IoT Security Incidents

Internet of Things (IoT) is the latest trend in the market. As always with anything related to information and data, there are hackers lurking around to make maximum use of any security vulnerability overlooked by our efficient developers. Hackers have put their blood and soul into understanding the various loopholes in IoT and pose a constant challenge to the developer community. Here is a summary, gathered from various sources, of IoT devices that were compromised and of the best practices that keep our devices secure from further hacking incidents.

  1. Stuxnet:
    • Between 2010 and 2014
    • Target: Industrial programmable logic controllers (PLCs); the case illustrates the inherent danger in IoT devices
    • Attack: The attack was purportedly launched to sabotage the uranium enrichment facility in Natanz, Iran. Many experts believe that Stuxnet destroyed up to 1,000 centrifuges. Stuxnet was not a typical IoT attack, because it relied on the PLC devices to be connected to a machine running the Windows operating system. Even so, this should have served as a clear warning sign that smart devices can be compromised
    • Lesson Learnt: Mission-critical devices that rely on a standard PC platform should not be attached to a WAN unless absolutely necessary and need to be safeguarded from access by non-critical personnel.
  2. Mirai Botnet (aka Dyn Attack):
    • 2016
    • Target: Infected numerous IoT devices (primarily older routers and IP cameras)
    • Attack: Took down Etsy, GitHub, Netflix, Shopify, SoundCloud, Spotify, Twitter, and a number of other major websites. This piece of malicious code took advantage of devices running out-of-date versions of the Linux kernel and relied on the fact that most users do not change the default usernames/passwords on their devices.
    • Lesson Learnt:
      • Devices that cannot have their software, passwords, or firmware updated should never be implemented.
      • Changing the default username and password should be mandatory for the installation of any internet device
      • Passwords for IoT devices should be unique per device, especially when they are connected to the Internet.
      • Always patch IoT devices with the latest software and firmware updates to mitigate vulnerabilities.
  3. Hackable cardiac devices from St. Jude:
    • January 2017
    • Target: St. Jude Medical’s implantable cardiac devices.
    • Attack: The devices, such as pacemakers and defibrillators, are used to monitor and control patients’ heart functions and prevent heart attacks. The vulnerability was in the transmitter that reads the device’s data and remotely shares it with physicians. The FDA said hackers could control a device by accessing its transmitter; once in, they could deplete the battery or administer incorrect pacing or shocks.
    • Lesson Learnt: Have an authorization mechanism in place to ensure only authorized physicians have access to such devices.
  4. Owlet Wi-Fi baby heart monitor:
    • 2016
    • Target: Owlet Wi-Fi baby heart monitoring device
    • Attack: The device alerts parents when their babies experience heart trouble. The connectivity element makes such devices exploitable, and if manufacturers and developers do not consider this and take extra steps to secure devices at the hardware layer, these are stories that we will, unfortunately, keep hearing.
    • Lesson Learnt: Manufacturers need to secure devices at the hardware layer.
  5. TRENDnet webcam hack:
    • April 2010 until January 2012
    • Target: SecurView cameras, marketed as secure, for uses ranging from home security to baby monitoring
    • Attack: TRENDnet had faulty software that let anyone who obtained a camera’s IP address look through it, and sometimes listen as well. TRENDnet transmitted user login credentials in clear, readable text over the Internet, and its mobile apps for the cameras stored consumers’ login information in clear, readable text on their mobile devices, the FTC said.
    • Lesson Learnt: It is basic security practice to protect camera IP addresses from unauthorized access and to encrypt login credentials, or at least password-protect them; TRENDnet’s failure to do so was surprising.
  6. Jeep hack:
    • July 2015
    • Target: Jeep SUV
    • Attack: By exploiting a firmware update vulnerability, a team of researchers took total control of a Jeep SUV through the vehicle’s CAN bus, hijacked the vehicle over the Sprint cellular network and found they could make it speed up, slow down and even veer off the road. It is a proof of concept for emerging Internet of Things (IoT) hacks: while companies often ignore the security of peripheral devices or networks, the consequences can be disastrous.
    • Lesson Learnt: Manufacturers need to secure peripheral devices and networks.
  7. Thermal power reboot:
    • November 2016
    • Target: Heating system of two buildings in the city of Lappeenranta, Finland
    • Attack: This was another DDoS attack; in this case, the attack caused the heating controllers to continually reboot the system, so the heating never actually kicked in. Because temperatures in Finland dip well below freezing at that time of year, this attack was significant.
    • Lesson Learnt: Your network needs to be monitored frequently for DDoS (and other) attacks. The second you see suspect activity on your network, act.
  8. BrickerBot:
    • May 2017
    • Target: Unsecured internet-connected devices
    • Attack: This attack worked in similar fashion to the Mirai botnet, in that it relied upon a DDoS attack and on users not changing the default username/password of their device. The biggest difference between BrickerBot and the Mirai botnet is that BrickerBot (as the name implies) simply kills the device. This could be a serious hit to a company’s bottom line if a large deployment of IoT devices is rolled out, only to have them simultaneously bricked.
    • Lesson Learnt: If your devices ship with a default username/password, change them immediately.
  9. Botnet barrage:
    • 2017
    • Target: An unnamed university’s network, whose connectivity became slow or inaccessible
    • Attack: When senior members of the campus IT staff started receiving numerous complaints about slow or inaccessible network connectivity, they discovered their name servers were producing a high volume of alerts and showing an abnormal number of sub-domains related to seafood. It turned out that more than 5,000 discrete systems were making hundreds of DNS lookups every 15 minutes. The botnet spread via brute-force attacks against weak passwords on IoT devices.
    • Lesson Learnt: Always be on the alert for suspect network activity and make sure to secure your IoT devices with stronger-than-usual passwords.
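The botnet barrage was spotted from the name servers: thousands of clients each making hundreds of lookups every 15 minutes, all for sub-domains under one theme. The following is an added example, not code from the original post, that implements that check over resolver log lines; the log layout (`<ISO timestamp> <client IP> <queried name>`), the per-window threshold and the sample lines are all constructed assumptions.

```python
"""Flag resolver clients whose lookup rate or sub-domain churn is abnormal, per 15-minute window."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

WINDOW_MINUTES = 15
# Assumed threshold; derive the real value from your own resolver baseline.
LOOKUPS_PER_WINDOW = 100


def parse_line(line):
    """Parse an assumed '<ISO timestamp> <client IP> <queried name>' log line."""
    ts, client, qname = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def window_start(ts, minutes=WINDOW_MINUTES):
    """Floor a timestamp to the start of its window (08:07 -> 08:00 for 15-minute windows)."""
    return ts.replace(minute=(ts.minute // minutes) * minutes, second=0, microsecond=0)


def base_domain(qname):
    """Collapse 'salmon7.example-seafood.test' to 'example-seafood.test' (last two labels)."""
    return ".".join(qname.split(".")[-2:])


def noisy_clients(lines, threshold=LOOKUPS_PER_WINDOW):
    """Return {client: [(window_start, lookups), ...]} for clients over the threshold in any window."""
    per_client = defaultdict(Counter)
    for line in lines:
        ts, client, _ = parse_line(line)
        per_client[client][window_start(ts)] += 1
    return {
        client: sorted((w, n) for w, n in windows.items() if n >= threshold)
        for client, windows in per_client.items()
        if max(windows.values()) >= threshold
    }


def dominant_base_domains(lines, top=3):
    """Rank base domains by the number of distinct sub-domains queried beneath them."""
    subdomains = defaultdict(set)
    for line in lines:
        _, _, qname = parse_line(line)
        subdomains[base_domain(qname)].add(qname)
    return Counter({d: len(names) for d, names in subdomains.items()}).most_common(top)


def constructed_sample():
    """Constructed log lines (not real data): one host burning through seafood-themed names, one normal host."""
    fish = ["salmon", "tuna", "shrimp", "lobster", "oyster", "crab", "clam", "squid", "cod", "eel"]
    start = datetime(2017, 2, 1, 8, 0, 0)
    lines = [
        f"{(start + timedelta(seconds=5 * i)).isoformat()} 10.20.5.17 "
        f"{fish[i % len(fish)]}{i}.example-seafood.test"
        for i in range(150)          # 150 lookups inside the 08:00-08:15 window
    ]
    lines += [
        "2017-02-01T08:01:10 10.20.9.4 www.example.test",
        "2017-02-01T08:03:42 10.20.9.4 mail.example.test",
    ]
    return lines


if __name__ == "__main__":
    sample = constructed_sample()
    for client, windows in noisy_clients(sample).items():
        print(client, [(w.strftime("%H:%M"), n) for w, n in windows])
    print(dominant_base_domains(sample))
```

In production the same two functions run over each 15-minute batch of resolver logs; a single base domain with hundreds of fresh sub-domains is the signal the university staff saw.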


Deloitte Hacked !!

What actually happened: On 25 September 2017, news that Deloitte had been the victim of a cyber-attack hit social media. One of the Big Four had had its global clients’ confidential emails, usernames, passwords, IP addresses, architectural diagrams for businesses and health information compromised. A few email attachments with sensitive security and design details are also considered compromised.


About the firm: One of the world’s “big four” accountancy firms, along with Ernst & Young (E&Y), KPMG and PricewaterhouseCoopers (PwC). Deloitte provides auditing, tax consultancy and high-end cybersecurity advice to some of the world’s biggest banks, multinational companies, media enterprises, pharmaceutical firms and government agencies.

Attack pattern: Deloitte is said to have discovered the hack in March 2017; however, it is believed the attackers may have had access to its systems since October or November 2016. Like Amazon Web Services and Google’s cloud platform, Microsoft has its own cloud platform, namely Azure. Deloitte stored all its official emails on the Azure cloud service.


Hackers compromised the firm’s global email server through an “administrator’s account” that granted them privileged access to the cloud.

According to sources, this privileged account required just a single password rather than “two-factor authentication”.

Who has been impacted so far: To date, six of Deloitte’s clients are said to have been informed that their information was “impacted” by the hack. Deloitte’s internal review of the incident is ongoing.

According to sources, an estimated 5 million emails were in the “cloud” and could have been accessed by the hackers. Deloitte said the number of emails at risk was a fraction of this number.

Post Attack: “In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte,” a spokesman said.

“As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators.

“The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers.

“We remain deeply committed to ensuring that our cybersecurity defences are best in class, to investing heavily in protecting confidential information and to continually reviewing and enhancing cybersecurity. We will continue to evaluate this matter and take additional steps as required.

“Our review enabled us to determine what the hacker did and what information was at risk as a result. That amount is a very small fraction of the amount that has been suggested.”

“Cyber risk is more than a technology or security issue, it is a business risk,” Deloitte tells potential customers on its website.

“While today’s fast-paced innovation enables strategic advantage, it also exposes businesses to potential cyber-attack. Embedding best practice cyber behaviours help our clients to minimise the impact on business.”

Deloitte has a “CyberIntelligence Centre” to provide clients with “round-the-clock business focussed operational security”.

“We monitor and assess the threats specific to your organisation, enabling you to swiftly and effectively mitigate risk and strengthen your cyber resilience,” its website says. “Going beyond the technical feeds, our professionals are able to contextualize the relevant threats, helping determine the risk to your business, your customers and your stakeholders.”

Conclusion: Irrespective of the name or nature of the business carried out by any organization, company or firm, hacking incidents are bound to occur. There is no stopping such incidents. When a “big four” firm itself was lenient in its process of procuring a third-party cloud service such as Azure, how secure are the rest of us in the cloud?

Multi-factor authentication (MFA) is not a new term in IT. Organizations should first conduct thorough design reviews, read the service documents and installation guides, and draw up a customized Service Level Agreement (SLA) and Possible Breach Agreement (PBA) before signing documents with other parties. Just because the other party is an established firm in the industry does not mean we can waive our due diligence and lose all the trust earned in the industry.

Till next time, stay safe, be secure.


Petya – Recommendations Updates

In our previous blog, we saw technical details and fix recommendations from various security agencies and security professionals.

According to multiple reports, this Petya ransomware campaign has infected organizations in several sectors including finance, transportation, energy, commercial facilities, and healthcare. While these victims are business entities, other Windows systems without patches installed for the vulnerabilities in MS17‑010, CVE-2017-0144, and CVE-2017-0145 are at risk of infection.

Negative consequences of ransomware infection include the following:

  • temporary or permanent loss of sensitive or proprietary information,
  • disruption to regular operations,
  • financial losses incurred to restore systems and files, and
  • potential harm to an organization’s reputation.

NCCIC recommends against paying ransoms; doing so enriches malicious actors while offering no guarantee that the encrypted files will be released. In this incident, the email address used for payment validation was shut down by the email provider, so payment is especially unlikely to lead to data recovery. [1] According to the reports, the sites below are C2 payment sites for this activity. These sites are not included in the CSV package as IOCs.


Network Signatures

Organizations are recommended to coordinate with their security vendors to ensure appropriate coverage for this threat. Because there is overlap between the WannaCry and Petya activities, many of the available rulesets can protect against both malware strains when appropriately implemented. The following rulesets, provided in publicly available sources, may help detect this activity:

  • sid:2001569, “ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection” [2]
  • sid:2012063, “ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference (CVE-2009-3103)” [3]
  • sid:2024297, “ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010” [4]
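Once those rules are loaded, the alerts still need triage. The following is an added example, not part of the advisory, that reads Suricata EVE-JSON alert lines, keeps only the three signature IDs listed above and ranks source hosts by how many distinct destinations they triggered against, since one host tripping MS17-010 signatures against many neighbours on port 445 looks like worm propagation rather than a stray false positive. The `event_type` and `alert.signature_id` field names are Suricata’s; the records themselves are constructed.

```python
"""Triage Suricata EVE-JSON alerts for the ET signature IDs named in the advisory."""
import json
from collections import defaultdict

# Signature IDs quoted in the text above.
PETYA_WANNACRY_SIDS = {2001569, 2012063, 2024297}

# Constructed EVE records (not captured traffic): one host hitting three neighbours on 445,
# one unrelated alert with a placeholder SID, one non-alert event and one malformed line.
SAMPLE_EVE = [
    '{"timestamp":"2017-06-27T10:15:00.000000+0000","event_type":"alert","src_ip":"10.0.0.23",'
    '"dest_ip":"10.0.0.41","dest_port":445,"proto":"TCP","alert":{"signature_id":2024297,'
    '"signature":"ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010","severity":1}}',
    '{"timestamp":"2017-06-27T10:15:02.000000+0000","event_type":"alert","src_ip":"10.0.0.23",'
    '"dest_ip":"10.0.0.42","dest_port":445,"proto":"TCP","alert":{"signature_id":2024297,'
    '"signature":"ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010","severity":1}}',
    '{"timestamp":"2017-06-27T10:15:05.000000+0000","event_type":"alert","src_ip":"10.0.0.23",'
    '"dest_ip":"10.0.0.43","dest_port":445,"proto":"TCP","alert":{"signature_id":2001569,'
    '"signature":"ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection","severity":2}}',
    '{"timestamp":"2017-06-27T10:16:00.000000+0000","event_type":"alert","src_ip":"10.0.0.77",'
    '"dest_ip":"10.0.0.5","dest_port":80,"proto":"TCP","alert":{"signature_id":9000001,'
    '"signature":"CONSTRUCTED unrelated rule (placeholder SID)","severity":3}}',
    '{"timestamp":"2017-06-27T10:16:30.000000+0000","event_type":"flow","src_ip":"10.0.0.23",'
    '"dest_ip":"10.0.0.44","dest_port":445,"proto":"TCP"}',
    "this line is not JSON",
]


def parse_alerts(lines):
    """Yield alert records only; skip other event types and lines that are not valid JSON."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert" and isinstance(rec.get("alert"), dict):
            yield rec


def rank_sources(lines, sids=PETYA_WANNACRY_SIDS):
    """Aggregate matching alerts per source IP.

    Returns dicts {"src_ip", "alerts", "distinct_dests", "sids"} sorted so that the source
    touching the most distinct (dest_ip, dest_port) pairs comes first.
    """
    per_src = defaultdict(lambda: {"alerts": 0, "dests": set(), "sids": set()})
    for rec in parse_alerts(lines):
        sid = rec["alert"].get("signature_id")
        if sid not in sids:
            continue
        entry = per_src[rec.get("src_ip", "?")]
        entry["alerts"] += 1
        entry["dests"].add((rec.get("dest_ip"), rec.get("dest_port")))
        entry["sids"].add(sid)
    ranked = [
        {"src_ip": src, "alerts": e["alerts"],
         "distinct_dests": len(e["dests"]), "sids": sorted(e["sids"])}
        for src, e in per_src.items()
    ]
    return sorted(ranked, key=lambda e: (e["distinct_dests"], e["alerts"]), reverse=True)


if __name__ == "__main__":
    for row in rank_sources(SAMPLE_EVE):
        print(row)
```
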

Recommended Steps for Prevention
  • Apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017. [5]
  • Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate in-bound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
  • Scan all incoming and outgoing emails to detect threats and filter executable files from reaching the end users.
  • Ensure anti-virus and anti-malware solutions are set to automatically conduct regular scans.
  • Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
  • Configure access controls including file, directory, and network share permissions with least privilege in mind. If a user only needs to read specific files, they should not have write access to those files, directories, or shares.
  • Disable macro scripts from Microsoft Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full Office suite applications.
  • Develop, institute, and practice employee education programs for identifying scams, malicious links, and attempted social engineering.
  • Run regular penetration tests against the network, no less than once a year. Ideally, run these as often as possible and practical.
  • Test your backups to ensure they work correctly upon use.
  • Utilize host-based firewalls and block workstation-to-workstation communications.

Recommendations for Network Protection
  • Disable SMBv1 and
  • Block all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.

Note: disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices. The benefits of mitigation should be weighed against potential disruptions to users.

Review US-CERT’s Alert on The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations [6] and consider implementing the following best practices:

  1. Segregate networks and functions.
  2. Limit unnecessary lateral communications.
  3. Harden network devices.
  4. Secure access to infrastructure devices.
  5. Perform out-of-band network management.
  6. Validate integrity of hardware and software.

Recommended Steps for Remediation
  • Contact law enforcement. We strongly encourage you to contact a local cyber security incident reporting office upon discovery to report an intrusion and request assistance. Maintain and provide relevant logs.
  • Implement your security incident response and business continuity plan. Ideally, organizations should ensure they have appropriate backups so their response is simply to restore the data from a known clean backup.

General Advice for Defending Against Ransomware

Precautionary measures to mitigate ransomware threats include:

  • Ensure anti-virus software is up-to-date.
  • Implement a data backup and recovery plan to maintain copies of sensitive or proprietary data in a separate and secure location. Backup copies of sensitive data should not be readily accessible from local networks.
  • Scrutinize links contained in emails, and do not open attachments included in unsolicited emails.
  • Only download software—especially free software—from sites you know and trust.
  • Enable automated patches for your operating system and Web browser.

Until next time, stay secure.

SecureFirst Solutions Private Limited is a security centric Product-cum-Services Organization assisting its Clients to develop and maintain security applications. Our offerings are classified broadly into two categories:
1. Product: Vulnerability Management System (VMS)
2. Services: Security as a Service (SaaS)
3. On-premise classroom trainings

Download our brochure at:

Learn more about our Security Offerings at:



Petya – Ransomware, malware, worm, virus

PETYA !! What’s in the name? A thick black smoke that crashed the world with its jet BLACK screen and RED font.

When a security professional identifies a SQL injection, cross-site scripting (XSS), distributed denial of service (DDoS) or even coincidentally stumbles upon a remote code execution (RCE) attack, the development team’s first reaction to the list of reported vulnerabilities will be: “So what the fuzz?? What is the impact to the business?? We have invested heavily in a Web Application Firewall (WAF) and load balancers, given proper KT (knowledge transfer) to developers on security, etc. Do you think we are all dumb and WAFs are incapable of stopping a simple RCE?? We are running the latest version of TLS and have a proper patch management process in place. We will set aside your findings, since our clients want this application to move to production tonight; give us a sign-off or face my wrath.” Now is the time for security professionals to show such development teams the real-time consequences of not fixing those identified security vulnerabilities.

  • Recent Past:
    • Brief: On May 12, 2017, the world woke up and helplessly watched a massive ransomware attack encrypt all the personal data on their computers. This ransomware was named WannaCry / WannaCrypt.
    • Technical Details:
    • Attack pattern: Mostly received as part of a phishing email:
      • Users receive an infected file, open it and let malicious code into the computer
      • The code then runs, encrypting most file formats using a remote command-and-control server, and locks down all the user data on the local machine
      • Once the encryption process is complete, users are asked to reboot their computers, after which they are unable to access any files
      • A ransom demand screen is displayed to any user who tries accessing their own files, demanding a payment of $300 in Bitcoin for the decryption key
      • Even where users made the payment, there were no records of any user getting their encrypted data back
    • The fix: Though this ransomware created a mess overnight and infected nearly 300,000 computers worldwide, the attack was short-lived, since a security researcher stumbled upon the fix by accidentally buying a domain ending with “”, putting an end to this nightmare
  • Present:
    • Brief: Even before the world could recover from the WannaCry threat, there were several rumours of a second version of the same ransomware. UIWIX was one such infamous ransomware that failed to make much of a splash. On June 27, 2017, the world was unknowingly waiting to embrace a similar but much more effective version of WannaCry. This time the name was inherited from an earlier ransomware family, namely PETYA. As of Tuesday, Microsoft counted at least 12,500 infected systems across 65 countries and counting, including Belgium, Brazil, Britain, Denmark, Germany, Russia and the United States.
    • Technical Details:

Petya is a ransomware family that crashes the system by gaining access to the Master Boot Record (MBR). It spreads over the Windows Server Message Block (SMB) protocol, reportedly using the ETERNALBLUE exploit tool, which exploits the CVE-2017-0144 vulnerability and was initially released by the Shadow Brokers in April 2017.

Petya, also called NotPetya, SortaPetya, Petna, ExPetr, GoldenEye and Nyetya, was initially believed to be ransomware; however, some security practitioners claim Petya is a wiper, which deletes data completely from one’s hard disk, making it impossible for the user to ever access his/her files again.


Observations by security experts:

  • In a ransomware attack, each victim is supplied with a unique bitcoin address to help the attackers know who has paid. NotPetya, however, gives the same address to every victim
  • The listed email was an account hosted by the German company Posteo, which quickly shut the account down, making it impossible for victims to reach the attackers
  • Even if a victim paid the ransom, security firm Kaspersky Lab suspects that NotPetya’s developers cannot decrypt any computers
  • In the case of NotPetya, the installation ID, which a paying victim must furnish to the attackers so they can reveal the decryption key, consists solely of random data
  • “That means that the attacker cannot extract any decryption information from such a randomly generated string displayed on the victim, and as a result, the victims will not be able to decrypt any of the encrypted disks using the installation ID,” Kaspersky Lab researchers Anton Ivanov and Orkhan Mamedov write
    • Attack Pattern:
      • Infection: The well-known Ukrainian software MEDoc was infected with the Petya DLL by attackers in order to deliver it to MEDoc’s end users
      • Installation: This variant of Petya is spread as a DLL file and is dependent on another process before it takes action on the system. Once executed, it overwrites the Master Boot Record (MBR) and creates a scheduled task to reboot the system. After the system reboots, the malware displays a fake “chkdsk” scan that tricks the victim into believing the program is repairing their hard drive. In reality, the malware is encrypting the NTFS Master File Table in the background. The fake chkdsk completes and the malware displays a ransom note demanding a payment of $300 in bitcoin
      • Communication: Petya contains no currently known command-and-control mechanism. After a host is infected, there is no communication from the malware back to the attacker
      • Circulation: Petya uses the following mechanisms to spread across hosts:
        • Scans the local /24 to enumerate ADMIN$ shares on other systems, then copies itself to those hosts and executes the malware using PsExec. This is only possible if the infected user has the rights to write files and execute them on the system hosting the share
        • Uses the Windows Management Instrumentation Command-line (WMIC) tool to connect to hosts on the local subnet and attempts to execute itself remotely on those hosts. It can use Mimikatz to extract credentials from the infected system and use them to execute itself on the targeted host
        • Finally, attempts to use the ETERNALBLUE exploit tool against hosts on the local subnet. This will only succeed if the targeted host does not have the MS17-010 patches deployed
      • The fix: Here are some fix recommendations from various sites to help protect your computers from this ransomware/malware worm
      • Future: Not sure how much this hurts human emotions, but the future is not something everyone can foresee. [On a lighter note] We have to look to the prophecies documented by Nostradamus to help us find an answer to all these human pains. [On a serious note, as said by a great person] If a hacker wants to attack you, there is not much you can do to stop them; you can only make it harder for him/her.
      • Reason behind all these attacks: Phishing emails, ignorance from users, SMB version 1, NSA, Shadow Brokers, EternalBlue, MEDoc, Petya DLL



WannaCry and Petya are just the tip of the iceberg; there are many such security vulnerabilities out in the wild just waiting to be unleashed. Ransomware is undoubtedly the current threat to be dealt with, and ASAP. The actors behind this threat are continuously experimenting and enhancing their hacking skills on real-world users and creating havoc globally.

This is not the time to freak out; it is a learning curve for both hackers and end users. In the current scenario, there are going to be a lot of openings in the information security field. So keep yourselves updated and educated, and remember: ignorance is not an option.

Until next time, stay secure.




UIWIX Ransomware

By now we are aware of what happened on May 12, 2017: a new variant of the Ransom.CryptXXX family (detected as Ransom.Wannacry) of ransomware began spreading widely, impacting a large number of organizations, particularly in Europe.


Just within a week, on May 17, 2017, another ransomware, namely UIWIX, was out to disrupt the market.


This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It connects to certain websites to send and receive information.

Figure 1: Ransom demand screen displayed by UIWIX Trojan

This Ransomware avoids encrypting files with the following strings in their file name:

  • .com; .sys; boot.ini; Bootfont.bin; bootmgr; BOOTNXT; BOOTSECT.BAK; NTDETECT.COM; ntldr; NTUSER.DAT; PDOXUSRS.NET
  • \Windows; \Program Files

It avoids encrypting files on machines that have a locale set to Russia, Kazakhstan, or Belarus.

Microsoft solution:

Run antivirus or antimalware software. Use the following free Microsoft software to detect and remove this threat: Windows Defender Antivirus for Windows 10 and Windows 8.1, or Microsoft Security Essentials for Windows 7 and Windows Vista.

You should also run a full scan. A full scan might find hidden malware.

Advanced troubleshooting: To restore your PC, you might need to download and run Windows Defender Offline. See Microsoft’s advanced troubleshooting page for more help.


Threat Behavior:

This ransomware can arrive on a machine by leveraging the following vulnerability:

Figure 2: UIWIX Email


The malware creates the following named mutex:

  • hfdXrXzQBcKLlsrZ

The malware will not run if a debugger is present, or if any of the following virtualized or sandboxed environments are found:

  • Avast; Comodo; Cuckoo; Sandboxie; Sunbelt Sandbox; VirtualBox; VirtualPC; VMWare; WpePro


Attempts to encrypt files

The ransomware attempts to encrypt all the files on the machine, except for the following:

  • Files that are in the following folders:
    • <DRIVE_LETTER>:\Windows
    • <DRIVE_LETTER>:\Program Files
  • Files with file names that contain any of the following strings:
    • .com; .sys; boot.ini; Bootfont.bin; Bootmgr; BOOTNXT; BOOTSECT.BAK; NTDETECT.COM; Ntldr; NTUSER.DAT; PDOXUSRS.NET

It avoids encrypting files on machines that have a locale set to Russia, Kazakhstan, or Belarus.

Once encryption is carried out, the malware appends a unique identifier to the encrypted file, along with the “.UIWIX” extension.

For example, if a file named picture.jpg is encrypted, its resulting name will be picture.jpg._<identifier string>.UIWIX.

Demands ransom

A text file containing the ransom note, named _DECODE_FILES.txt, is also dropped in the malware’s current directory. The ransom note contains the following text:


    Your personal code: <identifier>

    To decrypt your files, you need to buy special software.
     Do not attempt to decode or modify files, it may be broken.
     To restore data, follow the instructions!

    You can learn more at this site:
     <TOR link>
     <TOR link>
     <TOR link>

    If a resource is unavailable for a long time to install and use the tor browser. 
     After you start the Tor browser you need to open this link <TOR link>

Steals credentials

The malware can steal credentials and other information from the following browsers:

  • Chrome; Comodo Dragon; Microsoft Edge; Firefox; Internet Explorer; Opera; Safari; Yandex

It can also steal credentials from the following applications:

  • FileZilla; Jabber; Miranda; Outlook; Rdp; SmartFtp; Thunderbird; Windows Live

Attempts to connect to URLs

The malware may try to contact the following URLs:

  • http://<random characters>.onion/gt34987.php
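The rename pattern and ransom-note name described above are the quickest artefacts to sweep for on a suspect machine or a restored backup. The following is an added example, not code from the original post or from Microsoft’s write-up, that triages a file listing: it recognises `<name>._<identifier>.UIWIX` names, recovers the original file name and identifier, counts identifiers (one per infected machine is what the post describes) and records where `_DECODE_FILES.txt` was dropped. The listing is constructed.

```python
"""Pick UIWIX artefacts out of a file listing: renamed files and the dropped ransom note."""
import re
from collections import Counter, defaultdict

# Rename pattern from the write-up: original name, then "._", an identifier, then ".UIWIX".
UIWIX_NAME = re.compile(r"^(?P<orig>.+)\._(?P<ident>[^.\\/]+)\.UIWIX$")
RANSOM_NOTE = "_DECODE_FILES.txt"

# Constructed listing (not from a real host): two renamed documents, one note, three untouched files.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\picture.jpg._A1B2C3D4.UIWIX",
    r"C:\Users\alice\Documents\budget.xlsx._A1B2C3D4.UIWIX",
    r"C:\Users\alice\Documents\_DECODE_FILES.txt",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Program Files\Example\app.exe",
]


def split_path(path):
    """Split a Windows-style path into (directory, file name); forward slashes are tolerated."""
    normalised = path.replace("/", "\\")
    head, sep, tail = normalised.rpartition("\\")
    return (head if sep else ""), tail


def parse_uiwix_name(path):
    """Return (original_file_name, identifier) for a UIWIX-renamed file, else None."""
    _, name = split_path(path)
    match = UIWIX_NAME.match(name)
    return (match.group("orig"), match.group("ident")) if match else None


def triage_listing(paths):
    """Summarise a listing: encrypted files, ransom-note locations, identifier and directory counts."""
    encrypted, notes = [], []
    identifiers = Counter()
    directories = defaultdict(int)
    for path in paths:
        directory, name = split_path(path)
        if name.lower() == RANSOM_NOTE.lower():
            notes.append(path)
            continue
        parsed = parse_uiwix_name(path)
        if parsed is None:
            continue
        original, ident = parsed
        encrypted.append((path, original, ident))
        identifiers[ident] += 1
        directories[directory] += 1
    return {
        "encrypted": encrypted,
        "ransom_notes": notes,
        "identifiers": identifiers,
        "directories": dict(directories),
    }


if __name__ == "__main__":
    summary = triage_listing(SAMPLE_LISTING)
    for path, original, ident in summary["encrypted"]:
        print(f"{original} -> {path}  (id {ident})")
    print("notes:", summary["ransom_notes"])
    print("identifiers:", dict(summary["identifiers"]))
```

Feed it the output of a recursive directory listing; more than one identifier in a single listing means files from more than one infected machine have been mixed together.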


Zomato confirms 17 million user credentials put on sale by hackers

[Update: 18-May-2017] 60% of our users use third party OAuth services (i.e. Google and Facebook) for logging in to Zomato. We don’t have any passwords for these accounts – therefore, these users are at zero risk – both within Zomato, as well as on Google and Facebook (and any other services where the same Google/Facebook ID is being used to log in). For all our other users, as a safety measure, we strongly advise changing your passwords on other services where you might have used the same password as Zomato – we are also sending emails to such users prompting them to do the same as we speak.


[Earlier: 17-May-2017] Over 120 million users visit Zomato every month. What binds all of these varied individuals is the desire to enjoy the best a city has to offer, in terms of food. When Zomato users trust us with their personal information, they naturally expect the information to be safeguarded. And that’s something we do diligently, without fail. We take cyber security very seriously – if you’ve been a regular at Zomato for years, you’d agree.


The reason you’re reading this blog post is because of a recent discovery by our security team – about 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords.

We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We however, strongly advise you to change your password for any other services where you are using the same password.


Important note – payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked.


As a precaution, we have reset the passwords for all affected users and logged them out of the app and website. Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach – some employee’s development account got compromised. [Update: The hacker has provided exact details of how he/she stole the data. The loophole has been plugged to prevent any further data leakage. Complete update:]


How can this stolen information be misused?

Since we have reset the passwords for all affected users and logged them out of the app and website, your Zomato account is secure. Your credit card information on Zomato is fully secure, so there’s nothing to worry about there.


What next?

Over the next couple of days and weeks, we’ll be actively working to plug any more security gaps that we find in our systems.

  • We’ll be further enhancing security measures for all user information stored within our database
  • A layer of authorisation will be added for internal teams having access to this data to avoid the possibility of any human breach.

We regret any disruption this may cause and appreciate your immediate attention to this information. If you have queries/concerns, please do not hesitate to contact our security team by sending an email directly to and we’ll reach out to you right away.
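The one-way, iterated, per-password-salted hashing that the notice describes, as an added example (not Zomato's code; the post names neither the algorithm nor the iteration count, so PBKDF2-HMAC-SHA256 with 200,000 iterations is an assumption):

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters: the notice says only that hashing is one-way, iterated
# and salted per password; the algorithm and count below are illustrative.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return 'iterations$salt_hex$digest_hex' using PBKDF2-HMAC-SHA256.

    A fresh random salt per password means two users who chose the same
    password get different stored records, so a single precomputed table
    cannot be reused across a whole leaked data set, and each record has
    to be attacked on its own at the full iteration cost."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count kept in the record and
    compare in constant time, so timing does not leak how many bytes matched."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)
```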


WannaCry Ransomware: UPDATE

Update Published: Thursday, May 18, 2017

In Short

DO NOT REBOOT your infected machines and TRY wanakiwi ASAP*!
*ASAP because the prime numbers may be overwritten in memory after a while. More details are available from the author

Update Published: Tuesday, May 16, 2017 5:04PM IST

How it all started

During the first week of February 2017, a security researcher publicly disclosed a zero-day vulnerability in Windows 10, Windows 8.1 and Server editions after Microsoft failed to patch it in the past three months.


The zero-day memory corruption flaw resides in the implementation of the SMB (Server Message Block) network file sharing protocol and could allow a remote, unauthenticated attacker to crash systems with a denial-of-service attack, which would then open them to further attacks.

According to US-CERT, the vulnerability could also be exploited to execute arbitrary code with Windows kernel privileges on vulnerable systems, but Microsoft has not yet confirmed this.

“By connecting to a malicious SMB server, a vulnerable Windows client system may crash (BSOD) in mrxsmb20.sys.”

Current Day Scenario

WannaCry Ransomware: 22-year-old ‘accidentally’ stops attacks, warns against more to come. WannaCry ransomware has affected more than 200,000 victims in 150 countries, which also includes India.

Very recently, a 22-year-old came in as a blessing in disguise when he accidentally put a halt to a vast number of attacks by the devastating WannaCry ransomware by buying a domain name hidden in the program for about £8.29 (Rs 700 approximately). WannaCry ransomware essentially locks a user out of their computer and demands a ransom paid in Bitcoin to return control. The young analyst, whose identity is still concealed, tweets by the name of MalwareTech on Twitter, and works for a security firm called Kryptos Logic. He admitted that he had not realized that buying the domain name would have this fortunate effect.

I will confess that I was unaware registering the domain would stop the malware until after i registered it, so initially it was accidental.

— MalwareTech (@MalwareTechBlog) May 13, 2017

How he basically disabled the ransomware attack

The attack relied on a particular domain name, the one he purchased, which is believed to have been written into the software by the hackers to act as a kill switch. Each time the program tried to infect a computer, it would try to contact that web page: if the request failed, WannaCry carried on with the attack, but if it succeeded, the program stopped.

In an interview with the Daily Beast, MalwareTech said he noticed the domain name, a string of nonsensical letters ending in, in the code. He saw that the domain wasn’t registered and thought of purchasing it. After buying the domain name, he pointed it to a ‘sinkhole’ server, which is used as a safe place to dump malicious web traffic, hoping simply to get more information about WannaCry.

“Immediately we saw five or six thousand connections a second.” He said that this appeared to have stopped large numbers of attacks, but confessed he had done this “completely by accident.” However, he warned that despite this accidental save, people need to remain cautious because the hackers could simply alter the program to carry on making attacks again. “If we did stop it, there’s like a 100 per cent chance they’re going to fire up a new sample and start that one again,” he said.

The WannaCry ransomware spreads by taking advantage of a Windows vulnerability for which Microsoft released a security patch in March. But computers and networks that did not update their systems remained at risk. Russia and Britain were among the countries worst hit by the attack. The programme takes control of a user’s system and brings up a message telling users they can recover their files only if they send $300 (now believed to have increased to $600) in bitcoins to a specific address.

So far, the criminals behind the WannaCry ransomware have received nearly 100 payments from victims, totalling 15 Bitcoins, equal to about USD $26,090.

Reported incidents from India
  • Till now, the global cyber-attack has affected more than 200,000 victims in 150 countries, which also includes India
  • Four computers of two village panchayats in Kerala were hit, at the Thariyode panchayat office in the hilly district of Wayanad
  • A section of computers of Andhra Pradesh’s police departments were affected too
  • Computers in 18 police units in Chittoor, Krishna, Guntur, Visakhapatnam and Srikakulam districts were affected

What should you do to be safe?
  • Keeping a back up is the safest and most effective way to deal with the threat
  • India’s Computer Emergency Response Team (CERT-In) has advised users to back up all their essential files offline, in a hard disk or pendrive
  • Individual users as well as organisations have been asked to apply patches to their Windows system(s) as mentioned in the Microsoft Bulletin MS17-010, which is marked critical
  • Don’t open e-mails or links in e-mails from people, even those in your contact list. E-mail has proven to be an effective carrier in the case of the ‘WannaCry’ ransomware
  • Avoid downloading from websites that are not trustworthy; even attachments from unsolicited e-mails
  • Update the antivirus on all your systems and download Microsoft’s latest software patches. For unsupported Windows versions such as XP, Vista etc., the user can download the necessary patch from this link.
  • While browsing, one should steer clear from unsafe websites and employ essential filters on your browser.
  • Use the security tools on the IT ministry website for higher safety

What can be done if you are a victim of a ransomware cyber attack?
  • Though there is no way out once files are encrypted, there are a few steps one can take to either minimise the damage or stop it from spreading. According to CERT-In, the user should immediately disconnect the affected system from the network to stop it from spreading.
  • Since the encryption does not happen instantly, the user should immediately try to back-up the essential files as soon as possible. This will help minimise the damage.
  • According to CERT-In, victims of the ransomware are advised not to pay the ransom as there is no guarantee that the files will be returned. Instead, report any such case with CERT-In at and other law enforcement agencies.

WannaCry Ransomware Analysis

What has happened?

On May 12, 2017, a new variant of the Ransom.CryptXXX family of ransomware (detected as Ransom.Wannacry) began spreading widely, impacting a large number of organizations, particularly in Europe.

What is the WannaCry ransomware?

WannaCry encrypts data files and asks users to pay a US$300 ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days, the encrypted files will be deleted.

Figure 1 Ransom demand screen displayed by WannaCry Trojan

It also drops a file named !Please Read Me!.txt which contains the ransom note.

Figure 2 Ransom demand note from WannaCry Trojan

WannaCry encrypts files with the following extensions, appending .WCRY to the end of the file name:

  • .123; .3dm; .3ds; .3g2; .3gp; .602; .7z; .ARC; .PAQ; .accdb; .aes; .ai; .asc; .asf; .asm; .asp; .avi; .backup; .bak; .bat; .bmp; .brd; .bz2; .cgm; .class; .cmd; .cpp; .crt; .cs; .csr; .csv; .db; .dbf; .dch; .der; .dif; .dip; .djvu; .doc; .docb; .docm; .docx; .dot; .dotm; .dotx; .dwg; .edb; .eml; .fla; .flv; .frm; .gif; .gpg; .gz; .hwp; .ibd; .iso; .jar; .java; .jpeg; .jpg; .js; .jsp; .key; .lay; .lay6; .ldf; .m3u; .m4u; .max; .mdb; .mdf; .mid; .mkv; .mml; .mov; .mp3; .mp4; .mpeg; .mpg; .msg; .myd; .myi; .nef; .odb; .odg; .odp; .ods; .odt; .onetoc2; .ost; .otg; .otp; .ots; .ott; .p12; .pas; .pdf; .pem; .pfx; .php; .pl; .png; .pot; .potm; .potx; .ppam; .pps; .ppsm; .ppsx; .ppt; .pptm; .pptx; .ps1; .psd; .pst; .rar; .raw; .rb; .rtf; .sch; .sh; .sldm; .sldx; .slk; .sln; .snt; .sql; .sqlite3; .sqlitedb; .stc; .std; .sti; .stw; .suo; .svg; .swf; .sxc; .sxd; .sxi; .sxm; .sxw; .tar; .tbk; .tgz; .tif; .tiff; .txt; .uop; .uot; .vb; .vbs; .vcd; .vdi; .vmdk; .vmx; .vob; .vsd; .vsdx; .wav; .wb2; .wk1; .wks; .wma; .wmv; .xlc; .xlm; .xls; .xlsb; .xlsm; .xlsx; .xlt; .xltm; .xltx; .xlw; .zip
Figure 3 How Ransomware Works

It propagates to other computers by exploiting a known SMB remote code execution vulnerability (MS17-010) in Microsoft Windows.

Who is impacted?

A number of organizations globally have been affected, the majority of which are in Europe and China.

Is this a targeted attack?

No, this is not believed to be a targeted attack at this time. Ransomware campaigns are typically indiscriminate.

Am I protected against this threat?

The Blue Coat Global Intelligence Network (GIN) provides automatic detection to all enabled products for web-based infection attempts.

Symantec and Norton customers are protected against WannaCry using a combination of technologies.


Customers should run LiveUpdate and verify that they have the following definition versions or later installed in order to ensure they have the most up-to-date protection:

  • 20170512.009

SONAR protection

Network based protection

Symantec also has the following IPS protection in place which has proven highly effective in proactively blocking attempts to exploit the MS17-010 vulnerability:

The following IPS signature also blocks activity related to Ransom.Wannacry:

Organizations should also ensure that they have the latest Windows security updates installed, in particular MS17-010 to prevent spreading.

Why is it causing so many problems for organizations?

WannaCry has the ability to spread itself within corporate networks, without user interaction, by exploiting a known vulnerability in Microsoft Windows. Computers which do not have the latest Windows security updates applied are at risk of infection.

Can I recover the encrypted files?

Decryption is not available at this time but Symantec is investigating. Symantec does not recommend paying the ransom. Encrypted files should be restored from back-ups where possible.

What are best practices for protecting against ransomware?

  • New ransomware variants appear on a regular basis. Always keep your security software up to date to protect yourself against them.
  • Keep your operating system and other software updated. Software updates will frequently include patches for newly discovered security vulnerabilities that could be exploited by ransomware attackers.
  • Email is one of the main infection methods. Be wary of unexpected emails especially if they contain links and/or attachments.
  • Be extremely wary of any Microsoft Office email attachment that advises you to enable macros to view its content. Unless you are absolutely sure that this is a genuine email from a trusted source, do not enable macros and instead immediately delete the email.
  • Backing up important data is the single most effective way of combating ransomware infection. Attackers have leverage over their victims by encrypting valuable files and leaving them inaccessible. If the victim has backup copies, they can restore their files once the infection has been cleaned up. However organizations should ensure that back-ups are appropriately protected or stored off-line so that attackers can’t delete them.
  • Using cloud services could help mitigate ransomware infection, since many retain previous versions of files, allowing you to “roll back” to the unencrypted form.

Additional indicators and technical information about Ransom.Wannacry

When the Trojan is executed, it drops the following files:

  • [PATH_TO_TROJAN]\!WannaDecryptor!.exe
  • [PATH_TO_TROJAN]\c.wry
  • [PATH_TO_TROJAN]\f.wry
  • [PATH_TO_TROJAN]\m.wry
  • [PATH_TO_TROJAN]\r.wry
  • [PATH_TO_TROJAN]\t.wry
  • [PATH_TO_TROJAN]\u.wry
  • [PATH_TO_TROJAN]\TaskHost
  • [PATH_TO_TROJAN]\00000000.eky
  • [PATH_TO_TROJAN]\00000000.pky
  • [PATH_TO_TROJAN]\00000000.res
  • %Temp%\0.WCRYT
  • %Temp%\1.WCRYT
  • %Temp%\2.WCRYT
  • %Temp%\3.WCRYT
  • %Temp%\4.WCRYT
  • %Temp%\5.WCRYT
  • %Temp%\hibsys.WCRYT

Note: [PATH_TO_TROJAN] is the path where the Trojan was originally executed.

The Trojan then creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Microsoft Update Task Scheduler" = ""[PATH_TO_TROJAN]\[TROJAN_EXE_NAME]" /r"

The Trojan also sets the following registry entry:

  • HKEY_CURRENT_USER\Control Panel\Desktop\"Wallpaper" = "%UserProfile%\Desktop\!WannaCryptor!.bmp"

The Trojan creates the following mutexes:


The Trojan then terminates the following processes using taskkill /f /im:

  • sqlwriter.exe
  • sqlserver.exe
  • Microsoft.Exchange.*
  • MSExchange*

It then searches for and encrypts files with the following extensions:

  • .123; .3dm; .3ds; .3g2; .3gp; .602; .7z; .ARC; .PAQ; .accdb; .aes; .ai; .asc; .asf; .asm; .asp; .avi; .backup; .bak; .bat; .bmp; .brd; .bz2; .cgm; .class; .cmd; .cpp; .crt; .cs; .csr; .csv; .db; .dbf; .dch; .der; .dif; .dip; .djvu; .doc; .docb; .docm; .docx; .dot; .dotm; .dotx; .dwg; .edb; .eml; .fla; .flv; .frm; .gif; .gpg; .gz; .hwp; .ibd; .iso; .jar; .java; .jpeg; .jpg; .js; .jsp; .key; .lay; .lay6; .ldf; .m3u; .m4u; .max; .mdb; .mdf; .mid; .mkv; .mml; .mov; .mp3; .mp4; .mpeg; .mpg; .msg; .myd; .myi; .nef; .odb; .odg; .odp; .ods; .odt; .onetoc2; .ost; .otg; .otp; .ots; .ott; .p12; .pas; .pdf; .pem; .pfx; .php; .pl; .png; .pot; .potm; .potx; .ppam; .pps; .ppsm; .ppsx; .ppt; .pptm; .pptx; .ps1; .psd; .pst; .rar; .raw; .rb; .rtf; .sch; .sh; .sldm; .sldx; .slk; .sln; .snt; .sql; .sqlite3; .sqlitedb; .stc; .std; .sti; .stw; .suo; .svg; .swf; .sxc; .sxd; .sxi; .sxm; .sxw; .tar; .tbk; .tgz; .tif; .tiff; .txt; .uop; .uot; .vb; .vbs; .vcd; .vdi; .vmdk; .vmx; .vob; .vsd; .vsdx; .wav; .wb2; .wk1; .wks; .wma; .wmv; .xlc; .xlm; .xls; .xlsb; .xlsm; .xlsx; .xlt; .xltm; .xltx; .xlw; .zip

Encrypted files will have .WCRY appended to the end of the file names.

The Trojan then deletes the shadow copies of the encrypted files.

The Trojan drops the following files in every folder where files are encrypted:

  • !WannaDecryptor!.exe.lnk
  • !Please Read Me!.txt

The !Please Read Me!.txt file is a text version of the ransom note with details of how to pay the ransom.

The Trojan downloads Tor and uses it to connect to a server using the Tor network.

It then displays a ransom note explaining to the user what has happened and how to pay the ransom.

Indicators of compromise


  • dff26a9a44baa3ce109b8df41ae0a301d9e4a28ad7bd7721bbb7ccd137bfd696
  • 201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9
  • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
  • c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9
  • 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
  • b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
  • aae9536875784fe6e55357900519f97fee0a56d6780860779a36f06765243d56
  • 21ed253b796f63b9e95b4e426a82303dfac5bf8062bfe669995bde2208b360fd
  • 2372862afaa8e8720bc46f93cb27a9b12646a7cbc952cc732b8f5df7aebb2450
  • 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
  • f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85
  • 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
  • 4b76e54de0243274f97430b26624c44694fbde3289ed81a160e0754ab9f56f32
  • 9cc32c94ce7dc6e48f86704625b6cdc0fda0d2cd7ad769e4d0bb1776903e5a13
  • 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df
  • be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844
  • 5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9
  • 76a3666ce9119295104bb69ee7af3f2845d23f40ba48ace7987f79b06312bbdf
  • fc626fe1e0f4d77b34851a8c60cdd11172472da3b9325bfe288ac8342f6c710a
  • eeb9cd6a1c4b3949b2ff3134a77d6736b35977f951b9c7c911483b5caeb1c1fb
  • 043e0d0d8b8cda56851f5b853f244f677bd1fd50f869075ef7ba1110771f70c2
  • 57c12d8573d2f3883a8a0ba14e3eec02ac1c61dee6b675b6c0d16e221c3777f4
  • ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8
  • f7c7b5e4b051ea5bd0017803f40af13bed224c4b0fd60b890b6784df5bd63494
  • 3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9
  • 9b60c622546dc45cca64df935b71c26dcf4886d6fa811944dbc4e23db9335640
  • 5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec
  • 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
  • 12d67c587e114d8dde56324741a8f04fb50cc3160653769b8015bc5aec64d20b
  • 85ce324b8f78021ecfc9b811c748f19b82e61bb093ff64f2eab457f9ef19b186
  • 3f3a9dde96ec4107f67b0559b4e95f5f1bca1ec6cb204bfe5fea0230845e8301



File names

  • @Please_Read_Me@.txt
  • @WanaDecryptor@.exe
  • @WanaDecryptor@.exe.lnk
  • Please Read Me!.txt (older variant)
  • C:\WINDOWS\tasksche.exe
  • C:\WINDOWS\qeriuwjhrf
  • [0-9]{15}.bat (regex)
  • !WannaDecryptor!.exe.lnk
  • files with the .pky, .eky and .res extensions (the 00000000.* files listed above)
  • C:\WINDOWS\system32\taskdl.exe

Bitcoin Wallets

  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
Here is a Snort rule submitted to SANS by Marco Novak:

alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2;)

And other Snort rules from Emerging Threats:

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:1;)

alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)
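The two Emerging Threats rules work as a pair through flowbits: the request rule sets ETPRO.ETERNALBLUE without alerting, and the response rule fires only when that bit is already set on the flow. As an added example (not Snort and not the rule authors' code), this replays the same byte patterns and set/isset logic over constructed SMB echo packets; $HOME_NET is simplified to whichever side is on TCP port 445, and the packet bytes are constructed, not captured:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Byte patterns copied from the rules above: NetBIOS session header (length
# 0x31) followed by the start of the SMB header. The request carries SMB flags
# 0x18; the response has the reply bit set (0x98). ECHO_DATA is the second
# 'content' both rules require after the header (distance:0).
ECHO_REQUEST_HDR = bytes.fromhex("00000031ff") + b"SMB" + bytes.fromhex("2b000000001807c0")
ECHO_RESPONSE_HDR = bytes.fromhex("00000031ff") + b"SMB" + bytes.fromhex("2b000000009807c0")
ECHO_DATA = bytes.fromhex("4a6c4a6d4968436c42737200")
DEPTH = 16  # 'depth:16': the 16-byte header pattern must therefore start at offset 0

FlowKey = Tuple[str, int, str, int]  # (client_ip, client_port, server_ip, server_port)


def payload_matches(payload: bytes, header: bytes) -> bool:
    """Emulate 'content:<header>; depth:16; content:<data>; distance:0;'."""
    if payload[:DEPTH] != header:
        return False
    # distance:0 is relative to the end of the first match: the echo data may
    # appear anywhere after the header.
    return ECHO_DATA in payload[len(header):]


@dataclass
class EternalBlueEchoDetector:
    """Stateful emulation of the flowbits handshake: the request rule sets the
    bit silently (flowbits:noalert); the response rule alerts only when the bit
    is set on the same flow (flowbits:isset)."""
    flowbits: Dict[FlowKey, bool] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def inspect(self, src: str, sport: int, dst: str, dport: int, payload: bytes) -> Optional[str]:
        if dport == 445 and payload_matches(payload, ECHO_REQUEST_HDR):
            self.flowbits[(src, sport, dst, dport)] = True   # set, no alert
            return None
        if sport == 445 and payload_matches(payload, ECHO_RESPONSE_HDR):
            if self.flowbits.get((dst, dport, src, sport)):   # isset on the same flow
                msg = (f"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response "
                       f"{src}:{sport} -> {dst}:{dport}")
                self.alerts.append(msg)
                return msg
        return None


def smb_echo(header: bytes, data: bytes) -> bytes:
    """Constructed sample payload: header pattern, zero padding standing in for
    the rest of the SMB header, a short parameter block, then the echo data."""
    return header + b"\x00" * 16 + b"\x01\x01\x00" + len(data).to_bytes(2, "little") + data


def run_sample() -> List[str]:
    """Replay a constructed four-packet sample and return the alerts raised."""
    det = EternalBlueEchoDetector()
    # 1. response on a flow that never carried the request: isset fails, no alert
    det.inspect("10.0.0.20", 445, "10.0.0.7", 50000, smb_echo(ECHO_RESPONSE_HDR, ECHO_DATA))
    # 2. suspicious request from a client to the file server: sets the flowbit
    det.inspect("10.0.0.5", 49152, "10.0.0.20", 445, smb_echo(ECHO_REQUEST_HDR, ECHO_DATA))
    # 3. matching response on that flow: alert
    det.inspect("10.0.0.20", 445, "10.0.0.5", 49152, smb_echo(ECHO_RESPONSE_HDR, ECHO_DATA))
    # 4. echo request with different data: the second 'content' fails, nothing set
    det.inspect("10.0.0.9", 51000, "10.0.0.20", 445, smb_echo(ECHO_REQUEST_HDR, b"hello"))
    return det.alerts
```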



YARA rules

rule wannacry_1 : ransom
{
    meta:
        author = "Joshua Cannell"
        description = "WannaCry Ransomware strings"
        weight = 100
        date = "2017-05-12"

    strings:
        $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
        $s2 = "Wanna Decryptor" wide ascii nocase
        $s3 = ".wcry" wide ascii nocase
        $s4 = "WANNACRY" wide ascii nocase
        $s5 = "WANACRY!" wide ascii nocase
        $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase

    condition:
        any of them
}

rule wannacry_2
{
    meta:
        author = "Harold Ogden"
        description = "WannaCry Ransomware Strings"
        date = "2017-05-12"
        weight = 100

    strings:
        $string1 = "msg/m_bulgarian.wnry"
        $string2 = "msg/m_chinese (simplified).wnry"
        $string3 = "msg/m_chinese (traditional).wnry"
        $string4 = "msg/m_croatian.wnry"
        $string5 = "msg/m_czech.wnry"
        $string6 = "msg/m_danish.wnry"
        $string7 = "msg/m_dutch.wnry"
        $string8 = "msg/m_english.wnry"
        $string9 = "msg/m_filipino.wnry"
        $string10 = "msg/m_finnish.wnry"
        $string11 = "msg/m_french.wnry"
        $string12 = "msg/m_german.wnry"
        $string13 = "msg/m_greek.wnry"
        $string14 = "msg/m_indonesian.wnry"
        $string15 = "msg/m_italian.wnry"
        $string16 = "msg/m_japanese.wnry"
        $string17 = "msg/m_korean.wnry"
        $string18 = "msg/m_latvian.wnry"
        $string19 = "msg/m_norwegian.wnry"
        $string20 = "msg/m_polish.wnry"
        $string21 = "msg/m_portuguese.wnry"
        $string22 = "msg/m_romanian.wnry"
        $string23 = "msg/m_russian.wnry"
        $string24 = "msg/m_slovak.wnry"
        $string25 = "msg/m_spanish.wnry"
        $string26 = "msg/m_swedish.wnry"
        $string27 = "msg/m_turkish.wnry"
        $string28 = "msg/m_vietnamese.wnry"

    condition:
        any of ($string*)
}
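What the "wide ascii nocase" modifiers in rule wannacry_1 add, and why the unmodified strings in rule wannacry_2 match only exact ASCII, as an added example (a plain-Python re-implementation of the string search, not the YARA engine or the rule authors' code; the sample buffers are constructed, not real samples):

```python
from typing import Dict, List

# Strings copied from rule wannacry_1 above; every one carries 'wide ascii nocase'.
WANNACRY_1_STRINGS: Dict[str, str] = {
    "$s1": "Ooops, your files have been encrypted!",
    "$s2": "Wanna Decryptor",
    "$s3": ".wcry",
    "$s4": "WANNACRY",
    "$s5": "WANACRY!",
    "$s7": "icacls . /grant Everyone:F /T /C /Q",
}
# Three of the language-file names from rule wannacry_2 above. With no
# modifiers YARA matches ASCII only, case-sensitively.
WANNACRY_2_STRINGS: Dict[str, str] = {
    "$string8": "msg/m_english.wnry",
    "$string12": "msg/m_german.wnry",
    "$string23": "msg/m_russian.wnry",
}


def encode_variants(text: str, wide: bool, ascii_: bool) -> List[bytes]:
    """'ascii' is the plain byte string; 'wide' is each character followed by a
    0x00 byte (UTF-16LE for ASCII text), which is how Windows binaries store
    many of their user-visible strings."""
    variants: List[bytes] = []
    if ascii_:
        variants.append(text.encode("ascii"))
    if wide:
        variants.append(text.encode("utf-16-le"))
    return variants


def find_strings(buf: bytes, strings: Dict[str, str], *, wide: bool,
                 ascii_: bool, nocase: bool) -> Dict[str, List[int]]:
    """Return {string_name: [offsets]} for every rule string present in buf."""
    # bytes.lower() folds ASCII letters only, so the 0x00 bytes of wide strings survive.
    haystack = buf.lower() if nocase else buf
    hits: Dict[str, List[int]] = {}
    for name, text in strings.items():
        offsets: List[int] = []
        for needle in encode_variants(text, wide, ascii_):
            needle = needle.lower() if nocase else needle
            pos = haystack.find(needle)
            while pos != -1:
                offsets.append(pos)
                pos = haystack.find(needle, pos + 1)
        if offsets:
            hits[name] = sorted(offsets)
    return hits


def rule_wannacry_1(buf: bytes) -> bool:
    """condition: any of them (strings are wide ascii nocase)"""
    return bool(find_strings(buf, WANNACRY_1_STRINGS, wide=True, ascii_=True, nocase=True))


def rule_wannacry_2(buf: bytes) -> bool:
    """condition: any of ($string*) (no modifiers: ascii only, case-sensitive)"""
    return bool(find_strings(buf, WANNACRY_2_STRINGS, wide=False, ascii_=True, nocase=False))


# Constructed sample buffers, not real files: an upper-case UTF-16LE ransom
# string plus two ASCII markers, and a benign document.
SAMPLE_SUSPECT = (b"MZ" + b"\x00" * 6
                  + "OOOPS, YOUR FILES HAVE BEEN ENCRYPTED!".encode("utf-16-le")
                  + b"\x00\x00" + b"msg/m_english.wnry\x00" + b"WANACRY!")
SAMPLE_BENIGN = b"Quarterly report: nothing unusual in Q2."
```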



McAfee urges all its customers to ensure McAfee’s DAT updates have been applied to ensure the latest protection. We furthermore advise customers to be diligent in applying security updates for all the software solutions they use.


NSA Targeting SWIFT Messaging Network

A hacking group, the Shadow Brokers, who claimed to have access to tools used by the NSA, had earlier released the password for an encrypted cache of Unix exploits, including a remote root zero-day exploit for Solaris OS, and the TOAST framework the group had put up for auction the previous summer.

Again on the 14th of April 2017 more hacking tools and exploits were released by the Shadow Brokers.

These hacking tools have been named as OddJob, EasyBee, EternalRomance, FuzzBunch, EducatedScholar, EskimoRoll, EclipsedWing, EsteemAudit, EnglishMansDentist, MofConfig, ErraticGopher, EmphasisMine, EmeraldThread, EternalSynergy, EwokFrenzy, ZippyBeer, ExplodingCan, DoublePulsar, and others.

The latest dump comprises three folders: Windows, Swift, and OddJob.

The SWIFT folder contains PowerPoint presentations, evidence, credentials and the internal architecture of EastNets, one of the largest SWIFT Service Bureaus in the Middle East.

SWIFT Architecture

SWIFT (Society for Worldwide Interbank Financial Telecommunication) is a global financial messaging system that thousands of banks and organizations across the world use to transfer billions of dollars every day.

“A SWIFT Service Bureau is the kind of the equivalent of the Cloud for Banks when it comes to their SWIFT transactions and messages; the banks’ transactions are hosted and managed by the SWIFT Service Bureau via an Oracle Database and the SWIFT Softwares,” security researcher Matt Suiche explains in a blog post.

The folder includes SQL scripts that pull information from the Oracle Database, such as the list of database users and the SWIFT message queries.


Besides this, the folder also contains Excel files that indicate that the NSA’s elite cyber attack unit Equation Group had hacked and gained access to many banks around the world, the majority of which are located in the Middle East like UAE, Kuwait, Qatar, Palestine, and Yemen.

“SWIFT Host of Palestinian Bank was running Windows 2008 R2 vulnerable to exploit framework FUZZBUNCH.” Matt tweeted.