Note that the Samsung Galaxy S8 is the first flagship smartphone with iris recognition. The CCC provides a video demonstration with simple steps. The biometric system is manufactured by Princeton Identity Inc.
This technique is claimed to be more secure, but it did not withstand the test performed by the CCC. They demonstrated that it can be compromised by building a dummy.
Using a photo of the owner, you can unlock the phone easily; this gives attackers access to the phone and even to the wallet, if Samsung implements the iris recognition system for that.
CCC spokesman Dirk Engling said, "For those who love the data on their phones or who even think they want to pay with their phone, they are better able to rely on the proven PIN code protection instead of on their own personal characteristics."
Even with fingerprint recognition systems, CCC spokesman Dirk Engling says CCC staff and biometrics researcher starbug were able to demonstrate that they can be easily defeated with simple methods against the corresponding sensor of iPhones.
How to build an iris key
Pictures can be captured with a camera in night mode or with a built-in infrared filter. In this camera frequency range the details of dark eyes, which are hard to see in the visible range, are seen very clearly.
Depending on the environment, brightness and contrast should be adjusted. If all structures are clearly visible, the iris picture can be printed with a commercially available printer. The best results were obtained, starbug notes with amusement, with Samsung-brand laser printers.
"The safety risk is even greater with the iris than with fingerprints, as the biometric feature is displayed much more exposed. In the simplest case, a high-resolution image from the Internet is enough to capture images of irises," said Dirk Engling.
To adapt the dummy to the shape of a real eye, a contact lens placed over the printout is suitable.
The most expensive part of the procedure for defeating iris recognition was, by a wide margin, buying a smartphone.
A new cyber attack is spreading through vulnerable subtitles downloaded by the victim's media player. It threatens more than 200 million vulnerable machines worldwide and leads to a complete takeover of the infected machine.
This cyber attack is delivered when movie subtitles are loaded by the user's media player, after the victim has been tricked into loading them.
Attackers used two major attack vectors to deliver crafted malicious subtitle files into the victim's media player:
Forcing victims to visit a malicious website to download subtitles.
Tricking victims into running a malicious file on their computer.
The vulnerable media players are widely used ones, including VLC, Kodi, Popcorn Time and Stremio.
Currently these subtitle repositories are treated as a trusted source by the vulnerable media players.
According to Check Point researchers, this method requires little or no deliberate action on the part of the user, making it all the more dangerous.
Many websites serve subtitles for download and import into media players, which is the potential attack method for easily spreading these malicious subtitle links.
This critical subtitles attack may be carried out against a PC, a smart TV or other devices infected by these malicious subtitles.
Among the affected media players, VLC has over 170 million downloads of its latest version alone, which was released June 5, 2016. Kodi (XBMC) has reached over 10 million unique users per day, and nearly 40 million unique users each month.
This attack can lead to stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more, Check Point said.
Proof of Concept Video:
Here Check Point presents a proof of concept for the complete takeover of the victim's machine by the attacker via the infected media players.
Once malicious subtitles are loaded into the victim's media player, the remote code is executed and the entire victim machine is taken over.
This attack is still under investigation by Check Point, and they did not reveal any technical details.
The Bitcoin price climbs as high as ever, reaching $2000 for the first time in history. The currency's value rose as much as 2.62% during the session, according to CoinDesk's BPI.
The price has shot up by 60 percent over the most recent month, and that has attracted numerous Indians to this digital currency.
Source: CoinDesk
The Bitcoin value climbed above $1000 at the start of 2017 for the first time in the last three years. At 09:00, the BPI (Bitstamp Price Index) saw bitcoin reach $1006.32.
It now records enormous growth in the last four months and has reached $2000. Interested to know how bitcoin works? Click here.
Now many countries have started making it legal, which caused a huge increase in the bitcoin price. Japan started accepting bitcoin as a legal currency, Russia has decided to make it legal in the near future, and Australia is going to accept bitcoins as legal currency from July 2017.
Greenspan says, "Bitcoin is gaining some serious momentum among investors on our platform, with 88% of Bitcoin traders still buying the asset."
China is transforming into one of the greatest markets, as very many Chinese individuals began using bitcoins, which additionally leads to a fall of their local currency, the yuan.
Indians have started investing in bitcoins at around 9.5% of their global holdings, says a Times of India report.
Benefits of Bitcoin
Individuals purchase bitcoins not only to pay ransoms; bitcoins can be used to complete international payments in a short time.
Cryptocurrencies are digital currencies that use cryptography as a central part of the protocol; Bitcoin uses SHA-256 for its Proof-of-Work (PoW).
The security of the bitcoin protocol lies in the transaction blockchain. It can be stored digitally, either locally or online.
Biggest Bitcoin Wallet Hack
We also heard about the Bitcoin exchange firm Yapizon being hacked recently; it is one of the hottest Bitcoin wallets of South Korea.
Bitcoin exchange firm Yapizon was hacked and around "3816.2028 Bitcoin" (nearly 5 million USD) was stolen on Saturday, April 22, 2017.
This is also one of the biggest hacking attacks in Bitcoin history.
A new network worm called "MicroBotMassiveNet" (nickname: EternalRocks) was discovered recently; like WannaCry, it also uses the SMB exploit. "MicroBotMassiveNet" self-replicates across the targeted network and exploits the SMB vulnerability.
NSA hacking tools are the main medium for "MicroBotMassiveNet" (nickname: EternalRocks) to spread and self-replicate across the network by remote exploitation, with the help of the 7 NSA hacking tools I have listed below.
WannaCry used only 2 NSA hacking tools: ETERNALBLUE for initially compromising the target system and DOUBLEPULSAR for replicating across the network to wherever vulnerable machines existed.
EternalRocks Properties
Initially it reached the honeypot network of Croatian Government CERT security expert Miroslav Stampar.
Stages of Exploitation
According to Miroslav Stampar, in the first stage the "MicroBotMassiveNet" malware downloads the necessary .NET components from the Internet, while dropping svchost.exe and taskhost.exe.
svchost.exe is used to download the component and to unpack and run Tor from https://archive.torproject.org/. Once the first stage is finished, it moves to the second stage for unpacking the payloads and further exploitation.
In the second stage, taskhost.exe is downloaded from the onion website http://ubgdgno5eswkhmpy.onion/updates/download?id=PC and run.
It downloads only after a predefined delay of 24 hours, so until then the researcher had to wait for a response from the C&C server.
After running, this process holds a zip file, shadowbrokers.zip, and unpacks it into the directories payloads/, configs/ and bins/.
Extracted Shadowbrokers File
In the configs folder we can find the 7 NSA hacking tools (ETERNALBLUE, ETERNALCHAMPION, ETERNALROMANCE and ETERNALSYNERGY, along with related programs: DOUBLEPULSAR, ARCHITOUCH and SMBTOUCH).
List of the 7 NSA hacking tools from the extracted Shadowbrokers file
Another folder contains the DLL of the shellcode payload, among the files downloaded in shadowbrokers.zip.
Once the file has been successfully unpacked, it scans random Internet hosts on port 445.
This payload is pushed by the first-stage malware, and it expects the running Tor process from the first stage to receive instructions from the C&C, the researcher explained.
Since it operates with many NSA hacking tools, it may have been developed for hidden communication with the victims, controllable via C&C server commands.
EternalRocks could represent a serious threat to PCs with vulnerable SMB ports exposed to the Internet, if its creator ever chose to weaponize the worm with ransomware, a banking trojan, RATs, or anything else.
Further technical analysis and IOCs have been published by Miroslav Stampar on GitHub.
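The three stages described above (svchost.exe fetching Tor from archive.torproject.org, taskhost.exe fetching the payload from a .onion address a day later, then a burst of outbound port 445 connections) can be correlated per host from endpoint network events. The following detection routine is an added example, not code from Stampar's analysis or this article; it assumes the log records the requested host name for each process connection (as a proxy or endpoint URL monitor would), and the host names, images and IPs in the sample are constructed.

```powershell
# Added example: correlate the EternalRocks staging sequence per host.
# Input is a constructed Sysmon-like CSV: time,host,image,dest,port

function Find-EternalRocksStages {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$ScanThreshold = 20   # distinct 445 targets that count as scanning
    )

    $events = $Lines | ConvertFrom-Csv -Header time,host,image,dest,port
    foreach ($g in ($events | Group-Object host)) {
        $e = $g.Group

        # Stage 1: the dropped svchost.exe downloads Tor from archive.torproject.org.
        $stage1 = @($e | Where-Object { $_.image -like '*\svchost.exe' -and $_.dest -eq 'archive.torproject.org' }).Count -gt 0

        # Stage 2: taskhost.exe pulls the second-stage payload from a .onion address.
        $stage2 = @($e | Where-Object { $_.image -like '*\taskhost.exe' -and $_.dest -like '*.onion' }).Count -gt 0

        # Stage 3: the unpacked payload scans many unrelated hosts on port 445.
        $targets445 = @($e | Where-Object { $_.port -eq '445' } |
                        Select-Object -ExpandProperty dest -Unique).Count
        $stage3 = $targets445 -ge $ScanThreshold

        if ($stage1 -and $stage2 -and $stage3) { $verdict = 'EternalRocks-like chain' }
        elseif ($stage1 -or $stage2)           { $verdict = 'Suspicious Tor staging' }
        else                                   { $verdict = 'Clean' }

        [pscustomobject]@{
            Host          = $g.Name
            TorDownload   = $stage1
            OnionFetch    = $stage2
            Smb445Targets = $targets445
            Verdict       = $verdict
        }
    }
}

# --- constructed sample events (hosts, paths and IPs are made up) ---
$lines = @(
    '2017-05-18T10:00:01,WS01,C:\Windows\Temp\svchost.exe,archive.torproject.org,443',
    '2017-05-19T10:05:00,WS01,C:\Windows\Temp\taskhost.exe,ubgdgno5eswkhmpy.onion,80'
)
# WS01 then hits 25 distinct external addresses on 445 within a minute.
foreach ($i in 1..25) {
    $lines += "2017-05-19T10:06:$('{0:d2}' -f $i),WS01,C:\Windows\Temp\taskhost.exe,203.0.113.$i,445"
}
# WS02 is a normal workstation: Windows Update and one file-server connection.
$lines += '2017-05-18T11:00:00,WS02,C:\Windows\System32\svchost.exe,windowsupdate.microsoft.com,443'
$lines += '2017-05-18T11:01:00,WS02,C:\Windows\explorer.exe,fileserver.corp.local,445'

Find-EternalRocksStages -Lines $lines | Format-Table -AutoSize
```

WS01 should come out as "EternalRocks-like chain" and WS02 as "Clean"; the 24-hour gap between stage 1 and stage 2 means the correlation window must span at least a day.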
Culprits responsible for this new and advanced technique for ATM jackpotting were identified in various countries over various timeframes in 2016 and 2017.
The efforts of some EU Member States and Norway, supported by Europol's European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), resulted in the arrest of 27 people linked with so-called ATM "Black Box" attacks across Europe.
Black Box attack
ATM "Black Box" attacks first appeared in Western Europe in 2015; however, most arrests happened in 2016 and 2017, with the most recent in Spain this month.
Arrests were made in one European country (3), Estonia (4), France (11), another European country (2), a Balkan state (2), Spain (2) and Norway (3).
The device can send dispensing commands that make the ATM give out all its cash. Losses can therefore be significant, amounting to a large number of euros.
In this specific attack, the criminals added an extra step: they connected to the controller a USB-based circuit board that NCR believes was intended to trick the ATM's core into thinking it was still connected to the cash dispenser.
Attack origins
Culprits involved in ATM Black Box attacks come primarily from countries such as Romania, Moldova, Russia and Ukraine. Some of the investigations are still ongoing and additional arrests are expected soon.
Europol's European Cybercrime Centre organised 4 operational meetings in 2016 and 2017 to exchange intelligence and experience; the countries that took part were Croatia, Czech Republic, Denmark, Estonia, France, Germany, Greece, Hungary, Ireland, Italy, the Netherlands, Poland, Romania, Slovak Republic, Slovenia, Spain, the United Kingdom, Moldova, Norway and the United States.
Attacks on the rise
ATM-related fraud attacks increased by 26%, up from 18,738 in 2015 to 23,588 in 2016. Losses due to ATM-related fraud attacks were up 2% compared with 2015 (up from €327 million to €332 million). The Asia-Pacific region and the USA are the places where the majority of such losses were reported. ATM-related physical attacks rose 12% compared with 2015 (up from 2,657 to 2,974 incidents).
"Our joint efforts to tackle this new criminal phenomenon resulted in significant arrests across Europe. However, the arrest of offenders is only one part of stopping this form of criminality. Increasingly we need to work closely with the ATM industry to design out vulnerabilities at source and prevent the crime taking place. This industry and law enforcement cooperation combined with the work with banks and prosecutors can make a major difference in stopping this growing form of crime," says Steven Wilson, Head of Europol's European Cybercrime Centre.
EAST Executive Director Lachlan Gunn said: "While the rise in ATM Black Box attacks is a concern, we are pleased to note that many of these attacks were not successful."
Zomato reports a massive data breach in which 17 million user records were stolen. Zomato has over 120 million active users worldwide and offers details of the best places in a city for people to find food orders and restaurants.
A security team from Zomato discovered this big data breach and reported it to their registered users.
According to the report by Zomato, the stolen data contains information such as registered users' usernames and hashed passwords.
Since all the passwords are stored as hashes, Zomato believes and reports that there is no way to reverse them to plain text.
Data disclosed on the dark web
Hackers released all the stolen Zomato user information, such as usernames and passwords, on a dark web market and set a price for the whole package of Zomato data at USD 1,001.43 (BTC 0.5587), reports HackRead.
This leaked information contains the usernames and hashed passwords of users registered via both the app and the website.
According to HackRead's analysis, they checked the revealed email addresses and tried to send a password reset email to some of the addresses in the leaked data, which confirmed that they are registered with Zomato.
Zomato reports, "Since we have reset the passwords for all affected users and logged them out of the app and website, your Zomato account is secure. Your credit card information on Zomato is fully secure, so there's nothing to worry about there."
Also, Zomato requested users to change their password for any other services where they use the same password.
A critical SQL injection vulnerability (CVE-2017-8917) exists in Joomla! 3.7; if you are a Joomla user, you need to update immediately.
Joomla! is a content management system (CMS) that allows you to build websites and powerful online applications.
A content management system is software that keeps track of every piece of content on your website, much like your local library keeps track of books and stores them.
The major advantage of using a CMS is that it requires almost no technical skill or knowledge to manage. Since the CMS manages all of your content, you don't have to.
SQL Injection in Joomla 3.7
SQL injection is currently ranked #1 on the OWASP Top 10 chart, which means that it is responsible for a large portion of public disclosures and security breaches. Read more
Webmasters are strongly recommended to update to version 3.7.1; the affected CMS version is 3.7.0.
Reported By
This particular vulnerability was reported by Marc Montpas from Sucuri; they discovered it while conducting regular research audits for their WAF.
How to update
Once you log in to your admin panel at yourwebsite.com/administrator, you can see a notification for the update in the quick links section.
Clicking it takes you to Joomla Update; click Install the update, and in a few minutes Joomla is upgraded to the new version.
It is always a good idea to back up your site before proceeding with the update; if there are any issues, you can restore your website.
The much-awaited WordPress 4.7.5 is now available for update. This security update covers six security issues that exist in WordPress version 4.7.4, including CSRF.
Security Issues addressed
Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
A Cross-Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.
CSRF Vulnerability
CSRF holds number eight in the OWASP Top 10 list. Cross-Site Request Forgery is one of the most common forms of attack by online spammers and scammers.
Although the mechanics of this attack are a bit complex, its prevalence is common. But CSRF attacks can be prevented easily. Read more about CSRF.
XSS Vulnerability
XSS is a very commonly exploited vulnerability type, which is very widespread and easily detectable.
An attacker can inject untrusted snippets of JavaScript into your application without validation. This JavaScript is then executed by the victim who is visiting the target site. Read More about XSS.
XML-RPC
It's a specification and a set of implementations that allow software running on disparate operating systems, running in different environments, to make procedure calls over the Internet.
In addition to the security updates, WordPress 4.7.5 contains 3 maintenance fixes to the 4.7 release series; see the release notes.
How to update
WordPress 4.7.3 contains 39 maintenance fixes to the 4.7 release series. Updating is simple: Dashboard >> Updates >> Update Now.
It is always a good idea to back up your WordPress before proceeding with the update; if there are any issues, you can restore your website.
WannaCry (WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is a family of computer malware known as ransomware that targets Microsoft Windows operating systems via the SMB exploit leaked by the Shadow Brokers, encrypting data and demanding ransom payments in the cryptocurrency bitcoin.
This ransomware mainly spreads by means of spam messages and malicious download links specially designed to lock the documents on a PC until the victim pays the ransom demand, usually $300-$500 in bitcoins.
This attack started on 12 May 2017 and infected more than 300,000 computers in over 150 countries, which is considered one of the biggest ransomware cyber attacks the world has ever faced.
Russia, Ukraine, India and Taiwan are the countries that took the major hit from the WannaCry ransomware.
How WannaCry infects your machine:
WannaCry's infection medium is spam and phishing emails with an embedded link that tempts victims to click; the link leads to a check of whether the Microsoft Windows machine is unpatched (MS released a patch for the SMB flaw).
Once installed, WannaCry uses the DoublePulsar backdoor developed by the U.S. National Security Agency; it spreads through local networks and to remote hosts, finding unpatched MS operating systems.
The ransomware perpetrators used publicly available exploit code for the patched SMB "EternalBlue" vulnerability, CVE-2017-0145.
According to Microsoft, the exploit code used by WannaCrypt was designed to work only against unpatched Windows 7 and Windows Server 2008 (or earlier OS) systems, so Windows 10 PCs are not affected by this attack.
After finding all the targeted file formats, it renames each file: for example, "example.png" is renamed to "example.png.WNCRY".
WannaCry also generates a file called "@Please_Read_Me@.txt" in every folder where files have been encrypted. It contains the ransom message, which is also shown in the replaced wallpaper image on the desktop.
After this, the executable runs and displays a ransom note that demands a $300 ransom in bitcoins and shows a timer.
When you click the Check Payment button, the ransomware connects back to the TOR C2 servers to check whether a payment has been made. If one was made, the ransomware will automatically decrypt your files.
If payment has not been made, it replies with a message like "you didn't pay or we did not confirm your account".
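The two on-disk artefacts just described, files renamed with the ".WNCRY" suffix and the "@Please_Read_Me@.txt" note dropped in each affected folder, are what an incident responder looks for first when scoping an infected machine. The triage script below is an added example, not code from the article; the folder tree it scans is constructed under the temp directory for the demonstration and deleted afterwards.

```powershell
# Added example: scope a WannaCry infection from its file-system artefacts.

function Get-WannaCryArtifacts {
    param([Parameter(Mandatory)][string]$Root)

    # Encrypted files carry the original name plus ".WNCRY"; the note is dropped per folder.
    $encrypted = Get-ChildItem -Path $Root -Recurse -File -Filter '*.WNCRY' -ErrorAction SilentlyContinue
    $notes     = Get-ChildItem -Path $Root -Recurse -File -Filter '@Please_Read_Me@.txt' -ErrorAction SilentlyContinue

    # Per-folder view: how many files were encrypted and whether a note was dropped there.
    $byFolder = $encrypted | Group-Object DirectoryName | ForEach-Object {
        $dir = $_.Name
        [pscustomobject]@{
            Folder         = $dir
            EncryptedFiles = $_.Count
            RansomNote     = [bool]($notes | Where-Object DirectoryName -eq $dir)
        }
    }

    # The original extension is whatever precedes ".WNCRY" ("example.png.WNCRY" -> ".png").
    $byExtension = $encrypted |
        ForEach-Object { [System.IO.Path]::GetExtension($_.BaseName).ToLowerInvariant() } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'OriginalExtension'; e = { $_.Name } }, Count

    [pscustomobject]@{
        TotalEncrypted = @($encrypted).Count
        TotalNotes     = @($notes).Count
        Folders        = $byFolder
        Extensions     = $byExtension
    }
}

# --- constructed sample tree (stands in for a real volume under investigation) ---
$sample = Join-Path $env:TEMP ('wncry-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path "$sample\Documents", "$sample\Pictures", "$sample\Untouched" | Out-Null
'x' | Set-Content "$sample\Documents\report.docx.WNCRY"
'x' | Set-Content "$sample\Documents\budget.xlsx.WNCRY"
'x' | Set-Content "$sample\Documents\@Please_Read_Me@.txt"
'x' | Set-Content "$sample\Pictures\example.png.WNCRY"
'x' | Set-Content "$sample\Pictures\@Please_Read_Me@.txt"
'x' | Set-Content "$sample\Untouched\notes.txt"

$result = Get-WannaCryArtifacts -Root $sample
"Encrypted files: $($result.TotalEncrypted), ransom notes: $($result.TotalNotes)"
$result.Folders    | Format-Table -AutoSize
$result.Extensions | Format-Table -AutoSize

Remove-Item -Recurse -Force $sample
```

On a real host, point `-Root` at each mounted volume and keep the per-folder list: it tells you which shares and user profiles need restoring from backup once the machine has been rebuilt.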
Infected Companies and Countries
The WannaCry ransomware outbreak affected many countries all over the world, including Russia, Ukraine, India and Taiwan, which took the major hit.
Affected organisations include the Russian Interior Ministry, Chinese universities, Hungarian telcos, FedEx branches, hospitals across England and the Spanish telecommunications company Telefónica.
Telefónica IT staff desperately told employees to shut down computers and VPN connections in order to limit the ransomware's reach.
Kaspersky Lab has uncovered new evidence linking the WannaCry ransomware code to North Korea.
Renault's partner company Nissan was also affected; a UK representative confirmed that records at its Sunderland plant were affected on Friday night, but wouldn't confirm reports that production was halted.
Andhra Pradesh Police
Automobile Dacia
Chinese public security bureau, Ministry of Internal Affairs of the Russian Federation
NHS Scotland
Universitas Jember
PetroChina
Vivo
Government of Gujarat
LATAM Airlines Group
Cambrian College
MegaFon
Russian Railways
Hitachi
Government of West Bengal
Timrå kommun
Nissan Motor Manufacturing UK
Colombia's Instituto Nacional de Salud
Faculty Hospital Nitra
University of Milano-Bicocca
Sandvik
National Health Service (England)
Sberbank
Ministry of Foreign Affairs (Romania)
Dharmais Hospital
FedEx
RBI (India) asks all banks to update their ATMs
"The Reserve Bank of India has asked banks to update specific Windows patches on ATMs urgently and not to operate ATM machines unless updates are in place," TOI quoted an official with a public sector bank as saying.
ATM machines are highly valuable assets and are vulnerable to malware infection due to a lack of updates.
Many of the ATM machines are running old versions of Windows, which essentially need updates in this situation.
In this case, RBI instructed all banks to immediately update the OS of all ATM machines around India that run unpatched operating systems, and strictly instructed them not to operate those machines before the update.
Comodo Firewall 10 prevents WannaCry ransomware on your system:
In this case, Comodo is always one step ahead in preventing such sophisticated cyber attacks. Comodo CEO Melih Abdulhayoğlu explains in his blog post,
Before WannaCry infects your system, Comodo Firewall 10 creates a virtual hard drive, a virtual registry and a virtual COM interface (a fake hard drive), which exist before WannaCry enters the victim's machine.
So what happens next: the WannaCry ransomware starts writing to the virtual hard drive and obviously has no idea that it is actually performing its encryption process on decoy files.
So the virtual hard disk gets infected, and it holds no important files; finally, all the victim's files have been successfully protected by Comodo Firewall 10.
Initially, the ransomware attack was halted by MalwareTech, who also warned
Security researcher MalwareTech (online handle), who halted the global spread of an unprecedented ransomware attack by registering a garbled domain name hidden in the malware, with help from Darien Huss of the security firm Proofpoint, has warned that the attack could be rebooted.
If the domain was unregistered, the ransomware would start encrypting files. But if the domain was registered, the ransomware would stop its infection process.
By registering this domain, MalwareTech had accidentally triggered a worldwide kill switch for the ransomware's self-spreading feature.
He states that this doesn't mean the WannaCry infection is over, but this specific version of the WannaCry infection has been stopped.
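The kill-switch behaviour described above has a useful defensive corollary: any host that looked up that domain ran the worm component, whether or not it went on to encrypt. The hunt below is an added example, not code from the article or MalwareTech; it uses a labelled placeholder for the domain (the article does not print the real one) and constructed DNS log lines.

```powershell
# Added example: find hosts whose DNS logs show the kill-switch lookup.

$KillSwitchDomain = 'killswitch-domain.example'   # placeholder, not the real domain

function Find-KillSwitchLookups {
    param(
        [Parameter(Mandatory)][string[]]$DnsLogLines,
        [string]$Domain = $KillSwitchDomain
    )
    # Expected line shape: "<timestamp> <client-ip> <query-name> <response-code>"
    $pattern = '^(?<ts>\S+)\s+(?<client>\S+)\s+(?<qname>\S+)\s+(?<rcode>\S+)$'

    foreach ($line in $DnsLogLines) {
        if (-not ($line -match $pattern)) { continue }
        if ($Matches.qname.TrimEnd('.') -ne $Domain) { continue }

        # NOERROR: the domain resolved (registered/sinkholed), so the worm stopped.
        # NXDOMAIN: no answer, so this host would have gone on to encrypt.
        $resolved = ($Matches.rcode -eq 'NOERROR')
        if ($resolved) { $outcome = 'Kill switch engaged; host still executed WannaCry' }
        else           { $outcome = 'Lookup failed; host likely proceeded to encrypt' }

        [pscustomobject]@{
            Time     = $Matches.ts
            Client   = $Matches.client
            Resolved = $resolved
            Outcome  = $outcome
        }
    }
}

# --- constructed sample log (clients and timestamps are made up) ---
$sampleLog = @(
    '2017-05-12T14:02:11Z 10.0.5.23 killswitch-domain.example. NOERROR',
    '2017-05-12T14:02:12Z 10.0.5.23 windowsupdate.microsoft.com. NOERROR',
    '2017-05-12T14:05:40Z 10.0.7.8  killswitch-domain.example. NXDOMAIN',
    '2017-05-12T14:06:02Z 10.0.9.1  intranet.corp.local. NOERROR'
)

Find-KillSwitchLookups -DnsLogLines $sampleLog | Format-Table -AutoSize
```

Both clients in the output need patching and cleanup; the NXDOMAIN one is the priority because nothing stopped its encryption routine.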
WannaCry ransomware technical analysis:
Here you can see the process tree of a WannaCry-infected machine.
WannaCry safety guidelines by Microsoft:
These are the safety guidelines for WannaCry.
Be careful about clicking on harmful links in your emails.
Be wary of visiting unsafe or unreliable sites.
Never click on a link that you do not trust on a web page, or in Facebook or messaging applications such as WhatsApp and other applications.
If you receive a message from a friend with a link, ask them to confirm before opening the link (infected machines send random messages with links).
Keep your files backed up regularly and periodically.
Be aware of fraudulent e-mail messages that use names similar to popular services, such as PayePal instead of PayPal, or that use popular service names with missing or extra characters.
Use anti-virus software and always keep it updated.
Make sure your Windows has the latest update to close the gap.
If you have not updated Windows, please follow the manual method to turn off SMB manually:
Control Panel—>Programs—>Programs and Features.
(Credit: Microsoft)
Uncheck the box "SMB 1.0/CIFS File Sharing Support".
Once you have done this, restart your computer. Your computer is now protected, and WannaCry cannot operate after this has been done.
WannaCry outbreak cost
As per some experts' analysis, as of yesterday (16-05-2017) the WannaCry ransomware had potentially infected victims and caused damage costing around $1 billion.
However, as of Sunday evening, close to $33,000 had been paid to the hackers in bitcoins in order to unlock systems.
Ransoms from $300 to $600 are being demanded by the hackers who installed the WannaCry ransomware.
WannaCry finally taught the whole world how important it is to keep an eye on cyber security and to keep your technology environment updated.
The WannaCry ransomware attack, which made global headlines recently, is one of the most destructive and far-reaching cyberattacks in recent history. Spanning across over 150 countries, the attack affected hundreds of thousands of organizations, including major corporations, healthcare providers, and governmental agencies. WannaCry leveraged a critical vulnerability in Microsoft Windows systems, exploiting the SMB (Server Message Block) protocol.
Rajashekar Yasani, a Senior Security Engineer with years of experience in managing cybersecurity for diverse organizations, provides insights on the attack’s nature, its impact, and, most importantly, how to identify and mitigate such threats. Rajashekar also shares advice on improving overall security posture to prevent similar attacks in the future.
Q1: Can you briefly explain what the WannaCry ransomware attack was, and how did it affect organizations globally?
Rajashekar Yasani: The WannaCry attack was a ransomware campaign that spread rapidly across the globe in May 2017. It encrypted files on infected systems and demanded a ransom in Bitcoin to restore access to the data. The attack exploited a vulnerability in the Windows operating system, specifically in the SMBv1 protocol. This vulnerability was originally discovered by the NSA and was later leaked by a group known as the Shadow Brokers. Once the attack began, it quickly propagated across networks, impacting organizations worldwide, including government agencies, hospitals, and companies in various sectors.
WannaCry caused major disruptions, particularly in the UK’s National Health Service (NHS), where it led to the cancellation of medical appointments, delays in treatments, and significant operational issues. The ransomware encrypted files, including sensitive data, making it difficult for affected organizations to operate normally until the ransom was paid or backups were restored.
Q2: What are the specific CVEs associated with the WannaCry attack, and why were they significant?
Rajashekar Yasani: The WannaCry attack primarily exploited a vulnerability identified as CVE-2017-0144, which is a critical flaw in the SMBv1 protocol used by Windows operating systems. The vulnerability allowed attackers to execute remote code on affected systems, facilitating the spread of the ransomware across vulnerable devices within a network. Microsoft had released a patch for this vulnerability in March 2017, but many organizations failed to apply the update, leaving their systems exposed to the attack.
In addition to CVE-2017-0144, the attack also leveraged EternalBlue, a tool developed by the NSA, and DoublePulsar, a backdoor that was used to install the ransomware on compromised machines. These tools were also leaked by the Shadow Brokers, amplifying the impact of the attack and enabling it to spread rapidly across the globe.
Q3: How did WannaCry spread so quickly, and why was it so difficult to contain?
Rajashekar Yasani: WannaCry spread rapidly due to the exploitation of the SMBv1 vulnerability, which allowed the ransomware to propagate within networks without requiring user interaction. Once it infected one machine, it could easily spread to other vulnerable machines on the same network, making it highly effective in large organizations with many unpatched systems.
Moreover, the ransomware utilized a worm-like mechanism, meaning it could infect a device without any action required from the user. This made it different from traditional ransomware, which typically relies on phishing emails or malicious downloads. The combination of a powerful exploit and worm capabilities made WannaCry extremely difficult to contain once it began spreading, especially for organizations that hadn’t applied the security patches released by Microsoft earlier.
Q4: What are the key steps organizations should take to mitigate the risks associated with ransomware attacks like WannaCry?
Rajashekar Yasani: There are several steps organizations can take to protect themselves from ransomware attacks like WannaCry:
Apply Security Patches: Always ensure that your systems are up to date with the latest security patches. Microsoft released a patch for CVE-2017-0144 in March 2017, but many systems remained unpatched. Regularly update all software, especially critical systems, to prevent the exploitation of known vulnerabilities.
Disable SMBv1: SMBv1 is an outdated and vulnerable protocol. It’s crucial to disable it on all systems to prevent attackers from exploiting vulnerabilities in the protocol.
Use Firewall Rules: Regarding firewall changes, one of the key mitigations during the WannaCry attack involved blocking SMB ports (445, 137-139) at the firewall level to prevent the worm from spreading across networks.
Implement Network Segmentation: Segment your network to prevent lateral movement of ransomware within the organization. If one system becomes infected, network segmentation can help contain the spread.
Backups and Disaster Recovery Plans: Ensure that you have regular, secure backups of critical data. In the event of a ransomware attack, having a clean backup can make recovery much easier without the need to pay the ransom.
Employee Awareness and Training: Train employees to recognize phishing attempts and avoid opening suspicious attachments or clicking on malicious links. Ransomware is often delivered through social engineering tactics like phishing emails.
Use Endpoint Protection Software: Use antivirus and endpoint protection software that can detect and block malicious activity. Many modern security solutions can detect ransomware behaviors and stop them before they encrypt your files.
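The "Disable SMBv1" and "Use Firewall Rules" items in this answer are the same mitigation the WannaCry write-up earlier on this page walks through by hand (unchecking "SMB 1.0/CIFS File Sharing Support" in Programs and Features). The script below is an added example, not code from the interviewee or from Microsoft; it assumes Windows 8.1/10 or Server 2012 R2 and later (where the SmbShare, DISM and NetSecurity modules exist) and an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example: audit SMBv1, turn it off, and block inbound SMB/NetBIOS ports.

function Get-SmbV1State {
    # Current SMBv1 state: the server-side protocol switch and the optional feature.
    $server  = Get-SmbServerConfiguration | Select-Object -ExpandProperty EnableSMB1Protocol
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) { $state = $feature.State } else { $state = 'NotPresent' }
    [pscustomobject]@{
        ServerSMB1Enabled = $server
        FeatureState      = $state
    }
}

function Disable-SmbV1 {
    # Equivalent of unchecking "SMB 1.0/CIFS File Sharing Support": stop the server
    # from speaking SMB1 now, and remove the feature so it stays off after reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Block-InboundSmbPorts {
    # Inbound TCP 445/139 and UDP 137-138: the ports the worm used to reach
    # neighbouring machines. Idempotent: rules that already exist are left alone.
    $rules = @(
        @{ Name = 'Block-SMB-TCP-445';         Protocol = 'TCP'; Port = 445 },
        @{ Name = 'Block-SMB-TCP-139';         Protocol = 'TCP'; Port = 139 },
        @{ Name = 'Block-NetBIOS-UDP-137-138'; Protocol = 'UDP'; Port = '137-138' }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block `
                -Protocol $r.Protocol -LocalPort $r.Port -Profile Any | Out-Null
        }
    }
}

Write-Host 'Before:'; Get-SmbV1State | Format-List
Disable-SmbV1
Block-InboundSmbPorts
Write-Host 'After:';  Get-SmbV1State | Format-List
Write-Host 'Reboot to finish removing the SMB1 feature.'
```

Blocking inbound 445 on a file server or domain controller breaks legitimate SMB, so apply the firewall rules to workstations and confirm nothing still depends on SMBv1 (old NAS devices, printers) before removing the feature.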
Q5: How important is it to adopt a comprehensive security framework for ransomware prevention, and how does that help long-term cybersecurity resilience?
Rajashekar Yasani: Adopting a comprehensive security framework is essential in building long-term resilience against ransomware and other cyber threats. Organizations should consider frameworks such as NIST Cybersecurity Framework or CIS Controls, which provide a structured approach to cybersecurity and include measures like vulnerability management, incident response planning, and continuous monitoring.
Having a proactive security posture means that your organization is prepared for any kind of cyber threat, including ransomware. A comprehensive security strategy should involve layered defenses, rapid detection, and effective response capabilities. It’s also important to ensure that your security practices are continuously evaluated and improved in response to evolving threats.
Q6: Could you explain the importance of collaboration among government, private sector, and cybersecurity professionals to combat threats like WannaCry?
Rajashekar Yasani: Collaboration between government agencies, private sector organizations, and cybersecurity professionals is critical for combating global cyber threats like WannaCry. Cyberattacks are increasingly becoming international in nature, so a coordinated approach is necessary for sharing threat intelligence and improving defenses across sectors.
Government agencies, like the U.S. Department of Homeland Security, often provide valuable guidance and resources to the private sector, while cybersecurity professionals can offer their expertise in detecting, mitigating, and responding to attacks. Private companies, particularly those with sensitive data or critical infrastructure, play a significant role in securing their networks and sharing information about attacks to help others prepare and defend against similar threats.
The WannaCry attack highlighted the importance of patch management, cybersecurity education, and incident response. Governments, cybersecurity experts, and the private sector must work together to develop and share best practices and to protect against future, more sophisticated cyber threats.
Q7: With the WannaCry ransomware attack potentially causing losses estimated at $4 billion and making 2017 one of the worst years for ransomware scams, what does this incident reveal about the current state of cybersecurity preparedness and response, and what steps should organizations take to improve their defenses against such large-scale threats?
Rajashekar Yasani: The WannaCry ransomware attack highlighted significant vulnerabilities in cybersecurity preparedness, particularly around patch management and timely updates. The $4 billion potential loss emphasizes the need for proactive defense strategies, including regular patching, network segmentation, and strong backup practices. Additionally, organizations must foster cybersecurity awareness and ensure robust incident response plans. This incident is likely to influence regulatory bodies to enforce stricter cybersecurity standards. Moving forward, organizations should focus on continuous monitoring, rapid detection, and collaboration with government and industry groups to improve defenses against future threats.
Conclusion
The WannaCry ransomware attack serves as a stark reminder of the importance of proactive cybersecurity measures. By staying updated on vulnerabilities, applying patches, disabling unnecessary protocols, and ensuring strong backup practices, organizations can significantly reduce their risk of falling victim to ransomware. A collective, multi-sector approach to cybersecurity will also enhance our collective ability to combat evolving cyber threats.