Yes… we got delayed in posting this week. With the news of WannaCry everywhere, and with requests from all of our customers for the latest information on the threat's progression, preventive actions and everything in between, that was the only news we were tracking last week, and we also posted a couple of articles on it.
And so, for this SWTW, we dug deeper, found some interesting articles and are sharing them here. We hope they help you in your endeavours.
Azure users told they’re not WannaCrypt-proof
Microsoft advises how to harden cloudy Windows, cos it runs a cloud not your OS
Microsoft Windows users already know what to do to defeat WannaCrypt (unless they’ve been asleep for a week). Now the company’s published its advice for its Azure customers.
Since there aren’t any surprises in Microsoft’s note for Azure users, Vulture South suspects this is a prod for people who are slow to respond or complacent about security.
WannaCrypt is the ransomware/worm built using NSA exploits leaked by Shadow Brokers. It exploits a bug in the ancient and should-have-been-retired SMB1 protocol as one of its most important vectors.
That bug (CVE-2017-0145) was plugged by Microsoft in its service pack – all the way back to Windows XP, so serious was it – but there’s a bit of work for Azure users to secure their cloudy computers.
Microsoft writes that customers should review any services that expose SMB endpoints to the Internet (or perhaps just hit yourself with the clue-stick because that exposure should be avoided). The appropriate IP ports (TCP 139, TCP 445, UDP 137 and UDP 138) should be blocked at the firewall unless absolutely essential.
Follow these instructions if you haven’t already disabled SMB1, and watch your environment with Azure Security Center.
Windows Update should have taken care of users running Azure Cloud Services or IaaS, and all guest operating system versions released since March 14 include MS17-010.
Finally, use Network Security Groups to restrict network access; run malware protection; and apply multi-factor authentication to all backups.
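An added audit check for the Network Security Group advice above (example code, not from the article or from Microsoft's note): it evaluates a constructed inbound rule list the way an NSG does, lowest priority number first and first match wins, and reports which of the four SMB ports are reachable from the Internet. The Rule type and both sample rule sets are assumptions.

```python
# Added example (not from the article): audit an Azure NSG inbound rule list
# for the SMB ports the advisory says to block. Rule and the sample sets are
# constructed; NSG semantics: lowest priority number first, first match wins.
from dataclasses import dataclass

SMB_PROBES = [("Tcp", 139), ("Tcp", 445), ("Udp", 137), ("Udp", 138)]
INTERNET_SOURCES = {"*", "Internet", "0.0.0.0/0"}  # prefixes an Internet host matches

@dataclass
class Rule:
    name: str
    priority: int    # lower number is evaluated first
    access: str      # "Allow" or "Deny"
    protocol: str    # "Tcp", "Udp" or "*"
    source: str      # address prefix or service tag
    dest_ports: str  # "445", "137-139", "*" or a comma list

def port_matches(spec: str, port: int) -> bool:
    """True if an NSG destination-port spec covers the given port."""
    for part in spec.split(","):
        part = part.strip()
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def first_match(rules, proto: str, port: int):
    """Return the rule that decides an inbound packet from the Internet."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.protocol in ("*", proto) and rule.source in INTERNET_SOURCES \
                and port_matches(rule.dest_ports, port):
            return rule
    return None  # no rule matched (a real NSG always ends in DenyAllInBound)

def exposed_smb_ports(rules):
    """(protocol, port) pairs an Internet host could reach through the NSG."""
    return [(proto, port) for proto, port in SMB_PROBES
            if (hit := first_match(rules, proto, port)) and hit.access == "Allow"]

# Constructed sample: a broad allow outranks the platform default deny.
WEAK_RULES = [
    Rule("allow-all-in", 100, "Allow", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]
# Constructed sample: an explicit SMB deny placed above the broad allow.
HARDENED_RULES = [
    Rule("deny-smb-internet", 100, "Deny", "*", "Internet", "137-139,445"),
    Rule("allow-all-in", 110, "Allow", "*", "*", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]
```

Swapping the priorities of the two custom rules in HARDENED_RULES re-exposes every SMB port, which is why the deny must sit at the lower number.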
Note: You can keep all your Cloud Windows systems completely hidden from the Internet and in a private network even if you need to allow access to applications hosted in those systems from the Internet or from your office. InstaSafe SecureAccess can help you hide all the cloud and on-premises applications while providing ‘need-to-know’, encrypted access to users with only their authorized devices. To learn more, reach us at firstname.lastname@example.org
Inside the Motivations Behind Modern Cyberattackers
Attackers seeking money, dominance, and data are banding together and sharing infrastructure to target businesses.
Today’s organizations have a few key disadvantages in the fight against modern cybercrime. For one, each needs to build an indestructible defense — but attackers only need to find one crack to break in.
On top of that, each business is up against several attackers who share strategies and skills. Cybercriminals are collaborating better than white-hat hackers are, explained Paul Kurtz, co-founder and CEO at TruSTAR, during his Dark Reading Crash Course presentation at this year’s Interop ITX.
Kurtz focused his talk on the motives and methods of today’s adversaries: who are they, what do they want, and how are they targeting their victims?
Motivations for cybercrime extend beyond the obvious draw of financial gain. Attackers are also driven by espionage, dominance, and creating uncertainty, as demonstrated by the proliferation of false information during last year’s presidential elections.
Dark Web Marketplace Shuts Down Claiming Being Hacked. Users Have Lost Money.
Victims are not necessarily honest people; sometimes they are the ones who want to do damage. This case smells of people being robbed of the bitcoins they kept in the escrow account of the Dark Web marketplace named Outlaw.
The Outlaw Dark Web market has shut down this week under mysterious circumstances, and while admins said the site closed down after a hack, many believe this was just another exit scam.
Outlaw was a veteran of the Dark Web marketplaces, founded way back in 2013. The site was never the most popular destination for online criminals but had a steady following.
The market’s reputation flourished after the death of Silk Road and after competitors never managed to survive past a few months.
The marketplace sold all your regular Dark Web illegal products, from drugs to weapons, and from data dumps to stolen electronics. One of the site’s unique features was something called “dead drop,” where clients had the option to pick up products from sellers or predetermined spots.
However, a low-level admin of Outlaw posted a message on multiple platforms explaining that the top admins had worked hard at fixing issues with Bitcoin payouts and that they did not do an “exit scam” – a term popularly used when Dark Web markets shut down while stealing their customers’ Bitcoins. Bitcoin’s value has increased dramatically in the last week, from around $1,800 to over $2,000 for the first time ever.
In recent years, hackers have targeted Dark Web marketplaces, either to steal their funds or to find bugs they could use to coerce admins into paying ransoms.
For example, AlphaBay rewarded a hacker for finding one such bug earlier in January this year, while a month later, the Hansa Dark Web marketplace opened a bug bounty program with rewards up to $10,000 per privately reported bug.
Earlier this month, Slovakian authorities shut down the Bloomsfield Dark Web marketplace, arresting two individuals, including the site’s top admin.
Wikileaks Vault 7 Series: CIA Co-Developed Athena Malware with US Cyber-Security Company
WikiLeaks has established a tradition of leaking new documents every Friday in its Vault 7 series, which details some of the CIA’s hacking tools. Today, the organization leaked documentation about a tool called Athena.
Athena is an implant — a CIA technical term for “malware” — that can target and infect any Windows system, from Windows XP to Windows 10, Microsoft’s latest OS version.
Documents leaked today are dated between September 2015 and February 2016, showing that the CIA had the ability to hack Windows 10 only months after its launch, despite Microsoft boasting about how hard it would be to hack its new OS.
Athena included support for fileless execution
At the technical level, despite using custom terms to describe its modus operandi, Athena isn’t that special when compared to other malware developed for cyber-espionage operations.
According to the documents, a CIA operative has a builder at his disposal with plenty of options to generate an Athena malware payload. This payload can be specifically assembled to work with an online C&C server, offline, or in a RAM-only mode (also known as diskless/fileless mode).
For installing Athena, operatives had different methods available that ranged from classic delivery methods to supply chain compromise, and even via an in-the-field operative, if necessary.
Once on a target’s PC, Athena would communicate with a C&C server from where it would receive instructions or additional payloads it would need to install on its victim’s computer. This is a classic architecture we find in most malware today.