Security Bulletin #107 – 17 May 2017
WannaCry: the ransomware worm that didn’t arrive on a phishing hook
Four days after WannaCry hijacked 200,000 computers in 150 countries, SophosLabs has determined that this attack probably didn’t start the way a typical ransomware attack does, with a phishing email carrying a malicious attachment or link that the user is tricked into opening. It also appears the first infections were in south-east Asia. There were no outlook.exe files anywhere; the only starting point was a compromised Windows SMB driver. So far, SophosLabs has found nothing but evidence of a network worm.

The investigation revealed a three-stage attack: remote code execution, with the malware gaining advanced user privileges; unpacking and execution of the payload; and, once a computer was hijacked, encryption of its documents and display of the ransom note.

Three key factors caused this attack to spread so quickly:
1) the inclusion of code that spread the threat across networks as a worm, quickly and without any further user action once the initial infection had taken place;
2) it exploited a vulnerability that many organizations had not patched against;
3) organizations are still running Windows XP, and there is no patch available for this version.

The first evidence of WannaCry was found at 7:44am UTC, when a client of an ISP in south-east Asia hit WannaCry’s kill-switch domain.
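The two traits described above are what a defender can actually look for in network telemetry: one host opening SMB (TCP/445) connections to many distinct peers in a short window, and any resolver query for the kill-switch domain. The following is an added example (not code from the bulletin or from SophosLabs) that runs that check over a handful of constructed log lines; the domain name, the log layout, the threshold and every address are placeholders, not values from the page.

```powershell
# Added example, not from the bulletin or from SophosLabs: flags worm-style SMB
# spreading (one source talking TCP/445 to many distinct destinations) and any
# lookup of the kill-switch domain. All values below are constructed placeholders.

$KillSwitchDomain = 'killswitch.invalid'   # placeholder; substitute the real indicator from your threat-intel source
$PeerThreshold    = 20                      # distinct TCP/445 destinations that count as scanning

# Constructed sample lines. Flow records: "<time> <src> <dst> <dstport> <proto>";
# resolver records: "<time> DNS <client> <queried-name>".
$SampleLines = @(
    1..25 | ForEach-Object { '08:01:{0:D2} 10.0.5.17 10.0.5.{1} 445 tcp' -f $_, (100 + $_) }
    '08:01:26 DNS 10.0.5.17 killswitch.invalid'
    '08:01:27 10.0.5.40 10.0.5.1 53 udp'
    '08:01:28 10.0.5.40 10.0.5.200 445 tcp'    # a single file-share connection, not scanning
)

function Find-WormIndicators {
    param([string[]]$Lines, [string]$KillSwitch, [int]$Threshold)
    $smbPeers = @{}   # source address -> hashtable used as a set of distinct TCP/445 destinations
    $dnsHits  = @()
    foreach ($line in $Lines) {
        $f = ($line.Trim() -split '\s+')
        if ($f.Count -lt 4) { continue }
        if ($f[1] -eq 'DNS') {
            if ($f[3] -ieq $KillSwitch) { $dnsHits += $f[2] }
            continue
        }
        if ($f.Count -ge 5 -and $f[3] -eq '445' -and $f[4] -eq 'tcp') {
            if (-not $smbPeers.ContainsKey($f[1])) { $smbPeers[$f[1]] = @{} }
            $smbPeers[$f[1]][$f[2]] = $true
        }
    }
    $scanners = foreach ($src in $smbPeers.Keys) {
        if ($smbPeers[$src].Count -ge $Threshold) { $src }
    }
    [pscustomobject]@{
        Smb445Scanners    = @($scanners)
        KillSwitchLookups = @($dnsHits | Sort-Object -Unique)
    }
}

$result = Find-WormIndicators -Lines $SampleLines -KillSwitch $KillSwitchDomain -Threshold $PeerThreshold
"Hosts scanning TCP/445 : $($result.Smb445Scanners -join ', ')"
"Kill-switch lookups by : $($result.KillSwitchLookups -join ', ')"
```

On the constructed input only 10.0.5.17 is reported under both headings: it reaches 25 distinct peers on TCP/445 and is the only client that resolved the placeholder domain, while 10.0.5.40's single share connection stays below the threshold. In production the threshold should be tuned against the normal fan-out of file servers and backup hosts, which legitimately talk to many peers on 445.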
Johnny Depp’s film stolen by hackers
Cyber criminals claim to have stolen the new instalment of the Pirates of the Caribbean film saga. They have threatened to release first five minutes of the movie and then 20-minute segments unless a ransom is paid. Disney, like any other movie maker, is a lucrative target for crooks who intend to monetize their efforts by blackmailing the company. The Hollywood Reporter added that other agencies had also been hit with extortion threats, while Disney is thought, like Netflix, to have refused to pay up. It’s no surprise then that other studios are stepping up security around their blockbuster properties: last week it was revealed that the cast of Game of Thrones had been told to use two-factor authentication on their emails to foil would-be hackers. Back to the present, it is still unclear whether hackers have really stolen ‘Pirates of the Caribbean: Dead Men Tell No Tales’. Sources: Naked Security & Security Affairs
Cisco warns: Some products might have WannaCrypt vuln
Here's why infosec needs to quit yelling “if you didn't patch it's your fault” about WannaCrypt: Cisco has announced that some of its products can't be patched against the ransomware. On Monday afternoon, the company said its Cisco Product Security Incident Response Team (PSIRT) had started its review. The investigation will focus on identifying vulnerable products that don't support either manual or automated updates to fix the underlying MS17-010 bug – in other words, products that will need to go on customers' kill lists because they can't be fixed. Promising updates as PSIRT discovers vulnerable systems, the advisory says: “Currently no additional guidance other than to apply the Microsoft patches or disable SMBv1 is applicable.” The company has published Snort rules and a Cisco IPS (Intrusion Prevention System) signature pack to block WannaCrypt traffic.
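The advisory's own guidance, apply the MS17-010 patches or disable SMBv1, is straightforward on Windows hosts that can be patched. The script below is an added example (not Cisco's or the bulletin's code) that audits whether SMBv1 is still enabled on a Windows host and, when run with -Disable, turns it off. It assumes an elevated session; the SmbShare cmdlets and the SMB1Protocol optional feature exist on Windows 8.1 / Server 2012 R2 and later, and for older systems it falls back to the SMB1 registry value under LanmanServer\Parameters.

```powershell
# Added example; not Cisco's or the bulletin's code. Audits SMBv1 and, with -Disable,
# turns it off, which is the mitigation the advisory names alongside patching.
# Assumes an elevated session. The fallback to the LanmanServer registry value is for
# hosts without the SmbShare module (an assumption about older Windows releases).
param([switch]$Disable)

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Feature {
    # The SMB1 feature package (client + server components), where the OS exposes it
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    }
}

function Get-Smb1State {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Older hosts: SMB1 DWORD under LanmanServer\Parameters; absent means enabled (the default)
        $v = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
        $server = if ($null -eq $v) { $true } else { [bool]$v.SMB1 }
    }
    $feature = Get-Smb1Feature
    [pscustomobject]@{
        Smb1ServerEnabled = $server
        Smb1FeatureState  = if ($feature) { $feature.State.ToString() } else { 'NotExposed' }
    }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        New-ItemProperty -Path $LanmanParams -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null
    }
    $feature = Get-Smb1Feature
    if ($feature -and $feature.State -eq 'Enabled') {
        # Removes the SMB1 client and server components; a reboot completes the change
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

$state = Get-Smb1State
"Before: server SMB1 enabled = $($state.Smb1ServerEnabled); feature = $($state.Smb1FeatureState)"
if ($Disable -and ($state.Smb1ServerEnabled -or $state.Smb1FeatureState -eq 'Enabled')) {
    Disable-Smb1
    $state = Get-Smb1State
    "After:  server SMB1 enabled = $($state.Smb1ServerEnabled); feature = $($state.Smb1FeatureState)"
}
```

Run it without arguments first to inventory hosts, then with -Disable once any remaining SMBv1-only clients (old multifunction printers and NAS appliances are the usual culprits) have been accounted for; disabling the server side alone already removes the exposure the MS17-010 exploit needs, and removing the feature package also stops the host from speaking SMBv1 as a client.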
CERT-FR Alerts & Patches
CERTFR-2017-ALE-008 : Multiple vulnerabilities in Microsoft Windows XP and Windows Server 2003 (15 May 2017)
CERTFR-2017-ALE-011 : Jaff unsolicited e-mail (spam) campaign (14 May 2017)
CERTFR-2017-ALE-010 : Spread of a ransomware exploiting the MS17-010 vulnerabilities (12 May 2017)
CERTFR-2017-ALE-009 : Vulnerability in Microsoft Malware Protection Engine (09 May 2017)
CERTFR-2017-ALE-008 : Vulnerability in RDP for Microsoft Windows XP and Windows Server 2003 (14 April 2017)
CERTFR-2017-AVI-156 : Multiple vulnerabilities in the Suse Linux kernel (16 May 2017)
CERTFR-2017-AVI-155 : Multiple vulnerabilities in Apple products (16 May 2017)