Difference between revisions of "How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business"

From Botnets.fr
{{Publication
|Botnet=LockerGoga,
|Target=Norsk Hydro, Altran,
|Year=2019
|Date=2019/03/21
|Link=https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880
|Author=Kevin Beaumont,
|Type=Blogpost
|Abstract=While we may be sharing Indicators of Compromise — IoCs — a long list of meaningless hashes isn’t enough to protect people. The cyber security industry and partners missed a trick here, as we knew a major company had been attacked in a meaningful way, but it wasn’t followed up.

Additionally, the digital certificate being used to sign the ransomware was used to sign other malicious code — in fact it had only been used to sign malicious code — and had been issued to a company with £1 of assets which wasn’t even a trading company. Upon being informed of this, the Certificate Authority failed to revoke the certificate in a timely manner — a continuing issue with the same Certificate Authority, which is trusted by all Windows certificate stores. To compound the issue, even when revoked, the vast majority of security tools fail to do anything, as they do not retrieve the CRL and check the serial number for revocation. All security and technology should immediately block or flag code signed with specifically distrusted certificates. Essentially, there are cascading failures in the technology and security industry to protect customers.
}}

Latest revision as of 10:33, 23 March 2019


How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business
Botnet LockerGoga
Target Norsk Hydro, Altran
Date 2019 / 2019/03/21
Link https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880
Author Kevin Beaumont
Type Blogpost


Bibtex

 @misc{2019BFR5363,
   author = {Kevin Beaumont},
   title = {How Lockergoga took down Hydro — ransomware used in targeted attacks aimed at big business},
   day = {21},
   month = mar,
   year = {2019},
   howpublished = {\url{https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880}},
 }