Tag Archives: Cyber Attack

Hackers hit Russian bank customers, planned international cyber raids

FILE PHOTO: The logo of Sberbank is seen on top of a building in central Moscow, Russia April 22, 2016. REUTERS/Maxim Zmeyev/File Photo

By Jack Stubbs

MOSCOW (Reuters) – Russian cyber criminals used malware planted on Android mobile devices to steal from domestic bank customers and were planning to target European lenders before their arrest, investigators and sources with knowledge of the case told Reuters.

Their campaign raised a relatively small sum by cyber-crime standards – more than 50 million roubles ($892,000) – but they had also obtained more sophisticated malicious software for a modest monthly fee to go after the clients of banks in France and possibly a range of other western nations.

Russia’s relationship to cyber crime is under intense scrutiny after U.S. intelligence officials alleged that Russian hackers had tried to help Republican Donald Trump win the U.S. presidency by hacking Democratic Party servers.

The Kremlin has repeatedly denied the allegation.

The gang members tricked the Russian banks’ customers into downloading malware via fake mobile banking applications, as well as via pornography and e-commerce programs, according to a report compiled by cyber security firm Group-IB which investigated the attack with the Russian Interior Ministry.

The criminals – 16 suspects were arrested by Russian law enforcement authorities in November last year – infected more than a million smartphones in Russia, on average compromising 3,500 devices a day, Group-IB said.

The hackers targeted customers of state lender Sberbank <SBER.MM>, and also stole money from accounts at Alfa Bank and online payments company Qiwi <QIWI.O>, exploiting weaknesses in the companies’ SMS text message transfer services, said two people with direct knowledge of the case.

Although operating only in Russia before their arrest, they had developed plans to target large European banks including French lenders Credit Agricole <CAGR.PA>, BNP Paribas <BNPP.PA> and Societe Generale <SOGN.PA>, Group-IB said.

A BNP Paribas spokeswoman said the bank could not confirm this information, but added that it “has a significant set of measures in place aimed at fighting cyber attacks on a daily basis”. Societe Generale and Credit Agricole declined comment.

The gang, which was called “Cron” after the malware it used, did not steal any funds from customers of the three French banks. However, it exploited the bank service in Russia that allows users to transfer small sums to other accounts by sending an SMS message.

Having infected the users’ phones, the gang sent SMS messages from those devices instructing the banks to transfer money to the hackers’ own accounts.

The findings illustrate the dangers of using SMS messages for mobile banking, a method favored in emerging countries with less advanced internet infrastructure, said Lukas Stefanko, a malware researcher at cyber security firm ESET in Slovakia.

“It’s becoming popular among developing nations or in the countryside where access to conventional banking is difficult for people,” he said. “For them it is quick, easy and they don’t need to visit a bank… But security always has to outweigh consumer convenience.”

CYBER CRIMINALS

The Russian Interior Ministry said a number of people had been arrested, including what it described as the gang leader. This was a 30-year-old man living in Ivanovo, an industrial city 300 km (185 miles) northeast of Moscow, from where he had commanded a team of 20 people across six different regions.

Four people remain in detention while the others are under house arrest, the ministry said in a statement.

“In the course of 20 searches across six regions, police seized computers, hundreds of bank cards and SIM cards registered under fake names,” it said.

Group-IB said the existence of the Cron malware was first detected in mid-2015, and by the time of the arrests the hackers had been using it for under a year.

The core members of the group were detained on Nov. 22 last year in Ivanovo. Photographs of the operation released by Group-IB showed one suspect face down in the snow as police in ski masks handcuffed him.

The “Cron” hackers were arrested before they could mount attacks outside Russia, but plans to do that were at an advanced stage, said the investigators.

Group-IB said that in June 2016 they had rented a piece of malware designed to attack mobile banking systems, called “Tiny.z” for $2,000 a month. The creators of the “Tiny.z” malware had adapted it to attack banks in Britain, Germany, France, the United States and Turkey, among other countries.

The “Cron” gang developed software designed to attack lenders including the three French groups, it said, adding it had notified these and other European banks at risk.

A spokeswoman for Sberbank said she had no information about the group involved. However, she said: “Several groups of cyber criminals are working against Sberbank. The number of groups and the methods they use to attack us change constantly.”

“It isn’t clear which specific group is being referred to here because the fraudulent scheme involving Android OS (operating system) viruses is widespread in Russia and Sberbank has effectively combated it for an extensive period of time.”

Alfa Bank did not provide a comment. Qiwi did not respond to multiple requests for comment.

Google <GOOGL.O>, the maker of Android, has taken steps in recent years to protect users from downloading malicious code and by blocking apps which are insecure, impersonate legitimate companies or engage in deceptive behaviors.

A Google spokesman said: “We’ve tracked this malware family for several years and will continue to take action on its variants to protect our users.”

FAKE MOBILE APPS

The Russian authorities, bombarded with allegations of state-sponsored hacking, are keen to show Russia too is a frequent victim of cyber crime and that they are working hard to combat it. The interior and emergencies ministries, as well as Sberbank, said they were targeted in a global cyberattack earlier this month.

Since the allegations about the U.S. election hacking, further evidence has emerged of what some Western officials say is a symbiotic relationship between cyber criminals and Russian authorities, with hackers allowed to attack foreign targets with impunity in return for cooperating with the security services while Moscow clamps down on those operating at home.

The success of the Cron gang was facilitated by the popularity of SMS-banking services in Russia, said Dmitry Volkov, head of investigations at Group-IB.

The gang got their malware on to victims’ devices by setting up applications designed to mimic banks’ genuine apps. When users searched online, the results would suggest the fake app, which they would then download. The hackers also inserted malware into fake mobile apps for well-known pornography sites.

After infecting a customer’s phone, the hackers were able to send a text message to the bank initiating a transfer of up to $120 to one of 6,000 bank accounts set up to receive the fraudulent payments.

The malware would then intercept a confirmation code sent by the bank and block the victim from receiving a message notifying them about the transaction.

“Cron’s success was due to two main factors,” Volkov said. “First, the large-scale use of partner programs to distribute the malware in different ways. Second, the automation of many (mobile) functions which allowed them to carry out the thefts without direct involvement.”

($1 = 56.0418 roubles)

(The story is refiled to fix typo in spelling of Societe Generale)

(Additional reporting by Maya Nikolaeva in Paris and Eric Auchard in Frankfurt; Editing by Christian Lowe and David Stamp)

North Korea says linking cyber attacks to Pyongyang is ‘ridiculous’

A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS

By Michelle Nichols

UNITED NATIONS (Reuters) – North Korea’s deputy United Nations envoy said on Friday “it is ridiculous” to link Pyongyang with the WannaCry “ransomware” cyber attack that started to sweep around the globe a week ago or the hacking of a U.N. expert monitoring sanctions violations.

WannaCry has infected more than 300,000 computers in 150 nations. It threatens to lock out victims who have not paid a ransom within one week of infection. French researchers said on Friday they had found a last-chance way to save encrypted files.

“Relating to the cyber attack, linking to the DPRK, it is ridiculous,” North Korea’s Deputy U.N. Ambassador Kim In Ryong told a news conference when asked if Pyongyang was involved in the global WannaCry attack or the U.N. hack.

North Korea is also known as the Democratic People’s Republic of Korea (DPRK).

“Whenever something strange happens, it is the stereotype way of the United States and the hostile forces that kick off noisy anti-DPRK campaign deliberately linking with DPRK,” Kim said.

Symantec <SYMC.O> and Kaspersky Lab said on Monday that some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, which researchers from many companies have identified as a North Korea-run hacking operation.

A spokesman for the Italian mission to the United Nations, which chairs the U.N. Security Council North Korea sanctions committee, said on Friday that a member of the U.N. panel of experts who monitor sanctions violations had been hacked.

No further details on the extent of the hack or who might be responsible were immediately available.

The U.N. Security Council first imposed sanctions on North Korea in 2006 and has strengthened the measures in response to the country’s five nuclear tests and two long-range rocket launches. Pyongyang is threatening a sixth nuclear test.

(Reporting by Michelle Nichols; Editing by Jonathan Oatis and Grant McCool)

WannaCry attack is good business for cyber security firms

FILE PHOTO: A hooded man holds a laptop computer as cyber code is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

By Joseph Menn

SAN FRANCISCO (Reuters) – For Kris Hagerman, chief executive of UK-based cyber security firm Sophos Group Plc <SOPH.L>, the past week could have been bad. The WannaCry “ransomware” attack hobbled some of its hospital customers in Britain’s National Health Service, forcing them to turn away ambulances and cancel surgeries.

The company quickly removed a boast on its website that “The NHS is totally protected with Sophos.” In many industries, that sort of stumble would likely hit a company’s reputation hard.

Yet on Monday, three days after the global malware attack was first detected, Sophos stock jumped more than 7 percent to set a record high and climbed further on Wednesday after the company raised its financial forecasts.

As for most other cyber security firms, highly publicized cyber attacks are good for business, even though experts say such attacks underscore the industry’s failings.

“We are making good progress and are doing a good job,” Hagerman said in an interview this week. “People ask ‘How come you haven’t solved the cyber crime problem?’ and it’s a little like saying ‘You human beings have been around for hundreds of thousands of years, how come you haven’t solved the crime problem?'”

Hagerman pointed out that his company only claimed to protect 60 percent of NHS affiliates and that other factors contributed to the disaster at the hospitals.

“They have their own budgets. They have their own approach to IT generally and IT security,” Hagerman said of individual hospitals, which pick their own operating systems, patching cycles and network setups. Microsoft Corp <MSFT.O> had issued a patch in March for the flaw WannaCry exploited in Windows operating systems.

Yet Hagerman acknowledged that Sophos did not update its basic antivirus software to block WannaCry until hours after it hit customers.

HIGH STAKES

Security experts say hospitals, where the stakes are especially high, represent a case study in how legacy industries need to up their cyber security game.

“We’ve tolerated a pretty poor level of effectiveness, because so far the consequences of failure have been acceptable,” said Josh Corman, a cyber security industry veteran now working on related issues at the Atlantic Council and a member of a healthcare security task force established by the U.S. Congress.

“We are going to see failure measured in loss of life and a hit to GDP, and people will be very surprised.”

Some long-lived medical devices have more than a thousand vulnerabilities, Corman said, and perhaps 85 percent of U.S. medical institutions have no staff qualified for basic cyber security tasks such as patching software, monitoring threat advisories and separating networks from one another.

Increasingly serious cyber security problems are partly an inevitable consequence of the growing complexity of digital technology.

But there are other causes too, including a lack of accountability that stems from the wide range of technology handlers: computer software vendors, antivirus suppliers, in-house professionals, consultants and various regulators.

Ultimately, Corman said, hospitals need to hire solid cyber security people instead of another nurse or two.

GOOD FOR BUSINESS

“What’s needed is punishment of the negligent,” said Ross Anderson, a University of Cambridge pioneer in studying the economics of information security, referring to the hospitals that did not stop WannaCry.

“This is not about technology. This is about people fouling up in ways people would get a pink slip for” in less-insulated environments, he said, meaning they would lose their jobs.

For now, though, there are few signs of any revamp in large institutions’ approach to cyber security – and little incentive for contractors in the cyber security industry to change.

Sophos was not the only company whose stock rose on Monday, as the global scale of WannaCry became apparent. Shares of U.S.-based FireEye Inc <FEYE.O> and Qualys Inc <QLYS.O> both rose more than 5 percent.

But Sophos stood out, aided by higher expectations for a product the company introduced last year to fend off ransomware – so called because the authors of the malware demand a ‘ransom’ to restore a user’s infected computer – which worked at the hospitals that had installed it.

“It’s good news for our business,” one Sophos employee, who asked not to be named, told Reuters this week. “We were so inundated with people calling us.”

(Reporting by Joseph Menn; Editing by Jonathan Weber and Bill Rigby)

Companies use kidnap insurance to guard against ransomware attacks

FILE PHOTO: A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS/File Photo

By Suzanne Barlyn and Carolyn Cohn

NEW YORK/LONDON (Reuters) – Companies without cyber insurance are dusting off policies covering kidnap, ransom and extortion in the world’s political hotspots to recoup losses caused by ransomware viruses such as “WannaCry”, insurers say.

Cyber insurance can be expensive to buy and is not widely used outside the United States, with one insurer previously describing the cost as $100,000 for $10 million in data breach insurance.

Some companies do not even consider it because they do not think they are targets.

The kidnap policies, known as K&R coverage, are typically used by multinational companies looking to protect their staff in areas where violence related to oil and mining operations is common, such as parts of Africa and Latin America. Companies could also tap them to cover losses following the WannaCry attack, which used malicious software, known as ransomware, to lock up more than 200,000 computers in more than 150 countries, and demand payments to free them up. Pay-outs on K&R for ransomware attacks may be lower and the policies less suitable than those offered by traditional cyber insurance, insurers say.

“There will be some creative forensic lawyers who will be looking at policies,” said Patrick Gage, chief underwriting officer at CNA Hardy, a specialist commercial insurer, in London.

He added, however, that given that K&R policies are geared towards a threat to lives, “our absolute preference is that people buy specific cover, rather than relying on insurance coverage that is not specific”.

American International Group Inc, Hiscox Ltd and the Travelers Companies Inc have been receiving ransomware claims from some customers with K&R policies as ransomware attacks become more common, the companies said.

The insurers declined to comment on total claims, citing confidentiality and client security concerns.

“We are seeing claims (over the past 18 months) but not a huge uptick,” a Hiscox spokeswoman said. “These are within expectations and entirely manageable.”

She declined to say whether the firm had seen any such claims from the WannaCry attacks though Tom Harvey, an expert in cyber risk management at catastrophe modeling firm RMS, said “insurers with kidnap and ransom books will want to look closely at their policy wordings to see whether they are exposed.”

A sharp rise in ransomware attacks in the past 18 months has driven companies to use K&R policies to cover some of their damages if they do not have direct cyber coverage or cannot meet initial cyber policy deductible costs, insurers said.

Symantec Corp,, a cyber security firm based in Mountain View in California, observed over 460,000 ransomware attempts in 2016, up 36 percent from 2015, the company said. The average payment demand ballooned from $294 to $1,077, a 266 percent increase. But as the threat mounts, K&R insurers are at risk from steeper claims than they had anticipated. They are responding by making changes to their policies, which were not designed around ransomware, insurance brokers said. MORE DAMAGING THEN KIDNAPPING Most of the computers affected by WannaCry were outside the United States, where companies have been slow to buy cyber insurance. Nearly 90 percent of the world’s annual cyber insurance premium of $2.5-3 billion comes from the U.S. market, according to insurance broker Aon Plc.

Global companies typically buy K&R policies without ransomware in mind. But instances of high-tech hacks and online ransom demands can hit a company’s business more than an executive being held hostage.

“If your CFO (chief financial officer) gets kidnapped, the company is going to continue to function,” said Bob Parisi, cyber product leader for insurance broker Marsh & McLennan Companies Inc.

“If you get a get a piece of malware in the system, you might have two factories that stop working. The actual damage is probably greater.”

The K&R policies, which typically do not have deductibles, cover the ransom payments as well as crisis response services, including getting in touch with criminal and regulatory authorities, said Kevin Kalinich, global head of Aon’s cyber risk practice.

Still, K&R policies may provide only a quick fix since they were not designed for ransomware. Companies can add coverage for business interruption, but the upper limits for pay-outs are usually lower than for a cyber policy, insurers say.

K&R insurers have been adapting to ransomware-related claims – some are modernizing coverage by setting up Bitcoin accounts for clients to speed up ransom payments, brokers said.

But insurers are mindful of their own risks.

Some have added deductibles, said Anthony Dagostino, head of global cyber risk at Willis Towers Watson PLC advisory and brokerage.

AIG has reduced business interruption coverage available for K&R policies to a $1 million maximum, from much higher and more flexible limits, said Tracie Grella, global head of cyber risk insurance at AIG.

“Insurers didn’t anticipate there would be this much ransomware activity,” Grella said.

(Reporting by Suzanne Barlyn and Carolyn Cohn; Editing by Carmel Crimmins adn Timothy Heritage)

Bitcoin’s murkier rivals line up to displace it as cybercriminals’ favourite

FILE PHOTO: A Bitcoin (virtual currency) paper wallet with QR codes and a coin are seen in an illustration picture taken in Paris, France May 27, 2015. REUTERS/Benoit Tessier/File Photo

By Jemima Kelly

LONDON (Reuters) – Bitcoin is well-entrenched as the preferred payment for cybercriminals like the WannaCry hackers who have hit more than 300,000 computers over the past week, but cryptocurrencies offering more anonymity are threatening to displace it.

A key reason for bitcoin’s dominance in the nefarious online underworld, say technologists and cybercrime experts, is its size – the total value of all bitcoins in circulation is more than twice that of the nearest of hundreds of rivals.

That makes it easy for victims to access enough to pay the ransoms demanded, and for hackers to cash out of it via online exchanges to spend money in the real world.

Bitcoin was set up in 2008 by someone – or some group – calling themselves Satoshi Nakamoto, and was the first digital currency to successfully use cryptography to keep transactions secure and hidden, making traditional financial regulation difficult if not impossible.

Money is sent from one anonymous online “wallet” to another with no need for a third party to validate or clear the transactions.

In the WannaCry attack, the addresses of three anonymous bitcoin wallets were given to victims, with a demand for ransom payments from $300 worth of bitcoin, with a promise the affected machines would be decrypted in return, a promise that no evidence has shown will be kept.

But since the way that Bitcoin functions is via the blockchain – a giant, virtually tamper-proof, shared ledger of all bitcoin transactions ever made – payments can be traced, if users do not have the sophistication to take further steps to cloak themselves using digital anonymity tools.

“In the initial days of bitcoin, people…didn’t realise they were recording for posterity on the blockchain every financial transaction that ever took place,” said Emin Gun Sirer, a computer science professor at Cornell University.

Bitcoin addresses are anonymous, but users can be traced through IP addresses or by analysing money flows.

If criminals using bitcoin want to stay truly anonymous, Gun Sirer said, they have to go through a number of additional, complex steps to make sure they do not get caught.

It is not yet clear what level of sophistication the WannaCry hackers have when it comes to laundering their cryptocurrency, as none of the money has yet been moved out of the three bitcoin wallets linked to the ransomware, which have had over $80,000 worth of bitcoin paid into them so far. [http://tmsnrt.rs/2rqaLyz]

But some have suggested that the fact that the WannaCry hackers demanded bitcoin shows how amateur they are.

“If it was me, I would want people to use bitcoin all day, because you can trace it,” said Luke Wilson, vice president for law enforcement at Elliptic, a London-based security firm that tracks illicit bitcoin transactions and that counts the U.S. Federal Bureau for Investigations (FBI) among its clients.

Wilson, who used to work at the FBI, where he set up a taskforce to investigate the use of virtual currencies, did not disclose all the ways that Elliptic and law enforcement agencies find criminals using bitcoin. But sometimes, he said, the offenders make as obvious a mistake as withdrawing money from a bitcoin wallet directly into their bank accounts.

CAT-AND-MOUSE GAME

More sophisticated criminals use obfuscation methods that make it very hard to be tracked down. One of the most basic ones is a technique known as “chain-hopping”, whereby money is moved from one cryptocurrency into another, across digital currency exchanges – the less-regulated the better – to create a money trail that is almost impossible to track.

Newer and more complex money-laundering methods have also emerged in recent years, which make it very difficult for law enforcement and bitcoin security firms such as Elliptic or New-York-based Chainalysis to track down cybercriminals.

“It’s a cat-and-mouse game – as police and companies like Elliptic catch up to criminals’ techniques, they invent new techniques,” said Jerry Brito, executive director of the Washington, D.C.-based Coin Center, a not-for-profit advocacy group focusing on public policy issues around cryptocurrency.

These techniques are not foolproof, however – chain-hopping, for example, relies on unregulated exchanges that do not carry out know-your-customer (KYC) checks, and security firms say they will develop ways to trace such methods.

MONERO HACK

Easier, perhaps, would be for cybercriminals to use next-generation cryptocurrencies that have built-in anonymity from the start, such as Monero, Dash and Z-Cash.

And indeed, experts said late on Tuesday that a computer virus that exploits the same vulnerability as the WannaCry attack had latched on to more than 200,000 computers and begun using them to manufacture – or “mine” – Monero currency.

But with a total value of around $425 million – a little over 1 percent of that of bitcoin – converting that currency into spendable cash might not be so easy, and it is also much harder for victims to access, alternative payments experts said.

That is why the Monero attack did not demand a ransom, but rather used the infected computers’ computing power to create new currency.

“This used to happen in bitcoin before it became big – there were loads of botnets that went into computers that used to mine bitcoin, but you now can’t basically mine bitcoin on normal computers because you need specialist hardware,” said Chainalysis CEO Jonathan Levin.

Levin said such bitcoin-based attacks were carried out several years ago, when mining it was still largely a hobby for tech geeks using their home computers.

As the bitcoin price has risen and as transaction numbers have grown, the computers have become so specialized that only they can only perform the function of bitcoin mining.

“If Monero does become adopted and is as big and liquid (as bitcoin), that means the crime (will) move from using computers to mine to getting to extortion,” Levin said.

French researchers find last-ditch cure to unlock WannaCry files

A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

By Eric Auchard

FRANKFURT (Reuters) – French researchers said on Friday they had found a last-chance way for technicians to save Windows files encrypted by WannaCry, racing against a deadline as the ransomware threatens to start locking up victims’ computers first infected a week ago.

WannaCry, which started to sweep round the globe last Friday and has infected more than 300,000 computers in 150 nations, threatens to lock out victims who have not paid a sum of $300 to $600 within one week of infection.

A loose-knit team of security researchers scattered across the globe said they had collaborated to develop a workaround to unlock the encryption key for files hit in the global attack, which several independent security researchers have confirmed.

The researchers warned that their solution would only work in certain conditions, namely if computers had not been rebooted since becoming infected and if victims applied the fix before WannaCry carried out its threat to lock their files permanently.

The group includes Adrien Guinet, who works as a security expert, Matthieu Suiche, who is an internationally known hacker, and Benjamin Delpy, who helped out by night, in his spare time, outside his day job at the Banque de France.

Suiche has published a blog with technical details summarizing what the group of passing online acquaintances has developed. He links to a tool called Wannakey built by Guinet, the creator of the original concept.

“THE ONLY WORKABLE SOLUTION”

Guinet, a security researcher at Paris-based Quarks Lab, published the basic technique for decrypting WannaCry files on Thursday, which Delpy then figured out how to turn into a practical tool to salvage files.

Suiche, based in the United Arab Emirates and one of the world’s top security researchers, provided advice and testing to ensure the fix worked across all various versions of Windows.

Wannakey was quickly tested and shown to work on Windows 7 and older Windows versions XP and 2003, Suiche said, adding that he believes the hastily developed fix also works with Windows 2008 and Vista.

“(The method) should work with any operating system from XP to Win7,” Suiche told Reuters via direct message on Twitter.

“This is not a perfect solution. But this is so far the only workable solution to help enterprises to recover their files if they have been infected and have no back-ups,” Suiche said of network back-up and retrieval systems which allow users with infected computers to restore them after re-imaging their PCs.

Classic customer help desk procedures typically advise users reporting computer problems to reboot their machines, but fast-acting users who pulled the plug on their PCs or otherwise did not attempt to repair them can benefit, the researchers said.

(Editing by Maria Sheahan and Gareth Jones)

U.S. cyber bill would shift power away from spy agency

An undated aerial handout photo shows the National Security Agency (NSA) headquarters building in Fort Meade, Maryland. NSA/Handout via REUTERS

By Joel Schectman

WASHINGTON (Reuters) – A bill proposed in Congress on Wednesday would require the U.S. National Security Agency to inform representatives of other government agencies about security holes it finds in software like the one that allowed last week’s “ransomware” attacks.

Under former President Barack Obama, the government created a similar inter-agency review, but it was not required by law and was administered by the NSA itself.

The new bill would mandate a review when a government agency discovers a security hole in a computer product and does not want to alert the manufacturer because it hopes to use the flaw to spy on rivals. It also calls for the review process to be chaired by the defense-oriented Department of Homeland Security rather than the NSA, which spends 90 percent of its budget on offensive capabilities and spying.

Republican Senator Ron Johnson of Wisconsin and Democratic Senator Brian Schatz of Hawaii introduced the legislation in the U.S. Senate Homeland Security and Governmental Affairs Committee.

“Striking the balance between U.S. national security and general cyber security is critical, but it’s not easy,” said Senator Schatz in a statement. “This bill strikes that balance.”

Tech companies have long criticized the practice of withholding information about software flaws so they can be used by government intelligence agencies for attacks.

Hackers attacked 200,000 in more than 150 countries last week using a Microsoft Windows software vulnerability that had been developed by the NSA and later leaked online.

Microsoft President Brad Smith harshly criticized government practices on security flaws in the wake of the ransomware attacks. “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Smith wrote in a blog post.

Agencies like the NSA often have greater incentives to exploit any security holes they find for spying, instead of helping companies protect customers, cyber security experts say.

“Do you get to listen to the Chinese politburo chatting and get credit from the president?” said Richard Clayton a cyber-security researcher at the University of Cambridge. “Or do you notify the public to help defend everyone else and get less kudos?”

Susan Landau, a cyber security policy expert at Worcester Polytechnic Institute, said that in putting DHS in charge of the process, the new bill was an effort to put the process “into civilian control.”

The new committee’s meetings would still be secret. But once a year it would issue a public version of a secret annual report.

The NSA did not immediately respond to a request for comment.

(Reporting by Joel Schectman; Editing by Jonathan Weber and David Gregorio)

Hackers mint crypto-currency with technique in global ‘ransomware’ attack

A hooded man holds a laptop computer as blue screen with an exclamation mark is projected on him in this illustration picture taken on May 13, 2017. REUTERS/Kacper Pempel/Illustration

By Joseph Menn

SAN FRANCISCO (Reuters) – A computer virus that exploits the same vulnerability as the global “ransomware” attack has latched on to more than 200,000 computers and begun manufacturing digital currency, experts said Tuesday.

The development adds to the dangers exposed by the WannaCry ransomware and provides another piece of evidence that a North Korea-linked hacking group may be behind the attacks.

WannaCry, developed in part with hacking techniques that were either stolen or leaked from the U.S. National Security Agency, has infected more than 300,000 computers since Friday, locking up their data and demanding a ransom payment to release it.

Researchers at security firm Proofpoint said the related attack, which installs a currency “miner” that generates digital cash, began infecting machines in late April or early May but had not been previously discovered because it allows computers to operate while creating the digital cash in the background.

Proofpoint executive Ryan Kalember said the authors may have earned more than $1 million, far more than has been generated by the WannaCry attack.

Like WannaCry, the program attacks via a flaw in Microsoft Corp’s <MSFT.O> Windows software. That hole has been patched in newer versions of Windows, though not all companies and individuals have installed the patches.

Digital currencies based on a technology known as blockchain operate by enabling the creation of new currency in exchange for solving complex math problems. Digital “miners” run specially configured computers to solve the problems and generate currency, whose value ultimate fluctuates according to market demand.

Bitcoin is by far the largest such currency, but the new mining program is not aimed at Bitcoin. Rather it targeted a newer digital currency, called Monero, that experts say has been pursued recently by North Korean-linked hackers.

North Korea has attracted attention in the WannaCry case for a number of reasons, including the fact that early versions of the WannaCry code used some programming lines that had previously been spotted in attacks by Lazarus Group, a hacking group associated with North Korea.

Security researchers and U.S. intelligence officials have cautioned that such evidence is not conclusive, and the investigation is in its early stages.

In early April, security firm Kaspersky Lab said that a wing of Lazarus devoted to financial gain had installed software to mine Monero on a server in Europe.

A new campaign to mine the same currency, using the same Windows weakness as WannaCry, could be coincidence, or it could suggest that North Korea was responsible for both the ransomware and the currency mining.

Kalember said he believes the similarities in the European case, WannaCry and the miner were “more than coincidence.”

“It’s a really strong overlap,” he said. “It’s not like you see Monero miners all over the world.”

The North Korean mission to the United Nations could not be reached for comment, while the FBI declined to comment.

(Fixes spelling of digital currency in paragraphs 11 and 14 to Monero not Moreno.)

(Reporting by Joseph Menn; Editing by Jonathan Weber and Cynthia Osterman)

Jim Bakker: The Lord Told Me President Trump’s Life Is in Danger – Charisma

During the same podcast interview with Charisma Media founder Steve Strang in which he discussed the WannaCry ransomware attack is an end-times event, Jim Bakker shared that he sometimes feels alone in his calls to pray for President Donald Trump.

But another word he received from the Lord has added to his urgency.

“There is going to be an attempt on our president’s life very soon,” he said. “We need to pray for the protection of our president.”

Bakker said the president’s election last November was a miracle, and “the adversary is so angry because they expected to win.” They’re not going to give up until they destroy him, he added.

Read more: Jim Bakker: The Lord Told Me President Trump’s Life Is in Danger – Charisma

Researchers say global cyber attack similar to North Korean hacks

A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS

By Ju-min Park and Dustin Volz

SEOUL/WASHINGTON (Reuters) – Cybersecurity researchers have found evidence they say could link North Korea with the WannaCry cyber attack that has infected more than 300,000 computers worldwide, as global authorities scrambled to prevent hackers from spreading new versions of the virus.

A researcher from South Korea’s Hauri Labs said on Tuesday their own findings matched those of Symantec <SYMC.O> and Kaspersky Lab, who said on Monday that some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, identified by some researchers as a North Korea-run hacking operation.

“It is similar to North Korea’s backdoor malicious codes,” said Simon Choi, a senior researcher with Hauri who has done extensive research into North Korea’s hacking capabilities and advises South Korean police and National Intelligence Service.

Both Symantec and Kaspersky said it was too early to tell whether North Korea was involved in the attacks, based on the evidence that was published on Twitter by Google security researcher Neel Mehta.

The attacks, which slowed on Monday, are among the fastest-spreading extortion campaigns on record.

In China, foreign ministry spokeswoman Hua Chunying said she had no information to share, when asked about the origin of the attack and whether North Korea might be connected.

Several Asian countries have been affected by the malware, although the impact has not been as widespread as some had feared.

In Malaysia, cybersecurity firm LE Global Services said it identified 12 cases so far, including a large government-linked corporation, a government-linked investment firm and an insurance company. It did not name any of the entities.

“We may not see the real picture yet, as companies are not mandated to disclose security breaches to authorities in Malaysia,” said LE Global CEO Fong Choong Fook.

“The real situation may be serious. In one of the cases, the attack was traced back to early April.”

Vietnam’s state media said on Tuesday more than 200 computers had been affected.

Taiwan Power Co. <TAIWP.UL> said that nearly 800 of its computers were affected, although these were used for administration, not for systems involved in electricity generation.

EXPERTS URGE CAUTION

FireEye Inc <FEYE.O>, another large cyber security firm, said it was also investigating, but it was cautious about drawing a link to North Korea.

“The similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator,” FireEye researcher John Miller said.

U.S. and European security officials told Reuters on condition of anonymity that it was too early to say who might be behind the attacks, but they did not rule out North Korea as a suspect.

The Lazarus hackers, acting for impoverished North Korea, have been more brazen in their pursuit of financial gain than others, and have been blamed for the theft of $81 million from the Bangladesh central bank, according to some cyber security firms. The United States accused it of being behind a cyber attack on Sony Pictures in 2014.

An official at South Korea’s Korea Internet & Security Agency said on Tuesday the agency was sharing information with intelligence officials on recent cases reported for damages but was not in position to investigate the source of the attack.

The official declined to comment on intelligence-related matters.

A South Korean police official that handles investigations into hacking and cyber breaches said he was aware of reports on the North Korean link, but said police were not investigating yet.

Victims haven’t requested investigations but they want their systems to be restored, the official said.

North Korea has denied being behind the Sony and banking attacks. North Korean officials were not immediately available for comment and its state media has been quiet about the matter.

Hauri researcher Choi said the code bore similarities with those allegedly used by North Korean hackers in the Sony and bank heists. He said based on his conversations with North Korean hackers, the reclusive state had been developing and testing ransomware programs since August.

In one case, alleged hackers from North Korea demanded bitcoin in exchange for client information they had stolen from a South Korean shopping mall, Choi added.

The North Korean mission to the United Nations was not immediately available for comment on Monday.

While the attacks have raised concerns for cyber authorities and end-users worldwide, they have helped cybersecurity stocks as investors bet governments and corporations will spend more to upgrade their defenses.

Cisco Systems <CSCO.O> closed up 2.3 percent on Monday and was the second-biggest gainer in the Dow Jones Industrial Average.

(Additional reporting by Jess Macy Yu in Taipei, My Pham in Hanoi, Michael Martina in Beijing and Liz Lee in Kuala Lumpur; Writing by Jeremy Wagstaff in Singapore; Editing by Sam Holmes, Michael Perry and Mike Collett-White)