Tag Archives: News

NSA: Afraid of the Shadow Brokers

By all appearances, the NSA has been afraid of the hacker group Shadow Brokers for some time. According to a report at heise.de, the NSA informed Microsoft about the EternalBlue vulnerability very early, right after the first parts of the leaked data were published. Only because of this was Microsoft able to close the hole before the exploit itself was published (the patch came in March, the dump in April).

Evidently the NSA actively used the hole for more than three years to break into Windows systems worldwide without authorization. Since the hole was not exclusive to the NSA, other intelligence services or hackers may well have used the very same hole to get into those machines.

Since the hackers intend to publish further documents next month, one can assume that the NSA has already reported further, still unknown vulnerabilities to many vendors in order to avoid another attack like WannaCry.

NSA Hack: The Next Releases

The Shadow Brokers, who recently published information from NSA documents that led to last weekend's WannaCry attack, may hold far more sensitive data.

In a post the group announced a "monthly data dump" that will include methods and tools for

  • attacking and taking over web browsers, routers and mobile devices
  • selected methods and tools from newer exploits, including methods for attacking Windows 10
  • data [gathered by the NSA] on SWIFT providers and central banks
  • data [gathered by the NSA] on Russian, Chinese, Iranian and/or North Korean nuclear weapons and missile programmes
Undisclosed Windows 10 zero-day exploits

The Shadow Brokers have offered to keep all data under wraps if a "responsible party" buys it. According to further statements by the group, the NSA allegedly pays large corporations not to fix certain vulnerabilities.

TheShadowBrokers is thinking Google Project Zero is having some former TheEquationGroup member. Project Zero recently releasing “Wormable Zero-Day” Microsoft patching in record time, knowing it was coming? coincidence?
Source: ShadowBrokers

The Shadow Brokers made the screenshots available in January. The NSA supposedly realized what the Shadow Brokers had and told Microsoft. Microsoft took the unprecedented step of skipping Patch Tuesday in February and then released the SMB (Server Message Block) fix in March that was used by WannaCry and not dumped by the Shadow Brokers until April.
Source: networkworld

We can be curious about what June will bring …

Note: This post was published as the German version of the previous day's English post, which follows below.

NSA-Exploit: Next and bigger round

The Shadow Brokers, who published information about stolen NSA documents whose first consequence was last weekend's WannaCry attack, have announced that they hold even more sensitive data and details.

In a blog post, the group said it was setting up a “monthly data dump” that could include

  • web browser, router, handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and Central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs
Undisclosed Windows 10 Zero-day exploits

They offered to keep all data secret “if a responsible party” buys all of the stolen data. Taking this together with earlier posts from the group, the amount of stolen data and how quickly a patch for some previously published leaks appeared, the most likely explanation is that the NSA pays big companies not to fix several exploitable bugs.

TheShadowBrokers is thinking Google Project Zero is having some former TheEquationGroup member. Project Zero recently releasing “Wormable Zero-Day” Microsoft patching in record time, knowing it was coming? coincidence?
Source: ShadowBrokers

The Shadow Brokers made the screenshots available in January. The NSA supposedly realized what the Shadow Brokers had and told Microsoft. Microsoft took the unprecedented step of skipping Patch Tuesday in February and then released the SMB (Server Message Block) fix in March that was used by WannaCry and not dumped by the Shadow Brokers until April.
Source: networkworld

We will see what, if anything, gets published in June …

WannaCry: next round on the way

According to some reports, a new version of WannaCry that ignores the domain registered yesterday has been found in the wild. The new version appears to be the same as the previous one apart from that, so it will most likely not be stopped by the kill-switch domain.

New infections tomorrow

As many PCs are switched off over the weekend, several experts expect a second wave of infections on Monday morning, when computers in companies worldwide are powered on. They also expect new versions of the ransomware within the next few days. So far, approximately 150 different variants of the ransomware have been detected.

Only about 40,000 US$ income so far

So far only a few victims have paid the ransom to get their data back, compared to the very large number of infected machines worldwide. This may be because several big companies are affected, most of which run a good backup strategy and can simply rebuild their machines. Since the bitcoin wallets are known, it is easy to check them all for the current income.

WannaCry: more details about the ransomware attack

Meanwhile, the main wave of the WannaCry (aka WanaDecrypt0r 2.0) attack has been stopped. As I noted in my previous post, a kill switch was found by accident when an expert noticed that WannaCry contacts a particular domain. Since the domain was unregistered, he registered it, hoping to collect more information about the data the ransomware sends out.


Image from malwaretech.com

After the domain went online, the automatic spreading of WannaCry stopped. However, this does not help systems that are already infected. There are also reports that some antivirus programs block access to that domain because they treat the traffic as suspicious. In effect this would mean that those programs let WannaCry keep spreading, because the worm only stops when the domain can be reached.

“EternalBlue”-issue known by NSA for years

The security hole used by WannaCry is called EternalBlue and was part of a leak of NSA documents spread by The Shadow Brokers in April this year. If they had notified Microsoft about the issue earlier, we would not have these massive problems today.

Due to the seriousness of the attack, Microsoft released a patch even for older Windows versions that are usually no longer supported.

Massive Cyberattack hits UK Health System, Deutsche Bahn

A massive cyberattack that appears to originate from Russia is currently spreading around the world. After a first analysis, Kaspersky and Avast think it is a new version of the crypto-locker WannaCry. The software demands a payment of 300$ in bitcoin to release the decryption key and threatens that the key will be deleted within a few days if the ransom is not paid.

According to the latest updates, the ransomware has meanwhile hit more than 75,000 PCs in 100 countries worldwide. While analysing the ransomware, a way to stop it spreading seems to have been found. According to some press reports, a security expert noticed a domain being contacted by the ransomware and registered it. Once that domain was active, the ransomware stopped spreading. Apparently some routine stops its work when the domain can be contacted.
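The kill-switch behaviour described here, and the antivirus-blocking caveat from the follow-up post above, can be turned into two practical checks: which hosts in your DNS logs looked up the domain (they ran the worm's check, so they were infected), and why a blocked probe keeps the worm alive. The following is an added example, not code from the original posts; the domain name is a placeholder because the posts do not name the registered domain, and the log lines are constructed.

```python
"""Kill-switch hunting in DNS logs and a model of the worm's decision.

Added example; it is not code from the original post. The kill-switch domain
below is a placeholder (the post does not name the real one) and the log lines
are constructed.
"""
import re
from collections import defaultdict
from typing import Callable, Dict, Iterable

# Placeholder for the registered domain (assumption, not the real name).
KILL_SWITCH_DOMAINS = {"killswitch.example"}

# Constructed BIND-style query log (not a real capture).
SAMPLE_LOG = """\
15-May-2017 08:01:12.113 client 10.0.0.15#53122: query: killswitch.example IN A + (10.0.0.1)
15-May-2017 08:01:13.004 client 10.0.0.15#53123: query: www.example.org IN A + (10.0.0.1)
15-May-2017 08:02:40.770 client 10.0.0.22#50010: query: killswitch.example IN A + (10.0.0.1)
15-May-2017 08:02:41.001 client 10.0.0.22#50011: query: KILLSWITCH.EXAMPLE. IN A + (10.0.0.1)
15-May-2017 08:03:05.520 client 10.0.0.40#40404: query: mail.example.org IN MX + (10.0.0.1)
"""

# Matches both the older "client IP#port: query: ..." and the newer
# "client IP#port (name): query: ..." BIND formats.
QUERY_RE = re.compile(
    r"client (?P<ip>[0-9.]+)#\d+(?: \([^)]*\))?: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def kill_switch_lookups(log_text: str,
                        domains: Iterable[str] = KILL_SWITCH_DOMAINS) -> Dict[str, int]:
    """Count per client IP how often a kill-switch domain was looked up.

    Any host that resolved the domain executed the worm's check, so it was
    infected; a successful lookup plus HTTP request is what made it stop.
    """
    wanted = {d.lower().rstrip(".") for d in domains}
    hits: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        if m.group("qname").lower().rstrip(".") in wanted:
            hits[m.group("ip")] += 1
    return dict(hits)


def worm_keeps_spreading(probe: Callable[[str], bool],
                         domain: str = "killswitch.example") -> bool:
    """Model of the kill-switch decision (assumed from the post's description).

    The worm exits only if the probe succeeds. Anything that makes the probe
    fail (an antivirus product or proxy blocking the domain, a sinkhole that
    refuses connections, no DNS) keeps the worm going.
    """
    try:
        return not probe(domain)
    except OSError:  # refused, reset, DNS failure
        return True


def blocked_probe(_domain: str) -> bool:
    """Probe as seen from a host whose web filter blocks the domain."""
    raise ConnectionRefusedError("blocked by filter")


def reachable_probe(_domain: str) -> bool:
    """Probe as seen from a host that can reach the registered domain."""
    return True


if __name__ == "__main__":
    print("hosts that ran the kill-switch check:", kill_switch_lookups(SAMPLE_LOG))
    print("blocked probe -> worm continues:", worm_keeps_spreading(blocked_probe))
    print("reachable probe -> worm continues:", worm_keeps_spreading(reachable_probe))
```

Feed real resolver logs to `kill_switch_lookups` and every client it returns is a host that executed the worm and needs cleaning, whether or not the kill switch then stopped it. The second function makes the caveat concrete: a filter that blocks the domain turns a successful probe into a failure, which is the branch on which the worm carries on.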

In general, this new attack became possible after NSA documents were leaked. The NSA had known about this security issue for a long time but did not inform the software vendor, leaving millions of PCs unsafe. After the documents leaked, the vendor released a patch for this issue shortly afterwards; it has been available since March. Judging by the current situation, many PCs have not yet installed that update.

Before you say “the users' fault, why don't they install the update?”, keep in mind that according to current information big companies and public organisations are affected. Given the usual “update mess” of some vendors (fix one issue and create two others at the same time), it is absolutely normal for today's administrators NOT to install a patch as soon as it is available.

Turkey: Next Round of Censorship

News just came in that the Turkish government has again dismissed several thousand civil servants. Yesterday, as the next step of state censorship, the online encyclopedia Wikipedia was blocked completely, in all languages.

The justification given was allegedly critical and false articles about Turkey. Since the organisation operating Wikipedia was allegedly contacted directly to change or remove these articles, it has also become clear that the officials responsible have no idea how a wiki works …

Uploaded terminating accounts, next round

It seems that the well-known file hoster Uploaded.net continues to terminate accounts that are most likely used to spread illegal content.

Checking users' posts in several warez forums, a second big batch of users was permanently terminated within the last 48 hours.

According to some other blogs, this might be related to an ongoing legal dispute between copyright holders and Uploaded.

Uploaded.net blocks uploaders en masse

Uploaded.net Terminates Accounts of Persistent Pirates

SHA-1 broken

It seems that a team around Google has produced the first SHA-1 collision: two completely different documents that share the same SHA-1 checksum.

According to Google, the attack took roughly 6,500 years of single-CPU computation (about 110 years of single-GPU computation). But we saw similarly high figures for the first attack on PPTP, and as we all know, by 2012 it took only 23 hours to attack PPTP thanks to faster computing power. Within a few more years of development, a SHA-1 attack might work in similar timeframes.

http://shattered.io/

https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html
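What a collision buys an attacker is easiest to see in a content-addressed store, the pattern behind git, deduplicating backups and download caches: whatever is stored first under a hash owns that identifier, and a colliding twin is silently accepted as "the same". The following is an added example, not code from the original post or from Google's SHAttered work. It takes a pluggable hash so the collision path can be exercised offline with a deliberately weak toy hash (an assumption for demonstration only); run against the two PDFs from shattered.io, the SHA-1 path behaves the same way.

```python
"""Why a hash collision matters in practice: a content-addressed store.

Added example, not code from the original post or from Google's work. It
uses a pluggable hash so the collision path can be exercised offline with a
deliberately weak toy hash; with the real shattered-1.pdf/shattered-2.pdf
from shattered.io the SHA-1 path behaves the same way.
"""
import hashlib
from typing import Callable, Dict, Tuple

HashFn = Callable[[bytes], bytes]


def sha1_key(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def toy_length_hash(data: bytes) -> bytes:
    """Trivially collidable stand-in, used only to demonstrate the collision path."""
    return bytes([len(data) % 256])


class ContentStore:
    """Minimal content-addressed store, the pattern used by git, dedup and caches.

    Objects live under key = hash(content). When two different objects hash
    to the same key the second is silently treated as a duplicate of the
    first, which is exactly what a SHAttered-style collision lets an attacker
    exploit: the benign document is stored or signed, the malicious twin is
    accepted under the same identifier.
    """

    def __init__(self, hash_fn: HashFn = sha1_key) -> None:
        self.hash_fn = hash_fn
        self.objects: Dict[bytes, bytes] = {}
        self.collisions = 0

    def put(self, data: bytes) -> Tuple[bytes, bool]:
        """Store data; return (key, collided). On a collision the new data is dropped."""
        key = self.hash_fn(data)
        existing = self.objects.get(key)
        if existing is None:
            self.objects[key] = data
            return key, False
        if existing != data:
            self.collisions += 1
            return key, True
        return key, False

    def get(self, key: bytes) -> bytes:
        return self.objects[key]


def verify_pair(a: bytes, b: bytes) -> str:
    """Classify two blobs: 'identical', 'sha1-collision' or 'different'.

    Comparing a second, unbroken hash (SHA-256) alongside SHA-1 is the
    practical check; the two SHAttered PDFs come out as 'sha1-collision'.
    """
    if a == b:
        return "identical"
    same_sha1 = hashlib.sha1(a).digest() == hashlib.sha1(b).digest()
    same_sha256 = hashlib.sha256(a).digest() == hashlib.sha256(b).digest()
    if same_sha1 and not same_sha256:
        return "sha1-collision"
    return "different"


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            print(verify_pair(f1.read(), f2.read()))
    else:
        store = ContentStore(hash_fn=toy_length_hash)
        key, _ = store.put(b"benign")
        _, collided = store.put(b"nasty!")   # same length -> same toy key
        print("collision:", collided, "stored:", store.get(key))
```

Invoked as `python3 sha1_store.py shattered-1.pdf shattered-2.pdf` it prints `sha1-collision`; without arguments it walks the same code path with the toy hash. The practical lesson is the one in `verify_pair`: where a system still identifies content by SHA-1, compare a second hash before trusting that two objects are the same.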