An NSA-derived ransomware worm is shutting down computers worldwide

https://arstechnica.com/security/2017/05/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide/

A highly virulent new strain of self-replicating ransomware is shutting down computers all over the world.

The malware, known as Wanna, Wannacry, or Wcry, has infected at least 57,000 computers, according to antivirus provider Avast. AV provider Kaspersky Lab said organizations in at least 74 countries have been affected.

Wcry uses a weapons-grade exploit published by the NSA-leaking Shadow Brokers.


  1. Tomi Engdahl says:

    A WannaCry Flaw Could Help Some Victims Get Files Back
    https://www.wired.com/2017/05/wannacry-flaw-help-windows-xp-victims-get-files-back/

    The fix still seems far from the panacea WannaCry victims have hoped for. But if Adrien Guinet’s claims hold up, his tool could unlock some infected computers running older versions of Windows which analysts believe account for some portion of the WannaCry plague.

  2. Tomi Engdahl says:

    Russell Brandom / The Verge:
    Roughly 98% of computers affected by WannaCry ransomware were running Windows 7, according to data released by Kaspersky Lab — Windows XP was ‘insignificant,’ researchers say — One week after it first hit, researchers are getting a better handle on how the WannaCry ransomware spread so quickly …

    Almost all WannaCry victims were running Windows 7
    Windows XP was ‘insignificant,’ researchers say
    https://www.theverge.com/2017/5/19/15665488/wannacry-windows-7-version-xp-patched-victim-statistics

    One week after it first hit, researchers are getting a better handle on how the WannaCry ransomware spread so quickly — and judging from the early figures, the story seems to be almost entirely about Windows 7.

    According to data released today by Kaspersky Lab, roughly 98 percent of the computers affected by the ransomware were running some version of Windows 7, with less than one in a thousand running Windows XP. 2008 R2 Server clients were also hit hard, making up just over 1 percent of infections.

    https://twitter.com/craiu/status/865562842149392384

  3. Tomi Engdahl says:

    Andy Greenberg / Wired:
    Hackers are using Mirai-based botnets to DDoS the domain hardcoded into WannaCry in an attempt to reduce effectiveness of the kill-switch, revive the ransomware — Over the past year, two digital disasters have rocked the internet. The botnet known as Mirai knocked a swath of major sites off …

    Hackers Are Trying to Reignite WannaCry With Nonstop Botnet Attacks
    https://www.wired.com/2017/05/wannacry-ransomware-ddos-attack/

    Over the past year, two digital disasters have rocked the internet. The botnet known as Mirai knocked a swath of major sites off the web last September, including Spotify, Reddit, and The New York Times. And over the past week, the WannaCry ransomware outbreak crippled systems ranging from health care to transportation in 150 countries before an unlikely “kill-switch” in its code shut it down.

    Now a few devious hackers appear to be trying to combine those two internet plagues: They’re using their own copycats of the Mirai botnet to attack WannaCry’s kill-switch. So far, researchers have managed to fight off the attacks. But in the unlikely event that the hackers succeed, the ransomware could once again start spreading unabated.

  4. Tomi Engdahl says:

    WannaCry Does Not Fit North Korea’s Style, Interests: Experts
    http://www.securityweek.com/wannacry-does-not-fit-north-koreas-style-interests-experts

    Some experts believe that, despite malware code similarities, the WannaCry ransomware is unlikely to be the work of North Korea, as the attack does not fit the country’s style and interests.

    The WannaCry ransomware, also known as Wanna Decryptor, WanaCrypt0r, WannaCrypt, Wana Decrypt0r and WCry, has hit hundreds of thousands of systems worldwide, including ones housed by banks, hospitals, ISPs, government agencies, transportation companies and manufacturing plants.

    The first clue that the WannaCry ransomware may have been created by North Korea was uncovered by Google researcher Neel Mehta. The expert noticed that a variant of WannaCry making the rounds in February, when the threat was less known, had code similarities with a tool used by the North Korea-linked cyber espionage group named Lazarus. The code in question was removed from later versions of the ransomware.

    Security firms such as Symantec and Kaspersky confirmed the connection to Lazarus, and Kaspersky said it was “improbable” that this was a false flag.

  5. Tomi Engdahl says:

    North Korea Denies Role in Global Cyberattack
    http://www.securityweek.com/north-korea-denies-role-global-cyberattack

    North Korea on Friday angrily dismissed reports linking its isolated regime to the global cyberattack that held thousands of computers to virtual ransom.

    Up to 300,000 computers in 150 countries were hit by the WannaCry worm, which seizes systems and demands payment in Bitcoin to return control to users.

    The code used in the latest attack is similar to that used in past hacks blamed on Kim Jong-Un’s regime, leading some to point the finger at Pyongyang.

    But the North has now denied the claims, notably but not exclusively advanced by South Korean experts, and hit back Friday to accuse its opponents of spreading propaganda.

    “It is ridiculous,” Kim In-Ryong, North Korea’s deputy ambassador to the United Nations, told reporters, suggesting Washington and Seoul were behind the allegation.

    “Whenever something strange happens, it is the stereotyped way of the United States and the hostile forces to kick off a noisy anti-DPRK campaign.”

  6. Tomi Engdahl says:

    Stealth Backdoor Abused NSA Exploit Before WannaCrypt
    http://www.securityweek.com/stealth-backdoor-abused-nsa-exploit-wannacrypt

    In the aftermath of the WannaCry ransomware outbreak, security researchers discovered numerous attacks that had been abusing the same EternalBlue exploit for malware delivery over the past several weeks.

    Targeting a Server Message Block (SMB) vulnerability on TCP port 445, the exploit was made public in April by the group of hackers calling themselves “The Shadow Brokers” and is said to have been stolen from the National Security Agency-linked Equation Group. The targeted flaw was patched in March.

    The fast spreading WannaCry brought EternalBlue to everyone’s attention, yet other malware families have been using it for infection long before the ransomware started using it. One of them was the Adylkuzz botnet, active since April 24, researchers revealed.

    Now, Cyphort says that evidence on a honeypot server suggests attacks on SMB were active in early May, and they were dropping a stealth Remote Access Trojan (RAT) instead of ransomware. The malware didn’t have the worm component and didn’t spread like WannaCry.

    EternalBlue Exploit Actively Used to Deliver Remote Access Trojans
    https://www.cyphort.com/eternalblue-exploit-actively-used-deliver-remote-access-trojans/

    During the WannaCry pandemic attack, CyphortLabs discovered that other threat actors have been using the same EternalBlue exploit to deliver other malware. This malware is not ransomware and is not a bitcoin miner either, as others have reported. This one is a remote access trojan typically used to spy on people’s activities or take control of their computers for whatever end the attacker wants to reach.

    On May 12, at the onset of the WannaCry attack, Cyphort Labs researchers saw a similar SMB attack on one of our honeypot servers. Later on, we found evidence of the same attack perpetrated on May 3.

  7. Tomi Engdahl says:

    Fileless Ransomware Spreads via EternalBlue Exploit
    http://www.securityweek.com/fileless-ransomware-spreads-eternalblue-exploit

    A newly discovered ransomware family was found to be using the NSA-linked EternalBlue exploit for distribution and is capable of fileless infection, researchers have discovered.

    Dubbed UIWIX, the malware was initially spotted on Monday, when the WannaCry outbreak was in the spotlight. The threat spreads by exploiting the same vulnerability in Windows SMBv1 and SMBv2 that WannaCry does.

    Unlike WannaCry, UIWIX is executed in memory after exploiting EternalBlue, with no files or components being written to disk. This “greatly reduces its footprint and in turn makes detection trickier,” Trend Micro explains.

    Furthermore, the security researchers say this ransomware family is also stealthier, containing code that allows it to terminate itself if a virtual machine (VM) or sandbox is detected. UIWIX also contains code that gathers the infected system’s browser login, File Transfer Protocol (FTP), email, and messenger credentials.

    Unlike WannaCry, UIWIX doesn’t use autostart and persistence mechanisms, and is distributed in the form of a Dynamic-link Library (DLL).

    After WannaCry, UIWIX Ransomware and Monero-Mining Malware Follow Suit
    http://blog.trendmicro.com/trendlabs-security-intelligence/wannacry-uiwix-ransomware-monero-mining-malware-follow-suit/

  8. Tomi Engdahl says:

    Medical Devices Infected With WannaCry Ransomware
    http://www.securityweek.com/medical-devices-infected-wannacry-ransomware

    Several medical device manufacturers released security advisories this week following reports that the notorious WannaCry ransomware has infected some medical devices.

    The WannaCry ransomware, also known as Wanna Decryptor, WanaCrypt0r, WannaCrypt, Wana Decrypt0r and WCry, leverages a couple of exploits allegedly developed by the NSA and leaked recently by a hacker group called Shadow Brokers. The threat has hit hundreds of thousands of systems worldwide, including ones housed by banks, hospitals, ISPs, government agencies, transportation companies and manufacturing plants.

    Britain’s National Health Service (NHS) was among the worst hit by the malicious campaign, and the incident clearly showed the risk posed by WannaCry to healthcare organizations. However, initial reports suggested that the malware had mainly affected management systems.

    The U.S.-based Health Information Trust Alliance (HITRUST) later reported seeing evidence of Bayer (Medrad), Siemens and other medical devices getting infected with WannaCry. Bayer confirmed for Forbes that two of its customers in the United States had informed it about ransomware infections.

    ICS-CERT has provided a list of vendors that have released security advisories to warn customers of the risks and provide them with recommendations on how to prevent attacks.

    The list includes Rockwell Automation, BD (Becton, Dickinson and Company), Schneider Electric, ABB, Siemens, General Electric, Philips, Smiths Medical, Johnson & Johnson, and Medtronic. Some of these vendors have also issued warnings about the threat posed to their industrial products.

  9. Tomi Engdahl says:

    Wannacry: Everything you still need to know because there were so many unanswered Qs
    How it first spread, Win XP wasn’t actually hit, and more
    https://www.theregister.co.uk/2017/05/20/wannacry_windows_xp/

    It has been a week since the Wannacry ransomware burst onto the world’s computers – and security researchers think they have figured out how it all started.

    Many assumed the nasty code made its way into organizations via email – either spammed out, or tailored for specific individuals – using infected attachments. Once accidentally opened, Wannacry would be installed, its worm features would kick in, and it would start the spread via SMB file sharing on the internal network.

    However, the first iteration of the malware – the one that got into the railways, telcos, universities, the UK’s NHS, and so on – required no such interaction. According to research by boffins at Malwarebytes, email attachments weren’t used. Instead, the malware’s operators searched the public internet for systems running vulnerable SMB services, and infected them using the NSA’s leaked EternalBlue and DoublePulsar cyber-weapons. Once on those machines, Wannacry could be installed and move through internal networks of computers, again using EternalBlue and DoublePulsar, scrambling files as it went and demanding ransoms.

    “Our research shows this nasty worm was spread via an operation that hunts down vulnerable public facing SMB ports and then uses the alleged NSA-leaked EternalBlue exploit to get on the network and then the (also NSA alleged) DoublePulsar exploit to establish persistence and allow for the installation of the WannaCry Ransomware,” said Adam McNeil, a malware intelligence analyst at Malwarebytes.

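    The propagation pattern described in the comment above (one host hunting for port 445 on many others, first from the public internet and then inside the network) is something a defender can look for in connection logs, and it is the same TCP 445 exposure the earlier SecurityWeek excerpt on EternalBlue points at. The following is an added example written for this page, not code from Malwarebytes, The Register or the WannaCry authors. The log format, every IP address in it and the "internal" address range are constructed for the demonstration, and the thresholds (five distinct targets within sixty seconds) are assumptions rather than values from the source.

```python
"""Flag hosts that fan out to many peers on TCP 445 in a short window.

Added example written for this page; it is not code from WannaCry, Malwarebytes
or any of the cited articles. The log format is constructed for the demo:
    <epoch seconds> <src ip> <dst ip> <dst port> <proto>
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed: address ranges treated as "inside"; anything else is external.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample log. 10.0.0.5 sweeps seven internal hosts on 445 within
# 15 seconds (worm-like); 10.0.0.9 makes two ordinary file-share connections
# minutes apart; 192.0.2.77 (outside) probes the one host exposing 445 publicly.
SAMPLE_LOG = """\
1494604800 10.0.0.5 10.0.0.11 445 tcp
1494604801 10.0.0.5 10.0.0.12 445 tcp
1494604802 10.0.0.5 10.0.0.13 445 tcp
1494604803 10.0.0.5 10.0.0.14 445 tcp
1494604805 10.0.0.5 10.0.0.15 445 tcp
1494604810 10.0.0.5 10.0.0.16 445 tcp
1494604815 10.0.0.5 10.0.0.17 445 tcp
1494604820 10.0.0.5 10.0.0.18 80 tcp
1494604801 10.0.0.9 10.0.0.50 445 tcp
1494604990 10.0.0.9 10.0.0.51 445 tcp
1494604830 192.0.2.77 10.0.0.30 445 tcp
this line is garbage and must be skipped
"""


def parse_log(text):
    """Yield (ts, src, dst, port) for well-formed TCP lines; skip anything else."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] != "tcp":
            continue
        try:
            yield int(parts[0]), ip_address(parts[1]), ip_address(parts[2]), int(parts[3])
        except ValueError:
            continue


def find_smb_sweepers(text, threshold=5, window=60):
    """Sources that reach >= `threshold` distinct hosts on 445 within any
    `window`-second span. Returns {src: most distinct targets seen in one window}.
    The sliding window keeps a single chatty-but-legitimate pair from tripping it.
    """
    by_src = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        if port == 445:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            distinct = {dst for _, dst in events[lo:hi + 1]}
            if len(distinct) >= threshold:
                hits[str(src)] = max(hits.get(str(src), 0), len(distinct))
    return hits


def find_external_smb(text):
    """(src, dst) pairs where a source outside INTERNAL_NETS reached port 445:
    the public-facing SMB exposure the comment above describes."""
    return sorted({(str(s), str(d)) for _, s, d, p in parse_log(text)
                   if p == 445 and not any(s in n for n in INTERNAL_NETS)})


if __name__ == "__main__":
    print("sweepers:", find_smb_sweepers(SAMPLE_LOG))
    print("external SMB:", find_external_smb(SAMPLE_LOG))
```

    Run against the constructed log, the sweeper check names only 10.0.0.5 (seven distinct targets in one window), and the external check names only the 192.0.2.77 to 10.0.0.30 connection. On real data the two findings call for different responses: an internal sweeper is a host to isolate and image, while an external hit on 445 is a firewall rule to fix before the next worm arrives.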
  10. Tomi Engdahl says:

    This Guy Stopped The Biggest Ransomware Attack In History. This Was His Reward …
    http://www.iflscience.com/technology/this-guy-stopped-the-biggest-ransomware-attack-in-history-this-was-his-reward-/

    But then a 22-year-old figured out how to hit a kill switch on the ransomware, stopping it from spreading any further. Marcus Hutchins, a security expert from an English coastal town, discovered a domain name within the ransomware’s source-code.

    Since then, Hutchins, who failed his Information Technology course in high school after being accused of hacking (which he denies), has been rewarded by HackerOne with a $10,000 payout, which he decided to give to charity.

    Since stopping the attack, Hutchins has been hounded by the press and had all his details leaked to the public.

  11. Tomi Engdahl says:

    Companies Stockpiling Bitcoin in Anticipation of Ransomware Attacks
    by PHIL MCCAUSLAND
    http://www.nbcnews.com/storyline/hacking-of-america/companies-stockpiling-bitcoin-anticipation-ransomware-attacks-n761316

    In the age of cyber threats, companies are stockpiling digital currency in preparation of future “ransomware” attacks — which have grown exponentially over the past few years.

    The most recent attack, known as “WannaCry,” took hundreds of thousands of computers’ data files hostage unless users paid a $300 to $600 ransom via Bitcoin, a popular digital currency. Now many companies are maintaining a stash of the digital cash because of the rise of ransomware, according to cybersecurity experts and firms.

  12. Tomi Engdahl says:

    Hospitals in England developed their own Linux

    The Wannacry worm quickly infected thousands of Windows computers at UK National Health Service (NHS) healthcare organizations in a week. The NHS has clearly been thinking about the security issue for a long time, as it has developed its own version of Linux, NHSbuntu.

    NHSbuntu is based, of course, on Ubuntu. According to the UK authorities’ own research, Ubuntu proved to be the most suitable platform.

    NHSbuntu includes all the security features needed for hospitals in patient communication: the NHS’s own smart card authentication, encrypted email, encrypted storage disks, and the required program features.

    Source: http://www.etn.fi/index.php/13-news/6357-englannin-sairaaloihin-kehitettiin-oman-linux

  13. Tomi Engdahl says:

    7 NSA hack tool wielding follow-up worm oozes onto scene: Hello, no need for any phish!
    Why can’t you be like a cheerful HHGTTG dolphin overlord?
    https://www.theregister.co.uk/2017/05/22/eternalrocks_worm/

    Miscreants have created a strain of malware that targets the same vulnerability as the infamous WannaCrypt worm.

    The EternalRocks worm uses flaws in the Server Message Block (SMB) file-sharing network protocol to infect unpatched Windows systems. Unlike WannaCrypt, EternalRocks doesn’t bundle a destructive malware payload, at least for now. The new nasty doesn’t feature a kill switch domain either.

    The new nasty bundles seven NSA created hacking tools compared to the two deployed to spread WannaCrypt, according to early analysis of the EternalRocks worm.

    Matt Walmsley, EMEA Director, Vectra Networks, commented: “EternalRocks is the difficult second album from the community that gave us WannaCry. It’s darker, more refined, but targeting the same audience and more of their favourite NSA ‘Shadow Broker’ exploits. All in the hope that many people failed to patch after the WannaCry crisis.”

  14. Tomi Engdahl says:

    WannaCry ‘Highly Likely’ Work of North Korean-linked Hackers, Symantec Says
    http://www.securityweek.com/wannacry-highly-likely-work-north-korean-linked-hackers-symantec-says

    North Korea-linked Lazarus Hacking Group is “Highly Likely” to be Responsible for the Global “WannaCry” Ransomware Attack, Symantec Says

    Analysis of the tools and infrastructure used in the WannaCry ransomware attacks reveal a tight connection between the threat and the North Korean hacking group Lazarus, Symantec claims.

    The global outbreak on May 12 drew the world’s attention to WannaCry, but the threat had been active before that, the security researchers say. Over 400,000 machines have been hit by WannaCry to date, although not all had been infected, courtesy of a kill-switch domain registered shortly after the attack began.

    The first WannaCry variant, however, emerged in February, and security researchers already discovered a possible tie between it and the Lazarus group, although some suggested such a connection was far-fetched.

    After the first WannaCry attack in February, experts discovered three pieces of malware linked to Lazarus on the victim’s network.

    Moreover, the researchers discovered that WannaCry used the Alphanc Trojan for distribution in the March and April attacks, and that this malicious program is a modified version of the Lazarus-linked Duuzer backdoor.

    Symantec also found the Bravonc backdoor.

    Finally, there is the shared code between the previous WannaCry ransomware version and the Lazarus-linked Contopee backdoor.

    The February WannaCry attack hit a single organization but compromised over 100 computers within two minutes after the initial infection. A variant of the Mimikatz password-dumping tool was used for compromise, with a second tool used to copy and execute WannaCry on other network computers using the stolen passwords.

  15. Tomi Engdahl says:

    WANNACRY HIGHLIGHTS THAT UN-PATCHED SYSTEMS PRESENT A SECURITY THREAT
    https://www.nordcloud.com/en-blog/wannacry-highlights-how-unpatched-systems-present-a-security-threat

    The latest breach of the ransomware “Wannacry” showed the vulnerability of unpatched legacy infrastructure. “Wannacry” ransomware was engineered to take advantage of the most common security challenges facing large organizations today. This all could have been avoided with a patch which was released more than 2 months ago.

    “The governments of the world should treat this attack as a wake-up call.”

    - Brad Smith, President of Microsoft

  16. Tomi Engdahl says:

    And now SMB problems on Linux side as well:

    7-Year-Old Samba Flaw Lets Hackers Access Thousands of Linux PCs Remotely
    http://thehackernews.com/2017/05/samba-rce-exploit.html?m=1

    A 7-year-old critical remote code execution vulnerability has been discovered in the Samba networking software that could allow a remote attacker to take control of affected Linux and Unix machines.

  17. Tomi Engdahl says:

    WannaCry was terrible, but it never had to happen – here’s why
    https://www.tuxera.com/wannacry-was-terrible-but-it-never-had-to-happen-heres-why/?utm_content=54953937&utm_medium=social&utm_source=facebook

    Hospitals, businesses, metro stations, universities, operators, and other organizations were brought to their knees without access to their important shared documents and files.

    The situation was so critical that Microsoft released an emergency security update for some versions of Windows that no longer receive mainstream support. Luckily, due to the swift action of Microsoft and cybersecurity experts around the world, the spread of WannaCry trickled off by May 16.

    WannaCry wasn’t inevitable – it was preventable

    The interesting thing is, the attack was entirely preventable. Firstly, Microsoft released a security update just a few months before the attack to address a susceptibility WannaCry exploited. Those who enabled this update were protected. Secondly, the exploit targeted a vulnerability found in a legacy version of the protocol, SMB1. And according to Microsoft, SMB1 is not safe. In fact, Microsoft’s own Ned Pyle wrote an entire blog post back in September 2016 begging people to stop using it!

    Mr. Pyle wrote his blog post in connection with Microsoft Security Bulletin MS16-114, released September 2016. The bulletin detailed a vulnerability which “could allow remote code execution if an authenticated attacker sends specially crafted packets to an affected Microsoft Server Message Block 1.0 (SMB1) Server…The potential impact is denial of service.”

    This vulnerability was discovered and reported to Microsoft by Tuxera software engineers, Oleg Kravtsov and Alexander Ovchinnikov.

    Microsoft already declared that SMB1 is not secure. WannaCry would not have become such a large-scale problem had people simply stopped using SMB1 in favor of the latest, most secure version, SMB3. This begs the question, why is SMB1 still in use?

    A big reason is that outdated versions of Samba – the open-source SMB server implementation – are used inside embedded devices, such as routers. These older versions of Samba only support SMB1. Interestingly enough, there are newer Samba versions that support SMB3, the most secure version of the protocol. But using these latest Samba versions has a catch – they are licensed under GNU General Public License Version 3 (GPLv3).

    Thus, hardware manufacturers resort to choosing older versions of Samba, which are not licensed under GPLv3. In turn, these versions only support SMB1 – which leads us to the crux of the issue.

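    The passage above argues that leaving SMB1 negotiable is the root problem and names outdated Samba builds inside embedded devices as a common reason it survives. Below is an added example, not code from Tuxera, Microsoft or the Samba project, that reads an smb.conf and reports whether the server still accepts SMB1 dialects. It relies on the real Samba parameter `server min protocol` (older synonym `min protocol`) and on the fact that an unset value meant NT1, that is SMB1, on Samba releases before 4.11, where the default moved to SMB2_02. Both sample configurations are constructed for the demonstration; the hardened one sets SMB3_00 as the floor, which is an assumption about what the site can tolerate rather than a value from the source.

```python
"""Check whether an smb.conf still lets clients negotiate SMB1.

Added example written for this page; it is not Samba code and not from the
cited blog post. The two configurations below are constructed for the demo.
"""
import configparser

# SMB dialects in the order Samba ranks them; everything up to NT1 is SMB1.
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
            "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
            "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
SMB1_DIALECTS = set(DIALECTS[:DIALECTS.index("NT1") + 1])
# Samba also accepts the family names. Which sub-dialect it picks for them
# does not matter here: either way the floor is above SMB1.
FAMILY_ALIASES = {"SMB2": "SMB2_02", "SMB3": "SMB3_00"}

# Constructed: a typical embedded-NAS config that never sets a minimum.
WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = embedded NAS
   # no minimum protocol set: Samba before 4.11 defaulted to NT1 (SMB1)
"""

# Constructed: the same config with an explicit floor for both roles.
HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = embedded NAS
   server min protocol = SMB3_00
   client min protocol = SMB2_02
"""


def parse_smb_conf(text):
    """smb.conf is INI-like; keys are case-insensitive and values may hold '%'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp


def server_min_protocol(text, legacy_default="NT1"):
    """Effective lowest dialect the server will negotiate.

    `legacy_default` is what an unset value means: NT1 on Samba < 4.11,
    SMB2_02 on 4.11 and later (pass that explicitly for newer builds).
    """
    cp = parse_smb_conf(text)
    g = cp["global"] if cp.has_section("global") else {}
    raw = g.get("server min protocol") or g.get("min protocol") or legacy_default
    raw = raw.strip().upper()
    raw = FAMILY_ALIASES.get(raw, raw)
    if raw not in DIALECTS:
        raise ValueError(f"unknown SMB dialect {raw!r}")
    return raw


def allows_smb1(text, legacy_default="NT1"):
    """True when an SMB1 client could still connect to this server."""
    return server_min_protocol(text, legacy_default) in SMB1_DIALECTS


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: min={server_min_protocol(conf)} smb1={allows_smb1(conf)}")
```

    The check answers only the question the post raises, whether SMB1 is still on the table; it says nothing about whether the Samba build itself is patched. Note the `legacy_default` argument: on a device whose Samba predates 4.11, an smb.conf with no `server min protocol` line is the weak case, and that is exactly the configuration an old embedded image ships with.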
  18. Tomi Engdahl says:

    John Leyden / The Register:
    Trend Micro: ransomware grew 752% in 2016 and generated $1B in revenue

    Feeling Locky, punk? Ransomware grew eight-fold last year
    Days of future past
    http://www.theregister.co.uk/2017/05/24/ransomware_trends/

    Ransomware saw a more than eight-fold (752 per cent) increase as a mode of attack in 2016, according to Trend Micro.

    The infosec firm estimates file-scrambling malware families such as Locky and Goldeneye raked in $1 billion in 2016.

    2016 was the year when ransomware ruled, and this danger has been maintained by recent WannaCrypt attacks and the latest threat Eternal Rocks, which has no kill switch and continues to grow.

    Trend Micro’s report, Ransomware: Past, Present and Future (pdf), provides a useful overview of the history and evolution of ransomware, from its beginnings in Russia in 2005/6 to the growth of the ransomware-as-a-service (RaaS) business model.

    https://documents.trendmicro.com/assets/wp/wp-ransomware-past-present-and-future.pdf

  19. Tomi Engdahl says:

    Detecting WannaCry and Eternal Rocks
    https://www.tenable.com/sc-dashboards/detecting-wannacry-and-eternal-rocks

    The new ransomware that is sweeping the planet, called WannaCry and the successor EternalRocks, is causing many organizations much pain as they determine if their network is at risk. Organizations that practice Continuous Vulnerability management can use this data to identify vulnerable systems. This dashboard helps to show how Tenable SecurityCenter Continuous View (SecurityCenter CV) can identify vulnerabilities using active, passive and event logs to assist customers.

    The WannaCry and EternalRocks malware appears to exploit the SMB flaw that Microsoft provided a patch for in March 2017.

  20. Tomi Engdahl says:

    EternalRocks worm
    https://en.wikipedia.org/wiki/EternalRocks_worm

    EternalRocks or MicroBotMassiveNet is a computer worm that infects Microsoft Windows. It uses seven exploits developed by the U.S. National Security Agency (NSA).[1] Comparatively, the WannaCry ransomware program that infected 230,000 computers in May 2017 only uses two NSA exploits, making researchers believe EternalRocks to be significantly more dangerous.[2] The worm was discovered via honeypot.[3]

    EternalRocks first installs Tor, a private network that conceals Internet activity, to access its hidden servers.

    The malware even names itself WannaCry to avoid detection from security researchers. Unlike WannaCry, EternalRocks does not possess a kill switch.

  21. Tomi Engdahl says:

    The Wannacry ransomware continues its destruction. Most recently, the Russian post office announced that its machines had been hit. But how does the malware work, and how can one protect against it? The security company Sophos will host a webinar next Monday.

    Source: http://www.etn.fi/index.php/13-news/6372-kuinka-suojautua-wannacrylta

  22. Tomi Engdahl says:

    Can We Ever be Prepared for the Next WannaCry?
    http://www.securityweek.com/can-we-ever-be-prepared-next-wannacry

    The recent WannaCry ransomware outbreak is yet another wake-up call. Humans alone can no longer be expected to manually respond to brazen, fast-spreading cyber-attacks that strike without warning and routinely bypass porous network borders. The early indicators of the attack were evident, but it spread too quickly for human security teams to react before it spread across the world like wildfire.

    Cyber-criminals now have easy access to inexpensive, sophisticated, and fast-moving malware. The Shadow Brokers hacking group recently announced a monthly subscription platform to gain access to their arsenal of cyber-weapons, including the EternalBlue vulnerability that WannaCry exploited. Similarly, underground marketplaces are selling ready-made malware that even amateur hackers can use, some of which even come with live chat support and customer service.

    Thanks to the rise of the ransomware-as-a-service (RaaS) business model, cyber-criminals were able to launch 638 million ransomware attacks in 2016 alone, netting them over $1 billion in revenue. Attacks like WannaCry infect networks in a matter of minutes, and unlike previous forms of ransomware, they do not rely on phishing emails to spread. These threats are often built with custom code from the dark web, making it extremely difficult for legacy security tools to detect them.

  23. Tomi Engdahl says:

    The Impact of WannaCry on the Ransomware Conversation
    http://www.securityweek.com/impact-wannacry-ransomware-conversation

    All indicators point to the initial infection occurring via a traditional phishing attempt, in which unsuspecting employees downloaded malicious files from their email. What made WannaCry so impactful was its ability to break away from its originating computer and rapidly traverse the network, infecting connected computers in its wake.

    While phishing, ransomware and a fast-moving worm are not in themselves new, the combination of these strategies was epidemic-like. As WannaCry requires no ongoing interaction on the part of the attacker, it was the perfect method to quickly spread throughout a vulnerable enterprise.

    While this approach isn’t entirely surprising, it is alarming and appears to be the first time that a ransomware payload has been targeted in this way at such a large scale.

    Ransomware is not a new issue. It has been around for decades, and it’s been talked about in earnest in the security industry for several years now. Nonetheless, it continues to be one of the top causes for concern for CISOs, and ransomware attacks grew 36 percent in 2016. So why is it continuing to have such a major impact on cybersecurity? Because solving this problem is really, really hard.

    Ransomware is so successful because it relies on a human element, and as much as we hate to admit it, humans are fundamentally flawed. It’s for this reason that WannaCry continued to impact computers well into the week following the initial attack, despite many organizations spending all weekend notifying their employees and the public and fixing the issues that hit during the business day on Friday. No matter how much employee training or awareness goes into instructing your employees or the general public to refrain from opening attachments, deleting unknown emails and paying attention to the crucial signs of ransomware, the mere reliance on humans is an inherent failing that cannot be overcome.

    So what can you do to protect your organization from an inevitable targeting? While ransomware attacks and targets may have evolved, the ways to protect yourself haven’t.

    The best way to react after becoming the victim of a ransomware attack is to completely erase all data from your systems, removing the hackers’ ability to control your information. Take a “no negotiation with terrorists” stance. Of course, that also removes all of your own data, which means it’s crucial to have extensive back-ups, thereby removing the hold that criminals have over you altogether. Understanding your organization’s use and warehouse of data, and backing up all of that data, is an essential first step toward preventing any ramifications of a future ransomware attack.

    It’s also important to develop a plan of action in the event that your organization is compromised. Consider the potential implications to your reputation, such as company valuation or public brand perception, if you do or do not pay a ransom.

  24. Tomi Engdahl says:

    Linguistic Analysis Suggests WannaCry Authors Speak Chinese
    http://www.securityweek.com/linguistic-analysis-shows-wannacry-authors-speak-chinese

    A linguistic analysis of more than two dozen ransom notes displayed by the WannaCry ransomware suggests that its authors are fluent Chinese speakers and they also appear to know English.

  25. Tomi Engdahl says:

    Wanna Cry Exposed Healthcare’s Ills
    http://www.eetimes.com/author.asp?section_id=36&doc_id=1331797&

    The crippling software attack on the British National Healthcare Service could put information sharing standards back by ten years.

    The Wanna Cry ransomware attack forced Britain’s NHS to cancel surgeries. The software seized and locked computer files until a ransom was paid. It also crippled computers in Russia and China, an estimated 100,000 machines worldwide. The NHS disruption is especially troubling as people may have been on the operating table when the attack hit.

    The ease with which Wanna Cry did this implies a great deal about the poor state of the global information security industry. The infected systems were simply using old, unpatched versions of Microsoft Windows. Mouser Electronics wrote a blog about the ease with which secure sensor networks could implement a patient monitor, only to be embarrassed by this hangnail in the data gathering system.

    Ideally, you want to make it easy for non-technical workers to add data-gathering nodes to a patient monitoring network in a hospital. On the other hand, you don’t want ease-of-use to be hijacked and held for ransom. Bringing down the computerized records of a hospital is damaging enough; imagining what hackers could do with kidnapped nodes on the Internet of Things is a terrifying prospect.

    Infected institutions used older, unprotected versions (in some cases bootlegged versions) of Microsoft’s popular OS because of budgetary or administrative constraints. The NHS is not a small operation. The agency deals with more than a million patients every 36 hours. It employs more than 1.5 million people, putting it among the top five of the world’s largest workforces, behind the U.S. Department of Defense, McDonalds, Walmart and the Chinese People’s Liberation Army.

    It may seem obvious that hospitals in the NHS would have robust cybersecurity strategies to prevent disruptions. But a Freedom of Information Act request by American software company Citrix last year showed that 90 percent of NHS hospitals had computers that were still running Windows XP.

    The costs of goods and services turn out to be a major inhibitor in the system.

    Reply
  26. Tomi Engdahl says:

    Has WannaCry trashed reputations of leading cyber-security vendors?
    https://www.scmagazineuk.com/has-wannacry-trashed-reputations-of-leading-cyber-security-vendors/article/664386/

    During a recent chat, Ian Trump – also known as phat_hobbit on Twitter – said the cyber-security industry had some difficult questions to answer in the wake of WannaCry.

    There is no doubt that many organisations received an unwelcome penetration test of their security software in the form of the WannaCry ransomware attack. The question is, can security vendors survive with their reputations intact after what appears to be such a massive failure?

    “By some measures,” Trump said, “the security software chosen to defend the organisation had a great deal to do with how successfully the storm was weathered.”

    He was both “surprised and disappointed” that what he refers to as a ‘softball cyber-attack’ was able to divide security vendors into two distinct camps: those that worked and nothing got through, and those that failed.

    “For those security products that worked, vendors seemed to respond by gleefully running virtual victory laps on social media,” Trump told SC Media. “For those that failed, it is going to be a rough journey for the brand.”

    Jamie Riden, security consultant at Pen Test Partners, points the finger at a fundamental disconnect in security between solutions and practice. “Vendors have to be prepared to assist organisations not just in plugging in their kit but in creating a responsive security culture,” he told SC. “Vendors have to step up to the mark and provide advice and assistance rather than simply hawking their latest wares.”

    IOActive’s EMEA VP, Owen Connolly, suggests that was not a security technology problem. “Security technology does not work in a vacuum,” he told SC. “It needs people and processes to make it effective.” Unfortunately, too many executives are listening to the hype and believing that buying a box will solve all your problems. “It still amazes me that in 2017 this attitude prevails that prioritises boxes or software products over good people and practical processes,” he concludes.

    Reply
  27. Tomi Engdahl says:

    MS-17-010: EternalBlue’s Large Non-Paged Pool Overflow in SRV Driver
    http://blog.trendmicro.com/trendlabs-security-intelligence/ms17-010-eternalblue/

    The EternalBlue exploit took the spotlight last May as it became the tie that bound the spate of malware attacks these past few weeks—the pervasive WannaCry, the fileless ransomware UIWIX, the Server Message Block (SMB) worm EternalRocks, and the cryptocurrency mining malware Adylkuzz.

    EternalBlue (patched by Microsoft via MS17-010) is a security flaw related to how a Windows SMB 1.0 (SMBv1) server handles certain requests. If successfully exploited, it can allow attackers to execute arbitrary code in the target system. The severity and complexity of EternalBlue, alongside the other exploits released by hacking group Shadow Brokers, can be considered medium to high.

    We further delved into EternalBlue’s inner workings to better understand how the exploit works and provide technical insight on the exploit that wreaked havoc among organizations across various industries around the world.

    Vulnerability Analysis

    The Windows SMBv1 implementation is vulnerable to buffer overflow in Large Non-Paged kernel Pool memory through the processing of File Extended Attributes (FEAs) in the kernel function, srv!SrvOs2FeaListToNt.

    EternalBlue’s Exploitation Capabilities

    The overflow happens in NON-PAGED Pool memory—and specifically in Large NON-PAGED Pool. Large non-paged pool allocations do not have a POOL header. Because of this, after the large POOL buffer, another POOL buffer can be allocated—one that is owned by a driver with specific DRIVER data.

    Therefore, the attack has to manipulate the POOL buffer coming after the overflowed buffer. EternalBlue’s technique is to control the SRVNET driver buffer structures. To achieve this, both buffers should be aligned in memory. To create the NON-PAGED POOL alignment, the kernel pool should be sprayed. The technique is as follows:

    Create multiple SRVNET buffers (grooming the pool)
    Free some of the buffers to create some holes where the SRV buffer will be copied
    Send the SRV buffer to overflow the SRVNET buffer.

    Given how EternalBlue served as the doorway for many of the malware that severely impacted end users and enterprises worldwide, it also serves as a lesson on the importance of applying the latest patches and keeping your systems and networks updated. EternalBlue has already been issued a fix for Windows systems, including unsupported operating systems.

    Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects endpoints from threats such as fileless infections and those that abuse unpatched vulnerabilities.

    Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across

    Reply
  28. Tomi Engdahl says:

    ETERNALBLUE: Windows SMBv1 Exploit (Patched)
    https://isc.sans.edu/forums/diary/ETERNALBLUE+Windows+SMBv1+Exploit+Patched/22304/

    Microsoft released a blog post outlining which patches address which vulnerability exploited by various “Shadowbroker” exploits. According to the table released by Microsoft, “ETERNALBLUE” was fixed by MS17-010 released in March. Interestingly, MS17-010 listed all vulnerabilities as “not used in exploits”. Microsoft’s acknowledgement page does not list a source for the vulnerability disclosure.

    We decided to keep our “Infocon” at Green in light of the availability of a patch.

    To protect yourself from this exploit, you can also disable SMBv1 (see this KB article by Microsoft about details), and make sure you are blocking port 445.

    A snort rule for ETERNALBLUE was released by Cisco as part of the “registered” rules set. Check for SID 41978.

    Reply
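    The two compensating controls the diary above recommends (disable SMBv1, block port 445) can be audited and applied from PowerShell. The script below is an added example, not part of the SANS diary; it uses standard Windows cmdlets (Get-/Set-SmbServerConfiguration on Windows 8 / Server 2012 and later, the LanmanServer SMB1 registry value as the Windows 7 / 2008 R2 fallback, and the NetSecurity firewall cmdlets). The -Enforce switch and the rule display name are choices made here. Run it elevated.

```powershell
# Added example: audit, and optionally enforce, the SMBv1-off / TCP-445-blocked
# posture recommended in the SANS diary. Not part of the original post.
# Without -Enforce the script only reports; with -Enforce it changes the host.
param([switch]$Enforce)

function Get-Smb1State {
    # Windows 8 / Server 2012 and later expose the server setting directly.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { return [bool]$cfg.EnableSMB1Protocol }
    # Windows 7 / 2008 R2 fallback: the SMB1 DWORD under LanmanServer\Parameters.
    # A missing value means SMBv1 is enabled (the default on those versions).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val) -or ($val -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWORD -Value 0 -Force
    }
    # Windows 10 / Server 2016 also ship SMBv1 as an optional feature; remove that too.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat -and $feat.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Test-Port445Blocked {
    # True if any enabled inbound block rule covers TCP/445.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $pf = $r | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '445')) { return $true }
    }
    return $false
}

function Add-Port445Block {
    # Rule name is a choice made for this example.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445)' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
}

$smb1On  = Get-Smb1State
$blocked = Test-Port445Blocked
"SMBv1 enabled:       $smb1On"
"Inbound 445 blocked: $blocked"

if ($Enforce) {
    if ($smb1On)      { Disable-Smb1;     'SMBv1 disabled (a reboot is needed on older builds).' }
    if (-not $blocked) { Add-Port445Block; 'Inbound TCP/445 block rule added.' }
}
```

    Applying MS17-010 remains the actual fix; these settings limit exposure on hosts that stay unpatched. The 445 block is only appropriate on hosts that do not serve files; for file servers the equivalent control is blocking 445 at the network perimeter, as the diary suggests, rather than on the host. Disabling SMBv1 breaks clients that can speak nothing newer (old NAS units, some printers), so check for those before enforcing.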
  29. Tomi Engdahl says:

    Medical Journal: WannaCry battered a hospital in Finland

    WannaCry malware hit computers at Turku University Hospital, says Medical Journal (Lääkärilehti).

    WannaCry malware has been found at Turku University Central Hospital. Yrjö Koivusalo, CIO of the Hospital District of Southwest Finland, says the virus was found in imaging-related machinery. The machines were connected to the same network as approximately 7,000 base stations.

    - There was a risk of spread, of course, but all normal workstations had been updated at the time the malware was observed in the spring. Now the malware has no way of spreading more widely. Medical devices cannot update their antivirus systems or operating systems by themselves; the equipment provider needs to do it.

    The malware was revealed when contaminated machines started to stutter and slow down. After running the checklists, it turned out to be the notorious WannaCry.

    The infected machines had an older-generation operating system without the necessary security updates. Now the virus mechanism has been blocked because the antivirus and firewalls work as they should, says Koivusalo.

    - Although the malware was able to install itself on the machines, it could not hide anything.

    Several devices were contaminated by the malware.
    System vendors have removed the malware from infected machines, wiped hard drives, and reinstalled the operating system.

    Yrjö Koivusalo does not know how the malicious software got onto the machines.

    The malware struck about ten devices. For example, mammography and radiotherapy devices suddenly became unavailable due to a malfunction.

    Sources:
    http://www.laakarilehti.fi/ajassa/ajankohtaista/wannacry-haittaohjelma-loytyi-tyks-sta/
    http://www.tivi.fi/Kaikki_uutiset/laakarilehti-wannacry-riepotteli-sairaaloita-myos-suomessa-sammutti-tarkeita-hoitolaitteita-6656218

    Reply
  30. Tomi Engdahl says:

    SambaCry Flaw Exploited to Deliver Cryptocurrency Miner
    http://www.securityweek.com/sambacry-flaw-exploited-deliver-cryptocurrency-miner

    A recently patched Samba flaw known as EternalRed and SambaCry has been exploited in the wild to deliver a cryptocurrency miner to vulnerable machines, researchers warned.

    These attacks, observed by both Kaspersky and Cyphort, were launched shortly after the existence of the security hole was brought to light and proof-of-concept (PoC) exploits were made available.

    The vulnerability, tracked as CVE-2017-7494, affects all versions of Samba since 3.5.0 and it has been addressed with the release of versions 4.6.4, 4.5.10 and 4.4.14. The flaw allows a malicious client to upload a shared library to a writable share, and cause the server to execute the file.

    “The attacked machine turns into a workhorse on a large farm, mining crypto-currency for the attackers,” Kaspersky researchers said in a blog post. “In addition, through the reverse-shell left in the system, the attackers can change the configuration of a miner already running or infect the victim’s computer with other types of malware.”

    The Samba vulnerability has been found to affect many networking devices, including Cisco, Netgear, QNAP, Synology, Varitas and NetApp products.

    Reply
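    The SambaCry flaw described above needs a share the client can write to, and the workaround Samba published alongside the fixed releases was to set "nt pipe support = no" in the [global] section of smb.conf. The script below is an added example (not from the SecurityWeek article or the Samba project) that audits an smb.conf for both conditions; it is written in PowerShell so it runs with the same tooling as the other example on this page (pwsh works on Linux), and the sample configuration embedded in it is constructed for the demonstration.

```powershell
# Added example: audit an smb.conf for CVE-2017-7494 exposure. Flags writable
# shares (the precondition the flaw needs) and reports whether the published
# "nt pipe support = no" workaround is set. Not part of the original post.

function Get-SmbConfSections {
    param([string[]]$Lines)
    $sections = [ordered]@{}
    $current = $null
    foreach ($raw in $Lines) {
        $line = ($raw -split '[#;]', 2)[0].Trim()      # strip trailing comments
        if (-not $line) { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1].Trim().ToLower()
            if (-not $sections.Contains($current)) { $sections[$current] = @{} }
            continue
        }
        if ($current -and $line -match '^([^=]+)=(.*)$') {
            # Samba treats "writeable" and "writable" as synonyms; normalise the key.
            $k = ($Matches[1].Trim().ToLower() -replace '\s+', ' ')
            if ($k -eq 'writeable') { $k = 'writable' }
            $sections[$current][$k] = $Matches[2].Trim().ToLower()
        }
    }
    return $sections
}

function Test-SmbConfSambaCry {
    param([string[]]$Lines)
    $s = Get-SmbConfSections $Lines
    $global = if ($s.Contains('global')) { $s['global'] } else { @{} }
    $findings = @()
    if ($global['nt pipe support'] -ne 'no') {
        $findings += 'global: "nt pipe support = no" workaround not set (upgrade to a fixed release regardless)'
    }
    $yes = 'yes', 'true', '1'
    $no  = 'no', 'false', '0'
    foreach ($name in $s.Keys) {
        if ($name -eq 'global') { continue }
        $sh = $s[$name]
        # A share is writable if "writable = yes" or "read only = no".
        $writable = ($sh['writable'] -in $yes) -or ($sh['read only'] -in $no)
        if ($writable) {
            $guest = $sh['guest ok'] -in $yes
            $findings += "share [$name]: writable" + $(if ($guest) { ' and guest-accessible' } else { '' })
        }
    }
    return $findings
}

# Constructed sample config for the demonstration (not a real deployment).
$sample = @'
[global]
   workgroup = WORKGROUP
   server role = standalone server
[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no
[docs]
   path = /srv/samba/docs
   writeable = yes   ; synonym of writable
[archive]
   path = /srv/samba/archive
   read only = yes
'@ -split "`n"

Test-SmbConfSambaCry $sample
# On a live host: Test-SmbConfSambaCry (Get-Content /etc/samba/smb.conf)
```

    On the sample above the audit reports the missing workaround and the two writable shares, with [public] additionally marked guest-accessible; [archive] is read-only and passes. The "nt pipe support = no" setting disables named-pipe access for all clients, which breaks some Windows client functionality, so it is a stopgap until the host runs one of the fixed Samba versions named in the article, not a substitute for them.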
  31. Tomi Engdahl says:

    Zack Whittaker / ZDNet:
    In wake of WannaCry, Microsoft fixes 3 flaws affecting unsupported OSes including Windows XP and Windows Server 2003 that it initially said it wouldn’t patch — The company previously said it would not fix three outstanding exploits, but reversed course following the ransomware attack in May.

    Microsoft: Latest security fixes thwart NSA hacking tools
    http://www.zdnet.com/article/microsoft-reverses-course-patches-three-remaining-nsa-exploits-targeting-windows-xp/

    The company previously said it would not fix three outstanding exploits, but reversed course following the ransomware attack in May.

    Microsoft has confirmed its latest round of security patches has fixed three remaining vulnerabilities built by the National Security Agency, which the company previously said it would not fix.

    The company confirmed to ZDNet that it had reversed course on releasing patches for the exploits, which Microsoft said earlier this year only affect older operating systems that have since been retired, notably Windows XP and Windows Server 2003.

    The release comes as the software giant warned of an “elevated risk for destructive cyberattacks” following last month’s ransomware-based cyberattack.

    It’s the latest twist in a cat and mouse game between the National Security Agency and Microsoft in recent months, after the intelligence lost control of its arsenal of hacking tools.

    Microsoft patched the vulnerabilities in all supported versions of Windows in the April update, but left three exploits remaining. The company said that the flaws only affected older versions of Windows, and users should upgrade.

    But after last month’s massive WannaCry outbreak which locked thousands of computers with ransomware, Microsoft is patching the rest of the exploits in an effort to avoid a repeat of the attack.

    A spokesperson said that the three Windows exploits — dubbed ENGLISHMANDENTIST, ESTEEMAUDIT, and EXPLODINGCAN (which was also independently discovered) — are now fixed in June’s security updates.

    “These vulnerabilities are quite serious and still widespread, even with the affected systems having been ‘out of service’ for some time,”

    Reply
  32. Tomi Engdahl says:

    Gordon Corera / BBC:
    Sources: NSA and Britain’s National Cyber Security Centre link WannaCry ransomware attack to North Korean hacking group Lazarus — British security officials believe that hackers in North Korea were behind the cyber-attack that crippled parts of the NHS and other organisations around the world last month, the BBC has learned.

    NHS cyber-attack was ‘launched from North Korea’
    http://www.bbc.com/news/technology-40297493

    British security officials believe that hackers in North Korea were behind the cyber-attack that crippled parts of the NHS and other organisations around the world last month, the BBC has learned.

    Britain’s National Cyber Security Centre (NCSC) led the international investigation.

    Security sources have told the BBC that the NCSC believes that a hacking group known as Lazarus launched the attack.

    The US Computer Emergency Response Team has also warned about Lazarus.

    The same group is believed to have targeted Sony Pictures in 2014.

    In May, ransomware called WannaCry swept across the world, locking computers and demanding payment for them to be unlocked. The NHS in the UK was particularly badly hit.

    The ransomware did not target Britain or the NHS specifically, and may well have been a money-making scheme that got out of control, particularly since the hackers do not appear to have retrieved any of the ransom money as yet.

    Although the group is based in North Korea the exact role of the leadership in Pyongyang in ordering the attack is less clear.

    North Korean hackers have been linked to money-making attacks in the past – such as the theft of $81m from the central bank of Bangladesh in 2016.

    “It was one of the biggest bank heists of all time in physical space or in cyberspace,” says Nish, who says further activity has been seen in banks in Poland and Mexico.

    Reply
  33. Tomi Engdahl says:

    North Korea behind WannaCry ransomware attack, British intelligence claims
    http://bgr.com/2017/06/18/north-korea-wannacry-investigation-links/

    A report from ZDNet cites sources inside the British National Cyber Security Centre, who claim that North Korea was behind the recent WannaCry ransomware attack that hit millions of users worldwide.

    The ransomware software spread like wildfire between infected Windows machines, and hit the UK particularly hard. A number of hospitals and regional health services were taken offline by the attack, and some officials have suggested that the attack was directly responsible for a number of deaths as a result.

    ZDNet‘s report claims that the NCSC investigation has linked the attack to the Lazarus Group, a group of hackers believed to be behind a series of previous attacks. In particular, the Lazarus Group is generally believed to be behind the 2014 hack of Sony Pictures

    The links to North Korea seem tenuous and circumstantial, at least from the information contained in reports. Hacking attacks are difficult to link to any one country

    Reply
  34. Tomi Engdahl says:

    The malware shut down the car plant – the protection did not work

    Car manufacturer Honda was forced earlier this week to close a factory in Japan as a result of the WannaCry ransomware, Reuters says. According to the company, WannaCry spread across its networks worldwide, but only Japan’s Sayama factory had to shut down. According to Reuters, the factory’s daily production is about one thousand cars. The Sayama factory stood idle for the day.

    The malware got through despite the security measures the company had put in place on its networks since the first extensive WannaCry epidemic in mid-May.

    Source: http://www.tivi.fi/Kaikki_uutiset/haittaohjelma-sulki-autotehtaan-suojaukset-eivat-toimineet-6659201

    More:
    Honda halts Japan car plant after WannaCry virus hits computer network
    http://www.reuters.com/article/us-honda-cyberattack-idUSKBN19C0EI

    Honda Motor Co (7267.T) said on Wednesday it halted production at a domestic vehicle plant for a day this week after finding the WannaCry ransomware that struck globally last month in its computer network.

    The automaker shut production on Monday at its Sayama plant, northwest of Tokyo, which produces models including the Accord sedan, Odyssey minivan and Step Wagon compact multipurpose vehicle and has a daily output of around 1,000 vehicles.

    Honda discovered on Sunday that the virus had affected networks across Japan, North America, Europe, China and other regions.

    Reply
  35. Tomi Engdahl says:

    WannaCry Forces Honda to Take Production Plant Offline
    http://www.darkreading.com/attacks-breaches/wannacry-forces-honda-to-take-production-plant-offline-/d/d-id/1329192

    Work on over 1,000 vehicles affected at automaker’s Sayama plant in Japan while systems were restored.

    Reply
  36. Tomi Engdahl says:

    Victoria Police to Withdraw 8000 Traffic Tickets After Roadside Cameras Infected with WannaCry Virus
    https://uk.news.yahoo.com/victoria-police-withdraw-8000-traffic-070042414.html

    Victoria Police officials announced on Saturday, June 24, they were withdrawing all speed camera infringement notices issued statewide from June 6 after a virus in the cameras turned out to be more widespread than first thought.

    Acting Deputy Commissioner Ross Guenther told reporters on Friday that 55 cameras had been exposed to the ransomware virus, but they’ve now determined 280 cameras had been exposed. The cameras are not connected to the internet, but a maintenance worker unwittingly connected a USB stick with the virus on it to the camera system on June 6.

    The “WannaCry” malware caused the cameras to continually reboot, Fryer said.

    “We’ve got one of the best camera systems worldwide and to have an issue like this is disappointing,” he said. “We need to make sure the integrity of our system is sacrosanct and it is beyond reproach.”

    Reply
  37. Tomi Engdahl says:

    UK Parliament launches inquiry into NHS WannaCrypt outbreak
    NAO hear this: Wares of ransom, feel the wrath come… audit
    https://www.theregister.co.uk/2017/07/05/nhs_wannacrypt_nao_audit/

    UK Parliamentary spending watchdogs at the National Audit Office have launched an inquiry into the impact of the recent WannaCrypt ransomware attack on the NHS.

    Although not aimed specifically at the NHS, the ransomware nonetheless spread across hospital networks, leaving medical staff unable to access patient data, forcing the postponement of some operations as well as the diversion of ambulances. Almost 50 NHS Trusts were hit by the WannaCrypt outbreak that left infected computers and hospital kit (MRI scanners, theatre equipment etc) with encrypted files and at least temporarily unusable.

    The NAO’s terms of reference for the inquiry focus on scoping the impact of the ransomware outbreak, which hit hard on 12 May and caused real world problems for days afterwards.

    This investigation will set out the facts about the cyber-attack’s impact on the NHS and its patients; why some parts of the NHS were affected and others were not; and the roles and responsibilities of key stakeholders and how they responded to the attack.

    Lack of accountability and investment in cyber-security was blamed for the severity of the outbreak on the NHS in a recent report by The Chartered Institute for IT, as previously reported. Emergency measures specifically allocated to deal with last month’s NHS ransomware attack cost £180,000, according to a government health minister.

    There was a lot of focus on the NHS’s reliance on obsolete Windows XP systems in the aftermath of the WannaCrypt outbreak. However, post-hack technical analysis revealed that Windows XP systems were more likely to crash than spread the nasty.

    Unpatched or weakly defended Windows 7 systems left vulnerable against the leaked EternalBlue NSA exploit abused by WannaCrypt were, in practice, a much bigger problem.

    Reply
  38. Tomi Engdahl says:

    Free Scanner Finds 50,000 EternalBlue-Vulnerable Systems
    http://www.securityweek.com/free-scanner-finds-50000-eternalblue-vulnerable-systems

    More than 50,000 computers vulnerable to the NSA-linked EternalBlue exploit were found by a free vulnerability scanner in recent weeks.

    Dubbed Eternal Blues, the tool was designed to provide network administrators with visibility into the EternalBlue-vulnerable machines in their networks, but without actually exploiting the flaw. In the wake of WannaCry, NotPetya, and other global infections leveraging the NSA-linked exploit, knowing whether a network is vulnerable or not is certainly a good idea.

    Eternal Blues – Worldwide Statistics
    http://omerez.com/eternal-blues-worldwide-statistics/

    Reply
  39. Tomi Engdahl says:

    WannaCry ransomware bitcoins move from online wallets
    http://www.bbc.com/news/technology-40811972

    More than $140,000 (£105,000) worth of bitcoins paid by victims of the WannaCry ransomware outbreak have been removed from their online wallets.

    It has been nearly three months since infections struck organisations worldwide, including the NHS, which faced days of disruption as a result.

    The bitcoin activity was noticed by a Twitter bot set up by Quartz journalist Keith Collins.

    The balance of all wallets known to be associated with WannaCry is now zero.

    Victims were asked to pay between $300 and $600 to get their systems back.

    According to bitcoin-monitoring company Elliptic, an initial portion of the WannaCry funds were moved in late July.

    And at about 04:10 BST on Thursday, the vast majority were finally withdrawn in entirety.

    Many watchers expect that the WannaCry bitcoins will be put through a “mixer” – in which the currency is transferred and mixed into a larger series of payments that make it much harder to track where it ends up.

    But the incident has left some cyber-security experts confused.

    “I have no idea why they would move that money to be honest,” said Andy Patel at F-Secure.

    “I wouldn’t imagine that they are going to try and turn those bitcoins into real money. If they do, it’s going to give someone a way to track them to an actual person.”

    Instead, Mr Patel told the BBC the funds could be used to pay for dark web services that might leave less of a digital paper trail.

    Reply
  40. Tomi Engdahl says:

    WannaCrypt victims paid out over $140k in Bitcoin to get files unscrambled
    Cash thought to have ‘gone through a mixer’
    https://www.theregister.co.uk/2017/08/03/140k_paid_out_in_bitcoin_by_wannacrypt_victims/

    More than $140,000 (£105,000) in Bitcoin has been paid out by victims of the global WannaCrypt ransomware outbreak from May.

    The money was removed from the online wallets at 4am UTC on Thursday.

    The hackers behind the WannaCry ransomware attack have finally cashed out
    https://qz.com/1045270/wannacry-update-the-hackers-behind-ransomware-attack-finally-cashed-out-about-140000-in-bitcoin/

    It’s been 12 weeks since the WannaCry ransomware attack infected computers across the globe, encrypting files and charging their owners $300 to $600 for the keys to get them back. In total, the hackers made about $140,000 in bitcoin from the operation. Not only were individuals affected, but the May 12 attack forced emergency rooms in the UK to turn away patients, and shut down a Spanish telecommunications company and Russian mobile operator.

    Since the attack, that $140,000 sat untouched, spread across the three bitcoin wallets where victims were instructed to send their ransom payments. Few expected the money would ever move out of the accounts, as they were surely watched by law-enforcement agencies around the world. But on Wednesday night, the money began to move.

    The general consensus among security experts and government agencies is that North Korea was behind the WannaCry attack, and that the operation was more political than money-driven.

    Reply
  41. Tomi Engdahl says:

    The Guardian:
    Marcus Hutchins, who helped stop WannaCry, arrested by FBI after Def Con; DoJ indictment accuses him of helping spread Kronos banking trojan in 2014-2015 — Marcus Hutchins arrested over his alleged role in creating Kronos malware targeting banks — Marcus Hutchins, the 23-year-old British …

    Briton who stopped WannaCry attack arrested over separate malware claims
    https://www.theguardian.com/technology/2017/aug/03/researcher-who-stopped-wannacry-ransomware-detained-in-us

    Marcus Hutchins arrested over his alleged role in creating Kronos malware targeting banks

    Marcus Hutchins, the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden “kill switch” for the malware, has been arrested by the FBI over his alleged involvement in another malicious software targeting bank accounts.

    According to an indictment released by the US Department of Justice on Thursday, Hutchins is accused of having helped to create, spread and maintain the banking trojan Kronos between 2014 and 2015.

    The Kronos malware was spread through emails with malicious attachments such as compromised Microsoft Word documents, and hijacks credentials like internet banking passwords to let its user steal money with ease.

    Hutchins, better known online by his handle MalwareTech, had been in Las Vegas for the annual Def Con hacking conference, the largest of its kind in the world. He was at the airport preparing to leave the country when he was arrested, after more than a week in the city without incident.

    The security researcher became an accidental hero in May when he registered a website, which he had found deep in the code of the ransomware outbreak that was wreaking havoc around the world, including disrupting operations at more than a third of NHS trusts and bodies.

    The site, it turned out, acted as a kill switch for the malware, which stopped infecting new computers if it saw that the URL had been registered.

    Reply
  42. Tomi Engdahl says:

    Patching Against the Next WannaCry Vulnerability (CVE-2017-8620)
    http://www.securityweek.com/patching-against-next-wannacry-vulnerability-cve-2017-8620

    This month’s Microsoft patch updates include one particular vulnerability that is raising concerns: CVE-2017-8620, which affects all versions of Windows from 7 onwards. Microsoft explained, “in an enterprise scenario, a remote unauthenticated attacker could remotely trigger the vulnerability through an SMB connection and then take control of a target computer.”

    In short, this is a wormable bug affecting all supported versions of Windows. The parallels with the WannaCry and NotPetya vulnerabilities are clear — indeed, Check Point described CVE-2017-8620 as ‘The Next WannaCry Vulnerability’. All that is currently missing is full disclosure of the vulnerability and a usable exploit (WannaCry and NotPetya exploited the leaked NSA exploit known as EternalBlue).

    Noticeably, SANS describes this vulnerability as ‘more likely’ to be both disclosed and exploited in the future. Once this happens, the situation could precisely parallel WannaCry/NotPetya. Microsoft has done what it can (or as much as it is willing to do); it has patched the vulnerability. The earlier WannaCry vulnerability had also been patched; but WannaCry (and NotPetya) still happened (and the effects continue to be felt).

    “The importance of patching systems cannot be underestimated,” says David Kennerley, director of threat research at Webroot. “There will always be zero-day vulnerabilities, but it’s worth noting that the vast majority of exploit attacks seen in the wild involve cybercriminals targeting known vulnerabilities. These vulnerabilities have already been fixed by the vendor, but the fix has not been deployed and installed by the end user. With any vulnerability that can result in remote code execution, there is always concern until users deploy and install patches. There is without doubt a window of opportunity for cybercriminals to take advantage.”

    One concern for the CVE-2017-8620 vulnerability is that it could be adopted by nation-state actors.

    The current concern is that since many users did not patch against WannaCry/NotPetya, they might not patch CVE-2017-8620 before it is exploited. The question becomes, why is industry apparently lax in its patch procedures? This is a complex issue with no easy answer.

    “Patching will break stuff,” F-Secure security advisor Sean Sullivan explains. “And so you can’t just roll out patches into a live production environment without testing. It’s a matter of time and resources. There’s no escaping the need to test.”

    Reply
  43. Tomi Engdahl says:

    Ransomware behind NHS Lanarkshire cyber-attack
    http://www.bbc.com/news/uk-scotland-glasgow-west-41076591

    It has been confirmed that ransomware was behind a cyber-attack on a Scottish health board which led to some appointments and procedures being cancelled.

    NHS Lanarkshire said it was a new variant of Bitpaymer that infected its network on Friday.

    The board said staff worked over the weekend to reinstate IT systems.

    Work is ongoing to establish how the malware was able to infiltrate the network without being detected.

    Ransomware is a particularly destructive form of malware that catastrophically struck the NHS earlier this year.

    While this new infection is not the notorious Wannacry variation, which caused global chaos, it is yet another demonstration of how disruptive ransomware can be.

    What it does is encrypt the data it finds on a host computer so that it can no longer be accessed, and then demands payment, often in Bitcoin, for its release.

    Experts recommend resorting to back-up files rather than paying the ransom itself as there’s no guarantee that the criminals behind it will keep to their word – but there are many examples of cases where individuals and organisations have chosen to part with their cash.

    The best defence is to keep software updated and use anti-virus protection but it can be difficult for large organisations like the NHS to implement this en-masse, when complicated, life-saving equipment is running off a network that may not adjust well to even minor tweaks.

    A spokesman added: “Our security software and systems were up to date with the latest signature files, but as this was a new malware variant the latest security software was unable to detect it.

    Reply
  44. Tomi Engdahl says:

    UK Blames North Korea for Cyberattack That Crippled Hospitals
    http://www.securityweek.com/uk-blames-north-korea-cyberattack-crippled-hospitals

    Britain on Friday blamed North Korea for a ransomware attack this year that a new report revealed affected a third of English hospitals and could have been prevented with “basic” IT security.

    “This attack, we believe quite strongly that it came from a foreign state,” Ben Wallace, a junior minister for security, told BBC Radio 4’s Today programme.

    “North Korea was the state that we believe was involved in this worldwide attack,” he said, adding that the government was “as sure as possible”.

    The WannaCry attack in May infected some 300,000 computers in 150 countries, including in Britain’s National Health Service (NHS), Spanish telecoms company Telefonica and US logistics company FedEx.

    Britain’s National Audit Office revealed the attack had hit NHS England particularly hard, forcing the cancellation of some 19,500 medical appointments.

    Computers at 81 hospital groups across England were affected — a third of the total number of 236.

    Some 600 general practitioners were also affected.

    Reply
  45. Tomi Engdahl says:

    North Korea Denies Involvement in WannaCry Cyberattack
    http://www.securityweek.com/north-korea-denies-involvement-wannacry-cyberattack

    North Korea has slammed Britain for accusing it of being behind a global ransomware attack that hit the National Health Service, calling the allegation a “wicked attempt” to further tighten international sanctions against Pyongyang.

    A third of Britain’s public hospitals were affected by the WannaCry worm in May, according to a government report.

    Up to 300,000 computers in 150 countries were hit by WannaCry, which seized systems and demanded payment in Bitcoin to return control to users.

    Some researchers have pointed the finger at Pyongyang, saying that the code used was similar to past hacks blamed on Kim Jong-Un’s regime.

    Reply