Category: Cybersecurity

City in Florida pays $600,000 to Hackers, after a ransomware attack

Riviera Beach is a small town in Florida, of less than 40,000 people. The City Council in Riviera Beach agreed to pay a $600,000 ransom to hackers who encrypted files on their computers. In hindsight it would have been cost effective to hire a couple of IT guys to go around and apply the Microsoft Security patches to all the computers used by Riviera Beach.

Click on this link to visit The New York Times website to read their post titled: “Hit by Ransomware Attack, Florida City Agrees to Pay Hackers $600,000”.

Ransomware attacks targeting small cities are prevalent and growing. Those cities which do not pay the ransom, may end up spending Millions of Dollars rebuilding their IT Systems. Click on this link to visit the Wired website to read their article titled: “ATLANTA SPENT $2.6M TO RECOVER FROM A $52,000 RANSOMWARE SCARE”.

When the Security Patches were being applied, the IT guys could also discuss Phishing emails as most people are not even aware what a Phishing email is. It is not just small cities that fall for Phishing emails. The accounting departments of huge Tech firms have sent out cheques worth Millions of dollars because of fake Phishing emails.

 

Video courtesy of the RT America YouTube channel

Many of the Ransomware attacks (such as WannaCry) used the Microsoft SMB vulnerability.

A prior CERT advisory titled: “Vulnerability Note VU#867968” (Microsoft Windows SMB Tree Connect Response denial of service vulnerability) was issued on Feb 02 2017.

In March Microsoft issued their Microsoft Security Bulletin MS17-012 which addressed the SMB issue.

There was also an even earlier US-CERT Advisory posted on Jan 16 2017 titled: “SMB Security Best Practices”, which suggested “blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.” Port blocking can be done using your Firewall Software (or Hardware).

A number of attacked city systems had “not” updated “all” their computers with suggested Security Updates. Some of their Operating Systems and Server System software go back to the days of Windows 7. The often quoted statement is that they did not have the IT resources to get Security Updates installed on all the computers.

One area which IMHO requires more training is Phishing Attacks. That is the use of fake emails sent to email addresses which are part of a city’s system. The fake email will ask the receiver to click on a link. If the receiver clicks on the link they will link to one of the Hacker’s Command and Control Servers, which will then upload the Ransomware to the receiver’s computer. The Ransomware will be started and spread to the System Servers and to all the other computers. Once running on a computer, the Ransomware will start to Encrypt data files using a secret key. Next, messages will pop up on infected computers telling them that their files have been encrypted and that they have so many days to pay a Ransom to get the key to be able to un-encrypt their files.

I recently posted the following article on this site which was titled: “Phishing eMail Scam targeted Facebook and Google for $100 Million Dollars.”

If the main Servers have Security Updates installed then the Ransomware will not spread. Also, if the System Admins have been doing daily backups, they may be able to recover the Servers using their backup files. They would still have to deal with individual end user computers which were infected.

The “key” is training End Users to not open emails from unfamiliar people. If opened, then the end user should not click on any links and they should immediately contact their IT Support Team. Unfortunately in real life, that is easier said than done.

Click on the CYBERSECURITY box in the menu at the top of this site, to read more Security related posts.

 

Posted by Vincent Banial

 


WhatsApp Buffer Overflow Vulnerability could be used to inject Surveillance Software into any Cell Phone

Facebook has posted a Security Advisory about a vulnerability in WhatsApp as follows:

CVE-2019-3568

Description: A buffer overflow vulnerability in WhatsApp VOIP stack allowed remote code execution via specially crafted series of SRTCP packets sent to a target phone number.
Affected Versions: The issue affects WhatsApp for Android prior to v2.19.134, WhatsApp Business for Android prior to v2.19.44, WhatsApp for iOS prior to v2.19.51, WhatsApp Business for iOS prior to v2.19.51, WhatsApp for Windows Phone prior to v2.18.348, and WhatsApp for Tizen prior to v2.18.15.

Last Updated: 2019-05-13

Video is courtesy of the DW News YouTube channel

Facebook owns WhatsApp.  The vulnerability was found in early May of this year. The Hack allowed the installation of spyware on the Cell Phone being called even if the call was not answered by the Cell Phone owner. The software installed was allegedly the very powerful spyware named Pegasus.

Pegasus can gain full control over the phone. That includes all of its contents and history. Pegasus also has the ability to activate the Cell Phone’s microphone and camera without the cell phone owner being aware of it.

Video is courtesy of the Lansweeper YouTube channel

The Israeli firm called the NSO Group is known for producing Pegasus. Their customer base is apparently government agencies around the globe.

The Citizen Lab website published a report on the extent of use of Pegasus Spyware around the globe. Click on this link to visit The Citizen Lab website and read their post titled: “HIDE AND SEEK: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries”.

The United Kingdom’s National Cyber Security Centre has published today (May 14) suggestions for Cell Phone users. Click on this link to visit the UK’s National Cyber Security Centre to read their post titled: “NCSC advice following WhatsApp vulnerability: Advice for users of WhatsApp following today’s vulnerability announcement”.

 

Posted by Vincent Banial

Lockergoga Ransomware may be Stopped from encrypting files by a faulty “.LNK” file

The Alert Logic Blog posted about a coding error found in variants of the Lockergoga ransomware. Before encrypting any files, Lockergoga first checked for certain files including Windows “.LNK” files.

The Security Team at Alert Logic found that if Lockergoga came across a malformed (invalid) “.LNK” file, then it would cause a Windows Exception Error which would then automatically stop Lockergoga in its tracks. This is all before the File Encryption Process was started.

Creating a malformed “.LNK” file may be a short term vaccine against present variants of Lockergoga. It is highly likely that the people who built Lockergoga will remove the “.LNK” file check in future variants of Lockergoga.

Click on this link to visit the Alert Logic website to read their blog post titled: “Halting the Lockergoga Ransomware“.

There is Ransomware protection software available which is based on “Behaviour”. It allows the Ransomware to run, but will stop it when it starts to encrypt files in protected folders. Those protected folders also have backups of the files, which can then be restored as needed.

Click on this link to visit the Temasoft website to read their post titled: “Ranstop blocks LockerGoga ransomware“.


Ranstop is behaviour based security software. It is not Signature based. It caught Lockergoga when it started the encryption process. Since the protected folders have the files backed up, any file encrypted prior to stopping Lockergoga, could be recovered.

 

Video is courtesy of the TEMASOFT YouTube channel

 

Click on this link to visit the Temasoft website to read their page titled: “Ranstop – anti-ransomware software that works”. Home Users can also Download a free version of Ranstop. Note Ranstop works with the “PRO” versions of Windows 7, 8 and 10.

 

Posted by Vincent Banial

Microsoft Cybersecurity Architect Dr Erdal Ozkaya discusses the state of Cyber Security

This is a capture of a Mar 20 2019 Webinar by Microsoft Cybersecurity Architect Dr Erdal Ozkaya presented by IT Masters Pty Ltd and Charles Sturt University.

Video is courtesy of ITMastersCSU YouTube channel

Posted by: Vincent Banial

Huawei is the market leader in 5G Technology. They also compete in the Cell Phone market. Maybe that is why they are being attacked.


Huawei has invested Millions in research and development of 5G. Huawei is recognized as the world leader in the new 5G Cellular technology, which will bring with it the new Internet.

Video is courtesy of the RT America YouTube channel

Instead of investing time and money to create better technology, it is easier to harass this company and its executives. Using Fear Mongering by saying that Huawei is spying for the Chinese Government. Kinda like the Pot calling the Kettle black. Edward Snowden revealed how extensive US spying was.

Video is courtesy of the Wall Street Journal

So far Canada has arrested a major Huawei Executive, apparently at the request of the US Government. I suspect strings were pulled and Poland comes out with yet another and more serious charge against another Huawei Executive. Funny how German and French Security and Intelligence Services have not said a word. Why? Maybe because Huawei does not spy for the Chinese Government and they will not allow themselves to be bullied into a false action.

Europe is a major market for Huawei. IMHO this is an attempt to stop the sale of Technically Superior Huawei 5G equipment in Europe.

Video is courtesy of the Wall Street Journal

If you cannot compete with better 5G Technology then hey maybe your government can Tar and Feather the competition who has developed better 5G Technology.

Video is courtesy of The Real News Network YouTube channel

Recent Quarterly Reports from Apple indicated that iPhone sales in China were slowing down. Huawei also competes in the Cell Phone market and their Cell Phone sales are growing. Might be another reason for the underhanded attacks on Huawei.

Video is courtesy of the Wall Street Journal

U.S. Government Has Amassed Terabytes of Internal WikiLeaks Hard Drives


Big mistake to carry WikiLeaks hard drives when traveling. Big Mistake to give other people access to WikiLeaks data files. Big mistake to store passwords needed to decrypt the encrypted WikiLeaks Hard Drives on some of the hard drives.

Video is courtesy of the Wochit News YouTube channel

Click on this link to visit the Gizmodo website to read the article written by Emma Best titled: “The U.S. Government Has Amassed Terabytes of Internal WikiLeaks Data“.

Click on this link to visit the WikiLeaks website.

Click on this link to visit the MIT Technology Review website to read their post titled: “Everything You Need to Know About Wikileaks“.

Increase your CyberSecurity by installing VirusTotal web browser extensions from Chronicle

Chronicle is a new CyberSecurity company that you have never heard of. Google’s Search Engine can be your friend when doing web searches. Well Google also owns Chronicle. Google can be your friend when trying to increase your CyberSecurity on the Internet.

Click on this link to visit the Business Insider webpage where they discuss Google’s New CyberSecurity Division called Chronicle.

Click on this link to visit the official Chronicle website where they state that they have “the power to fight cybercrime on a global scale“.

Chronicle’s offering is for Enterprise customers. One of the products which Chronicle has is called VirusTotal, which can be used by home users. VirusTotal comes as an extension for popular web browsers like Firefox, Chrome and Internet Explorer.

Video courtesy of the Google Cloud Platform YouTube channel


From the VirusTotal website: “Imagine you log into your Gmail account and find a suspicious email from your bank. The email informs you about an unauthorized access to your account and asks you to follow a link and provide your credentials to view the account access log. Wouldn’t it be great if you could simply right-click on the link and check it against VirusTotal in order to understand whether it is legit or report a phishing site? Wouldn’t it be great if you could do this just with that right-click, without having to navigate to VirusTotal and refer to the URL tab? This is what VirusTotal’s browser extensions allow you to do, and they come in flavors for the most widespread browsers.”

Click on this link to visit the download page at VirusTotal for their Web Browser Extensions.

Opening an email using Outlook could let someone steal your Windows Login Password

You receive an email from what seems like a legitimate source. By opening that email using Microsoft Outlook, you could be allowing a Hacker to gain your Windows Login Password.

If the received email contains, say, a UNC web link starting with \\, clicking on the link will start an SMB connection, and the username and password hash data can be transferred without the user’s knowledge.

This is because Microsoft Outlook allows a message to contain embedded parts. Microsoft allows the use of Rich Text Format (RTF) and Object Linking and Embedding (OLE), and that can be exploited to get Outlook to “automatically” open an SMB connection to a remote SMB Server.

Will Dormann, who is a Software Vulnerability Analyst with Carnegie Mellon Software Engineering Institute’s CERT Coordination Center (CERT/CC), found the above vulnerability. He reported the vulnerability to Microsoft in November of 2016.

Last Tuesday (Apr 10 2018) Microsoft released a fix for the above bug. Click on this link to visit Microsoft’s site with details of the bug fix: CVE-2018-0950 | Microsoft Office Information Disclosure Vulnerability – Security Vulnerability –
Published: 04/10/2018
MITRE CVE-2018-0950

The above Microsoft fix does address the “Automatic” opening of an SMB connection to a remote SMB Server. But, the user viewing said document can still click on a link embedded (via OLE) within the document and that will then initiate an SMB connection.

To check if your Windows systems has the update installed goto

For info on keeping your Microsoft Windows updated click on this link to visit the Windows Update: FAQ

The Microsoft Apr 10 Security update does not address the end user clicking on a link. To eliminate an SMB session being established after an OLE Link has been clicked, you need to block certain ports for incoming and outgoing SMB sessions. Block TCP ports 445, 137 and 139. In addition, you need to block UDP port 137 and UDP port 139. That way no inbound or outbound SMB connections will be started.

You should also add a Windows Registry DWORD32 key named “EnterpriseAccountSSO” and then set that key to a value of “0”. How to do that is detailed below.

Click on the following link to visit the Microsoft Security Advisory page titled: ADV170014 | Optional Windows NTLM SSO authentication changes – Security Advisory – Published: 10/10/2017

The above link discusses adding a registry entry which will block NT LAN Manager (NTLM) SSO authentication. It’s a small, simple addition:

Customers can add a DWORD32 key named “EnterpriseAccountSSO” to the Windows Registry location HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\MSV1_0 with the following options:

  • 2 – Always allow SSO. (This is the default state.)
  • 1 – Deny SSO if the resource is public. Allow if the resource is private or enterprise. Allow SSO if the resource is unspecified.
  • 0 – Deny SSO if the resource is public. Allow if the resource is private or enterprise. Deny SSO if the resource is unspecified.

You should set it to “0”, which would DENY SSO authentication requests.
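The two mitigations described above (blocking the SMB ports and setting “EnterpriseAccountSSO” to 0) can be applied from an elevated PowerShell prompt. This is an added example, not code from Microsoft or CERT/CC; the function names and firewall rule names are made up for illustration, and UDP 138 is included because the US-CERT advisory quoted elsewhere on this page lists it.

```powershell
#Requires -RunAsAdministrator
# Added example: function names and firewall rule names are illustrative.

$LsaKey    = 'HKLM:\System\CurrentControlSet\Control\Lsa\MSV1_0'
$ValueName = 'EnterpriseAccountSSO'   # value described in ADV170014
$TcpPorts  = 445, 137, 139            # TCP ports named in this post
$UdpPorts  = 137, 138, 139            # 138 is from the US-CERT SMB advisory

function Get-NtlmSsoSetting {
    # An absent value means the default behaviour (2 = always allow SSO).
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 2 }
    return [int]$item.$ValueName
}

function Set-NtlmSsoSetting {
    param([ValidateRange(0, 2)][int]$Value = 0)
    # -Force overwrites an existing value instead of failing on it.
    New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord `
        -Value $Value -Force | Out-Null
}

function Add-SmbBlockRule {
    param(
        [Parameter(Mandatory)][ValidateSet('Inbound', 'Outbound')][string]$Direction,
        [Parameter(Mandatory)][ValidateSet('TCP', 'UDP')][string]$Protocol,
        [Parameter(Mandatory)][int[]]$Ports,
        # 'Any' blocks SMB to and from every host, internal file servers
        # included. Pass addresses or ranges to narrow the rule.
        [string[]]$RemoteAddress = 'Any'
    )
    $name = "Example - block SMB $Protocol $Direction"
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
        return   # rule already present, keep the script idempotent
    }
    $rule = @{
        DisplayName   = $name
        Direction     = $Direction
        Action        = 'Block'
        Protocol      = $Protocol
        RemoteAddress = $RemoteAddress
        Profile       = 'Any'
    }
    # Outbound traffic is matched on the remote server's port,
    # inbound traffic on this machine's own listening port.
    if ($Direction -eq 'Outbound') { $rule.RemotePort = $Ports }
    else                           { $rule.LocalPort  = $Ports }
    New-NetFirewallRule @rule | Out-Null
}

# 1. Registry: record the old value, then deny SSO for public/unspecified resources.
"EnterpriseAccountSSO before: $(Get-NtlmSsoSetting)"
Set-NtlmSsoSetting -Value 0
"EnterpriseAccountSSO after : $(Get-NtlmSsoSetting)"

# 2. Firewall: block SMB and NetBIOS ports in both directions.
foreach ($direction in 'Inbound', 'Outbound') {
    Add-SmbBlockRule -Direction $direction -Protocol TCP -Ports $TcpPorts
    Add-SmbBlockRule -Direction $direction -Protocol UDP -Ports $UdpPorts
}

# 3. Show what is now in place.
Get-NetFirewallRule -DisplayName 'Example - block SMB*' |
    Select-Object DisplayName, Direction, Action, Enabled
```

With the default `-RemoteAddress Any` these rules also stop the machine from reaching file shares and printers on its own network, so on a domain-joined PC the block usually belongs on the border firewall instead.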

References for more details:

 

Carnegie Mellon University – Software Engineering Institute – CERT/CC Blog post by Will Dormann titled: Automatically Stealing Password Hashes with Microsoft Outlook and OLE

 

CVE page at Mitre.org: CVE-2018-0950

 

Microsoft’s page titled: Description of the security update for Word 2016: April 10, 2018

 

Fastest DNS Service on the Internet. Change your DNS server setting to 1.1.1.1

It’s a free DNS resolver service. It’s also the Fastest DNS Service and likely the most Secure DNS Service. The new DNS Service addresses are 1.1.1.1 and 1.0.0.1

Just open up Control Panel on your Windows machine. Then check the Network Adapter Setting. Once there, click on Properties. Most ISPs are still using IPV4. Add in the DNS server address 1.1.1.1 and then another at 1.0.0.1

Click Ok and close. You will then have free access to the Fastest DNS Service on the Internet.

They also have DNS resolvers setup to handle IPV6. The IPV6 DNS Server addresses are 2606:4700:4700::1111 and 2606:4700:4700::1001   

In North America most ISPs are still using IPV4.

Check out Cloudflare’s website for their new DNS Service at https://1.1.1.1 – not a typo. In the address bar of your web browser, key in https://1.1.1.1 and hit enter.

Video courtesy of the The PC Security Channel [TPSC] YouTube channel

This new service was created from a partnership between Cloudflare and APNIC Labs. Cloudflare had the networking hardware, while APNIC had the IP Address 1.1.1.1

For more details please click on this Link to visit Cloudflare’s Blog post which provides lots of detail about this new free Super FAST DNS Service which is also likely the most Secure DNS Service.


Click on this link to visit APNIC’s blog post, about their new DNS venture with Cloudflare.

 

Posted by: Vincent Banial

Marcus Hutchins, who had stopped the spread of WannaCry RansomWare, has apparently been arrested.

Marcus Hutchins works as a Cyber-Security Researcher at Kryptos Logic. It was Marcus who had apparently stopped the spread of the WannaCry version 1 RansomWare. He found the Kill Switch after decompiling the WannaCry v1 code. Once he registered a Domain name found in the code, the spread of WannaCry V1 RansomWare slowed down dramatically. Soon after, WannaCry version 2, which removed the kill switch, was spotted on the Internet.

Marcus was in Vegas for the Black Hat and Def Con conferences. He was apparently arrested after the conferences.

Click on this link to visit the Motherboard Vice.com website to read more details about the apparent arrest of Marcus Hutchins.

Click on this link to visit The Telegraph newspaper website to read their post titled: “FBI arrests WannaCry hero Marcus Hutchins in Las Vegas”.

Click on this link to visit the BBC website and read their post titled: “NHS cyber-defender Marcus Hutchins arrested in US”.

Click on this link to view our prior coverage of the WannaCry Ransomware outbreak.

Ways to protect your computers from Petya Ransomware

Some CERT recommendations to better protect your computers from becoming infected by Petya Ransomware:

    • Perform regular backups of all critical information to limit the impact of data or system loss and to help expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
    • Applocker policies to block execution of files having name perfc.dat as well as psexec.exe utility from sysinternals.
    • Don’t open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. In cases of genuine URLs close out the e-mail and go to the organization’s website directly through browser.
    • Restrict execution of PowerShell / WSCRIPT / PSEXEC / WMIC in enterprise environments. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging, script block logging, and transcription enabled. Send the associated logs to a centralized log repository for monitoring and analysis.
    • Establish a Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) for your domain, which is an email validation system designed to prevent spam by detecting email spoofing, by which most of the ransomware samples successfully reach the corporate email boxes.
    • Application whitelisting/Strict implementation of Software Restriction Policies (SRP) to block binaries running from %APPDATA%, %PROGRAMDATA% and %TEMP% paths. Ransomware sample drops and executes generally from these locations. Enforce application whitelisting on all endpoint workstations.
    • Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses; block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
    • Disable macros in Microsoft Office products. Some Office products allow for the disabling of macros that originate from outside of an organization and can provide a hybrid approach when the organization depends on the legitimate use of macros. For Windows, specific settings can block macros originating from the Internet from running.
    • Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
    • Disable remote Desktop Connections, employ least-privileged accounts.

Click on this link to view the prior coverage about WannaCry Ransomware found on Uniquely Toronto.

 

Posted by: Vincent Banial

 

Find the Key needed to unencrypt a Hard Drive encrypted by Petya Ransomware

Click on this link to visit the GitHub site where Leo Stone has posted some code which might just figure out the key required to unencrypt a Hard Drive encrypted by Petya Ransomware. He suggests trying to find the key using an image copy of the Petya encrypted Hard Disk. That way the original may not be harmed.

Disclaimer: if you use Leo Stone’s code and method, you do so at your own risk. Leo also suggested to make and use an image copy of the encrypted hard Drive so as not to potentially damage the original. Leo’s code may find the key, or it may not. Playing around with the encrypted Hard Drive may damage it to the point that even if you pay the Ransom, you may not be able to retrieve your data from said hard drive. I again state that following Leo Stone’s method as posted on GitHub is done at your own risk. Do your own Due Diligence. You could lose all the data on the hard drive.

Posted by Vincent Banial

Petya Ransomware Major Global Attack

WannaCry Ransomware paved the way by showing how to quickly spread across the Global Internet. It focused on a vulnerability with Windows SMB which had been there for years and only exploited by Nation State employed Hackers.

Petya Ransomware, as has been named by the Security Staff at Kaspersky Lab, learned much from the WannaCry outbreak. Petya Ransomware has spread to thousands of computers at major institutions across the Globe. Petya ransomware is just starting. This is a major Ransomware attack.

It is basically a Worm which was first spread by malicious Excel spreadsheets. Once on a network it stays in memory and as such is not so easy to detect and protect against. It looks like it is also focusing on the Windows SMB protocol and the Ports which support SMB. No wonder the focus on SMB, as Petya uses EternalBlue code as did WannaCry.

My big fear is that Banks and Financial Institution had been targeted by Petya Ransomware. If it infects a large number of Banks then we could possibly see a Major Banking Crisis. It might be an idea to keep some cash on hand, in a safe place. Because it operates as Worm Code it is hard to detect and eliminate.

I will prepare a full review later this week. In the meantime the following are links which will shed light on what is happening. Some of the protective measures which stopped WannaCry Ransomware in its tracks, like disabling SMB ports, could also work to stop or slow the spread of Petya Ransomware.

Click on this link to visit Krebs On Security to read their initial post about Petya.

Click on this link to visit the Kaspersky Lab post titled “Petya Ransomware eats your hard drives”.

Click on this link to visit the Securelist site to read their very detailed post about how Petya Ransomware functions.

Click on this link to visit the Check Point site to read their discussion of the Petya Ransomware worldwide outbreak.

Video is courtesy of the F-Secure YouTube channel

 Click on this link to view the prior coverage about WannaCry Ransomware found on Uniquely Toronto.

Posted by Vincent Banial

Analysis of PETYA Ransomware running live on a computer

Petya Ransomware could be called WannaCry V3 as it is using the same EternalBlue / DoublePulsar code. It starts running via a Windows DLL. In the video below Colin runs Petya on a computer to be able to study it.

Video is courtesy of the Colin Hardy YouTube channel

WannaCry Ransomware infected Traffic Cameras in Australia and Honda’s Sayama factory

Posted by Vincent Banial

WannaCry Ransomware is far from dead. It is still out there on the internet, searching for more victims.

Uniquely Toronto recently had extensive coverage about WannaCry Ransomware and Security Patches and had links to Security Patches and steps to better Secure computers against WannaCry.

When WannaCry was first discovered, Automobile manufacturing plants had been affected after WannaCry infected the Auto Plant’s computers. Seems that the IT folks at a Honda Auto Plant in Japan have not been following the Cyber Security news. WannaCry Ransomware infected Honda’s Sayama car production plant this week.

Click on this link to visit the Reuters News post about WannaCry being found on the computer network at Honda’s Sayama car production plant this week.

Apparently the WannaCry Ransomware was also spread to over 50 Traffic cameras via a USB memory stick. That happened in Australia. Since WannaCry encrypts owner created files on a computer, I would assume it would encrypt any JPGS or video files created by the Traffic cameras. Interesting that it is being claimed that it was spread by the use of a USB Memory stick. A good question to ask, would be “Where has that USB stick been plugged into a computer which was connected to the main system network”. USB Memory sticks generally have to be plugged into a computer to acquire ransomware.

Click on this link to visit the 3AW News Radio Station’s post about WannaCry infecting Traffic cameras in Australia.

Traffic cameras must be a huge money maker. The WannaCry ransomware infection was started apparently on June 6. So by June 22 at least 8,000 Traffic Tickets may be withdrawn because of the infection of the Traffic camera. Those cameras must generate huge amounts of money for the city and for insurance companies and for the court system of lawyers, judges and clerks. Nice money making scheme with possibly little impact on traffic safety. 8,000 tickets in two weeks!!!

Click on this link to visit the Canadian Global News page to read their post titled: “8,000 red-light camera traffic tickets withdrawn in Australia due to WannaCry virus”.

 

Posted by: Vincent Banial

“Rivolta” gives an insight into the Exploits of a 15-year-old “Elite” Hacker named Michael ‘MafiaBoy’ Calce, who had taken down the websites of some of the largest companies.

Michael “MafiaBoy” Calce was just 15 years old. During his Exploit days, prior to being arrested, he had taken down the websites of some of the largest companies in the world, causing an estimated $1.7 billion in losses. He realized the depth of what he had done, after watching a news program where then President Clinton spoke about what “Mafiaboy” had done.

This video: “Rivolta: Inside the Mind of Canada’s Most Notorious Hacker” was produced by HP Canada. “Rivolta” was directed by Hubert Davis.

In one way this young person was extremely curious and yet his educators did not pick-up on that, so he sought out info elsewhere. In one part of the video, Michael Calce talked about taking a computer programming class in Pascal, but showed his instructor that he could code the course examples in far more powerful and complex “C Language“.

How many other genius kids who have the inner desire to learn, are also being missed by their Educators? Yes, this video is about the Exploits of a 15-year-old “Elite” Hacker, but it is also about an Educational System which in my opinion failed this young lad.

Video is courtesy of the HP Canada YouTube channel

Altaro is offering a free ebook “Ransomware: A Survival Guide”

Click on this link to visit the Altaro website to Download their free ebook titled “Ransomware: A Survival Guide”. They ask for your name and email to be able to D/L. Just do a Google search on “Temp Email” to find a site which will give you a free temp email address, if you do not wish to give out your email address.

The Altaro eBook is a short, yet interesting read about Ransomware.

Altaro also have a much more detailed video about Ransomware on their YouTube channel (see below).

Video is courtesy of the Altaro Software YouTube channel

Posted by Vincent Banial

WannaKey along with WanaKiwi may help to decrypt your WannaCry encrypted files without having to pay the Ransom

WannaKey works with older variants of Windows Server and Windows Workstation Operating Systems such as Windows Server 2003, Windows Server 2008, Windows XP, Windows 7, and Windows Vista.

When WannaCry encrypts your files, it creates a Private Key which is used to create the decrypt key. Then the Private key is erased. On older Windows systems the erase does not remove the data from memory. So if you are lucky and you have “not” rebooted the PC then there is a chance that WannaKey could recover the Private key, because it is still held in the system memory.

Once you have the Private Key then you can use a different program called wanakiwi to decrypt the files on the WannaCry encrypted PC.

The key point to remember is that the above process “MAY” work. The Computer which was encrypted by WannaCry Ransomware must “NOT” have been rebooted. Any files to download would be downloaded using a different computer and then run on the encrypted PC via a USB flash Drive. The WannaCry code did issue the command to erase the Private Key, but the bug in older Windows Operating Systems is that the Private Key has not been erased from the computer’s main memory. With a bit of luck, you may be able to decrypt your WannaCry encrypted PC. Note there is no guarantee that this will work. If you are unsure how to go about this, then get a computer professional to help you.

Click on this Link to visit the GitHub page for Wannakey.

Click on thsLink to visit the

Click on this Link to visit the Comae Blog post by Matt Suiche titled “WannaCry — Decrypting files with WanaKiwi + Demos”. Matt goes thru the whole process along with screen shots.

Video is courtesy of the Vishnu Ava YouTube channel

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

Posted by Vincent Banial

Disclaimer: Everything in the post above is subject to change without notice. There could be unintentional errors. Please confirm all info via the linked to websites and web pages. Best Practice is to also always create daily backups. If you try to decrypt a WannaCry encrypted personal computer or server, you do so at your own risk. There is no guarantee that the above info will be successful in decrypting the files.

CERT had issued Vulnerability Note VU#867968 advising about the SMB vulnerability in Microsoft Windows

WannaCry Ransomware seems to have appeared out of the blue. Because of it thousands of people have searched the internet to find out how to disable SMB on their Microsoft Windows based Servers and Workstations and Personal Computers. Thousands had dropped by Uniquely Toronto to read our posts which provided details on ways to disable SMB v1.0.

Now another major attack, Adylkuzz, is underway, and it uses the SMB vulnerability in Windows.

A prior CERT advisory titled “Vulnerability Note VU#867968” (Microsoft Windows SMB Tree Connect Response denial of service vulnerability) was issued on Feb 02 2017.

In March Microsoft issued their Microsoft Security Bulletin MS17-012 which addressed the SMB issue.

There was also an even earlier US-CERT Advisory posted on Jan 16 2017 titled “SMB Security Best Practices”, which suggested “blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN.” Port blocking can be done using your Firewall Software (or Hardware).

“US-CERT cautions users and administrators that disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The benefits of mitigation should be weighed against potential disruptions to users. For more information on SMB, please review Microsoft Security Advisories 2696547 and 204279.”

Microsoft Windows MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.


Posted by Vincent Banial

Disclaimer: Everything in the post above is subject to change without notice. There could be unintentional errors. Please confirm all info via the linked to websites and web pages. Please install the Microsoft Windows MS17-010 Security Update (see link above). Best Practice is to also always create daily backups.

Massive Adylkuzz attack is underway which uses the same tools used by WannaCry

New Adylkuzz Malware attack uses the same tools which were used by WannaCry Ransomware (EternalBlue, for instance), which were released by The Shadow Brokers back in April. EternalBlue code scans a network to find computers running the Microsoft SMB v1.0 protocol service (open TCP ports 139 and 445 along with UDP ports 137 and 138). When one is found, it can then install the malware. Adylkuzz is infecting thousands of computers around the Globe. Microsoft released a Security patch back in March which addressed the SMB vulnerability. Last week Microsoft also released further Windows Security Patches for Windows systems going back to Windows XP. Microsoft’s Windows Security Updates will stop the spread of WannaCry and Adylkuzz, once the Security Patches have been installed and the system rebooted. At the bottom of this post, you will find links to the official Microsoft Patches.

Video is courtesy of the DAHBOO77 YouTube channel

This new Adylkuzz Malware does not request any ransom from the owner of the infected computer. It does its processing in the background. One interesting aspect about the way that Adylkuzz works is that once it infects a computer it then disables the SMB v1.0 protocol. That move prevents any other Malware from infecting the computer. Adylkuzz may very well have protected thousands of computers around the globe from becoming infected by WannaCry Ransomware, because it is believed that Adylkuzz has been running in the wild on the internet for many weeks, since before the WannaCry attack was launched.

Click on this Link to visit the PHYS.Org website to read their post titled: “Another large-scale cyberattack underway: experts”.

Adylkuzz essentially is a Cryptocurrency Miner. Apparently, it is being reported that Adylkuzz does not damage any files. A lot of people use their powerful computers to do Cryptocurrency Mining. Cryptocurrency like Monero and Bitcoin is essentially untraceable Internet money which can be converted to a National Currency or used directly on the Internet. Adylkuzz mines the Monero Cryptocurrency. Once installed on the infected computer it will start to use computer resources. On an older slow PC, the end user will notice a dramatic slowdown. On a Top End fast PC there will be a far less noticeable slowdown. What will be dramatically affected, will be one’s useable internet bandwidth. Downloads and even web page loading will take longer. Watching internet videos will be affected with slowdowns.

To prevent being infected by either WannaCry or Adylkuzz one needs to make sure that any Microsoft Windows Security Updates have been installed. Yes, one can manually disable the SMB v1.0 protocol on a PC, but the Microsoft Security Patches also patch other holes and vulnerabilities in the Windows Operating Systems. Install the Windows Security Patches. Also make sure to Update any and all of your Computer Security software like your Firewall, Anti-Virus, and Anti-Malware software. Then consider buying an external hard drive (if you do not already have one) and start backing up your data. Having a daily Backup of your data files costs far less than having to pay Ransomware, should your PC become infected.

Click on the following link to visit the Proofpoint cybersecurity firm’s post titled: “Adylkuzz Cryptocurrency Mining Malware Spreading for Weeks Via EternalBlue/DoublePulsar”.

Click on this Link to visit the Symantec Security Response blog to read their post titled: “Adylkuzz Cryptocurrency Miner Is Not The Next WannaCry”.

Click on this Link to visit the news.com.au site to read their post titled: “New Adylkuzz cyberattack targeted at mining virtual currency in infected computers”.

Click on this Link to visit the RT website to read their post titled: “WannaCry XXL? 2nd even bigger global cyber attack already underway”.

The following was posted by Anonymous on their YouTube channel TORnado – Anonymous France. Permission to share was posted on their YouTube channel along with the video linked to below:
“Published on May 17, 2017

Greetings citizens of the world,

We are Anonymous.

This is a new warning about a massive hack.
Following the attack “WannaCry Ransomware”, a much larger hack was discovered.

Much more vicious, better hidden and bringing much more money to black-hat hackers, this massive virus is called “Adylkuzz” and simply uses the same flaw as WannaCry.
This is once again a computer tool stolen from the NSA.
But this time it is not your data that is affected but your entire computer that through the rat, will become a minor zombie of crypto-currency.

For the moment of what we, Anonymous know, here is the process:

The virus enters the computer with DoublePulsar and EternalBlue, via the MS17-010 fault on the TCP port 445 as the previous “WannaCryptor” but there will be nothing on the screen. You will not even know that you are infected.

Then the hack will begin mining the cryptocurrency with your machine, i.e. you will produce virtual currency of type “Monero”, similar to the famous bitcoin, without you knowing it and free for hackers you do not know.
Knowing that the mining uses the abilities of the PC, the victim then undergoes slowdowns which causes a malfunction of the computer.

Several hundred thousand people would already be in this case, that’s why we’re alerting you once again. It seems that “WannaCry” was only the part of the iceberg, stay alert, update your Windows and keep your antivirus.

On our side we follow different tracks to find these hackers. Already about 40,000 dollars in Monero have recently been discovered probably the money gained through the hack.

The cryptocurrency is thus once again likely to have a bad image in the media whereas this currency remains a practical and anonymous means to buy or give money.

Now calls to the Anonymous, it’s time to stop these criminals and help those affected or not knowing how to protect themselves.
The NSA can not even protect its own data, so we can only count on ourselves.
In any event,

We’re Anonymous,
We are Legion,
We do not forget,
We do not forgive,
Rogues, thieves, whoever you are,
Expect us.

————————————-“

The video below, by Anonymous, is the above info but spoken in French.
Video is courtesy of the TORnado – Anonymous France YouTube channel

The following are LINKS to Official Microsoft Patches for assorted versions of Windows (including Windows XP). Download English language security updates:

Windows Server 2003 SP2 x64,

Windows Server 2003 SP2 x86,

Windows XP SP2 x64,

Windows XP SP3 x86,

Windows XP Embedded SP3 x86,

Windows 8 x86,

Windows 8 x64

To download localized versions for the security update for Windows XP, Windows 8 or Windows Server: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

Microsoft Windows MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.


Posted by Vincent Banial

Disclaimer: Everything in the post above is subject to change without notice. There could be unintentional errors. Please confirm all info via the linked to websites and web pages. Best Practice is to always create daily backups.

Global spread of WannaCry Ransomware – Mon May 15 2017

Video is courtesy of the NIC Webcast YouTube channel

WannaCry Ransomware is continuing to spread around the globe. Some have even called it the start of a CyberWar. Russian President Putin is apparently blaming the U.S. for creating the tool set. Microsoft is apparently pointing out that the tool set is software stolen from the N.S.A. (National Security Agency).

Click on this link to visit the Kaspersky Lab SecureList blog site to read their detailed coverage titled “WannaCry ransomware used in widespread attacks all over the world”

I’m going to try something new, by featuring links to current news and major website posts related to the Global spread of WannaCry Ransomware:

Click on this link to visit the Microsoft Blog to read their post titled: “The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack” by Brad Smith – President and Chief Legal Officer.

The following is a paragraph from Brad Smith’s post:
All of this provides the broadest example yet of so-called “ransomware,” which is only one type of cyberattack. Unfortunately, consumers and business leaders have become familiar with terms like “zero day” and “phishing” that are part of the broad array of tools used to attack individuals and infrastructure. We take every single cyberattack on a Windows system seriously, and we’ve been working around the clock since Friday to help all our customers who have been affected by this incident. This included a decision to take additional steps to assist users with older systems that are no longer supported. Clearly, responding to this attack and helping those affected needs to be our most immediate priority.

Kudos go out to Microsoft for providing the Security Update for Windows XP:

Windows XP SP2 x64,

Windows XP SP3 x86,

Windows XP Embedded SP3 x86,

Click on this Link to visit the Wall Street Journal website to read their post “Cyberattack Is Likely to Keep Spreading”. In the post they state that WannaCry Ransomware has spread to over 150 countries. Yesterday I had checked a tracking site which stated that over 230,000 computers had been hit with WannaCry. The Tracker only keeps track of those PCs which were still connected to the internet.

Click on this Link to visit The Telegraph news site to read their post “Cyber attack latest: Vladimir Putin blames US for hack as thousands more computers hit by ransomware”.

Click on this Link to visit the CyberSecurity Firm Malwaretech to view their live tracker for WannaCry / WannaCrypt.

Click on this Link to visit the Yahoo Tech site to read the Associated Press article “The Latest: 29,000 Chinese institutions hit by cyberattack”.

Click on this link to visit the Associated Press news site to read their article “Log in, look out: Cyber chaos may grow at workweek’s start”.


Posted by Vincent Banial

Running demo of WannaCry v2 Ransomware Binary

WannaCry Version 2 Ransomware is out. I had mentioned it in a prior post. The main difference is that the Kill Switch code has been removed. It is still a Worm which can spread across a Windows Server-based network, using the SMB v1.0 protocol.

In the video below the actual Binary Code of the WannaCry V2 Ransomware is run in a virtual environment.

Video is courtesy of the Colin Hardy YouTube channel.


Posted by Vincent Banial

How to find the presence of WannaCry Ransomware and SMB v1.0 Servers running on your Windows Network.

First and foremost make sure that you are running backups. The traditional backup system is called Grandfather, Father, and Son. The Son backup set is created Daily. The Father backup set is created Weekly. The Grandfather backup set is created Monthly. If the Daily backup set has problems, then you have fallback options. At most you should only lose one day’s worth of data input, which normally can be reentered or recreated.

Click on this link to visit the SANS Institute InfoSec Reading Room, to D/L their helpful PDF about backup sets, titled “Backup Rotations – A Final Defense”.

Next, please make sure that you have installed Microsoft’s patches (see the bottom of this post for links) on your Windows Servers and all Windows based Workstations. Do not forget about patching Portable Notebook Computers running Windows, as they may not always be connected to your network. This includes Apple Mac Equipment, which may be virtually running Windows.

Click on this link to view a map of the spread of the WannaCry Ransomware attack – so far over 230,000 computers have been hit.

As a further precaution, I would check your Windows Servers and Windows based Workstations to ensure that SMB v1.0 has been disabled.

For Windows based Workstations and Notebooks: Open Control Panel. Scroll down to and click Programs. Next click Turn Windows features on or off. In the Windows Features window, scroll to find the SMB 1.0/CIFS File Sharing Support line. Make sure to clear the checkbox on the SMB 1.0/CIFS File Sharing Support line. Click OK. Now restart the Windows based computer or notebook.

For Windows Server Operating Systems: Open Server Manager and then click the Manage menu. Next select Remove Roles and Features. In the Features window, scroll down to find and clear the SMB 1.0/CIFS File Sharing Support check box. Click OK to close the window. Restart the Windows Server.
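The same check can be scripted when there are too many machines to click through. The following is an added example, not part of the original post: it reports whether SMB v1.0 is still enabled on the local computer and, only when run with the `-Disable` switch, turns it off using Microsoft's documented cmdlets and registry value.

```powershell
# Added example: audit (and optionally disable) SMBv1 on the local machine.
# Run from an elevated PowerShell prompt. Without -Disable it only reports.
param([switch]$Disable)

# Registry location of the SMB server settings, used on Windows 7 / Server 2008 R2 and older.
$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    $server  = $null   # $true if the SMB server still accepts SMBv1
    $feature = $null   # state of the "SMB 1.0/CIFS File Sharing Support" feature

    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later.
        $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Older systems: a missing SMB1 value means SMBv1 is enabled (the default).
        $val = (Get-ItemProperty -Path $regKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $server = ($null -eq $val) -or ($val -ne 0)
    }

    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($f) { $feature = $f.State.ToString() }
    }

    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        ServerSMB1  = $server
        FeatureSMB1 = $feature
    }
}

$before = Get-Smb1State
$before | Format-List

if ($Disable) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $regKey -Name SMB1 -Type DWord -Value 0
    }
    if ($before.FeatureSMB1 -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
    Get-Smb1State | Format-List
    Write-Warning 'Restart the computer to complete the removal of SMB v1.0.'
}
```

Run it without the switch first and keep the report, since older devices on the network may still depend on SMB v1.0.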

Once your Windows Server-based Network is back up and running, start your Network Monitoring tool(s) and Packet Sniffing tool(s). Wireshark is well known. Microsoft Message Analyzer is the replacement for Microsoft’s Network Monitor. SmartSniff is another one. NAST (Network Analyzer Sniffer Tool)  is popular. Capsa Free Network Analyzer allows you to monitor over 300 different protocols.

Click on this link to visit Microsoft’s Technet website to view their post titled: “Microsoft Message Analyzer Operating Guide”.

You should be looking out for some of the following: use of file sharing protocol versions, especially SMB v1.0; activity spikes, like File Renames or New File Creation; multiple Workstations connecting to the same external IP address.

Keep an eye out for instances of the file @Please_Read_Me@.txt on your file shares. Also check for any instances of files with these extensions: .wnry, .wcry, .wncry and .wncryt.
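One way to sweep file shares for the ransom note and the extensions listed above, as an added example that is not part of the original post. The share path `\\fileserver01\shared`, the spike threshold of 50 files per minute and the output file name are assumptions; the script only reads the shares and changes nothing on them.

```powershell
# Added example: read-only sweep of file shares for the WannaCry indicators named above.
# Requires PowerShell 3.0 or later.
param(
    [string[]]$Root = @('\\fileserver01\shared'),  # hypothetical share; pass your own paths
    [int]$SpikeThreshold = 50                      # assumed cut-off: new files per folder per minute
)

$noteName   = '@Please_Read_Me@.txt'
$extensions = '.wnry', '.wcry', '.wncry', '.wncryt'

# -eq and -contains are case-insensitive, so report.docx.WNCRY also matches.
$hits = foreach ($path in $Root) {
    Get-ChildItem -LiteralPath $path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $noteName -or $extensions -contains $_.Extension } |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Indicator = if ($_.Name -eq $noteName) { 'RansomNote' } else { 'EncryptedFile' }
                Folder    = $_.DirectoryName
                Name      = $_.Name
                Created   = $_.CreationTime
                # The owner is usually the account that wrote the file,
                # which helps locate the workstation doing the encrypting.
                Owner     = if ($acl) { $acl.Owner } else { 'unknown' }
            }
        }
}

if (-not $hits) { 'No WannaCry indicators found.'; return }

# Which folders are affected, by which account, and when the first file appeared.
$hits | Group-Object Folder, Owner | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        Files     = $_.Count
        Folder    = $_.Group[0].Folder
        Owner     = $_.Group[0].Owner
        FirstSeen = ($_.Group | Sort-Object Created | Select-Object -First 1).Created
    }
} | Format-Table -AutoSize

# Activity spikes: folders where many matching files were created within one minute.
$hits | Group-Object { '{0} {1:yyyy-MM-dd HH:mm}' -f $_.Folder, $_.Created } |
    Where-Object { $_.Count -ge $SpikeThreshold } |
    Select-Object Count, Name | Format-Table -AutoSize

# Keep the full list for the incident record.
$hits | Export-Csv -Path .\wannacry-indicators.csv -NoTypeInformation
```

The earliest FirstSeen value gives a lower bound on when encryption started, which tells you which backup set (Son, Father or Grandfather) is safe to restore from.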

Video is courtesy of the DAHBOO77 YouTube channel

The following are LINKS to Official Microsoft Patches for assorted versions of Windows (including Windows XP). Download English language security updates at the following links:

Windows Server 2003 SP2 x64,

Windows Server 2003 SP2 x86,

Windows XP SP2 x64,

Windows XP SP3 x86,

Windows XP Embedded SP3 x86,

Windows 8 x86,

Windows 8 x64

Click on this link to download localized versions of the security update for Windows XP, Windows 8 or Windows Server: http://www.catalog.update.microsoft.com/Search.aspx?q=KB4012598

Link to the important Microsoft Windows MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Click on this link to visit Microsoft’s site to read their post titled: “Customer Guidance for WannaCrypt attacks”.


Posted by Vincent Banial

Disclaimer: The above post is subject to change without notice. There may be unintentional errors in the above post.