Researchers urge Windows admins to apply MS17-010 before the next attack using the EternalBlue NSA exploit deploys a worse payload than WannaCry ransomware.
No one should be letting their guard down now that the WannaCry ransomware attacks have been relatively contained. Experts intimately involved with analyzing the malware and worldwide attacks urge quite the opposite, warning today that there’s nothing stopping attackers from using the available NSA exploits to drop more destructive malware.
The key is to patch vulnerable Windows machines while there is a downtime, ensure offline backups are secure and available, and that antimalware protection is running and current.
Kaspersky Lab researcher Juan Andres Guerrero-Saade and Comae Technologies’ Matt Suiche said today during a webinar, below, that the EternalBlue exploit targeting a SMBv1 flaw could be fitted with payloads ranging from banking Trojans to wiper malware that destroys a computer’s hard disk.
“Absolutely,” Guerrero-Saade said when asked if this could have been a wiper attack rather than ransomware. “We’re talking ring0 access (via the DoublePulsar rootkitinstalled by the EternalBlue exploit). It would have just come down to a matter of implementation at that point.”
Accelerating the researchers’ anxiety about what could be next was yesterday’s ShadowBrokers announcement that it would begin in June a monthly dump of new exploits—including Windows 10 attacks—and stolen data. The ShadowBrokers’ leak in April of EternalBlue and other Windows attacks handed attackers not only the exploits but also documentation that lowered any barrier to entry for using these attacks.
“This is really worrying because we’ve seen the impact of what those files out in the wild can do,” Suiche said.
The attacks also exposed the shortcomings associated with patching, despite experts for more than a decade stressing the importance of keeping operating systems, browsers and third-party software up to date. MS17-010, the patch that addressed the SMB vulnerabilities leaked by the ShadowBrokers in April, has been available since March. Microsoft rated the security bulletin as critical and experts cautioned that this patch was to be prioritized, and that SMB port 445 on Windows machines should not be exposed to the internet. Yet, Rapid7 today said its scans have found more than 1 million internet-connected devices exposing SMB over 445 with more than 800,000 of those devices running Windows. Rapid7 said it’s likely that a large percentage of that number includes vulnerable versions of Windows with SMBv1 enabled.
“Beyond the prevalence of what these exploits might be, but it really has been a test on the industry and defenders as well,” Guerrero-Saade said. “What we saw here was not the super secret zero-day situation you can’t save yourself from. It was a test of how well we’re implementing the solutions and recommendations that have been out there a very long time that everybody touts every single day. We were asked to put our money where our mouth is with this WannaCry infection.”
The biggest mitigating factor in slowing down the WannaCry outbreak was the discovery of a so-called killswitch that was likely an evasion technique by the malware to check whether it was running in a sandbox. The malware called out to a hard-coded URL, and if it responded, the malware would not execute. The speculation is that getting a response back from the killswitch domain indicated the malware might be executing instead in a sandbox.
Researcher Marcus Hutchins of the MalwareTech blog registered the domain coded into last Friday’s version of WannaCry while Suiche registered a second and third killswitch domain found in subsequent variants, shutting down most infections in the wild.
Guerrero-Saade said his concern is that the next version likely won’t have a killswitch, and could contain a more dangerous and costly payload.
“We have essentially bought time with the killswitches. That’s something where we got incredibly lucky that was even involved in the development of the malware,” Guerrero-Saade said.
They also touched on the shared code between an early WannaCry version found in February and a sample from the Lazarus APT from February 2015. Lazarus is the North Korean group alleged to be behind the Sony hack, which featured wiper malware and damaging data leaks, as well as the SWIFT attacks against banks in Bangladesh, Poland and Mexico. The attacks against financial organizations, experts said during the Kaspersky Lab Security Analyst Summit, were performed by an internal Lazarus splinter group called Bluenoroff in an attempt to help fund the APT’s other activities.
Google’s Neel Mehta found the same code in both samples, which was confirmed by Kaspersky Lab and Suiche later. Guerrero-Saade, who worked on the Lazarus research and on separate research on APTs and their use of false flags, said today that this was not an attribution claim that Lazarus was behind WannaCry, but instead a clustering claim.
“What we’re talking about is what cluster of activity this fits into, what threat actor fits the bill for this,” he said. The linkage between the SWIFT attacks and Lazarus, made by BAE Systems researchers, was based off similar code re-use of a wiper function in a Lazarus attack and the Bangladeshi attack. “The amount of proof grew over times and we laid to rest the concerns about whether the SWIFT attackers are actually part of the Lazarus group.
“Having only had WannaCry for five days, I think it’s important to understand that this is only a lead, and not a simple lead,” Guerrero-Saade said. “It’s not necessarily easy to just replicate a very specific function of code from a very obscure piece of malware from two years ago that you only put into version 1.0 and then removed. That’s not a false flag, that’s too subtle. No one would have noticed it if not for Neel Mehta doing fantastic work.
“I understand that while it’s important to have some healthy skepticism, in this particular case, I think we’re just catching a bit of code re-use. The claims aren’t necessarily bigger than they are, but they aren’t quite as hard to stomach when you look at the code itself.”
The country’s top cybersecurity boss said the country is headed the wrong way when it comes to cybersecurity.
BOSTON–Citing Mirai and WannaCry as recent examples, Rob Joyce, special assistant to the president and cyber security coordinator for the White House, said the global landscape of cyber threats can’t be ignored and the U.S. needs to sharpen its defenses when it comes to fending off attacks.
“If you step back and look at the trend lines for cybersecurity, they are going the wrong way. You only have to look at last week at WannaCry to understand,” Joyce said during a talk sponsored by Massachusetts Technology Leadership Council.
Last week, President Donald Trump signed an executive order that prioritizes the protection of federal networks, critical industries and works to implement the NIST Framework. It’s Joyce’s job to carry it out. Joyce, former chief of the NSA’s office of Tailored Access Operations, was tapped by Trump in March for the role.
“The Trump administration signed an executive order that allows us to get our legs underneath us in terms of cybersecurity,” he said. “With this executive order we are going to step back and we are going to manage the federal government’s IT activity as a single enterprise. Even though we are talking millions-upon-millions of assets and thousands-upon-thousands of networks, we are going to step back and try to view it as a sum total of risks.”
Joyce said Trump’s cybersecurity executive order consisted of three main pillars, or priorities. One included securing the federal networks. Joyce said that pillar shared many of the same challenges of private enterprise faces, from difficulties in finding qualified cybersecurity professionals, handling risk between agencies and being able to defend against hacks and contain breaches should they happen.
“We know we aren’t going to be able to defend against all breaches. So we need to have methods for detecting early and defend against them and compartmentalize them so that breaches don’t cascade into massive data losses… We need to able to take hits and contain damage and restore capability quickly,” he said.
The second pillar is working with private industry to make sure portions of the United States’ privately owned critical infrastructure, made of 16 sectors, can defend against attacks and rebound if it should take a hit.
“So, with those interrelated and interdependent systems, we understand our critical infrastructure is probably not in the state we need to be to survive a deliberate or natural hazard,” he said.
Part of working with private industry will include an initial focus on defending against Mirai-like DDoS attacks and mitigating against IoT botnets. “Recent events, Mirai botnet and others, showed how just how vulnerability we are to technologies that have been pushed into the ecosystem–often without really strong plans for security.”
Joyce added that much of the Trump’s cybersecurity focus would also include working with private companies to better identify APTs and improve the amount of sharing between government and private companies.
Lastly, strengthening cyber defenses and boosting deterrence was another priority along with reaching out to other countries to fight global threats.
“It’s going to take a coalition of like-minded countries to advance the global common space we have here,” he said. “We will be looking to foster an open interoperable, reliable and secure global internet that benefits the U.S. and the rest of the world. We built the internet and gave it to the world, we think it’s very important that it continues to reflect our values.”
In his hour-long address, Joyce also touched on hot button topics such as net neutrality and recent proposed changes to the Vulnerabilities Equities Process.
“When you look at net neutrality, that is one of the sticky decisions that has to be made in the regulator space… But, we have to find a balance point between what we have today and allow some changes… If you are just are going to have a pipe that lets everything straight through, you are inviting people through your unlocked door,” Joyce said.
He said that government and private service providers can’t be hamstrung in cases where internet traffic used for malicious purposes must be left alone.
When asked about the Vulnerabilities Equities Process, Joyce said he was noncommittal about pending changes, however leaned toward the status quo.
“There is a process to legislate the VEP. We are working with Congress about that right now. I do have some concerns because legislators are talking about giving authority to a non-neutral entity. I think the processes right now gives us the balance where we don’t have the offense or the defense with too much thumb on the scale.”
What is it?
Attackers, using a tool allegedly stolen from the U.S. National SecurityAgency, took advantage of flaws in Microsoft Windows systems to spread malware around the world on Friday. The “ransomware” encrypts files, effectively hijacking computer systems, and demands money, in the form of bitcoin, in exchange for decrypting them. Microsoft Corp. had issued a fix, or patch, for the flaw on March 14.
How big is it?
Kaspersky Lab, an antivirus vendor, said it has tracked 45,000 instances of the attack, dubbed WannaCry, in 74 countries around the world, mostly in Russia. Other hot spots include Ukraine, India and Taiwan. Computer security experts say, however, the virus’s spread has been contained by the actions of a private security researcher who found a “kill switch” inside the virus.
Who has been hit?
Victims include Britain’s National Health Service, FedEx Corp., car makers Nissan Motor Co. and Renault SA, Germany’s biggest train operator as well as Russian banks. China state media reported early Saturday that some gas stations and universities have been affected.
Has anyone paid the ransom?
It is impossible to say. Screenshots of affected computers indicate hackers are asking for as little as $300 in bitcoin from affected users. The chief data officer at Telefónica, a Spanish telecom provider hit by the virus, said in a personal blog post that a bitcoin account associated with the attackers shows they haven’t “achieved much real impact.” That account had received only 25 payments by midafternoon Saturday in Europe. It is very likely though that the attackers used many accounts. U.K. Home Secretary Amber Rudd told the British Broadcasting Corp. that the government has advised the NHS not to pay.
A cyber-attack that hit organisations worldwide including the UK’s National Health Service was “unprecedented”, Europe’s police agency says.
Europol also warned a “complex international investigation” was required “to identify the culprits”.
Ransomware encrypted data on at least 75,000 computers in 99 countries on Friday. Payments were demanded for access to be restored.
European countries, including Russia, were among the worst hit.
Although the spread of the malware – known as WannaCry and variants of that name – appears to have slowed, the threat is not yet over.
Europol said its cyber-crime team, EC3, was working closely with affected countries to “mitigate the threat and assist victims”.
In the UK, a total of 48 National Health trusts were hit by Friday’s cyber-attack, of which all but six are now back to normal, according to the Home Secretary Amber Rudd.
The attack left hospitals and doctors unable to access patient data, and led to the cancellation of operations and medical appointments.
Who else has been affected by the attack?
Some reports say Russia has seen more infections than any other country. Banks, the state-owned railways and a mobile phone network were hit.
Russia’s interior ministry said 1,000 of its computers had been infected but the virus was swiftly dealt with and no sensitive data was compromised.
In Germany, the federal railway operator said electronic boards had been disrupted; people tweeted photos of a ticket machine.
France’s carmaker Renault was forced to stop production at a number of sites.
Other targets have included:
■ Large Spanish firms – such as telecoms giant Telefonica, and utilities Iberdrola and Gas Natural
■ Portugal Telecom, a university computer lab in Italy, a local authority in Sweden
■ The US delivery company FedEx
■ Schools in China, and hospitals in Indonesia and South Korea
Coincidentally, finance ministers from the G7 group of leading industrial countries had been meeting on Friday to discuss the threat of cyber-attacks.
They pledged to work more closely on spotting vulnerabilities and assessing security measures.
‘I was the victim of a ransom attack’
Who has been hit by the NHS cyber attack?
Explaining the global ransomware outbreak
A hack born in the USA?
How did it happen and who is behind it?
The malware spread quickly on Friday, with medical staff in the UK reportedly seeing computers go down “one by one”.
NHS staff shared screenshots of the WannaCry programme, which demanded a payment of $300 (£230) in virtual currency Bitcoin to unlock the files for each computer.
The infections seem to be deployed via a worm – a program that spreads by itself between computers.
Most other malicious programs rely on humans to spread by tricking them into clicking on an attachment harbouring the attack code.
By contrast, once WannaCry is inside an organisation it will hunt down vulnerable machines and infect them too.
It is not clear who is behind the attack, but the tools used to carry it out are believed to have been developed by the US National Security Agency (NSA) to exploit a weakness found in Microsoft’s Windows system.
This exploit – known as EternalBlue – was stolen by a group of hackers known as The Shadow Brokers, who made it freely available in April, saying it was a “protest” about US President Donald Trump.
A patch for the vulnerability was released by Microsoft in March, which would have automatically protected those computers with Windows Update enabled.
Microsoft said on Friday it would roll out the update to users of older operating systems “that no longer receive mainstream support”, such Windows XP (which the NHS still largely uses), Windows 8 and Windows Server 2003.
The number of infections seems to be slowing after a “kill switch” appears to have been accidentally triggered by a UK-based cyber-security researcher tweeting as @MalwareTechBlog.
But in a BBC interview, he warned that it was only a temporary fix. “It is very important that people patch their systems now because there will be another one coming and it will not be stoppable by us,” he said.
‘Accidental hero’ – by Chris Foxx, technology reporter
The security researcher known online as MalwareTech was analysing the code behind the malware on Friday night when he made his discovery.
He first noticed that the malware was trying to contact an unusual web address but this address was not connected to a website, because nobody had registered it.
So, every time the malware tried to contact the mysterious website, it failed – and then set about doing its damage.
MalwareTech decided to spend £8.50 ($11) and claim the web address. By owning the web address, he could also access analytical data. But he later realised that registering the web address had also stopped the malware trying to spread itself.
“It was actually partly accidental,” he told the BBC.
Blogger halts ransomware ‘by accident’
In today’har busy world, convenience seems to outweigh consequence, especially with how people use their mobile devices. Using free public Wi-Fi networks, for example, comes with any number of serious security risks, yet surveys show that the overwhelming majority of Americans do it anyway. In a study by privatewifi.com, a whopping three-quarters of people admitted to connecting to their personal email while on public Wi-Fi.
It isn’t hard to see that a few moments of online convenience are far outweighed by your money or financial information being stolen, or by suffering the embarrassment of your personal information being publicly released. According to a recent opinion poll, more people are leery of public Wi-Fi networks than of public toilet seats (a promising sign). But an interesting experiment, conducted at the 2016 Republican and Democratic National Conventions, showed attendees’ true colors. At each convention, private entities provided visitors with free public Wi-Fi networks (for social science purposes). Around 70% of people connected to the nonsecure Wi-Fi networks at both conferences.
There are dozens of online tutorials showing hackers how to compromise public Wi-Fi, some of them with millions of views. The most common method of attack is known as “Man in the Middle.” In this simple technique, traffic is intercepted between a user’s device and the destination by making the victim’s device think the hacker’s machine is the access point to the internet. A similar, albeit more sinister, method is called the “Evil Twin.” Here’s how it works: You log on to the free Wi-Fi in your hotel room, thinking you’re joining the hotel’s network. But somewhere nearby, a hacker is boosting a stronger Wi-Fi signal off of their laptop, tricking you into using it by labeling it with the hotel’s name. Trying to save a few bucks, and recognizing the name of the hotel, you innocently connect to the hacker’s network. As you surf the web or do your online banking, all your activity is being monitored by this stranger.Still not convinced of the risks? Here’s a story that should worry business travelers in particular. In 2014 experts from Kaspersky Lab uncovered a very sophisticated hacking campaign called “Dark Hotel.” Operating for more than seven years and believed to be a sophisticated economic espionage campaign by an unknown country, Dark Hotel targeted CEOs, government agencies, U.S. executives, NGOs, and other high-value targets while they were in Asia. When executives connected to their luxury hotel’s Wi-Fi network and downloaded what they believed were regular software updates, their devices were infected with malware. This malware could sit inactive and undetected for several months before being remotely accessed to obtain sensitive information on the device.
What is the best way to protect yourself against these kinds of Wi-Fi threats? Although antivirus protection and firewalls are essential methods of cyber defense, they are useless against hackers on unsecured Wi-Fi networks. Consider the following seven security tips to keep prying eyes out of your devices:
- Don’t use public Wi-Fi to shop online, log in to your financial institution, or access other sensitive sites — ever
- Use a Virtual Private Network, or VPN, to create a network-within-a-network, keeping everything you do encrypted
- Implement two-factor authentication when logging into sensitive sites, so even if malicious individuals have the passwords to your bank, social media, or email, they won’t be able to log in
- Only visit websites with HTTPS encryption when in public places, as opposed to lesser-protected HTTP addresses
- Turn off the automatic Wi-Fi connectivity feature on your phone, so it won’t automatically seek out hotspots
- Monitor your Bluetooth connection when in public places to ensure others are not intercepting your transfer of data
- Buy an unlimited data plan for your device and stop using public Wi-Fi altogether
Google said it has disabled offending accounts involved in a widespread spree of phishing emails today impersonating Google Docs.The emails, at the outset, targeted journalists primarily and attempted to trick victims into granting the malicious application permission to access the user’s Google account. It’s unknown how many accounts were compromised, or whether other applications are also involved. Google advises caution in clicking on links in emails sharing Google Docs.
The messages purport to be from a contact, including contacts known to the victim, wanting to share a Google Doc file. Once the “Open in Docs” button is clicked, the victim is redirected to Google’s OAUTH2 service and the user is prompted to allow the attacker’s malicious application, called “Google Docs,” below, to access their Google account and related services, including contacts, Gmail, Docs and more.
The Dark Overlord attempted to extort plenty of companies before targeting Netflix.
Last week, a hacker or group of hackers dumped apparent full episodes of Orange Is the New Black after Netflix allegedly declined to pay a ransom, and has threatened to release a number of other shows too, including Celebrity Apprentice, New Girl, and The Catch. But this was only the latest move from the group. Known as The Dark Overlord, the hackers have established themselves with a dizzying number of data breaches, often stealing mountains of sensitive corporate and personal data.
For nearly a year, Motherboard and a handful of other journalists have followed The Dark Overlord, and watched it evolve from a group learning how to manipulate the media to aid in extortion attempts, to a ruthless and apparently organized criminal enterprise, albeit one whose ultimate financial success is unclear.
Full Article (in Polish)
Kraków: ławka z figurami wybitnych polskich matematyków na Plantach
Ławka z figurami dwóch wybitnych polskich matematyków Stefana Banacha i Ottona Nikodyma została dziś (14.10.1016 r.) odsłonięta na krakowskich Plantach nieopodal wzgórza wawelskiego. Upamiętnia ona 100. rocznicę dyskusji matematycznej, jaką odbyli naukowcy.
Jak zaznaczył dr Krzysztof Ciesielski z Instytutu Matematyki Uniwersytetu Jagiellońskiego, ławeczkę ustawiono w okolicy miejsca, gdzie prawdopodobnie miało miejsce spotkanie matematyków. Figury Banacha i Nikodyma wykonał wybitny krakowski rzeźbiarz, prof. Stefan Dousa. “Teraz każdy będzie mógł dosiąść się do słynnych matematyków. Może odwiedzenie ławki przed maturą z matematyki przyniesie szczęście?” – zastanawiał się naukowiec z UJ.
W 1916 r. Hugo Steinhaus, młody uczony o sporym już dorobku matematycznym, podczas wieczornego spaceru krakowskimi Plantami usłyszał nagle słowa “całka Lebesgue’a”. Jak wyjaśnił dr Ciesielski, dziś całka Lebesgue’a jest jednym z podstawowych pojęć matematyki wyższej, wtedy jednak było to odkrycie ostatnich lat, znane wyłącznie specjalistom. Zaintrygowany Steinhaus podszedł więc do dwóch młodych krakowian dyskutujących o matematyce.
Jednym z nich był Stefan Banach, matematyk-samouk, drugim Otton Nikodym, absolwent studiów matematycznych we Lwowie, nauczyciel matematyki w IV gimnazjum w Krakowie. Okazało się, że młodzi ludzie mają sporą wiedzę matematyczną oraz wieczorami dyskutują o matematyce, spacerując po Krakowie, zwykle z trzecim kompanem, Witoldem Wilkoszem – szkolnym kolegą Banacha, studentem UJ. Steinhaus włączył się do rozmowy. Opowiedział im o problemie, nad którym od dłuższego czasu pracował. Wielkie było jego zdziwienie, gdy kilka dni później Banach przyniósł mu gotowe rozwiązanie.
Banach w 1920 r. wyjechał do Lwowa. Stał się później jednym z najsłynniejszych matematyków XX wieku, najważniejszą postacią lwowskiej szkoły matematycznej. Był współtwórcą analizy funkcjonalnej.
Nikodym pracował w Warszawie i Krakowie, po II wojnie światowej wyjechał do USA. Wiele ważnych wyników matematycznych jest dziś związanych z jego nazwiskiem. Trzeci z kompanów, Wilkosz, pozostał w Krakowie, uzyskał nominację na profesora Uniwersytetu Jagiellońskiego. Ma wielkie zasługi tak dla rozwoju matematyki, jak i jej upowszechniania i kształcenia młodzieży. Steinhaus wyjechał do Lwowa, po wojnie pracował we Wrocławiu – oprócz odkrycia Banacha ma na swoim koncie liczne doniosłe rezultaty matematyczne, napisał też wspaniałe książki popularyzujące matematykę.
Ławkę ufundowała krakowska firma technologiczna Astor. Nad całością działań czuwał komitet, powołany przez dziekana Wydziału Matematyki i Informatyki Uniwersytetu Jagiellońskiego. prof. Włodzimierza Zwonka.