A new worm: Global cyberattack based on Shadowbrokers vulnerability, payments made in order to get back files
A global cybersecurity attack called “WannaCry” has struck several large organisations worldwide. The attack is based on a vulnerability recently exposed by the Shadow Brokers publication, a leak of NSA material. The leak included information on a security hole in Microsoft Windows which was fixed on the 14th of March.
Cybersprint’s CEO Pieter Jansen: “This is a global event with the potential to outgrow the impact of the Slammer virus more than a decade ago. We are seeing similar responses to earlier worms: hospitals shutting down, organisations cutting off internet connectivity and businesses shutting down. We expect the infection to spread on Monday when people are logging back into their work and e-mail environments, clicking on attachments and creating more infections.”
What can you do?
Organisations and end-users should apply Windows Updates immediately. These updates have been available since the 14th of March, but have not been applied by all Windows users. Apart from keeping systems up-to-date, users should never open attachments from unknown e-mail addresses. Even with known addresses caution is required, as the exact characteristics of this virus are still unknown.
Matter of time before this happened
Cybersprint’s CEO Pieter Jansen: “It was a matter of time before this happened: the capabilities of malware have been increasing, tactics have changed. This case proves that somebody was able to combine the best aspects of earlier malware tactics and created a ‘monster malware’.”
Initial infections are spreading through malicious e-mail attachments. Once infected, a computer will try to exploit neighbouring computers through “worm-like” behaviour. The last big worm attack was Slammer in 2003, which hit 75000 computers within its first 10 minutes.
Indicators of Compromise (IOCs) are being shared between security organisations in order to collaboratively deter the threat of this global cybersecurity attack. AlienVault’s public IOC exchange now contains several patterns that organisations can apply to determine whether they have been hit by WannaCry.
Bitcoin payments have been made to the attackers
The attack installs a “ransomware virus”: a user’s files are encrypted and held to ransom. Once a payment has been made to a certain bitcoin address, the user receives a decryption key and regains access to their files.
So far, a total of $7k (4 BTC) in payments has been made to the bitcoin addresses specified by the attackers. This is ‘ransom’ that has been paid by victims of the ransomware attack:
Additional compromise information
Network administrators should block access to at least the following domains:
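Applying shared IOC patterns and a domain blocklist to DNS query logs, as described in the two passages above, can be automated. The following is an added example, not code from the original post or from Cybersprint; the IOC domains and the BIND-style log lines are constructed placeholders, since the post’s own domain list is not reproduced here. It matches only on label boundaries so that a look-alike name such as `notioc-placeholder-1.invalid` does not produce a false hit.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Placeholder IOC domains (constructed stand-ins, not real WannaCry indicators).
IOC_DOMAINS = {"ioc-placeholder-1.invalid", "ioc-placeholder-2.invalid"}

# Constructed sample DNS query log lines in BIND "client ... query:" format.
SAMPLE_DNS_LOG = """\
12-May-2017 10:01:02.123 client 10.0.0.5#49152: query: www.example.org IN A + (10.0.0.1)
12-May-2017 10:01:03.456 client 10.0.0.7#49153: query: IOC-Placeholder-1.invalid IN A + (10.0.0.1)
12-May-2017 10:01:04.789 client 10.0.0.9#49154: query: api.ioc-placeholder-2.invalid. IN AAAA + (10.0.0.1)
12-May-2017 10:01:05.000 client 10.0.0.11#49155: query: notioc-placeholder-1.invalid IN A + (10.0.0.1)
"""

QUERY_RE = re.compile(r"client (?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def normalise(name: str) -> str:
    """Lower-case the name and strip a trailing dot so comparisons are exact."""
    return name.rstrip(".").lower()


def matches_ioc(qname: str, iocs: Iterable[str]) -> Optional[str]:
    """Return the IOC domain that qname equals or is a subdomain of, else None.
    The suffix check includes the leading dot, so only whole labels match."""
    q = normalise(qname)
    for ioc in iocs:
        d = normalise(ioc)
        if q == d or q.endswith("." + d):
            return d
    return None


def find_hits(log_text: str, iocs: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Scan DNS log lines; return (client_ip, queried_name, matched_ioc) per hit."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line; skip
        ioc = matches_ioc(m["qname"], iocs)
        if ioc:
            hits.append((m["client"], normalise(m["qname"]), ioc))
    return hits


if __name__ == "__main__":
    for client, qname, ioc in find_hits(SAMPLE_DNS_LOG, IOC_DOMAINS):
        print(f"{client} queried {qname} (matches IOC {ioc})")
```

Each hit identifies an internal client that should be isolated and examined, which is the same triage the shared IOC patterns are meant to support.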