Many firms hit by global cyber-attacks

Discussion in 'malware problems & news' started by clubhouse1, Jun 27, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    https://www.scmagazine.com/motive-b...-possible-russian-involvement/article/671940/
     
  2. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Ransomware Becomes Go-To Hack as Bitcoin Rallies, NSA Tools Leak..."

    https://www.bloomberg.com/news/arti...-go-to-hack-as-bitcoin-rallies-nsa-tools-leak
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Firms Worldwide Still Recovering From Massive Cyberattack

    Several companies around the world continue to report outages and damage from Tuesday's massive Petya cyberattack that hit firms in more than 60 countries...."

    https://www.voanews.com/a/firms-around-world-still-recovering-massive-cyberattack/3921285.html

    "Worldwide Ransomware Attack Hits Health Systems Again

    Health systems and other organizations worldwide affected by a new ransomware may not be able to recover files, as group behind the NotPetya virus does not appear to be financially motivated...."

    http://www.healthleadersmedia.com/technology/worldwide-ransomware-attack-hits-health-systems-again

    "Retailers issue warnings after cyberattack

    Online retailers are warning customers to prepare for delays as the disruption caused by Tuesday's cyberattack spreads across the shipping industry..."

    http://hosted.ap.org/dynamic/storie...ME&TEMPLATE=DEFAULT&CTIME=2017-06-29-11-36-46

    "Trading on the largest Ukrainian stock exchanges postponed due to the encryptor virus named ExPetr that attacked computers on Tuesday, according to official statements."

    https://sputniknews.com/europe/201706291055091343-ukraine-exchanges-cyberattack/

    "Global Cyber Attack Affects Shipping, FedEx, Emails and More

    The global cyberattack that has been wending its way across continents since Tuesday started creating real consequences at some businesses even as the virus’s spread seemed to be abating...."

    http://www.insurancejournal.com/news/international/2017/06/29/456142.htm

    "Petya malware attack 2017: India is one of the world's worst-hit countries, says report"

    http://www.ibtimes.co.in/petya-malw...worlds-worst-hit-countries-says-report-732768

    "Hospitals in Israel hit by cyber attack...

    The attack came hours after hundreds of cyber experts gathered in Tel Aviv for an annual cybersecurity conference.

    It is believed to have been launched by the ransomware virus that has hit computers around the world in recent days. Several Israeli offices and businesses were affected by that attack, according to reports..."

    http://www.jta.org/2017/06/29/news-...-east/hospitals-in-israel-hit-by-cyber-attack
     
  4. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    18,178
    Location:
    The Netherlands
    I did read it, and the same exploits were used, it's only the malware that's different. It's not really exciting, and this attack can easily be stopped as we know by now.
     
  5. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Global shipping feels fallout from Maersk cyber attack

    Global shipping is still feeling the effects of a cyber attack that hit A.P. Moller-Maersk (MAERSKb.CO) two days ago, showing the scale of the damage a computer virus can unleash on the technology dependent and inter-connected industry.

    About 90 percent of world trade is transported by sea, with ships and ports acting as the arteries of the global economy. Ports increasingly rely on communications systems to keep operations running smoothly, and any IT glitches can create major disruptions for complex logistic supply chains...

    The cyber attack was among the biggest-ever disruptions to hit global shipping. Several port terminals run by a Maersk division, including in the United States, India, Spain, the Netherlands, were still struggling to revert to normal operations on Thursday after experiencing massive disruptions...

    'As Maersk is about 18 percent of all container trade, can you imagine the panic this must be causing in the logistic chain of all those cargo owners all over the world?' said Khalid Hashim, managing director of Precious Shipping (PSL.BK), one of Thailand's largest dry cargo ship owners.

    'Right now none of them know where any of their cargoes (or) containers are. And this 'black hole' of lack of knowledge will continue till Maersk are able to bring back their systems on line'..."

    http://in.reuters.com/article/us-cyber-attack-maersk-idINKBN19K2LE
     
  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "'Janus' resurfaces: I was behind the original Petya. I want to help with NotPetya

    A Twitter user purporting to speak for the cybercrime group behind the original Petya ransomware has claimed they want to help 'repair' the damage caused by this week's attack.

    The Twitter account Janus Cybercrime Solutions (@JanusSecretary), which went dark for a time after the original Petya outbreak, was reactivated on Thursday – and it's not down with the chaos caused in Ukraine and beyond this week following the spread of somewhat similar code that encrypted compromised systems.

    'we're back havin a look in "notpetya" maybe it's crackable with our privkey #petya @hasherezade sadly missed ;),' said the Twitter update."

    https://www.theregister.co.uk/2017/06/29/petya_help/
     
  7. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,930
    Why can't government, hospitals, corporations etc. run their business-related computers within an isolated LAN, instead of connecting everything to the Internet directly/indirectly? For outgoing communications, a few terminals per subunit within an organization should be enough.
     
  8. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Police Suggest Petya Ransomware Attack Was a Distraction...

    The primary target of a crippling computer virus that spread from Ukraine across the world this week is highly likely to have been that country's computer infrastructure, a top Ukrainian police official told Reuters on Thursday...

    A growing consensus among security researchers, armed with technical evidence, suggests the main purpose of the attack was to install new malware on computers at government and commercial organizations in Ukraine. Rather than extortion, the goal may be to plant the seeds of future sabotage, experts said....

    Slovakian security software firm ESET released statistics on Thursday showing 75% of the infections detected among its global customer base were in Ukraine,...

    'In all of the known cases, the companies were first infected through a Ukrainian subsidiary,'...

    'It's highly likely that during this attack new attacks were set up,' said ISSP chairman Oleg Derevianko...

    'At almost all organizations whose network domains were infected, not all computers went offline,' he said by phone. 'Why didn't they all go offline? We are trying to understand what they might have left on those machines that weren't hit.'

    http://fortune.com/2017/06/29/police-suggest-petya-ransomware-attack-was-a-distraction/
     
  9. Robin A.

    Robin A. Registered Member

    Joined:
    Feb 25, 2006
    Posts:
    2,587
    Yes. Things are too tightly-coupled, too "optimized", too interconnected, supply chains operate under critical tolerances, etc. Because of this, not only malware but other problems too, including financial disturbances, propagate easily and very fast. It would be necessary to decouple things, isolate critical systems more, "de-globalize".
     
  10. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,536
    Location:
    U.S.A. (South)
    One link I haven't seen yet (or just simply missed it) is the tentative number of "type" of systems per either Win 7 (8?) and/or 10 which I highly doubt would have been tagged in this particular invasion spread.

    Once again isn't it purely by virtue of 32 bit an easier target for something of this nature to easily get B0nked being a Win 7 series?

    You will pardon my ignorance on that since my eyeballs were sent reeling yesterday trying to stay up on top of the affected regions reports instead of the units they employed.
     
  11. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    From the file I tested in Win 10 Enterprise clicking on the file gave a warning and so I did not click yes allow. I did not see any point in going any further.
    Also when unzipping the win32/64 file, the latest AVG Beta flagged it and quarantined them.
     
  12. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,692
    Location:
    Paris
    For any that actually test the malware and don't see anything immediate occur, note that it will sleep for 60 minutes before activating.
     
  13. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Hello CS
    Yes, I was aware of that and also even if it lay dormant for a month, I don't have the patience. All I know at present is it can't get past 10 Enterprise. And from my testing it does not even get a chance with AVG's new Beta. I was also going to try Ransom free. Next step.
    How is your foot by the way? Hope you are doing well. And wow I see you are posting during normal hours and not at early hours of the morning.
     
    Last edited: Jun 29, 2017
  14. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    What gave the alert? The OS or your security solution?
     
  15. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,888
    Malware can get past all defenses if it gains admin privilege.

    Boredog's test breeds a false sense of security. That's exactly what happened with the NotPetya outbreak.
     
  16. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,536
    Location:
    U.S.A. (South)
    Absolutely and exactly what I keep harping about. :thumb:

    It's called common freaking sense though that at some point the machine must grind to a halt for an overhaul like it or not.
     
  17. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Fact is, banning Bitcoins will not solve the problem. Imagine otherwise if you want.
     
  18. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone

    A fourth ransomware campaign focused on Ukraine has surfaced today, following some of the patterns seen in past ransomware campaigns that have been aimed at the country, such as XData, PScrypt, and the infamous NotPetya...

    M.E.Doc servers appear to have distributed another ransomware...

    It is unclear if this recently discovered ransomware reached users via a trojanized update from the same server or a trojanized M.E.Doc app installed from scratch...

    This "fourth" ransomware is designed to look like WannaCry, the ransomware that affected tens of thousands of computers in mid-May.
    MalwareHunter says this ransomware was "designed" to look like WannaCry, but it's not an actual clone. For starters, the ransomware is coded in .NET, while the original WannaCry was coded in C...

    What's more peculiar is that this fourth ransomware also fits a pattern observed with the previous strains. This ransomware tries to pass as another family — WannaCry...

    Slowly, it's becoming somewhat clear that someone is slinging ransomware specifically at Ukraine and is trying to pass as a mundane cyber crime operation, hiding other motives.

    Putting all clues together, we see four ransomware campaigns that have targeted Ukraine, have tried to pass as other ransomware threats, have quality code, and three of which appear to have used the same server to spread.

    There is no clear-cut evidence that the same person or group is behind all campaigns, but there are too many coincidences to ignore.


    https://www.bleepingcomputer.com/ne...ue-in-ukraine-with-mysterious-wannacry-clone/
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Once is extremely distressing but could be excused. Twice is inexcusable. Dump the software pronto.
     
  20. plat1098

    plat1098 Guest

    No, the longer bitcoins and enterprise networking systems are established and comfy, the harder and more costly it's going to be to knock everything loose. You can say to a three-pack-a-day smoker ten thousand times: Stop smoking, it's bad for you! Change your network and file sharing configurations, it's bad for you! Data backups/cloud storage at least! A lot of people, particularly in smaller enterprise, think lightning doesn't hit the same place twice but we know better.

    Re: Ukraine: By engineering the strains to resemble others, you introduce a major psychological component that wasn't there before. Ransomware used to be "just" ransomware. Now it's a catalyst to instigate mass unrest, and more perhaps.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Depends how it is deployed. In this case, it used its admin privileges to run a legit Win utility, PsExec, to elevate to System privileges which allowed it to do anything.

    I also don't buy the local admin baloney Microsoft is "spieling." For starters, PsExec would not have been installed on client devices and if it were, its use would have been locked down via SRP/GP. However, PsExec was most likely installed on the servers, which is how this attack entered the network.
     
  22. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    Agreed BUT options are limited and turn-over time/transfer of past records, if any remain or can be recovered, could be a problem and these could have been planted in the first round. Chaos. The gift that keeps on giving.

    "...MEDoc is one of only two software options Ukrainian businesses have to pay their taxes,..."

    https://www.washingtonpost.com/worl...455a0e-5cf0-11e7-9b7d-14576dc0f39d_story.html
     
    Last edited: Jun 29, 2017
  23. plat1098

    plat1098 Guest

    Didn't NotPetya hijack the wmic utility?
     
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Bingo. This "jogged my memory from my gov. IT days" when dealing with foreign gov. financial entities. Many govs. have similar setups. Akin to if the IRS in the U.S. said you can only pay them using certain approved software and clearing houses. I also now remember the Ukraine and major issues with foreign EFT payments.
     
  25. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,888
    Yup. A software restriction policy could have prevented the attack by requiring prior authorization to run the process. That's why it's set up as a default deny rule. I wonder if they had one in place.
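    The two controls the last few posts turn on (whether Software Restriction Policy is actually in default-deny mode, and whether PsExec is present or has been used on a host) can both be checked from PowerShell. The script below is an added example written for this thread; it is not code from any poster or from Microsoft. It assumes an elevated PowerShell 5.1 or later session, reads the documented SRP policy key (DefaultLevel 0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted), checks for the PSEXESVC service that PsExec installs when it runs against a target, and searches a constructed list of folders for the binary; the folder list is a guess and should be adjusted to your environment.

```powershell
# Added example (not from the thread): audit a Windows host for SRP default-deny
# and for PsExec artefacts. Assumes an elevated PowerShell 5.1+ session.

# Documented SRP policy location and DefaultLevel meanings.
$srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$levelNames = @{
    0       = 'Disallowed (default-deny)'
    0x20000 = 'Basic User'
    0x40000 = 'Unrestricted'
}

$result = [ordered]@{
    SrpPolicyPresent   = $false
    SrpDefaultLevel    = 'not configured'
    SrpDefaultDeny     = $false
    PsExecServiceFound = $false
    PsExecBinaries     = @()
}

# 1. Is SRP configured, and is its default rule "Disallowed"?
if (Test-Path $srpKey) {
    $result.SrpPolicyPresent = $true
    $props = Get-ItemProperty -Path $srpKey -ErrorAction SilentlyContinue
    if ($null -ne $props.DefaultLevel) {
        $lvl = [int]$props.DefaultLevel
        $result.SrpDefaultLevel = if ($levelNames.ContainsKey($lvl)) { $levelNames[$lvl] } else { "unknown ($lvl)" }
        $result.SrpDefaultDeny  = ($lvl -eq 0)
    }
}

# 2. PsExec registers a service named PSEXESVC on the machine it runs against;
#    a lingering entry is a sign the tool has been used on this host.
$svc = Get-Service -Name 'PSEXESVC' -ErrorAction SilentlyContinue
$result.PsExecServiceFound = ($null -ne $svc)

# 3. Look for the PsExec binary itself. Constructed search list (an assumption);
#    extend it with the paths your environment actually uses.
$searchRoots = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    (Join-Path $env:USERPROFILE 'Downloads')
)
$result.PsExecBinaries = @(
    foreach ($root in $searchRoots) {
        if ($root -and (Test-Path $root)) {
            Get-ChildItem -Path $root -Filter 'psexec*.exe' -Recurse -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty FullName
        }
    }
)

# Report, then flag the two conditions the thread discusses.
[pscustomobject]$result | Format-List

if (-not $result.SrpDefaultDeny) {
    Write-Warning 'SRP is not in default-deny mode; unauthorised executables are not blocked by SRP on this host.'
}
if ($result.PsExecServiceFound -or $result.PsExecBinaries.Count -gt 0) {
    Write-Warning 'PsExec artefacts found; confirm they are expected and covered by an SRP/AppLocker rule.'
}
```

    Run it once on a representative client and once on a server: the thread's point is that PsExec belongs on neither unless an explicit rule allows it, and an SRP DefaultLevel other than 0 means the "default deny" assumption does not hold on that machine. The same DefaultLevel check can be folded into a Group Policy compliance report, since the key is populated by the SRP GPO settings.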
     