
Global cyberattack disrupts shipper FedEx, UK health system


Jonathan Fairfield


By Costas Pitas and Carlos Ruano

 


 

LONDON/MADRID (Reuters) - A global cyberattack leveraging hacking tools widely believed by researchers to have been developed by the U.S. National Security Agency hit international shipper FedEx, disrupted Britain's health system and infected computers in nearly 100 countries on Friday.

 

Russian cyber security software maker Kaspersky Lab said its researchers had observed more than 45,000 attacks in 74 countries as of early Friday. Later in the day, security software maker Avast put the tally at 57,000 infections in 99 countries. Russia, Ukraine and Taiwan were the top targets, Avast said.

 

British hospitals and clinics were forced to turn away patients because their computers were infected by a pernicious new form of "ransomware" that rapidly spread across the globe, demanding payments of as much as $600 to restore access and scrambling data.

 

Leading international shipper FedEx Corp <FDX.N> said it was one of the companies whose Microsoft Corp <MSFT.O> Windows system was infected with the malware that security firms said was delivered via spam emails.

 

Only a small number of U.S.-headquartered organizations were infected because the hackers appear to have begun the campaign by targeting organizations in Europe, said Vikram Thakur, research manager with security software maker Symantec.

 

By the time they turned their attention to U.S. organizations, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious, Thakur said.

 

"Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware," the company said in a statement. "We are implementing remediation steps as quickly as possible."

 

Telecommunications company Telefonica <TEF.MC> was among many targets in Spain, though it said the attack was limited to some computers on an internal network and had not affected clients or services.

 

Portugal Telecom and Telefonica Argentina both said they were also targeted.

 

Private security firms identified the ransomware as a new variant of "WannaCry" that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft's Windows operating system.

 

"Once it gets in and starts moving across the infrastructure, there is no way to stop it," said Adam Meyers, a researcher with cyber security firm CrowdStrike.

 

The hackers, who have not come forward to claim responsibility or otherwise been identified, likely made it a "worm," or self spreading malware, by exploiting a piece of NSA code known as "Eternal Blue" that was released last month by a group known as the Shadow Brokers, researchers with several private cyber security firms said.

 

"This is one of the largest global ransomware attacks the cyber community has ever seen," said Rich Barger, director of threat research with Splunk, one of the firms that linked WannaCry to the NSA.

 

The Shadow Brokers released Eternal Blue as part of a trove of hacking tools that they said belonged to the U.S. spy agency.

 

Microsoft on Friday said it was pushing out automatic Windows updates to defend clients from WannaCry. It issued a patch on March 14 to protect them from Eternal Blue.

 

"Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt," Microsoft said in a statement. It said the company was working with its customers to provide additional assistance.

 

SENSITIVE TIMING

 

The spread of the ransomware capped a week of cyber turmoil in Europe that kicked off a week earlier when hackers posted a huge trove of campaign documents tied to French candidate Emmanuel Macron just 1-1/2 days before a run-off vote in which he was elected as the new president of France.

 

On Wednesday, hackers disrupted the websites of several French media companies and aerospace giant Airbus <AIR.PA>.

Also, the hack happened four weeks before a British parliamentary election in which national security and the management of the state-run National Health Service (NHS) are important campaign themes.

 

Authorities in Britain have been braced for possible cyberattacks in the run-up to the vote, as happened during last year's U.S. election and on the eve of this month's presidential vote in France.

 

But those attacks - blamed on Russia, which has repeatedly denied them - followed an entirely different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

 

On Friday, Russia's interior and emergencies ministries, as well as the country's biggest bank, Sberbank <SBER.MM>, said they were targeted. The interior ministry said on its website that around 1,000 computers had been infected but it had localised the virus. The emergencies ministry told Russian news agencies it had repelled the cyber attacks while Sberbank said its cyber security systems had prevented viruses from entering its systems.

 

NEW BREED OF RANSOMWARE

 

Although cyber extortion cases have been rising for several years, they have to date affected small-to-mid sized organizations, disrupting services provided by hospitals, police departments, public transportation systems and utilities in the United States and Europe.

 

"Seeing a large telco like Telefonica get hit is going to get everybody worried. Now ransomware is affecting larger companies with more sophisticated security operations," Chris Wysopal, chief technology officer with cyber security firm Veracode, said.

 

The news is also likely to embolden cyber extortionists when selecting targets, Chris Camacho, chief strategy officer with cyber intelligence firm Flashpoint, said.

 

"Now that the cyber criminals know they can hit the big guys, they will start to target big corporations. And some of them may not be well prepared for such attacks," Camacho said.

 

In Spain, some big firms took pre-emptive steps to thwart ransomware attacks following a warning from Spain's National Cryptology Centre of "a massive ransomware attack."

 

Iberdrola <IBE.MC> and Gas Natural <GAS.MC>, along with Vodafone's unit in Spain <VOD.L>, asked staff to turn off computers or cut off internet access in case they had been compromised, representatives from the firms said.

In Spain, the attacks did not disrupt the provision of services or network operations of the victims, the government said in a statement.

 

(Additional reporting by Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella Cinelli, Dustin Volz, Kate Holton, Andy Bruce, Michael Holden, David Milliken, Rosalba O'Brien, Julien Toyer, Tim Hepher, Luiza Ilie, Patricia Rua, Axel Bugge and Sabine Siebold; Writing by Mark Trevelyan and Jim Finkle; Editing by Ralph Boulton and Grant McCool)

 

 
-- © Copyright Reuters 2017-05-13

Global cyber attack fuels concern about U.S. vulnerability disclosures

 



By Dustin Volz

 

WASHINGTON (Reuters) - A global cyber attack on Friday renewed concerns about whether the U.S. National Security Agency and other countries' intelligence services too often hoard software vulnerabilities for offensive purposes, rather than quickly alerting technology companies to such flaws.

 

Hacking tools believed to belong to the NSA that were leaked online last month appear to be the root cause of a major cyber attack unfurling throughout Europe and beyond, security researchers said, stoking fears that the spy agency's powerful cyber weapons had been stolen and repurposed by hackers with nefarious goals.

 

Some cyber security experts and privacy advocates said the massive attack reflected a flawed approach by the United States to dedicate more cyber resources to offence rather than defence, a practice they argued makes the internet less secure.

 

Across the U.S. federal government, about 90 percent of all spending on cyber programs is dedicated to offensive efforts, including penetrating the computer systems of adversaries, listening to communications and developing the means to disable or degrade infrastructure, senior intelligence officials told Reuters in March.

 

"These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies, but by hackers and criminals around the world," Patrick Toomey, a staff attorney with the American Civil Liberties Union, said in a statement.

 

The NSA did not respond to a request for comment.

 

Hospitals and doctors' surgeries in parts of England on Friday were forced to turn away patients and cancel appointments after they were infected with the "ransomware", which scrambled data on computers and demanded payments of $300 to $600 to restore access.

 

Security software maker Avast said it had observed more than 57,000 infections in 99 countries. Russia, Ukraine and Taiwan were the top targets, it said.

 

Private security firms identified the virus as a new variant of 'WannaCry' ransomware with the ability to automatically spread across large networks by exploiting a bug in Microsoft Corp's <MSFT.O> Windows operating system.

 

Security experts said the ransomware used in the attacks leveraged a hacking tool found in a leak of documents in April by a group known as Shadow Brokers.

 

At the time, Microsoft acknowledged the vulnerabilities and said they had been patched in a series of earlier updates pushed to customers, the most recent of which had been rolled out only a month earlier in March. But the episode prompted concerns about whether the tools could be leveraged by hackers to attack unpatched systems.

 

In a statement, a Microsoft spokesman said on Friday its engineers had provided additional detection and protection services against the WannaCry malware and that it was working with customers to provide additional assistance. The spokesman reiterated that customers who have Windows Updates enabled and use the company's free antivirus software are protected.

 

Shadow Brokers first emerged last year and began dumping tranches of documents that it said belonged to the NSA, though the files appeared at least a few years old.

 

Over time, western researchers have grown more confident that Russia may be behind Shadow Brokers and possibly other recent disclosures of sensitive information about cyber capabilities that have been pilfered from U.S. intelligence agencies.

 

Some researchers cast blame not on the NSA but on the hospitals and other customers that appeared to leave themselves open to attack.

 

"The main problem here is organizations taking more than eight weeks to patch once Microsoft released the update," said Chris Wysopal, chief technology officer at the cyber firm Veracode. "Eight weeks is plenty of time for a criminal organisation to develop a sophisticated attack on software and launch it on a wide scale."

 

Former intelligence contractor Edward Snowden, who in 2013 leaked documents to journalists revealing the existence of broad U.S. surveillance programs, said on Twitter the NSA had built attack tools targeting U.S. software that "now threatens the lives of hospital patients."

 

"Despite warnings, (NSA) built dangerous attack tools that could target Western software," Snowden said. "Today we see the cost."

 

(Reporting by Dustin Volz; Editing by Lisa Shumaker)

 

 
-- © Copyright Reuters 2017-05-13

Intel's interactive map tracks every malware event worldwide in real-time...
 
https://intel.malwaretech.com/pewpew.html

The ransomware, variably called WanaCryptor 2.0, WannaCry, WCry or WCrypt, seemed to be using an exploit that was developed years ago by the U.S. National Security Agency (NSA) and revealed publicly in a WikiLeaks data dump last month. Microsoft secretly patched Windows against the attack in March, but many systems in large organizations had apparently not been updated.

On this map you can see WCrypt flashing up constantly. Very worrying. Get updated with a patch.

https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx

Somebody reckoned on the news that attacking hospitals was just a dry run that their next target will be the world's big corporations.

Maybe the banksters will get their just deserts after the 2007 debacle :giggle:


I don't know the specific relevance of the points here, but my company's IT department has issued the following instruction:

 

  1. If you have received an email from [email protected] with an attachment, do not open the attachment, delete the email immediately

  2. If you have received an email with the attachment nm.pdf,  or _nm.pdf, do not open the attachment, delete the email immediately


Yes... The NHS in the UK has been hit hard.

 

Quote

NHS cyber-attack: Experts strive to restore NHS computers

IT experts are "working round the clock" to restore NHS computer systems hit by Friday's ransomware attack.

Ciaran Martin, head of the UK's cyber security agency, said it was doing "everything in our power" to get "vital services" back up and running.

The BBC understands about 40 NHS organisations and some GP practices were hit in England and Scotland, with operations and appointments cancelled.

http://www.bbc.co.uk/news/health-39906019

 

Now the British Government has just been bitten hard in the bum, maybe they will do something about malware, viruses and scam emails, as they all have email addresses to reply to, or websites and bank accounts or Bitcoin for receiving payments.

 

The UK's cyber security agency should be able to:

  • Instruct all UK internet service providers to block email and website addresses associated with these attacks.
  • Instruct all UK banks to block payment transfers to crooks' accounts.

The UK Government should outlaw Bitcoin under Money Laundering laws, and take retaliatory action against countries that harbour these crooks.

 

 


Just tried to download the patch from March for offline installation on an older W7 PC.

Microsoft site is overloaded (Microsoft Update Catalog).

Got a "not found" after minutes of waiting.

 

EDIT: another attempt for the 32 bit version was successful.

(about 2 min waiting)


14 minutes ago, KhunBENQ said:

Just tried to download the patch from March for offline installation on an older W7 PC.

Microsoft site is overloaded (Microsoft Update Catalog).

Got a "not found" after minutes of waiting.

 

EDIT: another attempt for the 32 bit version was successful.

(about 2 min waiting)

How to be sure to have this patch already? I just got the May Security update.


1 minute ago, alocacoc said:

How to be sure to have this patch already? I just got the May Security update.

No worry, it's been distributed at the latest by the end of March or so.

What OS do you have?

 

This W7 PC (of the granddaughter) was intentionally set to manual update search by me.

And of course she logs on as a standard user, no admin rights.


Windows 7 here. I also intentionally set to manual update. I check every Sunday for updates.

 

I don't get it. How come companies and hospitals didn't install the security patch?


what's alarming is the number of <deleted> using computers and internet.

 

seriously ... you get an email with an attachment from a sender you didn't get any messages before ... you go ahead and open the attachment ?

 

a good security measure would probably be to restrict email and internet use to people who have been trained on security and successfully passed a cybersecurity test.

Edited by metisdead
Inflammatory comment removed.

And even more alarming:

 

Many NHS trusts still use Windows XP, a version of Microsoft’s operating system that has not received publicly available security updates for half a decade, and even those which are running on newer operating systems are often sporadically maintained.

 

https://www.theguardian.com/technology/2017/may/12/nhs-ransomware-cyber-attack-what-is-wanacrypt0r-20

 

Believe me or not, but I saw the Windows XP logo on Thai ATM and on computers in Thai bank branches.


1 hour ago, Caps said:

Well done the NSA....another great Export by the US

All countries look into ways of making war defensive or offensive, it's the plonkers like WikiLeaks who release stuff like this without a care to the damage they do.


3 hours ago, manarak said:

what's alarming is the number of <deleted> using computers and internet.

 

seriously ... you get an email with an attachment from a sender you didn't get any messages before ... you go ahead and open the attachment ?

 

a good security measure would probably be to restrict email and internet use to people who have been trained on security and successfully passed a cybersecurity test.

 

You have not done your research on how this thing spreads. If you walk into an airport, let's say, that has free unsecured wifi, it will infect all Windows computers without the patch, unknowingly to the user.

As far as your knobs remark, I'm sure you have one knob friend that may have you in their contacts list and opens an attachment or clicks a link, which executes a script and sends that one email to you and everyone else in their address book, making the email actually come from the sender.

I've worked in IT now for 20 years and my best advice if you offer FREE wifi at your business is to separate that network from your work machines that may require Windows. Alternatively, move to cloud applications for mission critical software.

Unfortunately at its current state, most enterprise software only runs on Windows. The reason why you would not have automatic updates turned on is it could cause system wide incompatibility until a vendor updates.

 



Alleged cyber hacker Lauri Love has warned that the cyberattack that disabled NHS computers could spread to nearly every country in the world.

Lauri Love is a Finnish-British activist charged extraterritorially with stealing data from United States Government computers including the Federal Reserve, the US Army, Missile Defense Agency, and NASA via hacking.

Just now, xvend said:

Yes, interesting, The guy who predicted this event weeks ago is convinced there will be very soon a new attack without that "killswitch" feature.


10 hours ago, Wilsonandson said:


The ransomware, variably called WanaCryptor 2.0, WannaCry, WCry or WCrypt, seemed to be using an exploit that was developed years ago by the U.S. National Security Agency (NSA) and revealed publicly in a WikiLeaks data dump last month. Microsoft secretly patched Windows against the attack in March, but many systems in large organizations had apparently not been updated.

On this map you can see WCrypt flashing up constantly. Very worrying. Get updated with a patch.

https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx

Some NHS computers still running XP! With all the billions spent, is there no IT department?

 

I demand blood on the carpet! If you draw a 6 or more figure salary, carry the can. Pathetic security. I do hope our infrastructure and defence facilities have clued up people ?

