Security Alert: BlueDoom Worm Caught Spreading through EternalBlue, Integrates Batch of Leaked NSA Exploits

Unfortunately for users who haven’t patched their systems yet after the WannaCry ransomware campaign, there has been an increase in attempts to abuse the EternalBlue exploit in the past few days.

The most recent example comes from this morning, when a new worm, dubbed BlueDoom, was caught trying to exploit EternalBlue on a honeypot. The analysis done on BlueDoom hints that cyber criminals may be preparing to integrate an array of different exploits for an attack that combines a full set of digital weapons.

BlueDoom is different from WannaCry because it shows a long-term intent to make use of vulnerabilities stemming from virtually all Shadow Brokers leaks containing Windows exploits. BlueDoom disguises as WannaCry, but it’s a completely different type of worm that does not drop ransomware.

At the moment, BlueDoom seems focused on establishing a launching pad for future attacks.

The payload includes, among other things, components for installing TOR, which the worm uses as a C&C communication channel. This is where it retrieves the second stage of the payload.

The main component is called “taskhost.exe” and has approximately 4.6MB in size (see the VirusTotal report).

Upon infection, BlueDoom (the internal name is EternalRocks), goes dormant for 24 hours. In the next stage, the worm connects to a TOR Gateway (sanitized):

https [:] //ubgdgno5eswkhmpy [.] Onion / updates / shadowsinstalled? Version = 1.55

From the file properties, we find the name EternalRock:

0050779E CompanyName
005077B8 Microsoft
005077D2 FileDescription
005077F4 EternalRocks
00507816 FileVersion
00507830 1.0.0.0

To ensure that the first payload is not run more than once on a vulnerable client or server, BlueDoom creates the following mutex:

BaseNamedObjects {8F6F00C4-B901-45fd-08CF-72FDEFF}

Unlike WannaCry, this worm does not have a “kill switch”. It, however, includes an arsenal of NSA leaked exploits: Architouch, Doublepulsar, EternalBlue, Eternalchampion, Eternalromance, Eternalsynergy, Smbtouch.

These are dropped to the c: config folder with the following filenames:

Architouch.inconfig
Doublepulsar.inconfig
Eternalblue.inconfig
Eternalchampion.inconfig
Eternalromance.inconfig
Eternalsynergy.inconfig
Smbtouchv.inconfig

It also drops the following in the c: payloads folder:

ReflectivePick_x64.dll
ReflectivePick_x86.dll
x64.shellcode.out
x86.shellcode.out

It seems obvious that the payloads are intended for both 32 bit and 64 bit Microsoft Windows versions.

In the C: bins folder, the following elements are dropped:

trfo-0.dll
pcreposix-0.dll
taskmgr.exe
dmgd-4.dll
ssleay32.dll
zlib1.dll
trfo.dll
pcrecpp-0.dll
riar.dll
eteb-2.dll
etchCore-0.x64.dll
tibe.dll
trch-0.dll
etchCore-0.x86.dll
pcla-0.dll
ucl.dll
riar-2.dll
posh.dll
pcre-0.dll
winlogon.exe
cnli-1.dll
crli-0.dll
posh-0.dll
msdtc.exe
iconv.dll
wmiprvse.exe
zibe.dll
lsass.exe
etch-0.dll
libiconv-2.dll
adfw-2.dll
trfo-2.dll
xdvl-0.dll
cnli-0.dll
exma.dll
etebCore-2.x86.dll
C:payloadsReflectivePick_x86.dll
coli-0.dll
csrss.exe
C:payloadsReflectivePick_x64.dll
etebCore-2.x64.dll
adfw.dll
trch.dll
tucl-1.dll
tibe-2.dll
spooler.exe
dmgd-1.dll
trch-1.dll
tucl.dll
libeay32.dll
tibe-1.dll
libxml2.dll
libcurl.dll
esco-0.dll

bluedoom-screengrab

As you can see, this is a dangerous arsenal of exploits and malicious code that can fuel the distribution of BlueDoom/EternalRock. This is something the entire security industry feared because it could set the context for it to become a widespread infection, maybe even bigger than WannaCry.

The BlueDoom worm consists of two modules:
1. A first-stage “rocket”, carried by the EternalBlue exploit.
2. And a second phase that drops the main component of the infection, which currently has a detection rate of 13/61 on VirusTotal.

bluedoom virustotal detection rates - May 18 2017

When there are enough zombie computers in the C&C server, the complete infection arsenal is deployed.

You can prevent the BlueDoom worm from running by creating a process with the following mutex value “8F6F00C4-B901-45fd-08CF-72FDEFF”.

The TOR gateway and C&C domains are blocked in Heimdal PRO and Heimdal CORP, which prevents the main component of the infection from being downloaded.

We continue to urge both home users and companies to patch their systems as fast as possible! In order to provide a helping hand, we’ve created a guide to help you get this done faster:

How to Apply the Windows Update that Patches the EternalBlue SMB Exploit

*This article features cyber intelligence provided by CSIS Security Group researchers.

Go to Source
Author: Andra Zaharia

Powered by WPeMatico

WannaCry: On screens everywhere!

The outbreak of Trojan ransomware WannaCry has already caused a heap of trouble to all kinds of businesses. However, we expect that companies whose infrastructures employ embedded systems are feeling particularly unhappy with the authors of this malware.

Companies whose infrastructures employ embedded systems are feeling particularly unhappy with the authors of WannaCry

Theoretically, embedded systems should not be interesting to ransomware actors — it’s doubtful that anyone would pay ransom for a purely utilitarian system that holds no valuable data and whose hard drive is routinely reformatted anyway. But WannaCry does not choose its targets. As a result of the peculiar nature of the vulnerability it exploits, WannaCry has spread itself widely across local networks and infected all unpatched and unprotected machines.

Out of the blue

It would be unfair to say that this plague has been an eye-opener: The problem of insufficient security of embedded systems is not new, and it’s long been known that they traditionally have less (if any) protection than workstations and servers. But WannaCry brought the issue into the spotlight.

When speaking of embedded system, ATMs and POS terminals may come to mind. And indeed, some of them got infected, although they tend to have some protection installed because of regulations and because they are frequently seen in threat models. The infection of such systems as information panels, medical equipment, and vending machines looked like a bigger deal — to say the least.

The owners of infected embedded systems don’t feel any better knowing they didn’t pay ransom to criminals; they still suffered noticeable damage.

  • Inoperable vending machines, ATMs, or automated ticket kiosks mean cash shortfalls.
  • A ransom note on a publicly accessible screen tells customers “Our security is bad.” It’s hard to assess the damage such a message does to a company’s reputation. Will a client who sees that message come back?
  • Infected terminals require repairs. If you use hundreds of terminals, you can count how much money you’re going to spend, especially given the geographical distribution and urgency with which your personnel have to reinstall operating systems and make changes in security settings. And some devices may use outdated software that is challenging or even impossible to reinstall.

Going by the trolling in social networks, these screens did not go unnoticed.

How to solve the problem

Why do embedded systems lack protection? There are two reasons. First, until now their security was often overlooked. Second, they tend to run on old hardware and use low-bandwidth Internet channels and outdated operating systems. They seem simply unfit to run security solutions on top of their hardware resources.

We have to admit that in a way, WannaCry has helped the world by highlighting the first problem. And it’s true that protecting embedded systems with traditional antimalware solutions may not be the most effective approach. That is exactly why we developed Kaspersky Embedded Systems Security specifically for a broad range of embedded systems. It’s less resource-intensive than a desktop security solution, but it prevents infection by employing a number of desktop-class security features.

In the case of a cryptomalware attack (including WannaCry), the solution works as follows:

  • Default Deny mode is the core technology of the product. It precludes execution of any code, including scripts, if they haven’t been whitelisted. So even if cryptomalware has been able to penetrate a system, for example, by hiding in a legitimate software package, it won’t be able to execute itself.
  • The Process Memory Protection component analyzes the integrity of processes in memory and prevents attempts to exploit vulnerabilities both known and unknown.
  • Kaspersky Embedded Systems Security includes a centrally controlled firewall, which allows for quick disabling of the port used by a vulnerability once it is discovered.
  • Technology that controls USB devices when they are attached further enhances the solution. This prevents infection by an untrusted USB device, for example, something that may happen during maintenance.
  • The antimalware module, available as an option, cleans the system of any infected files.

According to our records, none of the devices protected by Kaspersky Embedded Systems Security has been affected by the WannaCry plague. This solution currently protects hundreds of thousands of embedded systems around the world, so it’s fair to say that it has passed this serious real-life test. Therefore, if your network infrastructure includes embedded systems running Windows Embedded, we strongly recommend trying our solution.

Go to Source
Author: Dmitry Zveginets

Powered by WPeMatico

Ignite 2017 Open Seats: Safe Networking

Ignite ’17 Security Conference is right around the corner. To get you ready for the premier security conference of the year, we’ll be spotlighting our top session each day on the blog. Register now, seats fill up quickly!

Safe Networking: Raising the Security Posture of the Service Provider Network to Protect Customers and Drive Security Revenues

Security is at the forefront for all public network operators. In this session we look at how the Service Provider can easily identify security events on their network. How they can protect their customers from these events. How they can build context from these events and use this information to drive their security business.


Register for Ignite ’17 Security Conference
Vancouver, BC June 12–15, 2017

Ignite ’17 Security Conference is a live, four-day conference designed for today’s security professionals. Hear from innovators and experts, gain real-world skills through hands-on sessions and interactive workshops, and find out how breach prevention is changing the security industry. Visit the Ignite website for more information on tracks, workshops and marquee sessions.

The post Ignite 2017 Open Seats: Safe Networking appeared first on Palo Alto Networks Blog.

Go to Source
Author: Anna Lough

Powered by WPeMatico

Privacy Awareness Week: A primer

The Asia Pacific Privacy Authorities (APPA) began an initiative called Privacy Awareness Week, or PAW, with the purpose of educating users about current privacy issues and promoting the importance of keeping their personal information safe.

This remains the core of why it exists for more than a decade now.

For those who may not be familiar with what this campaign is all about, this post aims to answer the questions you may have in mind about PAW.


When is Privacy Awareness Week?

APPA typically celebrates Privacy Awareness Week in May every year. Since the organization has a number of member countries, they each decide on when they want to hold the event locally.

In the first week of May, Singapore held its PAW locally. Hong Kong, New Zealand, and the United States held their own campaigns in the second week of May.

Australia is celebrating Privacy Awareness Week this week.

Are there other countries that will hold this event?

There are a total of 11 member countries comprising APPA. Aside from those already mentioned, Canada, Colombia, Korea, Macao, Mexico, and Peru are or will also be celebrating this campaign.

What’s the theme of this year’s Privacy Awareness Week?

There are two themes that APPA members are using: “Share with care” and “Trust and transparency”.

Share with care. This stresses on the importance of caring for your privacy, given that our current technological landscape is heavily data-driven. It also reminds users to think about what may or may not happen to their personal information once they have been shared.

Trust and transparency: Both trust and transparency are vital to each another, as people normally expect one to exist with the other. Case in point, it is important for businesses to gain the trust of their clients and it’s important for clients to know that the businesses they trust are clear about what they do, how they store, and how they use what they give them, which in this case is their personal information.

Can we celebrate Privacy Awareness Week even if our country is not a member of APPA?

Privacy Awareness Week is about educating users concerning privacy. There are ways individuals and organizations can celebrate PAW. One example is to use social media to raise awareness to your followers. Another is to do a refresher of your organization’s privacy policy. If they don’t have one, why not encourage your organization to make one?


Privacy and security go hand in hand. Practicing solid cybersecurity hygiene coupled with a fair familiarity of how personal data changes hands can bring about positive experiences to our digital lives. As such, we encourage you, dear Reader, to check out some of our previous posts and reacquaint yourselves on how you can keep your data safe and your computing devices secure:

Happy Privacy Security Week, everyone, wherever you are, and remember to share your personal info with care!

 

The Malwarebytes Labs Team

The post Privacy Awareness Week: A primer appeared first on Malwarebytes Labs.

Go to Source
Author: Malwarebytes Labs

Powered by WPeMatico

How to properly update Windows to protect your computer from WannaCry

By now, everyone has heard about the WannaCry ransomware attack. So far we have two posts about it: one with a general overview of what happened, and another with advice for businesses. But it’s become clear that not everyone understands how to patch the Windows vulnerability that is exploited by WannaCry, which allows it to travel from one PC to another. So here, we’ll explain what to do and where to find the necessary patches.

How to properly update Windows to protect your computer from WannaCry

1. Find out what version of Windows is running on your computer

First of all, it is important to note that the WannaCry can infect only devices on Windows. If your device runs on macOS, iOS, Android, Linux, or any other operating system, then the malware can’t harm those devices.

Yet, it does pose a serious threat to devices running Windows. But different Windows versions require different patches. So, before installing something, you have to figure out what version of Windows you are running.

To do this:

  • Press the Windows key + R on your keyboard;
  • In the “Run” box that appears on your screen, type winver and click “OK.”

A window showing your Windows version will open.

2. Install the MS17-010 update that patches the vulnerability in Windows

Done with finding out the version? Here are the links to the updates for all of the Windows versions for which it has been released. Note that if you aren’t sure if you use 32-bit or 64-bit version of Windows, you can simply download both patches — one of them will work for you; trying to run the wrong one will bring up an error box but will do no harm.

When you click on the corresponding link, your system will download an executable file with an MSU extension. This is the required update. Simply double-click on the file to run it and follow the instructions of the set-up wizard. After the installation is done, reboot your system. That’s it: The vulnerability will be closed, and WannaCry will not be able to find its way onto your computer that easily.

3. Scan your computer for viruses

It is possible that WannaCry crawled into your computer before you patched the vulnerability. So, just in case, run a virus scan.

If you do not have an antivirus, then you can download a free 30-day trial version of Kaspersky Internet Security. If you already have it, then take the following steps:

  • Make sure the System Watcher module is enabled. To do that, go into the security solution’s settings, select Protection, and ensure that System Watcher is turned on.
  • Run a quick virus scan on your computer. To do that, click Scan in your antivirus solution interface. Then select Quick scan and then Run scan.
  • If the antivirus detects something with Trojan.Win64.EquationDrug.gen in the name, delete the detected file and reboot your computer.

That’s it: You are now protected from WannaCry. Now it’s time to take care of your relatives and friends who do not know how to protect their devices.

Go to Source
Author: Marvin the Robot

Powered by WPeMatico

WannaCry ransomware: how it attacks and how to protect your business

Kaspersky Lab is teaming up with Comae Technologies to present an emergency webinar for businesses to help them understand and defend against the WannaCry ransomware. The malware has primarily affected business networks, and has claimed victims around the world in a wide range of industries.

Juan Andres Guerrero-Saade, senior security researcher in Kaspersky Lab’s Global Research and Analysis Team, will be joined by Matt Suiche from Comae Technologies to present the very latest information on how the ransomware breaches defenses and the subsequent stages of attack. They will independently explain how organizations can determine if they have been infected and the critical actions they need to take to secure networks and endpoints against this threat.

Go to Source
Author: Jeffrey Esposito

Powered by WPeMatico

Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3

Insikt Group

This is the first time researchers have been able to attribute a threat actor group with a high degree of confidence to the Ministry of State Security.

Key Takeaways

  • APT3 is the first threat actor group that has been attributed with a high degree of confidence directly to the Chinese Ministry of State Security (MSS).
  • On May 9, a mysterious group called “intrusiontruth” attributed APT3 to a company, Guangzhou Boyu Information Technology Company, based in Guangzhou, China.
  • Recorded Future’s open source research and analysis has corroborated the company, also known as Boyusec, is working on behalf of the Chinese Ministry of State Security.
  • Customers should re-examine any intrusion activity known or suspected to be APT3 and all activity from associated malware families as well as re-evaluate security controls and policies.

Introduction

On May 9, a mysterious group calling itself “intrusiontruth” identified a contractor for the Chinese Ministry of State Security (MSS) as the group behind the APT3 cyber intrusions.

Timeline of APT3 Victims

Recorded Future timeline of APT3 victims.

Blog Post by intrusiontruth in APT3

Screenshot of a blog post from “intrusiontruth in APT3.”

“Intrusiontruth” documented historic connections between domains used by an APT3 tool called Pirpi and two shareholders in a Chinese information security company named Guangzhou Boyu Information Technology Company, Ltd (also known as Boyusec).

Domain Registration Information

Registration information for a domain linked to the malware Pirpi. The details show the domain was registered to Dong Hao and Boyusec.

APT3 has traditionally targeted a wide-range of companies and technologies, likely to fulfill intelligence collection requirements on behalf of the MSS (see research below). Recorded Future has been closely following APT3 and has discovered additional information corroborating that the MSS is responsible for the intrusion activity conducted by the group.

Intel Card for APT3

Recorded Future Intel Card for APT3.

Background

APT3 (also known as UPS, Gothic Panda, and TG-011) is a sophisticated threat group that has been active since at least 2010. APT3 utilizes a broad range of tools and techniques including spearphishing attacks, zero-day exploits, and numerous unique and publicly available remote access tools (RAT). Victims of APT3 intrusions include companies in the defense, telecommunications, transportation, and advanced technology sectors — as well as government departments and bureaus in Hong Kong, the U.S., and several other countries.

Analysis

On Boyusec’s website, the company explicitly identifies two organizations that it cooperatively partners with, Huawei Technologies and the Guangdong Information Technology Security Evaluation Center (or Guangdong ITSEC).

Boyusec’s Website

Screenshot of Boyusec’s website where Huawei and Guangdong ITSEC are

identified as collaborative partners.

In November 2016, the Washington Free Beacon reported that a Pentagon internal intelligence report had exposed a product that Boyusec and Huawei were jointly producing. According to the Pentagon’s report, the two companies were working together to produce security products, likely containing a backdoor, that would allow Chinese intelligence “to capture data and control computer and telecommunications equipment.” The article quotes government officials and analysts stating that Boyusec and the MSS are “closely connected,” and that Boyusec appears to be a cover company for the MSS.

Huapu Square West Tower

Imagery ©2017 DigitalGlobe, Map data ©2017

Boyusec is located in Room 1103 of the Huapu Square West Tower in Guangzhou, China.

Boyusec’s work with its other “cooperative partner,” Guangdong ITSEC, has been less well-documented. As will be laid out below, Recorded Future’s research has concluded that Guangdong ITSEC is subordinate to an MSS-run organization called China Information Technology Evaluation Center (CNITSEC) and that Boyusec has been working with Guangdong ITSEC on a joint active defense lab since 2014.

Guangdong ITSEC is one in a nation-wide network of security evaluation centers certified and administered by CNITSEC. According to Chinese state-run media, Guangdong ITSEC became the sixteenth nationwide branch of CNITSEC in May 2011. Guangdong ITSEC’s site also lists itself as CNITSEC’s Guangdong Office on its header.

According to academic research published in China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain, CNITSEC is run by the MSS and houses much of the intelligence service’s technical cyber expertise. CNITSEC is used by the MSS to “conduct vulnerability testing and software reliability assessments.” Per a recent U.S. Congressional hearing, it is believed the MSS may also use vulnerabilities derived from CNITSEC’s activities in intelligence operations. CNITSEC’s Director, Wu Shizhong, even self-identifies as MSS, including for his work as a deputy head of China’s National Information Security Standards Committee as recently as January 2016.

Recorded Future research identified several job advertisements on Chinese-language job sites such as jobs.zhaopin.com, jobui.com, and kanzhun.com since 2015, Boyusec revealed a collaboratively established joint active defense lab (referred to as an ADUL) with Guangdong ITSEC in 2014. Boyusec stated that the mission of the joint lab was to develop risk-based security technology and to provide users with innovative network defense capabilities.

Job Posting

Job posting where Boyusec highlights the joint lab with Guangdong ITSEC. The translated text is, “In 2014, Guangzhou Boyu Information Technology Company and Guangdong ITSEC cooperated closely to establish a joint active defense lab (ADUL).”

Conclusion

The lifecycle of APT3 is emblematic of how the MSS conducts operations in both the human and cyber domains. According to scholars of Chinese intelligence, the MSS is composed of national, provincial, and local elements. Many of these elements, especially at the provincial and local levels, include organizations with valid public missions to act as a cover for MSS intelligence operations. Some of these organizations include think tanks such as CICIR, while others include provincial-level governments and local offices.

In the case of APT3 and Boyusec, this MSS operational concept serves as a model for understanding the cyber activity and lifecycle:

  • While Boyusec has a website, an online presence, and a stated “information security services” mission, it cites only two partners, Huawei and Guangdong ITSEC.
  • Intrusiontruth and the Washington Free Beacon have linked Boyusec to supporting and engaging in cyber activity on behalf of the Chinese intelligence services.
  • Recorded Future’s open source research has revealed that Boyusec’s other partner is a field office for a branch of the MSS. Boyusec and Guangdong ITSEC have been documented working collaboratively together since at least 2014.
  • Academic research spanning decades documents an MSS operational model that utilizes organizations, seemingly without an intelligence mission, at all levels of the state to serve as cover for MSS intelligence operations.
  • According to its website, Boyusec has only two collaborative partners, one of which (Huawei) it is working with to support Chinese intelligence services, the other, Guangdong ITSEC, which is actually a field site for a branch of the MSS.

MSS and APT3 Relationship

Graphic displaying the relationship between the MSS and APT3.

Impact

The implications are clear and expansive. Recorded Future’s research leads us to attribute APT3 to the Chinese Ministry of State Security and Boyusec with a high degree of confidence. Boyusec has a documented history of producing malicious technology and working with the Chinese intelligence services.

APT3 is the first threat actor group that has been attributed with a high degree of confidence directly to the MSS. Companies in sectors that have been victimized by APT3 now must adjust their strategies to defend against the resources and technology of the Chinese government. In this real-life David versus Goliath situation, customers need both smart security controls and policy, as well as actionable and strategic threat intelligence.

APT3 is not just another cyber threat group engaging in malicious cyber activity; research indicates that Boyusec is an asset of the MSS and their activities support China’s political, economic, diplomatic, and military goals.

The MSS derives intelligence collection requirements from state and party leadership, many of which are defined broadly every five years in official government directives called Five Year Plans. Many APT3 victims have fallen into sectors highlighted by the most recent Five Year Plan, including green/alternative energy, defense-related science and technology, biomedical, and aerospace.

The post Recorded Future Research Concludes Chinese Ministry of State Security Behind APT3 appeared first on Recorded Future.

     

Go to Source
Author: Insikt Group

Powered by WPeMatico