Security Bulletin #129 – 16 June 2017
After WannaCry, ransomware will get worse before it gets better
The WannaCry outbreak put ransomware into the global spotlight, generating coverage across mainstream media outlets as the epidemic locked governments, hospitals, public transport networks, factories and more out of their computer systems. Ransomware is going to become more advanced and harder to decrypt with free tools, and things are going to get worse before they get better: before enough individuals and organizations learn not to pay ransoms and to protect their systems with backups. Ransomware authors will have much more robust cryptography and payment channels, and there will be a shortage of decryption tools to help people get their data back without paying.

Even now, despite some ransomware variants being poorly built, ransomware works because victims give in to ransom demands, with some figures suggesting that as many as two-thirds of victims pay up. As a result, cybercriminals know they can get away with higher ransom demands. The average ransom has tripled in the last year, because it is supply and demand: if a criminal can charge more because they know they are going to get a return, they will. If people do not limit the impact by proactively preparing with the right security controls, patches and backups, many more people will end up facing irrecoverable data loss if they do not pay. Hopefully people are going to pay a little more attention to vulnerability management, patch management, legacy systems
Victims of Jaff Ransomware now can decrypt their locked files for free
Security researchers at Kaspersky Lab have discovered a weakness in the Jaff ransomware that allowed them to create decryption keys to unlock files encrypted by the malware. Once victims were infected by Jaff, the crooks demanded a ransom of between 0.5 and 2 Bitcoin (approximately $1,500 – $5,000 at current exchange rates). The weakness is exploited by a free tool that has been added to the list of free ransomware decryptors published by Kaspersky Lab; the same set of tools also recovers files encrypted by ransomware such as Rannoh and CoinVault. The free decryption tool for Jaff has been added to RakhniDecryptor (version 18.104.22.168).
Wikileaks revealed CIA Cherry Blossom framework for hacking Wireless devices
WikiLeaks released a new batch of documents belonging to the Vault 7 leak. The files provide details of the Cherry Blossom framework, which is used by CIA cyber spies to hack into Wi-Fi devices. Cherry Blossom is a remotely controllable, firmware-based implant for wireless networking devices. It is used to compromise routers and wireless access points (APs) by exploiting vulnerabilities to gain unauthorized access and then loading the custom Cherry Blossom firmware.

Cherry Blossom is composed of four main components:
1) FlyTrap – the beacon (compromised firmware) that runs on a compromised device and communicates with the CherryTree C&C server
2) CherryTree – the C&C server that communicates with FlyTrap
3) CherryWeb – a web-based admin panel running on CherryTree
4) Mission – a set of tasks sent by the C&C server to infected devices

CIA cyber spies use the Cherry Blossom framework to compromise wireless networking devices on targeted networks and then run man-in-the-middle attacks to eavesdrop on and manipulate the Internet traffic of connected devices. FlyTrap can perform the following malicious tasks:
1) Monitoring network traffic to gather data of interest such as email addresses, MAC addresses, VoIP numbers and chat user names
2) Redirecting users to malicious websites
3) Injecting malicious content into the data traffic to deliver malware
4) Setting up VPN tunnels to reach clients connected to FlyTrap's WLAN/LAN for further exploitation