ransomware

31 Articles

Global Cyber Attack Halted: Autopsy Time

May 13, 2017 by 131 Comments

Friday saw what looked like the most dangerous ransomware infection to date. The infection known as WannaCry was closing down vital hospital IT systems across the UK canceling major operations and putting lives at risk.

Spread Halted?

It spread further around the world and almost became a global pandemic. Although machines are still encrypted demanding Bitcoin, one security blogger [MalwareTech] halted the ransomware by accident. As he was analyzing the code he noticed that the malware kept trying to connect to an unregistered domain name “iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com”. So he decided to register the domain to see if he could get some analytics or any information the worm was trying to send home. Instead much to his surprise, this halted the spread of the ransomware. Originally he thought this was some kind of kill switch but after further analysis, it became clear that this was a test hard-coded into the malware which was supposed to detect if it was running in a virtual machine. So by registering the domain name, the ransomware has stopped spreading as it thinks the internet is a giant virtual machine.

Why was the UK’s NHS Hit So Badly?

According to the [BBC] Information obtained by software firm Citrix under Freedom of Information laws in December suggest up to 90% of NHS trusts were still using Windows XP, However NHS Digital says it is a “much smaller number”. Microsoft has rolled out a free security update to Windows XP, Windows 8, and Windows Server 2003 “to protect their customers”. There was much warning about XP no longer receiving updates etc, the 2001 operating system just needs to die however so many programs especially embedded devices rely upon the fact that the OS running is Windows XP, This is a problem that needs sorted sooner rather than later. There is still obvious problems facing the NHS as all outpatients appointment’s have been canceled at London’s Barts Health NHS Trust which happens to be the largest in the country. However [Amber Rudd], Home Secretary, said 97% of NHS trusts were “working as normal” and there was no evidence patient data was affected. Let’s just hope they update their systems and get back to fixing people as soon as they can.

Where Else Was Hit?

There was quite a few other places hit as well as the UK’s NHS including The Sunderland Nissan Plant also in the UK, Spanish telecoms giant Telefonica along with some gas companies in Spain. In the US FedEx was affected, France has seen production in some of it’s Renault factories halted. Finally, Russia reported 1000 governmental computer systems has been hit.

So is this the end for ransomware?

No, this infection was stopped by accident the infected are either still infected or have paid up, had they not included the sloppy code in the first place then who knows what would have happened. Microsoft had rolled out patches but some people/organizations/Governments are lazy and don’t bother to apply them. Keep your computers up to date, Good luck because we think we will be seeing a lot more ransomware malware in the coming years.

[Update WannaCry v. 2.0 has been released without the “kill switch”, We wonder what will happen now. Probably not a lot as the media attention has been quite intense so it may not be that big an infection however there is always a few who live in the land where news doesn’t exist and will go a long their day until BAM! Ransom Ware installed and pockets emptied.]

Massive Cyber Attack Cripples UK Hospitals, Spreads Globally

May 12, 2017 by 179 Comments

A massive ransomware attack is currently under way. It was first widely reported having crippled the UK hospital system, but has since spread to numerous other systems throughout the world including FedEx in the US, the Russian Interior Ministry, and telecommunications firms in Spain and Russia.

The virus is known by names WannaCrypt, WannaCry, and a few other variants. It spreads using the ExternalBlue exploit in unpatched Windows machines older than version 10. The tools used to pull off this attack were likely from an NSA toolset leaked by the Shadow Brokers.

So far the strongest resource for technical information that we’ve found is this factsheet hosted on GitHub.

NHS Services at a Standstill in the UK

NHS services across England and Scotland have been hit by the ransomware attack, crippling multiple hospitals and doctor’s practices. The UK has universal healthcare — the National Health Service  — covering Doctors, Hospitals and generally everything medical related is free at the point of service. but today they have had to turn away patients and cancel consultations.

NHS is unable to access medical records of patients unless they pay £230 ($300) in bitcoin for infected machines. There is no evidence patient data has been compromised, NHS Digital has said. The BBC has stated that up to 39 NHS organisations and some GP practices have been affected.

The National Cyber Security Centre (NCSC) was “working closely” with the NHS and that they will protect patient safety. We are aware that a number of NHS organisations have reported that they have suffered from a ransomware attack.

-Prime Minister Theresa May

Infected Systems Throughout the World

Computers in regions across the globe have been under attack today, including Telefonica (O2 in the UK), with at least 45,000 computers compromised in Russia, Ukraine, India, and Taiwan alone. There’s no indication of who is behind the attack yet.

The ransomware’s code takes advantage of an exploit called EternalBlue, made public in April by Shadow Brokers which was patched by Microsoft in March, It comes as a shock that an organisation the size of the NHS seem not to have kept their computers updated. This is perhaps just a taster of what is to come in the future as cyber crime and warfare become more and more commonplace.

[Ransomware screenshots via @UID_]

UEFI-Hacked

Gigabytes The Dust With UEFI Vulnerabilities

April 4, 2017 by 46 Comments

At this year’s BlackHat Asia security conference, researchers from Cylance disclosed two potentially fatal flaws in the UEFI firmware of Gigabyte BRIX small computers which allow a would-be attacker unfettered low-level access to the computer.

Gigabyte has been working on a fix since the start of 2017. Gigabyte are preparing to release firmware updates as a matter of urgency to only one of the affected models — GB-BSi7H-6500 (firmware vF6), while leaving the — GB-BXi7-5775 (firmware vF2) unpatched as it has reached it’s end of life. We understand that support can’t last forever, but if you sell products with such a big fault from the factory, it might be worth it to fix the problem and keep your reputation.

The two vulnerabilities that have been discovered seem like a massive oversight from Gigabyte, They didn’t enable write protection for their UEFI (CVE-2017-3197), and seem to have thrown cryptography out of the window when it comes to signing their UEFI files (CVE-2017-3198). The latter vulnerability is partly due to not verifying a checksum or using HTTPS in the firmware update process, instead using its insecure sibling HTTP. CERT has issued an official vulnerability note (VU#507496) for both flaws.

Attackers may exploit the vulnerabilities to execute unsigned code in System Management Mode (SMM), planting whatever malware they like into the low level workings of the computer. Cylance explain a possible scenario as follows:

The attacker gains user-mode execution through an application vulnerability such as a browser exploit or a malicious Word document with an embedded script. From there, the attacker elevates his privileges by exploiting the kernel or a kernel module such as Capcom.sys to execute code in ring 0. A vulnerable SMI handler allows the attacker to execute code in SMM mode (ring -2) where he finally can bypass any write protection mechanisms and install a backdoor into the system’s firmware.

With all this said, it does raise some interesting opportunities for the hacker community. We wonder if anyone will come up with a custom UEFI for the Brix since Gigabyte left the keys in the door.