Newly Found Malware Uses 7 NSA Hacking Tools, Where WannaCry Uses 2

May 22, 2017 – 4:06 PM

A security researcher has identified a new strain of malware that also spreads by exploiting flaws in the Windows SMB file-sharing protocol, but unlike the WannaCry ransomware, which uses only two of the leaked NSA hacking tools, it makes use of all seven.

Last week, we warned you about multiple hacking groups exploiting the leaked NSA hacking tools, but almost all of them were making use of only two of those tools: EternalBlue and DoublePulsar.

Now Miroslav Stampar, the security researcher who created the well-known sqlmap tool and is now a member of the Croatian government CERT, has discovered a new network worm, dubbed EternalRocks, which is more dangerous than WannaCry and has no kill switch.

Unlike WannaCry, EternalRocks appears to be designed to operate quietly so that it remains undetected on the affected system.

Source:
https://thehackernews.com/2017/05/smb-windows-hacking-tools.html

WannaCry Ransomware Decryption Tool Released

May 19, 2017 – 5:25 AM

If your PC has been infected by WannaCry, the ransomware that wreaked havoc across the world last Friday, you may be able to get your locked files back without paying the $300 ransom to the cyber criminals.

Adrien Guinet, a French security researcher from Quarkslab, has discovered a way to retrieve the secret encryption keys used by the WannaCry ransomware for free. The method works on Windows XP, Windows Vista, Windows 7, and Windows Server 2003 and 2008.

WannaCry's encryption scheme generates an RSA key pair on the victim's computer, derived from two large prime numbers: a "public" key used to encrypt the system's files and a "private" key needed to decrypt them.

To prevent the victim from using the private key to decrypt the locked files themselves, WannaCry erases the key from the system, leaving the victim no way to recover the decryption key other than paying the ransom to the attacker.

But here’s the kicker: WannaCry “does not erase the prime numbers from memory before freeing the associated memory,” says Guinet.

Based on this finding, Guinet released a WannaCry decryption tool, named WannaKey, that searches the memory of the ransomware process for the prime numbers used to generate the key pair. Recovering even one prime is enough: dividing the public modulus by it yields the other prime, and from the two primes the private key can be rebuilt. The approach only works if the infected machine has not been rebooted and the memory holding the primes has not been reused since the infection.
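The recovery step in miniature, as an added example that is not WannaKey's own code (WannaKey targets 2048-bit CryptoAPI keys inside a live wcry.exe process; this block uses two known 64-bit primes and a constructed byte string standing in for a memory dump so it runs offline). The scanner slides a window of half the modulus width across the image and keeps the first value that divides the public modulus, then rebuilds the private exponent and decrypts a test value. The assumption that the prime is stored little-endian reflects how CryptoAPI lays out multiprecision integers; the filler bytes, the offset and the plaintext are constructed for the example.

```python
"""Recover an RSA private key from a memory image that still holds one prime.

Added example (not WannaKey's code): a simplified re-implementation of the
idea it relies on. Key sizes are toy (64-bit primes) so the block runs
instantly; the arithmetic is the same for a 2048-bit key.
"""
from math import gcd

E = 65537

# Constructed key material: two known primes, the Mersenne prime 2^61-1 and
# the largest prime below 2^64. Real WannaCry keys use 1024-bit primes.
P = (1 << 61) - 1
Q = (1 << 64) - 59
N = P * Q


def build_memory_image(prime, offset=1000):
    """Constructed stand-in for a process memory dump: deterministic filler
    with the prime embedded little-endian (the byte order CryptoAPI uses for
    multiprecision integers) at a chosen offset."""
    width = (prime.bit_length() + 7) // 8
    filler = bytes(range(256)) * 8  # 2048 bytes of predictable junk
    return filler[:offset] + prime.to_bytes(width, "little") + filler[offset:]


def find_prime_factor(memory, n):
    """Slide a window of half the modulus width across the image and return
    the first value that non-trivially divides n. Divisibility is the only
    test needed: a two-prime modulus has no other non-trivial divisors."""
    width = ((n.bit_length() + 7) // 8) // 2
    for off in range(len(memory) - width + 1):
        cand = int.from_bytes(memory[off:off + width], "little")
        if 1 < cand < n and n % cand == 0:
            return cand
    return None


def rebuild_private_exponent(n, e, p):
    """Given n, e and one prime p, derive q and the private exponent d."""
    q = n // p
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible mod phi(n); wrong factor?")
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def recover_and_decrypt(memory, n, e, ciphertext):
    """End-to-end: scan the image, rebuild d, decrypt. Returns None when no
    prime survives in the image (e.g. the machine was rebooted)."""
    p = find_prime_factor(memory, n)
    if p is None:
        return None
    d = rebuild_private_exponent(n, e, p)
    return pow(ciphertext, d, n)


if __name__ == "__main__":
    m = 0xC0FFEE  # constructed stand-in for the per-file key RSA would wrap
    c = pow(m, E, N)
    image = build_memory_image(P)
    print("recovered plaintext:", hex(recover_and_decrypt(image, N, E, c)))
```

Against a real dump the same loop runs over the whole address space of the ransomware process with a 128-byte window, which is why a reboot or heavy memory churn defeats it: once the freed pages are reused, no window divides the modulus and the scan returns nothing.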

Source:
https://thehackernews.com/2017/05/wannacry-ransomware-decryption-tool.html

HP rolls out patch to fix keylogging bug in certain laptops

May 13, 2017 – 7:10 AM

Owners of HP laptops that have been silently recording their keystrokes can address the problem with a patch from the PC maker.

More than two dozen HP laptop models, including the EliteBook, ProBook and ZBook lines, have a bug in the audio driver that makes it act as a keylogger, a Swiss security firm said Thursday.

HP began rolling out fixes through its support page and via Windows Update starting on Thursday, HP Vice President Mike Nash said.

The problem affects certain HP laptops made since 2015. In some cases the driver writes every captured keystroke to a log file on the PC; in other cases it passes the keystrokes to a Windows debugging interface on the machine, where other processes can capture them.

The security firm modzero noticed the problem last month and reported it to HP, which prompted the PC maker to investigate and work on a fix, Nash said in an interview.

“There was some debugging code in the audio driver that was mistakenly left there,” he said. “It was left there by accident. The intent was to help us debug a problem.”

HP’s patch will remove the flaw from the PC’s audio driver and also delete the log file that was storing the keystrokes.

Source:
http://www.csoonline.com/article/3196704/security/hp-rolls-out-patch-to-fix-keylogging-bug-in-certain-laptops.html

Wana Decrypt0r Ransomware Using NSA Exploit Leaked by Shadow Brokers Is on a Rampage

May 12, 2017 – 4:46 PM

Ransomware operators are using an SMB exploit leaked by the Shadow Brokers last month to fuel a massive ransomware outbreak that exploded online today, claiming huge numbers of victims all over the world.

The ransomware's name is WCry, but it is also referenced online under various names, such as WannaCry, WanaCrypt0r, WannaCrypt, or Wana Decrypt0r. Since everybody keeps calling it "Wana Decrypt0r," that is the name we'll use in this article, but all refer to the same thing: version 2.0 of the lowly and unimpressive WCry ransomware that first appeared in March.

Activity from this ransomware family was almost nonexistent prior to today's sudden explosion, when the number of victims skyrocketed within a few hours.

Source:
https://www.bleepingcomputer.com/news/security/wana-decrypt0r-ransomware-using-nsa-exploit-leaked-by-shadow-brokers-is-on-a-rampage/

Explained – How the Intel AMT Vulnerability Allows Attackers to Hack Computers Remotely

May 5, 2017 – 4:35 PM

Earlier this week Intel announced a critical escalation-of-privilege bug affecting the remote management features that have shipped with Intel Server chipsets for the past seven years, which, if exploited, would allow a remote attacker to take control of vulnerable PCs, laptops, or servers.

The vulnerability, tracked as CVE-2017-5689, affects Intel remote management technologies, including Active Management Technology (AMT), Intel Standard Manageability (ISM), and Intel Small Business Technology (SBT), firmware versions 6 through 11.6.

The flaw was originally discovered in mid-February by Maksim Malyutin, a member of the Embedi research team, who responsibly disclosed it to the Intel security team.

My previous article, published earlier this week, was based on the partial information Maksim shared with The Hacker News: because the reported Intel AMT vulnerability was highly critical and can be exploited remotely, Embedi withheld technical details until most sysadmins had updated their systems with patched firmware.

Today, the Embedi research team has disclosed complete technical details about the critical vulnerability, and I have compiled this piece explaining:

  • What is Intel AMT technology?
  • Where does the Intel AMT vulnerability reside?
  • How can an attacker exploit the Intel AMT vulnerability?

Source:
https://thehackernews.com/2017/05/intel-amt-vulnerability.html