Wannacry ransomware attack

On May 12, 2017 a new ongoing cyberattack struck the world. The ransomware computer worm, Wannacry ( or WanaCrypt, WanaCryptor 2.0, Wanna Decryptor ) is targeting Microsoft’s operating system, Windows. So far infected more than 230000 computers in 150 countries. They send the software in an email, so be careful of suspicious arrivals in your mailbox.

The older versions (Windows XP, Windows Server 2003) are particularly endangered. Microsoft have taken precautions and issued a critical patch on March 14, to remove the underlying vulnerability for supported operating systems, after the backdoor have been revealed.

Shortly after the attack, a web security researcher (also a blogger) called “MalwareTech” inadvertently established an effective kill switch by registering a website mentioned in the code of the ransomware. The kill switch is the type of code that some attackers use to halt the spreading of the infection if things get out of hand. It did slow the spread of the infection, but new versions have been detected without the killswitch.

According to Europol the ransomware campaign was unprecedented in scale. The attack affected many of the National Health Service hospitals in England and Scotland. The attack infected computers, MRI scanners, blood-storage refrigerators and theatre equipment. On May 12 some NHS services had to turn away non-critical emergencies and some ambulances were diverted. Nissan Motor Manufacturing UK and Renault also halted production due to the cyber attack.

Attack through subtitles

Check Point researchers revealed a new form of attack vector that uses subtitles to attack. By creating malicious subtitle files, attackers can take control over users’ devices completely. A few major media players are endangered, estimated over 200 million users. Vulnerabilities were found in VLC, Kodi, Popcorn-time and strem.io.

This method is referred as ‘attack vectors’. So far there were two major categories in attack vectors. One persuaded the user to visit a malicious website, the other tricks the user to run an infected file. Check Point’s research revealed a new possible attack vector, that can take over a device completely, when subtitles are loaded in the media player.

The root of the problem is that there are over 25 subtitle formats, with different features and capabilities. This forces the media players to accept many forms of files, opening up security vulnerabilities. The new attack can use this vulnerability to get into the user’s computer. The subtitle files are perceived as nothing more than text files, so Anti-Virus software and other security solutions don’t confirm their real nature.

VLC has over 170 million downloads, Kodi is reaching 40 million unique users each month, so more than 200 million users are threatened by this new type of attack. By taking complete control over the user’s device the attacker can cause some serious harm. They can steal sensitive information, install ransomware, or even delete any files and much more. Since the entry point is a media player, not only personal computers are in danger, but mobile devices or smart TVs as well.

The attackers can upload malicious subtitles to many sites and some players can download subtitles automatically. By manipulation the website’s ranking, the attackers can improve the threat to spread the new attack. The affected media players already published their fixed versions, so be sure to update if you use any of these. Popcorn-time’s update is not yet available for automatic download, but you can reach it and install manually.

Judy malware

Another widespread malware was found on Google Play by Checkpoint. The malware called “Judy”, is an auto-clicking adware which was found on 41 apps developed by a Korean company. The malware uses the infected devices to generate clicks on advertisements, making revenues for the creators. The malware reached a spread between 4.5 million and 18.5 million installs. Some of the apps were on Google Play for years, but all were updated recently. After reporting, the apps were swiftly removed from the store.

The malicious apps are all developed by a Korean company named Kiniwini, registered on Google Play as ENISTUDIO corp. The company develops apps for both Android and iOS, and it is quite unique to find an actual organization behind mobile malware. In addition to displaying large amount of advertisement they actually generate fraudulent clicks for their own benefits. The malware infected apps have really good reputation on Google Play, but some users have reported suspicious activities. Once again proven, that good ratings do not necessarily mean that the software is safe to use.