UNM4SK3D: Petya, CIA, and Google
On Tuesday, news of a ‘NotPetya’ ransomware attack, which targeted several countries including Russia, Ukraine, France, India and the United States and demanded $300 in ransom, spread like wildfire amid fears of ‘another WannaCry.’ Now, just a few days later and after much analysis, this ‘ransomware’ is said to actually be destructive wiper malware.
The creator of the original ransomware, Janus, sold Petya as a Ransomware-as-a-Service (RaaS) to other hackers in March 2016. After further analysis by security expert Matt Suiche, his team determined that the new ‘NotPetya’ is ‘wiper malware,’ not ransomware. Unlike traditional ransomware, Petya does not encrypt files on a targeted system one at a time; instead it reboots infected computers and encrypts the hard drive’s master file table (MFT). This “renders the master boot record (MBR) inoperable, restricting access to the full system by seizing information about file names, sizes, and location on the physical disk.” Petya then makes a copy of the MBR and replaces it with malicious code and a ransom note, leaving the computer inaccessible until the ransom is paid. In the newest version, ‘NotPetya,’ there is no copy of the MBR, leaving infected computers unbootable even if victims get the decryption keys.
At last count, almost 45 victims had paid a total of $10,500 in Bitcoin but still failed to get their files back. This is because the email address the hackers set up to send decryption keys was shut down by the German email provider. According to Kaspersky Lab, “Our analysis indicates there is little hope for victims to recover their data. We have analyzed the high-level code of the encryption routine, and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks.” While much is still speculation at this point, the theory that this malware outbreak was meant to serve as a smokescreen for a state-sponsored attack against Ukraine, whose local metro, the airport in Kiev, electricity supplier, main bank, and state telecom were affected, may be accurate. An investigation by Talos Intelligence reveals that the malware was possibly spread through a malicious software update to a Ukrainian tax accounting system called ‘MeDoc.’
We recommend that Cybrarians stay updated with the news of this attack as new information is released. In the meantime, PT Security advised in a tweet creating a file, “C:\Windows\perfc”, to prevent ransomware infection.
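A defender-side script for the vaccine file described above, added here as an example and not taken from the article or from PT Security; it assumes an elevated PowerShell session and treats the read-only attribute as an extra precaution that the tweet quoted here does not mention:

```powershell
# Added example (not from the article or PT Security): create the file the tweet
# describes so it already exists when the malware checks for it.
# Assumptions: the check is a plain existence test on C:\Windows\perfc, and
# marking the file read-only is an extra precaution the article does not mention.
$vaccine = Join-Path $env:SystemRoot 'perfc'

if (-not (Test-Path -LiteralPath $vaccine)) {
    # Create an empty file; writing under C:\Windows needs an administrator prompt.
    New-Item -Path $vaccine -ItemType File -Force | Out-Null
    Write-Output "Created $vaccine"
} else {
    Write-Output "$vaccine already present"
}

# Make it read-only so a later process cannot trivially overwrite it.
Set-ItemProperty -LiteralPath $vaccine -Name IsReadOnly -Value $true

# Report the final state so the result can be collected for inventory checks.
Get-Item -LiteralPath $vaccine | Select-Object FullName, Length, IsReadOnly, LastWriteTime
```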
We believe the ransomware was, in fact, a lure to control the media narrative, especially after the WannaCry incident, to attract attention to some mysterious hacker group rather than a national state attacker. -Suiche
For more on this malware and the potential for cyber warfare, read ‘NotPetya is a Cyber Weapon, Not Ransomware’ from KnowBe4.
Hopefully you’re not tired of hearing about the Vault7 leaks because this digital faucet just keeps drip, drip, dripping. The latest from Wikileaks reveals a type of malware named ‘Elsa’ for all the Frozen fans, which can track geo-location of targeted PCs and laptops running Microsoft Windows OS.
Essentially, ‘Elsa’ works by “capturing the IDs of nearby public hotspots and then matching them with the global database of public Wi-Fi hotspots’ locations.” The malware project consists of two components: the processing component (Operator Terminal) and the implant (Windows Target). The malware is installed on Wi-Fi-enabled machines using CIA exploits to gain access to the specified device. Using the Wi-Fi hardware, it can scan for the nearest Wi-Fi access points. Most terrifying is that the device does not have to be connected to the Internet to be targeted by Elsa, as it only requires the malware to be running on a device that is Wi-Fi enabled.
While the CIA malware doesn’t transfer this data to the agency’s server, it allows the CIA hacker to download the encrypted log files from the device using separate CIA exploits and backdoors. The operator can then decrypt the log files and perform further analysis. According to Wikileaks, CIA hackers have the ability to customize the malware depending upon the target and operational objectives, such as “sampling interval, the maximum size of the log file and invocation/persistence method.” This tool is just the latest in the series of 12 documents, and it seems these leaks will only continue. Until then, in the words of Elsa, ‘Let it go, let it go….’
If [the target device] is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp. -Wikileaks
Need to catch up on some of the other tools released by Wikileaks? Read this recent edition of UNM4SK3D for more.
The Big G just got hit with a Big fine, $2.7 billion worth, by European antitrust officials for manipulating search results since 2008. This is said to be the largest ever financial penalty against Google for breaking the EU competition law. You might want to Google it, or maybe not.
Google’s loss of this intense regulatory battle comes after a 7-year investigation that began in 2010 after the European Commission received multiple complaints. The Commission believes Google uses its search engine power to manipulate results, promoting its own Google-sponsored comparison shopping service at the top of all search results, and its evidence seems to support this. Findings indicate that consumers click more often on results that are more visible, especially those appearing higher up in Google’s search results. (Obviously). This traffic led to more revenue for Google and less for competing vendors.
Against Google’s total 2016 revenue of almost $90 billion, the $2.7 billion fine was calculated from its comparison shopping results in Europe. In addition to the fine, the Commission has ordered Google to “stop its illegal conduct and anti-competitive practices within the 3-month deadline or warned to face a further penalty of up to 5% of the average daily worldwide turnover of Alphabet, Google’s parent company.” This could mean that Google will need to change its search ranking algorithm if its appeal is denied.
We respectfully disagree with the conclusions announced today. We will review the Commission’s decision in detail as we consider an appeal, and we look forward to continuing to make our case. -Google spokesperson
For ways to use Google more effectively, go in depth with ‘Tips for Using Google Like a Ninja.’
The financial loss from cybercrime in the U.S. exceeded $1.3 billion in 2016, a rise of 24%, according to a report by the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3).
Cryptography, or the art of writing or solving secret codes, has allowed private communication for thousands of years, but can you crack the message? Test your cryptography knowledge in a revolutionary way and gain hands-on experience necessary to become a security professional. In the Cryptography skill assessment, you will encounter problems derived from weaknesses in real-world systems and solve modern cryptographic constructions.
Not only will the Cryptography skill assessment allow you to develop your practical skills, but it will also test your critical thinking. There are 8 exercise topics for this skill assessment, with 21 challenges total at varying levels of difficulty (easy-hard) per exercise.
Olivia Lynch (@Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the infosec field and is working to make cyber security news more interesting. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.