Lada Ray~ Why Haven’t USA/West Collapsed Yet?
COPYRIGHT NOTICE! ALL EARTH SHIFT WEBINARS, ESW2 INVERTED COLLAPSE, and THIS VIDEO are Copyright Lada Ray, 2017. All rights reserved.
WikiLeaks has published a new batch of the ongoing Vault 7 leak, this time unveiling classified malware, codenamed ELSA, that tracks the geolocation of targeted PCs and laptops running the Microsoft Windows operating system.
In short, the malware does this by recording the identifiers of nearby Wi-Fi access points (any visible access point, not only public hotspots) and later matching them against global databases of access-point locations.
Here’s How the CIA’s ELSA Malware Works
The ELSA implant is first installed on a targeted Wi-Fi-enabled machine using separate CIA exploits that provide persistent access to the device.
The malware then uses the infected computer’s Wi-Fi hardware to scan for visible access points (APs) at regular intervals and records each AP’s ESSID (Extended Service Set Identifier, the IEEE 802.11 network name), MAC address (BSSID) and signal strength.
This collection does not require the targeted computer to be connected to the Internet; it only requires that the malware is running on a device with Wi-Fi enabled.
“If [the target device] is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp,” WikiLeaks notes.
The collected information is stored on the targeted device in encrypted form for later exfiltration.
ELSA itself does not beacon (transfer) this data to an agency server. Instead, the operator (the CIA hacker) downloads the encrypted log files from the device using separate CIA exploits and backdoors.
The operator then decrypts the log files and performs further analysis on the target.
Finally, back-end software matches the access-point data from the exfiltrated logs against public geolocation databases (from Google and Microsoft) to determine the target’s position, including for scans taken while the device was offline.
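The back-end matching step above, as an added example that is not part of the leak or of WikiLeaks’ description of ELSA: it builds a Wi-Fi lookup request in the JSON shape the Google Geolocation API accepts, then resolves a constructed scan against a constructed local stand-in for an AP-location database using a signal-weighted centroid. The scan records, the database entries, the function names and the weighting scheme are all this example’s own assumptions, not anything ELSA is documented to do.

```python
"""Added example (not ELSA code): offline resolution of a Wi-Fi scan to a
position. The scan records and the access-point database are constructed
stand-ins; the function names and the weighting scheme are the example's own."""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class APObservation:
    essid: str      # network name broadcast by the AP
    bssid: str      # AP MAC address, the key used by geolocation databases
    rssi_dbm: int   # signal strength in dBm; closer to 0 means stronger


# Constructed scan, standing in for one timestamped record of an ELSA-style log.
SAMPLE_SCAN: List[APObservation] = [
    APObservation("CoffeeShop-Guest", "00:11:22:33:44:55", -45),
    APObservation("HomeNet-2G", "66:77:88:99:aa:bb", -70),
    APObservation("Printer-Setup", "cc:dd:ee:ff:00:11", -85),  # not in the DB
]

# Constructed stand-in for a public AP-location database: BSSID -> (lat, lon).
LOCAL_AP_DB: Dict[str, Tuple[float, float]] = {
    "00:11:22:33:44:55": (52.5200, 13.4050),
    "66:77:88:99:aa:bb": (52.5210, 13.4070),
}


def build_geolocation_request(scan: List[APObservation]) -> dict:
    """Shape of the JSON body the Google Geolocation API accepts for Wi-Fi
    lookups: APs keyed by MAC address with signal strength in dBm.
    considerIp=False asks the service to ignore the caller's IP address, so the
    scan alone (not the connection used to submit it) positions the device."""
    return {
        "considerIp": False,
        "wifiAccessPoints": [
            {"macAddress": ap.bssid, "signalStrength": ap.rssi_dbm}
            for ap in scan
        ],
    }


def rssi_weight(rssi_dbm: int) -> float:
    """Convert dBm to linear milliwatts so a nearby, strong AP dominates."""
    return 10 ** (rssi_dbm / 10.0)


def resolve_position(scan: List[APObservation],
                     ap_db: Dict[str, Tuple[float, float]]
                     ) -> Optional[Tuple[float, float, int]]:
    """Signal-weighted centroid of the known APs' locations.
    Returns (lat, lon, number_of_matched_aps) or None if nothing matched."""
    matched = [(ap, ap_db[ap.bssid]) for ap in scan if ap.bssid in ap_db]
    if not matched:
        return None
    total = sum(rssi_weight(ap.rssi_dbm) for ap, _ in matched)
    lat = sum(rssi_weight(ap.rssi_dbm) * loc[0] for ap, loc in matched) / total
    lon = sum(rssi_weight(ap.rssi_dbm) * loc[1] for ap, loc in matched) / total
    return round(lat, 6), round(lon, 6), len(matched)


if __name__ == "__main__":
    print(json.dumps(build_geolocation_request(SAMPLE_SCAN), indent=2))
    print(resolve_position(SAMPLE_SCAN, LOCAL_AP_DB))
```

Unknown BSSIDs are simply dropped, and the strongest known AP pulls the estimate toward itself; a single matched AP still yields that AP’s coordinates, which is why even one recognisable neighbour is enough to place a machine that has never been online.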
Previous Vault 7 CIA Leaks
Last week, WikiLeaks dumped an alleged CIA tool suite for Microsoft Windows, dubbed Brutal Kangaroo, that targets closed networks or air-gapped computers within an organization or enterprise without requiring any direct access.
Since March, the whistleblowing group has published 12 batches of the “Vault 7” series, including this week’s and last week’s leaks along with the following:
- Cherry Blossom – a CIA framework, essentially a remotely controllable firmware implant, used to monitor the Internet activity of targeted systems by exploiting vulnerabilities in Wi-Fi devices.
- Pandemic – a CIA project that turns Windows file servers into covert attack machines that silently infect other computers of interest inside a targeted network.
- Athena – a CIA spyware framework designed to take full remote control of infected Windows PCs, working against every version of Windows from XP to 10.
- AfterMidnight and Assassin – two apparent CIA malware frameworks for Windows designed to monitor and report actions on the infected host and to execute malicious actions.
- Archimedes – A man-in-the-middle attack tool allegedly developed by the agency to target computers inside a Local Area Network (LAN).
- Scribbles – Software supposedly designed to embed ‘web beacons’ into confidential documents, allowing the CIA to track insiders and whistleblowers.
- Grasshopper – A framework that allowed the CIA to easily create custom malware for breaking into Microsoft’s Windows and bypassing antivirus protection.
- Marble – Disclosed the source code of a secret anti-forensic framework used by the agency to hide the actual source of its malware.
- Dark Matter – Hacking exploits the CIA designed to target iPhones and Macs.
- Weeping Angel – Spying tool used by the spy agency to infiltrate smart TV’s, transforming them into covert microphones.
- Year Zero – CIA hacking exploits for popular hardware and software.
The Shadow Brokers, the notorious hacking group that leaked US cyberweapons later abused by the WannaCry and Petya/NotPetya ransomware outbreaks, has now threatened to unmask the identity of a former NSA hacker.
Besides this, the group has doubled the price of its monthly subscription to NSA-built hacking tools and zero-day exploits from 100 ZEC (Zcash) to 200 ZEC, around $64,400 at the time.
It has also announced a VIP service for subscribers who want to put questions to the group about the leaked tools and exploits.
Last month, the Shadow Brokers announced that from June 2017 it would release further NSA-developed zero-day exploits and hacking tools every month, but only to paying members who subscribe for exclusive access to future leaks.
The June dump cost 100 ZEC; citing growth in the number of subscribers this month, the group said it is raising the price for next month’s subscription.
Threatens to Unmask Equation Group Hacker
In typically broken English, the mysterious hacking group threatened to unmask a former member of the NSA’s elite hacking group called Equation Group, who developed several hacking tools to break into Chinese organizations.
The Shadow Brokers did not reveal much about the former Equation Group member, except that the person is living in Hawaii and currently a “co-founder of a new security company and is having much venture capital.”
“TheShadowBrokers is having special invitation message for ‘doctor’ person theshadowbrokers is meeting on Twitter. ‘Doctor’ person is writing ugly tweets to theshadowbrokers,” the group said. “Then doctor person is deleting ugly tweets, maybe too much drinking and tweeting?”
“TheShadowBrokers is hoping ‘doctor’ person is deciding to subscribe to dump service in July. If theshadowbrokers is not seeing subscription payment with corporate email address of email@example.com then theshadowbrokers might be taking tweets personally and dumping data of ‘doctor’ persons hacks of China with real id and security company name.”
Well, that’s enough of a threat.
With June coming to an end, subscribers who paid in June should start receiving zero-day exploits and hacking tools in the first week of July.
Although what the June dump would contain is not clear at the moment, the group’s last announcement claimed that the upcoming data dump would include:
- Compromised data from banks and Swift providers.
- Exploits for operating systems, including Windows 10.
- Exploits for web browsers, routers, and smartphones.
- Stolen network information from Russian, Chinese, Iranian, and North Korean nuclear missile programs.
A critical vulnerability has been discovered in Skype, Microsoft’s popular free messaging and voice-calling service, that could allow attackers to remotely execute malicious code and crash systems.
Skype is a free online service that allows users to communicate with peers by voice, video, and instant messaging over the Internet. The service was acquired by Microsoft Corporation in May 2011 for US$8.5 Billion due to its worldwide popularity.
Security researcher Benjamin Kunz-Mejri from Germany-based security firm Vulnerability Lab discovered the previously unknown stack buffer overflow, tracked as CVE-2017-9948, in Skype’s messaging and call service during a team conference call.
“The issue can be exploited remotely via session or by local interaction. The problem is located in the print clipboard format & cache transmit via remote session on Windows XP, Windows 7, Windows 8 and Windows 10. In Skype v7.37 the vulnerability is patched,” the security firm wrote.
No User Interaction Needed
Worse, the stack buffer overflow requires no user interaction and only a low-privilege Skype user account.
An attacker can thus remotely crash the application “with an unexpected exception error, to overwrite the active process registers,” or even execute malicious code on a target system running a vulnerable Skype version.
The issue lies in how Skype uses the ‘MSFTEDIT.DLL’ library when handling a copy request on local systems.
Here’s How Attackers can Exploit this Flaw
According to the vulnerability report, attackers can craft a malicious image file, copy it to the clipboard and paste it into a conversation window in the Skype application.
“The limitation of the transmitted size and count for images via print of the remote session clipboard has no secure limitations or restrictions. Attackers [can] crash the software with one request to overwrite the EIP register of the active software process,” the researchers from Vulnerability Lab say.
“Thus allows local or remote attackers to execute own codes on the affected and connected computer systems via the Skype software,” they added.
Proof-of-Concept Code Released
The security firm has also provided proof-of-concept (PoC) exploit code that you can use to test the flaw.
Vulnerability Lab reported the flaw to Microsoft on 16th May, and Microsoft fixed the issue and rolled out a patch on 8 June in Skype version 7.37.178.
If you use Skype, make sure you are running the latest version of the application to protect yourself from attacks based on this vulnerability.
Cybereason security researcher Amit Serper has found a way to prevent the Petya (NotPetya/SortaPetya/Petna) ransomware from infecting computers.
The ransomware has been wreaking havoc across the globe today, encrypting the disk’s master file table (MFT) and overwriting the master boot record (MBR) so that computers can no longer boot. Short of paying the ransom (which is now pointless and not recommended), victims have had no way to recover their systems.
In the first hours of the attack, researchers believed this was a new version of an older threat called Petya, but they later discovered that it was a new strain altogether that merely borrowed some code from Petya, which is why they started calling it NotPetya, Petna, or, as we like to call it, SortaPetya.
Researchers flocked to find killswitch mechanism
Because of the ransomware’s global outreach, many researchers flocked to analyze it, hoping to find a loophole in its encryption or a killswitch domain that would stop it from spreading, similar to WannaCry.
While analyzing the ransomware’s inner workings, Serper was the first to discover that NotPetya would search for a local file and would exit its encryption routine if that file already existed on disk.
This means victims can create that file on their PCs, set it to read-only, and block the NotPetya ransomware from executing.
This method does prevent the ransomware from running, but it is a vaccination rather than a kill switch: every computer must be vaccinated individually, whereas a single switch (in WannaCry’s case a domain check) stops all infections globally once it is flipped.
How to Enable the NotPetya/Petna/Petya Vaccine
To vaccinate your computer against the current strain of NotPetya/Petya/Petna (yes, the naming is annoying), simply create a file called perfc (no extension) in the C:\Windows folder and make it read-only. For those who want a quick and easy way to perform this task, Lawrence Abrams has created a batch file that does it for you.
Please note that the batch file will also create two additional vaccination files called perfc.dat and perfc.dll. While my tests did not indicate that these additional files are needed, I added them for thoroughness based on the replies to this tweet.
This batch file can be found at: https://download.bleepingcomputer.com/bats/nopetyavac.bat
For those who wish to vaccinate their computer manually, you can do so using the following steps. Please note that these steps are being created to make it as easy as possible for those with little computer experience. For those who have greater experience, you can do it in quite a few, and probably better, ways.
First, configure Windows to show file extensions. For those who do not know how to do this, you can use this guide. Just make sure the Folder Options setting for Hide extensions for known file types is unchecked like below.
Once you have enabled the viewing of extensions, which you should always have enabled, open up the C:\Windows folder. Once the folder is open, scroll down till you see the notepad.exe program.
Once you see the notepad.exe program, left-click on it once so it is highlighted, then press Ctrl+C to copy and Ctrl+V to paste it. When you paste, you will receive a prompt asking you to grant permission to copy the file.
Press the Continue button and the file will be created as notepad – Copy.exe. Left click on this file and press the F2 key on your keyboard and now erase the notepad – Copy.exe file name and type perfc as shown below.
Once the filename has been changed to perfc, press Enter on your keyboard. You will now receive a prompt asking if you are sure you wish to rename it.
Click on the Yes button. Windows will once again ask for permission to rename a file in that folder. Click on the Continue button.
Now that the perfc file has been created, we now need to make it read only. To do that, right-click on the file and select Properties as shown below.
The properties menu for this file will now open. At the bottom will be a checkbox labeled Read-only. Put a checkmark in it as shown in the image below.
Now click on the Apply button and then the OK button. The properties Window should now close. While in my tests, the C:\windows\perfc file is all I needed to vaccinate my computer, it has also been suggested that you create C:\Windows\perfc.dat and C:\Windows\perfc.dll to be thorough. You can redo these steps for those vaccination files as well.
Your computer should now be vaccinated against the NotPetya/SortaPetya/Petya Ransomware.
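The whole procedure above as a script, an added example that is neither the Bleeping Computer batch file (nopetyavac.bat) nor anything from Cybereason: it creates perfc, perfc.dat and perfc.dll in the Windows folder if they are missing, sets them read-only and verifies the result, so it can be run repeatedly from a deployment tool without error. The function names, the directory handling and the throwaway demo directory are this example’s own assumptions; an administrator would more likely push the same three steps as a batch or PowerShell script.

```python
"""Added example, not the Bleeping Computer batch file: create the NotPetya
vaccine files read-only, idempotently, and verify them. Function names and
the demo directory are the example's own."""
import os
import stat
import tempfile
from typing import Dict, List

VACCINE_NAMES = ("perfc", "perfc.dat", "perfc.dll")

# Where the real vaccine goes on Windows; a throwaway directory is used for a dry run.
WINDOWS_DIR = os.environ.get("SystemRoot", r"C:\Windows")
DEMO_DIR = os.path.join(tempfile.gettempdir(), f"notpetya_vaccine_demo_{os.getpid()}")


def vaccine_paths(target_dir: str) -> List[str]:
    return [os.path.join(target_dir, name) for name in VACCINE_NAMES]


def is_read_only(path: str) -> bool:
    """True when the file is readable and the owner write bit is clear. On
    Windows, os.chmod without S_IWRITE sets FILE_ATTRIBUTE_READONLY and
    st_mode reflects that; on POSIX it is the plain permission bit."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & stat.S_IREAD) and not bool(mode & stat.S_IWRITE)


def vaccinate(target_dir: str) -> Dict[str, str]:
    """Create each vaccine file if it is missing and mark all of them read-only.
    Returns name -> "created" or "exists" so a deployment job can log the outcome."""
    os.makedirs(target_dir, exist_ok=True)  # no-op for an existing C:\Windows
    outcome: Dict[str, str] = {}
    for name, path in zip(VACCINE_NAMES, vaccine_paths(target_dir)):
        if os.path.exists(path):
            outcome[name] = "exists"
        else:
            # An empty file suffices: the article describes an existence check,
            # not a content check, so no particular bytes are needed.
            with open(path, "wb"):
                pass
            outcome[name] = "created"
        # Read-only is belt and braces against the file being casually removed.
        os.chmod(path, stat.S_IREAD)
    return outcome


def verify(target_dir: str) -> bool:
    """All three files present and read-only."""
    return all(os.path.isfile(p) and is_read_only(p) for p in vaccine_paths(target_dir))


if __name__ == "__main__":
    target = WINDOWS_DIR if os.name == "nt" else DEMO_DIR
    print(vaccinate(target))
    print("vaccinated:", verify(target))
```

Run it as an administrator on Windows so the files can be created under C:\Windows; on any other system it only exercises the demo directory. A second run reports every file as "exists" and leaves it untouched, which is what you want from a script pushed out by scheduled task or GPO.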
Additional reporting by Lawrence Abrams.
6/28/17 8:26AM EST: This article has been updated to clarify in more detail how the batch script works
Watch out, readers: it is ransomware again, another WannaCry-style wide-spread attack.
The WannaCry ransomware is not dead yet, and another large-scale ransomware attack is causing chaos worldwide, shutting down computers at corporations, power suppliers and banks across Russia, Ukraine, Spain, France, the UK, India and the rest of Europe, and demanding $300 in bitcoin.
According to multiple sources, a new variant of the Petya ransomware, also known as Petwrap, is spreading rapidly with the help of the same Windows SMBv1 vulnerability that WannaCry abused to infect 300,000 systems and servers worldwide in just 72 hours last month.
“Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC. That’s why patched systems can get hit,” confirmed Mikko Hypponen, Chief Research Officer at F-Secure.
Petya is a nasty piece of ransomware that works differently from most other ransomware. Unlike traditional ransomware, its main damage does not come from encrypting files on the targeted system one by one (although later analysis showed that this variant does also encrypt files of selected types in user mode before the reboot).
Instead, Petya reboots the victim’s computer and encrypts the hard drive’s master file table (MFT), the index of file names, sizes and locations on the physical disk, and renders the master boot record (MBR) inoperable, so that the whole system becomes inaccessible.
Petya replaces the computer’s MBR with its own malicious code that displays the ransom note and leaves the computer unable to boot.
Don’t Pay the Ransom, You Won’t Get Your Files Back
Infected users are advised not to pay the ransom, because the attackers behind Petya can no longer receive email from victims. Later analysis also showed that the “installation key” shown in the ransom note is random data, so the attackers could not have derived a decryption key from it even if they had wanted to.
Posteo, the German email provider, has suspended the email address firstname.lastname@example.org, which the criminals were using to communicate with victims and send decryption keys after receiving the ransom.
At the time of writing, 23 victims have paid in Bitcoin to ‘1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX‘ address for decrypting their files infected by Petya, which total roughly $6775.
Petya! Petya! Another Worldwide Ransomware Attack
Screenshots of the latest Petya infection shared on Twitter show that the ransomware displays a note demanding $300 worth of bitcoin. Here is what the note says:
“If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”
According to a recent VirusTotal scan, currently, only 16 out of 61 anti-virus services are successfully detecting the Petya ransomware malware.
Petya Ransomware Hits Banks, Telecom, Businesses & Power Companies
[Image: Supermarket in Kharkiv, East Ukraine]
In the past few hours, Petya ransomware has infected the Russian state-owned oil giant Rosneft and the Ukrainian state electricity suppliers Kyivenergo and Ukrenergo.
“We were attacked. Two hours ago, we had to turn off all our computers. We are waiting for permission from Ukraine’s Security Service (SBU) to switch them back on,” Kyivenergo’s press service said.
There are reports from several banks, including National Bank of Ukraine (NBU) and Oschadbank, as well as other companies confirming they have been hit by the Petya ransomware attacks.
“We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently assessing the situation. The safety of our employees, our operations and customers’ business is our top priority. We will update when we have more information,” the company said.
The ransomware has also hit multiple workstations at the Ukrainian branch of the mining company Evraz.
Three Ukrainian telecommunication operators, Kyivstar, LifeCell, Ukrtelecom, are also affected in the latest Petya attack.
How Is Petya Ransomware Spreading So Fast?
Symantec has also confirmed that Petya uses the EternalBlue SMBv1 exploit, just like WannaCry, taking advantage of unpatched Windows machines.
“Petya ransomware successful in spreading because it combines both a client-side attack (CVE-2017-0199) and a network based threat (MS17-010),” security researcher using Twitter handle HackerFantastic tweeted.
EternalBlue is a Windows SMB exploit leaked by the infamous hacking group Shadow Brokers in its April data dump, who claimed to have stolen it from the US intelligence agency NSA, along with other Windows exploits.
Microsoft has since patched the vulnerability for all versions of Windows operating systems, but many users remain vulnerable, and a string of malware variants are exploiting the flaw to deliver ransomware and mine cryptocurrency.
Just three days ago, we reported about the latest WannaCry attack that hit Honda Motor Company and around 55 speed and traffic light cameras in Japan and Australia, respectively.
It is surprising that even after knowing about the WannaCry issue for a decent amount of time, large corporations have still not implemented proper security measures to defend against this kind of threat.
How to Protect Yourself from Ransomware Attacks
Since Petya also uses the WMIC and PsExec tools to infect fully patched Windows computers, you are also advised to disable WMIC (Windows Management Instrumentation Command-line). Note that both tools need valid administrative credentials on the target and reach it over SMB, so limiting where administrative credentials are used and blocking SMB (port 445) between workstations cuts off this path as well, whether or not MS17-010 has been applied.
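Detection logic for the spread path described here (WMIC and PsExec remote execution), as an added example that is not from the article or from any vendor: it runs four pattern rules over constructed Sysmon/4688-style process-creation records and lists the hosts where more than one rule fired. The rundll32 perfc.dat,#1 and schtasks forced-reboot patterns follow public incident write-ups of this outbreak; the event records, field names and rule names are the example’s own, and the PsExec rule also catches the renamed copy (dllhost.dat) reported in those write-ups.

```python
"""Added example, not from the article: flag the lateral-movement commands this
outbreak is reported to use in process-creation events. The events are
constructed Sysmon/4688-style records; field and rule names are the example's own."""
import re
from typing import Callable, Dict, List, Set, Tuple


def _has(pattern: str) -> Callable[[str], bool]:
    """Build a case-insensitive, dot-matches-newline predicate over a command line."""
    rx = re.compile(pattern, re.I | re.S)
    return lambda cmd: rx.search(cmd) is not None


def _psexec(cmd: str) -> bool:
    """PsExec by the service it installs, or by its -accepteula switch plus a UNC
    target, which also catches the renamed copy (dllhost.dat) used in this outbreak."""
    low = cmd.lower()
    return "psexesvc.exe" in low or ("-accepteula" in low and "\\\\" in cmd)


# Rule name -> predicate over the command line.
RULES: List[Tuple[str, Callable[[str], bool]]] = [
    ("wmic_remote_process_create",
     _has(r"wmic(\.exe)?\b.*/node:.*process\s+call\s+create")),
    ("psexec_remote_exec", _psexec),
    # The DLL is launched by ordinal: rundll32 perfc.dat,#1 <minutes until reboot>
    ("rundll32_perfc_ordinal", _has(r"rundll32(\.exe)?\b.*perfc\.dat\W{0,3}#1")),
    # Forced reboot scheduled to trigger the MBR-stage encryption.
    ("scheduled_forced_reboot",
     _has(r"schtasks\b.*/create.*shutdown(\.exe)?\s+/r\s+/f")),
]

# Constructed events (not real telemetry): one benign, the rest modelled on the outbreak.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"host": "FIN-WS01", "user": "CORP\\alice",
     "cmdline": r'wmic /node:"10.0.5.17" /user:"CORP\svc_admin" /password:"p@ss" '
                r'process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1 60"'},
    {"host": "FIN-WS01", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1 60"},
    {"host": "FIN-WS01", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": r'schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 14:35'},
    {"host": "HR-WS07", "user": "CORP\\bob",
     "cmdline": r"notepad.exe C:\Users\bob\notes.txt"},
    {"host": "FIN-WS02", "user": "CORP\\svc_admin",
     "cmdline": r"C:\Windows\dllhost.dat \\10.0.5.18 -accepteula -s -d "
                r"C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1 60"},
]


def scan_events(events: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """One alert per (event, rule) match: (host, user, rule, cmdline)."""
    alerts = []
    for ev in events:
        for name, matches in RULES:
            if matches(ev["cmdline"]):
                alerts.append((ev["host"], ev["user"], name, ev["cmdline"]))
    return alerts


def hosts_to_isolate(alerts: List[Tuple[str, str, str, str]], min_rules: int = 2) -> List[str]:
    """Hosts where at least min_rules distinct rules fired. Remote execution plus
    a perfc.dat load, or a perfc.dat load plus a forced reboot, is a far stronger
    signal than any one command, which administrators also run legitimately."""
    by_host: Dict[str, Set[str]] = {}
    for host, _, rule, _ in alerts:
        by_host.setdefault(host, set()).add(rule)
    return sorted(h for h, rules in by_host.items() if len(rules) >= min_rules)


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for host, user, rule, cmd in found:
        print(f"{host:9} {rule:28} {user:22} {cmd[:60]}")
    print("isolate:", hosts_to_isolate(found))
```

The WMIC rule deliberately requires /node: together with process call create, so routine local inventory queries (wmic process list) do not fire; the grouping by host is what turns noisy single-command matches into an actionable isolation list.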
Prevent Infection & Petya Kill-Switch
Researchers found that Petya only encrypts the system after the computer reboots. So if your system is infected and it tries to restart, do not power it back on.
“If machine reboots and you see this message, power off immediately! This is the encryption process. If you do not power on, files are fine.” HackerFantastic tweeted. “Use a LiveCD or external machine to recover files“
PT Security and Amit Serper of Cybereason have found a vaccine for the Petya ransomware (widely, if loosely, called a kill switch). In a tweet, the company advised users to create the file “C:\Windows\perfc” to prevent infection.
To safeguard against any ransomware infection, always be suspicious of unsolicited files and documents sent by email, and never click on links inside them without verifying the source.
To keep a tight grip on your valuable data, keep a good backup routine that copies it to an external storage device that is not always connected to your PC.
Moreover, run a good and effective antivirus suite on your system, keep it up to date, and browse the Internet with care.