STE WILLIAMS

‘Bad Rabbit’ Ransomware Attacks Rock Russia, Ukraine

Attack employs new version of infamous NotPetya ransomware used in June attacks on Ukraine targets.

A wave of ransomware infections is hitting hundreds of government, media, transportation, and other targets in Eastern Europe today mainly in Russia and Ukraine, but also in Bulgaria, Germany, and Turkey.

Among the most high-profile targets thus far are major news outlets such as Russia’s Interfax Agency, and Ukraine’s Kiev Metro, its Odessa International Airport, and ministries of infrastructure and finance.

US-CERT said today that it has received “multiple reports” of Bad Rabbit infections from “many countries,” and advises victims not to pay the ransom, since paying does not guarantee the attackers will restore the encrypted data.

Ukraine was on alert for the attacks, as its Security Service and CERT earlier this month had warned of a possible large cyberattack akin to NotPetya to occur in conjunction with its Defender of Ukraine Day holiday.

Details about the attacks are trickling in as researchers drill down on the malware and its attack vectors, but researchers at ESET say the malware used in the Kiev Metro attack is Diskcoder.D, a new variant of the infamous Petya family. The previous Diskcoder variant was the NotPetya malware used in the ransomware campaign that spread around the world in June.

Researchers at Kaspersky Lab say the dispci.exe file found in the malware seems to originate from the code base of open-source encryption tool DiskCryptor, a legitimate tool for encrypting disk and system partitions. “It acts as the disk encryption module which also installs the modified bootloader and prevents the normal boot-up process of the infected machine,” Kaspersky researchers Orkhan Mamedov, Fedor Sinitsyn, and Anton Ivanov wrote in a blog post today.

They also noticed the attackers appear to be fans of “Game of Thrones,” based on code strings that include names of characters from the popular book and HBO series.

Although Bad Rabbit is a relatively widespread ransomware campaign, don’t expect it to be another WannaCry. Robert Lipovsky, senior malware researcher with security vendor ESET, which has been studying the attacks, says the ransomware campaign won’t likely spread like WannaCry did.

“Considering the infection capabilities we discovered in the samples, spreading outside Ukraine is theoretically possible but much less likely than in the June NotPetya case, due to the lack of EternalBlue spreading mechanism,” he says, referring to the SMB-worm style attack used in WannaCry to spread like wildfire around the globe.

Instead, Bad Rabbit spreads over SMB using credentials rather than an exploit: it harvests passwords from the machine it has infected with the Mimikatz credential-dumping tool, and it also tries a list of usernames and passwords hardcoded in the binary.

There’s also a phony Adobe Flash Player connection: a dropper of Diskcoder.D that poses as a Flash Player installer. ESET spotted that on major news websites in Russia and Ukraine, Lipovsky notes. “While this may very well be an infection vector, it is doubtful that this was the main infection vector … and quite possibly a smokescreen.”

Bad Rabbit ransom message (Source: ESET)

Researchers at Kaspersky say their telemetry shows a drive-by attack is the initial attack vector, and it’s a targeted attack campaign. “Our observations suggest that this has been a targeted attack against corporate networks, using methods similar to those used during the ExPetr attack,” they say, referring to the June attacks.

“The ransomware dropper was distributed with the help of drive-by attacks. While the target is visiting a legitimate website, a malware dropper is being downloaded from the threat actor’s infrastructure,” according to Kaspersky. “No exploits were used, so the victim would have to manually execute the malware dropper, which pretends to be an Adobe Flash installer.”

Adam Meyers, vice president of intelligence at CrowdStrike, says Bad Rabbit appears to have been served up via the argumentiru.com website, a Russian and Eastern European news and celebrity gossip site. “CrowdStrike Intelligence can confirm that this website was hosting a malicious JavaScript inject as part of a Strategic Web Compromise (SWC) attack on 24 October 2017,” Meyers said in statement.

CrowdStrike also found more proof of a link to the NotPetya attackers: Bad Rabbit and NotPetya DLLs “share 67% of the same codebase, which makes it likely that the same threat actor is behind both attacks,” Meyers said in a tweet late today.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise … View Full Bio

Article source: https://www.darkreading.com/attacks-breaches/bad-rabbit-ransomware-attacks-rock-russia-ukraine---and-beyond/d/d-id/1330208?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

US-CERT: hackers are targeting our critical infrastructure

The US Department of Homeland Security (DHS) doesn’t often go public with warnings about cyber threats to the energy grid and other critical infrastructure. But it did last week.

US-CERT (US Computer Emergency Readiness Team), which operates under DHS, and the FBI, issued an “alert” titled, “Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors” last Friday, focused on what it said were, “APT actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.”

Which, in general, sounds like very old news. There have been warnings about such threats – espionage plus potential and actual cyberattacks – on US critical infrastructure, especially in the energy sector, for going on two decades. Among the examples:

DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reported in 2013, that there were a third more cyber incidents (111) reported by the energy sector in just the six-month reporting period ending that May than in the previous 12 months (81).

About a year later, ICS-CERT said it had received reports of 245 ICS incidents in 2014, more than half of which were APTs.

And USA Today reported in September 2014 that cyber attackers had successfully breached the US Department of Energy (DoE) 159 times between October 2010 and October 2014.

So, what’s different? Why issue an alert now?

DHS isn’t saying. Spokesman Scott McConnell declined to comment on the information in the alert, but told Reuters last week that the alert provided, “recommendations to prevent and mitigate malicious cyber activity targeting multiple sectors and reiterated our commitment to remain vigilant for new threats.”

Joseph Weiss, managing partner at Applied Control Systems and an industrial control systems (ICS) expert (speaking from the ICS Security Conference in Atlanta), is a bit mystified as well. “When it comes to APTs and ICS, I’m really lost about what is new here – at least when it comes to what’s in the report,” he said. “If there’s something that’s really interesting, it’s not in there.”

But Robert M. Lee, CEO of Dragos and a former US Air Force cyber warfare operations officer, said while the types of threats and the tactics, techniques and procedures (TTPs) being used – spear-phishing emails, watering-hole domains, credential gathering, open-source reconnaissance – are long established, what is different is the level of activity.

“The level of aggression has changed,” he said. “It’s not usual to have this many adversaries being this active. The amount of threat data we’re seeing is novel.”

But this, he added, shouldn’t lead to overstating the immediate threat. “None of this is going to take out the power,” he said, calling the US grid, “very robust and resilient. These adversaries are not in position to create significant disruption. But they are looking to steal data that could be used to build that kind of capability.”

The alert didn’t name suspected attackers or victims, and Lee wouldn’t get specific on attribution either, but did say that among the attackers being tracked are, “a group active in benefiting Russia and another active in benefiting North Korea.”

Both nation states would be obvious suspects – the New York Times recently reported that North Korea now has an “army” of more than 6,000 hackers focused on espionage, sabotage and money.

According to the alert, the spike in threat activity has been going on at least since May 2017, and focuses on two categories of victims: staging and intended targets.

The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks. The initial victims are referred to as “staging targets” throughout this alert. The threat actor uses the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims.

It said the threat actors also “appear to have deliberately chosen the organizations they targeted, rather than pursuing them as targets of opportunity.”

And once they had successfully penetrated a staging target, they turned them into “command and control points” to connect to their intended targets.

Upon gaining access to intended victims, the threat actors conducted reconnaissance operations within the network. (They) viewed files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems.

Dale Peterson, founder of Digital Bond and S4 Events, said while he thought the alert generally had, “good, basic IT and ICS security information,” he had a problem with the lack of specifics surrounding the ICS and SCADA information. “Were the threat actors searching for the ICS information on file servers or did they stumble across it?” he wrote in a post on LinkedIn.

Read as written it appears that the threat actors found a file server, looked through the folders and files, and came across some files with ICS. They then chose to view and exfiltrate those files. Was this a high percentage of what was exfiltrated? Or was it one of a large number of files that was Hoovered from one or more compromised file servers?

Whatever the overall merits of the alert, it did come with offers of assistance. It included a list of indicators of compromise (IOCs) they found, and recommended that network administrators, “review the IP addresses, domain names, file hashes, network signatures, and YARA rules provided and add the IPs to their watchlist to determine whether malicious activity has been observed.”

It also urged organizations that found any of those IOCs in their networks to report it to DHS and to contact the National Cybersecurity and Communications Integration Center (NCCIC) for help with incident response.

And that last offer, while it sounds helpful, remains a tricky proposition. Lee is one of many experts who say that, “government, writ large, has a fanaticism around information sharing that isn’t good. Trying to pressure companies into giving up information at no benefit to them is absurd.”

Indeed, retired NCCIC director Lawrence Zelvin told Federal News Radio in 2013 that some ICS operators are loath to share information with the government or even one another.

There seems to be a misperception out there that everybody’s going to share. No, they’re not. They’re just not, because in some cases this is their business, in other cases this is about their reputation, and in some cases they’re worried about government regulation. These are valid fears, and we have to understand that.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/n-QRmp5lwCU/

Twitter reveals plan for tackling abuse. Again.

Last week, an internal memo from Twitter co-founder and CEO Jack Dorsey leaked online. The memo, which followed the temporary suspension of Rose McGowan’s account over her Harvey Weinstein tweets, included new policies for violent groups, hate speech and revenge porn.

Well, having the calendar leaked wasn’t the way Twitter had planned it, Dorsey said, but the memo was accurate: the company planned to release an “internal shipping calendar” detailing when multiple bully-blocking and troll-fighting features will be implemented. The calendar includes changes Twitter plans to make to the Twitter Rules, how it communicates with people who violate them and how its enforcement processes work.

“This makes us feel uncomfortable because it’s a work in progress and rough, but it’s the right thing to do,” Dorsey said. “We believe showing our thinking and work in real-time will help build trust.”

Here’s some of what Twitter’s calendar, released on Thursday, has in store for us over the coming months:

October:

Accounts found posting nonconsensual nudity – what’s also commonly called revenge porn – will be suspended. The category also includes content taken without the victim being aware, such as upskirt photos and video from hidden or hacked webcams. Twitter says the new policies “err on the side of protecting victims.” The company also says that users can expect “a better experience for suspension appeals” if they believe an account was wrongfully suspended.

November:

Twitter will ban hateful imagery, hate symbols and hateful display names. That last one includes nameflaming: when someone changes their display name to insult someone.

Twitter will begin notifying suspended users via email. Accounts belonging to “groups that use violence to advance their cause” will be suspended. Hate speech and imagery will come with a warning, and hate images will be banned from headers and avatars. Internally, Twitter will begin using a new system to prioritize reports about accounts that violate its rules.

December:

Twitter now removes content that includes violent threats or wishes for serious harm. It will expand that to include content that glorifies or condones “acts of violence that result in death or serious harm.” The platform will introduce improved ways for people who see abuse – what Twitter calls “witnesses” – to report what they see. Twitter will send updates on what, if anything, comes of a witness’ report. Twitter also says it will be using “past relationship signals” to curb “unwanted sexual advances.”

January:

The witness reporting review updates will be rolled out to all.

It all sounds good, doesn’t it? It always sounds good when Twitter promises to stop sucking at dealing with abuse and trolls. But somehow, Twitter’s sucking persists.

In fact, Axios has tallied five other times that Twitter has pledged to crack down on abuse since 2013. This is Twitter’s calendar of nice-try’s, by Axios’ tally:

That can’t be a complete list, can it? It feels like Twitter comes up with some new way to clean itself up at least bimonthly.

Still, in spite of all its efforts to come up with new systems and new processes to automatically strain out the sludge, we get stories like that of Xyla Foxlin: one of the more recent tales of Twitter users harassed for months. It took Foxlin two months of reporting abuse before the troll was tracked down and the abusive account suspended.

During that time, she said, Twitter support was “a bot.” In other words, it was a grueling process of getting a real, live person to actually review the harassment and to take action. It was only when Foxlin got help from a friend who works at Twitter that she got relief from the insults, threats and doxing.

Hers isn’t an isolated story, and her salvation – knowing somebody who works at Twitter – isn’t a one-off, either. In July, BuzzFeed reported that Twitter, after all its efforts to automagically make trolls disappear, is still slow to respond to incidents of abuse unless they go viral or involve reporters or celebrities.

Basically, when it comes to getting Twitter to pay attention to its own rules against abuse, it pays to know somebody.

I didn’t see anything on Twitter’s calendar that addresses the fact that there aren’t enough humans in the mix. We need humans to eye a given report to ascertain the nuance and context of a given threat or insult. We need humans to intercede in order to make Twitter a safer space.

Is such a thing as human intervention possible when dealing with the surging growth of Twitter traffic? Human intervention, as in egalitarian protection applied not just to the cases of harassed celebrities or people whose stories have gone viral but for every harassed user – the famous and the obscure?

Maybe that’s a pie in the sky notion from a technical perspective. But it would be good to see a Twitter troll-easement day planner that mentioned hiring a whole hell of a lot more people to dive into the stream of effluent on behalf of the harassed.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/fauysiU1RZs/

How to get a job in cybersecurity

October is National Cybersecurity Awareness Month (NCSAM) and this week’s theme is The Internet Wants You: Consider a Career in Cybersecurity.

Naked Security asked me to explain what Sophos looks for in potential recruits and how it’s possible for somebody without security experience to break into a career in cybersecurity.

Demand for infosec professionals far exceeds the number of available, qualified people and that gap looks likely to grow bigger.

Unfortunately many people with a strong desire to work in the industry are put off by the extensive list of skills and qualifications they think are required.

Don’t be put off, everyone has had to start somewhere!

Computer security is full of ex-accountants, one time baristas, former homemakers and wannabe rock stars (as well as computer science graduates, obviously!). For a few examples, take a look at Naked Security’s Tweet asking people how they started their careers in IT!

There are a huge array of career options available within computer security and each one requires a different balance of skills.

Here are five things you can do to find work in one of the world’s fastest growing industries.

Teach yourself something

Passion and a desire to work in the industry is what we’re looking for, and the skill we value most in an entry level CV for any of our engineering, labs, security or IT roles is the desire to learn.

Candidates who can demonstrate their interest – perhaps by learning a programming language, studying towards a security qualification, contributing to an open source project or participating in meetups and other extra-curricular activities – are people we want to talk to.

Network

Speak to us and other security professionals online or face-to-face. You may have just the skills we’re looking for and not realise it!

Sophos staff are always attending industry events, career fairs, conferences, meetups etc. Come and chat to us about yourself or give our recruiters a call.

Remember that very few people started out from day one in a security career. We all started somewhere and we’re happy to talk to people interested in pursuing a career in our industry about the skills and experience we built up and how we found our way in. There are so many career paths and routes into security – you may have the “right” background and not realise.

Gain some general IT or development experience

Nothing beats experience, but your experience doesn’t need to come from working in computer security for your skill set to be attractive to us.

A strong grounding in IT or software development is a great first step. Take a look at roles which will help develop your basic skills and give you a strong grounding before pursuing your security career.

Volunteer or intern

Volunteering with a not-for-profit organisation or taking up an internship is a great way to gain some real world experience, and demonstrate to a potential employer that you have the passion and drive to go the extra mile.

Organisations of all types need help with their IT, even if they don’t realise it. Don’t be afraid to approach people and organisations that aren’t advertising and offer to help out.

Don’t be afraid to apply!

We all have a fear of failure and many of us worry about applying for a job that seems a little beyond our reach. Just remember that you’ll never get that job if you don’t apply for it so don’t rule yourself out before you’ve even started.

You’ll be surprised at the jobs people pivot into from apparently unrelated fields, and at what you can learn even if your application isn’t successful.

If you see a role that matches your skills but you don’t have industry experience you could still be just the sort of person we are looking for.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/_mEH7yEQLd0/

Hackers nip into celeb plastic surgery clinic, tuck away ‘terabytes’

A plastic surgery clinic frequented by celebrities such as Katie Price has been targeted by hackers.

London Bridge Plastic Surgery confirmed in a statement that it has been the victim of a cyber attack.

Hackers using the name The Dark Overlord claimed to be behind the breach, which they said included stealing “terabytes” of data, The Daily Beast reported.

The news site, which has seen the images, says many are highly graphic and close-up, showing surgery on male and female genitalia. “Others show apparent patients’ bodies post-operation, and some include faces,” it reported.

The group claims that its stolen cache contains information on “royal families” and has said it will distribute the patient list and corresponding photos online.

“We took measures to block the attack immediately in order to protect patient information and we informed the Metropolitan Police who launched an investigation,” the clinic told The Daily Beast in a statement.

“Regrettably, following investigations by our IT experts and the police, we believe that our security was breached and that data has been stolen. We are still working to establish exactly what data has been compromised.”

The clinic said it is “horrified that they have now targeted our patients”, adding: “Security and patient confidentiality has always been of the utmost importance to us. We invest in market-leading technology to keep our data secure and our systems are updated daily. We are deeply saddened that our security has been breached.

“We are profoundly sorry for any distress this data breach may cause our patients and our team are available around the clock to speak to anyone who has any concerns by calling 0203 858 0664.”

A police spokesperson told The Daily Beast: “On Tuesday, 17 October the Metropolitan Police Service was informed of a data theft from a cosmetic surgery clinic in London. Detectives from the Met’s Organised Crime Command are investigating. There have been no arrests and enquiries are ongoing.” ®

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/24/london_plastic_surgery_clinic_data_breach/

UK financial regulator confirms it is probing Equifax mega-breach

UK financial service regulators have launched an investigation into Equifax over its handling of the recent mega-breach.

In a brief statement on Tuesday, the Financial Conduct Authority (FCA), which could fine the firm or revoke its right to operate in the UK, said it was “investigating the circumstances surrounding a cybersecurity incident that led to the loss of UK customer data held by Equifax Ltd on the servers of its US parent”.

In response, Equifax said it welcomed the investigation.

Equifax Ltd is already working closely with the FCA and other authorities: we welcome this opportunity to learn the lessons from this criminal cyber-attack in order for all businesses to better protect consumers in the future. Cybercrime is a real and ever-present risk faced by all companies, so it is important that Government, regulators and businesses work together to combat this growing threat. We see today’s announcement as a continuation of that process.

The FCA probe piles further pressure on Equifax, which already faces pointed questions from an influential Westminster MP. Nicky Morgan, chair of the Treasury Committee, wrote to Equifax Limited’s UK boss earlier this month asking for further details about the scale of the breach, and what compensation it intended to provide. Morgan also wrote to the FCA asking for an assessment of Equifax’s response to the breach in a letter that also raised the issue of whether the regulator is considering further action. Equifax’s UK business is authorised by the FCA.

Asked for an update on this front, an Equifax spokesman said that that the firm recently responded to Morgan’s letter.

Timeline

On September 15, Equifax said a cybersecurity incident that affected 145 million US consumers also affected 400,000 Brits. A month later on October 10 the credit reference agency admitted that it had underestimated the impact the US-centred breach had on UK customers.

Equifax admitted that a file containing 15.2 million UK records dated between 2011 and 2016 had been exposed as a result of the snafu. Most were duplicates or test data, so the private details of almost 700,000 people were actually exposed. Equifax said it would be contacting affected UK consumers by post.

The breach, which stemmed from a missed Apache Struts patch, was open from May 2017 until it was discovered in July. Equifax had weeks to prepare before going public in September, but mishandled the breach notification process at almost every turn.

Lowlights have included Equifax’s breach handling website – equifaxsecurity2017.com – a botched WordPress install that several security scanners initially feared was a phishing site. In signing up for free post-breach credit monitoring services, US consumers were initially obliged to agree to terms of service that implied they’d forfeit the right to sue Equifax. This implied condition was dropped after objections.

During a hearing before Congress former Equifax chief exec Rick Smith, who retired days before, attempted to blame the breach on a single technician. In the UK, Equifax has been heavily criticised for taking too long to notify affected consumers while they were at heightened risk of identity theft and fraud.

Equifax was criticised not least because it sells identity protection services. Consumers have little to no choice about doing business with Equifax, whose services are used by businesses to check individuals’ creditworthiness. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/24/equifax_fca_probe/

Watership downtime: BadRabbit encrypts Russian media, Ukraine transport hub PCs

Updated Computers at Russian media outlets and Ukraine’s transport hubs were among Windows PCs infected and shut down today by another fast-spreading strain of ransomware.

Corporate systems within Interfax and two other major Russian news publishers have had their files encrypted and held to ransom by malware dubbed BadRabbit. In Ukraine, Odessa airport, the Kiev metro, and the Ministry of Infrastructure were also hit by the extortionware, which demands Bitcoins to restore scrambled documents.

BadRabbit may also have spread to Turkey, Bulgaria and beyond, and is a variant of Diskcoder, according to researchers at ESET.

“Interfax Group’s servers have come under a hacker attack. The technical department is taking all measures to resume news services. We apologize for inconvenience,” Interfax said in a statement.

The software nasty poses as an Adobe Flash update to trick victims into installing it. Once running, it uses the legitimate open-source Mimikatz tool to extract login credentials from the computer’s memory – as the NotPetya ransomware did in June – and uses those credentials, along with a hardcoded list of password guesses, to worm its way through SMB shares on the network.
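Both the Dark Reading piece above and this article describe the same spreading method: credentials dumped with Mimikatz plus a hardcoded username/password list, tried over SMB against other hosts. From the defender’s side that looks like one source address generating network logons against many hosts and many account names in a short burst. What follows is an added example of that detection logic, not code from either article or from any vendor quoted in them; the event tuple layout, the thresholds and the sample records are constructed for illustration and would be mapped onto the 4624/4625 fields of a real SIEM.

```python
"""Flag SMB-style credential spraying in Windows logon telemetry.

Added example, not code from the articles or from any vendor named in them.
A host spreading with harvested plus hardcoded credentials shows up as one
source address producing network (type 3) logon attempts against many target
hosts and many account names in a short window. The field layout and sample
records are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, event_id, logon_type, source_ip,
# target_host, target_user). 4625 = failed logon, 4624 = successful logon.
SAMPLE_EVENTS = [
    ("2017-10-24T10:00:01", 4625, 3, "10.0.5.23", "FS01", "Administrator"),
    ("2017-10-24T10:00:01", 4625, 3, "10.0.5.23", "FS01", "Admin"),
    ("2017-10-24T10:00:02", 4625, 3, "10.0.5.23", "FS01", "backup"),
    ("2017-10-24T10:00:02", 4624, 3, "10.0.5.23", "FS01", "svc_deploy"),
    ("2017-10-24T10:00:03", 4625, 3, "10.0.5.23", "FS02", "Administrator"),
    ("2017-10-24T10:00:03", 4625, 3, "10.0.5.23", "FS02", "Admin"),
    ("2017-10-24T10:00:04", 4624, 3, "10.0.5.23", "FS02", "svc_deploy"),
    ("2017-10-24T10:00:05", 4625, 3, "10.0.5.23", "PRINT01", "Guest"),
    ("2017-10-24T10:00:05", 4624, 3, "10.0.5.23", "PRINT01", "svc_deploy"),
    # Benign noise: one user mistyping a password twice against one server.
    ("2017-10-24T10:00:07", 4625, 3, "10.0.7.9", "FS01", "jsmith"),
    ("2017-10-24T10:00:09", 4625, 3, "10.0.7.9", "FS01", "jsmith"),
    ("2017-10-24T10:00:12", 4624, 3, "10.0.7.9", "FS01", "jsmith"),
    # Interactive logon (type 2) is not lateral movement and is ignored.
    ("2017-10-24T10:00:15", 4624, 2, "10.0.7.9", "WS09", "jsmith"),
]


def _has_spray_burst(recs, window, min_hosts, min_users):
    """Sliding window over one source's time-sorted attempts: True if any span
    no longer than `window` touches enough distinct hosts and account names."""
    start = 0
    for end in range(len(recs)):
        while recs[end][0] - recs[start][0] > window:
            start += 1
        burst = recs[start:end + 1]
        hosts = {h for _, _, h, _ in burst}
        users = {u for _, _, _, u in burst}
        if len(hosts) >= min_hosts and len(users) >= min_users:
            return True
    return False


def detect_credential_spraying(events, window_seconds=60, min_hosts=3, min_users=3):
    """Return {source_ip: summary} for every source that, within `window_seconds`,
    attempts network logons against at least `min_hosts` distinct hosts using at
    least `min_users` distinct account names. The summary covers all of that
    source's network logons so a responder sees which credential actually worked."""
    window = timedelta(seconds=window_seconds)
    per_source = defaultdict(list)
    for ts, event_id, logon_type, src, host, user in events:
        if logon_type != 3 or event_id not in (4624, 4625):
            continue
        per_source[src].append((datetime.fromisoformat(ts), event_id, host, user))

    flagged = {}
    for src, recs in per_source.items():
        recs.sort(key=lambda r: r[0])
        if not _has_spray_burst(recs, window, min_hosts, min_users):
            continue
        flagged[src] = {
            "hosts": sorted({h for _, _, h, _ in recs}),
            "users_tried": sorted({u for _, _, _, u in recs}),
            "failures": sum(1 for _, e, _, _ in recs if e == 4625),
            "successes": sorted({(h, u) for _, e, h, u in recs if e == 4624}),
        }
    return flagged


if __name__ == "__main__":
    for src, summary in detect_credential_spraying(SAMPLE_EVENTS).items():
        print(src, summary)
```

Requiring both many hosts and many account names keeps legitimate fan-out (a backup service account touching every server) from tripping the rule on its own; tune the thresholds against a baseline of your own estate before alerting on it.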

It also, in some cases, causes network intrusion detection systems to trigger EternalBlue alerts while it scans for services to infect, suggesting it may be leveraging the leaked NSA hacking tool EternalBlue to infect and commandeer machines, just like the WannaCry malware in May.

The BadRabbit name comes from the message displayed in a browser window from a .onion Tor-hidden server on infected PCs that gives users the bad news that their files have been encrypted and they need to cough up crypto-coins to unlock their data. It was first spotted by researchers at Moscow-based infosec biz Group-IB.

Pwned … How the ransom note appears on infected machines in a webpage from a .onion address (Source: Kaspersky Lab)

Russian computer forensics and incident response firm Group-IB, which was among the first to report on the outbreak, said the miscreants behind the outbreak were requesting 0.05 BTC ($286, £217) for decryption. This price will keep going up the longer a victim delays paying the ransom.

BadRabbit uses a legit program called DiskCryptor to cipher data on a victim’s hard drive, according to UK security consultant Kevin Beaumont.

Analysis work is still ongoing. BadRabbit encrypts all kinds of files on the drive from .7z archives to .java source code to .docx documents. There’s a list of indicators here for you to check to ascertain whether or not you or your network has been infected – for example, network connections to caforssztxqzf2nm.onion, or downloads from…

hxxp://1dnscontrol.com/flash_install.php
hxxp://1dnscontrol.com/install_flash_player.exe

…are pretty big signs of infiltration.
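Indicators like these are usually published defanged (hxxp://, [.]) so nobody clicks them by accident, which means they have to be restored before they can be matched against logs. The following is an added example of a small indicator scan, not code from the article or from any vendor quoted in it; it uses only the .onion address and the two URLs printed above, and the log format and sample lines are constructed for illustration.

```python
"""Scan proxy/DNS log lines for the BadRabbit indicators quoted in the article.

Added example, not from the article, Kaspersky or ESET. The indicator values
are the ones printed in the article; the log format and sample lines are
constructed. refang() undoes the defanging before matching, and hostnames are
matched as whole tokens so a look-alike superstring does not produce a hit.
"""
import re
from urllib.parse import urlsplit

# Indicators exactly as printed in the article (defanged).
DEFANGED_INDICATORS = [
    "caforssztxqzf2nm.onion",
    "hxxp://1dnscontrol.com/flash_install.php",
    "hxxp://1dnscontrol.com/install_flash_player.exe",
]

# Constructed proxy/DNS records, not real telemetry.
SAMPLE_LOG = [
    "2017-10-24T09:58:12 10.0.5.23 GET http://1dnscontrol.com/flash_install.php 200",
    "2017-10-24T09:58:13 10.0.5.23 GET http://1dnscontrol.com/install_flash_player.exe 200",
    "2017-10-24T09:58:14 10.0.5.23 GET https://www.example.org/news/today.html 200",
    "2017-10-24T09:59:40 10.0.5.23 query caforssztxqzf2nm.onion A NXDOMAIN",
    # Same file name on an unrelated host: must not match.
    "2017-10-24T10:01:02 10.0.7.9 GET http://cdn.example.net/install_flash_player.exe 200",
    # Indicator host embedded in a longer name: must not match.
    "2017-10-24T10:02:30 10.0.7.9 query not1dnscontrol.com.example A NOERROR",
]

_URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)
# A hostname token bounded by characters that cannot be part of a hostname.
_HOST_RE = re.compile(r"(?<![A-Za-z0-9.-])[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?![A-Za-z0-9-])")


def refang(value):
    """Undo common defanging: hxxp -> http, [.] -> ., [:] -> :."""
    return (value.replace("hxxps://", "https://").replace("hxxp://", "http://")
                 .replace("[.]", ".").replace("[:]", ":"))


def build_matchers(defanged):
    """Split indicators into a set of bare hostnames and a set of full URLs
    (scheme://host/path), refanged and lowercased. Every URL also contributes
    its hostname, so other paths on the same host are still reported."""
    hosts, urls = set(), set()
    for indicator in defanged:
        indicator = refang(indicator).lower()
        if "://" in indicator:
            urls.add(indicator)
            hosts.add(urlsplit(indicator).hostname)
        else:
            hosts.add(indicator)
    return hosts, urls


def scan_line(line, hosts, urls):
    """Return the indicators hit by one log line (empty list if none)."""
    hits = []
    lowered = line.lower()
    for url in _URL_RE.findall(lowered):
        parts = urlsplit(url)
        canonical = f"{parts.scheme}://{parts.hostname}{parts.path}"
        if canonical in urls:
            hits.append(canonical)
        elif parts.hostname in hosts:
            hits.append(parts.hostname)
    if not hits:
        # DNS or CONNECT style records carry a bare hostname rather than a URL.
        for token in _HOST_RE.findall(lowered):
            if token in hosts:
                hits.append(token)
    return hits


def scan(lines, defanged=DEFANGED_INDICATORS):
    """Return [(line_number, indicator, line), ...] for every hit, in log order."""
    hosts, urls = build_matchers(defanged)
    return [(n, hit, line)
            for n, line in enumerate(lines, 1)
            for hit in scan_line(line, hosts, urls)]


if __name__ == "__main__":
    for n, hit, line in scan(SAMPLE_LOG):
        print(f"line {n}: {hit}\n    {line}")
```

Run over the constructed sample, lines 1, 2 and 4 are reported and the two look-alikes are not. A download of a different path from 1dnscontrol.com is reported at hostname level rather than ignored, which is the right default for an infrastructure indicator.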

It is believed at this stage BadRabbit wipes system logs and the filesystem journal, and connects to a command-and-control server after infection to coordinate its extortion.

It also drops in a kernel-level key-logger, if it can, to snoop on the victim’s keypresses, can reboot the machine, and potentially alters the boot sector of the PC’s hard drives, it is claimed.

Chris Doman, a security researcher at AlienVault who is probing the malware, said: “This wouldn’t be the first time that an airport in Ukraine suffered a destructive cyber-attack and we are currently investigating to determine the strength of the links to the NotPetya attacks.

“There are reports that the mechanism involves using the tool Mimikatz to steal passwords to spread in a worm-like fashion but so far the damage does not seem as widespread as WannaCry or NotPetya.”

Antivirus packages may detect and stop BadRabbit, aka Diskcoder.D, before it can start up. Indeed, running the initial .exe may pop up a window asking you to disable any anti-malware software you have installed. According to Kaspersky Lab, if you prevent these files from executing…

C:\Windows\infpub.dat
C:\Windows\cscc.dat

…you should be able to disable BadRabbit from running. ®
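One way to act on that advice is to occupy those two paths before the dropper does: an empty, read-only file that the malware cannot overwrite means its payload never lands. The following is an added example, not code from the article or from Kaspersky Lab; pre-creating the files and stripping their inherited ACL with icacls is this example’s own approach to “preventing them from executing”, and it assumes the script is run as an administrator on the machine being protected.

```python
"""Pre-create BadRabbit's drop-file names so the dropper cannot write them.

Added example, not from the article or from Kaspersky Lab. The article says
BadRabbit can be kept from running if C:\\Windows\\infpub.dat and
C:\\Windows\\cscc.dat are prevented from executing. This script occupies those
two paths with empty, read-only files and, on Windows, removes the inherited
ACL with icacls so nothing but the owner can touch them. Run as administrator.
A file that already exists with content is left alone: it may be the real
payload and needs a responder, not a placeholder.
"""
import os
import stat
import subprocess
import sys
import tempfile
from pathlib import Path

DROP_FILE_NAMES = ("infpub.dat", "cscc.dat")


def place_vaccine(windir=None, run_icacls=None):
    """Create the placeholders under `windir` (default %SystemRoot%) and return
    {path: status} with status 'created', 'exists-empty' or 'exists-nonempty'.
    `run_icacls` defaults to True on Windows only; pass False to test elsewhere."""
    windir = Path(windir or os.environ.get("SystemRoot", r"C:\Windows"))
    if run_icacls is None:
        run_icacls = sys.platform == "win32"
    results = {}
    for name in DROP_FILE_NAMES:
        path = windir / name
        key = str(path)
        if path.exists():
            if path.stat().st_size != 0:
                results[key] = "exists-nonempty"
                continue
            results[key] = "exists-empty"
        else:
            path.touch()
            results[key] = "created"
        # Owner read only: clears the write bits (sets the read-only attribute on Windows).
        os.chmod(path, stat.S_IREAD)
        if run_icacls:
            # Remove inherited ACEs so the file carries no permissions beyond ownership.
            subprocess.run(["icacls", key, "/inheritance:r"], check=True, capture_output=True)
    return results


def file_is_locked(path):
    """Verification step: the placeholder is present, empty and not writable."""
    st = os.stat(path)
    return st.st_size == 0 and not (st.st_mode & stat.S_IWRITE)


if __name__ == "__main__":
    for path, status in place_vaccine().items():
        print(f"{status:16} {path}  locked={file_is_locked(path) if status != 'exists-nonempty' else 'n/a'}")
```

Running it a second time reports the files as already present and re-applies the lock, so it is safe to push through a scheduled task or login script; any report of a non-empty infpub.dat or cscc.dat is a signal to isolate the host rather than to vaccinate it.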


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/24/badrabbit_ransomware/

Coin Hive hacked via old password to move manic miners’ Monero into miscreants’ pockets

Monero miner maker Coin Hive was hacked so that websites using its code inadvertently redirected their generated cryptocurrency to miscreants – after the outfit forgot to change an old password.

The team, which develops alt-coin mining JavaScript engines, said on Tuesday hackers had used an old Cloudflare account password to reconfigure coinhive.com’s DNS settings. This allowed the thieves to briefly redirect downloads of its crypto-mining code to a malicious version that was hardcoded to funnel mined cyber-cash to one particular user. In other words, websites embedding Coin Hive’s JavaScript were actually embedding a dodgy copy that stole any Monero created by their visitors’ browsers.

“The DNS records for coinhive.com have been manipulated to redirect requests for the coinhive.min.js to a third party server,” it said in a blog post. “This third party server hosted a modified version of the JavaScript file with a hardcoded site key. This essentially let the attacker ‘steal’ hashes from our users.”

Coin Hive said it regularly changes its passwords and uses two-factor authentication on its main accounts, but its Cloudflare account was overlooked. It thinks the password was the same one its team used on Kickstarter, which was hacked in February 2014, and that the Cloudflare passphrase had not been changed since.


The group said it was “deeply sorry,” and will recompense users of its software. The plan is to credit all site owners with an additional 12 hours of Monero mining based on their daily average hashrate. One Monero coin, 1 XMR, is worth about $89 right now.

The cockup highlights the dangers of reusing pass phrases and not setting up two-factor authentication for everything. There are plenty of databases out there with searchable passwords, email addresses and usernames, collected from various hacked websites and services. So if you’re reusing credentials on multiple systems, you’ll eventually be caught out when one of those systems is compromised and the login details for, essentially, all your accounts are leaked.

Your humble Reg hack had a similar experience a few months ago when, just minutes after replying on Twitter to a tweet by a far-right twit, someone almost logged into his Facebook account using a reused and leaked password. Thankfully, two-factor authentication was switched on and blocked the attempt. It demonstrates the speed with which some attackers will move, and how dangerous it is to reuse passwords for multiple accounts on the web. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/24/coin_hive_hacked_password_reuse/

Why Patching Software Is Hard: Technical Challenges

Huge companies like Equifax can stumble over basic technical issues. Here’s why.

First of a two-part post.

Like everyone else, I wish that Equifax had patched the software flaw that caused the breach right away. However, I also understand why this is difficult. I was an employee of one of the largest banks in the United States, with over 45,000 employees. For the first few years, I worked as a development lead for a team that created and updated applications that processed transactions for billions of dollars in investment assets. I later worked in public cloud, network, and security engineering roles helping teams across the entire company move applications to production.

Patching one software vulnerability on a few servers sounds easy. However, patching that one vulnerability in the context of thousands of devices, software applications, and software libraries across multiple locations and lines of business is another story.

Tracking Devices, Applications, and Software Libraries
Companies need to have an inventory of every single device that runs software. Equifax has close to 10,000 employees worldwide. Each person may have computers, phones, tablets, and other devices. The company must track every piece of hardware connected to its network and every virtual machine in a public cloud environment. Additionally, the company needs to know all software it runs, including operating systems, applications, and software libraries running on each of those devices. Some of the software doesn’t have an automated update or notification process. Companies must vet the software to make sure that update process is not delivering malicious code, as happened in recent cases involving NotPetya, CCleaner, and malicious libraries in public Python repositories.

According to Crunchbase, Equifax acquired 16 companies between 1995 and 2017. Each time a company buys another company, myriad new technologies and software libraries are part of that acquisition. The acquiring company needs to make sure all software is up to date on the company systems it has acquired. Acquisitions involve many complex issues, and patching may not be a top priority. Merging different networks and IT systems is complicated and can take up to a year or longer. Acquisitions and restructuring may mean companies have different lines of business. Different people may manage software in various parts of the organization.

Updating Critical, Complex, and Legacy Applications
Many applications may share a single software library. Updating that library can break processes handling millions or billions of dollars in transactions. The company must test each application that uses the upgraded library before deploying a new version to production. In one case, it took a development team months to update a custom-built library to a new version of Java. The team had to test over 50 different financial processing applications that depended on that library before deploying them into production and removing the old version of the library.

Testing complex legacy applications can be challenging. Imagine all the rules related to US tax laws for a company that handles investment transactions. There are hundreds of variations that can occur that change the tax implications of a trade and what must appear on tax forms. The type of change made to the system will dictate how many of those variations a development team will need to test to ensure any tax or financial processing by the system works correctly. Hopefully, documentation exists for the application, or someone still works at the company who knows how to test infrequently updated legacy applications.

In some cases, installing and testing a patch is extremely risky. A software patch can break devices that cost millions of dollars, such as SCADA systems, medical devices, and research lab systems. No spare machine exists that system administrators can use to test the software update in advance. Patching the software may cause operations at an organization to cease. In the case of a medical facility, it could be a literal matter of life and death.

Patching Solutions and Alternatives
Just because patching is hard doesn’t mean companies can ignore the problem. Organizations need to invest time and money into solutions that automate software deployments and track software inventory. If companies are not aware what software exists in the organization, they won’t be able to make sure it is all up to date. When patching is very risky, companies can limit network access to the port that exposes the vulnerability or turn off the vulnerable features of the software.
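The two practical points above, that an organization cannot patch what it has not inventoried and that restricting network access to the exposed port is a stopgap where patching is risky, can be turned into a small inventory query. The following is an added example, not code from the article or its author: it matches a constructed software inventory against a constructed advisory (package name, first affected version, first fixed version, all hypothetical), groups the affected hosts by line of business so each owning team gets its own list, and proposes an interim network mitigation for hosts whose vulnerable service is reachable over the network.

```python
"""Added example (not from the article): find every device running a vulnerable
version of a package across lines of business, and propose a per-host plan.
All hostnames, package names, versions and the advisory are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class InventoryRow:
    host: str
    line_of_business: str
    package: str
    version: str
    exposed_port: Optional[int]  # None when the service is not reachable from the network


# Constructed sample inventory; the package "example-webfw" is hypothetical.
INVENTORY = [
    InventoryRow("web-01", "consumer", "example-webfw", "2.3.5", 8080),
    InventoryRow("web-02", "consumer", "example-webfw", "2.5.13", 8080),
    InventoryRow("batch-07", "investments", "example-webfw", "2.3.31", None),
    InventoryRow("lab-scada-1", "research", "example-webfw", "2.3.12", 8443),
    InventoryRow("db-03", "consumer", "example-db", "11.2", 5432),
]

# Constructed advisory: versions >= 2.3.5 and < 2.3.32 of example-webfw are affected.
ADVISORY = {"package": "example-webfw", "min_affected": "2.3.5", "first_fixed": "2.3.32"}


def parse_version(text: str) -> tuple:
    """Turn '2.3.31' into (2, 3, 31). A pre-release tail such as '-rc1' is dropped
    so that comparisons stay on the numeric dotted part only."""
    core = text.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def is_affected(version: str, advisory: dict) -> bool:
    """True when min_affected <= version < first_fixed (tuple comparison)."""
    v = parse_version(version)
    return parse_version(advisory["min_affected"]) <= v < parse_version(advisory["first_fixed"])


def affected_hosts(inventory, advisory) -> dict:
    """Map line_of_business -> list of affected InventoryRow, so that each team
    that manages software in its part of the organization gets its own list."""
    result = {}
    for row in inventory:
        if row.package == advisory["package"] and is_affected(row.version, advisory):
            result.setdefault(row.line_of_business, []).append(row)
    return result


def mitigation_plan(inventory, advisory) -> dict:
    """Map host -> action. Network-exposed hosts get 'patch now' plus an interim
    port restriction; hosts whose service is not reachable can wait for the
    next maintenance window, which matters for systems where a patch is risky."""
    plan = {}
    for rows in affected_hosts(inventory, advisory).values():
        for row in rows:
            if row.exposed_port is None:
                plan[row.host] = "patch in next maintenance window (not network-exposed)"
            else:
                plan[row.host] = f"patch now; until then restrict access to port {row.exposed_port}"
    return plan


if __name__ == "__main__":
    for lob, rows in sorted(affected_hosts(INVENTORY, ADVISORY).items()):
        print(lob, [r.host for r in rows])
    for host, action in sorted(mitigation_plan(INVENTORY, ADVISORY).items()):
        print(f"{host}: {action}")
```

The version comparison is deliberately simple (dotted integers only); real inventories mix vendor-specific version schemes, and the lookup would be driven by an authoritative inventory system rather than an in-memory list, but the shape of the query is the same.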

In addition, companies should move legacy software to new software architectures with security designed in from the start. Companies can measure the return on this investment based on the cost other companies are facing due to massive data breaches. Additionally, if this keeps happening, companies should consider the cost of increased legislation designed to prevent data breaches — some of which may add overhead without solving the problem, like regulations related to PCI-DSS compliance.

In the second part of this two-part post, I’ll examine the organizational challenges involved. 


Teri Radichel is the Director of Security Strategy and Research at WatchGuard Technologies. She was on the initial team that helped Capital One move to the cloud, implementing security controls and networking for multiple lines of business. She joined WatchGuard Technologies …

Article source: https://www.darkreading.com/vulnerabilities-and-threats/why-patching-software-is-hard-technical-challenges-/a/d-id/1330181?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Finding Your Appetite for Security Automation (and Why That’s Important)

Yes, automation is becoming increasingly critical. But before you go all-in, determine the level that’s right for your company.

“Automation” is one of the most deafening buzzwords in cybersecurity circles. Four out of five executives say their organizations are already implementing some form of this technology, according to a survey by Radware, and 57% indicate that they trust automated security systems “as much or more than” humans to protect the enterprise. What’s more, 38% believe automated security systems will emerge as the primary resource for cyber defense within two years.

Decision-makers funding time-strapped security operations centers (SOCs) overwhelmed with the volume and velocity of alerts understandably like the sound of automation. Others point to plenty of repetitive and time-consuming tasks requiring speed and accuracy that have been offloaded to machines in other industries.

However, in watching security teams test and adopt different automation principles, it’s clear to me that the most important success factor is getting our “appetite for automation” right. In other words, we must ask these questions: “Where can automation realistically make a difference in our operations?” “How much risk are we willing to take for the expected rewards of speed and efficiency?” Unless decisions are framed this way, approaches to automation risk being unfulfilling at best — or problematic and disappointing at worst.

Consider these examples to start a discussion on what degree of automation fits — particularly from a workflow perspective — within three common stages of the incident response process:

Identification
At the initial incident handling stage of “What just happened?” there is a premium on being able to gather and assimilate relevant data quickly. First responders manually managing an endless alert stream can reliably benefit from automation tools to distinguish false positives from the real thing faster. This process of pulling data from multiple disparate sources to provide context is often referred to as enrichment.

Let’s illustrate with the use case of an executive receiving a potentially malicious e-mail. Traditionally, security staff would manually scrutinize the message’s metadata, links, or attachments to find out what it contains, where it came from, and who appears to be the true sender. But automation can now perform this legwork, allowing experts to focus their time on making reasoned decisions about what, if any, action to take instead of tediously gathering all the data beforehand.
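The enrichment step described above can be shown concretely. The following is an added example, not code from the article or from Syncurity: it parses a constructed suspicious e-mail with Python’s standard `email` module and gathers the facts an analyst would otherwise collect by hand: the claimed sender versus the Reply-To address, each URL in the body with its host and (naively derived) registered domain, and a SHA-256 of each attachment. It then records simple mismatch findings for the analyst to judge; the message content, addresses and domains are all constructed.

```python
"""Added example (not from the article): automated enrichment of a suspicious
e-mail. The sample message, its addresses and its link hosts are constructed."""
import email
import hashlib
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message: display name claims the CEO, Reply-To points elsewhere,
# the link host embeds the company domain inside a lookalike, one small attachment.
SAMPLE_EML = b"""\
From: "CEO Office" <ceo@example-corp.com>
Reply-To: ceo.office@mail-example-test.net
To: cfo@example-corp.com
Subject: urgent wire
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review https://example-corp.com.login-check.test/secure and the attached invoice.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>]+")


def registered_domain(host: str) -> str:
    """Naive registered domain: the last two labels. Real tooling would consult
    the Public Suffix List; this is an assumption made to keep the example offline."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def enrich(raw: bytes) -> dict:
    """Collect sender, reply-to, URLs and attachment hashes, then flag mismatches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0]
    reply_to = msg["Reply-To"].addresses[0] if msg["Reply-To"] else None

    urls, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.is_attachment():
            data = part.get_payload(decode=True)
            attachments.append({
                "filename": part.get_filename(),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
        elif part.get_content_type() == "text/plain":
            for url in URL_RE.findall(part.get_content()):
                host = urlparse(url).hostname or ""
                urls.append({"url": url, "host": host,
                             "registered_domain": registered_domain(host)})

    sender_domain = registered_domain(sender.domain)
    findings = []
    if reply_to and registered_domain(reply_to.domain) != sender_domain:
        findings.append("reply-to domain differs from From domain")
    for u in urls:
        if u["registered_domain"] != sender_domain:
            findings.append(f"link points off-domain: {u['host']}")
            if sender_domain in u["host"]:
                findings.append(f"possible lookalike host: {u['host']}")
    if attachments:
        findings.append(f"{len(attachments)} attachment(s) hashed for reputation lookup")

    return {
        "from": sender.addr_spec,
        "display_name": sender.display_name,
        "reply_to": reply_to.addr_spec if reply_to else None,
        "urls": urls,
        "attachments": attachments,
        "findings": findings,
    }


if __name__ == "__main__":
    report = enrich(SAMPLE_EML)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Nothing here decides what to do with the message; the output is the context an analyst needs in one place, which is the point of enrichment. Wiring the hashes and hosts into reputation services and a ticketing system is where the API integration caveat below comes in.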

Even incremental automation steps usually deliver solid net gains. The biggest caveat, in my experience, is making sure the automation platform you select can readily interface via APIs with both your security tools and other existing investments, such as security information and event management software and configuration management databases. If you start needing multiple dashboards, it offsets any performance gain.

Containment
Here’s where the right appetite becomes tricky, because containment requires action. When malware — or what looks like malware — hits, a number of steps must be executed to curtail what a suspicious file is trying to do, such as stealing data. If you take an “all-in” approach to automation during containment, you might be able to contain true attacks more quickly, but you also shoulder the risk of “breaking things.”

When you move the slider toward more automated defense and empower machines to block and filter more things at top speed, it can result in business users experiencing broken browser links, blocked access to legitimate files, and overall diminished productivity. You have to weigh asset value, sensitivity of the data, and user role to decide if the automation you green-light will result in more security victories — or angry help-desk calls.

Try a few new things on the menu, carefully: Potential risk is the make-or-break factor for most enterprises here. In a large organization, there could be a case for fielding automated defenses in certain business units as test cases, or to protect the most sensitive users and data. Some firms ironically automate containment for low-risk incidents first, requiring human approvals in the process for more high-value targets until confidence is high in the automation’s accuracy.

Remediation
This is where the risk-versus-reward balance matters most. Many vendor claims try to whet automation appetites in this stage with demos that show fully automated technologies seamlessly quarantining or patching machines, or kicking off more complex steps across security and network management.

The logic and technical tripwires behind these highly automated concepts are generally sound, but demos are not the real world and you have to ask what will happen when the unexpected inevitably occurs. A product could conceivably “take matters into its own hands” (because, well, that’s what automation does) during remediation and shut down production systems or email, while it installs a patch or purges all copies of a certain file. Needless to say, when automation performs at this scale, the CISO wants to be the hero — not the person receiving blame.

Approach security automation with enthusiasm, but use caution. Feed your more immediate appetites first. The safest path is to stair-step with automation; tackle enrichment first for measurable, early gains. Use that insight to guide containment, and what you learn along the way will help determine your tastes in automated remediation.

When SOC alerts are skyrocketing, analysts are racing, and breaches cloud the headlines, it is easy to think that big, bold technology moves are the way to go in changing the game. Automation is surely changing how we do security, but everyone’s needs, resources, and risk tolerance are different.

Our wider goal as a community should be sharing how we reach and feed our appetites for security automation across our enterprises, so that different organizations can take notes, follow good examples, and avoid pitfalls.


JP Bourget, Founder and Chief Security Officer of Syncurity, has more than 10 years of experience in cybersecurity. JP works with Syncurity’s customers and market influencers to drive adoption of the company’s flagship IR-Flow platform. Prior to co-founding Syncurity, JP was …

Article source: https://www.darkreading.com/attacks-breaches/finding-your-appetite-for-security-automation-(and-why-thats-important)/a/d-id/1330184?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple