- Major German manufacturer still down a week after getting hit by ransomware - ZDNet
- New Computer App To Help Fight HLB Disease - California Ag Today
- Outbreak of rat-borne disease leptospirosis in Royal Canal - The Irish Times
- Vulnerability in iTunes and iCloud allowed Windows PC ransomware infection - 9to5Mac
Major German manufacturer still down a week after getting hit by ransomware - ZDNet
Posted: 21 Oct 2019 12:15 PM PDT

Pilz, one of the world's largest producers of automation tools, has been down for more than a week after suffering a ransomware infection.

"Since Sunday, October 13, 2019, all servers and PC workstations, including the company's communication, have been affected worldwide," the Germany-based company wrote on its website. "As a precaution, the company has removed all computer systems from the network and blocked access to the corporate network."

All the company's locations across 76 countries were impacted and were disconnected from the main network, unable to file orders and check customer statuses. It took Pilz staff three days to regain access to its email service, and another three days to restore email service for its international locations. Access to the product orders and delivery system was restored only today. Production capabilities weren't impacted but, with staff unable to check orders, production has been hampered and is running at slower rates.

Blame BitPaymer

The German company -- known for its automation relays, controllers, and sensors -- is the latest in a long line of BitPaymer victims, Maarten van Dantzig, Lead Intelligence Analyst at Fox-IT, told ZDNet today. Van Dantzig was able to tie the Pilz infection to BitPaymer after he found and analyzed a BitPaymer sample uploaded on VirusTotal. The sample contained a ransom note with Pilz-related contact details, customized for the company's network.

BitPaymer is a ransomware strain that appeared in the summer of 2017 and has been tied to several high-profile incidents at Scottish hospitals, the PGA, two Alaskan towns (Matanuska-Susitna and Valdez), Arizona Beverages, in attacks leveraging an iTunes zero-day, and, most recently, at French TV station M6.

But BitPaymer is not your regular ransomware strain. BitPaymer's authors engage in what's called "big game hunting," a term coined by CrowdStrike that describes the act of going only after high-value targets in the hopes of extracting a large ransom payment, instead of extorting home consumers for meager profits.

BitPaymer's Dridex partnership

During the past two years, BitPaymer has been distributed exclusively via the Dridex botnet, van Dantzig told ZDNet. An ESET report from January 2018 claimed the ransomware was the work of the Dridex authors themselves.

Currently, most experts believe the Dridex gang spends its time sending email spam that infects users with the Dridex trojan, compiles a list of victims, and then deploys BitPaymer on the networks of large companies, in the hopes of extracting huge ransoms after encrypting their files. Historically, this tactic has been pretty lucrative, and BitPaymer has been tied to ransomware demands going as high as $1 million, van Dantzig told ZDNet today in a phone call.

This cybercrime model of botnet-ransomware partnership is extremely popular these days. A similar "working relationship" also exists between the operators of the Emotet and TrickBot botnets and the Ryuk ransomware gang.

A surge in activity since April this year

You can easily see BitPaymer's modus operandi in the chart below, consisting of submissions to ID-Ransomware, an online service sponsored by the MalwareHunterTeam and Emsisoft where ransomware victims can upload samples and detect the type of ransomware they've been infected with.

[Chart: BitPaymer submissions to ID-Ransomware in the last 12 months. Source: ID-Ransomware (supplied)]

Most ID-Ransomware activity charts are smooth, as there are daily submissions from victims who get infected after opening emails or installing ransomware-infected files. However, for BitPaymer, this is different. The spikes show occasional infections as the ransomware is deployed on a handful of carefully selected targets, rather than spammed out in every direction. This pattern is specific to "big-game hunting" ransomware operations.

Van Dantzig says companies must understand that once they recover from a BitPaymer infection, their job is not done. System administrators must also remove the Dridex trojan from infected hosts, otherwise they'll be reinfected. In fact, van Dantzig has seen this happen in the past.

Pilz was not immediately available for comment at the time of publishing.

New Computer App To Help Fight HLB Disease - California Ag Today
Posted: 21 Oct 2019 09:51 AM PDT

October 21, 2019
By Patrick Cavanaugh, Editor

A computer app is now available to anyone curious about how close an HLB-infected tree was found to his or her home.

The fight to reduce the incidence of Southern California trees infected with the fatal Huanglongbing disease takes many different strategies, particularly in Orange and LA Counties, where the disease continues to spread in trees in the yards of residents.

UC scientists and others in the citrus industry are suggesting that homeowners remove citrus trees in their yards and replace them with non-citrus trees.

"One of the things we're suggesting that homeowners do is if they're near where a tree has been removed because it's been declared positive, that, the homeowner consider removing their citrus trees proactively implanting non citrus," said Beth Grafton-Cardwell, a UCANR Entomologist based at the Lindcove Research and Extension Center.

And if homeowners want to know how close a positive has been found to their home, they can now find out. The information can be found by going to ucanr.edu/hlbapp. By zooming in, the site gives recommendations as to whether a homeowner should replace a tree or not. It's not a downloadable app for a smartphone, but the web address can be accessed on the phone and bookmarked.

"The point of this is because we can't tell in an early infection which trees are infected," said Grafton-Cardwell. "If a homeowner is near a known infected tree, there is a good chance that your trees are already infected and we just can't tell yet."

"So you help your neighbors and the industry by just taking those trees out and then you don't have to have CDFA knocking on your door to spray pesticides or to ask to test your tree, if you just get the tree out," she said.

Already more than 1,600 citrus trees in Southern California have tested positive for HLB disease, and those trees have been removed.

Outbreak of rat-borne disease leptospirosis in Royal Canal - The Irish Times
Posted: 18 Oct 2019 01:21 PM PDT

Waterways Ireland has warned the public to stay out of the Royal Canal in north Dublin following an outbreak of the rat-borne infection leptospirosis, which can be fatal.

The bacterial infection, which can cause Weil's disease, can be carried by domestic and wild animals, but in Ireland it is most commonly caught from rats, through direct contact with the rodents or their urine.

In mild cases patients can suffer from flu-like symptoms, such as headache, chills and muscle pain. However, severe cases can result in organ failure and internal bleeding, which can be "life-threatening", the Health Service Executive (HSE) says.

The HSE notified Waterways Ireland of "a number of cases" of leptospirosis following exposure to the water in the Dublin section of the Royal Canal.

"Individuals are instructed not to engage in swimming, diving or immersive activity such as deliberate capsizing in the Royal Canal in north Dublin, pending further advisory," Waterways Ireland said.

Water-based activities

Companies involved in water-based activities on the canal have also been asked to ensure their clients do not enter the water. The notice applies to the area of the canal between Clonsilla and Spencer Dock.

"Persons with symptoms (a flu-like illness) within a three-week period after engaging in a water-based activity should seek medical attention immediately, mentioning any watercourse exposure," Waterways Ireland said.

While most animals which have contracted leptospirosis have no symptoms, up to one in 10 infected dogs die from the disease. Dog owners are advised to rinse their animals in clean water to reduce the risk of infection if they have been swimming in the canal.

Leptospirosis is most common in tropical areas of the world. However, it is becoming increasingly widespread in urban areas that have low levels of sanitation. It is rare in Ireland, with fewer than 20 cases reported most years. Transmission through sex is possible, but very rare, according to the HSE.

Vulnerability in iTunes and iCloud allowed Windows PC ransomware infection - 9to5Mac
Posted: 11 Oct 2019 12:00 AM PDT

A zero-day vulnerability in iTunes and iCloud apps on Windows PCs enabled attackers to install ransomware without triggering antivirus protections.

Ransomware encrypts the entire hard drive or SSD with a key known only to the attacker, enabling them to demand a ransom to decrypt the machine…

ArsTechnica reports that the exploit was discovered by security company Morphisec.

Essentially, a bug in Apple's apps meant that an attacker could get them to run a malicious app, while antivirus software wouldn't check what was happening because it was apparently being done by signed Apple apps and therefore automatically flagged as OK.

Apple has patched the vulnerability in iTunes 12.10.1 for Windows and iCloud for Windows 7.14, so PC users should check they have both updates installed. Additionally, if you've ever run iTunes on your PC, even if you later removed it, you could still be at risk.

Macs are not affected, no matter which version of macOS you are running. Additionally, macOS Catalina replaces iTunes with a brand new Music app.

Morphisec says the vulnerability was being actively exploited to install ransomware called BitPaymer. It reported the issue to Apple and has disclosed details only now that the company has released updates to close the security hole.





