An NSA-derived ransomware worm is shutting down computers worldwide


A highly virulent new strain of self-replicating ransomware shut down computers all over the world, in part by appropriating a National Security Agency exploit that was publicly released last month by the mysterious group calling itself Shadow Brokers.

The malware, known as Wanna, Wannacry, or Wcry, has infected at least 75,000 computers, according to antivirus provider Avast. AV provider Kaspersky Lab said organizations in at least 74 countries have been affected, with Russia hit disproportionately hard, followed by Ukraine, India, and Taiwan. Infections are also spreading through the United States. The malware is notable for its multilingual ransom demands, which support more than two dozen languages.

(credit: Kaspersky Lab)

Wcry is reportedly causing disruptions at banks, hospitals, telecommunications services, train stations, and other mission-critical organizations in multiple countries, including the UK, Spain, Germany, and Turkey. FedEx, the UK government's National Health Service, and Spanish telecom Telefonica have all been hit. The Spanish CERT has called it a "massive ransomware attack" that is encrypting all the files of entire networks and spreading laterally through organizations.


Foul-mouthed worm takes control of wireless ISPs around the globe

(credit: Rockydallas)

ISPs around the world are being attacked by self-replicating malware that can take complete control of widely used wireless networking equipment, according to reports from customers and a security researcher who is following the ongoing campaign.

San Jose, California-based Ubiquiti Networks confirmed on Friday that attackers are actively targeting a flaw in AirOS, the Linux-based firmware that runs the wireless routers, access points, and other gear sold by the company. The vulnerability, which allows attackers to gain access to the devices over HTTP and HTTPS connections without authenticating, was patched last July, but the fix wasn't widely installed. Many customers claimed they never received notification of the threat.

Nico Waisman, a researcher at security firm Immunity, said he knows of two Argentina-based ISPs that went dark for two days after being hit by the worm. He said he's seen credible reports of ISPs in Spain and Brazil being infected by the same malware and that it's likely that ISPs in the US and elsewhere were also hit, since the exploit has no geographic restrictions. Once successful, the exploit he examined replaces the password files of an infected device and then scans the network it's on for other vulnerable gear. After a certain amount of time, the worm resets infected devices to their factory default configurations, leaving behind only a backdoor account, and then disappears. Ubiquiti officials have said there are at least two variations, so it's possible that other strains behave differently.


Worm exploits nasty Shellshock bug to commandeer network storage systems

Criminal hackers are actively exploiting the critical Shellshock vulnerability to install a self-replicating backdoor on a popular line of storage systems, researchers have warned.

The malicious worm targets network-attached storage systems made by Taiwan-based QNAP, according to a blog post published Sunday by the SANS Institute. The underlying Shellshock attack code exploits a bug in GNU Bash that gives attackers the ability to run commands and code of their choice on vulnerable systems. QNAP engineers released an update in October that patches systems against the vulnerability, but the discovery of the worm in the wild suggests a significant portion of users have yet to apply it.

"The attack targets a QNAP CGI script, /cgi-bin/authLogin.cgi, a well-known vector for Shellshock on QNAP devices," Johannes B. Ullrich, dean of research at SANS, wrote. "This script is called during login, and reachable without authentication. The exploit is then used to launch a simple shell script that will download and execute a number of additional pieces of malware."
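Because the vulnerable CGI script is reachable before login, the most practical place for a defender to spot attempts is the web server's own access log. The following is an added example, not code from the article, SANS, or QNAP: it scans Apache combined-format log lines for the Shellshock function-definition marker (`() {`, which Bash parsed as a function body in the vulnerable versions) in the User-Agent, Referer, and request path, after URL-decoding each field, and flags whether the request went to the authLogin.cgi path named above. The log lines, the source addresses, and the log format are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in Apache "combined" format (assumed layout, not real traffic).
# The payload fields show the shape a Shellshock attempt takes in the User-Agent or Referer.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2014:03:14:07 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo shellshock-test"
198.51.100.9 - - [12/Dec/2014:03:14:09 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [12/Dec/2014:03:14:11 +0000] "GET /cgi-bin/authLogin.cgi HTTP/1.1" 200 512 "()%20%7B%20:;%7D;%20echo%20x" "curl/7.38.0"
192.0.2.4 - - [12/Dec/2014:03:15:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Bash function-definition prefix that triggers the Shellshock parser bug; whitespace is optional.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

# The QNAP script named in the SANS post; extend this tuple for other CGI endpoints you expose.
KNOWN_CGI_TARGETS = ('/cgi-bin/authlogin.cgi',)


def parse_line(line: str):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_shellshock_payload(value: str) -> bool:
    """True if the URL-decoded field contains the '() {' function-definition marker."""
    return bool(SHELLSHOCK_RE.search(unquote(value)))


def scan_log(text: str):
    """Scan log text and return one hit per request carrying a Shellshock marker."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed or non-combined lines rather than failing the scan
        # Check the header fields attackers control; the path is decoded too in case the
        # marker was placed in a query string.
        suspicious = [name for name in ('path', 'referer', 'ua')
                      if is_shellshock_payload(entry[name])]
        if suspicious:
            hits.append({
                'ip': entry['ip'],
                'timestamp': entry['ts'],
                'path': entry['path'],
                'fields': suspicious,
                'targets_known_cgi': unquote(entry['path']).split('?')[0].lower() in KNOWN_CGI_TARGETS,
            })
    return hits


def attempts_by_source(hits) -> dict:
    """Count flagged requests per source address, which is what you would feed to blocking or alerting."""
    counts = {}
    for h in hits:
        counts[h['ip']] = counts.get(h['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h['timestamp']} {h['ip']} -> {h['path']} via {','.join(h['fields'])}"
              f"{' [known CGI target]' if h['targets_known_cgi'] else ''}")
    print('attempts per source:', attempts_by_source(found))
```

The decoding step matters: the third sample line carries the same marker as the first but percent-encoded in the Referer, and a detector that only greps the raw line for `() {` misses it. Pairing the marker with the unauthenticated CGI path is what separates a generic Shellshock probe from an attempt at the specific vector the SANS post describes, so the per-source counts are a reasonable starting point for an alert on a NAS that has not yet been patched.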


Bizarre attack infects Linksys routers with self-replicating malware

Researchers say they have uncovered an ongoing attack that infects home and small-office wireless routers from Linksys with self-replicating malware, most likely by exploiting a code-execution vulnerability in the device firmware.

Johannes B. Ullrich, CTO of the SANS Institute, told Ars he has been able to confirm that the malicious worm has infected around 1,000 Linksys E1000, E1200, and E2400 routers, although the actual number of hijacked devices worldwide could be much higher. A blog post SANS published shortly after this article was posted expanded the range of vulnerable models to virtually the entire Linksys E product line. Once a device is compromised, it scans the Internet for other vulnerable devices to infect.

"We do not know for sure if there is a command and control channel yet," Ullrich wrote in the update. "But the worm appears to include strings that point to a command and control channel. The worm also includes basic HTML pages with images that look benign and more like a calling card. They include images based on the movie 'The Moon', which we used as a name for the worm."
