Well, not really, but I’m going to write a series of posts that will all tie together into something that can be a very useful tool for anyone interested in running a security home lab, or for a new or established security operations centre.
I am going to be using open source software, showing how the pieces can be used together to build a pretty awesome environment that, in my opinion, rivals, if not betters, many of the paid and expensive tools in the security industry.
Over the next few weeks and months, I will create guides for the following.
I’m not necessarily going to create the guides in the order listed above; however, I will be starting with Cuckoo.
Cuckoo is a fun place to start, as you can get a pretty awesome malware sandbox analysis tool up and running in a fairly short amount of time and see real results and benefits from it. There are so many ways you can customise it and get it working the way you want in your own environment. Why pay a third party for your malware analysis when you can have a free and powerful version of your own?
Anyhow, enough jibber jabbing. Time for the first update!
I came across an interesting article today regarding the Petya / NotPetya cyber attack from last week. It is a very good write-up and analysis of how the organisation M.E.Doc appears to have been compromised and used to spread the malware through a series of updates for the software it produces.
This demonstrates how devastating a software supply-chain compromise can be: if you happen to be the target, a trusted update channel makes it very difficult for a defender to identify and stop this type of attack.
On the 27th of June 2017, a new cyberattack hit many computer systems in Ukraine, as well as in other countries. That attack was spearheaded by the malware ESET products detect as Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya). This malware masquerades as typical ransomware: it encrypts the data on the computer and demands $300 in bitcoins for recovery. In fact, the malware authors’ intention was to cause damage, so they did all that they could to make data decryption very unlikely.
Another good write-up by Bleeping Computer that contains more information.
Last week, a blog post from a Ukrainian web developer went viral, after it hinted that the real culprit behind the hacked server could have been M.E.Doc’s web host, Wnet, a company that has been accused of having ties to Russia’s intelligence service (FSB).
An investigation into the man’s accusations revealed that the SBU had raided the web host on June 1, for “illegal traffic routing to Crimea in favor of Russian special services.”
It was just a matter of time until other organisations or individuals followed the path set by WannaCry last weekend.
It seems there is another variant of ransomware doing the rounds which exploits the same loophole as WannaCry: it uses port 445 (SMB) to enumerate and infect other machines on your internal and then external networks. It is exploiting the same SMB vulnerability (MS17-010).
Mitigation: just make sure you have the latest updates from Microsoft, in particular the MS17-010 patch.
If you see traffic to these domains, it’s likely not good!
This is a pretty good write-up of what was known at the time.
Easy fixes for this have been available for the past two months, and it was just a matter of time until the tools developed by our American friends were used against the general public.
Hopefully this is a lesson learned for many organisations, and they realise that patching and running fairly up-to-date operating systems is important, not just something you do to achieve compliance.
A few more articles that contain good information about these events.
Vector: All Windows versions before Windows 10 are vulnerable if not patched for MS17-010. It uses EternalBlue (MS17-010) to propagate.
Ransom: between $300 to $600. There is code to ‘rm’ (delete) files in the virus. Seems to reset if the virus crashes.
Backdooring: The worm loops through every RDP session on a system to run the ransomware as that user. It also installs the DOUBLEPULSAR backdoor. It corrupts shadow volumes to make recovery harder. (source: malwarebytes)
Kill switch: If the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is up the virus exits instead of infecting the host. (source: malwarebytes). This domain has been sinkholed, stopping the spread of the worm. Will not work if proxied (source).
update: A minor variant of the virus has been found, it looks to have had the killswitch hexedited out. Not done by recompile so probably not done by the original malware author. On the other hand that is the only change: the encryption keys are the same, the bitcoin addresses are the same. On the other hand it is corrupt so the ransomware aspect of it doesn’t work – it only propagates.
To be infected requires the SMB port (445) to be open, or the machine already infected with DOUBLEPULSAR (and killswitch not registered or somehow blocked, or the network accessing it through a proxy).
The MS17-010 patch fixes the vulnerability.
Windows XP: Doesn’t spread. If run manually, can encrypt files.
Windows 7, 8, 2008: can spread unpatched, can encrypt files.
There are a number of files and folders WannaCrypt will avoid, some because encrypting them is entirely pointless and others because it might destabilise the system. During scans, it will search the path for the following strings and skip over it if any are present:
“Content.IE5”
“Temporary Internet Files”
” This folder protects against ransomware. Modifying it will reduce protection”
#include <stdint.h>

#define WC_SIG_LEN    8    // "WANACRY!" is 8 bytes (64 bits)
#define WC_ENCKEY_LEN 256  // RSA-2048 encrypted key is 256 bytes (keylen field holds 0x100)

typedef struct _wc_file_t {
    char     sig[WC_SIG_LEN];        // 64 bit signature WANACRY!
    uint32_t keylen;                 // length of encrypted key
    uint8_t  key[WC_ENCKEY_LEN];     // AES key encrypted with RSA
    uint32_t unknown;                // usually 3 or 4, unknown
    uint64_t datalen;                // length of file before encryption, obtained from GetFileSizeEx
    uint8_t *data;                   // Ciphertext: encrypted data using AES-128 in CBC mode (follows the header on disk)
} wc_file_t;
credit for reversing this file format info: cyg_x11.
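As an added example (not from the original post or from cyg_x11’s work), here is a small triage parser for the .WNCRY header laid out above: it checks the WANACRY! signature, the fixed 0x100 key length and the little-endian field offsets, so an incident responder can confirm which files on a disk image were actually touched by the worm. The sample buffer is constructed for the demonstration and the WC_* sizes are assumed as described in the comments.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WC_SIG_LEN    8    /* "WANACRY!" */
#define WC_ENCKEY_LEN 256  /* RSA-2048 encrypted AES key */
#define WC_HDR_LEN    (WC_SIG_LEN + 4 + WC_ENCKEY_LEN + 4 + 8)  /* 280 bytes */

/* Parsed .WNCRY header; the AES-CBC ciphertext follows it in the file. */
typedef struct {
    uint32_t keylen;
    uint8_t  key[WC_ENCKEY_LEN];
    uint32_t unknown;               /* usually 3 or 4 */
    uint64_t datalen;               /* original plaintext size */
    const uint8_t *data;            /* points into the caller's buffer */
    size_t ct_len;                  /* ciphertext bytes present after the header */
} wc_parsed_t;

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64le(const uint8_t *p) {
    return (uint64_t)rd32le(p) | (uint64_t)rd32le(p + 4) << 32;
}

/* Returns 1 and fills *out if buf looks like a WannaCry-encrypted file, else 0. */
int wc_parse(const uint8_t *buf, size_t len, wc_parsed_t *out) {
    if (len < WC_HDR_LEN || memcmp(buf, "WANACRY!", WC_SIG_LEN) != 0) return 0;
    const uint8_t *p = buf + WC_SIG_LEN;
    out->keylen = rd32le(p);                  p += 4;
    if (out->keylen != WC_ENCKEY_LEN) return 0;   /* real headers always carry 0x100 here */
    memcpy(out->key, p, WC_ENCKEY_LEN);       p += WC_ENCKEY_LEN;
    out->unknown = rd32le(p);                 p += 4;
    out->datalen = rd64le(p);                 p += 8;
    out->data   = p;
    out->ct_len = len - WC_HDR_LEN;
    return (out->ct_len % 16 == 0);           /* CBC output is whole 16-byte blocks */
}

/* Constructed sample (not a real capture): header plus one block of fake ciphertext. */
size_t wc_make_sample(uint8_t *buf, size_t cap) {
    if (cap < WC_HDR_LEN + 16) return 0;
    memset(buf, 0, WC_HDR_LEN + 16);
    memcpy(buf, "WANACRY!", WC_SIG_LEN);
    buf[8] = 0x00; buf[9] = 0x01;             /* keylen = 0x100, little-endian */
    memset(buf + 12, 0xAA, WC_ENCKEY_LEN);    /* placeholder encrypted key */
    buf[268] = 4;                             /* "unknown" field */
    buf[272] = 13;                            /* original file was 13 bytes */
    memset(buf + WC_HDR_LEN, 0xBB, 16);       /* one AES block of "ciphertext" */
    return WC_HDR_LEN + 16;
}
```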
Vulnerability disclosure
The specific vulnerability that it uses to propagate is ETERNALBLUE.
This was developed by “Equation Group”, an exploit developer group associated with the NSA, and leaked to the public by “The Shadow Brokers”. Microsoft fixed this vulnerability on March 14, 2017. They were not 0-days at the time of release.
I revisited the links later in the day and have a bit more detail: we can see they are still serving executable files. Chrome is now blocking them and flagging these files as malicious, and so is Internet Explorer. I have not tried them on Firefox at this time.