Global ransomware epidemic is just getting started

Thousands of computers around the world are getting locked up by a fast-spreading ransomware. Big businesses are getting hit. An entire hospital is shut out of its system. Suddenly, it’s everywhere: the next big ransomware attack.

Here we go again. And again and again and again and again.

GoldenEye, a new strain of the Petya ransomware, took the world by storm on Tuesday after starting with a cyberattack in Kiev, Ukraine. From there, it spread to the country’s electrical grid, airport and government offices. At the Chernobyl nuclear disaster site, workers had to monitor radiation manually because of the attack. And then it began to go global.

Russia’s largest oil production company, Rosneft, suffered a cyberattack. Denmark-based Maersk, the largest shipping company in the world, had to shut down several of its systems to prevent the attack from spreading. New Jersey-based Merck, one of the largest pharmaceutical companies in the world, also suffered a massive hack. FedEx’s facilities in Tennessee were hit hard from the breach as well.

The list of affected victims goes on, just like it did when the WannaCry ransomware hit in May and locked up more than 200,000 computers across the globe.

It only took 44 days for GoldenEye to stare us down.

Ransomware has been around for years but generally only targeted individual networks, like a single hospital or person. But after the Shadow Brokers hacker group leaked National Security Agency exploits in April, cybercriminals were handed a much more dangerous weapon.

The NSA’s EternalBlue exploit, which took advantage of a Windows PC’s ability to quickly spread files across a network, is the ammunition that powers both WannaCry and GoldenEye.

With the exploit, you don’t need to be breached personally to get infected.

Even if you’re a responsible user on an updated computer, someone on your network could be tricked into downloading malware through emails or a loaded Word document.

It’s why you’re seeing attacks on this scale and why the word “unprecedented” keeps getting thrown around.

Imagine fishing with a single rod and then suddenly you’re given a giant net. For hackers, it’s time to head out to sea.

Ransomware 2.0

The mix of the NSA’s hacking tools with normal malware has created a toxic combination, especially since you can essentially go shopping for malware. GoldenEye is a variant of Petya, which was sold on forums on the dark web since last April as a ransomware service: The buyers get 85 percent of the profit, while the malware’s creators reap 15 percent.

“You don’t have to be a cyber wiz to inflict cyber damage,” Michael Daly, chief technology officer at Raytheon Cybersecurity, said in an email. “Various do-it-yourself kits are available as well as ransomware as an outsourced service on the deep web forums.”

The malware has gotten smarter, too. WannaCry, despite its fame, was fairly basic. A researcher accidentally discovered its killswitch after experimenting with a registered domain name.

Compared with GoldenEye, WannaCry looks like it was written by amateurs. Using Petya, the new ransomware attack not only encrypts crucial files but your entire hard drive and then forces your computer to restart.

It also deletes the computer’s event logs to cover its tracks and hide from analysts, said Mark Mager, a security researcher at Endgame.

“Forensic analysts will be unable to access this data that would be useful to their investigation,” Mager said in a direct message.

And you can’t just accidentally find the killswitch again. Amit Serper, a Cybereason researcher, found a way to block GoldenEye by creating a file on your hard drive, but it won’t shut down every infection like the WannaCry killswitch.

Marcus Hutchins, better known as Malware Tech and the researcher who found the WannaCry fix, said a fix for GoldenEye would not be “doable remotely.”

The fix isn’t in

WannaCry was supposed to be a wake-up call for people to update their computers with the latest software. But it appears people just forgot about the attack and went on with their lives.

Avast, an antivirus company, found that 38 million PCs scanned just last week still have not patched their systems. That’s after Microsoft released special patches so that outdated computers running on Windows XP and earlier versions could be protected from the NSA exploits.

Considering that not everybody uses Avast, Jakub Kroustek, Avast’s threat lab lead, inferred that the “actual number of vulnerable PCs is probably much higher.”

Microsoft did not respond to requests for comment.

Evidently, WannaCry was not the tipping point for people to actually act, and if the trend continues, GoldenEye won’t be either.

The attacks are getting smarter, making more money and being sold as tools. And people are leaving themselves vulnerable.

I’ll see you in a month for the next massive attack.

APT32 group alleged linked to the Vietnamese Government is targeting foreign corporations

APT32 is a new APT group discovered by security experts at FireEye that is targeting Vietnamese interests around the globe.

The APT32 group, also known as OceanLotus Group, has been active since at least 2013, according to the experts it is a state-sponsored hacking group.

The hackers targeting organizations across multiple industries and have also targeted foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 is also targeting peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

“APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.” states the analysis published by FireEye.

FireEye highlighted that currently, it is impossible to precisely link the group to the Vietnamese government even if the information gathered by the hackers would be of very little use to any other state.

According to the experts, the cyber attacks seemed to be assessing the victims’ adherence to Vietnamese regulations but the Vietnamese government denies its involvement.

“The government of Vietnam does not allow any form of cyber-attacks against organizations or individuals,” said foreign ministry spokeswoman Le Thi Thu Hang. “All cyber-attacks or threats to cybersecurity, must be condemned and severely punished in accordance with regulations and laws.”

Back to the last wave of attacks, the APT32 hackers use phishing emails containing a weaponized attachment. It is interesting to note that the attachment is not a Word document, instead, it is an ActiveMime file containing an OLE file containing malicious macros.

Another element of innovation for this campaign is that attacker tracked the success of the phishing emails, using legitimate cloud-based email analytics. The phishing attachments contain an HTML image tags.

“When a document with this feature is opened, Microsoft Word will attempt to download the external image, even if macros were disabled. In all phishing lures analyzed, the external images did not exist.” reads the analysis. “Mandiant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images. When combined with email tracking software, APT32 was able to closely track phishing delivery, success rate, and conduct further analysis about victim organizations while monitoring the interest of security firms.”

The embedded macros create two scheduled tasks to gain persistence for the backdoors used by the hackers.

The first task executes the Squiblydoo application to enable the download of a backdoor from APT32 infrastructure. The second leads to a secondary backdoor delivered as a multi-stage PowerShell script configured to communicate with the domains blog.panggin[.]org, share.codehao[.]net, and yii.yiihao126[.]net.


APT32 threat actors regularly cleared select event log entries in order to conceal their operations, they also heavily obfuscated their PowerShell-based tools and shellcode loaders with Daniel Bohannon’s Invoke-Obfuscation framework.

The arsenal of APT32 includes a custom suite of backdoors such as Windshield, Komprogo, Soundbite, Phoreal, and Beacon.

FireEye warns of the increasing number of nation-state actors using cyber operations to gather intelligence.

“FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests,” Concluded FireEye. “As more countries utilize inexpensive and efficient cyber operations, there is a need for public awareness of these threats and renewed dialogue around emerging nation-state intrusions that go beyond public sector and intelligence targets.”

Bell Canada hacked, 1.9 million customer account details stolen

The telco giant Bell Canada was the victim of a security breach that exposed roughly two million customer account details.

The long string of data breach continues, while I’m writing about the intrusion in the systems of the technology provider DocuSign, another incident made the headlines, this time the victim is Bell Canada.

The company admitted on Tuesday that 1.9 million customer account details were stolen by hackers, anyway Bell Canada confirmed that no financial data (i.e. payment card numbers) or passwords have been stolen.

Crooks are trying to blackmail the company and requested the payment of a ransom to avoid the full data leakage.

“A demand for payment was made by the hacker, but it was not paid,” Bell spokesman Marc Choma said via email to the Reuters on Tuesday. “We did not reply to their demand.”

Bell Canada it the largest telco operator in the country with more than 21 million customers, the revenues of the company in the last fiscal quarter are $5.38bn CAD ($3.96bn USD).

it already notified the incident to the Canadian police who is investigating the case. Customer email addresses and phone numbers and names of another 1,700 people have been already leaked online.

“Bell Canada today announced the illegal access of Bell customer information by an anonymous hacker. Bell has determined that the information obtained contains email addresses, customer names and/or telephone numbers.” reads the data breach notification issued by the company.

“There is no indication that any financial, password or other sensitive personal information was accessed.”

This company clarified that the data breach isn’t linked to the recent global WannaCry malware attacks.

At the time I was writing there is no news regarding the source of the stolen data or the technique used by attackers.

The Canadian Privacy Commissioner’s office is also investigating the incident.

“We are waiting for a fuller report sometime today,” Canadian Privacy Commissioner Daniel Therrien told Reuters in a telephone interview on Tuesday, when asked if Bell Canada had followed proper procedures in responding to the cyber attack.

“We apologize to Bell customers for this situation and are contacting those affected directly,” continues the Bell Canada statement. “Bell took immediate steps to secure affected systems. The company has been working closely with the RCMP cyber crime unit in its investigation and has informed the Office of the Privacy Commissioner.”

Massive ransomware infection hits computers in 99 countries

A Massive ransomware attack targets UK hospitals and Spanish banks, the news was confirmed by Telefónica that was one of the numerous victims of the malicious campaign.

The newspaper El Pais reported the massive attack, experts at Telefónica confirmed the systems in its intranet have been infected, but also added that the situation is currently under control. The fixed and mobile telephony services provided by Telefónica have not been affected by the ransomware-based attack.

The ransomware, dubbed WannaCry (aka Wcry, WanaCrypt, WannaCrypt), also spread among other businesses in Spain, among the victims the energy suppliers Iberdrola and the telco firm Vodafone. Spanish financial institutions confirmed the attacks by downplayed the threat.

WannaCry ransomware

At the time I was writing there is no news about the damage caused by the infections.

The Spanish CERT issued an alert warning the organizations and confirming that the malware is rapidly spreading.

The strain of ransomware at the centre of the outbreak is a variant of Wanna Decryptor aka Wcry aka WanaCrypt aka WannaCry. Spain’s CERT put out an alert saying that the outbreak had affected several organizations.

View image on Twitter

The Wanna Decryptor is exploiting the NSA EternalBlue / DoublePulsar exploit to infect other connected Windows systems on the same network.

“The special criticality of this campaign is caused by exploiting the vulnerability described in bulletin MS17-010 using EternalBlue / DoublePulsar, which can infect other connected Windows systems on the same network that are not properly updated. Infection of a single computer can end up compromising the entire corporate network.” states the security alert issued by the CERT.

“The ransomware, a variant of WannaCry, infects the machine by encrypting all its files and, using the vulnerability mentioned in the previous paragraph that allows the execution of remote commands through Samba (SMB) and is distributed to other Windows machines in That same network.”

The DOUBLEPULSAR backdoor allows attackers to inject and execute malicious code on a target system, it is installed by leveraging the ETERNALBLUE, an SMBv1 (Server Message Block 1.0) exploit that could trigger an RCE in older versions of Windows (Windows XP to Server 2008 R2).

The WannaCry is infecting systems in dozens of states, among the victims there is also the UK public health service.

The network warm capabilities of the malware are allowing the rapid diffusion of the threat

The ransomware demands $300 to restore documents, without any other details of the code we can only speculate that the attack was powered by a criminal gang.

The following aspects of the attack must be carefully analyzed:

  • This attack demonstrates the risks related to the militarization of the cyberspace. Malware, exploits code and hacking tools developed by intelligence agencies and governments could be very dangerous when go out of control.
  • The success of the malware is due to the wrong security posture of the victims that have no awareness of the threat and that did not apply security patches released by Microsoft.
  • Modern critical infrastructure is not resilient to cyber attacks.

Kali Linux 2017.1 rolling release was announced, comes with a set of significant updates and features.

The popular Kali Linux distribution has a new weapon in its hacking arsenal, it can use cloud GPUs for password cracking.

Kali Linux is the most popular distribution in the hacking community, it is a Debian-based distro that includes numerous hacking and forensics tools.

Kali linux

This week, the Kali development team has included new images optimized for GPU-using instances in Azure and Amazon Web Services. The images will improve the password cracking abilities of the Kali Linux distro giving it more power for brute-force attacks exploiting the GPUs computational power.

“Due to the increasing popularity of using cloud-based instances for password cracking, we decided to focus our efforts into streamlining Kali’s approach. We noticed that Amazon’s AWS P2-Series and Microsoft’s Azure NC-Series allow pass-through GPU support so we made corresponding AWS and Azure images of Kali that support CUDA GPU cracking out of the box. You can check out our Cracking in the Cloud with CUDA GPUs post we released a few weeks back for more information.” states the official announcement.

Now is you want to test your password against brute-force attacks you can download the GPU-enhanced images and run in cloud services, the bad news is that this means that also black hats have a new powerful weapon in their hands.

The new Kali Linux, version 2017.1, also adds support for Realtek’s RTL8812AU wireless chipsets, it is a very useful feature because these chipsets are used by major modem-makers like Belkin, D-Link, and TP-Link.

“A while back, we received a feature request asking for the inclusion of drivers for RTL8812AU wireless chipsets. These drivers are not part of the standard Linux kernel, and have been modified to allow for injection. Why is this a big deal? This chipset supports 802.11 AC, making this one of the first drivers to bring injection-related wireless attacks to this standard, and with companies such as ALFA making the AWUS036ACH wireless cards, we expect this card to be an arsenal favorite.” continues the announcement.

The driver can be installed using the following commands:

apt-get update
apt install realtek-rtl88xxau-dkms

Reading the Kali Linux Bug Tracker List we can notice the new support for the OpenVAS 9 vulnerability scanner.

Enjoy it!

Magento Zero Day leaves 200,000 Merchants vulnerable

A popular version of the open source Magento ecommerce platform is vulnerable to a zero-day remote code execution vulnerability, putting as many as 200,000 online retailers at risk. The warning comes from security firm DefenseCode, which found and originally reported the vulnerability to Magento in November.

“During the security audit of Magento Community Edition, a high risk vulnerability was discovered that could lead to remote code execution and thus the complete system compromise including the database containing sensitive customer information such as stored credit card numbers and other payment information,” DefenseCode wrote in a technical description of its discovery (PDF) posted Wednesday.

According Bosko Stankovic, information security engineer at DefenseCode, despite repeated efforts to notify Magento, which began in November 2016, the vulnerability remains unpatched despite four version updates since the disclosure. Affected versions of the Magento Community Edition software include v. 2.1.6 and below. DefenseCode did not examine Magento Enterprise, the commercial version of the platform, but warns both share the same underlying vulnerable code.

“We’re unsure if this vulnerability is actively being exploited in the wild, but since the vulnerability has been unpatched for so long it provides a window of opportunity for potential hackers,” Stankovic said.

Magento confirmed the existence of the flaw in a brief statement to Threatpost and said it was investigating.

“We have been actively investigating the root cause of the reported issue and are not aware of any attacks in the wild. We will be addressing the issue in our next patch release and continue to consistently work to improve our assurance processes,” Magento said in a statement.

The remote code execution (RCE) vulnerability is tied to the default feature in Magento Community Edition that allows administrators to add Vimeo video content to product descriptions.

“When adding Vimeo video content to a new or existing product, the application will automatically retrieve a preview image for the video via POST request taking a remote image URL parameter. The request method can be changed to GET, so the request can be sent,” the advisory states.

If a URL points to an invalid image (a PHP file for example), the application will respond with an error. However, the file will be downloaded regardless, DefenseCode states. “The application saves the file to validate the image, but will not remove it if the validation fails,” researcher said.

Image file information is parsed and saved to a directory that can create conditions ripe for a RCE using a PHP script. “To achieve a Remote Code Execution, two files should be downloaded. One is an .htaccess file that will enable PHP execution in the download directory, the other is a PHP script to be executed,” researchers said.

A likely scenario exploiting this vulnerability includes an attacker targeting a Magento admin panel user (no matter how low their privileges are). The attacker could entice the administrator to visit a URL that triggers a cross-site request forgery attack. If successful, the .htaccess file and the PHP script together can create conditions allowing an attacker to execute remote code on the targeted install of Magento Community Edition.

Next, an adversary can formulate several attack strategies that quickly lead to executing system commands, interacting with the database, or taking over the whole database along with stored credit card numbers and other payment information, or installing malware on the server.

Until Magento addresses the vulnerability, DefenseCode recommends enforcing the use of “Add Secret Key to URLs” within Magento which mitigates the CSRF attack vector, said researchers.

OWASP Top 10 2017 Update

The industry benchmark list is about to change for the first time in four years, but barring a few important changes, it looks a lot like it always has.

After a four-year hiatus, OWASP this week released a working draft of the latest iteration of its OWASP Top 10 vulnerabilities list.

Security leaders welcome some vital changes to the list – namely the addition of application programming interfaces (APIs) – that acknowledge shifts in the development and threat landscape, with hopes that these types of changes would be made more frequently in the future. Others note that in many ways the list looks very similar to previous incarnations. And some say that’s a testament to the need for developer practices– not the list itself–to more rapidly evolve.

A staple benchmark of the application security world, the OWASP Top 10 was designed to help developers avoid common coding bugs and provide security teams some standards for prioritizing vulnerability mitigation. It often sets the tone for enterprise application security program priorities and is also found at the root of many vulnerability testing product-scoring mechanisms and prioritization algorithms.

“To me, the 2017 Top 10 reflects the move towards modern, high-speed software development that we’ve seen explode across the industry since the last version of the Top 10 in 2013,” says Jeff Williams, CTO of Contrast Security and one of the key authors of the list since it was first developed in 2003. “While many of the vulnerabilities remain the same, the addition of APIs and attack protection should focus organizations on the key issues for modern software.”

According to Kunal Anand, CTO and co-founder of Prevoty, the inclusion of APIs is probably the most meaningful change in this go-around. It’s an important addition that addresses the way enterprises operates in this day and age of microservices-enabled DevOps and Agile shops.

“Enterprises across many industries, including finance and retail, are deconstructing large monolithic applications into smaller leaner services and micro-services. It’s common for an average application to make dozens of API calls to render a single page, with many of the calls distributed across different services,” he says. “APIs are ultimately applications, albeit more focused. In 2016, we started to see very targeted attacks against API frameworks. I suspect we’ll see a continuation of that in 2017.”

This new addition could potentially help raise more awareness about API security, which is largely ignored at most organizations today, says Ryan O’Leary, vice president of WhiteHat Security’s Threat Research Center.

“This is a great change and really speaks to the changing dynamic of how we develop applications and build them for modern consumption,” he says.

Having said that, both Anand and O’Leary believe that the Top 10 list isn’t evolving quickly enough to keep up with the pace of change in how software is delivered and in threat patterns.

“I’d like to see an increased cadence when it comes to updating the OWASP Top 10. The Internet, and more specifically applications, looked a lot different in 2013. In our industry, it’s possible to see big changes in just a couple of years,” says Anand, who sees trends like serverless-based technologies, containerization and mobile development frameworks like React all changing the game to the point where they’ll need to be addressed in the near future. “I hope we can update OWASP to cover these large trends and changes more frequently.”

To be fair, though, in many ways the major problems in applications have remained fairly static over the last 14 years.

“We have added and removed a few items over the years, but this year’s list is very similar to what we released in 2003,” says Williams.

In a lot of ways, the OWASP Top 10 pretty well illustrates appsec’s prevailing trend of the more things change, the more they stay the same, says Ben Tomhave, principal security scientist for New Context Services.

“There’s no point in producing a new list every year, because – as demonstrated by the high degree of similarity between recent versions – things simply don’t change that quickly,” he says. “The strong similarities between the 2017 Top 10 list and previous iterations suggests that current approaches to developer awareness and education aren’t working. We clearly have as long way to go, and likely need to change tactics to achieve better outcomes.”

And, in fact, one of the other changes that was made this time around kind of acknowledges that, O’Leary says.

“OWASP is now stating that companies need to have some sort of WAF or RASP technology to detect, respond, and patch. This is going to be a controversial one as it’s a mitigation to a vulnerability and not a vulnerability in itself,” he says. “The OWASP list has typically been focused around vulnerabilities and how to fix or protect against those threats. With this change OWASP is now saying that a 3rd party service or tool is needed. This is likely a result of how slow the industry is to fix vulnerabilities.”

He believes the new inclusion will be a hot button topic for a long time to come.



Symantec Connects 40 Cyber Attacks to CIA Hacking Tools Exposed by Wikileaks

Security researchers have confirmed that the alleged CIA hacking tools recently exposed by WikiLeaks have been used against at least 40 governments and private organizations across 16 countries.
Since March, as part of its “Vault 7” series, Wikileaks has published over 8,761 documents and other confidential information that the whistleblower group claims came from the US Central Intelligence Agency (CIA).
Now, researchers at cybersecurity company Symantec reportedly managed to link those CIA hacking tools to numerous real cyber attacks in recent years that have been carried out against the government and private sectors across the world.

Use Secure VPNs to Prevent ISPs From Spying On You

Data Privacy is a serious concern today with the vast availability of personal data over the Internet – a digital universe where websites collect your personal information and sell them to advertisers for dollars, and where hackers can easily steal your data from the ill-equipped.
If this wasn’t enough, US Senate voted last week to eliminate privacy rules that would have forced ISPs to get your permission before selling your Web browsing history and app usage history to advertisers.
If passed, ISPs like Verizon, Comcast, and AT&T, can collect and sell data on what you buy, where you browse, and what you search, to advertisers all without taking your consent in order to earn more bucks.

WikiLeaks Reveals CIA’s Grasshopper Windows Hacking Framework

As part of its Vault 7 series of leaked documents, whistleblowing website WikiLeaks today released a new cache of 27 documents allegedly belonged to the US Central Intelligence Agency (CIA).
Named Grasshopper, the latest batch reveals a CLI-based framework developed by the CIA to build “customised malware” payloads for breaking into Microsoft’s Windows operating systems and bypassing antivirus protection.
All the leaked documents are basically a user manual that the agency flagged as “secret” and that are supposed to be only accessed by the members of the agency, WikiLeaks claims.