
Bug in Microsoft RDP allows hackers to perform a WannaCry-level attack


A critical remote code execution vulnerability in Microsoft Remote Desktop Services lets attackers compromise a vulnerable system with WannaCry-level malware.

Microsoft recently fixed this RCE vulnerability in Remote Desktop Services, formerly known as Terminal Services; it affects some older versions of Windows.

The WannaCry attack was one of the most notorious cyber attacks of this decade, and it shut down millions of computers around the world by exploiting a vulnerability in the RDP protocol.

In this case, the Remote Desktop Protocol (RDP) itself is not vulnerable; the flaw is pre-authentication, meaning it can be triggered before any credentials are supplied, and it does not require user interaction.

No exploit for this vulnerability is known at this time, but attackers are expected to create malware that exploits it in a way similar to the WannaCry attack.

Vulnerable in-support systems include Windows 7, Windows Server 2008 R2 and Windows Server 2008, as well as the out-of-support Windows 2003 and Windows XP.

3 Million Endpoints are Vulnerable to This RCE Bug

To exploit it, an unauthenticated attacker first establishes a connection to the vulnerable system over RDP and then sends a specially crafted malicious request.

According to Microsoft, "This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

Independent researcher Kevin Beaumont said that, based on Shodan search results, around 3 million RDP endpoints are directly exposed to the internet.

“There is partial mitigation on affected systems that have Network Level Authentication (NLA) enabled. The affected systems are mitigated against ‘wormable’ malware or advanced malware threats that could exploit the vulnerability, as NLA requires authentication before the vulnerability can be triggered.” Microsoft said.

According to Simon Pope, Director of Incident Response, Microsoft Security Response Center (MSRC) “Customers running Windows 8 and Windows 10 are not affected by this vulnerability”.
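A defensive check for the NLA mitigation described above, added here as an example and not code from the original post: it reports whether the local host is in one of the affected Windows families and whether NLA is enforced on the RDP-Tcp listener, reading the documented Terminal Server registry values. It assumes PowerShell 3.0 or later (so in practice Windows 7 SP1 / Server 2008 R2 with WMF 3 or newer) run in an elevated session; the version-to-name mapping is an assumption used only for labelling.

```powershell
# Added example: audit the local host's exposure to the RDP bug described above.
# Run in an elevated PowerShell session on the host being checked.
function Get-RdpBugExposure {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver = [version]$os.Version
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # Affected families named in the post, keyed by kernel major.minor (labels assumed here)
    $affected = @{
        '5.1' = 'Windows XP (out of support)'
        '5.2' = 'Windows Server 2003 (out of support)'
        '6.0' = 'Windows Server 2008'
        '6.1' = 'Windows 7 / Windows Server 2008 R2'
    }
    $family = '{0}.{1}' -f $ver.Major, $ver.Minor

    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely
    $rdpDisabled = (Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections -eq 1
    # UserAuthentication = 1 on the RDP-Tcp listener means NLA is required before a session is set up
    $nla = (Get-ItemProperty -Path "$key\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication -eq 1

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSVersion      = $os.Version
        AffectedFamily = if ($affected.ContainsKey($family)) { $affected[$family] } else { $null }
        RdpEnabled     = -not $rdpDisabled
        NlaRequired    = $nla
        # Exposed = affected OS, RDP listening, and no NLA gating the pre-authentication path
        Exposed        = $affected.ContainsKey($family) -and -not $rdpDisabled -and -not $nla
    }
}

# Turn on NLA (Microsoft's partial mitigation) through the Terminal Services WMI class
function Enable-RdpNla {
    $ts = Get-CimInstance -Namespace 'root\CIMV2\TerminalServices' -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"
    Invoke-CimMethod -InputObject $ts -MethodName SetUserAuthenticationRequired -Arguments @{ UserAuthenticationRequired = 1 } | Out-Null
    (Get-RdpBugExposure).NlaRequired   # re-read the registry to confirm the change took
}

Get-RdpBugExposure | Format-List
```

NLA only narrows the exposure; the patch is still required, and clients without CredSSP support will be unable to connect once NLA is enforced.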

WannaCry hero pleads guilty to malware charges

Marcus Hutchins, author of the popular blog MalwareTech and the British cybersecurity expert credited with stopping the WannaCry attack in 2017, now faces up to 10 years in prison after pleading guilty on Monday to writing malware to steal banking information in the years before his career as a malware researcher.

Hutchins stated on his website that he has "pleaded guilty to two charges related to writing malware" and added that he now regrets those actions.

Hutchins posted the statement on his website and on his Twitter feed: “I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”

Hutchins is a rare talent who has since fallen from the heights of his reputation, having been associated with multiple malware developments and ransomware cases, as well as with lying to the FBI.

Federal prosecutors in Wisconsin and Marcus Hutchins’ attorneys said in a joint court filing Friday that the 24-year-old agreed to plead guilty to developing malware called Kronos and conspiring to distribute it from 2012 to 2015. In exchange for his plea to those charges, prosecutors dismissed eight more.

Hutchins was virtually unknown to most of the security community until May 2017, when the UK media revealed him as the “accidental hero” who inadvertently halted the global spread of WannaCry, a ransomware contagion that had taken the world by storm just days before. His arrest in Las Vegas in August 2017, as he was about to board a flight to England, came as a shock. At the time, he told The Associated Press in an interview that he didn’t consider himself a hero but that he was combating malware because “it’s the right thing to do.”

According to security experts, the malware could have infected many more systems worldwide had Hutchins not stemmed the spread of the infection after spotting a weakness in WannaCry's code.

Hutchins could receive a more lenient sentence for accepting responsibility, the court filing said. Attorneys said Hutchins understands he could be deported. The sentencing has not been scheduled.

NHS to migrate to Windows 10 to upgrade cybersecurity defences

Microsoft on Saturday announced that the UK Department of Health and Social Care will transition all National Health Service (NHS) computer systems to Windows 10 to better protect against future cyber attacks.

The Department has signed a security agreement with Microsoft to that end.

According to officials, the operating system’s more advanced security features, such as the SmartScreen technology built into Microsoft Edge, and Windows Defender, are the primary reason for the transition.

Another reason for upgrading their security systems was the damage caused by the WannaCry ransomware attack last year, when the NHS was one of the first victims.

“More than a third of trusts in the UK were disrupted by the WannaCry ransomware attack last year, according to the National Audit Office, which led to the cancellation of 6,900 appointments. WannaCry was an international attack on an unprecedented scale that affected organisations across the globe. While it did not specifically target the NHS, the impact on health organisations was significant,” read the announcement by Microsoft.

According to Kaspersky and Microsoft telemetry, over 98 percent of all WannaCry victims were Windows 7 users.

“We have been building the capability of NHS systems over a number of years, but there is always more to do to future-proof our NHS as far as reasonably possible against this threat,” said Jeremy Hunt, the Health and Social Care Secretary. “This new technology will ensure the NHS can use the latest and most resilient software available – something the public rightly expect.”


WannaCry Ransomware in simultaneous attack on firms and organizations around the world


To their utter dismay, on May 12, 2017 firms and organizations in many countries around the world, including geopolitical rivals Russia and the US, suffered mass attacks by the malware WannaCry. This ransomware also goes by the names WCry, WannaCry, WannaCrypt0r and WannaCrypt, and it did make some cry.

Within a few hours WannaCry had infected tens of thousands of devices. Experts from Avast indicated that upwards of 57,000 devices had already been infected. Taiwan, Russia and Ukraine are understood to have been the main targets of the malware, quite a strange mix. Quoting specialists from Kaspersky, a Russian news agency reported about 45,000 WannaCry attacks in 74 countries around the world, with Russia being the most affected.

Corporate victims include the likes of FedEx, Spanish majors such as Telefonica, Gas Natural, Iberdrola and Santander Bank, and KPMG. The health care sector, already among the most vulnerable, was also hit; targets here included the UK’s National Health Service and other medical institutions in the UK.

According to journalists at "Medusa", Russian targets included MegaFon, the Ministry of Internal Affairs and the Investigative Committee of the Russian Federation.

This malware, WCry, was first discovered in February 2017. It has evolved and “mutated” over the last few months, and the more potent Version 2.0 uses an NSA SMB exploit from a toolkit published earlier by the hacker group The Shadow Brokers.

It is believed that “Kafeine”, a French expert, was one of the first to discover the new mutation of the Trojan. Kafeine realised that WannaCry had been updated to adopt the EternalBlue exploit, which was written by NSA whiz kids to take advantage of vulnerabilities in SMBv1. Several other security specialists confirmed Kafeine's findings.

Microsoft had released a fix for ETERNALBLUE in March 2017. However, paranoia is yet to set in among many computer users, and so many did not apply the fix. This lackadaisical attitude has now been exploited. As always, a sense of déjà vu prevails among cybersecurity pros.
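Since the exploit path described above runs over SMBv1, the first thing a defender wants to know is whether that protocol is still switched on. The following audit script is an added example, not code from the original post: it reads the SMBv1 server setting through the SMB cmdlets where they exist (Windows 8 / Server 2012 and later) and otherwise through the documented LanmanServer registry value used on Windows 7 / Server 2008 R2, and offers a matching way to turn the protocol off. It assumes an elevated PowerShell 3.0 or later session.

```powershell
# Added example: audit and disable the SMBv1 server on the local host.
function Get-Smb1Status {
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    # The SMB1 value is absent by default; absent or non-zero means the SMBv1 server is enabled
    $reg = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $regEnabled = ($null -eq $reg) -or ($reg -ne 0)

    # Newer Windows exposes the same setting through the SMB cmdlets; prefer that view when available
    $cmdletView = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $cmdletView = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # The Server service (LanmanServer) is what listens on TCP 445
    $svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = if ($null -ne $cmdletView) { [bool]$cmdletView } else { $regEnabled }
        ServerServiceUp   = [bool]($svc -and $svc.Status -eq 'Running')
    }
}

# Disable the SMBv1 server. Uses the SMB cmdlet where present, otherwise the registry value
# documented for Windows 7 / Server 2008 R2, which only takes effect after a reboot.
function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                         -Name SMB1 -Type DWord -Value 0
        Write-Warning 'SMB1 registry value set to 0; a reboot is required for the change to apply.'
    }
    Get-Smb1Status   # re-read so the caller sees the resulting state
}

Get-Smb1Status | Format-List
```

Disabling SMBv1 removes the protocol the exploit needs but is not a substitute for installing the March 2017 fix; do both.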

For those interested, the spread of WannaCry can be observed in real time at https://intel.malwaretech.com/WannaCrypt.html