Welcome to ISSA KC

The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. Through its membership, ISSA -Kansas City helps security professionals in the Kansas City area learn of information security issues and trends, which promote education, collaboration, and leadership, and further the information security profession.


Petya Ransomware Sinks Global Businesses into Chaos

Posted by VP ISSA Wednesday, June 28, 2017


By David Jones, June 28, 2017, http://www.technewsworld.com/story/84643.html

  

A new ransomware exploit dubbed "Petya" struck major companies and infrastructure sites this week, following last month's WannaCry ransomware attack, which wreaked havoc on more than 300,000 computers across the globe. Petya is believed to be linked to the same set of hacking tools as WannaCry.

Petya already has taken thousands of computers hostage, impacting companies and installations ranging from Ukraine to the U.S. to India. It has impacted a Ukrainian international airport, and multinational shipping, legal and advertising firms. It has led to the shutdown of radiation monitoring systems at the Chernobyl nuclear facility.

Europol, the international law enforcement agency, could not provide operational details on the attack, spokesperson Tine Hollevoet told the E-Commerce Times, but it was trying to "get a full picture of the attack" from its industry and law enforcement partners.

Petya "is a demonstration of how cybercrime evolves at scale and, once again, a reminder to business of the importance of taking responsible cybersecurity measures," Europol Executive Director Rob Wainwright said in a Wednesday update.

Unlike WannaCry, the Petya attack does not include any type of 'kill switch,' according to Europol.

Variant Characteristics 

The U.S. Computer Emergency Readiness Team on Tuesday began fielding numerous reports about the Petya ransomware infecting computers around the world, and noted that this particular variant encrypts the master boot records of Windows computers and exploits vulnerabilities in the Server Message Block.

The RANSOM_PETYA.SMA variant uses as infection vectors both the EternalBlue exploit, which was used in the WannaCry attack, and the PsExec tool, which is a Microsoft utility used to run processes using remote access, according to Trend Micro. Users should apply the MS17-010 security patch, disable TCP port 445, and restrict accounts with administrator group access, the firm recommended.

The Petya variant uses the rundll32.exe process to run itself, and encryption is carried out using perfc.dat, a file located in the Windows folder, Trend Micro said.

The ransomware adds a scheduled task and reboots the computer system after one hour. The Master Boot Record is modified, allowing encryption to take place, and a ransom note is displayed with a fake CHKDSK notice.

The Petya exploit uses a hardcoded bitcoin address, making decryption more labor-intensive than it was during the WannaCry attack. However, users similarly are asked to pay US$300 to release the data. An estimated $7,500 had been paid as of Tuesday, according to Trend Micro. However, that number could change as the attacks spread.

Many companies failed to upgrade their computer systems properly following the WannaCry attack, said Gaurav Kumar, CTO at RedLock. WannaCry exploited legacy Windows systems that had not been patched, even though Microsoft issued an update in March, he told the E-Commerce Times.

Governments should mount coordinated efforts to fight cyberattacks, according to Access Now, an advocate for digital rights and privacy.
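The behaviours Trend Micro describes above (rundll32.exe running the payload from perfc.dat, a scheduled task that reboots the machine, and PsExec used to run processes remotely) are all visible in ordinary process-creation telemetry. The script below is an added example, not code from the article, Trend Micro or US-CERT: it applies three hunting rules to a process-creation export of the kind an EDR or Sysmon would produce. Every log line, hostname and IP address in it is constructed for the example, and the command-line arguments are placeholders rather than the malware's actual arguments; the pipe-delimited record format is likewise an assumption standing in for whatever your tooling exports.

```python
"""Hunt for the Petya variant behaviours described in the article in
process-creation records. Added example; all sample data is CONSTRUCTED."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample export: host|parent_image|image|command_line, one record per line.
SAMPLE_LOG = r"""
WS01|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe notes.txt
WS01|C:\Windows\System32\wbem\WmiPrvSE.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\perfc.dat,#1
WS01|C:\Windows\System32\rundll32.exe|C:\Windows\System32\schtasks.exe|schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:42
WS01|C:\Windows\System32\rundll32.exe|C:\Temp\psexec.exe|psexec.exe \\10.0.0.7 -accepteula -d rundll32.exe C:\Windows\perfc.dat,#1
WS02|C:\Windows\explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL
WS02|C:\Windows\explorer.exe|C:\Windows\System32\schtasks.exe|schtasks /Query
WS03|C:\Windows\System32\cmd.exe|C:\Tools\PsExec.exe|PsExec.exe \\fileserver -accepteula ipconfig
"""


@dataclass(frozen=True)
class Record:
    host: str
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    cmdline: str


def parse_records(text: str) -> list[Record]:
    """Parse the pipe-delimited export, skipping blank lines. The command line is
    the last field, so split on at most three separators to keep it intact."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, parent, image, cmdline = line.split("|", 3)
        records.append(Record(host, parent, image, cmdline))
    return records


def _basename(path: str) -> str:
    """Case-insensitive file name of a Windows path (works on any OS)."""
    return PureWindowsPath(path).name.lower()


# Parents from which an administrator would normally launch PsExec by hand.
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}


def rule_rundll32_perfc(r: Record) -> bool:
    """Article: the variant runs itself via rundll32.exe and encrypts using perfc.dat."""
    return _basename(r.image) == "rundll32.exe" and "perfc.dat" in r.cmdline.lower()


def rule_scheduled_reboot(r: Record) -> bool:
    """Article: a scheduled task is added that reboots the system after one hour."""
    c = r.cmdline.lower()
    return (_basename(r.image) == "schtasks.exe" and "/create" in c
            and "shutdown" in c and " /r" in c)


def rule_psexec_lateral(r: Record) -> bool:
    """Article: PsExec is an infection vector. Flag it when launched by something
    other than an operator's shell, or when it carries the perfc.dat payload."""
    if not _basename(r.image).startswith("psexec"):
        return False
    return (_basename(r.parent) not in INTERACTIVE_PARENTS
            or "perfc.dat" in r.cmdline.lower())


RULES = {
    "rundll32_perfc": rule_rundll32_perfc,
    "scheduled_reboot": rule_scheduled_reboot,
    "psexec_lateral": rule_psexec_lateral,
}


def evaluate(records: list[Record]) -> list[Finding]:
    """Run every rule over every record and collect the hits, in record order."""
    return [Finding(name, r.host, r.cmdline)
            for r in records for name, rule in RULES.items() if rule(r)]


def score_hosts(findings: list[Finding]) -> dict[str, int]:
    """Count distinct rules per host: several different behaviours on one host is
    much stronger evidence than any single rule firing once."""
    seen: dict = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.rule)
    return {host: len(rules) for host, rules in seen.items()}


if __name__ == "__main__":
    hits = evaluate(parse_records(SAMPLE_LOG))
    for f in hits:
        print(f"[{f.rule}] {f.host}: {f.cmdline}")
    print("distinct rules per host:", score_hosts(hits))
```

On the constructed data only WS01 fires, and it fires all three rules, which is the pattern to escalate on; the lone rundll32 control-panel launch on WS02 and the hand-typed PsExec on WS03 stay quiet. The rules are deliberately narrow, so pair them with the mitigations the article lists (MS17-010, blocking TCP 445, pruning local administrator membership) rather than treating them as a substitute.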

The Petya attack's use of the EternalBlue exploit shows that government agencies should not be stockpiling vulnerabilities, the group argued, as the exploit has been linked to the Shadow Brokers' leak of an exploit created by the National Security Agency. "Governments should promote patching by developing and codifying vulnerabilities equities processes and through support of coordinated disclosure programs," said Drew Mitnick, policy counsel at Access Now.

Corporations Caught 

Pharmaceutical giant Merck & Co. on Tuesday confirmed that its computer network was compromised by the attack, and said it was investigating the matter.

International law firm DLA Piper confirmed that its advanced warning systems detected suspicious activity that apparently was linked to a new variant of the Petya malware. The firm said it had taken down its systems to prevent the spread, and that it had enlisted forensic experts and was cooperating with FBI and UK National Crime Agency investigators.

Advertising and public relations firm WPP said it was working with its IT partners and law enforcement agencies to take precautionary measures, restore services where they have been disrupted, and keep the impact on clients, partners and people to a minimum. The company has taken steps to contain the attack and is working to return to normal operations as soon as possible, while protecting its systems.

International shipping firm A.P. Moeller-Maersk reported that a number of company IT systems were down following the attack and said that it had shut down a number of systems to contain the problem. APM terminals were down in a number of ports, and the Port Authority of New York and N.J. issued a warning to delay arrivals in light of APM's system issues.




On Friday, the world experienced the wrath of a well-coordinated ransomware attack, known as WannaCrypt. The attack caused Britain's NHS to cancel surgeries, a wide array of Russian and Chinese private and public institutions to be crippled most of the day, and the rest of the world to recoil in shock. How could a single piece of malware that exploited a vulnerability identified long ago by the NSA, and leaked last month by a group called the Shadow Brokers, wreak so much havoc?

Before the malware could do damage in the United States, a lone British researcher, known as "MalwareTech," serendipitously identified its kill switch -- the registration of a domain name -- while on vacation. The ease with which MalwareTech did this says a great deal about the poor state of the global information security industry, and raises several important questions.

MalwareTech analyzed the malware in a testing environment and immediately noticed that the code queried an improbable Internet domain name that did not exist. Domain names often function as malware command and control centers, so MalwareTech simply bought the domain name, which triggered the kill switch for WannaCrypt. This was incredibly lucky. MalwareTech believes that the domain name was not intended as a kill switch, but rather a mechanism by which the malware itself could identify whether it was being analyzed.

If the domain name were active, the malware would assume it was a false positive from a researcher disassembling its code, and WannaCrypt was designed to frustrate such analyses by shutting itself down. The fact that only a single domain name was coded into the malware meant that registering that domain name had the effect of shutting down WannaCrypt worldwide. In short, WannaCrypt's creators were lazy, and the world lucked out. If WannaCrypt could be shut down so quickly and easily, why did it take so long for someone in this world to flip the kill switch, and what does this say about the state of global cyber preparedness?

First, it shows that the information security industry views cyberattacks more as a business development opportunity than as a chance to put their collective heads together to eliminate threats. Though there are undoubtedly professionals who share data unconditionally -- as MalwareTech himself did -- yesterday's events make it clear that the efforts of the information security community need greater alignment, and that the world cannot rely on a combination of serendipity and lazy coding to prevent the next attack.

Second, we must ask whether WannaCrypt was merely a test of readiness. Perhaps the kill switch existed not out of laziness but as a deliberate act, one designed to test how long it would take to shut down the attack. On the other hand, perhaps the creators intended to gather intelligence on the extent and type of systems that could be affected by malware targeting aged operating systems like Windows XP, which developers do not regularly update or support. Alternatively, WannaCrypt could have been intended merely to demonstrate the moral hazard of governments that catalogue software vulnerabilities but do not notify software developers. Thus, WannaCrypt illustrated exactly what could happen if these vulnerabilities fall into the wrong hands.

WannaCrypt has generated much debate about the danger of state-sponsored cyberattacks. As a staunch privacy and security advocate, I believe the inclusion of government-mandated backdoors in applications or operating systems that could allow unfettered access to personal data or activities is not only unwise but entirely misguided. But if the 2016 election has taught us anything, we cannot deny that we live in a time that requires both offensive and defensive cyber capabilities.

Similarly, we cannot deny that we should be expecting more of software behemoths like Microsoft. We live in the era of big data, where all software is tracked. In the face of a software vulnerability that may bring a portion of the world to a halt, we should expect more than the timely release of a patch.

When critical systems rely on at-risk software, it is reasonable to expect that software developers like Microsoft, not governments, become more adept at notifying at-risk parties and ensuring systems become properly patched. Long-winded blog posts, emails, and available updates are unfortunately insufficient because many customers do not receive mainstream support or may not even know they are in possession of a vulnerable system.

On April 8, 2014, Microsoft ended its support of the Windows XP operating system on which WannaCrypt relied to propagate, and yet institutions around the globe continue to use it. The world was quite different three years ago: the Internet of Things was a nascent but growing concept. Today the IoT is a major concern.

If we do not discover greater efficiencies to combat pernicious threats like WannaCrypt, and if we countenance the creation and abandonment of insecure software, we can expect to face a far greater cascade of threats that have the potential to cause significant digital and physical damage. And next time we may not be so lucky.

Upcoming Events

Aug 23rd - Chapter Meeting (Register)

Sept 5th - SIG/WIS Meeting at Sprint

Oct 25th - Chapter Meeting (Register)

Nov 8th - Happy Hour (Register)

Past events:

July 26th - Chapter meeting @ Hereford House

June 28th, 2018 - Chapter Meeting

May 24th, 2018 - Chapter Meeting

May 17th, 2018 - Happy Hour

Questions about upcoming meetings? email VP

Join the ISSA Kansas City Chapter

ISSA KC Mentorship Program (Program Details)

Mentor form/Application
Mentee form/Application


Join our mailing list to stay current on ISSA Kansas City!


For more information on how to join the Kansas City Chapter of ISSA, click here. Join today!


ISSA Member Login Page (Login)


ISSA International's Special Interest Groups (SIG) and Webinars: SIG, On-Demand, Conf

SIG groups are:

Security Awareness

Women in Security

Healthcare

Financial

Social Media

Chapter meetings are a great way to get to know your peers here in KC. And, if you're currently looking to make a career change, it's an invaluable way to build relationships that can provide you with the "inside information" on open security positions.










Do you have any membership questions? email link


Sponsors









Synack

Forcepoint

Carbon Black

Zerto

Tenable

CyberArk

Critical Start

Securonix

OKTA

ProofPoint



Be a sponsor!!! Email us at president@kc.issa.org