Scam Of The Week: Petya MFT Ransomware Returns, Wrapped In Extra Nastiness
Kaspersky researchers discovered a new variant of last year’s Petya Master File Table (MFT) ransomware, with “new and improved” crypto and ransomware models. Remember, MFT ransomware only encrypts the table where access to all files is kept, and does not encrypt the files themselves. It’s a very effective way to lock a machine and demand ransom in a few seconds. Kaspersky’s Ivanov and Sinitsyn called the new version “PetrWrap” (because it wraps Petya), which uses the PsExec tool to install ransomware on every workstation and server it can access.
Instead of using the original Petya code, which was cracked last April, “the group behind PetrWrap created a special module that patches the original Petya ransomware ‘on the fly’”, the Kaspersky post states. This on-the-fly patching was created to hide the fact that Petya is handling the infection, and PetrWrap uses its own crypto routines.
If the PetrWrap malware coders had stuck with Petya’s ransomware-as-a-service model, they would need a Petya private key to decrypt victims’ data, but with this new version they can use their own keys.
Once the workstation is infected, the victim ends up with the file system’s master file table encrypted with a better scheme than the old Petya used. The PetrWrap coders used a tried-and-true, debugged version of Petya’s low-level bootloader, ensuring they had “production-quality” criminal software to make sure their infections would be successful.
Read full article: https://blog.knowbe4.com/petya-mft-ransomware-returns-wrapped-in-extra-nastiness
Security Headlines
TechNewsWorld – Personal Data Leak Affects 33 Million US Employees
The personal data of more than 33 million employees from US-based organizations was found lying unprotected on the web, reports Help Net Security. The leaked information had been compiled by US business service firm Dun & Bradstreet (D&B), which sells commercial data to businesses.
Security researcher Hunt got the data from a reportedly reliable source, and it is believed that it may have been stolen from the unprotected database of a D&B customer. The information includes personal details such as email addresses and company information. Affected employees include those of the Department of Defense, US Postal Service, AT&T, FedEx, Citigroup and others.
Darkreading – The 6 Riskiest Social Media Habits to Avoid at Work
Social media is a popular gateway for hackers to access corporate networks, and employee behavior is driving the trend.
Most people don’t recognize the inherent danger of social media. They trust platforms like Facebook because they use these tools to establish connections with people, not usernames or email addresses.
People rarely approach social media with the same caution they employ for suspicious emails or shady websites. This behavior leaves plenty of opportunities for cybercriminals to take advantage of their trust and launch successful attacks.
- Oversharing sensitive information
- Clicking every link
- Controversial posts
- Misusing enterprise social tools
- Reusing passwords
- Not having an account at all
Github – Notepad++ 6.9.2 DLL Hijacking Vulnerability (Thx to Stephen Bishop for the article)
Notepad++ contains a DLL hijacking vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code on the targeted system. The vulnerability exists because ‘npp.6.9.2.Installer.exe’ loads a DLL file improperly, which allows an attacker to have a DLL of their choosing loaded and its code executed without the user’s knowledge.
Impact
An attacker can exploit the vulnerability to load a DLL file of the attacker’s choosing that could execute arbitrary code. This may lead to a successful compromise of the system if a shell is supplied as that DLL.
Fix
https://notepad-plus-plus.org/download/v7.3.3.html
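A defender-side check for this class of bug, added here as an example (it is not code from the advisory or from the Notepad++ project): on Windows the default DLL search order starts in the directory the executable was launched from, so a stray DLL sitting next to an installer in a download folder is exactly what an installer with this weakness would pick up. The script walks a directory tree, reports every DLL that shares a directory with an executable, and hashes the DLL for triage. The directory layout and file names (including "stray.dll") are constructed for the run and are not real artefacts.

```python
"""Flag DLLs that sit beside executables in a download directory.

Added example, not from the original post or the Notepad++ project. The
demo tree built below is constructed so the script runs offline.
"""
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_colocated_dlls(root: Path) -> List[Dict[str, str]]:
    """Return one finding per (executable, DLL) pair that shares a directory.

    The walk is recursive so nested extraction folders are covered too, and
    extension matching is case-insensitive because Windows file systems are.
    """
    findings: List[Dict[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        exes = sorted(f for f in filenames if f.lower().endswith(".exe"))
        dlls = sorted(f for f in filenames if f.lower().endswith(".dll"))
        if not exes or not dlls:
            continue
        for exe in exes:
            for dll in dlls:
                findings.append({
                    "directory": dirpath,
                    "executable": exe,
                    "dll": dll,
                    "dll_sha256": sha256_of(Path(dirpath) / dll),
                })
    return findings


def build_demo_tree(base: Path) -> Path:
    """Create a constructed Downloads-like tree; file contents are placeholders."""
    downloads = base / "Downloads"
    downloads.mkdir()
    # Installer name taken from the advisory; the DLL beside it is hypothetical.
    (downloads / "npp.6.9.2.Installer.exe").write_bytes(b"MZ placeholder installer")
    (downloads / "stray.dll").write_bytes(b"MZ placeholder dll")
    (downloads / "notes.txt").write_bytes(b"not a binary")
    clean = downloads / "clean"
    clean.mkdir()
    (clean / "other-setup.exe").write_bytes(b"MZ another installer")  # no DLL here
    return downloads


def demo() -> List[Dict[str, str]]:
    """Run the scan over a throwaway constructed tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_colocated_dlls(build_demo_tree(Path(tmp)))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['executable']} shares {f['directory']} with {f['dll']} "
              f"(sha256 {f['dll_sha256'][:16]}...)")
```

Point the scanner at a real Downloads folder by calling `find_colocated_dlls(Path.home() / "Downloads")`; any DLL it reports deserves a look (signature, hash reputation) before the installer next to it is run, and removing it takes away the hijack opportunity regardless of how the installer searches.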
Security Bulletins from the FBI and DHS
DHS – Alert (TA17-075A) HTTPS Interception Weakens TLS Security
Systems Affected
All systems behind a hypertext transfer protocol secure (HTTPS) interception product are potentially affected.
Overview
Many organizations use HTTPS interception products for several purposes, including detecting malware that uses HTTPS connections to malicious servers. The CERT Coordination Center (CERT/CC) explored the tradeoffs of using HTTPS interception in a blog post called The Risks of SSL Inspection [1].
Organizations that have performed a risk assessment and determined that HTTPS inspection is a requirement should ensure their HTTPS inspection products are performing correct transport layer security (TLS) certificate validation. Products that do not properly ensure secure TLS communications and do not convey error messages to the user may further weaken the end-to-end protections that HTTPS aims to provide.
Impact
Because the HTTPS inspection product manages the protocols, ciphers, and certificate chain, the product must perform the necessary HTTPS validations. Failure to perform proper validation or adequately convey the validation status increases the probability that the client will fall victim to MiTM attacks by malicious third parties.
https://www.us-cert.gov/ncas/alerts/TA17-075A
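A practical way to test the point the alert makes, added here as an example (not code from the alert or from CERT/CC): a client behind an interception product only ever sees the product's re-signed certificate, so the one reliable check is to connect to endpoints that are known to present bad certificates and confirm the handshake is refused. The script builds a strict client context, probes a list of hosts, and reports any host that should have been rejected but was accepted, which is the signature of a product that validates nothing and hides the error. The badssl.com test hosts are an assumption about a public service; the outcomes used in the self-test are constructed.

```python
"""Check that an HTTPS path fails closed on bad certificates.

Added example, not from the alert or CERT/CC. The badssl.com hosts are an
assumed public test service; nothing here depends on any interception product.
"""
import socket
import ssl
from typing import Dict, List


def strict_context() -> ssl.SSLContext:
    """A client context that validates the chain and hostname and refuses old TLS."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def describe_context(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Expose the settings that matter so they can be checked, not assumed."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "minimum_version": ctx.minimum_version.name,
    }


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, str]:
    """Attempt a validated TLS handshake and classify what happened."""
    ctx = strict_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # Who signed the leaf we were shown? Behind an interception
                # product this is the product's CA, not the origin's.
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                return {"host": host, "outcome": "accepted",
                        "issuer": issuer.get("organizationName", "?")}
    except ssl.SSLCertVerificationError as e:
        return {"host": host, "outcome": "rejected", "detail": e.verify_message}
    except (ssl.SSLError, OSError) as e:
        return {"host": host, "outcome": "unreachable", "detail": str(e)}


def evaluate(results: List[Dict[str, str]], expected: Dict[str, str]) -> List[str]:
    """Return one finding per host whose outcome differs from expectation.

    'accepted' for a host that should be 'rejected' means something on the
    path re-signed a bad certificate with a CA the client trusts and did not
    surface the validation failure. Unreachable hosts are skipped, not scored.
    """
    findings = []
    for r in results:
        want = expected.get(r["host"])
        if want is None or r["outcome"] == "unreachable":
            continue
        if r["outcome"] != want:
            findings.append(f"{r['host']}: expected {want}, got {r['outcome']}")
    return findings


# Assumed public badssl.com endpoints, each built to fail one specific check.
EXPECTED = {
    "expired.badssl.com": "rejected",
    "self-signed.badssl.com": "rejected",
    "wrong.host.badssl.com": "rejected",
    "untrusted-root.badssl.com": "rejected",
    "badssl.com": "accepted",
}

if __name__ == "__main__":
    results = [probe(h) for h in EXPECTED]
    for r in results:
        print(r)
    for finding in evaluate(results, EXPECTED):
        print("FINDING:", finding)
```

Run it from a workstation on the inspected segment and from one outside it: the outside run should reject every bad host, and any difference between the two runs is the interception product's contribution. The `issuer` field on accepted results also tells you plainly whether the product is in the path at all.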
FBI – FBI Director Addresses Cyber Security Gathering
Director James Comey delivered a keynote address at the inaugural Boston Conference on Cyber Security, touching on the current cyber threat landscape, what the FBI is doing to stay ahead of the threat, and the importance of strong private sector partnerships.
The conference, a partnership between the FBI and Boston College’s Cybersecurity Policy and Governance master’s degree program, also features additional expert speakers and panelists who will be covering such areas as emerging technologies, operations and enforcement, along with real-life cyber and national security experiences focusing on risk, compliance, policy, threat trends, preparedness, and defensive strategies.
Cyber threats, said Comey, are “too fast, too big, and too widespread for any of us to address them alone.”
During his remarks, Comey discussed the “stack of bad actors” committing cyber crimes, including nation-states, multinational cyber syndicates, insiders, hacktivists, and—currently to a lesser degree—terrorists (“they have not yet turned to using the Internet as a tool of destruction,” he explained, “in a way that logic tells us certainly will come in the future.”)
Vendor Information
Apache – In-the-wild exploits ramp up against high-impact sites using Apache Struts (Thx to Josh Adams for the article)
Eight days after developers patched a critical flaw in the Apache Struts Web application framework, there has been no let-up in the volley of attacks attempting to exploit the vulnerability, which affects a disproportionate number of high-impact websites, a security researcher said Tuesday.
As of Tuesday morning, 503 unique IP addresses were attempting to exploit the code execution bug. Based on the addresses, the attack origins were most concentrated in China (300 unique IPs), followed by the US (92), Taiwan (71), Hong Kong (15), the Netherlands (9), Russia (4), Canada (3), Italy (3), the UK (3), and Indonesia (3).
In an attempt to go undetected, the attackers in many cases have tweaked the two exploits that were being widely used in last week’s wave.
Cisco – What do Firewalls and Game of Thrones have in common?
To the uninitiated, firewall talk can sound like a foreign language. That’s why we’re going to break it down with a little help from Game of Thrones—the massively popular TV series.
First off, let’s get the description right. Cisco recently released its latest firewall—the Firepower 2100 Series NGFW—a fully integrated, threat-focused next-generation firewall built for the midsize business.
“The Wall” in Game of Thrones. For those not familiar with the fantasy show, The Wall is a massive barrier of mostly ice that stretches 300 miles across the northern border of the Seven Kingdoms. The Wall is a good analogy for a firewall, which is defined as a network security device that monitors incoming and outgoing network traffic. A firewall decides whether to allow or block specific traffic based on a defined set of security rules.
https://newsroom.cisco.com/feature-content?type=webcontent&articleId=1820653