On – 15 May, 2017 By Sam Shead
The “accidental hero” who halted the global spread of an unprecedented ransomware attack by registering a garbled domain name hidden in the malware has warned the attack could be rebooted.
The ransomware used in Friday’s attack wreaked havoc on organisations including FedEx and Telefónica, as well as the UK’s National Health Service (NHS), where operations were cancelled, X-rays, test results and patient records became unavailable and phones did not work.
But the spread of the attack was brought to a sudden halt when one UK cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and inadvertently activated a “kill switch” in the malicious software.
The researcher, who identified himself only as MalwareTech, is a 22-year-old from south-west England who works for Kryptos Logic, an LA-based threat intelligence company.
“I was out having lunch with a friend and got back about 3pm and saw an influx of news articles about the NHS and various UK organisations being hit,” he told the Guardian. “I had a bit of a look into that and then I found a sample of the malware behind it, and saw that it was connecting out to a specific domain, which was not registered. So I picked it up not knowing what it did at the time.”
The kill switch was hardcoded into the malware in case the creator wanted to stop it spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading. The domain cost $10.69 and was immediately registering thousands of connections every second.
MalwareTech explained that he bought the domain because his company tracks botnets, and by registering these domains they can get an insight into how the botnet is spreading. “The intent was to just monitor the spread and see if we could do anything about it later on. But we actually stopped the spread just by registering the domain,” he said. But the following hours were an “emotional rollercoaster”.
“Initially someone had reported the wrong way round that we had caused the infection by registering the domain, so I had a mini freakout until I realised it was actually the other way around and we had stopped it,” he said.
MalwareTech said he preferred to stay anonymous “because it just doesn’t make sense to give out my personal information, obviously we’re working against bad guys and they’re not going to be happy about this.”
He also said he planned to hold onto the domain, and that he and colleagues were collecting the IP addresses that connect to it and sending them to law enforcement agencies so they can notify the infected victims, not all of whom are aware that they have been affected.
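The kill-switch mechanism described above, together with the sinkhole bookkeeping that registering the domain makes possible, as an added example. This is not code from the article, from MalwareTech or from the malware: the domain name, the lookup callback and the access-log lines are all constructed for the demonstration, and the lookup callback stands in for the malware's web request.

```python
"""Added example, not code from the article, from MalwareTech or from the
malware: a model of the kill-switch check described above and of the
sinkhole bookkeeping that follows from registering the domain. The domain,
the lookup callback and the log lines are constructed."""
import re
from collections import Counter
from typing import Callable, Dict, Iterable, Optional

# Stand-in for the long nonsensical domain; the real name is not reproduced here.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.example"


def should_spread(domain: str, lookup: Callable[[str], Optional[str]]) -> bool:
    """The kill-switch logic as the article describes it.

    The worm first asks for the domain. If the request succeeds (the domain is
    live) the switch has been thrown and the worm stays dormant; if it fails
    (unregistered, or any other error) the worm carries on spreading.
    `lookup` stands in for the malware's web request and returns an IP
    string or None; it is injected so the logic can be exercised offline."""
    try:
        return lookup(domain) is None
    except Exception:
        # Any error looks like "not registered" to the malware, so a
        # blocked or broken lookup does not stop the spread.
        return True


# Constructed sinkhole access-log lines, one per kill-switch request that
# reached the registered domain (not real data).
SAMPLE_SINKHOLE_LOG = """\
203.0.113.10 - - [12/May/2017:15:31:02 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
203.0.113.10 - - [12/May/2017:15:31:07 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
198.51.100.7 - - [12/May/2017:15:31:08 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
192.0.2.44 - - [12/May/2017:15:31:09 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
this line is not a log entry
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def infected_hosts(log_lines: Iterable[str]) -> Dict[str, int]:
    """Count kill-switch hits per source IP.

    Every distinct IP is a machine that ran the malware far enough to reach
    the check, and so is now dormant rather than clean: that is the list
    worth handing to law enforcement or the network owner. Lines that do not
    parse are skipped so one bad line cannot stop the report."""
    hits: Counter = Counter()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m:
            hits[m.group("ip")] += 1
    return dict(hits)


if __name__ == "__main__":
    # Before registration: the lookup fails, the worm spreads.
    print("spreads before registration:", should_spread(KILL_SWITCH_DOMAIN, lambda d: None))
    # After registration: the lookup succeeds, the worm stops.
    print("spreads after registration:", should_spread(KILL_SWITCH_DOMAIN, lambda d: "203.0.113.1"))
    for ip, n in infected_hosts(SAMPLE_SINKHOLE_LOG.splitlines()).items():
        print(f"{ip}: {n} hit(s)")
```

Two points the model makes visible: the check is fail-open, so anything that makes the request fail (including an unreachable resolver) lets the worm continue, and a hit in the sinkhole log means the machine executed the malware, so it should be treated as compromised even though the worm stopped there.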
He warned people to patch their systems, adding: “This is not over. The attackers will realise how we stopped it, they’ll change the code and then they’ll start again. Enable Windows Update, update and then reboot.”
He said he got his first job out of school without any real qualifications, having skipped university to start up a tech blog and write software.
“It’s always been a hobby to me, I’m self-taught. I ended up getting a job out of my first botnet tracker, which the company I now work for saw and contacted me about, asking if I wanted a job. I’ve been working there a year and two months now.”
But the dark knight of the dark web still lives at home with his parents, which he joked was “so stereotypical”. His mum, he said, was aware of what had happened and was excited, but his dad hadn’t been home yet. “I’m sure my mother will inform him,” he said.
“It’s not going to be a lifestyle change, it’s just a five-minutes of fame sort of thing. It is quite crazy, I’ve not been able to check into my Twitter feed all day because it’s just been going too fast to read. Every time I refresh it it’s another 99 notifications.”
Proofpoint’s Ryan Kalember said the British researcher gets “the accidental hero award of the day”. “They didn’t realise how much it probably slowed down the spread of this ransomware”.
The time that @malwaretechblog registered the domain was too late to help Europe and Asia, where many organisations were affected. But it gave people in the US more time to develop immunity to the attack by patching their systems before they were infected, said Kalember.
The kill switch won’t help anyone whose computer is already infected with the ransomware, and it’s possible that there are other variants of the malware with different kill switches that will continue to spread.
The exploit the malware uses to spread was made available online on 14 April through a dump by a group called Shadow Brokers, which claimed last year to have stolen a cache of “cyber weapons” from the National Security Agency (NSA).
Ransomware is a type of malware that encrypts a user’s data, then demands payment in exchange for unlocking the data. This attack used a piece of malicious software called “WanaCrypt0r 2.0” or WannaCry, that exploits a vulnerability in Windows. Microsoft released a patch (a software update that fixes the problem) for the flaw in March, but computers that have not installed the security update remain vulnerable.
The ransomware demands that users pay $300 worth of the cryptocurrency Bitcoin to retrieve their files, and warns that the “payment will be raised” after a certain amount of time. Translations of the ransom message in 28 languages are included. Unlike most ransomware, it does not rely on email to spread: it moves from machine to machine over the network by exploiting the Windows flaw that Microsoft patched in March, which is why unpatched systems reachable over the network were infected without any user interaction.
“This was eminently predictable in lots of ways,” said Kalember. “As soon as the Shadow Brokers dump came out everyone [in the security industry] realised that a lot of people wouldn’t be able to install a patch, especially if they used an operating system like Windows XP [which many NHS computers still use], for which there is no patch.”
Security researchers with Kaspersky Lab have recorded more than 45,000 attacks in 74 countries, including the UK, Russia, Ukraine, India, China, Italy, and Egypt. In Spain, major companies including telecommunications firm Telefónica were infected.
By Friday evening, the ransomware had spread to the United States and South America, though Europe and Russia remained the hardest hit, according to security researchers Malware Hunter Team. The Russian interior ministry says about 1,000 computers have been affected.
On – 13 May, 2017 By Nadia Khomami
A mirror download server for the popular HandBrake video-transcoding app has been compromised by hackers, who replaced its Mac edition with malware.
The first most Mac users will know about the security incident will be when they visit the app’s website, at https://handbrake.fr, and see a link to a “Security Alert”:
Anyone who has downloaded HandBrake on Mac between [02/May/2017 14:30 UTC] and [06/May/2017 11:00 UTC] needs to verify the SHA1 / 256 sum of the file before running it.
Anyone who has installed HandBrake for Mac needs to verify their system is not infected with a Trojan. You have a 50/50 chance if you’ve downloaded HandBrake during this period.
Up-to-date ESET security products detect the malicious download as OSX/Proton.A, a trojan horse that allows attackers to remotely access infected Macs, opening up opportunities for them to take screenshots, capture credit card details and passwords as they are typed, hijack the webcam, and steal files.
Concerned users of anti-virus products from other vendors would be wise to contact them directly to see if their Mac security solutions are detecting this latest variant of the Proton remote access trojan.
The sad truth, of course, is that Mac users are typically less likely to be running an anti-virus product than their Windows counterparts, making them a soft target for cybercriminals interested in the platform. In recent years take-up of Mac security solutions has risen as the threat has risen, but it still lags (as do the malware numbers for the platform) compared to Microsoft Windows users.
Yes, there’s a lot less malware for Mac OS X than there is for Microsoft Windows, but that’s going to be little consolation if you’re unfortunate enough to find yourself a victim. Personally I think any Mac users connecting to the internet without an anti-virus solution in place is being downright foolhardy.
One long-term user of HandBrake described on the MacRumors forum just how close he came to having his credentials compromised by the malware:
Handbrake is an excellent program that has served me well over the years and I have great respect for the developers. Security slip-ups can happen to anyone and I’m sure they will take the necessary measures to improve this for future.
That said, I’m posting because I nearly got caught by this. I downloaded Handbrake last week and was surprised to see a dialog on launch asking me to enter my password to “install additional codecs”. As a longtime Handbrake user I was certain that this was *not* normal, so I declined. Shortly afterward I was shown another dialog, independent from Handbrake, purporting to be from the system “Network Configuration” which needed my password to “update DHCP settings”. As this was also something I was unfamiliar with, I again declined, but the dialog immediately reappeared upon clicking cancel and I had to restart the computer to make it go away. So yeah, if you see any suspicious password dialogs, do NOT enter your password.
HandBrake advises users to check the SHA checksum when they download new versions of the app from its mirror site, but it’s hard to imagine that many people ever bother to do such a thing. Most are, no doubt, in too much of a hurry ripping DVDs and converting video files to bother with such dull and tedious security checks.
Checking checksums may be a chore, but in all likelihood it would have saved the bacon of some of the app’s downloaders in the last few days.
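What that check looks like in practice, as an added example (not HandBrake's own tooling): the downloaded image's SHA-256 is compared against the value the project publishes and against a list of digests known to belong to the trojanised builds. The sample bytes and the digest lists here are constructed; real values come from the project's download page and its security alert.

```python
"""Added example, not HandBrake's own tooling: checking a downloaded
installer's SHA-256 against the value the project publishes, and against a
list of digests known to belong to trojanised builds. The sample bytes and
the digest lists are constructed; real values come from the project's
download page and its security alert."""
import hashlib
import hmac
import sys
from typing import Iterable


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory blob, as lower-case hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file on disk, read in chunks so a large .dmg is not
    loaded into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_download(digest: str, published: str, known_bad: Iterable[str]) -> str:
    """Return 'known-bad', 'ok' or 'mismatch'.

    Digests are normalised to lower case because download pages and tools
    disagree on case. The comparison uses compare_digest; timing is not the
    concern here, but it also refuses to match values of different length,
    so a truncated copy-paste of the published hash cannot pass."""
    digest = digest.strip().lower()
    published = published.strip().lower()
    bad = {b.strip().lower() for b in known_bad}
    if digest in bad:
        return "known-bad"
    if hmac.compare_digest(digest, published):
        return "ok"
    return "mismatch"


# Constructed stand-ins for a clean image and a tampered one.
CLEAN_IMAGE = b"hello\n"
TAMPERED_IMAGE = b"hello\ntrojan\n"

if __name__ == "__main__":
    # Usage: python verify.py HandBrake.dmg <published sha256> [known-bad sha256 ...]
    path, published, *bad = sys.argv[1:]
    print(classify_download(sha256_file(path), published, bad))
```

The known-bad list is consulted first: a file whose digest matches a published bad hash is reported as such even if someone has also pasted that hash into the "expected" field by mistake, and a "mismatch" result is a reason not to run the file, not a reason to re-download from the same mirror and try again.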
HandBrake.dmg files with the following checksums are infected:
Author Graham Cluley, We Live Security
On – 08 May, 2017 By Graham Cluley
Microsoft’s own antivirus software made Windows 7, 8.1, RT and 10 computers, as well as Windows Server 2016, more vulnerable.
Security researcher Tavis Ormandy announced on Twitter during the weekend that he and fellow Project Zero researcher Natalie Silvanovich had discovered “the worst Windows remote code [execution vulnerability] in recent memory.”
Natalie Silvanovich also published a proof-of-concept (PoC) exploit that fits in a single tweet.
The reported RCE vulnerability, according to the duo, could work against default installations with “wormable” ability – capability to replicate itself on an infected computer and then spread to other PCs automatically.
According to an advisory released by Microsoft, the remotely exploitable flaw (CVE-2017-0290) exists in the Microsoft Malware Protection Engine (MMPE), the company’s own antivirus engine, and could be used to fully compromise Windows PCs without any user interaction.
In effect, every Microsoft anti-malware product that ships with the Malware Protection Engine is vulnerable to this flaw. The affected software includes the following.
Microsoft’s Defender security software comes enabled by default on Windows 7, 8.1, RT 8.1, and Windows 10, as well as Windows Server 2016. All are at risk of full remote system compromise.
The flaw resides in the way the Microsoft Malware Protection Engine scans files: an attacker can craft a malicious file that causes memory corruption on the targeted system when it is scanned.
Since antivirus programs have real-time scanning functionality enabled by default that automatically scans files when they are created, opened, copied or downloaded, the exploit gets triggered as soon as the malicious file is downloaded, infecting the target computer.
The vulnerability could be exploited by hackers in several ways, like sending emails, luring victims to sites that deliver malicious files, and instant messaging.
“On workstations, attackers can access mpengine by sending emails to users (reading the email or opening attachments is not necessary), visiting links in a web browser, instant messaging and so on,” researchers explained.
“This level of accessibility is possible because MsMpEng uses a filesystem minifilter to intercept and inspect all system filesystem activity, so writing controlled contents to anywhere on disk (e.g. caches, temporary internet files, downloads (even unconfirmed downloads), attachments, etc.) is enough to access functionality in mpengine.”
Because the scanning service runs as LocalSystem, a payload that exploits the flaw runs with those privileges, giving an attacker full control of the target system: installing spyware, stealing sensitive files and login credentials, and much more.
Microsoft responded quickly and shipped a patch within just three days, which is impressive. The patch is now available via Windows Update for Windows 7, 8.1, RT and 10.
The vulnerable version of Microsoft Malware Protection Engine (MMPE) is 1.1.13701.0, and the patched version is 1.1.13704.0.
By default, Windows installs new definitions and engine updates automatically, so most systems will pick up the emergency update within a day or two; to get it at once, open Windows Defender’s settings and check for updates manually.
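A fleet-side check for this engine update, as an added example (not Microsoft's tooling). The two version numbers are the ones the article gives; the inventory export is constructed. On a real Windows host the engine version can be read with the PowerShell cmdlet Get-MpComputerStatus (its AMEngineVersion field); the point of the example is that the comparison has to be numeric, because the engine's build numbers do not sort correctly as text.

```python
"""Added example (not Microsoft's tooling): deciding whether a reported
Malware Protection Engine version still carries CVE-2017-0290, and listing
the hosts in an inventory that need the engine update. The two version
numbers are the ones given in the article; the inventory lines are
constructed."""
import csv
import io
from typing import Dict, Tuple

LAST_VULNERABLE = "1.1.13701.0"   # last engine build with the bug (per the article)
FIRST_FIXED = "1.1.13704.0"       # first engine build with the fix (per the article)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.1.13701.0' into (1, 1, 13701, 0).

    Comparing the strings directly would be wrong: as text,
    '1.1.9999.0' sorts after '1.1.13704.0', so a badly out-of-date
    engine would be reported as fixed."""
    return tuple(int(part) for part in version.strip().split("."))


def engine_is_vulnerable(engine_version: str) -> bool:
    """True when the engine predates the fixed build."""
    return parse_version(engine_version) < parse_version(FIRST_FIXED)


# Constructed inventory export: hostname and the engine version it reported.
SAMPLE_INVENTORY = """\
host,engine
ws-001,1.1.13701.0
ws-002,1.1.13704.0
srv-dc1,1.1.13601.0
ws-003,1.1.13804.0
"""


def hosts_needing_update(inventory_csv: str) -> Dict[str, str]:
    """Map each host on a vulnerable engine to the version it reported.

    Rows whose version does not parse are reported too: an unknown engine
    state should be chased up, not silently treated as patched."""
    needs: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = row["engine"].strip()
        try:
            vulnerable = engine_is_vulnerable(version)
        except ValueError:
            vulnerable = True
        if vulnerable:
            needs[row["host"]] = version
    return needs


if __name__ == "__main__":
    for host, version in hosts_needing_update(SAMPLE_INVENTORY).items():
        print(f"{host}: engine {version} needs update to >= {FIRST_FIXED}")
```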
On – 09 May, 2017 By Mohit Kumar
He inadvertently halted the global spread of the international ransomware attack and will donate thousands of pounds of his reward money to charity, but Marcus Hutchins, the security expert labelled the “accidental hero”, has said his “five minutes of fame” have been “horrible”.
Hutchins, 22, was propelled into the media spotlight when he activated a “kill switch” in the malicious software that wreaked havoc on organisations including the UK’s National Health Service earlier this month. He originally told the Guardian how he spotted the URL not knowing what it would do at the time, and spoke under his alias of MalwareTech because he did not want to be identified.
But within two days Hutchins, who operates out of an English coastal town, tweeted that he had woken up to discover that his picture was on the front page of a newspaper and since then has become the centre of a media storm. At first the blogger saw the funny side of having to climb over his back wall to avoid reporters camped outside his house, but now, he says, the situation has escalated to the point that he feels the British tabloids have put his life in danger.
Writing of his experiences on Twitter, he also said the press had doxxed a friend of his, which involves searching for and publishing private or identifying information about a particular individual on the internet, typically with malicious intent.
In a tweet that has since been deleted Hutchins wrote: “One of the largest UK newspapers published a picture of my house, full address, and directions to get there … now I have to move.” He later implored his supporters not to doxx journalists in revenge and reiterated that he had not sought fame.
Hutchins got his first job straight after school without any serious qualifications thanks to his tech blog and skill at writing software, which he said has always been a hobby. He works remotely for Kryptos Logic, an LA-based threat intelligence company, which was impressed by his work and got in touch to offer him a job a little over a year ago.
Last week, he revealed that he had been awarded a bounty by HackerOne, a group that rewards ethical hackers for finding software flaws, and that he would divide the money between charities and educational resources for IT security students.
Offering the reward, HackerOne said: “Thank you for your active research into this malware and for making the internet safer!”
On Sunday, Hutchins said he had so far decided on four charities: Doctors Without Borders, Great Ormond Street, Charity: Water, and Hackers For Charity.
Ransomware is a type of malware that encrypts a user’s data, then demands payment in exchange for unlocking the data. This attack used a piece of malicious software called WannaCry, which exploits a vulnerability in Windows.
Microsoft released a patch (a software update that fixes the problem) for the flaw in March, but computers that have not installed the security update remain vulnerable.
Hutchins previously warned that the attack could return in a new form and advised people to patch their systems. “This is not over,” he said. “The attackers will realise how we stopped it, they’ll change the code and then they’ll start again.”
On – 22 May, 2017 By Nadia Khomami
WordPress, the most popular CMS in the world, has a logic flaw that could let a remote attacker reset a targeted user’s password under certain circumstances.
The vulnerability (CVE-2017-8295) is all the more serious because it affects every version of WordPress, including the latest, 4.7.4.
The flaw was found by Polish security researcher Dawid Golunski of Legal Hackers in July last year and reported to the WordPress security team, which had not shipped a fix by the time he went public, leaving millions of websites exposed.
“This issue has been reported to WordPress security team multiple times with the first report sent back in July 2016. It was reported both directly via security contact email, as well as via HackerOne website,” Golunski wrote in an advisory published today. “As there has been no progress, in this case, this advisory is finally released to the public without an official patch.”
Golunski is the same researcher who discovered a critical vulnerability in the popular open source PHPMailer libraries that allowed malicious actors to remotely execute arbitrary code in the context of the web server and compromise the target web application.
The vulnerability lies in how WordPress builds the password reset email for the account the reset was requested for.
When a user asks to reset a password through the “forgot password” option, WordPress generates a unique secret reset code and emails it to the address stored for that account in the database.
While sending this email, WordPress uses a variable called SERVER_NAME to obtain the hostname of a server to set values of the From/Return-Path fields.
Here, “From” refers to the email address of the sender and “Return-Path” refers to the email address where ‘bounce-back’ emails should be delivered in the case of failure in the delivery for some reason.
According to Golunski, an attacker can send an HTTP request whose Host header carries a hostname of their choosing (for example attacker-mxserver.com) while initiating the password reset for a targeted admin user.
Because the hostname in that request is an attacker-controlled domain, the From and Return-Path fields of the password reset email are built from it, so they carry an address at attacker-mxserver.com instead of one at the site’s real domain.
“Because of the modified HOST header, the SERVER_NAME will be set to the hostname of attacker’s choice. As a result, WordPress will pass the following headers and email body to the /usr/bin/sendmail wrapper,” Golunski says.
Don’t get confused here: the password reset email is still delivered only to the victim’s address, but because From and Return-Path now point at the attacker’s domain, the attacker can also end up receiving the reset code in the following scenarios:
“The CVE-2017-8295 attack could potentially be carried out both with user interaction (the user hitting the ‘reply’ button scenario), or without user interaction (spam victim’s mailbox to exceed their storage quota),” Golunski told The Hacker News in an email.
This is not a reliable attack, but in targeted operations a patient attacker can make it work.
Successful exploitation also depends on the server configuration: even where the vulnerable WordPress code path is present, not every web server lets a request’s Host header control SERVER_NAME, and WordPress sites on some shared hosting setups may not be reachable this way.
“SERVER_NAME server header can be manipulated on default configurations of Apache Web server (most common WordPress deployment) via HOST header of an HTTP request,” Golunski says.
Since the vulnerability has now been publicly disclosed with no patch available from the WordPress project, administrators are advised to change their server configuration so that SERVER_NAME is fixed rather than derived from the request: on Apache, set UseCanonicalName On together with an explicit ServerName.
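The mechanism and the fix side by side, as an added example. This is not WordPress or Apache code: server_name() is a model of how Apache picks SERVER_NAME under UseCanonicalName Off versus On, and reset_mail_headers() models WordPress's default sender address of the form wordpress@<hostname>. The hostnames, headers and mailbox addresses are constructed.

```python
"""Added example, not WordPress or Apache code: a model of how the password
reset email's sender domain ends up under attacker control in the flaw
described above, and of the server-side fix the article recommends.
server_name() models Apache's SERVER_NAME selection; reset_mail_headers()
models WordPress's default sender of the form wordpress@<hostname>. All
hostnames, headers and addresses are constructed."""
from typing import Dict


def server_name(request_headers: Dict[str, str],
                configured_server_name: str,
                use_canonical_name: bool) -> str:
    """With UseCanonicalName Off (Apache's default) the client-supplied Host
    header is used as SERVER_NAME whenever one is present. With
    UseCanonicalName On the configured ServerName is used regardless of
    what the client sent."""
    host = request_headers.get("Host", "").strip()
    if use_canonical_name or not host:
        return configured_server_name.lower()
    return host.split(":", 1)[0].lower()   # drop any :port suffix


def reset_mail_headers(request_headers: Dict[str, str],
                       configured_server_name: str,
                       use_canonical_name: bool,
                       account_email: str) -> Dict[str, str]:
    """Headers of the reset email. The recipient is always the address stored
    for the account; only the sender domain is derived from SERVER_NAME,
    which is exactly the part an attacker can influence."""
    name = server_name(request_headers, configured_server_name, use_canonical_name)
    if name.startswith("www."):
        name = name[4:]
    sender = f"wordpress@{name}"
    return {"To": account_email, "From": sender, "Return-Path": sender}


def reset_sender_is_foreign(headers: Dict[str, str], site_domain: str) -> bool:
    """Detection-side check for the mail gateway or log review: an outgoing
    reset email whose sender domain is not the site's own is the symptom of
    the attack."""
    return not headers["From"].lower().endswith("@" + site_domain.lower())


if __name__ == "__main__":
    attacker_request = {"Host": "attacker-mxserver.com"}
    victim = "admin@victim-site.example"
    # Vulnerable configuration: the attacker's Host header becomes the sender domain.
    print(reset_mail_headers(attacker_request, "victim-site.example", False, victim))
    # Hardened configuration: the configured ServerName wins.
    print(reset_mail_headers(attacker_request, "victim-site.example", True, victim))
```

The model also shows why the fix has to live in the web server: the application never sees anything but SERVER_NAME, and in the vulnerable configuration that value is just the Host header echoed back.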
On – 04 May, 2017 By Mohit Kumar