‘Petya’ Ransomware Outbreak Goes Global

June 27, 2017 – 4:00 PM

A new strain of ransomware dubbed “Petya” is worming its way around the world with alarming speed. The malware is spreading using a vulnerability in Microsoft Windows that the software giant patched in March 2017 — the same bug that was exploited by the recent and prolific WannaCry ransomware strain.

According to multiple news reports, Ukraine appears to be among the hardest hit by Petya. The country’s government, national bank and largest power companies all warned today that they were dealing with fallout from Petya infections.

Danish transport and energy firm Maersk said in a statement on its Web site that “We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber attack.” In addition, Russian energy giant Rosneft said on Twitter that it was facing a “powerful hacker attack.” However, neither company referenced ransomware or Petya.

Security firm Symantec confirmed that Petya uses the “Eternal Blue” exploit, a digital weapon that was believed to have been developed by the U.S. National Security Agency and in April 2017 leaked online by a hacker group calling itself the Shadow Brokers.

Source:
https://krebsonsecurity.com/2017/06/petya-ransomware-outbreak-goes-global/

Google Will Stop Reading Your Email to Target Ads

June 23, 2017 – 6:16 PM

One of Google’s most controversial practices over the years has been the automated scanning of email contents. Google used that data to target ads inside Gmail, which it places at the top of the list in your social and promotions tabs. Google now says it will end the practice of targeting ads based on email text, but the decision was not made by the Gmail or advertising teams. It comes from Google’s cloud unit, which is responsible for selling G Suite business subscriptions.

G Suite, or Apps for Work as it used to be known, costs $5 or $10 per month for each user, but larger customers can contact Google for enterprise pricing. G Suite includes additional storage beyond the free 15GB that everyone gets, more security tools, and support for the usual list of Google cloud services like Gmail and Drive.

It’s interesting that Google Cloud was able to effect a change in the way Gmail ads are handled. Diane Greene, Google’s SVP of cloud, says this change was made to offer a more consistent experience across paid and free versions of Gmail. G Suite has doubled its paying users in the last year, so Google seems happy to let Greene make some big calls.

While the free version of Gmail has done automated email scanning for advertising purposes since its inception, that has never been the case in G Suite. If you pay Google for Gmail and other tools, you don’t get those ads in the first place. This change is supposed to put everyone’s mind at ease, even business customers who aren’t affected.

Source:
https://www.extremetech.com/g00/internet/251481-google-will-stop-reading-email-target-ads

Advanced CIA firmware has been infecting Wi-Fi routers for years

June 15, 2017 – 6:27 PM

Home routers from 10 manufacturers, including Linksys, D-Link, and Belkin, can be turned into covert listening posts that allow the Central Intelligence Agency to monitor and manipulate incoming and outgoing traffic and infect connected devices. That’s according to secret documents posted Thursday by WikiLeaks.

CherryBlossom, as the implant is code-named, can be especially effective against targets using some D-Link-made DIR-130 and Linksys-manufactured WRT300N models because they can be remotely infected even when they use a strong administrative password. An exploit code-named Tomato can extract their passwords as long as a default feature known as universal plug and play remains on. Routers that are protected by a default or easily-guessed administrative password are, of course, trivial to infect. In all, documents say CherryBlossom runs on 25 router models, although it’s likely modifications would allow the implant to run on at least 100 more.

The 175-page CherryBlossom user guide describes a Linux-based operating system that can run on a broad range of routers. Once installed, CherryBlossom turns the device into a “FlyTrap” that beacons a CIA-controlled server known as a “CherryTree.” The beacon includes device status and security information that the CherryTree logs to a database. In response, the CherryTree sends the infected device a “Mission” consisting of specific tasks tailored to the target. CIA operators can use a “CherryWeb” browser-based user interface to view FlyTrap status and security information, plan new missions, view mission-related data, and perform system administration tasks.

Missions can target connected users based on IPs, e-mail addresses, MAC addresses, chat user names, and VoIP numbers. Mission tasks can include copying all or only some of the traffic; copying e-mail addresses, chat user names, and VoIP numbers; invoking a feature known as “Windex,” which redirects a user’s browser to a page that attempts a drive-by malware attack; establishing a virtual private network connection that gives access to the local area network; and the proxying of all network connections.

Source:
https://arstechnica.com/security/2017/06/advanced-cia-firmware-turns-home-routers-into-covert-listening-posts/

Newly Found Malware Uses 7 NSA Hacking Tools, Where WannaCry Uses 2

May 22, 2017 – 4:06 PM

A security researcher has identified a new strain of malware that also spreads itself by exploiting flaws in the Windows SMB file-sharing protocol, but unlike the WannaCry ransomware, which uses only two of the leaked NSA hacking tools, it exploits all seven.

Last week, we warned you about multiple hacking groups exploiting leaked NSA hacking tools, but almost all of them were making use of only two tools: EternalBlue and DoublePulsar.

Now, Miroslav Stampar, a security researcher who created the well-known ‘sqlmap’ tool and is now a member of the Croatian Government CERT, has discovered a new network worm, dubbed EternalRocks, which is more dangerous than WannaCry and has no kill-switch in it.

Unlike WannaCry, EternalRocks seems to be designed to function secretly in order to ensure that it remains undetectable on the affected system.

Source:
https://thehackernews.com/2017/05/smb-windows-hacking-tools.html

WannaCry Ransomware Decryption Tool Released

May 19, 2017 – 5:25 AM

If your PC has been infected by WannaCry – the ransomware that wreaked havoc across the world last Friday – you might be lucky to get your locked files back without paying the ransom of $300 to the cyber criminals.

Adrien Guinet, a French security researcher from Quarkslab, has discovered a way to retrieve the secret encryption keys used by the WannaCry ransomware for free, which works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008 operating systems.

WannaCry’s encryption scheme works by generating a pair of keys on the victim’s computer that rely on prime numbers: a “public” key and a “private” key for encrypting and decrypting the system’s files respectively.

To prevent the victim from accessing the private key and decrypting the locked files himself, WannaCry erases the key from the system, leaving victims no way to retrieve the decryption key except paying the ransom to the attacker.

But here’s the kicker: WannaCry “does not erase the prime numbers from memory before freeing the associated memory,” says Guinet.

Based on this finding, Guinet released a WannaCry ransomware decryption tool, named WannaKey, that tries to retrieve from memory the two prime numbers used to generate the encryption keys.
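
As an added illustration (not code from the article or from WannaKey), the toy below shows why leftover primes are enough to undo the wipe: with the public modulus n still on disk, any prime found in memory that divides n yields the other prime and therefore the private exponent. It uses small constructed primes and a constructed “memory scrape” list; it does not model WannaCry’s 2048-bit CryptoAPI key blobs or the actual memory-scanning step.

```python
# Added example: RSA private-key reconstruction from a recovered prime.
# Assumptions (constructed, not from WannaCry): the public key (n, e) is
# still available, the private exponent d was erased, and at least one of
# the primes p, q survives in freed process memory.
from math import gcd

def make_keypair(p, q, e=65537):
    """Textbook RSA key generation from two primes: returns (n, e, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return n, e, d

def recover_private_exponent(n, e, memory_candidates):
    """Rebuild d from the public key plus any prime factor found in memory.

    memory_candidates: integers scraped from a memory image (constructed
    here). A candidate is usable iff it is a non-trivial exact divisor of n,
    which for an RSA modulus means it is p or q. Returns d, or None.
    """
    for cand in memory_candidates:
        if 1 < cand < n and n % cand == 0:
            p = cand
            q = n // p
            phi = (p - 1) * (q - 1)
            return pow(e, -1, phi)
    return None

def demo():
    """Encrypt, wipe d as the ransomware does, then recover d from memory."""
    p, q = 1000000007, 998244353  # constructed small primes
    n, e, d = make_keypair(p, q)
    message = 123456789  # stand-in for a wrapped per-file key
    ciphertext = pow(message, e, n)
    del d  # the private key is erased from the system ...
    # ... but the primes were never zeroed before their buffers were freed.
    leaked = [0xDEADBEEF, 4096, q, 17]  # constructed memory scrape
    d_recovered = recover_private_exponent(n, e, leaked)
    if d_recovered is None:
        return False
    return pow(ciphertext, d_recovered, n) == message

if __name__ == "__main__":
    print("recovered and decrypted:", demo())
```

The defensive lesson is the one Guinet points at: key material must be zeroed before its buffer is freed, because a wipe of the derived key alone leaves the inputs recoverable.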

Source:
https://thehackernews.com/2017/05/wannacry-ransomware-decryption-tool.html
