Sunday, May 14, 2017

WannaCry Ransomware

Ransomware: a type of malicious software designed to encrypt all your files; the attacker withholds the decryption until a sum of money is paid.

Check out my other post relating to Ransomware Risk Mitigation


WannaCry Ransomware:
This ransomware spreads via a known SMB vulnerability, which Microsoft patched recently in security update MS17-010. Once a system is infected, its files are encrypted and a countdown appears. The popup demands a payment of $300, to be made via bitcoin.

Which files are encrypted?
WannaCry encrypts files with the following extensions, appending .WCRY to the end of the file name:
  • .123
  • .3dm
  • .3ds
  • .3g2
  • .3gp
  • .602
  • .7z
  • .ARC
  • .PAQ
  • .accdb
  • .aes
  • .ai
  • .asc
  • .asf
  • .asm
  • .asp
  • .avi
  • .backup
  • .bak
  • .bat
  • .bmp
  • .brd
  • .bz2
  • .cgm
  • .class
  • .cmd
  • .cpp
  • .crt
  • .cs
  • .csr
  • .csv
  • .db
  • .dbf
  • .dch
  • .der
  • .dif
  • .dip
  • .djvu
  • .doc
  • .docb
  • .docm
  • .docx
  • .dot
  • .dotm
  • .dotx
  • .dwg
  • .edb
  • .eml
  • .fla
  • .flv
  • .frm
  • .gif
  • .gpg
  • .gz
  • .hwp
  • .ibd
  • .iso
  • .jar
  • .java
  • .jpeg
  • .jpg
  • .js
  • .jsp
  • .key
  • .lay
  • .lay6
  • .ldf
  • .m3u
  • .m4u
  • .max
  • .mdb
  • .mdf
  • .mid
  • .mkv
  • .mml
  • .mov
  • .mp3
  • .mp4
  • .mpeg
  • .mpg
  • .msg
  • .myd
  • .myi
  • .nef
  • .odb
  • .odg
  • .odp
  • .ods
  • .odt
  • .onetoc2
  • .ost
  • .otg
  • .otp
  • .ots
  • .ott
  • .p12
  • .pas
  • .pdf
  • .pem
  • .pfx
  • .php
  • .pl
  • .png
  • .pot
  • .potm
  • .potx
  • .ppam
  • .pps
  • .ppsm
  • .ppsx
  • .ppt
  • .pptm
  • .pptx
  • .ps1
  • .psd
  • .pst
  • .rar
  • .raw
  • .rb
  • .rtf
  • .sch
  • .sh
  • .sldm
  • .sldx
  • .slk
  • .sln
  • .snt
  • .sql
  • .sqlite3
  • .sqlitedb
  • .stc
  • .std
  • .sti
  • .stw
  • .suo
  • .svg
  • .swf
  • .sxc
  • .sxd
  • .sxi
  • .sxm
  • .sxw
  • .tar
  • .tbk
  • .tgz
  • .tif
  • .tiff
  • .txt
  • .uop
  • .uot
  • .vb
  • .vbs
  • .vcd
  • .vdi
  • .vmdk
  • .vmx
  • .vob
  • .vsd
  • .vsdx
  • .wav
  • .wb2
  • .wk1
  • .wks
  • .wma
  • .wmv
  • .xlc
  • .xlm
  • .xls
  • .xlsb
  • .xlsm
  • .xlsx
  • .xlt
  • .xltm
  • .xltx
  • .xlw
  • .zip

What to do if you have been attacked by WannaCry?

For now, do not pay the ransom. Restore the files from your backup.
Most previous ransomware attacks have had a way to decrypt the files without paying the ransom. However, for WannaCry there is no such way at this moment.

Has the infection been contained?

Yes, the spread of the infection has been halted for now, thanks to the good intentions of a researcher called MalwareTech, but everyone seems sure that another such attack is imminent.


Precautions to be taken:

Windows Update MS17-010
The virus uses the ETERNALBLUE exploit, which is closed by Microsoft security update MS17-010, released in March. I recommend that you check Windows Update for the presence of this update (by KB number) on your computer (for example, the KB number for Windows 7 is KB4012212 or KB4012215).
If the update is not installed, you can download it from the official Microsoft website:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx


Close ports 135 and 445
According to reports from antivirus companies, WannaCry (wcrypt) penetrates computers through SMB (Server Message Block). To prevent penetration, we block inbound connections on ports 445 (SMB) and 135 (RPC endpoint mapper), through which the virus penetrates; in most cases they are not used by ordinary users, but note that blocking 445 also blocks incoming Windows file and printer sharing on that machine.
To do this, open the console with administrator rights (cmd.exe -> Run as administrator) and execute the following two commands in turn (each command should return status OK).
netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=135 name="Block_TCP-135"

netsh advfirewall firewall add rule dir=in action=block protocol=TCP localport=445 name="Block_TCP-445"


Disabling SMBv1 support
The vulnerability can also be closed by disabling SMBv1 support completely. Run this command in cmd (run as administrator); the /norestart switch only defers the reboot, and the change takes effect after the machine is restarted.
dism /online /norestart /disable-feature /featurename:SMB1Protocol
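To verify the three precautions above on a single host, here is an added PowerShell example (not from the original post). It assumes the Windows 7 KB numbers named above and the firewall rule names used in the netsh commands; other Windows versions have their own MS17-010 KB numbers and need adding to the list.

```powershell
# Added example, not part of the original post: checks the three precautions
# above on one Windows host and reports which still need action.
# Assumptions: the KB numbers are the Windows 7 ones named in the post (add
# your OS's MS17-010 KB numbers to $Ms17010Kbs), and the firewall rules carry
# the names used in the netsh commands above. Run from an elevated prompt.

$Ms17010Kbs = @('KB4012212', 'KB4012215')

function Test-WannaCryPrecautions {
    # 1. MS17-010: is one of the listed hotfixes installed?
    #    A later cumulative rollup can supersede these KBs, so a miss here
    #    means "check Windows Update", not "definitely vulnerable".
    $hotfix  = Get-HotFix -Id $Ms17010Kbs -ErrorAction SilentlyContinue
    $patched = [bool]$hotfix

    # 2. SMBv1: optional-feature state on Windows 8 / Server 2012 and later,
    #    otherwise the LanmanServer SMB1 registry value used on Windows 7
    #    (value absent means SMBv1 is enabled).
    try {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop
        $smb1    = [string]$feature.State          # 'Enabled' or 'Disabled'
    } catch {
        $params = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
        $smb1   = if ($null -eq $params.SMB1 -or $params.SMB1 -ne 0) { 'Enabled' } else { 'Disabled' }
    }

    # 3. Firewall: are the inbound block rules for TCP 135 and 445 present?
    #    netsh prints "No rules match the specified criteria." and exits
    #    non-zero when the named rule does not exist.
    $rules = @{}
    foreach ($name in 'Block_TCP-135', 'Block_TCP-445') {
        $null = netsh advfirewall firewall show rule name="$name"
        $rules[$name] = ($LASTEXITCODE -eq 0)
    }

    [pscustomobject]@{
        MS17010Installed = $patched
        SMB1State        = $smb1
        BlockRule135     = $rules['Block_TCP-135']
        BlockRule445     = $rules['Block_TCP-445']
        # Either the patch or disabled SMBv1 closes the ETERNALBLUE path;
        # the port rules are defence in depth on top of that.
        ActionNeeded     = (-not $patched) -and ($smb1 -ne 'Disabled')
    }
}

Test-WannaCryPrecautions | Format-List
```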

To prevent yourself from future ransomware attacks:

  • Back up necessary data from time to time.
  • Update your OS to the latest version (the recent NSA exploit leaks affecting older OSes like XP will trigger more ransomware in different flavors).
  • Updating your antivirus, or having the best one, does not by itself provide adequate protection against such attacks.
  • Do not open any emails from unknown senders.
  • Close the ports which you do not use.

Check out my other post relating to Ransomware Risk Mitigation

References:
For a detailed view on the attack:
https://blogs.technet.microsoft.com/mmpc/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/

Wednesday, January 18, 2017

Lay off the BHIM App (For Now)


The BHIM app, the UPI payment app introduced by the Indian PM, is just another UPI app.

There are far too many competitors to BHIM, such as the ICICI UPI app, HDFC UPI app, Axis Pay, PhonePe, SBI Pay, etc.

However, BHIM was hailed as the most secure:

“BHIM uses three-factor authentication and hence, is relatively more secure from a consumer point of view. It also combines the convenience of a mobile wallet with the security of net banking,” he said.

When a user opens the BHIM application for the first time, the application automatically binds itself to their device ID and phone number, both of which are unique. This means that the same UPI account cannot be used from two phones. The BHIM application will also not work on a phone which doesn’t have a SIM card.

“This uniquely identifies not just the device but the active number. If there is some fraud…you have an operational number plus the device ID, which in some cases can be masked, but a combination of both makes it easy to track the cell phone and law enforcement agencies can physically trace the person, if needed,” said a security firm researcher.

“The third factor is the UPI PIN, set by the user, which will be required for every transaction through the application.” No user would be able to do transactions without the UPI PIN, he said.



However, a few days after the release of the app, a lot of people are complaining that the app is sluggish.

There are other security concerns with the app, such as:

  • The back button is not restricted, and you can move back and forth from the payment page.
  • The app is prone to SQL injection attacks.
  • The app is slow (in fairness, so are the majority of UPI apps).

So it is definitely worth waiting before you jump onto BHIM. The app makers have stated that they are working on the issues and will release an update at the earliest.

Wednesday, December 14, 2016

Uber Tracking your location after completing your Ride.



Uber has said that it will track your location for 5 minutes after completing your ride.
It claims this will help provide a better consumer experience, as location is key to its game.

Till now we do not know how long it has been tracking its users after completing their ride. I did happen to read the Wired article, which says how Uber has a "God View" and how it is a source of entertainment at parties :|
Yes, the Uber app can also track your location in the background.



To disable the tracking, you will need to disable the location permission on your phone, either for all your apps or for Uber specifically (Android Marshmallow and above).


Friday, December 9, 2016

Rise of the Mirai Botnet

The Mirai botnet is the one you might have heard of that kicked Dyn out of gear.
That's right, it is indeed the recruiter of an army of zombies, i.e. unsecured Internet-connected devices.

Internet-connected devices such as your computer, router, webcam, etc. are all vulnerable to this malware.

The malware follows a simple strategy for compromising Internet-connected devices:

Take over the device

It uses the default username and password of the device to gain access and add it to its army.
It also uses a brute-force dictionary attack to obtain passwords.

Clear the hurdles

Mirai also kills any existing malware on the device, so that it maximizes its own potential. It also prevents remote login so that it cannot be stopped in the middle of an attack.

Execute

Once Mirai is in control of the device, it waits for commands from the central server.


The do-not list:
It also has a list of addresses which it refrains from scanning (for an unknown purpose, or to avoid attracting attention).

Once the botnet has enough devices in its army, it begins attacking the target via DDoS.



How to prevent Mirai?

Change the default or weak passwords of your devices.

Disable remote login / WAN access (if not used).


Attack on Dyn
Dyn is a DNS management service which helps in the lookup of domain names to IP addresses.
Since this DNS infrastructure was attacked by the Mirai botnet, DNS lookups for sites like Amazon, Twitter and many others failed, and consumers were unable to access them.

The attack was mitigated by using scrubbing services (the traffic is rerouted to new servers or data centers which separate the fake traffic from the real traffic).
Rebooting the infected devices stops the attack, although a device that still has its default password is quickly reinfected.

The source code has been released on one of the hacker forums; a copy is mirrored at:
https://github.com/jgamblin/Mirai-Source-Code


Thursday, December 1, 2016

Watch out for Gooligan - Check if you are affected now!


Gooligan is malware that affects Android phones, particularly versions 4 and 5. It was first reported in mid-2016. It steals the authentication tokens of your Google accounts (Drive, Gmail, etc.) and installs adware which in turn generates revenue for the installed apps.

More details: https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi

List of Apps installed by Gooligan: http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/

Check here whether your account has been compromised:
https://gooligan.checkpoint.com/

If you find your account is compromised, it would be safest to do a clean install of the OS on your phone; a factory reset won't get you that far. Also change the passwords of your Google accounts immediately. Gooligan does not access user data nor modify OS/system files.

Use the Google Play Store to download apps and be careful when installing apps from third-party websites.

Sunday, November 27, 2016

Paytm POS app rolled back on Security Concerns

Paytm, which has been in the news ever since the demonetisation drive in India, had rolled out a POS app. This app has been rolled back, citing security concerns highlighted by the concerned parties.

The current app allows payment via QR code: the customer scans the merchant's QR code with the app to make the payment, transferring money instantly to the destination account/wallet. This is a secure way to make a payment because QR code payments use tokens to make the transaction.

What was the problem with the new POS app?

This new feature would require the customer to key in their card number and PIN into the Paytm app on the merchant's device.

As we are aware, key loggers and other screen-grabbing software can be installed by the merchant on his device; the unaware customer keys in card details into the merchant's Paytm app without knowing they are being recorded by the key logger, and thus the customer's card data is compromised.

Paytm has said repeatedly that it is PCI DSS (Payment Card Industry Data Security Standard) compliant and conducts several security audits. One of the main requirements of PCI DSS is that the merchant should not hold customers' card data in its systems. While it may be true that Paytm does not hold customer card data, this new feature in the application would allow the customer to pay by entering card details just like on any other e-commerce site's payment page. You would face the same risks as when entering card details online, plus the added risk that the payment is made not on your own device but on the merchant's.

Many would agree that the same type of attack can be performed on a POS terminal by installing malware/malicious code. It is true that such an attack can be performed, but it requires deep knowledge of the workings of the PED/POS device and the ability to post/transmit the data. There are encrypted PED/POS devices, but even they can be infected with malicious code. But the hack (if you would like to call it that) is not universal to all devices. There are many vendors of POS devices in the market, each with a different set of instructions/operations, so hacking such a device actually needs extensive knowledge of the device and the system it is placed in.

But the POS feature that was in the Paytm app is vulnerable to key loggers, and performing a keylogging attack doesn't need an expert. It is fairly easy to install an app from the app store and set the keystrokes entered on the device to be mailed every set period of time.

Paytm has said that it will rollout the app after getting additional certifications.


Wednesday, November 23, 2016

BlackNurse - A new variant of DDOS


This new attack was discovered by TDC engineers: http://www.blacknurse.dk/

The attack is along the lines of an ICMP flood attack. A classic ICMP flood involves flooding the target with a large amount of traffic, whereas the BlackNurse attack requires very little ping traffic, leveraging ICMP Type 3 Code 3 (Destination Unreachable, Port Unreachable).

An attack from a single laptop can go up to 180 megabits per second and effectively bring down the firewall. The attack is effective against Cisco, Palo Alto and a few more. This attack is possible only if you have allowed ICMP Type 3 Code 3 on outside interfaces.

http://soc.tdc.dk/blacknurse/blacknurse.pdf

Test your system with this proof-of-concept code to check if you are vulnerable.
https://github.com/jedisct1/blacknurse

If vulnerable, check your vendor's website to mitigate the risk.

Worst case: your router crashes and, after the flooding stops, it comes back up.