Security Alerts

  • Greek-Turkish cyberwarfare!
    06 Jul 2017
    The now well-known hacking team Turk Hack Team has carried out many attacks in Turkish cyberspace. Now they are also targeting the Greeks!!!
    The first web defacement attacks have already taken place on Greek sites, resulting in the loss of confidential information (names, e-mails, phone numbers, occupational status of employees, etc.) of educational institutions and government organizations.
    The result of the above is the Greek response: hackers attacked Turkish sites and leaked confidential information.
    Characteristically, Greek Anonymous are asking the Turkish hackers to stop the attacks, indicating that they hold government databases. As they say, they have also gained access to Turkish cameras, and have already released a demo video as proof of their actions.

    We inform you that our company, through its WAF as a Service and Real Threat Management 24x7 services, provides the necessary site protection mechanisms.

    For more information, please call +30 210 9203300 or email n.kladakis@netbull.gr
  • New large-scale cyber attack
    27 Jun 2017
    A large-scale ransomware cyber attack is currently taking place in Europe, having hit hundreds of businesses and other organizations, including banks, construction companies and other industries, as well as Boryspil Airport in Kiev. In Ukraine, several infection incidents have been recorded; a "hit" also took place against the country's electricity provider, Ukrenergo, which left 230,000 people in the country without electricity for about six hours!
    Incidents are also reported in the Netherlands, and the shipping company Maersk has confirmed that several of its online infrastructures have been shut down. Similar announcements were made by Rosneft, an oil company in Russia.
    According to a Kaspersky Lab researcher, the attack is based on the Petwrap malware, a variant of the Petya ransomware, which was discovered last March. What makes the situation extremely worrying is that so far it is not clear how exactly the infection is transmitted. It cannot be ruled out, however, that it relies on the known exploit used by WannaCry, which exploits an unpatched vulnerability of the SMB protocol.
    The creators of the ransomware have not been identified, but their goal is to collect a ransom to "free" infected systems. They demand $300 from each victim.

    The following actions are proposed:
     
    • User awareness: do not open attachments from unknown senders
    • Update the antivirus
    • Update the Intrusion Prevention System
    Our analysts are already alert and monitor any suspicious activity.
  • Subtitles: The new backdoor
    12 Jun 2017
    New way of invading computers!
    Hackers can now attack a computer using malicious code embedded in movie subtitles that users download unsuspectingly. The attack relies on the subtitle processing of media player software and on the large number of subtitle formats (> 20). Each format has unique features and capabilities that can be exploited by a hacker.
    Playback programs such as Kodi.tv and VLC are used by hackers as an entry point. The attack takes place when the user downloads and loads the infected subtitle file, allowing the hacker to gain access to the computer or to any IoT device running the player.
     
    To counter the attack, we suggest:
     
    • Upgrading the Player Software to the latest version.
    • Updating the IPS subsystem, to prevent this attack.
    • Monitoring and security incidents management through Netbull Managed Threat Defense Services.
  • New Wave of Attacks?
    02 Jun 2017
    After "WannaCry" comes "EsteemAudit", which exploits a vulnerability in the Remote Desktop protocol (port 3389) of Windows XP and Windows Server 2003, which are no longer supported by Microsoft.
    The well-known ShadowBrokers group says that "EsteemAudit", as well as "EnglishmanDentist" and "ExplodingCan", pose a significant risk to these systems, because the appropriate patches that would make them safe have not yet been created.

    To counter the attack, we suggest:
     
    • Update the IPS service (Checkpoint Reference: CPAI-2017-0424, Date Published: 18 May 2017) to the latest version, in prevent mode.
    • Disable the RDP service, if possible.
    • Real-time 24x7 monitoring for Remote Desktop attacks exploiting the inter-chunk heap overflow vulnerability.
    Our company, as part of customer protection, has already upgraded its IPS systems and created the appropriate signature on the security incident management platform, to immediately detect traces of the attack.
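    The following script is an added example, not Netbull's code, for the second recommendation above (disabling Remote Desktop where possible). It reports whether Remote Desktop is enabled in the registry and whether anything is listening on the configured RDP port, and with -Disable it refuses new connections and closes the port at the host firewall. It assumes an elevated PowerShell session and deliberately uses only the registry provider, netstat and the legacy netsh firewall syntax, so that it also runs on PowerShell 2.0 hosts such as Windows XP / Server 2003, which lack the NetTCPIP cmdlets.

```powershell
# Added example (not Netbull's code): audit, and optionally disable, Remote Desktop
# on a Windows host. Assumes an elevated session; PowerShell 2.0 compatible.
param([switch] $Disable)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = Join-Path $tsKey 'WinStations\RDP-Tcp'

# fDenyTSConnections = 1 means Remote Desktop connections are refused.
# A missing value is treated here as "not denied" so that it is still reported.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections

# The listener port can be changed from the default 3389 via PortNumber.
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
if (-not $port) { $port = 3389 }

# Parse netstat output instead of Get-NetTCPConnection for XP/2003 compatibility.
$listening = netstat -ano | Where-Object { $_ -match "TCP\s+\S+:$port\s+\S+\s+LISTENING" }

$status = New-Object PSObject -Property @{
    RdpEnabledInRegistry = ($deny -ne 1)
    ListeningPort        = $port
    ListenerPresent      = [bool]$listening
    Listeners            = @($listening | ForEach-Object { $_.Trim() })
}
$status | Format-List RdpEnabledInRegistry, ListeningPort, ListenerPresent, Listeners

if ($Disable) {
    # Refuse new RDP connections; this takes effect without a reboot.
    Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord

    # Prevent the Terminal Services service from starting again. On some server
    # editions the running service cannot be stopped, but connections are still
    # refused by the registry setting above.
    Set-Service -Name TermService -StartupType Disabled -ErrorAction SilentlyContinue

    # Close the port at the host firewall (legacy syntax valid on XP SP2+ / 2003 SP1+).
    netsh firewall set portopening protocol=TCP port=$port mode=DISABLE | Out-Null

    Write-Output "Remote Desktop disabled; TCP port $port closed at the host firewall."
}
```

    Run it without arguments first to see the current state (a host that needs RDP for administration should show a single expected listener); run it with -Disable only on hosts where Remote Desktop is not required, and record the output before and after for the change ticket.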
  • Alert for new attacks?
    26 May 2017
    On the occasion of the first worldwide cyber attack, which has hit more than 150 countries, including our country, where it affected the Aristotle University, we inform you that the now well-known "Shadow Brokers" team has announced that it will publish a series of exploits that it is better to know about.
     
    The exploits that have been announced are as follows:
     
    • EARLYSHOVEL RedHat 7.0 - 7.1 Sendmail 8.11.x exploit.
    • EBBISLAND (EBBSHAVE) root RCE via RPC XDR overflow in Solaris 6, 7, 8, 9 & 10 (possibly newer), both SPARC and x86.
    • ECHOWRECKER remote Samba 3.0.x Linux exploit.
    • EASYBEE appears to be an MDaemon email server vulnerability.
    • EASYFUN EasyFun 2.2.0 Exploit for WDaemon / IIS MDaemon/WorldClient pre 9.5.6.
    • EASYPIX is an IBM Lotus Notes exploit that gets detected as Stuxnet.
    • EWOKFRENZY is an exploit for IBM Lotus Domino 6.5.4 & 7.0.2.
    • EXPLODINGCAN is an IIS 6.0 exploit that creates a remote backdoor.
    • ETERNALROMANCE is an SMB1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2, and gives SYSTEM privileges (MS17-010).
    • EDUCATEDSCHOLAR is an SMB exploit (MS09-050).
    • EMERALDTHREAD is an SMB exploit for Windows XP and Server 2003 (MS10-061).
    • EMPHASISMINE is a remote IMAP exploit for IBM Lotus Domino 6.6.4 to 8.5.2.
    • ENGLISHMANSDENTIST sets Outlook Exchange WebAccess rules to trigger executable code on the client's side to send an email to other users.
    • EPICHERO 0-day exploit (RCE) for Avaya Call Server.
    • ERRATICGOPHER is an SMBv1 exploit targeting Windows XP and Server 2003.
    • ETERNALSYNERGY is an SMBv3 remote code execution flaw for Windows 8 and Server 2012 SP0 (MS17-010).
    • ETERNALCHAMPION is an SMBv1 exploit.
    • ESKIMOROLL is a Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers.
    • ECLIPSEDWING is an RCE exploit for the Server service in Windows Server 2008 and later (MS08-067).
    • ETCETERABLUE is an exploit for IMail 7.04 to 8.05.
    • EXPIREDPAYCHECK IIS6 exploit.
    • EAGERLEVER NBT/SMB exploit for Windows NT4.0, 2000, XP SP1 & SP2, 2003 SP1 & Base Release.
    • EASYFUN WordClient / IIS6.0 exploit.
    • ESSAYKEYNOTE
    More information can be found in the Exploit Database.
  • First Worldwide Cyber attack!
    12 May 2017
    More than 40,000 attacks have now been recorded in 74 countries during the first cyberwar that hackers have launched. The attack began in Great Britain, where the National Health System was hit and computers were "locked", forcing hospitals to send patients elsewhere. The attack quickly spread to many countries. It was carried out using a new version of the WannaCry malware.
    WannaCry, or WanaCrypt0r 2.0, is software that exploits a Windows vulnerability in order to infect each workstation. Its purpose is to encrypt important files and demand money as ransom for delivering the decryption key. Infection can come from a Word document, a PDF, and generally from emailed or already infected files. It initially infects one computer and then tries to spread across the internal network.

    To face the attack, we suggest:
     
    • Updating the Windows operating system with the latest security hotfixes
    • The installation of zero-day malware protection software
    • User awareness
     
    If the machine is infected with WanaCrypt0r ransomware then you should:
     
    • Disconnect the machine from the Internet and the internal network, and do not send any file to another machine, to prevent it from spreading.
    • Clean up the machine, check the network, and restore the files from backup, if any.
    • Update the Windows operating system with the latest security hotfixes.
    • Install zero-day malware protection software.
  • Cybercriminals steal information from the accounts of Yahoo's users.
    29 Sep 2016
    Yahoo has revealed a breach of about 500 million accounts, for which it holds responsible cybercriminals backed by the government of a country. In late 2014, the cybercriminals penetrated the company's internal network and obtained information on user accounts. The information included names, email addresses, phone numbers, birth dates, hashed passwords, and in some cases encrypted or unencrypted security questions and answers.
    Yahoo claims that the attackers did not gain access to sensitive information such as unprotected passwords, bank account details and credit or debit card data, as these were stored in a separate system to which the attackers were unable to gain access. Wishing to reassure users, the company pointed out that there is no indication that the intruders still have access to its systems; nevertheless, it advised users to change their passwords if they had not done so since 2014, and to avoid visiting links or downloading attachments from suspicious messages.
     
    To protect against similar types of attacks, the following are suggested:
     
    • Installation of an endpoint protection software (antivirus, firewall, IPS, Application Control).
    • Frequent change of passwords.
    • Avoiding the use of the same or similar password on the Internet and to corporate systems.
    • Use strong passwords.
    • User awareness of the attack techniques used by hackers.
  • Redirector.Paco
    08 Sep 2016
    Redirector.Paco is click-fraud malware that hijacks HTTP/HTTPS traffic. Its purpose is to redirect Internet traffic to malicious websites when an unsuspecting user uses a search engine such as Google, Yahoo or Bing.
    To redirect the traffic, the malware modifies the workstation registry, changing the "AutoConfigURL" and "AutoConfigProxy" parameters so that every web request the user makes is routed through a web proxy controlled by the hackers, which feeds back the results they want.
    The malware is distributed via installers of pirated versions of popular software such as WinRAR, YouTube Downloader, etc.

    To protect against this malware, the following are proposed:
     
    • Regular backups
    • Installation of endpoint protection software (antivirus, firewall, IPS, Application Control)
    • Installation of zero-day malware protection software
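    As an added example (not Netbull's code) for the registry tampering described above, the following script audits the two WinINet values Redirector.Paco is reported to change, AutoConfigURL and AutoConfigProxy, in the current user's and the machine's Internet Settings keys. It flags a PAC URL that is not on an allow-list and a PAC handler DLL other than the Windows default wininet.dll, and with -Remediate it records the finding and restores the values. It assumes PowerShell 3.0 or later and that it is run in the context of each user profile to be checked; the allow-list URL in the parameter default is a constructed placeholder.

```powershell
# Added example (not Netbull's code): audit and clean the proxy auto-config
# registry values that Redirector.Paco tampers with. Assumes PowerShell 3.0+.
param(
    # Allowed PAC URLs for your organisation. The default is a constructed placeholder.
    [string[]] $AllowedPacUrls = @('http://proxy.example.corp/proxy.pac'),
    [switch]   $Remediate
)

$paths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
)

$findings = foreach ($path in $paths) {
    if (-not (Test-Path $path)) { continue }
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

    # AutoConfigURL holds the PAC script URL; it is empty on hosts that do not use PAC.
    $pac = $props.AutoConfigURL
    if ($pac -and ($AllowedPacUrls -notcontains $pac)) {
        [pscustomobject]@{ Hive = $path; Value = 'AutoConfigURL'; Data = $pac; Reason = 'PAC URL not on allow-list' }
    }

    # AutoConfigProxy names the DLL that evaluates the PAC; the Windows default is wininet.dll.
    $dll = $props.AutoConfigProxy
    if ($dll -and ($dll -ne 'wininet.dll')) {
        [pscustomobject]@{ Hive = $path; Value = 'AutoConfigProxy'; Data = $dll; Reason = 'non-default PAC handler DLL' }
    }
}

if (-not $findings) {
    Write-Output 'No suspicious proxy auto-config values found.'
    return
}

$findings | Format-Table -AutoSize

if ($Remediate) {
    # Preserve the evidence before changing anything, then restore defaults.
    $evidence = Join-Path $env:TEMP ("paco-findings-{0}.csv" -f (Get-Date -Format 'yyyyMMddHHmmss'))
    $findings | Export-Csv -Path $evidence -NoTypeInformation

    foreach ($f in $findings) {
        if ($f.Value -eq 'AutoConfigURL') {
            Remove-ItemProperty -Path $f.Hive -Name AutoConfigURL -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $f.Hive -Name AutoConfigProxy -Value 'wininet.dll'
        }
    }
    Write-Output "Values restored; findings saved to $evidence"
}
```

    Because the values live per user under HKCU, run the audit under every profile on a shared workstation (or walk HKU:\<SID>\... from an elevated session); a clean run does not prove the host is clean, since the malware itself, distributed with the pirated installer, still has to be removed by the endpoint protection software listed above.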
  • HummingBad
    03 Aug 2016
    HummingBad is a new type of Android malware that has affected millions of smartphones and tablets around the world in the last few days. The creators of this malware work for an advertising agency called "Yingmob", which operates outside China. It was previously rumored that the company was behind the malicious iOS software named "YiSpecter". HummingBad installs a persistent rootkit on Android devices, generates fraudulent advertising revenue and installs malicious applications. The way HummingBad works makes it very difficult to detect, since its malicious code is encrypted. Furthermore, the malware first launches a silent attack vector and, if that fails, launches a second attack with the same objective as the first. Finally, each phase of the attack consists of several stages, including decryption and decompression of malicious code. It is usually detected as "Android.Trojan.Iop.Y" or "Android.Trojan.Agent.A".

    To protect against this malware, the following are proposed:

    • Avoid enabling the root account on your Android device
    • Do not allow installation of applications from "unknown sources"
    • Upgrade the mobile device to the operating system's latest version
    • Installation of zero-day malware protection software
  • Satana Ransomware
    26 Jul 2016
    Satana Ransomware is a combination of classic ransomware and Petya. Hackers have developed a new type of ransomware which destroys the master boot record (MBR), just like Petya. Satana is designed to penetrate computers silently and encrypt files. During encryption, the attacker's email address is prepended to each file name. Then the malware encrypts the MBR and replaces it with a new one. Once the user restarts the computer, the new code in the MBR is loaded and a message appears demanding a ransom to restore the files.

    To protect against this malware, the following are proposed:
     
    • Regular backups
    • Installation of endpoint protection software (antivirus, firewall, IPS, Application Control)
    • Installation of zero-day malware protection software