
Weekly Magazine - 12.06.2020

Published by Helena Sec Ltd, 2020-07-29 13:39:15


Cyber News
JUNE 12th, 2020 | #4

HIGHLIGHTS

- Westech, a company involved in nuclear reactor maintenance in the USA, fell victim to a MAZE ransomware attack. Sensitive data was also leaked.
- Proof-of-concept code was made publicly available for exploiting the SMBGhost security flaw, which allows remote code to be injected without the user’s permission.
- Third time ice cream? Hackers implant ransomware in programs meant to decrypt and release locked files.
- Research conducted by Securelink: almost 80% of cyber attacks are linked to passwords.
- 6 months community service for Israelis involved in the dark net sale of a DDoS service.

ATTACKS

Ransomware attack against a company dealing with nuclear reactor maintenance: sensitive data leaked

An article published by Sky News describes a particularly worrying incident. Hackers successfully penetrated the network of a nuclear maintenance company, stole files containing sensitive data, and deployed the notorious MAZE ransomware, which encrypts files. The ransom figure demanded from Westech has not yet been disclosed.

Westech provides maintenance services to the USA military’s nuclear reactors. It is still unknown whether the hackers are holding classified military information, but judging from files already leaked on the internet, the hackers certainly have access to sensitive data. Westech’s spokesperson confirmed to Sky News that the company was breached, that its computers were encrypted, and that an investigation is ongoing to identify which data has been stolen.

www.helena-sec.com Helena-sec Helenasec [email protected]

The new method: “STOP Djvu” decryption software for files attacked by ransomware contains a ransomware virus

A new and particularly contemptible method for inserting ransomware into computers has recently been uncovered. How does the method operate? The attackers first encrypt the computer, then contact the owner of the computer they locked, seemingly innocently suggesting that their software ensures the victimized files can be decrypted, for free. Once the software has been downloaded and activated, the computer’s files undergo a second encryption, which makes things even worse.

The attack is showing results on the internet, as shown by data from the ID-Ransomware site, a website that identifies ransomware programs and is currently showing some 600 searches per day linked to “Stop Djvu,” making it the most active ransomware so far this year. Currently there is no solution other than paying the hackers. We recommend that you increase awareness around this issue.

A study published by Secure Link indicates that almost 80% of cyber attacks which led to damage through leaked data were caused by obtaining passwords through phishing. This data is identical to a report published by the company in 2017, which actually showed lower percentages of access to admin accounts in company computers based on passwords obtained through phishing attacks.

A general attack can disclose company and database passwords, which are then leaked to the internet and enable other attackers to gain access to your company. Never make it easy for hackers! It is important to remember that a different password should be used for each service, as a way of reducing access to any accounts linked to your organization. From the report we can also conclude that the disclosed passwords were relatively easy to guess, or could be found on social networks.

SECURITY FLAW

Proof-of-concept code published for CVE-2020-0796, also known as SMBGhost

The CVE-2020-0796 security flaw allows the attacker to distribute malware from one computer to the next without needing any actions on the user’s part. Systems open to this flaw are Windows 10 versions 1909 and 1903, including Server Core. Microsoft repaired the security flaw in March 2020, but proof-of-concept code was recently made public on Twitter (https://vimeo.com/426301998), showing that the security flaw is still viable. Much like SMBGhost, the earlier EternalBlue and EternalRomance security flaws, which the WannaCry and NotPetya malware exploited, took advantage of flaws in the Server Message Block protocol.

What can you do in the meantime? Read up on the explanation in the guide put out by Microsoft: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/adv200005

6 months community service sentences for Israelis who sold illegal Denial of Service services on the dark net

Two Israelis were recently handed penalties of 6 months community service each for their activities in 2016. Aged 18 at the time, they developed and operated their “vDos” system, which denies access to internal servers and services. They sold their software on the dark net. The DDoS (Distributed Denial of Service) service was sold in several tiers based on the client’s needs and budget. According to the presented data, the vDos software was responsible for most of the denial-of-service attacks on the internet between 2012 and 2016.

In an interview with the KrebsOnSecurity data security blog, Boaz Dolev, CEO of ClearSky Cyber Security, expressed deep disappointment in the court’s handling of this case. “I firmly believe that because their action caused damage to so many companies, the court should have handled the case differently,” Dolev said. “The fact that they were under 18 when they carried out their crime saved them from a deservedly harsher sentence.”

OUR WEEKLY RECOMMENDATION: INSTALL THE UBLOCK ADD-ON - AND WHY YOU SHOULD DO THAT IMMEDIATELY

