WannaCry: more details about the ransomware attack

Meanwhile, the major attack of WannaCry aka WanaDecrypt0r 2.0 has been stopped. As I noted in my previous post, a kill switch was found by accident when an expert noticed that WannaCry contacts a specific domain. As the domain was still available, he registered it, hoping to collect more information from the data the ransomware sends out.


Image from malwaretech.com

After the domain was online, the automatic spreading of WannaCry stopped. However, this does not help already infected systems. There are also rumours that some antivirus programs currently block access to that domain because it looks suspicious. In effect, those programs would allow WannaCry to keep spreading: the worm only stops when its request to the domain succeeds, and a blocked request looks to it just like an unregistered domain.

“EternalBlue” issue known to the NSA for years

The security issue used by WannaCry is called EternalBlue and was part of a leak of NSA documents published by The Shadow Brokers in April this year. If the NSA had notified Microsoft about the issue, we would not have these massive problems today.

Due to the seriousness of the attack, Microsoft released a patch even for older Windows versions that are normally no longer supported.

Massive Cyberattack hits UK Health System, Deutsche Bahn

A massive cyberattack, which seems to originate in Russia, is currently spreading around the world. After a first analysis, Kaspersky and Avast think it is a new version of the crypto-locker WannaCry. The software demands a payment of $300 in Bitcoin to release the encryption key and threatens the owners that the key will be deleted within a few days if they do not pay.

Following the latest updates, the ransomware has meanwhile successfully attacked more than 75,000 PCs in 100 countries worldwide. While analysing the ransomware, a way to stop it spreading seems to have been found: according to some press reports, a security expert noticed a domain being contacted by the ransomware and registered it. After that domain went live, the ransomware stopped spreading. Apparently some routine stops its work when the domain can be contacted.
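The kill-switch behaviour described here and in the post above (and why a web filter that blocks the domain undoes it), as an added example: this is illustrative Python, not the ransomware's code and not code from the original post. The domain name, the proxy log format and the log lines are all constructed for the example, and the "infected host" check is the kind of thing you would run over your own proxy logs to find machines that have executed the worm.

```python
"""Model of the WannaCry kill switch (added example, not the worm's code).

The routine as described: before spreading, request a URL on one specific
domain; if the request succeeds, stop.  The domain below is a placeholder.
"""
from typing import Callable, Dict, Iterator, List, Tuple
from urllib.parse import urlsplit

KILL_SWITCH_DOMAIN = "kill-switch-domain.example"  # placeholder (assumption)


def should_spread(try_connect: Callable[[str], bool]) -> bool:
    """True if the worm would continue spreading.

    try_connect(domain) stands in for the worm's HTTP request: True when any
    HTTP answer came back, False on any failure (unregistered domain,
    timeout, request refused by a proxy or AV web filter).  Spreading
    continues only when the request FAILS.
    """
    return not try_connect(KILL_SWITCH_DOMAIN)


# Three network situations, constructed for this example.
def unregistered(domain: str) -> bool:
    """Before the researcher registered the domain: DNS lookup fails."""
    return False


def sinkholed(domain: str) -> bool:
    """After registration: the sinkhole answers, so the request succeeds."""
    return True


def blocked_by_filter(domain: str) -> bool:
    """An AV/proxy filter blocks the 'suspicious' domain: the request fails,
    which to the worm looks exactly like an unregistered domain."""
    return False


def summarise() -> Dict[str, bool]:
    """Map each situation to whether the worm keeps spreading."""
    return {
        "unregistered": should_spread(unregistered),
        "sinkholed": should_spread(sinkholed),
        "blocked_by_filter": should_spread(blocked_by_filter),
    }


# Constructed proxy log lines: time client method url status
SAMPLE_PROXY_LOG = """\
1494604800.123 10.0.0.5 GET http://kill-switch-domain.example/ 200
1494604801.456 10.0.0.7 GET http://example.org/index.html 200
1494604802.789 10.0.0.9 GET http://kill-switch-domain.example/ 403
1494604803.001 10.0.0.5 GET http://example.org/style.css 200
"""


def _kill_switch_requests(log_text: str) -> Iterator[Tuple[str, str]]:
    """Yield (client, status) for every request to the kill-switch domain."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip malformed lines
        _ts, client, _method, url, status = parts[:5]
        if urlsplit(url).hostname == KILL_SWITCH_DOMAIN:
            yield client, status


def infected_hosts(log_text: str) -> List[str]:
    """Clients that requested the kill-switch domain at all: each one has
    run the worm, whatever the HTTP status was."""
    return sorted({client for client, _ in _kill_switch_requests(log_text)})


def still_spreading_hosts(log_text: str) -> List[str]:
    """Infected clients whose request was NOT answered with 2xx (e.g. a 403
    from a web filter): on those the kill switch did not fire."""
    return sorted({client for client, status in _kill_switch_requests(log_text)
                   if not status.startswith("2")})


if __name__ == "__main__":
    for situation, spreads in summarise().items():
        print(f"{situation:18s} worm keeps spreading: {spreads}")
    print("infected hosts:  ", infected_hosts(SAMPLE_PROXY_LOG))
    print("still spreading: ", still_spreading_hosts(SAMPLE_PROXY_LOG))
```

The point of the three connectors is that a filter which refuses the request is indistinguishable, from the worm's side, from the domain not existing; if you block the domain on a proxy, at least let the request through to the sinkhole and alert on it instead.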

In general, this new attack was made possible after some NSA documents were leaked. The NSA had known about this security issue for some time but did not inform the software vendor, leaving millions of PCs unsafe. The vendor released a patch for this issue in March, shortly before the documents were leaked. Judging by the current situation, many PCs still have not installed that update.

Before you now say “user’s fault – why not install the update?”, keep in mind that, according to current information, big companies and public organisations are affected. Given the usual “update mess” of some vendors (fix one issue but create two others at the same time), it is absolutely normal for today’s administrators NOT to install a patch as soon as it is available.

Turkey: the next censorship step

The news has just come in that the Turkish government has once again dismissed several thousand civil servants. Yesterday, as the next step of state censorship, the online encyclopedia Wikipedia was blocked completely and in all languages.

The justification given was allegedly critical and false articles about Turkey. Since the organisation operating Wikipedia was allegedly contacted directly to change or remove these articles, it has also become clear that the people responsible have no idea how a wiki works…

Uploaded terminating accounts, next round

It seems that the well-known sharehoster Uploaded.net continues to terminate accounts that were most likely used to spread illegal content.

Checking user posts in several warez forums, a second big batch of users was permanently terminated within the last 48 hours.

According to some other blogs, this might be related to an ongoing legal process between copyright holders and Uploaded.

Uploaded.net sperrt massenweise Uploader (Uploaded.net blocks uploaders en masse)

Uploaded.net Terminates Accounts of Persistent Pirates

FritzBox bug hit?

It seems AVM introduced a new bug in its firmware. After the latest update I encountered, a few times, that “exposed host” was no longer working, without any notice or further warning.

I am using a Synology RT1900ac for my internal network, with the FritzBox as DSL modem only. Given the current issue I guess I’ll have to look for a “pure DSL modem”…

SHA-1 broken

It seems that a team around Google managed to produce the first SHA-1 collision: two completely different documents with an identical SHA-1 checksum.

At the current time, the attack took about 6,500 years of single-CPU computation plus 110 years of single-GPU computation, but we saw similarly high numbers for the first attacks on PPTP. As we all know, in 2012 it took only 23 hours to break PPTP’s MS-CHAPv2 thanks to faster computing power. Within a few more years of development, a SHA-1 attack might work in similar timeframes.
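What a collision means in practice, as an added example (not from the original post or from the shattered.io team): a SHA-1-only integrity check can be satisfied by two different files, while a second, stronger digest still tells them apart. The function below scans an artifact inventory for records that agree on SHA-1 but disagree on SHA-256, and the verification helper treats a SHA-1-only match as weak. The inventory records are constructed with placeholder digests; the only real digests are the ones computed from the bytes in the test.

```python
"""SHA-1 collision hygiene for an artifact inventory (added example)."""
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple


def digests(data: bytes) -> Dict[str, str]:
    """SHA-1 and SHA-256 of the same bytes, hex encoded."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def find_sha1_collisions(
    records: Iterable[Tuple[str, str, str]]
) -> List[Tuple[str, List[str]]]:
    """records: (name, sha1_hex, sha256_hex).

    Returns [(sha1, [names...])] for every SHA-1 value shared by records
    whose SHA-256 values differ: either a collision pair or a corrupted
    record, and in both cases the SHA-1 must not be trusted.  Records that
    agree on both digests are plain duplicates and are not reported.
    """
    by_sha1: Dict[str, Dict[str, List[str]]] = defaultdict(dict)
    for name, sha1, sha256 in records:
        by_sha1[sha1.lower()].setdefault(sha256.lower(), []).append(name)
    found = []
    for sha1, variants in by_sha1.items():
        if len(variants) > 1:  # same SHA-1, more than one distinct SHA-256
            names = sorted(n for group in variants.values() for n in group)
            found.append((sha1, names))
    return sorted(found)


def verify(data: bytes, expected: Dict[str, str]) -> str:
    """Verify data against recorded digests.

    "ok"       - SHA-256 recorded and matches (SHA-1 is then ignored)
    "weak"     - only SHA-1 recorded and it matches; not collision resistant
    "mismatch" - the digest used does not match, or nothing usable recorded
    """
    actual = digests(data)
    if "sha256" in expected:
        return "ok" if actual["sha256"] == expected["sha256"].lower() else "mismatch"
    if "sha1" in expected:
        return "weak" if actual["sha1"] == expected["sha1"].lower() else "mismatch"
    return "mismatch"


# Constructed inventory; the hex values are placeholders, not real digests.
SAMPLE_INVENTORY = [
    ("release-1.0.tar.gz", "aa" * 20, "11" * 32),
    ("release-1.0.tar.gz.mirror", "aa" * 20, "11" * 32),  # true duplicate
    ("doc-A.pdf", "bb" * 20, "22" * 32),
    ("doc-B.pdf", "bb" * 20, "33" * 32),                  # SHA-1 collision pair
]

if __name__ == "__main__":
    print(find_sha1_collisions(SAMPLE_INVENTORY))
    print(verify(b"abc", {"sha1": digests(b"abc")["sha1"]}))
```

The reason to keep flagging SHA-1-only matches as "weak" rather than failing them outright is migration: old manifests only carry SHA-1, and the useful signal is which artifacts still lack a SHA-256 entry.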

http://shattered.io/

https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html

Flaw in Intel C2000 Chipset series

OK, we all heard or read that there is a flaw in a series of Intel’s Avoton CPUs. Currently, it seems the only “official” statement is the following quote from The Register:

The well-placed insider, who spoke to The Register on condition of anonymity, said the problem – which results in bricked systems – became apparent to engineers at product makers when the return rate on gear spiked about 18 months ago.

We have a “well-placed insider” who wants to remain anonymous, and based on this everyone starts to blame hardware vendors that have this chip installed? It seems the only official statement at this time from Intel – the company that produces the CPU itself – is the following:

“AVR54: System May Experience Inability to Boot or May Cease Operation” … “The SoC LPC_CLKOUT0 and/or LPC_CLKOUT1 signals (Low Pin Count bus clock outputs) may stop functioning.”

http://www.intel.com/content/dam/www/public/us/en/documents/specification-updates/atom-c2000-family-spec-update.pdf

From my experience, ANY computer-related product may stop functioning without any further warning. According to Intel, the C2000 series seems to have a slightly higher probability of doing so.

Let’s face the truth: those devices out there have been running for more than 18 months. Most of them did not fail, otherwise we would already have read “All units of series xxx from company yyy are dying after a short time of usage” in the usual news.

JDownloader on Synology DSM

This was the day. I wanted to check my downloads overnight, and connecting to my DS916+ took ages. Luckily I had SSH open, so I logged in and checked the processes.

Wow, an average load of 58, which seemed to be related to a running Virtual DSM process. OK, as a quick fix, shut everything down. After the load was stable again, power the services back on one after the other.

First I tried to check my JDownloader virtual instance: no login available? Tried SSH: login OK. dmesg? Lots of terminated processes. df -h? Aha!

Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda1 1998672 1982288 0 100% /
none 507380 0 507380 0% /dev
/tmp 511816 1036 510780 1% /tmp
/run 511816 1568 510248 1% /run

OK, thanks to the guys who created the unofficial JDownloader app – but, hey guys, why do you let the default logs fill up the system partition?

My quick long-term solution:

rm /var/log/JDownloader.log

ln -sf /dev/null /var/log/JDownloader.log

This will redirect all new JDownloader logs to /dev/null, keeping my system partition stable.
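A less lossy variant of that fix, as an added example that is not from the original post or from the JDownloader package: move the log onto a data volume (leaving a symlink behind so the application does not notice) and rotate it by copy-and-truncate once it exceeds a cap, so the 2 GB system partition is protected but the log is still there when something goes wrong. The paths, the cap and the sample log content are assumptions for this example; demo() builds the layout in a temporary directory instead of touching a real NAS.

```python
"""Keep an application log off the DSM system partition (added example).

Rotation is copy-and-truncate, so it also works when the application keeps
the log file open and never reopens it (a plain rename would leave it
writing into the renamed file).
"""
import os
import shutil
import tempfile
from pathlib import Path

MAX_BYTES = 10 * 1024 * 1024   # cap per log file before rotation (assumption)
KEEP = 3                        # rotated copies to keep


def relocate_log(system_log: Path, data_dir: Path) -> Path:
    """Move system_log into data_dir and leave a symlink in its place.

    Returns the log's new location.  Idempotent: if system_log is already a
    symlink it is left alone and its target is returned.
    """
    if system_log.is_symlink():
        return Path(os.readlink(system_log))
    data_dir.mkdir(parents=True, exist_ok=True)
    target = data_dir / system_log.name
    if system_log.exists():
        shutil.move(str(system_log), str(target))
    else:
        target.touch()
    system_log.symlink_to(target)
    return target


def rotate_if_big(log: Path, max_bytes: int = MAX_BYTES, keep: int = KEEP) -> bool:
    """Copy-and-truncate rotation.  Returns True when a rotation happened.

    The symlink is resolved first so the rotated copies land next to the
    real file on the data volume, not on the system partition.
    """
    log = log.resolve()
    if not log.exists() or log.stat().st_size <= max_bytes:
        return False
    for i in range(keep, 1, -1):          # shift log.1 -> log.2 ... log.<keep>
        older = log.with_name(f"{log.name}.{i - 1}")
        if older.exists():
            older.replace(log.with_name(f"{log.name}.{i}"))
    shutil.copy2(str(log), str(log.with_name(f"{log.name}.1")))
    with open(log, "r+b") as fh:          # truncate in place, keep the inode
        fh.truncate(0)
    return True


def make_sandbox() -> Path:
    """Fresh temporary root standing in for the NAS file system."""
    return Path(tempfile.mkdtemp(prefix="jd-log-"))


def demo(root: Path) -> dict:
    """Run both helpers against a constructed layout under root."""
    sys_log = root / "sys" / "var" / "log" / "JDownloader.log"   # assumed path
    sys_log.parent.mkdir(parents=True)
    sys_log.write_bytes(b"x" * 100)                               # constructed content
    target = relocate_log(sys_log, root / "volume1" / "logs" / "jdownloader")
    rotated_small = rotate_if_big(sys_log, max_bytes=1000)        # under the cap
    rotated_big = rotate_if_big(sys_log, max_bytes=50)            # over the cap
    copy = target.with_name(target.name + ".1")
    return {
        "symlinked": sys_log.is_symlink(),
        "target": target.relative_to(root).as_posix(),
        "rotated_small": rotated_small,
        "rotated_big": rotated_big,
        "size_after": sys_log.stat().st_size,
        "copy_size": copy.stat().st_size,
    }


if __name__ == "__main__":
    print(demo(make_sandbox()))
```

On a real box you would call relocate_log once and schedule rotate_if_big from cron or the DSM task scheduler; the /dev/null symlink from the post still has its place when you really never want the log at all.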

Moving from HMA to IPVanish

Like some of you out there, I use VPN software from time to time to hide my original identity when browsing the net. One of the main reasons is the heavy censorship here in Germany – and the lawyers waiting to sue you after you accidentally visit a “wrong” site.

Previously I used HMA (“Hide My Ass”) for my privacy. They offer a simple UI, an Android client, lots of servers worldwide, and they also provide a manual on how to set up your Synology NAS to work with HMA.

Also, when you just search for “good VPN provider”, they are in the top list. So that was my previous reason.

I guess I took the easy way, and I must admit that I did not check any details when I started to use them. After some time I read some bad news:

https://vpn.hidemyass.com/vpncontrol/privacy.html

Your IP address is logged by us so that we can prevent any spam, fraud or abuse of our Site and our services. We may store this data for up to two years, unless we are required, for legal reasons or under exceptional circumstances, to retain this data for an extended period.

And yes, HMA is able to track down the IP address of any connection to any user (screenshot found on Reddit, hosted on imgur).

After this, I cancelled my account immediately and searched for another VPN provider. My current favourite is IPVanish, which offers similar services but no logging that could be traced back to a user. They do not offer a detailed setup guide, but it was simple to configure my Synology NAS to use IPVanish as well.

Reopening soon

After a few years of absence I decided to reboot this blog shortly. The main reason is that it is now located on a private server and got an SSL certificate thanks to the Let’s Encrypt project.

As you might have noticed, the language will focus more on English to be able to reach even more people out there. Eventually I will archive the old blog soon, to make a visible split between the history up to 2013 and the time starting now.

Besides that, the main topics will stay the same. So expect more “Just Stuff” coming soon.

If you don't find it here – you'll find it somewhere else.