Computer News & Safety – Harry Waldron Rotating Header Image

June, 2017:

Apple iPhone – 10th anniversary slide show

The history of Apple iPhone is documented in following link:

On the 10th anniversary of the iPhone’s launch, we look back at the phone’s evolution.  One decade ago, Apple finally released the first iPhone. The iPhone’s success certainly stems from its hardware design(s). But Apple is also to be credited with developing the app ecosystem.

Leadership – Three key techniques for success in 2017

John Maxwell offers excellent teamwork & leadership techniques in his weekly blog posts.

So how can you prepare your managers to make the most of their leadership positions while shifting out of a positional mind-set? Share these three ways to be more effective:

1. Stop Relying on Position to Push People. There is nothing wrong with having a leadership position. T While it’s easy to pull rank in order to push people, it isn’t always effective.

2. Trade Entitlement for Movement. Leadership isn’t a right; it’s a privilege and must be continually earned. Entitlement will always work against you. Good leaders don’t take anything for granted. They strive to keep the people and the organization moving forward towards its vision. Let a vision for making a difference lift you and your team above the status quo.

3. Leave Your Position and Move towards Your People. Leaders are initiators. Good leaders understand that it is their responsibility to move towards their people. Make it your job to learn who your people are, find out what they need, and help them and the team win.

Spam email – Blank Slate malware continues strong into June 2017

SANS ISC shares update on a highly effective ransomware attack reported back in March 2017. It is being massively spammed with blank email message with a zip archive attachment.  It is still going strong and attachment is highly convincing in some cases, so users should continue to keep AV ramped up & avoid all email & websites of a suspicious origin.

Blank Slate is the nickname for a malicious spam (malspam) campaign pushing ransomware targeting Windows hosts.  I’ve already discussed this campaign in a previous diary back in March 2017.  It has consistently sent out malspam since then.

Normally, emails from this campaign are blank messages with vague subject lines and attachments that don’t indicate what it is.  That’s why I’ve been calling it the “Blank Slate” campaign. Today’s Blank Slate malspam was pushing Cerber and GlobeImposter ransomware.

As I noted last time, potential victims must open the zip attachment, open the enclosed zip archive, then double-click the final .js file.  That works on default Windows configurations, but properly-administered Windows hosts and decent email filtering are enough, I think, to keep most people from worrying about Blank Slate. I still wonder how many people are fooled by Blank Slate malspam.

Petya-2017 is destructive disk wiper cyberattack rather than ransomware attack

The new Petya-2017 variant is not ransomware as it scrambles the MFT and MBR “table of contents” for the hard drive.  There is no way to recover from this destructive attack other than backups.  Researchers believe this is done more for malicious purposes rather than financial gains.

Like Petya, this attack overwrites the Master File Table and Master Boot Record on computers it infects. One organization reports that one unpatched machine was the culprit at its location, adding that it lost PCs due to a corrupted MBR, while other machines were showing the ransom note.

Researcher Matt Suiche of Comae Technologies said the malware is more wiper than ransomware. Suiche said this malware destroys the first 25 sector blocks of a hard disk, and the MBR section of the disk is purposely overwritten with a new boot loader.  The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative.”

Experts continue to stress the importance of applying the MS17-010 update to unpatched machines, and advise disabling PSEXEC and WMIC on local networks

Ransomware – Sophos describes how Petya attack cycle works

Sophos shares simularities and differences between WannaCry (May 2017 world-wide attack) & this new one, that is being gradually contained

The researchers found no internet-spreading mechanism, though like WannaCry, it uses the EternalBlue/DoublePulsar exploits that target vulnerable SMB installations to spread. But that spread is through internal networks only. Here’s the SMB exploit shellcode for Petya vs the one for WannaCry

In cases where the SMB exploit fails, Petya tries to spread using PsExec under local user accounts. (PsExec is a command-line tool that allows users to run processes on remote systems.) It also runs a modified mimikatz LSAdump tool that finds all available user credentials in memory.

It attempts to run the Windows Management Instrumentation Command-line (WMIC) to deploy and execute the payload on each known host with relevant credentials. (WMIC is a scripting interface that simplifies the use of Windows Management Instrumentation (WMI) and systems managed through it.). By using the WMIC/PsExec/LSAdump hacking techniques, attackers can infect fully patched PCs found on local networks, including Windows 10

Once the infection drops, the encryption stage begins. The ransomware scrambles your data files and overwrites the boot sector of your hard disk so that the next time you reboot, the master index of your C: drive will be scrambled too. The ransomware automatically forces a reboot after about an hour, thus activating the secondary scrambling process.

The victim knows there’s a problem because the ransom note takes over their screen.

Is there a kill switch? – The answer is yes, but only a local one, as outlined here

Ransomware – Petya kill switch discovered for specific Server or PC

Some of earlier analysis has been redacted and rewritten, as more is learned.  The discovery of “kill switch” c:\windows\perfc is technically a “prevention switch” for only a specific server or PC (i.e., not a kill switch that stops the full outbreak) … Corporate users need to get patched up on MS17-010, keep A/V updated, get on modern O/S, eliminate SMB1 protocol completely, etc.   Further evolution of this attack vector with new variants is almost certain in future.

Create a “read-only” file in c:\windows called perfc with no extension.  If malware finds c:\windows\perfc it won’t run on that specific machine. Administrative privileges are required.  The new text file can be created with NOTEPAD and saved as perfc, (remove .txt file extension at the end), then save to c:\windows and finally set attributes as “read-only“.

Ransomware – New Petya variant impacts European firms

This second major corporate ransomware attack is not quite as large as the original attack in May, as many firms have patched.  But the ransomware agent is much more sophisticated as researchers continue to evaluate these attacks in Europe

This is a follow-up from our previous diary about today’s ransomware attacks using the new Petya variant:

* Several hundred more tweets about today’s attack can be found on Twitter using #petya.
* The new Petya variant appears to be using the MS17-010 Eternal Blue exploit to propagate.
* Others claim the new variant uses WMIC to propagate
* Still no official word on the initial infection vector in today’s attacks.
* People everywhere are saying today’s activity is similar to last month’s WannaCry ransomware attack

The main culprit behind this attack is a new version of Petya, a ransomware that encrypts MFT (Master File Tree) tables for NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer. Because of this, Petya is more dangerous and intrusive compared to other strains because it reboots systems and prevents them from working altogether.

Petya appears to be spread via email spam in the form of boobytrapped Office documents. These documents use the CVE-2017-0199 Office RTF vulnerability to download and run the Petya installer, which then executes the SMB worm and spreads to new computers on the same network. Second, there’s the train of thought that Petya is spreading via a malicious update of the MEDOC accounting software, very popular in Ukraine


Microsoft Windows – Non-security fixes for Search and web page print issues

The 4th Tuesday of month is occasionally used to schedule non-security fixes and this release may contain some important fixes for those experiencing recent issues from last Windows update:

This non-security update includes improvements and fixes that were a part of Monthly Rollup KB4022719 (released June 13, 2017) and also includes these new quality improvements as a preview of the next Monthly Rollup update:

* Addressed issue where users who are sharing their screen with external or internal customers see a blue screen on the display. This is caused by a Windows Display Driver Model (WDDM) violation.
* Addressed issue where, after installing KB3177725, an Active X control stops working.
* Addressed an issue where Internet Explorer and Microsoft Edge printing from a frame may result in 404 not found or blank page printed.
* Addressed issue to update time zone information.
* Addressed a reliability issue in Windows Search.
* Addressed issue where CRM UI may hang when pressing the reply button in mail workflow.

Ransomware – New second major outbreak impacting Europe

Early reports are sketchy with ISC & Kaspersky providing some of latest updates
Initial reports indicate this is much like last month’s WannaCry attack.   A global WannaCry-like ransomware outbreak–which began in Russia and Ukraine and spread across Europe–is being reported today. The attack is locking down networks in a number of industries, including energy, transportation, shipping and financial.
Security experts are still trying to determine what type of ransomware is being distributed. Early theories pointed at Petya while others say the ransomware may be a new strain yet to be identified.  Kaspersky Lab malware analyst Vyacheslav Zakorzhevsky said infections were traced to a “new ransomware we haven’t seen before.”
Matt Suiche, founder of cyber security firm Comae Technologies, said he saw evidence of infections through SMB, the same vector used by EternalBlue and the accompanying DoublePulsar rootkit; the vulnerability was patched in March by Microsoft in MS17-010.

Windows 10 Redstone – Preview 16226 in-depth review JUNE 2017

This excellent in-depth Windows Central article includes shares screenshots of the latest Windows 10 Redstone build

Microsoft is now rolling out Windows 10 build 16226 to testers with PCs configured in the Insider Fast ring. This is another significant update that delivers a new set of features and improvements that users will get as part of the Fall Creators Update, which is expected to release later this year.

Windows 10 build 16226 is a big rollout that brings more Microsoft Fluent Design System tweaks, and there are new updates for emoji, OneDrive Files On-Demand, Touch Keyboard and the handwriting experience. The Settings app adds new options and a few new changes, Task Manager now tracks GPU performance, and Microsoft Edge gets a lot of new improvements.  In this Windows 10 guide, we take a closer look at the new features and enhancements included in the latest test preview.