June 29, 2017

#NotPetya and #Petya compared: any hope for decrypting files? - UPDATED

#NotPetya and #Petya compared: any hope for decrypting files?
Positive Technologies expert Dmitry Sklyarov provides here his comparison of NotPetya ransomware, which attacked companies this week, with a sample of Petya from 2016. Is decryption of ransomed files possible? And what does the code tell us about the malware's creation?
This post considers the portions of the two viruses responsible for MFT encryption. This encryption runs when the ransomware has administrator rights.

June 27, 2017

The new malware that broke out today is slightly similar to Petya ransomware known since 2016

Positive Technologies experts are still analyzing the malware sample and gathering additional data—in particular, information on the mechanism of its intrusion into a network. But even at this point it is obviously not just a new version of WannaCry. This ransomware combines hacking techniques, such as standard utilities for system administration and tools for obtaining passwords to operating systems. This ensures fast spread of the malware within the network and causes a large-scale epidemic—if at least one computer is infected. As a result, the computer is out of operation and data are encrypted.

June 21, 2017

SigPloit framework published: telecom vulnerability testing of SS7, GTP, Diameter, and SIP made easy

Code for the open-source SigPloit framework has been published on GitHub by security researcher Loay Abdelrazek. SigPloit is a convenient framework for testing for vulnerabilities in telecommunication protocols. We cannot say state that this project will have a big effect on the security situation, but this is definitely one of the alarm bells that should be noted by telecom industry.

June 16, 2017

Practical ways to misuse a router

Wi-Fi and 3G routers are all around us. Yet in just one recent month, approximately 10 root shell and administrator account vulnerabilities in home internet devices came to light. And access to tens of millions of IoT devices—routers, webcams, and other gadgets—is available to anyone willing to pay $50 for a shodan.io paid account.

At the same time, developers and vendors of these devices tend to have other priorities than "testing" and "security." Many serious vulnerabilities remain unpatched, and even when patches are released, users are slow to install them. What does this leave us with? Legions of vulnerable devices, lying low until hacked and pressed into service as part of a DDoS botnet.

June 2, 2017

WAF Bypass at PHDays VII: Results and Answers

Continuing the tradition of past years, the WAF Bypass contest was held at last month's PHDays. Participants tried to bypass PT Application Firewall protection mechanisms in order to find special flags accessible through vulnerabilities specially left in web applications. In a series of challenges, the organizers disabled different features of PT Application Firewall, leaving a "way in" for participants to take advantage of. The focus of attention this time was a prototype database firewall (DBFW), which analyzed SQL traffic from applications to databases.