MegaFon suffered a hacker attack. Russian mobile operator MegaFon hacked

  • 12 May 2017, 19:43 Computer systems of the Ministry of Internal Affairs and MegaFon were hit by a virus attack

The internal computer system of the Russian Ministry of Internal Affairs was struck by the virus, Varlamov.ru reports, citing several sources familiar with the situation.

Mediazona's source in the Ministry of Internal Affairs confirmed that departmental computers had been infected. According to him, departments in several regions are affected.

Earlier, reports of a possible virus infection appeared on the Pikabu website and the Kaspersky forum. According to some users, the virus is WCry (also known as WannaCry or WannaCryptor): it encrypts the user's files, changes their extension and demands that a special decryptor be bought for bitcoins; otherwise the files will be deleted.

According to users on the Kaspersky forum, the virus first appeared in February 2017, but “has been updated and now looks different than previous versions.”

The Kaspersky press service was unable to promptly comment on the incident, but promised to release a statement in the near future.

Avast employee Jakub Kroustek reported on Twitter that at least 36 thousand computers in Russia, Ukraine and Taiwan are infected.

Varlamov's website notes that information has also appeared about the infection of computers in public hospitals in several regions of the UK and an attack on the Spanish telecommunications company Telefonica. In both cases, the virus also demands payment.

Microsoft noted that its March security update already provided additional protection against such viruses.

"Users of our free antivirus and updated versions of Windows are protected. We are working with users to provide additional assistance," the company added.

Kaspersky Lab earlier told Mediazona that the WannaCrypt virus uses a network vulnerability in Windows that Microsoft specialists closed back in March.

The Ministry of Internal Affairs confirmed hacker attacks on its computers

The Ministry of Internal Affairs confirmed hacker attacks on its computers, RIA Novosti reports.

According to Irina Volk, press secretary of the Ministry of Internal Affairs, the ministry's Department of Information Technologies, Communications and Information Protection recorded a virus attack on Ministry of Internal Affairs computers running the Windows operating system.

“Thanks to timely measures taken, about a thousand infected computers were blocked, which is less than 1%,” Volk said, adding that the server resources of the Ministry of Internal Affairs were not infected because they work on other operating systems.

"At the moment, the virus has been localized; technical work is under way to destroy it and to update the antivirus protection tools," the ministry's press secretary said.

More than six thousand dollars were transferred to the Bitcoin wallets of the hackers who spread the WannaCry virus.

At least 3.5 bitcoins were transferred to the hackers who spread the WannaCry ransomware virus, Meduza writes. According to the exchange rate of $1,740 for one bitcoin at 22:00 Moscow time, this amount is $6,090.

Meduza came to this conclusion based on the history of transactions on Bitcoin wallets to which the virus demanded money be transferred. The wallet addresses were published in a Kaspersky Lab report.

The three wallets received 20 transactions on May 12. Mostly, 0.16-0.17 bitcoins were transferred to them, which equals approximately $300. This is the amount the hackers demanded in a pop-up window on infected computers.

Avast counted 75 thousand attacks in 99 countries

The IT company Avast reported on its website that the WanaCrypt0r 2.0 virus infected 75 thousand computers in 99 countries.

Most of the infected computers are in Russia, Ukraine and Taiwan.

Thirteen hours ago, the blog of computer security specialist Brian Krebs published a record of bitcoin transfers to the hackers totaling 26 thousand US dollars.

Europol: 200 thousand computers in 150 countries were attacked by a virus

In three days, more than 200 thousand computers in 150 countries have been hit by the WannaCry virus, Europol Director Rob Wainwright said in an interview with the British TV channel ITV. His words are quoted by Sky News.

“The spread of the virus around the world is unprecedented. The latest estimates are that there are 200,000 victims in at least 150 countries, including businesses, including large corporations,” Wainwright said.

He suggested that the number of infected computers would likely increase significantly when people returned to work on their computers on Monday. At the same time, Wainwright noted that so far people have transferred “surprisingly little” money to the spreaders of the virus.

In China, the virus attacked the computers of 29 thousand institutions

The WannaCry virus attacked the computers of more than 29 thousand institutions, and the number of affected computers runs into the hundreds of thousands, Xinhua reports, citing data from the Qihoo 360 Computer Threat Assessment Center.

According to researchers, computers in more than 4,340 universities and other educational institutions were attacked. Infections were also observed on computers at railway stations, postal organizations, hospitals, shopping centers and government agencies.

"There was no significant damage for us, for our institutions - neither for banking, nor for the healthcare system, nor for others," Putin said.

"As for the source of these threats, in my opinion, Microsoft management stated this directly: they said that the primary source of this virus is the intelligence services of the United States; Russia has absolutely nothing to do with it. It's strange for me to hear something different under these conditions," the president added.

Putin also called for discussing the problem of cybersecurity “at a serious political level” with other countries. He stressed that it is necessary to “develop a system of protection against such manifestations.”

WannaCry virus clones have appeared

Two modifications of the WannaCry virus have appeared, Vedomosti writes, citing Kaspersky Lab. The company believes that both clones were created not by the authors of the original ransomware but by other hackers trying to take advantage of the situation.

The first modification of the virus began to spread on the morning of May 14. Kaspersky Lab discovered three infected computers in Russia and Brazil. The second clone learned to bypass a piece of code that was used to stop the first wave of infections, the company noted.

Bloomberg also writes about the virus clones. Matt Suiche, founder of the cybersecurity company Comae Technologies, said that about 10 thousand computers were infected with the second modification of the virus.

According to Kaspersky Lab, six times fewer computers were infected today than on Friday, May 12.

The WannaCry virus could have been created by the North Korean hacker group Lazarus

The WannaCry ransomware virus could have been created by hackers from the North Korean Lazarus group, according to Kaspersky Lab's specialized website.

Company specialists drew attention to a tweet by Google analyst Neel Mehta. As Kaspersky Lab concluded, the message points to similarities between two samples: they share common code. The tweet gives cryptographic hashes of a WannaCry sample from February 2017 and of a Lazarus group sample dated February 2015.

"The detective story is getting tighter and tighter, and now the same code has been found in #WannaCry and in the Trojans from Lazarus," –

MegaFon's director of public relations, Petr Lidov, told Kommersant that the company's Moscow office was subjected to a hacker attack. "The computers crashed and a lock screen appeared on them asking for $300 to unlock," he said. Information then came in that the same thing had happened to subscribers of the Telefonica and Vodafone operators in Spain.

According to Petr Lidov, specialists had to shut down the networks at some stage to prevent the virus from spreading further. "A number of regions were affected; the rest had to be temporarily shut down preventively. This affected retail and customer support services, because operators naturally use PCs to access databases. Call centers have already been restored. Communications and personal accounts were not affected," said Mr. Lidov.

As Boris Ryutin, a researcher at Digital Security, told Kommersant, MalwareHunterTeam experts and other independent researchers agree that this is malware of the ransomware type, that is, a virus that extorts a ransom. "The danger of infection is that, depending on the implementation, the user's files may be irretrievably lost," he clarified.

"We see an attack, and the virus is very complex," Solar Security told Kommersant. "At the moment we are developing recommendations for countermeasures." "The virus is very complex, and it cannot yet be ruled out that it is something more dangerous than simple ransomware. It is already obvious that the speed of its spread is unprecedentedly high," the company added.

Microsoft representative Kristina Davydova told Kommersant that experts had added detection and protection against the new malware, known as Ransom:Win32/WannaCrypt. "In March, we also introduced additional protection against malware of this nature along with a security update that prevents malware from spreading across the network," she said.

An information security researcher under the nickname w0rm announced that he had successfully carried out a hacker attack on the Russian mobile operator MegaFon. According to the hacker, he gained access to the file system of several of the operator's sites. In addition, the hacker had at his disposal the official data of company employees.

According to the hacker, he had the opportunity to gain access to MegaFon customer data but did not do so, guided by ethical considerations. As evidence, the hacker presented several screenshots showing the file structure of one of the hacked sites and the control panel of the megafon.mobi domain.

The hacker claims that he changed the password for logging in to his personal account. When changing the password, it turned out that the password consists of only 6 digits and can only be changed to another six-digit numeric password. A password of 6 digits can therefore be guessed quite easily in the absence of a brute-force blocking mechanism. On the MegaFon website, the role of such a mechanism is played by a captcha.

This protection was bypassed using an outdated Yandex widget that does not require a captcha. According to the hacker, 20-30 minutes of password guessing is enough to gain access to an arbitrary subscriber's personal account by phone number and view call details, SMS, full name and payment information.

This major success prompted the hacker to audit some other domains belonging to the company. As a result, he was able to obtain an archive containing a backup copy of the Jira project management system from the beginning of 2015. Using the credentials of MegaFon employees contained in the archive, the hacker gained access to corporate mail and some service resources.

MegaFon representatives say that no evidence of a successful penetration of the system has been found. The company is now carrying out additional checks in connection with the reports on social networks.

In May of this year, w0rm had already carried out a successful attack on the entertainment website Sprashivay.ru. At that time the researcher publicly posted an archive with the service's user passwords. Before that, he carried out successful attacks on foreign media sites such as The Wall Street Journal and Vice.

UPD (05/15/2017): MegaFon has become the victim of a new information security incident. The Russian mobile operator, along with dozens of companies and organizations around the world, fell victim to the WannaCry ransomware.

Details can be found in the SecureNews report.

In addition to telecommunications companies, Russian law enforcement agencies - the Ministry of Internal Affairs and the Investigative Committee - became victims of hacker attacks, according to sources from RBC, as well as Gazeta.Ru and Mediazona.

RBC's source in the Ministry of Internal Affairs spoke about an attack on the department's internal networks. According to him, mainly the regional departments of the ministry were attacked. He clarified that the virus affected computers in at least three regions of European Russia. The source added that the attack should not affect the work of the Ministry of Internal Affairs. Another RBC source at the ministry said that the hackers could have gained access to Ministry of Internal Affairs databases, but it is not known whether they managed to download information from them. The attack on the Ministry of Internal Affairs affected only computers whose operating system had not been updated for a long time, a source at the department said. The ministry's work has not been paralyzed by the hackers, but it is greatly hampered.

In Germany, hackers hit the services of Deutsche Bahn, the country's main railway operator. This was reported by the ZDF TV channel, citing the country's Ministry of Internal Affairs.

The US Department of Homeland Security offered its partners technical support and assistance in the fight against the WannaCry ransomware.

What kind of virus?

According to a Kaspersky Lab statement, the virus in question is the WannaCry ransomware. "As the analysis showed, the attack occurred through the well-known network vulnerability described in Microsoft Security Bulletin MS17-010. A rootkit was then installed on the infected system, which the attackers used to launch the encryption program," the company said.

"All Kaspersky Lab solutions detect this rootkit as MEM:Trojan.Win64.EquationDrug.gen. Our solutions also detect the ransomware used in this attack with the following verdicts: Trojan-Ransom.Win32.Scatter.uf, Trojan-Ransom.Win32.Fury.fr, PDM:Trojan.Win32.Generic (to detect this malware, the System Watcher component must be enabled)," the company noted.

To reduce the risk of infection, Kaspersky Lab experts advise users to install the official Microsoft patch that closes the vulnerability used in the attack and, to prevent such incidents, to use threat reporting services in order to receive timely data on the most dangerous attacks and possible infections.

Microsoft also commented on the hacker attack. "Today our experts added detection and protection against a new malware known as Ransom:Win32/WannaCrypt. In March, we also introduced additional protection against this type of malware with a security update that prevents malware from spreading across the network. Users of our free antivirus and updated versions of Windows are protected. We are working with users to provide additional assistance," says a statement from a Microsoft representative in Russia received by RBC.

A Solar Security representative told RBC that the company sees the attack and is currently examining a sample of the virus. "We are not ready to share details right now, but the malware was clearly written by professionals. It cannot yet be ruled out that it is something more dangerous than ransomware. It is already obvious that the speed of its spread is unprecedentedly high," the source said. According to him, the damage from the virus is "enormous"; it has affected large organizations in 40 countries, but an accurate assessment cannot be given yet, since the capabilities of the malware have not been fully studied and the attack is still unfolding.

Group-IB CEO Ilya Sachkov told RBC that ransomware similar to the one used in the current attack is a growing trend. In 2016, the number of such attacks increased more than a hundredfold compared to the previous year, he said.

Sachkov noted that, as a rule, devices in such cases are infected through email. Speaking about WannaCry, the expert noted that this encryption program has two features. "Firstly, it uses the ETERNALBLUE exploit, which the Shadow Brokers hackers posted publicly. A patch that closes this vulnerability for Windows Vista and later became available on March 9 as part of bulletin MS17-010. At the same time, there will be no patch for older operating systems like Windows XP and Windows Server 2003, since they are no longer supported," he said.

“Secondly, in addition to encrypting files, it scans the Internet for vulnerable hosts. That is, if an infected computer gets into some other network, the malware will spread there too, hence the avalanche-like nature of infections,” Sachkov added.
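The scanning behaviour Sachkov describes leaves a recognisable network footprint: one host opening SMB (TCP/445) connections to many distinct addresses within seconds. As an added example, not code from the original article or from any company quoted in it, the Python below flags that fan-out in constructed firewall log lines; the log format, the 60-second window, the threshold of eight distinct targets and the RFC 1918 definition of "internal" are all assumptions.

```python
"""Flag WannaCry-style SMB fan-out in connection logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log, format "<timestamp> <src> <dst> <dport> <action>":
# host 10.1.2.15 probes ten different hosts on TCP/445 within seconds,
# while 10.1.2.40 only talks to the usual file server and a web site.
SAMPLE_LOG = """\
2017-05-12T14:00:01 10.1.2.15 10.1.2.20 445 ALLOW
2017-05-12T14:00:02 10.1.2.15 10.1.2.21 445 DENY
2017-05-12T14:00:02 10.1.2.15 10.1.2.22 445 DENY
2017-05-12T14:00:03 10.1.2.15 203.0.113.7 445 DENY
2017-05-12T14:00:03 10.1.2.15 203.0.113.8 445 DENY
2017-05-12T14:00:04 10.1.2.15 203.0.113.9 445 DENY
2017-05-12T14:00:05 10.1.2.15 198.51.100.3 445 DENY
2017-05-12T14:00:05 10.1.2.15 198.51.100.4 445 DENY
2017-05-12T14:00:06 10.1.2.15 198.51.100.5 445 DENY
2017-05-12T14:00:07 10.1.2.15 198.51.100.6 445 DENY
2017-05-12T14:00:01 10.1.2.40 10.1.2.20 445 ALLOW
2017-05-12T14:00:30 10.1.2.40 10.1.2.20 445 ALLOW
2017-05-12T14:00:31 10.1.2.40 93.184.216.34 443 ALLOW
"""

# Assumed definition of "internal": the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action

def smb_fanout_alerts(log_text, window=timedelta(seconds=60), threshold=8):
    """Return {src: (distinct_targets, external_targets)} for each source
    that reached >= `threshold` distinct TCP/445 destinations inside any
    `window`; external_targets counts destinations outside RFC1918."""
    per_src = defaultdict(list)  # src -> [(ts, dst), ...], TCP/445 only
    for line in log_text.strip().splitlines():
        ts, src, dst, dport, _ = parse_line(line)
        if dport == 445:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):
            # Advance the window start until events[lo:hi+1] spans <= window.
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            targets = {dst for _, dst in events[lo:hi + 1]}
            if len(targets) >= threshold and len(targets) > alerts.get(src, (0,))[0]:
                external = sum(not any(ipaddress.ip_address(d) in n for n in RFC1918) for d in targets)
                alerts[src] = (len(targets), external)
    return alerts
```

Denied connections dominate the sample because a scanner hits many hosts without SMB exposed; in a real export, a burst of 445 attempts from a workstation is the signal to isolate that host and check it for the MS17-010 patch.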

Protection against such attacks, according to Sachkov, can be ensured by using "sandbox" solutions, which are installed on the organization's network and scan all files sent to employees' email or downloaded from the Internet. In addition, the expert recalled, it is important to hold explanatory conversations with employees about the basics of "digital hygiene": do not install programs from unverified sources, do not insert unknown flash drives into the computer, do not follow dubious links, update software on time and do not use operating systems that are no longer supported by the manufacturer.

Who is to blame

It is not yet clear who is behind the large-scale cyber attack. Former NSA employee Edward Snowden said that a virus developed by the NSA could have been used in the global hacker attack that occurred on May 12. WikiLeaks previously announced this possibility.

In turn, the Romanian authorities said that an organization "associated with the cybercrime group APT28/Fancy Bear," traditionally classified as "Russian hackers," could be behind the attempted attack.

The Telegraph suggests that the Shadow Brokers group, linked to Russia, may be behind the attack. It connects this to the hackers' claims in April that they had stolen a "cyber weapon" from the US intelligence community that gave them access to all Windows computers.