
New computer virus spreads from Ukraine to disrupt world business

by UNTV News   |   Posted on Thursday, June 29th, 2017

 

Customers queue in ‘Rost’ supermarket in Kharkiv, Ukraine June 27, 2017 in this picture obtained from social media. MIKHAIL GOLUB via REUTERS

A computer virus wreaked havoc on firms around the globe on Wednesday as it spread to more than 60 countries, disrupting ports from Mumbai to Los Angeles and halting work at a chocolate factory in Australia.

Risk-modeling firm Cyence said economic losses from this week’s attack and one last month from a virus dubbed WannaCry would likely total $8 billion. That estimate highlights the steep tolls businesses around the globe face from growth in cyber attacks that knock critical computer networks offline.

“When systems are down and can’t generate revenue, that really gets the attention of executives and board members,” said George Kurtz, chief executive of security software maker CrowdStrike. “This has heightened awareness of the need for resiliency and better security in networks.”

The virus, which researchers are calling GoldenEye or Petya, began its spread on Tuesday in Ukraine. It infected machines of visitors to a local news site and computers downloading tainted updates of a popular tax accounting package, according to national police and cyber experts.

It shut down a cargo booking system at Danish shipping giant A.P. Moller-Maersk (MAERSKb.CO), causing congestion at some of the 76 ports around the world run by its APM Terminals subsidiary.

Maersk said late on Wednesday that the system was back online: “Booking confirmation will take a little longer than usual but we are delighted to carry your cargo,” it said via Twitter.

U.S. delivery firm FedEx said its TNT Express division had been significantly affected by the virus, which also wormed its way into South America, affecting ports in Argentina operated by China’s Cofco.

The malicious code encrypted data on machines and demanded $300 ransoms from victims for recovery, similar to the extortion tactic used in the global WannaCry ransomware attack in May.

Security experts said they believed that the goal was to disrupt computer systems across Ukraine, not extortion, saying the attack used powerful wiping software that made it impossible to recover lost data.

“It was a wiper disguised as ransomware. They had no intention of obtaining money from the attack,” said Tom Kellermann, chief executive of Strategic Cyber Ventures.

Brian Lord, a former official with Britain’s Government Communications Headquarters (GCHQ) who is now managing director at private security firm PGI Cyber, said he believed the campaign was an “experiment” in using ransomware to cause destruction.

“This starts to look like a state operating through a proxy,” he said.

ETERNAL BLUE

The malware appeared to leverage code known as “Eternal Blue” believed to have been developed by the U.S. National Security Agency.

Eternal Blue was part of a trove of hacking tools stolen from the NSA and leaked online in April by a group that calls itself Shadow Brokers, which security researchers believe is linked to the Russian government.

That attack was noted by NSA critics, who say the agency puts the public at risk by keeping information about software vulnerabilities secret so that it can use them in cyber operations.

U.S. Representative Ted Lieu, a Democrat, on Wednesday called for the NSA to immediately disclose any information it may have about Eternal Blue that would help stop attacks.

“If the NSA has a kill switch for this new malware attack, the NSA should deploy it now,” Lieu wrote in a letter to NSA Director Mike Rogers.

The NSA did not respond to a request for comment and has not publicly acknowledged that it developed the hacking tools leaked by Shadow Brokers.

The target of the campaign appeared to be Ukraine, an enemy of Russia that has suffered two cyber attacks on its power grid that it has blamed on Moscow.

ESET, a Slovakian cyber-security software firm, said 80 percent of the infections detected among its global customer base were in Ukraine, followed by Italy with about 10 percent.

Ukraine has repeatedly accused Moscow of orchestrating cyber attacks on its computer networks and infrastructure since Russia annexed Crimea in 2014.

The Kremlin, which has consistently rejected the accusations, said on Wednesday it had no information about the origin of the attack, which also struck Russian companies including oil giant Rosneft (ROSN.MM) and a steelmaker.

“Unfounded blanket accusations will not solve this problem,” said Kremlin spokesman Dmitry Peskov.

Austria’s government-backed Computer Emergency Response Team (CERT) said “a small number” of international firms appeared to be affected, with tens of thousands of computers taken down.

Microsoft, Cisco Systems Inc and Symantec Corp (SYMC.O) said they believed the first infections occurred in Ukraine when malware was transmitted to users of a tax software program.

Russian security firm Kaspersky said a news site for the Ukrainian city of Bakhmut was also hacked and used to distribute the ransomware.

A number of the victims were international firms with operations in Ukraine.

They include French construction materials company Saint Gobain (SGOB.PA), BNP Paribas Real Estate (BNPP.PA), and Mondelez International Inc (MDLZ.O), which owns Cadbury chocolate.

Production at the Cadbury factory on the Australian island state of Tasmania ground to a halt late on Tuesday after computer systems went down. — By Eric Auchard and Dustin Volz | FRANKFURT/WASHINGTON

(Additional reporting by Jack Stubbs in Moscow, Alessandra Prentice in Kiev, Helen Reid in London, Teis Jensen in Copenhagen, Maya Nikolaeva in Paris, Shadia Naralla in Vienna, Marcin Goettig in Warsaw, Byron Kaye in Sydney, John O’Donnell in Frankfurt, Ari Rabinovitch in Tel Aviv, Noor Zainab Hussain in Bangalore; Writing by Eric Auchard, David Clarke and Jim Finkle; Editing by David Clarke and Andrew Hay)


Exclusive: Wannacry hits Russian postal service, exposes wider security shortcomings

by UNTV News   |   Posted on Thursday, May 25th, 2017

A woman walks past a branch of Russian Post in Moscow, Russia, May 24, 2017. REUTERS/Maxim Shemetov

Russia’s postal service was hit by Wannacry ransomware last week and some of its computers are still down, three employees in Moscow said, the latest sign of weaknesses that have made the country a major victim of the global extortion campaign.

Wannacry compromised the post office’s automated queue management system, infecting touch-screen terminals which run on the outdated Windows XP operating system, one of the workers said. Terminals were still blank in some parts of Moscow this week but it was not clear exactly how many branches had been affected.

A spokesman for Russian Post, a state-owned monopoly, said no computers were infected, but some terminals were temporarily switched off as a precaution. “The virus attack did not touch Russian Post, all systems are working and stable,” he said.

Other institutions in Russia have said they were infected by the virus, highlighting Moscow’s readiness to show it too is a frequent victim of cyber crime in the face of allegations from the United States and Europe of state-sponsored hacking.

The Interior Ministry, mobile operator MegaFon and state rail monopoly Russian Railways all reported infections, with employees locked out of their computers and the creators of the virus demanding ransoms of $300 to $600.

The Russian central bank said on Friday the virus had also compromised some Russian banks in isolated cases.

That the infected post office terminals ran on Windows XP – which Microsoft stopped supporting in 2014 – points to the widespread use of outdated software in Russia, which experts say left the country disproportionately vulnerable to the attack.

Of 300,000 computers infected worldwide, 20 percent were in Russia, according to an initial estimate by cybersecurity researchers last week.

Globally, few ransoms have been paid after many victims found they could restore their systems from backups.

The post office outages also illustrate what investigators say is a common misconception about Wannacry: infected computers are more likely to be part of antiquated systems not deemed important enough to update with the latest security patches, rather than machines integral to the company’s core business.

“Many companies in Russia use outdated unpatched systems and older anti-malware solutions,” said Nikolay Grebennikov, vice president for R&D at data protection company Acronis. “In big companies upgrades are hard to perform and avoided because of budget and scale.”

SCRUTINY

Russia’s relationship to cyber crime is under intense scrutiny after U.S. intelligence officials alleged that Russian hackers had tried to help Republican Donald Trump win the U.S. presidency by hacking Democratic Party servers. Moscow has denied the allegations.

Investigators are yet to track down Wannacry’s criminal authors, saying they likely used a hacking tool built by the U.S. National Security Agency (NSA) and leaked online in April.

It has not previously been reported that the Russian postal service, which employs more than 350,000 people, had been hit by the virus.

“The head guys rang on Thursday and said we had to turn off the terminals immediately. They said this extortion virus had infected them,” a worker at a branch in northwest Moscow said, declining to be identified discussing internal company matters.

“They rang again yesterday and said we could turn them back on. We did that, but you can see they still don’t work.”

Employees at a second post office confirmed the electronic queuing system was broken but said they did not know why.

Two sources at Russian Railways said the company had suffered a “huge” cyber attack and a small number of computers were infected without damaging any important files.

The extent of the damage had been limited, one of the sources said, because a lot of computers were turned off at the end of the working week. “We were lucky it was a Friday night,” he said.

MegaFon, which is Russia’s second biggest mobile operator, declined to comment on how the virus had got into its system.

It said the virus had caused a temporary outage of its customer support services. “Our sales points suffered worst of all because Windows, which had the exploited vulnerability, is more widely used in retail,” a company statement said.

COMPUTER PIRACY

The frequent use of pirated software in Russia also helped spread the Wannacry infection, investigators said, as unlicensed products do not receive security updates.

Reuters has found no evidence any of the Russian companies infected with the Wannacry virus were using unlicensed software.

But computer piracy is a long-standing issue for technology companies in Russia, one which has become increasingly acute as the country’s economic slump and falling earnings make licensed products prohibitively expensive.

Data compiled by the BSA Software Alliance trade group shows 64 percent of software products in Russia were pirated in 2015 – a black market industry worth $1.3 billion – compared to a global average of 39 percent.

“Piracy is still widespread in Russia, especially if we are talking about home users,” Grebennikov said. “This is because of poverty. If an operating system costs say 500 rubles, people would buy it.”

Microsoft’s Windows 10 operating system currently costs around 8,000 rubles ($140.92) in Russia, around a fifth of the average monthly wage of 39,000 rubles. Online, the same product can be illegally downloaded for free. — By Jack Stubbs | MOSCOW

(Additional reporting by Gleb Stolyarov and Maria Kiselyova; Editing by Philippa Fletcher)


Hackers mint crypto-currency with technique in global ‘ransomware’ attack

by UNTV News   |   Posted on Wednesday, May 17th, 2017

Hacking stock photo. (REUTERS)

A computer virus that exploits the same vulnerability as the global “ransomware” attack has latched on to more than 200,000 computers and begun manufacturing digital currency, experts said Tuesday.

The development adds to the dangers exposed by the WannaCry ransomware and provides another piece of evidence that a North Korea-linked hacking group may be behind the attacks.

WannaCry, developed in part with hacking techniques that were either stolen or leaked from the U.S. National Security Agency, has infected more than 300,000 computers since Friday, locking up their data and demanding a ransom payment to release it.

Researchers at security firm Proofpoint said the related attack, which installs a currency “miner” that generates digital cash, began infecting machines in late April or early May but had not been previously discovered because it allows computers to operate while creating the digital cash in the background.

Proofpoint executive Ryan Kalember said the authors may have earned more than $1 million, far more than has been generated by the WannaCry attack.

Like WannaCry, the program attacks via a flaw in Microsoft Corp’s Windows software. That hole has been patched in newer versions of Windows, though not all companies and individuals have installed the patches.

Digital currencies based on a technology known as blockchain operate by enabling the creation of new currency in exchange for solving complex math problems. Digital “miners” run specially configured computers to solve the problems and generate currency, whose value ultimately fluctuates according to market demand.

Bitcoin is by far the largest such currency, but the new mining program is not aimed at Bitcoin. Rather it targeted a newer digital currency, called Monero, that experts say has been pursued recently by North Korean-linked hackers.

North Korea has attracted attention in the WannaCry case for a number of reasons, including the fact that early versions of the WannaCry code used some programming lines that had previously been spotted in attacks by Lazarus Group, a hacking group associated with North Korea.

Security researchers and U.S. intelligence officials have cautioned that such evidence is not conclusive, and the investigation is in its early stages.

In early April, security firm Kaspersky Lab said that a wing of Lazarus devoted to financial gain had installed software to mine Monero on a server in Europe.

A new campaign to mine the same currency, using the same Windows weakness as WannaCry, could be coincidence, or it could suggest that North Korea was responsible for both the ransomware and the currency mining.

Kalember said he believes the similarities in the European case, WannaCry and the miner were “more than coincidence.”

“It’s a really strong overlap,” he said. “It’s not like you see Monero miners all over the world.”

The North Korean mission to the United Nations could not be reached for comment, while the FBI declined to comment. — By Joseph Menn | SAN FRANCISCO

(Fixes spelling of digital currency in paragraphs 11 and 14 to Monero not Moreno.)

(Reporting by Joseph Menn; Editing by Jonathan Weber and Cynthia Osterman)


Some businesses in Asia disrupted by cyber attack, authorities brace for more

by UNTV News   |   Posted on Monday, May 15th, 2017

A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

Asian governments and businesses reported some disruptions from the WannaCry ransomware worm on Monday but cybersecurity experts warned of a wider impact as more employees turned on their computers and checked e-mails.

In China, the world’s second-largest economy, payment systems and government services reported some outages from the ransomware attack, but far less than feared. Disruptions were low in the rest of Asia, including Japan, India, South Korea and Australia.

The WannaCry worm, which erupted on Friday, locked up hundreds of thousands of computers in more than 150 countries, hitting factories, hospitals, shops and schools worldwide.

While the effect on Asian entities on Monday was less severe than anticipated, industry professionals flagged potential risks in the future. Companies that were hit by the worm, which is spread mostly by email, may be wary of making it public, they added.

“We’re looking at (the) victims’ profiles, we’re still seeing a lot of victims in the Asia-Pacific region. But it is a global campaign, it’s not targeted,” said Tim Wellsmore, Director of Threat Intelligence, Asia Pacific at cybersecurity firm FireEye Inc FEYE.N.

“But I don’t think we can say it hasn’t impacted this region to the extent it has some other regions.”

Michael Gazeley, managing director of Network Box, a Hong Kong-based cybersecurity firm, said there were still “many ‘landmines’ waiting in people’s in-boxes” in the region, with most of the attacks having arrived via e-mail.

However, financial markets in Asia were unfazed by news of the cyberattack, with stocks mostly up across the region during the day.

In China, energy giant PetroChina (601857.SS) said payment systems at some of its petrol stations were hit, although it had been able to restore most of the systems. Several Chinese government bodies, including police and traffic authorities, reported they had been impacted by the hack, according to posts on official microblogs.

Chinese tech firm Qihoo 360 said the rate of infection on Monday had slowed significantly from the past two days.

“Previous concerns of a wide-scale infection of domestic institutions did not eventuate,” the firm said.

Japan’s National Police Agency reported two breaches of computers in the country on Sunday – one at a hospital and the other case involving a private person – but no loss of funds.

Industrial conglomerate Hitachi Ltd. (6501.T) said the attack had affected its systems at some point over the weekend, leaving them unable to receive and send e-mails or open attachments in some cases. The problem is still ongoing, the company said.

In India, the government said it had only received a few reports of attacks on systems and urged those hit not to pay attackers any ransom. No major Indian corporations reported disruptions to operations.

BANKS ESCAPE

A spokesman for the Hong Kong Exchanges and Clearing, one of the region’s biggest bourses, said all systems were so far working normally. “We remain highly vigilant,” he said.

A cybersecurity researcher in Asia who declined to be named said that while most banks globally had escaped damage, not all had installed patches in time.

The result was that some phishing e-mails slipped through and were activated by users, but were caught by other security systems in place.

At Indonesia’s biggest cancer hospital, Dharmais Hospital in Jakarta, around 100-200 people packed waiting rooms after the institution was hit by cyber attacks affecting scores of computers. By late morning, some people were still filling out forms manually, but the hospital said 70 percent of systems were back online now.

Elsewhere in the region, companies warned users and staff not to click on attachments or links. One school in South Korea barred its pupils from using the internet. Taiwan’s government appeared to have escaped major infection, possibly because regulations there require all departments to install software updates as soon as they are available.

South Korea’s presidential Blue House office said nine cases of ransomware were found in the country, but did not provide details on where the cyber attacks were discovered.

In Australia, Dan Tehan, the government minister responsible for cybersecurity, said just three businesses had been hit by the bug, despite worries of widespread infection. There were no reported cases in New Zealand.

Cyber security experts said the spread of the ransomware had slowed since its appearance on Friday but that the respite might only be brief.

For one thing, the attackers or copycat attackers may have developed new versions of the worm, although a British-based security researcher who thwarted an earlier version of the worm told Reuters most of these reports had been proven false.

NEW VERSION

In Hong Kong, Gazeley said his team had found a new version of the worm that didn’t use e-mail to lure victims.

Instead, it loaded scripts onto hacked websites where users who clicked on a malicious link would be infected directly. He said it was too early to tell how many websites had been affected.

In a blog post on Sunday, Microsoft (MSFT.O) President Brad Smith appeared to tacitly acknowledge what researchers had already widely concluded: The ransomware attack leveraged a hacking tool built by the U.S. National Security Agency that leaked online in April.

The non-profit U.S. Cyber Consequences Unit research institute estimated that total losses would range in the hundreds of millions of dollars, but not exceed $1 billion.

Infected computers appear to largely be out-of-date devices that organizations deemed not worth the price of upgrading or, in some cases, machines involved in manufacturing or hospital functions that proved too difficult to patch without possibly disrupting crucial operations, security experts said.

Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks. — By Jeremy Wagstaff and Dustin Volz | SINGAPORE/WASHINGTON

(Additional reporting by Jessica Yu in TAIPEI, Sam Nussey and Kaori Kaneko in TOKYO, Michelle Price in HONG KONG, Samuel Shen and David Stanway in SHANGHAI, Christine Kim in SEOUL, Engen Tham and Cate Cadell in BEIJING, Byron Smith in Sydney, Ed Davies and Agustinus Da Costa in JAKARTA, Euan Rocha in MUMBAI; Writing by Sam Holmes; Editing by Raju Gopalakrishnan)
