by Pamela Williams
So here we go again, but this time something is strange and different. Tuesday’s attack contained some puzzling elements to security experts, raising concerns that it may not have been about payment at all. the goal appeared to be “the destabilization of the economic situation and in the civic consciousness of Ukraine” even though it was “disguised as an extortion attempt.” Lets look at what some varied sources are saying.
DEFENSE ONE is saying, “The lesson from Tuesday’s massive cyber attack, beware of updates from Ukrainian accounting apps” that are orders of magnitude larger than normal.” I have no idea what that means exactly, but I am concerned about this virus hitting US hospitals. In such a case, you are talking about lives on the line. Heritage Valley Health Systems, a health care network that runs two hospitals in Western Pennsylvania, also confirmed in a statement to Recode on Tuesday that it was a victim of the same ransomware attack that has spread around the globe. At least one surgery had to be postponed because of the hack, according to a woman interviewed by Pittsburgh Action News 4.
More from DEFENSE ONE: A vulnerability within an obscure piece of Ukrainian accounting software is the root cause of the massive cyber attack that swept the globe Tuesday, according to the Ukrainian law enforcement. The attack hit Ukrainian utilities and airline services, U.S. based pharmaceutical company Merck, Russian oil giant Rosneft and even forced operators at the Chernobyl nuclear power plant to switch to manual radiation monitoring of the site.
The software is called Me.DOC, it’s basically an application for tax reporting and filing for companies that do business in Ukraine. At about 10:30 a.m. GMT Tuesday. MeDoc ran an automatic update on the software, a routine event. That connected every version of Me.Doc on every computer on which it had been installed (so long as it was online) to this address: 220.127.116.11.
That by itself is not unusual.
As the Ukrainian police’s cyber division explained in a Facebook post on Tuesday, updates from Me.doc are usually rather small, about 300 bytes. The update on Tuesday morning ran 333 kilobytes, orders of magnitude larger.
Once host computers download the update — becoming infected — the malware creates a new file called Rundll32.exe. Next it contacts a different network. It then starts running new commands, taking advantage of a particular Windows vulnerability, the same Microsoft vulnerability targeted by Wannacry.
Defense One verified the Ukrainian police’s post with a second researcher who had direct knowledge of the attack and the malware in question
Other cyber security researchers with Russia-based Kaspersky Labs also began pointing to Me.DOC on Tuesday as the likely point of spread.
At this point, no one has claimed responsibility for the attack and authorities have yet to make a hard determination about attribution. Actors backed by the Russian government have been targeting portions of Ukrainian infrastructure since 2015 when a massive attack by a group knocked out power to more than 225,000 people in Ukraine. Hackers pulled a similar stunt in December, a story first reported by Defense One.
Security specialists said the cyberattacks on Tuesday exploited an already patched vulnerability in Windows software. The malware that, once in a computer, locked away data from users who were then told to pay, bore resemblances to the recent WannaCry attack. U.S. software titan Microsoft also called the latest virus ransomware.
After the WannaCry scourge in May, Microsoft urged users to protect machines with the MS17-010 patch. I think most of us did that, but how long is that going to work? The flaw, and the means to exploit it, had previously been disclosed in pirated documents about cyberweapons at the U.S. National Security Agency. Here is where I get angry, in the problem we are now facing we are having to rely on hackers to assist us.
Here is the advice from an expert at www.actuarialpost.co.uk/news/article/petya-ransomware-virus-expert—do-not-power-up-12282.htm
Comments from Dr Mark Hawksworth, Global Technology Specialist Practice Group Leader, Cunningham Lindsey, on the Petya ransomware virus:
Please consider his following advice:
“We expected another wide scale virus attack shortly after Wannacry, as cyber criminals copied and improved on a Wannacry styled virus. If you have any computers that are infected with Petya and your machine has crashed / powered off – do not power up! Use a LiveCD or external machine to recover files. Our Cyber team has been able to ascertain that as long as you do not go past the CHKDSK message, your files are safe and you can recover them. Our global cyber team with centres in Europe, Australia, New Zealand, South Africa, US, Canada, South America and Asia are ready to assist.
Several insurers have been paying ransoms when insured are hit by ransomware, as a quick way of resolving the issue. This only funds the cyber criminals and the short term gain can quickly turn painful if a firm is added to a ‘sucker-list’ by cyber criminals, indicating that you are susceptible to ransom.
Computers affected by Petya now have the added headache that the author’s email account has now been frozen, meaning that paying a ransom is no longer an option as they can’t provide decryption keys”
Current situation of Petrwrap/wowsmith123456 ransomware – percentage of infections by country. pic.twitter.com/Q42WPlBlja
— Costin Raiu (@craiu) June 27, 2017
We do not have good news from Bloomberg: McAfee CEO says attacks are just beginning.
It is really frightening to read that Tuesday’s attack contained some puzzling elements to security experts, raising concerns that it may not have been about payment at all.”There’s something weird about this one.” I would say get ready, this is only the beginning.
Here is another account, which I am very frustrated over! One of the exploits allegedly stolen from the National Security Agency and leaked by the mysterious TheShadowBrokers entity is behind this present global ransomware attack! The last time I said that Wikileaks was irresponsible in spreading these tools, I was harshly jumped on. However, I am saying it again: Wikileaks should never have allowed their publication to spread these tools…just like the NSA is guilty of creating them. It all just infuriates me!
The following is from the US Government:
“It appears that many companies may have put off patching, instead relying on a signature to detect and prevent the malware from executing,” Curt Dukes, former head of information assurance at the NSA says.
“Unfortunately, the adversary re-purposed the malware, perhaps changing the signature (detection capability), and replayed the attack,” he added, saying that it is unclear whether or not the Microsoft patch is ineffective in this case. “It’s also possible that the adversary looked closely at the [Microsoft Service Message Block] component and found another vulnerability that evades the patch.”
F-Secure Chief Researcher Mikko Hypponen tweeted that patched systems are vulnerable because “Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC.”
Dukes, who is now executive vice president at the Center for Internet Security, said the sophistication of the new ransomware suggests an organization with the development budget to be able to weaponize the EternalBlue exploit.
He added that organizations that were not affected by WannaCry are not necessarily immune from Petya.
“Security staff should always assume the developer, or other criminal elements will learn from defensive measures that have been implemented and come at them again,” said Dukes. “It appears that the criminal element has removed many/most of the shortcomings with WannaCry into a new piece of malware.”
Department of Homeland Security spokesperson Scott McConnell said DHS is monitoring the attack and “is coordinating with our international and domestic cyber partners. We stand ready to support any requests for assistance.”
The Department of Defense said it is also tracking the ransomware, but officials would not comment on whether its devices have been patched or if any of its systems have been affected.
So that is pretty much the round up of sources and information on this present cyber attack. Questions remain, and the most important question of all is: Will these attacks destroy our internal structure putting a halt to life as we know it?
Visit our page on Facebook from here :
Check The Source Here: goo.gl/mfPvZ9
Petya is a family of encrypting ransomware that was first discovered in 2016. The malware targets Microsoft Windows-based systems, infecting the master boot record to execute a payload which encrypts the NTFS file table, demanding a payment in bitcoin in order to re-gain access to the system.
Variants of Petya were first seen in March 2016, which propagated via infected e-mail attachments. In June 2017, a new variant of Petya was used for a major global cyberattack, which utilizes the EternalBlue vulnerability previously used by WannaCry earlier in the year.
Petya was first discovered in March 2016; Check Point noted that while it had achieved fewer infections than other ransomware active in early 2016, such as CryptoWall, it contained notable differences in operation that caused it to be “immediately flagged as the next step in ransomware evolution”. Another variant of Petya discovered in May 2016 contained a secondary payload used if the malware cannot achieve administrator-level access.
On June 27, 2017, a major global cyberattack began, utilizing a new variant of Petya. Kaspersky Lab reported infections in France, Germany, Italy, Poland, United Kingdom, and the United States, but that the majority of infections targeted Russia and Ukraine, where more than 80 companies initially were attacked, including the National Bank of Ukraine. McAfee engineer Christiaan Beek stated that this variant was designed to spread quickly, and that it had been targeting “complete energy companies, the power grid, bus stations, gas stations, the airport, and banks” Kaspersky dubbed the variant “NotPetya”, as it has major differences in its operations in comparison to earlier variants.