[–] Devious1 ago 

I'm very surprised that the cash card ATM machines haven't been hit. After all, most of them are Windows XP. Then again, on the cash card ATM network there aren't many people opening malware-infested emails....

Monday's going to be fun.

[–] remola 0 points 2 points (+2|-0) ago 

To all those interested, I work in the industry and we've been busy with putting blocks in place at clients the whole day.

https://kc.mcafee.com/corporate/index?page=content&id=KB89335&elqTrackId=080d6d6426f34a2fb9b7fae0ca16d59a&elq=8c49aa9c79c04309921897488b0e731a&elqaid=7257&elqat=1&elqCampaignId=4054

The campaign sends an e-mail to users with an attached PDF document that contains an embedded DOCM file with a malicious macro script. Once clicked on, the script will download and execute the Jaff ransomware. The ransomware targets 423 file extensions and is capable of offline encryption without dependency on a command and control server. Once a file is encrypted, the '.jaff' file extension is appended.

https://arstechnica.com/security/2017/05/an-nsa-derived-ransomware-worm-is-shutting-down-computers-worldwide/

https://www.alienvault.com/blogs/labs-research/ongoing-wannacry-ransomware-spreading-through-smb-vulnerability?utm_medium

https://intel.malwaretech.com/botnet/wcrypt

Summary: As you may be aware, there is a widespread global outbreak of a new variant of ransomware today, known as WannaCry. Whilst this would normally be unremarkable, this variant of ransomware is reported to be spreading via the SMB protocol and is believed to be using the MS17-010 vulnerability that was linked with the Shadow Brokers exploit EternalBlue. This exploit enables RCE by sending a specially crafted message to devices using SMB; the full Microsoft advisory is available here: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx. The importance of this delivery method is that it enables the attackers to compromise a single machine on a network and then laterally deploy large amounts of ransomware within that estate, using a P2P infrastructure that can have a large damaging impact on a corporate network. The Countercept team are still analysing the malware seen; however, initial indicators do suggest that the malware uses SMB to propagate.

What can be confirmed at this stage is that there is a large outbreak of ransomware that is spreading at a rapid rate globally and also seems to be able to spread internally within a network once the first host is compromised. The new variant of malware is known as WannaCry 2.0 and encrypts files with the .wncry extension.

https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack?CMP=Share_iOSApp_Other

WannaCry Ransomware

Since 12th Apr 2017, a ransomware exploiting MS17-010 has been wreaking havoc worldwide. Precautions to be taken:

1 - Patch Management: Ensure all workstations and servers have the latest Microsoft patches, especially the ones related to MS17-010.

2 - Antivirus: Ensure AV signatures are updated on all assets. Identify critical assets and target them first. Block IOCs on the AV solution. Get the details with regards to the name of the malware and verify if this malware has been detected in the logs for the last 1 week.

3 - IPS: Ensure IPS signatures are updated. Verify that the signature that can detect this vulnerability / exploit attempt is enabled and is in blocking mode. Get the details with regards to the name of the signature and verify if this signature has been detected in the logs for the last 1 week.

4 - eMail Gateway: Ensure eMail gateway solutions have all relevant updates for detecting possible mails that may bring the Trojan into the environment.

5 - Proxy: Ensure the proxy solution has an updated database. Block IOCs for IP addresses and domain names on the proxy. Verify the last one week of logs for the IOCs on the proxy and take action on sources of infection.

6 - Firewall: Block the IP addresses on the perimeter firewall. Verify logs for the last one week.

7 - Anti-APT Solutions (FireEye, Trend Micro): Ensure signatures are up to date. Check for possible internal sources of infection and take action.

8 - SIEM: Check logs to verify if any of the IOCs have been detected in the 1 week of logs.

Some additional recommendations we have implemented and communicated to some clients in Mexico are:

- Traffic filtering to the SMBv1 and v1 Ransomware
- Recollect known IOCs and implement them in the perimeter security devices and intrusion prevention devices (internal and external)
- Block IOCs associated with the known file hashes identified as malicious related with the ransomware: https://otx.alienvault.com/pulse/5916115b0d3cde73f7669850/
- Add block policies to the firewall for known IP addresses related to infection:

154.35.175.225
171.25.193.78
178.162.194.210
192.99.212.139
195.154.165.112
91.219.236.222
188.166.23.127
193.23.244.244
2.3.69.209
146.0.32.144
50.7.161.218
192.42.113.102
83.169.6.12
158.69.92.127
86.59.21.38
62.138.7.171
51.255.203.235
51.15.36.164
217.79.179.177
128.31.0.39
213.61.66.116
212.47.232.237
81.30.158.223
79.172.193.32
163.172.149.155
167.114.35.28
176.9.39.218
193.11.114.43
199.254.238.52
89.40.71.149

Additional IP addresses can be found in: https://otx.alienvault.com/pulse/591608484da25870a4eaf2f6/

- Enable IPS signatures related with the ransomware (depends on the actual provider).

I love this stuff. But as interesting as you can get.
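The checklist in the post above boils down to two log questions: has any host talked to one of the listed IOC addresses, and is any internal host fanning out over SMB (TCP 445) the way a worm propagating via MS17-010 would. The script below is an added example, not code from the poster or from any of the linked vendors. It loads the IP list exactly as posted (deduplicating the repeated entries), parses a constructed firewall log in a hypothetical key=value format (no real product writes exactly this), reports IOC matches, and flags sources that hit many distinct destinations on port 445. The log lines, the format, and the fan-out threshold of 5 are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# IOC IP list as posted in the comment above; duplicates are removed on load.
IOC_IPS_RAW = [
    "154.35.175.225", "171.25.193.78", "178.162.194.210", "192.99.212.139",
    "195.154.165.112", "154.35.175.225", "171.25.193.78", "178.162.194.210",
    "192.99.212.139", "195.154.165.112", "91.219.236.222", "188.166.23.127",
    "193.23.244.244", "2.3.69.209", "146.0.32.144", "50.7.161.218",
    "192.42.113.102", "83.169.6.12", "158.69.92.127", "86.59.21.38",
    "62.138.7.171", "51.255.203.235", "51.15.36.164", "217.79.179.177",
    "128.31.0.39", "213.61.66.116", "212.47.232.237", "81.30.158.223",
    "79.172.193.32", "163.172.149.155", "167.114.35.28", "176.9.39.218",
    "192.42.113.102", "193.11.114.43", "199.254.238.52", "89.40.71.149",
]


def dedupe(ips):
    """Return the list with duplicates removed, first occurrence kept."""
    seen, out = set(), []
    for ip in ips:
        if ip not in seen:
            seen.add(ip)
            out.append(ip)
    return out


IOC_IPS = frozenset(dedupe(IOC_IPS_RAW))

# Constructed sample log (hypothetical key=value format, not from any real firewall).
# 10.1.4.22 contacts an IOC address and then sweeps five neighbours on 445;
# 10.1.9.3 is blocked reaching another IOC address; 10.1.7.9 is normal SMB use.
SAMPLE_LOG = """\
2017-05-12T09:58:01Z src=10.1.4.22 dst=93.184.216.34 dport=443 action=allow
2017-05-12T10:01:17Z src=10.1.4.22 dst=154.35.175.225 dport=9001 action=allow
2017-05-12T10:01:18Z src=10.1.4.22 dst=10.1.4.1 dport=445 action=allow
2017-05-12T10:01:18Z src=10.1.4.22 dst=10.1.4.2 dport=445 action=allow
2017-05-12T10:01:19Z src=10.1.4.22 dst=10.1.4.3 dport=445 action=allow
2017-05-12T10:01:19Z src=10.1.4.22 dst=10.1.4.4 dport=445 action=allow
2017-05-12T10:01:20Z src=10.1.4.22 dst=10.1.4.5 dport=445 action=allow
2017-05-12T10:02:40Z src=10.1.7.9 dst=10.1.7.10 dport=445 action=allow
2017-05-12T10:05:02Z src=10.1.9.3 dst=193.11.114.43 dport=443 action=deny
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_log(text):
    """Parse the assumed key=value log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # silently skip lines that do not match the assumed format
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events


def ioc_hits(events, iocs=IOC_IPS):
    """Events whose source or destination is a listed IOC address.
    Denied connections are reported too: a blocked attempt still names an
    infected internal host that needs cleanup."""
    return [(e["ts"], e["src"], e["dst"], e["action"])
            for e in events if e["dst"] in iocs or e["src"] in iocs]


def smb_fanout(events, threshold=5):
    """Sources that reached >= threshold distinct destinations on TCP 445,
    the pattern of a host scanning its subnet for SMB targets."""
    targets = defaultdict(set)
    for e in events:
        if e["dport"] == 445:
            targets[e["src"]].add(e["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("unique IOC IPs:", len(IOC_IPS))
    for hit in ioc_hits(evs):
        print("IOC hit:", hit)
    for src, dsts in smb_fanout(evs).items():
        print("SMB fan-out from", src, "->", dsts)
```

Feed it a real export by replacing `SAMPLE_LOG` with the firewall's own format and adjusting `LINE_RE`; the threshold should be tuned against a week of baseline traffic so that file servers and backup jobs that legitimately touch many hosts on 445 do not drown the alert.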