The FBI and US Department of Homeland Security have issued an alert that hackers have targeted the aerospace industry, financial services and critical infrastructure with a remote access trojan (RAT) to further exploit vulnerable networks. There is a new Trojan malware used by the North Korean government—Volgmer and FALLCHILL Malware. The malware allows remote hackers to send commands from a command-and-control server to infected PCs in order to access files, plant additional malware, and delete digital evidence that they were ever present.

Below are the IPs and IOCs related to HIDDEN COBRA. Please take the necessary action as soon as possible.


 

Ref:

U.S. Government issues alerts about malware and IP addresses linked to North Korean cyber attacks

https://www.dhs.gov/blog/2017/11/14/dhs-and-fbi-release-joint-technical-alerts-malicious-north-korean-cyber-activity

https://www.theguardian.com/us-news/2017/nov/14/north-korea-malware-us-networks

http://securityaffairs.co/wordpress/65582/malware/fallchill-volgmer-hidden-cobra.html

https://hotforsecurity.bitdefender.com/blog/us-government-issues-alert-about-north-korean-hidden-cobra-cyber-attacks-19215.html

https://www.us-cert.gov/ncas/alerts/TA17-318B

 

OVERVIEW:

Multiple vulnerabilities have been discovered in the Google Android operating system (OS), the most severe of which could allow for arbitrary code execution. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution within the context of a privileged process. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

 

SYSTEMS AFFECTED:

  • Android OS builds utilizing Security Patch Levels issued prior to November 6, 2017.

 

RISK:

  • Large and medium entities: High
  • Small entities: High
  • Home users: High

 

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for arbitrary code execution within the context of a privileged process. Details of these vulnerabilities are as follows:

  • Multiple elevation of privilege vulnerabilities in Framework. (CVE-2017-0830, CVE-2017-0831)
  • Multiple arbitrary code execution vulnerabilities in Media Framework. (CVE-2017-0832, CVE-2017-0833, CVE-2017-0834, CVE-2017-0835, CVE-2017-0836)
  • Multiple information disclosure vulnerabilities in Media Framework. (CVE-2017-0839, CVE-2017-0840)
  • An arbitrary code execution vulnerability in System. (CVE-2017-0841)
  • An information disclosure vulnerability in System. (CVE-2017-0842)
  • Multiple elevation of privilege vulnerabilities in Kernel components. (CVE-2017-9077, CVE-2017-7541)
  • An elevation of privilege vulnerability in MediaTek components. (CVE-2017-0843)
  • An elevation of privilege vulnerability in NVIDIA components. (CVE-2017-6264)
  • Multiple arbitrary code execution vulnerabilities in Qualcomm components. (CVE-2017-11013, CVE-2017-11015, CVE-2017-11014)
  • Multiple elevation of privilege vulnerabilities in Qualcomm components. (CVE-2017-11092, CVE-2017-9690, CVE-2017-11017)
  • An information disclosure vulnerability in Qualcomm components. (CVE-2017-11028)
  • Multiple elevation of privilege vulnerabilities in System. (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088)

 

Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution in the context of a privileged process. These vulnerabilities could be exploited through multiple methods such as email, web browsing, and MMS when processing media files. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

 

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by Google Android or mobile carriers to vulnerable systems, immediately after appropriate testing.
  • Remind users to only download applications from trusted vendors in the Play Store.
  • Remind users not to visit un-trusted websites or follow links provided by unknown or un-trusted sources.
  • Inform and educate users regarding threats posed by hypertext links contained in emails or attachments, especially from un-trusted sources.

 

REFERENCES:

Google Android:

https://source.android.com/security/bulletin/2017-11-01

A new vulnerability in the Dynamic Data Exchange (DDE) protocol in Microsoft Office has been discovered. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications.

Attackers could exploit DDE to launch malware via infected Office file attachments, for example Word and Excel files, executing code without using macros. The applications that support DDE display no security warnings to victims, except asking them if they want to update the document with the data from the linked files. Victims would then be prompted with a message informing them that the document contains links to external files, asking them to allow or deny the content to be retrieved and displayed.

 

 

If allowed, the malicious document will communicate with attacker-hosted content in order to retrieve code that will be executed to initiate the malware infection.

In addition, Outlook emails that use Rich Text Format (RTF) can be exploited to launch DDE attacks from within the email body, without sending malicious Office attachments.

 

How to Protect Yourself:

  • Deny the content to be retrieved and displayed through the pop-up message by clicking “No”.
  • View all email messages in plain text format, if necessary.
  • Only open attachments from verified sources.
  • Word Files: Disable the option below, which is listed under the General group in Options.

  • Excel Files: Enable the options shown below, which are listed under the General group in Options.

For More Information about DDE: https://msdn.microsoft.com/en-us/library/windows/desktop/ms648774(v=vs.85).aspx

 

A good read for Information Security Architects, courtesy of its author, Geoff Rob.

  1. Listen and Learn: Clients will appreciate much more your understanding their environment and business requirements fully before you try to sell them your solution. This builds the customer’s trust in you.
  2. Lead Diplomatically: In most cases the client is paying not only for a service but also a motivated person to take charge of the situation and provide a clear direction. Always be prepared to give other people time and space to express themselves.
  3. Your Area of Expertise: Understand in depth a specific area of technology and take leadership in it. Collaborate with other leaders who can supplement your knowledge in other areas.
  4. Repeatability: Capitalize on work already done for other clients. By using experiences from similar client situations and adapting them to your client’s situation, you can deliver a solution faster with a higher success rate.
  5. Market Awareness: Have a global view of alternative solutions available on the market and be able to discuss and compare them with your solution.
  6. Business Sense: Understand the costs and business impacts of the technology and the solutions you are proposing. Keep business benefits and the client’s priorities paramount.
  7. Design Acceptance: During the initial part of the design phase, be open and frank with the client and look for acceptance of a solution. This is far better than spending weeks developing something in isolation and then fighting for acceptance later. Discuss design principles and constraining factors and be prepared to defend the design rationale behind your solution.
  8. Don’t Go to Extremes: Adopt a common-sense approach to planning and design of a solution and match it to the client’s situation. What the marketing hype promotes, or what you think might be interesting to experiment with, may not always be suitable. What is good for one client may not be suitable for others. Keep an open mind.
  9. Best Fit: If a solution is too complex or costly for a client to implement, look at the part that could solve a majority of problems. Suggest an optimal solution that stays within the client’s budget and yet brings a maximum of benefits.
  10. Leverage Client’s Investment: Wherever possible use the infrastructure already in place to effect transitions. Question the sense of putting in technology for short-term use with doubtful benefits. An example of this is a transitional infrastructure put in place at heavy cost and that becomes obsolete when the project is finished.

Hackers are increasingly targeting you through your smartphone. They send texts that trick you into doing something against your own best interests. At the moment, there is a mystery shopping scam going on, starting out with a text invitation, asking you to send an email for more info which then gets you roped into the scam.

Always, when you get a text, remember to “Think Before You Tap”, because more and more, texts are being used for identity theft, bank account take-overs and to pressure you into giving out personal or company confidential information. Here is a short video made by USA Today that shows how this works: https://www.youtube.com/watch?v=ffck9C4vqEM

Spot social engineering red flags and think twice before falling for these scams.

 

Let’s stay safe out there.

A massive ransomware infection is spreading across the globe. It uses the EternalBlue exploit from the Shadowbrokers dump released last month.

File Name : tasksche.exe
SHA : ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

Please apply this patch immediately to all endpoints. https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

This malware is using Social Engineering to target companies.  The emails trick users into clicking files and attachments that use a vulnerability which was addressed by MS17-010 in March 2017 to spread, so please check that all your machines have the latest updates installed.

The IT systems of around 40 NHS organizations across the UK have been affected by a ransomware attack. Non-emergency operations have been suspended and ambulances are being diverted as a result of the attack.

Non-health focused organizations around the world are also being affected, including Spanish telecommunications firm Telefonica which reported a serious issue affecting its internal network as a result of a cyberattack earlier today. The strain is called “Wanna Decrypt0r” which asks $300 from victims to decrypt their computers.

Bleepingcomputer said: “Whoever is behind this ransomware has invested heavy resources into Wana Decrypt0r’s operations. In the few hours this ransomware has been active, it has made many high-profile victims all over the world. According to Avast security researcher Jakub Kroustek, Wana Decrypt0r made over 57,000 victims in just a few hours.

The ransomware’s name is WCry, but is also referenced online under various names, such as WannaCry, WannaCrypt0r, WannaCrypt, or Wana Decrypt0r. As everybody keeps calling it “Wana Decrypt0r,” this is the name we’ll use in this article, but all are the same thing, which is version 2.0 of the lowly and unimpressive WCry ransomware that first appeared in March.”

Sky News Technology Correspondent Tom Cheshire described the attack as “unprecedented”. The ransomware appears to use NSA 0-day ETERNALBLUE and DOUBLEPULSAR exploits  which were made public earlier this year by a group calling itself the Shadow Brokers.

Looks like initial infection vector is a phishing/macro email.

According to CrowdStrike’s vice president of intelligence Adam Meyers, the initial spread of WannaCry is coming through spam, in which fake invoices, job offers and other lures are being sent out to random email addresses. Within the emails is a .zip file, and once clicked that initiates the WannaCry infection.

But the most concerning aspect of WannaCry is its use of the worm-like EternalBlue exploit. “This is a weapon of mass destruction, a WMD of ransomware. Once it gets into an unpatched PC it spreads like wildfire,” he told Forbes. “It’s going through financials, energy companies, healthcare. It’s widespread.”

Given the malware is scanning the entire internet for vulnerable machines, and as many as 150,000 were deemed open to the Windows vulnerability as of earlier this month, WannaCry ransomware explosion is only expected to get worse over the weekend.

MITIGATION STRATEGIES AND RECOMMENDATIONS:  
This section is used to discuss how the threat can be prevented, contained, and removed.  This section can vary depending on the nature of the threat.

Threat Specific Mitigating Guidelines

  • SMB should be disabled if not required for business use.
  • MS17-010 use has been confirmed and that vulnerability should be patched immediately.
  • All SMB-related patches should be applied to servers as soon as practical.
  • Any Microsoft updates that haven’t been applied to servers should be applied as soon as possible.
  • A notice about this attack should be sent to all users, with a reminder about clicking links or opening files in emails from suspicious or unknown sources.
  • Review current backup policies and procedures and be prepared to perform a restore in case of infection – it is never a good idea to pay the ransom in a ransomware attack if at all avoidable.
  • Verify as well that no users with Administrative, and especially Domain, privileges have been infected; if any have, reset their passwords two times.
  • The priority is that your anti-virus can detect the malware. Verify that you have up-to-date signatures.
  • Make sure that users have the level of knowledge required to never click on suspicious attachments, even if they are displayed with a familiar icon (Office or PDF document). Where opening an attachment offers to execute an application, users must under no circumstances accept execution and, when in doubt, should consult the competent IT support.

Recommended Best Practices  

Below are recommended IT security best practices.  These will help mitigate the initial infection vectors used by most malware, as well as prevent or slow the spread of secondary infections.

  • Disable default user accounts
  • Educate users to avoid following links to untrusted sites.
  • Always execute browsing software with least privileges possible
  • Turn on Data Execution Prevention (DEP) for systems that support it
  • Maintain a regular patch and update cycle for OS and installed software
  • For additional details please reference: http://technet.microsoft.com/en-us/library/dd277328.aspx

 

The media has released these stories:-

https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack  
http://elpais.com/elpais/2017/05/12/inenglish/1494588595_636306.html
http://www.ibtimes.co.uk/telefonica-hack-ransomware-attack-internal-network-forces-computer-shut-down-1621350

 

Following IP Addresses, hashes and websites must be blocked by network admins:


Microsoft Office users are under attack from a zero-day vulnerability. Researchers at Proofpoint sounded the alarm about a critical 0-day threat known as CVE-2017-0199 in Microsoft Word that allowed phishing attacks to be sent to millions of users, claiming to be a PDF sent to them by their company photocopier. Security firm McAfee first publicly posted about the new zero-day vulnerability in Microsoft Word files on April 7, with security firm FireEye following with its own disclosure a day later on April 8.

 

This one is particularly bad because it bypasses exploit mitigations built into Windows and doesn’t require users to enable macros. The issue, as described by McAfee and FireEye, is found in Microsoft Office’s Word application and is specifically linked to Rich Text Format (RTF) documents. The vulnerability is present in all versions of Microsoft Office, including the latest Office 2016 edition running on the Windows 10 operating system. The actual vulnerability is a flaw in the Windows Object Linking and Embedding (OLE) component that enables content to be linked inside of documents.

 

“The exploit connects to a remote server (controlled by the attacker), downloads a file that contains HTML application content, and executes it as an .hta file,” McAfee explained in its disclosure. McAfee added that due to the fact that the .hta file is executable, an attacker is able to gain full code execution on the victim’s machine. 

 

For its part, FireEye reported that it has seen the vulnerability used in attacks, deploying various malicious payloads from different well-known malware families. FireEye specifically noted that an embedded OLE2link object is used in the attack, triggering the malicious .hta file, which then executes the malicious payload. FireEye explains in its disclosure that the malicious script ends up terminating the winword.exe (Word application) process, in turn loading a decoy document.

 

“The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link,” FireEye warns.

 

Emails in this type of attack used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from [device], where [device] may be “copier”, “documents”, “noreply”, “no-reply”, or “scanner”. The subject line in all cases read “Scan Data” and included attachments named “Scan_123456.doc” or “Scan_123456.pdf”, where “123456” was replaced with random digits. Note that while this type of attack does not rely on sophisticated social engineering, the spoofed email domains and common practice of emailing digitized versions of documents make the lures fairly convincing.
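The lure traits described above can be turned into a mail-filter check. The following is an added example, not code from the original post or from Proofpoint: the function names, trait labels and the three sample messages (all on example.com) are constructed for illustration, and the `{\rtf` magic-byte test relies on the standard RTF file header.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import parseaddr

# Traits taken from the paragraph above.
DEVICE_SENDERS = {"copier", "documents", "noreply", "no-reply", "scanner"}
LURE_SUBJECT = "scan data"
# "Scan_123456.doc" / "Scan_123456.pdf" with the digits randomised.
LURE_ATTACHMENT = re.compile(r"^Scan_\d+\.(doc|pdf)$", re.IGNORECASE)
# RTF files begin with this header regardless of the file extension.
RTF_MAGIC = b"{\\rtf"


def lure_traits(raw_message: str) -> list[str]:
    """Return the sorted list of lure traits found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    traits = set()

    # Sender local part, e.g. "scanner" in scanner@recipient-domain.
    _, addr = parseaddr(str(msg.get("From", "")))
    if addr.rpartition("@")[0].lower() in DEVICE_SENDERS:
        traits.add("device-sender")

    if str(msg.get("Subject", "")).strip().lower() == LURE_SUBJECT:
        traits.add("subject")

    for part in msg.walk():
        name = part.get_filename()
        if not name or not LURE_ATTACHMENT.match(name):
            continue
        traits.add("attachment-name")
        # The attachment is named .doc or .pdf but is really an RTF document.
        payload = part.get_payload(decode=True) or b""
        if payload.lstrip().startswith(RTF_MAGIC):
            traits.add("rtf-content")

    return sorted(traits)


def is_lure(raw_message: str) -> bool:
    """Full match: device-style sender, 'Scan Data' subject and Scan_<digits> attachment."""
    required = {"device-sender", "subject", "attachment-name"}
    return required.issubset(lure_traits(raw_message))


def build_sample(sender: str, subject: str, filename: str, content: bytes) -> str:
    """Build a constructed test message with one attachment."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("See attached.")
    m.add_attachment(content, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


# Constructed samples, not real captured mail.
SAMPLE_LURE = build_sample("scanner@example.com", "Scan Data",
                           "Scan_482913.doc", b"{\\rtf1\\ansi constructed sample}")
SAMPLE_PARTIAL = build_sample("noreply@example.com", "Your receipt",
                              "receipt.pdf", b"%PDF-1.4 constructed sample")
SAMPLE_BENIGN = build_sample("alice@example.com", "Quarterly report",
                             "report.pdf", b"%PDF-1.4 constructed sample")

if __name__ == "__main__":
    for label, raw in [("lure", SAMPLE_LURE), ("partial", SAMPLE_PARTIAL),
                       ("benign", SAMPLE_BENIGN)]:
        print(label, lure_traits(raw), "MATCH" if is_lure(raw) else "no match")
```

A sender such as “noreply” is common in legitimate mail, so the check only reports a match when the sender, subject and attachment name all line up; the RTF header test is extra corroboration that the attachment is not what its extension claims.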

 

Solution:

1) Patch. Microsoft released its regular batch of security patches, including a fix for this Office zero-day vulnerability, CVE-2017-0199. It turns out that this wasn’t the only thing that needed patching. An elevation of privilege vulnerability in Internet Explorer (CVE-2017-0210) that would allow an attacker to convince a user to visit a compromised website was also fixed.

2) If you cannot patch for some reason, here is a quick fix to prevent this exploit from working: in your Windows registry, set Software\Microsoft\Office\15.0\Word\Security\FileBlock\RtfFiles to 2 and OpenInProtectedView to 0.

There is a new spin on an existing phishing scam you need to be aware of. Bad guys are doing research on you personally using social media and find out where and when you (might) travel for business. Next, they craft an email especially for you with an airline reservation or receipt that looks just like the real thing, sent with a spoofed “From” email address that also looks legit.

Sometimes, they even have links in this email that go to a website that looks identical to the real airline, but it is fake. They try to do two things: 1) try to steal your company username and password, and 2) try to trick you into opening the attachment which could be a PDF or DOCX. If you click on the link or open the attachment, your workstation will possibly get infected with malware that allows the bad guys to hack into your network.

Remember, if you want to check any airline reservations or flight status, open your browser and type the website name in the address bar or use a bookmark that you yourself set earlier. Do not click on links in emails to go to websites. And as always…. Think before You Click!