News & Updates

So far, nobody had any idea who was behind the WannaCry ransomware attacks.

But now there is a clue that lies in the code.

Neel Mehta, a security researcher at Google, found evidence suggesting that the WannaCry ransomware, which infected 300,000 machines in 150 countries over the weekend, is linked to a state-sponsored hacking group in North Korea known for cyber attacks against South Korean


APT32 is a new APT group, discovered by security experts at FireEye, that is targeting Vietnamese interests around the globe.

The APT32 group, also known as the OceanLotus Group, has been active since at least 2013; according to the experts, it is a state-sponsored hacking group.

The hackers target organizations across multiple industries and have also targeted foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. APT32 is also targeting peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

“APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.” states the analysis published by FireEye.

FireEye highlighted that it is currently impossible to link the group precisely to the Vietnamese government, even though the information gathered by the hackers would be of very little use to any other state.

According to the experts, the cyber attacks seemed to be assessing the victims’ adherence to Vietnamese regulations, but the Vietnamese government denies any involvement.

“The government of Vietnam does not allow any form of cyber-attacks against organizations or individuals,” said foreign ministry spokeswoman Le Thi Thu Hang. “All cyber-attacks or threats to cybersecurity, must be condemned and severely punished in accordance with regulations and laws.”

Back to the latest wave of attacks: the APT32 hackers use phishing emails containing a weaponized attachment. It is interesting to note that the attachment is not a Word document; instead, it is an ActiveMime file containing an OLE file with malicious macros.

Another novel element of this campaign is that the attackers tracked the success of the phishing emails using legitimate cloud-based email analytics. The phishing attachments contain HTML image tags.

“When a document with this feature is opened, Microsoft Word will attempt to download the external image, even if macros were disabled. In all phishing lures analyzed, the external images did not exist.” reads the analysis. “Mandiant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images. When combined with email tracking software, APT32 was able to closely track phishing delivery, success rate, and conduct further analysis about victim organizations while monitoring the interest of security firms.”
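Defenders triaging such lures can check an attachment for remote image references before anyone opens it. The script below is an added example, not FireEye's or Mandiant's code; it scans a constructed MHTML (ActiveMime-style) body and a constructed minimal .docx, and the tracker URLs it uses are placeholders.

```python
# Added example, not FireEye's or Mandiant's code: flag Office lures that
# reference remote images (the tracking beacon described above) in an MHTML/
# ActiveMime body (quoted-printable, as Word writes it) or in a .docx's rels.
import io
import quopri
import re
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
IMG_SRC = re.compile(r"<img[^>]+src\s*=\s*[\"']?(https?://[^\s\"'>]+)", re.I)


def remote_images_in_mhtml(text: str) -> list[str]:
    """Remote image URLs from <img> tags, after quoted-printable decoding."""
    decoded = quopri.decodestring(text.encode()).decode("utf-8", "replace")
    return IMG_SRC.findall(decoded)


def remote_images_in_docx(data: bytes) -> list[str]:
    """External http(s) relationship targets found in any .rels part."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in (n for n in zf.namelist() if n.endswith(".rels")):
            for rel in ET.fromstring(zf.read(name)).iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if rel.get("TargetMode") == "External" and target.lower().startswith("http"):
                    found.append(target)
    return found


# Constructed sample: MHTML body carrying a 1x1 remote image beacon (placeholder URL).
SAMPLE_MHTML = """Content-Type: multipart/related; boundary="----=_Part"

------=_Part
Content-Transfer-Encoding: quoted-printable

<html><body><p>Invoice attached</p>
<img src=3D"http://tracker.example.invalid/pixel.gif" width=3D"1" height=3D"1">
</body></html>
------=_Part--
"""


def build_sample_docx(image_url: str) -> bytes:
    """Constructed minimal .docx with one external image relationship."""
    rels = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" '
            f'Target="{image_url}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()
```

Any non-empty result means the document will make an outbound request when rendered, even with macros disabled, so it is worth a closer look in a sandbox.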

The embedded macros create two scheduled tasks to gain persistence for the backdoors used by the hackers.

The first task executes the Squiblydoo application to enable the download of a backdoor from APT32 infrastructure. The second leads to a secondary backdoor delivered as a multi-stage PowerShell script configured to communicate with the domains blog.panggin[.]org, share.codehao[.]net, and yii.yiihao126[.]net.


APT32 threat actors regularly cleared select event log entries to conceal their operations, and they heavily obfuscated their PowerShell-based tools and shellcode loaders with Daniel Bohannon’s Invoke-Obfuscation framework.

The arsenal of APT32 includes a custom suite of backdoors such as Windshield, Komprogo, Soundbite, Phoreal, and Beacon.

FireEye warns of the increasing number of nation-state actors using cyber operations to gather intelligence.

“FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests,” concluded FireEye. “As more countries utilize inexpensive and efficient cyber operations, there is a need for public awareness of these threats and renewed dialogue around emerging nation-state intrusions that go beyond public sector and intelligence targets.”


Pierluigi Paganini

(Security Affairs – APT32, cyber espionage)


The post APT32, a new APT group alleged linked to the Vietnamese Government is targeting foreign corporations appeared first on Security Affairs.

Source: Security affairs

By now I am sure you have already heard something about the WannaCry ransomware, and are wondering what’s going on, who is doing this, and whether your computer is secure from this insanely fast-spreading threat that has already hacked nearly 200,000 Windows PCs over the weekend.

The only positive thing about this attack is that — you are here — as after reading this easy-to-understandable


In the IT security community, several experts have started linking the WannaCry ransomware to the Lazarus Group because of similarities in the attack code.

Google security researcher Neel Mehta published a mysterious tweet using the #WannaCryptAttribution hashtag. What did he mean?

According to experts at Kaspersky, the string is a portion of code that Mehta noticed in a very early variant of the WannaCry ransomware found in February 2017 and in one of the malware samples used by the notorious Lazarus APT group, dating back to February 2015.

Image: WannaCry ransomware vs Lazarus

What does it all mean?

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems.

Experts at Symantec have in the past spotted at least three strains of malware used by the group, Backdoor.Fimlis, Backdoor.Fimlis.B, and Backdoor.Contopee, which have been used in targeted attacks against financial institutions.

The attackers exploited “watering holes” in order to infect the machines of a specific audience with previously unknown malware.

Researchers speculate the group was responsible for the last wave of attacks against banks worldwide, for the Sony hack, and the DarkSeoul operation.

Is it possible that attackers behind the WannaCry have used a false flag?

Experts from Kaspersky believe that the false flag theory is improbable because the portion of shared code appears only in the early version of WannaCry and was removed later.

“For now, more research is required into older versions of Wannacry. We believe this might hold the key to solve some of the mysteries around this attack. One thing is for sure — Neel Mehta’s discovery is the most significant clue to date regarding the origins of WannaCry.” reads a blog post shared by Kaspersky Lab.

The question is: is there a link between the early February WannaCry variant and the sample used in the recent massive cyber attacks?

According to Kaspersky, the answer is “YES”. The recent variant targets more file extensions for encryption.

“We strongly believe the February 2017 sample was compiled by the same people, or by people with access to the same source code as the May 2017 Wannacry encryptor used in the May 11th wave of attacks.” continues Kaspersky.

Kaspersky shared the YARA rule used to find the WannaCry sample.

Let me close with the analysis shared by Matthieu Suiche from Comae:

“The attribution to Lazarus Group would make sense regarding their narrative which in the past was dominated by infiltrating financial institutions in the goal of stealing money.

If validated, this means the latest iteration of WannaCry would in fact be the first nation state powered ransomware.

This would also mean that a foreign hostile nation would have leveraged lost offensive capabilities from Equation Group to create global chaos.

In the meantime, a third kill switch appeared in the wild — the fact it contains lmao would mean, if the above attribution is correct, that the attacker is purposely sending multiple messages:

  • A Global provocation message to the Law Enforcement & Security researcher community to be translated as “Keep Trying”.
  • Enforce the theory that the last iteration of WannaCry is a destructive operation to create political mayhem!

Stay tuned


Pierluigi Paganini

(Security Affairs – WannaCry ransomware, cybercrime)


The post Security experts link WannaCry ransomware to Lazarus Group appeared first on Security Affairs.

Source: Security affairs

Today, HTC is taking the wraps off its newest flagship smartphone, the HTC U11. This is a proper Snapdragon 835 flagship—Qualcomm’s latest chip—and it comes with two notable features: a fancy “squeeze” function that launches a configurable action and dual hotword support for both the Google Assistant and Amazon Alexa.

The HTC U11 is priced at $650/£650 and launches in the UK in June. A US launch will follow at a later date.



A cryptocurrency mining farm. (credit: Marco Krohn)

On Friday, ransomware called WannaCry used leaked hacking tools stolen from the National Security Agency to attack an estimated 200,000 computers in 150 countries. On Monday, researchers said the same weapons-grade attack kit was used in a much-earlier and possibly larger-scale hack that made infected computers part of a botnet that mined cryptocurrency.

Like WannaCry, this earlier, previously unknown attack used an exploit codenamed EternalBlue and a backdoor called DoublePulsar, both of which were NSA-developed hacking tools leaked in mid-April by a group calling itself Shadow Brokers. But instead of installing ransomware, the campaign pushed cryptocurrency mining software known as Adylkuzz. WannaCry, which gets its name from a password hard-coded into the exploit, is also known as WCry.

Kafeine, a well-known researcher at security firm Proofpoint, said the attack started no later than May 2 and may have begun as early as April 24. He said the campaign was surprisingly effective at compromising Internet-connected computers that have yet to install updates Microsoft released in early March to patch the critical vulnerabilities in the Windows implementation of the Server Message Block protocol. In a blog post published Monday afternoon, Kafeine wrote:




Will we ever get a bonafide Call of Duty, Battlefield, or Halo game in virtual reality? Sony’s latest PlayStation VR game Farpoint is at its most compelling when it responds with a resounding “yes.”

I mean, by golly, we have it now: a VR gun game where you use a joystick to run, aim a gun with your hands, blast bad guys, and feel like a not-sick-at-all badass. Nausea, comfort, and immersion all work in Farpoint‘s favor when the game fires on all cylinders. PSVR owners may feel moved to buy it just to see this long-awaited promise come to fruition. (Farpoint can be purchased with a brand-new PlayStation VR Aim Controller; I also explore just how unnecessary the controller turns out to be—and how good that is for the future of PSVR games.)

But that purchase won’t be met with a full game that merits “legendary” or even “damned good” status. Impulse Gear Studios clearly devoted a lot of resources to nailing the feel of sit-down VR combat, and that focus has left some basic gameplay and plot issues unresolved.



The five fundamentals of Fluent. (credit: Microsoft)

Formerly known as Project Neon, the Microsoft Fluent Design System is the latest iteration in the development of Microsoft’s look-and-feel for Windows.

Fluent builds on the Metro design language introduced with Windows Phone. Metro was designed for touch devices in particular; with Fluent, Microsoft is aiming at devices ranging from those without any display at all, through phones, tablets, traditional PCs, to virtual and augmented reality systems. Fluent also marks a shift from a design primarily focused on consumption, to one that also incorporates content creation. This generally means that Fluent will have to scale to denser, more feature-rich interfaces than Metro ever did.

As well as broadening the scope of the new design approach, Microsoft is also trying to do a better job of getting designers and developers to understand it. The documentation for Fluent is already arguably more comprehensive than it ever was for Metro. It combines both design guidelines and developer references to show not just what to do but also how to do it.



(credit: Rishabh Mishra)

When Volkswagen’s diesel scandal broke in 2015, much was made of how the cars spewed the pollutant nitrogen oxide (NOx) in dramatic excess of regulators’ standards during real-world driving. But that wasn’t what ultimately got VW Group in trouble with officials from the US Environmental Protection Agency (EPA) and European Union regulators. The key problem was that diesel VWs, Audis, and even Porsches included undisclosed “defeat devices,” or lines of code in the car’s software, that regulators didn’t know about. This code permitted the diesel cars to run cleaner in a lab than on the road.

In most cases, regulators know that vehicles will run dirtier during some real-world driving conditions than they do during the lab tests. They also know that lab tests are designed narrowly enough that automakers can exploit them. US regulators don’t uniformly test emissions under real-world conditions (although the EPA conducted a review of diesel vehicles after the VW Group scandal).

A new study published in Nature has now calculated the effect of lax practices in regulation and come up with a body count—38,000 people around the world prematurely died in 2015 as a result of excess particulate matter (including NOx) and ozone emissions from diesel vehicles.



The Falcon 9 rocket is ready to go for Monday night’s launch. (credit: SpaceX)

7:55pm ET Update: After launching right on time, the Inmarsat spacecraft reached low-Earth orbit, and after two successive burns by the Falcon 9’s second stage, the satellite deployed successfully into geostationary transfer orbit. This means SpaceX has now performed six successful missions in 2017, all in the last four months.

Original post: Tonight, SpaceX will attempt to launch its sixth Falcon 9 rocket of 2017. If successful, this take-off would put SpaceX on course to launch more than a dozen missions this year and, possibly, as many as eighteen. The 49-minute launch window opens at 7:21pm ET Monday (0:21am UK Tuesday), and the rocket will deliver an Inmarsat-5 F4 communications satellite to a geostationary transfer orbit. Weather is near ideal for a launch from Kennedy Space Center this evening, with a 90-percent chance of favorable conditions.

Because the satellite is so heavy—more than six metric tons—and going to a higher orbit, the Falcon 9 rocket won’t have enough fuel to make a return attempt, even at sea. The company has not disclosed whether it will make another experimental attempt to recover the rocket’s payload fairing.
