Security Bulletin #105 – 15 May 2017
WannaCryptor, the huge ransomware outbreak that disrupted IT systems worldwide
A massive wave of malware has just struck worldwide, creating huge waves in the information security sphere and even bigger ones for the victims. The culprit is a piece of ransomware, called WannaCryptor by ESET but also known as WannaCry and Wcrypt, that has been spreading rapidly by exploiting EternalBlue, the SMB exploit from the leaked NSA tooling (the vulnerability Microsoft fixed in March in MS17-010). Unlike most file-encrypting malware, this one has worm capabilities: once on a host it scans for other reachable machines with vulnerable SMB and infects them without any user interaction, which is why it spread so quickly. The story started in Spain's telecom sector and quickly spread outward from there. Reports of healthcare organizations being affected in the UK began to appear, followed by commercial websites, entire enterprise networks, and just about every type of network in between. People from around the world posted screenshots of the ransom note from computers in offices, hospitals, and schools.
Jaff Ransomware: Botnet sends 5 million emails per hour
A massive malicious email campaign driven by the Necurs botnet is spreading a new ransomware at a rate of around 5 million emails per hour and hitting computers across the globe. Dubbed "Jaff", the new file-encrypting ransomware closely resembles the infamous Locky ransomware in many ways, but it demands 1.79 Bitcoin (approximately $3,150) to unlock the encrypted files on an infected computer, which is much more than Locky. Jaff, written in C, is distributed via the Necurs botnet, which currently controls over 6 million infected computers worldwide. Necurs is sending millions of users an email with a PDF attachment; when opened, the PDF prompts the user to open an embedded Word document whose malicious macro downloads and executes the Jaff ransomware, Malwarebytes says. To guard against this kind of infection, treat unsolicited documents received by email with suspicion and do not open them or click links inside them without verifying the source. Check that macros are disabled by default in your Microsoft Office applications; in enterprises, administrators can enforce that setting centrally. Keep a regular backup routine that copies data to external storage which is not permanently connected to your PC, and run an up-to-date antivirus suite. Note that the delivery chain needs two user confirmations (PDF readers generally ask before opening an embedded file, and Word warns before enabling macros), so train users to treat either prompt from an unexpected attachment as a red flag.
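As an added example (not code from Malwarebytes, ESET or this bulletin), the following Python script triages a PDF attachment for the chain described above: an embedded file, an action that fires on open, and an Office document carrying a VBA project. The sample PDF it builds is constructed for the demonstration, not a Jaff specimen; the object names it looks for (/EmbeddedFile, /OpenAction, /JavaScript, /Launch, /AA) are standard PDF names, the exportDataObject call and the file name invoice.docm in the sample are illustrative, and the regex-based stream walk is a heuristic that does not handle object streams or multi-filter encodings.

```python
"""Triage a mail attachment for the PDF -> embedded Office document -> macro chain.

Added example for this bulletin (not Malwarebytes' or ESET's code): the sample PDF
is constructed here, not a real Jaff specimen, and the checks are heuristics.
"""
import io
import re
import zipfile
import zlib

# PDF names worth flagging: an embedded file, plus anything that runs on open.
PDF_RISKY_NAMES = (b"/EmbeddedFile", b"/OpenAction", b"/JavaScript", b"/Launch", b"/AA")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML .docx/.docm container

# Matches "<< dict >> stream ... endstream", allowing one nested << >> (e.g. /Params).
STREAM_RE = re.compile(rb"<<((?:[^<>]|<<[^<>]*>>)*)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)


def pdf_streams(pdf: bytes):
    """Yield (stream dictionary, body) pairs, inflating /FlateDecode bodies."""
    for m in STREAM_RE.finditer(pdf):
        dictionary, body = m.group(1), m.group(2)
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass  # corrupt or multi-filter stream: fall back to the raw bytes
        yield dictionary, body


def office_has_macros(blob: bytes) -> bool:
    """True if blob is an Office document carrying a VBA project (heuristic)."""
    if blob.startswith(OLE_MAGIC):
        # Binary .doc/.xls: VBA lives in a storage whose name is stored as UTF-16LE.
        return any(name.encode("utf-16-le") in blob for name in ("_VBA_PROJECT", "Macros"))
    if blob.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    return False


def triage_pdf(pdf: bytes) -> dict:
    """Return per-indicator findings and a verdict for one PDF attachment."""
    findings = {name.decode(): name in pdf for name in PDF_RISKY_NAMES}
    findings["embedded_office_doc"] = False
    findings["embedded_macro"] = False
    for _dictionary, body in pdf_streams(pdf):
        if body.startswith((OLE_MAGIC, ZIP_MAGIC)):
            findings["embedded_office_doc"] = True
            if office_has_macros(body):
                findings["embedded_macro"] = True
    if findings["embedded_macro"] or (findings["/EmbeddedFile"] and findings["/OpenAction"]):
        findings["verdict"] = "quarantine"   # the Jaff delivery chain, or close to it
    elif any(findings[n.decode()] for n in PDF_RISKY_NAMES):
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "clean"
    return findings


def build_sample_pdf() -> bytes:
    """Constructed sample: a PDF embedding a .docm with word/vbaProject.bin and an
    /OpenAction that asks the viewer to export and open it (invoice.docm is made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in (("[Content_Types].xml", b"<Types/>"),
                              ("word/document.xml", b"<w:document/>"),
                              ("word/vbaProject.bin", b"\x00" * 64)):   # placeholder, not real VBA
            # Fixed timestamp keeps the sample byte-stable between runs.
            zf.writestr(zipfile.ZipInfo(name, date_time=(2017, 5, 11, 0, 0, 0)), content)
    docm = buf.getvalue()
    payload = zlib.compress(docm)
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
        b"3 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Params << /Size %d >> /Length %d >>\n"
        % (len(docm), len(payload)),
        b"stream\n", payload, b"\nendstream\nendobj\n",
        b"4 0 obj << /S /JavaScript /JS (this.exportDataObject({cName: 'invoice.docm', nLaunch: 2});) >> endobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    for key, value in triage_pdf(build_sample_pdf()).items():
        print(f"{key:>22}: {value}")
```

Run it over a mail-gateway quarantine folder and hold anything whose verdict is "quarantine" (a VBA project inside an embedded document, or the /EmbeddedFile plus /OpenAction pairing). In a real deployment, replace the regex walk with a proper PDF parser such as pdf-parser or peepdf; it is used here only to keep the example self-contained.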
Microsoft issues patch for unsupported Windows to protect against WannaCry
In the wake of the largest ransomware attack in history, which has already infected over 114,000 Windows systems worldwide in the last 24 hours, Microsoft has taken the unusual step of protecting customers running out-of-support systems. Microsoft has released an emergency security update for its unsupported versions of Windows, including Windows XP, Vista, Windows 8, Server 2003 and Server 2008 editions. So if your organization is, for whatever reason, still running Windows XP or Vista, you are strongly advised to download and apply the patch now. The sheer number of successful WannaCry infections, achieved at an astonishing pace, indicates that either a significant number of users have not yet installed the security update released in March (MS17-010), or they are still running an unsupported version of Windows for which Microsoft no longer releases security updates. The exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier) systems, so Windows 10 PCs are not affected by this attack, Microsoft says. Either way the remediation is the same: install MS17-010 (or the emergency update) on every Windows host and, where nothing still depends on the legacy protocol, disable SMBv1 and block TCP port 445 from untrusted networks, since that is the path the worm uses to reach its next victim.
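Both the WannaCryptor item above and this one come down to one question for an administrator: which hosts still speak SMBv1, the transport EternalBlue needs? As an added example (not Microsoft's or ESET's code), the Python script below sends a plain SMB1 NEGOTIATE request and classifies the reply. A host that accepts an SMB1 dialect is inside the worm's attack surface and must have MS17-010 installed (and SMBv1 disabled where possible); the probe does not tell you whether the patch is present. The dialect list, header flag values and sample server reply are constructed for the example, and probe_smb1() should only be pointed at hosts you are authorised to scan.

```python
"""Probe whether a host still negotiates SMBv1, the transport EternalBlue (MS17-010) abuses.

Added example for this bulletin, not Microsoft's or ESET's code. It reports whether a
host accepts an SMB1 dialect; it does not tell you whether MS17-010 is installed.
"""
import socket
import struct

# Dialects offered, oldest first; the server's DialectIndex refers to this list.
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]
SMB1_MAGIC, SMB2_MAGIC = b"\xffSMB", b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
# SMB1 header: Magic, Command, NTSTATUS, Flags, Flags2, PIDHigh, SecurityFeatures,
# Reserved, TID, PIDLow, UID, MID (32 bytes, little-endian).
HEADER_FMT = "<4sBIBHH8sHHHHH"


def netbios_frame(smb: bytes) -> bytes:
    """NetBIOS session service header: message type 0 plus a 3-byte big-endian length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_smb1_negotiate(dialects=DIALECTS) -> bytes:
    """SMB_COM_NEGOTIATE request as a client would send it on TCP/445."""
    header = struct.pack(HEADER_FMT, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0,
                         0x18, 0xC853, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)   # Dialect entries
    body = struct.pack("<BH", 0, len(data)) + data               # WordCount=0, ByteCount
    return netbios_frame(header + body)


def parse_negotiate_response(packet: bytes, dialects=DIALECTS) -> dict:
    """Classify a server reply to build_smb1_negotiate()."""
    if len(packet) < 4 or packet[0] != 0:
        raise ValueError("not a NetBIOS session message")
    smb = packet[4:4 + int.from_bytes(packet[1:4], "big")]
    result = {"protocol": None, "dialect": None, "status": 0, "smb1_negotiated": False}
    if smb[:4] == SMB2_MAGIC:
        result["protocol"] = "SMB2"          # server skipped our SMB1 dialects entirely
        return result
    if smb[:4] != SMB1_MAGIC or len(smb) < 33:
        raise ValueError("not an SMB1 response")
    result["protocol"] = "SMB1"
    command, status = smb[4], struct.unpack_from("<I", smb, 5)[0]
    result["status"] = status
    if command != SMB_COM_NEGOTIATE or status != 0:
        return result                        # SMB1 framing, but negotiation refused
    word_count = smb[32]
    if word_count == 0 or len(smb) < 35:
        return result
    dialect_index = struct.unpack_from("<H", smb, 33)[0]      # first parameter word
    if dialect_index == 0xFFFF or dialect_index >= len(dialects):
        return result                        # 0xFFFF: none of our dialects accepted
    result["dialect"] = dialects[dialect_index].decode()
    result["smb1_negotiated"] = True
    return result


def build_sample_response(dialect_index: int) -> bytes:
    """Constructed server reply (not a capture) in the NT LM 0.12 response layout."""
    header = struct.pack(HEADER_FMT, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0,
                         0x98, 0xC853, 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)
    # 17 parameter words: DialectIndex, SecurityMode, MaxMpxCount, MaxNumberVcs,
    # MaxBufferSize, MaxRawSize, SessionKey, Capabilities, SystemTime, TimeZone, ChallengeLength
    params = struct.pack("<HBHHIIIIQhB", dialect_index, 0x03, 50, 1, 16644, 65536,
                         0, 0x8000E3FD, 0, 0, 8)
    challenge = b"\x11" * 8
    return netbios_frame(header + bytes([17]) + params + struct.pack("<H", 8) + challenge)


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> dict:
    """Live check against one host. A reset or empty reply typically means the
    server does not speak SMBv1 at all."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            reply = s.recv(4096)
    except ConnectionResetError:
        reply = b""
    if not reply:
        return {"protocol": None, "dialect": None, "status": None, "smb1_negotiated": False}
    return parse_negotiate_response(reply)


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, probe_smb1(host))
```

Feed it the host list from your asset inventory and treat every "smb1_negotiated": True as a patch-and-harden ticket. The parser is deliberately separate from the socket code so the same logic can be run over packet captures from an IDS, which is also where a sudden rise in SMB1 NEGOTIATE requests from a workstation would show up as the worm scanning.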
CERTFR-2017-ALE-011: Unsolicited email campaign distributing Jaff ransomware (14 May 2017)
CERTFR-2017-ALE-010: Propagation of ransomware exploiting the MS17-010 vulnerabilities (12 May 2017)
CERTFR-2017-ALE-009: Vulnerability in Microsoft Malware Protection Engine (9 May 2017)
CERTFR-2017-ALE-008: Vulnerability in RDP for Microsoft Windows XP and Windows Server 2003 (14 April 2017)