Viruses and Worms

UK Defence Committee chair muses treating TikTok like Huawei: So eyeball its code then ban it from the country?

The Register - Anti-Virus - 3 August, 2020 - 19:36
Chinese-owned vid app reportedly moving HQ to London

The chairman of UK Parliament's Defence Committee has suggested making popular app TikTok subject to Huawei-style code reviews by GCHQ, if its reported move to a new London HQ comes true.…

Category: Viruses and Worms

Garmin Pays Up to Evil Corp After Ransomware Attack — Reports

VirusList.com - 3 August, 2020 - 18:26
The ransom for the decryptor key in the WastedLocker attack could have topped $10 million, sources said.
Category: Viruses and Worms

Linux Foundation rolls bunch of overlapping groups into one to tackle growing number of open-source security vulns

The Register - Anti-Virus - 3 August, 2020 - 17:44
OpenSSF to take projects from CII and OSSC under its umbrella

The Linux Foundation has formed the Open Source Security Foundation (OpenSSF) with founding board members representing companies including IBM, GitHub, Google, JPMorgan Chase, Microsoft, NCC Group, and Red Hat.…

Category: Viruses and Worms

Black Hat USA 2020: Critical Meetup.com Flaws Reveal Common AppSec Holes

VirusList.com - 3 August, 2020 - 17:13
With Black Hat USA 2020 kicking off this week, Erez Yalon with Checkmarx talks about newly disclosed, critical vulnerabilities in Meetup.com - and why they are the "holy grail" for attackers.
Category: Viruses and Worms

'We stopped ransomware' boasts Blackbaud CEO. And by 'stopped' he means 'got insurance to pay off crooks'

The Register - Anti-Virus - 3 August, 2020 - 16:02
CRM biz doesn't 'anticipate any kind of material financial impact' but can't say same for those whose data was nicked

"We discovered and stopped a sophisticated attempted ransomware attack," Blackbaud CEO Michael Gianoni has told financial analysts – failing to mention the company simply paid off criminal extortionists to end the attack.…

Category: Viruses and Worms

Meetup Critical Flaws Allow ‘Group’ Takeover, Payment Theft

VirusList.com - 3 August, 2020 - 15:05
Researchers disclosed critical flaws in the popular Meetup service at Black Hat USA 2020 this week, which could allow takeover of Meetup "Groups."
Category: Viruses and Worms

Monday review – our recent stories revisited

Sophos Naked Security - 3 August, 2020 - 11:41
Get yourself up to date with everything we've written in the last seven days - it's weekly roundup time.

Oh cool, more Cisco patches to apply. Happy Monday

The Register - Anti-Virus - 3 August, 2020 - 08:03
Meanwhile, KDE desktops can be pwned by evil archives

In Brief: Cisco customers once again find themselves needing to patch critical vulnerabilities in Switchzilla's gear.…

Category: Viruses and Worms

Ransomware at Garmin: the ransom was 10 million dollars. Did they pay it?

VIRY.CZ - 2 August, 2020 - 11:39

Information is leaking out of Garmin that, at least for part of the infrastructure, the "classic" procedure was not followed, in which the encrypted machines are completely wiped, reinstalled and the data restored from backups. Garmin apparently had the decryption key for the WastedLocker ransomware as early as 25.7.

How did it obtain it? Did it pay at least part of the ransom? We will probably never know. However, unless there is an outright programming error in the WastedLocker ransomware, it is unrealistic to create a decryptor without "cooperating" with the attackers. According to indications, the companies Emsisoft and Coveware are also involved in the decryption process. The first is known for a number of ransomware decryption tools, and the second offers help after a ransomware rampage.

This is what was left on the workstations after the WastedLocker ransomware attack at Garmin…

More in this article: https://www.bleepingcomputer.com/news/security/confirmed-garmin-received-decryptor-for-wastedlocker-ransomware/

Current status of Garmin services: https://connect.garmin.com/status/

Category: Viruses and Worms

Twitter hack – three suspects charged in the US

Sophos Naked Security - 1 August, 2020 - 03:08
Three people have been fingered for the recent Twitter hack in which 45 high-profile accounts were taken over.

Who was behind that stunning Twitter hack? State spies? Probably this Florida kid, say US prosecutors

The Register - Anti-Virus - 1 August, 2020 - 00:28
Alleged 17-year-old mastermind among trio charged over account mass hijackings

Three individuals were charged on Friday for allegedly hijacking a string of high-profile Twitter accounts after hoodwinking the social network's staff.…

Category: Viruses and Worms

Travel company CWT avoids ransomware derailment by paying $4.5m blackmail demand

Sophos Naked Security - 31 July, 2020 - 23:17
US travel company CWT has reportedly coughed up $4.5m to ransomware crooks who stole data and scrambled files.

4 Unpatched Bugs Plague Grandstream ATAs for VoIP Users

VirusList.com - 31 July, 2020 - 23:05
The flaws have been confirmed by Grandstream, but no firmware update has yet been issued.
Category: Viruses and Worms

Authorities Arrest Alleged 17-Year-Old ‘Mastermind’ Behind Twitter Hack

VirusList.com - 31 July, 2020 - 22:21
Three have been charged in alleged connection with the recent high-profile Twitter hack - including a 17-year-old teen from Florida who is the reported "mastermind" behind the attack.
Category: Viruses and Worms

CWT Travel Agency Faces $4.5M Ransom in Cyberattack, Report

VirusList.com - 31 July, 2020 - 18:08
The corporate-travel leader has confirmed an attack that knocked systems offline.
Category: Viruses and Worms

Anti-NATO Disinformation Campaign Leveraged CMS Compromises

VirusList.com - 31 July, 2020 - 18:03
Researchers uncovered a disinformation campaign aiming to discredit NATO via fake news content on compromised news websites.
Category: Viruses and Worms

Twitter: Epic Account Hack Caused by Mobile Spearphishing

VirusList.com - 31 July, 2020 - 15:21
Hackers "misled certain employees" to gain access to internal tools, take over high-profile accounts and push out a Bitcoin scam.
Category: Viruses and Worms

First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn't get the memo

The Register - Anti-Virus - 31 July, 2020 - 14:50
$4.5m may have gone into crims' pockets after bookings biz hit by Ragnar Locker nasty

Exclusive: US corporate travel management firm Carlson Wagonlit Travel has suffered an intrusion and it is believed the company paid a $4.5m ransom to get its data back.…

Category: Viruses and Worms

WastedLocker: technical analysis

Kaspersky Securelist - 31 July, 2020 - 13:00

The use of crypto-ransomware in targeted attacks has become an ordinary occurrence lately: new incidents are being reported every month, sometimes even more often.

On July 23, Garmin, a major manufacturer of navigation equipment and smart devices, including smart watches and bracelets, experienced a massive service outage. As confirmed by an official statement later, the cause of the downtime was a cybersecurity incident involving data encryption. The situation was so dire that at the time of writing this post (7/29) the operation of the affected online services had not been fully restored.

According to currently available information, the attack saw the threat actors use a targeted build of the trojan WastedLocker. An increase in the activity of this malware was noticed in the first half of this year.

We have performed a technical analysis of a WastedLocker sample.

Command line arguments

It is worth noting that WastedLocker has a command line interface that allows it to process several arguments that control the way it operates.

 -p <directory-path>

Priority processing: the trojan will encrypt the specified directory first, and then add it to an internal exclusion list (to avoid processing it twice) and encrypt all the remaining directories on available drives.

 -f <directory-path>

Encrypt only the specified directory.

 -u username:password \\hostname

Encrypt files on the specified network resource using the provided credentials for authentication.

 -r

Launch the sequence of actions:

  1. Delete ;
  2. Copy to %WINDIR%\system32\<rand>.exe using a random substring from the list of subkeys of the registry key SYSTEM\CurrentControlSet\Control\;
  3. Create a service with a name chosen similarly to the method described above. If a service with this name already exists, append the prefix “Ms” (e.g. if the service “Power” already exists, the malware will create a new one with the name “MsPower”). The command line for the new service will be set to “%WINDIR%\system32\<rand>.exe -s”;
  4. Start this service and wait until it finishes working;
  5. Delete the service.

 -s

Start the created service. It will lead to the encryption of any files the malware can find.

UAC bypass

Another interesting feature of WastedLocker is its chosen method of UAC bypass. When the trojan starts, it checks the integrity level it was run with. If this level is not high enough, the malware tries to silently elevate its privileges using a known bypass technique:

  1. Create a new directory in %appdata%; the directory name is chosen at random from the substrings found in the list of subkeys of the registry key SYSTEM\CurrentControlSet\Control\;
  2. Copy a random EXE or DLL file from the system directory to this new directory;
  3. Write the trojan’s own body into the alternate NTFS stream “:bin” of this system file;
  4. Create a new temporary directory and set its mount point to “C:\Windows ” (with a trailing whitespace) using the API function NtFsControlFile with the flag IO_REPARSE_TAG_MOUNT_POINT;
  5. Create a new subdirectory named “system32” inside the temporary directory. As a result of the previous step, this new subdirectory can be equally successfully addressed as “%temp%\<directory_name>\system32” or “C:\Windows \system32” (note the whitespace);
  6. Copy the legitimate winsat.exe and winmm.dll into this subdirectory;
  7. Patch winmm.dll: replace the entry point code with a short fragment of malicious code whose only purpose is to launch the content of the alternate NTFS stream of the file copied in step 2;
  8. Launch winsat.exe, which will trigger the loading of the patched winmm.dll as a result of DLL hijacking.

The above sequence of actions results in WastedLocker being relaunched from the alternate NTFS stream with elevated administrative privileges without displaying the UAC prompt.

Procmon log fragment during the launch of WastedLocker
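The "-r" service sequence and the UAC bypass steps above leave artefacts that a host monitor can see. The following is an added detection example written for this page, not code from Kaspersky or from the trojan: it runs a few rules over constructed events in a simplified Operation|Process|Path|Detail form (an assumed format, not a real Procmon or Sysmon export) and flags the mount point to "C:\Windows " with a trailing space, the write into an alternate data stream of an EXE/DLL, winsat.exe loading winmm.dll from outside the real System32, and a service whose system32 binary is started with "-s". The rule names are hypothetical.

```python
import re

# Constructed sample events (not a real log export), one per line in the assumed
# form Operation|Process|Path|Detail, modelling the behaviours described above.
SAMPLE_EVENTS = [
    "CreateFile|svchost.exe|C:\\Windows\\System32\\config\\x|ok",
    "SetReparsePoint|sample.exe|C:\\Users\\u\\AppData\\Local\\Temp\\Power|C:\\Windows ",
    "WriteFile|sample.exe|C:\\Users\\u\\AppData\\Roaming\\Power\\ftp.exe:bin|ok",
    "Process Create|sample.exe|C:\\Windows \\system32\\winsat.exe|ok",
    "Load Image|winsat.exe|C:\\Users\\u\\AppData\\Local\\Temp\\Power\\system32\\winmm.dll|ok",
    "Load Image|winsat.exe|C:\\Windows\\System32\\winmm.dll|ok",
    "CreateService|services.exe|MsPower|C:\\Windows\\system32\\Power.exe -s",
]

SYSTEM32 = "c:\\windows\\system32\\"  # the genuine system directory, lower-cased


def check_event(event):
    """Return the names of every rule the event triggers (empty list if benign)."""
    op, proc, path, detail = event.split("|", 3)
    hits = []
    # Step 4: mount point whose target is a drive path ending in whitespace ("C:\Windows ").
    if op == "SetReparsePoint" and re.fullmatch(r"[A-Za-z]:\\.*\S\s+", detail):
        hits.append("mountpoint-target-trailing-space")
    # Step 3: a payload written into an alternate data stream of an EXE or DLL.
    if op == "WriteFile" and re.search(r"\.(exe|dll):[^\\:]+$", path, re.IGNORECASE):
        hits.append("ads-write-on-executable")
    # Steps 5 and 8: any path that passes through the spoofed "C:\Windows \" directory.
    if re.search(r"\\Windows \\", path):
        hits.append("windows-dir-with-trailing-space")
    # Step 8: winsat.exe loading winmm.dll from anywhere but the real System32 (DLL hijack).
    if (op == "Load Image" and proc.lower() == "winsat.exe"
            and path.lower().endswith("\\winmm.dll")
            and not path.lower().startswith(SYSTEM32)):
        hits.append("winsat-winmm-hijack")
    # "-r" mode: a new service whose binary sits in system32 and is launched with "-s".
    if op == "CreateService" and re.search(r"\\system32\\[^\\\s]+\.exe -s$", detail, re.IGNORECASE):
        hits.append("service-system32-exe-dash-s")
    return hits


def detect(events):
    """Map each triggered rule name to the zero-based indexes of the events that fired it."""
    found = {}
    for i, event in enumerate(events):
        for rule in check_event(event):
            found.setdefault(rule, []).append(i)
    return found


if __name__ == "__main__":
    for rule, idxs in detect(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idxs}")
```

The ADS and trailing-space rules are deliberately broader than this one sample (any executable stream, any path through the spoofed directory), since the same tricks are reused by other loaders.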

Cryptographic scheme

To encrypt victims’ files, the developers of the trojan employed a combination of the AES and RSA algorithms that has already become a ‘classic’ among different crypto-ransomware families.

The search mask used to choose which files will be encrypted, as well as the list of ignored paths, are set in the configuration of the malware.

Part of the trojan config showing the ignored path substrings

For each processed file, WastedLocker generates a unique 256-bit key and a 128-bit IV, which are used to encrypt the file content with AES-256 in CBC mode. The implementation of the file operations is worthy of note, as it uses file mapping for data access; this was presumably an attempt by the criminals to maximize the trojan's performance and/or avoid detection by security solutions. Each encrypted file gets an additional extension: ".garminwasted".

The trojan also implements a form of integrity control as part of its file encryption routine. The malware calculates an MD5 hash of the original content of each processed file, and this hash may be used during decryption to verify that the procedure was carried out correctly.

WastedLocker uses a publicly available reference implementation of an RSA algorithm named “rsaref”.

The AES key, IV and the MD5 hash of the original content, as well as some auxiliary information, are encrypted with a public RSA key embedded in the trojan's body. The sample under consideration contains a 4096-bit public RSA key.

The public RSA key format used by WastedLocker

It should be noted that this kind of cryptographic scheme, using one public RSA key for all victims of a given malware sample, could be considered a weakness if WastedLocker were to be mass-distributed. In that case, a decryptor provided to one victim would have to contain the single private RSA key, which would allow all the victims to decrypt their files.

However, as we can see, WastedLocker is used in attacks targeted at a specific organization, which makes this decryption approach worthless in real-world scenarios.

The result of the RSA encryption is Base64 encoded and saved in a new file with the extension .garminwasted_info; notably, a separate info file is created for each of the victim's encrypted files. This is a rare approach that was previously used by the BitPaymer and DoppelPaymer trojans.

An example list of encrypted files from our test machine

Ransom note left by the trojan

Recommendations

The WastedLocker sample we analyzed is targeted and crafted specifically for use in this particular attack. It uses a "classic" AES+RSA cryptographic scheme which is strong and properly implemented, and therefore the files encrypted by this sample cannot be decrypted without the threat actors' private RSA key.

The Garmin incident is the next in a series of targeted attacks on large organizations involving crypto-ransomware. Unfortunately, there is no reason to believe that this trend will decline in the near future.

That is why it is crucial to follow a number of recommendations that may help prevent this type of attack:

  1. Use up-to-date OS and application versions;
  2. Refrain from exposing RDP access on the Internet unless necessary. Preferably, use a VPN to secure remote access;
  3. Use modern endpoint security solutions, such as Kaspersky Endpoint Security for Business, that support behavior detection, automatic file rollback and a number of other technologies to protect from ransomware;
  4. Improve user education in the field of cybersecurity. Kaspersky Security Awareness offers computer-based training products that combine expertise in cybersecurity with best-practice educational techniques and technologies;
  5. Use a reliable data backup scheme.

Kaspersky products protect from this threat, detecting it as Trojan-Ransom.Win32.Wasted.d and PDM:Trojan.Win32.Generic.

IoC

2cc4534b0dd0e1c8d5b89644274a10c1

VB2020 localhost call for last-minute papers now open!

Virus Bulletin News - 31 July, 2020 - 12:32
The call for last-minute papers for VB2020 localhost is now open. Submit before 17 August to have your paper considered for one of the nine slots reserved for 'hot' research!

Category: Viruses and Worms