Tag archive: virus

Ukraine hit by the largest cyberattack in its history with the Petya virus

This morning my clients came to me with a panicked cry: «Nikita, everything of ours is encrypted. How did this happen?». It was a large company with 1000+ machines, running licensed Windows with the latest updates, a configured firewall, trimmed-down user rights and anti-phishing filters on the mail servers.

An hour later, representatives of another large company called; everything of theirs was encrypted too, close to 2000 machines. The attack started with large business structures, and an hour or two later I learned that Oschadbank, Ukrposhta and PrivatBank were under attack as well.

What happened, and how the situation is developing, below the cut.

This is what all the cyber experts, myself included, have been talking about day and night! Ukraine is not protected against cyberattacks, but that is not the point right now.

The Ukrainian cyber segment has been hit by yet another attack; this time the Petya and Misha ransomware encryptors started encrypting the computers of large Ukrainian enterprises, including critical infrastructure facilities such as Kyivenergo and Ukrenergo. I think there are in fact thousands of times more of them, but officials will, as usual, keep quiet about it until your lights go out.

At the moment the virus is spreading so fast that the State Fiscal Service has cut off all communications with the internet, and in some important government institutions only the closed government communications network is operating. According to my personal information, the relevant units of the SBU and the Cyberpolice have already been switched to emergency mode and are working on the problem. The situation is developing dynamically and we will keep covering it. Not only large companies have been encrypted, but also ATMs along with entire bank branches, television companies and so on…

Now for the technical details

So far it is known that #Petya encrypts the MBR, the disk's boot sector, and replaces it with its own, which is a novelty in the ransomware world; its friend #Misha, which arrives a little later, then encrypts all the files on the disk. Petya and Misha are not new, but there has never been such global spread before. Even fairly well-protected companies were hit.

Attempts at writing decryptors have already started appearing on the internet: github.com/leo-stone/hack-petya (UPD: it only works for old versions of the encryptors, before 26.06.17)

However, their effectiveness has not been confirmed.

Another problem is that in order to overwrite the MBR, Petya needs the computer to be rebooted, which panicking users successfully do; I would call it «panic-pressing the power button».

Among the current recommendations as of 17:00 on 27 June, I would advise NOT TO POWER OFF the computer if you have detected the encryptor, but to put it into hibernation, disconnected from the internet.
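Added example (my code, not part of the original post): a defender-side baseline check for the 512-byte MBR, the structure the post says Petya overwrites. It parses the boot-code region, the four partition entries and the 0x55AA signature, and reports when the boot code no longer matches a stored known-good hash; the sample MBR bytes and the baseline hash are constructed here and are not taken from any real malware.

```python
"""MBR baseline check: parse a 512-byte master boot record and report
deviations from a known-good baseline (hypothetical defender-side tool)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446         # bytes 446..509: four 16-byte partition entries
SIGNATURE_OFF = 510          # bytes 510..511: boot signature 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xAA"
# Partition entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR image into boot-code hash, partition entries and signature flag."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:            # empty entry
            continue
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[SIGNATURE_OFF:] == BOOT_SIGNATURE,
    }


def check_mbr(mbr: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    parsed = parse_mbr(mbr)
    findings = []
    if not parsed["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if parsed["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    bootable = [p for p in parsed["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected exactly one bootable partition, found {len(bootable)}")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: one bootable NTFS-type (0x07) partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = struct.pack(ENTRY_FMT, 0x80, 0x07, 2048, 204800) + b"\x00" * 48
    return code + table + BOOT_SIGNATURE


# Constructed data, not real boot code: a "known-good" MBR and its baseline hash,
# plus a copy whose boot-code region was overwritten, as the post describes.
KNOWN_GOOD_MBR = build_sample_mbr(b"\xEB\x63\x90 constructed good boot code")
BASELINE_SHA256 = parse_mbr(KNOWN_GOOD_MBR)["boot_code_sha256"]
OVERWRITTEN_MBR = build_sample_mbr(b"\xEB\x00\x90 constructed replaced boot code")

if __name__ == "__main__":
    # On a live Linux host the image would come from open("/dev/sda", "rb").read(512) (root needed).
    for name, image in (("known-good", KNOWN_GOOD_MBR), ("overwritten", OVERWRITTEN_MBR)):
        print(name, check_mbr(image, BASELINE_SHA256) or ["OK"])
```

To use it on real hosts, record the baseline hash from the first 512 bytes of the disk on a known-good machine and compare later captures against it.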

Personal assumptions:

The virus was named «Petya» after the President of Ukraine, Petro Poroshenko, and the largest surge of infections is observed precisely in Ukraine and precisely at Ukraine's large and important enterprises.

Tools:

On the site we will create a section, Petya and Misha Decrypt, where we will post all the decryption tools we find that we do not have time to verify ourselves. We ask other experts and information security specialists to send information by private message for effective communication.

UPD: There are no decryptors yet; the ones posted on the internet only work for old versions.

UPD2: The website of the Ministry of Internal Affairs of Ukraine is down. Law enforcement is switching to emergency mode.

Source

The Snake/Uroburos virus attacks Ukrainian users

Malicious activity aimed at users in Ukraine has increased since the fourth president of Ukraine, Viktor Yanukovych, was removed from power.

Several dozen computer networks on the territory of Ukraine have been attacked as part of a malicious campaign called «Snake». This is reported by the publication Enca, citing a report by the British company BAE Systems.

The company, in turn, states that since the beginning of this year, state communication networks have been subjected to 14 major attacks by hackers, whereas for the whole of 2013 the figure was half that. According to experts, the cyberattacks became more active after the fourth president of Ukraine, Viktor Yanukovych, was removed from power.

Structurally the virus somewhat resembles Stuxnet, which in 2010 was used to disrupt the internal networks of Iran's nuclear program. Because Uroburos can remain inactive for several days, it is very hard to detect.

Recall that, according to G Data, Snake, or Uroburos, steals files from infected computers and intercepts network traffic. The virus was built to operate in P2P mode in order to establish communication between infected systems. This lets an attacker gain remote access to a computer with an internet connection and use it to control other PCs on the local network.

More: http://www.securitylab.ru/news/450360.php

Stuxnet has reached a Russian nuclear power plant

The story of the American-Israeli cyberweapon Stuxnet, which was used against Iran's nuclear program and whose operation, «Olympic Games», was personally followed by the President of the United States, has taken an interesting turn.

Stuxnet was meant to be planted on the computers of Iranian uranium enrichment plants. The program's code helped disrupt the normal operation of the Siemens P-1 centrifuges, so that over time the centrifuges failed for «unexplained» reasons.

The program successfully accomplished its task. The problem is that at a certain stage Stuxnet got out of control and began spreading over the internet, threatening targets other than Iranian ones. Pulitzer Prize winner David Sanger says in his book «Confront and Conceal» that the error was in the second version of the program, which Israeli colleagues wrote independently of the Americans.

New details about the consequences of Operation «Olympic Games» were reported by the Russian expert Eugene Kaspersky. During a press conference in Australia he said that a friend of his who works at one of the nuclear power plants found the Stuxnet virus on the plant's local network, which is not connected to the internet (see after minute 27 of the video).

«Everything you do is a boomerang», said Eugene Kaspersky. «It comes back to you. This is cyberspace. There are no borders in it, and many enterprises run the same systems.»

Stuxnet is known to have infected computers at several enterprises, including in the USA, but this is the first known infection of a nuclear power plant outside Iran.

Moreover, Kaspersky did not stop there. He said that the «Russian space guys» he also knows reported «periodic infection» of computers on the International Space Station as new cosmonauts arrive at the station with their flash drives.

Source

Computer Viruses Are «Rampant» on Medical Devices in Hospitals

A meeting of government officials reveals that medical equipment is becoming riddled with malware.

 

Health scare: Much hospital equipment uses software that can be vulnerable to viruses.

Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable.

While no injuries have been reported, the malware problem at hospitals is clearly rising nationwide, says Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, who took part in the panel discussion.

Software-controlled medical equipment has become increasingly interconnected in recent years, and many systems run on variants of Windows, a common target for hackers elsewhere. The devices are usually connected to an internal network that is itself connected to the Internet, and they are also vulnerable to infections from laptops or other devices brought into hospitals. The problem is exacerbated by the fact that manufacturers often will not allow their equipment to be modified, even to add security features.

In a typical example, at Beth Israel Deaconess Medical Center in Boston, 664 pieces of medical equipment are running on older Windows operating systems that manufacturers will not modify or allow the hospital to change—even to add antivirus software—because of disagreements over whether modifications could run afoul of U.S. Food and Drug Administration regulatory reviews, Fu says.

As a result, these computers are frequently infected with malware, and one or two have to be taken offline each week for cleaning, says Mark Olson, chief information security officer at Beth Israel.

«I find this mind-boggling,» Fu says. «Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There’s little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches.»

The worries over possible consequences for patients were described last Thursday at a meeting of a medical-device panel at the National Institute of Standards and Technology Information Security & Privacy Advisory Board, of which Fu is a member, in Washington, D.C. At the meeting, Olson described how malware at one point slowed down fetal monitors used on women with high-risk pregnancies being treated in intensive-care wards.

«It’s not unusual for those devices, for reasons we don’t fully understand, to become compromised to the point where they can’t record and track the data,» Olson said during the meeting, referring to high-risk pregnancy monitors. «Fortunately, we have a fallback model because they are high-risk [patients]. They are in an IC unit—there’s someone physically there to watch. But if they are stepping away to another patient, there is a window of time for things to go in the wrong direction.»

The computer systems at fault in the monitors were replaced several months ago by the manufacturer, Philips; the new systems, based on Windows XP, have better protections and the problem has been solved, Olson said in a subsequent interview.

At the meeting, Olson also said similar problems threatened a wide variety of devices, ranging from compounders, which prepare intravenous drugs and intravenous nutrition, to picture-archiving systems associated with diagnostic equipment, including massive $500,000 magnetic resonance imaging devices.

Olson told the panel that infections have stricken many kinds of equipment, raising fears that someday a patient could be harmed. «We also worry about situations where blood gas analyzers, compounders, radiology equipment, nuclear-medical delivery systems, could become compromised to where they can’t be used, or they become compromised to the point where their values are adjusted without the software knowing,» he said. He explained that when a machine becomes clogged with malware, it could in theory «miss a couple of readings off of a sensor [and] erroneously report a value, which now can cause harm.»

Often the malware is associated with botnets, Olson said, and once it lodges inside a computer, it attempts to contact command-and-control servers for instructions. Botnets, or collections of compromised computers, commonly send spam but can also wage attacks on other computer systems or do other tasks assigned by the organizations that control them (see «Moore’s Outlaws»).

In September, the Government Accountability Office issued a report warning that computerized medical devices could be vulnerable to hacking, posing a safety threat, and asked the FDA to address the issue. The GAO report focused mostly on the threat to two kinds of wireless implanted devices: implanted defibrillators and insulin pumps. The vulnerability of these devices has received widespread press attention (see «Personal Security» and «Keeping Pacemakers Safe from Hackers»), but no actual attacks on them have been reported.

Fu, who is a leader in researching the risks described in the GAO report, said those two classes of device are «a drop in the bucket»: thousands of other network-connected devices used for patient care are also vulnerable to infection. «These are life-saving devices. Patients are overwhelmingly safer with them than without them. But cracks are showing,» he said. (Fu was Technology Review’s Innovator of the Year in 2009.)

Malware problems on hospital devices are rarely reported to state or federal regulators, both Olson and Fu said. This is partly because hospitals believe they have little recourse. Despite FDA guidance issued in 2009 to hospitals and manufacturers—encouraging them to work together and stressing that eliminating security risks does not always require regulatory review—many manufacturers interpret the fine print in other ways and don’t offer updates, Fu says. And such reporting is not required unless a patient is harmed. «Maybe that’s a failing on our part, that we aren’t trying to raise the visibility of the threat,» Olson said. «But I think we all feel the threat gets higher and higher.»

Speaking at the meeting, Brian Fitzgerald, an FDA deputy director, said that in visiting hospitals around the nation, he has found Beth Israel’s problems to be widely shared. «This is a very common profile,» he said. The FDA is now reviewing its regulatory stance on software, Fitzgerald told the panel. «This will have to be a gradual process, because it involves changing the culture, changing the technology, bringing in new staff, and making a systematic approach to this,» he said.

In an interview Monday, Tam Woodrum, a software executive at the device maker GE Healthcare, said manufacturers are in a tough spot, and the problems are amplified as hospitals expect more and more interconnectedness. He added that despite the FDA’s 2009 guidance, regulations make system changes difficult to accomplish: «In order to go back and update the OS, with updated software to run on the next version, it’s an onerous regulatory process.»

Olson said that in his experience, GE Healthcare does offer software patches and guidance on keeping devices secure, but that not all manufacturers have the same posture. He added that the least-protected devices have been placed behind firewalls. But to do that with all a hospital’s software-controlled equipment would require more than 200 firewalls—an unworkable prospect, he said.

John Halamka, Beth Israel’s CIO and a Harvard Medical School professor, said he began asking manufacturers for help in isolating their devices from the networks after trouble arose in 2009: the Conficker worm caused problems with a Philips obstetrical care workstation, a GE radiology workstation, and nuclear medical applications that «could not be patched due to [regulatory] restrictions.» He said, «No one was harmed, but we had to shut down the systems, clean them, and then isolate them from the Internet/local network.»

He added: «Many CTOs are not aware of how to protect their own products with restrictive firewalls. All said they are working to improve security but have not yet produced the necessary enhancements.»

Fu says that medical devices need to stop using insecure, unsupported operating systems. «More hospitals and manufacturers need to speak up about the importance of medical-device security,» he said after the meeting. «Executives at a few leading manufacturers are beginning to commit engineering resources to get security right, but there are thousands of software-based medical devices out there.»

Source

 
