Reports have emerged that the global WannaCry ransomware attack in mid-May masked another attack, by the cryptocurrency miner Adylkuzz.
Adylkuzz rides on the same Microsoft vulnerability as WannaCry did, but uses an infected machine's resources to mine for Monero, a type of cryptocurrency. Adylkuzz is believed to have infected far more machines, as it was allowed to run free while everyone was focused on dealing with WannaCry, says McAfee, a pure-play cybersecurity organisation.
Steve Grobman, CTO, McAfee, said: “Organisations should never conclude that the absence of a major cyberattack means that they have effective cyberdefenses. WannaCry and Adylkuzz show how important security patches are in building and maintaining those effective defenses, and why regular patching plans to mitigate environment vulnerabilities need to become a higher priority.
“Whenever there is a patch that must be applied, there is a risk associated with both applying, and not applying it. IT managers need to understand what those levels of risk are, and then make a decision that minimises the risk for their organisation. Companies that have become lax in applying patches may not have experienced any attacks that can take advantage of those vulnerabilities, reinforcing the behaviour that it’s okay to delay patching.
“One difference between Adylkuzz and WannaCry is that it is advantageous for Adylkuzz to remain undetected and run as long as possible to maximise the amount of time a machine can be used for mining. This creates an incentive for the cybercriminals of Adylkuzz to cause minimal damage and fly under the radar, whereas WannaCry loudly informs the user that a compromise has occurred and causes massive destruction to the data on a platform.
WannaCry and Adylkuzz are the latest reminders of how the ‘to patch or not to patch’ risk analysis needs to be rethought within organisations worldwide.”
Meanwhile, the Check Point Threat Intelligence and Research team registered a new killswitch domain used by a fresh sample of the WannaCry ransomware in mid-May. Registering the domain ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com activated the killswitch, the team said in a blog post.
According to Check Point, the killswitch works in the same way as in earlier versions of the ransomware, with the rest of the code similar to the older versions.
As with other security vendors, Sophos has released intelligence on the WannaCry attack. The company also shared a video on how it works, and invites home users to try the new Sophos Home Premium beta, which is free.
David Maciejak, Director of Security Research at Fortinet, said: “WannaCry has infiltrated thousands of organisations around the world, including many key institutions. This ransomware is especially notable for its multilanguage ransom demands that support more than two dozen languages.
“Fortinet addresses organizations’ cyber security challenges with an intelligent Security Fabric that spans the entire network, linking different security sensors and tools together to collect, coordinate, and respond to malicious behaviour whenever it occurs. Only by harnessing all their cyber defence resources in a coordinated way can firms effectively fight massive cyberattacks like WannaCry.”
“Therefore, protect yourself by being extra cautious and suspicious of unsolicited emails and always type out web addresses yourself rather than directly clicking on links. Another safeguard is to use antivirus programs that can scan files before they are downloaded, block secret installations and look for malware that may already be on a computer. Don’t make any payments in response to a ransom request – hackers will simply bleed you dry without any promise of return.”
Trend Micro noted that it has been tracking WannaCry since April and provided the following snapshot:
- WannaCry ransomware targets and encrypts 176 file types. Some of the file types WannaCry targets are database, multimedia and archive files, as well as Office documents.
- In its ransom note, which supports 27 languages, it initially demands US$300 worth of Bitcoins from its victims—an amount that increases incrementally after a certain time limit. The victim is also given a seven-day limit before the affected files are deleted.
- WannaCry leverages CVE-2017-0144, a vulnerability in Server Message Block (SMB), to infect systems. The security flaw is attacked using an exploit leaked by the Shadow Brokers group—the EternalBlue exploit, in particular.
- WannaCry’s propagation capability is reminiscent of ransomware families like SAMSAM, HDDCryptor, and several variants of Cerber—all of which can infect systems and servers connected to the network without user intervention.
As of mid-May, Fortinet’s tracking analysis shows that there has been an average of more than 4,000 ransomware attacks every day since January 1, 2016. Symantec research shows ransomware attacks grew to 463,841 in 2016, up from 340,665 attacks in 2015 (36% increase) globally. The average ransom per victim grew to US$1,077 in 2016, up from US$294 in 2015 (266% increase) globally.
Nick Savvides, Security Advocate at Symantec Asia Pacific and Japan, said that the WannaCry attack and its variants could escalate as many organisations have not applied the patches to prevent the automatic spread. "The best defense is to ensure the operating systems and security software are up to date and importantly educate users to exercise caution and understand the threats," he said.
Savvides added that ransomware is extremely profitable for cybercriminals so the cyberattacks are expected to continue. He also identified advanced persistent threats (APTs) as a focus for cybercrime.
"APTs and ransomware are both very serious threats but operate at different ends of the cybercrime spectrum. Ransomware is generally indiscriminate, with the idea to infect as many people as possible to improve the chances of the ransom being paid, as the motivation is purely financial. APTs, on the other hand, are extremely targeted; they are motivated by both money and politics. The cybercriminals spend a lot of time planning their APTs and use very sophisticated tools to achieve their goals. Symantec expects both types of attacks to continue to evolve, to not just improve their ability to compromise but also their ability to evade detection."