Under the heading "Trustful cooperation", Joachim Gutmann summarizes the tasks and activities of CERT@VDE in the current issue of the BSI magazine.
"A list of IP addresses including access data of IoT devices with activated remote access was floating around on the Internet." - heise.de
An unknown person has published a list of 8233 IP addresses along with valid usernames and passwords for IoT devices such as routers on Pastebin, warns security researcher Ankit Anubhav.
The list is said to have been online and regularly updated since June. Since there have been reports about this list, the number of hits is said to have risen from 700 to over 13,000.
Warning to "M.E.Doc" users
The BSI warns all companies that have used the accounting software "M.E.Doc" in recent months.
According to the BSI, the threat situation revealed by the NotPetya outbreak is greater than previously assumed. The update function of the Ukrainian accounting software "M.E.Doc" has allegedly been used to spread malware since mid-April 2017.
The BSI therefore warns that companies that have used this software may have been infected with spyware unnoticed, even if they were not directly affected by the NotPetya outbreak. According to analyses by IT security researchers, variants of the malware distributed via the update function make it possible to spy on data in the affected company networks.
In addition to urgently installing the patch MS17-010, the BSI therefore recommends a number of other measures. Among other things, computers on which "M.E.Doc" was used or which can be accessed from such computers should be checked for possible infections. Infected computers should be reinstalled and all passwords used should be changed. Backups created after April 13 should also be considered potentially compromised. If in doubt, external specialists should be called in, according to the BSI.
The BSI asks affected companies to report this at meldestelle@bsi.bund.de.
Malware "NotPetya"
The Trojan, which spread rapidly on Tuesday, is similar to the "Petya" Trojan that appeared in 2016. However, security researchers classify it as a new Trojan and therefore usually refer to it as "NotPetya". Although the Trojan initially gave the impression of being ransomware like "WannaCry", the aim is clearly not to extort a ransom from those affected. The attackers are not even able to decrypt the data again. The suspicion has therefore now been confirmed that the main aim of "NotPetya" is to paralyze companies and cause as much damage as possible.
Among other things, it spreads via the vulnerability in the SMB protocol that was already used by "WannaCry". However, other distribution channels have been added. After infecting the first system in a network, the Trojan looks for a domain controller as its next target. There it collects a list of systems in the network, which it then specifically infects. In doing so, it also uses admin passwords that it has previously tried to capture on the domain controller.
A mechanism has now been found for the currently observed version of "NotPetya" that can prevent infection. The Trojan checks whether certain files exist and aborts execution if they do. Creating these files as a precautionary measure, at least on the domain controllers and all particularly vulnerable systems, could therefore protect companies from damage. This file can be used for this purpose.
Of course, a new variant that no longer reacts to the presence of these files can be put into circulation at any time, which is why this should not remain the only measure. In any case, IT managers should also check whether all security updates from Microsoft have been installed on all domain controllers and whether appropriate measures have been taken to harden them.
The report "Wir hacken Deutschland" was shown on ARD on 22.05.2017 at 22:45.
ARD describes the content as follows: "The "Internet of Things" is making its way into our four walls - with intelligent coffee machines, smart light bulbs and surveillance systems to boot. The film makes it clear how we are becoming increasingly vulnerable to networked systems."
For all those who missed this successful contribution yesterday, it is available in the ARD media library until 22.05.2018.
Ransomware "WannaCry"
Since Friday, there have been reports of worldwide IT security incidents with a high damage impact, triggered by the ransomware "WannaCry". German companies are also affected. Infection can occur via an email with a compressed file attachment. Antivirus filters on mail servers usually do not filter out the malware. Once a system in a network is infected, the malware uses a vulnerability in Microsoft Windows to spread further in the network without the user having to do anything.
By chance, a way was found to contain the spread of the malware for the time being by registering a domain that functions as a kind of "killswitch". To benefit from this, it is essential that the domain iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is accessible and that traffic to it is not filtered by a proxy or virus protection software.
However, new variants have already been spotted in which this "killswitch" has no effect. Therefore, the most important countermeasure is to install the Microsoft security update MS17-010 on all devices with a Windows operating system as soon as possible. Microsoft has also released updates for older versions of Windows, including Windows XP.
The BSI has summarized general information and recommendations for action to protect against ransomware in a dossier that can be downloaded from the BSI website. The BSI provides businesses and public authorities with information and recommendations for action via the established channels CERT-Bund, UP KRITIS and Allianz für Cyber-Sicherheit.
Update 2017-05-18
US-CERT has published a fact sheet on WannaCry.
Presentations from the workshop
Download available
During the CERT@VDE workshop at the Hannover Messe 2017, we were asked by visitors whether we could make the presentations available online. We are happy to comply with this request and are publishing the presentations here as PDF files:
- Introducing CERT@VDE
  Andreas Harner (VDE Verband der Elektrotechnik Elektronik Informationstechnik e.V.)
- Vulnerabilities in the process IT environment
  Dr. Kai Lorentz (Weidmüller Interface GmbH & Co. KG)
- Handling vulnerability reports: advantages through CERT@VDE
  Jens Schmidt (Pepperl+Fuchs GmbH)
- Trustful handling: a short path between vendors and users
  Dr. Lutz Jänicke (Phoenix Contact GmbH & Co. KG)
- Another CERT! Why?
  Prof. Dr. Klaus-Peter Kossakowski (DFN-CERT Services GmbH)
Website online
The CERT@VDE website is online as of today
Following the VDE press conference at the Hannover Messe 2017 this morning, this website was released to the public. We are delighted that the work of the last few weeks is now bearing fruit.
We will probably make a few more changes to this first public version over the next few days. Feedback on the content and design of the website is welcome.