Tag Archives: NotPetya

Security Never Sleeps- Chicago Voters, Maersk Attack

Personal data of 1.8 million Chicago voters accidentally exposed by vendor

“Roughly 1.8 million affected”

Almost 2 million Chicago voters had their phone numbers, addresses, and partial Social Security numbers left exposed on a cloud-storage website. The site was maintained by an Omaha election-services company, and the sensitive information remained exposed until a cybersecurity researcher discovered it earlier this week.

Ukraine central bank warns of new cyber-attack risk

“Bank warns lenders of new malware”

Today the Ukrainian central bank warned both private and state-owned lenders about the apparent emergence of a new malware program making its way through the internet. Ukrainian security forces say this program resembles the NotPetya attacks, which knocked out many global systems on June 27th as the malware spread rapidly through the corporate networks of multinational firms and suppliers in Eastern Europe.

New Android malware that spreads via text can steal victims’ credit card details from other apps

“Even apps you trust might be unsafe”

Most of us have the good sense not to enter credit card details or other financial information into sketchy-looking apps or websites for fear of theft, but hardly anyone would do a double take on apps like Amazon. Alas, even our favorite applications may not be a sanctuary for our sensitive information, as detailed in a recent blog post by security firm Kaspersky Lab. The blog claims that new malware is able to quietly steal victims’ data as it is entered into applications, as well as spy remotely on texts and phone calls.

Cyberattack cost Maersk as much as $300 million and disrupted operations for 2 weeks

“Huge costs in goods transport”

A June attack that left shipping operations crippled worldwide, even briefly shutting down the Port of Los Angeles’ largest cargo terminal, has cost Danish shipping firm A.P. Moller-Maersk between $200 million and $300 million, the firm reported earlier this week. The unprecedented severity of the attack prompted workers to improvise communications via social media networks like Twitter, WhatsApp, and even Post-it notes to get goods moving from ships to the shore again.

Enjoy your read? Check out our other content here.

10Fold- Security Never Sleeps- 193

Hackers are making their malware more powerful by copying WannaCry and Petya ransomware tricks

“Hackers learn from effective programs”

Cybercriminals have been taking note of the effectiveness of recent ransomware outbreaks. Recent Trojans have been equipped with aspects of these malware families, such as a worm propagation model that helps them spread.

Plastic Surgery Associates Announces Data Breach

“Some patients open to hackers”

Plastic Surgery Associates of South Dakota has announced a data breach affecting patients at its Sioux Falls, Dakota Dunes, Yankton, Mitchell, Watertown, and Spencer locations. In a recent statement, the firm revealed it learned of the attack in February and has hired third-party experts to determine specifically what data was accessed.

Two Swedish officials resign over data breach fallout

“Transport agency incident cited”

Two senior officials from the Swedish government have resigned over last week’s embarrassing data breach, which exposed citizens’ sensitive data. Home affairs minister Anders Ygeman and infrastructure minister Anna Johansson have resigned over the scandal.

10Fold- Security Never Sleeps- 190

Sweden Accidentally Leaks Personal Details of Nearly All Citizens

“Swedish Transport Agency breached”

Virtually all Swedish citizens’ personal vehicle details may have been leaked due to the mishandling of an outsourcing deal with IBM. Swedish media report that the breach extends to private vehicles and even police and military transportation.

Wells Fargo Gets Regulatory Questions After Data Breach

“Release of client details prompts questions”

Wells Fargo, already a target of regulatory scrutiny after last year’s fake account scandal, has drawn even more attention to itself after a new leak. A lawyer working for the firm has released sensitive client data for tens of thousands of accounts, mostly of wealthy clients in the brokerage unit.

Second Major Ethereum Hack In a Week Leads to $34 Million Theft

“Popularity met with skepticism of security”

Cryptocurrencies like Ethereum and Bitcoin have been rising fast in popular use; however, many investors remain cautious due to concerns over vulnerabilities. Ethereum is not doing much to ease doubters, having suffered a major hack for the second time in a single week.

Cybercriminals Kept Botnet That Infected 500,000 Computers Hidden For Five Years

“Stantinko is new creeping botnet”

The Mirai botnet and ransomware programs like WannaCry and Petya have often caught our attention, but have you heard of Stantinko? It’s been able to stealthily execute its criminal mission for over five years without attracting much, or perhaps any, media attention.


10Fold- Security Never Sleeps- 187

Undetected For Years, Stantinko Malware Infected Half a Million Systems

“Massive botnet remained under the radar for five years”

Half a million devices have been infected by a rogue botnet, dubbed Stantinko. ESET researchers warn that affected systems can “execute anything on the infected host.” The malware has powered a huge adware campaign since at least 2012, largely targeting Russia and Ukraine, but remained hidden via code encryption until now.

Network Spreading Capabilities Added to Emotet Trojan

“Emotet Trojan spreads malware on internal networks”

Fidelis Cybersecurity researchers have identified a new variant of the Emotet Trojan that can distribute malicious programs on internal systems. The recent WannaCry and NotPetya incidents have shown just how efficient and costly these attacks can be when they spread, raising concerns among security researchers that such attacks will become more prevalent in the future.

US Banks Targeted with Trickbot Trojan

“Necurs spreads to financial institutions”

A new Emotet banking Trojan signals increasingly complex attacks on the finance industry. An official blog post subsequently confirmed that a ‘security alert is ongoing related to the discovery, the effects of which are continuing.’

Healthcare Industry Lacks Awareness of IoT Threat, Survey Says

“Three quarters of IT decision makers report that they are ‘confident’ they’re secure”

Healthcare networks are filled with IoT devices, but a study has found that the majority of IT experts say many of these devices are not adequately protected, despite many believing that they are.

Kansas data breach compromised millions of Social Security numbers In 10 States

“Over 5.5 million potentially compromised”

A breach of the Kansas Department of Commerce may have given hackers access to millions of Social Security numbers, putting the department on the hook for credit monitoring services for all victims. The SSNs had not been previously reported. The Kansas News Services obtained the information through an open records request.


My First Trendjack Experience at 10Fold

As a new addition to the 10Fold team, as well as being new to the cybersecurity practice in general, it has been important for me to monitor the news on a daily basis in order to get familiar with trending topics and identify what it is my clients can speak to with authority. Although many stories have caught my eye in the last two months since I started these daily news sweeps, the NotPetya cyber attack stood out to me above all others.  

Petya/NotPetya/ExPetr/GoldenEye is an ongoing cyberattack that started Tuesday, June 26. It began with a cyberattack in Kiev, Ukraine, where this malware went on to hit around 2,000 computer systems, specifically targeting computers running the Microsoft Windows operating system. While many people originally believed it to be a form of ransomware similar to the recent ‘Petya’ attacks, this malicious software has been categorized as a “wiper.” It’s designed to cause mayhem and wipe computers – and is not actually ransomware – which is why this ongoing attack has adopted so many names. It’s similar, but also different in a lot of ways.

Although corporations and public sector agencies were affected in more than 65 countries all over the world, Ukraine and Russia were hit the hardest, including Ukrainian government ministries, banks, utilities, telecom operators, an airport and other major companies. Also attacked were Russian oil giant Rosneft and Russian web security firm Group-IB. Computers at the Chernobyl nuclear plant were compromised as well, forcing workers to manually monitor radiation levels, which has its own inherent security and safety challenges. Others hit include companies in the UK, Germany, China and U.S., British advertising giant WPP, French industrial group Saint-Gobain, shipping giant A.P. Moller-Maersk, Cadbury, pharmaceutical companies, hospitals and many more.

What was interesting about Petya was that after encrypting files on the PC, it demanded $300 worth of Bitcoin cryptocurrency in order to supposedly unlock them. As the story evolved, the ransomware was later categorized as a wiper, as previously stated, and the computers’ files were completely destroyed. Some security experts claim that this attack is more harmful than WannaCry, because rather than spreading only via a weakness in Windows’ SMB, the NotPetya malware can also spread by finding passwords on the infected computer to move from system to system. It extracts passwords from memory and the local filesystem. Once inside a corporate network, it works its way from computer to computer, destroying the infected machines’ filesystems.

There has yet to be a solid explanation of the attackers’ motive and what they were after. Researching the attack, NATO said it was likely launched by a state actor, or by a non-state actor with support and approval from a nation state, since the operation was extremely complex and likely very expensive. The Russian government has been suspected as a possible origin for NotPetya. The latest rumors suggested that it was spread by accident by a Ukrainian tax software company named MeDoc.

NotPetya is continually evolving and more information is exposed every day. As one of the more significant organized attacks in 2017, it should bring awareness to the fact that many are unprotected. Even though large-scale attacks like this are not new, they are important to watch because each time around they are getting stronger and more sophisticated.   

It will be fun keeping an eye on more of these trends as they pop up. The next one I’ll dive into is the recent disclosures of public cloud leaks from organizations using the popular AWS services!

By Kory Buckley


10Fold- Security Never Sleeps- 179

‘NotPetya’ Hackers Demand $256,000 In Bitcoin To Cure Ransomware Victims

“One of biggest attacks leaves many with a big bill”

Some of the largest industrial firms were infected by the ‘NotPetya’ ransomware, and those responsible are demanding 100 Bitcoin, or about $256,000, to decrypt the victims’ files. A post on Pastebin by an anonymous user said: “Send me 100 Bitcoins and you will get my private key to decrypt any harddisk (except boot disks).”

Fake WannaCry Ransomware Uses NotPetya’s Distribution System

“Distributed through the same channel”

The NotPetya malware was not the only bug to make its way through M.E.Doc last week. A WannaCry variant that turned out to be a fake, FakeCry, was delivered by the same mechanism. Kaspersky found that FakeCry was delivered to M.E.Doc users on June 27th, the same day NotPetya spread. The security firm says that it was run as ed.exe by the parent process ezvit.exe, which led Kaspersky to believe that it uses the same delivery system as NotPetya.

Android Ransomware Mimics WannaCry

“WannaCry interface similarities in SLocker”

Windows systems were hit by ransomware that had an interface mimicking the WannaCry malware last month. Trend Micro security researchers found that one of the first Android ransomware families to encrypt files in exchange for payment, SLocker, has had a major upgrade. SLocker has been seen before, but was offline for a while after its creator was arrested just days after its initial release.

CopyCat malware infected 14 million outdated Android devices

“Fraudulent ad revenue collected”

A new Android malware strain dubbed CopyCat has injected itself into over 14 million outdated devices globally. The malware hijacks applications to display fraudulent ads, according to Check Point researchers. On Thursday, the security firm claimed that most victims were in Asia, but over 280,000 U.S. devices were also affected. Google was tracking the malicious software for the better part of two years, but third-party app downloads, phishing attacks, and other avenues make the infection difficult to contain.


10Fold- Security Never Sleeps- 178

Windows 10 Is Getting A Clever New Way To Fight Off Ransomware

“New ability added to Windows Defender”

The built-in Windows anti-malware application has been outfitted with a new protective mechanism. ‘Controlled Folder Access’ allows only recognized trustworthy devices and users to access the files that you activate the feature for.

Medicare data breach: Alan Tudge admits department unaware darknet vendor selling card details

“HS Minister concedes after investigation”

Alan Tudge, Australian Human Services Minister, now confirms that his department was blind to the fact that a secretive darknet vendor had obtained and begun to sell Australian Medicare information on the web. The Guardian published an investigation Tuesday that revealed the operation, which had sold about 75 individuals’ records on an illegal product auctioning site. Mr. Tudge has addressed the breach in a recent statement:

Decrypting the Motivations Behind NotPetya/ExPetr/GoldenEye

“Who and Why still largely unknown”

The most recent malware attack to rock Ukraine and others seems to have left more questions than answers. Reaching at least 60 countries, the malware is now even taking on different names. Some researchers have dubbed it Petya, due to its similarities with the Petya malware seen previously. However, others refute the relationship, leaving it categorized as NotPetya, GoldenEye, and more. Kaspersky Lab has found similarities with a modified version of Petya, and has settled on ExPetr.

Zero-Day Found in Humax WiFi Router

“Vulnerable routers easily compromised”

Security systems in the new HG-100R Humax WiFi router are apparently fragile enough to allow hackers remote access to sensitive information and administrative command control. Trustwave SpiderLabs researchers discovered the flaw in May, but repeated warnings to the manufacturer were allegedly met with silence.

Personal Details of 117,000 AA Shoppers Exposed

“15 million member organization criticized for security faults”

The Automobile Association is the target of heavy criticism this week after news that a major data malfunction may have compromised the sensitive information of much of its membership base. A server misconfiguration left the data of at least 100,000 customers vulnerable; however, the organization had downplayed the severity of the incident. The company posted the following message to customers on Monday:
