APT Defense No.1 Leader

Network & Endpoint Security Professional Company

News & Notice
Cyberattack (Petya Ransomware) Hits Ukraine Then Spreads Internationally, Similar to WannaCry
▲ Several companies have been affected by the Petya cyberattack, including, from left, Rosneft, the Russian energy giant; Merck, a pharmaceutical company; and Maersk, a shipping company. Left, Sergei Karpukhin/Reuters; center, Matt Rourke/Associated Press; right, Enrique Castro Sanchez/Agence France-Presse — Getty Images

Computer systems from Ukraine to the United States were struck on Tuesday in an international cyberattack that was similar to a recent assault that crippled tens of thousands of machines worldwide. In Kiev, the capital of Ukraine, A.T.M.s stopped working. About 80 miles away, workers were forced to manually monitor radiation at the old Chernobyl nuclear plant when their computers failed. And tech managers at companies around the world, from Maersk, the Danish shipping conglomerate, to Merck, the drug giant in the United States, were scrambling to respond.

It was unclear who was behind this cyberattack, and the extent of its impact was still hard to gauge Tuesday. It started as an attack on Ukrainian government and business computer systems — an assault that appeared to have been intended to hit the day before a holiday marking the adoption in 1996 of Ukraine’s first Constitution after its break from the Soviet Union. The attack spread from there, causing collateral damage around the world.

The outbreak was the latest and perhaps the most sophisticated in a series of attacks making use of dozens of hacking tools that were stolen from the National Security Agency and leaked online in April by a group called the Shadow Brokers. Like the WannaCry attacks in May, the latest global hacking took control of computers and demanded digital ransom from their owners to regain access. The new attack used the same National Security Agency hacking tool, Eternal Blue, that was used in the WannaCry episode, as well as two other methods to promote its spread, according to researchers at the computer security company Symantec.
The National Security Agency has not acknowledged its tools were used in WannaCry or other attacks. But computer security specialists are demanding that the agency help the rest of the world defend against the weapons it created. “The N.S.A. needs to take a leadership role in working closely with security and operating system platform vendors such as Apple and Microsoft to address the plague that they’ve unleashed,” said Golan Ben-Oni, the global chief information officer at IDT, a Newark-based conglomerate hit by a separate attack in April that used the agency’s hacking tools. Mr. Ben-Oni warned federal officials that more serious attacks were probably on the horizon. The vulnerability in Windows software used by Eternal Blue was patched by Microsoft in March, but as the WannaCry attacks demonstrated, hundreds of thousands of groups around the world failed to properly install the fix. “Just because you roll out a patch doesn’t mean it’ll be put in place quickly,” said Carl Herberger, vice president for security at Radware. “The more bureaucratic an organization is, the higher chance it won’t have updated its software.” Because the ransomware used at least two other ways to spread on Tuesday, even those who used the Microsoft patch could be vulnerable, according to researchers at F-Secure, a Finnish cybersecurity firm. A Microsoft spokesman said the company’s latest antivirus software should protect against the attack. The Ukrainian government said several of its ministries, local banks and metro systems had been affected. A number of other European companies, including Rosneft, the Russian energy giant; Saint-Gobain, the French construction materials company; and WPP, the British advertising agency, also said they had been targeted. Ukrainian officials pointed a finger at Russia on Tuesday, although Russian companies were also affected. 
Home Credit bank, one of Russia’s top 50 lenders, was paralyzed, with all of its offices closed, according to the RBC news website. The attack also affected Evraz, a steel manufacturing and mining company that employs about 80,000 people, the RBC website reported. In the United States, the multinational law firm DLA Piper also reported being hit. Hospitals in Pennsylvania were being forced to cancel operations after the attack hit computers at Heritage Valley Health Systems, a Pennsylvania health care provider, and its hospitals in Beaver and Sewickley, Penn., and satellite locations across the state. A National Security Agency spokesman referred questions about the attack to the Department of Homeland Security. “The Department of Homeland Security is monitoring reports of cyberattacks affecting multiple global entities and is coordinating with our international and domestic cyber partners,” Scott McConnell, a department spokesman, said in a statement. Computer specialists said the ransomware was very similar to a virus that emerged last year called Petya. Petya means “Little Peter,” in Russian, leading some to speculate the name referred to Sergei Prokofiev’s 1936 symphony “Peter and the Wolf,” about a boy who captures a wolf. Reports that the computer virus was a variant of Petya suggest the attackers will be hard to trace. Petya was for sale on the so-called dark web, where its creators made the ransomware available as “ransomware as a service” — a play on Silicon Valley terminology for delivering software over the internet, according to the security firm Avast Threat Labs. That means anyone could launch the ransomware with the click of a button, encrypt someone’s systems and demand a ransom to unlock it. If the victim pays, the authors of the Petya ransomware, who call themselves Janus Cybercrime Solutions, get a cut of the payment. That distribution method means that pinning down the people responsible for Tuesday’s attack could be difficult. 
The attack is “an improved and more lethal version of WannaCry,” said Matthieu Suiche, a security researcher who helped contain the spread of the WannaCry ransomware when he created a kill switch that stopped the attacks. In just the last seven days, Mr. Suiche noted, WannaCry had tried to hit an additional 80,000 organizations but was prevented from executing attack code because of the kill switch. Petya does not have a kill switch.

▲ A screenshot of what appeared to be the ransomware affecting systems worldwide on Tuesday. The Ukrainian government posted the shot to its official Facebook page.

Petya also encrypts and locks entire hard drives, whereas the earlier ransomware attacks locked only individual files, said Chris Hinkley, a researcher at the security firm Armor. The hackers behind Petya demanded $300 worth of the cybercurrency Bitcoin to unlock victims’ machines. By Tuesday afternoon, online records showed that 30 victims had paid the ransom, although it was not clear whether they had regained access to their files. Other victims may be out of luck, after Posteo, the German email service provider, shut down the hackers’ email account. In Ukraine, people turned up at post offices, A.T.M.s and airports to find blank computer screens, or signs about closures. At Kiev’s central post office, a few bewildered customers milled about, holding parcels and letters, looking at a sign that said, “Closed for technical reasons.” The hackers compromised Ukrainian accounting software mandated to be used in various industries in the country, including government agencies and banks, according to researchers at Cisco Talos, the security division of the computer networking company. That allowed them to unleash their ransomware when the software, which is also used in other countries, was updated. The ransomware spread for five days across Ukraine, and around the world, before activating Tuesday evening.
“If I had to guess, I would think this was done to send a political message,” said Craig Williams, the senior technical researcher at Talos. One Kiev resident, Tetiana Vasylieva, was forced to borrow money from a relative after failing to withdraw money at four automated teller machines. At one A.T.M. in Kiev belonging to the Ukrainian branch of the Austrian bank Raiffeisen, a message on the screen said the machine was not functioning. Ukraine’s Infrastructure Ministry, the postal service, the national railway company, and one of the country’s largest communications companies, Ukrtelecom, had been affected, Volodymyr Omelyan, the country’s infrastructure minister, said in a Facebook post. Officials for the metro system in Kiev said card payments could not be accepted. The national power grid company Kievenergo had to switch off all of its computers, but the situation was under control, according to the Interfax-Ukraine news agency. Metro Group, a German company that runs wholesale food stores, said its operations in Ukraine had been affected. At the Chernobyl plant, the computers affected by the attack collected data on radiation levels and were not connected to industrial systems at the site, where, although all reactors have been decommissioned, huge volumes of radioactive waste remain. Operators said radiation monitoring was being done manually. Cybersecurity researchers questioned whether collecting ransom was the true objective of the attack. “It’s entirely possible that this attack could have been a smoke screen,” said Justin Harvey, the chief security officer for the Fidelis cybersecurity company. 
“If you are an evildoer and you wanted to cause mayhem, why wouldn’t you try to first mask it as something else?” Nicolas Duvinage, head of the French military’s digital crime unit, told Agence France-Presse the attack was “a bit like a flu epidemic in winter”, adding: “We will get many of these viral attack waves in coming months.” The growing fight against cyber-attacks has seen protection spending surge around the world, with the global cyber security market estimated to be worth some £94bn ($120bn) this year – more than 30 times its size just over a decade ago. [By NICOLE PERLROTH, MARK SCOTT and SHEERA FRENKEL of The New York Times  |  JUNE 27, 2017]
2017.06.28
NPCore participated in the '2017 Cybersecurity Business Partnership Day' to enter the US market.
▲ NPCore CEO Han, Seung-Chul, who participated in the '2017 Cybersecurity Business Partnership Day', introducing products.

Nine domestic information security companies participated in the '2017 Cybersecurity Business Partnership Day' held in Washington, D.C., US from June 7 to 8. The conference was hosted by the MSIFP (Ministry of Science, ICT and Future Planning), KISIA and KOTRA to help domestic information security companies enter the US market. Nine domestic information security companies and more than 30 promising US buyers participated in this conference and held 1:1 business meetings and networking between companies. The domestic companies that participated in the conference were ▲ KIWONTECH (email security), ▲ NAONWORKS (convergence security solution), ▲ Nable Communications (communication security), ▲ SECUVE (system security and biometric authentication), ▲ NPCore (endpoint security), ▲ EYL (quantum pulse generator), ▲ KTB Solution (security authentication system), ▲ Fasoo.com (data and application security), ▲ HancomSecure (integrated password key management). At the 'Information Security Forum', which was held as an additional event, speakers including one from the Federal Audit Office introduced US information security trends. The US information security market is the largest in the world, taking about 40% of the global market. The federal government is actively investing and purchasing. The US is one of the areas with the highest occurrence of cybercrime in the world, and the WannaCry Ransomware attack, the hottest issue worldwide, is still scaring the US, so continuous growth in demand for information security is expected. KISIA and KOTRA have been supporting domestic information security companies' entry into the US market under an MOU signed with the ISA (Security Industry Association) of the US in 2015 during the dispatch of a US economic delegation.
Last year, following the Korea-US ICT Policy Forum, they held a 'US Business Partnership' in which 15 domestic information security companies participated. KISIA's president Hong, Gi-yung said, "This conference will be a chance to show our companies' original technology and strengthen their entry into the North American market, the world's largest information security market." KISIA and KOTRA will hold a '2017 UK Cybersecurity Business Partnership Day' in the UK at the end of June. Han Seung-Chul, CEO of NPCore, one of the participating Korean companies, said, "Among the US buyers I consulted, ELITE System, ICS and GINIA responded positively. US companies are generally considering positively the installation of data security products and technology convergence to prevent incidents like the 'WannaCry Ransomware' attack, which was a big issue last month. To enter the US market with a data security product, we need to prepare for this environment by reflecting the reality that we have to produce in the US or through OEMs, shift servers to the US and execute updates using the server in the US."
2017.06.19
'Erebus Ransomware' attacked a web hosting company and encrypted its files

After the files are decrypted, the Ransomware can still be executed.

▲ Screen of an Erebus Ransomware infection. Provided by Hauri.

Web hosting company 'Internet Nayana' was attacked by Erebus Ransomware on June 10th. 153 of the 300 Linux servers managed by this company, which host the websites of domestic enterprises, universities, organizations and others, were attacked, and the files of 5,000 sites were encrypted, so extensive damage is expected. The Ministry of Science, ICT and Future Planning explained on the 12th: "Unlike WannaCry Ransomware, Erebus Ransomware seems to target a specific company. Internet Nayana is currently recovering the servers and KISA is also supporting the necessary actions." Internet Nayana announced as follows on the 11th through a notice: "Internet Nayana has thoroughly implemented security and double backup, but a hacker attacked these servers' data via Ransomware. We first confirmed the Ransomware attack at 01:30 on June 10, 2017, and immediately reported it to KISA (Korea Internet & Security Agency) and the e-crime unit, so they are currently investigating. Erebus Ransomware targeted and attacked Linux servers, and 153 Linux servers were attacked. The hacker's initial demand for recovery was 10 bitcoin (28,845 USD) per Linux server. The hacker's final demand on the 11th was 5.4 bitcoin (15,476 USD) per Linux server by 23:59 on June 14th. We tried to recover with the backed-up data, but confirmed that the internal backup, including the original files, and the external backup had all been attacked and encrypted by the Ransomware. We are doing our best to protect our customers' interests by discussing with other companies that can take over the services originally managed by Internet Nayana: web hosting, server hosting, domains and consigned management. We are looking into ways to recover the data that the Ransomware encrypted, but it is difficult to recover it right now because the investigation is being conducted by the e-crime unit and KISA."
An official of KISA said, "It will take time to find the exact attack route because there are a lot of servers to analyze." "Erebus Ransomware runs with elevated privilege on the PC using a method that bypasses the UAC (User Account Control) security function via the Windows Event Viewer. By modifying the registry, the ransomware hijacks the association for the '.msc' extension and runs with the privilege of the Event Viewer, which is executed in elevated mode. In order to make it difficult to trace, the Ransomware downloads the 'anonymous (Tor) browser client' itself and uses it for network communication. It then encrypts key files covering 70 extensions on the user's PC. The Ransomware also changes the file extensions using the 'ROT-3' encryption method. When encryption is complete, it displays an alert window and the Ransomware infection note. It removes the 'Volume Shadow Copy' during the encryption process to delete the recovery point, so Windows cannot be restored. After the files are decrypted, the Ransomware can still remain and be executed, so you should also completely remove the Ransomware malware file." [Source : DAILYSECU journalist Gil, Min-Kwon | mkgil@dailysecu.com | Monday, June 12th, 2017]
2017.06.18
NPCore launched and demonstrated new products in MPIS 2017

▲ NPCore Deputy General Manager Kwon Kyung-Nam presenting on 'Countermeasures against the latest APT and ransomware attacks on medical institutions that threaten us'. MPIS 2017.

The Medical Center Privacy Information Security Conference (MPIS) 2017 was held successfully on May 18th at the Korean Federation of Science and Technology Hall with the participation of about 400 medical information security practitioners. At this conference, NPCore's director, Kwon, Kyung-Nam, presented on the theme 'Countermeasures against the latest APT and Ransomware attacks threatening medical centers'. He explained Ransomware attack trends and countermeasures using the WannaCry Ransomware case and demonstrated a new product at the booth exhibition.

▲ Kwon Kyung-Nam at the MPIS 2017 presentation

[Source : DAILYSECU reporter Gil, Min-Kwon | mkgil@dailysecu.com | Monday, May 22nd, 2017]
2017.06.12
WannaCry ransomware massively attacks computer systems all over the world
A new ransomware strain named WannaCry (aka WannaDecryptor, aka WannaCryptor, aka WanaCypt0r, aka WCry) has infected more than 57,000 computers in 74 countries around the world so far. According to Avast malware researcher Jakub Kroustek, most of the detections are coming from Russia, Ukraine, India and Taiwan.

Kaspersky Lab forum users report that the WannaCry ransomware managed to infiltrate the internal computer system of the Ministry of Internal Affairs of Russia and the Investigative Committee of Russia. “It first appeared in February 2017, but now it’s updated and looks different than previous versions”, said one of the Kaspersky Lab forum users. Spain’s Computer Emergency Response Team CCN-CERT also posted an alert on their site about a widescale ransomware attack affecting a few Spanish organizations. The National Health Service (NHS) in the U.K. also issued an alert and confirmed infections at 16 medical institutions.

The WannaCry attacks are initiated using an SMBv2 remote code execution in Microsoft Windows OS. The EternalBlue exploit was made publicly available through the Shadowbrokers dump on April 14th, 2017 and patched by Microsoft on March 14. However, many companies and public organizations have not yet installed the patch on their systems.

The ransomware encrypts the files and also drops multiple ransom notes in different languages. WannaCry demands a payment of $300 to a Bitcoin wallet. The WannaCry virus provides a countdown timer warning that the payment amount will be raised after 3 days and that the victim will completely lose their personal files after 7 days. The ransomware also changes the victim’s wallpaper with instructions on how to pay the ransom demand and how to get the decryptor tool. The transaction statistics of the Bitcoin wallets used by the WannaCry creators show that some of the victims have already paid the ransom.
The file extensions targeted by the WannaCry ransomware include:
  • Commonly used office file extensions (.ppt, .doc, .docx, .xlsx, .sxi).
  • Archives, media files (.zip, .rar, .tar, .bz2, .mp4, .mkv).
  • Emails and email databases (.eml, .msg, .ost, .pst, .edb).
  • Database files (.sql, .accdb, .mdb, .dbf, .odb, .myd).
  • Developers’ source code and project files (.php, .java, .cpp, .pas, .asm).
  • Encryption keys and certificates (.key, .pfx, .pem, .p12, .csr, .gpg, .aes).
  • Graphic designers, artists and photographers files (.vsd, .odg, .raw, .nef, .svg, .psd).
  • Virtual machine files (.vmx, .vmdk, .vdi).

How to Prevent WannaCry infection?
1. Make sure that all hosts have enabled endpoint anti-malware solutions.
2. Install the official Windows patch (MS17-010), which closes the SMB Server vulnerability used in this ransomware attack.
3. Scan all systems. After detecting the malware attack as MEM:Trojan.Win64.EquationDrug.gen, reboot the system. Make sure MS17-010 patches are installed.
4. Back up all important data to an external hard drive or cloud storage service.

[Source : MalwareLess, May 12, 2017, https://malwareless.com/wannacry-ransomware-massively-attacks-computer-systems-world]

A more obvious defense is to install Zombie ZERO, which defends against new Ransomware based on behavior. Zombie ZERO can defend against a second WannaCry and against new and variant Ransomware without signatures. Existing antiviruses cannot prevent the upcoming WannaCry, a new malware. For more information, please call +82-2-1544-5317 or visit www.npcore.com.

Go to Ransomware Response Solution on Endpoint : ZombieZERO EDR for Ransomware
2017.05.14
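A defender's readiness check for the four prevention steps in the article above, added here as an example and not code from the page, MalwareLess or NPCore. It assumes Windows Defender as the endpoint anti-malware product, and the list of MS17-010 KB numbers is an assumption that you should verify against Microsoft's bulletin for your OS build.

```powershell
# Added audit script (not from the page or from NPCore's products): reports a Windows host's
# state against the four WannaCry prevention steps. The KB list is an assumption; verify it
# against Microsoft's MS17-010 bulletin for your OS build before relying on it.
$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216','KB4012214',
                'KB4012217','KB4012606','KB4013198','KB4013429')

function Get-WannaCryReadiness {
    param(
        [string]$BackupPath,   # optional: folder on the external/cloud backup target
        [switch]$RunQuickScan  # step 3: actually start a Defender quick scan
    )
    $r = [ordered]@{}

    # Step 1: endpoint anti-malware enabled (Windows Defender used as the example product)
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $r.RealTimeProtection = $mp.RealTimeProtectionEnabled
        $r.SignatureAgeDays   = $mp.AntivirusSignatureAge
    } catch {
        $r.RealTimeProtection = 'unknown (Defender cmdlets unavailable; check your AV console)'
    }

    # Step 2: MS17-010. A match is a positive confirmation; no match is NOT proof of exposure
    # on Windows 10, where later cumulative updates supersede and hide the original KB.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $r.Ms17010KbFound = @($installed | Where-Object { $Ms17010Kbs -contains $_ })

    # EternalBlue targets the SMBv1 server. A host with SMBv1 turned off is not reachable by
    # that exploit even if the KB check is inconclusive (this complements, not replaces, patching).
    try {
        $r.Smb1ServerEnabled = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol
    } catch { $r.Smb1ServerEnabled = 'unknown' }

    # Step 3: scan. Only started on request so that a plain audit run stays read-only.
    if ($RunQuickScan) {
        Start-MpScan -ScanType QuickScan
        $r.QuickScanStarted = $true
    }

    # Step 4: backups. Report the newest file on the backup target; a stale timestamp means
    # the backup would not cover recently changed files.
    if ($BackupPath -and (Test-Path $BackupPath)) {
        $newest = Get-ChildItem -Path $BackupPath -Recurse -File -ErrorAction SilentlyContinue |
                  Sort-Object LastWriteTime -Descending | Select-Object -First 1
        $r.NewestBackupFile = if ($newest) { $newest.LastWriteTime } else { 'no files found' }
    }

    [pscustomobject]$r
}

# Example run (read-only): Get-WannaCryReadiness -BackupPath 'E:\Backups'
Get-WannaCryReadiness
```

Run it in an elevated PowerShell session; the SMB and Defender cmdlets need administrator rights on most builds.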