Many firms hit by global cyber-attacks

Discussion in 'malware problems & news' started by clubhouse1, Jun 27, 2017.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Europol, FBI, UK's NCA ride out to Ukraine's cavalry call

    The Ukraine, hardest hit by this week's “NotPetya” ransomware/havoc-ware, has called for help from Europol, the FBI, and England's National Crime Agency to investigate who was behind it...

    As well as the three international agencies, the agency says other “leading cyber security institutions” will be involved in the hunt....

    Beyond the Ukraine, it's widely assumed infection hit companies who have Ukraine operations, but that doesn't completely hold up.

    As F-Secure writes in its ongoing investigation, 'We know of victims who don’t use M.E.Doc and have no obvious connections to Ukraine. Yet they were infected during Tuesday’s outbreak. This mystery is one of the factors that have kept us from jumping on the conspiracy train. And we still don’t have answers here.'...”

    https://www.theregister.co.uk/2017/06/30/europol_fbi_uks_nca_ride_out_to_ukraines_cavalry_call/
     
  2. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,535
    Location:
    U.S.A. (South)
    No mystery at all.

    Ever hear of plants? Where these things are cased out and people moved at certain times to sabotage machinery directly.
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    ESET's NotPetya Attack Distribution Map:

    https://images.unian.net/photos/2017_06/1498805675-1627.jpg
     
  5. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
  7. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    Analysis and clarification:

    "NotPetya Development May Have Started Before EternalBlue..."

    https://www.infosecurity-magazine.com/news/notpetya-may-have-started-before/
     
  8. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Smart port in Rotterdam confounded by cyber attack

    The APM Terminal in Rotterdam’s Maasvlakte harbour basin is the flagship container terminal for its parent, shipping giant Maersk. Fully automated, it serves as the model for other container terminals operated around the world by the Danish group.

    But days after its computer system was struck by a ransomware virus on Tuesday, APM was idle, all cranes out of action,...

    By Friday afternoon, one of the two terminals had reopened, according to the Telegraaf, but the fully-automated one remained out of action..."

    http://www.dutchnews.nl/news/archives/2017/06/smart-port-in-rotterdam-confounded-by-cyber-attack/
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    I buy into this one.

    I already mentioned in the WannaCry Win 10 thread that it is naïve to assume that the NSA exploits were not known prior to their public disclosure and patching. The EternalBlue exploit could have been deployed previously for the sole purpose of setting a backdoor to be deployed at a later date; like now. If the backdoor was set, deploying the patch or even disabling SMBv1 would have little mitigation effect since the backdoor would have established persistence and means to propagate through the internal network via the normal file sharing ports. For example by using SMBv2+. All the attacker had to do is, at a time of his choosing, download subsequent payloads through the existing backdoor and remotely execute them.

    What is somewhat amazing to me is that it appears many corps. have not "beefed up" their perimeter network monitoring to detect suspicious inbound network traffic. Additional mitigations starting with Win 8 was the ability to restrict access to admin shares as noted here: https://4sysops.com/archives/access-denied-to-administrative-admin-shares-in-windows-8/ . Also using a security solution with IDS protection and blocking access to admin shares there.
     
    Last edited: Jun 30, 2017
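As an added illustration of the Win 8+ mitigations the post above points to (example script written for this thread, not code from the 4sysops article or from any vendor): the PowerShell below audits a Windows 8/Server 2012 or later host for the three things an SMBv1 worm relies on (SMBv1 enabled, default administrative shares present, SMB reachable from anywhere) and then turns each of them off. The admin subnet `10.0.50.0/24` and the rule names are assumptions for the example; change them to match your environment.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread (not from the 4sysops article): audit and harden a
# Windows 8+/Server 2012+ host against SMBv1 exploitation and lateral movement over
# admin shares. Needs the SmbShare and NetSecurity modules that ship with those OS versions.

$AdminSubnet  = '10.0.50.0/24'   # ASSUMPTION: where legitimate admin / software-deployment traffic originates
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbHardeningState {
    # Snapshot of the settings an SMB worm cares about, so the change can be reviewed before and after.
    $cfg    = Get-SmbServerConfiguration
    $auto   = Get-ItemProperty -Path $LanmanParams -ErrorAction SilentlyContinue
    $shares = Get-SmbShare | Where-Object { $_.Name -match '^(ADMIN\$|[A-Z]\$)$' }
    $smbIn  = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
              Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
    [pscustomobject]@{
        SMB1Enabled        = $cfg.EnableSMB1Protocol
        AutoShareServer    = $auto.AutoShareServer   # $null = default, i.e. shares are recreated at boot
        AutoShareWks       = $auto.AutoShareWks
        AdminSharesPresent = ($shares.Name -join ',')
        InboundSmbRulesOn  = $smbIn.Count
    }
}

function Disable-LegacySmb {
    # 1. SMBv1 off on the server side: both EternalBlue and EternalRomance are SMBv1 exploits.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # 2. Stop the Server service recreating ADMIN$ / C$ at the next boot
    #    (AutoShareServer applies to server SKUs, AutoShareWks to client SKUs).
    New-ItemProperty -Path $LanmanParams -Name AutoShareServer -PropertyType DWord -Value 0 -Force | Out-Null
    New-ItemProperty -Path $LanmanParams -Name AutoShareWks    -PropertyType DWord -Value 0 -Force | Out-Null

    # 3. Remove the live administrative shares now. IPC$ is left alone: named-pipe
    #    access (RPC, Group Policy) still needs it.
    Get-SmbShare | Where-Object { $_.Name -match '^(ADMIN\$|[A-Z]\$)$' } | Remove-SmbShare -Force
}

function Restrict-InboundSmb {
    # Windows Firewall evaluates Block rules before Allow rules, so do NOT add a
    # "block everything else on 445" rule: it would also block the admin subnet.
    # Instead rely on the profile's default inbound action (Block) and leave a single
    # narrowly scoped Allow rule.
    Set-NetFirewallProfile -All -DefaultInboundAction Block

    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
        Where-Object { $_.Direction -eq 'Inbound' } | Disable-NetFirewallRule

    if (-not (Get-NetFirewallRule -DisplayName 'SMB-In from admin subnet only' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'SMB-In from admin subnet only' -Direction Inbound `
            -Protocol TCP -LocalPort 445 -RemoteAddress $AdminSubnet -Action Allow -Profile Any | Out-Null
    }
}

# Usage: review, apply, review again.
Get-SmbHardeningState
Disable-LegacySmb
Restrict-InboundSmb
Get-SmbHardeningState
```

Two caveats a practitioner would want before running this fleet-wide: removing ADMIN$ and C$ breaks PsExec-style remote administration and some deployment agents that push over those shares, so the admin-subnet allow rule (or an equivalent for the deployment servers) has to be in place first; and disabling SMBv1 on the server side does not stop this host from speaking SMBv1 as a client to an old NAS or print server, which the post's "file sharing ports" point still covers.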
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Also of issue to me is the M.E.Doc update hijacking. Appears to me, the Ukraine and other affected countries' commercial concerns are not following SOP in regards to software upgrades. SOP in this regard is to perform the upgrade/update on a stand-alone device and thoroughly test it out for functionality and problems. Only after testing is the upgrade/update "rolled out en masse" to the network end point devices.
     
    Last edited: Jun 30, 2017
  11. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,888
    There is the importance of going on a secure platform and applying all patches and updates as soon as they're released. Maersk learned a very expensive lesson in computing security.
     
  12. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Industry Reactions to Destructive NotPetya Attacks: Feedback Friday
    http://www.securityweek.com/industry-reactions-destructive-notpetya-attacks-feedback-friday

    Also don't know what the previous reference to the Chernobyl nuclear complex was about since it appears that is completely shut down. However, the Ukraine still has 15 operating nuclear reactors according to this: https://en.wikipedia.org/wiki/List_of_nuclear_reactors. So appears building fall-out shelters in western Europe is the growth industry to get into.
     
  13. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,888
    The problem wasn't with the update. The problem was the update server was hacked. Of course, at the time there was no way to determine the software update had been compromised.
     
  14. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    NATO Cooperative Cyber Defence Centre of Excellence -- Analysis of and Proposed Response to NotPetya

    "NotPetya and WannaCry Call for a Joint Response from International Community

    The global outbreak of NotPetya malware on 27 June 2017 hitting multiple organisations in Ukraine, Europe, US and possibly Russia can most likely be attributed to a state actor, concluded a group of NATO CCD COE researchers Bernhards Blumbergs, Tomáš Minárik, LTC Kris van der Meij and Lauri Lindström. Analysis of both recent large-scale campaigns WannaCry and NotPetya raises questions about possible response options of affected states and the international community..."

    https://ccdcoe.org/notpetya-and-wannacry-call-joint-response-international-community.html
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    It was the M.E.Doc update server that was hacked. What I stated previously in regards to how the receiving entities handled those updates still stands.
     
    Last edited: Jun 30, 2017
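The two posts above (the staged-rollout SOP and the hacked update server) together describe a gate that an update must pass before it reaches production end points. The script below is an added example written for this thread, not M.E.Doc's or any vendor's tooling, of what that gate looks like on a Windows staging host: an update package is only copied from the pending share to the approved share if its Authenticode signature is valid, the signing certificate is the one pinned when the vendor was first vetted, and its SHA-256 appears in a hash list obtained through a channel other than the update server. The share paths, thumbprint and manifest location are assumptions for the example.

```powershell
# Added example for this thread (not vendor code): release gate for third-party
# update packages on a staging host. PowerShell 4.0+ for Get-FileHash.

# ASSUMPTIONS: pinned thumbprint of the vendor's code-signing certificate, recorded
# when the vendor was first vetted; a hash list received out of band (signed e-mail,
# vendor portal over a separate channel), never fetched from the update server itself.
$ExpectedThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'
$ManifestPath       = 'C:\secops\update-hashes.txt'       # one "<sha256> <filename>" per line
$StagingShare       = '\\stage01\updates\pending'         # where the update client drops new packages
$ReleaseShare       = '\\dist01\updates\approved'         # what production end points pull from

function Test-UpdatePackage {
    param([Parameter(Mandatory)][string]$Path)
    $reasons = [System.Collections.Generic.List[string]]::new()

    # Check 1: a signature that chains to a trusted root and covers the whole file.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $reasons.Add("signature status is $($sig.Status)")
    }
    # Check 2: signed by *our* vendor, not merely by some valid certificate.
    elseif ($sig.SignerCertificate.Thumbprint -ne $ExpectedThumbprint) {
        $reasons.Add("signer $($sig.SignerCertificate.Thumbprint) is not the pinned publisher")
    }

    # Check 3: the hash matches what the vendor told us through the other channel.
    # A hash published on the same compromised server proves nothing, which is why
    # the manifest is kept locally and sourced out of band.
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $known = Get-Content -Path $ManifestPath | ForEach-Object { ($_ -split '\s+')[0].ToUpperInvariant() }
    if ($hash -notin $known) {
        $reasons.Add("SHA-256 $hash is not in the out-of-band manifest")
    }

    [pscustomobject]@{
        Path     = $Path
        Hash     = $hash
        Approved = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

function Publish-ApprovedUpdates {
    # Move only packages that pass every check; everything else stays in pending with a reason logged.
    Get-ChildItem -Path $StagingShare -File | ForEach-Object {
        $result = Test-UpdatePackage -Path $_.FullName
        if ($result.Approved) {
            Copy-Item -Path $_.FullName -Destination $ReleaseShare
            Write-Output "APPROVED $($_.Name) sha256=$($result.Hash)"
        } else {
            Write-Warning "REJECTED $($_.Name): $($result.Reasons)"
        }
    }
}

Publish-ApprovedUpdates
```

This gate is in addition to, not instead of, the stand-alone functional test the earlier post describes: an attacker who owns the vendor's build pipeline can produce a package that is correctly signed, and a vendor that does not sign its updates at all leaves only the out-of-band hash and the isolated test run as controls. The script is also deliberately the last step before the approved share, so a package that was installed and exercised on the isolated test device is the same bytes that production end points receive.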
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    So there you have it "in a nutshell." Nothing unique in delivery method including the hacked update server. Also if NATO is correct, it appears prior backdoor compromise was also not a factor; I am reserving judgement on that one.
     
  17. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Alert was from Windows. Then scanned with AVG.
     


  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Are you running WD ATP?
     
  19. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Just Enterprise standard install in VirtualBox, 90-day never-ending trial. Have not set up for insider builds as of yet.
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    So we can assume it was stand-alone WD detection by sig. which it would have created by the time you did your testing.
     
  21. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
  22. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    The screen shot doesn't say. It does not say SmartScreen and so not sure since I have not enabled the new insider builds, but appears AVG beta already had Heur for this file. Although like Norman stated it is not a true test because I did not set up a network where an actual exploit test could be done. This was only an EXE.
    I have tested a lot of other malware against this new AVG Beta and becoming more impressed. It still misses a few but overall is pretty good. Like I said all I did was click on the EXE and got the Windows warning. Maybe EASTER could add more?
     
  23. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    I am going to take it that MRG validated that the exploit used in this attack was EternalRomance and not EternalBlue as has been noted on more than one published news source. MRG used EternalRomance to validate various security solutions' effectiveness against this attack as discussed previously. I can see how this can be mixed up since both are SMBv1 exploits. However, they operate differently as I will highlight below from the recent Microsoft analysis on both exploits.

    Additionally, Microsoft makes no mention of a backdoor being set by EternalBlue. So in the WannaCry attack, the backdoor was indeed set by the DoublePulsar exploit. Finally, to correct my previous statement, there was no remote code execution kernel-mode driver vulnerability exploited by EternalBlue but rather by DoublePulsar and also by EternalRomance.

    Two additional points:

    1. There had to have been at least one patched server on the concerns nailed by this recent attack. The exceptions were those nailed by the malware laced application update which could have been prevented by proper update validation procedures.
    2. Microsoft states that all these exploits would have failed on Win 8+ versions but for different reasons which I will underline:

    Ref.: https://blogs.technet.microsoft.com...ith-windows-10-virtualization-based-security/
     
    Last edited: Jun 30, 2017
  24. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,648
    Location:
    U.S.A.
    Yeah, it does; Win64:Malware-gen and Win32:Malware-gen. Both are generic signatures. One reason for WD's recent improvement in detection scores is that MS is using other AV vendor developed generic signatures. Can one expect them to do otherwise ..............
     
  25. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    No itman those were AVG detections
     