May 19, 2017
UNM4SK3D: WannaCry, Bell Canada, and CIA
#ransomware

You've probably heard so much about it that by now you WannaCry. On May 12th, what is believed to be the largest ransomware campaign to date, 'WannaCry', hit over 45,000 computers in 74 countries, including the United States, Russia, Germany, Turkey, Italy, the Philippines and Vietnam; by mid-week the number had grown to an estimated 237,000 computers in 99 countries. What makes WannaCry so unique and nasty is its ability to self-propagate: nobody has to click a link or open a file. Once a single computer in your organization is hit, the worm component looks for other vulnerable machines on the network and infects them as well. Once infected, victims are asked to pay $300 in Bitcoin to unlock their files; otherwise their PCs remain unusable and their files stay encrypted. By Monday morning, 181 payments had been made to the attackers, totaling 29.46564365 BTC ($50,504.23 USD).

The attackers behind the campaign are leveraging a Windows exploit stolen from the NSA, 'EternalBlue', which was dumped by the Shadow Brokers hacking group over a month ago. Microsoft released a patch for the underlying SMBv1 vulnerability in March (MS17-010), but the many users and organizations who did not apply it remain vulnerable. "The exploit has the capability to penetrate into machines running unpatched versions of Windows XP through 2008 R2 by exploiting flaws in Microsoft Windows SMB Server. This is why the WannaCry campaign is spreading at an astonishing pace," reports The Hacker News.

According to a different report, 16 NHS hospitals across the UK were effectively shut down after doctors were unable to access patient files. Another report states that 85% of computers at the Spanish telecom firm Telefonica were infected with the malware. At least 1,600 U.S. organizations have also reportedly been affected, including FedEx.
Since the incident, Microsoft has taken the unusual step of releasing an emergency security update for versions of Windows it no longer supports, including Windows XP, Windows 8 and Windows Server 2003. (Apply the patch now, and where you can, disable SMBv1 and block TCP port 445 at the perimeter.)

As for who is behind the attacks, nothing has been 100% confirmed (the typical nature of cyber attacks), but Neel Mehta, a security researcher at Google, found evidence suggesting WannaCry is linked to a state-sponsored hacking group in North Korea known for attacks against South Korean organizations. Code found in the WannaCry malware was identical to code used in an early 2015 version of Cantopee, a backdoor developed by the Lazarus Group. Lazarus is believed to be responsible for the 2013 DarkSeoul operation, the devastating 2014 Sony Pictures hack and the 2016 $81 million Bangladesh Bank heist. However, it is possible that the WannaCry authors deliberately copied code from the Lazarus backdoor to mislead researchers and law enforcement as they investigate.

Shortly after the malware began to spread, a security researcher tweeting as 'MalwareTech' accidentally triggered a kill switch: before spreading, the malware checks whether a particular unregistered domain resolves, and registering that domain (to sinkhole it) caused new infections to stop propagating. But because this is the Internet, that's not where the story ends. Costin Raiu of Kaspersky Lab confirmed that there is a WannaCrypt variant without a kill switch, still equipped with the SMB exploit that lets it spread without disruption. Worse, the kill-switch-free variant appears to have been created by someone other than the hackers behind the initial WannaCry ransomware. Everyone should expect a new wave of ransomware attacks and continue to follow the news for updates.

In light of this attack, popular news media have been reporting heavily on WannaCry, and for once cyber security seems to be getting the attention it deserves. Whether it will become more of a priority going forward is too soon to tell.
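One thing a SOC can do while the patch rolls out is watch for the worm's own behaviour on the network. The script below is an added example written for this post, not code from the original article or from any of the researchers named in it. It reads connection logs in an assumed five-field format (timestamp, source IP, destination IP, destination port, action) and flags any host that reaches an unusual number of distinct hosts on TCP/445 inside a short window, which is what the EternalBlue spreader looks like on the wire whether or not each probe succeeds. The log lines are constructed for the example; the window size and threshold are tuning assumptions.

```python
"""Flag hosts that behave like an SMB worm (many distinct targets on TCP/445
in a short window) from connection logs.

Added example, not code from the original post. The log format (timestamp,
source IP, destination IP, destination port, action) is an assumption chosen
for the example; adapt parse_line() to your firewall or NetFlow export.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, action = parts
    try:
        return {
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "action": action,
        }
    except ValueError:
        return None


def find_smb_scanners(lines, window_seconds=60, threshold=10):
    """Return {src: peak_distinct_targets} for sources that contacted at least
    `threshold` distinct hosts on TCP/445 within any `window_seconds` window.

    Allowed and denied connections both count: a worm probing a whole subnet
    still produces the fan-out pattern even when most targets are blocked.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] == SMB_PORT:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        recent = deque()   # events inside the sliding window
        live = Counter()   # dst -> number of events for it inside the window
        for ts, dst in events:
            recent.append((ts, dst))
            live[dst] += 1
            # Evict events that fell out of the window.
            while ts - recent[0][0] > window:
                _, old_dst = recent.popleft()
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
            if len(live) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(live))
    return alerts


def build_sample_log():
    """Constructed sample traffic, not real captured data: one worm-like host
    sweeping 10.0.5.100-129 on 445, one ordinary workstation talking to a
    single file server, unrelated HTTPS traffic, and a malformed line."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    fmt = "%Y-%m-%dT%H:%M:%S"
    lines = []
    # Infected host: a new neighbour every second on 445, mostly refused.
    for i in range(30):
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        action = "allow" if i % 7 == 0 else "deny"
        lines.append(f"{ts} 10.0.5.21 10.0.5.{100 + i} 445 {action}")
    # Normal workstation: repeated SMB to the file server plus one printer share.
    for i in range(50):
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(f"{ts} 10.0.5.40 10.0.5.2 445 allow")
    ts = (base + timedelta(seconds=5)).strftime(fmt)
    lines.append(f"{ts} 10.0.5.40 10.0.5.3 445 allow")
    # Traffic on other ports and garbage must be ignored, not crash the parser.
    lines.append(f"{base.strftime(fmt)} 10.0.5.40 203.0.113.10 443 allow")
    lines.append("garbage line")
    return lines


if __name__ == "__main__":
    for host, fanout in find_smb_scanners(build_sample_log()).items():
        print(f"possible SMB worm: {host} reached {fanout} distinct hosts on 445")
```

A file server talking to many clients produces the inverse pattern (many sources, one destination) and does not trip the check, so the rule is evaluated per source over a short window; feed the hits into your isolation playbook rather than treating them as proof of infection. This does not detect the kill-switch lookup; for that, watch DNS logs for the domain your threat intelligence source reports, which this article does not name.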
Still, the event and subsequent coverage prompted a surge in cyber security stocks as investors sought safety.
This attack demonstrates the opportunistic nature of commercial malware authors to re-use the most powerful of exploit techniques to further their aims, which is ultimately to make money. -SophosLabs VP, Simon Reed

For even more WannaCry resources from industry leaders, visit the Cybrary CH4NN3LS page. We recommend 'Player 3 Has Entered the Game' from Talos.
#hacked

Not so surprisingly, while we were all distracted by WannaCry, two separate data breaches were reported: one at DocuSign, a major provider of electronic signature technology, and another at Bell, Canada's largest telecommunications company.

On Monday, Bell Canada confirmed that the data of 1.9 million customers had been stolen, but did not specify from which particular service it had been taken. The stolen records included email addresses, names and telephone numbers. Bell assured its customers that there is no indication the attackers accessed "financial, password or other sensitive personal information," and that the incident is not linked to the global WannaCry ransomware attacks. The unknown hackers posted a statement reading: "We are releasing a significant portion of Bell.ca's data due to the fact that they have failed to [co-operate] with us, this shows how Bell doesn't care for its [customers'] safety and they could have avoided this public announcement… Bell, if you don't [co-operate], more will leak :)." There is no indication who is behind the breach, but the company is working with Canadian law enforcement to find out who was responsible.

As for DocuSign, the company confirmed a breach of one of its email systems while investigating the cause of a spike in DocuSign-impersonating phishing emails. An unknown group of hackers breached the electronic signature provider's email system and stole a database containing the email addresses of DocuSign customers. The attackers then used the stolen list to run an extensive phishing campaign against DocuSign users over the past week. Sent from addresses including firstname.lastname@example.org, the emails carried a downloadable Microsoft Word document which, once opened with macros enabled, installs malware on the victim's computer. The document's VBA macro is the dropper, so nothing runs until the user clicks 'Enable Content'.
The number of victims has not been confirmed, nor has anyone taken credit for the attack, but DocuSign says only email addresses were accessed.
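The DocuSign lure worked because the Word attachment carried a VBA macro, and mail gateways that filter on extension alone miss a .docm renamed to .docx. The following Python is an added example for this post (not DocuSign's or the post author's code) that inspects the attachment bytes themselves: OOXML documents are ZIP containers, so a VBA project shows up as a word/vbaProject.bin part and as a macroEnabled main content type in [Content_Types].xml. The two sample documents it builds are constructed test data, and the content-type strings are the standard OOXML ones; legacy binary .doc files are only classified, since their macros live in OLE streams that need a separate parser.

```python
"""Decide whether an Office attachment carries VBA macros by inspecting the
file itself rather than trusting its extension.

Added example, not code from the post or from DocuSign. OOXML (.docx/.docm)
files are ZIP containers; a macro-enabled document carries a vbaProject.bin
part and declares a macroEnabled main content type in [Content_Types].xml.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt header
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def inspect_office_attachment(data):
    """Return a verdict dict for raw attachment bytes.

    kind: 'ooxml', 'ole2' or 'unknown'
    vba_parts: ZIP members that are (or are declared as) VBA projects
    macro_enabled_type: main part declared with a macroEnabled content type
    has_vba: True when at least one VBA part was found
    """
    verdict = {"kind": "unknown", "vba_parts": [],
               "macro_enabled_type": False, "has_vba": False}
    if data.startswith(OLE2_MAGIC):
        # Binary .doc: macros live in an OLE stream, which needs an OLE parser
        # (olefile/oletools); here we only classify it so it is not waved through.
        verdict["kind"] = "ole2"
        return verdict
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return verdict
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return verdict
    verdict["kind"] = "ooxml"

    # 1. Any member literally named vbaProject.bin, whatever folder it is in.
    vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]

    # 2. Parts declared with the VBA content type, and the macroEnabled main
    #    part, which survives a renamed extension or a renamed part.
    root = ET.fromstring(zf.read("[Content_Types].xml"))
    for el in root.iter(f"{{{CT_NS}}}Override"):
        ctype = el.get("ContentType", "")
        part = el.get("PartName", "").lstrip("/")
        if ctype == VBA_CONTENT_TYPE and part not in vba_parts:
            vba_parts.append(part)
        if ".macroEnabled." in ctype:
            verdict["macro_enabled_type"] = True
    # 3. A Default mapping (e.g. Extension="bin") to the VBA type makes every
    #    member with that extension a VBA part.
    for el in root.iter(f"{{{CT_NS}}}Default"):
        if el.get("ContentType", "") == VBA_CONTENT_TYPE:
            ext = "." + el.get("Extension", "").lower()
            for n in names:
                if n.lower().endswith(ext) and n not in vba_parts:
                    vba_parts.append(n)

    verdict["vba_parts"] = vba_parts
    verdict["has_vba"] = bool(vba_parts)
    return verdict


def build_sample_doc(with_macro):
    """Construct a minimal OOXML container (constructed test data, not a real
    phishing lure). with_macro=True mimics a .docm: macroEnabled main part
    plus a placeholder word/vbaProject.bin."""
    if with_macro:
        main_ct = "application/vnd.ms-word.document.macroEnabled.main+xml"
    else:
        main_ct = ("application/vnd.openxmlformats-officedocument"
                   ".wordprocessingml.document.main+xml")
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_macro:
        overrides += (f'<Override PartName="/word/vbaProject.bin" '
                      f'ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Types xmlns="{CT_NS}">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'{overrides}</Types>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels",
                    '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body/></w:document>')
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder, not real VBA
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print("macro" if flag else "plain", inspect_office_attachment(build_sample_doc(flag)))
```

Run it on the raw attachment bytes pulled from the mail queue, not on the filename: a macro-enabled document renamed to .docx still yields has_vba=True, and an OLE2 result should be routed to an OLE-aware scanner rather than delivered.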
As part of our ongoing investigation, today we confirmed that a malicious third party had gained temporary access to a separate, non-core system that allows us to communicate service-related announcements to users via email. -DocuSign representative

Keep your information safe from breaches. Read 'Protecting Data Against State Level Adversaries.'
#wikileaks (drip, drip)

It seems the Bell Canada and DocuSign hackers weren't the only ones who took advantage of the WannaCry distraction. WikiLeaks released a new batch of CIA Vault 7 leaks, the 8th in the series, detailing two apparent CIA malware frameworks for the Microsoft Windows platform. The frameworks, dubbed 'AfterMidnight' and 'Assassin', are designed to monitor and report back on an infected remote Windows host and to execute actions specified by the CIA.

According to a statement from WikiLeaks, 'AfterMidnight' allows its operators to dynamically load and execute malicious payloads on a target system. "The main controller of the malicious payload is disguised as a self-persisting Windows Dynamic-Link Library (DLL) file and executes 'Gremlins,' small payloads that remain hidden on the target machine by subverting the functionality of targeted software, surveying the target, or providing services for other gremlins." Once installed on a target machine, AfterMidnight uses an HTTPS-based Listening Post (LP) system called 'Octopus' to check for any scheduled events. If an event is found, the malware downloads and stores all required components before loading the new gremlins in memory. In the user guide, last updated August 2014, the section headed Advanced warns users with the notice: "You can destroy everything in the universe by following these directions. User discretion is advised."

'Assassin' is a similar tool that runs its implant inside a Windows service process, allowing operators to perform malicious tasks on an infected machine. It has four subsystems: Implant, Builder, Command and Control, and Listening Post. 'Implant' provides the core logic and functionality of the tool on the target Windows machine, including communications and task execution. 'Builder' configures the Implant and 'Deployment Executables' before deployment. 'Command and Control' acts as the interface between the operator and the 'Listening Post', while the LP lets the 'Assassin Implant' communicate with the command and control subsystem through a web server. Both 'Assassin' and 'AfterMidnight' are persistent and can be scheduled to autonomously uninstall themselves at a specific date and time. The 21-page Assassin training documentation, last updated June 2014, which ironically appears to be a PowerPoint presentation, has one section titled 'Assassin Tasking for Fun and Profit.'
This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. -Microsoft President, Brad Smith

Read 'Vault 7 Vulnerabilities in Anti-Virus Solutions' to go more in-depth on what's been revealed by WikiLeaks.