
The Russian mobile operator Megafon has been hacked. The Ministry of Internal Affairs and Megafon became victims of a virus attack. The WannaCry virus could have been created by the North Korean hacker group Lazarus.

MOSCOW, May 19 - PRIME, Natalya Karnova. On Friday, subscribers of the mobile operator Megafon encountered communication problems in a number of regions. The company clarified that problems with voice communication are observed in Moscow and several other cities and that the “reduction in dialing success” is 30%. Mobile internet is working as usual, and calls can be made through messaging apps. The operator plans to complete the restoration work in the coming hours.

Following Megafon, operators Beeline and Yota reported problems in their networks. Later, Beeline reported that there were problems with only one station, and they had already been fixed. The MTS and Tele2 networks were operating normally at the time of writing.

There is still more speculation than information about how events actually unfolded; perhaps the clearest picture now is available only to those inside the company, says Denis Kuskov, CEO of the Telecom Daily agency. “We can only state that the problems are not in the base station hardware. If a channel fails, it can be replaced with backup equipment. It looks like we are talking about a software glitch; this is indicated by the fact that problems are being recorded in different regions,” he noted in an interview with the Prime agency.

According to the expert, the reasons for such a failure can be both internal and external - external influence or a virus attack. “Hackers even got into the Pentagon, let alone the operator’s network, which is probably not so well protected. No one is immune from this, especially in our time, when the world is becoming more and more defenseless against computer attacks,” he noted.

THE WANNACRY TRAIL

Megafon's statement says that the network failure is not related to the WannaCry virus attack; the failure occurred in one element of the network equipment. At the same time, the large-scale worldwide malware attack did affect Megafon's networks on May 15; the company then reported that it had finished eliminating the consequences of the virus attack.

“We have already seen that the system for issuing driver’s licenses did not work in a number of regions for 24 hours. No one excludes that it could have been affected by a virus. Such attacks usually come in a fan pattern, and a wave of the virus may or may not give results depending on how it was configured,” Kuskov notes in this regard.

Attackers use WannaCry to encrypt files in order to extort money for restoring the encrypted data. Earlier, Europol Director Rob Wainwright said that the large-scale cyber attack under way around the world since May 12 had affected more than 200 thousand users in 150 countries. The developers of the Avast antivirus reported 57 thousand hacker attacks using the WanaCrypt0r 2.0 virus. According to the company, the virus is spreading primarily in Russia, Ukraine and Taiwan. Kaspersky Lab reported 45 thousand attempted hacking attacks in 74 countries around the world on Friday. The greatest number of infection attempts were observed in Russia.

On Friday, the press service of the Bank of Russia reported the identification of isolated cases of compromise of credit institutions’ resources using the WannaCry virus, the consequences of which were quickly eliminated. Back in April, the Bank of Russia had sent banks information on methods of detecting malicious “encryptor”-type software distributed by e-mail and on countering it. In particular, banks received recommendations on installing security update packages for Windows that can counter the WannaCry virus.

WITHOUT SIGNIFICANT CONSEQUENCES

Social and strategic facilities were not affected by Megafon's problems, although information initially appeared that the failure of telephones and the Internet affected the Federal Antimonopoly Service. Later it became known that the failure occurred due to a power outage in the departmental building and was not related to the problems of Megafon. These services were not affected.

The problems with Megafon did not in any way affect the control and communication system of the Ministry of Emergency Situations of the Russian Federation. The departmental digital communication and control network, which integrates various services, is operating steadily as usual, the ministry reported. According to the representative of the Ministry of Emergency Situations, the backup management and communication systems are operating in parallel with the main system. Thus, problems in the Megafon network did not affect the efficiency and functioning of the ministry. “Only those Ministry of Emergency Situations employees who are subscribers of the Megafon cellular network felt the inconvenience,” the ministry concluded.

As for the possible consequences for strategic facilities, for now we can only confidently assume that some Defense Ministry employees were left without cellular communications, Kuskov agrees. At the secret facilities themselves, other communication and data protection options are used, and it is unlikely that problems with cellular communication will be critical there. However, in the future, no one will be able to give a 100- or even 50-percent guarantee that the next breakdown will be limited only to cellular communications and will not affect social facilities like the Pension Fund, he added.

In addition to telecommunications companies, Russian law enforcement agencies - the Ministry of Internal Affairs and the Investigative Committee - became victims of hacker attacks, according to sources from RBC, as well as Gazeta.Ru and Mediazona.

RBC's source in the Ministry of Internal Affairs spoke about an attack on the ministry's internal networks. According to him, it was mainly the regional departments of the ministry that were attacked. He clarified that the virus affected computers in at least three regions of the European part of Russia. The source added that this attack should not affect the work of the Ministry of Internal Affairs. Another RBC source at the ministry said that hackers could have gained access to the Ministry of Internal Affairs databases, but it is not known whether they managed to download information from there. The attack on the Ministry of Internal Affairs affected only those computers on which the operating system had not been updated for a long time, a source at the ministry said. The work of the ministry has not been paralyzed by the hackers, but it is greatly hampered.

In Germany, hackers hit the services of Deutsche Bahn, the country's main railway operator. This was reported by the ZDF TV channel with reference to the country's Ministry of Internal Affairs.

The US Department of Homeland Security is offering its partners technical support and assistance in the fight against the WannaCry ransomware.

What kind of virus?

According to a statement from Kaspersky Lab, the virus in question is the WannaCry ransomware. “As the analysis showed, the attack occurred through the well-known network vulnerability described in Microsoft Security Bulletin MS17-010. A rootkit was then installed on the infected system, using which the attackers launched the encryption program,” the company said.

“All Kaspersky Lab solutions detect this rootkit as MEM:Trojan.Win64.EquationDrug.gen. Our solutions also detect the ransomware that was used in this attack with the following verdicts: Trojan-Ransom.Win32.Scatter.uf, Trojan-Ransom.Win32.Fury.fr, PDM:Trojan.Win32.Generic (the System Watcher component, which is used to detect this malware, must be enabled),” the company noted.

To reduce the risk of infection, Kaspersky Lab experts advise users to install the official patch from Microsoft, which closes the vulnerability used in the attack, and, to prevent such incidents, to use threat intelligence services in order to receive timely data on the most dangerous attacks and possible infections.

Microsoft also commented on the hacker attack. “Today our specialists have added detection and protection against new malware known as Ransom:Win32.WannaCrypt. In March, we also introduced additional protection against this type of malware with a security update that prevents malware from spreading across the network. Users of our free antivirus and of updated Windows versions are protected. We are working with users to provide additional help,” says a statement from a Microsoft representative in Russia received by RBC.

A representative of Solar Security told RBC that the company sees the attack and is currently examining a sample of the virus. “We are not ready to share details right now, but the malware was clearly written by professionals. It cannot yet be ruled out that it is something more dangerous than ransomware. It is already obvious that the speed of its spread is unprecedentedly high,” the source said. According to him, the damage from the virus is “enormous”; it has affected large organizations in 40 countries, but it is impossible to give an accurate assessment yet, since the capabilities of the malware have not been fully studied and the attack is still unfolding.

Group-IB CEO Ilya Sachkov told RBC that ransomware similar to the one used in the current attack is a growing trend. In 2016, the number of such attacks increased more than a hundredfold compared to the previous year, he said.

Sachkov noted that, as a rule, infection of a device in such cases occurs through e-mail. Speaking about WannaCry, the expert noted that this encryption program has two features. “Firstly, it uses the ETERNALBLUE exploit, which was made publicly available by the Shadow Brokers hackers. A patch that closes this vulnerability for Windows Vista and later became available on March 9 as part of bulletin MS17-010. At the same time, there will be no patch for older operating systems such as Windows XP and Windows Server 2003, since they are no longer supported,” he said.

“Secondly, in addition to encrypting files, it scans the Internet for vulnerable hosts. That is, if an infected computer gets into some other network, the malware will spread there too, hence the avalanche-like nature of infections,” Sachkov added.

Protection against such attacks, according to Sachkov, can be ensured by using “sandbox” solutions, which are installed on the organization’s network and scan all files sent to employees’ emails or downloaded from the Internet. In addition, the expert recalled, it is important to conduct explanatory conversations with employees about the basics of “digital hygiene” - do not install programs from unverified sources, do not insert unknown flash drives into the computer and do not follow dubious links, as well as update software on time and not use operating systems that are not supported by the manufacturer.

Who is to blame

It is not yet clear who is behind the large-scale cyber attack. Former NSA employee Edward Snowden said that a virus developed by the NSA could have been used in the global hacker attack that occurred on May 12. WikiLeaks previously announced this possibility.

In turn, the Romanian authorities said that behind the attempted attack could be an organization “associated with the cybercrime group APT28/Fancy Bear,” which is traditionally classified as “Russian hackers.”

The Telegraph suggests that the Shadow Brokers group, linked to Russia, may be behind the attack. They link this to hackers' claims in April that they had stolen a "cyber weapon" from the US intelligence community, giving them access to all Windows computers.

The internal computer system of the Russian Ministry of Internal Affairs was struck by the virus, Varlamov.ru reports, citing several sources familiar with the situation.

Mediazona's source in the Ministry of Internal Affairs confirmed the fact of infection of departmental computers. According to him, we are talking about departments in several regions.

Previously, information about a possible virus infection appeared on the Pikabu website and the Kaspersky forum. According to some users, this is the WCry virus (also known as WannaCry or WannaCryptor): it encrypts the user’s files, changes their extension and demands that a special decryptor be bought for bitcoins; otherwise the files will be deleted.

According to users on the Kaspersky forum, the virus first appeared in February 2017, but “has been updated and now looks different than previous versions.”

The Kaspersky press service was unable to promptly comment on the incident, but promised to release a statement in the near future.

Avast employee Jakub Kroustek reported on Twitter that at least 36 thousand computers in Russia, Ukraine and Taiwan are infected.

Varlamov’s website notes that information has also appeared about the infection of computers in public hospitals in several regions of the UK and an attack on the Spanish telecommunications company Telefonica. In both cases, the virus likewise demands payment.

Microsoft noted that its March update already provided additional protection against such viruses.

“Users of our free antivirus and of updated versions of Windows are protected. We are working with users to provide additional assistance,” the company added.

Earlier, Kaspersky Lab told Mediazona that the WannaCrypt virus exploits a Windows network vulnerability that Microsoft specialists had closed back in March.

The Ministry of Internal Affairs confirmed hacker attacks on its computers

The Ministry of Internal Affairs confirmed hacker attacks on its computers, RIA Novosti reports.

According to the press secretary of the Ministry of Internal Affairs, Irina Volk, the ministry's Department of Information Technology, Communications and Information Protection recorded a virus attack on Ministry of Internal Affairs computers running the Windows operating system.

“Thanks to timely measures taken, about a thousand infected computers were blocked, which is less than 1%,” Volk said, adding that the server resources of the Ministry of Internal Affairs were not infected because they work on other operating systems.

“Currently the virus has been localized, and technical work is being carried out to destroy it and to update the antivirus protection tools,” said the ministry's press secretary.

More than six thousand dollars were transferred to the Bitcoin wallets of the hackers who spread the WannaCry virus.

At least 3.5 bitcoins were transferred to the hackers who spread the WannaCry ransomware virus, Meduza writes. According to the exchange rate of $1,740 for one bitcoin at 22:00 Moscow time, this amount is $6,090.

Meduza came to this conclusion based on the history of transactions on Bitcoin wallets to which the virus demanded money be transferred. The wallet addresses were published in a Kaspersky Lab report.

The three wallets received 20 transactions on May 12. Mostly, 0.16-0.17 bitcoins were transferred at a time, which is approximately $300. This is the amount the hackers demanded in the pop-up window on infected computers.

Avast counted 75 thousand attacks in 99 countries

The IT company Avast reported that the WanaCrypt0r 2.0 virus infected 75 thousand computers in 99 countries, according to the company’s website.

Most of the infected computers are in Russia, Ukraine and Taiwan.

Thirteen hours ago, a blog post by computer security specialist Brian Krebs appeared about the transfer of bitcoins to the hackers totaling $26,000.

Europol: 200 thousand computers in 150 countries were attacked by a virus

In three days, more than 200 thousand computers in 150 countries have already been infected with the WannaCry virus, Europol Director Rob Wainwright said in an interview with the British TV channel ITV. His words are quoted by Sky News.

“The spread of the virus around the world is unprecedented. The latest estimates are that there are 200,000 victims in at least 150 countries, including businesses, including large corporations,” Wainwright said.

He suggested that the number of infected computers would likely increase significantly when people returned to work on their computers on Monday. At the same time, Wainwright noted that so far people have transferred “surprisingly little” money to the spreaders of the virus.

In China, the virus attacked the computers of 29 thousand institutions

The WannaCry virus attacked the computers of more than 29 thousand institutions in China, and the number of affected computers is in the hundreds of thousands, the Xinhua agency reports, citing data from the Qihoo 360 Computer Threat Assessment Center.

According to the researchers, computers in more than 4,340 universities and other educational institutions were attacked. Infections were also observed on the computers of railway stations, postal organizations, hospitals, shopping centers and government agencies.

“There was no significant damage for us, for our institutions - neither for banking, nor for the healthcare system, nor for others,” Putin said.

“As for the source of these threats, in my opinion, Microsoft’s management directly stated this: they said that the primary source of this virus is the intelligence services of the United States, and Russia has absolutely nothing to do with it. It’s strange for me to hear something different under these conditions,” the president added.

Putin also called for discussing the problem of cybersecurity “at a serious political level” with other countries. He stressed that it is necessary to “develop a system of protection against such manifestations.”

Clones of the WannaCry virus have appeared

Two modifications of the WannaCry virus have appeared, Vedomosti writes, citing Kaspersky Lab. The company believes that both clones were created not by the authors of the original ransomware but by other hackers who are trying to take advantage of the situation.

The first modification of the virus began to spread on the morning of May 14. Kaspersky Lab discovered three infected computers in Russia and Brazil. The second clone learned to bypass a piece of code that was used to stop the first wave of infections, the company noted.

Bloomberg also writes about the virus clones. Matt Suiche, founder of the cybersecurity company Comae Technologies, said that about 10 thousand computers were infected with the second modification of the virus.

According to Kaspersky Lab, six times fewer computers were infected today than on Friday, May 12.

The WannaCry virus could have been created by the North Korean hacker group Lazarus

The WannaCry ransomware virus could have been created by hackers from the North Korean group Lazarus, according to Kaspersky Lab's specialized website.

The company's specialists drew attention to a tweet by Google analyst Neel Mehta. As Kaspersky Lab concluded, the message points to similarities between two samples: they share common code. The tweet cites a cryptographic WannaCry sample from February 2017 and a Lazarus group sample dated February 2015.

“The detective story is getting tighter and tighter, and now the same code has been found in #WannaCry and in the Trojans from Lazarus,” -

An information security researcher known by the nickname w0rm announced that he had successfully hacked the Russian mobile operator Megafon. According to the hacker, he gained access to the file systems of several of the operator's websites. In addition, he had the official data of company employees at his disposal.

According to the hacker, he had the opportunity to gain access to the data of Megafon clients, but he did not do so, guided by ethical considerations. As evidence, the hacker presented several screenshots that show the file structure of one of the hacked sites and a control panel for the domain name megafon.mobi.

The hacker says he changed the password for logging into his personal account. While doing so, it turned out that the password consists of only 6 digits and can only be changed to another six-digit numeric password. A 6-digit password can thus be guessed quite easily in the absence of a mechanism that blocks brute-force attempts. On the Megafon website, the role of such a mechanism is played by a captcha.

This protection was bypassed using an outdated Yandex widget that does not require a captcha. As the hacker reported, 20-30 minutes of password guessing is enough to gain access to an arbitrary subscriber's personal account by phone number and to examine call details, SMS, full name and payment information.
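The two paragraphs above describe the defensive gap: a 6-digit numeric password is only as strong as the mechanism that limits guessing, and a limit enforced by a captcha on one front end is bypassed by any other login path that lacks it. The Python below is an added example (not code from the article or from Megafon) of the kind of control a defender would want instead: a per-account failure counter with a lockout that every authentication path must consult, plus a helper that puts the 10^6 keyspace into hours at a given attempt rate. The 6-digit policy comes from the article; the threshold of 5 failures, the 15-minute lockout and the phone-number account key are assumptions made for the example.

```python
"""Per-account brute-force guard for a short numeric password.

Example code illustrating the article's point; not Megafon's system.
The 6-digit password length is from the article; all limits below are
assumptions chosen for the example.
"""
import time
from dataclasses import dataclass, field
from typing import Callable, Dict

PIN_LENGTH = 6                  # from the article: passwords are exactly 6 digits
KEYSPACE = 10 ** PIN_LENGTH     # 1,000,000 possible passwords


def worst_case_hours(attempts_per_second: float) -> float:
    """Hours needed to try every possible 6-digit password at a steady rate.

    Shows why a password this short is only as strong as the attempt limit:
    at one guess per second the whole space is covered in under 278 hours.
    """
    return KEYSPACE / attempts_per_second / 3600


@dataclass
class AccountState:
    failures: int = 0           # consecutive failed logins
    locked_until: float = 0.0   # epoch seconds; 0 means not locked


@dataclass
class LoginGuard:
    """Counts failed logins per account and locks the account after a threshold.

    The guard is keyed on the account identifier (the subscriber's phone number
    in this example), so it must be consulted by every login path: the main web
    form, the mobile site and any legacy widget alike. A check that lives only
    in one front end (such as a captcha on one form) is bypassed by whichever
    path omits it; a server-side guard on the account is not.
    """
    max_failures: int = 5                          # assumption: lock after 5 failures
    lockout_seconds: float = 900.0                 # assumption: 15-minute lockout
    clock: Callable[[], float] = time.time         # injectable for testing
    _accounts: Dict[str, AccountState] = field(default_factory=dict)

    def _state(self, account: str) -> AccountState:
        return self._accounts.setdefault(account, AccountState())

    def is_locked(self, account: str) -> bool:
        return self.clock() < self._state(account).locked_until

    def attempt(self, account: str, pin: str, real_pin: str) -> str:
        """Return 'locked', 'ok' or 'wrong'.

        A locked account is refused before the password is even compared, so
        guesses made during the lockout yield no information.
        """
        st = self._state(account)
        if self.clock() < st.locked_until:
            return "locked"
        if pin == real_pin:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.locked_until = self.clock() + self.lockout_seconds
        return "wrong"


def evaluated_attempts_under_guard(guard: LoginGuard, account: str,
                                   real_pin: str, budget: int) -> int:
    """Test harness: feed a burst of sequential guesses through the guard and
    count how many the guard actually evaluated before refusing or succeeding.
    With a working lockout this stays at max_failures no matter the budget."""
    evaluated = 0
    for n in range(budget):
        result = guard.attempt(account, f"{n:0{PIN_LENGTH}d}", real_pin)
        if result == "locked":
            break
        evaluated += 1
        if result == "ok":
            break
    return evaluated


if __name__ == "__main__":
    # Constructed sample account and password; not real subscriber data.
    account, real_pin = "+79000000000", "735910"
    print(f"full keyspace at 1 guess/s: {worst_case_hours(1.0):.1f} hours")
    print("guesses evaluated with lockout:",
          evaluated_attempts_under_guard(LoginGuard(), account, real_pin, 1000))
    print("guesses evaluated without lockout:",
          evaluated_attempts_under_guard(LoginGuard(max_failures=10**9),
                                         account, real_pin, 1000))
```

The lockout is deliberately keyed on the account rather than on the caller's IP address or session, since a guessing campaign can rotate sources while the target account stays fixed; a production deployment would combine this with a per-source rate limit and alerting on accounts that hit the lockout repeatedly.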

Such a major success prompted the hacker to audit some other domains belonging to the company. As a result, he was able to obtain an archive containing a backup of the Jira project management system from the beginning of 2015. Using the Megafon employee credentials contained in the archive, the hacker gained access to corporate mail and some internal resources.

Representatives of Megafon say that no evidence of a successful penetration into the system has been found. The company is now carrying out additional checks in connection with the reports on social networks.

In May of this year, w0rm had already carried out a successful attack on the entertainment website Sprashivay.ru. At that time the researcher publicly posted an archive with the passwords of the service's users. Previously, he had carried out successful attacks on foreign media sites such as The Wall Street Journal and Vice.

UPD (05/15/2017): Megafon has become the victim of a new information security incident. The Russian mobile operator, along with dozens of companies and organizations around the world, has fallen victim to the WannaCry ransomware.

Details can be found in the new from SecureNews.
