What's new around the internet


Src Date (GMT) Title Description Tags Stories Notes
TechRepublic 2017-06-29 14:47:21 6 tips to avoid ransomware after Petya and WannaCry (direct link) Ransomware attacks continue to wreak havoc on businesses worldwide. Here are six recommendations from PwC to prevent and mitigate these cybercrimes. Wannacry
AlienVault 2017-06-29 13:00:00 Data Carving in Incident Response - Steps Toward Learning More Advanced DFIR Topics (direct link) Introduction I have been in information security since March 2010, when I got out of the Navy after navigating nuclear submarines for almost 7 years. Little did I know that with this change of career, I was about to be in for the ride of my life. I have been steadily progressing as a "blue teamer" or enterprise defender this whole time and have undertaken learning one of (what I believe to be) the most difficult blue team trades: reverse engineering malware. The purpose of this blog is to allow readers to follow along if they want to get into the trade as well as to force me to take actual notes periodically. Background: The Beginning To understand my background, here is a graphic showing my career progression: I started my career with only basic fundamental knowledge of information security. However, applying the work ethic and desire to excel I learned in the Submarine Force, I set out to become the best information security professional that I could. My first job out of the Navy was not very technical. I realized this and enrolled for both online and in-person training. I took a UNIX and Linux class in person and that itself has taken me far. I use Linux or a UNIX variation often in my current role and have used it in my past two roles as well. I learned auditing as part of being a government employee, so that I could assess the security of systems to support them, attaining Certification & Accreditation (C&A; now known simply as Authorization in the federal space). I continued to push myself to learn technical concepts and refine my knowledge. After I left the federal government and came back to the same agency as a contractor, my former supervisor commented that I "was too technical to be a 'govvie'." As a UNIX administrator, I was able to unleash my theoretical knowledge and be at ground-zero for technology.
I was involved with patching and remediation, system migrations from PA-RISC to Itanium, and modernization of the web experience. Over the course of a few years, I had already worked as an auditor, a systems engineer, and a Senior UNIX Administrator focused on security, and had completed my undergraduate and graduate degrees in Information Security as well. At this point, I wanted a change and wanted to be closer to family, so I accepted a job as Director of IT Security/ISSO in Atlanta. Background: 2013 to Mid-2017 When I started this job, I was afforded something I had never had before: freedom and latitude. I found that I could be as technical as I wanted to, as long as it didn't cost much. Over time, I learned how to administer Active Directory, Group Policy, McAfee ePO, Tenable Security Center, Gigamon, and Sourcefire. Prior to this role, I had only managed HP-UX and Red Hat servers. It felt like a knowledge explosion to have a chance to learn so many new things. As Director of IT Security and ISSO, I had to revisit my roots in Governance and Regulatory Compliance (GRC) in writing Policies and Procedures to meet federal and contractual requirements. Beyond this, I was able to build on my technical foundation and deploy, analyze, and maintain various technologies as well as participate in "Hack the Pentagon." This was a confidence booster and a challenge. I had no other security people to consult internally. I had to learn to make things work in an efficient and secure manner. As time went on, things changed with the contract, the management, and the team. Within three years, I had outgrown my position. There was no more opportunity for development or upward mobility and things were beginning to feel toxic. I felt like I was losing my passion for Infosec. Luckily, Sword & Shield came to my rescue. I began my Wannacry APT 32
InfosecIsland 2017-06-29 10:08:40 How Does Samba Compare to WannaCry? (direct link) Many reports are drawing comparisons between the Samba vulnerability and WannaCry, but they don't pose the same widespread risk. Wannacry
DarkReading 2017-06-29 10:00:00 Why Enterprise Security Needs a New Focus (direct link) The WannaCry ransomware attack shows patching and perimeter defenses aren't enough. Enterprises should combine preventative measures with threat detection tactics. Wannacry
Blog 2017-06-28 22:25:19 Petya Malware is about wreaking Havoc, not collecting Ransom | The Register (direct link) In-brief: On Tuesday, a ransomware infection spread across Europe and even affected companies and systems as far away as the United States and Brazil. Iain Thomson at The Register breaks down the malware used in the attack, dubbed NotPetya because it disguises itself as the Petya ransomware, although in the end it seems it was designed to wreak... Read the whole entry... Related Stories: WannaCry: What's in a name? Confusion | Digital Guardian; Is this Cyber War? Ransomware Attack Hits Banks, Transport, Government in Ukraine; Identity at Scale: how the Internet of Things will Revolutionize Online Identity NotPetya Wannacry
Fortinet 2017-06-28 18:05:00 A Technical Analysis of the Petya Ransomworm (direct link) Yesterday, a new ransomware wreaked havoc across the world. This new malware variant, which combines the functionality of ransomware with the behaviors of a worm, is being called Petya, Petrwrap, and even NotPetya, since researchers are still investigating whether its ability to modify the Master Boot Record of a targeted machine is based on the Petya family of malware. Fortinet has designated this new hybrid form of malware as a ransomworm, and this outbreak was reported to use the same worm mechanism to spread across the Internet as WannaCry,... NotPetya Wannacry
Checkpoint 2017-06-28 15:02:08 Preventing Petya – stopping the next ransomware attack (direct link) Check Point's Incident Response Team has been responding to multiple global infections caused by a new variant of the Petya malware, which first appeared in 2016 and is currently moving laterally within customer networks. It appears to be using the 'EternalBlue' exploit which May's WannaCry attack also exploited. It was first signaled by attacks on […] Wannacry
SecurityWeek 2017-06-28 14:56:16 UK's Metropolitan Police Still Using 10,000 Windows XP Computers (direct link) Legacy Windows XP systems used by public authorities in the UK remain a concern. The WannaCry outbreak last month, followed by the current 'NotPetya' outbreak -- both using a vulnerability patched in newer versions of Windows, but initially unpatched in XP -- highlights the problem. NotPetya Wannacry
Pirate 2017-06-28 08:06:34 Global cyberattack: a "cyberextortion" campaign of unprecedented violence (direct link) WannaCry was evidently only the beginning. This new cyberattack, spreading a new ransomware dubbed Petrwrap, is highly virulent, and 38 million PCs worldwide are potentially vulnerable. Major companies have already been hit in all four corners of the world. Wannacry
Pirate 2017-06-28 07:35:34 The Petya ransomware attack is the equivalent of the WannaCry attack, but this time the operation was carried out by professionals (direct link) A particularly formidable ransomware family is currently wreaking havoc across the globe. Similarities with last month's WannaCry attack are regularly mentioned, but security researchers also stress that this is a far more elaborate, more professional operation, and potentially far more damaging for the businesses that fall victim to it. Wannacry
Pirate 2017-06-28 07:31:20 New ransomware: 38 million PCs vulnerable to EternalBlue, or even more! (direct link) After the massive WannaCry attack that hit the world last month, a new ransomware has just been identified and is currently hitting several international companies such as WPP, Maersk and Saint. Wannacry
Pirate 2017-06-28 06:30:06 Petya Ransomware: FireEye's point of view (direct link) On June 27, 2017, several organizations, notably in Europe, reported significant disruptions that they attribute to Petya ransomware. Based on initial information, this variant of the Petya ransomware can spread via the EternalBlue exploit used in last month's WannaCry attack. Wannacry
The_Hackers_News 2017-06-28 01:24:49 'Shadow Brokers' Threatens to Unmask A Hacker Who Worked With NSA (direct link) The Shadow Brokers, a notorious hacking group that leaked US cyberweapons - which were also abused by the recent ransomware disasters WannaCry and Petya or NotPetya - has now threatened to unmask the identity of a former hacker who worked for the NSA. Besides this, the Shadow Brokers group has also doubled the price for its monthly subscription model of NSA-built hacking tools and zero-day NotPetya Wannacry
AlienVault 2017-06-27 23:01:00 New Variant of Petya / PetrWrap Ransomware Strikes (direct link) On June 27th the AlienVault Labs Team became aware of a new ransomware, a variant of the Petya malware, that is spreading rapidly and is known to have affected organizations in Russia and the Ukraine, and some other parts of Europe. A pulse detailing the Indicators of Compromise for this variant of Petya can be found in the AlienVault Open Threat Exchange (OTX) at https://otx.alienvault.com/pulse/59525e7a95270e240c055ead/. Once it has compromised a system, the ransomware will: overwrite the Master Boot Record (MBR), encrypt individual files that match a list of file extensions (including documents, archives, and more), and after a reboot of the system present the user with a message requesting a ransom of $300 in Bitcoin to decrypt the system (to date, we understand that over $3000 has been paid in ransom, but we have not heard of any affected organizations having successfully decrypted their files); and attempt to replicate itself to other systems on your network. Understanding how this ransomware variant works is the first step in understanding how to protect your existing assets, and in detecting when any of your systems have been compromised. In addition to this blog we've also created a short white paper detailing the facts behind this ransomware. You can access it here. What We Know About this Ransomware Campaign What we know is that, like WannaCry, this variant of Petya affects Microsoft Windows computers and is technically a 'computer worm', meaning that it replicates itself in order to spread to other computers. In addition, the campaign does not rely on a user clicking on an attachment to infect the host, nor is it known to communicate with a Command & Control (C2 or C&C) server in order to get instructions.
What this variant of Petya is known to use to distribute itself to other systems are the PsExec service (PsExec is dropped as dllhost.dat by the ransomware) and WMI services. In addition, the ETERNALBLUE exploit toolkit (which was released by the Shadow Brokers group in April 2017 and used to such great success by WannaCry) is suspected to be a key part of the attack. There are also reports that some organizations were infected through a software update for a Ukrainian tax accounting package called MeDoc, which, given the locations of many of the attacked organizations and the below data from Kaspersky, is likely. Once a system has been compromised, the ransomware takes the following steps: writes a message to the raw disk partition; clears the Windows Event log using Wevtutil; restarts the machine; encrypts files matching a list of file extensions (including .3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, Wannacry
securityintelligence 2017-06-27 21:15:19 Petya Weren't Expecting This: Ransomware Takes Systems Hostage Across the Globe (direct link) It appears that the current Petya payload is being distributed using the same exploits that were part of the leaks that powered the spread of WannaCry. Wannacry
MalwarebytesLabs 2017-06-27 20:26:29 Petya-esque ransomware is spreading across the world (direct link) Ringing in with echoes of WannaCry, Petya (or Petrwrap, NotPetya) is a new ransomware strain outbreak affecting many users around the world. Categories: Cybercrime Malware Tags: (Read more...) NotPetya Wannacry
Chercheur 2017-06-27 20:18:43 'Petya' Ransomware Outbreak Goes Global (direct link) A new strain of ransomware dubbed "Petya" is worming its way around the world with alarming speed. The malware appears to be spreading using a vulnerability in Microsoft Windows that the software giant patched in March 2017 -- the same bug that was exploited by the recent and prolific WannaCry ransomware strain. Wannacry
Kaspersky 2017-06-27 20:06:00 Complex Petya-Like Ransomware Outbreak Worse than WannaCry (direct link) Today's global ransomware attack is spreading via EternalBlue and through local networks using PSEXEC and WMIC. Wannacry
no_ico 2017-06-27 17:10:39 WannaCry Hits Aus Speed Cameras (direct link) The ISBuzz Post: This Post WannaCry Hits Aus Speed Cameras Wannacry
The_State_of_Security 2017-06-27 17:07:50 How To Protect Yourself Against Petya Ransomware (direct link) The latest attack the world has seen recently is a variant of the Petya ransomware virus. As of this writing, it appears a new variant of Petya has been released with EternalBlue exploit code built in, which WannaCry utilised to propagate around organisations. Unlike WannaCry, Petya is a different kind of ransomware. Common delivery methods […]… Read More Wannacry
Fortinet 2017-06-27 17:00:00 New Ransomworm Follows WannaCry Exploits (direct link) We are currently tracking a new ransomware variant sweeping across the globe known as Petya. It is currently having an impact on a wide range of industries and organizations, including critical infrastructure such as energy, banking, and transportation systems. This is a new generation of ransomware designed to take advantage of timely exploits. This current version is targeting the same vulnerabilities that were exploited during the recent Wannacry attack this past May. This latest attack, known as Petya, is something we are referring to as... Wannacry
DarkReading 2017-06-27 16:49:00 Petya Or Not? Global Ransomware Outbreak Hits Europe's Industrial Sector, Thousands More (direct link) With echoes of WannaCry, infections spread fast. Some security researchers describe the malware as a variant of Petya; others say it's a brand new sample. Wannacry
Kaspersky 2017-06-27 15:34:15 Second Global Ransomware Outbreak Under Way (direct link) A massive ransomware outbreak is spreading globally and being compared to WannaCry. Wannacry
ESET 2017-06-27 15:07:33 New WannaCryptor-like ransomware attack hits globally: all you need to know (direct link) Numerous reports are coming out on social media about a new ransomware attack in Ukraine, which could be related to the Petya family. Wannacry
itsecurityguru 2017-06-27 13:35:56 Farsight security research indicates that WannaCry-like attacks represent 'just another day at the office' (direct link) We all remember WannaCry; the scale of the attack, spanning over 150 countries and almost a quarter of a million computers. In the UK, at least, this was accompanied by a media frenzy, largely due to the highest profile victim of the attack being the National Health Service. As a highly emotional target here in the ... Wannacry
The_Hackers_News 2017-06-27 12:56:23 Petya Ransomware Spreading Rapidly Worldwide, Just Like WannaCry (direct link) Watch out, readers! It is ransomware, another WannaCry, another wide-spread attack. The WannaCry ransomware is not dead yet and another large scale ransomware attack is making chaos worldwide, shutting down computers at corporates, power supplies, and banks across Russia, Ukraine, Spain, France, UK, India, and Europe and demanding $300 in bitcoins. According to multiple sources, a new Wannacry
ComputerWeekly 2017-06-27 12:08:02 Another global ransomware attack underway as reports of Petya exploit spread (direct link) Latest cyber attack appears to be based on the same EternalBlue exploit used by the WannaCry ransomware that hit the NHS in May Wannacry
01net 2017-06-27 08:32:03 Malware even more virulent than WannaCry hits networks around the world (direct link) A new ransomware attack is infecting businesses. The worm relies on the same attack vector as WannaCry, but in an improved version. Wannacry ★★
Mandiant 2017-06-27 08:01:01 Petya Destructive Malware Variant Spreading via Stolen Credentials and EternalBlue Exploit (direct link) UPDATE (July 21): FireEye continues to track this threat. An earlier version of this post has been updated to reflect new findings. On June 27, 2017, multiple organizations – many in Europe – reported significant disruptions they are attributing to a variant of the Petya ransomware, which we are calling “EternalPetya”. The malware was initially distributed through a compromised software update system and then self-propagated through stolen credentials and SMB exploits, including the EternalBlue exploit used in the WannaCry attack from May 2017. The initial infection vector for this Malware Wannacry ★★★★
InfosecIsland 2017-06-27 05:00:49 WannaCry: How We Created an Ideal Environment for Malware to Thrive, and How to Fix It (direct link) How in the world did we end up with a security paradigm where a malware infection can spread so rapidly and so broadly as WannaCry did? Wannacry
MalwarebytesLabs 2017-06-26 15:27:04 A week in security (June 19 – June 25) (direct link) A compilation of security news and blog posts from the 19th to the 25th of June. We touched on topics like the Barclays phish, the Robux scam, breaking the attack chain, and incident response. Categories: Security world Week in security Tags: (Read more...) Wannacry
MalwarebytesLabs 2017-06-26 15:00:18 Mobile Menace Monday: Fake WannaCry Scanner (direct link) With all the buzz around the PC ransomware WannaCry, it's no surprise that a fake antivirus (FakeAV) has emerged on Google Play. Categories: Cybercrime Mobile Tags: (Read more...) Wannacry
AlienVault 2017-06-26 13:00:00 Automated Incident Response in Action: 7 Killer Use Cases (direct link) Picture this: It’s 2AM on Saturday and you’re startled awake by an alert on your phone. Indicators of a new variant of WannaCry ransomware have been detected in your network. But your home network provider is having an outage (again!) and you can’t remote in. You get dressed and race to the office, maybe breezing through a few stop lights on the way, all while new alerts arrive on your phone indicating more systems have been compromised. As you arrive and start investigating the alarms and logs, the attack continues to spread rapidly. Desperate to stop it, you run to the server room and rip all the cables out of the routers and servers. In the stillness of your dead network, you sigh. You head to the break room to brew a pot of coffee and settle in for a long weekend. Now imagine how vastly different that experience would be with automated incident response capabilities. As soon as the ransomware is detected and an alarm is raised, your system automatically responds by isolating the infected machines, and you hit the snooze button. With the right automated incident response tools, IT security teams can stay in control of their incident response (IR) activities and respond to threats and intrusions swiftly and effectively, with less manual work—no wire-ripping required. This is Part Two of a three-part blog series that examines how incident response automation and orchestration can make life easier for security teams. The blog series covers the following topics: Part 1: Incident Response Orchestration: What Is It and How Can It Help? Part 2: Automated Incident Response in Action: 7 Killer Use Cases Part 3: Incident Response Automation and Orchestration in USM Anywhere In Part One, we looked at what incident response orchestration is and how the right automation tools can help security teams respond to intrusions more quickly.
While automation can’t replace human security analysts, it can help analysts conserve time for higher priorities and make the incident response processes run as swiftly as possible. In this installment, we’ll take a look at examples of incident response automation in action, comparing them to what it would take to handle them manually. As you read through these examples, consider what kinds of automated IR capabilities would have the greatest impact on your own organization’s incident response processes and timelines. 1. One of your users interacts with a malicious IP address. You need to update your firewall to block the IP. Firewalls help protect you from bad actors by filtering network traffic. Still, they have limits. Most firewalls aren’t connected to your other security tools and their rules are infrequently updated, meaning they may not be current to address the latest threats. Addressing this situation might entail detecting the problem using other security software, prioritizing the event, and manually updating a firewall with a new rule to block the malicious IP. At some organizations, you might even need to open a ticket to have another team or team member take action, further slowing down the response process. With automated incident response, you can automatically update your firewall to block malicious IPs as they are detected. For example, USM Anywhere detects traffic to and from an external IP address that, through its integrated threat intelligence, it knows is malicious. USM Anywhere can instruct your Palo Alto Networks next-generation firewalls to block or isolate the IP address, using an automatic or manual incident response action. 2. One of your systems has been infected with malware. You need to limit the damage and find out how many systems are vulnerable before it spreads. Relying on Wannacry
itsecurityguru 2017-06-26 09:52:06 UK electricity grid cyber-attack risk is 'off the scale' (direct link) Concerns over the threat posed by cyber-attacks on power stations and electricity grids are “off the scale” in the UK energy sector, according to a leading industry figure. No other country in the world has an energy industry as worried about the risk from cyber threats, such as the WannaCry ransomware attack that recently hit ... Guideline Wannacry ★★★★
TechWorm 2017-06-24 09:53:09 Microsoft Admits That It Disables Third-party Anti-virus Software 'Temporarily' In Windows 10 (direct link) Microsoft temporarily disables anti-virus software for Windows 10 to keep users safe. The recent worldwide cyberattack by the WannaCry ransomware cryptoworm targeted computers running the Microsoft Windows operating system around the world, making it the biggest unprecedented ransomware attack in cyber history and computer security a bigger concern. Following the attack, Microsoft had urged its unaffected users to [...] Wannacry
Kaspersky 2017-06-23 15:30:58 Threatpost News Wrap, June 23, 2017 (direct link) Mike Mimoso and Chris Brook discuss the news of the week, including Citizen Lab's latest report, WannaCry hitting Honda, GhostHook, and Fireball. Wannacry
grahamcluley 2017-06-23 10:47:36 Police cancel 590 speeding fines after WannaCry hits traffic cameras (direct link) Australian drivers whose traffic offences were caught on malware-infected speed cameras may be off the hook after all. Wannacry
NakedSecurity 2017-06-22 17:46:38 News in brief: AI comes to Mars; WannaCry hits speed cameras; Edge bounty program extended (direct link) Your daily round-up of some of the other stories in the news Wannacry
Blog 2017-06-22 14:10:46 Endpoint Protection Firm Cybereason Lands $100m Softbank Investment (direct link) Alternatives to legacy endpoint protection software like anti virus are one of the hottest areas in the information security space. Yesterday’s announcement by Cybereason of a $100 Million investment by SoftBank only underscores that. Cybereason, which has offices in Boston, London and Tel Aviv, closed a Series D funding round from SoftBank... Read the whole entry... Related Stories: Financial Malware, not Ransomware, drives most Cyber Crime; The WannaCry Missing: Federal Systems, Consumers; The Billion Dollar Headache: Sophisticated Ransomware takes aim at Small Business Wannacry
securityintelligence 2017-06-22 12:15:18 Health Care Endpoint Hygiene: A Post-WannaCry Call to Action (direct link) The idea of employing basic endpoint hygiene to keep your data safe seems like a no-brainer. So why was the WannaCry ransomware attack so damaging? Wannacry
grahamcluley 2017-06-22 11:08:11 WannaCry ransomware infects Australian traffic cameras, human error blamed (direct link) 55 traffic and speed cameras in the state of Victoria, Australia, have been accidentally infected with the WannaCry ransomware. Read more in my article on the Tripwire State of Security blog. Wannacry
DarkReading 2017-06-22 10:00:00 WannaCry? You're Not Alone: The 5 Stages of Security Grief (direct link) As breach after breach hits the news, security professionals cope with the classic experiences of denial, anger, bargaining, depression, and acceptance. Wannacry
itsecurityguru 2017-06-22 09:32:54 Ransom-Aware: Carbon Black Survey Finds 7 of 10 Consumers Would Consider Leaving a Business Hit By Ransomware (direct link) WannaCry brought the threat posed by cybercriminals into the public consciousness in a way that had not really been seen before. Temporarily crippling the NHS brought the dangers of cyber-attacks to reality and demonstrated that organisations need to be taking the problem of all forms of cybercrime seriously. Ransomware is a particularly devastating form of ... Wannacry
no_ico 2017-06-22 09:00:32 Honda Plant Hit By WannaCry Ransomware Attack (direct link) The ISBuzz Post: This Post Honda Plant Hit By WannaCry Ransomware Attack Wannacry
The_Hackers_News 2017-06-22 07:34:56 No, WannaCry Is Not Dead! Hits Honda & Traffic Light Camera System (direct link) It's been over a month since the WannaCry ransomware caused chaos worldwide and people have started counting its name as 'the things of past,' but… ...WannaCry is not DEAD! The self-spreading ransomware is still alive and is working absolutely fine. The latest victims of WannaCry are Honda Motor Company and 55 speed and traffic light cameras in Australia. The WannaCry ransomware shuts Wannacry
bleepingcomputer 2017-06-22 01:57:35 WannaCry Ransomware Infects 55 Speed and Red-Light Cameras in Australia (direct link) Fifty-five speed and red-light cameras in the Australian state of Victoria were infected with the WannaCry ransomware. [...] Wannacry
NakedSecurity 2017-06-21 17:50:20 News in brief: WannaCry knocks out Honda plant; Skype hit by global outage; NSA shares tools on GitHub (direct link) Your daily round-up of some of the other stories in the news Wannacry
Kaspersky 2017-06-21 17:50:13 Honda Shut Down Plant Impacted by WannaCry (direct link) Carmaker Honda announced Wednesday that it was forced to shut down production at one of its Japanese plants earlier this week after it was hit by the WannaCry ransomware. Wannacry
AlienVault 2017-06-21 13:00:00 A RAT that Tweets: New ROKRAT Malware Hides behind Twitter, Amazon, and Hulu Traffic (direct link) To carry out attacks, malware and botnets rely on communication with a Command & Control server (C&C or C2) to receive instructions. As a result, today’s security tools have become extremely adept at detecting traffic to and from malicious IP addresses. When a system or device starts talking to a malicious IP or domain, alarms sound and IT security pros roll up their sleeves. In recent years, however, malicious actors have begun to launch attacks from the depths of Twitter, trying to evade detection and prevent their C2 infrastructure from being found and shut down. In 2016, Twitoor—a widespread Android botnet controlled by Twitter—affected millions of Android devices. And, earlier this year, researchers at University College London discovered a Twitter botnet of over 350K bots called the Star Wars Botnet because, oddly enough, the bots tweet partial Star Wars quotes. (Cue Admiral Ackbar.) Attackers are increasingly using legitimate websites and servers as infrastructure in their attacks, knowing that it can be more difficult to detect, especially to the untrained eye. The RAT of Twitter: ROKRAT In April, security researchers at Cisco Talos uncovered a new malware campaign that does just that. Dubbed ROKRAT, this new piece of malware uses multiple anti-detection techniques, including the use of legitimate websites like Twitter, Amazon, and Hulu to hide its malicious activities. Researchers found that ROKRAT uses the public APIs of Twitter along with two other legitimate cloud platforms—Mediafire and Yandex—to get commands and to exfiltrate data. According to researchers, the malware can receive orders by checking the most recent message on the Twitter account’s timeline and can also post tweets. The malware uses the Yandex and Mediafire APIs to download and upload stolen data to the cloud.
Going further with its anti-detection tactics, researchers found that ROKRAT has a feature to detect if the victim’s system is running any processes associated with malware detection, debugging tools, or sandbox environments. If detected, the malware will generate dummy HTTP traffic to legitimate websites, including Amazon and Hulu, to mask its malicious activities. To the untrained eye, the victim appears to be watching anime at work. ROKRAT is the latest example of how today’s sophisticated malware and ransomware campaigns layer on a wide breadth of tools, tactics, and procedures (TTPs) to evade detection. Here’s the full rundown of the TTPs discovered in the ROKRAT campaign, as described by the Cisco Talos researchers: a spear-phishing email campaign from a compromised university email account; a social engineering tactic, using a conference on unity in Korea as its pretext; a malicious Word file attachment (Hangul Word Processor, used mainly in Korea); an embedded EPS object to exploit a well-known vulnerability (CVE-2013-0808); a remote administration tool (RAT) payload disguised as a JPG image file; the use of Twitter, Yandex, and Mediafire clouds for C2 communication; a feature that executes an infinite loop of sleep if the OS detected is Windows XP or Windows Server 2003; a feature that detects the use of debugging or sandbox tools like Wireshark or File Monitor and, if detected, generates “normal-looking” dummy HTTP traffic to legitimate Amazon or Hulu pages; a keylogger that also captures the tit Wannacry
bleepingcomputer 2017-06-21 12:25:33 One Month Later, WannaCry Ransomware Is Still Shutting Down Factories (direct link) On Monday, Honda was forced to temporarily shut down its car plant in Sayama, Japan, after some of its computer systems were infected with the infamous WannaCry ransomware. [...] Wannacry
Last update at: 2024-05-13 18:08:14