The No More Ransom Project: tools and howtos to decrypt ransomware from the EU

Law enforcement and IT Security companies have joined forces to disrupt cybercriminal businesses with ransomware connections.

The “No More Ransom” website is an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre and two cyber security companies – Kaspersky Lab and Intel Security – with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.

Since it is much easier to avoid the threat than to fight against it once the system is affected, the project also aims to educate users about how ransomware works and what countermeasures can be taken to effectively prevent infection. The more parties supporting this project the better the results can be. This initiative is open to other public and private parties.

Source: The No More Ransom Project

Cybereason Introduces: Free Behavioral-Based Ransomware Blocking

Edit: It seems that this system creates a whole load of bogus files and dirs and monitors them, not the whole file system. This pollutes the file system and means that people can quite easily write around it.

Every ransomware program goes over files, chooses the ones that look interesting, encrypts them and destroys the originals. You know what else does this? Compression software, legitimate encryption applications and backup and cloud-sync solutions in addition to many more programs. The same behavior is exhibited even if you manually compress a directory with a password and then delete it. Since ransomware encrypts any file anywhere on a computer, it’s extremely difficult to distinguish a legitimate file activity from a malicious one. While every encrypted file increases the likelihood that the ransomware will be detected, each encrypted file equals another important piece of information lost. Every second counts when ransomware starts encrypting files.

Cybereason RansomFree: Behavior-Based Ransomware Blocking Freeware

Cybereason researched more than 40 ransomware strains, including Locky, Cryptowall, TeslaCrypt, Jigsaw and Cerber and identified the behavioral patterns that distinguish ransomware from legitimate applications. Whether a criminal group or nation created the program, all ransomware functions the same way and encrypts as many files as possible. These programs can’t determine what files are important so they encrypt everything based on file extensions.

RansomFree, Cybereason’s behavioral anti-ransomware free tool, takes all these challenges into consideration. By putting multiple deception methods in place, RansomFree detects ransomware as soon as encryption occurs either on a computer or network drive. Once encryption is detected, RansomFree suspends it, displays a popup that warns users their files are at risk and enables them to stop the attack.

RansomFree protects against local encryption as well as the encryption of files on network or shared drives. The encryption of shared files is among the doomsday scenarios an organization can imagine. It takes only one employee on the network to execute ransomware and affect the entire company.
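The deception approach the article describes, and the limit the edit above points out, fit in a few dozen lines. The following is an added example written for this page, not Cybereason's code: it plants decoy files, hashes them, and on each poll reports decoys that went missing or were rewritten with high-entropy content. The decoy names, the entropy threshold and the simulated encryptor are assumptions made for the demo.

```python
"""Decoy-file tripwire for ransomware (added illustration; not RansomFree's code).

Plants a few canary files, records a baseline and polls them for change.
A program sweeping the directory tree overwrites, renames or deletes the
decoys; a rewrite to high-entropy content is reported as likely encryption.
The limitation noted above applies: only the decoys are watched, so a
sample that skips unfamiliar file names or never touches these paths
is not seen. Names, threshold and the simulated encryptor are assumptions.
"""
import hashlib
import math
import os
import tempfile

DECOY_NAMES = ["_aaa_invoice.docx", "_aaa_photos.jpg", "_aaa_budget.xlsx"]
ENTROPY_THRESHOLD = 7.0   # bits/byte: text sits near 4-5, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plant_decoys(root: str) -> dict:
    """Create low-entropy decoys in `root`; return {path: sha256} as the baseline."""
    baseline = {}
    for name in DECOY_NAMES:
        path = os.path.join(root, name)
        content = b"Quarterly numbers, nothing to see here.\n" * 40
        with open(path, "wb") as f:
            f.write(content)
        baseline[path] = hashlib.sha256(content).hexdigest()
    return baseline


def check_decoys(baseline: dict) -> list:
    """Return (path, verdict) for every decoy that no longer matches the baseline."""
    alerts = []
    for path, digest in baseline.items():
        if not os.path.exists(path):
            alerts.append((path, "missing (deleted or renamed)"))
            continue
        with open(path, "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() == digest:
            continue
        if shannon_entropy(data) >= ENTROPY_THRESHOLD:
            alerts.append((path, "rewritten with high-entropy content (encrypted?)"))
        else:
            alerts.append((path, "modified"))
    return alerts


def simulate_encryptor(root: str, rename: bool) -> None:
    """Stand-in for ransomware, constructed for the demo: overwrite every file in
    `root` with random bytes and optionally give it a ransom extension."""
    for name in os.listdir(root):
        path = os.path.join(root, name)
        with open(path, "wb") as f:
            f.write(os.urandom(4096))
        if rename:
            os.rename(path, path + ".locked")


def demo(rename: bool = False) -> list:
    """Plant decoys in a scratch directory, run the simulated encryptor, report."""
    with tempfile.TemporaryDirectory() as root:
        baseline = plant_decoys(root)
        if check_decoys(baseline):
            raise RuntimeError("baseline should be clean")
        simulate_encryptor(root, rename)
        return check_decoys(baseline)


if __name__ == "__main__":
    for path, verdict in demo():
        print(f"ALERT {verdict}: {path}")
```

Run as-is, the three decoys are reported as rewritten with high-entropy content; with `demo(rename=True)` they are reported missing. A real agent would place decoys in the paths an encryptor sweeps first (user profile, mapped shares) and hook file writes rather than poll, and even then a sample that only touches files it has a reason to expect slips past exactly as the edit above says.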

Source: Cybereason Introduces: Free Behavioral-Based Ransomware Blocking

Interesting. Unfortunately Windows only.

Physicists show that real-time error correction in quantum communications is possible

Now researchers have shown that there is a grey area where Nature cannot tell the difference between the classical and the quantum. This opens the possibility of first performing quantum experiments with a type of classical light called “classically entangled” light.

By preparing and sending a so-called “classically entangled” beam the team could show that this was identical to sending a quantum state. This means that the observed quantum entanglement decay due to noise in the link can be reversed, paving the way for major advances in secure quantum links in fibre and free-space.

“We showed for the first time that classical light can be used to analyse a quantum link, acting as a direct equivalent to the behavior of the quantum state,” says Bienvenu Ndagano, lead author and PhD student at Wits University.

“Not similar, or mimicking, but equivalent. To show this, we exploited a particular type of laser beam, called vector beams, that have the property of being non-separable and sometimes called ‘classically entangled’.”

Ndagano explains that the quintessential property of quantum entanglement is the non-separability of the state, meaning that one part of the system cannot be separated from the other. “But non-separability is not unique to the quantum world: you can find it in weather maps where the locations on the map and the temperatures at those locations can’t be separated.”

More intriguingly, classical vector beams have this property too, which the team calls “classically entangled” light.

Says Forbes, “What we asked was: does this mean that classical light can be used in quantum systems – a grey area between the two worlds that we call classical entanglement?”.

[…]

This work allows for long distance quantum links to be established and tested with classically entangled light: as there is no shortage of photons in the classical light, all the measurements needed to fix the errors in the quantum state can be done in real-time without destroying the quantum information.

Thus, real-time error correction is possible as you can run experiments in the classical world that will tell you how to fix the error in the quantum world.

Source: Physicists show that real-time error correction in quantum communications is possible

Your Android device’s Pattern Lock can be cracked within five attempts

New research from Lancaster University, Northwest University in China, and the University of Bath, which benefitted from funding from the Engineering and Physical Sciences Research Council (EPSRC), shows for the first time that attackers can crack Pattern Lock reliably within five attempts by using video and computer vision algorithm software.

By covertly videoing the owner drawing their Pattern Lock shape to unlock their device, while enjoying a coffee in a busy café for example, the attacker, who is pretending to play with their phone, can then use software to quickly track the owner’s fingertip movements relative to the position of the device. Within seconds the algorithm produces a small number of candidate patterns to access the Android phone or tablet.

The attack works even without the video footage being able to see any of the on-screen content, and regardless of the size of the screen. Results are accurate on video recorded on a mobile phone from up to two and a half metres away – and so attacks are more covert than shoulder-surfing. It also works reliably with footage recorded on a digital SLR camera at distances up to nine metres away.

Researchers evaluated the attack using 120 unique patterns collected from independent users. They were able to crack more than 95 per cent of patterns within five attempts.

Complex patterns, which use more lines between dots, are used by many to make it harder for observers to replicate. However, researchers found that these complex shapes were easier to crack because they help the fingertip algorithm to narrow down the possible options.

During tests, researchers were able to crack all but one of the patterns categorised as complex within the first attempt. They were able to successfully crack 87.5 per cent of median complex patterns and 60 per cent of simple patterns with the first attempt.

Source: Your Android device’s Pattern Lock can be cracked within five attempts

It’s not just your browser: Your machine can be fingerprinted easily

The group – Yinzhi Cao and Song Li of Lehigh University in Pennsylvania, and Erik Wijmans from Washington University in St. Louis – have worked out how to access various operating system and hardware-level features that can fingerprint an individual machine, regardless of browser.

These include screen resolution with zoom; CPU virtual cores; installed fonts and writing scripts; the AudioContext call; GPU features such as line and curve rendering, anti-aliasing, shading, and transparency; and more.

The researchers reckon they can fingerprint a machine with 99.24 per cent accuracy (compared to under 91 per cent for browser fingerprinting).

Cao and friends say there’s one browser that defeats the worst of their attacks: the Tor browser.

Source: It’s not just your browser: Your machine can be fingerprinted easily

WhatsApp backdoor allows snooping on encrypted messages

WhatsApp’s end-to-end encryption relies on the generation of unique security keys, using the acclaimed Signal protocol, developed by Open Whisper Systems, that are traded and verified between users to guarantee communications are secure and cannot be intercepted by a middleman. However, WhatsApp has the ability to force the generation of new encryption keys for offline users, unbeknown to the sender and recipient of the messages, and to make the sender re-encrypt messages with new keys and send them again for any messages that have not been marked as delivered.

The recipient is not made aware of this change in encryption, while the sender is only notified if they have opted-in to encryption warnings in settings, and only after the messages have been re-sent. This re-encryption and rebroadcasting effectively allows WhatsApp to intercept and read users’ messages.

The security backdoor was discovered by Tobias Boelter, a cryptography and security researcher at the University of California, Berkeley. He told the Guardian: “If WhatsApp is asked by a government agency to disclose its messaging records, it can effectively grant access due to the change in keys.”

The backdoor is not inherent to the Signal protocol. Open Whisper Systems’ messaging app, Signal, the app used and recommended by whistleblower Edward Snowden, does not suffer from the same vulnerability. If a recipient changes the security key while offline, for instance, a sent message will fail to be delivered and the sender will be notified of the change in security keys without automatically resending the message.

WhatsApp’s implementation automatically resends an undelivered message with a new key without warning the user in advance or giving them the ability to prevent it.
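The difference between the two behaviours described above is a client policy decision and can be modelled without any of the real Signal machinery. The following is an added model written for this page, not WhatsApp's or Open Whisper Systems' code: a relay server that doubles as the key directory, a toy static Diffie-Hellman scheme over a small prime (an assumption for the demo; real clients use X25519 and the Double Ratchet), and two client policies for an undelivered message whose recipient key changed while the recipient was offline.

```python
"""Key-change handling on message resend (added model, not WhatsApp or Signal code).

Toy end-to-end encryption: static Diffie-Hellman over a small prime plus a
SHA-256 keystream. The server relays ciphertexts and holds each user's
public key. When the recipient is offline the server can swap in a key it
controls; the two client policies below differ in what happens to an
undelivered message after that swap.
"""
import hashlib
import secrets

P = 2**127 - 1      # Mersenne prime; toy-sized, an assumption for the demo
G = 3


def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def _stream(shared: int, n: int) -> bytes:
    """Keystream of n bytes derived from the DH shared secret."""
    key = hashlib.sha256(str(shared).encode()).digest()
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def encrypt(sender_priv: int, recipient_pub: int, msg: bytes) -> bytes:
    shared = pow(recipient_pub, sender_priv, P)
    return bytes(a ^ b for a, b in zip(msg, _stream(shared, len(msg))))


def decrypt(recipient_priv: int, sender_pub: int, ct: bytes) -> bytes:
    return encrypt(recipient_priv, sender_pub, ct)   # XOR keystream is symmetric


class Server:
    """Relay plus key directory. hijack_key() is the action only the server can take."""

    def __init__(self):
        self.directory = {}      # user -> public key served to others
        self.outbox = {}         # user -> [(sender, ciphertext)] delivered
        self.online = set()
        self.swapped_priv = {}   # user -> private key the server substituted

    def register(self, user, pub):
        self.directory[user] = pub

    def lookup(self, user):
        return self.directory[user]

    def send(self, sender, recipient, ct) -> bool:
        """True if delivered now, False if the recipient is offline."""
        if recipient in self.online:
            self.outbox.setdefault(recipient, []).append((sender, ct))
            return True
        return False

    def hijack_key(self, user):
        priv, pub = keygen()
        self.swapped_priv[user] = priv
        self.directory[user] = pub


class Client:
    def __init__(self, name, server, auto_resend: bool):
        self.name, self.server, self.auto_resend = name, server, auto_resend
        self.priv, self.pub = keygen()
        server.register(name, self.pub)
        self.known_keys = {}     # pinned key per peer (trust on first use)
        self.pending = []        # (recipient, plaintext) not yet delivered
        self.warnings = []

    def send(self, recipient, msg: bytes):
        pub = self.known_keys.setdefault(recipient, self.server.lookup(recipient))
        if not self.server.send(self.name, recipient, encrypt(self.priv, pub, msg)):
            self.pending.append((recipient, msg))

    def retry_pending(self):
        """Called when a recipient comes back online."""
        held = []
        for recipient, msg in self.pending:
            current = self.server.lookup(recipient)
            if current != self.known_keys[recipient]:
                self.warnings.append(f"{recipient}'s security code changed")
                if not self.auto_resend:
                    held.append((recipient, msg))   # wait for the user to verify
                    continue
                self.known_keys[recipient] = current  # silently trust the new key
            self.server.send(self.name, recipient,
                             encrypt(self.priv, self.known_keys[recipient], msg))
        self.pending = held


def scenario(auto_resend: bool):
    """Bob is offline, Alice sends, the server swaps Bob's key, Bob returns.
    Returns (plaintexts the server can read, Alice's warnings, messages still held)."""
    server = Server()
    alice = Client("alice", server, auto_resend)
    Client("bob", server, auto_resend)
    server.online.add("alice")
    alice.send("bob", b"meet at 9, bring the files")
    server.hijack_key("bob")
    server.online.add("bob")
    alice.retry_pending()
    readable = [decrypt(server.swapped_priv["bob"], alice.pub, ct)
                for _, ct in server.outbox.get("bob", [])]
    return readable, alice.warnings, len(alice.pending)
```

With `auto_resend=True` the server ends up holding a ciphertext under a key it controls and the sender learns of the change only after the fact, which is the behaviour the Guardian piece objects to; with `auto_resend=False` the message stays queued until the user checks the new security code. The model deliberately leaves out ratcheting and authentication so that the policy difference is the only moving part.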

Source: WhatsApp backdoor allows snooping on encrypted messages | Technology | The Guardian

MongoDB ransom attacks soar, body count hits 27,000 in hours

MongoDB databases are being decimated in soaring ransomware attacks that have seen the number of compromised systems more than double to 27,000 in a day.

Criminals are accessing, copying and deleting data from unpatched or badly-configured databases.

Administrators are being charged ransoms to have data returned. Initial attacks saw ransoms of 0.2 bitcoins (US$184) to attacker harak1r1, of which 22 victims appeared to have paid, up from 16 on Wednesday when the attacks were first reported.

However, some payments could be benign transfers designed to make it appear victims are paying.

Norway-based security researcher and Microsoft developer Niall Merrigan says the attacks have soared from 12,000 earlier today to 27,633, over the course of about 12 hours.

Merrigan and his associates have now logged some 15 distinct attackers. One actor using the email handle kraken0 has compromised 15,482 MongoDB instances, demanding 1 bitcoin (US$921) to have files returned. No one appears to have paid. Merrigan says he is investigating “OSINT and finding different IOCs as well the actors involved”.

He credits fellow researcher Victor Gevers with helping victims secure their exposed MongoDB databases, 118 so far, according to the updated working sheet.

All told, a whopping 99,000 MongoDB installations are exposed, Gevers says.

MongoDB security is a known problem: until recently, the software’s default configuration was insecure. Shodan founder John Matherly warned in 2015 that some 30,000 exposed MongoDB instances were open to the internet without access controls.
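A practitioner reading this wants to know whether their own instances answer anonymous commands. The following is an added probe written for this page, not code from the article or from the researchers' sheet. It speaks the legacy OP_QUERY wire format (opcode 2004), which the server versions of this period accept, sends `listDatabases` to `admin` and classifies the reply by keyword rather than decoding BSON; later servers (5.1 onwards) reject OP_QUERY for ordinary commands and would show up as "unknown". The keyword classification is an assumption, and the probe belongs only on hosts you are authorised to test.

```python
"""Unauthenticated-MongoDB probe (added example, not from the article).

Builds an OP_QUERY message carrying {listDatabases: 1} against admin.$cmd.
An instance with security.authorization enabled answers with a
"not authorized" error; an exposed one returns the database list, which is
what the ransom actors enumerate before copying and dropping it.
"""
import socket
import struct

OP_QUERY = 2004


def bson_int32_doc(key: str) -> bytes:
    """Minimal BSON encoder for the one-field document {key: 1}."""
    body = b"\x10" + key.encode() + b"\x00" + struct.pack("<i", 1)
    return struct.pack("<i", len(body) + 5) + body + b"\x00"


def build_list_databases(request_id: int = 1) -> bytes:
    """OP_QUERY against admin.$cmd carrying {listDatabases: 1}."""
    query = bson_int32_doc("listDatabases")
    body = (struct.pack("<i", 0)            # flags
            + b"admin.$cmd\x00"             # fullCollectionName
            + struct.pack("<ii", 0, -1)     # numberToSkip, numberToReturn
            + query)
    header = struct.pack("<iiii", 16 + len(body), request_id, 0, OP_QUERY)
    return header + body


def classify_reply(reply: bytes) -> str:
    """Crude verdict from an OP_REPLY payload (keyword match, no BSON decoder)."""
    if len(reply) < 16:
        return "no-reply"
    if b"not authorized" in reply or b"Unauthorized" in reply:
        return "auth-required"
    if b"databases" in reply:
        return "open"
    return "unknown"


def probe(host: str, port: int = 27017, timeout: float = 3.0) -> str:
    """Connect, send the query, read one full reply and classify it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_list_databases())
        head = s.recv(4)
        if len(head) < 4:
            return "no-reply"
        total = struct.unpack("<i", head)[0]
        data = head
        while len(data) < total:
            chunk = s.recv(total - len(data))
            if not chunk:
                break
            data += chunk
    return classify_reply(data)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, probe(target))
```

The fix on the server side is the one the ransom notes are exploiting the absence of: bind `net.bindIp` to the management address, set `security.authorization: enabled` in mongod.conf and create an admin user before restarting, after which the probe reports "auth-required". An instance that reported "open" while holding data should be treated as already copied.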

Source: MongoDB ransom attacks soar, body count hits 27,000 in hours

Autocomplete hidden form fields a novel phishing hole for Chrome, Safari crims

The attack vector is manifest when victims select autofill while filling out registration forms: attackers hide sensitive fields like street address, date of birth, and phone number, displaying only basic entry boxes like name and email.

Users who type the start of their names will generate a prompt that when selected will throw an option to fill out their complete details. If clicked on a phishing site Kuosmanen describes, a user’s sensitive information will be entered into boxes the user cannot see.

Source: Autocomplete a novel phishing hole for Chrome, Safari crims

Google releases crypto library checker tools

We’re excited to announce the release of Project Wycheproof, a set of security tests that check cryptographic software libraries for known weaknesses. We’ve developed over 80 test cases which have uncovered more than 40 security bugs (some tests or bugs are not open sourced today, as they are being fixed by vendors). For example, we found that we could recover the private key of widely-used DSA and ECDHC implementations. We also provide ready-to-use tools to check Java Cryptography Architecture providers such as Bouncy Castle and the default providers in OpenJDK.

Source: Google Online Security Blog: Project Wycheproof

Hacking: macOS FileVault2 Password Retrieval

macOS FileVault2 lets attackers with physical access retrieve the password in clear text by plugging a $300 Thunderbolt device into a locked or sleeping Mac. The password may be used to unlock the Mac to access everything on it. To secure your Mac just update it with the December 2016 patches. Anyone including, but not limited to, your colleagues, the police, the evil maid and the thief will have full access to your data as long as they can gain physical access – unless the Mac is completely shut down. If the Mac is sleeping it is still vulnerable. Just stroll up to a locked Mac, plug in the Thunderbolt device, force a reboot (ctrl+cmd+power) and wait for the password to be displayed in less than 30 seconds!

Source: Security | DMA | Hacking: macOS FileVault2 Password Retrieval

Guessing valid credit card numbers in six seconds? Priceless

Fraudsters can guess credit card numbers in as little as six seconds per attempt thanks to security gaps in Visa’s network, academics say.

The brute force attacks allow criminals to bombard Visa with card payment requests across multiple sites with each attempt narrowing the possible combinations until a valid card number and expiry date are determined.

Visa, unlike rival Mastercard, does not detect the flood of requests as unusual, the researchers say.

The attacks, handy for criminals with only partial breach records of personal information, work against the Alexa Top 400 online merchant sites according to findings in the paper Does The Online Card Payment Landscape Unwittingly Facilitate Fraud? [PDF] written by Newcastle University’s Mohammed Aamir Ali, Dr Leonardus Arief, Dr Martin Emms, and professor Aad van Moorsel.
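The distributed guessing the paper describes is worth seeing end to end. The following is an added simulation written for this page, not the authors' code: an issuer whose failure counter is kept either per merchant or per card across all merchants, and an attacker who holds only the PAN, guesses the expiry date on sites that validate PAN plus expiry, then the CVV2 on sites that validate all three, and rotates across 400 merchant sites so that no single site sees more than a couple of failures. The lockout values, the field subsets merchants validate and the test card number are assumptions.

```python
"""Distributed card-guessing model (added simulation, not the paper's code).

Merchants enforce their own per-card lockout and differ in which fields they
validate. The outcome hinges on where the network counts failures: per
merchant (nothing trips) or per card across merchants (the attack dies after
a few dozen guesses). MERCHANT_LOCKOUT and NETWORK_LOCKOUT are assumptions.
"""
from itertools import product

MERCHANT_LOCKOUT = 10        # failures one site tolerates per card
NETWORK_LOCKOUT = 30         # card-level cap when failures are counted across sites


class Issuer:
    """Authorisation endpoint; `network_wide` selects where failures are counted."""

    def __init__(self, pan: str, expiry: str, cvv: str, network_wide: bool):
        self.secret = (pan, expiry, cvv)
        self.network_wide = network_wide
        self.failures = {}   # counter key -> failed attempts
        self.attempts = 0

    def authorize(self, merchant: str, pan: str, expiry=None, cvv=None) -> bool:
        """True/False for the fields supplied; raises once the counter is exhausted.
        A field the merchant did not collect (None) is simply not checked."""
        key = "card" if self.network_wide else merchant
        limit = NETWORK_LOCKOUT if self.network_wide else MERCHANT_LOCKOUT
        if self.failures.get(key, 0) >= limit:
            raise PermissionError(f"blocked after {limit} failures counted on {key}")
        self.attempts += 1
        s_pan, s_exp, s_cvv = self.secret
        ok = (pan == s_pan and (expiry is None or expiry == s_exp)
              and (cvv is None or cvv == s_cvv))
        if not ok:
            self.failures[key] = self.failures.get(key, 0) + 1
        return ok


def guess_card(issuer: Issuer, pan: str, n_merchants: int = 400):
    """Return (expiry, cvv, attempts) or None if a lockout stopped the attack."""
    merchants = [f"shop{i}" for i in range(n_merchants)]
    turn = 0

    def next_merchant() -> str:
        nonlocal turn
        turn += 1
        return merchants[turn % n_merchants]

    try:
        expiry = None
        for y, m in product(range(17, 22), range(1, 13)):      # 60 candidates
            cand = f"{m:02d}/{y:02d}"
            if issuer.authorize(next_merchant(), pan, expiry=cand):
                expiry = cand
                break
        cvv = None
        for i in range(1000):                                   # 1000 candidates
            cand = f"{i:03d}"
            if issuer.authorize(next_merchant(), pan, expiry=expiry, cvv=cand):
                cvv = cand
                break
    except PermissionError:
        return None
    return expiry, cvv, issuer.attempts


if __name__ == "__main__":
    pan = "4111111111111111"   # well-known test number, not a live card
    for network_wide in (False, True):
        issuer = Issuer(pan, "09/19", "374", network_wide)
        print("network-wide counter" if network_wide else "per-merchant counter",
              "->", guess_card(issuer, pan))
```

With per-merchant counters the worst case is 60 + 1000 attempts spread over 400 sites, well under any single site's lockout; with a card-level counter the same attack is blocked after NETWORK_LOCKOUT failures regardless of how many merchants it touches. That card-level view is the one the researchers say Visa's network lacked.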

Source: Guessing valid credit card numbers in six seconds? Priceless

Vulnerability Note VU#582384 – Multiple Netgear routers are vulnerable to arbitrary command injection

Netgear R7000, firmware version 1.0.7.2_1.1.93 and possibly earlier, and R6400, firmware version 1.0.1.12_1.0.11 and possibly earlier, contain an arbitrary command injection vulnerability. By convincing a user to visit a specially crafted web site, a remote unauthenticated attacker may execute arbitrary commands with root privileges on affected routers. A LAN-based attacker may do the same by issuing a direct request, e.g. by visiting:

http:///cgi-bin/;COMMAND

An exploit leveraging this vulnerability has been publicly disclosed.

This vulnerability has been confirmed in the R7000 and R6400 models. Community reports also indicate the R8000, firmware version 1.0.3.4_1.1.2, is vulnerable. Other models may also be affected.
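Anyone running one of these routers behind a proxy, or with an IDS on the LAN, can look for exploitation attempts while waiting for firmware. The following is an added check written for this page, not part of the CERT note: it parses Common Log Format lines (constructed for the demo), undoes URL encoding and flags any request whose path has `;` directly after `/cgi-bin/`, which is the published vector. The log format and sample lines are assumptions.

```python
"""Log check for VU#582384-style requests (added example, not from the CERT note).

The published vector is a path of the form /cgi-bin/;COMMAND, so a request
whose path has `;` immediately after `/cgi-bin/` is an exploitation attempt.
Sample lines below are constructed in Common Log Format for the demo.
"""
import re
from urllib.parse import unquote

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3})'
)
INJECTION_RE = re.compile(r"/cgi-bin/;")

SAMPLE_LOG = """\
192.168.1.23 - - [10/Dec/2016:21:04:11 +0000] "GET /cgi-bin/;id HTTP/1.1" 200 0
192.168.1.5 - - [10/Dec/2016:21:05:02 +0000] "GET /start.htm HTTP/1.1" 200 1460
192.168.1.23 - - [10/Dec/2016:21:05:40 +0000] "GET /cgi-bin/%3Bls%20-la%20/tmp HTTP/1.1" 200 0
192.168.1.9 - - [10/Dec/2016:21:06:01 +0000] "POST /cgi-bin/genie.cgi HTTP/1.1" 200 220
"""


def find_injection_attempts(log_text: str) -> list:
    """Return one dict per matching request: source, timestamp, decoded command, status."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = unquote(unquote(m.group("path")))   # undo single and double encoding
        inj = INJECTION_RE.search(path)
        if inj:
            hits.append({"src": m.group("src"), "ts": m.group("ts"),
                         "command": path[inj.end():], "status": m.group("status")})
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['src']} ran: {hit['command']!r} (status {hit['status']})")
```

Note the cross-site vector the note describes: when the request is triggered by a web page the victim opened, the source address in the log is a legitimate LAN host, so the command string, not the source, is the indicator. A hit with status 200 means the router executed whatever follows the semicolon as root.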

Source: Vulnerability Note VU#582384 – Multiple Netgear routers are vulnerable to arbitrary command injection

Ouch!

Full Disclosure: [ESNC-2041217] Critical Security Vulnerability in PwC ACE Software for SAP Security

An attacker can misuse PwC ACE security vulnerability in order to: – make changes to the production systems and their settings including manipulating or corrupting ABAP programs shipped by SAP and making the system and data inoperable; – plant an SAP backdoor for accessing the system and sensitive data later; and – shut down the SAP systems and cause downtime.

Source: Full Disclosure: [ESNC-2041217] Critical Security Vulnerability in PwC ACE Software for SAP Security

Apparently PwC tried to shut these researchers up by sending lawyers at them, instead of working together to close the holes. Before this blew into a court case, the researchers have gone full disclosure. The people at PwC need to learn that security is something that can’t be hidden – if these guys found the holes, someone else will too. Working together with people trying to help you out is a much better strategy than threatening them.

Hardcoded root accounts found in 80 Sony IP security camera models

Researchers from SEC Consult have found two backdoor accounts that exist in 80 models of professional Sony security cameras, mainly used by companies and government agencies given their high price.

One set of hard-coded credentials is in the Web interface and allows a remote attacker to send requests that would enable the Telnet service on the camera, the SEC Consult researchers said in an advisory Tuesday.

The second hard-coded password is for the root account that could be used to take full control of the camera over Telnet. The researchers established that the password is static based on its cryptographic hash and, while they haven’t actually cracked it, they believe it’s only a matter of time until someone does.

Source: Backdoor accounts found in 80 Sony IP security camera models | PCWorld

PowerShell security threats greater than ever, researchers warn

In March 2016, security experts warned that PowerShell had been fully weaponised. In the following month, a report confirmed that PowerShell was used to launch 38% of cyber attacks seen by security firm Carbon Black and its partners in 2015.

Now more than 95% of PowerShell scripts analysed by Symantec researchers have been found to be malicious, with 111 threat families using PowerShell.

Malicious PowerShell scripts are on the rise, as attackers are using the framework’s flexibility to download their payloads, traverse through a compromised network and carry out reconnaissance, according to Candid Wueest, threat researcher at Symantec.

“This shows that externally sourced PowerShell scripts are a major threat to enterprises,” he wrote in a blog post.

The researchers also found that many targeted attack groups use PowerShell in their attack chain because it provides easy access to all major functions of the Microsoft Windows operating system.

PowerShell is also attractive to attackers because it is installed by default on computers running Windows and leaves few traces for analysis. This is because the framework can execute payloads directly from memory.

Source: PowerShell security threats greater than ever, researchers warn

Holding Shift + F10 During Windows 10 Updates Opens Root CLI, Bypasses BitLocker – Slashdot

This CLI debugging interface grants the attacker full access to the computer’s hard drive, despite the presence of BitLocker. The reason is that during the Windows 10 update procedure, the OS disables BitLocker while the Windows PE (Preinstallation Environment) installs a new image of the main Windows 10 operating system.

Source: Holding Shift + F10 During Windows 10 Updates Opens Root CLI, Bypasses BitLocker – Slashdot

Acquired administrator level access to all of the Microsoft Azure managed Red Hat Update Infrastructure that supplies all the packages for all Red Hat Enterprise Linux instances booted from the Azure marketplace.

Acquired administrator level access to all of the [Microsoft Azure](https://azure.microsoft.com) managed [Red Hat Update Infrastructure](https://access.redhat.com/documentation/en/red-hat-update-infrastructure/3.0.beta.1/paged/system-administrator-guide/chapter-1-about-red-hat-update-infrastructure) that supplies all the packages for all [Red Hat Enterprise Linux](https://www.redhat.com/en/technologies/linux-platforms/enterprise-linux) instances booted from the Azure marketplace.

Basically it’s easy to find all servers, then bump up a package version number, upload it to the update host and get all the Red Hat servers to download and execute that package.

Siri on Apple lock screens lets people break into the device

A series of YouTube videos are pointing out a flaw that could allow users to access photos on an iPhone without entering in a passcode. This requires physical access to the device, and Siri on the lock screen needs to be enabled.

Source: This Weird Trick Apparently Lets You Bypass Any iPhone’s Lock Screen

It allows you to access the contacts and photos

The Secret Service Has Lost 1,024 Computers Since 2001

The US Secret Service is tasked with keeping the President and members of his family safe. But newly released documents show that the agency has had trouble keeping tabs on its own equipment. Since 2001, the agency has lost at least 1,024 computers, 736 mobile phones, and 121 guns.

Judicial Watch obtained the numbers through a Freedom of Information Act (FOIA) request filed in January. The Secret Service released the numbers this week, which is broken down into different categories of lost and stolen equipment. Of the 1,024 total computers lost or stolen, the Secret Service has misplaced 744 laptops, 258 desktops, and 22 tablets.

Source: The Secret Service Has Lost 1,024 Computers Since 2001

I have no idea how many personnel the US Secret Service has, so can’t say if this is a lot or a little.

Shazam listens to you on Macs, even when you turn the mic off

Once installed, Shazam automatically begins listening for music,

Most (security-conscious) users probably don’t want Shazam listening all the time. Shazam appears to oblige, seemingly providing an option to disable this listening:

However, sliding the selector to ‘OFF’ did not generate the expected, “Mic was deactivated” OverSight alert.

My first thought was perhaps OverSight had ‘missed’ the Mic deactivation, or contained some other bug or limitation. However testing seemed to confirm that OverSight works as expected.

So is Shazam still listening even when the user attempts to toggle it to ‘OFF’? One way to find out – let’s reverse the app!

The post then goes into how to reverse engineer an app and sure enough, the mic doesn’t get turned off.

Shazam says this is a “feature” but it sounds to me like a huge gaping security hole. When you turn something off, it should go off, especially a listening device!

Source: Objective-See

5 major Russian banks repel massive DDoS attack

At least five major Russian banks came under a continuous hacker attack, although online client services were not disrupted. The attack came from a wide-scale botnet involving at least 24,000 computers, located in 30 countries.

The attack began Tuesday afternoon, and continued for two days straight, according to a source close to Russia’s Central Bank quoted by RIA Novosti. Sberbank confirmed the DDoS attack on its online services.

“The attacks are conducted from botnets, consisting of tens of thousands of computers, which are located in tens of countries,” Sberbank’s press service told RIA.

The initial attack was rather massive and its power intensified over the course of the day.

Source: 5 major Russian banks repel massive DDoS attack — RT News

IoT Goes Nuclear – Creating a ZigBee Chain Reaction / How they hacked your Philips Hue and made a worm

In this paper we describe a new type of threat in which adjacent IoT devices will infect each other with a worm that will spread explosively over large areas in a kind of nuclear chain reaction, provided that the density of compatible IoT devices exceeds a certain critical mass. In particular, we developed and verified such an infection using the popular Philips Hue smart lamps as a platform.
The worm spreads by jumping directly from one lamp to its neighbors, using only their built-in ZigBee wireless connectivity and their physical proximity. The attack can start by plugging in a single infected bulb anywhere in the city, and then catastrophically spread everywhere within minutes, enabling the attacker to turn all the city lights on or off, permanently brick them, or exploit them in a massive DDOS attack.
[…]
To make such an attack possible, we had to find a way to remotely yank already installed lamps from their current networks, and to perform over-the-air firmware updates. We overcame the first problem by discovering and exploiting a major bug in the implementation of the Touchlink part of the ZigBee Light Link protocol, which is supposed to stop such attempts with a proximity test. To solve the second problem, we developed a new version of a side channel attack to extract the global AES-CCM key that Philips uses to encrypt and authenticate new firmware. We used only readily available equipment costing a few hundred dollars, and managed to find this key without seeing any actual updates.

Source: IoT Goes Nuclear – Creating a ZigBee Chain Reaction