Wednesday 28 June 2017

PSA: Petya Ransomware Affecting Critical Systems Globally: Here’s What to Do.

Updated 3:19PM Pacific Time: A method to ‘vaccinate’ yourself against this ransomware variant has been found. I have posted details towards the end of the post along with a batch file you can run. It is as simple as creating the file C:\Windows\perfc and marking it read-only.
Update 2 at 7pm PST on Tuesday: It appears that the initial infection many have come from a company called MeDoc that was breached. Their systems were infected and they then pushed out an update, spreading the infection. MeDoc are disputing the allegation. Sources: Talos quoted on ZDNetForbes and FireEye.

What We Know
A new ransomware variant is spreading quickly across the globe at the time of this writing. There is no consensus yet in the security research community, so the following information is provisional in nature:
The ransomware has been dubbed “Petya.” It likely spreads by using two separate exploits. You don’t need to click on anything or take any action. This can spread into your system through the network. That is why it is having such a wide impact and why it is important that you update your system to protect yourself.
For the technically minded: This ransomware is exploiting a vulnerability in Microsoft Office when handling RTF documents (CVE-2017-0199). It also exploits a vulnerability in SMBv1 which is the Microsoft file-sharing protocol. This second vulnerability is described in Microsoft security bulletin MS17-010.
The ransomware has affected a large number of companies, organizations and government entities on an international scale. The following is a screenshot of the ransomware page you are confronted with once your files are encrypted:
Colin Hardy has provided a behavioral analysis of Petya, which includes a video demonstration of the malware in action:

What To Do

If you have not done so already, you should immediately install the MS17-010 patch from Microsoft.
If you currently run an unpatched Windows system, you may not have time to patch it before you are infected. Consider shutting down your machine, if feasible, and leaving it off the network until there is consensus in the research community on what this exploits and how to protect against it.
If you are technically able to, we recommend you block network access to port 445 on your Windows workstations. You may also want to monitor traffic to that port if you are a security professional.
Keep an eye on the Microsoft Security Response Center where they will hopefully release formal guidance soon.
Update your anti-virus definitions and run a scan on your system. You can find out which anti-virus products are detecting the current variant of Petya on this VirusTotal page. I’ve linked to one of the files involved in the infection. The page shows which AV vendors are currently detecting this file. The green check marks mean the file is not detected by that AV vendor (it’s counterintuitive).

Who This Has Affected So Far

  • A Ukrainian state power company and Kiev’s main airport were among the first to report issues.
  • The Chernobyl nuclear power plant has had to monitor radiation levels manually after they were forced to shut down the Windows systems that their sensors had been using.
  • Antonov aircraft has reported being affected.
  • Copenhagen-based shipping company Maersk is experiencing outages in multiple IT systems and across multiple business units.
  • Food giant Modelez, which makes Oreo and Toblerone, has also been hit.
  • Netherlands-based shipping company TNT was also hit.
  • French construction company St. Gobain has been affected.
  • Pharmaceutical company Merck says they have systems affected.
  • Law firm DLA Piper was hit.
  • Heritage Valley Health System, a US hospital operator, has also been hit.
  • Kiev’s metro system has stopped accepting payment cards because they were affected.
The list is long and growing; the above just a snapshot.

Strong Incentive for Attackers

Many are reporting the belief that the South Korean hosting company that paid attackers a $1M ransom a week ago to recover their data have created a huge incentive for future ransomware attacks.
That has resulted in this new spate of attacks affecting systems globally.

Coverage of This Story

Update 3:19pm PST: A Vaccine has been Found

In the past couple of hours researchers have found a ‘vaccine’ against having your files encrypted by this new variant of Petya. They discovered that if a file exists, the encryption routine will not run.
Amit Serper who found this had their findings confirmed by other security researchers.
To vaccinate a machine against this ransomware, simply create a file called perfc in the C:\Windows folder and mark it read only. The following batch file courtesy of BleepingComputer will do the job for you:
This post in BleepingComputer also includes instructions on how to create the file manually if you would prefer to do that. Once this file is created, the encryption routine for this specific ransomware variant will not run and encrypt your files.

Help Keep the Community Safe

We recommend you let your friends and family know about this fast spreading campaign as a matter or urgency to help them stay safe.

Friday 13 January 2017

Highly Effective Gmail Phishing Technique Being Exploited

A new highly effective phishing technique targeting Gmail and other services has been gaining popularity during the past year among attackers. Over the past few weeks there have been reports of experienced technical users being hit by this.
This attack is currently being used to target Gmail customers and is also targeting other services.
The way the attack works is that an attacker will send an email to your Gmail account. That email may come from someone you know who has had their account hacked using this technique. It may also include something that looks like an image of an attachment you recognise from the sender.

Monday 12 December 2016

Wordfence Blocks Username Harvesting via the New REST API in WP 4.7

WordPress 4.7 was released 6 days ago, on December 6th. It includes a REST API that will be used by many WordPress plugins, mobile apps, desktop applications, cloud services and even WordPress core in future. Every site that upgrades to WordPress 4.7 has this API enabled by default.

Wednesday 30 November 2016

Emergency Bulletin: Firefox 0 day in the wild. What to do.

We’re publishing this as an emergency bulletin for our customers and the larger web community. A few hours ago a zero day vulnerability emerged in the Tor browser bundle and the Firefox web browser. Currently it exploits Windows systems with a high success rate and affects Firefox versions 41 to 50 and the current version of the Tor Browser Bundle which contains Firefox 45  ESR.
If you use Firefox, we recommend