In what is a mildly amusing statement (and I am sure not the whole of the conversation), Putin suggests that it comes down to patriotic individuals acting on their own behalf when they feel negative comments are being made about Russia.
Responding to a question about concerns in Germany that Russian hackers could meddle in that country’s upcoming federal elections, Putin said it was “theoretically possible” that “patriotic” hackers could attack those who “speak negatively about Russia.”
“At a government level, we are never engaged in this. That’s the most important thing,” Putin said at the televised meeting, which was held during Russia’s annual St. Petersburg International Economic Forum. He added that hackers could come “from any country in the world.”
As per my previous update, the idea behind what they wanted to do was a good one, but legally it was not. It seems that as humans we just cannot get around to doing the right thing and being proactive; we only know how to react when things go wrong.
Whatever happened to the NSA warez crowdfunding idea?
Statement on why we pulled the plug on the opensource crowdfunded #ShadowBrokers purchase pic.twitter.com/5DRbu1KUdA
TheShadowBrokers is not deciding yet. Something of value to someone. See theshadowbrokers’ previous posts. The time for “I’ll show you mine if you show me yours first” is being over. Peoples is seeing what happenings when theshadowbrokers is showing theshadowbrokers’ first. This is being wrong question. Question to be asking “Can my organization afford not to be first to get access to theshadowbrokers dumps?”
They are asking for Zcash to be used to purchase access to these latest exploits, which is around $20k or so. Based on what happened in early May with WannaCry and the impact we saw in the UK, this is a concern for us all. It did not take long from the initial release for someone to take advantage of these tools and weaponize them, with a large-scale impact. The positive side is that I believe many companies have now had a wake-up call and have learnt some lessons about patching their systems and paying attention when the security guys tell them to keep software and operating systems updated.
So now we have a couple of weeks until more tools are released, and I'm a bit torn on whether I agree with the current thinking of paying to get access to these tools. The idea itself is sound: get access to the exploits, research them and work with vendors to get them fixed, which is very commendable. However, it opens up a whole host of ethical questions, and are we essentially going to be held to ransom every time this happens in the future? I'm not quite sure this is the right approach. With that said, the link below goes to the Patreon page, which has more information, and you can donate to the cause if you wish.
The group calling itself the Shadow Brokers have released several caches of exploits to date. These caches and releases have had a detrimental outcome on the Internet at large, one leak especially resulted in the now infamous WannaCry ransomware worm – others have been used by criminal crackers to illegally access infrastructure. Many have been analysing the data to determine its authenticity and impact on infrastructure, as a community it has been expressed that the harm caused by exploits could have been mitigated against had the Shadow Brokers been paid for their disclosures.
This is an interesting read, which alludes to the NSA having informed Microsoft once the EternalBlue software was stolen from the NSA.
The consequences of the NSA’s decision to keep the flaw secret, combined with its failure to keep the tool secure, became clear Friday when reports began spreading of a massive cyberattack in which the WannaCry software encrypted data on hundreds of thousands of computers and demanded a ransom to decrypt it.
It was just a matter of time until other organisations or individuals followed the path set by WannaCry last weekend.
It seems there is another variant of ransomware doing the rounds which is exploiting the same loophole as WannaCry, using port 445 to enumerate and infect other machines on your internal and then external networks. It is exploiting the same SMB vulnerability (MS17-010).
Mitigation: just make sure you have the latest updates from Microsoft.
If you see traffic to these domains, it's likely not good!
This is taken from the nmap seclist page. A script for nmap has been written that should allow you to scan your network to determine if it is vulnerable. It may not be perfect, but I am sure it will help someone out there.
More good information; I suggest reading through it all if you have not done so already. This has been a bad weekend for businesses and infrastructure running older systems, but it has been a good weekend for the infosec community in coming together and sharing a lot of good information with each other.
There is a tool you can run on a host that will stop the ransomware from encrypting your machine; however, the worm will still attempt to spread over your network.
This is a pretty good write up of what was known at the time.
There have been easy fixes for this available for the past two months, and it was just a matter of time until the tools developed by our American friends were used against the general public.
Hopefully this is a lesson learned for many organisations, and they realise that patching and running fairly up-to-date operating systems is important and not just something to achieve compliance.
A few more articles that contain good information about these events.
Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS17-010. It uses EternalBlue (MS17-010) to propagate.
Ransom: between $300 and $600. There is code to ‘rm’ (delete) files in the virus. It seems to reset if the virus crashes.
Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).
Update: a minor variant of the virus has been found; it looks to have had the kill switch hex-edited out. This was not done by recompiling, so it was probably not the work of the original malware author. That is the only change: the encryption keys are the same and the bitcoin addresses are the same. However, this variant is corrupt, so the ransomware aspect of it doesn't work – it only propagates.
Infection requires the SMB port (445) to be open, or the machine to already be infected with DOUBLEPULSAR (and the kill switch domain not registered, or somehow blocked, or the network reaching it through a proxy).
The MS17-010 patch fixes the vulnerability.
Windows XP: Doesn’t spread. If run manually, can encrypt files.
Windows 7, 8, 2008: can spread if unpatched, can encrypt files.
There are a number of files and folders WannaCrypt will avoid, some because encrypting them is entirely pointless and others because it might destabilize the system. During scans, it will search the path for the following strings and skip the entry if one is present:
“Content.IE5”
“Temporary Internet Files”
” This folder protects against ransomware. Modifying it will reduce protection”
#include <stdint.h>

#define WC_SIG_LEN    8     /* "WANACRY!" is 8 bytes (64 bits) */
#define WC_ENCKEY_LEN 256   /* assumed: output size of the RSA-2048 key wrap */

typedef struct _wc_file_t {
    char     sig[WC_SIG_LEN];       // 64 bit signature WANACRY!
    uint32_t keylen;                // length of encrypted key
    uint8_t  key[WC_ENCKEY_LEN];    // AES key encrypted with RSA
    uint32_t unknown;               // usually 3 or 4, unknown
    uint64_t datalen;               // length of file before encryption, obtained from GetFileSizeEx
    uint8_t *data;                  // ciphertext: file contents encrypted with AES-128 in CBC mode (follows the header on disk)
} wc_file_t;
Credit for reversing this file format: cyg_x11.
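As an added example (not from the original post or from cyg_x11's analysis), a small C routine that a triage or recovery tool could use to validate a .WNCRY header before doing anything else with the file. The 8-byte signature and 256-byte encrypted-key field are assumptions, as the post only gives the field names; the sample file is constructed, not a real victim file.

```c
#include <stdint.h>
#include <string.h>

#define WC_SIG_LEN    8     /* "WANACRY!" */
#define WC_ENCKEY_LEN 256   /* assumed: RSA-2048 wrapped AES key */
#define WC_HDR_LEN    (WC_SIG_LEN + 4 + WC_ENCKEY_LEN + 4 + 8)   /* 280 bytes */

typedef struct {
    uint32_t keylen, unknown;
    uint64_t datalen;        /* original plaintext length */
    const uint8_t *data;     /* AES-128-CBC ciphertext, points into the caller's buffer */
    size_t cipher_len;       /* ciphertext bytes actually present */
} wc_header_t;

/* On-disk integers are little-endian (Windows/x86); read them portably. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) {
    return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32;
}

/* 0 = ok, -1 file too short, -2 bad signature, -3 unexpected key length,
 * -4 ciphertext inconsistent with datalen (truncated or not block-aligned). */
int wc_parse(const uint8_t *buf, size_t len, wc_header_t *h) {
    if (len < WC_HDR_LEN) return -1;
    if (memcmp(buf, "WANACRY!", WC_SIG_LEN) != 0) return -2;
    h->keylen = rd32(buf + WC_SIG_LEN);
    if (h->keylen != WC_ENCKEY_LEN) return -3;
    h->unknown = rd32(buf + WC_SIG_LEN + 4 + WC_ENCKEY_LEN);
    h->datalen = rd64(buf + WC_SIG_LEN + 4 + WC_ENCKEY_LEN + 4);
    h->data = buf + WC_HDR_LEN;
    h->cipher_len = len - WC_HDR_LEN;
    /* CBC output is whole 16-byte blocks and must cover the original length */
    if (h->cipher_len % 16 != 0 || h->cipher_len < h->datalen) return -4;
    return 0;
}

/* Constructed sample: a 37-byte file padded into three 16-byte blocks, with
 * dummy key and ciphertext bytes. Returns the total file size, 0 if cap too small. */
size_t wc_build_sample(uint8_t *buf, size_t cap) {
    const size_t blocks = 48;
    if (cap < WC_HDR_LEN + blocks) return 0;
    memset(buf, 0xAA, WC_HDR_LEN + blocks);             /* dummy key / ciphertext */
    memcpy(buf, "WANACRY!", WC_SIG_LEN);
    uint8_t *p = buf + WC_SIG_LEN;
    p[0] = 0x00; p[1] = 0x01; p[2] = 0; p[3] = 0;       /* keylen = 256 */
    p = buf + WC_SIG_LEN + 4 + WC_ENCKEY_LEN;
    p[0] = 4; p[1] = p[2] = p[3] = 0;                    /* unknown = 4 */
    memset(p + 4, 0, 8); p[4] = 37;                      /* datalen = 37 */
    return WC_HDR_LEN + blocks;
}
```

A file whose signature matches but whose body fails the length check is a likely truncated or partially written victim file, which matters when deciding whether any recovery attempt is even possible.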
Vulnerability disclosure
The specific vulnerability that it uses to propagate is ETERNALBLUE.
This was developed by the “Equation Group”, an exploit developer group associated with the NSA, and leaked to the public by “the Shadow Brokers”. Microsoft fixed this vulnerability on March 14, 2017, so the exploits were not 0-days at the time of the release.
In what feels like perfect timing from Microsoft, it seems they had already released patches for some, if not all, of the exploits released these past few days in the file dump by the Shadow Brokers.