If you are having trouble viewing this email, click here to view this online

 

VOLUME 72

   ISSUE 72

28 July 2017
Article of the Month Around the World

Petya (malware)

 


A new variant of Petya ransomware, also known as Petrwrap, NotPetya, or GoldenEye, is spreading rapidly with the help of the same Windows SMBv1 vulnerability that the WannaCry ransomware abused to infect 300,000 systems and servers worldwide in just 72 hours. Petya ransomware has been delivered via phishing emails pretending to provide a resume which is, in fact, a malicious dropper. Make sure your users are aware of the risks of opening attachments from unknown sources.


The malware appears to share a significant amount of code with an older piece of ransomware that really was called Petya, but in the hours after the outbreak started, security researchers noticed that �the superficial resemblance is only skin deep�. Researchers at Russia�s Kaspersky Lab redubbed the malware NotPetya, and increasingly tongue-in-cheek variants of that name Petna, Pneytna, and so on began to spread as a result. On top of that, other researchers who independently spotted the malware gave it other names.
 

The attack started in Ukraine and caused massive disruption to the country�s critical infrastructure, before spreading further in Europe, infecting a number of businesse.The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification such as a wiper would simply destroy and exclude possibilities of restoration

Spreading Petya according to countries. (Figure 1)


Petya was discovered in March 2016.Check Point noted that while it had achieved fewer infections than other active ransomware in early 2016, such as CryptoWall, which contained notable differences in the operation that made it immediately marked as the next Step In the evolution of the rescue. Another variant of Petya discovered in May 2016 contained a secondary payload used if malware can not gain access at the administrator level.


The Petya ransomware attack has spread from Ukraine to different parts of Europe (Spain, Netherlands, Denmark etc) and to India as well. It�s reported that the hackers behind this malware are asking for a ransom of $300 in Bitcoin. It�s also reported that they have already started getting their payment and that the ransom payment this time happens faster than it happened with WannaCry.


How to Prevent


Most major antivirus companies now claim that their software has updated to actively detect and protect against �Petya� infections: Symantec products using definitions version 20170627.009 should, for instance, and Kaspersky also says its security software is now capable of spotting the malware. Additionally, keeping Windows up to date at the very least through installing March�s critical patch defending against the EternalBlue vulnerability stops one major avenue of infection, and will also protect against future attacks with different payloads.
For this particular malware outbreak, another line of defence has been discovered: �Petya� checks for a read-only file, C:\Windows\perfc.dat, and if it finds it, it won�t run the encryption side of the software. But this �vaccine� doesn�t actually prevent infection, and the malware will still use its foothold on your PC to try to spread to others on the same network.
 


References


1. http://fortune.com/2017/06/27/petya-ransomware-cyber-attack/
2. https://www.theverge.com/2017/6/28/15888632/petya-goldeneye-ransomware-cyberattack-ukraine-russia
3. https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b

By

Supun Buddika Fernando

Buddika is an undergraduate of Sri Lanka Institute of Information Technology who is currently following BSc(Hons) IT Specializing Cyber Security. Currently he is working as Intern - Information Security Engineer at Sri Lanka CERT|CC



 

 

 

 

 

 

 

 

 

 


 




 

 

 

 

 

 

 

 

 

 

 

 

References

1 Statistics on the Internet growth in Sri Lanka
http://www.trc.gov.lk/images/pdf/
statis_sep_2012.doc
2.The Dragon Research Group (DRG)
http://www.dragonresearchgroup.org/
3.TSUBAME (Internet threat monitoring system) from JPCERT | CC
https://www.jpcert.or.jp/english/tsubame/
4.Shadowserver Foundation
http://www.shadowserver.org/wiki/
5. Team Cymru
http://www.team-cymru.com
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

 
  
  14M Verizon customer records exposed on Amazon server
  

  

"....A third-party vendor working with Verizon left the data of as many as 14 million US customers exposed on a misconfigured server.
UpGuard Director of Cyber Risk Research Chris Vickery on June 28, spotted exposed names, addresses, account details, account personal identification numbers (PINs) and information fields indicating customer satisfaction tracking for as many as 14 million US customers..."

 

MACOS FRUITFLY BACKDOOR ANALYSIS RENDERS NEW SPYING CAPABILITIES

  

"...Wardle built a custom command and control server to examine a FruitFly sample that was capable of executing shell commands, retrieving screen captures, manipulating mouse movements, killing processes and even triggering an alert to the attacker when the user is active again on their Mac......"

  Attackers used template injection technique to steal credentials of power plant operators
   

'...Hackers recently launched a phishing scheme against the energy sector that uses malicious attachments to download a template file via an SMB connection in order to silently harvest credentials, according to a blog post from Cisco Talos....'

BAD CODE LIBRARY TRIGGERS DEVIL�S IVY VULNERABILITY IN MILLIONS OF IOT DEVICES

   

  

'...Tens of millions of products ranging from airport surveillance cameras, sensors, networking equipment and IoT devices are vulnerable to a flaw that allows attackers to remotely gain control over devices or crash them.

The vulnerability, dubbed Devil�s Ivy, was identified by ​researchers at Senrio, who singled out high-end security cameras manufactured by Axis Communications. Senrio said 249 models of 251 Axis cameras are vulnerable to unauthenticated remote attackers who can intercept a video feed, reboot cameras, or pause a video feed while conducting a crime....'

The paranoid Android traveler�s data-protection checklist

  

'....International border crossings are often legal gray areas where government agents can, and sometimes do, ask travelers for access to their laptops, phones and other mobile devices. Complying with the request allows them to freely search, read or copy documents, emails, passwords, contacts and social media account information....'

Month in Brief
Facebook Incidents Reported to Sri Lanka CERT|CC in June 2017
     
  Statistics - Sri Lanka CERT|CC

Clock ticking on Google as $2.7 billion fine takes bite out of earnings

'...Google's parent company Alphabet has�with relative ease�gulped down the record �2.4 billion ($2.7 billion) fine slapped on the ad giant by the antitrust wing of the European Commission in June, following a long-running probe of the Google's abuse of dominance in Europe's search market.

On Monday, Alphabet reported second quarter net income of $3.52 billion�down 28 percent from the same period a year ago�due to what it said was "the impact of the $2.7 billion European Commission (EC) fine." Alphabet shares barely wobbled, however, following the Q2 results, which saw sales climb to $26 billion, up 21 percent year-on-year, while earnings per share stood at $5.01.....'

Adobe to kill off Flash plug-in by 2020

"...Adobe Systems has said that it plans to phase out its Flash Player plug-in by the end of 2020.
The technology was once one of the most widely used ways for people to watch video clips and play games online.
But it also attracted much criticism, particularly as flaws in its code meant it became a popular way for hackers to infect computers.
In recent years, much of its functionality has been offered by the rival HTML5 technology..."
Microsoft Paint saved after outpouring of love � sort of

�..After the tremendous outpouring of love across the internet for arguably the greatest Windows program ever, Microsoft has announced that it will save MS Paint by putting it on the Windows Store.

Following the company�s announcement that the 32-year-old Paint is now deprecated, meaning that it is �not in active development and might be removed in future releases�, Microsoft put out a blogpost in response to the anguished outcry at the potential removal of an old friend...�
22 free tools for data visualization and analysis

."...You may not think you've got much in common with an investigative journalist or an academic medical researcher. But if you're trying to extract useful information from an ever-increasing inflow of data, you'll likely find visualization useful -- whether it's to show patterns or trends with graphics instead of mountains of numbers, or to try to explain complex issues to a nontechnical audience...."

 
Notice Board
  Training and Awareness Programmes - July  2017
  
DateEventVenue

Brought to you by:                           

  
 

Sri Lanka Computer Emergency Readiness Team | Coordination Centre
Room 4-112, BMICH, Bauddhaloka Mawatha, 
Colombo 07 
Tel. +94 - 112 691 692
www.cert.gov.lk