Mediaboss Marketing

Cybersecurity researchers have discovered a new worm that uses seven of the NSA's leaked exploits.

If the NSA's leaked hacking tools had a Voltron, it would be EternalRocks.

On Sunday, researchers confirmed new malware, named EternalRocks, that uses seven exploits first discovered by the National Security Agency and leaked in April by the Shadow Brokers group. Experts described the malware as a "doomsday" worm that could strike suddenly.

Earlier this month, the WannaCry ransomware plagued hospitals, schools and offices around the world and spread to more than 300,000 computers. It uses two NSA exploits that were leaked by the Shadow Brokers, EternalBlue and DoublePulsar. A few days later, researchers found Adylkuzz, new malware that spread using those same exploits and created botnets to mine for cryptocurrency.

Now, there's EternalRocks. Miroslav Stampar, a cybersecurity expert for Croatia's CERT, first discovered the hodgepodge of hacks on Wednesday. The earliest findings of EternalRocks goes all the way back to May 3, he wrote in a description on GitHub.

EternalRocks uses EternalBlue, DoublePulsar, EternalChampion, EternalRomance, EternalSynergy, ArchiTouch and SMBTouch -- all tools leaked by the Shadow Brokers. Stampar said he found the packed hack after it infected his honeypot, a trap set to monitor incoming malware.

The majority of the tools exploit vulnerabilities with standard file sharing technology used by PCs called Microsoft Windows Server Message Block, which is how WannaCry spread so quickly without being noticed. Microsoft patched these vulnerabilities in March, but many outdated computers remain at risk.

Unlike WannaCry, which alerts victims they've been infected through ransomware, EternalRocks remains hidden and quiet on computers. Once in a computer, it downloads Tor's private browser and sends a signal to the worm's hidden servers.

Then, it waits. For 24 hours, EternalRocks does nothing. But after a day, the server responds and starts downloading and self-replicating. That means security experts who want to get more information and study the malware will be delayed by a day.

"By delaying the communications the bad actors are attempting to be more stealthy," Michael Patterson, CEO of security firm Plixer, said in an emailed statement. "The race to detect and stop all malware was lost years ago."

It even names itself WannaCry in an attempt to hide from security researchers, Stampar said. Like variants of WannaCry, EternalRocks also doesn't have a kill-switch, so it can't be as easily blocked off.

For now, EternalRocks remains dormant as it continues to spread and infect more computers. Stampar warns the worm can be weaponized at any time, the same way that WannaCry's ransomware struck all at once after it had already infected thousands of computers.

Because of its stealthy nature, it's unclear how many computers EternalRocks has infected. It's also unclear what EternalRocks will be weaponized into. Plixer said the worm could be immediately turned into more ransomware or trojan attacks for banking.

The NSA has been widely criticized for holding onto these exploits without warning the companies involved. On Wednesday, Congress introduced a bill that would force the government to hand over its cyber arsenal to independent review boards.

The NSA didn't immediately respond to a request for comment.

CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.

Logging Out: Welcome to the crossroads of online life and the afterlife.

Continue reading here:
'Doomsday' worm uses seven NSA exploits (WannaCry used two) - CNET

Everyone is talking about WannaCry(pt), the latest ransomware worm that attacked over 150 countries across the globe. It hit hospitals, universities, businesses, a telco, train stations and more. Microsoft responded by releasing emergency security patches for Windows versions as far back as XP. To Microsoft's credit they had released a patch for the issue in February, well before this exploit hit, so those that did not update were the ones hit. The lesson here is to install your security patches when they are available.

The exploit was via a vulnerability in the SMB file share system. The bug was found after the NSA's EternalBlue tool was stolen, yes, the NSA was using the exploit. Initially the tool was used to hack into devices but this latest version was added to ransomware. The unlock cost is between US$300 (10,400 baht) to $600 regardless of the target. It also adds Doublepulsar, a backdoor that allows the machine to be remotely controlled, also stolen from the NSA. BitDefender sent an email saying I was already protected but many were not. The attack was stopped when a clever person in the UK found the kill switch. There are rumours that North Korea was behind this attack like they were with the big Sony hack a while back. Others are suggesting it was a much smaller group.

The potential next version of Android, or its replacement, called Fuchsia has been tested in an early development build. The need for such a product was triggered by Oracle's litigation against Google to get Android royalties. It is open source and you can find it on Github. Hotfix's Kyle Bradshaw compiled the most recent version and you can see what it looks like by searching for "Fuchsia OS Armadillo preview" on YouTube.

With the world moving away from the PC and towards the notebook many are looking for a solution for multi-monitor support. Modern notebooks are so thin they no longer have monitor ports but don't despair, there are many solutions to try. Thunderbolt ports support video, audio, standard data transmission and power. You will of course need a Thunderbolt compatible monitor. Another solution, for those with only one Thunderbolt or USB-C port, is to get a docking station. For older users, the options include a splitter cable, a splitter box and perhaps some USB-to-HDMI adaptors. If you have the right kind of notebook, e.g. a Razor, then you may even be able to use a proper graphics card inside an external box. Those that have tried or used multiple monitors rarely want to go back to one.

The MP3 or MPEG Audio Layer III format has been officially killed off by the Fraunhofer Institute, which did not renew the IP rights and ceased their licensing programme. No, MP3 is not gone, it has essentially become free. MP3 is still a popular format even though others like AAC variants and MPEG-H have more features, better audio quality and use less bandwidth. With the growth of memory on devices many also now use FLAC, a lossless format rather than MP3 which reduces information but "tricks" the ears into hearing all the sound. The most recent example is MQA that may be the basis for the next great streaming technology.

Since I didn't get the LG V20 phone I'm now looking at the Huawei P10 Plus. This is a 5.5-inch QHD+ phone with 6GB of memory and 128GB of storage for a fraction of the price of the Samsung S8. The Leica dual camera is very good and it comes with the latest Kirin 960 processor. It supports a microSD but you would have to be doing a lot of 4K recording to even need such an expansion of up to an additional 256GB. A 3,750mAh non-removable battery adds some extra life and it is Android 7. Unlocked versions are already available for as low as US$630 (21,750 baht) in some places.

I was at a presentation demonstrating the SQLServer on Linux recently and besides the fact that it installs quickly, the advantage of this is that you can set up a virtual machine on a Windows 7 PC and run the latest versions like 2016 or the newest 2017. For Red Hat, Ubuntu and SUSE the product is fully integrated and an update is a simple command line. In the demo using Oracle's free VM, an Ubuntu core virtual machine was created and then SQLServer installed, which was then accessible from the Windows SQL Server Management Studio. Apart from one step involving partitioning, it was all seamless and fast. There are plenty of tutorials on the internet to walk you through this.

Finally for this week, Cray the supercomputer people are moving to supercomputing as a service model, which given how everything else is going should come as no surprise.

Read the original:
Thank the NSA for latest global ransomware - Bangkok Post

By Ms. Smith, Network World | May 21, 2017 8:58 AM PT

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues.

Your message has been sent.

There was an error emailing this page.

While you wont be forgetting the WannaCry ransomware attack, it is likely you will be hearing a lot more about the alleged NSA-linked EternalBlue exploit and DoublePulsar backdoor, as it seems a wide range of bad guys have them in their toy boxes. At least one person is leveraging seven leaked NSA hacking tools for a new EternalRocks network worm.

Malwarebytes believes WannaCry did not spread by a malicious spam email campaign but by a scanning operation that searched for vulnerable public-facing SMB ports, then used EternalBlue to get on the network and used DoublePulsar to install the ransomware.

EternalBlue was part of the Shadow Brokers April 14 dump of NSA hacking tools. Almost immediately, sophisticated attackers started repackaging the EternalBlue exploit. Security firm Secdo reported that three weeks before the WannaCry attack, at least three different actors were leveraging the NSA EternalBlue exploit to infect, install backdoors and exfiltrate user credentials in networks around the world, including the U.S.

The attack leaves no trace. By spawning threads inside legitimate apps to impersonate those apps, the attack can evade advanced next-gen antivirus solutions. The attacks, according to Secdo, might pose a much bigger risk than WannaCry because many endpoints may still be compromised despite having installed the latest security patch.

The security firm suggested one threat actor was stealing credentials using a Russian-based IP, and another threat actor seemed to be using EternalBlue in opportunistic attacks to create a Chinese botnet.

Secdo added:

Even if companies were able to block WannaCry and patch the SMB Windows exploit, a backdoor may persist and compromised credentials may be used to regain access.

Security firm Proofpoint spotted an attack using EternalBlue and DoublePulsar to install a cryptocurrency mining botnet. This attack, which also began before WannaCry, may be larger in scale and may even have limited the spread of WannaCry because this attack shuts down SMB networking to prevent further infections with other malware via that same vulnerability. Every time Proofpoint exposed a lab box vulnerable to EternalBlue attacks, it was added to the cryptocurrency mining botnet within 20 minutes.

Perhaps the most worrying news about attacks came from researcher Miroslav Stampar. It is the most worrying because the EternalRocksnetwork worm doesnt just use EternalBlue and DoublePulsar like WannaCry did. Oh no, it uses seven different NSA hacking tools: EternalBlue, Eternalchampion, Eternalromance, Eternalsynergy, Doublepulsar, Architouch and SMBtouch.

Stampar learned of EternalRocks after it infected his SMB honeypot. Its original name was MicroBotMassiveNet, but EternalRocks is listed as a product name under Taskhost Properties. It disguises itself as WannaCry as if hoping to fool security researchers, yet it doesnt drop ransomware. Instead, it seems to be gaining a foothold to launch future attacks.

During the first stage, EternalRocks installs TOR as a C&C communications channel. The second stage doesnt begin immediately; instead, the C&C server waits 24 hours before responding with shadowbrokers.zip. Stampar said the delayed downloader for the zipped file, which contains NSA hacking tools leaked by the Shadow Brokers, seems to be a full-scale cyber weapon.

After that is unpacked, the EternalRocks worm begins scanning for open 445 ports on the internet and pushes the first stage of the malware through payloads.

There is no kill switch like there was in WannaCry. Stampar told Bleeping Computer, The worm is racing with administrators to infect machines before they patch. Once infected, he can weaponize any time he wants, no matter the late patch.

The second stage of the infection currently has a detection rate of 45/61 on VirusTotal, but Stampar warned that EternalRocks was going to be huge.

He later added:

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues.

Sponsored Links

Read the original here:
EternalRocks network worm uses 7 NSA hacking tools - Network World

The NSA's exploit toolkit has been weaponized to target critical systems all over the world. So much for the debate over the theoretical downside of undisclosed vulnerabilities. (It also inadvertently provided the perfect argument against encryption backdoors.) The real world has provided all the case study that's needed.

It appears the NSA finally engaged in the Vulnerabilities Equity Process -- not when it discovered the vulnerability, but rather when it became apparent the agency wouldn't be able to prevent it from being released to the public. What's happened recently has been devastating and Microsoft -- whose software was targeted -- has expressed its displeasure at the agency's inaction.

Maybe the agency will be a bit more forthcoming in the future. Ellen Nakashima and Craig Timberg of the Washington Post report former NSA employees and officials had concerns about the undisclosed exploit long before the Shadow Brokers gave it to the world.

When the National Security Agency began using a new hacking tool called EternalBlue, those entrusted with deploying it marveled at both its uncommon power and the widespread havoc it could wreak if it ever got loose.

Some officials even discussed whether the flaw was so dangerous they should reveal it to Microsoft, the company whose software the government was exploiting, according to former NSA employees who spoke on the condition of anonymity given the sensitivity of the issue.

Officials called it "fishing with dynamite." The exploit gave the NSA access to so much on compromised computers, the agency obviously couldn't bear the thought of voluntarily giving up such a useful hacking tool. But when it was first deployed, some inside the agency felt the vulnerability might be too powerful to be left undisclosed.

But there were plenty of others who viewed disclosure as "disarmament." Somehow, despite three straight years of leaked documents, the NSA still felt it had everything under control. The Shadow Brokers NSA exploit auction made it clear the NSA was no better at securing its software stash than it was at keeping thousands of internal documents from wandering out the door.

The only upshot is the NSA has now witnessed what kind of damage its exploits can do in the wrong hands. Since the agency cannot possibly ensure this sort of thing won't happen again, the question now is how much of other people's security is the agency willing to sacrifice in the name of national security?

The NSA appears to believe it handled this as well as it could given the circumstances, but the outcome could have so much worse. The chain of events leading to the NSA's eventual disclosure helped minimize the collateral damage. It has very little to do with the steps the NSA took (or, more accurately, didn't take).

What if the Shadow Brokers had dumped the exploits in 2014, before the [US] government had begun to upgrade software on its computers? What if they had released them and Microsoft had no ready patch?

There's your intelligence community nightmare fuel. Had the vulnerability managed to take down US government hardware and software, the NSA would be facing even more criticism and scrutiny that it already is.

The NSA appears to only disclose vulnerabilities when forced to. It may possibly hand over those it finds to be of limited use. Former NSA head Keith Alexander says the agency turns over "90%" of the vulnerabilities it discovers, but that percentage seems inflated. The NSA spent years as "No Such Agency." It's only been the last four years that it's been forced to engage in more transparency and accountability, so it's tough to believe it's spent years proactively informing affected companies about the flaws in their products.

In any event, the NSA's second-guesswork will have do for now. Some legislators are hoping to shore up the vulnerabilities reporting process, but it's likely by the time it heads for the Oval Office desk, it will be riddled with with enough national security exceptions to make it useless. With the Shadow Brokers hinting they still have more dangerous exploits to release (including one affecting Windows 10), the decision to disclose these vulnerabilities will once again be informed by the NSA's inability to keep its hacking tools secure, rather than any internal examination of its hoarder mentality.

Follow this link:
NSA Was Concerned About Power Of Windows Exploit Long Before It Was Leaked - Techdirt

The National Security Agency has decided to halt a controversial surveillance program, but this was just the tip of an iceberg of government abuses of privacy and due process.

The NSA said recently that it will no longer engage in warrantless spying on Americans' digital communications that merely mention a foreign intelligence target, referred to in the intelligence community as "about" communications. The agency had claimed the authority to engage in such surveillance under Section 702 of the Foreign Intelligence Surveillance Act, which allows it to target non-U.S. citizens or residents believed to be outside the country, although Americans' communications are oftentimes swept up as well.

"NSA will no longer collect certain internet communications that merely mention a foreign intelligence target," the agency announced in a statement. "Instead, NSA will limit such collection to internet communications that are sent directly to or from a foreign target."

"Even though NSA does not have the ability at this time to stop collecting 'about' information without losing some other important data, the Agency will stop the practice to reduce the chance that it would acquire communications of U.S. persons or others who are not in direct contact with a foreign intelligence target," it continued.

The agency's decision is certainly welcome, though we must make the perhaps generous assumption that it will do -- or not do, in this case -- what it says it will, and that it will not simply change its mind in the future.

We are reminded of the public testimony of then-National Intelligence Director James Clapper at a March 2013 Senate Intelligence Committee hearing. At one point, Sen. Ron Wyden, D-Ore., asked Clapper plainly, "Does the NSA collect any type of data at all on millions, or hundreds of millions of Americans?" Clapper then lied to his face, and the faces of all Americans, saying, "No, sir," and then, "Not wittingly." Within a matter of months, news stories based on information from the Edward Snowden leaks would reveal the NSA's bulk collection of Americans' phone metadata and internet communications.

Then there is the matter of the "backdoor search loophole," by which the FBI or other agencies may search NSA databases for information about Americans collected under Section 702 without having to go through all that pesky business of obtaining a warrant.

The Fourth Amendment is quite clear: Government searches require a warrant issued by a judge based on probable cause and describing the specific "place to be searched, and the persons or things to be seized." New technology may make our communications quicker and more convenient -- as well as more easily recorded -- but it does not alter that fundamental principle.

-- By the L.A. Daily News editorial board, Digital First Media

See original here:
EDITORIAL: NSA halts one abuse, but many remain - Lowell Sun