Tagged: Cybersecurity

Petya Ransomware Major Global Attack

WannaCry Ransomware paved the way by showing how quickly a worm can spread across the global Internet. It exploited a vulnerability in Windows SMB which had been there for years and, until the exploit code leaked, appears to have been used only by nation-state hackers.

Petya Ransomware, as it has been named by the security staff at Kaspersky Lab, learned much from the WannaCry outbreak. It has already spread to thousands of computers at major institutions across the globe, and it is just getting started. This is a major ransomware attack.

It is basically a worm. The first infections came from malicious Excel spreadsheets; once it is on a network it stays in memory, which makes it harder to detect and protect against. It also targets the Windows SMB protocol and the ports which carry SMB. No wonder the focus is on SMB: Petya uses the EternalBlue exploit code, as WannaCry did.

My big fear is that banks and financial institutions have been targeted by Petya Ransomware. If it infects a large number of banks then we could possibly see a major banking crisis. It might be an idea to keep some cash on hand, in a safe place. Because it operates as worm code it is hard to detect and eliminate.

I will prepare a full review later this week. In the meantime the following links will shed light on what is happening. Some of the protective measures which stopped WannaCry Ransomware in its tracks, like blocking the SMB ports and disabling SMBv1, could also work to stop or slow the spread of Petya Ransomware.
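As an added example (my code, not from the original post or from any of the vendors linked here), the following Python probe performs one of the checks behind that advice: whether a host still answers an SMBv1 negotiate on TCP 445. It builds an SMB_COM_NEGOTIATE request offering only the legacy “NT LM 0.12” dialect, classifies the reply, and includes a constructed reply so the parser can be exercised offline. Two things are my assumptions: that a host with SMBv1 disabled closes the connection rather than answering, and the placeholder hostname in the usage line. Run it only against hosts you are authorised to test.

```python
import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
LEGACY_DIALECT = "NT LM 0.12"   # the SMBv1 dialect Windows speaks


def smb1_header(command, mid=1):
    """32-byte SMB1 header: magic, command, NT status, flags, flags2, PID high,
    security features, reserved, TID, PID low, UID, MID."""
    return struct.pack("<4sBIBHH8sHHHHH",
                       SMB1_MAGIC, command, 0, 0x18, 0xC801, 0,
                       b"\x00" * 8, 0, 0, 0, 0, mid)


def build_negotiate_request(dialects):
    """NetBIOS session header + SMB_COM_NEGOTIATE offering the given dialects."""
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = smb1_header(SMB_COM_NEGOTIATE) + struct.pack("<BH", 0, len(body)) + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def parse_negotiate_response(data, offered):
    """Classify the reply. Returns (kind, dialect):
    ('smb1', <dialect>)  server accepted an offered SMBv1 dialect,
    ('smb1', None)       SMBv1 server answered but refused every dialect,
    ('smb2', None)       server answered with an SMB2 header,
    ('invalid', None)    not an SMB negotiate reply."""
    pdu = data[4:]  # strip the 4-byte NetBIOS session header
    if pdu.startswith(SMB2_MAGIC):
        return "smb2", None
    if len(pdu) < 35 or not pdu.startswith(SMB1_MAGIC) or pdu[4] != SMB_COM_NEGOTIATE:
        return "invalid", None
    status = struct.unpack_from("<I", pdu, 5)[0]
    word_count = pdu[32]
    if status != 0 or word_count == 0:
        return "smb1", None
    dialect_index = struct.unpack_from("<H", pdu, 33)[0]   # first word of the reply
    if dialect_index == 0xFFFF or dialect_index >= len(offered):
        return "smb1", None
    return "smb1", offered[dialect_index]


def fake_negotiate_response(dialect_index):
    """Constructed NT LM 0.12 style reply for offline testing: DialectIndex
    followed by the remaining 32 bytes of words zeroed, then an empty data block."""
    words = struct.pack("<H", dialect_index) + b"\x00" * 32
    smb = (smb1_header(SMB_COM_NEGOTIATE) + bytes([len(words) // 2])
           + words + struct.pack("<H", 0))
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def probe_smb1(host, port=445, timeout=3.0):
    """Ask a live host whether it still speaks SMBv1. Assumption: a host with
    SMBv1 disabled closes the connection instead of answering."""
    req = build_negotiate_request([LEGACY_DIALECT])
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            reply = s.recv(4096)
    except (OSError, socket.timeout):
        return "no-response", None
    if not reply:
        return "no-response", None
    return parse_negotiate_response(reply, [LEGACY_DIALECT])


if __name__ == "__main__":
    # Placeholder target; point it at a host you are allowed to scan.
    print(probe_smb1("fileserver.example"))
```

Offering only the SMBv1 dialect is deliberate: if “SMB 2.002” were offered as well, a modern server would answer with an SMB2 header and tell you nothing about whether SMBv1 is still enabled. A result of ('smb1', 'NT LM 0.12') means the host still speaks SMBv1 and remains exposed to EternalBlue-style exploitation unless it has the MS17-010 update installed.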

Click on this link to visit Krebs On Security to read their initial post about Petya.

Click on this link to visit the Kaspersky Lab post titled “Petya Ransomware eats your hard drives”.

Click on this link to visit the Securelist site to read their very detailed post about how Petya Ransomware functions.

Click on this link to visit the Check Point site to read their discussion of the Petya Ransomware worldwide outbreak.

Video is courtesy of the F-Secure YouTube channel

 Click on this link to view the prior coverage about WannaCry Ransomware found on Uniquely Toronto.

Posted by Vincent Banial

“Rivolta” gives an insight into the Exploits of a 15-year-old “Elite” Hacker named Michael ‘MafiaBoy’ Calce, who had taken down the websites of some of the largest companies.

Michael “MafiaBoy” Calce was just 15 years old when, before his arrest, he took down the websites of some of the largest companies in the world, causing an estimated $1.7 billion in losses. He realized the depth of what he had done after watching a news program in which then-President Clinton spoke about what “Mafiaboy” had done.

This video: “Rivolta: Inside the Mind of Canada’s Most Notorious Hacker” was produced by HP Canada. “Rivolta” was directed by Hubert Davis.

In one way this young person was extremely curious, yet his educators did not pick up on that, so he sought out information elsewhere. In one part of the video, Michael Calce talks about taking a computer programming class in Pascal and showing his instructor that he could code the course examples in the far more powerful and complex C language.

How many other genius kids who have the inner desire to learn, are also being missed by their Educators? Yes, this video is about the Exploits of a 15-year-old “Elite” Hacker, but it is also about an Educational System which in my opinion failed this young lad.

Video is courtesy of the HP Canada YouTube channel

WannaKey along with WanaKiwi may help to decrypt your WannaCry encrypted files without having to pay the Ransom

WannaKey works with older versions of the Windows Server and Windows workstation operating systems, such as Windows Server 2003, Windows Server 2008, Windows XP, Windows Vista and Windows 7.

When WannaCry encrypts your files, it first generates an RSA key pair on the infected PC; the private half of that pair is what is needed to decrypt the files. WannaCry then erases the private key, keeping only a copy encrypted for the attackers. On older Windows systems, however, the Windows crypto API does not scrub the prime numbers that make up the private key from the ransomware process's memory. So if you are lucky and have not rebooted the PC, there is a chance that WannaKey can find those primes in memory and rebuild the private key.

Once you have the private key, you can use a different program called wanakiwi to decrypt the files on the WannaCry-encrypted PC.

The key point to remember is that the above process may work; there is no guarantee. The computer which was encrypted by WannaCry Ransomware must not have been rebooted, and the ransomware process should still be running, since it is that process's memory which holds the key material. Any files to download should be fetched on a different computer and then run on the encrypted PC from a USB flash drive. The WannaCry code does issue the call to erase the private key, but on older Windows operating systems that call does not clear the key's primes from the computer's main memory. With a bit of luck, you may be able to decrypt your WannaCry-encrypted PC. If you are unsure how to go about this, get a computer professional to help you.
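Here is an added example of the key-recovery idea behind WannaKey, written for this page rather than taken from WannaKey or wanakiwi. The key size, the memory dump and the per-file key are all constructed; the real tools scan the memory of the ransomware process for the primes of a 2048-bit key. What it shows that the paragraph cannot is why a single leftover prime is enough: given the public modulus n, one prime p yields q = n / p, and from those the private exponent follows.

```python
import random
from math import gcd


def is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin test, sufficient for generating toy RSA primes."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    """Random odd prime with the top bit set, so it is exactly `bits` long."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def make_keypair(bits, rng, e=65537):
    """Stand-in for the RSA pair WannaCry generates on the victim: (n, e, p, q)."""
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return p * q, e, p, q


def build_memory_dump(leftover_prime, size, rng):
    """Constructed stand-in for the ransomware process memory: random bytes
    with the unscrubbed prime embedded little-endian at an unaligned offset."""
    width = (leftover_prime.bit_length() + 7) // 8
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    off = rng.randrange(1, size - width)
    buf[off:off + width] = leftover_prime.to_bytes(width, "little")
    return bytes(buf), off


def find_prime_in_dump(dump, n, widths):
    """Slide windows of each candidate width over the dump. A window value
    that divides n and is neither 1 nor n can only be p or q."""
    for width in widths:
        for off in range(len(dump) - width + 1):
            cand = int.from_bytes(dump[off:off + width], "little")
            if 1 < cand < n and n % cand == 0:
                return cand, off
    return None


def private_exponent(n, e, p):
    """Rebuild d from one prime: q = n / p, phi = (p-1)(q-1), d = e^-1 mod phi."""
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def recover_file_key(dump, n, e, wrapped_key, widths=(16, 32, 64, 128, 256)):
    """WannaKey-style recovery: find a prime, rebuild d, unwrap the file key.
    Returns None when no prime is left in memory (e.g. after a reboot)."""
    hit = find_prime_in_dump(dump, n, widths)
    if hit is None:
        return None
    p, _offset = hit
    return pow(wrapped_key, private_exponent(n, e, p), n)


def demo(seed=1234, key_bits=256):
    """End to end with a constructed key, per-file key and memory dump."""
    rng = random.Random(seed)
    n, e, p, q = make_keypair(key_bits, rng)
    file_key = rng.getrandbits(128)            # constructed per-file key
    wrapped = pow(file_key, e, n)              # protected with the victim's public key
    dump, _ = build_memory_dump(q, 4096, rng)  # q survived in memory; p did not
    return recover_file_key(dump, n, e, wrapped) == file_key


if __name__ == "__main__":
    print("recovered file key:", demo())
```

The scan is deliberately dumb: it tries every byte offset at every plausible key width and tests divisibility against n. That is affordable because n has only two non-trivial divisors, so a false hit is practically impossible, and it is exactly why a reboot defeats the recovery: once the process memory is gone there is nothing left to scan.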

Click on this Link to visit the GitHub page for Wannakey.

Click on this Link to visit the

Click on this Link to visit the Comae Blog post by Matt Suiche titled “WannaCry — Decrypting files with WanaKiwi + Demos”. Matt goes through the whole process, with screenshots.

Video is courtesy of the Vishnu Ava YouTube channel

Click on this link to view other CyberSecurity related posts found on Uniquely Toronto.

Posted by Vincent Banial

Disclaimer: Everything in the post above is subject to change without notice. There could be unintentional errors. Please confirm all info via the linked to websites and web pages. Best Practice is to also always create daily backups. If you try to decrypt a WannaCry encrypted personal computer or server, you do so at your own risk. There is no guarantee that the above info will be successful in decrypting the files.

CERT issued Vulnerability Note VU#867968 advising about an SMB vulnerability in Microsoft Windows

WannaCry Ransomware seems to have appeared out of the blue. Because of it, thousands of people have searched the Internet to find out how to disable SMB on their Microsoft Windows-based servers, workstations and personal computers. Thousands dropped by Uniquely Toronto to read our posts which provided details on ways to disable SMB v1.0.

Now another major attack, Adylkuzz, is underway and also uses the SMB vulnerability in Windows.

A prior CERT advisory, “Vulnerability Note VU#867968” (Microsoft Windows SMB Tree Connect Response denial of service vulnerability), was issued on Feb 02 2017.

In March Microsoft issued Security Bulletin MS17-012, which addressed that SMB Tree Connect issue. Note that this is a different SMB vulnerability from the one exploited by WannaCry; the WannaCry bug is fixed by the MS17-010 security update linked below.

There was also an even earlier US-CERT advisory, posted on Jan 16 2017 and titled “SMB Security Best Practices”, which suggested “blocking outbound SMB connections (TCP ports 139 and 445 along with UDP ports 137 and 138) from the local network to the WAN”. Port blocking can be done using your firewall software (or hardware).

“US-CERT cautions users and administrators that disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The benefits of mitigation should be weighed against potential disruptions to users. For more information on SMB, please review Microsoft Security Advisories 2696547 and 204279.”
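To turn the US-CERT recommendation into something you can verify, here is an added example (my code, not US-CERT's or the original post's) that audits firewall log lines for SMB traffic allowed out of the local network. The log format and the log lines are constructed for the example, and the “internal” ranges are the RFC 1918 blocks plus loopback and link-local, which you would extend with any public ranges of your own.

```python
import ipaddress
import re
from collections import Counter

# SMB transports named in the US-CERT advisory: NetBIOS name/datagram
# services over UDP, NetBIOS session service and direct-hosted SMB over TCP.
SMB_PORTS = {"TCP": {139, 445}, "UDP": {137, 138}}

# What counts as "the local network": RFC 1918 plus loopback and link-local.
# Assumption for the example; add your own public ranges if you run SMB across them.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed log format: timestamp, verdict, protocol, src:port -> dst:port.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_wan_bound_smb(proto, src, dst, dport):
    """The US-CERT policy as a predicate: SMB leaving the local network."""
    return (dport in SMB_PORTS.get(proto.upper(), ())
            and is_internal(src) and not is_internal(dst))


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def audit(lines):
    """Records where WAN-bound SMB was allowed through: each one is a gap in the block rule."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "ALLOW" and is_wan_bound_smb(
                rec["proto"], rec["src"], rec["dst"], rec["dport"]):
            findings.append(rec)
    return findings


def top_talkers(findings):
    """Internal hosts generating WAN-bound SMB, busiest first. During a WannaCry
    style outbreak an infected host scanning the Internet stands out here."""
    return Counter(rec["src"] for rec in findings).most_common()


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2017-05-15T09:58:11Z ALLOW TCP 10.0.0.15:49321 -> 10.0.0.7:445",       # internal share, fine
    "2017-05-15T09:58:40Z ALLOW TCP 10.0.0.15:49350 -> 203.0.113.8:445",    # SMB to the WAN
    "2017-05-15T09:58:41Z ALLOW TCP 10.0.0.15:49351 -> 203.0.113.9:445",    # same host, next target
    "2017-05-15T09:59:02Z ALLOW UDP 10.0.0.22:137 -> 198.51.100.3:137",     # NetBIOS name query to the WAN
    "2017-05-15T09:59:30Z DENY  TCP 10.0.0.15:49361 -> 203.0.113.10:139",   # already blocked
    "2017-05-15T10:00:05Z ALLOW TCP 10.0.0.31:51002 -> 93.184.216.34:443",  # HTTPS, not SMB
    "2017-05-15T10:00:44Z ALLOW TCP 172.16.4.9:50112 -> 203.0.113.8:445",   # SMB to the WAN
    "garbage line the parser must skip",
]

if __name__ == "__main__":
    hits = audit(SAMPLE_LOG)
    for rec in hits:
        print(f'{rec["ts"]} {rec["proto"]} {rec["src"]} -> {rec["dst"]}:{rec["dport"]}')
    print("top talkers:", top_talkers(hits))
```

Only ALLOW records are reported, because DENY records show the block rule working. Running this over a day of firewall logs before you add the rule tells you which hosts legitimately send SMB to the WAN, which is exactly the disruption the US-CERT caveat warns about.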

Microsoft Windows MS17-010 Security Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx.


Posted by Vincent Banial

Disclaimer: Everything in the post above is subject to change without notice. There could be unintentional errors. Please confirm all info via the linked to websites and web pages. Please install the Microsoft Windows MS17-010 Security Update (see link above). Best Practice is to also always create daily backups

Global spread of WannaCry Ransomware – Mon May 15 2017

Video is courtesy of the NIC Webcast YouTube channel

WannaCry Ransomware is continuing to spread around the globe. Some have even called it the start of a cyberwar. Russian President Putin is apparently blaming the U.S. for creating the tool set, and Microsoft is apparently pointing out that the attack was built from software tools stolen from the N.S.A. (National Security Agency).

Click on this link to visit the Kaspersky Lab SecureList blog site to read their detailed coverage titled “WannaCry ransomware used in widespread attacks all over the world”

I’m going to try something new, by featuring links to current news and major website posts related to the Global spread of WannaCry Ransomware:

Click on this link to visit the Microsoft Blog to read their post titled: “The need for urgent collective action to keep people safe online: Lessons from last week’s cyberattack” by Brad Smith – President and Chief Legal Officer.

The following is a paragraph from Brad Smith’s post:
All of this provides the broadest example yet of so-called “ransomware,” which is only one type of cyberattack. Unfortunately, consumers and business leaders have become familiar with terms like “zero day” and “phishing” that are part of the broad array of tools used to attack individuals and infrastructure. We take every single cyberattack on a Windows system seriously, and we’ve been working around the clock since Friday to help all our customers who have been affected by this incident. This included a decision to take additional steps to assist users with older systems that are no longer supported. Clearly, responding to this attack and helping those affected needs to be our most immediate priority.

Kudos go out to Microsoft for providing the Security Update for Windows XP:

Windows XP SP2 x64

Windows XP SP3 x86

Windows XP Embedded SP3 x86

Click on this Link to visit the Wall Street Journal website to read their post “Cyberattack Is Likely to Keep Spreading”. In the post they state that WannaCry Ransomware has spread to over 150 countries. Yesterday I checked a tracking site which stated that over 230,000 computers had been hit with WannaCry. The tracker only counts those PCs which were still connected to the Internet.

Click on this Link to visit The Telegraph news site to read their post “Cyber attack latest: Vladimir Putin blames US for hack as thousands more computers hit by ransomware“.

Click on this Link to visit the MalwareTech site to view their live tracker for WannaCry / WannaCrypt.

Click on this Link to visit the Yahoo Tech site to read the Associated Press article “The Latest: 29,000 Chinese institutions hit by cyberattack“.

Click on this link to visit the Associated Press news site to read their article “Log in, look out: Cyber chaos may grow at workweek’s start”.


Posted by Vincent Banial

“Hack the Air Force” is a new White Hat Hacking contest. The United States Air Force is inviting vetted computer security specialists from across the U.S. and select partner nations to do their best to hack some of its key public websites.

Posted by Vincent Banial

The recent DOD ‘Hack the Pentagon’ contest was a success. That contest was limited to US-based cyber security enthusiasts. The United States Air Force “Hack the Air Force” contest expands the opportunity by allowing individuals and groups from the following countries to participate in addition to US citizens: United Kingdom, Canada, Australia and New Zealand.

The Hack the Air Force contest is being run with the help of the cybersecurity firm HackerOne. The HackerOne platform allows white hat hackers to submit the security holes they find in a safe and secure manner.

Video is courtesy of the HackerOne YouTube channel

On the HackerOne main website page they state :
“77% of Programs Find Security Vulnerabilities within 24 Hours.”.

This sounds like a great move by the Department of Defense and the US Air Force. The prior “Hack the Pentagon” contest was a great success. This new Hack the Air Force contest will allow non-US-based cybersecurity talent to participate. The more people joining the contest, the more security vulnerabilities I suspect will be found.

This should be a win-win for both the Air Force and the white hat hackers. The HackerOne Facebook page states that $16 million in bounties has been paid out in prior HackerOne-coordinated white hat hacking events.

Registration for the ‘Hack the Air Force’ event opens May 15 on the HackerOne website. The contest opens May 30 and ends June 23. Military members and government civilians are not eligible for compensation but can participate on-duty with supervisor approval.

Mark your calendars and make sure that you register starting on May 15 2017.

Click on this link to visit the official US Air Force site to read their news release about this new “Hack the Air Force” White Hat Hacking contest.


“SysAdmin’s Essential Guide to Linux Workstation Security” free eBook from The Linux Foundation

Photo courtesy of Gerd Altmann  – CC0 License. Vincent Banial modified the look & feel.

The Linux Foundation is offering a free download eBook titled: “SysAdmin’s Essential Guide to Linux Workstation Security“.

The suggestions offered in their eBook are organised into three levels of security:

(ESSENTIAL) items which, if not implemented, could introduce high risks to your workstation security.

(NICE) to have items, which will increase overall security but may require learning new habits or unlearning old ones.

(PARANOID) items, which could significantly improve your workstation security but may require time to learn new ways of doing things.

Click on this link to visit The Linux Foundation website and download your own copy of their eBook titled: SysAdmin’s Essential Guide to Linux Workstation Security.


Cisco Talos Security Webinar

Participated in the Cisco Talos Security Webinar on Wednesday.

Last year I posted about a Kaspersky Lab report on a bank exploit in which Russian banks were targeted. Basically the hackers got bank accounting staff to connect to a site where a keylogger and other Trojan remote-control software was secretly downloaded and loaded into system RAM, but never written to the hard disk or to network storage. That allowed their remote-control software (called Lurk) to be overlooked by security software, because most security software scans stored files rather than memory. Once installed, the hackers could monitor the employees. When an employee went for lunch, they took over the PC and started to transfer funds around the world.

Video is courtesy of the DewClarke YouTube Channel

Earlier this year, Russian authorities arrested over 50 alleged hackers who were alleged to be part of the group which targeted and hacked into the banks. The investigation into this group’s activities had been ongoing for years (at least since 2013). The Cisco Talos Security Webinar discussed the arrests and the aftermath. Cisco’s research seems to indicate that the same group was involved in other Internet exploits, one of which was the Angler exploit kit.

Since the Russian arrests, certain malware has disappeared, along with certain DarkNet sites and BotNets. The Russian Authorities made the Internet a tad safer, at least for a short while.

Click on this Link to visit The Hacker News website to read about the Russian sting operation and the arrest of 50+ alleged hackers involved in the banking exploit.


Posted by: Vincent Banial
http://www.uniquelytoronto.com

Disclaimer: Any Trademarks mentioned in this post are owned by the respective Trademark owner. There could be unintentional errors or omissions in this post. Always refer to the official sites to confirm details and any ongoing changes or updates. This post is subject to change without notice.

Malware infected Android Apps discovered by Cybersecurity Researchers

Warning for Android-based cell phone users: cybersecurity experts have found a fake Google Chrome update which installs malware.

The cybersecurity researchers at Zscaler Inc have posted a new finding of a fake Google Chrome update which installs malware. Per Zscaler, the only way to get rid of this Android infostealer is to reset the phone to factory settings (thus wiping it clean).

Click on this line to be taken to the Zscaler website to read their blog post titled: Android infostealer posing as a fake Google Chrome update.
Their post was written by Viral Gandhi

Click on this line to visit the Zscaler YouTube channel

Click on this line to visit the Zscaler website.


Posted by: Vincent Banial
http://www.uniquelytoronto.com


HORNET, the alternative to Tor Network

When we think about surfing the Internet, most people are looking at just the top of the network iceberg. When in fact, the web actually holds a “Deep Web,” hidden from everyday users and ordinary browsers. This is due to the Deep Web continuously encrypting …

Source: HORNET, the alternative to Tor Network

Major Bank Heist using SWIFT. Hackers transferred over $950 Million and got away with $81 Million

The link above is to a Financial Post article on Cyber Security by Martin Arnold


Posted by: Vincent Banial
http://www.uniquelytoronto.com


New Apple OS X Ransomware discovered by “Unit 42” of Palo Alto Networks


A new Ransomware targeting Apple OS X based computers has been found and reported by Palo Alto Networks. Their Unit 42 security group has named this new ransomware “KeRanger”.

Two installers of the Transmission BitTorrent client for OS X were found by Palo Alto Networks to be infected with the KeRanger ransomware.

The following is a quote from the Palo Alto Networks Research Center blog:

Palo Alto Networks reported the ransomware issue to the Transmission Project and to Apple on March 4. Apple has since revoked the abused certificate and updated XProtect antivirus signature, and Transmission Project has removed the malicious installers from its website.

The Transmissionbt.com home page features the following security notice:

Read Immediately!!!!

Everyone running 2.90 on OS X should immediately upgrade to and run 2.92, as they may have downloaded a malware-infected file. This new version will make sure that the “OSX.KeRanger.A” ransomware (more information available here) is correctly removed from your computer.

Users of 2.91 should also immediately upgrade to and run 2.92. Even though 2.91 was never infected, it did not automatically remove the malware-infected file.

Click on this line to visit the Palo Alto Networks Unit 42 webpage, where you will find complete details about KeRanger. Scroll down to the section titled “How To Protect Yourself”.

Click on this line to visit the MacRumors website to read their post titled: “First Mac Ransomware Found in Transmission BitTorrent Client”.

Click on this line to visit the 9to5Mac website to read their post titled “First OS X ransomware detected in the wild, will maliciously encrypt hard drives on infected Macs (updated: how to fix)

Click on this line to visit the Ars Technica website to read their post titled: “First Mac-targeting ransomware hits Transmission users, researchers say. Rogue copy of BitTorrent client results in KeRanger install, which demands 1 bitcoin.”

Click on this line to visit the Reuters website to read their post titled: “Apple users targeted in first known Mac ransomware campaign“.


Posted by: Vincent Banial
www.uniquelytoronto.com

Disclaimer: Any Trademarks mentioned in this post are owned by the respective Trademark owner. There could be unintentional errors or omissions in this post. Always refer to the official sites to confirm details and any ongoing changes or updates. This post is subject to change without notice. Any offers mentioned in this post are also subject to change without notice.

Apple withdraws China apps from the Apple App Store after XcodeGhost malware-infected iOS apps were found by cybersecurity firm Palo Alto Networks.

Ryan Olson, Intelligence Director, with Cyber Security Firm Palo Alto Networks discusses the finding of Apps on Apple’s App Store which were infected by XcodeGhost Malware.

Ryan Olson states that this is an important issue for every Apple IOS user.

If you had downloaded an infected app, one solution might be to then download an “updated” version as it becomes available on Apple’s App Store.

Video is courtesy of the Associated Press YouTube Channel

You can read full details about what Unit 42 of Palo Alto Networks found regarding the XcodeGhost malware-infected iOS apps on Apple’s App Store by clicking on this line.


Posted by: Vincent Banial
http://www.uniquelytoronto.com


Kaspersky Lab publishes details about the Equation Hacker group’s arsenal, including “nls_933w.dll” which can reprogram the hard drive firmware of over a dozen different hard drive brands


Kaspersky Lab presented at their Security Analyst Summit something even more scary than the details about the Carbanak bank cyber heist. Per Kaspersky, the Carbanak group ripped off about 100 banks around the globe for about $1 billion (and in my opinion very likely still counting).

Kaspersky Lab experts referred to the Equation group as the “God” or the “Death Star” of malware. Part of the huge arsenal of code which the Equation group has been developing over what looks like decades is “nls_933w.dll”. “It allows them to reprogram the hard drive firmware of over a dozen different hard drive brands”.

Once nls_933w.dll installs the malware into the hard disk’s firmware, there is no way to remove it. Repartitioning will not affect it. Reformatting has no effect. The only way to get rid of this malware from the targeted computer is to replace, or physically destroy, the hard disk.

Kaspersky Lab goes on to report that the Equation group seems to have existed long before the Stuxnet group.

The word “Elite” is part of the lexicon of hackers. The Equation group therefore can be called the Elite of the Elite of the Elite (and so on) of uber hackers. To be able to hack and modify a hard drive’s firmware is unheard of. To be able to do so for hard drives of over a dozen different brands seemed impossible. Yet the Equation group did it, and very likely much more that has yet to come to light. In comparison, this makes things like the Regin malware’s incredible capabilities seem like no big deal.

Ok, enough of my rambling.

Click on this line to view the Kaspersky Lab report about the Equation group and their arsenal of jaw dropping Malware. On that page you will find a link to a downloadable PDF of the Question and Answer session from their presentation at the Security Analysts Summit.

Wow, this has turned into a CyberSecurity long weekend. Very impressive and rather scary stuff has been revealed by Kaspersky Lab.


Posted by: Vincent Banial


Kaspersky Lab report: The Great Bank Robbery: Carbanak cybergang steals $1 Billion Dollars from 100 financial institutions worldwide

Video is courtesy of the Kaspersky Lab YouTube channel


The Kaspersky Lab report which was presented at the Security Analyst Summit (on Feb 16 2015) is now available online.

Click on this line to visit the Kaspersky Lab SecureList page which discusses the report: The Great Bank Robbery: Carbanak cybergang steals $1bn from 100 financial institutions worldwide. You can also download a PDF of the full report via a link on that webpage.


Posted by: Vincent Banial


Hackers supposedly were able to steal up to $1 Billion Dollars from Banks around the globe


This is a further update to our prior post about the breaking news of a major Cyber Bank Heist.

The amount supposedly stolen from assorted banks around the globe is now being published to be around $1 Billion Dollars.

Racks filled with Cisco Networking gear. Photo Credit Vincent Banial

Hackers supposedly infiltrated Banks via Malware, allowing them to steal hundred of millions of dollars. Detailed report by cybersecurity firm Kaspersky Lab to be made public on Monday Feb 16

Photo of racks filled with Cisco Networking Gear. Photo Credit Vincent Banial

Click on this line to read what was posted today (Sat Feb 14) by the New York Times about hackers infiltrating banks around the world by using malware.

I have had many arguments about security software. One group especially got me going because to them Norton Security was the end all and be all. I finally got their so-called Tech to admit that to him Norton Security was the best because it had the largest market share. That’s like saying that GM automobiles are better than Rolls Royce automobiles because GM has a larger market share.

Of course Norton Security is very good. I believe that the security software created by Kaspersky Lab is better (your mileage may differ). Testing done by the Security Software testing site AV TEST http://av-test.org also top rates Kaspersky Lab security software. But I digress…our coverage of this major Cybersecurity Breach continues below.

The report on what Kaspersky Lab has determined about the cyber bank heist will be made public on Monday Feb 16.

Supposedly ATMs were instructed by the Hackers to dispense money at specific times.

Account balances were supposedly inflated and then the inflated amounts were transferred to Bank Accounts setup by the Hackers.

In the New York Times article it seems that Kaspersky Lab had supposedly seen evidence of hundreds of millions of dollars in supposed theft. The article implied that the Cyber Security Experts at Kaspersky Lab think that the sums stolen could possibly be multiple times more.

I will keep watching for the official Kaspersky Lab report on Monday. Till then you can learn more about this by visiting some of the links below.

Click on this line to read a prior report (Sept 11 2014) by Kaspersky Lab Security Experts. The report is titled: “Thefts in remote banking systems: incident investigations”. It details how Hackers were able to overcome one bank’s Security, by using Social Engineering to infect one key computer in that Bank’s Network. Makes for some interesting reading.

The New York Times post which looks to be the main post which brought this to public light.

CNet’s post about the supposed Cyber Bank Heists.

Ars Technica coverage of the cyber attack on banks around the globe.

The Citizen post about this Hacker worldwide Bank Heist.

New York Times sub post about how Hackers infiltrated Banks.

I will continue to post about this as more is learned – most likely when that Kaspersky Lab report is released on Monday Feb 16 2015.

Posted by: Vincent Banial
