Gotham Security Daily Threat Alerts

By Nancy Rand
Posted in Security
On April 12, 2016

April 11, Softpedia – (International) Petya ransomware unlocked, you can now recover password needed for decryption. Two security researchers have given victims of the Petya ransomware ways to retrieve locked files and unlock their computers: one researcher created two Web sites where victims can obtain the decryption password, and another researcher, from Emsisoft, created a tool that helps generate the password needed to unlock a victim’s computer. Source

April 11, SecurityWeek – (International) Nuclear exploit kit uses Tor to download payload. Researchers from Cisco discovered that the Nuclear exploit kit (EK) was dropping a Tor client for Microsoft Windows, named “tor.exe”, which issued a request over the Tor anonymity network to download a secondary payload; several domains listed in the EK’s network traffic were never registered and were not associated with any Domain Name System (DNS) traffic. Researchers noted that because the attackers used Tor to download the second payload, the malware was more difficult to trace back to its hosting system. Source
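The behaviour described in the item above (a Tor client written to disk, then a second-stage fetch that produces no DNS resolution) is something an endpoint or network team can hunt for. The following is an added example, not code from the Cisco research or from SecurityWeek: it runs two simple rules over constructed Sysmon-style process, DNS and network events. The host names, file paths, IP addresses, the key=value log format and the SANCTIONED_TOR_DIRS allowlist are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not real data): a Sysmon-style feed flattened to
# key=value pairs. Hosts, paths and IPs are placeholders.
SAMPLE_EVENTS = [
    "type=process ts=1 host=ws1 image=C:\\Users\\alice\\AppData\\Local\\Temp\\tor.exe parent=C:\\Program Files\\Mozilla Firefox\\firefox.exe",
    "type=dns ts=2 host=ws1 query=cdn.example.net answer=203.0.113.10",
    "type=network ts=3 host=ws1 image=C:\\Users\\alice\\AppData\\Local\\Temp\\tor.exe dst=198.51.100.7 dport=9001",
    "type=network ts=4 host=ws1 image=C:\\Program Files\\Mozilla Firefox\\firefox.exe dst=203.0.113.10 dport=443",
    "type=process ts=5 host=ws2 image=C:\\Program Files\\Tor Browser\\Browser\\TorBrowser\\Tor\\tor.exe parent=C:\\Program Files\\Tor Browser\\Browser\\firefox.exe",
    "type=network ts=6 host=ws2 image=C:\\Program Files\\Tor Browser\\Browser\\TorBrowser\\Tor\\tor.exe dst=192.0.2.9 dport=443",
]

# Assumption: directories where the organisation expects a Tor client to live.
SANCTIONED_TOR_DIRS = ("c:\\program files\\tor browser\\",)

# key=value pairs whose values may contain spaces (Windows paths); a value ends
# where the next "key=" begins or at end of line.
_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one key=value log line into a dict."""
    return dict(_KV.findall(line))


def analyse(lines):
    """Apply two rules and return a list of findings in event order.

    Rule 1: a process named tor.exe running outside a sanctioned directory.
    Rule 2: an outbound connection to an IP that no earlier DNS answer on the
            same host resolved to; escalated to high severity when the
            connecting image was already flagged by rule 1 on that host.
    """
    findings = []
    resolved = defaultdict(set)        # host -> IPs returned by DNS answers
    suspect_images = defaultdict(set)  # host -> images flagged by rule 1
    for line in lines:
        ev = parse_event(line)
        host, kind = ev["host"], ev["type"]
        if kind == "dns":
            resolved[host].add(ev["answer"])
        elif kind == "process":
            image = ev["image"].lower()
            if image.endswith("\\tor.exe") and not image.startswith(SANCTIONED_TOR_DIRS):
                suspect_images[host].add(image)
                findings.append({
                    "host": host, "ts": ev["ts"], "rule": "tor_client_unexpected_path",
                    "severity": "high",
                    "detail": f"{ev['image']} spawned by {ev['parent']}",
                })
        elif kind == "network":
            if ev["dst"] not in resolved[host]:
                image = ev["image"].lower()
                severity = "high" if image in suspect_images[host] else "low"
                findings.append({
                    "host": host, "ts": ev["ts"], "rule": "connection_without_dns",
                    "severity": severity,
                    "detail": f"{ev['image']} -> {ev['dst']}:{ev['dport']}",
                })
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f['severity']:4}] {f['host']} ts={f['ts']} {f['rule']}: {f['detail']}")
```

Rule 2 on its own is noisy: a Tor client reaches relays by IP addresses taken from its consensus, so a DNS-less connection from a sanctioned Tor Browser install (host ws2 in the sample) is expected and stays low severity. The combination that matches the reported behaviour is a tor.exe appearing in a user-writable location, spawned by a browser or document handler, followed by DNS-less connections from that same image.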

April 9, Softpedia – (International) CryptoHost ransomware locks your data in a password-protected RAR file. Security researchers from MalwareForMe, MalwareHunterTeam, and Bleeping Computer, together with an independent researcher, discovered a way to recover RAR files locked by the CryptoHost ransomware after an analysis revealed that it combines the user’s ID number, the motherboard serial number, and the C:\ volume serial number to generate a Secure Hash Algorithm 1 (SHA-1) hash, which is used as both the RAR file’s name and the file’s password. Researchers stated victims will need to open the Windows Task Manager, find the cryptohost.exe process, stop its execution, and unzip the RAR file. Source

April 8, SecurityWeek – (International) Cisco releases critical security updates. Cisco released six security advisories, including one for a high-impact vulnerability in the Web application programming interface (API) of Cisco Prime Infrastructure and Evolved Programmable Network Manager (EPNM) that could allow an attacker to send a crafted Uniform Resource Locator (URL) request to bypass role-based access control (RBAC) and gain elevated privileges, and one for a vulnerability in the TelePresence Server that could allow an attacker to cause a kernel panic and reboot the device, among other vulnerabilities. Source

April 8, KENS 5 San Antonio – (Texas) Ransomware attacks 20 North East ISD schools. The North East Independent School District in Texas announced April 8 that 3 separate ransomware incidents beginning in February encrypted about 2.5 terabytes of data, impacting all 20 campuses and 2 departments. Authorities asserted that students’ personal information was not compromised and that encrypted files were deleted and replaced with backup data. Source

Nancy Rand

Nancy has more than 20 years’ experience in information technology and security, solving business issues and implementing best-practice solutions that support organizational objectives. Her expertise includes leveraging, optimizing, and implementing diverse technology platforms, and management of large-scale technology projects.