STE WILLIAMS

Chinese software nasty enslaves stadium-load of servers, puts them to work digging up digital dosh in crypto-mines

More than 50,000 servers around the world have been infected with malware that installs crypto-coin-mining scripts and advanced rootkits, it is claimed.

Known as Nanshou, the software nasty, we’re told, infects machines by brute-forcing Microsoft SQL Server account passwords and using known exploits to elevate its privileges. It then drops onto the compromised Windows systems one of 20 different payloads, each including versions of a coin-mining tool and a kernel-mode rootkit that gives the mining software the ability to run without the threat of being detected or terminated by an administrator or security software.

The Guardicore Labs researchers who say they discovered the campaign reckoned this week that Nanshou is particularly noteworthy in its use of rootkit tools and techniques that had previously only been seen wielded by the Chinese government’s hacking crews. It is believed that someone, or some group, in China, possibly run-of-the-mill criminals, has obtained these tools and used them against thousands of servers dotted around the planet.

“Breached machines include over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors. Once compromised, the targeted servers were infected with malicious payloads,” wrote Guardicore bug-hunters Ophir Harpaz and Daniel Goldberg.

“These, in turn, dropped a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.”

The attack itself uses relatively low-tech means to get into the targeted boxes. The attack server first scans for servers with open SQL Server ports then attempts to brute-force the password and, from there, run commands and elevation of privilege exploits in order to get system rights and implant the rootkit on the victim server.
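The brute-forcing stage described above leaves a distinctive trace in the SQL Server error log: a burst of "Login failed" entries from one client address. The following is an added example, not code from Guardicore or The Register, of how a defender can flag that pattern. The log lines are constructed for the example, modelled on the format SQL Server writes for failed logins (error 18456), and the client addresses are documentation ranges, not real hosts.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines (not taken from any real incident):
# six rapid failures against 'sa' and one unknown-account failure from
# 203.0.113.7, plus one isolated failure from 198.51.100.9.
SAMPLE_LOG = """\
2019-05-29 10:12:01.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-05-29 10:12:01.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-05-29 10:12:01.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-05-29 10:12:01.60 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-05-29 10:12:01.71 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-05-29 10:12:01.83 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.7]
2019-05-29 10:12:07.02 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.7]
2019-05-29 10:15:30.10 Logon       Login failed for user 'reports'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.9]
"""

# Timestamp, the account name tried, and the client address at the end of the line.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failures(text):
    """Yield (timestamp, user, client_ip) for every failed-login line in the log text."""
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("user"), m.group("client")


def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Flag client IPs that reach `threshold` failed logins inside any sliding
    window of length `window`. Returns {ip: {"attempts": total, "users": [...]}}
    for flagged clients only, so a lone mistyped password is not reported."""
    recent = defaultdict(deque)      # per-client timestamps inside the window
    total = defaultdict(int)         # per-client failures over the whole log
    users = defaultdict(set)         # per-client account names tried
    flagged = set()
    for ts, user, client in sorted(parse_failures(text)):
        q = recent[client]
        q.append(ts)
        total[client] += 1
        users[client].add(user)
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(client)
    return {
        ip: {"attempts": total[ip], "users": sorted(users[ip])}
        for ip in sorted(flagged)
    }


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failed logins, accounts tried: {info['users']}")
```

A threshold of five failures per minute is an assumption chosen for the example; tune it to the normal failure rate of the instance being monitored, and pair the alert with the obvious mitigation the article implies: a strong `sa` password, or the `sa` login disabled, and the SQL Server port not exposed to the internet.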

The payload itself is what caught the eye of the researchers. In particular, the Guardicore team found that the malware had used cryptographically signed driver-level rootkits that were last spotted as part of sophisticated Beijing-backed hacking operations. The software nasty’s central command-and-control server has since been disabled, and its code-signing certificate revoked.

“Obtaining a signed certificate for a packed driver is not at all trivial and requires serious planning and execution,” Harpaz and Goldberg explained.


“In addition, the driver supports practically every version of Windows from Windows 7 to Windows 10, including beta versions. This exhaustive coverage is not the work of a hacker writing a rootkit for fun.”

At the same time, the group behind Nanshou also made some rookie mistakes that suggest they weren’t the same people who developed the more advanced code found in the rootkits. In particular, the operator failed to put any sort of security in front of the one command-and-control server they used to run the entire operation.

“Logs, victims lists, usernames, binary files – we had them all in a mouse click,” the malware detectives mused.

“In addition, all binary files had their original timestamps; an experienced malware author would have tampered with those to complicate the analysis process.”

The big takeaway from the report, other than a reminder not to use common passwords that can be brute-forced, is that the tools used by Chinese state hackers have now made their way into the hands of the country’s cybercrime operators. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/30/chinese_nanshou_malware/

We ain’t afraid of no ‘ghost user’: Infosec world tells GCHQ to GTFO over privacy-busting proposals

Bruce Schneier, Richard Stallman and a host of western tech companies including Microsoft and WhatsApp are pushing back hard against GCHQ proposals to add a “ghost user” to encrypted messaging services.

The point of that “ghost user”, as we reported back in 2018 when this was first floated in its current form, is to apply “virtual crocodile clips” and enable surveillance by spies, police, NHS workers and any others from the long list of state organisations allowed to snoop on your day-to-day life.

“Although the GCHQ officials claim that ‘you don’t even have to touch the encryption’ to implement their plan, the ‘ghost’ proposal would pose serious threats to cybersecurity and thereby also threaten fundamental human rights, including privacy and free expression,” said a letter (PDF, 9 pages, 300kB) signed by around 50 prominent individuals and organisations.

Those signatories include the aforementioned luminaries and tech firms as well as Apple, the Tor Project, pro-freedom pressure and lobby groups such as the Electronic Frontier Foundation, Big Brother Watch, Liberty, Privacy International and more.

“In particular,” the letter said, “the ghost proposal would create digital security risks by undermining authentication systems, by introducing potential unintentional vulnerabilities, and by creating new risks of abuse or misuse of systems.”

The thrust of the letter is not that the method is technically unviable; rather, it argues that “loss of trust” in communications services would have a range of negative effects, both predictable and unpredictable. Not only that, it also warns that introducing this backdoor through software updates (how else?) would cause users to simply stop installing privacy-killing updates from manufacturers, with the attendant security risks:

“Individual users aware of the risk of remote access to their devices could also choose to turn off software updates, rendering their devices significantly less secure as time passed and vulnerabilities were discovered [but] not patched.”

The missive also warned that Britain’s lax surveillance laws could see the proposal implemented anyway without the public knowing, thanks to what it described as “the power to impose broad non-disclosure agreements that would prevent service providers from even acknowledging they had received a demand to change their systems, let alone the extent to which they complied”.

For his part, Ian Levy, the National Cyber Security Centre co-author of the original GCHQ proposal, said in a statement:

“We welcome this response to our request for thoughts on exceptional access to data – for example to stop terrorists. The hypothetical proposal was always intended as a starting point for discussion. We will continue to engage with interested parties and look forward to having an open discussion to reach the best solutions possible.”

In his original proposal, Levy had rather optimistically hoped that the discussions could happen “without people being vilified for having a point of view or daring to work on this as a problem”. In the post-Snowden environment, and in light of various revelations and disclosures about what British spies get up to, it’s not easy for the agencies to build the public trust they’re hoping for.

Jake Moore, a security specialist from infosec biz ESET, opined: “This makes a mockery of the fundamental basics of encryption. Not only is it going against what privacy is all about: if you create a backdoor for the good guys, the bad guys won’t be far behind.”

The letter was also copied to audit agency the Investigatory Powers Commissioner’s Office (IPCO). Billed publicly as the regulator of surveillance in the UK, IPCO mostly trawls through spies’ logs of who they spied on, after the event. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/30/tech_hits_back_at_gchq_ghost_user_privacy_buster/

Git your patches here! GitHub offers to brew automatic pull requests loaded with vuln fixes

GitHub can now automagically offer security patches for projects’ third-party dependencies.

The Microsoft-owned source-code management site announced on Wednesday the new beta-grade feature: when enabled, developers will receive automatically generated pull requests that, when accepted, will apply security fixes to a project’s dependencies.

For example, Lindsey is a programmer who maintains a project that makes use of three other packages from outside developers, and opts into this new feature. When one of those packages needs a patch for a security vulnerability, Lindsey gets an automatically generated pull request that, when accepted, will merge the fixed package into the project.

These automatic updates will, for now anyway, be limited to dependencies written in Ruby, Python, Java, .NET, and JavaScript. The feature will also require the project have a dependency graph enabled, and will be gradually rolled out over the next few months to coders.


Prior to merging in a patched dependency, a developer will be given a compatibility score to gauge whether the update will break their code. The security fix may change API functionality, or similar, which will cause subsequent builds to fail.

Ideally, programmers should apply the security patch to their code in a separate branch, or locally, then test it, and accept the fix if it all works, and push out an updated build for users to download and install. If the compatibility score is high, and the fix is an emergency, you may want to accept the pull right away.

“Automated security requests contain everything you need to quickly and safely review and merge a proposed fix into your project, including information about the vulnerability like release notes, changelog entries, and commit details,” GitHub said in announcing the new feature.

The automatic updates will make use of Dependabot, the automated update tool GitHub acquired just seven days ago. Earlier this week, GitHub boss Nat Friedman bigged up the tool as “Roomba for your code”, referring to the automated home vacuum bot.

The Dependabot acquisition was part of a larger effort by GitHub to add new management and administrator options for both its free and premium service customers along with a new funding push for open-source projects. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/30/github_security_fixes/

Docker Vulnerability Opens Servers to Container Code

Under very specific conditions, code running in a Docker container could access files anywhere on a server, according to a new CVE.

A recently discovered vulnerability in the Docker container platform could allow an attacker to gain access to files used by other containers and the host server itself. And, in an unusual progression of events, the vulnerability and exploits have been disclosed before patches are available.

The vulnerability, designated CVE-2018-15664, was discovered by researcher Aleksa Sarai. A flaw in the Docker “cp” command, which provides a method for copying a file from the host system to a container, could give an attacker arbitrary read-write access to the host file system with root privileges.

A “race condition” — specifically a “time of check to time of use” (TOCTOU) bug — lies at the heart of the vulnerability. In this case, the problem is that a file path that has been checked for safe and authorized copying conditions can be changed between the time of verification and the time of copying, changed to any file, anywhere on the host server.
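The check-then-use pattern the article describes, and the way to avoid it, can be shown in a few lines. The example below is added here and is not Docker’s code or the researcher’s proof of concept; it is a generic illustration of the same class of bug, with the “container” directory, the file names and the race simulated by a hook all constructed for the demonstration. `racy_read` validates the resolved path and then opens the name again, so a swap in between goes unnoticed; `safe_read` opens each path component relative to the previous descriptor with `O_NOFOLLOW`, so the object it checks is the object it uses.

```python
import os
import tempfile


def racy_read(root, relpath, swap_hook=None):
    """Check-then-use: verify where the path resolves, then open it by name.
    Anything that changes the path between the check and the open is not seen.
    `swap_hook` stands in for an attacker winning the race window."""
    full = os.path.join(root, relpath)
    if not os.path.realpath(full).startswith(os.path.realpath(root) + os.sep):
        raise PermissionError("path escapes root")
    if swap_hook is not None:
        swap_hook()                      # the race: the path changes after the check
    with open(full, "rb") as f:          # opens whatever the name points at *now*
        return f.read()


def safe_read(root, relpath):
    """Walk relpath one component at a time, opening each one relative to the
    directory descriptor already held and refusing symlinks with O_NOFOLLOW.
    There is no separate check step to race against: the descriptor that was
    verified is the descriptor that is read."""
    parts = [p for p in relpath.split(os.sep) if p and p != "."]
    if not parts or ".." in parts:
        raise PermissionError("relative path must stay inside root")
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for part in parts[:-1]:
            nfd = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nfd
        # O_NOFOLLOW makes os.open raise OSError (ELOOP) if the leaf is a symlink.
        ffd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=fd)
    finally:
        os.close(fd)
    with os.fdopen(ffd, "rb") as f:
        return f.read()


def demo():
    """Constructed scenario: a directory the check allows ('container') and a
    host file outside it that the check is meant to protect. Returns what each
    reader produced once the checked path is swapped for a symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "container")
        os.mkdir(root)
        victim = os.path.join(root, "data.txt")
        secret = os.path.join(tmp, "host_secret.txt")
        with open(victim, "w") as f:
            f.write("container data")
        with open(secret, "w") as f:
            f.write("host secret")

        honest = safe_read(root, "data.txt")     # the safe reader works on real files

        def swap():
            # Replace the already-checked file with a symlink pointing outside root.
            os.remove(victim)
            os.symlink(secret, victim)

        racy = racy_read(root, "data.txt", swap_hook=swap)
        try:
            safe_read(root, "data.txt")
            safe = "followed"
        except OSError:
            safe = "refused"
        return honest, racy, safe


if __name__ == "__main__":
    honest, racy, safe = demo()
    print("safe_read on an ordinary file:", honest)
    print("racy_read after the swap:", racy)
    print("safe_read after the swap:", safe)
```

The general lesson, which applies beyond Docker, is that a permission decision about a path is only as good as the moment it was made; validating the object you actually hold (a descriptor, with `O_NOFOLLOW` or `fstat` on it) removes the window rather than trying to shrink it.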

“It’s not just a violation of integrity and confidentiality. If the attacker successfully exploits this bug, not only can they get read and write access on data within the container, it actually opens the host itself to integrity and confidentiality violations as if it were in the container,” says Kelly Shortridge, vice president of product strategy at Capsule8.

Fortunately, this is not a vulnerability that can be remotely exploited. “You’d have to own a container running on the server and then be able to control the code running in the container,” explains Jerry Gamblin, principal security engineer at Kenna Security. And even within those containers, only the “cp” command is vulnerable.

That difficulty in exploiting the vulnerability is likely why the researchers and Docker community felt comfortable disclosing the vulnerability before a patch is available.

“The thing that grabbed me and was the talk of the security community yesterday is that they talked to people and allowed them to release the bug and the scripts before the patch was out, which to me indicates that it is probably low risk to most people,” Gamblin says.

Until that patch is released, a brute-force fix may be the only remediation option.

“Because Docker ‘cp’ doesn’t seem to be used in many automated processes, organizations for now can probably just block that utility until there’s a fix out,” Shortridge says.

In the hierarchy of things for a CISO to worry about, this vulnerability should be at a low level, both Gamblin and Shortridge say. Unfortunately, each also says there are factors that will keep it a low-level concern for some time to come.

“People should also be aware that it appears that Kubernetes is able to use Docker ‘cp’ as well,” says Shortridge, which makes it possible for orchestration playbooks to include the vulnerability. And the vulnerability patch, when it arrives, may not make the problem go away.

The common practice of simply pulling an existing container from a Docker pool and using it means that, if the individual maintaining the container doesn’t update it, developers pulling the vulnerable container might never know they are deploying a flawed container, Gamblin says.

Still, he points out, this is a weakness, but not a structural weakness. Shortridge agrees, saying this is a cause for caution, but not at all a reason for panic.


Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and …

Article source: https://www.darkreading.com/vulnerabilities---threats/docker-vulnerability-opens-servers-to-container-code/d/d-id/1334836?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

News aggregator app Flipboard hacked: All passwords reset after hackers pinch user data

News aggregation app Flipboard has publicly confessed that hackers accessed personal data about its members.

Although the biz did not say how many customers had been affected, the app has been installed more than half a billion times, according to its Google Play Store listing.

The databases that got away, according to a Flipboard statement, included account credentials, names, hashed and salted passwords, and email addresses. Some of these passwords were SHA-1 hashed, while those created after March 2012 were hashed and salted with the more modern and tougher-to-crack bcrypt algorithm.

The app’s makers do not collect financial data or government ID card information.

Flipboard is a news aggregator. Rather than visiting your favourite news website and reading its glorious headlines, beautiful stock images and cutting-edge captions the way the gods of journalism intended, Flipboard allows you to create a personalised “news magazine” that you swipe your way through.

It’s not just Flipboard accounts that may be vulnerable, the company warned. “If users connected their Flipboard account to a third-party account, including social media accounts, then the databases may have contained digital tokens used to connect their Flipboard account to that third-party account.”

All such tokens have been deleted or replaced.

All passwords have been reset, though Flipboard insisted that not all of its users had been compromised and that it was still “identifying the accounts involved”. Law enforcement agencies have, it added, been told of the breach and an unidentified third-party security firm is analysing what happened.

The fallout from this hack is likely to persist. With such a large userbase, the number of affected accounts seems likely to fall into the six-figure bracket – or, if luck is not on their side, a heck of a lot more. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/29/flipboard_hacked/

IEEE tells contributors with links to Chinese corp: Don’t let the door hit you on Huawei out

Compsci academics are startled by how the US-based IEEE is complying with American sanctions on Huawei. That includes halting peer review by anyone connected to the Chinese company – and banning them from buying IEEE-branded coffee mugs.

The New York-headquartered Institute of Electrical and Electronics Engineers, one of the world’s leading technological academic bodies, issued a statement on 22 May setting out in detail (PDF) what “Listed Persons” (employees of Huawei and its affiliates) can and cannot do under the IEEE’s banner.

That has caused academics worldwide to question the institution’s independence of US governmental influence. As the preeminent standards-setting body and professional discussion forum for everything from Wi-Fi to phone networking technologies, the IEEE is the place to be when it comes to cutting-edge research.

As an American corporation, however, the IEEE is bound by US law. When that law places sanctions on particular countries and/or companies, as has happened to Huawei, institutions, agencies and corporations have little choice in what to do.


The statement, distributed via an IEEE listserv, said under the heading “participation in peer review” that a Listed Person “may not receive or access materials submitted by other persons for publication until after IEEE has accepted the material for publication in accordance with IEEE’s normal publication process”.

It adds that once the IEEE has accepted something for publication, Huawei people can act as peer reviewers. In effect, they are banned from seeing anything that is not already public, or earmarked to become public – a move intended to wall them off from potentially sensitive western technological advances in radio and networking tech.

Ironically, the immediate effect is likely to slow western understanding of 5G technologies, given Huawei’s grudgingly admitted lead over western companies in the field, as academics told us.

“On face value,” Professor Alan Woodward of the University of Surrey told The Register, “it looks like they are asking all Editors (academics all over the world) to inform anyone on their editorial board (associate editors) that if they work for Huawei they can no longer participate, and then to inform the remaining associate editors (who are the ones who hunt for reviewers) that they mustn’t choose anyone from Huawei as a reviewer.

“In areas like 5G that will cause a big problem as Huawei have many people that are knowledgeable about some of the leading edge research about which these papers are being written.”

Tech-focused academic institutions have already been complying with the IEEE’s new instructions – causing disquiet among some.

Part of an email sent by a London-based academic to Professor Toshio Fukuda, president of the IEEE, reads as follows:

I am writing this email to you regarding the IEEE’s ban on Huawei. Rumor has it that due to the BIS list of the US, Huawei’s employees will not be allowed to participate in paper review or editing of all the IEEE Transactions and journals. As the president of the IEEE, Prof. Fukuda, could you please confirm whether this is the truth or not?

If this is true, I strongly appeal to IEEE not to launch this ban. As per my understanding, IEEE is a pure academic organisation, which should stay out of any political disputes. Additionally, please note that Huawei has funded a large number of IEEE conferences, journal papers and other events. As far as I know, Huawei has not done any harm to the IEEE. Instead, IEEE has received a considerable amount of funding from Huawei. There is no reason for the IEEE to ban Huawei employees.

The author also asked whether Fukuda would stand up against what the academic described as “the hegemonic power of the US”.

Institutions have already begun implementing the IEEE’s new rules. Academic sources who were unwilling to speak on the record have told The Register they were deeply unhappy with the IEEE’s stance on Huawei-linked academics and researchers.

Woodward added: “If this turns out to be a serious attempt to block editorial members and reviewers from Huawei, it makes the IEEE look a lot less of an international organisation than they have previously held themselves out to be.”

An IEEE spokeswoman did not return The Register’s request for comment. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/29/ieee_huawei_controversy/

ProtonMail filters this into its junk folder: New claim it goes out of its way to help cops spy

ProtonMail, a provider of encrypted email, has denied claims that it voluntarily provides real-time surveillance to authorities.

Earlier this month, Martin Steiger, a lawyer based in Zurich, Switzerland, attended a presentation in which public prosecutor Stephan Walder, who heads the Cybercrime Competence Center in Zurich, mentioned the company. In a live-tweeted account of the event, subsequently written up in German and recently translated into English, Steiger said he learned that ProtonMail “voluntarily offers assistance for real-time surveillance.”

But Walder, the source of the revelation, subsequently contacted Steiger to clarify that he had been misquoted and had only described ProtonMail as a potential provider of assistance.

Steiger maintains that he accurately reported what he heard and points to ProtonMail’s own Transparency Report, which describes enabling IP logging in April in a case of clear criminal misconduct under Swiss law.

The key word here is “voluntary.” ProtonMail says that it is obligated to assist authorities, like every other company in Switzerland and elsewhere. “All Swiss service providers are obligated by law to assist law enforcement in criminal cases, and the law requires us to enable IP logging in criminal cases,” the company said via Twitter.


In an email to The Register, a company spokesperson dismissed Steiger’s claims.

“ProtonMail does not voluntarily offer assistance,” the company spokesperson said. “We only do so when ordered by a Swiss court or prosecutor, as we are obligated to follow the law in all criminal cases. Furthermore, end-to-end encryption means we cannot be forced by a court to provide message contents.”

Steiger’s skepticism about ProtonMail security appears to follow from marketing non sequiturs – “ProtonMail is hosted in a former military command center deep inside the Swiss alps” – that fall short of testable technical guarantees.

His argument focuses on the fact that message metadata can be as revealing as message contents, and there’s some truth to that. It’s extraordinarily difficult to communicate securely and anonymously over the internet, particularly if law enforcement authorities have access to relevant service providers. But that problem is not specific to ProtonMail.

The Register asked Steiger to comment but he didn’t immediately respond. ®

PS: ProtonMail has a Tor-based .onion service if you don’t want your real public IP address tracked.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/05/29/protonmail_dismisses_spying/

Why Fostering Flexibility Is a Win for Women & Cybersecurity

Creating a culture of supporting and advancing women is no small feat, but it’s worth the challenge. Start with yourself. Here’s how.

Effecting change within an organization can feel like pushing a giant boulder up a hill. The temptation is to put your head down and get the work done. Sometimes it also means flexing some underused muscles, which means we have to do things differently and be willing to take risks.

The statistics below showcase where women stand within cybersecurity, the technology industry, and in general professional jobs right now. Women make up more than half of the population and hold 51.5% of all professional jobs. The foundation may be strong, but here’s where we need improvement:

In cybersecurity, the numbers are even worse. There’s a massive shortage of cyber jobs, yet women make up only 20% of the cybersecurity workforce. One way to change the numbers is to change the way we work. This means providing women the flexibility to get things done from home and, yes, sometimes even when the kids are there.

Work-Life Balance
The majority of women working in IT believe that having a family places them at a disadvantage professionally, according to a 2018 Harvey Nash Women in Technology report. Why then, with so many technology tools available to connect us globally, are we still required to show up in the office every day from 9 to 5, or longer? As an executive at a cybersecurity company, I work remotely, with the trade-off that I must travel to our headquarters from time to time. Still, as part of a mostly remote team, we are consistently delivering very positive results.

Conversely, when companies fail to trust teams with the flexibility of working remotely, they are losing out on significant opportunities. It’s time to ditch demeaning work cultures and change how business gets done so women and men are able to choose family and career.

My experience in the cybersecurity field is unique because I work for a company that embraces remote work; however, it hasn’t come without challenges. Working in a male-dominated industry among a male-dominant executive team means broaching uncomfortable topics.

The team was flexible with my maternity leave in 2018 and open about giving me as much time as I needed. But I still had to educate the male staff about breastfeeding, why travel was out of the question for the first six months of my daughter’s life, and why sometimes I had to rearrange meetings due to pumping sessions. I chose to provide explanations because I don’t think enough women are sharing this information.

Women in cybersecurity are slowly starting to make inroads, according to several recent studies. But there are still many institutional barriers, such as burnout, lack of career advancement opportunities, and an industry culture of sexism. Another reason for the continuing gender disparity in our industry is because security professionals are not willing to talk about many real, practical issues that get in the way. In my case, I found my male colleagues to be receptive to my candor. Now I’m proud to say we’ve added another female executive to the team, which is a testament to how contributing to the conversation can help change the numbers.

Lessons Learned
When you’re intentional about your goals, you will get there in time. But it doesn’t happen overnight. Here are some valuable lessons I’ve learned: 

  • Be your own champion. Ask for the respect and for the salary, but be willing to put in the hard work required. Your boss is more likely to trust you with a flexible work model if your work ethic is unwavering.
  • Don’t let the stumbling blocks discourage you. When it comes to our careers, the pressure to be perfect often leads us to be far too conservative with our aspirations. Instead, be brave! Your stumbling blocks will be moments in your career that highlight your perseverance.
  • Advance yourself so that you can advance other women. The Harvey Nash survey found that 31% of women in tech left their last job because they had no opportunities for advancement. Advancement happens when you take initiative. Don’t wait for it. Instead, create the opportunity you’re seeking.

What have you seen that helps champion women? Have you been with a company that did this well? Ask yourself these questions, and if the answers fall short, take time to discover why. Creating a culture of supporting and advancing women is no small feat, but it’s worth the challenge. Start with yourself.


Nineveh Madsen is an executive at OpenVPN, a provider of next-gen secure and scalable communication services. The company’s VPN protocol is the standard in the open source networking space with over 50 million downloads since inception. Before making the transition into the …

Article source: https://www.darkreading.com/careers-and-people/why-fostering-flexibility-is-a-win-for-women-and-cybersecurity-/a/d-id/1334740?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Flipboard Confirms Two Hacks, Prompts Password Resets

The company reports two incidents affected a subset of its users and is resetting passwords for involved accounts.

Flipboard, a news aggregator and content-sharing platform, has confirmed two separate security incidents in which unauthorized attackers broke into some of its databases.

The company launched a breach investigation on April 23, when it learned these databases had been hacked. It found someone had accessed, and potentially obtained copies of, databases with user information between June 2, 2018, and March 23, 2019, as well as April 21-22, 2019.

These databases stored account information belonging to a subset of Flipboard’s 150 million users; the company has not disclosed the total number of people affected. Compromised data includes names, Flipboard usernames, email addresses, passwords, and digital tokens used to connect Flipboard accounts to third-party accounts like Facebook or Google. Flipboard does not collect government-issued IDs or payment card, bank account, or any other financial data.

“Not all Flipboard users’ account information was involved in the incident,” officials report in a blog post. “We’re still identifying the accounts involved and as a precaution, we reset all users’ passwords and replaced or deleted all digital tokens.” The company also says there is no evidence indicating attackers used digital tokens to access users’ third-party accounts.

Flipboard does note the passwords were never stored in plaintext. Those created or changed after March 14, 2012, were cryptographically protected with the bcrypt function. Passwords created before then were salted and hashed with SHA-1, officials say in the blog post.

Owners of compromised accounts can continue to use Flipboard on devices where they’re already logged in. When Flipboard is accessed from a new device, or someone logs out of Flipboard on their current device, they’ll be asked to create a new password when they log in.


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/application-security/flipboard-confirms-two-hacks-prompts-password-resets/d/d-id/1334828?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

WannaCry Lives On in 145K Infected Devices

Data from the last half year shows devices worldwide infected with the self-propagating ransomware, putting organizations with poor patching initiatives at risk.

Two years after the WannaCry ransomware attack blitzed through major organizations and shut down manufacturing and operations, the malware still exists on an estimated 145,000 devices, continuing to attempt to spread to unpatched versions of Microsoft Windows.

Internet of Things security vendor Armis collected data from honeypots and DNS cache servers over a six-month period and found that an estimated 145,000 devices remain infected with the WannaCry ransomware. Nearly 60% of manufacturing and 40% of healthcare organizations have had at least one device compromised by WannaCry, the company found.

The continued success of WannaCry is mainly due to unpatched versions of Microsoft Windows that are embedded in hard-to-update industrial and enterprise devices, says Ben Seri, vice president of research at Armis.

“Often these systems are set up when the device—whether manufacturing, healthcare, or retail—is delivered and the company does not want to update it, because they are concerned that doing so can lead to business disruption,” says Seri, whose company today published its WannaCry data.

WannaCry has successfully attacked an average of 3,500 systems per hour worldwide over the past six months.

WannaCry first started spreading on May 12, 2017, infecting Microsoft Windows systems using an exploit stolen from the National Security Agency—known as EternalBlue—that targeted a vulnerability that had been patched by Microsoft two months before. The ransomware attack propagated on its own, placing it in the class of programs known as a worm, and quickly spread to 74 countries in the early hours of the attack.

The attack hit healthcare systems and manufacturers the hardest, as they had Microsoft Windows embedded in critical operations and information technology that the organizations needed to continue to operate. The attack disrupted the U.K.’s National Health Service, causing surgery delays and cancelled appointments. FedEx service faced disruptions and auto manufacturers such as Nissan and Renault suffered from the attack.

“In industrial networks, much of the security of the organization relies on segmentation of the network—which is good and you should do that—but once WannaCry gets in, the infection spreads quickly,” Seri says.

Armis took a census of the current WannaCry population by using a network of honeypot servers to register the source of attack traffic. More than 145,000 devices appeared to be compromised with WannaCry at some point during the past six months. The company attempted to take into account systems behind routers, which can sometimes appear as multiple systems due to the dynamic assignment of IP addresses.

In addition, the company studied DNS traffic for signs of any requests to the kill switch—a domain that WannaCry attempts to contact following an infection, and whose existence signals the program to stop its attempts at infection. The company examined more than 10,000 DNS servers in 120 countries to determine how many requests were made to the kill switch. The data suggests that vulnerable systems are still being infected with the original version of WannaCry—which checks for the kill switch—at a rate of roughly one compromise per second.
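The DNS measurement described above works for a defender on a single network as well: any client that looks up the kill-switch domain has, with high probability, just executed the worm, whether or not the lookup succeeded. The added example below (not Armis's code) runs that check over a few constructed DNS query-log lines, counts lookups per client, and separately lists clients whose lookup did not resolve, since on those hosts the original WannaCry would not stop and would keep trying to spread (the situation the article later attributes to ISP blocking in Vietnam). The log format and the hostname `wannacry-killswitch.example` are placeholders; the page does not give the real kill-switch domain, so substitute the real one and your resolver's log format.

```python
import re
from collections import Counter
from typing import Dict, Iterator, List

# Placeholder for the real kill-switch hostname, which is not given on this page.
KILL_SWITCH_DOMAIN = "wannacry-killswitch.example"

# Constructed sample resolver log, one query per line:
#   "<timestamp> <client ip> <queried name> <response code>"
SAMPLE_DNS_LOG = """\
2019-05-29T10:00:01Z 10.1.4.22 www.example.com NOERROR
2019-05-29T10:00:02Z 10.1.4.22 wannacry-killswitch.example NOERROR
2019-05-29T10:00:05Z 10.1.7.9 wannacry-killswitch.example NXDOMAIN
2019-05-29T10:00:06Z 10.1.7.9 wannacry-killswitch.example NXDOMAIN
2019-05-29T10:00:09Z 10.1.9.3 mail.example.org NOERROR
2019-05-29T10:01:00Z 10.1.4.22 WANNACRY-KILLSWITCH.EXAMPLE. NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$"
)


def normalize_qname(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot; fold both away."""
    return qname.rstrip(".").lower()


def parse_dns_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_kill_switch_lookups(text: str, domain: str = KILL_SWITCH_DOMAIN) -> Dict[str, object]:
    """Return per-client lookup counts for the kill-switch name, plus the clients
    whose lookups did not resolve (NXDOMAIN/SERVFAIL etc.).

    A resolving lookup means the worm stopped on that host; a non-resolving one
    means the host is both infected and still scanning for targets.
    """
    hits: Counter = Counter()
    unresolved: set = set()
    for rec in parse_dns_log(text):
        if normalize_qname(rec["qname"]) != domain:
            continue
        hits[rec["client"]] += 1
        if rec["rcode"] != "NOERROR":
            unresolved.add(rec["client"])
    return {
        "hits": dict(hits),
        "kill_switch_unresolved": sorted(unresolved),
        "total_lookups": sum(hits.values()),
    }


def lookups_per_second(total_lookups: int, window_seconds: float) -> float:
    """The rate figure Armis reports, for a window you measured yourself."""
    return total_lookups / window_seconds if window_seconds > 0 else 0.0


if __name__ == "__main__":
    result = find_kill_switch_lookups(SAMPLE_DNS_LOG)
    for client, n in sorted(result["hits"].items()):
        flag = " (kill switch unreachable: still spreading)" if client in result["kill_switch_unresolved"] else ""
        print(f"{client}: {n} kill-switch lookup(s){flag}")
```

Because the indicator is the query itself rather than the answer, keep query logging enabled on internal resolvers; a sinkholed or blocked kill-switch domain still surfaces infected hosts here, it just no longer stops them.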

Companies and organizations that have systems with embedded versions of Microsoft Windows are at greater risk of WannaCry because those systems are often not regularly updated, Armis’ Seri says. In many cases, the manufacturers of that equipment don’t provide regular updates. In other cases, the organization does not have specific patch windows to apply software updates.

To make matters worse, the companies often also lack additional security, he says. “These reasons are also the reason many of them don’t run any endpoint security, and thus are even more likely to be compromised by WannaCry, or similar malware,” he wrote in an analysis posted to Armis’ site.

An interesting anomaly in the data is that a relatively small country, Vietnam, accounts for more than 10% of the attacks, according to Armis. The issue for companies in the country is that Internet service providers block attempts to connect to the kill-switch domain, removing that safety net and leading to a higher number of infections.

Armis found that healthcare organizations, manufacturers, and retail companies have high rates of older versions of Windows, with at least 60% of computers in each industry running Windows 7 or older.

The first step for companies is to gain continuous and consistent visibility into their networks: which devices are connected and which operating systems they are running, Seri says.

“This is not something that you do once in a while,” he says. “You need to continuously know what is running and what is vulnerable.”


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline …

Article source: https://www.darkreading.com/attacks-breaches/wannacry-lives-on-in-145k-infected-devices/d/d-id/1334830?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple