SEMTA Caught in ransomware attack

cryptoransomware-encryption-300x205The San Francisco Municipal Transportation Agency (SEMTA) was infected with a HDDCryptor ransomware over the weekend. Employee computers were presented with the message “You Hacked, ALL Data Encrypted. Contact For Key ( ID:681, Enter”.

The attack was made using Mamba which rewrites a computer’s Master Boot Record. Local reports indicates that critical assets like payroll, a MySQL database and email servers, as well as employees’ personal computers may have been compromised in the attack.

The attack is estimated to cost the agency US$559,000 each day until resolved.


European Commission experience DDoS attack

The European Commission was attacked around 3pm on November 24th by a DDoS. Both the EU’s main website and the network gateways were targeted in the attack making it difficult for staff to work.

The EC pointed out that nothing was breached and no data was stolen. The Commission’s security team were fighting off another wave of attacks later that evening, SC Magazine reports.

Little is publicly known about the source of the attack.

Crysis ransomware decryptor released by ESET

crysis.PNGA free decryptor tool for the Crysis ransomware has been developed and released by ESET security researchers. Information released on Pastebin and reported by Bleeping computer were used in creating the tool.

Download of the ESET Crysis Decryptor tool is available at

Instructions on how to use the tool is available at

Variants of Crysis ransomware has been spotted in 123 countries since May, 2016 with the most targeted countries being France, Spain and Brazil.

Michigan State University database breached


Students and staff records in a Michigan State University database has been accessed by unauthorized third party

How many victims? 400,000 records of 449 students and staff.

What type of information? Names, social security numbers, MSU identification numbers, and in some cases, date of birth of faculty, staff and students who were employed by MSU between 1970 and Nov. 13, 2016, and students who attended MSU between 1991 and 2016.

What happened?  Michigan State University announced last Friday that a server and a database containing the breached information was accessed by an unauthorized third party on November 13. The database was taken offline in less than 24 hours but the attacker accessed records of 449 individuals.

What was the response?  MSU’s IT team immediately determined the cause and nature of the breach and the MSU Police Department is working with federal law enforcement to investigate the crime. The university already notified affected parties and has offered them two years of identity theft protection, fraud recovery credit card monitoring for free. They also ensured that the database did not contain passwords, financial, acadmeic, contact, gift or health information, according to SC Magazine.

Gatak Trojan delivered through fake Software offering

Five year old Gatak Trojan (Trojan.Gatak) is been distributed through an offer of obtaining pirated software to lure its victims. The malware is spread through online adverts offering pirated software keys that could allow use of premium software at a discount if legit.

Once the ad is clicked, a fake key gen page launches and Gatak is simultaneously delivered to the victim.  Much is known about the Gatak trojan but how the developers profit from the malware is still unclear. One theory is that the malware is used to exfiltrate data which is then sold on the dark web,

Some of the premium software which users are targeted to get keys for are

  • SketchList3D (woodworking design software)
  • Native Instruments Drumlab (sound engineering software)
  • BobCAD-CAM (metalworking/manufacturing software)
  • BarTender Enterprise Automation (label and barcode creation software)
  • HDClone (hard disk cloning utility)
  • Siemans SIMATIC STEP 7 (industrial automation software)

339 Million AdultFriendFinder users compromised

Friend Finder Networks, the company that operates and which was affected by a breach of 3.5 million users information in May, 2015 has been breached again.

How many victims? This time 339 million users including 15 million users whose accounts were deleted but their data were still held by the company.

What type of information? Usernames, email address, date of the last visit, password, last IP address used, browser information, and VIP membership status

What happened? speculates that the breach was carried out through the use of an exploit for a Local File inclusion vulnerability which was publicly revealed last month. Passwords were found in unencrypted format or SHA 1 hashed which are both insecure. 99% of the hashed passwords have already been cracked. The team has decided not to make this particular data set searchable by the general public for now.

What was the response?  Friend Finder Networks has not confirmed the breach but they said the Local File inclusion vulnerability which was allegedly exploited has been fixed.

Quote: “It goes without saying that systems, software and processes should be regularly reviewed as previously accepted risk levels may no longer suffice.” – David Kennerley, director of threat research at Webroot, to SC Media.

Phishing emails promising invites to cybersecurity conference actually dispersing malware

File this one in the “Irony” department: Threat actors have been discovered trying to infect security-minded individuals with a trojan downloader by sending spear phishing emails that offer free invitations to Palo Alto Networks’ Nov. 3 Cyber Security Summit in Jakarta, Indonesia.

Palo Alto Networks’ Unit 42 threat research group identified the malware as the Emissary trojan, which is linked to Lotus Blossom, an advanced persistent threat (APT) group that has historically launched campaigns against multiple countries in Southeast Asia. According to a Palo Alto blog post, the trojan arrives as an malicious Word document attachment bearing the file name “[FREE INVITATIONS] CyberSecurity Summit.doc.” Opening the attachment deploys a decoy document and downloads Emissary, which compromises systems by exploiting a critical vulnerability in Microsoft’s MSCOMCTL.OCX ActiveX controls  (CVE-2012-0158) that dates back to 2012.

By analyzing the original screenshot that was cropped to create the decoy document, Palo Alto found a variety of evidence suggesting that the adversaries’ primarily language is Chinese.