Many firms hit by global cyber-attacks

Discussion in 'malware problems & news' started by clubhouse1, Jun 27, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
  2. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,080
    Location:
    DC Metro Area
    "Petya victims given hope by researchers

    A security firm says it has managed to decrypt files damaged by the recent Petya ransomware attack, on one infected computer.
    ...

    The potential solution only works if the ransomware secured administration privileges to the machine.

    However Positive Technologies said the concept is currently too technical for most average computer users to run...

    The company says in a blog that the creators of the ransomware made mistakes in programming the encryption algorithm Salsa 20 that was used with administration rights...

    http://www.bbc.com/news/technology-40530316
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,080
    Location:
    DC Metro Area
    "Don’t Ignore Ukraine: Lessons From the Borderland of the Internet...

    ...Ukraine’s resilience to recent cyber attacks also stems from its relatively early stage of digital development...

    ...Ukraine’s digital infrastructure pales in comparison with that of most Western countries, including the United States. Many of Ukraine’s critical infrastructure systems still feature non-digital fallbacks or bypass digital systems altogether...

    ...The United States and many Western nations lack similar analog systems to fall back on in the event of an equivalent sustained attack. Long ago, we traded the resilience of non-digital back-up systems for digital convenience and modernization....

    ...Ukraine and the internet in America are one and the same. The very same skills and tools, whether technical or informational, being used on foreign networks are also appearing in the United States and Western Europe. And yet our systemic vulnerabilities are far more expansive...

    Ukraine—a nation whose name translates to “on the borderland” or “borderland”—is once again the frontier of a conflict that threatens to engulf the West...If we ignore the plight of Ukraine, we miss the opportunity to prepare to defend ourselves..."

    https://www.lawfareblog.com/dont-ignore-ukraine-lessons-borderland-internet
     
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,080
    Location:
    DC Metro Area
    "Germany Says Risks From Recent Cyber Attacks Greater Than Expected...

    Germany's BSI federal cyber agency said on Friday that the threat posed to German firms by recent cyber attacks launched via a Ukrainian auditing software was greater than expected, and some German firms had seen production halted for over a week...

    The German statement added to the growing conviction among experts that the global attack was more harmful than initially believed..."

    http://fortune.com/2017/07/07/germany-petya-risks-greater-than-expected/
     
  5. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,080
    Location:
    DC Metro Area
    "Google does their bit to help WannaCry and Petya live longer...

    Google, with impeccable timing, has now released an SMB client for Android which is full featured, but only supports SMBv1, as confirmed by Android Police.

    If widely adopted by enterprises it would make it more difficult for administrators to deactivate SMBv1 support on their network, and therefore place the Windows machines on the network at risk.

    Microsoft’s Ned Pyle, who owns SMB, also reports that SMBv1 is vulnerable to Man in the Middle attacks, meaning even Linux and Android users who use a clean room implementation of SMB would be exposing users to being exploited..."

    https://mspoweruser.com/google-bit-help-wannacry-petya-live-longer/
     
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    A few more loose ends to tie up from the Cisco Talos analysis.

    First, it appears that there was no internal M.E. Doc manipulation other than the attacker gaining access to a sys admin's logon. Then the attacker logged on remotely and did all he had to do to plant the backdoor code on the update server. Once the backdoor code was planted on every M.E. Doc customer device, the attacker entered through the backdoor to deliver the ransomware. Unfortunately, remote logon sys admin capability is a reality. However, there are ways to restrict it, such as by remote device MAC address and the like:
    As far as further attacks on M.E. Doc customers go, Cisco believes that, unlike the previous backdoor hack incidents in which the backdoor was temporary and overlaid in the next M.E. Doc regular update, the attacker used the June backdoor to implant and possibly set a permanent backdoor and other hidden malware:
    Ref.: https://www.scmagazine.com/cisco-talos-notpetya-analysis-attacker-could-launch-again/article/673392/
     
  7. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Then this thread is done?
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Correct, but I wasn't talking about home users of course. I also don't know if it's even possible or realistic to disable auto-update in a corporate environment. But behavior blockers/next-gen AVs could have blocked this attack, by simply monitoring all applications, no matter if they are downloaded/updated from a trusted source. I don't know about all of the details, but it's likely that the modified version of MeDoc executed the Petya ransomware, so monitoring child processes should have been enough to stop it.
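    The child-process check described in this post, as an added example that is not part of the thread or of any product it mentions: it walks process-creation events and flags children of a trusted updater that the updater is not expected to launch. The process names, allow-list and events are constructed sample data, not real telemetry.

```python
from dataclasses import dataclass

# Hypothetical allow-list: what a legitimate updater is expected to spawn.
EXPECTED_CHILDREN = {
    "medoc_updater.exe": {"medoc.exe", "msiexec.exe"},
}
# Binaries an accounting application has no business launching (high severity).
SUSPICIOUS_CHILDREN = {"rundll32.exe", "cmd.exe", "powershell.exe", "wmic.exe"}


@dataclass
class ProcEvent:
    pid: int
    parent_pid: int
    image: str      # basename of the executable
    cmdline: str


def flag_unexpected_children(events):
    """Return (parent_image, child_image, severity) for every child of a
    monitored parent that is not on that parent's allow-list."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.parent_pid)
        if parent is None or parent.image not in EXPECTED_CHILDREN:
            continue                      # only trusted-updater parents are monitored
        if e.image in EXPECTED_CHILDREN[parent.image]:
            continue                      # allow-listed child, nothing to report
        severity = "high" if e.image in SUSPICIOUS_CHILDREN else "medium"
        findings.append((parent.image, e.image, severity))
    return findings


# Constructed Sysmon-style process-creation events (not captured from a real host).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "medoc_updater.exe", "medoc_updater.exe /check"),
    ProcEvent(201, 200, "medoc.exe", "medoc.exe"),                              # expected
    ProcEvent(202, 200, "rundll32.exe", "rundll32.exe C:\\Temp\\payload.dll,#1"),  # flagged
    ProcEvent(203, 202, "cmd.exe", "cmd.exe /c whoami"),                        # parent not monitored
    ProcEvent(204, 200, "notepad.exe", "notepad.exe readme.txt"),               # off-list, medium
]

if __name__ == "__main__":
    for finding in flag_unexpected_children(SAMPLE_EVENTS):
        print(finding)
```

    A real behavior blocker would act on the event (block or suspend the child) rather than just report it; the logic above is the decision, not the enforcement.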
     
  9. Lockdown

    Lockdown Registered Member

    Joined:
    Oct 28, 2016
    Posts:
    772
    Location:
    Wilders Security
    Corps and enterprises disable Windows Updates all the time by disabling the Windows Update service. Some just don't want Windows Updates because of breakages caused by Windows Updates. They just want a system that "works" every day, day-in and day-out - and choose to ignore security risks for the sake of having a "reliable" system.
     
  10. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    OK, you guys lost me. Why are we talking about Windows updates? I thought it was the Medoc program that had a bad update.
     
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    It was.

    If the majority of M.E. Doc customers were indeed large corps. or enterprises, the attack would have been thwarted for the most part due to the practice of never allowing an untested update within the network. M.E. Doc's customers are accounting practices and the like. As such, it is fair to assume their IT support would not be that sophisticated.

    -EDIT- Actually, in this case the above wouldn't have helped since the backdoor was delivered via a software update. It is also very likely that the backdoor had "sleeper" logic in that it did not establish a remote connection until a certain date and time. So monitoring of network logs at the time of the update installation would have shown nothing amiss.

    Also the Eset analysis did show that the ransomware download originated from the M.E. Doc update server. So let's recap events:

    -Revised 7/10/2007-

    1. Attacker logs in remotely to M.E. Doc update server and implants M.E. Doc update with backdoor code.

    2. Malicious update w/backdoor code delivered to customers via scheduled M.E. Doc software update. Assumed is the backdoor had "sleeper" code that would activate the remote connection to M.E. Doc server at a later date and time.

    3. Attacker logs in remotely to M.E. Doc server and removes backdoor update code replacing it with valid update code previously hijacked.

    4. Attacker later logs on to M.E. Doc servers and sets up a remote connection on M.E. Doc server that directs all backdoor requests from the customer's device to his server which contains the ransomware payload. He additionally establishes connections for the backdoor.

    5. Previous update delivered backdoor later activates and establishes connection to M.E. Doc server. Assumed is this backdoor is closed after no. 6 activities to avoid any kind of open network connection monitoring.

    6. Backdoor connects to M.E. Doc server with connection routed to attacker server. Worm payload w/ransomware download received at M.E. Doc update server and routed back to origin customer device. Once worm payload is received, attacker remotely executes it from compromised M.E. Doc server via customer device installed backdoor.

    7. Attacker logs onto M.E. Doc server and removes all traces of remote connections and configuration changes that enabled it.

    So what we have here is the "perfect" malware attack in that from the customer device, no external connection was established other than to the compromised M.E. Doc server.
     
    Last edited: Jul 10, 2017
  12. JRViejo

    JRViejo Super Moderator

    Joined:
    Jul 9, 2008
    Posts:
    98,545
    Location:
    U.S.A.
  13. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    The worst possible scenario of yet another clever line of attack plan.
    With an imposed time limit coded to the backdoor (or any other malware for that matter) it lies concealed and dormant until triggered via the system clock.

    If there is any consolation to be realized from this recent aggressive system hack/penetration it's that it is now exposed fully enough and been (and being) picked apart by security experts to a degree where some alternative mitigations might finally be in order to prevent anything similar in the future.

    On the other hand, it's way too soon IMO to expect anything less than more of the same someplace else eventually via different techniques whilst those windows systems are still operating with default candy code.

    I am always so very curious what Bill Gates would make of his brainchild creation today and what he might suggest as a counter measure to everything we are seeing in ongoing events like this.


     
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    An effective mitigation that can be deployed for logon credential theft is again two-factor authorization. When the remote user logs on, the logon process is suspended. An authorization code is then sent to the person's cell phone, etc. associated with the logon. The authorization code must be entered for the logon to proceed. This technique has the additional benefit of alerting the user that someone is attempting to logon with his credentials.

    Biometric devices can also be deployed such as a thumbprint reader attached to the user's device.
     
    Last edited: Jul 9, 2017
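    The suspended-logon flow itman describes, as an added example that is not from the thread or any named product: the password is already verified, the logon is held pending, a one-time code goes out of band to the user's phone, and the logon completes only if the right code is entered before it expires or too many wrong guesses are made. The class and function names are hypothetical, and the delivery function is a stand-in you would replace with an SMS or push gateway.

```python
import hmac
import secrets

CODE_TTL_SECONDS = 120   # a code pushed to the phone is only good for two minutes
MAX_ATTEMPTS = 3         # a stolen password must not become unlimited code guessing


class PendingLogon:
    def __init__(self, user, code, issued_at):
        self.user = user
        self.code = code
        self.issued_at = issued_at
        self.attempts = 0


class SecondFactor:
    def __init__(self, send_code, now, gen_code=None):
        self.send_code = send_code   # callable(user, code): deliver out of band (stand-in)
        self.now = now               # callable() -> epoch seconds, injectable for tests
        self.gen_code = gen_code or (lambda: f"{secrets.randbelow(10**6):06d}")
        self.pending = {}

    def start_logon(self, user):
        """Called after the password check passes: hold the logon and push a code.
        The push itself alerts the real user that someone holds their credentials."""
        code = self.gen_code()
        self.pending[user] = PendingLogon(user, code, self.now())
        self.send_code(user, code)
        return "pending"

    def complete_logon(self, user, entered):
        p = self.pending.get(user)
        if p is None:
            return "no_pending_logon"
        if self.now() - p.issued_at > CODE_TTL_SECONDS:
            del self.pending[user]
            return "expired"
        p.attempts += 1
        if not hmac.compare_digest(p.code, entered):   # constant-time comparison
            if p.attempts >= MAX_ATTEMPTS:
                del self.pending[user]                  # lock this logon attempt out
                return "locked"
            return "wrong_code"
        del self.pending[user]                          # a code is single use
        return "authenticated"
```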
  15. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Bingo!

    How simple can simple be made to be? :)
     
  16. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Linux systems are being targeted too. Android, Mac, you name it.
     
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    There is still an answer. A solution. Even for those current systems. That brain group will have the corner on the market but only temporary IMHO.

    It's high time (IMHO :) ) for a complete rewrite and to a bit of a different course than the ones that existed so far, which obviously needs to reduce, if not eliminate completely, the capitulation to obedience of these MACHINES' instruction sets to so easily yield when it comes to outside interference command structures.

    If not, then prepare ourselves to strap in and saddle up for a wild ride.
     
  18. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I think MS is doing pretty good with Win 10 ;)
     
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    No one has been more of a critic of Windows than I have over these Windows years. But the intent and raves are always meant constructively in some hopes that they would edge ever closer to that ultimate windows desktop experience everyone would like to finally see.

    For them to finally break away from what's been the norm for them for far too long already and get fiercely aggressive on the security end of things should be a very welcome development, one that many are looking forward to when Redstone3 is rolled out. They are making some positive strides and progress in this area which can only get better right?

    I think all windows users from home to enterprise to military are waiting with bated breath to see if they also have what it takes to make it hack-proof? :oops:
     
  20. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Well they are laying off 3000 employees. Hope they are not part of the security team.;)
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    Can't be done with the current two level user and kernel mode architecture. Needs to be totally redesigned from the ground up along the lines of Unix's multiple security ring architecture. Bottom line - Windows is a building constructed on a faulty foundation and the foundation is collapsing.

    Anything Microsoft is doing now is a "Band-Aid" solution designed to generate more revenue by forcing commercial users to move to their subscription model for the "Band-Aid" security improvement.
     
    Last edited: Jul 9, 2017
  22. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    Thank You itman.

    That is so spot-on in a nutshell. So the beat will go on and everyone is stuck with the cards we've been dealt. The Band-Aid approach.

    What's that saying again? Get used to it. But the more inventive and creative minds are exploring and realizing other more efficient alternatives as usual.

    It's once again a full on cat and mouse game (always was) with windows. :cool: Maybe that's why they threw in the towel and decided it's easier for them to just put telemetry and all other manner of data privacy taps into Win 10 and, continue the routine patch jobs, make fanfare of great new developments as they go along and leave it at that.
     
  23. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    OK where is Bill Bright?
     
  24. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    As far as I know 10 was rebuilt from scratch. Not a Band-Aid. By the help of old hackers. Unix - Linux systems are just as vulnerable PERIOD. Those that do not want to use Windows have a clear choice. Move to Mac or a Linux Distro.
     
  25. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    :argh:

    No worry. With such useful details he can't possibly miss out LoL
     