Friday, July 21, 2017


Time for a new strategy

Chief Information Security Officers must revisit their strategy
17 July 2017
The Chief Information Security Officer (CISO) is under great pressure. Cyberattacks are growing in number and becoming ever more sophisticated; the recent ransomware variant PetrWrap (Petya/NotPetya) is a case in point. The consequences are immense: beyond the direct financial loss there is reputational damage. CISOs would do well to take a hard look at their security strategy and revise it where needed. Only then can they defend their organisation against cyberattacks as effectively as possible.

Numerous studies show that a serious data breach causes major problems. The Ponemon Institute, for instance, put the average cost of a serious breach at four million dollars. And attempts to steal data are on the rise: last year Symantec recorded increases in ransomware attacks and phishing attempts of 35 and 55 percent respectively.
Under these circumstances the CISO's work becomes more important, but also more complex. CISOs have to protect their organisations against a broad range of threats while the C-suite and the board watch them closely. Under this pressure the security strategy is being revisited, but CISOs can never prevent every threat. Together with their teams and peers, they must focus on optimising their ability to respond adequately to security risks.
This optimisation consists of three steps: investing in automation, emphasising the prioritisation of threats, and deploying staff efficiently.

Step 1: Automate

Many organisations rely on a manual, decentralised system to track security incidents. More than a quarter of CISOs say such manual processes are a barrier to implementing effective security in their organisation. There is therefore much to gain by automating the response and recovery processes around a cyberattack. It is important that this takes the security workflow across different departments into account, which is often still lacking today. By working with IT and other departments on a single platform, security tasks can be automated faster and more intelligently. That in turn benefits the prioritisation process in step two.

Step 2: Prioritisation as part of automation

Most organisations find it hard to prioritise security alerts by the severity of the threat. This can paralyse an organisation, because every threat and attack is taken equally seriously, all the more so when companies can be hit by thousands of cyberattacks a day. Being able to prioritise threats properly is an essential part of an effective security strategy, and therefore an essential precondition for CISOs to do their job well.

Step 3: Let staff focus on complex tasks

The third and final step is to use the time and talent of security staff as effectively as possible. With processes automated and threats prioritised, security staff have their hands free to respond faster to breaches and attacks and even to anticipate emerging dangers. That, after all, is the core of their work, not cataloguing suspicious emails. Moreover, at a time of scarce IT talent it is important to make optimal use of the talent that is available. That there is still much work to do here is clear from the fact that only 7 percent of CISOs believe their organisation employs enough security staff who can properly assess which cyberthreats are most damaging to the business strategy.
Routine work decreases
By following these three steps and focusing on the best approach to cyberthreats, CISOs are better able to protect the most critical parts of their organisation. This strategy also raises employee satisfaction, because routine work decreases. And ultimately it leaves CISOs able to respond to threats faster and more efficiently than ever before.

'Spyware,' Ransomware Top Threats but Defenders Slowly Improve


Nearly half of firms have encountered spyware, according to Cisco’s semi-annual cyber-security report.
Business email compromise, ransom-seeking criminals and questionable programs that collect information are three of the major threats facing companies in 2017, according to Cisco's Midyear Cybersecurity Report, published on July 20.
Malware and denial-of-service attacks aimed at forcing victims to pay a ransom—known as ransomware and ransom denial-of-service (RDoS), respectively—affect 49 percent of companies, according to the report, citing a study by Cisco research partner Radware. Part of the increase is due to attacks as a service—such as distributed DoS (DDoS)-as-a-service and ransomware-as-a-service—becoming the de facto approach for many cyber-criminals.
“We are seeing tools going away, and instead we are seeing a lot of as-a-service models,” Francisco Artes, security business group architect at Cisco, told eWEEK.
The report forecasts that attacks will become more destructive and focus more on easy-to-hack internet of things (IoT) devices. Combining both trends, destruction-as-a-service will become more popular, with permanent DoS (PDoS) attacks such as BrickerBot attempting to erase data and then corrupt the firmware of targeted devices so they no longer boot.


The 90-page report brings together data from a variety of sources: Cisco internal research, government data and research from nearly a dozen partners, including RSA, Radware and Qualys.
One major trend highlighted by the report is the danger of borderline spyware. Programs that seem legitimate but contain extensive spyware capabilities are becoming a larger problem, Cisco stated in the report. In a study of the network traffic of approximately 300 companies, Cisco found that more than 20 percent had at least one spyware infection. The most prevalent spyware were seemingly legitimate programs that exceed their expected behavior—a description that could apply to many of the tracking services used by advertisers.
“Although operators may market spyware as services designed to protect or otherwise help users, the true purpose of the malware is to track and gather information about users and their organizations—often without users’ direct consent or knowledge,” Artes said. “Spyware companies are known to sell or provide access to the data they collect, allowing third parties to harvest information with relative anonymity.”
Six out of every 10 firms showing signs of spyware, for example, had a client compromised by the Hola service, which is advertised as a peer-to-peer virtual private network but allows remote code execution and the ability to download files while bypassing antivirus checking. Another prevalent spyware program is RelevantKnowledge, a browser plugin that collects information on the user’s browsing habits and is often installed through software bundling without the user’s knowledge.
The developers behind malware are continuously modifying their programs and techniques to attempt to avoid detection. A new delivery vector was introduced for each of the top four families—Kryptik, Ramnit, Nemucod and Fareit—approximately every day. While the number of vectors focused on the Web gradually declined over the study period, the number of vectors through email increased.
Overall, companies seem to be improving their defensive efforts. Firms focused on quickly fixing vulnerabilities have made great strides in reducing their attack surface area, according to the report. In 2017, companies took an average of 62 days to eliminate 80 percent of the known Adobe Flash vulnerabilities in their organizations, according to Cisco partner Qualys, a vulnerability management firm. While there seems to be little to celebrate in that response time, it used to take 308 days to reach the same benchmark in 2014.
In addition, companies are getting better at detecting incidents in their networks. Cisco's median time to detection (TTD), the period between when a compromise happens and when the company's security team detects the incident, fell to about 3.5 hours in May 2017, down from 39 hours in November 2015.
Robert Lemos


Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...

Sunday, July 16, 2017

Pervasive encryption: Just say yes


Never mind the performance penalty

In my day job as a sysadmin for a small business, and in my moonlighting as a freelance tech consultant, I get to do a lot of thinking about security.
Ignorance of information security among small businesses is hardly news but in my experience many small businesses are only now getting the hang of securing their local PCs - just in time to become infatuated by cloud computing tools they barely understand.
Picture the scene at a typical small retailer. After finding the consternation-inducing 69p that someone dropped on the floor, the bored till-jockey goes into the back room and fires up the ten-year-old MacBook. Several minutes later, the browser loads. The opportunity has at last arisen to punch in the sacred credentials written down on the battered yellow Post-it.
A couple of links are clicked; the till-jockey is now editing a cloud-hosted spreadsheet. Numbers from the till are entered absent-mindedly while texting friends and grabbing personal items in preparation for leaving. A box pops up; an annoyed stab is made in the general direction of “yes, okay” or whatever it seems will make said unwanted and irrelevant intrusion into consciousness go away. The document is saved immediately before the till jockey dashes out the door to catch the bus.

Compromising position

Behind the scenes, what has happened is much more interesting. Someone using a suite of applications bought online has begun to attack the network. The Wi-Fi – using WEP – is for all intents and purposes unsecured; the WEP secret to the network is easily cracked. A well-known vulnerability is exploited to breach and then root the Wi-Fi router. Our attacker has just given himself the ability to perform man-in-the-middle attacks. A security alert pops up on the browser of our bored till-jockey, but he has bypassed it in his hurry to go home.
The password for the cloud service is scraped from the plaintext HTTP session, and some very minor code injection allows a complete download of the browser history. The code injection also allows the exploitation of the unpatched browser, leading to the local system being rooted. Rampant password re-use allows access to the company's complete stack of cloud services. Email, banking, accounting, CRM/ERP/BIS – including a great deal of customer personally identifiable information – have just been compromised in a matter of minutes.
With this sort of scenario in mind I want to make the case for pervasive encryption. Encryption is by no means free; it exacts a performance penalty that at cloud scale can mean millions or even billions of dollars. Traditionally, every three cores in use doing actual work has meant one core dedicated to encryption.
From a pure hardware standpoint, this is not the end of the world. Chips are cheap and getting cheaper. More and faster cores are continuously available running in the same or lower thermal envelopes.
Increasingly, modern systems are shipping standard with NICs, HBAs and other devices peripherals that offer more options than running encryption on the CPU. Hardware virtualization tech continually lessens the penalties of that technology; and new management tools integrate with our data centres to move loads around the room in order to deal with “hot spots.”
There are other costs; the increased electrical and cooling loads generated by encryption can’t simply be wished away. With dedicated and specialized crypto-processors however, the toll exacted for encrypting everything everywhere should be significantly less than the 25 per cent paid by doing it all in software.
As well as hardware considerations, pervasive encryption brings up some weighty software licensing issues. Anyone using Oracle-anything will go more than a little pale at the thought of suddenly having 25 per cent of their processing capacity vanish into encryption. Dedicated FPGAs and ASICs are available for cloud-scale deployments where licensing is a serious consideration. These allow serious crypto to be done - often without any licensing impact.
Except for dedicated communications channels between diligently maintained back-end systems, pervasive encryption is unquestionably worth it. The various flavours of encryption are one part of properly securing our own networks, and ensuring their widespread use boosts the security of our customers' networks as well as our own.
Nobody wants their credit card compromised the next time they go out to buy fish food. Especially if the entire incident could have been avoided by a little bit of encryption at any of several different points along the way. ®

Thursday, June 29, 2017

Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide


This isn't ransomware – it's merry chaos


Analysis It is now increasingly clear that the global outbreak of a file-scrambling software nasty targeting Microsoft Windows PCs was designed not to line the pockets of criminals, but spread merry mayhem.
The malware, dubbed NotPetya because it masquerades as the Petya ransomware, exploded across the world on Tuesday, taking out businesses from shipping ports and supermarkets to ad agencies and law firms. Once inside a corporate network, this well-oiled destructive program worms its way from computer to computer, trashing the infected machines' filesystems.
Although it demands about $300 in Bitcoin to unscramble the hostage data, the mechanisms put in place to collect this money from victims in exchange for decryption keys quickly disintegrated. Despite the slick programming behind the fast-spreading malware, little effort or thought was put into pocketing the loot, it appears.
"The superficial resemblance to Petya is only skin deep," noted computer security veteran The Grugq. "Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This [latest malware] is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ransomware.”
To put it plainly, this code was built to destroy, not extort.
Here's a summary of the NotPetya outbreak:
  • The malware uses a bunch of tools to move through a network, infecting machines as it goes. It uses a tweaked build of the open-source Mimikatz to extract administrator credentials from the machine's running memory. It uses these details to connect to and execute commands on other machines via PsExec and WMIC to infect them. To find targets it can scan the local subnets or, if the infected machine is running the Windows DHCP server service, read the lease table to identify known hosts.
  • It also uses a modified version of the NSA's stolen and leaked EternalBlue SMB exploit, previously used by WannaCry, plus the agency's stolen and leaked EternalRomance SMB exploit, to infect other systems by injecting malicious code into them. These cyber-weapons attack vulnerabilities that Microsoft patched earlier this year (MS17-010), so at organisations that are on top of their Windows updates the credential theft is usually the more successful route.
  • Crucially, NotPetya seeks to gain administrator access on a machine and then leverages that power to commandeer other computers on the network: it takes advantage of the fact that far too many organizations employ flat networks in which an administrator on one endpoint can control other machines, or sniff domain admin credentials present in memory, until total control over the Windows network is achieved.
  • One way to gain admin access is to use the NSA exploits. Another way is to trick a user logged in as an admin or domain admin into running a booby-trapped email attachment that installs and runs the malware with high privileges. Another way is to feed a malicious software update to an application suite running as admin or domain admin, which starts running the malware on the corporate network again with high privileges. It is understood NotPetya got into corporate networks as an admin via a hijacked software update for a Ukrainian tax software tool, and via phishing emails.
  • With admin access, the software nasty can not only lift credentials out of the RAM to access other internal systems, it can rewrite the local workstation's hard drive's MBR so that only the malware starts up when the machine reboots, rather than Windows, allowing it to display the ransom note and demand an unlock key; it can also encrypt the NTFS filesystem tables and files on the drive. NotPetya uses AES-128 to scramble people's data.
  • Needless to say, don't pay the ransom – there's no way to get the necessary keys to restore your documents. It appears the malware doesn't provide enough information to the extortionists for them to generate a correct unlock key, so it would be impossible to obtain a working decryption key from the crims. And the means to contact the miscreants after paying the money is now shut off, so you're out of luck regardless.
  • Not only should you patch your computers to stop the SMB exploits, disable SMBv1 for good measure, and block outside access to ports 137, 138, 139 and 445, you must follow best practices and not allow local administrators carte blanche over the network – and tightly limit access to domain admins. You'd be surprised how many outfits are too loose with their admin controls.
  • The precise affected versions of Windows aren't yet known, but we're told Windows 10's Credential Guard thwarts NotPetya's password extraction from memory.
  • Creating the read-only file C:\Windows\perfc.dat on your computer prevents the file-scrambling part of NotPetya running, but doesn't stop it spreading on the network. Note, the software is designed to spread internally for less than an hour and then kicks in; it doesn't attempt to spread externally across the internet like WannaCry did.
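The lateral-movement pattern summarised above (WMIC and PsExec starting rundll32.exe on remote hosts to load the payload DLL via its first ordinal export) is something a defender can hunt for in process-creation telemetry. The following is an added example, not code from The Register, Microsoft or any vendor report. It assumes Sysmon Event ID 1 style fields (Computer, User, Image, ParentImage, CommandLine) serialised as one JSON object per line; the sample events are constructed, and the command-line shapes are modelled on public write-ups of the outbreak and should be treated as assumptions for illustration rather than vetted signatures.

```python
"""Hunt for NotPetya-style WMIC / PsExec / rundll32 lateral movement.

Added example; not code from the article or any vendor. Log format and
sample events below are CONSTRUCTED. Command-line shapes are assumptions
modelled on public write-ups, not vetted detection signatures.
"""
import json
import re
from collections import defaultdict

RULES = {
    # Payload DLL (seen on disk as C:\Windows\perfc.dat) started through its
    # first ordinal export; the worm does this locally and on every hop.
    "rundll32_ordinal_payload": re.compile(
        r'rundll32(\.exe)?\b.*perfc\S*"?\s*,?\s*#1\b', re.I),
    # WMIC remote process creation using explicit (stolen) credentials.
    "wmic_remote_exec": re.compile(
        r'\bwmic(\.exe)?\b.*/node:.*process\s+call\s+create', re.I),
    # PsExec-style hop: UNC target, -accepteula, run as SYSTEM (-s).
    "psexec_remote_exec": re.compile(
        r'\\\\\S+.*-accepteula.*\s-s\b.*rundll32', re.I),
}
# Receiving side of a hop: rundll32 spawned by the WMI or PsExec service.
REMOTE_PARENTS = {"wmiprvse.exe": "wmi_spawned_rundll32",
                  "psexesvc.exe": "psexec_spawned_rundll32"}
# Target host from a WMIC /node:"host" or PsExec \\host argument.
TARGET_RX = re.compile(r'/node:"?([^"\s]+)"?|\\\\([^\s\\"]+)', re.I)


def classify(event):
    """Return the indicator names one process-creation event triggers."""
    cmd = event.get("CommandLine", "")
    hits = [name for name, rx in RULES.items() if rx.search(cmd)]
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if image == "rundll32.exe" and parent in REMOTE_PARENTS:
        hits.append(REMOTE_PARENTS[parent])
    return hits


def analyse(log_text):
    """Group indicators per host and rebuild the source->target hop graph."""
    indicators = defaultdict(set)
    propagation = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        hits = classify(event)
        if not hits:
            continue
        host = event["Computer"]
        indicators[host].update(hits)
        if {"wmic_remote_exec", "psexec_remote_exec"} & set(hits):
            m = TARGET_RX.search(event["CommandLine"])
            if m:
                propagation[host].add(m.group(1) or m.group(2))
    return {"indicators": {h: sorted(v) for h, v in indicators.items()},
            "propagation": {h: sorted(v) for h, v in propagation.items()}}


def _ev(computer, user, image, parent, cmdline):
    return {"EventID": 1, "Computer": computer, "User": user,
            "Image": image, "ParentImage": parent, "CommandLine": cmdline}


SYS32 = "C:\\Windows\\System32\\"
# CONSTRUCTED sample log: WS01 is the first victim (payload launched by an
# updater, as in the MeDoc story); it hops to WS02 via WMIC and to WS03 via
# a renamed PsExec. WS04 shows benign admin activity that must not fire.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _ev("WS01", "CORP\\jdoe", SYS32 + "rundll32.exe",
        "C:\\Program Files\\Accounting\\update.exe",
        SYS32 + 'rundll32.exe "C:\\Windows\\perfc.dat",#1 30'),
    _ev("WS01", "CORP\\jdoe", SYS32 + "wbem\\WMIC.exe", SYS32 + "rundll32.exe",
        'wmic.exe /node:"WS02" /user:"CORP\\svc_backup" /password:"Winter2017!" '
        'process call create "' + SYS32 + 'rundll32.exe \\"C:\\Windows\\perfc.dat\\" #1 60"'),
    _ev("WS02", "CORP\\svc_backup", SYS32 + "rundll32.exe", SYS32 + "wbem\\WmiPrvSE.exe",
        SYS32 + 'rundll32.exe "C:\\Windows\\perfc.dat" #1 60'),
    _ev("WS01", "CORP\\jdoe", "C:\\Windows\\dllhost.dat", SYS32 + "rundll32.exe",
        'C:\\Windows\\dllhost.dat \\\\WS03 -accepteula -s -d '
        + SYS32 + 'rundll32.exe "C:\\Windows\\perfc.dat",#1 60'),
    _ev("WS03", "NT AUTHORITY\\SYSTEM", SYS32 + "rundll32.exe", "C:\\Windows\\PSEXESVC.exe",
        SYS32 + 'rundll32.exe "C:\\Windows\\perfc.dat",#1 60'),
    _ev("WS04", "CORP\\asmith", SYS32 + "wbem\\WMIC.exe", SYS32 + "cmd.exe",
        "wmic os get caption"),
    _ev("WS04", "CORP\\asmith", SYS32 + "rundll32.exe", SYS32 + "explorer.exe",
        "rundll32.exe shell32.dll,Control_RunDLL"),
])

if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_LOG), indent=2))
```

Run against the sample, `analyse` reports WS01 as the origin of hops to WS02 and WS03, WS02 and WS03 as receiving ends (rundll32 under WmiPrvSE.exe and PSEXESVC.exe), and nothing for WS04. The point of the hop graph is the one the article makes: the worm needs an admin on one box to be able to run code on the others, so a single source fanning out to many targets is the signal to act on, regardless of which SMB exploit or stolen credential got it there.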

In the beginning

So far, the vast majority of infections have occurred in Ukraine and Russia, but some big names in the West have also suffered. International advertising conglomerate WPP was taken offline (even its website was down), global law firm DLA Piper was infected and, most worryingly, shipping goliath Maersk is warning of a worldwide outage that could seriously bork the global transport supply chain. Computer terminals in major ports were borked for hours by the malware.
In Ukraine itself, which appears to be ground zero for the attack, the situation was critical. Large numbers of businesses were caught by the software nasty – the contagion has broken the automatic radiation monitoring systems in Chernobyl, meaning some unlucky scientists are going to have to take readings manually for the time being. Energy companies were hit as well as government agencies.
According to Ukraine's cyber-cops, as well as phishing emails booby-trapped with malware-laden attachments, financial software firm MeDoc was used to infect computers in the ex-Soviet nation. We're told miscreants managed to compromise a software update for the biz's products, which are widely used in the country, so that when it was downloaded and installed by victims it contaminated their network with NotPetya. If this software was running with domain admin access, it would be immediately game over.
MeDoc issued an early statement confessing "our server made a virus attack," but has since U-turned on Facebook, denying that it is responsible.
The tax software maker admitted it was hacked but said its last software update was sent out on June 22, just before Tuesday's attack. However, police said that on June 27 the update servers – upd.me-doc.com.ua – pushed out a 333KB download to customers that unpacked a RUNDLL32.EXE containing the NotPetya nasty. Oops.
The executable, by the way, lightly XOR encrypts itself and uses faked Microsoft digital signatures in an attempt to fool antivirus scanners. When the nasty started spreading, just two AV engines on the VirusTotal roster detected it as dangerous.

What's in a name?

While it was first assumed that the malware was a new strain of the Petya ransomware family that surfaced last year, that is now in doubt due to some key differences in code. The changes are so striking that Kaspersky Lab has gone as far as to dub the code "NotPetya."
One thing is certain – if you are infected with the malware and it has taken a mixing spoon to your bytes, you're screwed. There doesn't appear to be a way to restore PCs with scrambled filesystems, and no way to pay the ransom, because the Posteo webmail address given to pay the $300 ransom has been shut down.
"Since midday it is no longer possible for the blackmailers to access the email account or send emails," Posteo said. "Sending emails to the account is no longer possible either."
Putin and his pals in action?
The first clue is in the types of files this piece of ransomware encrypts. Typically this kind of malware encrypts everything to make the victim more likely to cough up the digital cash, but in total this ransomware encrypts 65 types of files, from .7z archives and .c source files to .aspx code to .pdf and .php files to PowerPoint and Python to VMware images and Excel spreadsheets.
That might sound like a lot, but the original Petya ransomware that popped up last year encrypted hundreds of file types, and the new code makes some interesting choices in what it encrypts.
"It's very odd," Justin Cappos, assistant professor of security, operating systems and networks at the New York University Tandon School of Engineering told The Register.
"The image types like .png don't seem to be among those encrypted and usually those would be the kinds of things people want to encrypt because the victims will care about their baby pictures, if you were targeting consumers. I find this suspicious; it's targeting code and even Python scripts and Visual Basic to lock down developers' work."
There's also the method of extracting money from the attack. Ransomware has been exploding of late because it makes it easy for criminals to collect funds without having to recruit a lot of money mules around the world to harvest payments.
Bitcoin has helped with this and, as you'd expect, this infection also asks for the digital currency but with a crucial difference. This time, users wanting to get their files back had to email details to a specific address.
This is neither normal nor sensible, since the malware writers must have known that the email address would be shut down quickly, which cut off access to funds. This is not how criminals looking to make a quick buck operate.
Another hint comes in the timing of the attack. Tomorrow, June 28, is a national holiday in Ukraine, its annual Constitution Day. Criminal hackers typically attack on holidays and weekends to avoid detection, but doing so the day before looks like an attempt to cause maximum disruption for the largest number of people in the country.
Who is Ukraine's main enemy at the moment? Russia, since it's currently fighting a proxy in the country by supporting the Donetsk People's Republic that has set itself up in the east of the country. Russia has also been accused of hacking Ukrainian systems in the past.
That said, Russian firms have been hit by the ransomware too. State oil giant Rosneft has reported infections, although it says oil production and processing weren't harmed in the outbreak, and local steel maker Evraz has also been infected.
As is so often the case in online attacks, we may never know the truth behind the source of the infection, but Interpol and police forces in at least three countries are investigating the source and motivations behind the attacks. Microsoft will be doing its own detective work and says Defender has been updated to block the ransomware.
"Our initial analysis found that the ransomware may use multiple techniques to spread, including one which was addressed by a security update previously provided for all platforms from Windows XP to Windows 10," a spokesperson told The Reg.
"As ransomware also typically spreads via email, customers should exercise caution when opening unknown files. We are continuing to investigate and will take appropriate action to protect customers."
In the meantime, the best advice for dealing with ransomware hasn't changed since yesterday. Ensure that you take regular and complete backups, patch software as soon as possible, and disable any unwanted features or open ports that can be closed off. ®


Wednesday, June 28, 2017

Petya ransomware reportedly spread via malicious software updates, Windows exploits and tools



While WannaCry ransomware specifically targets files, Petya attempts to encrypt a machine's entire hard disk, making it significantly more dangerous to infected organizations.
The Petya ransomware attack that infected corporations around the world today may have originated from a malicious update for a Ukrainian accounting software product called MeDoc, according to researchers.
Additionally, the ransomware possibly leverages not one, but two former Microsoft Windows exploits that were employed by the National Security Agency (NSA) before they were leaked by the Shadow Brokers hacking group.
Still, the security community has much work to do as it scrambles for answers regarding Petya's coding, how the ransomware differs from WannaCry 2.0, and the attackers' identity and motive. At this point, there is even disagreement over whether or not the ransomware is actually a variant of Petya at all.
Petya Analysis: Worse than WannaCry
Like the WannaCry malware that infected victims in May, Petya has a wormable component that allows it to spread laterally around connected networks. But while WannaCry specifically targets files, Petya encrypts a machine's entire hard disk by overwriting the master boot record, making it significantly more dangerous to infected organizations.
"Unlike other types of ransomware, the Petya ransomware family appears to be more brutal in the techniques it uses to encrypt files as it goes straight for the hard drive to encrypt the entire machine," said Lenny Zeltser, vice president of products at endpoint security solutions company Minerva. "Therefore, not only do users lose their data, their entire productivity is shut down as even their Windows operating system won't run."
Chris Hinkley, lead ethical hacker at Armor, similarly noted that while Petya looks like "somewhat of a WannaCry copycat," it is potentially worse because it "for all intents and purposes turns the computer off."
And in a surprise twist, Recorded Future reported that Petya ransomware is actually being coupled with a second payload: an information stealer, possibly Loki Bot. "The Loki Bot information stealer grabs usernames and passwords from victim computers and sends the data to a command and control server controlled by the attacker," said Allan Liska, an intelligence analyst at Recorded Future. "If confirmed, that would mean that while the computer is completely inoperable because of the Petya ransomware, the attackers have full access to the usernames and passwords stolen from the computer."
The specific variant of Petya spreading around the world has been identified by some researchers as PetrWrap. According to the Kaspersky researchers who described this variant earlier this year, PetrWrap is derived from the original Petya ransomware-as-a-service module, but with a modification that allows its operators to receive ransom payments without having to share the profit with the original developers. Others have identified today's ransomware as another variant called GoldenEye, which was described in a recent Sophos report.
However, Kaspersky reported via Twitter that, contrary to public reports, the ransomware actually may not be a variant of Petya at all, but rather a previously undiscovered ransomware that it is calling NotPetya.
There are also conflicting accounts of how companies have been infected. Many reports have cited phishing scams as a likely source of infection. While this is possible in some cases, the evidence strongly suggests that Ukrainian organizations were by and large infected via a malware-ridden update of MeDoc accounting software, according to a report from Cisco Talos and another from Kaspersky. In a Facebook post, MeDoc denied that its software updates were responsible for any infections, though it did admit to being targeted by hackers.
Still, a compromise of MeDoc would not likely explain how other international organizations became infected as Petya began to spread outside of Ukraine's borders.
What seems more clear at this time is that once the malware resides on a machine, it then spreads laterally across connected networks via various Windows exploits and tools. While WannaCry specifically leveraged the exploit known as EternalBlue, Petya (or NotPetya) takes advantage of both EternalBlue and EternalRomance, a separate remote code execution Windows exploit, Kaspersky reported. According to various reports, the ransomware also uses the Windows Management Instrumentation Command-line (WMIC) interface and the telnet alternative PsExec to enable lateral propagation.
Via Twitter, security researcher Kevin Beaumont additionally reported that the ransomware has no kill switch in its code, like the kind that cut short WannaCry's path of destruction. And Ori Bach, vice president of product at TrapX Security, said that his company determined from a malware sample analysis that Petya was designed "not to run on desktops [that] only have a keyboard running EN-US" language code (which commands the Windows operating system to use U.S. standard English). If accurate, this might suggest that the attackers hoped to avoid U.S. casualties, although American companies including the pharmaceutical company Merck were reportedly hit.
SC Media's own research expert Dr. Peter Stephenson also conducted his own sample analysis and found that the ransomware uses a wrapper program for obfuscation purposes. Commenting on fellow researchers' early findings, Stephenson highlighted the uniqueness of the malicious MeDoc update, noting that "there haven't been a lot of massive attacks that have been spread that way."
In conclusion, while the WannaCry attack appeared amateurish in how it was executed, Petya has all the hallmarks of a professional job, Stephenson surmised.
Poor Patching to Blame
In March 2017, Microsoft issued patches for both vulnerabilities linked to the NSA's EternalBlue and EternalRomance exploits. So if, indeed, the attackers capitalized on these bugs, it further demonstrates the continued negligence of companies that fail to update their software, in spite of lessons learned from the WannaCry infection.
"Given the notoriety that WannaCry achieved, it's surprising to see that organizations are falling victim to a vulnerability that has been public knowledge since earlier this year," commented Andrew Avanessian, VP at Avecto.
"The current approaches to security with respect to patching and updates are severely broken," said Mike Kail, CTO at Cybric. "Companies need to rapidly adopt a much more continuous strategy around patching and security testing, along with a robust disaster recovery plan that gets tested frequently." This is especially true for organizations that provide critical infrastructure technology, he noted, alluding to Ukrainian energy companies that were affected in this latest attack, including the Chernobyl nuclear plant.
Mike Ahmadi, global director of critical systems security within Synopsys's software integrity group, called for increased legal enforcement of security patching. "Systems on a global level remain highly vulnerable and selective fixes only serve to perpetuate an attack based on the next vulnerability on what is now a nearly exponentially growing list of exploitable security bugs," said Ahmadi. "Unless vulnerability management and certification of systems becomes a legal requirement, we can expect to see attacks that are bigger and more sophisticated."

https://www.scmagazine.com/petya-ransomware-reportedly-spread-via-malicious-software-updates-windows-exploits-and-tools/article/671543/

Huge 'Petya' cyber attack spreading across the world in potential repeat of 'Wannacry' hack

http://www.independent.co.uk/life-style/gadgets-and-tech/news/hack-cyber-attack-ukraine-russia-wannacry-petya-security-internet-broken-computer-not-working-a7810626.html

Thursday, June 22, 2017

Cyber Attack At Honda Stops Production After WannaCry Worm Strikes

Honda was forced to halt production at its Sayama plant after WannaCry virus struck. Photo by KAZUHIRO NOGI/AFP/Getty Images
The WannaCry worm is still alive. Honda said this week that it was forced to halt production for one day at its Sayama plant near Tokyo after finding the WannaCry ransomware in its computer network.
This virus is the same one that infected over one million machines worldwide after taking advantage of security holes in some Microsoft products. According to a Honda spokesperson, about 1,000 units were not produced as planned at the plant when WannaCry attacked several older production line computers, causing them to shut down. The Sayama plant produces models such as the Accord sedan and Odyssey and StepWagon minivan models.
Production at other Honda plants had not been affected, with regular operations resuming at the Sayama plant this week. Honda discovered that the virus had infected networks across Japan, Europe, North America and China, despite moves to secure its systems in mid-May when WannaCry caused widespread disruption worldwide.
Nissan and Renault were also affected by the cyber attack last month, forcing them to temporarily stop production at plants in Japan, Britain, India, France and Romania.
WannaCry has infected companies using aging technology and outdated software and this appears to be what transpired at Honda’s Sayama plant.
Cyber security company Kryptos Logic said last week that it had dealt with 60 million infection attempts from WannaCry over the past month.
Intelligence agencies have linked the virus infections to a hacking group associated with North Korea and say that the threat of further attacks still looms.

https://www.forbes.com/sites/peterlyon/2017/06/22/cyber-attack-at-honda-stops-production-after-wannacry-worm-strikes/#32fc967a5e2b