What's new arround internet
| Src | Date (GMT) | Titre | Description | Tags | Stories | Notes |
 |
2024-01-03 02:50:11 | La cybercriminalité va-t-elle empirer? Is Cybercrime Only Going to Get Worse? (lien direct) |
Au tournant du millénaire, peu de gens s'inquiétaient de la cybercriminalité.L'accord du Vendredi Saint venait de entrer en vigueur, les États-Unis ont expulsé un diplomate russe pour espionnage, et la menace du bug Y2K se profile.Iloveyou, le ver informatique qui a catapulté la cybercriminalité dans la conscience du public, était encore dans cinq mois.Aujourd'hui, les choses ne pourraient pas être plus différentes.En 2001, six personnes ont été victimes de la cybercriminalité par heure.D'ici 2022, ce nombre était passé à 97, soit une augmentation de 1517%.À cette époque, les attaques Solarwinds, Colonial Pipeline et Wannacry ont établi une cybercriminalité comme potentiellement ...
At the turn of the millennium, few people were worried about cybercrime. The Good Friday Agreement had just come into effect, the US expelled a Russian diplomat for spying, and the threat of the Y2K bug loomed. ILOVEYOU , the computer worm that catapulted cybercrime into the public consciousness, was still five months away. Today, things couldn\'t be more different. In 2001, six people fell victim to cybercrime an hour. By 2022, that number had risen to 97, an increase of 1517% . At that time, the SolarWinds, Colonial Pipeline, and WannaCry attacks established cybercrime as a potentially... |
Threat Threat | Wannacry | ★★★ |
 |
2023-11-28 11:00:00 | Pour le manque de cyber ongle, le royaume est tombé For want of a cyber nail the kingdom fell (lien direct) |
An old proverb, dating to at least the 1360’s, states: "For want of a nail, the shoe was lost, for want of a shoe, the horse was lost, for want of a horse, the rider was lost, for want of a rider, the battle was lost, for want of a battle, the kingdom was lost, and all for the want of a horseshoe nail," When published in Ben Franklin’s Poor Richard’s Almanack in 1768, it was preceded by the cautionary words: “a little neglect may breed great mischief”. This simple proverb and added comment serve as emblematic examples of how seemingly inconsequential missteps or neglect can lead to sweeping, irreversible, catastrophic losses. The cascade of events resonates strongly within the increasingly complex domain of cybersecurity, in which the omission of even the most elementary precaution can result in a spiraling series of calamities. Indeed, the realm of cybersecurity is replete with elements that bear striking resemblance to the nail, shoe, horse, and rider in this proverb. Consider, for example, the ubiquitous and elementary software patch that may be considered the proverbial digital "nail." In isolation, this patch might seem trivial, but its role becomes crucial when viewed within the broader network of security measures. The 2017 WannaCry ransomware attack demonstrates the significance of such patches; an unpatched vulnerability in Microsoft Windows allowed the malware to infiltrate hundreds of thousands of computers across the globe. It wasn\'t just a single machine that was compromised due to this overlooked \'nail,\' but entire networks, echoing how a lost shoe leads to a lost horse in the proverb. This analogy further extends to the human elements of cybersecurity. Personnel tasked with maintaining an organization\'s cyber hygiene play the role of the "rider" in our metaphorical tale. However, the rider is only as effective as the horse they ride; likewise, even the most skilled IT professional cannot secure a network if the basic building blocks—the patches, firewalls, and antivirus software—resemble missing nails and shoes. Numerous reports and studies have indicated that human error constitutes one of the most common causes of data breaches, often acting as the \'rider\' who loses the \'battle\'. Once the \'battle\' of securing a particular network or system is lost, the ramifications can extend much further, jeopardizing the broader \'kingdom\' of an entire organization or, in more extreme cases, critical national infrastructure. One glaring example that serves as a cautionary tale is the Equifax data breach of 2017, wherein a failure to address a known vulnerability resulted in the personal data of 147 million Americans being compromised. Much like how the absence of a single rider can tip the scales of an entire battle, this singular oversight led to repercussions that went far beyond just the digital boundaries of Equifax, affecting millions of individuals and shaking trust in the security of financial systems. | Ransomware Data Breach Malware Vulnerability | Wannacry Wannacry Equifax Equifax | ★★ |
 |
2023-10-26 13:08:32 | Ransomware one year after WannaCry: attack vectors still commonly exploited by attackers (lien direct) | This article discusses some of the most common infection vectors and how the Darktrace Enterprise Immune System can assist security teams in catching ransomware threats.
This article discusses some of the most common infection vectors and how the Darktrace Enterprise Immune System can assist security teams in catching ransomware threats. |
Ransomware | Wannacry | ★★ |
|
2023-08-29 10:00:00 | Lutte contre les logiciels malveillants dans la chaîne d'approvisionnement industrielle Battling malware in the industrial supply chain (lien direct) |
The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. Here\'s how organizations can eliminate content-based malware in ICS/OT supply chains. As the Industrial Internet of Things (IIoT) landscape expands, ICS and OT networks are more connected than ever to various enterprise systems and cloud services. This new level of connectivity, while offering benefits, also paves the way for targeted and supply chain attacks, making them easier to carry out and broadening their potential effects. A prominent example of supply chain vulnerability is the 2020 SolarWinds Orion breach. In this sophisticated attack: Two distinct types of malware, "Sunburst" and "Supernova," were secretly placed into an authorized software update. Over 17,000 organizations downloaded the update, and the malware managed to evade various security measures. Once activated, the malware connected to an Internet-based command and control (C2) server using what appeared to be a harmless HTTPS connection. The C2 traffic was cleverly hidden using steganography, making detection even more challenging. The threat actors then remotely controlled the malware through their C2, affecting up to 200 organizations. While this incident led to widespread IT infiltration, it did not directly affect OT systems. In contrast, other attacks have had direct impacts on OT. In 2014, a malware known as Havex was hidden in IT product downloads and used to breach IT/OT firewalls, gathering intelligence from OT networks. This demonstrated how a compromised IT product in the supply chain could lead to OT consequences. Similarly, in 2017, the NotPetya malware was concealed in a software update for a widely-used tax program in Ukraine. Though primarily affecting IT networks, the malware caused shutdowns in industrial operations, illustrating how a corrupted element in the supply chain can have far-reaching effects on both IT and OT systems. These real-world incidents emphasize the multifaceted nature of cybersecurity risks within interconnected ICS/OT systems. They serve as a prelude to a deeper exploration of specific challenges and vulnerabilities, including: Malware attacks on ICS/OT: Specific targeting of components can disrupt operations and cause physical damage. Third-party vulnerabilities: Integration of third-party systems within the supply chain can create exploitable weak points. Data integrity issues: Unauthorized data manipulation within ICS/OT systems can lead to faulty decision-making. Access control challenges: Proper identity and access management within complex environments are crucial. Compliance with best practices: Adherence to guidelines such as NIST\'s best practices is essential for resilience. Rising threats in manufacturing: Unique challenges include intellectual property theft and process disruptions. Traditional defenses are proving inadequate, and a multifaceted strategy, including technologies like Content Disarm and Reconstruction (CDR), is required to safeguard these vital systems. Supply chain defense: The power of content disarm and reconstruction Content Disarm and Reconstruction (CDR) is a cutting-edge technology. It operates on a simple, yet powerful premise based on the Zero Trust principle: all files could be malicious. What does CDR do? In the complex cybersecurity landscape, CDR stands as a unique solution, transforming the way we approach file safety. Sanitizes and rebuilds files: By treating every file as potentially harmful, CDR ensures they are safe for use while mainta | Malware Vulnerability Threat Industrial Cloud | NotPetya Wannacry Solardwinds | ★★ |
 |
2023-08-08 15:00:00 | Opération des ransomwares d'origine vietnamienne imite les traits de Wannacry Vietnamese-Origin Ransomware Operation Mimics WannaCry Traits (lien direct) |
Cisco Talos a déclaré que ce qui distingue cette opération est la nouvelle approche pour fournir des notes de rançon
Cisco Talos said what sets this operation apart is the novel approach to delivering ransom notes |
Ransomware | Wannacry Wannacry | ★★ |
 |
2023-06-15 18:10:00 | Les pirates infectent les joueurs russophones avec de faux ransomwares de Wannacry Hackers infect Russian-speaking gamers with fake WannaCry ransomware (lien direct) |
Les chercheurs ont découvert une campagne de phishing ciblant les joueurs russophones de Enrôlé, un tireur à la première personne multijoueur.Les pirates ont utilisé un faux site Web qui ressemble étroitement à la page Web officielle enrôlée pour distribuer des ransomwares, selon un rapport publié cette semaine par la société de cybersécurité Cyble.Alors que les chercheurs n'ont pas attribué cette attaque à un groupe particulier, ils croient que
Researchers have uncovered a phishing campaign targeting Russian-speaking players of Enlisted, a multiplayer first-person shooter. The hackers used a fake website that closely resembles the official Enlisted webpage to distribute ransomware, according to a report published this week by cybersecurity firm Cyble. While researchers haven\'t attributed this attack to any particular group, they believe that |
Ransomware | Wannacry Wannacry | ★★ |
 |
2023-05-23 15:09:13 | Wannacry : L\'histoire d\'une cyberattaque spectaculaire (lien direct) | Ces dernières années, les pirates informatiques sont entrés dans l'inconscient collectif comme une menace bien réelle. Devant la multiplication des cyberattaques, de tentative de phishing ou de vol de données, nous avons tous intégré le hacking comme une nuisance à laquelle les particuliers et les e... | Wannacry Wannacry | ★★ | |
 |
2023-05-15 13:32:45 | Six ans après Wannacry: Pourquoi le ransomware est toujours un problème Sechs Jahre nach WannaCry: Warum Ransomware nach wie vor ein Problem ist (lien direct) |
Le 12 mai, non seulement la "Journée anti-ransomware" internationale, mais aussi le sixième anniversaire du Ber & uuml;. On peut constater que la réputation d'une entreprise est arrêtée, la réputation d'une entreprise est donnée et Des conséquences réelles surviennent. & ouml;, mais les attaques de ransomware représentent toujours tous les types et grands;
-
malware
/ /
ransomware ,
cybersecurite_home_droite
Der 12. Mai kennzeichnet nicht nur den internationalen „Anti-Ransomware-Tag", sondern auch den sechsten Jahrestag der berüchtigten und verheerenden WannaCry-Angriffe. Auch heute noch stellt Ransomware eine ständige Bedrohung für Organisationen dar. Sie kann dazu führen, dass Geschäftsabläufe gestoppt werden, der Ruf eines Unternehmens geschädigt wird und reale Folgen entstehen. Öffentlichkeitswirksame Angriffe auf z.B. Krankenhäuser und Kommunen sind bei der Bevölkerung zumeist besser bekannt, doch Ransomware-Attacken stellen nach wie vor für alle Arten und Größen von Unternehmen eine äußerst ernstzunehmende Bedrohung dar. - Malware / Ransomware, cybersecurite_home_droite |
Ransomware | Wannacry | ★★ |
|
2023-05-09 12:04:35 | "Ma semaine avec Wannacry" “My Week with Wannacry” (lien direct) |
«Ma semaine avec Wannacry» - Mikko Hypp & ouml; Nen, chef de la recherche, Withsecure
«L'épidémie de logiciels malveillants Wannacry du printemps 2017 était unique dans le domaine de la sécurité de l'information.Tout à fait par accident, j'avais promis de tenir un journal de ma semaine de travail pour le magazine de la culture informatique Skrolli.Wannacry a frappé cette semaine même, ajoutant une attaque de logiciels malveillants historique à un horaire déjà mouvementé.Ce fut l'une des plus grandes épidémies de tous les temps.Ce qui suit est mon journal pour ma semaine avec Wannacry.
-
opinion
“My Week with Wannacry” - Mikko Hyppönen, Chief Research Officer, WithSecure “The Wannacry malware epidemic of spring 2017 was unique in the field of information security. Quite by accident, I had promised to keep a diary of my working week for the computer culture magazine Skrolli. Wannacry struck that very week, adding a historic malware attack to an already hectic schedule. This was one of the biggest epidemics of all time. What follows is my diary for my week with Wannacry. - Opinion |
Malware | Wannacry Wannacry | ★★ |
|
2023-03-22 12:30:00 | Le Royaume-Uni émet une stratégie pour protéger les services de santé nationaux contre les cyberattaques [UK issues strategy to protect National Health Service from cyberattacks] (lien direct) |
Le gouvernement britannique a publié mercredi sa nouvelle stratégie de cybersécurité pour le National Health Service, visant à rendre le secteur de la santé du pays \\ «durcie considérablement à la cyberattaque, au plus tard en 2030».La stratégie vient dans le sillage de la [Wannacry] (https://www.theguardian.com/technology/2017/jun/16/wannacry-ransomware-attack-linked-north-korea-lazarus-group) Ransomware Attack en 2017, parallèlement à une attaque criminelle contre le fournisseur de logiciels [Advanced] (https://www.bbc.co.uk/news/technology-62725363) l'année dernière,
The British government published on Wednesday its new cybersecurity strategy for the National Health Service, aiming to make the country\'s healthcare sector “significantly hardened to cyber attack, no later than 2030.” The strategy comes in the wake of the [WannaCry](https://www.theguardian.com/technology/2017/jun/16/wannacry-ransomware-attack-linked-north-korea-lazarus-group) ransomware attack in 2017, alongside a criminal attack on the software supplier [Advanced](https://www.bbc.co.uk/news/technology-62725363) last year, |
Ransomware General Information | Wannacry APT 38 | ★★ |
 |
2023-02-28 18:55:00 | WannaCry Hero & Kronos Malware Author Named Cybrary Fellow (lien direct) | Marcus Hutchins, who set up a "kill switch" that stopped WannaCry's spread, later pled guilty to creating the infamous Kronos banking malware. | Malware | Wannacry Wannacry | ★★★ |
 |
2022-12-22 12:01:37 | Critical Microsoft Code-Execution Vulnerability (lien direct) | A critical code-execution vulnerability in Microsoft Windows was patched in September. It seems that researchers just realized how serious it was (and is): Like EternalBlue, CVE-2022-37958, as the latest vulnerability is tracked, allows attackers to execute malicious code with no authentication required. Also, like EternalBlue, it’s wormable, meaning that a single exploit can trigger a chain reaction of self-replicating follow-on exploits on other vulnerable systems. The wormability of EternalBlue allowed WannaCry and several other attacks to spread across the world in a matter of minutes with no user interaction required... | Vulnerability | Wannacry Wannacry | ★★★ |
 |
2022-11-28 14:00:00 | Worms of Wisdom: How WannaCry Shapes Cybersecurity Today (lien direct) | >WannaCry wasn’t a particularly complex or innovative ransomware attack. What made it unique, however, was its rapid spread. Using the EternalBlue exploit, malware could quickly move from device to device, leveraging a flaw in the Microsoft Windows Server Message Block (SMB) protocol. As a result, when the WannaCry “ransomworm” hit networks in 2017, it expanded […] | Ransomware Malware | Wannacry Wannacry | ★★ |
|
2022-11-22 12:43:51 | Le prochain WannaCry et le piratage de drones : quelles menaces persistantes avancées en 2023 ? (lien direct) | Les experts de Kaspersky ont présenté leurs prévisions concernant l'avenir des menaces persistantes avancées (APT), définissant ainsi les changements à prévoir dans le paysage des menaces en 2023. Attaques contre les technologies satellitaires, serveurs de messagerie, multiplication des attaques destructrices et des fuites, piratage de drones et prochaine grande cyber-épidémie sont autant de prédictions prévues pour l'année prochaine. Les bouleversements politiques de 2022 ont provoqué des changements (...) - Points de Vue | Wannacry Wannacry | ★★★ | |
|
2022-11-14 14:20:28 | The next WannaCry and drone hacking: Security Predictions for 2023 (lien direct) | The next WannaCry and drone hacking: Security Predictions for 2023 Kaspersky researchers presented their vision of the future for advanced persistent threats (APTs), defining the changes in threat landscape that will emerge in 2023. Attacks on satellite technologies, mail servers, the rise of destructive attacks and leaks, drone hacking and the next big cyber epidemic are among some of the predictions for the next year. - Opinion | Threat | Wannacry Wannacry | |
 |
2022-10-31 14:37:01 | Wannacry, the hybrid malware that brought the world to its knees (lien direct) | >Reflecting on the Wannacry ransomware attack, which is the lesson learnt e why most organizations are still ignoring it. In the early afternoon of Friday 12 May 2017, the media broke the news of a global computer security attack carried out through a malicious code capable of encrypting data residing in information systems and demanding […] | Ransomware Malware | Wannacry Wannacry | ★★ |
 |
2022-10-19 17:37:26 | Persistent pests: A taxonomy of computer worms (lien direct) | Many of the most notorious ransomware attacks, including WannaCry and NotPetya, began with a worm. Here's how you can help stop the spread. | Ransomware | NotPetya Wannacry Wannacry | |
|
2022-10-18 19:13:26 | N\'attendez pas qu\'une attaque de type WannaCry cible les mobiles (lien direct) | N'attendez pas qu'une attaque de type WannaCry cible les mobiles Par Richard Melick, Director of Product Marketing, Mobile Threat Intelligence, Zimperium - Points de Vue | Threat | Wannacry Wannacry | |
|
2022-10-06 10:00:00 | 7 Biggest Cybersecurity Threats of the 21st Century (lien direct) | This blog was written by an independent guest blogger. The 21st century has seen a dramatic increase in the number and sophistication of cybersecurity threats. Here are the 7 biggest threats that businesses and individuals need to be aware of. Ransomware as a service In the past few years, ransomware has become one of the most popular tools for cybercriminals. Ransomware as a service (RaaS) is a new business model that allows anyone with little to no technical expertise to launch their own ransomware attacks. All they need is to sign up for a RaaS platform and pay a fee (usually a percentage of the ransom they collect). RaaS is a growing threat because it makes it easy for anyone to launch attacks. Cybercriminals can target any organization, no matter its size or resources. And, because RaaS platforms typically take care of all the technical details, ransomware attacks can be launched with little effort. In the past several years, there have been a number of high-profile ransomware attacks that have made headlines. In May 2017, the WannaCry ransomware attack affected more than 200,000 computers in 150 countries. The attack caused billions of dollars in damage and disrupted critical infrastructure, such as hospitals and banks. In December 2017, the NotPetya ransomware attack hit more than 10,000 organizations in over 60 countries. The attack caused billions of dollars in damage and disrupted critical infrastructure, such as hospitals and banks. Ransomware attacks have become more sophisticated and targeted. Cybercriminals are now using RaaS platforms to launch targeted attacks against specific organizations. These attacks are often called "spear phishing" attacks because they use carefully crafted emails to trick people into clicking on malicious links or opening attachments that install ransomware on their computers. Organizations of all sizes need to be aware of the threat of ransomware and take steps to protect themselves. This includes having a robust backup and recovery plan in place in case of an attack. Internet of Things The Internet of Things (IoT) is a network of physical devices, vehicles, home appliances, and other items that are embedded with electronics, software, sensors, and connectivity enabling these objects to connect and exchange data. The IoT is a growing market with more and more devices being connected to the internet every day. However, this also creates new security risks. Because IoT devices are often connected to the internet, they can be hacked and used to launch attacks. In October 2016, a massive Distributed Denial of Service (DDoS) attack was launched against the Dyn DNS service using a network of IoT devices that had been infected with the Mirai malware. The attack caused widespread internet disruptions and took down major websites, such as Twitter and Netflix. The IoT presents a unique challenge for security because there are so many different types of devices that can be connected to the internet. Each type of device has its own security risks and vulnerabilities. And, as the number of IoT devices continues to grow, so do the opportunities for cybercriminals to exploit them. Cloud security The cloud has become an essential part of business for many organizations. It offers a number of advantages, such as flexibility, scalability, and cost savings. However, the cloud also creates new security risks. One of the biggest security risks associated with the cloud is data breaches. Because data is stored remotely on servers, it is more vulnerable to attack. In addition, cloud service providers often have access to customer data, which creates another potential point of entry for hackers. Another security risk associated with the | Ransomware Malware Threat | NotPetya NotPetya Wannacry Wannacry | |
|
2022-09-21 17:00:00 | Don\'t Wait for a Mobile WannaCry (lien direct) | Attacks against mobile phones and tablets are increasing, and a WannaCry-level attack could be on the horizon. | Wannacry Wannacry | ||
|
2022-09-08 03:01:00 | How Penetration Testing can help prevent Ransomware Attacks (lien direct) | >It is hard to believe, but ransomware is more than three decades old. While many would think that the ransomware mayhem started with the WannaCry attack of 2017, that is simply the most publicized example. Since then, dozens of ransomware strains have been utilized in a variety of cyberattacks. According to a PhishLabs report, by […]… Read More | Ransomware | Wannacry Wannacry | |
 |
2022-08-24 12:34:00 | WannaCry explained: A perfect ransomware storm (lien direct) | What is WannaCry? WannaCry is a ransomware worm that spread rapidly through across a number of computer networks in May of 2017. After infecting a Windows computer, it encrypts files on the PC's hard drive, making them impossible for users to access, then demands a ransom payment in bitcoin in order to decrypt them.A number of factors made the initial spread of WannaCry particularly noteworthy: it struck a number of important and high-profile systems, including many in Britain's National Health Service; it exploited a Windows vulnerability that was suspected to have been first discovered by the United States National Security Agency; and it was tentatively linked by Symantec and other security researchers to the Lazarus Group, a cybercrime organization that may be connected to the North Korean government.To read this article in full, please click here | Ransomware Vulnerability Medical | Wannacry Wannacry APT 38 | |
|
2022-07-13 18:44:03 | Internet Searches Reveal Surprisingly Prevalent Ransomware (lien direct) | Two mostly defunct threats - WannaCry and NonPetya - top the list of ransomware searches, but does that mean they are still causing problems? | Ransomware | Wannacry Wannacry | |
 |
2022-07-07 08:14:35 | North Korean State-Sponsored Threat Actors Deploying "MAUI" Ransomware (lien direct) | Today, the United States Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Agency (CISA) and the Department of Treasury released a joint Cybersecurity Advisory on Maui Ransomware, which is attributed to state sponsored activity by the government of North Korea. The Joint CSA provides detailed insight on the various TTPs used by the threat actors behind Maui, which has targeted the Health and Public Health Sector.How Serious of an Issue is This?High. As ransomware activity causes downtime, theft of confidential and personally identifiable information (PII) and other significant impact to operations, it is important to ensure that various security measures are in place, like being up to date with patching vulnerable machines/infrastructure. Also, ensuring employees are trained and up to date on various social engineering attempts and tactics used by threat actors will be a first line of defense against such attacks.What is Maui Ransomware?Maui ransomware is unique in a way that it requires manual execution to start the encryption routine. Maui also features a CLI (command line interface) that is used by the threat actor to target specific files to encrypt. Maui also has the ability to identify previously encrypted files due to customer headers containing the original path of the file.Who are HIDDEN COBRA/LAZARUS/APT38/BeagleBoyz?HIDDEN COBRA also known as Lazarus/APT38/BeagleBoyz has been atributed to the government of North Korea. Also, they have been linked to multiple high-profile, financially-motivated attacks in various parts of the world - some of which have caused massive infrastructure disruptions. Notable attacks include the 2014 attack on a major entertainment company and a 2016 Bangladeshi financial institution heist that almost netted nearly $1 Billion (USD) for the attackers. Had it not been for a misspelling in an instruction that caused a bank to flag and block thirty transactions, HIDDEN COBRA would have pulled off a heist unlike any other. Although HIDDEN COBRA failed in their attempt, they were still able to net around 81 million dollars in total.The most recent notable attack attributed to HIDDEN COBRA was the Wannacry Ransomware attack, which resulted in massive disruption and damage worldwide to numerous organizations, especially those in manufacturing. Various estimates of the impact were in the hundreds of millions of dollars, with some estimates claiming billions. Other verticals which this group has targeted include critical infrastructures, entertainment, finance, healthcare, and telecommunication sectors across multiple countries.Who are the BeagleBoyz?The BeagleBoyz group is a newly identified group that is a subset of activity by the threat actors known as HIDDEN COBRA/LAZARUS/APT 38 and has been observed committing financial crimes, specifically cryptocurrency related thefts. Further information about the BeagleBoyz can be found here.What Operating Systems are Affected?Windows based operating systems are affected.What is the Status of Coverage?Fortinet customers running the latest definitions are protected against Maui with the following (AV) signatures:W32/Ransom_Win32_MAUICRYPT.YACC5W32/Agent.C5C2!trW32/PossibleThreatAnything Else to Note?Victims of ransomware are cautioned against paying ransoms by such organizations as CISA, NCSC, the FBI, and HHS. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities which could potentially be illegal according to a U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) advisory. | Ransomware Threat Patching Medical | Wannacry Wannacry APT 38 | |
 |
2022-07-05 08:37:42 | EternalBlue 5 years after WannaCry and NotPetya, (Tue, Jul 5th) (lien direct) | We are about two months past the 5-year anniversary of WannaCry outbreak[1] and about a week past the 5-year anniversary of NotPetya outbreak[2]. Since both WannaCry and NotPetya used the EternalBlue[3] exploit in order to spread, I thought that it might be interesting to take a look at how many internet-facing systems still remain vulnerable to it. | NotPetya NotPetya Wannacry Wannacry | ||
|
2022-06-27 10:00:00 | Stories from the SOC - Detecting internal reconnaissance (lien direct) | Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.
Executive summary
Internal Reconnaissance, step one of the Cyber Kill Chain, is the process of collecting internal information about a target network to identify vulnerabilities that can potentially be exploited. Threat actors use the information gained from this activity to decide the most effective way to compromise the target network. Vulnerable services can be exploited by threat actors and potentially lead to a network breach. A network breach puts the company in the hands of cybercriminals. This can lead to ransomware attacks costing the company millions of dollars to remediate along with a tarnished public image.
The Managed Extended Detection and Response (MXDR) analyst team received two alarms regarding an asset performing network scans within a customer's environment. Further investigation into these alarms revealed that the source asset was able to scan 60 unique IPs within the environment and successfully detected numerous open ports with known vulnerabilities.
Investigation
Initial alarm review
Indicators of Compromise (IOC)
The initial alarm that prompted this investigation was a Darktrace Cyber Intelligence Platform event that was ingested by USM Anywhere. The priority level associated with this alarm was High, one level below the maximum priority of Critical. Network scanning is often one of the first steps a threat actor takes when attempting to compromise a network, so it is a red flag any time an unknown device is scanning the network without permission. From here, the SOC went deeper into associated events to see what activity was taking place in the customer’s environment. The image shown below is the Darktrace alarm that initiated the investigation.
Expanded investigation
Events search
Utilizing the filters built into USM Anywhere , the events were narrowed down to the specific source asset IP address and Host Name to only query events associated to that specific asset. The following events were found that provide more information about the reconnaissance activity that was being observed.
Event deep dive
Upon reviewing the logs from the events shown above, the SOC was able to determine that the source asset scanned two separate Classless Inter-Domain Routing (CIDR) blocks, detecting, and scanning 60 unique internal devices for open ports. As shown in the log snippets below, the scans revealed multiple open ports with known vulnerabilities, most notable is Server Message Block (SMB) port 445 which is the key attack vector for the infamous WannaCry malware. Looking at the logs we can also see that the source asset detected port 5985, the port utilized by Windows Remote Management (WinRM). WinRM can be used by threat actors to move laterally in environments by executing remote commands on other assets from the compromised host. These remote commands are typically batch files performing malicious activity or implanting backdoors to maintain persistence in the network. Lastly, we can see the asset scanning for Lightweight Directory Access Protocol (LD |
Ransomware Malware Threat Guideline | Wannacry | |
|
2022-06-23 10:11:31 | Mouvements latéraux : le succès des récents malwares (lien direct) | Trop souvent méconnu, le mouvement latéral est pourtant la principale raison de l'ampleur insoupçonnée qu'ont pris les cyberattaques depuis plusieurs années. Kesako ? Pourquoi si peu d'organisations prennent en compte cette technique utilisée par les cybercriminels ? Comment s'en prémunir ? Décryptage. Un objectif : gagner en privilèges Vecteur de diffusion des malwares comme WannaCry et NotPetya, la technique du mouvement latéral a largement contribué au succès de ces attaques. Le principe de cette (...) - Points de Vue | Malware | NotPetya Wannacry Wannacry | |
|
2022-05-19 02:00:00 | WannaCry 5 years on: Still a top threat (lien direct) | Who doesn't love an anniversary and the opportunity to reminisce about “where we were” when an historical event happened? Such is the case over the last several days when it comes to remembering WannaCry, the ransomware that infected thousands of computers five years ago and cost companies all over the world billions of dollars in damages.WannaCry broke onto the infosec scene on May 12, 2017. Taking advantage of the vulnerable version of the Server Message Block (SMB) protocol, it ultimately infected approximately 200,000+ machines in more than 150 countries. While Microsoft had issued a patch for the SMB flaw more than a month before the attacks began, millions of computers had not been unpatched against the bug. The largest ransomware attack ever, it impacted several big names globally, including the UK's National Health Service, US delivery giant FedEx, and Deutsche Bahn, the German railway company.To read this article in full, please click here | Ransomware Threat | FedEx Wannacry | |
 |
2022-05-12 16:45:59 | Ransomware cyber-attacks in Costa Rica and Peru drives national response (lien direct) | >Highlights Effectively, one out of every 60 organizations globally have been impacted by attempted ransomware attacks every week, so far in in the first four months of 2022 A 14% increase of attempted ransomware attacks to organizations globally every week compared to the same period last year. To mark the 5th anniversary of the WannaCry… | Ransomware | Wannacry | |
 |
2022-05-12 13:28:09 | Expert Reaction On Cyber Threats Five Years On From WannaCry (lien direct) | Today marks the fifth anniversary of the NHS WannaCry cyber-attack. Cyber security expert reacted below. | Wannacry Wannacry | ★★ | |
|
2022-05-12 00:37:30 | How the evolution of ransomware has changed the threat landscape (lien direct) | >From WannaCry to Conti: A 5-Year Perspective Five years ago, on May 12, 2017, the world fell victim to a major ransomware attack known as 'WannaCry'. The attack had an unprecedented scale, and spread around the world like wildfire, with more than 200,000 Windows computers across 150 countries affected outbreaking only a few days.… | Ransomware Threat | Wannacry Wannacry | |
|
2022-05-11 12:57:31 | Wannacry – 5 Years On, 68% Of Enterprises Are Still At Risk (lien direct) | 5 years on from one of the world’s most damaging ransomware attacks, research from network detection and response leader ExtraHop has found that 68% of enterprises are still running insecure protocol that were exploited by the North Korean ransomware. | Ransomware Guideline | Wannacry | ★★★ |
 |
2022-03-24 18:09:09 | Smart Tips for Staying Safer Online (lien direct) | The recent WannaCry ransomware attack that infected more than 250,000 computers worldwide was a good reminder to everyone about staying... | Ransomware | Wannacry Wannacry | |
|
2022-02-27 22:30:37 | Previously Unseen Backdoor Bvp47 Potentially Victimized Global Targets (lien direct) | FortiGuard Labs is aware of a report by Pangu Lab that a new Linux backdoor malware that reportedly belongs to the Equation group was used to potentially compromise more than 200 organizations across over 40 countries around the globe. The Equation group is regarded as one of the most highly skilled threat actors, which some speculate have close connections with National Security Agency (NSA). The threat actor is also reported have been tied to the Stuxnet malware that was used in 2010 cyber attack on a nuclear centrifuge facility in Iran.Why is this Significant?Bvp47 is a previously undiscovered backdoor malware that was reportedly used in cyber attacks carried out by the Equation group. According to the report and information available in the documents that presumably leaked from the Equation group, over 200 organizations spread across more than 40 countries may have been infected with the Bvp47 malware.The Bvp47 file called out in the report was first submitted to VirusTotal in late 2013, which indicates that Bvp47 was used and undiscovered for close to a decade.How was the Connection between the Bvp47 malware and the Equation Group Established?Pangu Lab concluded that Bvp47 belongs to the Equation group because one of the folders included in the documents leaked by the Shadow Brokers in 2017 contained a RSA private key required by Bvp47 for its command execution and other operations.What is the Shadow Brokers?The Shadow Brokers is a threat actor who claimed to have stolen highly classified information from the Equation group in 2016. The stolen information includes zero-day exploits, operation manuals and description of tools used by the Equation group. The Shadow Brokers then attempted to sell the information to the highest bidder. After no one purchased the information, The threat actor released the information to the public after the auction attempt failed.One of the most famous exploits included in the leaked documents is EternalBlue. Within a few weeks of the leak, EternalBlue was incorporated in Wannacry ransomware which caused global panic in 2017.What are the Characteristics of Bvp47?Bvp is a Linux backdoor that performs actions upon receiving commands from Command and Control (C2) servers.Because the Bvp47 framework is incorporated with components such as "dewdrops" and "solutionchar_agents" that are included in the Shadow Brokers leaks, the backdoor is for mainstream Linux distributions, FreeBSD, Solaris as well as JunOS,.Bvp47 also runs various environment checks. If the requirements are not met, the malware deletes itself.What is the Status of Coverage?FortiGuard Labs provide the following AV coverage against Bvp47:ELF/Agent.16DC!tr | Ransomware Malware Threat | Wannacry Wannacry | |
 |
2022-02-23 14:00:22 | Creaky Old WannaCry, GandCrab Top the Ransomware Scene (lien direct) | Nothing like zombie campaigns: WannaCry's old as dirt, and GandCrab threw in the towel years ago. They're on auto-pilot at this point, researchers say. | Ransomware | Wannacry | |
 |
2022-02-01 14:37:29 | CyberheistNews Vol 12 #05 [Heads Up] DHS Sounds Alarm on New Russian Destructive Disk Wiper Attack Potential (lien direct) |
![CyberheistNews Vol 12 #05 [Heads Up] DHS Sounds Alarm on New Russian Destructive Disk Wiper Attack Potential](https://blog.knowbe4.com/hubfs/Stu_Headshot_2021_resize.png)
|
Ransomware Malware Hack Tool Threat Guideline | NotPetya NotPetya Wannacry Wannacry APT 27 APT 27 | |
|
2022-01-26 14:00:00 | 10 Years Later, What Did LulzSec Mean for Cybersecurity? (lien direct) | While working on several articles on the WannaCry attacks for my job as a cybersecurity journalist, I learned about LulzSec, which ranked among the most notable attacks of the 2010s. I wanted to find out more about the group that committed major cybersecurity attacks on many household-name companies over a chaotic 50 days in 2011. […] | Wannacry Wannacry | ||
 |
2022-01-07 14:00:27 | 3 Cyber Attacks that Didn\'t Get Enough Attention in 2021 (But Probably Should Have) (lien direct) | In 1988, graduate student Robert Tappan Morris created a computer worm and inadvertently launched what many consider to be the world's first cyber attack. Since that infamous “Morris Worm,” major events from Stuxnet to WannaCry... | Wannacry | ★★ | |
 |
2022-01-03 03:32:41 | Are Medical Devices at Risk of Ransomware Attacks? (lien direct) | In May 2017, the first documented ransomware assault on networked medical equipment happened. The worldwide ransomware assault WannaCry compromised radiological and other instruments in several hospitals during its height, after a software failure caused by a cyberattack on its third-party vendor's oncology cloud service, cancer patients having radiation therapy at four healthcare institutions | Ransomware | Wannacry Wannacry | |
 |
2021-10-25 12:44:44 | Malicious Life Podcast: Marcus Hutchins - A Controversial Hero (lien direct) |
In May 2017, Marcus Hutchins - AKA MalwareTech - became a hero for stopping WannaCry, a particularly nasty ransomware that spread quickly all over the world. Yet his fame also brought to light his troubled past as the teenage Black Hat hacker who created KRONOS, a dangerous rootkit. Should a criminal-turned-hero be punished for his past crimes? Check it out... |
Ransomware | Wannacry | |
|
2021-09-01 16:00:00 | What Has Changed Since the 2017 WannaCry Ransomware Attack? (lien direct) | The cybersecurity world is still feeling the effects of the 2017 WannaCry ransomware attack today. While the majority of the damage occurred in the weeks after May 12, 2017, WannaCry ransomware attacks actually increased 53% from January 2021 to March 2021. While researching my in-depth article WannaCry: How the Widespread Ransomware Changed Cybersecurity, I learned […] | Ransomware | Wannacry Wannacry | |
|
2021-06-29 15:00:34 | How to Proactively Increase Your Protection Against Ransomware with Threat Intelligence (lien direct) | 
As Ransomware continues to spread and target organizations around the world, it is critical to leverage threat intelligence data. And not just any threat intelligence but actionable intelligence from MVISION Insights. Fortunately, there are several steps you can take to proactively increase your Endpoint Security to help minimize damage from the next Darkside, WannaCry, Ryuk, […]
|
Ransomware Threat | Wannacry | |
 |
2021-06-15 12:02:15 | WannaCry est à nouveau sur le devant de la scène (lien direct) | L'attaque du Ransomware WannaCry a fêté son quatrième anniversaire après avoir fait des ravages dans le monde. Les chercheurs de Check-Points ont noté une augmentation de 53 % du nombre d'organisations affectées par le Ransomware. The post WannaCry est à nouveau sur le devant de la scène first appeared on UnderNews. | Ransomware | Wannacry Wannacry | |
|
2021-05-19 10:13:00 | 67% des environnements d\'entreprise fonctionnent encore avec des protocoles exploités par WannaCry et NotPetya (lien direct) | 67% des environnements d'entreprise fonctionnent encore avec des protocoles vulnérables exploités par WannaCry et NotPetya. ExtraHop, éditeur de solutions de détection et réponse réseau, a récemment publié une étude sur la persistance des protocoles vulnérable dans les réseaux d'entreprise. The post 67% des environnements d'entreprise fonctionnent encore avec des protocoles exploités par WannaCry et NotPetya first appeared on UnderNews. | NotPetya NotPetya Wannacry Wannacry | ||
|
2021-05-13 09:42:00 | Four Year On: Two-thirds of Global Firms Still Exposed to WannaCry (lien direct) | ExtraHop finds most enterprises are running insecure SMB protocol | Wannacry Wannacry | ||
|
2021-05-10 12:16:40 | Experts Comments on Anti Ransomware Day – 12th May (lien direct) | WannaCry, notorious as the largest ransomware epidemic in history, reached its peak on May 12, 2017. To raise awareness of this ongoing threat, INTERPOL dubbed the 12th of May Anti-Ransomware Day and urged organisations… | Ransomware | Wannacry | |
 |
2021-04-27 17:24:00 | Anomali Cyber Watch: HabitsRAT Targeting Linux and Windows Servers, Lazarus Group Targetting South Korean Orgs, Multiple Zero-Days and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, Android Malware, RATs, Phishing, QLocker Ransomware and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Zero-day Vulnerabilities in SonicWall Email Security Actively Exploited
(published: April 21, 2021)
US cybersecurity company SonicWall said fixes have been published to resolve three critical issues in its email security solution that are being actively exploited in the wild. The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, impacting SonicWall ES/Hosted Email Security (HES) versions 10.0.1 and above.
Analyst Comment: The patches for these vulnerabilities have been issued and should be applied as soon as possible to avoid potential malicious behaviour. SonicWall’s security notice can be found here https://www.sonicwall.com/support/product-notification/security-notice-sonicwall-email-security-zero-day-vulnerabilities/210416112932360/. It is important that your company has patch-maintenance policies in place. Once a vulnerability has been publicly reported,, threat actors will likely attempt to incorporate the exploitation of the vulnerability into their malicious operations. Patches should be reviewed and applied as soon as possible to prevent potential malicious activity.
MITRE ATT&CK: [MITRE ATT&CK] Remote File Copy - T1105 | [MITRE ATT&CK] File and Directory Discovery - T1083
Tags: CVE-2021-20021, CVE-2021-20023, CVE-2021-20022
Massive Qlocker Ransomware Attack Uses 7zip to Encrypt QNAP Devices
(published: April 21, 2021)
The ransomware is called Qlocker and began targeting QNAP devices on April 19th, 2021. All victims are told to pay 0.01 Bitcoins, which is approximately $557.74, to get a password for their archived files. While the files are being locked, the Resource Monitor will display numerous '7z' processes which are the 7zip command-line executable.
Analyst Comment: Attackers are using legitimate tools like 7zip to evade detections by traditional antiviruses. EDR solutions can help tracking suspicious command line arguments and process creations to potentially detect such attacks. Customers should use backup solutions to be able recover encrypted files.
MITRE ATT&CK: [MITRE ATT&CK] Credentials in Files - T1081
Tags: Tor, Qlocker, CVE-2020-2509, CVE-2020-36195
Novel Email-Based Campaign Targets Bloomberg Clients with RATs
(published: April 21, 2021)
A new e-mail-based campaign by an emerging threat actor aims to spread various remote access trojans (RATs) to a very specific group of targets who use Bloomberg's industry-based services. Attacks start in the form of targeted emails to c |
Ransomware Malware Tool Vulnerability Threat Medical | Wannacry Wannacry APT 38 APT 28 | |
 |
2021-03-30 07:56:19 | Microsoft Exchange attacks increase while WannaCry gets a restart (lien direct) | The recently patched vulnerabilities in Microsoft Exchange have sparked new interest among cybercriminals, who increased the volume of attacks focusing on this particular vector. [...] | Wannacry Wannacry | ||
|
2021-03-17 18:03:00 | Anomali Cyber Watch: APT, Ransomware, Vulnerabilities and More (lien direct) | The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: APT, AlientBot, Clast82, China, DearCry, RedXOR, and Vulnerabilities. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.
Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.
Trending Cyber News and Threat Intelligence
Google: This Spectre proof-of-concept shows how dangerous these attacks can be
(published: March 15, 2021)
Google has released a proof of concept (PoC) code to demonstrate the practicality of Spectre side-channel attacks against a browser's JavaScript engine to leak information from its memory. Spectre targeted the process in modern CPUs called speculative execution to leak secrets such as passwords from one site to another. While the PoC demonstrates the JavaScript Spectre attack against Chrome 88's V8 JavaScript engine on an Intel Core i7-6500U CPU on Linux, Google notes it can easily be tweaked for other CPUs, browser versions and operating systems.
Analyst Comment: As the density of microchip manufacturing continues to increase, side-channel attacks are likely to be found across many architectures and are difficult (and in some cases impossible) to remediate in software. The PoC of the practicality of performing such an attack using javascript emphasises that developers of both software and hardware be aware of these types of attacks and the means by which they can be used to invalidate existing security controls.
Tags: CVE-2017-5753
Threat Assessment: DearCry Ransomware
(published: March 12, 2021)
A new ransomware strain is being used by actors to attack unpatched Microsoft Exchange servers. Microsoft released patches for four vulnerabilities that are being exploited in the wild. The initial round of attacks included installation of web shells onto affected servers that could be used to infect additional computers. While the initial attack appears to have been done by sophisticated actors, the ease and publicity around these vulnerabilities has led to a diverse group of actors all attempting to compromise these servers.
Analyst Comment: Patch and asset management are a critical and often under-resourced aspect of defense in depth. As this particular set of vulnerabilities and attacks are against locally hosted Exchange servers, organization may want to assess whether a hosted solution may make sense from a risk standpoint
MITRE ATT&CK: [MITRE ATT&CK] Data Encrypted - T1022 | [MITRE ATT&CK] Exploit Public-Facing Application - T1190 | [MITRE ATT&CK] File and Directory Discovery - T1083 | [MITRE ATT&CK] Email Collection - T1114 | [MITRE ATT&CK] Obfuscated Files or Information - T1027 | [MITRE ATT&CK] System Service Discovery - T1007 | [MITRE ATT&CK] Data Encrypted for Impact - T1486 | |
Ransomware Tool Vulnerability Threat Guideline | Wannacry APT 41 APT 34 | |
|
2021-03-09 12:16:02 | On Not Fixing Old Vulnerabilities (lien direct) | How is this even possible? …26% of companies Positive Technologies tested were vulnerable to WannaCry, which was a threat years ago, and some even vulnerable to Heartbleed. “The most frequent vulnerabilities detected during automated assessment date back to 20132017, which indicates a lack of recent software updates,” the reported stated. 26%!? One in four networks? Even if we assume that the report is self-serving to the company that wrote it, and that the statistic is not generally representative, this is still a disaster. The number should be 0%... | Threat | Wannacry |
To see everything:
Our RSS (filtrered)
