Computer News & Safety tips – Harry Waldron MVP


Ransomware – Sophos describes how Petya attack cycle works

Sophos shares the similarities and differences between WannaCry (the May 2017 world-wide attack) and this new outbreak, which is gradually being contained.

https://nakedsecurity.sophos.com/2017/06/28/deconstructing-petya-how-it-spreads-and-how-to-fight-back/

The researchers found no internet-spreading mechanism, though like WannaCry, it uses the EternalBlue/DoublePulsar exploits that target vulnerable SMB installations to spread. But that spread is through internal networks only. Here’s the SMB exploit shellcode for Petya vs the one for WannaCry (shown as a side-by-side image in the linked Sophos article).

In cases where the SMB exploit fails, Petya tries to spread using PsExec under local user accounts. (PsExec is a command-line tool that allows users to run processes on remote systems.) It also runs a modified mimikatz LSAdump tool that finds all available user credentials in memory.

It attempts to run the Windows Management Instrumentation Command-line (WMIC) to deploy and execute the payload on each known host with relevant credentials. (WMIC is a scripting interface that simplifies the use of Windows Management Instrumentation (WMI) and systems managed through it.) By using the WMIC/PsExec/LSAdump hacking techniques, attackers can infect fully patched PCs found on local networks, including Windows 10.

Once the infection drops, the encryption stage begins. The ransomware scrambles your data files and overwrites the boot sector of your hard disk so that the next time you reboot, the master index of your C: drive will be scrambled too. The ransomware automatically forces a reboot after about an hour, thus activating the secondary scrambling process.

The victim knows there’s a problem because the ransom note takes over their screen.

Is there a kill switch? – The answer is yes, but only a local one, as outlined here.

Ransomware – Petya kill switch discovered for specific Server or PC

Some of the earlier analysis has been redacted and rewritten as more is learned. The discovery of the “kill switch” c:\windows\perfc is technically a “prevention switch” for only a specific server or PC (i.e., not a kill switch that stops the full outbreak) … Corporate users need to get patched up on MS17-010, keep A/V updated, get on a modern O/S, eliminate the SMB1 protocol completely, etc. Further evolution of this attack vector with new variants is almost certain in the future.
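As an added illustration of the “eliminate SMB1” advice above (this script is not part of the post or the linked articles), the PowerShell below reports whether a Windows 10 host still accepts SMBv1 and, when run with the -Disable switch, turns it off. It assumes an elevated PowerShell session on Windows 8.1/Windows 10 or later, where the Get-SmbServerConfiguration and Get-WindowsOptionalFeature cmdlets ship with the OS; the $Disable parameter name is chosen here and is not a Windows setting.

```powershell
# Added example (not from the post): audit and optionally disable SMBv1 on a
# Windows 10 host. Assumes an elevated PowerShell session.
param([switch]$Disable)   # run with -Disable to actually turn SMBv1 off (assumed name)

# Server side: does this host still accept the SMBv1 dialect?
$server = Get-SmbServerConfiguration
Write-Host "SMB server accepts SMBv1 : $($server.EnableSMB1Protocol)"

# Optional feature: is the SMB1Protocol component installed at all?
# (If it is 'Disabled', neither the client nor the server side can use SMBv1.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Host "SMB1Protocol feature      : $($feature.State)"

if ($Disable) {
    # 1. Stop the server from speaking SMBv1; takes effect immediately.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # 2. Remove the component so the client side cannot use it either (reboot required).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Write-Host "SMBv1 disabled; reboot to finish removing the SMB1Protocol feature."
}
```

Run it once without -Disable to see the current state; a result of `False` / `Disabled` means the EternalBlue-style SMBv1 exploitation path described above is closed on that host. Disabling SMBv1 does not replace the MS17-010 patch, since it only removes the vulnerable protocol from this machine and any legacy device on the network that still speaks only SMBv1 will lose access to it.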

https://www.bleepingcomputer.com/news/security/wannacry-d-j-vu-petya-ransomware-outbreak-wreaking-havoc-across-the-globe/

https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/

Create a “read-only” file in c:\windows called perfc with no extension. If the malware finds c:\windows\perfc it won’t run on that specific machine. Administrative privileges are required. The new text file can be created with NOTEPAD and saved as perfc (remove the .txt file extension at the end), then saved to c:\windows, and finally its attributes set to “read-only”.
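The same steps, as an added PowerShell script rather than the NOTEPAD procedure in the post (this is not code from the post or the BleepingComputer article). It assumes an elevated PowerShell session and that $env:SystemRoot resolves to C:\Windows, as it does on a standard installation.

```powershell
# Added example (not from the post): create the c:\windows\perfc "vaccine" file
# described above and mark it read-only. Assumes an elevated PowerShell session.

$vaccinePath = Join-Path $env:SystemRoot 'perfc'   # C:\Windows\perfc, no extension

# %SystemRoot% is writable only by administrators, so check before trying.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from an elevated PowerShell session; writing to $env:SystemRoot requires administrative privileges."
}

if (-not (Test-Path -LiteralPath $vaccinePath)) {
    # An empty file is enough; the malware only checks whether the path exists.
    New-Item -Path $vaccinePath -ItemType File -Force | Out-Null
}

# Set the read-only attribute, as the post recommends, so a casual cleanup does not remove it.
Set-ItemProperty -LiteralPath $vaccinePath -Name IsReadOnly -Value $true

# Verify the result: the file must exist and carry the read-only attribute.
$file = Get-Item -LiteralPath $vaccinePath
if ($file.IsReadOnly) {
    Write-Host "Vaccine file present and read-only: $($file.FullName)"
} else {
    Write-Warning "Vaccine file exists but is not read-only: $($file.FullName)"
}
```

As the post stresses, this only stops the current variant from running on the one machine where the file is created; it does nothing for the rest of the network and is not a substitute for the MS17-010 patch, current A/V, or removing SMB1.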

Ransomware – New Petya variant impacts European firms

This second major corporate ransomware attack is not quite as large as the original attack in May, as many firms have since patched. But the ransomware agent is much more sophisticated, as researchers continue to evaluate these attacks in Europe.

http://www.reuters.com/article/us-cyber-attack-idUSKBN19I1TD

https://isc.sans.edu/diary/Checking+out+the+new+Petya+variant/22562

https://www.bleepingcomputer.com/news/security/wannacry-d-j-vu-petya-ransomware-outbreak-wreaking-havoc-across-the-globe/

This is a follow-up from our previous diary about today’s ransomware attacks using the new Petya variant:

* Several hundred more tweets about today’s attack can be found on Twitter using #petya.
* The new Petya variant appears to be using the MS17-010 Eternal Blue exploit to propagate.
* Others claim the new variant uses WMIC to propagate.
* Still no official word on the initial infection vector in today’s attacks.
* People everywhere are saying today’s activity is similar to last month’s WannaCry ransomware attack.

The main culprit behind this attack is a new version of Petya, a ransomware that encrypts MFT (Master File Table) tables for NTFS partitions and overwrites the MBR (Master Boot Record) with a custom bootloader that shows a ransom note and prevents victims from booting their computer. Because of this, Petya is more dangerous and intrusive than other strains: it reboots systems and prevents them from working altogether.

Petya appears to be spread via email spam in the form of booby-trapped Office documents. These documents use the CVE-2017-0199 Office RTF vulnerability to download and run the Petya installer, which then executes the SMB worm and spreads to new computers on the same network. A second theory is that Petya is spreading via a malicious update of the MEDOC accounting software, which is very popular in Ukraine.


Microsoft Windows – Non-security fixes for Search and web page print issues

The 4th Tuesday of the month is occasionally used to schedule non-security fixes, and this release may contain some important fixes for those experiencing recent issues from the last Windows update:

https://support.microsoft.com/en-us/help/4022168/windows-7-sp1-windows-server-2008-r2-sp1-update-kb4022168

This non-security update includes improvements and fixes that were a part of Monthly Rollup KB4022719 (released June 13, 2017) and also includes these new quality improvements as a preview of the next Monthly Rollup update:

* Addressed issue where users who are sharing their screen with external or internal customers see a blue screen on the display. This is caused by a Windows Display Driver Model (WDDM) violation.
* Addressed issue where, after installing KB3177725, an Active X control stops working.
* Addressed an issue where Internet Explorer and Microsoft Edge printing from a frame may result in 404 not found or blank page printed.
* Addressed issue to update time zone information.
* Addressed a reliability issue in Windows Search.
* Addressed issue where CRM UI may hang when pressing the reply button in mail workflow.

Ransomware – New second major outbreak impacting Europe

Early reports are sketchy, with ISC & Kaspersky providing some of the latest updates.

Initial reports indicate this is much like last month’s WannaCry attack. A global WannaCry-like ransomware outbreak, which began in Russia and Ukraine and spread across Europe, is being reported today. The attack is locking down networks in a number of industries, including energy, transportation, shipping and financial.
Security experts are still trying to determine what type of ransomware is being distributed. Early theories pointed at Petya while others say the ransomware may be a new strain yet to be identified.  Kaspersky Lab malware analyst Vyacheslav Zakorzhevsky said infections were traced to a “new ransomware we haven’t seen before.”
Matt Suiche, founder of cyber security firm Comae Technologies, said he saw evidence of infections through SMB, the same vector used by EternalBlue and the accompanying DoublePulsar rootkit; the vulnerability was patched in March by Microsoft in MS17-010.

Windows 10 Redstone – Preview 16226 in-depth review JUNE 2017

This excellent in-depth Windows Central article shares screenshots of the latest Windows 10 Redstone build.

https://www.windowscentral.com/windows-10-build-16226-pc-everything-you-need-know

Microsoft is now rolling out Windows 10 build 16226 to testers with PCs configured in the Insider Fast ring. This is another significant update that delivers a new set of features and improvements that users will get as part of the Fall Creators Update, which is expected to release later this year.

Windows 10 build 16226 is a big rollout that brings more Microsoft Fluent Design System tweaks, and there are new updates for emoji, OneDrive Files On-Demand, Touch Keyboard and the handwriting experience. The Settings app adds new options and a few new changes, Task Manager now tracks GPU performance, and Microsoft Edge gets a lot of new improvements.  In this Windows 10 guide, we take a closer look at the new features and enhancements included in the latest test preview.

Spam EMAIL attack – FAKE DDoS threat if site owner does not pay

The SANS Internet Storm Center warns that spammed FAKE DDoS attack threats are circulating to contact points on the web site’s WHOIS registration records (usually the webmaster). The site owner is threatened if they do not pay, just like the approach used in ransomware attacks.

https://isc.sans.edu/forums/diary/Fake+DDoS+Extortions+Continue+Please+Forward+Us+Any+Threats+You+Have+Received/22550/

We do continue to receive reports about DDoS extortion e-mail. These e-mails are essentially spammed to the owners of domains based on whois records. They claim to originate from well-known hacker groups like “Anonymous” who have been known to launch DDoS attacks in the past. These e-mails essentially use the notoriety of the group’s name to make the threat sound more plausible. But there is no evidence that these threats originate from these groups, and so far we have not seen a single case of a DDoS being launched after a victim received these e-mails. So there is no reason to pay.


SAMPLE “FAKE DDoS” EMAIL MESSAGE (designed to solicit money)
We are Anonymous hackers group.
Your site [domain name] will be DDoS-ed starting in 24 hours if you don’t pay only 0.05 Bitcoins @ [bit coin address]
Users will not be able to access sites host with you at all.
If you don’t pay in next 24 hours, attack will start, your service going down permanently. Price to stop will increase to 1 BTC and will go up 1 BTC for every day of attack.
If you report this to media and try to get some free publicity by using our name, instead of paying, attack will start permanently and will last for a long time.
This is not a joke.
Our attacks are extremely powerful – over 1 Tbps per second. No cheap protection will help.
Prevent it all with just 0.05 BTC @ [bitcoin address]
Do not reply, we will not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!
Bitcoin is anonymous, nobody will ever know you cooperated.

Windows 10 S – New locked down version introduced

During May, a new locked-down WIN10 store version was announced. While the “S” could stand for STORE, it may also reflect SECURITY and SIMPLICITY. Today, Windows users must have some basic technical savvy to install software and keep the system secure & in good working order. This new version will run only certified and secure MS Store applications — and that can help mitigate malware attacks.

The following articles provide a good overview of this special O/S design:

http://www.zdnet.com/article/what-is-windows-10-s/

http://www.zdnet.com/article/microsoft-launches-windows-10-s-its-store-centric-version-of-windows-10/

http://www.zdnet.com/article/windows-10-s-is-the-future-but-not-the-present-of-the-desktop-pc/

Microsoft has rechristened its Windows 10 Cloud product as Windows 10 S, and officially launched it at its Microsoft Education event in New York City on May 2. The “S” in Windows 10 S doesn’t stand for “student,” officials said — even though this is a version of Windows aimed squarely at the education market and meant to help Microsoft and hardware partners take on Chromebooks.

Instead, the “S” stands for “security, simplicity and superior performance,” officials claim — or “soul” as Terry Myerson, head of Microsoft’s Windows and Devices Group quipped at Microsoft’s rollout earlier today. PCs running Windows 10 S also will be available to anyone looking for more secure, locked-down Windows devices, and be available from both third-party PC makers and Microsoft itself at a variety of price points.

As previously known, Windows 10 S is meant to run Windows Store applications only. This includes Win32 applications that are wrapped using Microsoft’s Desktop Bridge technology (codenamed “Centennial”). Windows 10 S will include all the same features that Windows 10 Creators Update does, including support for mixed reality. The difference is that it is more of a locked-down variant, with Microsoft verifying and managing the overall experience via the Windows Store requirement.

Facebook Security – Profile Picture Guard protection pilot JUNE 2017

As Facebook user profile pictures can be copied and manipulated to create fake accounts, a pilot program of a new security protection is running in India. After Facebook gains experience and further tunes this new capability — it will likely be implemented for all users in the near future.

https://newsroom.fb.com/news/2017/06/giving-people-more-control-over-their-facebook-profile-picture/

Today, we are piloting new tools that give people in India more control over who can download and share their profile pictures. In addition, we’re exploring ways people can more easily add designs to profile pictures, which our research has shown helpful in deterring misuse. Based on what we learn from our experience in India, we hope to expand to other countries soon. People in India will start seeing a step-by-step guide to add an optional profile picture guard. When you add this guard:

* Other people will no longer be able to download, share or send your profile picture in a message on Facebook

* People you’re not friends with on Facebook won’t be able to tag anyone, including themselves, in your profile picture

* Where possible, we’ll prevent others from taking a screenshot of your profile picture on Facebook, which is currently available only on Android devices

* We’ll display a blue border and shield around your profile picture as a visual cue of protection

* Based on preliminary tests, we’ve learned that when someone adds an extra design layer to their profile picture, other people are at least 75% less likely to copy that picture

Windows 10 Redstone – New Preview version 16226 JUNE 2017

Earlier this month, Microsoft released a new preview build of the Windows 10 version coming later in 2017.

https://venturebeat.com/2017/06/21/microsoft-releases-new-windows-10-preview-with-new-edge-emoji-input-gaming-and-even-calculator-features/

Microsoft today released a new Windows 10 preview for PCs with a long list of features and improvements spanning Edge, emoji, OneDrive, keyboard, handwriting, sound, gaming, settings, shell, My People, calculator, accessibility, security, Hyper-V, and mixed reality. This is the fourth build of the upcoming Windows 10 Fall Creators Update, which is slated to arrive later this year (likely in September).  Today’s update bumps the Windows 10 build number for PCs from 16215 (made available to testers on June 8) to build 16226.

Windows 10 is a service, meaning it was built in a very different way from its predecessors so it can be regularly updated with not just fixes but new features, too. Microsoft has released many such updates, including three major ones: November Update, Anniversary Update, and Creators Update.  Instead of listing everything new in this build, here are the highlights:

* Edge: You can now view your favorites as a directory tree when you save new favorites, collapse or expand folders from within the “Add to favorites” dialog. IT admins can configure favorites via group policy and mobile device management.

* Emoji: Support for the latest Unicode update 5.0. Emoji pickers can now access the profession emoji and gender diverse options for some actions. The Emoji Panel now has a search feature and a dark theme.

* OneDrive: Files on Demand was turned on for Windows Insiders last week. When an app tries to download files stored only in the cloud, Windows now shows a message saying what’s being downloaded and options to prevent the app from downloading.

* Sound: Windows Sonic is now even easier to enable. Plug in a pair of headphones, right-click the sound icon in the notification area, and select Spatial sound to choose your preferred format.

* Gaming: There’s a new “Xbox Networking” section in settings, and the Task Manager has been updated to include GPU info.

* Settings: Storage Sense has a new look and lets you delete previous versions of Windows. Failed updates now result in a plain text error message and error code that can be easily copied.

* My People: The People flyout more clearly indicates the people listed there are pinned and the “Switch apps” now uses a hamburger icon.

* Calculator: As you can tell in the headline, this one is my favorite. The Calculator now has a Currency Converter function, including an offline mode.

* Security: As part of a multi-year security plan, the SMB1 networking protocol is being removed from Windows 10 by default.