Security experts will tell you that one of the best ways to protect yourself from a malware infection or security breach is to keep your software up-to-date. Running outdated versions that cybercriminals can compromise is simply a bad idea. So, why would anyone put off installing a Windows update that Microsoft considered critical, like the one that fixed a vulnerability exploited by the WannaCry ransomware?
Sometimes it’s because system administrators fear that some part of the update process could go awry and lead to service interruptions. Even when things do go as planned, there can still be unwanted complications. That’s the reality five Australian hospitals are dealing with this week.
In the wake of the WannaCry outbreak, Queensland Health moved quickly to ensure that the proper protections were put in place. In addition to Windows, Citrix and clinical workflow software from Cerner were also patched. While the updates “protected the integrity of [hospital] systems and data,” they have also made it difficult for some staff to access medical record systems.
Only about a month passed between the Shadow Brokers’ public dump of the EternalBlue exploit and the moment WannaCry began spreading (Microsoft’s MS17-010 fix had been available for roughly two months). That isn’t a lot of time to test and update every piece of computer equipment that needs to be patched, especially in an incredibly complex environment like a hospital. There’s far more to worry about than just desktop computers or laptops. Windows computers are also embedded in medical imaging and diagnostic equipment, and some of those were vulnerable to the attack.
When fixes need to be applied in a hurry, there’s always a chance that there will be side effects. Still, patching against WannaCry and any future copycat malware was important enough for Queensland Health to take the risk.
In the past, this could’ve been a tough sell. In 2017, however, the “if it ain’t broke, don’t fix it” mentality can’t be applied to computer systems. Advice from the United States Computer Emergency Readiness Team (US-CERT) is very clear: “Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.”
Yes, Queensland Health is coping with some issues accessing their systems. Trouble logging in or accessing records is, however, a huge step up from having an entire network ransomed, servers full of critical data lost, and surgical procedures interrupted.
If you are following the news, you may by now be aware that a security researcher has activated a “kill switch” which apparently stopped the WannaCry ransomware from spreading further.
But that isn’t quite true, and the threat is not over yet.
The kill switch has only slowed down the rate of infection.
Updated: Multiple security researchers have claimed that there are more samples of WannaCry out there, with different ‘kill-switch’ domains and without any kill-switch function, continuing to infect unpatched computers worldwide (find more details below).
So far, over 237,000 computers across 99 countries around the world have been infected, and the count is still rising even hours after the kill switch was triggered by the 22-year-old British security researcher behind the Twitter handle ‘MalwareTech.’
For those unaware, WannaCry is an insanely fast-spreading ransomware worm that leverages a Windows SMB exploit to remotely compromise computers running unpatched or unsupported versions of Windows.
Once infected, WannaCry also scans for other vulnerable computers connected to the same network, as well scans random hosts on the wider Internet, to spread quickly.
The SMB exploit currently being used by WannaCry has been identified as EternalBlue, one of a collection of hacking tools allegedly created by the NSA and subsequently dumped by a hacking group calling itself “The Shadow Brokers” over a month ago.
“If NSA had privately disclosed the flaw used to attack hospitals when they *found* it, not when they lost it, this may not have happened,” NSA whistleblower Edward Snowden says.
Kill-Switch for WannaCry? No, It’s Not Over Yet!
In our previous two articles, we put together more information about this massive ransomware campaign, explaining how MalwareTech accidentally halted the global spread of WannaCry by registering a domain name hidden in the malware.
The above-mentioned domain acts as the worm’s kill switch. As I previously explained, the SMB worm tries to connect to this domain before doing anything else: if the connection fails, it proceeds to infect the system and keep propagating; if the connection succeeds, it stops.
Fortunately, MalwareTech registered this domain in question and created a sinkhole – tactic researchers use to redirect traffic from the infected machines to a self-controlled system. (read his latest blog post for more details)
Updated: Matthieu Suiche, a security researcher, has confirmed that he has found a new WannaCry variant with a different kill-switch domain, which he registered and redirected to a sinkhole in an effort to slow down the infections.
The newly discovered WannaCry variant works exactly like the previous variant that wreaked havoc across the world Friday night.
But, if you are thinking that activating the kill switch has completely stopped the infection, then you are mistaken.
Since the kill-switch feature was in the SMB worm, not in the ransomware module itself, “WannaCrypt ransomware was spread normally long before this and will be long after, what we stopped was the SMB worm variant,” MalwareTech told The Hacker News.
You should know that the kill-switch would not prevent your unpatched PC from getting infected, in the following scenarios:
If you receive WannaCry via an email, a malicious torrent, or another vector (instead of over the SMB protocol).
If by chance your ISP, antivirus or firewall blocks access to the sinkhole domain.
If the targeted system requires a proxy to access the Internet, as is common practice in most corporate networks; the worm’s connection attempt then fails, and it proceeds exactly as if the domain were unregistered.
If someone makes the sinkhole domain inaccessible for all, such as by using a large-scale DDoS attack.
MalwareTech also confirmed to THN that some “Mirai botnet skids tried to DDoS the [sinkhole] server for lulz,” in order to make it unavailable to the WannaCry SMB exploit, which triggers infection if the connection fails. But “it failed hardcore,” at least for now.
WannaCry 2.0, Ransomware With *NO* Kill-Switch, Is On the Hunt!
Initially, this part of the story was based on the research of a security researcher who earlier claimed to have samples of a new WannaCry ransomware that comes with no kill-switch function. But for some reason, he backed off. So, we have removed his references from this story for now.
However, shortly after that, it was confirmed to us by Costin Raiu, the director of the global research and analysis team at Kaspersky Lab, that his team had seen more WannaCry samples on Friday that did not have the kill switch.
“I can confirm we’ve had versions without the kill switch domain connect since yesterday,” Raiu told The Hacker News.
Updated: WannaCry 2.0 is Someone Else’s Work
Raiu from Kaspersky shared some samples his team had discovered with Suiche, who analysed them and confirmed that there is a WannaCrypt variant without a kill switch, equipped with the SMB exploit that lets it spread rapidly without disruption.
What’s even worse is that the new WannaCry variant without a kill switch is believed to have been created by someone else, not the hackers behind the initial WannaCry ransomware.
“The patched version matt described does attempt to spread. It’s a full set which was modified by someone with a hex editor to disable the kill switch,” Raiu told me.
Updated: However, Suiche also confirmed that the modified variant with no kill switch is corrupted, though this doesn’t mean that other hackers and criminals will not come up with a working one.
“Given the high profile of the original attack, it’s going to be no surprise at all to see copycat attacks from others, and perhaps other attempts to infect even more computers from the original WannaCry gang. The message is simple: Patch your computers, harden your defences, run a decent anti-virus, and – for goodness sake – ensure that you have secure backups.” Cyber security expert Graham Cluley told The Hacker News.
Expect a new wave of ransomware attacks, from the initial attackers and from new ones, which will be difficult to stop unless and until all vulnerable systems get patched.
“The next attacks are inevitable, you can simply patch the existing samples with a hex editor and it’ll continue to spread,” Matthew Hickey, a security expert and co-founder of Hacker House told me.
“We will see a number of variants of this attack over the coming weeks and months so it’s important to patch hosts. The worm can be modified to spread other payloads not just WCry and we may see other malware campaigns piggybacking off this sample’s success.”
Even after WannaCry attacks made headlines all over the Internet and Media, there are still hundreds of thousands of unpatched systems out there that are open to the Internet and vulnerable to hacking.
“The worm functionality attempts to infect unpatched Windows machines in the local network. At the same time, it also executes massive scanning on Internet IP addresses to find and infect other vulnerable computers. This activity results in large SMB traffic from the infected host,” Microsoft says.
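The scanning behaviour Microsoft describes is visible on the wire, and the useful detection signal is not the volume of SMB traffic but the fan-out: how many distinct tcp/445 targets one host contacts in a short window. A client using its file server all day has a fan-out of one; a worm sweeping a subnet reaches dozens in seconds. The following is an added example written for this page, not code from the article, Microsoft or any vendor. It assumes a constructed flow-log line format (timestamp, source, destination, port, protocol), a 60-second window and a threshold of 20 targets; the hosts and addresses are made up.

```python
"""Detect WannaCry-style SMB fan-out from connection logs.

Added example: this is not code from the article, from Microsoft or from any
vendor. It assumes a flow-log line format constructed below
("<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>"); the hosts, the
60-second window and the 20-target threshold are illustrative assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window (assumed tuning)
THRESHOLD = 20                   # distinct tcp/445 targets per source in WINDOW (assumed)


def parse_line(line):
    ts, src, dst, port, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), proto


def smb_fanout(lines, window=WINDOW):
    """Return {src_ip: peak number of distinct tcp/445 destinations contacted
    within any sliding window of length `window`}.

    A client talking to its file server repeatedly has a fan-out of 1 however
    many connections it opens; a worm sweeping a /24 has a fan-out in the
    dozens within seconds, which is the signal Microsoft describes above.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e[0])
    recent = defaultdict(deque)                      # src -> (ts, dst) inside window
    live = defaultdict(lambda: defaultdict(int))     # src -> dst -> hits inside window
    peak = defaultdict(int)
    for ts, src, dst, port, proto in events:
        if proto != "tcp" or port != 445:
            continue                                 # only SMB matters here
        recent[src].append((ts, dst))
        live[src][dst] += 1
        # evict everything older than the window and forget destinations
        # that no longer have a connection inside it
        while recent[src] and ts - recent[src][0][0] > window:
            _, old_dst = recent[src].popleft()
            live[src][old_dst] -= 1
            if live[src][old_dst] == 0:
                del live[src][old_dst]
        peak[src] = max(peak[src], len(live[src]))
    return dict(peak)


def suspected_worm_hosts(lines, threshold=THRESHOLD):
    """Sources whose peak SMB fan-out reaches the threshold, sorted."""
    return sorted(src for src, n in smb_fanout(lines).items() if n >= threshold)


def build_sample_log():
    """Constructed log, not captured traffic: a workstation using its file
    server, a backup host touching eight machines over ten minutes, and one
    infected host sweeping internal and Internet addresses on tcp/445."""
    base = datetime(2017, 5, 12, 10, 0, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    lines = []
    for i in range(40):                               # benign: many hits, one target
        lines.append(f"{stamp(i)} 10.0.0.5 10.0.0.20 445 tcp")
    for i in range(8):                                # benign: few targets, spread out
        lines.append(f"{stamp(75 * i)} 10.0.0.9 10.0.1.{i + 1} 445 tcp")
    for i in range(30):                               # worm: 60 targets in 30 seconds
        lines.append(f"{stamp(i)} 10.0.0.77 10.0.0.{100 + i} 445 tcp")
        lines.append(f"{stamp(i)} 10.0.0.77 198.51.100.{i + 1} 445 tcp")
    lines.append(f"{stamp(0)} 10.0.0.77 203.0.113.10 443 tcp")  # non-SMB, ignored
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for src, n in sorted(smb_fanout(log).items()):
        print(f"{src:<12} peak distinct SMB targets in 60s: {n}")
    print("suspected worm hosts:", suspected_worm_hosts(log))
```

Pair this with DNS telemetry: a lookup of the kill-switch domain is a strong indicator that a host is already infected, but, as the scenarios above explain, blocking that domain makes the worm’s check fail and lets it proceed, so alert on the lookup rather than block it. Authorised vulnerability scanners and patch-management servers will trip this rule too and need to be allow-listed.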
Believe me, the new strain of WannaCry 2.0 malware would not take long to take over another hundred thousand vulnerable systems.
Video Demo of WannaCry Ransomware Infection
Hickey has also provided us with two video demonstrations, showing packet traces that confirm the use of the Windows SMB vulnerability (MS17-010).
Since WannaCry is a single executable file, it can also be spread through other regular exploit vectors, such as spear phishing, drive-by download attacks, and malicious torrent downloads, warned Hickey.
Get Prepared: Upgrade, Patch OS & Disable SMBv1
MalwareTech also warned of the future threat, saying “It’s very important [for] everyone [to] understand that all they [the attackers] need to do is change some code and start again. Patch your systems now!”
“Informed NCSC, FBI, etc. I’ve done as much as I can do currently, it’s up to everyone to patch,” he added.
As we reported today, Microsoft took the unusual step of protecting customers on unsupported versions of Windows, including Windows XP, Vista, Windows 8, Server 2003 and 2008, by releasing security patches that fix the SMB flaw currently being exploited by the WannaCry ransomware.
Even so, I believe many individuals remain unaware of the new patches, and many organizations, as well as embedded machines like ATMs and digital billboard displays running older or unpatched versions of Windows, will take time to upgrade their operating systems, not least because new licenses cost money.
So, users and organizations are strongly advised to install the available Windows patches as soon as possible, and also to consider disabling SMBv1 (follow these steps), to prevent similar future cyber attacks. Disabling SMBv1 can break legacy devices that speak nothing newer (old NAS units, printers, Windows XP and Server 2003 hosts), so test the change on a representative set of systems before rolling it out everywhere.
For God’s sake: apply the patches. Microsoft has been very generous to you.
Almost all antivirus vendors have already added signatures to protect against this latest threat. Make sure you are using a good antivirus, and keep it always up to date.
Moreover, you can also follow some basic security practices I have listed to protect yourself from such malware threats.
WannaCry has Hit Over 200,000 Systems in 150 Countries, Warned Europol
Update: Speaking to Britain’s ITV, Europol chief Rob Wainwright said the whole world is facing an “escalating threat,” warning people that the numbers are going up and that they should ensure the security of their systems is up to date.
“We are running around 200 global operations against cyber crime each year, but we’ve never seen anything like this,” Wainwright said, as quoted by BBC.
“The latest count is over 200,000 victims in at least 150 countries. Many of those victims will be businesses, including large corporations. The global reach is unprecedented.”
The map accompanying this article showed WannaCry infections recorded in just 24 hours.
This story is still developing; stay tuned to our Twitter page for more up-to-date information.
This new ransomware, known as Popcorn Time, will decrypt your files if you forward a link to the ransomware to your contacts and two or more of them pay the ransom of one bitcoin, which at the time cost more than $700.
To prevent being a victim of ransomware, it is imperative that you have the essential layers in place to protect your computers and data. The essentials are a working backup solution of all of your critical data from all PCs (laptops, desktops and servers), top of the line Anti-virus software running on all PCs, a good and properly configured firewall, good SPAM and Email security software, and general awareness of users (don’t click on links that look suspicious).
For more information, read:
Author: Lily Hay Newman
Devious Ransomware Frees You If You Infect Two Other People
A particularly nasty kind of malware, one that holds your data hostage until you pay up, just got more pernicious with a version that lets you sell out your friends instead of handing over your cash.
The diabolical software Popcorn Time, which is not at all affiliated with the Popcorn Time piracy app, shakes victims down like any other ransomware. If you can’t afford the one bitcoin payout or you’re feeling especially spiteful, you can share a link to download Popcorn Time in an attempt to infect others. If two of your victims pay up, the attackers give you the key to decrypt your data. It’s a bit like the movie It Follows, but for malware instead of killing.
MalwareHunter, a hacker with the MalwareHunterTeam research group, recently discovered Popcorn Time. It resembles any other malware in terms of infecting a computer, encrypting its drive, and locking you out. The social aspect is what makes it novel. It’s like sharing a referral code for cheap takeout or a free Uber ride. “The model for getting it off your system is sort of a pyramid scheme, multi-level marketing style approach,” says Kevin Butler, a cybersecurity and malware propagation researcher at the University of Florida. “It could certainly make for some interesting discussions amongst one’s group of friends if you’re trying to figure out who infected you with this malware.”
Hackers regularly get creative with ransomware, offering things like support desks where victims can negotiate their ransom. Popcorn Time goes further by tapping into eat-or-be-eaten instincts. It’s fascinating in its psychological gamesmanship, and indicative of experimentation in an already disruptive field. “The bad guys are making a lot of money and they’re going to make a lot more money. A certain percentage of those funds are going to go into research and development for them to try new things,” says Jeremiah Grossman, chief of security strategy at cybersecurity defense firm SentinelOne. “The bad guys are innovating.”
There’s some good news, though. First, the Popcorn Time code doesn’t appear to be finished. “It is still not perfect, but it’s getting better,” MalwareHunter says. “Infecting more to get a free key is already a unique thing. This system is something you don’t see every day.”
It also remains to be seen how wide Popcorn Time spreads. “No one really knows if the mechanism is going to have any meaningful impact,” Grossman says. “You infect someone and you try to get them to infect other people. That’s a human-to-human process. Does it really scale versus all other ways, like mass-blast email? Does this process really work economically?”
Still, ransomware tends to cluster in families and strains that share similar attributes. Even if Popcorn Time isn’t a viral hit, hackers could study its successes and failures to make their own variations more effective. Your best bet? Avoid getting hit in the first place. Regardless of whether Popcorn Time spreads like a virus, there’s no reason to be patient zero.
If you’re using Yahoo for Email, you should stop ASAP, especially if you’re using Yahoo Email for business Email. Yahoo’s Email has proven to not be secure, and it’s also a lousy Email platform.
If you must maintain the Email address, we recommend that you set up forwarding of your Yahoo mail to a new Email address at your company’s domain (e.g. @sony.com, @amex.com, etc.). If you don’t have your company’s domain name set up, along with Email services for your company’s domain, we at Innovativ IT can get you going in no time. Using @yahoo or @gmail for your business Email is missing a branding opportunity, and makes your company look small and unprofessional.
If you choose to continue to keep your Yahoo Email account alive and functional, then we recommend you follow these guidelines to keep your account secure:
By Lucian Constantin
Romania Correspondent, IDG News Service | Dec 15, 2016 6:46 AM PT
1. Don’t save emails you don’t need
Because space is no longer a problem with most email services, users tend to never delete emails. While that’s extremely convenient, it’s not a very good idea, because it allows hackers to easily discover what other online accounts are tied to that address by searching for sign-up or notification emails from various online service providers.
Aside from exposing the link between your email address and accounts on other websites, sign-up and notification emails can also expose specific account names that you’ve chosen and are different from the email address.
You might want to consider cleaning your mailbox of welcome emails, password reset notifications and other such communications. Sure, there might be other ways for hackers to find out if you have an account on a certain website, or even a number of websites, but why make it easier for them to compile a full list?
2. Check your email forwarding and reply-to settings
Email forwarding is one of those “set it and forget it” features. The option is buried somewhere in the email account settings and if it’s turned on there’s little to no indication that it’s active.
Hackers know this. They only need to gain access to your email account once, set up a rule to receive copies of all your emails and never log back in again. This also prevents the service from sending you notifications about repeated suspicious log-ins from unrecognized devices or IP addresses.
Another technique that attackers might use to get a copy of your emails is to change the reply-to address in your email settings, although this is noisier and can be spotted more easily than a forwarding rule, because every recipient of your mail sees the altered header.
The reply-to field is included in every email message that you send and allows the recipient’s email client to automatically populate the To field with an address you chose when they hit reply. If a hacker changes the reply-to value with an address that he controls, he will receive all email replies intended for you and these typically include the original emails that you sent.
In order to ensure that you also get those replies, the attacker can set up a forwarding rule in their own email account and automatically forward those replies to your address.
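The reply-to hijack described above leaves a trace in every message you send: a Reply-To header whose mailbox lives outside your own domain, usually dressed up with your own display name. The following is an added example written for this page, not code from the article or from Yahoo. It parses raw messages with Python’s standard email package and flags the mismatch; the three messages and their addresses are constructed here for the demonstration.

```python
"""Flag a tampered Reply-To on mail you sent.

Added example: not code from the article or from Yahoo. It parses message
headers with Python's standard email package; the three messages are
constructed here and the addresses are documentation-style placeholders.
"""
from email import message_from_string
from email.utils import getaddresses
from typing import Optional


def _domains(header_values) -> set:
    return {addr.lower().rpartition("@")[2] for _, addr in getaddresses(header_values)}


def reply_to_mismatch(raw_message: str) -> Optional[dict]:
    """Return a finding when Reply-To points at a domain other than the
    sender's own; None when the header is absent or stays in-domain.

    getaddresses() strips display names, so "Alice Example <alice@evil>"
    is judged by the mailbox, not by the name a victim would see."""
    msg = message_from_string(raw_message)
    reply_to = msg.get_all("Reply-To", [])
    if not reply_to:
        return None
    from_domains = _domains(msg.get_all("From", []))
    foreign = sorted(addr.lower() for _, addr in getaddresses(reply_to)
                     if addr.lower().rpartition("@")[2] not in from_domains)
    if not foreign:
        return None
    return {"message_id": msg.get("Message-ID"), "reply_to_foreign": foreign}


def audit_sent_items(messages) -> list:
    """Run the check over a folder of raw messages; one finding per hit."""
    return [f for f in (reply_to_mismatch(m) for m in messages) if f]


# Constructed messages (not real mail). CLEAN has no Reply-To, ALIAS uses an
# in-domain shared mailbox, TAMPERED carries the attacker's Reply-To behind
# the victim's own display name.
CLEAN = """\
From: Alice Example <alice@corp.example>
To: Partner <partner@vendor.example>
Subject: Q3 invoice
Message-ID: <clean-1@corp.example>

Attached as discussed.
"""

ALIAS = """\
From: Alice Example <alice@corp.example>
Reply-To: Billing Team <billing@corp.example>
To: Partner <partner@vendor.example>
Subject: Q3 invoice
Message-ID: <alias-2@corp.example>

Please reply to the shared billing mailbox.
"""

TAMPERED = """\
From: Alice Example <alice@corp.example>
Reply-To: Alice Example <alice.corp@mail.example.net>
To: Partner <partner@vendor.example>
Subject: Updated bank details
Message-ID: <tampered-3@corp.example>

Replies now go to the attacker, while the display name still reads Alice.
"""

SAMPLE_MESSAGES = [CLEAN, ALIAS, TAMPERED]

if __name__ == "__main__":
    for finding in audit_sent_items(SAMPLE_MESSAGES):
        print(finding)
```

Run it over an export of your Sent folder rather than your inbox: the attacker’s change shows up on what you send, and a single hit is enough to warrant checking the forwarding rules as well, since the two tricks are usually set up together.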
3. Two-factor authentication everywhere
Turn on two-factor authentication—this is sometimes called two-step verification—for any account that supports it, including Yahoo. This will prompt the online service to ask for a one-time-use code sent via text message, phone call, email or generated by a smartphone app when you try to access the account from a new device. This code is required in addition to your regular password, but Yahoo also has a feature called Account Key that does away with regular passwords completely and instead requires sign-in approval via phone notifications.
Two-factor authentication is an important security feature that could keep your account secure even if hackers steal your password.
4. Never reuse passwords
There are many secure password management solutions available today that work across different platforms. There’s really no excuse for not having unique, complex passwords for every single account that you own. If you do want memorable passwords for a few critical accounts use passphrases instead: sentences made up of words, numbers and even punctuation marks.
According to Yahoo, this breach happened in August 2013, at a time when the company hadn’t yet switched to the more secure bcrypt password hashing algorithm. As a result, most passwords that were stolen are in the form of MD5 hashes, which are highly vulnerable to cracking.
If you made the mistake of using your Yahoo password elsewhere and haven’t changed it yet, you should do so immediately and review the security settings of those accounts too. It’s very likely that hackers have already cracked your password and had three years to abuse it.
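The reason an unsalted MD5 dump is so dangerous is not only that MD5 is fast: without a salt, every account that chose the same password has the same hash, so a single lookup table cracks all of them at once, and a password cracked here can be replayed against every other site where it was reused. The following is an added example written for this page, not code from the article and not a description of Yahoo’s systems. The breach dump, accounts and wordlist are constructed, and hashlib.scrypt stands in for bcrypt (which is not in the Python standard library); that substitution is an assumption of the demonstration, not a claim about what Yahoo deployed.

```python
"""Why an unsalted MD5 dump cracks at once, and what a salted slow KDF changes.

Added example: not code from the article and not a description of Yahoo's
systems. The breach dump, wordlist and accounts are constructed here, and
hashlib.scrypt stands in for bcrypt (which is not in the standard library);
that substitution is an assumption of this demonstration.
"""
import hashlib
import hmac
import os
from typing import Optional

WORDLIST = ["123456", "password", "password123", "qwerty", "letmein", "welcome1"]
ACCOUNTS = {                              # constructed, not real credentials
    "alice": "password123",
    "bob": "letmein",
    "dave": "password123",                # same password as alice
    "carol": "orbit-quartz-lantern-7!",   # passphrase, in no wordlist
}
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)   # cost makes each guess slow


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def simulated_md5_dump() -> dict:
    """A 2013-style dump: one unsalted MD5 per account, nothing else."""
    return {user: md5_hex(pw) for user, pw in ACCOUNTS.items()}


def crack_md5(dump: dict, wordlist) -> tuple:
    """Dictionary attack on unsalted hashes. Each candidate is hashed ONCE and
    looked up against every account, so identical passwords fall together.
    Returns (cracked {user: password}, number of hash evaluations)."""
    table = {md5_hex(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)


def scrypt_record(password: str, salt: Optional[bytes] = None) -> tuple:
    """Store (salt, digest) with a fresh random salt per account."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)


def scrypt_verify(password: str, record: tuple) -> bool:
    salt, digest = record
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, digest)


def crack_scrypt(records: dict, wordlist) -> tuple:
    """Same dictionary against salted slow hashes: no shared lookup table
    exists, so every candidate is re-derived per account at full KDF cost.
    Returns (cracked, number of KDF evaluations)."""
    cracked, evaluations = {}, 0
    for user, record in records.items():
        for word in wordlist:
            evaluations += 1
            if scrypt_verify(word, record):
                cracked[user] = word
                break
    return cracked, evaluations


if __name__ == "__main__":
    dump = simulated_md5_dump()
    weak, n_md5 = crack_md5(dump, WORDLIST)
    print("MD5 dump cracked:", weak, "with", n_md5, "hash evaluations")
    records = {u: scrypt_record(pw) for u, pw in ACCOUNTS.items()}
    slow, n_kdf = crack_scrypt(records, WORDLIST)
    print("scrypt cracked:", slow, "with", n_kdf, "KDF evaluations")
```

The same three weak passwords fall in both cases; what changes is the price. Against MD5 the attacker pays six fast hashes for the whole dump, and any wordlist of real-world size amortises across millions of accounts. Against per-account salts and a deliberately slow KDF the attacker pays once per candidate per account, which is why a passphrase like carol’s stays out of reach and why a unique password per site is the only protection when a provider gets this wrong.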
5. Phishing follows breaches
Large data breaches are typically followed by email phishing attempts, as cybercriminals try to take advantage of the public interest in such incidents. These emails can masquerade as security notifications, can contain instructions to download malicious programs that are passed as security tools or can direct users to websites that ask for additional information under the guise of “verifying” accounts.
Be on the lookout for such emails and make sure that any instructions you decide to follow in response to a security incident came from the affected service provider or a trusted source. Official Yahoo emails are easily recognizable in the Yahoo Mail interface because they are marked with a purple Y icon.
In the future, be selective in what personal information you choose to share and which websites you choose to share it with, even when those websites are legitimate. There’s no guarantee that they won’t be hacked in the future and you simply don’t know how securely they store your details.
In Yahoo’s case, the compromised account information includes names, email addresses, telephone numbers, dates of birth and, in some cases, unencrypted security questions and answers. These details can be used to impersonate you or to authenticate you on other websites.
Don’t provide real answers to security questions, if you can avoid it. Make something up that you can remember and use that as answer. In fact, Yahoo doesn’t even recommend using security questions anymore, so you can go into your account’s security settings and delete them.
Ransomware in Houston, as well as nationwide, is continuing to grow. Preventing ransomware requires that IT security best practices are strictly followed. IT security is proving to be an imperative for companies that want to avoid costly ransomware attacks, which may put some SMBs out of business.
The minimum best practices for ransomware prevention include: reliable server backups, anti-virus on all computers, quality spam filtering, properly configured firewalls, proper patch management (regular server and workstation patching), training staff not to open unexpected email attachments (phishing is the number one way that ransomware spreads), and using OpenDNS to prevent infected computers from phoning home.
According to a recent FBI study, “ransomware is on pace to become a billion-dollar annual crime”. Two weeks ago, the third-largest electric and water utility in Michigan shut down all its corporate IT systems while it attempted to clean up after a ransomware attack. The Lansing Board of Water & Light (Lansing BWL) announced on Monday, 25 April, that it was hit by ransomware after a phishing attack.
Ransomware has hit both small companies, and big companies alike. The common thread for the outages is that the organizations affected did not have good IT security in place on all of their IT assets. Human error is always a factor in Ransomware cases, which is why the layered IT security stack must be in-place to prevent these costly attacks.
Ransomware is no joke, especially when it comes to CryptoLocker and CryptoWall. These menacing malware programs not only encrypt files on the infected PC, but also encrypt files on network drives mapped to servers. Because the malware runs with the logged-in user’s rights, it reaches exactly the shares that user can write to, which is why least-privilege share permissions limit the damage. We’ve seen cases where more than 100,000 documents were encrypted.
It is imperative that all PCs on the network are protected with a quality anti-virus solution. It is equally important that there are frequent and reliable backups being made of the data, ideally real-time replication of the data to the cloud.
It really is vicious stuff, and mafia-like in its shrewdness. The truth of the matter, though, is that the decryption process seems to work, as long as a list of provisions is met (reliable power for all infected systems, reliable LAN connectivity, reliable internet connectivity, etc.). Paying these heartless bastards is painful, but it often works when there’s no other option for getting the data back.
According to Webster’s Online, IT (Information Technology) is the branch of engineering that deals with the use of computers and telecommunications to retrieve, store, and transmit information.
Sure, that’s IT in a nutshell. But what does IT mean to the user? What does IT mean to the business? To me, IT is not just technology; it’s communication, it’s connection and it’s personal.
Information Technology is the technology behind how we all communicate. It is how we connect with one another. It is so much an everyday part of our lives that we rarely notice it anymore, unless something breaks. We pick up the phone, send an email, update our social media pages, write reviews on sites like Yelp, and type up proposals on Word and Excel. A lot of people don’t realize how reliant we all are on information technology. Because of the advances in IT, we all can communicate, connect, learn and build relationships in ways never before possible with people who were previously unreachable all across the world. It has helped streamline business practices, and has truly made our world flat. IT is such an essential part of how we live today, there is no going back. We’re all spoiled. IT is beautiful.
To some, IT is a necessary evil that they don’t want to deal with until they have an issue. Once it is an issue, it then becomes much more costly and detrimental to the overall business. It’s like scheduled maintenance on your car, most people don’t do it. They will do their regular oil changes, but that’s it. They deal with their car when it breaks, not realizing that there is preventive maintenance they could do that is ultimately less expensive and invasive than going through a Break-Fix issue. This is why I’m passionate about selling Managed IT Services. Sure, we’ll do a lot of Break-Fix, that’s pretty rewarding, but what is most rewarding is helping a company be proactive about their IT Systems, rather than reactive. I like knowing that I’ve done everything I could to get my team in and make sure the client can continue to communicate and operate without issue.
Information Technology is the bridge to relationships. I like bridges, they’re neato.
Submitted by Matt Fox, VP Sales at Innovativ IT Services (Dec., 2010)