DSCI Advisories on Recent Cyberattacks

DSCI Advisory - 'Maze' Ransomware

Cybercriminals are deploying new ransomware families, notably 'Maze', amid the COVID-19 outbreak and are targeting companies across the globe. According to the available information, Maze is an example of evolving malware that moves laterally within the victim's network and, beyond causing disruption, steals information so that the victim can be extorted with the threat of publication even if files are restored from backup. It is reported to arrive through e-mails carrying attachments with embedded macros; once the macro runs, the malware encrypts files using strong cryptography.

NASSCOM and DSCI advise caution and vigilance against this attack family. In the wake of the recent Maze ransomware attacks, we have released an advisory and a detailed technical analysis of the ransomware.
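Because the stated delivery channel is an e-mail attachment with embedded macros, a mail gateway or triage script can quarantine Office attachments that carry VBA macro parts before a user ever opens them. The following Python script is an added example written for this page, not DSCI's advisory code and not anything taken from the Maze samples: it opens an Office Open XML attachment as a ZIP package, looks for the parts that hold VBA (vbaProject.bin, vbaData.xml) and for the macro-enabled content type, and additionally flags a macro-bearing package that hides behind a macro-free extension such as .docx. The sample attachments are constructed in memory so the script runs offline; legacy binary formats (.doc/.xls OLE files) are outside its scope.

```python
"""Macro-bearing attachment triage (added example, not from the original advisory).

Opens Office Open XML attachments (.docx/.docm/.xlsx/.xlsm/.pptx/.pptm) as ZIP
packages and reports whether they carry VBA macro parts. Sample attachments are
constructed in memory so the script runs offline.
"""
import io
import zipfile

MACRO_PART_SUFFIXES = ("vbaProject.bin", "vbaData.xml")   # parts that hold VBA code/data
MACRO_CONTENT_TYPE_MARK = "macroenabled"                  # appears in macro-enabled main part types
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")       # formats that must never carry macros


def inspect_ooxml(filename, data):
    """Return a findings dict for one attachment; verdict is one of
    'not-ooxml', 'clean', 'macro' or 'suspicious'."""
    result = {"filename": filename, "is_ooxml": False, "macro_parts": [],
              "macro_content_type": False, "extension_mismatch": False,
              "verdict": "not-ooxml"}
    try:
        package = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result                       # not a ZIP container, so not OOXML
    with package:
        names = package.namelist()
        if "[Content_Types].xml" not in names:
            return result                   # a ZIP, but not an OOXML package
        result["is_ooxml"] = True
        result["macro_parts"] = [n for n in names if n.endswith(MACRO_PART_SUFFIXES)]
        content_types = package.read("[Content_Types].xml").decode("utf-8", "replace")
        result["macro_content_type"] = MACRO_CONTENT_TYPE_MARK in content_types.lower()
    has_macro = bool(result["macro_parts"]) or result["macro_content_type"]
    result["extension_mismatch"] = has_macro and filename.lower().endswith(MACRO_FREE_EXTENSIONS)
    if not has_macro:
        result["verdict"] = "clean"
    elif result["extension_mismatch"]:
        result["verdict"] = "suspicious"    # macros behind an extension that should never carry them
    else:
        result["verdict"] = "macro"         # declared macro-enabled document: policy decision
    return result


def triage(attachments):
    """Inspect (filename, bytes) pairs; return the names of attachments to quarantine."""
    return [r["filename"] for r in (inspect_ooxml(n, d) for n, d in attachments)
            if r["verdict"] in ("macro", "suspicious")]


def build_sample(with_macro):
    """Construct a minimal Word package in memory (constructed test data, not a real document)."""
    if with_macro:
        main_type = "application/vnd.ms-word.document.macroEnabled.main+xml"
        extra = ('<Override PartName="/word/vbaProject.bin" '
                 'ContentType="application/vnd.ms-office.vbaProject"/>')
    else:
        main_type = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
        extra = ""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        f'{extra}</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as package:
        package.writestr("[Content_Types].xml", content_types)
        package.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            package.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder-vba-stream")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("invoice.docm", build_sample(True)),    # declared macro document
        ("invoice.docx", build_sample(True)),    # macro parts hidden behind a .docx name
        ("report.docx", build_sample(False)),    # ordinary document
        ("notes.txt", b"plain text, not a package"),
    ]
    for name, blob in samples:
        print(inspect_ooxml(name, blob))
    print("quarantine:", triage(samples))
```

The "macro" verdict is deliberately separate from "suspicious": some organisations legitimately exchange .docm/.xlsm files, so blocking declared macro documents is a policy choice, whereas a package that carries vbaProject.bin under a .docx name has no legitimate reason to exist and should always be quarantined.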

DSCI advisory on Troldesh & Camubot

As part of our Threat Intelligence & Research initiative, we are glad to publish this advisory. This edition covers:

  • Troldesh (Shade) – a new variant in action that continues to hit businesses
  • CamuBot banking malware – malware that disguises itself as a bank security module, steals banking credentials and is capable of bypassing biometric authentication

This advisory is an effort to spread awareness of pertinent cyber threats and includes advice for organisations on the best practices to follow to better combat sophisticated cyber-attacks.

DSCI Updates on BadRabbit Ransomware

What is BadRabbit Ransomware?
27-10-2017
BadRabbit (the name used by Group-IB, taken from the title of its ransom note) is ransomware that affects Microsoft Windows systems. The outbreak had a considerable impact in the affected countries. It is delivered as a fake Adobe Flash Player update served from compromised websites and is reported to be an improved variant of the NotPetya ransomware. It demands a ransom of 0.05 BTC (about $280 at the time).

DSCI Updates on CCleaner

What’s this CCleaner Attack?
Recently, security researchers at Cisco Talos discovered that attackers had injected malware into Piriform's CCleaner and CCleaner Cloud. This is of concern because CCleaner is used by over 75 million users worldwide to optimise their PCs. Approximately 2.27 million users were reported to have run the malware-laden version. Piriform confirmed that CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems, were illegally modified before they were released to the public. The attackers gained access to Piriform's build and release infrastructure and injected a two-stage backdoor into the executable binaries of CCleaner and CCleaner Cloud; because the modified installers carried Piriform's valid code-signing certificate, they passed the checks that normally protect software updates. The backdoor is capable of remotely executing code on affected systems, and its second stage was reported to target selected top technology companies. The rogue command-and-control server has since been taken down.

How to counter this malicious attack

1. Remove the affected versions of CCleaner and CCleaner Cloud.

2. Download the latest stable release from the Piriform website (CCleaner 5.34 or later) and verify the installer's digital signature before running it.

3. It is also advised, though not mandatory, to format and re-install the affected endpoints, since the backdoor ran with the user's privileges and may have delivered a second stage.

4. Organisations using an application blacklisting (or allow-listing) solution can block the installation of the affected versions of CCleaner and CCleaner Cloud.

To know more about the attack, read our blog post on CCleaner.

DSCI Updates on BlueBorne

What is BlueBorne?
BlueBorne is a collection of vulnerabilities in Bluetooth stack implementations, not in the Bluetooth protocol specification itself. Together they create a new attack vector affecting mobile, desktop and IoT operating systems: an attacker within Bluetooth range can gain complete control of the target device, including access to any stored information, without pairing with it and without any user interaction; the device only needs Bluetooth switched on. It was discovered by Armis, a US-based IoT security lab, which disclosed eight vulnerabilities in the Bluetooth implementations of Android, Windows, Linux and iOS. Combined, these vulnerabilities allow an unauthenticated attacker in radio range to obtain private information about the device or its user, or to execute arbitrary code on the device.

DSCI Updates on Petya Ransomware

What is Petya Ransomware?
Petya / Petrwrap / NotPetya / GoldenEye / ExPetr (the last name assigned by Kaspersky Lab) is ransomware that affects Microsoft Windows systems. The outbreak, though smaller than the earlier WannaCry attack, had a considerable impact. It reuses the boot-record encryption of the previously known Petya ransomware and spreads inside networks through the same SMB exploit used by WannaCry as well as with credentials stolen from infected machines. It demands a ransom of $300 worth of Bitcoin paid to a single wallet and directs victims to a Posteo e-mail address, wowsmith123456@posteo.net, which the provider disabled shortly after the outbreak began, leaving victims no way to obtain a decryption key even after paying.

Petya / GoldenEye / ExPetr Ransomware Crisis

CERT-In Advisory

Reference: CERT-In advisory

Incident Response Help Desk

DSCI Updates on WannaCry Ransomware

A new ransomware named "WannaCry" is spreading widely across the globe.

WannaCry encrypts files on infected Windows systems. It spreads by exploiting a vulnerability in Microsoft's implementation of the Server Message Block version 1 (SMBv1) protocol, which Microsoft patched in security bulletin MS17-010 in March 2017; the exploit is known as ETERNALBLUE. The ransomware, also called WannaCrypt, encrypts the user's files (not the whole disk) and then spreads laterally to other computers on the same LAN, and to random hosts on the Internet, over TCP port 445. Malicious e-mail attachments were also reported as a delivery channel, although the SMB worm component is what drove the outbreak.
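The worm component depends on a host answering SMBv1 on TCP/445, so an inventory of hosts that still negotiate the SMBv1 dialect is the first exposure check a defender wants. The following Python script is an added example written for this page, not CERT-In's or DSCI's tooling: it builds a raw SMB_COM_NEGOTIATE request that offers only the SMBv1 dialect "NT LM 0.12", sends it to a host and reports whether the server accepted it (a Windows host with SMBv1 disabled simply closes the connection, and an SMB2-only server answers with an SMB2 header). The server reply used for the offline self-check is constructed in memory; the target host and port are command-line arguments. Note the caveat: a host that accepts SMBv1 is exposed to this spreading mechanism unless MS17-010 is installed, but the probe does not itself test for the patch.

```python
"""SMBv1 exposure probe (added example, not from the original advisory).

Sends a raw SMB_COM_NEGOTIATE request offering only the SMBv1 dialect
"NT LM 0.12" and reports whether the server accepts it. Hosts that accept
SMBv1 are reachable by the ETERNALBLUE spreading mechanism unless patched.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
SMB1_DIALECT = "NT LM 0.12"
NO_DIALECT_ACCEPTED = 0xFFFF


def smb1_header(flags):
    """32-byte SMB1 header for a negotiate message (all session ids zero)."""
    return struct.pack(
        "<4sBIBHH8sHHHHH",
        SMB1_MAGIC,          # protocol identifier
        SMB_COM_NEGOTIATE,   # command
        0,                   # NT status
        flags,               # flags (0x18 = canonical paths, case-insensitive)
        0xC853,              # flags2: Unicode, NT status codes, extended security, long names
        0,                   # PID high
        b"\x00" * 8,         # security signature (unused before session setup)
        0,                   # reserved
        0,                   # TID
        0x1234,              # PID (arbitrary)
        0,                   # UID
        0,                   # MID
    )


def build_negotiate_request(dialects=(SMB1_DIALECT,)):
    """NetBIOS-framed SMB1 negotiate request listing the given dialects."""
    dialect_bytes = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(dialect_bytes)) + dialect_bytes  # WordCount=0, ByteCount
    smb = smb1_header(0x18) + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb  # NetBIOS session message header


def parse_negotiate_response(data):
    """Classify a server reply: SMB1 (and whether our dialect was accepted), SMB2+, or unknown."""
    result = {"protocol": "unknown", "dialect_index": None, "smb1_accepted": False}
    smb = data[4:] if len(data) >= 4 else b""   # strip the NetBIOS session header
    if smb[:4] == SMB2_MAGIC:
        result["protocol"] = "SMB2+"            # server skipped SMB1 entirely
        return result
    if smb[:4] != SMB1_MAGIC or len(smb) < 35:
        return result                            # closed connection, reset, or garbage
    result["protocol"] = "SMB1"
    command, word_count = smb[4], smb[32]
    if command != SMB_COM_NEGOTIATE or word_count == 0:
        return result                            # error responses carry no parameter words
    (dialect_index,) = struct.unpack_from("<H", smb, 33)  # first parameter word
    result["dialect_index"] = dialect_index
    result["smb1_accepted"] = dialect_index != NO_DIALECT_ACCEPTED
    return result


def constructed_smb1_response(dialect_index):
    """Constructed server reply (test data, not a capture): WordCount=17 negotiate response."""
    words = struct.pack("<H", dialect_index) + b"\x00" * 32   # DialectIndex + 16 zeroed words
    body = bytes([17]) + words + struct.pack("<H", 0)         # WordCount, words, ByteCount=0
    smb = smb1_header(0x98) + body                            # 0x98: reply bit plus request flags
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def probe_smb1(host, port=445, timeout=3.0):
    """Connect to host:port, send the negotiate request and classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            reply = sock.recv(4096)
    except OSError as exc:
        return {"host": host, "reachable": False, "error": str(exc), "smb1_accepted": False}
    result = parse_negotiate_response(reply)
    result.update(host=host, reachable=True)
    return result


def main(argv):
    # Offline self-check on constructed replies, then an optional live probe.
    for idx in (0, NO_DIALECT_ACCEPTED):
        print("constructed reply, DialectIndex=%#06x ->" % idx,
              parse_negotiate_response(constructed_smb1_response(idx)))
    if len(argv) > 1:
        port = int(argv[2]) if len(argv) > 2 else 445
        verdict = probe_smb1(argv[1], port)
        print(argv[1], "SMBv1 ACCEPTED - exposed" if verdict["smb1_accepted"]
              else "SMBv1 not accepted", verdict)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python smb1_probe.py <host> [port]` against hosts you are authorised to test. Offering only "NT LM 0.12" is the point of the probe: a client that also lists "SMB 2.002" would be steered to SMB2 by a modern server and the SMBv1 exposure would go unnoticed.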

Best Practices Compilation on WannaCry / WannaCrypt Ransomware

CERT-In Advisory

Reference: CERT-In advisory

Incident Response Help Desk

CERT-In presentation on WannaCry