London uni fears 0-day used to cram network with ransomware

Minimalist · Jun 14, 2017

University College London is tonight tackling a serious ransom outbreak that has scrambled academics' files.

It is feared the software nasty is exploiting a zero-day vulnerability, or is a previously unseen strain of malware as antivirus defenses did not spot it in time. Eggheads at the UK uni are urged to not open any more email attachments, which may be booby-trapped with the ransomware.
Click to expand...

https://www.theregister.co.uk/2017/06/14/university_college_london_ransomware_attack/

itman · Jun 14, 2017

Question is why are they opening attachments in the first place?

NormanF · Jun 14, 2017

Human curiosity. Malware authors know the biggest flaw they can exploit is human nature.

Minimalist · Jun 15, 2017

University College London, one of the U.K.’s prestigious public research universities, has closed off access to personal and shared drives after a ransomware attack was detected late Wednesday afternoon.

University officials said this morning that this was a web-based infection, reversing claims made in the early hours of the attack that the ransomware was executed via a phishing email attachment.
Click to expand...

https://threatpost.com/ransomware-attack-hobbles-prestigious-university-college-london

itman · Jun 15, 2017

Minimalist said: ↑

https://threatpost.com/ransomware-attack-hobbles-prestigious-university-college-london
Click to expand...

Love to find what the AV was since they are claiming it was a 0-day that blew right past it.

Daveski17 · Jun 15, 2017

'"Currently it appears the initial attack was through a phishing email, although this needs to be confirmed," the ISD said.' ~ op cit

Minimalist · Jun 15, 2017

Daveski17 said: ↑

'"Currently it appears the initial attack was through a phishing email, although this needs to be confirmed," the ISD said.' ~ op cit
Click to expand...

Update: 18:30 15 June

A final update on this issue for this evening. We have continued to analyse the infection across the UCL filestore and the method of infection this is still ongoing. We have not seen any more users affected by the malware. We no longer think the infection came from an infected email but from users accessing a compromised website. Please be vigilant if you notice an unexpected popup or other unusual behaviour when you access a website close the browser and report it to Service Desk.

We hope to be able to make some changes tomorrow but we will inform all users tomorrow morning before making any changes.
Click to expand...

itman · Jun 15, 2017

Oh yes folks, you can get ransomware via a drive-by download.

A few months back, Eset detected same. I am posting the screen shots below. At first, I thought it was a FP because no one at VT detected anything about the URL. This went for a couple of days - no detections. Also, each drive-by download had a different hash indicating it was polymorphic. So I finally manually submitted the URL to Quttera. It found plenty of malware. Also after that scan, it finally showed detections at VT - thank you, itman.

Anyway, this incident made me a "firm believer" in Eset's ransomware detection capability. BTW - the ransomware was Cerber.

Minimalist · Jun 15, 2017

Well it's a website where exploits and vulnerabilities are discussed so there could be some links to POCs and malware posted... Using IE to access that site would not be my choice

Daveski17 · Jun 15, 2017

I don't know which is the most disconcerting, a phishing email or a drive-by web page.

Minimalist · Jun 16, 2017

Ulster University Also Suffered Ransomware Outage This Week

A second UK university has been hit by a major ransomware attack this week, as new figures showed the country is the most frequently targeted by the malware in Europe.

The attack appears to have struck Northern Ireland’s Ulster University on the same day a ransomware outage affected University College London (UCL).

Ulster Uni’s Information Services Division (ISD) revealed yesterday that its AV partner suspects a zero-day threat was the cause, also echoing the current thinking at UCL.
Click to expand...

https://www.infosecurity-magazine.com/news/ulster-university-also-suffered/

itman · Jun 16, 2017

Minimalist said: ↑

https://www.infosecurity-magazine.com/news/ulster-university-also-suffered/
Click to expand...

I just checked Ulster U's web site. They offer McAfee free to students. So its a fair assumption that's their enterprise vendor also. Do we need further explanation why the U.K. keeps getting hacked all the time?

itman · Jun 16, 2017

This incident might get interesting ..............

Steven Malone, director of security product management at Mimecast, believes that UCL's problem is typical of organizations that do not sufficiently consider email as an attack vector. "UCL appears to be running 'naked' Office 365 for its email security gateway. This is case in point for why all organizations need to ask if they are happy to trade defense-in-depth strategies for single vendor reliance when moving to the cloud...
Click to expand...

http://www.securityweek.com/uk-center-security-excellence-hit-ransomware

Rasheed187 · Jun 17, 2017

itman said: ↑

I just checked Ulster U's web site. They offer McAfee free to students. So its a fair assumption that's their enterprise vendor also. Do we need further explanation why the U.K. keeps getting hacked all the time?
Click to expand...

LOL, good one. But if they were really hacked via web-exploit, I wonder which browser they were using. It would be crazy to still use IE.

itman · Jun 23, 2017

Looks like most Wilders folks are covered on this one; the ad blocker part that is.

Ad blockers help prevent ransomware, says Graham Cluley

Cluley explained that rather than malicious email attachments being the means of entry, as is usually the case in ransomware campaigns, the scourge which last week hit two U.K. universities, University College London and Ulster University, was the consequence of a malvertising operation – in which toxic advertisements on legitimate websites deliver, in this case, Mole ransomware through use of an exploit kit. Users visit what appears to be a legitimate site, but even merely browsing to the site containing the poisoned ad – not needing even to click a link – their computers become polluted with the ransomware.
Click to expand...

https://www.scmagazine.com/ad-blockers-help-prevent-ransomware-says-graham-cluley/article/670877/

Also a classic example of a drive-by download. Hum ....... isn't SmartScreen supposed to prevent stuff like this?

Minimalist · Jun 24, 2017

So they probably used some not up-to-date software that got exploited? I wonder which one was that.
Unfortunately, ad blockers are a must and I usually install them right after I install browser.

Rasheed187 · Jun 24, 2017

Minimalist said: ↑

So they probably used some not up-to-date software that got exploited? I wonder which one was that. Unfortunately, ad blockers are a must and I usually install them right after I install browser.
Click to expand...

I read about it, they used an unpatched version of IE, that's asking for trouble. Apparently their AV also failed to block it. All they need to do is start using FF or Chrome with ad-blocker, and of course AE/white-listing.

guest · Jun 24, 2017

Minimalist said:

ad blockers are a must
Click to expand...

An adblocker is also my first extension after i have installed a browser.

itman · Jun 24, 2017

Rasheed187 said: ↑

I read about it, they used an unpatched version of IE, that's asking for trouble.
Click to expand...

Link please.

itman · Jun 24, 2017

Adgholas malvertising group linked to UCL Trojan ransomware attack

A number of universities in the UK were infected with ransomware via an AdGholas infection chain, according to new research by Proofpoint.

In a blog post, researcher Kafeine said that this was a marked departure from the banking Trojans this group usually distributes.

“Although the universities made headlines as a result of the infection, it appears that the attack was far more widespread, with malvertising appearing on a number of high-profile websites,” Kafeine said.

Kafeine added that between 14 and 15 June, Astrum was dropping Mole ransomware in the United Kingdom and likely in the US. Mole is a member of the CryptFile2/CryptoMix ransomware family

The researcher said that AdGholas malvertising redirecting to the Astrum Exploit Kit is the most evolved blind mass infection chain known today.

“Full HTTPS, heavy smart filtering, domain shadowing, Diffie-Hellman, and perfect knowledge of how the Advertising industry operates allow these threat actors to lure large agencies to bring them high volumes of traffic from high-value website and targets,” they said.

Fraser Kyne, CTO for Bromium, told SC Media UK that these attacks are becoming increasingly well designed, making it hard to spot such an attack.
Click to expand...

https://www.scmagazineuk.com/adghol...-ucl-trojan-ransomware-attack/article/670252/

hawki · Jun 24, 2017

itman said: ↑

Adgholas malvertising group linked to UCL Trojan ransomware attack

https://www.scmagazineuk.com/adghol...-ucl-trojan-ransomware-attack/article/670252/
Click to expand...

WoW ! This is getting sirius. Thanks for that one @itman.

I pity those who do not read Wilders daily. It's easy to lose sight of the fact that the vast majority have no idea of the online threats they face daily and their total lack of awareness of the deficiencies in their security practices.

itman · Jun 25, 2017

Known CVEs used by Astrum include CVE-2016-0189 [7], CVE-2016-1019 [6], and CVE-2016-4117 [8]. The introduction of Diffie-Hellman [9] suggests that there might be a new exploit the actors are trying to hide in this chain

Moreover, it is worth remembering that a common misperception about drive-by malvertising attacks remains prevalent: there is no need to click on the advertisement to be infected. It is enough simply to display the ad: if the machine is vulnerable and targeted, then the infection occurs without any user interaction.
Click to expand...

https://www.proofpoint.com/us/threa...paign-using-astrum-ek-deliver-mole-ransomware

-EDIT-

CVE-2016-0189 is an IE8-11 vulnerability posted 5/2016
CVE-2016-1019 and 4117 are Flash Player vulnerabilities

My money is on the use of a new undisclosed vulnerability in these latest attacks.

hawki · Jun 24, 2017

itman said: ↑

https://www.proofpoint.com/us/threa...paign-using-astrum-ek-deliver-mole-ransomware
Click to expand...

Thinking that Microsoft should make uBlock Origin an integrated part of Windows. WD and Smite Screen are apparently not enough.

Does Smite Screen disable uBlock also?? Why not? Since it disables KIS it's only fair that it should also disable uBlock. Looks like a clear case of discriminatory behavior. uBlock should sue Microsoft for not being blocked by Windows.

EASTER · Jun 24, 2017

hawki said: ↑

WoW ! This is getting sirius. Thanks for that one @itman.

I pity those who do not read Wilders daily. It's easy to lose sight of the fact that the vast majority have no idea of the online threats they face daily and their total lack of awareness of the deficiencies in their security practices.
Click to expand...

And you already know the worse part. Most couldn't care less but only to get online and take off blindly like a bat not even realizing they been owned several times over or when their system goes Kap00f or overheats due to the nature of some of them. Burn baby burn is the motto for advert foulware makers. Drive new unit sales up or tech support right?

hawki · Jun 24, 2017

EASTER said: ↑

And you already know the worse part. Most couldn't care less but only to get online and take off blindly like a bat not even realizing they been owned several times over or when their system goes Kap00f or overheats due to the nature of some of them. Burn baby burn is the motto for advert foulware makers. Drive new unit sales up or tech support right?
Click to expand...

Yeah, I hear you. Kids these days.

BTW: Looking at your Signature, are you sure you couldn't use a little "beefing-up" yourself in your security set up Maybe an M1A2 Abrams Tank or something like that.

Log in or Sign up

London uni fears 0-day used to cram network with ransomware

Minimalist Registered Member

itman Registered Member

NormanF Registered Member

Minimalist Registered Member

itman Registered Member

Daveski17 Registered Member

Minimalist Registered Member

itman Registered Member

Minimalist Registered Member

Daveski17 Registered Member

Minimalist Registered Member

itman Registered Member

itman Registered Member

Rasheed187 Registered Member

itman Registered Member

Minimalist Registered Member

Rasheed187 Registered Member

guest Guest

itman Registered Member

itman Registered Member

hawki Registered Member

itman Registered Member

hawki Registered Member

EASTER Registered Member

hawki Registered Member

Log in or Sign up

London uni fears 0-day used to cram network with ransomware

Minimalist Registered Member

itman Registered Member

NormanF Registered Member

Minimalist Registered Member

itman Registered Member

Daveski17 Registered Member

Minimalist Registered Member

itman Registered Member

Minimalist Registered Member

Daveski17 Registered Member

Minimalist Registered Member

itman Registered Member

itman Registered Member

Rasheed187 Registered Member

itman Registered Member

Minimalist Registered Member

Rasheed187 Registered Member

guest Guest

itman Registered Member

itman Registered Member

hawki Registered Member

itman Registered Member

hawki Registered Member

EASTER Registered Member

hawki Registered Member

Useful Searches