Author Topic: 74 countries hit by NSA-powered WannaCrypt ransomware backdoor


Offline Croix de Fer

  • Sr. Member
  • ****
  • Posts: 2432
  • Reputation: +1778/-72
  • Gender: Male
    Emergency fixes emitted by Microsoft for WinXP+

    https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/


    Quote
    The WannaCrypt ransomware worm, aka WanaCrypt or Wcry, today exploded across 74 countries, infecting hospitals, businesses including Fedex, rail stations, universities, at least one national telco, and more organizations.
    In response, Microsoft has released emergency security patches to defend against the malware for unsupported versions of Windows, such as XP and Server 2003, as well as modern builds.
    To recap, WannaCrypt is installed on vulnerable Windows computers by a worm that spreads across networks by exploiting a vulnerability in Microsoft's SMB file-sharing services. It specifically abuses a bug designated MS17-010 that Redmond patched in March for modern versions of Windows, and today for legacy versions – all remaining unpatched systems are therefore vulnerable and can be attacked.
    This bug was, once upon a time, exploited by the NSA to hijack and spy on its targets. Its internal tool to do this, codenamed Eternalblue, was stolen from the agency, and leaked online in April – putting this US government cyber-weapon into the hands of any willing miscreant. Almost immediately, it was used to hijack thousands of machines on the internet.
    Now someone has taken that tool and strapped it to ransomware: the result is a variant of WannaCrypt, which spreads via SMB and, after landing on a computer, encrypts as many files as it can find. It charges $300 or $600 in Bitcoin to restore the documents. It is adept at bringing offices and homes to a halt by locking away their data.
    And it installs Doublepulsar, a backdoor that allows the machine to be remotely controlled. That's another stolen NSA tool leaked alongside Eternalblue. The malware is also controlled via the anonymizing Tor network by connecting to hidden services to receive further commands from its masters.
    Fortunately, a kill switch was included in the code. When it detects that a particular web domain exists, it stops further infections. That domain was created earlier today by a UK infosec bod, who spotted the dot-com in the reverse-engineered binary; that registration was detected by the ransomware, which immediately halted its worldwide spread.
    Connections to the magic domain – iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com – were sinkholed to a server in California, and the admins of the infected systems reaching out to the dot-com will be notified, we're told. "IP addresses from our sinkhole have been sent to FBI and ShadowServer so affected organisations should get a notification soon," said the researcher. The infosec bod admitted they registered the domain first, then realized it was a kill switch. Still, job done.
    Here are some quick links to much more technical details we've gathered:
    • Cisco's Talos team has dissected the malware, describing its components.
    • A scrapbook page linking to samples of the malware, its command-and-control addresses, Bitcoin wallet addresses for ransoms, and so on.
    • A decrypted sample of the software nasty is here.
    • An exploit for MS17-010 written in Python with example shellcode. This is based on the Eternalblue tool stolen from the NSA, and was developed by infosec biz RiskSense. It reveals that the SMB server bug is the result of a buffer overflow in Microsoft's code. A 32-bit length is subtracted into a 16-bit length, allowing an attacker to inject more data than they should into the networking service and ultimately hijacking the system. Disabling SMBv1 disables the bug, and is recommended in any case. You should also firewall off SMB ports 139 and 445 from the outside world, and restrict access to the service where possible on internal networks.
    • You can track infections in real time, here. There are at least 104,000 identified infected hosts worldwide.
    • MalwareBytes has a study of the worm component, here.
    • Microsoft has advice for customers, here. There are also emergency patches for operating systems as far back as Windows XP, here. Please install them if you need to.
    The software nasty has today ransacked the UK's national healthcare service, forcing hospitals to shut down to non-emergency patients; torn through Spanish telco Telefónica; and many other organizations. In what is looking like one of the biggest malware attacks in recent memory, the bulk of the infections are in Russia – including the state's interior ministry; the virus has claimed high-profile targets around the world.
    [Image: infection map. Caption: "♪ Been around the world and I–I–I, I can't find my data ..." Source: Kaspersky Lab]
    We're told 16 NHS health trusts in the UK were taken out by the malware. Prime Minister Theresa May said the code "has crippled" Brit hospitals, and that Blighty's surveillance nerve center GCHQ is looking into the outbreak. The NHS is thought to have been particularly hard hit because of the antiquated nature of its IT infrastructure. A large part of the organization's systems are still using Windows XP, which is no longer supported by Microsoft, and Health Secretary Jeremy Hunt cancelled a pricey support package in 2015 as a cost-saving measure.
    Computers were locked in Aintree, Blackpool, Broomfield Hospital in Essex, Colchester General Hospital, all hospital systems in Derbyshire, Great Yarmouth, East and North Hertfordshire, James Paget hospital in Norfolk, Lanarkshire, and Leicester.
    US companies have also been hit. FedEx told The Reg: "Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware. We are implementing remediation steps as quickly as possible. We regret any inconvenience to our customers." Essentially, staff have been told to turn off their non-critical systems, and to keep it that way until the mess is cleaned up – which could take the whole weekend, or longer.
    Meanwhile, Scottish Power was also reported as hit, but it told us that it just took down some non-essential systems as a precaution. Germany's rail system was infected, it appears.
    To counter the spread of the malware, security firms pushed out file and network traffic signatures to detect the ransomware-worm hybrid's presence and kill it. Microsoft was quick off the ball, emitting signatures for the malware for its systems.
    "Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt," a Microsoft spokesperson told The Reg.
    "In March, we provided a security update which provides additional protections against this potential attack. Those who are running our free antivirus software and have Windows Update enabled, are protected. We are working with customers to provide additional assistance.”
    NSA exposure puts us all at risk
    As described above, the worm uses the EternalBlue and DoublePulsar exploits swiped from the NSA's arsenal of hacking tools. It would have been great if the bugs targeted by the agency had been patched years ago; instead, they were fixed by Microsoft in March just before the Shadow Brokers dumped the programs online in April. We assume either the NSA or the brokers tipped off the Redmond giant so that updates to kill off the SMB bug could be pushed out before the exploits publicly leaked.
    So, yes, Microsoft issued security fixes to address the vulnerabilities attacked by those cyber-weapons, but as is the way with users and IT departments big and small, not everyone has patched, or can patch, and they are now paying the price. The initial infection point appears to be spear-phishing emails, thrown at people within organizations, with the malware hidden in attachments that, when opened, trigger a cyber-contagion on the internal network. The malware is a hybrid design that has a worm element, allowing it to spread through internal structures for maximum effect.
    According to an analysis by Payload Security, the malware drops a number of programs on the system, including Tor, and adds itself to the Windows Registry so it persists across reboots. It can fetch software modules to gain new abilities, and uses various techniques to hinder reverse-engineering: decrypted samples of the executables are available from the above links.
    The code encrypts a wide variety of documents on a computer, including any attached storage, and snatches any keys for remote-desktop access. It deletes volume snapshots, and disables system repair tools. It also scans the infected system's settings to work out the user's language, and pulls up a ransom demand in the correct lingo for the victim. It changes the desktop backdrop, too, to grab the victim's attention.
    According to a study by Kaspersky, it appears the malware controllers are getting greedier as infection rates grow. The initial infections asked for $300 worth of Bitcoin; however, later infection notices have upped this price to $600. A check on the Bitcoin strings shows a few thousand dollars' worth of Bitcoin have already been sent to the criminals.
    "We have recorded more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia," said Kaspersky's research team.
    "It’s important to note that our visibility may be limited and incomplete and the range of targets and victims is likely much, much higher."
    What is to be done?
    This is just the first wave: there is nothing stopping someone from making a new worm that attacks the MS17-010 bug to silently compromise vulnerable systems, or adapting the WannaCrypt binaries to cause more damage.
    So, what's the solution? If you're already infected then there's not a lot you can do other than wipe the system and reinstall from offline unaffected backups – if you have them.
    It's possible that the malware writers will have screwed up and put the decryption key in the code itself – such slip-ups have happened in the past. Researchers are picking the code apart byte by byte trying to find such clues, but this looks like a reasonably sophisticated piece of software so that's a long shot.
    If you haven't been infected, make sure your security patches are up to date. Kill off SMBv1 at the very least, and block access to it from outside your network. The exploits the malware uses have already been patched, and there's no excuse for getting caught out as a private user. It's understandable that IT managers with annoying corporate policies and heavy workloads have been forced to hold back patches, or are unable to apply them. If you can update your installations, drop everything and get patching.
    And we'd sure appreciate it if you could stop clicking on attachments from unknown parties, too. ®
    Blessed be the Lord my God, who teacheth my hands to fight, and my fingers to war. ~ Psalms 143:1 (Douay-Rheims)
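The quoted article describes two network-visible traces of the worm: a lookup of the kill-switch domain (which happens on a host where the payload has already run, before it tries to spread) and SMB fan-out toward ports 139/445 on internal peers. The following is an added detection example, not code from The Register or from any of the vendors named above; the DNS and firewall log formats, the IP addresses and the scan threshold are constructed assumptions. Only the kill-switch domain is taken from the article.

```python
"""Hunt for WannaCrypt-style indicators in DNS and firewall logs.

Added example with constructed sample data. The two log formats below are
assumptions, not any vendor's real format; only the kill-switch domain
comes from the article quoted above.
"""
from __future__ import annotations

from collections import defaultdict

# Kill-switch domain named in the article. A client resolving it means the
# payload already ran on that host: the lookup precedes the spreading logic.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
SMB_PORTS = {139, 445}
SCAN_THRESHOLD = 20  # assumption: distinct SMB peers in the window that we call scanning

# Constructed DNS resolver log: "<timestamp> <client> query <qtype> <name>"
DNS_LOG = """\
2017-05-12T10:01:05Z 10.0.4.17 query A www.example.com
2017-05-12T10:01:09Z 10.0.4.22 query A iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:01:11Z 10.0.4.17 query AAAA updates.example.net
2017-05-12T10:02:40Z 10.0.4.31 query A IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
"""

# Constructed firewall log: "<timestamp> <action> <proto> <src> <dst> <dport>".
# 10.0.4.22 fans out to 25 distinct peers on 445 (worm-like);
# 10.0.4.17 only talks to one file server, which is normal.
FW_LOG_LINES = [
    f"2017-05-12T10:01:{i % 60:02d}Z ALLOW TCP 10.0.4.22 10.0.5.{i} 445" for i in range(1, 26)
] + [
    "2017-05-12T10:01:30Z ALLOW TCP 10.0.4.17 10.0.9.5 445",
    "2017-05-12T10:01:31Z ALLOW TCP 10.0.4.17 10.0.9.5 445",
    "2017-05-12T10:01:32Z ALLOW TCP 10.0.4.17 10.0.9.5 443",
]
FW_LOG = "\n".join(FW_LOG_LINES) + "\n"


def hosts_querying_kill_switch(dns_log: str) -> set[str]:
    """Return clients that looked up the kill-switch domain.

    Comparison ignores case and a trailing dot, since resolvers log both."""
    hits: set[str] = set()
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "query":
            continue  # skip malformed lines instead of aborting the whole run
        name = parts[4].rstrip(".").lower()
        if name == KILL_SWITCH_DOMAIN:
            hits.add(parts[1])
    return hits


def smb_fan_out(fw_log: str) -> dict[str, int]:
    """Count distinct destination hosts each source contacted on SMB ports."""
    peers: dict[str, set[str]] = defaultdict(set)
    for line in fw_log.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        _ts, _action, proto, src, dst, dport = parts
        if proto == "TCP" and dport.isdigit() and int(dport) in SMB_PORTS:
            peers[src].add(dst)
    return {src: len(dsts) for src, dsts in peers.items()}


def suspected_scanners(fw_log: str, threshold: int = SCAN_THRESHOLD) -> set[str]:
    """Sources whose SMB fan-out meets the scanning threshold."""
    return {src for src, n in smb_fan_out(fw_log).items() if n >= threshold}


def triage(dns_log: str, fw_log: str) -> dict[str, list[str]]:
    """Label each flagged host with every indicator that fired for it."""
    findings: dict[str, list[str]] = defaultdict(list)
    for host in hosts_querying_kill_switch(dns_log):
        findings[host].append("kill-switch lookup (payload executed)")
    for host in suspected_scanners(fw_log):
        findings[host].append("SMB fan-out (worm-like scanning)")
    return dict(findings)


if __name__ == "__main__":
    for host, reasons in sorted(triage(DNS_LOG, FW_LOG).items()):
        print(host, "->", "; ".join(reasons))
```

Two points follow from the article's own description. First, a kill-switch lookup is evidence that the host executed the malware, not merely that it was scanned, so such hosts belong at the top of the isolation list even when the sinkhole stopped them spreading. Second, since the registered domain is what halts the spread, the domain should stay resolvable and reachable from inside the network rather than be added to a blocklist; what to block is inbound SMB (139/445) from outside, as the article recommends.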
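The article attributes the SMB server bug to a 32-bit length being subtracted into a 16-bit length. The block below is an added teaching model of that defect class (integer narrowing producing an undersized buffer) beside the check that prevents it; it is not SMB code, not the Windows logic, and not derived from the RiskSense exploit the article links. The record layout, field names and sizes are constructed assumptions.

```python
"""Length truncation: a 32-bit subtraction stored in a 16-bit field.

Added teaching model of the bug class the article names. It is not SMB code
and not the real Windows logic; the header layout is a constructed assumption.
"""
from __future__ import annotations

import struct

MAX_U16 = 0xFFFF
MASK_U32 = 0xFFFFFFFF


def record_length_unsafe(total_size: int, header_size: int) -> int:
    """Model of the defect: the 32-bit difference is narrowed to 16 bits,
    so any value >= 0x10000 silently wraps to a much smaller number."""
    diff = (total_size - header_size) & MASK_U32  # 32-bit arithmetic
    return diff & MAX_U16                          # then stored into a WORD


def record_length_safe(total_size: int, header_size: int) -> int:
    """Hardened form: reject anything that does not fit the narrower field,
    instead of letting the narrowing decide the buffer size."""
    if header_size > total_size:
        raise ValueError("header larger than record")
    diff = total_size - header_size
    if diff > MAX_U16:
        raise ValueError(f"payload length {diff:#x} does not fit in 16 bits")
    return diff


def would_overflow(total_size: int, header_size: int) -> bool:
    """True when a buffer sized from the truncated value is smaller than
    the payload that will actually be delivered (total minus header)."""
    allocated = record_length_unsafe(total_size, header_size)
    delivered = total_size - header_size
    return delivered > allocated


def is_rejected(total_size: int, header_size: int) -> bool:
    """Convenience wrapper: does the hardened check refuse these sizes?"""
    try:
        record_length_safe(total_size, header_size)
    except ValueError:
        return True
    return False


def parse_header(blob: bytes) -> tuple[int, int]:
    """Constructed 8-byte header: two little-endian uint32 fields,
    (total_size, header_size)."""
    return struct.unpack("<II", blob[:8])


if __name__ == "__main__":
    # Constructed header claiming a 0x10010-byte record with a 0x10-byte header:
    # the true payload is 0x10000 bytes, which narrows to 0.
    total, header = parse_header(struct.pack("<II", 0x10010, 0x10))
    print("unsafe length:", record_length_unsafe(total, header))
    print("overflow?", would_overflow(total, header))
    print("rejected by hardened check?", is_rejected(total, header))
```

The point of the model is that the wrap is invisible at the point of narrowing: 0x10000 becomes 0 without any error, and the code that later copies the real payload trusts the smaller number. The fix is to validate the full-width value against the destination field's range before it is stored, and to treat a header larger than its record as malformed rather than letting unsigned subtraction wrap.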

    Offline JezusDeKoning

    • Full Member
    • ***
    • Posts: 1790
    • Reputation: +518/-263
    • Gender: Male
    Re: 74 countries hit by NSA-powered WannaCrypt ransomware backdoor
    « Reply #1 on: May 13, 2017, 08:41:34 AM »
    Windows XP is a wonderful OS, but it will never be updated again. It's now a security risk, being a 16-year-old operating system. If it's financially feasible, they should upgrade to Windows 10.
    The second Monday of October is Columbus Day, not Indigenous People's Day. Without Columbus discovering the Indies and giving them the True Faith, they would still be cannibals worshipping the Sun.

    Santo subito!


    Offline RomanCatholic1953

    • Hero Member
    • *****
    • Posts: 5082
    • Reputation: +1927/-35
    • Gender: Male
    Re: 74 countries hit by NSA-powered WannaCrypt ransomware backdoor
    « Reply #2 on: May 14, 2017, 12:23:11 PM »
    Snowden Blasts The NSA Over Global Malware Attack
    MAY 13, 2017

    By Jack Burns
    Just one day after U.S. President Donald Trump signed an executive order designed to improve the country's national security against cyber security threats, nearly 100 countries, including the United States, were hit with a powerful ransomware cyber-attack, an attack that former National Security Advisor contractor Edward Snowden is blaming on the NSA.
    Quote
    Edward Snowden (@Snowden), 9:35 AM - 13 May 2017: First question arise in Congress after @NSAGov's attack tools—which officials promised "nobody but us" could use—shut down hospitals in UK. https://twitter.com/dnvolz/status/863189242125660162 …

    It was one of the largest known cyber-attacks in the history of the world and demanded that owners of frozen computers all across the globe buy bitcoin and pay in bitcoin to have their computers released.
    The attack, carried out on Friday, affected and infected computer systems all across the globe, hitting the UK’s National Health Service the worst, according to some reports.
    It even affected the server which hosts the Free Thought Project’s website. We experienced outages of over an hour before reverting back to our backup server in another part of the country.


    Hours after the attack, carried out by unknown assailants, Snowden said it all could have been prevented.

    In a series of tweets, Snowden attacked his former employer, pinning the burden of blame squarely on the backs of the NSA. Demonstrating the serious nature of the attacks, the whistleblower emphasized lives were on the line in the latest cyber attack.
    The tools used in this hack were released online last month and belonged to the NSA.
    Snowden, seeing the grave danger posed by the NSA’s spying and irresponsible nature, tweeted, “Whoa: @NSAGov decision to build attack tools targeting US software now threatens the lives of hospital patients,” indicating it was a leaked NSA cyberwar tool, created by the NSA which attacked the UK’s hospital system.
    Pinning the blame on the NSA, he then tweeted, “Despite warnings, @NSAGov built dangerous attack tools that could target Western software. Today we see the cost:”
    Quote
    Edward Snowden (@Snowden), 12:53 PM - 12 May 2017: Despite warnings, @NSAGov built dangerous attack tools that could target Western software. Today we see the cost: https://www.nytimes.com/2017/05/12/world/europe/uk-national-health-service-cyberattack.html …
    [Linked article, nytimes.com: "Cyberattack Against U.K.'s National Health Service Is Reported. The attack harmed computer and phone systems, and some emergency care was rerouted, officials said."]

    Graham Cluley, a computer security expert, agrees with Snowden, saying,
    Quote
    The US intelligence agency found a security hole in Microsoft software and rather than doing the decent thing and contacting Microsoft they kept it to themselves and exploited it for the purposes of spying. Then they themselves got hacked. And it was at that point Microsoft thought, ‘Jesus we need to patch against this thing’.
    Still acting as the patriot he claims to be, Snowden then called on Congress to call the NSA to the carpet and demand they acknowledge, address, and shore up vulnerabilities in other systems. He said in a tweet, “In light of today’s attack, Congress needs to be asking @NSAgov if it knows of any other vulnerabilities in software used in our hospitals.”
    Quote
    Edward Snowden (@Snowden), 1:08 PM - 12 May 2017: In light of today's attack, Congress needs to be asking @NSAgov if it knows of any other vulnerabilities in software used in our hospitals.

    Not mincing words, the whistleblower — who some have called a traitor — tweeted, "If @NSAGov had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened."

    Quote
    Edward Snowden (@Snowden), 1:11 PM - 12 May 2017: If @NSAGov had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened https://twitter.com/Snowden/status/863108616773095425 …

    The blame, according to Snowden, lies within the NSA and could have been prevented. He elaborated in his follow-up tweet. The former NSA contractor said the government agency should have approached the hospital systems privately and revealed the Microsoft Windows vulnerability years ago, instead of letting the tool fall into the wrong hands and jeopardize lives.
    He tweeted, “This is a special case. Had @NSAGov disclosed the vuln[erability] when they discovered it, hospitals would have had years — not months — to prepare.”
    Quote
    Edward Snowden (@Snowden), 1:24 PM - 12 May 2017: This is a special case. Had @NSAGov disclosed the vuln when they discovered it, hospitals would have had years -- not months -- to prepare. https://twitter.com/zeynep/status/863111733161979906 …

    While it’s true that Microsoft is no longer providing updates and patches to its Windows XP platform, Snowden implied the security agency had a fiduciary responsibility to shore up any and all known vulnerabilities within XP. He tweeted, “If NSA builds a weapon to attack Windows XP—which Microsoft refuses to patches—and it falls into enemy hands, should NSA write a patch?”
    Quote
    Edward Snowden (@Snowden), 1:46 PM - 12 May 2017: If NSA builds a weapon to attack Windows XP—which Microsoft refuses to patches—and it falls into enemy hands, should NSA write a patch? https://twitter.com/AlexanderAbdo/status/863115958101172226 …

    Some might say Snowden’s last suggestion makes a lot of sense. Microsoft could have continued support for its aging platform, but when it didn’t, the NSA could have stepped in and provided such a security patch. Or, at the very least, informed people of the flaw.
    Once again, Snowden's words appear to haunt his former employer. In the ground-shaking documentary Citizenfour (2014), Snowden went on camera to tell the world just how powerful the NSA's systems were, and to warn all Americans and world citizens alike of the dangers of cyber-warfare.
    Only now is the world beginning to see, arguably, just how true his predictions would become. The switch has been flipped and the world is at war. The only problem is, no one knows precisely who is pulling the switches. But according to Snowden, the NSA knows how to fix it.
    Jack Burns is an educator, journalist, investigative reporter, and advocate of natural medicine. This article first appeared here at TheFreeThoughtProject.com
    Activistpost.com

    Offline Ascetik

    • Jr. Member
    • **
    • Posts: 231
    • Reputation: +129/-13
    • Gender: Male
    Re: 74 countries hit by NSA-powered WannaCrypt ransomware backdoor
    « Reply #3 on: May 15, 2017, 08:55:16 AM »
    Pretty sad.

    I assume this only affects Windows, but I'm not 100% sure. I think because it runs as a DCOM, which is a Windows process.

    I work in IT and have 4 open tickets right now dealing with patches on this issue.

    Offline Matthew

    • Mod
    • *****
    • Posts: 20611
    • Reputation: +18244/-61
    • Gender: Male
    Re: 74 countries hit by NSA-powered WannaCrypt ransomware backdoor
    « Reply #4 on: May 15, 2017, 08:58:12 AM »
    I'm on Linux, and so is CathInfo.

    Hahahaha

    This is what you get for going with the mainstream (Windows), taking the path of least resistance, and being like everyone else...
    Start your Amazon.com session by clicking this link, and my family and I get a commission on your purchase!


    Offline Ascetik

    • Jr. Member
    • **
    • Posts: 231
    • Reputation: +129/-13
    • Gender: Male
    Re: 74 countries hit by NSA-powered WannaCrypt ransomware backdoor
    « Reply #5 on: May 15, 2017, 09:38:34 AM »
    Yep, pretty crazy.

    What distro do you use Matthew?

    Offline Matthew

    • Mod
    • *****
    • Posts: 20611
    • Reputation: +18244/-61
    • Gender: Male
    Re: 74 countries hit by NSA-powered WannaCrypt ransomware backdoor
    « Reply #6 on: May 15, 2017, 09:53:15 AM »
    Quote
    Yep, pretty crazy.

    What distro do you use Matthew?

    Linux Mint, of which there are 4 varieties (desktop managers). I use the MATE desktop/flavor.

    "Cinnamon" is much more fancy, but I prefer reliability over slick features. But if you like rotating cubes, and effects like you have on Mac OS X, you should go with the Cinnamon desktop.

    I started using Ubuntu part-time about 2009, and I switched to Linux Mint full-time in 2011.

    Offline Ascetik

    • Jr. Member
    • **
    • Posts: 231
    • Reputation: +129/-13
    • Gender: Male
    Re: 74 countries hit by NSA-powered WannaCrypt ransomware backdoor
    « Reply #7 on: May 15, 2017, 09:58:29 AM »
    Cool. I hop around depending on what I'm doing.

    For desktop I typically use Antergos or Debian, but I'm familiar with many. I switch around window managers. I've used i3, KDE Plasma, GNOME, Cinnamon, you name it, I've probably used it. But for Antergos I just use KDE Plasma right now.

    All of my support tools for customers only work on Windows, so I just use Windows 8.1 for that.


     
