New ransomware installs in boot record, encrypts hard disk

Petya performs fake CHKDSK, and instead encrypts the master file table on disk.

Yet another harsh lesson for people who click things they shouldn't.

A new type of malware has been described, one that takes crypto-extortion to a new level. While most cryptographic ransomware variants are selective about what they encrypt—leaving the computer usable to make it easier for the victim to pay—this new entry targets the victim's entire startup drive, encrypting the master file table (MFT).

Called Petya, the new ransomware is just the latest strain deliberately tailored for victims inside organizations with IT support rather than for a broad audience. As BleepingComputer's Lawrence Abrams documented, Petya is currently being delivered via Dropbox links in e-mail messages targeting human resources departments at companies in Germany. The links purport to lead to a job application that the HR employee is expected to open.

Running the downloaded file throws up a Windows alert; if the user clicks to continue, Petya is inserted into the master boot record (MBR) of the victim's computer, and the system restarts. On reboot, the malware performs a fake Windows CHKDSK, warning "One of your disks contains errors and needs to be repaired." Petya then flashes up an ASCII skull and crossbones on a red and white screen, announcing "You became victim of the PETYA RANSOMWARE!"


Two more healthcare networks caught up in outbreak of hospital ransomware

New server-targeting malware hitting healthcare targets with unpatched websites.

Baltimore's Union Memorial Hospital is one of the latest victims of ransomware disruptions. (credit: MedStar Health)

Hospitals and healthcare providers are increasingly falling victim to crypto-ransomware attacks. While attacks over the past few months have not been highly targeted, they have caused a great deal of disruption. And disruptions at hospitals can have a much more dire impact than at most other organizations vulnerable to malware-based extortion.

This past week, that point was brought home again when multiple US hospitals acknowledged that they had been forced to take systems offline in response to crypto-ransomware infestations. And on Wednesday, security researchers at Cisco Talos Research revealed a new strain of crypto-ransomware designed to attack vulnerable servers that appeared to be primarily focused on targets in the healthcare industry.

The latest disruption came on Monday, when Columbia, Maryland-based MedStar Health reported that malware had caused a shutdown of some systems at its hospitals in Baltimore.


Troll says he printed racist flyers on public printers at colleges

“Weev” sent white supremacist print job to every visible printer in North America

Andrew "Weev" Auernheimer in 2012. Auernheimer told the New York Times he was behind a wave of racist print jobs that hit universities across the US. (credit: pinguino k)

Public networked printers at a number of universities were part of the target pool of a massive print job sent out by hacker and Internet troll Andrew "Weev" Auernheimer. At least seven universities were among those that printed out flyers laden with swastikas and a white-supremacist message.

Since Auernheimer merely sent printouts to the printers and didn't actually do anything to gain access to the printers that would fall into the realm of unauthorized access, it's unlikely that he will be prosecuted in any way. Auernheimer exploited the open nature of university networks to send print jobs to the networked printers, which in some cases were deliberately left open to the Internet to allow faculty and students to print documents remotely. These printers could easily be found with a network scan of public Internet addresses.

The New York Times reports that the flyers were printed at Princeton University, University of California-Berkeley, University of Massachusetts-Amherst, Brown University, Smith College, and Mount Holyoke College, as well as others. Auernheimer took credit for the printouts in an interview with the Times, saying that he had not specifically targeted the universities but had sent the flyer print job to every publicly accessible printer in North America.


Rage-quit: Coder unpublished 17 lines of JavaScript and “broke the Internet”

Dispute over module name in npm registry became giant headache for developers.

(credit: Photo illustration by Aurich Lawson)

It all started with a request from the developers of a messaging application to an open-source developer to change the name of a library. It ended with JavaScript developers around the world crying out in frustration as hundreds of projects suddenly stopped working—their code failing because of broken dependencies on modules that a developer removed from the repository over a policy dispute.

At the center of it all is npm, Inc., the Oakland startup behind the largest registry and repository of JavaScript tools and modules. Isaac Schlueter, npm's creator, said that the way the whole thing shook out was a testament to how well open source works—the missing link was replaced by another developer quickly. But many developers are less than elated by the fact that code they've become dependent on can be pulled out from under them without any notice.

The disruption caused by the wholesale unpublishing of code modules by their author Azer Koçulu was repaired in two hours, Schlueter told Ars, as other developers filled in the holes in the repository. The incident is, however, prompting Schlueter and the team at npm Inc. to take a look at how to prevent one developer from causing so much collateral damage.


Federal grand jury indicts 7 Iranians for “campaign of cyber attacks”

Employees of two Iranian IT firms charged in attacks on bank websites, dam.

The indictment against employees of the Iranian information security firm ITSecTeam, unsealed today, alleges the company was one of two involved in state-sanctioned attacks against US banks and SCADA systems.

US Attorney General Loretta Lynch, FBI Director James Comey, and other Justice Department officials announced today that a federal grand jury had issued indictments for seven Iranians employed by two information technology companies. The indictments allege that the companies were contracted by the Iranian government to conduct cyber attacks against bank websites in the US and carry out intrusion into the supervisory control and data acquisition (SCADA) network of a dam near Rye, New York.

In a press conference announcing the indictments, Lynch said, "Today, we have unsealed an indictment against seven alleged experienced hackers employed by computer security companies working on behalf of the Iranian government, including the Islamic Revolutionary Guard Corps. A federal grand jury in Manhattan found that these seven individuals conspired together, and with others, to conduct a series of cyberattacks against civilian targets in the United States financial industry that, in all, cost victims tens of millions of dollars."

The seven worked at ITSecTeam (ITSEC) and Mersad Company, both based in Iran. The companies are alleged to have been contracted by the Iranian government and the Iranian Revolutionary Guard to conduct a range of network intrusions and attacks, including distributed denial of service campaigns against the websites of several US banks. The DDoS attacks, which started sporadically in December 2011, continued into September 2012, when attacks were ramped up to a "near-weekly basis," the indictment states. At their peaks, the DDoS attacks reached 140 gigabits per second.


iOS forensics expert’s theory: FBI will hack shooter’s phone by mirroring storage

Zdziarski believes NAND mirroring will give the FBI the PIN retries it needs to crack the phone.

Jonathan Zdziarski, a leading independent Apple iOS security researcher and forensics expert, has a theory about the FBI's newly discovered potential route into the iPhone 5C used by San Bernardino shooter Syed Farook. In a blog post, Zdziarski wrote that the technique the FBI is planning to use to get around having to compel Apple to help bypass the phone's security is likely a method called NAND mirroring—a hardware-based approach that, while effective, is far from the "golden key" software the FBI had sought.

The FBI reported in its filing to delay a hearing on its dispute with Apple, originally scheduled for March 22, that an outside company had approached the FBI with a solution to the "self-destruct" issue preventing the FBI from repeatedly guessing the device's four-digit PIN. In that filing, FBI officials said that they needed just two weeks to certify that they could use the alternative approach to gain access to the phone.

Based on a number of factors, Zdziarski said that the company in question was likely one of the FBI's external forensics contractors and that it was unlikely that it had found a "zero day" software technique to bypass the password. "Whatever technique is being used likely isn't highly experimental (or it'd take more time)," Zdziarski noted. "Chances are the technique has been developed over the past several weeks that this case has been going on."


Kentucky hospital hit by ransomware attack

“Locky” malware holds medical data hostage for a four-bitcoin ransom.

Methodist Hospital in Henderson, Kentucky, initiated an "internal state of emergency" after discovering a Locky crypto-ransomware infection of its network. (credit: Methodist Hospital)

A month after a Los Angeles hospital was crippled by crypto-ransomware, another hospital is in an "internal state of emergency" for the same reason. Brian Krebs reports that Methodist Hospital in Henderson, Kentucky, shut down its desktop computers and Web-based systems in an effort to fight the spread of the Locky crypto-ransomware on the hospital's network.

Yesterday, the hospital's IT staff posted a scrolling message at the top of Methodist's website, announcing that "Methodist Hospital is currently working in an Internal State of Emergency due to a Computer Virus that has limited our use of electronic web-based services. We are currently working to resolve this issue, until then we will have limited access to web-based services and electronic communications." As of this morning, the message has been taken down from the site.

Methodist Hospital's information systems director told Krebs that the Locky malware, which came in as an attachment to a spam e-mail, attempted to spread across the network after it had infected the computer it was triggered on. Locky has been known to use malicious scripts in Microsoft Office documents as a means of infecting victims' computers. The malware succeeded in infecting several other systems, prompting the hospital staff to shut down all the hospital's computers. Each PC is brought back online individually after being scanned for telltale signs of Locky while off the network.


BlackBerry cries foul as Facebook plans to end BB OS 10 support

Calls on BlackBerry faithful to launch hashtag protest, pays Twitter to update app.

Facebook's icon may soon disappear from BlackBerry devices along with WhatsApp.

Facebook and its WhatsApp messaging subsidiary have both announced plans to end support for BlackBerry OS 10 by the end of 2016 despite pleas from BlackBerry's executives. In a blog post, BlackBerry's senior manager in charge of the company's App Ecosystem and Developer Outreach team, Lou Gazzola, expressed disappointment over the decision and urged customers to protest it. "We fought back to work with WhatsApp and Facebook to change their minds, but at this time, their decision stands (but let them know how you feel on social media, using the hashtag #ILoveBB10Apps)," he wrote.

The decision comes as BlackBerry has started to look at paths beyond its own operating system. In late 2015, the company introduced its own Android-based phone, the Priv. And with the introduction of the Passport, BlackBerry began supporting some Android applications on BB OS itself. But the company's executives have continuously tried to attract and keep developers for their native operating system's ecosystem.

Gazzola wrote that despite the Facebook decision, "we have worked hard to ensure our end users have the best experience in light of this decision and are continuing to search for alternate solutions." In an attempt to convince users of the company's commitment and to highlight the efforts of the BlackBerry developer community—which Gazzola said is "creating thousands of apps every month"—BlackBerry is launching a featured list of 20 applications on BlackBerry World called Great Apps on BlackBerry.


N. Korea launches ballistic missiles, claims miniaturized nuclear warhead

As if to seal THAAD deal, ballistic missiles flew 500 miles across Korean peninsula.

Kim Jong Un points at stuff at a nuclear missile assembly plant...or a mock-up of one. (credit: Rodong Sinmun (DPRK Party Central Committee Newspaper))

Just over a month after successfully putting a satellite into orbit, the government of the People's Democratic Republic of Korea (North Korea) claimed to have successfully built a miniaturized nuclear warhead capable of being placed on ballistic missiles. As if to add emphasis to that message, North Korea's military has gone on a missile testing binge.

On March 10, North Korea launched two "Scud" tactical ballistic missiles from North Hwanghae Province, the North Korean border region just north of Seoul, toward the Sea of Japan. Then on March 17, the North Korean military test-launched longer-ranged ballistic missiles from South Pyongan Province, near the Yellow Sea, across the Korean peninsula. The missiles flew 500 miles, again landing in the Sea of Japan. The latest launches took place early on Thursday morning local time, 20 minutes apart, according to a statement from the Republic of Korea (South Korea) joint chiefs of staff.

John Grisafi, director of intelligence for North Korean watchdog site NK News, believes the missiles launched Thursday were likely the Rodong-1 missile. “It’s beyond any known Scud variant’s range,” he said.


This is the phone NSA suggested Clinton use: A $4,750 Windows CE PDA

SME PED devices were only NSA-approved mobile phones for classified communications.

This is what the NSA would have suggested Secretary of State Clinton use as a secure mobile device in 2009: The General Dynamics Sectéra Edge Windows CE secure PDA. Pricetag: $4,750 (not including all the server software and licenses). (credit: General Dynamics)

When former Secretary of State Hillary Clinton was pushing to get a waiver allowing her to use a BlackBerry like President Barack Obama back in 2009, the National Security Agency had a very short list of devices approved for classified communications. It was two devices built for the Secure Mobile Environment Portable Electronic Device (SME PED) program. In fact, those devices were the only thing anyone in government without an explicit security waiver (like the one the president got, along with his souped-up BlackBerry 8830) could use until as recently as last year to get mobile access to top secret encrypted calls and secure e-mail.

Despite $18 million in development contracts for each of the vendors selected to build the competing SME PED phones (or perhaps because of it), the resulting devices were far from user-friendly. The phones—General Dynamics' Sectéra Edge and L3 Communications' Guardian—were not technically "smart phones," but instead were handheld personal digital assistants with phone capability, derived from late 1990s and early 2000s technology that had been hardened for security purposes—specifically, Windows CE technology.

At the time Clinton was asking for a phone, only the Sectéra Edge was available (the Guardian was running behind in development). But you couldn't just buy the Edge and be ready to go—it required multiple server-side and phone-side e-mail additions, desktop synchronization software, and other supporting products. Since it had both a secure and nonsecure side, it required separate accessories for each of its modes. The "Executive Kit" version of the Edge, priced for government purchase at $4,750, included:
