Tuesday, December 13, 2022

Effective, fast, and unrecoverable: Wiper Malware is popping up everywhere

 


A brief history of wipers

The documentation of Azov, Fantasy, and Sandals comes days after researchers at security firm Kaspersky detailed CryWiper, a never-before-seen wiper that attacked courts and mayoral offices in Russia.

The wiper discoveries come as this form of destructive malware has grown increasingly common over the past decade. In 2012, a wiper known as Shamoon wreaked havoc on Saudi Arabia's Saudi Aramco and Qatar's RasGas. Four years later, a new variant of Shamoon returned and struck multiple organizations in Saudi Arabia.

In 2017, self-replicating malware Russia initially unleashed on Ukraine spread across the globe in a matter of hours. Known as NotPetya, the wiper caused an estimated $10 billion in damage, making it the most costly cyberattack in history. In the past year, a flurry of new wipers has appeared. They include DoubleZero, IsaacWiper, HermeticWiper, CaddyWiper, WhisperGate, AcidRain, Industroyer2, and RuRansom.

arstechnica.com

Effective, fast, and unrecoverable: Wiper malware is popping up everywhere

by Dan Goodin - Dec 12, 2022 11:44 pm UTC

Wiper malware from no fewer than 9 families has appeared this year. Now there are 2 more.


"Over the past year, a flurry of destructive wiper malware from no fewer than nine families has appeared. In the past week, researchers cataloged at least two more, both exhibiting advanced codebases designed to inflict maximum damage.

On Monday, researchers from Check Point Research published details of Azov, a previously unseen piece of malware that the company described as an “effective, fast, and unfortunately unrecoverable data wiper.” Files are wiped in blocks of 666 bytes by overwriting them with random data, leaving an identically sized block intact, and so on. The malware uses the uninitialized local variable char buffer[666].

Script kiddies need not apply

After permanently destroying data on infected machines, Azov displays a note written in the style of a ransomware announcement. The note echoes Kremlin talking points regarding Russia’s war on Ukraine, including the threat of nuclear strikes. The note from one of two samples Check Point recovered falsely attributes the words to a well-known malware analyst from Poland.


Despite the initial appearance of an undertaking by juvenile developers, Azov is by no means unsophisticated. It’s a computer virus in the original definition, meaning it modifies files—in this case, adding polymorphic code to backdoor 64-bit executables—which attack the infected system. It’s also entirely written in assembly, a low-level language that’s extremely painstaking to use but also makes the malware more effective in the backdooring process. Besides the polymorphic code, Azov uses other techniques to make detection and analysis by researchers harder.

“Although the Azov sample was considered skidsware when first encountered (likely because of the strangely formed ransom note), when probed further one finds very advanced techniques—manually crafted assembly, injecting payloads into executables in order to backdoor them, and several anti-analysis tricks usually reserved for security textbooks or high-profile brand-name cybercrime tools,” Check Point researcher Jiri Vinopal wrote. “Azov ransomware certainly ought to give the typical reverse engineer a harder time than the average malware.”

A logic bomb built into the code causes Azov to detonate at a predetermined time. Once triggered, the logic bomb iterates over all file directories and executes the wiping routine on each one, except for specific hard-coded system paths and file extensions. As of last month, more than 17,000 backdoored executables had been submitted to VirusTotal, indicating that the malware has spread widely.

Last Wednesday, researchers from security firm ESET disclosed another previously unseen wiper they called Fantasy, along with a lateral movement and execution tool named Sandals. The malware was spread using a supply-chain attack that abused the infrastructure of an Israeli firm that develops software for use in the diamond industry. Over a 150-minute period, Fantasy and Sandals spread to the software maker’s customers engaged in human resources, IT support services, and diamond wholesaling. The targets were located in South Africa, Israel, and Hong Kong.

Fantasy heavily borrows code from Apostle, malware that initially masqueraded as ransomware before revealing itself as a wiper. Apostle has been linked to Agrius, an Iranian threat actor operating out of the Middle East. The code reuse led ESET to attribute Fantasy and Sandals to the same group.

Dan Goodin / Dan is the Security Editor at Ars Technica, which he joined in 2012 after working for The Register, the Associated Press, Bloomberg News, and other publications. Find him on Mastodon at: https://infosec.exchange/@dangoodin 
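
For incident triage, the alternating 666-byte layout the article describes for Azov can be checked by comparing a damaged file with a known-good backup. The following is an added example, not code from the article or from Check Point; the function names and the in-memory sample are constructed for illustration, and it assumes a same-size backup copy is available.

```python
from __future__ import annotations

BLOCK = 666  # block size the article reports for Azov


def block_states(damaged: bytes, backup: bytes, block: int = BLOCK) -> list[bool]:
    """One flag per block: True when the block no longer matches the backup."""
    if len(damaged) != len(backup):
        raise ValueError("size mismatch: truncated or extended, not overwritten in place")
    return [damaged[off:off + block] != backup[off:off + block]
            for off in range(0, len(backup), block)]


def classify(states: list[bool]) -> str:
    """'clean', 'alternating' (every other block changed) or 'other'."""
    if not any(states):
        return "clean"
    if len(states) < 2:
        return "other"  # a single block cannot show a pattern
    even, odd = states[0::2], states[1::2]
    # Accept either phase: the analyst should not assume which block came first.
    if (all(even) and not any(odd)) or (all(odd) and not any(even)):
        return "alternating"
    return "other"


def intact_ranges(states: list[bool], size: int, block: int = BLOCK) -> list[tuple[int, int]]:
    """Byte ranges [start, end) still identical to the backup, merged when adjacent."""
    ranges: list[tuple[int, int]] = []
    for i, changed in enumerate(states):
        if changed:
            continue
        start, end = i * block, min((i + 1) * block, size)
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)
        else:
            ranges.append((start, end))
    return ranges


def constructed_sample(n_blocks: int = 6, tail: int = 100) -> tuple[bytes, bytes]:
    """Constructed in-memory test data (backup, damaged); no real sample involved."""
    backup = bytes((i * 31 + 7) % 251 for i in range(n_blocks * BLOCK + tail))
    damaged = bytearray(backup)
    for off in range(0, len(backup), 2 * BLOCK):
        # Stand-in for the random overwrite: inverted bytes always differ.
        damaged[off:off + BLOCK] = bytes(b ^ 0xFF for b in backup[off:off + BLOCK])
    return backup, bytes(damaged)


if __name__ == "__main__":
    backup, damaged = constructed_sample()
    states = block_states(damaged, backup)
    kept = intact_ranges(states, len(backup))
    print(classify(states), f"{sum(e - s for s, e in kept)}/{len(backup)} bytes intact")
    for start, end in kept:
        print(f"  intact: {start}-{end}")
```

With real random overwrites, a very short final block can match the backup by chance, so a result of "other" on a small file still deserves a manual look.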


LATEST CORONAVIRUS ILLUSTRATED DATA INFORMATION

Health officials and experts are renewing calls for masking as respiratory illnesses surge and Americans prepare for holidays.

ACTION>  The CDC recommends that all people over the age of 2 wear a high-quality mask in public, indoor settings when community levels are high, and vulnerable people should also mask when levels are medium. Additionally, the CDC still recommends that people mask while using public transportation, including airplanes, buses, trains, and subway systems.

 


arstechnica.com

Officials, experts call for masking as illnesses slam US ahead of holidays

by Beth Mole - Dec 12, 2022 11:24 pm UTC

Nearly 10% of US counties have "high" transmission levels and should be masking.

FINDING: COVID-19 cases and hospitalizations, meanwhile, are on the rise, signaling the potential start of a much-dreaded winter wave. According to data tracking by The New York Times, cases are up 56 percent over the last two weeks and hospitalizations, which typically lag behind case rises, are up 28 percent. The Centers for Disease Control and Prevention is reporting that about 9 percent of US counties have high COVID-19 Community Levels, which are based on case numbers and hospital capacity. An additional 35 percent of US counties reportedly have medium community levels.

✓ Last week, CDC Director Rochelle Walensky noted that Americans also don't need to wait for health officials to recommend or even require masking to protect themselves. "One need not wait for CDC action in order to put a mask on," she said. She also said that the agency is "actively looking into" including transmission rates of all respiratory illnesses—not just COVID-19—into its community levels categories, which determine when people should mask. If the agency made such a change soon, it could mean that masking recommendations could abruptly go into effect for the vast majority of the US.

Beth Mole / Beth is Ars Technica’s health reporter. She’s interested in biomedical research, infectious disease, health policy and law, and has a Ph.D. in microbiology.

RELATED to 

www.nytimes.com

Covid in the U.S.: Latest Maps, Case and Death Counts


The Times recently began using C.D.C. data based on death certificates for locations that do not report deaths regularly or comprehensively. The federal data updates approximately once a month, which may appear as a spike in deaths.


Monday, December 12, 2022

** Fears Grow Over Plan to Distribute Billions in Broadband Dollars **

 NOTE: "...Jack Lynch, chief operating officer for EducationSuperHighway, said in an interview that the FCC is not checking to see if every unit in an apartment building has adequate broadband service. Instead, he said, it considers an entire building served if service is adequate in one location, which Lynch said could miss people who have poor service and underestimate how many people in a state do not have high-speed connections.

✓ As a result, the map may not illuminate “digital redlining,” in which broadband companies have failed to create strong service in poorer areas, EducationSuperHighway’s director of government affairs and policy, Scott Quinn, said at a conference last week organized by NewDeal, a group of progressive state and local officials. 



 

“Low-income and public housing buildings may have wiring that goes to the leasing office or to the common area, or a convenience store on the first floor,” he said. “But that doesn't mean that the units in that building actually have that same speed.”

www.route-fifty.com

Fears Grow Over Plan to Distribute Billions in Broadband Dollars

By Kery Murakami, Senior Reporter

State and local officials are raising alarm about what they say are major flaws with a federal map that will guide where the infrastructure money is sent. They want the Biden administration to extend a timeline for flagging the problems.

"In several states around the country, officials say they are finding major problems with a crucial, new federal map meant to show the adequacy of internet service at the household level. 

The Federal Communications Commission map, released last month, is critical in determining how the Biden administration will distribute billions of dollars in federal broadband funding from last year’s infrastructure law around the country. But state and local officials say they’re seeing discrepancies that have them concerned the money will not go to the places where it’s most needed to give Americans improved access to high-speed internet.

With a deadline looming in just over a month for states to find inaccuracies in the map that could affect how much of the money they’ll get, some heads of state broadband offices and local officials are saying the federal government should offer more time to find and report problems.

Each state in the nation is guaranteed to receive at least $100 million from the $42.5 billion Broadband Equity, Access, and Deployment program in the Infrastructure Investment and Jobs Act to build or improve broadband networks in areas that lack service.

The concern among state and local officials is that the National Telecommunications and Information Administration will use the FCC’s map to decide by June 30 how to spread around the rest of the money, which is the bulk of what’s available. The agency will determine how much each state will get based on the extent to which they have poor internet access.


 

State and local officials acknowledge that the latest map more accurately shows what parts of the country have, or do not have, adequate service compared to a previous version. But still, state broadband directors and others see significant flaws.

In Vermont, for instance, Robert Fish, deputy director of the state’s broadband office, said in an interview that nearly 22%, or nearly a fourth of the locations in the state, aren’t even on a draft of the FCC’s map, meaning they would not be counted if they have poor service. 

Another 11% of locations in the state on the FCC map do not have recognizable addresses, he said.

“We're very concerned,” Fish said. “The way the map is set up right now, and the way the program is set up right now in terms of allocations, runs the risk of leaving Vermont residents behind. And it's not just Vermont residents, it’s residents everywhere.”

“There needs to be more time to get this right,” Fish added. “This is a generational opportunity.”

In Washington state, broadband director Mark Vasconi said he’s still working with cities and counties to figure out how accurate the FCC map is. But already, he said, researchers he is working with have found a major problem that makes him question the map’s accuracy.

Sixty percent of residences and businesses in one town on tribal land do not appear on the FCC’s map. And since the locations are likely to not have adequate service, not including them could underestimate how much money the state needs.

An FCC spokeswoman told Route Fifty that the agency is committed to fixing as many inaccuracies “as possible” before NTIA decides how much each state will get. 

But to do that, the spokeswoman said the FCC and the NTIA are encouraging states and territories to raise problems with the map “as soon as possible and no later than January 13, 2023 to give them the best opportunity for those challenges to be included in the version of the map that NTIA will use for its allocations.”

NTIA spokesman Charles Meisch stressed the Jan. 13 date isn’t a hard deadline. But he also said that in order to fix any problems before NTIA decides how to spread the money around, it would be best to report any inaccuracies by the date, just a little over a month away.

While Vermont has already filed a challenge with the FCC to fix the problems it has found, Fish said the magnitude of how wrong the map is in his state has him concerned about whether other states and localities will have enough time to find all the inaccuracies that exist within the next month, particularly with the holidays approaching.

Washington’s Vasconi said he doesn’t want to “throw rocks” at the FCC. 

“This map is, I think, a really honest attempt to increase the accuracy,” he said. But because of the discrepancies he’s seen, including the missing homes and businesses on tribal land, “we don't know how incorrect it is, right?”

“I think it's pretty clear from some of our initial examinations, it's pretty wrong,” Vasconi added.

Fish said NTIA should send states the minimum $100 million they are guaranteed. But the rest of the money should not be divvied up until it’s clear the problems with the map are fixed. 

Vasconi agreed, saying that with more time to identify shortcomings, the map will become more accurate. “If you get the map wrong, and you use this version of the map, you're gonna be basing funding decisions and funding allocations on what is the least accurate of these maps because the maps will subsequently be getting better,” he said. “Slow it down to get it right.”

While the broadband dollars will go to states to decide how to distribute, county and city officials are also concerned about the tight timeline. State broadband offices are relying on local governments to help identify problems with the map. But if they’re unable to flag potential inaccuracies in the next month, it could affect how much their states get and pass on to them. 

Palm Beach County, Florida Commissioner Gregg Weiss, a member of the National Association of Counties’ Broadband Task Force, said the group has discussed asking the FCC to push back the deadline, and could decide to make the request at a meeting next week.

“There is concern over how much time we have and that’s especially true with our more rural counties that have even less resources, and the ability to be able to review the data and respond effectively and accordingly,” Weiss said.

Gerard Lederer, a broadband consultant who works with the National League of Cities and other local governments, stressed that local officials, particularly in cities, are grateful to the Biden administration for providing the funding. But he said they are also worried about the timeline. “I think a lot of local government officials would like there to be more time, given state broadband offices are saying that they don't have enough time,” he said.

Sen. Shelley Moore Capito, a West Virginia Republican and a co-founder of the Senate Broadband Caucus, has also raised doubts about the map.

“After careful review, I have some concerns about how these maps represent West Virginia’s coverage,” she said in a video shared on social media, urging people in her state to check the quality of broadband service the FCC says they have and file their own challenge if it’s wrong.

Criticism of the maps extends beyond just what street addresses and geographic areas are and aren’t served. . .


“Low-income and public housing buildings may have wiring that goes to the leasing office or to the common area, or a convenience store on the first floor,” he said. “But that doesn't mean that the units in that building actually have that same speed.”

“What we're seeing is that a lot of these buildings in high poverty areas are being marked as served and we know for a fact that they're not,” Quinn added. 

A national nonprofit, which advocates for increasing broadband access, EducationSuperHighway founded the No Home Left Offline Coalition, whose members include the National League of Cities, the National Association of Counties and African American Mayors Association.


In addition, Vermont’s Fish complained that the map judges whether or not a home or a business has adequate service based on what broadband companies advertise as the available speed in an area. In addition, under the FCC’s procedure, the burden is on those filing a challenge to prove their internet speeds are not adequate, he said.

Fish called it a “half-baked” approach to assessing service.

For example, he said the map shows some rural parts of Vermont have adequate broadband because companies advertise high enough speeds through wireless service. But that may not be what customers actually experience in those areas due to terrain and other factors.


“If you cut down all the trees and maybe blow the top off the mountain,” broadband speeds could be as advertised, Fish said. “It's just not grounded in reality,” he added. “It's grounded in the advertising of these companies that have a big motive to show that they have coverage.”

 

Courtesy Post: CDC says that Maricopa County is in the high category for COVID transmission

  If you are sick with a respiratory illness, stay home and away from others, especially if you cannot wear a mask around others to decrease the spread of illness.


 


Administrative Offices
4041 N Central Ave, #1400 • Phoenix, Arizona 85012
Phone: (602) 506-6900 • Fax: (602) 506-6885


PHOENIX (December 9, 2022)— According to Maricopa County Department of Public Health (MCDPH), cases of COVID-19, influenza (flu), and respiratory syncytial virus (RSV) are all higher than usual for this time of year, and COVID-19 and flu cases are still increasing. MCDPH is encouraging everyone ages six months and older to get vaccinated against COVID and flu to prevent additional cases as people gather this holiday season.

“Respiratory viruses can cause severe disease, especially in infants, young children, and older adults,” said Dr. Nick Staab, medical epidemiologist at MCDPH. “It is concerning to see so many cases before many holiday gatherings and travel have even happened. We are already seeing a strain on our healthcare systems.”

✓ Influenza cases are now “widespread” in Maricopa County, which is the highest category of flu spread. 

✓✓ The CDC says that Maricopa County is in the high category for COVID transmission. At this level of transmission, the CDC recommends wearing a mask indoors in public, which includes during travel and in other public settings.

✓✓✓ RSV cases are more than two times higher than during the average peak.

Residents are encouraged to get vaccinated and to recognize the signs of respiratory illnesses. There is no vaccine for RSV, but flu and COVID-19 vaccines are effective at preventing many infections and reducing the severity of breakthrough infections. 

> People with symptoms should stay home and away from others unless they’re seeking healthcare. If going out is necessary, they should wear a mask around others. Getting tested by a medical provider can confirm which virus a person has and determine treatment options.

Symptoms of COVID-19, flu, and RSV can include:

  • Runny or stuffy nose
  • Coughing/sore throat
  • Fever
  • Muscle or body aches
  • Fatigue
  • Headaches

In children under age one, symptoms of RSV can also include irritability, decreased appetite, decreased activity, and pauses while breathing (apnea).

“Staying up-to-date on flu and COVID-19 vaccines is a simple way to prevent infections, reduce the spread of respiratory illness and prevent severe disease,” said Dr. Staab. “You can get them on the same day at many places, and there’s still time to get vaccinated before the holidays.” It’s best to get vaccinated at least two weeks ahead of gatherings or travel so the body has time to build up protection.

> Protection from vaccines is enhanced by also using other prevention tactics. These include proper and frequent hand-washing; wearing a mask in crowded indoor areas; and avoiding touching your eyes, nose and mouth with unwashed hands. If you are sick with a respiratory illness, stay home and away from others, especially if you cannot wear a mask around others to decrease the spread of illness.

For more information:

###
