SIGforum
Cyber attack using leaked NSA tool spreads across 74 countries; some UK hospitals crippled

This topic can be found at:
https://sigforum.com/eve/forums/a/tpc/f/320601935/m/4160041424

May 12, 2017, 03:19 PM
Sig2340
Cyber attack using leaked NSA tool spreads across 74 countries; some UK hospitals crippled


quote:
Foxnews.com: Leaked NSA tool used in major cyber attack

Cyber attacks that hit 74 countries across Europe and Asia Friday, impacting the public health system in Britain, apparently involved a leaked hacking tool from the National Security Agency.

The attack used ransomware, which is malware that encrypts data and locks a user from their data until they pay a ransom. The tool, which was leaked by a group known as Shadow Brokers, had been stolen from the N.S.A. as part of a wide swath of tools illegally released in 2016.

Microsoft said that they had rolled out a patch to fix the issue, but certain targets, including the hospitals in Britain, had not yet updated their systems.

The malware was sent via email with a file attached to it. From there, it subsequently spread.

Tom Donnelly, a spokesman for N.H.S. Digital, said the attack was still "ongoing" and that the organization was "made aware of it this afternoon," according to an interview in The New York Times.

The impact of the attacks caused phone lines to go down, appointments to be canceled and patients to be turned away, but there has been no reported evidence of patient data being breached.

"It's one of the widest spread attacks we've ever seen," said Michael Balboni, President of Redland Strategies, a consulting firm that specializes in cybersecurity. Balboni, who is also a former homeland security advisor for the state of New York, said that the possibility of another attack this size is possible.

"We're entering an age known as cyber-insecurity," Balboni added. "There's going to be a huge response from the public now that doctors and hospitals are being affected, there is going to be a huge shift in how people think about this."

There were a number of pictures posted to social media highlighting the ransomware, which asked for $300 in Bitcoin.

NHS Digital, which oversees cybersecurity in Britain, said the attack did not specifically target the NHS and "is affecting organizations from across a range of sectors." In total, 16 NHS organizations said they were affected.

ROSAL


And on the UK's NHS hospitals...

quote:
'Ransomware' cyberattack cripples hospitals across England

LONDON – A large cyberattack crippled computer systems at hospitals across Britain on Friday, with appointments canceled, phone lines down and patients turned away.

Britain's National Health Service said hospitals were hit by an apparent "ransomware" attack, but there was no immediate evidence that patient data had been accessed.

NHS Digital, which oversees hospital cybersecurity, says the attack used the Wanna Decryptor variant of malware, which infects and locks computers while the attackers demand a ransom.

Pictures posted on social media showed screens of NHS computers with images demanding payment of $300 worth of the online currency Bitcoin, saying: "Ooops, your files have been encrypted!"



NHS Digital said the attack "was not specifically targeted at the NHS and is affecting organizations from across a range of sectors." It said 16 NHS organizations had reported being hit.

Spain, meanwhile, activated a special protocol to protect critical infrastructure in response to the "massive infection" of personal and corporate computers in ransomware attacks.

The Spanish government said several companies had been targeted in a ransomware cyberattack that affected the Windows operating system of employees' computers. It said the attacks were carried out with a version of WannaCry ransomware that encrypted files and prompted a demand for money transfers to free up the system.

Spain's Telefonica was among the companies hit.

Spain's National Center for the Protection of Critical Infrastructure said it was communicating with more than 100 providers of energy, transportation, telecommunications and financial services about the attack even if basic services had not suffered any disruption.

In the U.K., hospitals in London, northwest England and other parts of the country reported problems and asked patients not to come to the hospitals unless it was an emergency. Most of the affected hospitals were in England, but several facilities in Scotland also reported being hit.

ROSAL






Nice is overrated

"It's every freedom-loving individual's duty to lie to the government."
Airsoftguy, June 29, 2018
May 12, 2017, 03:28 PM
Skins2881
$300 ransom????

Seems a little cheap to me?



Jesse

Sic Semper Tyrannis
May 12, 2017, 04:29 PM
jezsuiz
Could you imagine years of records disappearing? Scary stuff...
May 12, 2017, 04:33 PM
Sig Sauer Kraut
quote:
Originally posted by Skins2881:
$300 ransom????

Seems a little cheap to me?


That's the first payment. No guarantee that they provide the encryption key or don't re-lock it later.
May 12, 2017, 04:54 PM
henryarnaud
quote:
Originally posted by Skins2881:
$300 ransom????

Seems a little cheap to me?


Multiply that times the number of users affected, and factor in how little money it probably cost the hackers to set this up. Also, $300 is probably more likely to be paid than, say, $3000.



"It is a capital mistake to theorize before one has data. Insensibly one begins to twist facts to suit theories, instead of theories to suit facts." Sherlock Holmes
May 12, 2017, 05:12 PM
ZSMICHAEL
I am glad my doctor still knows how to use pen and paper to write prescriptions, schedule appointments and diagnose my problem. He even has a landline as a backup to return calls.
May 12, 2017, 05:22 PM
mkueffer
This stuff sucks, for those that want a bit more on how this works.

Today's ransomware worm outbreak is dissected by @TalosSecurity

EXECUTIVE SUMMARY
A major ransomware attack has affected many organizations across the world, reportedly including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The malware responsible for this attack is a ransomware variant known as 'WannaCry'.

The malware then has the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading similar to a worm, compromising hosts, encrypting files stored on them, then demanding a ransom payment in the form of Bitcoin.

Organizations should ensure that devices running Windows are fully patched and deployed in accordance with best practices. Additionally, organizations should have SMB ports (139, 445) blocked from all externally accessible hosts.

Please note this threat is still under active investigation, the situation may change as we learn more or as our adversary responds to our actions. Talos will continue to actively monitor and analyze this situation for new developments and respond accordingly. As a result, new coverage may be developed or existing coverage adapted and/or modified at a later date. For current information, please refer to your Firepower Management Center or Snort.org.




A few Sigs and some others
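The Talos summary above describes two things a defender can act on: the worm scans TCP/445 looking for new hosts, and SMB ports 139/445 should not be reachable from outside. The script below is an added example, not code from Talos or from anyone in this thread; it runs a simple "many distinct SMB peers from one source in a short window" heuristic over a constructed connection log, and separately lists any SMB connection that left the internal range. The log format, the 10.x internal prefix, the 60-second window and the threshold of five peers are all assumptions chosen for illustration.

```python
"""Spot worm-style SMB scanning and external SMB traffic in connection logs.

Added example (not from the Talos write-up or the forum post). The log
format and thresholds are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one line per connection attempt:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <tcp_state>"
SAMPLE_LOG = """\
2017-05-12T13:00:01 10.0.0.5 -> 10.0.0.6:445 SYN
2017-05-12T13:00:01 10.0.0.5 -> 10.0.0.7:445 SYN
2017-05-12T13:00:02 10.0.0.5 -> 10.0.0.8:445 SYN
2017-05-12T13:00:02 10.0.0.5 -> 10.0.0.9:445 SYN
2017-05-12T13:00:03 10.0.0.5 -> 10.0.0.10:445 SYN
2017-05-12T13:00:03 10.0.0.5 -> 10.0.0.11:445 SYN
2017-05-12T13:00:04 10.0.0.5 -> 203.0.113.9:445 SYN
2017-05-12T13:00:05 10.0.0.20 -> 10.0.0.2:445 SYN
2017-05-12T13:00:09 10.0.0.20 -> 10.0.0.2:445 SYN
2017-05-12T13:00:10 10.0.0.21 -> 10.0.0.99:443 SYN
"""

SMB_PORTS = {139, 445}  # the ports Talos recommends blocking externally


def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port, state)."""
    ts, src, _, dst, state = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), state


def find_smb_scanners(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {src_ip: peer_count} for sources that contacted at least
    `threshold` distinct hosts on an SMB port within any `window`.

    A file server talks to many clients on 445, but a *client* reaching out
    to many distinct hosts on 445 in seconds is the spreader pattern."""
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_ip)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, port, _ = parse_line(line)
        if port in SMB_PORTS:
            events[src].append((ts, dst_ip))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # Slide the window start forward until it fits.
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            peers = {dst for _, dst in evs[lo:hi + 1]}
            if len(peers) >= threshold:
                flagged[src] = max(len(peers), flagged.get(src, 0))
    return flagged


def external_smb_attempts(log_text, internal_prefixes=("10.",)):
    """List (src, dst, port) for SMB connections to non-internal addresses.

    If the perimeter block Talos recommends is in place these should be
    empty; any hit is either a policy gap or a host probing the Internet."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, dst_ip, port, _ = parse_line(line)
        if port in SMB_PORTS and not dst_ip.startswith(internal_prefixes):
            hits.append((src, dst_ip, port))
    return hits


if __name__ == "__main__":
    print("scanning sources:", find_smb_scanners(SAMPLE_LOG))
    print("external SMB:", external_smb_attempts(SAMPLE_LOG))
```

On the constructed log, 10.0.0.5 is flagged with seven distinct SMB peers inside four seconds, while 10.0.0.20 (two connections to the same server) and 10.0.0.21 (port 443) are not; the one 445 connection to 203.0.113.9 shows up as the external attempt the perimeter rule should have dropped. Tune the window and threshold to the environment before alerting on real traffic.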
May 12, 2017, 11:01 PM
sdy
this thing is really big in scope


There have been reports of infections in 99 countries, including the UK, US, China, Russia, Spain, Italy and Taiwan.


http://www.bbc.com/news/technology-39901382

Some experts say the attack may have been built to exploit a weakness in Microsoft systems that was identified by the NSA and given the name EternalBlue.

The NSA tools were then stolen by a group of hackers known as The Shadow Brokers, who then attempted to sell the encrypted cache in an online auction.

However they subsequently made the tools freely available, releasing a password for the encryption on 8 April.

The hackers said they had published the password as a "protest" about US President Donald Trump.

At the time, some cyber-security experts said some of the malware was real, but old.
A patch for the vulnerability was released by Microsoft in March, but many systems may not have had the update installed.

Microsoft said on Friday its engineers had added detection and protection against WannaCrypt. The company was providing assistance to customers, it added.

Some security researchers have pointed out that the infections seem to be deployed via a worm - a program that spreads by itself between computers.

Unlike many other malicious programs, this one has the ability to move around a network by itself. Most others rely on humans to spread by tricking them into clicking on an attachment harbouring the attack code.

By contrast, once WannaCry is inside an organisation it will hunt down vulnerable machines and infect them too. This perhaps explains why its impact is so public - because large numbers of machines at each victim organisation are being compromised.
May 12, 2017, 11:06 PM
kornesque
Keep in mind all, 300 bitcoin is valued at about half a million USD. Different currency. Could be payday for someone...
May 12, 2017, 11:25 PM
tatortodd
quote:
Originally posted by kornesque:
Keep in mind all, 300 bitcoin is valued at about half a million USD. Different currency. Could be payday for someone...
The screen capture says $300 worth of bitcoin not 300 bitcoin



Ego is the anesthesia that deadens the pain of stupidity

DISCLAIMER: These are the author's own personal views and do not represent the views of the author's employer.
May 13, 2017, 12:42 AM
onegeek
Ransomware flood stopped for $10.69.
https://www.google.com/amp/s/a...somware-cyber-attack
May 13, 2017, 12:43 AM
chongosuerte
Makes a man want to just pull the plug.

Our dependency on the Internet rivals only our dependency on cars and electricity.

It seems like every one of these Internet breaches etc, are the largest ever...until the next one.




Knowing what one is talking about is widely admired but not strictly required here.

Although sometimes distracting, there is often a certain entertainment value to this easy standard.
-JALLEN

"All I need is a WAR ON DRUGS reference and I got myself a police thread BINGO." -jljones
May 13, 2017, 03:02 AM
46and2
Yep, and now people have connected Thermostats, Door Bells, Dead Bolts, Garage Door Openers, and more... just wait until that shit starts becoming a regular vector of attack.

It's coming. Maybe not today or tomorrow, but soon enough.
May 13, 2017, 05:32 AM
CQB60
It's called IoT, or the Internet of Things. Wait till those Amazon Echos are subverted, then you'll properly lose your mind.
quote:
Originally posted by 46and2:
Yep, and now people have connected Thermostats, Door Bells, Dead Bolts, Garage Door Openers, and more... just wait until that shit starts becoming a regular vector of attack.

It's coming. Maybe not today or tomorrow, but soon enough.



______________________________________________
Life is short. It’s shorter with the wrong gun…
May 13, 2017, 05:32 AM
msfzoe
How does the NSA, one of our top secure agencies, lose "tools?"
May 13, 2017, 05:33 AM
CQB60
Probably from any one of the dozens of previous employees who left the agency for higher paying non-government jobs.
quote:
Originally posted by msfzoe:
How does the NSA, one of our top secure agencies, lose "tools?"



______________________________________________
Life is short. It’s shorter with the wrong gun…
May 13, 2017, 08:35 AM
sdy
A 'kill switch' is slowing the spread of WannaCry ransomware

http://www.pcworld.com/article...acry-ransomware.html

Friday’s unprecedented ransomware attack may have stopped spreading to new machines -- at least briefly -- thanks to a "kill switch" that a security researcher has activated.

The ransomware also contains a kill switch that may have backfired on its developers, according to security researchers.

Wana Decryptor infects systems through a malicious program that first tries to connect to an unregistered web domain. The kill switch appears to work like this:

If the malicious program can’t connect to the domain, it’ll proceed with the infection. If the connection succeeds, the program will stop the attack.

A security researcher who goes by the name MalwareTech found that he could activate the kill switch by registering the web domain and posting a page on it.


MalwareTech's original intention was to track the ransomware's spread through the domain it was contacting. “It came to light that a side effect of us registering the domain stopped the spread of the infection,” he said in an email.

Security firm Malwarebytes and Cisco’s Talos security group reported the same findings and said new ransomware infections appear to have slowed since the kill switch was activated.

However, Malwarebytes researcher Jerome Segura said it’s too early to tell whether the kill switch will stop the Wana Decryptor attack for good. He warned that other versions of the same ransomware strain may be out there that have fixed the kill-switch problem or are configured to contact another web domain.

Unfortunately, computers already infected with Wana Decryptor will remain infected, he said.

Friday’s ransomware attack first spread through a massive email phishing campaign. At least some of those emails appeared to be messages from a bank about a money transfer, according to Cisco’s Talos group.

Security firm Avast said it had detected more than 75,000 attacks in 99 countries, with Russia, Ukraine and Taiwan among the hardest-hit countries. The U.K.’s National Health Service was one of the biggest organizations hit by the ransomware.

The ransomware was designed to work in numerous languages, including English, Chinese and Spanish, with ransom notes in each.

*********************

I always wonder if it is wise to publicly report discoveries like this. (that the kill switch was found in the code)
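The article above spells out the kill-switch logic: the sample checks a domain first, carries on if the lookup fails, and stops if it succeeds. From the defender's side that same check is a free indicator, because every host that looked the domain up was running the dropper, and whether the lookup succeeded tells you whether the kill switch was already live for that host. The script below is an added example, not the researcher's tooling or anything from the article; it walks a constructed resolver log and separates hosts whose lookup failed (the sample would have proceeded, and as Segura notes they stay infected) from hosts whose lookup succeeded after the domain was registered. The domain name is a placeholder rather than the real one, and the log format is an assumption.

```python
"""Triage DNS resolver logs for kill-switch-domain lookups.

Added example (not from the PCWorld article or the researcher's code). The
domain is a placeholder and the log layout is an assumption.
"""
from collections import namedtuple

# Placeholder: the real kill-switch domain is not reproduced here.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

Lookup = namedtuple("Lookup", "ts client qname rcode")

# Constructed resolver log: "<ISO timestamp> <client_ip> <qname> <rcode>".
# The first three lines predate the domain registration (NXDOMAIN); the
# last two come after it (NOERROR).
SAMPLE_DNS_LOG = """\
2017-05-12T10:15:03 10.0.0.5 killswitch-placeholder.example NXDOMAIN
2017-05-12T10:15:04 10.0.0.6 killswitch-placeholder.example NXDOMAIN
2017-05-12T10:15:05 10.0.0.6 www.example.org NOERROR
2017-05-12T15:40:11 10.0.0.9 killswitch-placeholder.example NOERROR
2017-05-12T15:40:12 10.0.0.5 killswitch-placeholder.example NOERROR
"""


def parse_dns_log(text):
    """Yield one Lookup per non-empty line; qnames are normalised so a
    trailing dot or mixed case does not hide a match."""
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, rcode = line.split()
            yield Lookup(ts, client, qname.rstrip(".").lower(), rcode)


def triage(text, domain=KILL_SWITCH_DOMAIN):
    """Map each client that queried the kill-switch domain to the verdict its
    *earliest* lookup implies, mirroring the article's description:
    NXDOMAIN -> 'proceeded' (the sample went on to infect),
    NOERROR  -> 'halted'    (the registered domain answered, so it stopped)."""
    verdicts = {}
    for lk in parse_dns_log(text):
        if lk.qname != domain or lk.client in verdicts:
            continue  # not our indicator, or we already have the first sighting
        verdicts[lk.client] = "halted" if lk.rcode == "NOERROR" else "proceeded"
    return verdicts


def hosts_to_isolate(text, domain=KILL_SWITCH_DOMAIN):
    """Hosts whose first lookup failed were infected before the kill switch
    went live; registering the domain does not help them, so they need
    containment and restore rather than a wait-and-see."""
    return sorted(h for h, v in triage(text, domain).items() if v == "proceeded")


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_DNS_LOG).items()):
        print(host, verdict)
    print("isolate:", hosts_to_isolate(SAMPLE_DNS_LOG))
```

Two caveats match the article's own warning. A "halted" host still executed the dropper, so it belongs on the investigation list even though it did not encrypt anything, and a variant pointed at a different domain or with the check removed produces no lookup at all, so this triage is a cheap first pass, not proof of absence.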
May 13, 2017, 08:46 AM
jehzsa
Fwiw.

Yesterday I had an email supposedly from a 63 year old, high school graduate, US ex-client, female, who supposedly sent the email from a domain in .au.

http://www.mailwasher.net/ allowed me to see from where it originated, among other giveaways.

What mailwasher does, among other things, is that you can wash away emails before they reach your inbox. It serves exceedingly well as a frontline measure.


***************************
Knowing more by accident than on purpose.
May 13, 2017, 08:46 AM
Sig2340
Microsoft ought to send "MalwareTech" the 22 year old who found a kill switch in the code about $100M. The NSA needs to hire him for the challenge he'd face.

The domain cost him $10.69 but looks to have stopped it cold.





Nice is overrated

"It's every freedom-loving individual's duty to lie to the government."
Airsoftguy, June 29, 2018
May 13, 2017, 08:46 AM
henryaz
This Windows vulnerability is so dangerous and exploitable, that Microsoft even relented and issued a patch for XP, which is past its support deadline.

Ars Technica article.