Author: Lucian Constantin

0

Shadow Brokers teases more Windows exploits and cyberespionage data

A group of hackers that previously leaked alleged U.S. National Security Agency exploits claims to have even more attack tools in its possession and plans to release them in a new subscription-based service.

The group also has intelligence gathered by the NSA on foreign banks and ballistic missile programs, it said.

The Shadow Brokers was responsible for leaking EternalBlue, the Windows SMB exploit that was used by attackers in recent days to infect hundreds of thousands of computers around the world with the WannaCry ransomware[1] program.

The group first appeared online in August and claimed that it had access to the arsenal of a cyberespionage group known in the security industry as the Equation, widely believed to be a hacking division of the NSA[3].

On Tuesday, following the WannaCry attacks, the Shadow Brokers posted a new message online[4] in which they claim to have many more Equation exploits that haven’t been leaked yet. The group wants to make them available as part of a new subscription-based service that it plans to launch in June.

The group initially released a set of hacking tools for routers and firewall products but claimed it had much more it was willing to sell for 10,000 bitcoins or more — around US$12 million. After failing to attract any bids, the group dumped more information, including IP addresses of systems targeted by the Equation.

The Shadow Brokers eventually called it quits in January and disabled its online accounts, only to return in April in a surprise move that involved publishing the password for an encrypted archive containing many Linux and Windows exploits, as well as malware implants supposedly used by the Equation.

Most of the vulnerabilities targeted by the leaked exploits had already been patched by that time, including EternalBlue, which Microsoft fixed in March.

According to the hackers, data that will be leaked monthly through the new subscription service could include exploits for web browsers, routers, mobile devices, and Windows 10, as well as data extracted by the Equation during its cyberespionage operations. The information is supposed to include data stolen from SWIFT providers[5] and central banks and data from “Russian, Chinese, Iranian, or North Korean nukes and missile programs.”

What subscribers will do with these exploits and data will be up to them, the group said.

No one appears to have paid the Shadow Brokers for access to the Equation arsenal in the past, at least as far as it’s publicly known. The group has even expressed its frustration about this lack of interest in its offers.

It’s unclear if a subscription-based model will attract more interest, with no price announced yet. However, given the group’s track record of leaking legitimate information that many believe to be sourced from the NSA, it is likely that at some point, this data will become public, one way or another.

To comment on this article and other PCWorld content, visit our Facebook[6] page or our Twitter[7] feed.

References

  1. ^ WannaCry ransomware (www.computerworld.com)
  2. ^ [ Further reading: How the new age of antivirus software will protect your PC ] (www.pcworld.com)
  3. ^ widely believed to be a hacking division of the NSA (www.pcworld.com)
  4. ^ posted a new message online (steemit.com)
  5. ^ SWIFT providers (en.wikipedia.org)
  6. ^ Facebook (www.facebook.com)
  7. ^ Twitter (twitter.com)
0

WannaCry attacks are only the beginning

Thousands of organizations from around the world were caught off guard by the WannaCry ransomware attack[1] launched Friday. As this rapidly spreading threat evolves, more cybercriminals are likely to attempt to profit from this and similar vulnerabilities.

As a ransomware program, WannaCry itself is not that special or sophisticated. In fact, an earlier version of the program was distributed in March[2] and April and, judging by its implementation, its creators are not very skilled.

The difference between the earlier WannaCry attacks and the latest one is a worm-like component that infects other computers by exploiting a critical remote code execution vulnerability in the Windows implementation of the Server Message Block 1.0 (SMBv1) protocol.

Microsoft released a patch for this vulnerability[4] in March and, on the heels of the attack Friday, even took the unusual step of releasing fixes for older versions of Windows[5] that are no longer supported, such as Windows XP, Windows Server 2013, and Windows 8.

The WannaCry attackers didn’t put in a lot of work to build the SMB-based infection component either, as they simply adapted an existing exploit leaked in April by a group called the Shadow Brokers. The exploit, codenamed EternalBlue, is alleged to have been part of the arsenal of the Equation, a cyberespionage group widely believed to be a team linked to the U.S. National Security Agency.

The version of WannaCry that spread through EternalBlue on Friday had a quirk: It tried to contact an unregistered domain and halted its execution when it could reach it, stopping the infection. A researcher who uses the online alias MalwareTech quickly realized that this could be used as a kill switch[6] and registered the domain himself to slow down the spread of the ransomware.

Since then researchers have discovered a couple more versions[7]: one that tries to contact a different domain name, which researchers have also managed to register, and one that has no apparent kill switch. However, the latter version is non-functional and seems to have been a test by someone who manually patched the binary to remove the kill switch, rather than recompiling it from its original source code. This led researchers to conclude that it’s likely not the work of the original authors.

Separately, experts from the computer support forum BleepingComputer.com have seen four imitations[8] so far. These other programs are in various stages of development and try to masquerade as WannaCry, even though some of them are not even capable of encrypting files at this point.

This does indicate that attacks, both from the WannaCry authors and other cybercriminals, will likely continue and, despite patches being available, many systems will likely remain vulnerable for some time to come.

After all, security vendors are still seeing successful exploitation attempts today for MS08-067, the Windows vulnerability that allowed the Conficker computer worm to spread nine years ago.

“It’s probably going to get worse before it gets better, as it’s going to be one of the most serious threats for the following 12 months,” Catalin Cosoi, Bitdefender’s chief security strategist, said in a blog post[9] about the EternalBlue vulnerability and the on-going attacks.

He believes that state-sponsored cyberespionage groups could also take advantage of the SMB flaw to plant stealthy backdoors on computers while defenders are busy dealing with the much more visible ransomware attack.

Security firm BinaryEdge, which specializes in internet-wide scans, has detected more than 1 million Windows systems[10] that have the SMB service exposed to the internet. The number is considerably higher than the 200,000 machines affected by WannaCry, so there is potential for more attacks and victims.

WannaCry’s success showed that a large number of organizations are falling behind on patches and that many have legacy systems running old versions of Windows. To some extent, this is understandable because deploying patches in environments with a large number of systems is not an easy task. Enterprises need to test patches before installing them to ensure that they don’t have compatibility issues with existing applications and break existing workflows.

In other cases, organizations might be stuck with certain systems that run unsupported Windows versions without having the financial resources to upgrade or replace them. This is the case for ATMs, medical devices, ticketing machines, electronic self-service kiosks, like those in airports, and even servers that run legacy applications that can’t easily be reengineered.

However, there are measures that can be taken to protect those systems, like isolating them on network segments where access is strictly controlled or by disabling unneeded protocols and services. Microsoft has tried to convince companies to stop using SMBv1[11] for some time, as it has other problems aside from this flaw.

“There are certain organizations or sectors — e.g. medical — where patching is not a simple matter,” Carsten Eiram, chief research officer at vulnerability intelligence firm Risk Based Security, said via email. “In those cases, it’s imperative they properly understand the risks and look into workarounds to limit the threat.”

The success of WannaCry, at least as far as rapid distribution is concerned, has proved to cybercriminals there are many vulnerable systems on enterprise networks that can be targeted through old exploits. It is possible they will try to use other Equation/NSA exploits leaked by the Shadow Brokers or will be quicker to adopt exploits for future flaws that enable similar mass-scale attacks inside LANs.

“The EternalBlue exploit is part of a bigger leak called ‘Lost In Translation’ that packs multiple vulnerabilities ranging from simple annoyances to extremely severe ones,” Bogdan Botezatu, senior e-threat analyst at Bitdefender, said by email. “We expect that most of these ‘government-grade’ exploits to make it to the public domain and get merged into commercial-grade malware, as it has happened in the past.”

Meanwhile, Eiram is convinced there will be many vulnerabilities in the future that will enable similar ransomware attacks.

“I don’t doubt that for a second,” he said. “Every year we see such vulnerabilities.”

To comment on this article and other PCWorld content, visit our Facebook[12] page or our Twitter[13] feed.

References

  1. ^ WannaCry ransomware attack (www.csoonline.com)
  2. ^ was distributed in March (twitter.com)
  3. ^ [ Further reading: How the new age of antivirus software will protect your PC ] (www.pcworld.com)
  4. ^ released a patch for this vulnerability (technet.microsoft.com)
  5. ^ releasing fixes for older versions of Windows (www.pcworld.com)
  6. ^ this could be used as a kill switch (www.pcworld.com)
  7. ^ discovered a couple more versions (blog.comae.io)
  8. ^ seen four imitations (www.bleepingcomputer.com)
  9. ^ a blog post (hotforsecurity.bitdefender.com)
  10. ^ detected more than 1 million Windows systems (blog.binaryedge.io)
  11. ^ to stop using SMBv1 (blogs.technet.microsoft.com)
  12. ^ Facebook (www.facebook.com)
  13. ^ Twitter (twitter.com)
0

Google will review web apps that want access to its users’ data

In response to recent attacks where hackers abused Google’s OAuth services to gain access to Gmail accounts, the company will review new web applications that request Google users’ data.

To better enforce its policy regarding access to user data through its APIs (application programming interfaces), which states that apps should not mislead users when presenting themselves and their intentions, Google is making changes to the third-party app publishing process, its risk assessment systems and the consent page it displays to users.

Google is an identity provider, which means other web apps can use Google as the authentication mechanism for users accessing the app. Apps use the OAuth protocol to do this. These apps can also use Google’s APIs to send users requests for information stored in Google’s services.

Last week, a large number of users received a well-crafted phishing email[2] that asked them to view a document in Google Docs. Clicking on the link redirected them to a Google OAuth consent page that said an application called Google Docs wanted access to their contacts and Gmail accounts.

The reason this spoofing attack worked is that there was no mechanism to prevent a third-party app registered to Google’s OAuth service from using the same name as one of Google’s own apps—or the name of another legitimate third-party app.

Since the attack, Google has strengthened its risk assessment for new apps and made other changes to better detect such abuse. So app developers might see error messages when registering new applications or modifying existing ones in the Google API Console, Firebase Console, or Apps Script editor, the Google Identity Team said in a blog post[3].

On top of this, based on the results of the enhanced risk assessment, some web applications will need to undergo a manual review and approval process that could take from three to seven business days.

“Until the review is complete, users will not be able to approve the data permissions, and we will display an error message instead of the permissions consent page,” the Google identity team said.

For now, developers will only be able to request a review during the application testing phase, but in the future, Google will also allow review requests during the registration phase.

Until the app is reviewed, developers will be able to continue testing their app using their own account, as well as to add additional testers.

To comment on this article and other PCWorld content, visit our Facebook[4] page or our Twitter[5] feed.

References

  1. ^ [ Further reading: How the new age of antivirus software will protect your PC ] (www.pcworld.com)
  2. ^ well-crafted phishing email (www.pcworld.com)
  3. ^ a blog post (developers.googleblog.com)
  4. ^ Facebook (www.facebook.com)
  5. ^ Twitter (twitter.com)
0

The nasty new Jaff ransomware demands $3,700 payments

Attackers behind the highly successful Locky and Bart ransomware campaigns have returned with a new creation: A malicious file-encrypting program called Jaff that asks victims for payments of around $3,700.

Like Locky and Bart, Jaff is distributed via malicious spam emails sent by the Necurs botnet, according to[1] researchers from Malwarebytes. Necurs first appeared in 2012 and is one of the largest and longest-running botnets around today.

According to an April analysis[2] by researchers from IBM Security, Necurs is made up of about 6 million infected computers and is capable of sending batches of millions of emails at a time. It is also indirectly responsible for a large percentage of the world’s cybercrime because it’s the main distribution channel for some of the worst banking Trojan and ransomware programs.

Safe to say that since Jaff is being distributed by Necurs, it will hit a lot of mailboxes.

The emails observed so far attempt to mimic the automated emails sent by printers: The subject line is simply one of the words Copy, Document, Scan, File or PDF, followed by a random number.

The attachment is a PDF file called nm.pdf that has a Word document embedded into it. This second document has malicious macros attached and contains instructions for users to allow the code to execute.

If the macros are allowed to run, they will download and install the Jaff ransomware, which immediately starts encrypting files that match a long list of targeted file extensions. After encryption, the affected files will get a .jaff extension appended to them.

The ransomware also creates two files with instructions for making a bitcoin payment in order to obtain a decryptor program. The payment portal is hosted on the Tor network and is visually identical to the portal used by the Bart ransomware, suggesting a relationship between these two threats.

While there are some similarities with Locky and Bart, the Jaff ransomware uses a different code base, so it’s a separate program, according to the Malwarebytes researchers.

Another interesting aspect is the ransom amount of 2 bitcoins, or around $3,700, which is significantly higher than what most other ransomware programs ask for.

Users should always be suspicious of unsolicited documents sent to them by email and should never allow the execution of active content inside documents unless they can verify their source. The best protection against ransomware is having a good backup routine in place that makes copies to an external storage device that’s not always connected to the computer.

To comment on this article and other PCWorld content, visit our Facebook[4] page or our Twitter[5] feed.

References

  1. ^ according to (blog.malwarebytes.com)
  2. ^ analysis (securityintelligence.com)
  3. ^ [ Further reading: How the new age of antivirus software will protect your PC ] (www.pcworld.com)
  4. ^ Facebook (www.facebook.com)
  5. ^ Twitter (twitter.com)
0

New ransomware Jaff demands $3,700 payments

Attackers behind the highly successful Locky and Bart ransomware campaigns have returned with a new creation: A malicious file-encrypting program called Jaff that asks victims for payments of around $3,700.

Like Locky and Bart, Jaff is distributed via malicious spam emails sent by the Necurs botnet, according to[1] researchers from Malwarebytes. Necurs first appeared in 2012 and is one of the largest and longest-running botnets around today.

According to an April analysis[4] by researchers from IBM Security, Necurs is made up of about 6 million infected computers and is capable of sending batches of millions of emails at a time. It is also indirectly responsible for a large percentage of the world’s cybercrime because it’s the main distribution channel for some of the worst banking Trojan and ransomware programs.

Safe to say that since Jaff is being distributed by Necurs, it will hit a lot of mailboxes.

The emails observed so far attempt to mimic the automated emails sent by printers: The subject line is simply one of the words Copy, Document, Scan, File, or PDF, followed by a random number.

The attachment is a PDF file called nm.pdf that has a Word document embedded into it. This second document has malicious macros attached and contains instructions for users to allow the code to execute.

If the macros are allowed to run, they will download and install the Jaff ransomware, which immediately starts encrypting files that match a long list of targeted file extensions. After encryption, the affected files will get a .jaff extension appended to them.

The ransomware also creates two files with instructions for making a bitcoin payment in order to obtain a decryptor program. The payment portal is hosted on the Tor network and is visually identical to the portal used by the Bart ransomware, suggesting a relationship between these two threats.

While there are some similarities with Locky and Bart, the Jaff ransomware uses a different code base, so it’s a separate program, according to the Malwarebytes researchers.

Another interesting aspect is the ransom amount of 2 bitcoins, or around $3,700, which is significantly higher than what most other ransomware programs ask for.

Users should always be suspicious of unsolicited documents sent to them by email and should never allow the execution of active content inside documents unless they can verify their source. The best protection against ransomware is having a good backup routine in place that makes copies to an external storage device that’s not always connected to the computer.

References

  1. ^ according to (blog.malwarebytes.com)
  2. ^ Make threat intelligence meaningful: A 4-point plan (www.infoworld.com)
  3. ^ Security Report newsletter (www.infoworld.com)
  4. ^ analysis (securityintelligence.com)
       
Apps & Games Clothing Electronics & Photo Large Appliances
Baby Womens Apparel Garden Lighting
Beauty Mens Apparel Outdoors Luggage
Books Girls Apparel Health & Personal Care Pet Supplies
Car Boys Apparel Home Shoes & Bags
Motorbike Computers & Accessories Kitchen Equipment Sports & Outdoors
Fashion DIY & Tools Jewellery Toys & Games