2016-03-29

Petya Ransomware
Petya is one of several new ransomware variants that have appeared over the past week or so. It was first thought to be a locker rather than an encryptor (the former ‘locks’ your screen while the latter encrypts your files) because running the malicious executable will immediately result in a blue screen of death (BSOD) followed by a lock screen at startup.

Unfortunately, Trend Micro has discovered that Petya does encrypt files in addition to using a lock-screen. It also alters the master boot record (MBR) to prevent users from restarting their systems in safe mode.

Petya is currently being spread through a phishing campaign that targets HR departments with fake CVs.

Coverton Ransomware
A perfect example of the worst kind of crypto-ransomware, Coverton does not appear to have any vulnerabilities in its code, so researchers aren’t likely to find a way to retrieve files without paying the ransom.

Unfortunately, it appears that the decryptor supplied by the ransomware’s authors is flawed, and several users who paid up have reported that their files are now corrupted. This is one you don’t want to shell out for.

FinnSec Security
Hacking group FinnSec Security have claimed responsibility for DDoS attacks on the Finnish Ministry of Defence and Parliament websites, as well as that of the insurance company Kela.

FinnSec claimed that the attacks were intended to showcase the low standards of protection on these sites, noting in an email that “The Finnish government needs to improve, because we can too.”

EC-Council is Exploited
The EC-Council organisation, best known for its ethical hacking programme, had its website hacked from the 21st of March until the 25th. The site was found to be redirecting Internet Explorer users to the Angler exploit kit, which would drop TeslaCrypt ransomware on unfortunate victims.

Down-Sec Hackers
Hacker group Down-Sec has taken down the website of Belgian Prime Minister Charles Michel, stating that he has failed to respond appropriately to the terrorist threat and should resign, noting that his recent decision to reduce the country’s threat level was also a mistake.

Down-Sec have recently attacked several sites linked to IS in the aftermath of the Brussels attacks, including those they accuse of spreading propaganda or providing funding for the group.

Apple’s 0-Day
SentinelOne researcher Pedro Vilaca has discovered a zero-day vulnerability in (he claims) every version of OS X and iOS.

Exploiting the vulnerability requires one to first establish a foothold on the target machine. The bug is apparently 100% reliable and can be used to run arbitrary code without crashing systems.

Apple introduced System Integrity Protection (SIP) on “El Capitan” versions of their OS in order to prevent this sort of malicious code execution, but Vilaca found a way to circumvent SIP by exploiting the same code that Apple uses to update its systems (which by necessity must bypass SIP).

Apple has apparently patched this flaw, but only in the March 21st update for El Capitan.

MedStar Health’s Malware
American healthcare provider MedStar Health has been hit by unknown malware. The non-profit, which runs ten hospitals across Washington and Baltimore, was forced to shut down a large section of its network.

Administrators claim that no information has been compromised and the FBI is currently investigating.

Badlock Bug
The internet is abuzz with news of ‘Badlock’, a supposedly critical vulnerability that may be located in the Windows Server Message Block (SMB) as well as ‘Samba’, its open-source namesake.

Badlock was discovered by German security firm SerNet; its details are currently unknown, though it is set to be patched on the 12th of April. More details of the bug will be in the patch notes, meaning that attackers will be able to reverse engineer an exploit and compromise unpatched users.

A few security specialists have accused SerNet of releasing details on the bug to capitalise on PR in the same style as Heartbleed. Knowing that such a bug exists is arguably more helpful for malware authors (who wish to exploit it) than innocent users, who will have to wait for patch day regardless. SerNet claim that they’ve publicised Badlock early in order to ensure that sysadmins have the resources to fix it as soon as the patch goes live.

Samas Ransomware
Researchers at Microsoft’s Malware Protection Centre (MMPC) and the FBI have warned the public about Samas, a new ransomware family that has become increasingly active over the last three months.

Also known as Kazi, or RDN ransomware, it begins its infection process when it detects servers running outdated JBoss installations. Upon penetrating vulnerable servers, the malware’s authors use the open source tool reGeorg to scan internal networks, before deploying a trojan that steals personal details and finally deploys the Samas ransomware.

Samas uses the RSA-2048 algorithm to encrypt users’ files, and demands a $400 ransom to be paid via a site hosted on the Dark Web. It has been spotted in India and across parts of Asia, but is most prevalent in the USA. The ransomware operates in a more convoluted and technical manner than many of its current competitors, hence the interest it has received from both Microsoft and the FBI.

It contains a number of additional features designed to hinder the user, including use of the Windows utility vssadmin.exe to delete volume shadow copies and backup files, which leaves the victim without local recovery options.
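The shadow-copy deletion described above is one of the few Samas behaviours a defender can watch for directly in endpoint telemetry, so here is an added detection example. It is not code from Silobreaker, Microsoft or the FBI; it assumes a hypothetical flattened key=value log format (loosely modelled on process-creation events) and the sample lines are constructed, not real Samas telemetry. It also goes slightly beyond the digest by flagging `vssadmin resize shadowstorage`, a second vssadmin invocation that can be used to discard existing shadow copies by shrinking the storage they live in.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events (hypothetical key=value format).
# These lines are invented for the example and are not captured Samas activity.
SAMPLE_EVENTS = [
    r'ts=2016-03-28T10:14:02Z host=WS01 user="CORP\jsmith" parent=explorer.exe image=C:\Windows\System32\vssadmin.exe cmd="vssadmin list shadows"',
    r'ts=2016-03-28T10:15:41Z host=SRV02 user="NT AUTHORITY\SYSTEM" parent=cmd.exe image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"',
    r'ts=2016-03-28T10:15:43Z host=SRV02 user="NT AUTHORITY\SYSTEM" parent=cmd.exe image=C:\Windows\System32\vssadmin.exe cmd="vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"',
    r'ts=2016-03-28T10:16:00Z host=WS01 user="CORP\jsmith" parent=explorer.exe image="C:\Program Files\Notepad++\notepad++.exe" cmd="notepad++.exe notes.txt"',
]

# key=value pairs; values may be double-quoted when they contain spaces.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# vssadmin sub-commands that remove shadow copies (case-insensitive, tolerant of extra spaces).
DELETE_RE = re.compile(r"\bdelete\s+shadows\b", re.IGNORECASE)
RESIZE_RE = re.compile(r"\bresize\s+shadowstorage\b", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened event line into a field dictionary, dropping surrounding quotes."""
    return {m.group(1): m.group(2).strip('"') for m in FIELD_RE.finditer(line)}


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a rule name if the event is a shadow-copy-destroying vssadmin call, else None."""
    image = event.get("image", "")
    # Windows paths use backslashes; take the last path component as the executable name.
    exe_name = image.rsplit("\\", 1)[-1].lower()
    if exe_name != "vssadmin.exe":
        return None
    cmd = event.get("cmd", "")
    if DELETE_RE.search(cmd):
        return "shadow_copy_deletion"
    if RESIZE_RE.search(cmd):
        return "shadow_storage_resize"
    # Read-only vssadmin usage such as "list shadows" is normal admin activity.
    return None


def detect(lines: List[str]) -> List[Dict[str, Optional[str]]]:
    """Run the classifier over raw event lines and collect alerts with triage context."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        rule = classify(event)
        if rule is not None:
            alerts.append({
                "ts": event.get("ts"),
                "host": event.get("host"),
                "user": event.get("user"),
                "parent": event.get("parent"),  # parent process is key context: cmd.exe vs. a backup agent
                "cmd": event.get("cmd"),
                "rule": rule,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['ts']} {alert['host']} parent={alert['parent']} :: {alert['cmd']}")
```

The parent process and user fields are kept in each alert because legitimate backup software also calls vssadmin; a deletion launched from an interactive shell or an unfamiliar binary is the case worth paging someone about, while one launched by a known backup agent can be allow-listed.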

Pwn2Own 2016
The white hat hacking conference Pwn2Own got off to a fast start in Vancouver this weekend as researchers found significant flaws in Adobe Flash, Google Chrome and Apple’s browser Safari. The conference, which has been held annually since 2007, is designed to encourage talented hackers to uncover and exploit previously unknown vulnerabilities in some of the world’s most popular software.

So far, an independent researcher has uncovered four exploits within Apple devices, including three within iOS, whilst the 360Vulcan Team have unearthed flaws in both Adobe and Google products. On the first day alone it is estimated over $280,000 was awarded in prize money for successful hacks, demonstrating the value that technology companies place upon such exercises. All of the uncovered flaws will be investigated and patched by the relevant companies before any of their technical details are revealed.

Gumtree Malvertising
Researchers at Malwarebytes Lab have discovered a malvertising campaign that has infiltrated popular advertising and reselling site Gumtree. Threat actors hacked the accounts of Australian legal firm Concisus Legal and created a fraudulent but highly realistic subdomain based off the firm’s main site. The attackers then approached Gumtree and sought consent to post their malicious ad, shielded by the apparent authenticity the hijacked brand gave it.

Users exposed to this campaign are redirected to a landing page for the Angler exploit kit, which has the capacity to drop a range of highly dangerous payloads onto a machine, including various types of ransomware and banking trojans.

Andrew Auernheimer
Infamous internet troll and hacker Andrew Auernheimer has exploited a flaw in thousands of unsecured wireless printers across the US, forcing them to print copies of racist propaganda posters. Auernheimer discovered that printers with port 9100 exposed can be manipulated into printing black and white Unicode documents, provided you add a small postscript to the port.

Colleges including Princeton and Berkeley were affected as he forced the printing of thousands of anti-Semitic documents. Police are said to be investigating the incident.

Verizon Data Leak
More details have been released regarding the reported data breach at Verizon. Security researcher Brian Krebs has announced that the personal details of 1.5 million Verizon Enterprise customers have been stolen from the company’s servers. They are currently being touted on an exclusive underground cybercrime forum, with the hacker asking for $100,000 for the whole data set.

Verizon claim to have fixed the vulnerability located in their customer enterprise portal, and are in the process of contacting affected customers. Importantly, they are insisting no Customer Proprietary Network Information (CPNI) was accessed, instead saying the attacker only accessed basic contact information.

Nevertheless, for a company that often publishes reports on data breaches at other companies, this is a highly embarrassing incident.

The Silobreaker Team

The post Silobreaker Daily Cyber Digest – 29 March 2016 appeared first on Silobreaker.
