Information Security News
by Sean Gallagher
There has been a lot of ingenuity poured into creating crypto-ransomware, the money-making malware that has become the scourge of hospitals, businesses, and home users over the past year. But none of that ingenuity applies to Ranscam, a new ransom malware reported by Cisco's Talos Security Intelligence and Research Group.
Ranscam is a purely amateur attempt to cash in on the crypto-ransomware trend: it demands payment for "encrypted" files that were actually just deleted by a batch command. "Once it executes, it pops up a ransom message looking like any other ransomware," Earl Carter, security research engineer at Cisco Talos, told Ars. "But then what happens is it forces a reboot, and it just deletes all the files. It doesn't try to encrypt anything—it just deletes them all."
Talos discovered the file on the systems of a small number of customers. In every case, the malware presented exactly the same message, including the same Bitcoin wallet address. The victim is instructed:
Read more: http://arstechnica.com/security/2016/07/posing-as-ransomware-windows-malware-just-deletes-victims-files/#p3
A campaign that targeted a European energy company wielded malware that's so sneaky and advanced it almost certainly is the work of a wealthy nation, researchers said Tuesday.
The malware contains about 280 kilobytes of densely packed code that, like a ninja warrior, cleverly and stealthily evades a large number of security defenses. It looks for and avoids a long list of computer names belonging to sandboxes and honeypots. It painstakingly dismantles antiviruses one process at a time until it's finally safe to uninstall them. It takes special care when running inside organizations that use facial recognition, fingerprint scanners, and other advanced access control systems. And it locks away key parts of its code in encrypted vaults to prevent it from being discovered and analyzed.
Once the malware has gained administrative control of a computer, it uses its lofty perch to survey the connected network, report its findings to its operators, and await further instructions. From then on, attackers have a network backdoor that allows them to install other types of malware, either for more detailed espionage or potentially sabotage. Researchers from security firm SentinelOne found the malware circulating in an underground forum and say it has already infected an unnamed energy company in Europe.
As usual for the second Tuesday of the month, Microsoft today released its monthly security updates: 11 bulletins in total, six rated critical and the remaining five rated important.
One of the bulletins (MS16-093) covers Adobe's Flash Player and is a copy of Adobe's advisory.
None of the bulletins stands out as special. None of them addresses a vulnerability for which exploits have been observed in the wild, but two cover vulnerabilities that were already publicly known:
CVE-2016-3287, a vulnerability in Secure Boot.
CVE-2016-3272, an information disclosure vulnerability in the Windows Kernel.
I don't consider either vulnerability very serious.
As far as prioritizing the patches goes, I would, as usual, attend to the Internet Explorer, Edge, Flash and Office patches first.
The print spooler issue (MS16-087) is interesting. An attacker could use the vulnerability to install arbitrary print drivers, which of course leads to arbitrary code execution. As a workaround, Microsoft suggests restricting the printers that your users are allowed to connect to. This is a good control in any case, and this vulnerability is a good reason to verify that your printer configuration is sufficiently locked down.
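The following PowerShell script is an added example, not part of the ISC diary and not anything Microsoft ships. It audits the Point and Print Restrictions policy, which is one mechanism on Windows for limiting the print servers a workstation will accept drivers from, and with -Enforce it applies a trusted-server list. The registry key and value names are the ones the policy writes under HKLM\SOFTWARE\Policies; the server hostnames are placeholders you would replace with your own.

```powershell
# Added example (not from the ISC diary): audit and, with -Enforce, apply the
# Point and Print Restrictions policy so that print drivers are only accepted
# from an explicit list of trusted print servers.
# The hostnames below are assumed placeholders.
param(
    [string[]] $TrustedServers = @('print01.corp.example', 'print02.corp.example'),
    [switch]   $Enforce
)

$Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

# Desired state: Restricted=1 turns the policy on, TrustedServers=1 limits
# driver installation to the servers in ServerList, and the two prompt
# settings (0) keep the elevation / driver-update warnings instead of
# letting Windows install drivers silently.
$Desired = @{
    Restricted                    = 1
    TrustedServers                = 1
    ServerList                    = ($TrustedServers -join ';')
    NoWarningNoElevationOnInstall = 0
    UpdatePromptSettings          = 0
}

function Get-PointAndPrintState {
    # Returns $null when the policy key has never been created.
    if (-not (Test-Path $Key)) { return $null }
    Get-ItemProperty -Path $Key
}

$current = Get-PointAndPrintState
$drift   = @()
foreach ($name in $Desired.Keys) {
    $have = if ($current) { $current.$name } else { $null }
    # Compare as strings so a missing value ($null) counts as drift.
    if ("$have" -ne "$($Desired[$name])") {
        $drift += [pscustomobject]@{
            Setting = $name
            Current = $have
            Desired = $Desired[$name]
        }
    }
}

if ($drift.Count -eq 0) {
    Write-Host "Point and Print Restrictions already match the desired state."
} else {
    Write-Host "Settings that differ from the desired state:"
    $drift | Format-Table -AutoSize

    if ($Enforce) {
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        foreach ($d in $drift) {
            # ServerList is a REG_SZ; everything else in this key is a DWORD.
            $type = if ($d.Setting -eq 'ServerList') { 'String' } else { 'DWord' }
            Set-ItemProperty -Path $Key -Name $d.Setting -Value $d.Desired -Type $type
        }
        Write-Host "Applied $($drift.Count) setting(s). Restart the Print Spooler service so it reads the new policy."
    } else {
        Write-Host "Run again with -Enforce to apply these values."
    }
}
```

On a domain-joined machine, values under HKLM\SOFTWARE\Policies are rewritten at every Group Policy refresh, so the durable place for this configuration is the GPO itself (Computer Configuration > Administrative Templates > Printers > Point and Print Restrictions); the script is most useful for auditing drift across hosts and for standalone machines. It must be run from an elevated prompt to write the key.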