Monthly Archives: December 2017

WannaCry ransomware: Now the US says North Korea was to blame

North Korea was behind the WannaCry ransomware attack that caused chaos around the world earlier this year, according to the US government.

“After careful investigation, the U.S. today publicly attributes the massive WannaCry cyberattack to North Korea,” Thomas Bossert, US homeland security adviser, wrote in an article for the Wall Street Journal.

“North Korea has acted especially badly, largely unchecked, for more than a decade, and its malicious behaviour is growing more egregious. WannaCry was indiscriminately reckless,” Bossert said.

The WannaCry attack in May was the biggest crisis of its type so far. The ransomware demanded $300 in bitcoin to unlock encrypted files, a price that doubled after three days. If the ransom wasn’t paid, victims were threatened with having their files permanently deleted.

The malware spread rapidly, and more than 300,000 PCs fell victim.

“It was costly, cowardly and careless. The attack was widespread and cost billions, and North Korea is directly responsible,” said Bossert. The US administration is also expected to make an official statement about WannaCry.

The NHS in the UK was particularly affected. In total, one-third of NHS trusts in England were disrupted by the WannaCry attack, with 81 of the 236 trusts impacted and 595 GP practices also hit, resulting in thousands of operations and appointments being cancelled. None paid the ransom demanded by those behind WannaCry.

The ransomware worm spread so effectively because it carried an exploit, known as EternalBlue, for a known flaw in Microsoft’s SMBv1 implementation. In a twist worthy of a spy novel, this Windows flaw was one of many vulnerabilities apparently known to the NSA, which built the exploit before it was leaked by the Shadow Brokers hacking collective in April. Microsoft had patched the flaw in March (MS17-010), two months before WannaCry hit, but many organisations had not applied the update. The other practical defences, then and now, are disabling SMBv1 and blocking TCP port 445 at the network perimeter so the worm cannot reach unpatched hosts.

This is not the first time that North Korea has been linked with the WannaCry attack: as early as June this year the UK’s intelligence agencies were investigating a potential link to the North Korean hacking operation known as the Lazarus Group, which has been associated with a number of high-profile cyberattacks in recent years, including the $81m Bangladesh Bank heist and the 2014 Sony Pictures hack. In October a UK government minister also said that North Korea was behind the attack.

So while the accusations are not new, the US statement comes at a time of rising tensions as the White House tries to put more pressure on North Korea over its nuclear programme.

Figuring out what motivated the WannaCry attack in the first place may be even more difficult. In January this year, US intelligence chiefs warned that Pyongyang “remains capable of launching disruptive or destructive cyber attacks to support its political objectives”.

However, it is also possible that North Korea is using its hackers to raise cash. Bossert noted that the country is “increasingly using cyberattacks to fund its reckless behaviour and cause disruption across the world”.

If WannaCry was an attempt to generate income for Pyongyang it hasn’t been particularly successful, especially considering the chaos it caused. While the attack cost organisations billions, it didn’t generate much ransom, perhaps as little as $200,000.

And yet, even as recently as last week someone paid a ransom. While the worst of the WannaCry storm has passed, its effects will be felt for some time to come.

net-creds – Sniff Passwords From Interface or PCAP File

net-creds is a Python-based tool for sniffing plaintext passwords and hashes from a network interface or a PCAP file. It identifies services by inspecting payload content rather than relying on port numbers, and it reassembles fragmented packets before parsing them. Like any passive sniffer, it only sees what is unencrypted on the wire: the items below are recovered from plaintext protocols, or from challenge-response exchanges such as NTLM whose hashes can be cracked offline, and it needs a vantage point that actually sees the traffic (a mirror/SPAN port, a man-in-the-middle position, or the host’s own interface in promiscuous mode).


Features of net-creds for Sniffing Passwords

It can sniff the following directly from a network interface or from a PCAP file:

  • URLs visited
  • POST loads sent
  • HTTP form logins/passwords
  • HTTP basic auth logins/passwords
  • HTTP searches
  • FTP logins/passwords
  • IRC logins/passwords
  • POP logins/passwords
  • IMAP logins/passwords
  • Telnet logins/passwords
  • SMTP logins/passwords
  • SNMP community string
  • NTLMv1/v2 hashes from any protocol that carries them: HTTP, SMB, LDAP, etc.
  • Kerberos
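As an added example (not net-creds’ own code), the following stdlib-only Python script shows the two ideas the tool is built on: identifying a protocol by what its payload looks like instead of by port number, and reassembling fragmented TCP segments before parsing them. It walks a classic libpcap file, stitches each flow’s segments together in sequence order, and pulls FTP, IMAP, HTTP Basic and HTTP form credentials out of the resulting streams. The capture it parses is constructed inline from hypothetical hosts on deliberately non-standard ports; nothing in it comes from a real network.

```python
"""Content-based credential extraction from a pcap, in the spirit of net-creds.

Added example, not code from net-creds itself. Stdlib only: parses a classic
libpcap file, reassembles TCP payloads per flow, and identifies protocols by
payload content rather than port. The capture is constructed inline.
"""
import base64
import re
import struct
from collections import defaultdict
from urllib.parse import parse_qs

PCAP_MAGIC = 0xA1B2C3D4


def iter_pcap_packets(data):
    """Yield raw link-layer frames from a classic pcap buffer (24-byte global header)."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (flow_key, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    return (src, sport, dst, dport), seq, tcp[data_off:]


def reassemble(frames):
    """Concatenate each flow's segments in sequence order (handles fragmented, out-of-order data)."""
    flows = defaultdict(list)
    for frame in frames:
        parsed = parse_tcp(frame)
        if parsed and parsed[2]:
            flows[parsed[0]].append((parsed[1], parsed[2]))
    return {key: b"".join(p for _, p in sorted(segs)) for key, segs in flows.items()}


# Content signatures: no port numbers anywhere in the identification logic.
FTP_RE = re.compile(rb"^USER (\S+)\r\n.*?^PASS (\S+)\r\n", re.S | re.M)
IMAP_RE = re.compile(rb"^\S+ LOGIN (\S+) (\S+)\r\n", re.M)
BASIC_RE = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)", re.M)
USER_KEYS = ("username", "user", "login", "email")
PASS_KEYS = ("password", "pass", "passwd")


def extract_credentials(stream):
    """Identify protocols by content and return (protocol, user, password) tuples."""
    creds = []
    for m in FTP_RE.finditer(stream):
        creds.append(("FTP", m.group(1).decode(), m.group(2).decode()))
    for m in IMAP_RE.finditer(stream):
        creds.append(("IMAP", m.group(1).strip(b'"').decode(), m.group(2).strip(b'"').decode()))
    for m in BASIC_RE.finditer(stream):
        user, _, pw = base64.b64decode(m.group(1)).decode(errors="replace").partition(":")
        creds.append(("HTTP-Basic", user, pw))
    if stream.startswith(b"POST ") and b"application/x-www-form-urlencoded" in stream:
        _, sep, raw_body = stream.partition(b"\r\n\r\n")
        body = parse_qs(raw_body.decode(errors="replace")) if sep else {}
        user = next((body[k][0] for k in USER_KEYS if k in body), None)
        pw = next((body[k][0] for k in PASS_KEYS if k in body), None)
        if user and pw:
            creds.append(("HTTP-Form", user, pw))
    return creds


def sniff_pcap(data):
    """pcap bytes -> list of (protocol, 'src:sport -> dst:dport', user, password)."""
    results = []
    for (src, sport, dst, dport), stream in reassemble(iter_pcap_packets(data)).items():
        for proto, user, pw in extract_credentials(stream):
            results.append((proto, f"{src}:{sport} -> {dst}:{dport}", user, pw))
    return results


# --- constructed sample capture: hypothetical hosts, non-standard ports on purpose ---
def make_frame(src, sport, dst, dport, seq, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip


def make_pcap(frames):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1512345600 + i, 0, len(f), len(f)) + f
    return out


def sample_pcap():
    form = b"username=carol&password=pw%21x"
    return make_pcap([
        # FTP on port 2121, split mid-username and delivered out of order
        make_frame("10.0.0.5", 40001, "10.0.0.9", 2121, 1007, b"ice\r\nPASS s3cret\r\n"),
        make_frame("10.0.0.5", 40001, "10.0.0.9", 2121, 1000, b"USER al"),
        make_frame("10.0.0.5", 40002, "10.0.0.9", 8080, 500, b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
                   b"Authorization: Basic " + base64.b64encode(b"bob:hunter2") + b"\r\n\r\n"),
        make_frame("10.0.0.5", 40003, "10.0.0.9", 1143, 900, b'a001 LOGIN dave "p@ss"\r\n'),
        make_frame("10.0.0.5", 40004, "10.0.0.9", 8443, 7000, b"POST /login HTTP/1.1\r\nHost: app\r\n"
                   b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: "
                   + str(len(form)).encode() + b"\r\n\r\n" + form),
    ])


if __name__ == "__main__":
    for hit in sniff_pcap(sample_pcap()):
        print(hit)
```

To run it against a real capture, pass the bytes of any classic (not pcapng) libpcap file with an Ethernet link type to sniff_pcap. Adding a protocol means adding a content signature, never a port, which is what keeps the detection working when a service is moved to an unusual port.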

 

You can download net-creds here:

net-creds-master.zip

Beware – Keylogger uncovered on hundreds of HP PCs

HP has issued an emergency patch to remove a driver-level keylogger found on hundreds of HP laptop models.

The bug was discovered by Michael Myng, also known as “ZwClose”. The security researcher was examining the Synaptics touchpad driver (SynTP.sys) to work out how laptop keyboard backlighting is controlled, and stumbled across code that looked suspiciously like a keylogger.

In a blog post, ZwClose said the keylogger, which saved keyboard scan codes to a WPP (Windows software trace preprocessor) trace, was found in the driver.

While logging was disabled by default, anyone with the right permissions could enable it by changing registry values. So if a laptop were compromised by malware, malicious code, including Trojans, could switch on the signed driver’s own tracing and read keystrokes from it, spying on users without having to drop a keylogger of its own.

“I messaged HP about the finding,” Myng said. “They replied terrifically fast, confirmed the presence of the keylogger (which actually was a debug trace) and released an update that removes the trace.”

This is the second such finding on HP hardware this year: in May, a keylogger was found in the Conexant HD audio driver package installed on dozens of HP models. HP quickly rolled out a patch for that issue too, which could have been used to collect data including passwords, website addresses and private messages.

This ransomware asks victims to name their own price to get their files back

A new type of ransomware, which shares similarities with Locky, allows its victims to negotiate the price for retrieving their encrypted files.

Scarab ransomware was first uncovered in June, but during November it was suddenly distributed in millions of spam emails, according to researchers at Fortinet. The emails were distributed via Necurs, the botnet notorious for spreading the highly successful Locky ransomware.

The file-encrypting malware is deployed when the victim runs a VBScript application contained within a malicious email, which retrieves Scarab from payload websites. Researchers at PhishMe said the script contains similarities to the mechanism used to deliver Locky. Because the chain starts with a user running a script attachment, blocking script file types (.vbs, .js, .wsf) at the mail gateway, or disabling Windows Script Host for users who don’t need it, cuts it off before anything is encrypted.

Those behind Scarab have also chosen to fill the ransomware’s source code with what appear to be references to the Game of Thrones character Jon Snow.

The Scarab source code references Game of Thrones.

Image: PhishMe

Once installed and executed on the victim’s computer, the malware connects to a site that provides the attacker with the victim’s IP address and other system information, likely to help the attacker keep track of victims.

Even if the machine is taken offline during the process, the ransomware still encrypts the files with the .scarab file extension and presents the victim with a ransom note.

The Scarab ransom note, with an email address for negotiating payment.

Image: PhishMe

But rather than demanding a set fee to unlock the files, the attackers behind Scarab ask victims to email them in order to negotiate a payment in bitcoin, the cryptocurrency frequently used by attackers to collect ransom payments.

The use of an email address suggests the attackers aren’t as sophisticated as those behind other forms of ransomware. However, they do appear to be working on the theory that if they let the victim set their own price for the ransom, they’re more likely to receive a payment.

See also: Ransomware: An executive guide to one of the biggest menaces on the web

“The negotiation process encouraged by the Scarab ransomware is particularly interesting. While entering into negotiations certainly makes it more likely ransom of some kind will be paid, it also allows them to vary demands depending on the value of bitcoin at the time,” said Aaron Higbee, co-founder and CTO of PhishMe.

Researchers suggest the rise in the value of bitcoin has played a part in the shift to this tactic. A fee of around one bitcoin was frequently set as the ransom demand during 2016, when the value of bitcoin was under $1,000. At the time of writing, one bitcoin is worth over $16,000.

Attackers likely understand that the average victim won’t have the funds to pay this fee, so by allowing the victim to suggest a price, those behind Scarab are more likely to ensure a payday for their criminal work.

Those behind Scarab also attempt to show they can be trusted to hold up their end of the malicious deal by using a common tactic of ransomware distributors: offering to decrypt some files for free. They also provide instructions on how to obtain bitcoin so that they can receive payment from victims.

However, these aren’t acts of community spirit. The attackers are criminals looking to profit by extorting a payment from the unfortunate victim, a fact hammered home by the ransom note, which says: “Decryption of your files with the help of third parties may cause increased price.” The attackers also add that by attempting to use decryption tools, the victim “can become a victim of a scam”.

Researchers are currently unsure whether Scarab will be a short-lived ransomware campaign, like Jaff, or whether it will become a long-standing threat like Locky.

Recent and related coverage

Ransomware: Security researchers spot emerging new strain of malware

‘Magniber’ ransomware could potentially be an experiment by the people behind the Cerber ransomware family.

Think cybercriminals are happy about the rise of ransomware? Think again

Ransomware is growing, but its rise has split opinion among cybercriminals.

Bitcoin Trouble: Over $60 Million Lost in NiceHash Hack

  • In a warning for those who wish to invest in Bitcoins to make some big bucks, the cryptocurrency mining market NiceHash has revealed hackers wiped out its entire Bitcoin wallet, resulting in over $60 million loss. “Unfortunately, there has been a security breach involving NiceHash website. We are currently investigating the nature of the incident and, as a result, we are stopping all operations for the next 24 hours,” the marketplace said in a statement late on Wednesday. “Importantly, our payment system was compromised and the contents of the NiceHash Bitcoin wallet have been stolen. We are working to verify the precise number of BTC taken,” it added.
  • Coindesk reported on Thursday that the loss is about 4,736.42 Bitcoins, worth more than $60 million. “Are we going to get our btc? or might as well just forget it. Your press release said nothing about sending us what you owe. I have 4000$ stuck in your wallet which is now almost 4300$,” tweeted a user named Lohit. Another NiceHash user Philip Richardson tweeted: “If I don’t get my BTC back I will never use your service again”.
    Earlier in the day, the value of one Bitcoin had crossed $14,000, a new record high for the cryptocurrency. Bitcoins are created through a complex computer process known as mining and then monitored by a network of computers across the world. A steady stream of about 3,600 new bitcoins are created a day – with about 16.5 million now in circulation from a maximum limit of 21 million, BBC reported.
  • “Clearly, this is a matter of deep concern and we are working hard to rectify the matter in the coming days. In addition to undertaking our own investigation, the incident has been reported to the relevant authorities and law enforcement and we are co-operating with them as a matter of urgency,” NiceHash said. The company recommends that users change their passwords, both on NiceHash and on any other service where the same password was used. The incident brings back memories of the 2014 implosion of the Mt. Gox Bitcoin exchange, which led to losses of hundreds of millions of dollars.
  • In India, the Reserve Bank of India (RBI) this week cautioned the “users, holders and traders” of Bitcoins about the security-related risks associated with dealing with such virtual currencies (VCs). The apex bank reiterated its stand that “it has not given any licence or authorization to any entity or company to operate such schemes or deal with Bitcoin or any VC”.
  • “In the wake of significant spurt in the valuation of many VCs and rapid growth in Initial Coin Offerings (ICOs), RBI reiterates the concerns,” the central bank said in a statement.

Crack BIOS Password !!!

Forgot your BIOS password?

Do the following:

1. Power the machine off, unplug it from the mains, and open the case.
2. Look at the motherboard.
3. You will see a coin-sized silver battery (a 3V CR2032 lithium cell).

—————————————– NOTE ——————————————————–
This battery keeps the real-time clock running and preserves the BIOS (CMOS) settings, including the supervisor password, while mains power is off. It plays no part in starting the boot process; the reset works because those settings are held in volatile CMOS RAM that loses its contents once the battery is removed.
———————————————————————————————————–

4. Remove the battery from its holder.
(It is safe to remove the battery with the power disconnected.)
5. Wait at least 30 seconds, then put the battery back. Some boards hold residual charge for longer; pressing the power button a few times with the mains disconnected drains it faster. Most desktop boards also have a CLR_CMOS / CLRTC jumper that does the same job without removing the battery.
6. Now, when you start the system, the CMOS has been reset to defaults and you won’t be prompted for the BIOS password.

Enjoy !!!
———————————— CAUTION ———————————————–
1. Perform at your own risk!
2. You have to set the time, and any custom BIOS settings such as boot order, when you start again.
3. This only works where the password lives in CMOS RAM. Laptops and most business-class machines store it in non-volatile flash or EEPROM, so pulling the battery clears the clock but not the password; those need the vendor’s recovery procedure.
4. The flip side: a BIOS password is no defence against someone with physical access to the machine. Protect the data with full-disk encryption instead of relying on it.

Beware – This sneaky cryptominer hides behind taskbar even after you exit browser

  • JavaScript-based in-browser cryptocurrency miners are now borrowing loathed online ad techniques to covertly keep using visitors’ CPUs after they have left a site.
  • Most of the browser-based miners on sites that use the Monero-mining Coinhive service can be stopped simply by closing the browser, which stops them chewing up your CPU.
  • However, security firm Malwarebytes has discovered a new case where the page will continue mining even after the browser is closed.
  • The technique relies on a tiny ‘pop-under’ window, which is sometimes used to load hidden ads. For extra cover, the window is designed to sit behind the Windows taskbar, making it hard to spot.
  • In-browser cryptominers have grown in popularity, partly in response to the rise of ad-blockers. Coinhive was proposed as a legitimate alternative to advertising. The Pirate Bay, for example, recently integrated Coinhive in its site for this reason, but annoyed some users by apparently accidentally setting it to use 100 percent of a visitor’s CPU. It later dialed it back.
  • Users who believe their PC is being abused for someone else’s mining profits have a few options to detect and stop the activity.

    Malwarebytes researcher Jérôme Segura notes that users can open Task Manager and kill the intensive browser processes being used by the miner. If the taskbar is set to transparent, the pop-under can be seen, and resizing the taskbar will also reveal the hidden window.

    Segura predicts “drive-by mining” will continue to remain popular for all the wrong reasons.

    “Forced mining (no opt-in) is a bad practice, and any tricks like the one detailed in this blog are only going to erode any confidence some might have had in mining as an ad replacement,” he wrote.

    “Unscrupulous website owners and miscreants alike will no doubt continue to seek ways to deliver drive-by mining, and users will try to fight back by downloading more adblockers, extensions, and other tools to protect themselves. If malvertising wasn’t bad enough as is, now it has a new weapon that works on all platforms and browsers.”

    Users can run Task Manager to spot any remnant running browser processes and terminate them.

    Image: Malwarebytes Labs