Security

Petya Ransomware Outbreak Originated In Ukraine Via Tainted Accounting Software (bleepingcomputer.com) 6

An anonymous reader quotes a report from Bleeping Computer: Today's massive ransomware outbreak was caused by a malicious software update for M.E.Doc, a popular accounting software used by Ukrainian companies. According to several researchers, such as Cisco Talos, ESET, MalwareHunter, Kaspersky Lab, and others, an unknown attacker was able to compromise the software update mechanism for M.E.Doc's servers, and deliver a malicious update to customers. When the update reached M.E.Doc's customers, the tainted software packaged delivered the Petya ransomware -- also referenced online as NotPetya, or Petna. The Ukrainian software vendor appears to have inadvertently confirmed that something was wrong when, this morning, issued a security advisory. Hours later, as the ransomware outbreak spread all over Ukraine and other countries across the globe causing huge damages, M.E.Doc denied on Facebook its servers ever served any malware. According to security researcher MalwareHunter, this is not the first time M.E.Doc has carried a malicious software update that delivered ransomware. Back in May, the company's software update mechanism also helped spread the XData ransomware.
Security

Hacker Behind Massive Ransomware Outbreak Can't Get Emails From Victims Who Paid (vice.com) 115

Joseph Cox, reporting for Motherboard: On Tuesday, a new, worldwide ransomware outbreak took off, infecting targets in Ukraine, France, Spain, and elsewhere. The hackers hit everything from international law firms to media companies. The ransom note demands victims send bitcoin to a predefined address and contact the hacker via email to allegedly have their files decrypted. But the email company the hacker happened to use, Posteo, says it has decided to block the attacker's account, leaving victims with no obvious way to unlock their files. [...] The hacker tells victims to send $300 worth of bitcoin. But to determine who exactly has paid, the hacker also instructs people to email their bitcoin wallet ID, and their "personal installation key." This is a 60 character code made up of letters and digits generated by the malware, which is presumably unique to each infection of the ransomware. That process is not possible now, though. "Midway through today (CEST) we became aware that ransomware blackmailers are currently using a Posteo address as a means of contact," Posteo, the German email provider the hacker had an account with, wrote in a blog post. "Our anti-abuse team checked this immediately -- and blocked the account straight away.
Australia

Roadside Cameras Infected with WannaCry Virus Invalidate 8,000 Traffic Tickets (yahoo.com) 172

Long-time Slashdot reader nri tipped us off to a developing story in Victoria, Australia. Yahoo News reports: Victoria Police officials announced on Saturday, June 24, they were withdrawing all speed camera infringement notices issued statewide from June 6 after a virus in the cameras turned out to be more widespread than first thought. "That does not mean they [the infringement notices] won't not be re-issued," Assistant Commissioner Doug Fryer told reporters, explaining that he wants to be sure the red light and speed cameras were working correctly. Acting Deputy Commissioner Ross Guenther told reporters on Friday that 55 cameras had been exposed to the ransomware virus, but they've now determined 280 cameras had been exposed. The cameras are not connected to the internet, but a maintenance worker unwittingly connected a USB stick with the virus on it to the camera system on June 6.

Fryer said that about 1643 tickets would be withdrawn -- up from the 590 that police had announced on Friday -- and another five and a half thousand tickets pending in the system would be embargoed. Fryer said he was optimistic the 7500 to 8000 tickets affected could be re-issued, but for now police would not issue new tickets until police had reviewed the cameras to ensure they were functioning properly... The "WannaCry" malware caused the cameras to continually reboot, Fryer said. Fryer said there was no indication the malware had caused inaccurate radar readings, but police were being "over cautious" to maintain public faith in the system.

Last week Victoria's Police Minister was "openly furious" with the private camera operator, saying the group hadn't notified the relevant authorities about the infection.
Network

WikiLeaks Doc Dump Reveals CIA Tools For Hacking Air-Gapped PCs (bleepingcomputer.com) 74

An anonymous reader writes: "WikiLeaks dumped today the manuals of several hacking utilities part of Brutal Kangaroo, a CIA malware toolkit for hacking into air-gapped (offline) networks using tainted USB thumb drives," reports Bleeping Computer. The CIA uses these tools as part of a very complex attack process, that allows CIA operatives to infect offline, air-gapped networks. The first stage of these attacks start with the infection of a "primary host," an internet-connected computer at a targeted company. Malware on this primary host automatically infects all USB thumb drives inserted into the machine. If this thumb drive is connected to computers on an air-gapped network, a second malware is planted on these devices. This malware is so advanced, that it can even create a network of hacked air-gapped PCs that talk to each other and exchange commands. To infect the air-gapped computers, the CIA malware uses LNK (shortcut) files placed on the USB thumb drive. Once the user opens and views the content of the thumb drive in Windows Explorer, his air-gapped PC is infected without any other interaction.
Security

Fireball Browser Hijack Impact Revised After Microsoft Analysis (eweek.com) 10

Sean Michael Kerner, writing for eWeek: A browser hijacking operation initially reported to have 250 million victims by security firm Check Point isn't quite that large, according to a new analysis by Microsoft. On June 1, security firm Check Point reported that a browser hijacking operation called "Fireball" had already claimed 250 million victims. According to a Microsoft analysis published June 22, Check Point's estimate of the number of victims was "overblown" and the attack is not nearly as widespread as initially reported. The Fireball attack is a browser hijacking that is potentially able to download malware onto victims' systems, as well as manipulate pageviews and redirect search requests. Check Point's initial analysis claimed that Fireball was being bundled as part of free software downloads to unsuspecting users. "Indeed, we have been working with Microsoft on their analysis, feeding them with some additional data," Maya Horowitz, group manager of threat intelligence at Check Point, said in a statement sent to eWEEK. "We tried to reassess the number of infections, and from recent data we know for sure that numbers are at least 40 million, but could be much more."
Firefox

Chrome and Firefox Headless Modes May Spur New Adware & Clickfraud Tactics (bleepingcomputer.com) 80

From a report: During the past month, both Google and Mozilla developers have added support in their respective browsers for "headless mode," a mechanism that allows browsers to run silently in the OS background and with no visible GUI. [...] While this feature sounds very useful for developers and very uninteresting for day-to-day users, it is excellent news for malware authors, and especially for the ones dabbling with adware. In the future, adware or clickfraud bots could boot-up Chrome or Firefox in headless mode (no visible GUI), load pages, and click on ads without the user's knowledge. The adware won't need to include or download any extra tools and could use locally installed software to perform most of its malicious actions. In the past, there have been quite a few adware families that used headless browsers to perform clickfraud. Martijn Grooten, an editor at Virus Bulletin, also pointed Bleeping Computer to a report where miscreants had abused PhantomJS, a headless browser, to post forum spam. The addition of headless mode in Chrome and Firefox will most likely provide adware devs with a new method of performing surreptitious ad clicks.
Microsoft

Microsoft Admits Disabling Anti-Virus Software For Windows 10 Users (bbc.com) 207

An anonymous reader quotes a report from the BBC: Microsoft has admitted that it does temporarily disable anti-virus software on Windows PCs, following an competition complaint to the European Commission by a security company. In early June, Kaspersky Lab filed the complaint against Microsoft. The security company claims the software giant is abusing its market dominance by steering users to its own anti-virus software. Microsoft says it implemented defenses to keep Windows 10 users secure. In an extensive blog post that does not directly address Kaspersky or its claims, Microsoft says it bundles the Windows Defender Antivirus with Windows 10 to ensure that every single device is protected from viruses and malware. To combat the 300,000 new malware samples being created and spread every day, Microsoft says that it works together with external anti-virus partners. The technology giant estimates that about 95% of Windows 10 PCs were using anti-virus software that was already compatible with the latest Windows 10 Creators Update. For the applications that were not compatible, Microsoft built a feature that lets users update their PCs and then reinstall a new version of the anti-virus software. "To do this, we first temporarily disabled some parts of the AV software when the update began. We did this work in partnership with the AV partner to specify which versions of their software are compatible and where to direct customers after updating," writes Rob Lefferts, a partner director of the Windows and Devices group in enterprise and security at Microsoft.
Network

Ask Slashdot: Best Way To Isolate a Network And Allow Data Transfer? 233

Futurepower(R) writes: What is the best way to isolate a network from the internet and prevent intrusion of malware, while allowing carefully examined data transfer from internet-facing computers? An example of complete network isolation could be that each user would have two computers with a KVM switch and a monitor and keyboard, or two monitors and two keyboards. An internet-facing computer could run a very secure version of Linux. Any data to be transferred to that user's computer on the network would perhaps go through several Raspberry Pi computers running Linux; the computers could each use a different method of checking for malware. Windows computers on the isolated network could be updated using Autopatcher, so that there would never be a direct connection with the internet. Why not use virtualization? Virtualization does not provide enough separation; there is the possibility of vulnerabilities. Do you have any ideas about improving the example above?
Microsoft

Microsoft Will Disable WannaCry Attack Vector SMBv1 Starting This Fall (bleepingcomputer.com) 73

An anonymous reader writes: Starting this fall, with the public launch of the next major Windows 10 update — codenamed Redstone 3 -- Microsoft plans to disable SMBv1 in most versions of the Windows operating systems. SMBv1 is a three-decades-old file sharing protocol that Microsoft has continued to ship "enabled by default" with all Windows OS versions.

The protocol got a lot of attention recently as it was the main infection vector for the WannaCry ransomware. Microsoft officially confirmed Tuesday that it will not ship SMBv1 with the Fall Creators Update. This change will affect only users performing clean installs, and will not be shipped as an update. This means Microsoft decision will not affect existing Windows installations, where SMBv1 might be part of a critical system.

Communications

CIA Created 'CherryBlossom' Toolkit For Hacking Hundreds of Routers Models (bleepingcomputer.com) 107

An anonymous reader writes: After a two-week hiatus, WikiLeaks dumped new files as part of the Vault 7 series -- documents about a CIA tool named CherryBlossom, a multi-purpose framework developed for hacking hundreds of home router models. The tool is by far one of the most sophisticated CIA malware frameworks in the CIA's possession. The purpose of CherryBlossom is to allow operatives to interact and control SOHO routers on the victim's network. The tool can sniff, log, and redirect the user's Internet traffic, open a VPN to the victim's local network, execute actions based on predefined rules, alert operators when the victim becomes active, and more. A 24-page document included with the CherryBlossom docs lists over 200 router models from 21 vendors that the CIA could hack. The biggest names on this list are Apple, D-Link, Belkin, Aironet (Cisco), Linksys, and Motorola.
Security

Oil Changes, Safety Recalls, and Software Patches (daemonology.net) 129

An anonymous reader shares a blog post: Every few months I get an email from my local mechanic reminding me that it's time to get my car's oil changed. I generally ignore these emails; it costs time and money to get this done and I drive little enough -- about 2000 km/year -- that I'm not too worried about the consequences of going for a bit longer than nominally advised between oil changes. I do get oil changes done... but typically once every 8-12 months, rather than the recommended 4-6 months. On the other hand, there's another type of notification which elicits more prompt attention: Safety recalls. There are two good reasons for this: First, whether for vehicles, food, or other products, the risk of ignoring a safety recall is not merely that the product will break, but rather that the product will be actively unsafe; and second, when there's a safety recall you don't have to pay for the replacement or fix -- the cost is covered by the manufacturer. I started thinking about this distinction -- and more specifically the difference in user behaviour -- in the aftermath of the "WannaCry" malware. While WannaCry attracted widespread attention for its "ransomware" nature, the more concerning aspect of this incident is how it propagated: By exploiting a vulnerability in SMB for which Microsoft issued patches two months earlier. As someone who works in computer security, I find this horrifying -- and I was particularly concerned when I heard that the NHS was postponing surgeries because they couldn't access patient records. [...] I imagine that most people in my industry would agree that security patches should be treated in the same vein as safety recalls -- unless you're certain that you're not affected, take care of them as a matter of urgency -- but it seems that far more users instead treat security patches more like oil changes: something to be taken care of when convenient... or not at all, if not convenient. It's easy to say that such users are wrong; but as an industry it's time that we think about why they are wrong rather than merely blaming them for their problems.
Desktops (Apple)

Apple Mac Computers Are Being Targeted By Ransomware, Spyware (bbc.com) 54

If you are a Mac user, you should be aware of new variants of malware that have been created specifically to target Apple computers; one is ransomware and the other is spyware. "The two programs were uncovered by the security firms Fortinet and AlienVault, which found a portal on the Tor 'dark web' network that acted as a shopfront for both," reports BBC. "In a blog post, Fortinet said the site claimed that the creators behind it were professional software engineers with 'extensive experience' of creating working code." From the report: Those wishing to use either of the programs had been urged to get in touch and provide details of how they wanted the malware to be set up. The malware's creators had said that payments made by ransomware victims would be split between themselves and their customers. Researchers at Fortinet contacted the ransomware writers pretending they were interested in using the product and, soon afterwards, were sent a sample of the malware. Analysis revealed that it used much less sophisticated encryption than the many variants seen targeting Windows machines, said the firm. However, they added, any files scrambled with the ransomware would be completely lost because it did a very poor job of handling the decryption keys needed to restore data. The free Macspy spyware, offered via the same site, can log which keys are pressed, take screenshots and tap into a machine's microphone. In its analysis, AlienVault researcher Peter Ewane said the malicious code in the spyware tried hard to evade many of the standard ways security programs spot and stop such programs.
Power

Researchers Reveal Malware Designed To 'Power Down' Electric Grid (securityledger.com) 42

chicksdaddy writes: A sample of malicious software discovered at the site of a December, 2016 cyber attack on Ukraine's electrical grid is a previously unknown program that could be capable of causing physical damage to the electrical grid, according to reports by two security firms. The Security Ledger reports: "Experts at the firm ESET and Dragos Security said on Monday that the malicious software, dubbed CrashOverride (Dragos) or Industroyer (ESET) affected a 'single transmission level substation' in the Ukraine attack on December 17th, 2016 in what appears to have been a test run. Still, experts said that features in the malware show that adversaries are automating and standardizing what were previously manual attacks against critical infrastructure, while also adding features that could be used to physically disable or damage critical systems -- the first evidence of such activity since the identification of the Stuxnet malware in 2010. The Crash Override malware 'took an approach to understand and codify the knowledge of the industrial process to disrupt operations as STUXNET (sp) did,' wrote Dragos Security in a report. The malware improves on features seen in other malicious software that it knows to target industrial control systems. Specifically, the malware makes use of and manipulates industrial control system-specific communications protocols. That's similar to features in ICS malware known as Havex that targeted grid operators in Europe and the United States in 2014. The Crash Override malware also targeted the libraries and configuration files of so-called 'Human Machine Interfaces' (or HMIs) to understand the environment they have infected. It can use HMIs, which provide a graphical interface for managing industrial control system equipment, to connect spread to other Internet connected equipment and systems, Dragos said."
Security

New Malware Downloader Can Infect PCs Without A Mouse Click (engadget.com) 151

An anonymous reader quotes Engadget: You think you're safe from malware since you never click suspicious-looking links, then somebody finds a way to infect your PC anyway. Security researchers have discovered that cybercriminals have recently started using a malware downloader that installs a banking Trojan to your computer even if you don't click anything. All it takes to trigger the download is to hover your mouse pointer over a hyperlink in a carrier PowerPoint file. According to researchers from Trend Micro and Dodge This Security the technique was used by a recent spam email campaign targeting companies and organizations in Europe, the Middle East and Africa. The emails' subjects were mostly finance-related, such as "Invoice" and "Order #," with an attached PowerPoint presentation. The PowerPoint file has a single hyperlink in the center that says "Loading... please wait" that has an embedded malicious PowerShell script. When you hover your mouse pointer over the link, it executes the script.
Trend Micro writes that "while the numbers aren't impressive, it can also be construed as a dry run for future campaigns, given the technique's seeming novelty," adding "It wouldn't be far-fetched for other malware like ransomware to follow suit."
Security

Linux Malware Infects Raspberry Pi Devices And Makes Them Mine Cryptocurrency (hothardware.com) 84

An anonymous reader quotes Hot Hardware: If you're a Raspberry Pi user who's never changed the default password of the "pi" user, then heed this warning: change it. A brand new piece of malware has hit the web, called "Linux.MulDrop.14", and it preys on those who haven't secured their devices properly... After scanning for RPis with an open (and default) SSH port, the "pi" user is logged into (if the password is left default), and the password is subsequently changed. After that, the malware installs ZMap and sshpass software, and then it configures itself. The ultimate goal of Linux.MulDrop.14 is to make digital money for someone else, namely the author of the malware, using your Raspberry Pi.
Microsoft

No Known Ransomware Works Against Windows 10 S, Says Microsoft (betanews.com) 160

An anonymous reader shares a report: According to Microsoft, "no Windows 10 customers were known to be compromised by the recent WannaCry (WannaCrypt) global cyberattack." That's great news for anyone running the latest version of the OS, and the software giant says it is working to ensure Windows 10 remains safe from other future attacks. However, if you want to guarantee your safety from ransomware, then Microsoft points out there's an even more secure option to consider -- Windows 10 S. The new, hardened Windows 10 variant only runs apps from the Windows Store, which means it can't run programs from outside Microsoft's ecosystem, and that includes malware. Which is why, as Microsoft says, "No known ransomware works against Windows 10 S."
Microsoft

Malware Uses Obscure Intel CPU Feature To Steal Data and Avoid Firewalls (bleepingcomputer.com) 128

An anonymous reader writes: Microsoft's security team has come across a malware family that uses Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) interface as a file transfer tool. The problem with Intel AMT SOL is that it's part of Intel's ME, a separate chip inside Intel CPUs that runs its own OS and stays on even when the main CPU is off.

Inside Intel's ME, AMT SOL opens a virtual network interface which works even when the PC is turned off. Furthermore, because this virtual network interface runs inside ME, firewalls and security products installed on the main OS won't detected malware using AMT SOL to exfiltrate data.

The malware was created and used by a nation-state cyber-espionage unit codenamed PLATINUM, active since 2009, and which has targeted countries around the South China Sea. PLATINUM is by far one of the most sophisticated hacking groups ever discovered. Last year [PDF], the OS maker said the group was installing malware by abusing hotpatching — a mechanism that allows Microsoft to issue updates that tap into active processes and upgrade applications or the operating system without having to reboot the computer.

Details about PLATINUM's recent targets and attacks are available in a report [PDF] Microsoft released yesterday.

Security

Russian Malware Communicates Using Britney Spears's Instagram Account (welivesecurity.com) 54

JustAnotherOldGuy writes: A key weakness in malicious software is the "Command and Control" (C&C) system -- a central server that the malware-infected systems contact to receive updates and instructions, and to send stolen data. Anti-malware researchers like to reverse engineer malicious code, discover the C&C server's address, and then shut it down. Turla is an "advanced persistent threat" hacking group based in Russia with a long history of attacking states in ways that advance Russian state interests. A new analysis by Eset shows that Turla is solving its C&C problems by using Britney Spears' Instagram account as a cut-out for its C&C servers. Turla moves the C&C server around, then hides the current address of the server in encrypted comments left on Britney Spears's image posts. The compromised systems check in with Spears' Instagram whenever they need to know where the C&C server is currently residing.
Security

Malware Uses Router LEDs To Steal Data From Secure Networks (bleepingcomputer.com) 105

An anonymous reader writes: Researchers from the Ben-Gurion University of the Negev in Israel have developed malware that when installed on a router or a switch can take control over the device's LEDs and use them to transmit data in a binary format to a nearby attacker, who can capture it using simple video recording equipment. The attack is similar to the LED-it-GO attack developed by the same team, which uses a hard drive's blinking LED to steal data from air-gapped computers. Because routers and switches have many more LEDs than a hard drive, this attack scenario is much more efficient, as it can transmit data at about the same speed, but multiplied by the number of ports/LEDs. Researchers say they were able to steal data by 1000 bits/ per LED, making this the most efficient attack known to date. The attack worked best when coupled with optical sensors, which are capable of sampling LED signals at high rates, enabling data reception at a higher bandwidth than other typical video recording equipment. A video of the attack is available here.
Windows

WannaCry Exploit Could Infect Windows 10 (threatpost.com) 52

msm1267 writes: EternalBlue, the NSA-developed attack used by criminals to spread WannaCry ransomware last month, has been ported to Windows 10 by security researchers. The publicly available version of EternalBlue leaked by the ShadowBrokers targets only Windows XP and Windows 7 machines. Researchers at RiskSense who created the Windows 10 version of the attack were able to bypass mitigations introduced by Microsoft that thwart memory-based code-execution attacks. These mitigations were introduced prior to a March security update from Microsoft, MS17-010, and any computer running Windows that has yet to install the patch is vulnerable. You can read the researchers' report here (PDF), which explains what was necessary to bring the NSA exploit to Windows 10.

Slashdot Top Deals