Petya and EternalBlue: Spread of a deadly ransomware

EternalBlue was used in the propagtion of both WannyCry and Petya. It is believed that this exploit was developed by NSA and was leaked by Shadow Broker hacker group. 

EternalBlue exploits a vulnerability in Microsoft Windows SMB v1 service which allowed to execute arbritary code from a remote system on the target computer. Microsoft did release a patch for all of its operating system which had this vulnerability including unsupported Microsoft XP.

More details of the vulnerability can be found at the CVE and its catalogued as CVE-2017-0144 (https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144)

It is believed that Petya spread through a vulnerability in a third party software M.E. Doc used in Ukraine, which explains why it impacted Ukraine the most. Unlike WannyCry, Petya used multiple techniques to propogate. These included EthernalBlue, a technique used by Mimikatz and other tools leveraging lsadump to dump passwords from memory and it also used PSEXEC and WMIC to spread across the network.

It is advised that you patch your windows system, if they are not already patched. Like WannyCry, block SMB ports on your firewalls, disable local Administrative rights for users, do not reuse the same passwords across different system. If best pratices are followed, not only attacks like Petya, WannaCry but also future attacks be limited.

GajShield Security Alert - https://www.gajshield.com

Many firms across the world hit by global cyber-attacks

British, Russian and Dutch companies were among those targeted by the "powerful" hack, which is quickly spreading.  Major firms, airports and government departments in Ukraine have been struck by a massive cyber attack which began to spread across Europe.

In Ukraine, government departments, the central bank, a state-run aircraft manufacturer,  the airport in Kiev and  the metro network have all been paralysed by the hack. Advertising firm WPP of UK too have been affected by this attack. Maersk, a Danish transport too has been impacted by attack.

The attack seemed to be consistent with a ransomware described as a variant of a virus Petya or Petrwap. It is also believed that the malware uses a vulnerability in SMB file sharing system.

More information coming soon. 

GajShield Security Alert - https://www.gajshield.com

Cover Story on GajShield

Silicon India cover story on GajShield.

GajShield: Soaring Higher with Bleeding Edge Security Solutions that are Made in India

To reach the finish line amidst the fierce competition, IT organizations must dabble through the minefield crammed up cyber threats spawning abreast with dynamically changing trends, where newest technologies are capturing the hot seat from newer technologies frequently. As cyber criminals are creating more mines at full tilt to steal data, enterprises need blast-proof suits invented apace with technological evolution and more importantly, visibility through context-based solutions to ensure that they are running in the right track. Encompassing both these features is the next generation firewall suite of GajShield proudly made in India, which is comprised of a unique set of solutions such as context-based data leak prevention, cloud security for roaming users, application filtering and BYOD security among others. This Mumbai-based company stays one step ahead of its competitors by constantly innovating stronger shields that are quintessential to tackle the growing threats.

Click here for more details...

How to avoid WannaCry ransomware?

A malicious software has been used in a massive hacking attack, affecting tens of thousands of computers worldwide across multiple countries. It is estimated that at least 99 countries have been affected by it, right across Russia, Ukraine, Taiwan, Britain, Spain and many others.

The hack forced British hospitals to turn away patients, affected Spanish companies such as Telefonica, and threw other government agencies and businesses into chaos.

WannaCry is a ransomware which infects systems when a user clicks on a link and downloads a malicious software. This software then locks all the files on your system. This worm is also assumed to spread by infecting other systems on the network through Microsoft SMB vulnerability.

Though this ransomware has been accidentaly stopped in its path, researcher fear that a variant of this worm is expected.

Few steps can be taken to protect against this ransomware

  • Educate your users not to open any mail with suspicious content.

  • Block unwanted file downloads on the firewall.

  • Ensure that your antispam/anti-malware engine is enabled and updated.

  • It is advisable to  block all Microsoft SMB ports on windows system i.e. 445/137/138/139

  • Block the above ports on your firewall, in-bound and out-bound towards your network.

  • Microsoft has already released a patch to protect against NSA exploit of windows system. Ensure that your systems are updated with this patch.

  • Microsoft has also released a patch for non-supporting older Windows operating system. If you have any such systems, immediately apply the patch on such systems.

 GajShield Security Alert - https://www.gajshield.com

Massive vulnerability in Windows Defender leaves most Windows PCs vulnerable

 

Massive vulnerability in Windows Defender leaves most Windows PCs vulnerable (CVE-2017-0290)

A vulnerability has been identified in the malware protection engine (Windows Defender) that is used in almost every recent version of Windows (7, 8, 8.1, 10, and Server 2016). Since Windows Defender is installed by default on all Windows PCs, it leaves many enterprises and users vulnerable to it.

This exploit allows a remote attackers to take over the system, without any intervention by the system owner. An attackers could craft an email or an instant message, which when scanned by the vulnerable system, could lead to remotely taking over the system. Anything that can be automatically scanned by Windows Defender e.g. file shares, websites etc. could be used to attack the system. This exploit could also be written as a worm to scan other vulnerable systems and replicate it.

Micrisoft has released and pushed an immediate patch against this code execution vulnerability. According to Microsoft the risk is lower on Windows 10 and Windows 8.1 system because of its security feature to protect against memory corruption on these systems.

You are advised to perform a manual check whether your PC has been updated. To do so, go to "Windows Defender settings" and if the Engine version number is 1.1.13704.0 or higher means the system is patched. For others, you need to act immediately to install the latest updates to avoid being vulnerable to future attacks. 

 

GajShield Security Alert - https://www.gajshield.com

 

 

 

Page 1 of 5