Latest Ransomware Attack Cripples Networks Worldwide

For the second time in as many months, hackers have unleashed a massive ransomware attack targeting thousands of computer networks across the world.

The latest attack, nicknamed the GoldenEye strain of Petya ransomware, began on Monday June 27 and continued to unfold into Tuesday June 28, officials said. Investigators suspect it originated in Ukraine as an attempt to extort ransom payments from the owners of affected systems in exchange for releasing their crippled technology. The attack took advantage of a Windows PC’s ability to quickly spread corrupted files across a vast computer network, investigators said.

The latest ransomware attack comes just a month after another similar incident, nicknamed WannaCry, locked up more than 200,000 computers.

Petya Details

Petya differs slightly from the earlier WannaCry attack in that it does not contain the kill-switch functionality that helped prevent WannaCry from affecting more computer networks than it did, officials said. Instead, Petya uses the EternalBlue exploit to spread from system to system, along with credentials compromised on previously infected machines and administrative tools such as PsExec and WMI. A single unpatched system can therefore lead to multiple systems inside the same network becoming compromised.

Rather than encrypting the files on a computer and leaving the operating system intact, Petya encrypts the master boot record of affected machines, rendering them unusable. In some cases, investigators said, even paying the ransom to the cyber criminals does not allow victims to recover files from compromised machines. For this reason, officials urge those affected not to make ransom payments in this or any ransomware attack.

Facing the Realities

Brad Taylor, Proficio CEO, said the recent ransomware attacks force companies and organizations to face the fact that they are under the constant threat of attack from anonymous cyber criminals.

“Attacks like Petya and WannaCry are making organizations face the realities of today’s cyber threat landscape,” Taylor said. “Hackers are constantly seeking and exploiting vulnerabilities across all enterprise resources; your people, processes and technology are all targets to advanced cyber criminals.”

Employing monitoring and alerting as part of a fully managed security operations center as a service to detect and respond quickly to an emerging threat like GoldenEye is the key to preventing widespread damage, Taylor continued.

“Accurate monitoring can allow your organization to proactively identify the early stages of an attack and more efficiently halt suspicious or high risk behavior,” Taylor said. “Most breaches only take 30 minutes to compromise an entire system, so while prevention is paramount, attackers will continue to find the cracks and stopping attacks earlier in the ‘kill chain’ can minimize the impact of a hack once a network is infected.”

Tips for Avoiding Ransomware

John Humphreys, Proficio Senior VP of Business Development and Alliances, said organizations must use a multi-pronged approach to stay secure in today’s fast-changing cybersecurity space. The latest ransomware attack proves that “not everyone learned the lesson from WannaCry,” Humphreys said.

“First, patch vulnerabilities,” Humphreys said. “Second, monitor for indicators of attack or compromise and rapidly respond. Third, protect your endpoints with next-generation security that can identify ransomware and stop it. Lastly, back up.”

Recommended Action for Linux Kernel Vulnerability

Recently, a critical zero-day vulnerability in a Linux kernel module was publicized. If successfully exploited on a Linux device, this vulnerability would allow an attacker to execute arbitrary code with escalated privileges.

Devices running Linux kernel 3.8 or higher are potentially vulnerable to this bug, meaning millions of Linux devices and around two-thirds of all Android devices are potentially affected. Relevant IoT devices could be vulnerable as well. At the time of writing, there have been no publicized observations of exploits against this vulnerability in the wild. Given the sheer number of devices potentially vulnerable, we advised all of our customers to review their systems for the vulnerability and mitigate with the appropriate steps detailed below.

Vulnerability Details

The vulnerability, CVE-2016-0728, resides in the Linux kernel’s key retention service, provided by a module that allows a process to store security information. Specifically, the bug can be triggered by a process making repeated calls to the keyctl system call, because the vulnerable code does not check for an integer overflow of a reference counter. If the counter is reset to zero, the kernel frees the keyring object in memory, and an attacker could then attempt a use-after-free attack.

When a process makes a keyctl call with a session key already in use, the Linux kernel increments a reference count (visible in /proc/keys). This counter is a 32-bit integer, even on 64-bit systems. When the counter overflows, effectively returning to zero, the kernel frees the object, and a malicious program may insert a crafted object running under escalated privileges.

In order to exploit this vulnerability, an attacker would need the ability to make keyctl calls on the target host. The attacker would also need to make 2^32-1 calls to keyctl in order to reset the counter and free the kernel object, after which the attacker could leverage function pointers in the struct key_type object for remote code execution under escalated privileges. The researchers at Perception Point, who revealed this vulnerability, noted that this exploit took some 30 minutes to run on an Intel Core i7-5500 CPU.

We recommend a careful review of all Linux-based devices on your network that are running kernel version 3.8 or higher, specifically with “enable access key retention support” enabled. Wherever possible, vulnerable kernels should be patched immediately. Multiple versions of various Linux distributions, including Red Hat Enterprise Linux 7, CentOS Linux 7, and Debian Linux 8.x and 9.x, are potentially vulnerable. Here’s a guide on which distributions have readied a patch and how to install it.
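To make that review repeatable across an inventory, here is an added Python triage helper (not Proficio’s tooling) that classifies a host from its `uname -r` string and kernel config: a host is in scope when the kernel is 3.8 or newer and CONFIG_KEYS=y, which is the kconfig option shown as “Enable access key retention support”. The hostnames, kernel releases and config excerpts are constructed samples.

```python
"""Triage helper for CVE-2016-0728 (added example, not Proficio's tooling).
A host is in scope when its kernel is 3.8 or newer AND the key retention
service is compiled in: CONFIG_KEYS=y, the kconfig option shown as
"Enable access key retention support"."""
import re
from typing import Optional, Tuple

VULNERABLE_FROM = (3, 8)


def parse_kernel_version(release: str) -> Tuple[int, ...]:
    """Numeric prefix of a `uname -r` string: '3.10.0-327.el7.x86_64' -> (3, 10, 0).
    Distribution suffixes are ignored."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def keys_enabled(config_text: str) -> bool:
    """True if CONFIG_KEYS=y is set in a .config / /boot/config-* / zcat /proc/config.gz dump.
    A '# CONFIG_KEYS is not set' line therefore counts as disabled."""
    return re.search(r"^CONFIG_KEYS=y\s*$", config_text, re.MULTILINE) is not None


def assess(release: str, config_text: Optional[str]) -> str:
    """Classify one host as 'vulnerable', 'not_affected' or 'check_config'.
    config_text is the kernel config contents, or None if it was not collected."""
    if parse_kernel_version(release)[:2] < VULNERABLE_FROM:
        return "not_affected"      # below the affected range (3.8 and newer)
    if config_text is None:
        return "check_config"      # kernel in range; CONFIG_KEYS decides
    return "vulnerable" if keys_enabled(config_text) else "not_affected"


# Constructed inventory, not real hosts: (hostname, uname -r, config excerpt or None)
SAMPLE_HOSTS = [
    ("web01", "3.10.0-327.el7.x86_64", "CONFIG_KEYS=y\nCONFIG_KEYS_DEBUG_PROC_KEYS=y\n"),
    ("legacy-db", "2.6.32-573.el6.x86_64", "CONFIG_KEYS=y\n"),
    ("kiosk", "4.2.0-16-generic", "# CONFIG_KEYS is not set\n"),
    ("android-gw", "3.18.31", None),
]

if __name__ == "__main__":
    for host, rel, cfg in SAMPLE_HOSTS:
        print(f"{host:12} {rel:24} {assess(rel, cfg)}")
```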

Targeted Wire Transfer Scams on the Rise

While not new, targeted wire transfer scams are alive and well and we recommend that you check your processes to guard against them.

These scams start by targeting corporate executives and attempt to convince their targets to wire funds to accounts controlled by the fraudsters.

In one variant of the attack, the scammer registers a domain name with a spelling similar to the target’s and sets up an email service on that domain. They then search online for the names of the CFO and managers in the finance department. The attack begins with the attacker sending a targeted email to a manager from what looks like the CFO’s address, using the lookalike domain. If the manager responds, the attacker gathers information from the manager and then stages a malicious funds transfer request, asking the manager to wire money to a bank account within a short period of time and using language harvested from the email threads. The manager, believing the CFO is requesting the transfer, requests approval, and the attacker, still posing as the CFO, approves it.

In another variant, the attacker impersonates an executive at another company that is likely to be doing business with the target company. The initial email uses a domain name that closely resembles the corporate domain name of the organization being impersonated. The body of the email instructs the target to pay all new or outstanding invoices via wire transfer to a new bank account. This attack leverages the likelihood that Accounts Payable at the target company will have actual invoices from the spoofed company.

In both cases, once the funds are transferred, they are quickly rerouted to other hard-to-trace accounts.

Who is Being Targeted by Wire Transfer Scams

Scammers frequently target the finance departments of medium to large-sized organizations that are likely to have a high volume of transactions.

Recommended Countermeasures

  1. Internal education – undertake organization-wide phishing awareness training and ensure finance department personnel are familiar with this type of scam.
  2. Require validation of new banking information with trusted accounting contacts at suppliers and business partners.
  3. Identify lookalike email domains that could be used by scammers in the above scenarios and create email filters to treat these emails as spam. The following tool generates variations of email domains that could be used in a phishing attack or for URL hijacking: http://www.morningstarsecurity.com/research/urlcrazy.
  4. While you could also block the source IP of the attack, expect that future attacks will come from a different IP address.
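As an added example of countermeasure 3 (not from the original advisory or from the urlcrazy project), the Python function below screens sender domains against a company’s protected domains, flagging lookalikes by edit distance on the registrable name and by common homoglyph swaps; the protected domain and sender addresses are constructed samples.

```python
"""Lookalike sender-domain screen for mail filtering (added example).
Flags sender domains that are not a protected domain but sit within a small edit
distance of one, or match after homoglyph swaps (rn->m, vv->w, cl->d, 1->l, 0->o)."""
from typing import List, Optional, Tuple

HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("1", "l"), ("0", "o")]


def normalise(domain: str) -> str:
    """Lower-case and collapse visually confusable sequences."""
    d = domain.lower().strip()
    for glyph, canon in HOMOGLYPHS:
        d = d.replace(glyph, canon)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance where swapping two adjacent letters costs one
    edit (optimal string alignment), so 'examlpe' is 1 from 'example'."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)   # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(sender: str, protected: List[str],
                    max_dist: int = 2) -> Tuple[str, Optional[str]]:
    """Return ('legitimate'|'lookalike'|'unrelated', matched protected domain).
    The TLD is ignored in the distance test, so example.co vs example.com is caught."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in protected:
        return "legitimate", domain
    name = normalise(domain.split(".")[0])
    for p in protected:
        if normalise(domain) == normalise(p) or \
                edit_distance(name, normalise(p.split(".")[0])) <= max_dist:
            return "lookalike", p
    return "unrelated", None


# Constructed samples, not real organisations or senders
PROTECTED = ["examplecorp.com"]
SAMPLE_SENDERS = ["cfo@examplecorp.com", "cfo@exarnplecorp.com", "ap@examplecrop.com",
                  "news@examplecorp.co", "bob@unrelatedvendor.net"]

if __name__ == "__main__":
    for s in SAMPLE_SENDERS:
        print(f"{s:28} {classify_sender(s, PROTECTED)}")
```

Feeding the “lookalike” verdicts into a mail gateway rule (quarantine or warning banner) implements the filter the countermeasure calls for.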

Sandworm – Microsoft Windows Zero-day Vulnerability

What is it?

CVE-2014-4114 (aka “Sandworm”): A zero-day vulnerability that allows an attacker to remotely execute arbitrary code.

Who is vulnerable?

Sandworm is a zero-day impacting all versions of Microsoft Windows from Vista SP2 up to Windows 8.1, as well as Windows Server 2008 and 2012.

Where has it been seen?

Used in a Russian cyber-espionage campaign targeting NATO, the European Union, and the telecommunications and energy sectors.

How does it work?

Non-technical: opening a specially crafted file allows the remote code execution. This has been seen with PowerPoint files in the wild.

Technical: “The vulnerability exists because Windows allows the OLE packager (packager.dll) to download and execute INF files. In the case of the observed exploit, specifically when handling Microsoft PowerPoint files, the packager allows a Package OLE object to reference arbitrary external files, such as INF files, from untrusted sources. This will cause the referenced files to be downloaded and, in the case of INF files, to be executed with specific commands.”
[copied from source: http://www.isightpartners.com/2014/10/cve-2014-4114/ ]

Additional Notes:

Microsoft classified MS14-060 as “important”, not “critical”, because the attack requires a user to open a file.

Security Operations Center Recommendations:

Update all vulnerable systems as soon as possible. Microsoft Bulletin MS14-060 fixes this bug: https://technet.microsoft.com/library/security/ms14-060

Additionally, Microsoft has released a total of eight security bulletins and updates that address them as of October 14, 2014. In total, 24 vulnerabilities are addressed in the updates. Three of them are classified as critical. More information can be found here: https://technet.microsoft.com/library/security/ms14-oct

Shellshock/Bash Vulnerability

Shellshock/Bash is a major new vulnerability that affects Unix, Linux and Mac users. This remote code execution vulnerability exists in almost every version of the GNU Bourne Again Shell (Bash). See CVE-2014-6271 in National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

Description of CVE-2014-6271:

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

In our assessment, attacks over the internet via HTTP by worms or scripts are the biggest risk to organizations. A sample of HTTP attacks can be found at the following location:
http://pastebin.com/ebDeRd8U
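An added detection example (not from the original advisory): the Python scanner below looks for the Bash function-definition marker `() {` in the request, referer and user-agent fields of combined-format web logs, after URL-decoding, since that marker is common to every HTTP vector for this bug whatever command follows it. The log lines are constructed samples whose payloads only echo a string.

```python
"""Shellshock (CVE-2014-6271) detector for web-server logs (added example).
The HTTP vector puts a Bash function definition, '() {', in a value the server
copies into a CGI process's environment (User-Agent, Referer, Cookie, query
string). Matching that marker after URL-decoding catches every variant."""
import re
from typing import Dict, List
from urllib.parse import unquote

# '()' then optional whitespace then '{': the function-definition prefix Bash parsed
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "([^"]*)"')


def is_shellshock_probe(value: str) -> bool:
    """True if a header or URL value carries the marker (also when percent-encoded)."""
    return SHELLSHOCK_RE.search(unquote(value)) is not None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """One finding per log line whose request, referer or user-agent carries the marker.
    The status code is kept: a 200 on a CGI path deserves a closer look than a 404."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, request, status, referer, ua = m.groups()
        for field, value in (("request", request), ("referer", referer), ("user_agent", ua)):
            if is_shellshock_probe(value):
                findings.append({"src_ip": ip, "time": ts, "field": field, "status": status})
                break
    return findings


# Constructed log lines, not real traffic; the probe payloads only echo a string.
SAMPLE_LOG = [
    '203.0.113.9 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"',
    '198.51.100.4 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "() { :;}; echo vulnerable" "Mozilla/5.0"',
    '198.51.100.4 - - [25/Sep/2014:10:01:15 +0000] "GET /cgi-bin/status.cgi?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20x HTTP/1.1" 404 162 "-" "curl/7.38.0"',
    '192.0.2.77 - - [25/Sep/2014:10:02:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```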

Vulnerable Software and Versions:

* cpe:/a:gnu:bash:1.14.0
* cpe:/a:gnu:bash:1.14.1
* cpe:/a:gnu:bash:1.14.2
* cpe:/a:gnu:bash:1.14.3
* cpe:/a:gnu:bash:1.14.4
* cpe:/a:gnu:bash:1.14.5
* cpe:/a:gnu:bash:1.14.6
* cpe:/a:gnu:bash:1.14.7
* cpe:/a:gnu:bash:2.0
* cpe:/a:gnu:bash:2.01
* cpe:/a:gnu:bash:2.01.1
* cpe:/a:gnu:bash:2.02
* cpe:/a:gnu:bash:2.02.1
* cpe:/a:gnu:bash:2.03
* cpe:/a:gnu:bash:2.04
* cpe:/a:gnu:bash:2.05
* cpe:/a:gnu:bash:2.05:a
* cpe:/a:gnu:bash:2.05:b
* cpe:/a:gnu:bash:3.0
* cpe:/a:gnu:bash:3.0.16
* cpe:/a:gnu:bash:3.1
* cpe:/a:gnu:bash:3.2
* cpe:/a:gnu:bash:3.2.48
* cpe:/a:gnu:bash:4.0
* cpe:/a:gnu:bash:4.0:rc1
* cpe:/a:gnu:bash:4.1
* cpe:/a:gnu:bash:4.2
* cpe:/a:gnu:bash:4.3

What Should You Do?

1. If you are a user of our ProSCAN/Qualys Vulnerability scanning service, please contact us to schedule an emergency scan.
2. If you are using another vulnerability scanning tool, follow your vendor’s instructions.
3. Use official repositories to upgrade to the current release.
4. Verify with your vendors that this vulnerability has been patched.

What Else is Proficio Doing?

Proficio has patched any vulnerable systems within our own infrastructure. We are actively gathering indicators of attack and compromise and working to apply detection indicators to our monitoring service.

Please feel free to contact us to discuss the best action for your organization.