
Author Topic: More Crypto Crap  (Read 1127 times)


Online MacGyver

  • Administrator
  • Location: Dallas, Texas
  • Posts: 4634
More Crypto Crap
« on: May 13, 2017, 03:02:18 PM »
This came from CloudWave's I.T. Department down in Dave's neck of the woods.  If you're not familiar with them, these guys are the real deal, so you can give this a lot more credence than you would something from an online blog:

Hi everyone,

There is currently a massive ransomware outbreak globally. While it is being discovered primarily in Europe and South America, it is expected to spread to US based businesses quickly.

Your computer is secure as long as current Windows updates are applied. Please follow the directions below to be sure you’re receiving updates automatically:

Windows 10:

1. Select the Start button, then select Settings > Update & security > Windows Update. If you want to check for updates manually, select Check for updates.

2. Select Advanced options, and then under Choose how updates are installed, select Automatic (recommended).

Windows 7:

1. Select the Start button. In the search box, enter Update, and then, in the list of results, select Windows Update.

2. In the left pane, select Change settings, and then under Important updates, select Install updates automatically (recommended).

3. Under Recommended updates, select the Give me recommended updates the same way I receive important updates check box, and then select OK.

The malware is spreading mostly via “hacked” email accounts, so please be on high-alert when opening email attachments, or clicking links within email, even if you know the sender!

If you notice anything out of the ordinary, or have any questions, please contact IT immediately.

Information about the infection can be found here: http://www.bbc.com/news/technology-39901382
-I'm only here because my flux capacitor is broken.

Online Keighlar

  • Moderator
  • Location: New Hampshire
  • Posts: 1605
Re: More Crypto Crap
« Reply #1 on: May 14, 2017, 11:17:50 AM »
I'm also getting this warning:

National Cyber Awareness System:

TA17-132A: Indicators Associated With WannaCry Ransomware
05/12/2017 09:36 PM EDT

Original release date: May 12, 2017 | Last revised: May 13, 2017
Systems Affected
Microsoft Windows operating systems
Overview
According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages.
The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.

This Alert is the result of efforts between the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) and the Federal Bureau of Investigation (FBI) to highlight known cyber threats. DHS and the FBI continue to pursue related information of threats to federal, state, and local government systems and as such, further releases of technical information may be forthcoming.
Description
Initial reports indicate the hacker or hacking group behind the WannaCry campaign is gaining access to enterprise servers either through Remote Desktop Protocol (RDP) compromise or through the exploitation of a critical Windows SMB vulnerability. Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017. According to open sources, one possible infection vector is via phishing emails.
Technical Details
Indicators of Compromise (IOC)

Initial Analysis
The WannaCry ransomware received and analyzed by US-CERT is a loader that contains an AES-encrypted DLL. During runtime, the loader writes a file to disk named “t.wry”. The malware then uses an embedded 128-bit key to decrypt this file. This DLL, which is then loaded into the parent process, is the actual Wanna Cry Ransomware responsible for encrypting the user’s files. Using this cryptographic loading method, the WannaCry DLL is never directly exposed on disk and not vulnerable to antivirus software scans.
The newly loaded DLL immediately begins encrypting files on the victim’s system and encrypts the user’s files with 128-bit AES. A random key is generated for the encryption of each file.
The malware also attempts to access the IPC$ shares and SMB resources the victim system has access to. This access permits the malware to spread itself laterally on a compromised network. However, the malware never attempts to attain a password from the victim’s account in order to access the IPC$ share.
This malware is designed to spread laterally on a network by gaining unauthorized access to the IPC$ share on network resources on the network on which it is operating.

Impact
Ransomware not only targets home users; businesses can also become infected with ransomware, leading to negative consequences, including
•   temporary or permanent loss of sensitive or proprietary information,
•   disruption to regular operations,
•   financial losses incurred to restore systems and files, and
•   potential harm to an organization’s reputation.
Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Solution
Recommended Steps for Prevention

•   Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
•   Enable strong spam filters to prevent phishing e-mails from reaching the end users and authenticate in-bound e-mail using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent e-mail spoofing.
•   Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching the end users.
•   Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
•   Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
•   Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
•   Disable macro scripts from Microsoft Office files transmitted via e-mail. Consider using Office Viewer software to open Microsoft Office files transmitted via e-mail instead of full Office suite applications.
•   Develop, institute and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
•   Have regular penetration tests run against the network. No less than once a year. Ideally, as often as possible/practical.
•   Test your backups to ensure they work correctly upon use.

Recommended Steps for Remediation
•   Contact law enforcement. We strongly encourage you to contact a local FBI field office upon discovery to report an intrusion and request assistance. Maintain and provide relevant logs.
•   Implement your security incident response and business continuity plan. Ideally, organizations should ensure they have appropriate backups so their response is simply to restore the data from a known clean backup.

Report Notice
DHS and FBI encourage recipients who identify the use of tool(s) or techniques discussed in this document to report information to DHS or law enforcement immediately. We encourage you to contact DHS’s National Cybersecurity and Communications Integration Center (NCCIC) (NCCICcustomerservice@hq.dhs.gov or 888-282-0870), or the FBI through a local field office or the FBI’s Cyber Division (CyWatch@ic.fbi.gov or 855-292-3937) to report an intrusion and to request incident response resources or technical assistance.

“You know you’re in love when you can’t fall asleep because reality is finally better than your dreams.”
Dr Seuss
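The alert quoted above says the ransomware spreads by reaching the IPC$ share on one host after another. One way a defender can surface that fan-out pattern from share-access audit logs, as an added example that is not part of the alert or of this thread: it assumes Windows Security event 5140 ("a network share object was accessed") records have been flattened to key=value lines; the field names, the sample events, the 60-second window and the 5-host threshold are all assumptions for the example.

```python
"""Flag sources that touch IPC$ on many distinct hosts within a short window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real logs): an admin touching one file server, one
# host fanning out to six peers in seconds, and a slow, ordinary pattern.
SAMPLE_EVENTS = r"""
ts=2017-05-12T08:00:01Z id=5140 src=10.0.0.21 dst=FS01 share=\\*\IPC$
ts=2017-05-12T08:00:03Z id=5140 src=10.0.0.21 dst=FS01 share=\\*\Data
ts=2017-05-12T08:00:05Z id=5140 src=10.0.0.50 dst=WS101 share=\\*\IPC$
ts=2017-05-12T08:00:06Z id=5140 src=10.0.0.50 dst=WS102 share=\\*\IPC$
ts=2017-05-12T08:00:07Z id=5140 src=10.0.0.50 dst=WS103 share=\\*\IPC$
ts=2017-05-12T08:00:09Z id=5140 src=10.0.0.50 dst=WS104 share=\\*\IPC$
ts=2017-05-12T08:00:10Z id=5140 src=10.0.0.50 dst=WS105 share=\\*\IPC$
ts=2017-05-12T08:00:12Z id=5140 src=10.0.0.50 dst=WS106 share=\\*\IPC$
ts=2017-05-12T09:10:00Z id=5140 src=10.0.0.33 dst=WS201 share=\\*\IPC$
ts=2017-05-12T09:40:00Z id=5140 src=10.0.0.33 dst=WS202 share=\\*\IPC$
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")  # key=value tokens (assumed log layout)


def parse_event(line):
    """Turn one key=value line into a dict; 'ts' becomes a datetime."""
    fields = dict(FIELD_RE.findall(line))
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return fields


def ipc_fanout(lines, window=timedelta(seconds=60), threshold=5):
    """Return {src: sorted dst list} for every source that accessed IPC$ on
    at least `threshold` distinct hosts inside some `window`-long interval."""
    per_src = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        # Only share-access events for the IPC$ share are relevant here.
        if ev.get("id") != "5140" or not ev.get("share", "").upper().endswith("IPC$"):
            continue
        per_src[ev["src"]].append((ev["ts"], ev["dst"]))
    alerts = {}
    for src, events in per_src.items():
        events.sort()  # chronological, so each event can open a window
        for i, (t0, _) in enumerate(events):
            seen = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                alerts[src] = sorted(seen)
                break
    return alerts


def detect_sample():
    """Run the detector over the constructed sample events."""
    return ipc_fanout(SAMPLE_EVENTS.strip().splitlines())
```

Tuning matters: a backup server or vulnerability scanner will legitimately touch IPC$ on many hosts, so such sources need an allow-list rather than a higher global threshold.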

Online MacGyver

  • Administrator
  • Location: Dallas, Texas
  • Posts: 4634
Re: More Crypto Crap
« Reply #2 on: May 14, 2017, 03:02:47 PM »
Thanks, Stacey.  We have an update plan going through peer review now.  :054:
-I'm only here because my flux capacitor is broken.

Online Keighlar

  • Moderator
  • Location: New Hampshire
  • Posts: 1605
Re: More Crypto Crap
« Reply #3 on: May 15, 2017, 10:20:24 AM »
And it's not over yet:

(Beware... video auto-plays)
http://www.zdnet.com/article/ransomware-attack-the-second-wave-is-coming-so-get-ready-now/?loc=newsletter_large_thumb_featured&ftag=TRE-03-10aaa6b&bhid=23629036123263534704928807781917

Quote
While ransomware has been a growing menace for some time, this particular attack is without parallel, largely because the ransomware was combined with a worm-like functionality that allowed the infection to spread rapidly from PC to PC.
“You know you’re in love when you can’t fall asleep because reality is finally better than your dreams.”
Dr Seuss

Online MacGyver

  • Administrator
  • Location: Dallas, Texas
  • Posts: 4634
Re: More Crypto Crap
« Reply #4 on: May 15, 2017, 03:54:22 PM »
And to quote Sonny & Cher, "And the beat goes on."

http://thehackernews.com/2017/05/wannacry-ransomware-cyber-attack.html

-I'm only here because my flux capacitor is broken.

Online MacGyver

  • Administrator
  • Location: Dallas, Texas
  • Posts: 4634
Re: More Crypto Crap
« Reply #5 on: June 27, 2017, 09:15:50 AM »
-I'm only here because my flux capacitor is broken.