Security Bulletin

Security Bulletin #106 – 16 May 2017


WannaCry Ransomware: Everything you need to know


Since this widely spread ransomware attack is neither the first nor the last to hit users worldwide, prevention remains the key to protecting against such malware threats. WannaCry is said to be so unique and nasty because it can spread by itself, without the user needing to click any link or open any file. Once a machine is infected, WannaCry also scans for other unpatched PCs on the same local network, as well as random hosts on the wider Internet, in order to spread quickly.

What has happened so far?

Day 1: OutCry — WannaCry targeted over 90,000 computers in 99 countries.

Day 2: The Patch Day — a security researcher found a way to slow down the infection rate, and Microsoft released emergency patches for unsupported versions of Windows.

Day 3: New Variants Arrive — just yesterday, new variants of WannaCry, with and without a kill switch, were detected in the wild; they will be difficult to stop for at least the next few weeks.

The attack is not over yet: security researchers have detected new versions of this ransomware, dubbed WannaCry 2.0, which cannot be stopped by the kill switch. The attack is of an unprecedented scale and will require a complex international investigation to identify the culprits.

Some simple tips you should always follow:

1) Always install security updates
2) Patch the SMB vulnerability
3) Disable SMB
4) Enable the firewall and block SMB ports
5) Use an antivirus program
6) Be suspicious of e-mails, websites and apps
7) Back up your files regularly
8) Keep your knowledge up to date

Is the NSA/CIA to be blamed? Microsoft has hit out at the US government for facilitating cyber-attacks like WannaCry by not disclosing software vulnerabilities to the respective vendors and instead holding on to them for its own benefit, such as global cyber espionage.
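Tips 2 to 4 above (patch SMB, disable SMB, block the SMB ports at the firewall) can be audited and applied from an elevated PowerShell session. The script below is an added example written for this bulletin, not code from Microsoft or from the original article. It assumes Windows 8.1 / Server 2012 R2 or later (where the SmbShare and NetSecurity modules exist), and the MS17-010 KB list is a placeholder that must be filled in from the MS17-010 bulletin for the exact OS build being checked.

```powershell
# Added example: audit a host for the MS17-010 patch and SMBv1 exposure, and
# optionally disable SMBv1 and block inbound SMB on the Public firewall profile.
# Run in an elevated PowerShell session. Assumption: the KB identifiers are
# taken from the MS17-010 bulletin for this OS (placeholder below).
param(
    [string[]]$Ms17010Kbs = @('KB<from-MS17-010-bulletin>'),
    [switch]$Remediate
)

function Test-Ms17010Patch {
    # True when at least one of the expected MS17-010 KBs is installed.
    param([string[]]$Kbs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        Patched   = ($found.Count -gt 0)
        MatchedKb = $found
    }
}

function Get-Smb1State {
    # Server side: is the SMBv1 listener enabled? Client side: optional feature state.
    $server  = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerSmb1Enabled = $server
        FeatureState      = if ($feature) { $feature.State } else { 'NotFound' }
    }
}

function Disable-Smb1 {
    # Tip 3: turn SMBv1 off on the server side and remove the optional feature.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Block-SmbInbound {
    # Tip 4: block inbound SMB (445) and NetBIOS session (139) on the Public
    # profile, so a worm on a foreign network cannot reach the SMB service.
    foreach ($port in 445, 139) {
        $name = "Block inbound SMB $port (Public)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Profile Public -Action Block | Out-Null
        }
    }
}

$patch = Test-Ms17010Patch -Kbs $Ms17010Kbs
$smb1  = Get-Smb1State
Write-Host "MS17-010 KB present : $($patch.Patched) $($patch.MatchedKb -join ',')"
Write-Host "SMBv1 server enabled: $($smb1.ServerSmb1Enabled) (feature: $($smb1.FeatureState))"

if ($Remediate) {
    if ($smb1.ServerSmb1Enabled -or $smb1.FeatureState -eq 'Enabled') { Disable-Smb1 }
    Block-SmbInbound
    Write-Host 'SMBv1 disabled and inbound SMB blocked on the Public profile; reboot to complete.'
}
```

Run it once without `-Remediate` to see the state, then with `-Remediate` to apply the change. The firewall rules are scoped to the Public profile on purpose: blocking 445 on the Domain profile would also break file sharing and Group Policy, so on domain members the patch plus SMBv1 removal is the right fix, and the port block is for laptops on untrusted networks.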

Malicious registry keys: Reflective injection


Over the years, we have witnessed cybercriminals develop and implement sophisticated new techniques to outwit users. That said, one thing has not changed and remains a constant challenge for them: ensuring persistence while avoiding detection by both security solutions and the human eye.

The attack begins with a mass mailing carrying malicious JavaScript files as attachments. Once executed, the script writes an entry in the Windows registry with a random name and assigns it base64-encoded code. After extracting and decoding the registry contents, we obtained PowerShell code. This scripting language can only be executed and interpreted on Windows platforms, as it was conceived for the management of that system.

The function Invoke-ReflectivePEInjection is called with the corresponding arguments and parameters in order to inject the bytes of an executable into the PowerShell process. In this particular case, the attackers are using a method called reflective injection, which loads a DLL or EXE file into an arbitrary process so that it subsequently goes undetected by monitoring tools. The malicious activity is therefore transparent to users, who only see legitimate processes running on their system.

Finally, we can uncover the malicious code that was to be injected and run in memory. This file is a variant of Win32/TrojanDownloader.Wauchos, which is designed to download another malicious file, such as ransomware.
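The persistence pattern described above (a randomly named registry value holding base64-encoded PowerShell that ends in Invoke-ReflectivePEInjection) is something a defender can hunt for directly. The script below is an added example for this bulletin, not code from the original analysis; the autostart keys and indicator strings are our own choices, and the sample value it checks first is constructed here, not a real payload.

```powershell
# Added example: scan autostart registry values for base64-encoded PowerShell
# and flag reflective-injection indicators. Assumptions: the indicator regexes
# and key list below are ours; adjust them to your environment.

$Indicators = @(
    'Invoke-ReflectivePEInjection', 'VirtualAlloc', 'FromBase64String',
    '-EncodedCommand', '-enc\b', '\bIEX\b', 'Invoke-Expression', 'DownloadString'
)

$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function ConvertFrom-Base64Blob {
    # Returns the decoded text of every base64 run (40+ chars) found in $Text,
    # tried both as UTF-16LE (what -EncodedCommand uses) and as UTF-8.
    param([string]$Text)
    $out = @()
    foreach ($m in [regex]::Matches($Text, '[A-Za-z0-9+/]{40,}={0,2}')) {
        try { $bytes = [Convert]::FromBase64String($m.Value) } catch { continue }
        $out += [Text.Encoding]::Unicode.GetString($bytes)
        $out += [Text.Encoding]::UTF8.GetString($bytes)
    }
    return $out
}

function Test-SuspiciousValue {
    # Scores one registry value: the raw data plus anything it decodes to.
    param([string]$Name, [string]$Data)
    $texts = @($Data) + (ConvertFrom-Base64Blob -Text $Data)
    $hits = foreach ($t in $texts) {
        foreach ($i in $Indicators) { if ($t -match $i) { $i } }
    }
    $hits = @($hits | Sort-Object -Unique)
    $encodedLaunch = $Data -match 'powershell(\.exe)?\s.*-(e|enc|encodedcommand)\b'
    [pscustomobject]@{
        Name       = $Name
        Suspicious = ($hits.Count -gt 0) -or $encodedLaunch
        Indicators = $hits
    }
}

function Find-SuspiciousAutostart {
    foreach ($key in $AutostartKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSChildName, ...
            $r = Test-SuspiciousValue -Name "$key\$($p.Name)" -Data ([string]$p.Value)
            if ($r.Suspicious) { $r }
        }
    }
}

# Constructed sample (not a real payload): a Run value that launches hidden,
# encoded PowerShell which reads a second registry value and decodes it.
$sampleLoader = 'powershell.exe -NoP -W Hidden -enc ' +
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(
        'IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\x).y)))'))
Test-SuspiciousValue -Name 'constructed-sample' -Data $sampleLoader | Format-List
Find-SuspiciousAutostart | Format-Table -AutoSize
```

The sample value is flagged both by the encoded-launch pattern in the raw data and by the IEX and FromBase64String indicators in its decoded UTF-16LE payload. A real loader keeps the injection code in a separate, randomly named value, which is why the scanner decodes every base64 run it sees rather than only the one behind `-enc`; extending `$AutostartKeys` to the Services and Winlogon keys covers the other common autostart locations.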

Mimosa Wireless kit has multiple security holes


5G wireless vendor Mimosa Wireless has patched a set of remote code execution, denial-of-service and file disclosure vulnerabilities. The products' web interface reveals device serial numbers, and another page in the same interface can then be used to force a factory reset without authentication.

The web interface also leaks passwords: an attacker can use an unsanitized GET request to download files as root, which amounts to more-or-less complete compromise. This can be used to view unsalted, MD5-hashed administrator passwords, which can then be cracked, giving the attacker full admin access to the device's web interface. The same vulnerability can be used to view the plaintext pre-shared key (PSK) for encrypted connections, or the device's serial number (which leads to the DoS above).

The bugs affect firmware versions below 2.2.3 and were patched in a mid-April release from Mimosa.

CERT-FR Weekly News Alert

Current Alerts

CERTFR-2017-ALE-008 : Multiple vulnerabilities in Microsoft Windows XP and Windows Server 2003 (15 May 2017)

Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-008.pdf

CERTFR-2017-ALE-011 : Jaff unsolicited e-mail (spam) campaign (14 May 2017)

Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-011.pdf

CERTFR-2017-ALE-010 : Propagation of ransomware exploiting the MS17-010 vulnerabilities (12 May 2017)

Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-010.pdf

CERTFR-2017-ALE-009 : Vulnerability in Microsoft Malware Protection Engine (09 May 2017)

Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-009.pdf

CERTFR-2017-ALE-008 : Vulnerability in RDP for Microsoft Windows XP and Windows Server 2003 (14 April 2017)

Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-008.pdf

Patches

CERTFR-2017-AVI-154 : Multiple vulnerabilities in Microsoft Windows XP, Windows Server 2003 and Windows 8 (15 May 2017)

Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-AVI-154.pdf

CERTFR-2017-AVI-153 : Multiple vulnerabilities in Moodle (15 May 2017)

Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-AVI-153.pdf