Sunday, July 9, 2017

What is the difference between Docker, LXD, and LXC




LinuX Containers (LXC) is an operating system-level virtualization method for running multiple isolated Linux systems (containers) on a single control host (the LXC host).

https://wiki.archlinux.org/index.php/Linux_Containers


low level ...

https://linuxcontainers.org/

Docker

by Docker, Inc
a container system making use of LXC containers
so you can: Build, Ship, and Run Any App, Anywhere http://www.docker.com

LXD

by Canonical, Ltd
a container system making use of LXC containers
so that you can: run LXD on Ubuntu and spin up instances of RHEL, CentOS, SUSE, Debian, Ubuntu and just about any other Linux too, instantly, ... http://www.zdnet.com/article/ubuntu-lxd-not-a-docker-replacement-a-docker-enhancement/

Docker vs LXD

Docker specializes in deploying apps
LXD specializes in deploying (Linux) Virtual Machines



LXD (pronounced “lex-dee”) is a container hypervisor from Ubuntu. LXD containers look and act like virtual machines, but have the lightweight performance and scalability of process containers. You can use LXD on its own to deploy traditional workload applications, or you can use Docker containers inside LXD containers to get the best of both technologies.

The infographic below introduces the basic facts about LXD, provides figures on LXD performance, explains how LXD and Docker work together and offers applications of LXD in your business.

Saturday, July 8, 2017

AWS vs Azure vs Google Cloud Platform – Compute



by Jess Panni

In this series, we’re comparing cloud services from AWS, Azure and Google Cloud Platform. A full breakdown and comparison of cloud providers and their services is available in this handy poster.

We have assessed services across three typical migration strategies:
Lift and shift – the cloud service can support running legacy systems with minimal change
Consume PaaS services – the cloud offering is a managed service that can be consumed by existing solutions with minimal architectural change
Re-architect for cloud – the cloud technology is typically used in solution architectures that have been optimised for cloud

We have grouped services into 10 categories:
Compute
Storage & Content Delivery
Database
Analytics & Big Data
Internet of Things
Mobile Services
Networking
Security & Identity
Management & Monitoring
Hybrid

In this post we are looking at…
Compute

This category covers all services that can be used to run applications in the cloud.
AWS

Amazon has often been seen as the Infrastructure as a Service (IaaS) market leader with its Elastic Compute Cloud (EC2). AWS lets you choose from a range of 40 virtual server instance sizes, from low-cost ‘nano’ instances to high-end memory, storage or GPU optimised products, offering up to 128 vCPUs and a whopping 2TB of memory (be warned, this doesn’t come cheap!). The lower-end T2 instances offer baseline performance with the ability to ‘burst’ above the baseline for short periods. EC2 comes with images for Linux and Windows Server. A free tier is available for 1 year (the equivalent of running one low-end instance), although this is unlikely to be a major decision factor for most organisations. On-demand instances are billed per hour, discounted prices are available on instances that are paid up front or reserved on a recurring schedule, and there is even a spot pricing option on excess capacity. Auto-scaling these instances is supported, with the ability to scale in response to a range of run-time thresholds reported by CloudWatch.

AWS offers persistent disk options through Elastic Block Store, which comes in a variety of SSD and HDD flavours. Disk storage backed by Elastic Block Store is automatically replicated across multiple servers within an availability zone (a specific location within an AWS region). Replication across regions is supported by shipping snapshots.

AWS Container Service is Amazon’s solution for running and managing Docker containers. It relies on EC2 to provide the underlying container instances. Standard images are available, or you are free to choose your own. EC2 Container Registry allows developers to publish their Docker container images to a private managed repository, which is important to support development and devops workflows.

Amazon also offers a good range of PaaS services. Elastic Beanstalk is a PaaS compute solution for running web applications written in Python, PHP, JavaScript, .NET, Ruby, Java and Go. It can scale on request or based on certain run-time thresholds such as CPU usage. Elastic Beanstalk also allows developers to run applications as Docker images.

For running discrete compute tasks AWS has Lambda which executes code in response to various triggers, such as application or storage events. Lambda automatically scales to meet demand and supports JavaScript, Python and Java.

AWS has a large number of data centers spread over 13 geographically dispersed regions, so there are good options for organisations with strict data sovereignty rules.
Azure

Azure has been rapidly closing the gap to Amazon in recent years with Virtual Machines. Coincidentally (perhaps) Azure also offers 40 instance sizes, with up to 20 cores and 140GB of memory. It is good to see Microsoft fully embracing Linux on Azure, so organisations with large Linux estates need not worry about choosing that platform. Red Hat and Windows images are available ‘out of the box’, with other distributions available from the Azure Marketplace. Virtual machines are billed per minute (and discounts across all Azure services are available on 12-month pre-paid subscriptions or as part of an Enterprise Agreement).

Local (temporary) and persistent disk are supported, with VHDs being stored in Storage page blobs. SSDs are available as Premium Storage options. Azure will automatically replicate data to a neighbouring region (Standard Storage only) as well as locally across fault domains (physically isolated infrastructure). Cross region replication of Premium Storage disks is possible through snapshots.

Azure supports virtual machine auto-scaling, which can scale VMs in response to metrics reported through the Azure diagnostics extension.

Azure supports running Docker containers with Container Service. Container Service supports both the Docker Swarm and Mesosphere DC/OS orchestration engines and is backed by Virtual Machines running Linux container instances. Azure doesn’t offer a managed Docker registry; however, it is possible to host your own on blob storage.

Microsoft has traditionally been strong with its PaaS offerings and is not about to give up that crown just yet. The App Service platform provides a fully managed environment for running .NET, Java, PHP and Node.js applications. App Service includes WebJobs for running background worker processes. It also comes with support for running APIs (as opposed to front-end web applications) and Logic Apps, Microsoft’s integration and workflow solution. The latest addition to the App Service family is Azure Functions, Azure’s answer to AWS Lambda.

In between App Services and Virtual Machines lives Cloud Services, the original PaaS solution offered on Azure. Cloud Services brings many of the benefits of PaaS while providing additional control over the underlying OS. This is a useful option for solutions that require the installation of third party components.

For batch workloads Azure has Batch, allowing organisations to burst compute over hundreds of thousands of cores.

Microsoft is the first of the three providers to offer a fully fledged cloud microservice platform in Service Fabric. Service Fabric allows developers to write highly resilient and scalable solutions and offers full support for life-cycle management, provisioning, deploying, monitoring and upgrading services.

Azure is available in 24 regions, the most of all three providers. There are also specific Azure cloud instances for various special interests, such as the US Government and China.
Google Cloud Platform

Google’s Compute Engine provides a range of virtual machine options. A number of pre-defined virtual server instances are available, as well as a novel ‘build your own’ option which lets you choose between 1 and 32 vCPUs/cores and up to 6.5GB of RAM per vCPU. Google’s ‘Predictable’ pricing is based on the number of cores and GB of memory. OS support covers Linux and Windows, either pre-installed or bring your own. Compute Engine also offers a per-minute billing model and discounts for prolonged usage. Temporary and permanent HDD and SSD storage options are available with local redundancy built in by default, and come with the ability to snapshot disks.

Auto-scaling is fully supported with integration into Stackdriver, Google’s cloud monitoring and logging solution.

For batch workloads Google has Preemptible VMs: these are cost-effective Compute Engine instances that take advantage of excess Compute Engine capacity. Google may terminate instances based on system events and will always stop instances that have been running for 24 hours.

Google Container Engine can be used to run Docker containers and is based on Kubernetes. Container Engine comes with a managed master instance; all other nodes are Compute Engine instances. This is reflected in the pricing, which has a flat hourly fee (free for clusters with fewer than 6 nodes) plus the Compute Engine instance costs. Google offers a private container repository with Container Registry.

Google bundles its managed application services under the App Engine product. It offers a complete platform for running managed applications written in Java, PHP, Node.js and Ruby. Where AWS and Azure have chosen to split their services into different products, App Engine comes with a NoSQL store, memcache, search and traffic management (compared later in this series). This approach offers a cohesive set of related services that are easy to understand and consume.

Google offers their services across 5 geographically dispersed regions.
Conclusion

There is very little to choose between the 3 providers when it comes to virtual servers. Amazon has some impressive high-end kit; on the face of it this sounds like it would make AWS a clear winner. However, if your only option is to choose the biggest box available you will need to make sure you have very deep pockets, and perhaps your money may be better spent re-architecting your apps for horizontal scale.

Azure remains very strong in the PaaS space and now has an IaaS that can genuinely compete with AWS. Looking at the full migration journey, from lift and shift to fully cloud-engineered solutions, Azure arguably has the best coverage of the three providers. It’s great to see Microsoft coming out with innovative new services such as Service Fabric; however, if your applications are written in Ruby then your options are limited to virtual machines or Docker containers.

Google offers a simple and very capable set of services that are easy to understand. However, with availability in only 5 regions it does not have the coverage of the other players.

Talking of regions, be aware that not all services are offered in every region. This applies to all three providers, so be sure to check if you have strict requirements on where your data resides.

Next up we will be looking at Storage and Content Delivery.




About the author


Jess has over 18 years’ experience helping companies succeed through the smart use of technology. He has spent most of his career working for leading Microsoft partners across the UK and Australia and is now Principal at endjin, working with clients to envision and execute disciplined innovation programmes. You can follow Jess on twitter.

Friday, June 30, 2017

Petya virus – is it ransomware and which companies have been hit by the global cyber attack?



A CYBER attack dubbed “Petya” has hit computer servers around the world crippling companies in Britain, Europe and Chernobyl.

Here’s what you need to know behind the second major cyber attack – which is being likened to WannaCry – in two months.



Companies have been crippled by an attack dubbed ‘Petya’


What is Petya?


Petya is malicious software which targeted victims in the UK, Europe and the US with computer screens warning that their files and systems would be destroyed if they did not send the equivalent of about £300 in bitcoin.


Travis Farral, director of security strategy at tech firm Anomali, said: “This is a global attack. Just like WannaCry, organisations are locked out of their networks and a fee demanded to decrypt files.


“Bitcoin payments are currently already at $2,000+ already. But it’s essential that victims understand that payment may not actually allow them to access their data, and may just fund hackers to commit further crimes.”


The cyber-assault is particularly severe because it is understood that just 10 out of 61 antivirus programs are capable of tackling it.


The source of the attacks was not immediately clear.




A view of a computer that has been infected by the Petya ransomware

What is ransomware?


Ransomware is a virus which takes over a device (or computer) and freezes its files.


Hackers use it to hold the recipient to ransom, asking for money in return for access to their documents.


The ransomware can be spread by accidentally clicking a bad link.


It’s often shared in an email, or in some cases hackers could booby-trap a website they know employees will visit, like a government portal.


Security experts always advise against paying a ransom, as hackers will often destroy the files anyway.


Criminal gangs will send out thousands of these emails, called phishing scams, in the hope that just a few will click on the link.
Is the Petya virus a ransomware?


The virus that is sweeping the globe is believed to be a “wiper” designed to cause mayhem and is not actually ransomware.


Cyber experts say Petya is hell-bent on destroying files permanently.


A Russian cybersecurity expert at Kaspersky Labs wrote in a blog post: “After an analysis of the encryption routine of the malware used in the Petya attacks, we have thought that the threat actor cannot decrypt victims’ disk, even if a payment was made.


“This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain.


“Instead, it appears it was designed as a wiper pretending to be ransomware.


“What does it mean? Well, first of all, this is the worst case news for the victims – even if they pay the ransom they will not get their data back.


“Secondly, this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive.”
Which companies have been hit by the Petya ransomware attack?




Where the attacks are known to have hit so far


British advertising giant WPP and the French industrial group Saint-Gobain both said they came under attack and put protection protocols in place to avoid data loss.


Ukraine was the worst hit, with government ministries, banks, utilities, telecom operators and major companies attacked.


Computers at the Chernobyl nuclear power plant have been infected, although there is not believed to be any risk of radioactive contamination.


Shipping giant A.P. Moller-Maersk, a firm which handles one out of seven containers shipped globally, said its systems were down across “multiple sites and business units due to a cyber attack”.


The crippling virus has forced the Danish company to halt operations at the fully automated Maasvlakte II terminal in Rotterdam.


Mondelez, the owners of Cadbury, were also hit in the devastating attack.


Russian oil giant Rosneft announced that its servers had been hit by a “powerful hacking attack” carried out “against the company’s servers”.


Russian web security firm Group-IB said the Petya ransomware was used in today’s massive attack on oil, telecommunications and financial companies in the former Soviet Union.

Tuesday, May 16, 2017

Technology Mania : all security reports and analytics about wanacry ransom-ware


Our products detected and successfully blocked a large number of ransomware attacks around the world. In these attacks, data is encrypted with the extension “.WCRY” added to the filenames.
Our analysis indicates the attack, dubbed “WannaCry”, is initiated through an SMBv2 remote code execution in Microsoft Windows. This exploit (codenamed “EternalBlue”) has been made available on the internet through the Shadowbrokers dump on April 14th, 2017 and patched by Microsoft on March 14.
Unfortunately, it appears that many organizations have not yet installed the patch.
Source: https://support.kaspersky.com/shadowbrokers
A few hours ago, Spain’s Computer Emergency Response Team CCN-CERT, posted an alert on their site about a massive ransomware attack affecting several Spanish organizations. The alert recommends the installation of updates in the Microsoft March 2017 Security Bulletin as a means of stopping the spread of the attack.
The National Health Service (NHS) in the U.K. also issued an alert and confirmed infections at 16 medical institutions. We have confirmed additional infections in several additional countries, including Russia, Ukraine, and India.
It’s important to understand that while unpatched Windows computers exposing their SMB services can be remotely attacked with the “EternalBlue” exploit and infected by the WannaCry ransomware, the lack of existence of this vulnerability doesn’t really prevent the ransomware component from working. Nevertheless, the presence of this vulnerability appears to be the most significant factor that caused the outbreak.
CCN-CERT alert (in Spanish)

Analysis of the attack

Currently, we have recorded more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia. It’s important to note that our visibility may be limited and incomplete and the range of targets and victims is likely much, much higher.
Geographical target distribution according to our telemetry for the first few hours of the attack
The malware used in the attacks encrypts the files and also drops and executes a decryptor tool. The request for $600 in Bitcoin is displayed along with the wallet. It’s interesting that the initial request in this sample is for $600 USD, as the first five payments to that wallet are approximately $300 USD. It suggests that the group is increasing the ransom demands.
The tool was designed to address users of multiple countries, with translated messages in different languages.
Language list that the malware supports
Note that the “payment will be raised” after a specific countdown, along with another display raising urgency to pay up, threatening that the user will completely lose their files after the set timeout. Not all ransomware provides this timer countdown.
To make sure that the user doesn’t miss the warning, the tool changes the user’s wallpaper with instructions on how to find the decryptor tool dropped by the malware.
An image used to replace user’s wallpaper
Malware samples contain no reference to any specific culture or codepage other than universal English and Latin codepage CP1252. The files contain version info stolen from random Microsoft Windows 7 system tools:
Properties of malware files used by WannaCry
For convenient bitcoin payments, the malware directs the user to a page with a QR code at btcfrog, which links to their main bitcoin wallet 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94. Image metadata does not provide any additional info:
One of the Bitcoin wallets used by the attackers: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
One of the attacker wallets received 0.88 BTC during the last hours
Other Bitcoin wallets included in the attackers’ “readme.txt” from the samples are:
115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn – 0.32 BTC
12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw – 0.16 BTC
1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY
For command and control, the malware extracts and uses the Tor service executable with all necessary dependencies to access the Tor network:
A list of dropped files related to Tor service
In terms of targeted files, the ransomware encrypts files with the following extensions:
.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc
The file extensions that the malware is targeting contain certain clusters of formats including:
  1. Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
  2. Less common and nation-specific office formats (.sxw, .odt, .hwp).
  3. Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv)
  4. Emails and email databases (.eml, .msg, .ost, .pst, .edb).
  5. Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  6. Developers’ sourcecode and project files (.php, .java, .cpp, .pas, .asm).
  7. Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  8. Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).
  9. Virtual machine files (.vmx, .vmdk, .vdi).
The WannaCry dropper drops multiple “user manuals” in different languages:
Bulgarian, Chinese (simplified), Chinese (traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese
The example of a “user manual” in English:
What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to
recover your files, but do not waste your time. Nobody can recover your files without our decryption service.

Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.
You can decrypt some of your files for free. Try now by clicking .
But if you want to decrypt all your files, you need to pay.
You only have 3 days to submit the payment. After that the price will be doubled.
Also, if you don't pay in 7 days, you won't be able to recover your files forever.
We will have free events for users who are so poor that they couldn't pay in 6 months.
How Do I Pay?
Payment is accepted in Bitcoin only. For more information, click .
Please check the current price of Bitcoin and buy some bitcoins. For more information, click .
And send the correct amount to the address specified in this window.
After your payment, click . Best time to check: 9:00am - 11:00am GMT from Monday to Friday.
Once the payment is checked, you can start decrypting your files immediately.
Contact
If you need our assistance, send a message by clicking .

We strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets
updated and removes this software automatically, it will not be able to recover your files even if you pay!
It also drops batch and VBS script files, and a “readme” (contents are provided in the appendix).
Just in case the user closed the bright red dialog box, or doesn’t understand it, the attackers drop a text file to disk with further instructions. An example of their “readme” is dropped to disk as “@Please_Read_Me@.txt” in many directories on the victim host. Note that the English written here is done well, with the exception of “How can I trust?”. To date, only two transactions appear to have been made with this 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn bitcoin address, for almost $300:
Q: What's wrong with my files?

A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted.
If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely!
Let's start decrypting!
Q: What do I do?
A: First, you need to pay service fees for the decryption.
Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software.
Run and follow the instructions! (You may need to disable your antivirus for a while.)
Q: How can I trust?
A: Don't worry about decryption.
We will decrypt your files surely because nobody will trust us if we cheat users.

* If you need our assistance, send a message by clicking on the decryptor window.
Once started, it immediately spawns several processes to change file permissions and communicate with Tor hidden C2 servers:
  • attrib +h .
  • icacls . /grant Everyone:F /T /C /Q
  • C:\Users\xxx\AppData\Local\Temp\taskdl.exe
  • @WanaDecryptor@.exe fi
  • 300921484251324.bat
  • C:\Users\xxx\AppData\Local\Temp\taskdl.exe
  • C:\Users\xxx\AppData\Local\Temp\taskdl.exe
The malware checks the mutexes “Global\MsWinZonesCacheCounterMutexA” and “Global\MsWinZonesCacheCounterMutexA0” (Update: Thanks Didier Stevens for the correction on the extra mutex name!) to determine if a system is already infected. It also runs the command:
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
This results in a UAC popup that the user may notice.
UAC popup to disable Volume Shadow Service (System Restore)
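The command chain above is a better detection point than any single sample hash, because it is what the malware has to run on every host to stop recovery. The following is an added example, not code from Securelist or this blog: it scans process-creation log lines for the shadow-copy, boot-recovery, backup-catalog and ACL commands quoted in the analysis and reports which of them each command line contains. The log layout (timestamp | host | image | command line) and the sample lines are constructed for illustration.

```python
"""Process-command-line detection for the recovery-tampering chain quoted above.

Added example, not code from Securelist or this blog. The log format
"timestamp | host | image | command line" is an assumption for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Regexes written for this example; the commands they match are the ones quoted
# in the analysis. Case-insensitive, tolerant of a ".exe" suffix and extra spaces.
TAMPER_PATTERNS = {
    "vss_shadows_deleted": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_deleted": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "boot_failures_ignored": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I),
    "backup_catalog_deleted": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
    "acl_opened_to_everyone": re.compile(r"\bicacls(?:\.exe)?\s+\S+\s+/grant\s+Everyone:F\b", re.I),
}


@dataclass
class Finding:
    host: str
    image: str
    command_line: str
    indicators: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # One recovery-tampering command is suspicious on its own; two or more
        # chained in a single command line (as WannaCry does) is rated high.
        return "high" if len(self.indicators) >= 2 else "medium"


def parse_line(line: str) -> Optional[Tuple[str, str, str, str]]:
    """Split one constructed log line into (timestamp, host, image, command line)."""
    parts = [p.strip() for p in line.split("|", 3)]
    if len(parts) != 4:
        return None
    return parts[0], parts[1], parts[2], parts[3]


def indicators_for(command_line: str) -> List[str]:
    """Names of every tampering pattern present in one command line."""
    return [name for name, pat in TAMPER_PATTERNS.items() if pat.search(command_line)]


def scan(lines) -> List[Finding]:
    """Run the patterns over log lines and keep only lines with at least one hit."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        _, host, image, cmd = parsed
        hits = indicators_for(cmd)
        if hits:
            findings.append(Finding(host, image, cmd, hits))
    return findings


# Constructed sample log: line 1 is the command quoted in the analysis, line 2 the
# icacls call from the process list, lines 3 and 4 are benign administrative use.
SAMPLE_LOG = [
    "2017-05-12T10:31:07Z | WS-042 | C:\\Windows\\System32\\cmd.exe | cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet",
    "2017-05-12T10:31:05Z | WS-042 | C:\\Windows\\System32\\icacls.exe | icacls . /grant Everyone:F /T /C /Q",
    "2017-05-12T09:02:11Z | WS-017 | C:\\Windows\\System32\\vssadmin.exe | vssadmin list shadows",
    "2017-05-12T09:05:40Z | WS-017 | C:\\Windows\\System32\\notepad.exe | notepad.exe report.txt",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f.severity}] {f.host} {f.image}: {', '.join(f.indicators)}")
```

Alerting on the individual patterns catches the chain even if a later variant reorders or drops one of the commands; `vssadmin list shadows` in the sample deliberately produces no hit, since listing shadow copies is routine administration.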
The malware uses Tor hidden services for command and control. The list of .onion domains inside is as follows:
  • gx7ekbenv2riucmf.onion
  • 57g7spgrzlojinas.onion
  • Xxlvbrloxvriy2c5.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion
  • sqjolphimrr7jqw6.onion

Mitigation and detection information

Quite essential in stopping these attacks is the Kaspersky System Watcher component. The System Watcher component has the ability to rollback the changes done by ransomware in the event that a malicious sample managed to bypass other defenses. This is extremely useful in case a ransomware sample slips past defenses and attempts to encrypt the data on the disk.
System Watcher blocking the WannaCry attacks
Mitigation recommendations:
  1. Make sure that all hosts are running and have enabled endpoint security solutions.
  2. Install the official patch (MS17-010) from Microsoft, which closes the affected SMB Server vulnerability used in this attack.
  3. Ensure that Kaspersky Lab products have the System Watcher component enabled.
  4. Scan all systems. After detecting the malware attack as MEM:Trojan.Win64.EquationDrug.gen, reboot the system. Once again, make sure MS17-010 patches are installed.
Samples observed in attacks so far:
4fef5e34143e646dbf9907c4374276f5
5bef35496fcbdbe841c82f4d1ab8b7c2
775a0631fb8229b2aa3d7621427085ad
7bf2b57f2a205768755c07f238fb32cc
7f7ccaa16fb15eb1c7399d422f8363e8
8495400f199ac77853c53b5a3f278f3e
84c82835a5d21bbcf75a61706d8ab549
86721e64ffbd69aa6944b9672bcabb6d
8dd63adb68ef053e044a5a2f46e0d2cd
b0ad5902366f860f85b892867e5b1e87
d6114ba5f10ad67a4131ab72531f02da
db349b97c37d22f5ea1d1841e3c89eb4
e372d07207b4da75b3434584cd9f3450
f529f4556a5126bba499c26d67892240
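A practitioner handed the sample list above will want to sweep file shares and endpoints for those digests. This is an added example, not code from Securelist or this blog: it walks a directory tree, streams each file through MD5 and reports files whose digest is in the observed-sample set. Because no real sample is (or should be) present on the machine running it, the `demo()` helper builds a harmless constructed file in a temporary directory and matches it against its own digest; the only values taken from the page are the fourteen hashes.

```python
"""Hash-based sweep against the sample MD5s quoted above.

Added example, not code from Securelist or this blog. The directory walk,
size cap and demo() helper are this example's own.
"""
import hashlib
import os
import tempfile
from typing import FrozenSet, Iterable, List, Tuple

# MD5s quoted in the analysis above for samples observed in the attacks.
WANNACRY_SAMPLE_MD5S: FrozenSet[str] = frozenset({
    "4fef5e34143e646dbf9907c4374276f5",
    "5bef35496fcbdbe841c82f4d1ab8b7c2",
    "775a0631fb8229b2aa3d7621427085ad",
    "7bf2b57f2a205768755c07f238fb32cc",
    "7f7ccaa16fb15eb1c7399d422f8363e8",
    "8495400f199ac77853c53b5a3f278f3e",
    "84c82835a5d21bbcf75a61706d8ab549",
    "86721e64ffbd69aa6944b9672bcabb6d",
    "8dd63adb68ef053e044a5a2f46e0d2cd",
    "b0ad5902366f860f85b892867e5b1e87",
    "d6114ba5f10ad67a4131ab72531f02da",
    "db349b97c37d22f5ea1d1841e3c89eb4",
    "e372d07207b4da75b3434584cd9f3450",
    "f529f4556a5126bba499c26d67892240",
})


def md5_of(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through MD5 so large files need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def find_matches(root: str, iocs: Iterable[str] = WANNACRY_SAMPLE_MD5S,
                 max_size: int = 50 * 1024 * 1024) -> List[Tuple[str, str]]:
    """Return (path, md5) for every file under root whose MD5 is in iocs.

    Files over max_size are skipped (the samples are small executables) and
    files that cannot be opened are ignored rather than aborting the sweep.
    """
    wanted = {h.lower() for h in iocs}
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if not os.path.isfile(path) or os.path.getsize(path) > max_size:
                    continue
                digest = md5_of(path)
            except OSError:
                continue
            if digest in wanted:
                hits.append((path, digest))
    return hits


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]], str]:
    """Constructed run: one harmless file, matched against its own digest.

    Returns (matches against the constructed digest, matches against the real
    sample list, the constructed digest). The second list is expected empty.
    """
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "nested", "constructed-sample.bin")
        os.makedirs(os.path.dirname(sample))
        with open(sample, "wb") as fh:
            fh.write(b"constructed test content, not malware\n")
        with open(os.path.join(tmp, "other.txt"), "w") as fh:
            fh.write("unrelated file\n")
        digest = md5_of(sample)
        own = find_matches(tmp, {digest})
        real = find_matches(tmp)
        return own, real, digest


if __name__ == "__main__":
    own, real, digest = demo()
    print(f"constructed digest {digest}: {len(own)} match(es), {len(real)} real-sample match(es)")
```

MD5 is used here only because that is what the published list provides; a recompiled or padded binary will not match, so hash sweeps complement, rather than replace, behavioural detection of the command chain.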
Kaspersky Lab detection names:
Trojan-Ransom.Win32.Gen.djd
Trojan-Ransom.Win32.Scatter.tr
Trojan-Ransom.Win32.Wanna.b
Trojan-Ransom.Win32.Wanna.c
Trojan-Ransom.Win32.Wanna.d
Trojan-Ransom.Win32.Wanna.f
Trojan-Ransom.Win32.Zapchast.i
PDM:Trojan.Win32.Generic
Kaspersky Lab experts are currently working on the possibility of creating a decryption tool to help victims. We will provide an update when a tool is available.

Appendix

Batch file
@echo off
echo SET ow = WScript.CreateObject("WScript.Shell")> m.vbs
echo SET om = ow.CreateShortcut("C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe.lnk")>> m.vbs
echo om.TargetPath = "C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe">> m.vbs
echo om.Save>> m.vbs
cscript.exe //nologo m.vbs
del m.vbs
del /a %0
m.vbs
SET ow = WScript.CreateObject("WScript.Shell")
SET om = ow.CreateShortcut("C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe.lnk")
om.TargetPath = "C:\Users\ADMINI~1\AppData\Local\Temp\@WanaDecryptor@.exe"
om.Save
Article from: Securelist.com

*Read also: all security reports and analytics about wanacry ransom-ware



*Krebsonsecurity*





Tuesday, May 2, 2017

PCs with Intel Server Chipsets, Launched in Past 9-Years, Can be Hacked Remotely


Monday, May 01, 2017 Swati Khandelwal



A critical remote code execution (RCE) vulnerability has been discovered in the remote management features on computers shipped with Intel processors for nearly a decade, which could allow attackers to take control of the computers remotely.

The RCE flaw (CVE-2017-5689) resides in Intel's Management Engine (ME) technologies such as Active Management Technology (AMT), Small Business Technology (SBT), and Intel Standard Manageability (ISM), according to an advisory published Monday by Intel.

These features allow a systems administrator to remotely manage large fleets of computers over a network (via ports 16992 or 16993) in an organization or an enterprise.



Since these functions are present only in enterprise solutions, and mostly in server chipsets, the vulnerability doesn't affect chips running on Intel-based consumer PCs.

According to the Intel advisory, this critical security vulnerability was discovered and reported in March by security researcher Maksim Malyutin of Embedi, and could be exploited in two ways:

An unprivileged network attacker could gain system privileges to provisioned Intel manageability SKUs: Intel AMT and ISM. However, Intel SBT is not vulnerable to this issue.
An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs: Intel AMT, ISM, and SBT.

How Bad is this Vulnerability
In short, a potential attacker can log into a vulnerable machine's hardware and silently perform malicious activities, such as tampering with the machine or installing virtually undetectable malware, using AMT's features.

The PC's operating system never knows what's going around because AMT has direct access to the computer's network hardware. When AMT is enabled, any packet sent to the PC's wired network port will be redirected to the Management Engine and passed on to AMT – the OS never sees those packets.



These insecure management features have been made available in various, but not all, Intel chipsets for nearly a decade, starting from Nehalem Core i7 in 2008 up to this year's Kaby Lake Core, with greater exposure for users on Intel vPro systems.

Fortunately, none of these Management Engine features come enabled by default, and system administrators must first enable the services on their local network. So, basically if you are using a computer with ME features enabled, you are at risk.

Despite using Intel chips, modern Apple Mac computers do not ship with the AMT software and are thus not affected by the flaw.


Affected Firmware Versions & How to Patch
The security flaw affects Intel manageability firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 for Intel's AMT, ISM, and SBT platforms. Versions before 6 or after 11.6 are not impacted.

Intel has rated the vulnerability as critical and has released new firmware versions, instructions for determining whether a workstation runs AMT, ISM, or SBT, a detection guide for checking whether a system is vulnerable, and a mitigation guide for organizations that cannot immediately install updates.

The chipmaker is recommending vulnerable customers install a firmware patch as soon as possible.

"Fixing this requires a system firmware update in order to provide new ME [management engine] firmware (including an updated copy of the AMT code). Many of the affected machines are no longer receiving firmware updates from their manufacturers, and so will probably never get a fix," CoreOS security engineer Matthew Garrett explained in a blog post. "Anyone who ever enables AMT on one of these devices will be vulnerable."

"That's ignoring the fact that firmware updates are rarely flagged as security critical (they don't generally come via Windows Update), so even when updates are made available, users probably won't know about them or install them."

See the Intel advisory for further details.
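As an added illustration, not part of the original article and not Intel's own detection guide, the following Python script ties the facts above together: it connects to the AMT web-interface ports named earlier (16992 plain HTTP, 16993 TLS), reads the version that the AMT web server reports in its Server: header (that header format is an assumption based on the banner AMT commonly returns), and flags firmware in the version families the advisory lists as affected. The sample responses in the block are constructed, not captured from real hosts. This is a coarse family-level triage, not a vulnerability test: Intel's fixed builds sit inside these same version families, so a flagged host still needs to be checked against Intel's detection guide or updated.

```python
"""Triage helper for the Intel AMT advisory discussed above (added example).

Probes the AMT web interface ports named in the article (16992 HTTP,
16993 HTTPS), extracts the firmware version the AMT web server reports
in its Server: header, and flags versions in the families the advisory
lists as affected (6.x through 10.x, 11.0, 11.5, 11.6).
"""
import re
import socket
import ssl

AMT_HTTP_PORT = 16992
AMT_HTTPS_PORT = 16993

# Version families named as affected in the advisory text above.
AFFECTED_MAJORS = range(6, 11)   # 6.x .. 10.x
AFFECTED_11_MINORS = {0, 5, 6}   # 11.0, 11.5, 11.6

# Assumption: the AMT web server identifies itself with a header such as
# "Server: Intel(R) Active Management Technology 9.1.30".
_SERVER_RE = re.compile(
    r"Server:\s*Intel\(R\) Active Management Technology\s+(\d+)\.(\d+)(?:\.(\d+))?",
    re.IGNORECASE,
)


def parse_amt_version(response_headers):
    """Return (major, minor, build) from an AMT Server: header, or None if absent."""
    m = _SERVER_RE.search(response_headers)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def version_family_affected(version):
    """True when the version belongs to a family the advisory lists as affected.

    Deliberately coarse: Intel's fixed builds live inside these same families,
    so True means "verify this host against Intel's detection guide", not
    "confirmed vulnerable".
    """
    major, minor, _build = version
    if major in AFFECTED_MAJORS:
        return True
    return major == 11 and minor in AFFECTED_11_MINORS


def classify(response_headers):
    """Summarise one probe response as a short triage verdict."""
    version = parse_amt_version(response_headers)
    if version is None:
        return "no AMT banner"
    label = "%d.%d.%d" % version
    if version_family_affected(version):
        return "AMT %s: affected family, verify patch level" % label
    return "AMT %s: outside affected families" % label


def probe_amt(host, port=AMT_HTTP_PORT, timeout=3.0):
    """Fetch the response headers from an AMT web interface, or None on failure.

    Port 16993 speaks TLS; AMT certificates are typically self-signed, so
    certificate verification is disabled here for banner grabbing only.
    """
    request = ("GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host).encode()
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
        if port == AMT_HTTPS_PORT:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        with sock:
            sock.sendall(request)
            data = b""
            while b"\r\n\r\n" not in data and len(data) < 65536:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return data.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")


# Constructed sample responses (not captured from real hosts) so the
# classification logic can be exercised offline.
SAMPLE_AMT_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "WWW-Authenticate: Digest realm=\"Digest:0123456789ABCDEF\", nonce=\"abc\", qop=\"auth\"\r\n"
    "Server: Intel(R) Active Management Technology 9.1.30\r\n"
    "Content-Length: 0\r\n"
)
SAMPLE_OTHER_RESPONSE = "HTTP/1.1 200 OK\r\nServer: nginx/1.10.3\r\n"

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:          # hostnames are assumed command-line arguments
        for port in (AMT_HTTP_PORT, AMT_HTTPS_PORT):
            headers = probe_amt(host, port)
            print(host, port, "closed/no response" if headers is None else classify(headers))
    print("sample:", classify(SAMPLE_AMT_RESPONSE))
```

Run it only against hosts you are authorised to scan. A closed port means "AMT not reachable from here", not "AMT disabled": as the advisory's second scenario notes, a local attacker can still provision AMT on an unprovisioned system, so the firmware update is the real fix.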

Hacker leaks 'Orange is the New Black' Season 5 after Netflix refused to Pay Ransom



The Dark Overlord (TDO) posted links to the first 10 episodes of the upcoming season of "Orange Is the New Black" show to a piracy website after Larson Studios and Netflix failed to fulfill the group's ransom demand.

According to Netflix's website, season 5 of "Orange Is the New Black" is scheduled to debut on June 9 and is supposed to run for 13 episodes. But TDO claimed that only the first 10 episodes were available at the time the group gained access to the show.


On Saturday, the group took to Twitter and posted links to a Pastebin page, a GitHub profile, and a Pirate Bay torrent sharing Episode 1 of "Orange Is The New Black" season 5.

At the time of writing, the Pastebin (web archive) and GitHub links had gone down, but the Pirate Bay torrent file remained up, and users had downloaded and shared its content.

10 out of 13 "Orange Is The New Black" Season 5 Episodes Leaked Online


Following the release of Episode 1, TDO posted links to Pastebin and to a second torrent file, hosted on The Pirate Bay, containing episodes 2 through 10 of season 5 of "Orange Is The New Black."

According to the Pastebin post, the group released 10 episodes of the show because Netflix didn't pay a ransom demand.

Here's what the TDO's statement posted on Pastebin (web archive) stated:
"It didn't have to be this way, Netflix. You're going to lose a lot more money in all of this than what our modest offer was. We're quite ashamed to breathe the same air as you. We figured a pragmatic business such as yourselves would see and understand the benefits of cooperating with a reasonable and merciful entity like ourselves. And to the others: there's still time to save yourselves. Our offer(s) are still on the table - for now."
In an interview with DataBreaches.net, the hacking group revealed it had stolen "hundreds of GBs [gigabytes] of unreleased and non-public media" from the servers of Larson Studios, an ADR (additional dialogue recording) studio based in Hollywood, in late 2016.

The Dark Overlord Demanded 50 BTC


While the group did not reveal its attack method or the size of its demand, a copy of a contract allegedly signed between TDO and Larson shows the hacking group asked for 50 BTC (about $70,422 at the time) by January 31.

But after the studio stopped responding to the group's emails in January, TDO turned to Netflix, which also refused to pay, and two months later the group released the first 10 episodes of season 5 of "Orange Is The New Black."

Netflix said in a statement that it was "aware of the situation. A production vendor used by several major TV studios had its security compromised, and the appropriate law enforcement authorities are involved."

The Dark Overlord Threatens to Leak More Shows to the Internet


After releasing all 10 episodes of the unreleased season, TDO threatened to leak other unreleased shows and movies from several other studios in its possession.

The Dark Overlord tweeted: "Who is next on the list? FOX, IFC, NAT GEO, and ABC. Oh, what fun we're all going to have. We're not playing games anymore."

The hacking group provided a list of unreleased shows and movies it stole from different studios (some have since been released on their scheduled dates), which includes:
  • A Midsummer's Nightmare – TV Movie
  • Bill Nye Saves The World – TV Series
  • Breakthrough – TV Series
  • Brockmire – TV Series
  • Bunk'd – TV Series
  • Celebrity Apprentice (The Apprentice) – TV Series
  • Food Fact or Fiction – TV Series
  • Hopefuls – TV Series
  • Hum – Short
  • It's Always Sunny in Philadelphia – TV Series
  • Jason Alexander Project – TV Series
  • Liza Koshy Special – YoutubeRed
  • Lucha Underground – TV Series
  • Lucky Roll – TV Series
  • Making History – TV Series
  • Man Seeking Woman – TV Series
  • Max and Shred – TV Series
  • Mega Park – TV Series
  • NCIS Los Angeles – TV Series
  • New Girl – TV Series
  • Orange Is The New Black – TV Series
  • Portlandia – TV Series
  • Steve Harvey's Funderdome – TV Series
  • Story of God with Morgan Freeman – TV Series
  • Superhuman – TV Series
  • The Arrangement – TV Series
  • The Catch – TV Series
  • The Middle – TV Series
  • The Stanley Dynamic – TV Series
  • The Thundermans – TV Series
  • Undeniable with Joe Buck – TV Series
  • X Company – TV Series
  • Above Suspicion – Film
  • Handsome – Film
  • Rebel In The Rye – Film
  • Win It All – Film
  • xXx: Return of Xander Cage – Film
The Dark Overlord is a known hacking group that was responsible for cyber attacks on Gorilla Glue and on Little Red Door, a cancer services agency in Indiana. The group also put 655,000 healthcare records, lifted from three separate data breaches, up for sale on the dark web.