Wednesday, June 28, 2017

A new massive attack allegedly based on Petwrap #ransomware hits organizations in several states

A new wave of cyber attacks is shaking the IT industry: a few weeks after the massive WannaCry attack, security experts are facing a new threat that is spreading rapidly.
Once again it is a ransomware that is infecting computers worldwide and causing chaos; systems at banks, power suppliers and businesses in Europe, Russia, Ukraine and India have been hit by Petwrap.
The Petwrap ransomware is a variant of the notorious Petya ransomware; it encrypts files and demands $300 in bitcoin from the victims.
Like WannaCry, Petwrap exploits the Windows SMBv1 vulnerability, and the effects appear to be serious on a large scale, highlighting the poor level of security of computers worldwide.
According to security researcher Matt Suiche, founder of the cyber security firm Comae Technologies, the malware uses the same attack vector exploited by EternalBlue and the accompanying DoublePulsar rootkit.
Unlike other ransomware, Petya does not encrypt individual files on the infected system; it targets the hard drive’s master file table (MFT) and renders the master boot record (MBR) inoperable.
Petya locks users out of their data by encrypting the MFT and replaces the computer’s MBR with its own malicious code, which displays the ransom note.
Because the MBR is overwritten, Windows crashes; when the victim tries to reboot the PC, it is impossible to load the OS, even in Safe Mode.
Below is the ransom note displayed by the Petwrap ransomware:
“If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”
More bad news: currently only a small portion of antivirus products detect the threat; according to VirusTotal, only 15 out of 61 anti-virus engines detect Petwrap.
News of attacks on financial institutions is circulating on the internet; the National Bank of Ukraine (NBU) is one of the victims of the ransomware.
The Petwrap ransomware has infected systems at the Russian state-owned oil company Rosneft, while the Ukrainian state electricity suppliers “Kyivenergo” and “Ukrenergo” were also hit by the malware.
“We were attacked. Two hours ago, we had to turn off all our computers. We are waiting for permission from Ukraine’s Security Service (SBU) to switch them back on,” Kyivenergo’s press service said.
Many systems were infected in Ukraine: the Ukrainian branch of the mining company Evraz also confirmed infections, along with Ukraine’s local metro and Kiev’s Boryspil Airport.
The logistics giant Maersk was also severely hit by the malware.
At least three Ukrainian telecommunication operators (LifeCell, Kyivstar and Ukrtelecom) have also reported Petwrap ransomware infections.
While I was writing, different opinions about the threat were circulating on the Internet.

Kaspersky Lab malware analyst Vyacheslav Zakorzhevsky declared that the infections were traced to a “new ransomware we haven’t seen before.”

Stay tuned.

Human error is the root cause of password reset email sent to AA customers

The UK car insurance company AA accidentally sent out a “password update” email to its customers; the messages led the motorists to log into the motoring organization’s website to change their passwords. The simultaneous access by such a large number of customers crashed the AA servers, so customers could not reach their profiles and believed their accounts had been compromised by hackers.
In reality, the incident was caused by human error; according to AA, no passwords had been changed, and people could not access their accounts because the server was flooded with access requests.
AA reassured its customers by confirming that the change-password messages were sent out by mistake.
Initially, the company confirmed only that something strange was happening to its customers; the message it posted on Twitter led users to believe that its customers were being targeted by a phishing campaign.
Further investigation revealed the password reset messages were triggered by an error made by an internal,
In summary, if you are an AA customer, ignore the password reset message sent by the company.

Google Hacker found a new way to bypass Microsoft Windows Defender

The popular Google Project Zero hacker Tavis Ormandy has discovered a new bug in Windows Defender that allows attackers to circumvent the Microsoft anti-virus tool.
Ormandy publicly disclosed the vulnerability in Windows Defender on Friday, after Microsoft released a fix for its software. Ormandy had reported the vulnerability to Microsoft on June 9th.
The vulnerability resides in the non-sandboxed x86 emulator that Windows Defender uses.
The expert explained that the “apicall” instruction can invoke internal emulator APIs, running them with system privileges, and that it is exposed to remote attackers by default.
The hacker discovered a heap corruption issue in the KERNEL32.DLL!VFS_Write API.
“I discussed Microsoft’s “apicall” instruction that can invoke a large number of internal emulator apis and is exposed to remote attackers by default in all recent versions of Windows. I asked Microsoft if this was intentionally exposed, and they replied “The apicall instruction is exposed for multiple reasons”, so this is intentional,” wrote Ormandy.
“This full system x86 emulator runs as SYSTEM, is unsandboxed, is enabled by default and remotely accessible to attackers. I took a quick stab at writing a fuzzer and immediately found heap corruption in the KERNEL32.DLL!VFS_Write API, I suspect this has never been fuzzed before.”

After the disclosure, Ormandy published a minimal test case that triggers the bug:
MpApiCall("NTDLL.DLL", "VFS_Write", 1, Buf, 0, 0xffffffff, 0);
MpApiCall("NTDLL.DLL", "VFS_Write", 1, Buf, 0x7ff, 0x41414141, 0);
“The first call extends the length of the file to nOffset, but because the numberOfBytes parameter is 0 no space is allocated. Then you can read and write arbitrary data to an arbitrary offset to the MutableByteStream object buffer. This is a very powerful exploit primitive, and exploitation does not seem difficult,” he added.
Microsoft released a fixed version of the Malware Protection Engine, version 1.1.13903.0.
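The defect Ormandy describes above, a logical length that grows without backing storage and a write check that trusts that length, is modelled here as an added example in C. This is a hypothetical byte-stream model written for this post, not Microsoft's MutableByteStream or VFS_Write; the vulnerable pattern is shown next to a hardened version whose length change reallocates and whose write is checked against the real allocation.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stream model (not Microsoft's code): capacity is what is really
   allocated, length is the logical "file size" that a write may extend. */
typedef struct {
    uint8_t *buf;
    size_t capacity;
    size_t length;
} byte_stream;

/* Buggy pattern: growing the stream only bumps the logical length (the
   numberOfBytes == 0 path), so no storage is allocated for the new range. */
static void vuln_set_length(byte_stream *s, size_t new_len) { s->length = new_len; }

/* Buggy bounds check: validates against the logical length, not the allocation,
   so a later write at an offset inside [0, length) but beyond capacity is allowed. */
static int vuln_bounds_ok(const byte_stream *s, size_t off, size_t n) {
    return off <= s->length && n <= s->length - off;
}

/* True when a write of n bytes at off would land outside the real allocation;
   this is exactly the condition the buggy check misses (heap corruption). */
static int write_escapes_alloc(const byte_stream *s, size_t off, size_t n) {
    return off > s->capacity || n > s->capacity - off;
}

/* Hardened: extending the length reallocates and zero-fills the new range ... */
static int safe_set_length(byte_stream *s, size_t new_len) {
    if (new_len > s->capacity) {
        uint8_t *p = realloc(s->buf, new_len);
        if (p == NULL) return -1;
        memset(p + s->capacity, 0, new_len - s->capacity);
        s->buf = p;
        s->capacity = new_len;
    }
    s->length = new_len;
    return 0;
}

/* ... and every write is checked against the allocation before the memcpy. */
static int safe_write(byte_stream *s, size_t off, const uint8_t *src, size_t n) {
    if (write_escapes_alloc(s, off, n)) return -1;
    memcpy(s->buf + off, src, n);
    if (off + n > s->length) s->length = off + n;
    return 0;
}
```

The test only evaluates the buggy check rather than performing the out-of-bounds copy, which is what a fuzzer would trip on in the real emulator.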

Friday, June 23, 2017

Honda halted production in a factory after finding WannaCry traces in its networks

The WannaCry ransomware makes the headlines once again: Honda stopped production at one of its plants in Japan after discovering the malware in its computer networks.
The automaker halted activities at the Sayama plant, northwest of Tokyo, on Monday after finding that the WannaCry ransomware had infected systems in its networks across Japan, North America, Europe, China and other regions.
According to the Reuters agency, experts discovered the infection on Sunday.
“The automaker shut production on Monday at its Sayama plant, northwest of Tokyo, which produces models including the Accord sedan, Odyssey Minivan and Step Wagon compact multipurpose vehicle and has a daily output of around 1,000 vehicles.” states the article.
“Honda discovered on Sunday that the virus had affected networks across Japan, North America, Europe, China and other regions, a spokeswoman said, despite efforts to secure its systems in mid-May when the virus caused widespread disruption at plants, hospitals and shops worldwide.”
According to a Honda spokesman, production at other plants had not been affected, and regular operations at the Sayama plant resumed on Tuesday.
It is still unclear why the WannaCry ransomware was present in Honda’s networks 5 weeks after its discovery; the only certainty is that the company had yet to apply the highly critical patch that Microsoft released in March.
One possibility is that the company’s IT staff inadvertently blocked access to the kill-switch domain that partially stopped the infections, which would have allowed WannaCry to propagate inside the Honda networks.
We cannot exclude that the shutdown of the Sayama plant was a precautionary measure to eradicate dormant instances of the ransomware.
Honda wasn’t the only company forced to shut down its networks due to WannaCry: other automakers, such as Renault and Nissan Motor, were affected and forced to halt production at plants in Japan, Britain, France, Romania and India.
It’s my opinion that the failure in responding to the WannaCry attack was primarily caused by the failure of patch management processes. Don’t forget that systems across the world were infected by ransomware that was exploiting a flaw that was already fixed by a two-month-old patch.

Attackers can exploit electronic cigarettes to hack computers

In November 2014, a discussion started on the Reddit news site debated a case of malware implanted via electronic cigarettes connected over USB.
Hackers can exploit almost any electronic device to deliver malware into a poorly protected network, and electronic cigarettes could be such an attack vector. The idea may sound hilarious, but many electronic cigarettes are charged over USB, either with a special cable or by inserting one end of the cigarette directly into a USB port.
The report posted on Reddit described a strange case involving an executive who discovered malware on his system without immediately identifying its source.
“One particular executive had a malware infection on his computer from which the source could not be determined,” reported a Reddit user. “After all traditional means of infection were covered, IT started looking into other possibilities.”
Investigating the case, it was discovered that the electronic cigarette carried malware hardcoded into its charger: once the victim connected it to the computer, the malicious code contacted a C&C server to drop additional malicious code and infect the system.
Properly modified electronic cigarettes or vape pens could be an effective hacking tool to infect a targeted computer.
The security researcher Ross Bevington presented at BSides London how to use electronic cigarettes to compromise a computer by tricking it into believing that the device was a keyboard.
It is important to note that Bevington’s attack required the victim’s machine to be unlocked.
“PoisonTap is a very similar style of attack that will even work on locked machines,” Mr Bevington told Sky News.
The researchers also explained that it is possible to use the electronic cigarettes to interfere with its network traffic.
E-cigarettes are powered by a rechargeable lithium-ion battery that can be charged through a cable or by connecting the device directly to a computer’s USB port.
“Security researchers have demonstrated how e-cigarettes can easily be modified into tools to hack computers.” reported SkyNews.
“With only minor modifications, the vape pen can be used by attackers to compromise the computers they are connected to – even if it seems just like they are charging.”
The researcher @FourOctets published a proof-of-concept video which showed arbitrary commands being sent to an unlocked laptop just by charging a vape pen.
FourOctets modified the vape pen by simply adding a hardware chip that allowed the device to communicate with the laptop as if it were a keyboard or mouse.
“A pre-written script that was saved on the vape made Windows open up the Notepad application and typed ‘Do you even vape bro!!!!’,” reported SkyNews.
Enjoy the video!

National Security Agency opens the NSA Github Account that already lists 32 Projects

The National Security Agency has opened its GitHub account and presented an official GitHub page. The US intelligence agency employs numerous excellent experts who in the past demonstrated extraordinary abilities in developing hacking tools, exploits and surveillance solutions.
The work of the NSA experts was secret until Snowden’s revelations, but now the Agency seems to be more open, and the creation of the GitHub account demonstrates it.
Looking at the GitHub account, we can notice that the NSA is sharing 32 different projects as part of the NSA Technology Transfer Program (TTP), while some of them are ‘coming soon.’
“The NSA Technology Transfer Program (TTP) transfers NSA-developed technology to industry, academia, and other research organizations, benefitting the economy and the Agency mission. The program has an extensive portfolio of patented technologies across multiple technology areas” states the description of the NSA program.
Many of the projects shared by the NSA are quite old and were already available online, such as SELinux (Security-Enhanced Linux).
“The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace,” the agency wrote on the program’s page.
“OSS invites the cooperative development of technology, encouraging broad use and adoption. The public benefits by adopting, enhancing, adapting, or commercializing the software. The government benefits from the open source community’s enhancements to the technology.”
Other NSA open source projects include:
  • Certificate Authority Situational Awareness (CASA): A simple tool that identifies unexpected and prohibited certificate authority certificates on Windows systems.
  • Control Flow Integrity: A hardware-based technique to prevent memory corruption exploitation.
  • GRASSMARLIN: Provides IP network situational awareness of ICS and SCADA networks to support network security.
  • Open Attestation: A project to remotely retrieve and verify system integrity using the Trusted Platform Module (TPM).
  • RedhawkSDR: A software-defined radio (SDR) framework that provides tools to develop, deploy, and manage software radio applications in real time.
  • OZONE Widget Framework (OWF): A web application that runs in the browser and allows users to create lightweight widgets and access all their online tools from one location.
The full list of NSA’s projects is available here.