msm1267 writes: The WannaCry ransom note was likely written by Chinese- and English-speaking authors, adding more intrigue to the investigation into whether it was indeed a North Korean APT using stolen NSA exploits to spread ransomware worldwide.
Analysts at Flashpoint, including some fluent in Chinese, said the Simplified and Traditional Chinese notes differ significantly from the others and that they were likely the original notes. The English note was then the source note for the remaining translations and was flushed through Google Translate to create them.
Many of the notes, Flashpoint director of Asia-Pacific research Jon Condra said, contained glaring grammatical errors that a native would not make. Ironically, the version of the note written in Korean was among the most poorly translated.
“It was interesting to us and we were kind of shocked after hearing the links to the Lazarus group that the Korean note was so badly translated,” Condra said. “That could be intentional, or maybe the person who wrote it didn’t speak Korean.”
Condra said the analyst who looked at it said it was about 65 percent correct and there were some basic mistakes made in the translation.
schwit1 writes: A new test conducted by CCC hackers shows that this promise cannot be kept: With a simple-to-make dummy eye the phone can be fooled into believing that it sees the eye of the legitimate owner.
But whoever has a photo of the legitimate owner can trivially unlock the phone.
We’re dealing with a ransomware worm, possibly unleashed by a foreign government, that uses exploit code lifted from a tool dump stolen from the NSA. Allegedly. It’s a weird, hall-of-mirrors kind of story, and it’s looking more and more like a harbinger of things to come as we move deeper into the era of cyber espionage. WannaCry is very, very bad. It’s the most effective ransomware campaign we’ve seen to date. And it’s probably not over yet. There’s likely another variant or two in the works that don’t include the kill switch domains that researchers have used to limit its spread this week and that will cause a fresh wave of infections.
Each of the variants of WannaCry that have emerged so far has a domain hidden inside of it that malware tries to contact once it infects a new machine. If the connection succeeds, the malware stops the infection routine, so researchers have registered the domains and prevented broader infections.
But those kill switches are essentially the only things standing between vulnerable machines and a huge wave of WannaCry infections. Although Microsoft released a patch in March for the vulnerability that the ransomware uses to infect new machines, there are plenty of PCs that haven’t been patched yet. Researchers say a new version of the malware without a kill switch could be brutally effective.
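As an added example (not from the original story), here is defender-side triage over constructed DNS query logs: a host that looked up a kill-switch domain has reached that point of the infection routine, and, as the story explains, a lookup that failed means the routine was not halted. The domain names and the log line format are placeholders, not the real WannaCry values.

```python
import re
from collections import defaultdict

# Constructed placeholder domains: the page does not give the real kill-switch
# domains, so substitute the ones your threat-intel feed lists.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder-1.example",
                       "killswitch-placeholder-2.example"}

# Constructed log format (assumption): "<timestamp> <client_ip> query <qname> <rcode>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) (?P<rcode>\S+)$")


def parse_line(line):
    """Parse one constructed DNS query-log line; return None for unparseable input."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()  # normalise FQDN dot and case
    return rec


def find_kill_switch_lookups(lines):
    """Return {client_ip: {"resolved": n, "failed": n}} for hosts that queried a kill-switch domain."""
    hits = defaultdict(lambda: {"resolved": 0, "failed": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qname"] not in KILL_SWITCH_DOMAINS:
            continue
        key = "resolved" if rec["rcode"] == "NOERROR" else "failed"
        hits[rec["client"]][key] += 1
    return dict(hits)


def triage(hits):
    """Order hosts by urgency: failed lookups first, because a failed kill-switch
    check means the malware did not stop its infection routine on that host."""
    return sorted(hits.items(),
                  key=lambda kv: (-kv[1]["failed"], -kv[1]["resolved"], kv[0]))


# Constructed sample log: one resolved lookup, two failed ones, one mixed-case name, one junk line.
SAMPLE_LOG = """\
2017-05-12T10:01:02Z 10.0.4.17 query killswitch-placeholder-1.example. NOERROR
2017-05-12T10:01:05Z 10.0.4.17 query update.example.com. NOERROR
2017-05-12T10:02:44Z 10.0.9.3 query killswitch-placeholder-1.example. NXDOMAIN
2017-05-12T10:03:10Z 10.0.9.3 query killswitch-placeholder-1.example. NXDOMAIN
2017-05-12T10:04:00Z 10.0.2.8 query KILLSWITCH-PLACEHOLDER-2.example. NOERROR
malformed line here
"""

if __name__ == "__main__":
    for host, counts in triage(find_kill_switch_lookups(SAMPLE_LOG.splitlines())):
        print(host, counts)
```

The ordering matters operationally: hosts whose lookup failed (for instance because an egress filter blocked the domain) are the ones where the check did not stop the malware.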
“We got incredibly lucky that was even involved in the creation of the malware,” said Juan Andres Guerrero-Saade, a senior security researcher at Kaspersky Lab, on Wednesday.
“It actually means that we’ve barely bought a little time. If another version comes out without this, we’re going to have a very, very serious problem because there won’t be an easy way to slap a band aid on this.”
msm1267 writes: A ransomware attack running rampant through Europe today is spreading via an exploit leaked in the most recent ShadowBrokers dump.
Researchers said the attackers behind today’s outbreak of WannaCry ransomware are using EternalBlue, an exploit made public by the mysterious group in possession of offensive hacking tools allegedly developed by the NSA.
Most of the attacks are concentrated in Russia, but machines in 74 countries have been infected; researchers at Kaspersky Lab said they’ve recorded more than 45,000 infections so far on their sensors, and expect that number to climb.
Sixteen National Health Service (NHS) organizations in the U.K., several large telecommunications companies and utilities in Spain, and other businesses throughout Europe have been infected. Critical services are being interrupted at hospitals across England, and in other locations, businesses are shutting down IT systems.
Phone fraud has become one of the favored tactics for criminals as they look for less-risky and more-profitable avenues to get into targeted organizations. The phone channel typically is not as well-defended as other channels, including the web and in-person transactions, making it a juicy target for fraudsters. Data published in Pindrop’s 2017 Call Center Fraud Report today shows that these criminals are having more than their share of success.
In 2016, one in every 937 calls was fraudulent, a significant increase from 2015, when one in every 2,000 calls was fraudulent. The data, extracted from more than 500 million calls to Pindrop’s customers’ call centers, is an indication that the fraudsters running these phone scams are getting better and better and continuing to develop new skills and schemes to get past call center agents.
“The sophistication of the fraudsters, the expansion of criminal rings, heightened security in other channels, and the amount of information available on the dark web is making the call center the easiest fraud target in virtually every industry,” said Vijay Balasubramaniyan, CEO and co-founder of Pindrop.
schwit1 writes: As the latest installment of its 'Vault 7' series, WikiLeaks has just dropped a user manual describing a CIA project known as ‘Scribbles’ (a.k.a. the "Snowden Stopper"), a piece of software purportedly designed to allow the embedding of ‘web beacon’ tags into documents “likely to be stolen.” The web beacon tags are apparently able to collect information about an end user of a document and relay that information back to the beacon's creator without being detected. Per WikiLeaks' press release:
But, the "Scribbles" user guide notes there is just one small problem with the program...it only works with Microsoft Office products. So, if end users use other programs such as OpenOffice or LibreOffice then the CIA's watermarks become visible to the end user and their cover is blown.
Data from the 2017 Verizon Data Breach Investigations Report released Thursday shows that 72 percent of all malware incidents affecting health care organizations involved ransomware. The DBIR dataset, which includes more than 2,000 separate breaches, reveals a 50 percent increase in ransomware incidents compared to 2015, and also shows that ransomware is now the fifth most-common variety of malware found in breaches.
The new card also has a chip embedded in it and it can be used at all of the existing chip-and-PIN terminals. During a transaction, the user would insert the card into the terminal and hold his thumb on the embedded biometric sensor while the terminal reads the chip. Rather than entering a PIN, the user’s print serves as a second factor of authentication. The user’s print is stored on the card and it is compared against the one used during each transaction.
Mastercard already has tested the new card in a pair of trials in South Africa, one with a large supermarket chain and another with a bank. The company plans wider trials this year and is aiming for a full rollout by the end of 2017.
The Facebook system allows users to connect their Facebook accounts with other services and use that trusted link to recover access to one of the accounts. The company has published an SDK and documentation on the system, which it has been testing for several months with GitHub. Now the program is entering a closed beta with the promise of a public release in the coming months. Delegated Account Recovery is meant to eliminate the use of insecure channels such as email or SMS to verify a user’s ownership of a given account.
“It’s an open protocol. Trust who you want. We’re really excited that GitHub is making the first connection with us,” Brad Hill, a security engineer at Facebook, said. “We really don’t want this to be a Facebook-only service, so that we can have that network effect protecting you. The best way for us to address that is to share it.”
The study is the first analysis of its kind on tech support scams, and it’s the work of three PhD candidates at Stony Brook University. The team built a custom tool called RoboVic that performed a “systematic analysis of technical support scam pages: identified their techniques, abused infrastructure, and campaigns”. The tool includes a man-in-the-middle proxy that catalogs requests and responses and also will click on pop-up ads, which are key to many tech-support scams.
In their study, the researchers found that the source for many of these scams was “malvertisements”: advertisements on legitimate websites, particularly ones using ad-based URL shorteners, that advertised the scams. This gives the scammers an opportunity to strike on what would seem like a relatively safe page. Although victims of these scams can be anywhere, the researchers found that 85.4 percent of the IP addresses in these scams were located across different regions of India, with 9.7 percent located in the United States and 4.9 percent in Costa Rica. Scammers typically asked users for an average of $291, with prices ranging from $70 to $1,000.
The botnet has been operating since at least 2010 and has infected hundreds of thousands of computers around the world, mainly in the service of a massive spam operation. Kelihos has been responsible for a large slice of the spam clogging the Internet for many years, and officials at the Justice Department on Monday filed a civil complaint against Peter Yuryevich Levashov, who was arrested last weekend in Spain. The complaint accuses Levashov of running Kelihos and using infected computers as part of his spam business.
Sen. Ed Markey (D-Mass.) has drafted the bill and introduced it in the Senate in the hopes of reversing the effects of the law that Trump signed last week. That law, which drew criticism and opposition from a diverse set of privacy advocates, technologists, consumer groups, and legislators, gives broadband providers such as Comcast and Verizon the ability to sell users’ browsing histories and other personal information without customers’ consent.
The FCC last year had passed a rule that prevented broadband providers from selling that kind of customer information without clear consent, but opponents said the rule placed unfair restrictions on some companies. Markey’s bill seeks to put the FCC rule back in place.
The Moonlight Maze attacks were among the first major cyber espionage campaigns to gain public attention, and security researchers often point to the attacks as the beginning of the modern advanced threat era. The attacks went on for years and included highly complex techniques and the exfiltration of a huge amount of data. Researchers at Kaspersky Lab, working with counterparts from King’s College London, recently discovered that a backdoor used by the Moonlight Maze attackers in 1998 also has been used by the Turla APT attack group, possibly as recently as this year. The new details come from a months-long analysis of data and logs from a server that was compromised during the Moonlight Maze attacks and preserved by a systems administrator since then.
The original Moonlight Maze attackers mainly used Unix and had a large set of tools at their disposal. They were targeting Solaris systems for the most part and had a custom backdoor that they used often. One of the systems that they compromised was a server known as HRtest, which administrator David Hedges has kept. Hedges allowed Kaspersky’s researchers and Rid access to the server, including access logs, the attackers’ own logs, and an extensive toolset used by the attackers, including 43 separate binaries.
[The] collect[ing of] personal information from a customer resulting from the customer's use of the telecommunications or internet service provider without express written approval from the customer. No such telecommunication or internet service provider shall refuse to provide its services to a customer on the grounds that the customer has not approved collection of the customer's personal information.