Is North Korea Stocking Up on Bitcoin?

Three security firms have reported a connection between WannaCry ransomware and malware used by the Lazarus group, a cyber crime group made up of unknown individuals.

Google security researcher Neel Mehta tweeted sample hashes from the WannaCry ransomware and the Contopee backdoor, which had previously been employed by the shadowy Lazarus Group. The group is responsible for the Sony hack, the SWIFT bank attacks, as well as other attacks on financial institutions. Some experts posit they hail from the North Korean government, but hard evidence is lacking.

Still, three security firms – Kaspersky Lab, Symantec, and BAE Systems – say there could be a connection between North Korea’s Lazarus Group and WannaCry. To be sure, the firms are not concluding that North Korea is behind WannaCry. The connections are fairly light, including code written in C++ and compiled with Visual Studio 6.0. Comae found connections to North Korea as well.

“The implementation of this [random buffer generator] function is very unique,” according to Sergcks Ongoing?

Europol’s chief told BBC the ransomware was designed to enable “infection of one computer to quickly spread across the networks…That’s why we’re seeing these numbers increasing all the time.”

She added: “Even if a fresh attack does not materialise on Monday, we should expect it soon afterwards.”

The ransomware, modified after MalwareTech’s fix, has been spread by individuals copying the attack. “We are in the second wave,” Matthieu Suiche of Comae Technologies told the New York Times earlier in the week. “As expected, the attackers have released new variants of the malware. We can surely expect more.”

Microsoft, which had to create a patch for Windows XP (it has not supported the OS since 2014), released a statement addressing how it is trying to undermine the attackers’ ability to exploit its systems. It also had choice words for the U.S. government.

Microsoft president and chief legal officer Brad Smith on Sunday lambasted governments for hoarding information about security flaws in computer systems instead of cooperating with multinational companies. He wrote:

“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.

An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call.”

If North Korea is behind the WannaCry attacks, then it has raised less than $100,000 via the ransomware’s bitcoin bounty.

David Ogden
Entrepreneur


UK Security Researcher Pulls Handbrake on Global Ransomware Menace

A U.K.-based cyber researcher known as MalwareTech stopped the WannaCry ransomware that gained control of thousands of computers worldwide, forcing victims to pay $300 in bitcoin to restore their files.

WannaCry was able to exploit a Windows vulnerability leaked in April and use a hacking tool believed to be stolen from the National Security Agency (NSA).

The ransomware spread across 75,000 PCs, including 48 hospitals in the U.K.

Accidental Fix

MalwareTech discovered an unregistered domain name in WannaCry’s code and purchased it for $10.69. The researcher then pointed the domain to a sinkhole (a server that captures and analyzes traffic from malware). The domain turned out to be a kill switch: when an infected machine can reach it, the ransomware stops running.

The domain was meant to stay unregistered, MalwareTech noted. Registering it prevented the malware from going any further.

The domain check is an anti-sandbox feature. A sandbox is the secluded environment in which security tools run suspect code, and sandboxes typically answer every DNS lookup, so the malware looks up a domain that should not exist and shuts down if it resolves. Once MalwareTech registered the domain, every infected PC got an answer, not just the sandboxed ones.

The domain was meant as an “anti-sandbox” measure they didn’t think through sufficiently, MalwareTech said.
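The following Python model is an added illustration, not code from the article, from MalwareTech, or from any malware sample. It shows why the check was meant as an anti-sandbox test and why registering a single domain halted new infections everywhere: the kill-switch domain name, the host names and their patch states are constructed placeholders.

```python
from dataclasses import dataclass, field

# Placeholder: the article does not give the real kill-switch domain.
KILL_SWITCH_DOMAIN = "unregistered-killswitch.example"


@dataclass
class Resolver:
    """Simplified DNS view. A sandbox typically answers every query so that a
    sample's network activity can be observed; the real Internet only answers
    for registered names."""
    registered: set = field(default_factory=set)
    sandbox: bool = False

    def resolves(self, name: str) -> bool:
        return self.sandbox or name in self.registered

    def register(self, name: str) -> None:
        # What MalwareTech did: buy the name and point it at a sinkhole.
        self.registered.add(name)


@dataclass
class Host:
    name: str
    patched: bool = False        # MS17-010 applied?
    port_445_open: bool = True   # SMB reachable from other hosts?
    encrypted: bool = False      # already hit by the ransomware


def kill_switch_halts(resolver: Resolver) -> bool:
    """The malware's first step: if the 'impossible' domain resolves, assume a
    sandbox and exit. A real registration gives the same answer on every host."""
    return resolver.resolves(KILL_SWITCH_DOMAIN)


def simulate_outbreak(hosts, resolver, patient_zero):
    """Worm-style spread: each fresh copy runs the kill-switch check, then
    encrypts its host and reaches every neighbour with port 445 open and no
    patch. Returns the names of hosts that are encrypted at the end."""
    by_name = {h.name: h for h in hosts}
    queue = [patient_zero]
    while queue:
        host = by_name[queue.pop()]
        if host.encrypted:
            continue            # nothing new to do on a host hit already
        if kill_switch_halts(resolver):
            continue            # copy exits before encrypting or spreading
        host.encrypted = True
        for other in hosts:
            if not other.encrypted and other.port_445_open and not other.patched:
                queue.append(other.name)
    return {h.name for h in hosts if h.encrypted}


def lab_network():
    """Constructed five-host network: one patched, one with 445 closed."""
    return [Host("a"), Host("b"), Host("c", patched=True),
            Host("d", port_445_open=False), Host("e")]


if __name__ == "__main__":
    dns = Resolver()
    print("before registration:", sorted(simulate_outbreak(lab_network(), dns, "a")))
    dns.register(KILL_SWITCH_DOMAIN)
    print("after registration: ", sorted(simulate_outbreak(lab_network(), dns, "a")))
    print("inside a sandbox:   ", sorted(simulate_outbreak(lab_network(), Resolver(sandbox=True), "a")))
```

Two things the model makes visible: registration only stops copies that have not yet run, so hosts encrypted before the sinkhole went live stay encrypted, and a host that is patched or has port 445 closed is unreachable whatever the domain does.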

Cisco Talos and other security firms confirmed the malware attack ended thanks to MalwareTech’s actions. Computers already infected, however, could still be at risk.

 

Shadow Brokers Behind The Hack?

Talos said the malware was leaked by the Shadow Brokers, a hacking group believed to have dumped NSA hacking tools.

Talos said the malware first tries to install WannaCry through a backdoor called DoublePulsar, also leaked by the Shadow Brokers. If the backdoor is not already present on a target Windows PC, it tries to exploit a flaw in Microsoft’s Server Message Block (SMB), a network file-sharing protocol.

Victims have been told not to pay the $300 ransom.

Microsoft and anti-virus providers have introduced WannaCry detections.

Microsoft issued an advisory that it is releasing a patch for Windows XP machines that are out of support, and it is recommending that companies disable the SMBv1 protocol.

Up-to-date Windows machines are safe from the ransomware.
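The SMB spread described above leaves a recognizable trace in connection logs: one host reaching many distinct peers on TCP 445 within seconds. The Python detector below is an added example, not from the article or from any vendor product. The log line format, the sample lines, the 60-second window and the threshold of five peers are all constructed assumptions to tune per network.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not a real product's format):
#   <ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <ALLOW|DENY>
LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (ALLOW|DENY)$")

SMB_PORT = 445

# Constructed sample: 10.0.0.5 sweeps six peers on 445 within seconds,
# 10.0.0.20 is an ordinary client talking to one file server,
# 10.0.0.9 touches two servers several minutes apart.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 -> 10.0.0.7:445 ALLOW
2017-05-12T10:00:02 10.0.0.5 -> 10.0.0.8:445 ALLOW
2017-05-12T10:00:02 10.0.0.20 -> 10.0.0.1:445 ALLOW
2017-05-12T10:00:03 10.0.0.5 -> 10.0.0.9:445 DENY
2017-05-12T10:00:04 10.0.0.5 -> 10.0.0.10:445 ALLOW
2017-05-12T10:00:05 10.0.0.5 -> 10.0.0.11:445 ALLOW
2017-05-12T10:00:06 10.0.0.5 -> 10.0.0.12:445 ALLOW
2017-05-12T10:00:07 10.0.0.5 -> 10.0.0.12:80 ALLOW
2017-05-12T10:00:30 10.0.0.20 -> 10.0.0.1:445 ALLOW
2017-05-12T10:05:00 10.0.0.9 -> 10.0.0.1:445 ALLOW
2017-05-12T10:09:00 10.0.0.9 -> 10.0.0.2:445 ALLOW
2017-05-12T10:10:00 10.0.0.20 -> 10.0.0.1:445 ALLOW
"""


def parse(text):
    """Yield (timestamp, src, dst, port, action); skip malformed lines."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts, src, dst, port, action = m.groups()
        yield datetime.fromisoformat(ts), src, dst, int(port), action


def smb_fanout(events, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak} for sources that reached at least `threshold`
    distinct destinations on TCP 445 inside any sliding window. DENY lines
    count too: a blocked probe is still evidence of scanning."""
    per_src = defaultdict(list)
    for ts, src, dst, port, _action in events:
        if port == SMB_PORT:
            per_src[src].append((ts, dst))

    alerts = {}
    for src, hits in per_src.items():
        hits.sort()
        in_window = Counter()   # distinct destinations currently in the window
        start = 0
        peak = 0
        for ts, dst in hits:
            in_window[dst] += 1
            # drop hits older than the window from the left edge
            while hits[start][0] < ts - window:
                old_dst = hits[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


def analyze(text=SAMPLE_LOG):
    return smb_fanout(parse(text))


if __name__ == "__main__":
    for src, peak in analyze().items():
        print(f"ALERT {src}: {peak} distinct hosts on TCP/445 within 60s")
```

A normal client hitting one file server repeatedly never raises the distinct-peer count, which is what keeps this rule quiet on ordinary SMB traffic; the hosts it does flag are the ones to check for the MS17-010 patch and for port 445 exposure first.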

Rob Wainwright, head of Europol, Europe’s chief law enforcement official, told the media he is concerned the numbers of victims could grow when people turn on their machines Monday morning.

A researcher at Proofpoint, Darien Huss, first discovered MalwareTech’s sinkhole was stopping the spread of the malware.

Huss agreed that the actors involved are amateurs based on the kill switch deployment. He said it is likely another attack will be coming soon.

 Nearly $53k in bitcoin ransoms paid with WannaCry

Other Ransomware Versions Can Pose Risks

MalwareTech noted on Twitter that Version 1 was stoppable but Version 2 will likely remove the flaw.

The researcher claimed on Twitter to be providing the National Cyber Security Centre in the U.K. data to notify infected companies.

On Monday, MalwareTech advised people via Twitter that they are at risk if they turn on a system that lacks the MS17-010 patch and has TCP port 445 open.

MalwareTech, who did not reveal their gender, did not wish to be celebrated as a hero for stemming the spread of the malware. MalwareTech noted on Twitter that he or she wanted anonymity in order not to have to deal with journalists.


By Lester Coleman