URGENT! MASSIVE NEW CYBER-ATTACK UNDERWAY, SPREADING FAST GLOBALLY
27 June, 20

This is an URGENT breaking news story: A new, utterly massive cyber-attack is underway in Europe and spreading incredibly fast worldwide. The attack is shutting down: Banks, Power grids, Postal and other government systems, Media, Airports, Cell phone providers and now PORTS, with Rotterdam crippled!

At first the attack seemed to target the country of Ukraine, but it spread far beyond its borders very quickly. As of 11:15 AM EDT, Maersk and other Rotterdam Harbor terminals are hacked, bringing port operations and shipping to an absolute HALT.

Banks, companies & airports hit by massive hack attack, computers offline.

UPDATES BELOW:

Reports of "petya ransomware" spreading through Ukraine, India, Spain and UK

Russia, France - confirmed reports about #Petya ransomware outbreak

New ransomware seems a variant on Petya.A. Ukraine, Russia, Spain, Dutch container terminal Maersk infections reported.

Russian state-run Rosneft oil company under 'major' cyberattack

OFFICIALS:

There are early signs of a new ransomware outbreak, currently affecting a large number of countries across the globe, such as the UK, Ukraine, India, the Netherlands, Spain, Denmark, and others.

At the time of writing, the ransomware outbreak is smaller than WannaCry, but the volume is "considerable," according to Costin Raiu, Kaspersky Lab researcher, and MalwareHunter, an independent security researcher.

The main culprit behind this attack is a new version of Petya, a ransomware that encrypts the MFT (Master File Table) of NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer.

This makes Petya more dangerous and intrusive than other strains: it reboots systems and prevents them from working altogether.
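
A defender can spot the MBR overwrite described above by comparing the boot-code area of sector 0 with a known-good hash taken earlier. The Python below is an added example, not code from the original reports; the function names and the sample sectors are constructed for illustration, and it assumes a classic MBR-partitioned disk.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE = slice(0, 440)   # bootstrap code area of a classic MBR
BOOT_SIG = b"\x55\xaa"      # boot signature at offsets 510-511


def parse_partitions(mbr: bytes):
    """Return (type, first_lba, sector_count) for each non-empty entry."""
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 462 + 16 * i]
        ptype = entry[4]
        lba, count = struct.unpack_from("<II", entry, 8)
        if ptype:
            parts.append((ptype, lba, count))
    return parts


def check_mbr(mbr: bytes, baseline_sha256: str):
    """Compare sector 0 against a known-good boot-code hash; list findings."""
    if len(mbr) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    if hashlib.sha256(mbr[BOOT_CODE]).hexdigest() != baseline_sha256:
        findings.append("boot code differs from baseline")
    if not parse_partitions(mbr):
        findings.append("no partition entries")
    return findings


def make_mbr(boot_code: bytes) -> bytes:
    """Build a constructed sample sector with one NTFS (0x07) partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    body = boot_code.ljust(440, b"\x00") + b"\x00" * 6 + entry + b"\x00" * 48
    return body + BOOT_SIG


# Constructed sample data: a "clean" sector and one with replaced boot code.
clean = make_mbr(b"\xfa\x33\xc0\x8e\xd0")
baseline = hashlib.sha256(clean[BOOT_CODE]).hexdigest()
tampered = make_mbr(b"\xeb\xfe" + b"\x90" * 64)

if __name__ == "__main__":
    print("clean:   ", check_mbr(clean, baseline))
    print("tampered:", check_mbr(tampered, baseline))
```

On a real host the 512 bytes would be read from sector 0 of the physical disk with administrative rights, and the baseline hash recorded while the machine is known to be clean.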

According to a technical analysis of this new Petya strain, its author appears to have taken inspiration from last month's WannaCry outbreak, and added a similar SMB worm based on the NSA's ETERNALBLUE exploit [Source: 1, 2, 3].

Unlike WannaCry, Petya is also spread via email spam in the form of boobytrapped Office documents. These documents will download and run the Petya installer, which then executes the SMB worm and spreads to new computers.

Currently, there are multiple reports from several countries about the ransomware's impact. The most affected country seems to be Ukraine, where government agencies have reported "cyber-attacks" caused by a mysterious virus that affected the country's largest banks, airports, and utility providers. Rozenko Pavlo, one of Ukraine's deputy prime ministers, posted a photo on Twitter of a government PC locked by this new Petya variant.

Ransomware incidents have also been reported in other countries, such as the Netherlands, where Danish-based container transportation giant Maersk was forced to shut down some operations in Rotterdam. Maersk later confirmed the attacks on its website.

Similarly, in Spain, local media is reporting ransomware attacks at a large number of companies that include food conglomerate Mondelez and law firm giant DLA Piper.

Russian oil giant Rosneft also admitted to cyber-incidents on Twitter but didn't clarify further.

So far, the Petya authors have already pocketed seven ransom payments of 0.87 Bitcoin, worth nearly $2,000. This is quite a considerable sum, knowing that WannaCry took almost a full day to earn that much. This version of Petya is asking for $300 in Bitcoin for each infected computer.

Developing story. More details will follow.

NSA Software Behind Latest Global Ransomware Attack
27 June, 2017

"It's like WannaCry all over again," said Mikko Hypponen, chief research officer with Helsinki's cybersecurity firm F-Secure, when discussing today's latest outbreak of the WannaCry-like ransomware attack. As we reported earlier, it started in Ukraine and has since spread to corporate systems across the world, affecting Russian state oil giant Rosneft, the international shipping and energy conglomerate Maersk, and the UK public relations company WPP, before jumping across the Atlantic and going global by infecting the US-based division of global pharma giant Merck, which this morning confirmed it has been hit by the "Petya" attack.

“We confirm our company’s computer network was compromised today as part of global hack,” Merck said in a statement on Tuesday. “Other organizations have also been affected. We are investigating the matter and will provide additional information as we learn more.”

Merck employees were instructed to disconnect all mobile devices from the company network and advised not to speak to reporters or post messages on social media accounts.

Computers at Merck facilities in Pennsylvania and New Jersey locked up Tuesday morning around 8am local time, according to the Inquirer.

Back in mid-May, when WannaCry spread with tremendous speed around the globe, many said that it's only a matter of time before the virus returns in a more advanced, weaponized version. Sure enough, cyber security experts quoted by Reuters said those behind the attack appeared to have exploited the same hacking tool used in the WannaCry ransomware attack that infected hundreds of thousands of computers in May before a British researcher created a temporary kill-switch.

Hypponen said he expected the outbreak to spread in the Americas as workers turned on vulnerable machines, allowing the virus to attack. "This could hit the U.S.A. pretty bad," he said. And, as Merck confirmed, it already has.

Within hours of the first attack, the U.S. Department of Homeland Security said it was monitoring reports of cyber attacks around the world and coordinating with other countries.

The first reports of organizations being hit emerged from Russia and Ukraine, but the impact quickly spread westwards to computers in Romania, the Netherlands, Norway, and Britain.

Within hours, the attack had gone global.

Petrwrap/Petya ransomware variant with contact wowsmith123456@posteo.net spreading worldwide, large number of countries affected.

In addition to the US, a Swiss government agency also reported computer systems were affected in India, though the country's cyber security agency said it had yet to receive any reports of attacks, according to Reuters.

For those infected, there may be just one option: pay the ransom. One victim of the cyber attack, a Ukrainian media company, said its computers were blocked and it had a demand for $300 worth of the Bitcoin crypto-currency to restore access to its files.

"If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service," the message said, according to a screenshot posted by Ukraine's Channel 24. The same message appeared on computers at Maersk offices in Rotterdam and at businesses affected in Norway.

Other companies that said they had been hit by a cyber attack included Russian oil producer Rosneft, French construction materials firm Saint Gobain and the world's biggest advertising agency, WPP - though it was not clear if their problems were caused by the same virus. "The building has come to a standstill. It's fine, we've just had to switch everything off," said one WPP employee who asked not to be named.

The virus was seen on various Ukraine ATMs, leading to jokes that while normally you ask ATMs for money, in hacked Ukraine, ATMs ask you.

Cyber security firms scrambled to understand the scope and impact of the attacks, seeking to confirm suspicions hackers had leveraged the same type of hacking tool exploited by WannaCry, and to identify ways to stop the onslaught. Experts said the latest ransomware attacks unfolding worldwide, dubbed GoldenEye, were a variant of an existing ransomware family called Petya.

It uses two layers of encryption which have frustrated efforts by researchers to break the code, according to Romanian security firm Bitdefender. "There is no workaround to help victims retrieve the decryption keys from the computer," the company said.

Russian security software maker Kaspersky Lab, however, said its preliminary findings suggested the virus was not a variant of Petya but a new ransomware not seen before.

As noted earlier, Ukraine was quick to accuse Russia. An advisor to Ukraine's interior minister said the virus got into computer systems via "phishing" emails written in Russian and Ukrainian designed to lure employees into opening them. According to the state security agency, the emails contained infected Word documents or PDF files as attachments.

But whatever the origin of the geographic hacking operation, the actual software used is the same that was created by the NSA and subsequently leaked by a disgruntled non-Russian employee. Now we are just waiting for the confirmation.

Just talked with Group IB expert in cybercrime who said there's no evidence yet that Petya hack used leaked NSA tools.

As a reminder, the quick proliferation of the original WannaCry malware, which infected nearly 300,000 computers worldwide within a day, was due entirely to its use of two powerful software exploits that were released to the public in April by the anonymous hacker group calling itself the Shadow Brokers, which said the exploits were developed by the US National Security Agency (NSA).

On Tuesday, Edward Snowden asked "How many times does @NSAGov's development of digital weapons have to result in harm to civil infrastructure before there is accountability?"

Apparently, not enough.

Meanwhile, governments and so-called experts had laughably come to the conclusion that the North Korean government was behind the original WannaCry attack. We just can't wait for those same "experts" to again blame this latest global malware attack on Kim and his team of crack blackhats.

Finally, for those who want to keep track of how many people have made the ransom payment, there is now a Twitter bot for that, @petya_payments, that will tweet each time a new ransom payment is made to the bitcoin wallets associated with the Petya attack.

The bitcoin wallet tied to #Petya ransomware has so far received 11 payments totaling 1.37807212 BTC ($3,246.4 USD).