Posts Tagged ‘Kaspersky’

U.S. Flagged Russian Firm Kaspersky as Potential Threat as Early as 2004

November 18, 2017

Intelligence agencies have expressed concern about the cybersecurity company’s software

WASHINGTON—A Russian cybersecurity firm whose products current and former U.S. officials suspect Moscow has used as a tool for spying was flagged by U.S. military intelligence as a potential security threat as early as 2004, according to new information the Defense Department provided to Congress.

In 2013, the Defense Intelligence Agency, the U.S. military spy service, also issued a Pentagon-wide threat assessment about products made by the company, Kaspersky Lab, according to an email this week from the Pentagon to the House Committee on Science, Space and Technology. The contents of the assessment weren’t disclosed.

The DIA “began producing threat reporting referencing Kaspersky Lab as a threat actor as early as 2004,” according to the email, reviewed by The Wall Street Journal, raising questions about why other federal agencies continued to use the firm’s products.

The Journal reported in October that hackers suspected of working for the Russian government targeted a National Security Agency contractor through the contractor’s use of Kaspersky Lab antivirus software and stole details of how the U.S. penetrates foreign computer networks.

Kaspersky has long said it doesn’t assist the Russian government with spying on other countries.

The revelation about Kaspersky comes as concern over Russian infiltration of American computer networks and social-media platforms is growing after the U.S. intelligence assessment that the Russian government worked to help President Donald Trump’s 2016 campaign. Russia has denied meddling in the election.

Kaspersky published a report on Thursday saying that the computer it believes may have belonged to the NSA contractor in question was infected with other malware that could have been responsible for exfiltrating information.

The company said in a separate statement, in response to the revelation that U.S. military intelligence flagged the firm as a threat actor, that it remains “ready to work with the U.S. government to address any and all concerns and further collaborate to mitigate against cyber threats, regardless of their origin or purpose.” It added: “we maintain that there has yet to be any credible evidence of the risks presented by the company’s products.”

The DIA’s threat analysis center, established in 2009, circulated analysis regarding Kaspersky Lab to various acquisition programs within the Pentagon, according to the email. It also made its views about the potential threat posed by Kaspersky Lab known to other agencies as early as 2012, the email said.

The email the Pentagon official sent this week was a follow-up to questions posed by the committee chairman, Rep. Lamar Smith (R., Texas), about why the Pentagon had decided not to use Kaspersky products while other U.S. federal agencies felt safe to do so.

A top Pentagon cybersecurity official, Essye Miller, told the committee at a hearing this week that the Defense Department hadn’t used Kaspersky products because of intelligence information regarding the firm.

Still, other federal agencies didn’t follow the same precautions and used Kaspersky products. Jeanette Manfra, a top Department of Homeland Security official, said at the hearing that roughly 15% of the federal agencies that checked to see if Kaspersky was operating on their systems found the company’s products. DHS has set a Dec. 12 deadline for all U.S. government agencies to remove the firm’s software.

“We expect to continue to get more information and also get those basic questions answered—like why did they ever start using Kaspersky Lab products?” Rep. Smith said.

Write to Paul Sonne at paul.sonne@wsj.com

https://www.wsj.com/articles/u-s-flagged-russian-firm-kaspersky-as-potential-threat-in-2004-1510957459

Kaspersky blames NSA hack on infected Microsoft software

November 16, 2017

AFP

11:46 EST, 16 November 2017

The Moscow headquarters of Kaspersky Lab, which the US has alleged has links to Russian intelligence

Embattled computer security firm Kaspersky Lab said Thursday that malware-infected Microsoft Office software and not its own was to blame for the hacking theft of top-secret US intelligence materials.

Adding tantalizing new details to the cyber-espionage mystery that has rocked the US intelligence community, Kaspersky also said there was a China link to the hack.

The Moscow-based anti-virus software maker, which is now banned on US government computers because of alleged links to Russian intelligence, confirmed that someone did apparently steal valuable National Security Agency programs from an NSA worker’s home computer, as first reported by the Wall Street Journal on October 5.

According to the Journal, the person had top secret files and programs from the NSA hacking unit called the Equation Group on his computer, which was also using Kaspersky software protection.

They believe that Russian spies used the Kaspersky program as a back door to discover and siphon off the files, reportedly causing deep damage to the NSA’s own cyber-espionage operations.

US allegations that Kaspersky, which sold more than $600 million of anti-virus software globally in 2015, knowingly or unknowingly helped Russian intelligence in the theft have effectively killed its US business and hurt its worldwide reputation.

– Kaspersky software ‘disabled’ –

Using its own forensic analysis, Kaspersky said the breach of the NSA worker’s computer took place between September and November 2014, rather than 2015 as the Journal reported.

Kaspersky said what was stolen included essential source code for some Equation Group malware, as well as classified documents. Based on the materials, it said the computer appeared to belong to someone involved in creating malware for the Equation Group.

The company claimed, however, that the computer was infected by other malware, including a Russian-made “backdoor tool” hidden in Microsoft Office.

Kaspersky said that the malware was controlled from a computer server base in Hunan, China, and would have opened a path into the computer for anyone targeting an NSA worker.

“Given that system owner’s potential clearance level, the user could have been a prime target of nation-states,” it said.

Kaspersky’s own software would have detected that malware, the company said, except that its software had been turned off.

“To install and run this malware, the user must have disabled Kaspersky Lab products on his machine,” it claimed.

pmh/jh

American Intelligence Horror Story

November 13, 2017

Are U.S. spies losing their technological edge?

The National Security Agency campus in Fort Meade, Maryland in 2013. PHOTO: PATRICK SEMANSKY/ASSOCIATED PRESS

NSA, sometimes said to stand for Never Say Anything, does not want to talk about this. But it’s a momentous crisis for the largest US intelligence agency. https://nyti.ms/2jlglTa 

The N.S.A.’s headquarters at Fort Meade in Maryland. Cybertools the agency developed have been picked up by hackers from North Korea to Russia and shot back at the United States and its allies.

Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core

A serial leak of the agency’s cyberweapons has damaged morale, slowed intelligence operations and resulted in hacking attacks on businesses and civilians worldwide.

nytimes.com

For years technologists have been warning about the possibility of a sort of digital Pearl Harbor in which a hostile foreign power launches a devastating cyber-attack on the United States. Is it already happening?

A disturbing report in the New York Times describes the damage that has been done—and is still being done—by a mysterious group called the Shadow Brokers, which managed to steal the hacking tools the U.S. National Security Agency has used to spy on other countries. The Times describes an “earthquake that has shaken the N.S.A. to its core” and adds:

Current and former agency officials say the Shadow Brokers disclosures, which began in August 2016, have been catastrophic for the N.S.A., calling into question its ability to protect potent cyberweapons and its very value to national security. The agency regarded as the world’s leader in breaking into adversaries’ computer networks failed to protect its own.

A reported breach of the NSA has been described as “catastrophic” and even worse than Edward Snowden’s massive data leak. CBS News Senior National Security Contributor @MichaelJMorell joins @CBSThisMorning to discuss

Among the most disturbing aspects of the case is the fact that, long after the theft of critical data was detected, our government still doesn’t know how it happened. The Times writes:

Fifteen months into a wide-ranging investigation by the agency’s counterintelligence arm, known as Q Group, and the F.B.I., officials still do not know whether the N.S.A. is the victim of a brilliantly executed hack, with Russia as the most likely perpetrator, an insider’s leak, or both. Three employees have been arrested since 2015 for taking classified files, but there is fear that one or more leakers may still be in place. And there is broad agreement that the damage from the Shadow Brokers already far exceeds the harm to American intelligence done by Edward J. Snowden, the former N.S.A. contractor who fled with four laptops of classified material in 2013.

Mr. Snowden’s cascade of disclosures to journalists and his defiant public stance drew far more media coverage than this new breach. But Mr. Snowden released code words, while the Shadow Brokers have released the actual code; if he shared what might be described as battle plans, they have loosed the weapons themselves. Created at huge expense to American taxpayers, those cyberweapons have now been picked up by hackers from North Korea to Russia and shot back at the United States and its allies.

15 mos intensive investigation & FBI still can’t solve catastrophic NSA hack … but surprised people question certainty of conclusions on DNC hack where it never examined server. https://www.nytimes.com/2017/11/12/us/nsa-shadow-brokers.html 


This NSA disaster occurred on President Obama’s watch and the Times report suggests that Mr. Obama ignored advice from top officials in his national security team to address the management failure because he prioritized the effort to search for potential 2016 Trump campaign links to Russia:

One N.S.A. official who almost saw his career ended by the Shadow Brokers is at the very top of the organization: Adm. Michael S. Rogers, director of the N.S.A. and commander of its sister military organization, United States Cyber Command. President Barack Obama’s director of national intelligence, James R. Clapper Jr., and defense secretary, Ashton B. Carter, recommended removing Admiral Rogers from his post to create accountability for the breaches.

But Mr. Obama did not act on the advice, in part because Admiral Rogers’s agency was at the center of the investigation into Russia’s interference in the 2016 election.

As for President Trump, the question is why he has not initiated a house-cleaning at the top of the NSA.

For all Americans, the question is whether the technological edge that the United States has enjoyed in defense and intelligence for essentially all of our lifetimes is now in jeopardy.

***

Bottom Stories of the Day

Why would Kim Jong-un insult me by calling me “old,” when I would NEVER call him “short and fat?” Oh well, I try so hard to be his friend – and maybe someday that will happen!

Does This Tweet Make Me Look Apophatic?
“Trump mocks North Korea’s Kim, says he would never call him ‘short and fat’,” Fox News, Nov. 12

Annals of Single-Payer Health Care
“Canadian Patients And Doctors Are Sharing ‘Excruciating’ Wait Times On Twitter,” Huff Post, Nov. 3

So Much for the War on Drugs
“GOP Tax Plan Could Deal Blow to Seniors Paying for Long-Term Care,” ElderLawAnswers, Nov. 10

Hypothesis and Proof

  • “Without Humans, Artificial Intelligence Is Still Pretty Stupid,” The Wall Street Journal, Nov. 12
  • “How to Survive a Robot Apocalypse: Just Close the Door,” The Wall Street Journal, Nov. 10

***


https://www.wsj.com/articles/american-intelligence-horror-story-1510594127

(Carol Muller helps compile Best of the Web. Thanks to Irene DeBlasio, Myles Pollin, Jordan Bruneau, Rod Pennington and Paul Wood.)

Related:

Security Breach and Spilled Secrets Have Shaken the N.S.A. to Its Core

November 13, 2017

A serial leak of the agency’s cyberweapons has damaged morale, slowed intelligence operations and resulted in hacking attacks on businesses and civilians worldwide.

Kaspersky antivirus software sometimes copies your files

November 4, 2017


SAN FRANCISCO (Reuters) – Eugene Kaspersky said his company’s widely used antivirus software has copied files that did not threaten the personal computers of customers, a sharp departure from industry practice that could increase suspicions that the Moscow-based firm aids Russian spies.

The acknowledgement, made in an interview last Friday as part of the Reuters Cyber Security Summit, comes days after Kaspersky’s company said its software had copied a file containing U.S. National Security Agency hacking tools from the home computer of an agency worker in 2014.


Kaspersky’s firm has for years faced suspicions that it has links with Russian intelligence and state-sponsored hackers. Kaspersky denies any cooperation with Russian authorities beyond cyber crime enforcement.

In September, the U.S. Department of Homeland Security banned Kaspersky software from use in federal offices, citing the company’s ties with Russian intelligence. The company is the subject of a long-running probe by the U.S. Federal Bureau of Investigation, sources have told Reuters.

Antivirus software is designed to burrow deeply into computer systems and has broad access to their contents, but it normally seeks and destroys only files that contain viruses or are otherwise threatening to a customer’s computers, leaving all other files untouched.

Searching for and copying files that might contain hacking tools or clues about cyber criminals would not be part of normal operations of antivirus software, former Kaspersky employees and cyber security experts said.

In the Reuters interview, conducted at Kaspersky Lab’s offices in Moscow, Eugene Kaspersky said the NSA tools were copied because they were part of a larger file that had been automatically flagged as malicious.

He said the software removed from the agency worker’s computer included a tool researchers dubbed GrayFish, which the company has called the most complex software it has ever seen for corrupting the startup process for Microsoft’s Windows operating system.

Kaspersky said he had ordered the file to be deleted “within days” because it contained U.S. government secrets.

But he defended the broader practice of taking inert files from machines of people that the company believes to be hackers as part of a broader mission to help fight cyber crime.

“From time to time, yes, we have their code directly from their computers, from the developers’ computers,” Kaspersky told Reuters.

‘IMPROPER PRACTICE’

Three former Kaspersky employees and a person close to the FBI probe of the company, who first described the tactic to Reuters this summer, said copying non-infectious files abused the power of antivirus software. The person associated with the FBI said in one case Kaspersky removed a digital photo of a suspected hacker from that person’s machine.

Eugene Kaspersky declined to discuss specific instances beyond the NSA case, saying he did not want to give hackers ideas for avoiding detection.

“Sometimes we are able to catch cyber criminals, that’s why I am not so comfortable to speak about this to media,” he said in the interview. “Many of them are very clever, they can learn from what I am saying.”

Other industry experts called the practice improper. Mikko Hypponen, chief research officer at Finnish security company F-Secure, said that when his firm’s software finds a document that might contain dangerous code, “it will prompt the user or the administrator and ask if it can upload a copy to us.”

Dan Guido, chief executive of cyber security firm Trail of Bits, which has performed audits on security software, said Kaspersky’s practices point to a larger issue with all antivirus software.

“All of them aggregate a huge amount of information about their clients, which can be easily exploited when put in willing hands,” he said.

U.S. news organizations have reported that Kaspersky, or Russian spies hijacking its service, have been searching widely among customers’ computers for secret files, citing anonymous U.S. intelligence officials. Reuters has not verified such reports.

Kaspersky said he hoped to alleviate concerns about his company by opening up his source code for review by third parties in independently run centers, as well as by raising the maximum amount it offers for information about security flaws in its programs to $100,000.


Reporting by Joseph Menn in San Francisco; Additional reporting by Jack Stubbs in Moscow, Jim Finkle and Alastair Sharp in Toronto and Dustin Volz in Washington; Editing by Jonathan Weber and Bill Rigby

Russia’s Kaspersky to Allow Outside Review of Its Cybersecurity Software

October 23, 2017

Company hopes sharing source code will build trust after allegations its software helped Russia spy on Americans

Kaspersky Lab, the Moscow-based cybersecurity firm whose software U.S. officials suspect helped the Russian government spy on Americans, promised to make its source code available for an independent review.

The company said Monday the review is part of a “global transparency initiative” that it hopes will improve the trustworthiness of its products. It said it would hand over the source code for its software in the first quarter of next year but didn’t specify who would undertake the review or how widely the code would be…

https://www.wsj.com/articles/russian-cybersecurity-firm-kaspersky-to-make-source-code-available-for-review-1508756502

*****************************************************

Kaspersky fights spying claims with code review plan

October 23, 2017 — 0745


Russian cybersecurity software maker Kaspersky Labs has announced what it’s dubbing a “comprehensive transparency initiative” as the company seeks to beat back suspicion that its antivirus software has been hacked or penetrated by the Russian government and used as a route for scooping up US intelligence.

In a post on its website today the Moscow-based company has published a four point plan to try to win back customer trust, saying it will be submitting its source code for independent review, starting in Q1 2018. It hasn’t yet specified who will be conducting the review but says it will be “undertaken with an internationally recognized authority”.

It has also announced an independent review of its internal processes — aimed at verifying the “integrity of our solutions and processes”. And says it will also be establishing three “transparency centers” outside its home turf in the next three years — to enable “clients, government bodies and concerned organizations to review source code, update code and threat detection rules”.

It says the first center will be up and running in 2018, and all three will be live by 2020. The locations are listed generally as: Asia, Europe and the U.S.


Finally it’s also increasing its bug bounty rewards — saying it will pay up to $100K per discovered vulnerability in its main Kaspersky Lab products.

That’s a substantial ramping up of its current program which — as of April this year — could pay out up to $5,000 per discovered remote code execution bugs. (And, prior to that, up to $2,000 only.)

Kaspersky’s moves follow a ban announced by the US Department of Homeland Security on its software last month, citing concerns about ties between “certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks”.

The US Senate swiftly followed suit, voting to oust Kaspersky software from federal use. Three months earlier, the General Services Administration had also removed Kaspersky Lab from a list of approved federal vendors.

The extensive system-wide permissions of antivirus software could certainly make it an attractive target for government agents seeking to spy on adversaries and scoop up data, given the trust it demands of its users.

The WSJ has previously reported that Russian hackers working for the government were able to obtain classified documents from an NSA employee who had stored them on a personal computer that ran Kaspersky software.

Earlier this month CEO Eugene Kaspersky blogged at length — rebutting what he dubbed “false allegations in U.S. media”, and writing: “Our mission is to protect our users and their data. Surveillance, snooping, spying, eavesdropping… all that is done by espionage agencies (which we occasionally catch out and tell the world about), not us.”

We’re proud to keep on protecting people against all cyberthreats – no matter of false allegations in U.S. media https://kas.pr/x78t 


What’s going on?

I doubt you’ll have missed how over the last couple months our company has suffered an unrelenting negative-news campaign in the U.S. press.

eugene.kaspersky.com

But when your business relies so firmly on user trust — and is headquartered close to the Kremlin, to boot — words may evidently not be enough. Hence Kaspersky now announcing a raft of “transparency” actions.

Whether those actions will be enough to restore the confidence of US government agencies in Russian-built software is another matter though.

Kaspersky hasn’t yet named who its external reviewers will be, either. But reached for comment, a company spokeswoman told us: “We will announce selected partners shortly. Kaspersky Lab remains focused on finding independent experts with strong credentials in software security and assurance testing for cybersecurity products. Some recommended competencies include, but are not limited to, technical audits, code base reviews, vulnerability assessments, architectural risk analysis, secure development lifecycle process reviews, etc. Taking a multi-stakeholder approach, we welcome input and recommendations from interested parties at transparency@kaspersky.com.”

She also sent the following general company statement:

Kaspersky Lab was not involved in and does not possess any knowledge of the situation in question, and the company reiterates its willingness to work alongside U.S. authorities to address any concerns they may have about its products as well as its systems.

As there has not been any evidence presented, Kaspersky Lab cannot investigate these unsubstantiated claims, and if there is any indication that the company’s systems may have been exploited, we respectfully request relevant parties responsibly provide the company with verifiable information. It’s disappointing that these unverified claims continue to perpetuate the narrative of a company which, in its 20 year history, has never helped any government in the world with its cyberespionage efforts.

In addition, with regards to unverified assertions that this situation relates to Duqu2, a sophisticated cyber-attack of which Kaspersky Lab was not the only target, we are confident that we have identified and removed all of the infections that happened during that incident. Furthermore, Kaspersky Lab publicly reported the attack, and the company offered its assistance to affected or interested organisations to help mitigate this threat.

Contrary to erroneous reports, Kaspersky Lab technologies are designed and used for the sole purpose of detecting all kinds of threats, including nation-state sponsored malware, regardless of the origin or purpose. The company tracks more than 100 advanced persistent threat actors and operations, and for 20 years, Kaspersky Lab has been focused on protecting people and organisations from these cyberthreats — its headquarters’ location doesn’t change that mission.

“We want to show how we’re completely open and transparent. We’ve nothing to hide,” added Kaspersky in another statement.

Interestingly enough, the move is pushing in the opposite direction of US-based cybersecurity firm Symantec — which earlier this month announced it would no longer be allowing governments to review the source code of its software because of fears the agreements would compromise the security of its products.

Source: https://techcrunch.com/2017/10/23/kaspersky-fights-spying-claims-with-code-review-plan/

US agencies banned from using Russia’s Kaspersky software

September 14, 2017

Federal agencies in the US have 90 days to wipe Kaspersky software from their computers. Officials are concerned about the Russian company’s ties to the Kremlin and possible threats to national security.

Headquarters of Internet security giant Kaspersky in Moscow (Getty Images/AFP/K. Kudryavtsev)

The administration of US President Donald Trump has ordered government agencies to remove products made by Russian company Kaspersky Labs from their computers.

The Department of Homeland Security (DHS) said Wednesday it was concerned that the cybersecurity firm was susceptible to pressure from Moscow and thus a potential threat to national security.


DHS said in a statement that it was “concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies,” as well as Russian laws that might compel Kaspersky to hand over information to the government.

But the makers of the popular anti-virus software have said “no credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions.”

US tech retailer Best Buy confirmed earlier Wednesday that it would no longer sell Kaspersky products, but has declined to give further details on the decision.

Ties between Kaspersky, Kremlin ‘alarming’

Civilian government agencies have 90 days to completely remove Kaspersky software from their computers. The products have already been banned in the Pentagon.

US congressional leaders have applauded the move. Democratic Senator Jeanne Shaheen said the “strong ties between Kaspersky Lab and the Kremlin are alarming and well-documented,” and asked the DHS if the company’s products were used for any critical infrastructure, such as for voting systems, banks and energy supply.

Although Kaspersky Labs was founded by a KGB-trained entrepreneur, Eugene Kaspersky, and has done work for Russian intelligence, the company has repeatedly denied carrying out espionage on behalf of President Vladimir Putin and his government.

es/cmk (AP, Reuters)

http://www.dw.com/en/us-agencies-banned-from-using-russias-kaspersky-software/a-40500232

U.S. Senate moves to ban Moscow-based cybersecurity firm Kaspersky Lab over ties to Russia

June 29, 2017

The Hill


The Senate’s draft of the Department of Defense’s budget rules reveals a provision that would block the use of products from the Russian-based global cybersecurity firm Kaspersky Lab, citing concerns that the company “might be vulnerable to Russian government influence.”

Reuters reporter Dustin Volz first shared the news in a tweet Wednesday.

“BREAKING: Senate draft of [National Defense Authorization Act] bans use of Kaspersky products by [Department of Justice] due to reports company “might be vulnerable to Russian [government] influence,” Volz tweeted.

The decision to ban the products within the National Defense Authorization Act (NDAA), which specifies budget and expenditures for the Department of Defense, comes after the FBI visited the homes of at least 10 Kaspersky employees.

The investigative agency, however, has not yet contacted the company. While Kaspersky is based in Russia, the company has research centers around the world, including in the U.S.

“As a private company, Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyber espionage efforts,” the company said in a reissued statement.

“The company has a 20-year history in the IT security industry of always abiding by the highest ethical business practices, and Kaspersky Lab believes it is completely unacceptable that the company is being unjustly accused without any hard evidence to back up these false allegations,” the statement continued. “Kaspersky Lab is available to assist all concerned government organizations with any ongoing investigations, and the company ardently believes a deeper examination of Kaspersky Lab will confirm that these allegations are unfounded.”

Its founder, Eugene Kaspersky, has also offered to testify in front of Congress after NBC News reported that its employees were largely asked about the relationship between the U.S. and Russia.

http://thehill.com/homenews/senate/339981-senate-moves-to-ban-moscow-based-kaspersky-use-due-to-concerns-about-russian


New Threats Fuel Fears of Another Global Cyberattack

May 18, 2017

A new attack hit thousands of computers and a hacking group said it would release more attack software

Staff monitor the spread of ransomware cyberattacks at the Korea Internet and Security Agency in Seoul on May 15. Businesses and security experts fear more cyberattacks could be in the pipeline. PHOTO: YONHAP/AGENCE FRANCE-PRESSE/GETTY IMAGES

Updated May 17, 2017 8:01 p.m. ET

A new fast-spreading computer attack and a hacking group’s threat to release a fresh trove of stolen cyberweapons are fueling fears among businesses and security experts of another global technology assault.


The new attack, called Adylkuzz, follows last week’s WannaCry outbreak, which crippled computers in more than 100 countries over the weekend. Both attacks rely on a Windows bug that was patched on March 14 and only affect PCs that haven’t installed the latest version of Microsoft’s software updates. Unlike its predecessor, Adylkuzz doesn’t lock up computer screens; it slows down systems as it quietly steals processing power to generate a little-known digital currency called Monero.

Adylkuzz began spreading about two weeks ago and by Wednesday had infected more than 150,000 machines around the globe, according to Ryan Kalember, senior vice president with the security intelligence firm Proofpoint Inc. That is nearly the same count as WannaCry, which has largely stopped spreading, security experts said. Security company Kaspersky Lab ZAO pegged the number of Adylkuzz infections at just several thousand by Wednesday.

The news comes a day after a hacking group called the Shadow Brokers separately posted an internet message saying it would release a new trove of cyberattack tools next month. The group claimed to have software that would affect web browsers, routers, mobile phones and Microsoft Corp.’s Windows 10 operating system. Its first trove, which it and Microsoft said was stolen from the National Security Agency, was dumped last month and used by WannaCry.


A Microsoft spokeswoman said the company is aware of the new Shadow Brokers claim and that its security teams actively monitor for emerging threats. The NSA has declined to comment on the authenticity of the Shadow Brokers documents or the WannaCry attack.

The threats highlight the growing risks of global assaults for businesses and governments posed by a nexus of mysterious hackers and powerful, government-crafted cyberweapons.

“In a few years we’re going to be looking back and saying that 2017 was clearly a turning point,” said Edward Amoroso, the former security chief at AT&T Inc. “That’s when we started to see businesses affected. If your employees are coming in and they can’t work, that’s a big deal.”

For companies looking to protect their systems, security experts agree on one piece of advice: install patches to Windows software now.

Still, that may not be enough to stop the next attack. “There’s no wall you can build that’s high enough or deep enough to keep a dedicated adversary out,” said John Carlin, a former cybercrimes prosecutor at the Justice Department.

Larger companies will need to step up their security training, patching and planning, he says. Smaller mom-and-pop businesses may need to hand over security to companies that specialize in these services. “It’s crazy to expect a mom-and-pop to on their own have to deal with cybersecurity issues,” said Mr. Carlin, now the chair of the law firm Morrison & Foerster LLP’s global risk and crisis management practice.

A programmer shows a sample of decrypting source code in Taipei on May 13. PHOTO: RITCHIE B. TONGO/EPA

The scope and intensity of the WannaCry cyberattack will bring staffing, investment and policy under review, security chiefs and CIOs have said. Corporate computer security spending is expected to hit $90 billion world-wide this year, an increase of 7.6% from a year earlier, according to research firm Gartner Inc.

That increased spending has helped drive up share prices at security companies such as Rapid7 Inc., FireEye Inc. and Symantec Corp., all of which have seen shares rise by more than 25% this year.

The recent attacks were much more widespread in Russia, India, Ukraine and Taiwan, Kaspersky said. And while that may have prevented many U.S. companies from feeling the full brunt of the latest attacks, that comes as small consolation for local governments and small- or medium-size businesses that must defend against these threats with limited budgets. The attacks “just keep ratcheting up year after year,” said Dan Lohrmann, chief security officer with the training company Security Mentor Inc. and Michigan’s former chief security officer. “You think it can’t go any higher but every year it does.”

The Shadow Brokers’ release of what it says are U.S. government hacking tools comes after WikiLeaks in March published a cache of alleged Central Intelligence Agency cybersecrets, offering a window into a world where the research and development of computer attacks has become increasingly professionalized.

The stage for today’s cyberattacks was set more than a decade ago. In the mid-2000s, Microsoft, embarrassed by a series of computer worm and virus outbreaks, began to comb through its software for bugs and develop new coding techniques designed to thwart hackers. At the same time, hackers discovered they could command large fees for their work. Apple Inc., for example, pays $200,000 for details on the most severe bugs affecting its software. Government agencies and private corporations often pay more, especially if the research includes “exploit code” that can be used in an attack. Last year, the Federal Bureau of Investigation paid more than $1 million for a hacking tool that gave it access to the iPhone used by the gunman in the San Bernardino, Calif., attack.

These factors have slowed the flow of bugs and the tools that exploit them on public venues, where they were once freely—and more frequently—disclosed, said David Aitel, chief executive at Immunity Inc., a computer-security services company. “There’s a scarcity of high-quality attack tools,” he said.

But if companies thought the risk of attacks had evaporated, WannaCry served as a wake-up call. And the attack could have been much worse if it had made sensitive corporate information public, said Mr. Aitel, a former NSA analyst.

Recent events are “a taste of the kind of threats we may be facing going forward,” said Virginia Sen. Mark Warner, the top Democrat on the Senate Intelligence Committee, which oversees the nation’s spy agencies. “I’m not sure if the whole of government—or for that matter, the whole of society—is fully prepared.”

While few victims appear to have paid the $300 ransom WannaCry demanded from affected users, the software affected hundreds of thousands of systems, including networks at Renault SA and Britain’s public health service. It not only rendered computers unusable but deployed encryption to make data stored on them unreadable.

Another computer worm may soon appear, either based on the Shadow Brokers’ code used by WannaCry or similarly devastating code released by Shadow Brokers in April that was used on Microsoft’s Remote Desktop Protocol software, said Robert M. Lee, chief executive of security consultancy Dragos Inc.

And while it isn’t known yet how dangerous any new releases might be, “everything the Shadow Brokers have talked about leaking so far has been legitimate,” he said.

Microsoft, whose Windows software is the most frequent target of attacks, is calling on governments to report software flaws rather than stockpiling or exploiting them.

“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Brad Smith, the company’s top lawyer, wrote in a blog post Sunday.

Given the widespread use of these attacks, and the fact that nations such as North Korea are unlikely to abide by international cybersecurity conventions akin to those proposed by Microsoft, Immunity’s Mr. Aitel says such suggestions aren’t likely to be adopted. “No country on earth thinks this is a good idea,” he said.

Write to Robert McMillan at Robert.Mcmillan@wsj.com

Appeared in the May. 18, 2017, print edition as ‘Cyberthreats Breed Deep Unease.’

https://www.wsj.com/articles/new-threats-fuel-fears-of-another-global-cyberattack-1495042636

Researcher finds ‘kill switch’ for cyberattack ransomware — after cyberattacks wreak havoc globally

May 13, 2017

AFP

© AFP / by Kate BARTLETT | A cybersecurity researcher appears to have discovered a “kill switch” that can prevent the spread of the WannaCry ransomware — for now — that has caused the cyberattacks wreaking havoc globally

HONG KONG (AFP) – 

A cybersecurity researcher appears to have discovered a “kill switch” that can prevent the spread of the WannaCry ransomware — for now — that has caused the cyberattacks wreaking havoc globally, they told AFP Saturday.

The researcher, tweeting as @MalwareTechBlog, said the discovery was accidental, but that registering a domain name used by the malware stops it from spreading.

“Essentially they relied on a domain not being registered and by registering it, we stopped their malware spreading,” @MalwareTechBlog told AFP in a private message on Twitter.

The researcher warned however that people “need to update their systems ASAP” to avoid attack.

“The crisis isn’t over, they can always change the code and try again,” @MalwareTechBlog said.

Friday’s wave of cyberattacks, which affected dozens of countries, apparently exploited a flaw exposed in documents leaked from the US National Security Agency.

The attacks used a technique known as ransomware that locks users’ files unless they pay the attackers a designated sum in the virtual currency Bitcoin.

Affected by the onslaught were computer networks at hospitals in Britain, Russia’s interior ministry, the Spanish telecom giant Telefonica and the US delivery firm FedEx and many other organisations.

“I will confess that I was unaware registering the domain would stop the malware until after I registered it, so initially it was accidental,” @MalwareTechBlog tweeted.

Unfortunately however, computers already affected will not be helped by the solution.

“So long as the domain isn’t revoked, this particular strain will no longer cause harm, but patch your systems ASAP as they will try again.”
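The kill switch described above works because the worm checks whether a particular domain resolves before it spreads, so a host that performs that lookup has already executed the malware even if the registered domain stopped it from going further. A defender can therefore use DNS query logs to find machines that need triage and patching. The script below is an added example for this post, not code from AFP or @MalwareTechBlog: it parses constructed BIND-style query log lines and reports, per client IP, how many times the kill-switch domain was looked up and when it was first seen. The domain `killswitch-placeholder.example` is a placeholder, since the article does not name the real one, and the log format is an assumption.

```python
"""Find hosts that performed the WannaCry kill-switch DNS lookup.

Added example; not from the AFP article or the researcher. The kill-switch
domain and the log lines are constructed placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime

# Placeholder: substitute the domain named by your own threat-intel source.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Constructed BIND-style query log (not real traffic). One host queries the
# placeholder domain twice, another once in mixed case, and one line is junk.
SAMPLE_LOG = """\
13-May-2017 09:12:01.113 client 10.0.4.17#51234: query: www.example.org IN A + (10.0.0.53)
13-May-2017 09:12:03.557 client 10.0.4.17#51240: query: killswitch-placeholder.example IN A + (10.0.0.53)
13-May-2017 09:12:09.004 client 10.0.7.88#40022: query: updates.example.net IN A + (10.0.0.53)
13-May-2017 09:13:44.771 client 10.0.7.88#40031: query: KILLSWITCH-PLACEHOLDER.EXAMPLE IN A + (10.0.0.53)
13-May-2017 09:15:10.220 client 10.0.4.17#51301: query: killswitch-placeholder.example IN A + (10.0.0.53)
malformed line that should be skipped
"""

# Timestamp, client address, query name and type from a BIND query-log line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<ip>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype) or None for unparsable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    # DNS names are case-insensitive; normalise so mixed-case lookups still match.
    qname = m.group("qname").rstrip(".").lower()
    return ts, m.group("ip"), qname, m.group("qtype")


def find_kill_switch_lookups(log_text, domains=KILL_SWITCH_DOMAINS):
    """Map each client IP that queried a kill-switch domain to its hit count and first-seen time."""
    hits = defaultdict(lambda: {"count": 0, "first_seen": None})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, qname, _ = parsed
        if qname in domains:
            rec = hits[ip]
            rec["count"] += 1
            if rec["first_seen"] is None or ts < rec["first_seen"]:
                rec["first_seen"] = ts
    return dict(hits)


if __name__ == "__main__":
    for ip, rec in sorted(find_kill_switch_lookups(SAMPLE_LOG).items()):
        print(f"{ip}: {rec['count']} lookup(s), first seen {rec['first_seen'].isoformat()}")
```

Any host the script lists should be isolated, checked for the worm and patched regardless of whether the lookup succeeded: as the researcher notes above, the kill switch only holds while the domain stays registered, and a changed sample would not be stopped by it.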

The malware’s name is WCry, but analysts were also using variants such as WannaCry.

Forcepoint Security Labs said in a Friday statement that the attack had “global scope” and was affecting networks in Australia, Belgium, France, Germany, Italy and Mexico.

In the United States, FedEx acknowledged it had been hit by malware and was “implementing remediation steps as quickly as possible.”

Also badly hit was Britain’s National Health Service, which declared a “major incident” after the attack, which forced some hospitals to divert ambulances and scrap operations.

Pictures posted on social media showed screens of NHS computers with images demanding payment of $300 (275 euros) in Bitcoin, saying: “Ooops, your files have been encrypted!”

It demands payment in three days or the price is doubled, and if none is received in seven days, the files will be deleted, according to the screen message.

A hacking group called Shadow Brokers released the malware in April claiming to have discovered the flaw from the NSA, according to Kaspersky Lab, a Russian cybersecurity provider.

Kaspersky researcher Costin Raiu cited 45,000 attacks in 74 countries as of Friday evening.