Security Bulletin #109 – 19 May 2017
Some machines can’t be infected by WannaCry because they have been already infected by Adylkuzz
The recent WannaCry ransomware attack wasn’t the first to use the NSA-linked EternalBlue and DoublePulsar hacking tools. Proofpoint researchers have discovered that the cryptocurrency miner Adylkuzz, was the first threat that used the EternalBlue exploit to trigger a vulnerability in the Server Message Block (SMB) protocol. The botnet used the EternalBlue exploit to improve the malware propagation, meanwhile, the DoublePulsar backdoor was used to deliver a malicious payload on target machines. Once the miner has infected a machine it will lose access to shared Windows resources and its performance slowly degrades, but most interesting thing is that the malware shuts down SMB networking to prevent infections with other malware. This implies that machines infected by Adylkuzz could not be compromised by the WannaCry ransomware, the effects of the last mass-ransomware attack could have been more severe in absence of a threat that previously exploited the same flaw. It is said that the Adylkuzz malware has patched the vulnerability targeted by WannaCry, limiting the spreading of the ransomware. The Adylkuzz attack used several virtual private servers to power the attack, they exploited EternalBlue to compromise them, then the DoublePulsar backdoor is established to download and execute the Adylkuzz malware. Once the Adylkuzz malware has infected a machine, the miner first stops any potential instances of itself and blocks SMB communication to avoid further infection. The malicious code also determines the public IP address of the victim and then downloads the mining instructions, the Monero crypto miner, and cleanup tools.
EU Authorities Fight Back Against ``Black Box`` ATM Attacks
A black box attack is a logical attack against cash dispensers. It requires gaining access to the inner workings of the machine, usually, notes Europol, ``by drilling holes or melting.`` Once access is achieved, the cash dispenser is disconnected from its core working, and connected instead to the hacker's own electronic device- the so-called black box. The attacker then simply issues the necessary commands to empty the cash dispenser; an act known as 'jackpotting', which bypasses any need for a card or transaction authorization. Since a black box attack simply empties the whole machine, rather than attempting to extract available cash from an individual account, a single successful attack can potentially steal hundreds of thousands of Euros. EAST will be leading a breakout session discussing black box attacks at the third global Financial Crime & Security (FCS) Forum, being held in The Hague on 8th/9th June 2017.
Microsoft Withheld Update That Could Have Slowed WannaCry
American software giant Microsoft held back from distributing a free security update that could have protected computers from the WannaCry global cyber-attack according to the Financial Times. In mid-march, Microsoft distributed a security update after it detected the security flaw in its XP operating system that enabled the so-called WannaCry ransomware to infiltrate and freeze computers last week. But the software giant only sent the free security update/patch to users of the most recent version of the Windows 10 operating system, the report said. Users of older software, such as Windows XP, had to pay hefty fees for technical support. A Microsoft spokesperson based in the United States told AFP: ``Microsoft offers custom support agreements as a stopgap measure`` for companies that choose not to upgrade their systems. ``To be clear, Microsoft would prefer that companies upgrade and realise the full benefits of the latest version rather than choose custom support.``
CERTFR-2017-ALE-008 : Multiples vulnérabilités dans Microsoft Windows XP et Windows Server 2003 (15 mai 2017)
CERTFR-2017-ALE-011 : Campagne de messages électroniques non sollicités de type Jaff (14 mai 2017)
CERTFR-2017-ALE-010 : Propagation d’un rançongiciel exploitant les vulnérabilités MS17-010 (12 mai 2017)
CERTFR-2017-AVI-160 : Multiples vulnérabilités dans les produits Cisco (18 mai 2017)
CERTFR-2017-AVI-159 : Vulnérabilité dans Joomla! (18 mai 2017)