Petya Ransomware Attack and Remediation

Petya Ransomware Attack
The recent attack by Petya ransomware is another warning to organizations about the possible catastrophe of vulnerabilities. Petya Ransomware is spreading fast with Ukraine being the worst hit country in last 24 hours. It uses the same exploit, which WannaCry had used to propagate itself and has created havoc in the recent past. Microsoft patches for Ransomware attacks have been a critical remedy way back in March 2017, but many organizations missed updating their OS and network.

The Exploits and Infection Routines

Eternal Blue was the exploit which was used by WannaCry and uses the SMB protocol vulnerability to propagate throughout the network. However, Petya Ransomware not just encrypts the files but after encrypting them, tries to encrypt the MBR too. Effectively rendering the infected systems un-bootable. According to the findings, Petya was pushed through an update for MeDoc financial software used mostly by organizations in Ukraine.

Its highly unusual for a Ransomware to initiate an infection chain by piggy-backing on a third-party software, rather than initiating its infection via the spam/phishing mails. Throughout the history of Ransomware, we have observed spam mails being the favorite medium for transportation. It is observed that the Petya is more of a targeted attack rather than a ransomware attack.”

The Impact

In India, “The (shipping) ministry has confirmed that one terminal at JNPT has been affected due to the attack at Maersk’s Hague office,” an official said.

Due to this attack, the operations at JNPT’s GTI (Gateway Terminals India) have come to a standstill. However, this seems to be an isolated incident within India and the impact on India seems to be very limited. Last month’s WannaCry’s attack had forced numerous organizations to implement the patches released by Microsoft. Although there might exist some organizations that are still lagging behind.

There have been reports of two more organizations having their presence in India viz. Beiersdorf AG and Reckitt Benckiser were affected by the Ransomware attack.

Monetization

Until now the Bitcoin address which is being used by Petya Ransomware has received 45 transactions worth 3.99009155 BTC equivalents to 10213.12 USD. However, the email-id which is being used to communicate with the criminals has been suspended by the German eMail Service Provider. Hence rendering all the efforts of getting the decryption key futile. Due to this, victims should detest from making any payments to the criminals.

Microsoft Patches for Petya Ransomware – Stay Safe

To stay safe from such attacks, all the organizations and users need to ensure that, the patches released by Microsoft have been updated or patched as per our previous blog-post.

Microsoft releases patches for exploits used by NSA’s hacking tools

Posted in eScan 11, eScan 14, MailScan, Security | Tagged , , , , , , , , , , , , | Comments Off on Petya Ransomware Attack and Remediation

Trickbot – new entrant in the Indian Online Banking Cyberspace

Trickbot-banking-trojan
Ransomware is not the only prevalent threat these days; there are threats too which have been making their foray. We humans tend to forget that security is an on-going process and is not limited to one single threat. We have to be on our toes 24×7 and be alert at all times, ensure that all the SOPs are adhered to and also ensure regular audits of all the security processes and procedures.

For past few weeks, Ransomwares has gained notoriety specifically due to the exploits used by WannaCry Ransomware, however during the same period, TrickBot a banking Trojans too was working towards stealing banking credentials and gaining access to the banking accounts of the victims.

Thanks to the release of the source code of Zeus Bot a couple of years ago, we have observed a rise in Trojans which share the same / similar codebase with that of Zeus. On these similar lines, Trickbot shares many similarities with Dyre yet another banking malware.

Trickbot’s configuration contains the list of Banking URLs which when accessed by the victim would be intercepted and exploited. In recent weeks, Trickbot has expanded its attack vector and has truly gone global and targets numerous banks, payment processors and CMS systems.

Targeting CMS systems, provides Trickbot with the access credentials which can then be further leveraged to carry out targeted attacks which includes spear phishing attacks and up to a certain extent water holing attacks.

Recently, Trickbot added a couple of Indian Banks to its configuration viz. SBI Bank and ICICI considering their huge consumer base, however we are yet to observe any active attack on the consumers.

Moreover, in coming weeks/months we expect much larger campaigns targeting Indian Online Banking Customers and a few more Indian banks to be added by Trickbot into its configuration. Furthermore, based on the success of Trickbot, we may also observe other banking Trojans sneaking into the Indian Cyberspace.

We at eScan believe that it is our duty to be proactive in alerting the users about the potential attacks, which will assist them to take necessary precautions. Moreover, eScan users are protected from the threats posed by Trickbot and all the other Banking Trojans.

Advisory:

1: Net-banking users should implement an Antivirus/Internet Security Suites on all of their devices including their mobile phones.

2: Regularly apply the patches, which have been released by Software Vendors.

3: Implement Email Gateway security solutions to protect your organization from malicious emails.

Posted in eScan 11, eScan 14, MailScan, Security | Tagged , , , , , , , | Comments Off on Trickbot – new entrant in the Indian Online Banking Cyberspace

Web Security: A Major Hurdle for Organizations

web security

Internet being the undeniably biggest growing market in the digitization era, are stressing on the necessity of Online Security. The development of technology happened in such a way that enterprises adopting it are lacking much on the Online Security measures to protect the data and digital identity of their customers/ partners. It is just similar to that of retail stores minimizing the risk of theft or shop-lifting by installation of surveillance cameras. If any organization is looking for online security of their critical data, then related safety measures are very important.
In the age of information, each and everything has its value and can be misused in multiple ways, unless necessary precautions are taken to prevent online attacks, as performed by hackers. We are always in danger to suffer financial losses, integrity and even mental peace. We regret such incidents which might have been easily avoided if we would have invested in Online Security measures.
The first important step to hide information shared in your site from potentially harmful eyes is to ensure SSL certification. The beginning of a URL that starts with https:// instead of http:// is much secured.

ssl certfication

Today encrypted sites are clearly displayed with green padlock signs in the Web browser. This is a signal to the user, that his/ her session with the website is encrypted. This ensures all communication are secured with a key that can not be retrieved easily by third parties and thus communication is secured and cannot be read. In case SSL certificate is unused by a website, the information goes in simple text format that is interrupted easily and is readable for anyone.
The risks of not investing in Online Security are much higher than the owners anticipate. The larger the company and business potential, the risk of attacks and data theft are also high. However, smaller businesses are targeted as well, since they often lack fundamental Online Security measures. As a result, they are easy targets.
Securing your website and its information with the readers establishes a trustworthy environment to conduct daily businesses. Since technology is evolving every day, it is logical to stay updated when it comes to Cyber Security and take necessary precautions. The trust factor is very important in this respect. You need to cross-check if online security is adhered to the system and the organization hardly have resources to migrate to HTTPS. It is advisable to get a specialist on-board to enable to do so by visiting HTTPS.IN.

Extended Validation Certificate

extended validity

This is the newest SSL certificate which gives more confidence to the users and takes the control of any given website. Extended validation certificate reassures the users that they are viewing the authentic website and it is not anything else in disguise. It displays a green address bar while the users log in to the website and on the right side of the address bar there displays a notice space which shows the legal company name and certification authority which authenticated the validation certificate. This helps the organizations to increase credibility and establish online trust in terms of viewership.

Posted in eScan 11, eScan 14, MailScan, Security | Tagged , , , , , , | Comments Off on Web Security: A Major Hurdle for Organizations

Microsoft releases patches for exploits used by NSA’s hacking tools

Microsoft has released patches for the 3 more vulnerabilities, which were found in the exploit tools created by NSA and subsequently released by ShadowBrokers.

Last month, WannaCry Ransomware used one of the exploit code-named EternalBlue by NSA, was already patched by Microsoft in the month of March.Even though patch was issued, there were many who didn’t patch their systems and allowed WannaCry to take control of their systems and encrypt their data.

Considering the fact that WannaCry affected many of the systems worldwide, users and system administrators should patch their XP and Windows 2003 Server systems immediately.

NSA Hacking Tool Exploit CVE Patch Download Link
“EnglishmanDentist” CVE-2017-8487 https://support.microsoft.com/en-us/help/4025218/security-update-for-windows-xp-and-windows-server-2003
“EsteemAudit” CVE-2017-0176 https://support.microsoft.com/en-us/help/4022747/security-update-for-windows-xp-and-windows-server-2003
“ExplodingCan” CVE-2017-7269 https://support.microsoft.com/en-us/help/3197835/description-of-the-security-update-for-windows-xp-and-windows-server
“ErraticGopher” CVE-2017-8461 https://support.microsoft.com/en-us/help/4024323/security-update-of-windows-xp-and-windows-server-2003

Microsoft has also released some additional patches for XP and 2003 Servers, all the end-users who are using older versions of Microsoft Windows should visit this link to download the patches made available fopr the additional vulnerabilities not covered in here.

https://support.microsoft.com/en-us/help/4025687/microsoft-security-advisory-4025685-guidance-for-older-platforms

Previously, Microsoft had issued patches for the below mentioned hacking tools developed by NSA

NSA hacking Tool Patch Information Download Link
“EternalBlue” MS17-010 https://technet.microsoft.com/
library/security/ms17-010.aspx
“EmeraldThread” MS10-061 https://technet.microsoft.com/
library/security/ms10-061
“EternalChampion” CVE-2017-0146 & CVE-2017-0147 A: https://portal.msrc.microsoft.c
om/en-US/security-guidance/
advisory/CVE-2017-0146
B: https://portal.msrc.microsoft.c
om/en-US/security-guidance/
advisory/CVE-2017-0147
“EsikmoRoll” MS14-068 https://technet.microsoft.com/
library/security/ms14-068.aspx
“EternalRomance” MS17-010 https://technet.microsoft.com/
library/security/ms17-010.aspx
“EducatedScholar” MS09-050 https://technet.microsoft.com/
library/security/ms09-050
“EternalSynergy” MS17-010 https://technet.microsoft.com/
library/security/ms17-010.aspx
“EclipsedWing” MS08-067 https://technet.microsoft.com/
en-us/library/security/
ms08-067.aspx

eScan users are protected by eScan’s proactive critical patch management, which checks the endpoints for missing patches on the OS by matching the installed patches with the released patch list. The missing critical Windows update patches are then downloaded and installed on the computer where eScan is running. The above mentioned patches have been added to eScan’s Critical Patch Management Database and would be available to all our customers.

Posted in eScan 11, eScan 14, MailScan, Security | Tagged , , , , , , , , , , , , | Comments Off on Microsoft releases patches for exploits used by NSA’s hacking tools