Hagemann Snabe revealed that the shipping giant reinstalled 45,000 PCs and 4,000 servers after the NotPetya attack. Maersk was one of the companies that suffered the massive NotPetya attack; in August 2017 the company announced that it would incur hundreds of millions of U.S. dollars in losses due to the massive ransomware […] NotPetya
bleepingcomputer.webp 2018-01-25 06:45:31 Maersk Reinstalled 45,000 PCs and 4,000 Servers to Recover From NotPetya Attack (lien direct) The world's largest container shipping company, A.P. Møller-Maersk, said it recovered from the NotPetya ransomware incident by reinstalling over 4,000 servers, 45,000 PCs, and 2,500 applications over the course of ten days in late June and early July 2017. [...] NotPetya
The_Hackers_News.webp 2018-01-23 05:37:52 Cybersecurity Certification Courses – CISA, CISM, CISSP (lien direct) The year 2017 saw some of the biggest cybersecurity incidents, from high-profile data breaches at Equifax and Uber impacting millions of users to thousands of businesses and millions of customers being affected by global ransomware threats like WannaCry and NotPetya. The year ended, but cybersecurity incidents, threats, data breaches, and hacks did not leave the airwaves. The NotPetya Wannacry Equifax Uber
InfosecIsland.webp 2018-01-04 08:30:00 The 5 Motives of Ransomware (lien direct) Who would have foreseen the impact of both WannaCry and NotPetya NotPetya Wannacry
Last update at: 2024-05-13 19:07:57