
Anyone WannaCry?


13 replies to this topic

#1 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 19,921 posts
  • Location:QLD

Posted 16 May 2017 - 09:40 AM

Lucky for me, nothing in my organization yet. But we're counting the minutes, lol.

Gotta love EternalBlue eh? It was a beast of a piece of software, I'm both horrified and somewhat intrigued someone 'weaponized' it.

 

For anyone interested, the best analysis I've found so far is here:

Oh, PS. If anyone has a copy of flypaper I can't find a working link anywhere!


Wherever you go in life, watch out for Scythe, the tackling IT support guy.

"I don't care what race you are, not one f*cking bit, if you want to be seen as a good people, you go in there and you f*ck up the people who (unofficially) represent you in a negative light!"


#2 Jeruselem

Jeruselem

    Guru

  • Atomican
  • 13,580 posts
  • Location:Not Trump-Land

Posted 16 May 2017 - 10:34 AM

Bloody NSA ...

Cortana at your service


#3 Rybags

Rybags

    Immortal

  • Super Hero
  • 34,711 posts

Posted 16 May 2017 - 12:49 PM

There still seems to be misinformation around about the attack vector - from the reliable stuff I've read it's by the SMB vulnerability and not by means of phishing email or dodgy websites.

But I guess it's still no reason to raise your guard in one area and get slack in another.

 

One vulnerability I see is that when doing new installs you're generally left at least a few months behind until you put on updates. The WSUS offline updates come in handy here, although I did one on one machine then checked Windows Update and it still managed to find hundreds of Meg worth of new updates.

 

I mentioned elsewhere I found info that blocking a few TCP and UDP ports should block incoming traffic attempting the exploit, though whether that provides complete protection in itself, no idea.



#4 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 19,921 posts
  • Location:QLD

Posted 16 May 2017 - 12:53 PM

There still seems to be misinformation around about the attack vector - from the reliable stuff I've read it's by the SMB vulnerability and not by means of phishing email or dodgy websites.

But I guess it's still no reason to raise your guard in one area and get slack in another.

 

One vulnerability I see is that when doing new installs you're generally left at least a few months behind until you put on updates. The WSUS offline updates come in handy here, although I did one on one machine then checked Windows Update and it still managed to find hundreds of Meg worth of new updates.

 

I mentioned elsewhere I found info that blocking a few TCP and UDP ports should block incoming traffic attempting the exploit, though whether that provides complete protection in itself, no idea.

 

That's fairly correct, but to be at risk you'd have to expose the SMB shares to the internet. Basic NAT should handle it, assuming your local PCs aren't yet infected.

Also, it seems only Windows is affected, even if your other OSes are using SMB.

 

Look into the abilities of EternalBlue, and that'll tell ya.


Edited by Master_Scythe, 16 May 2017 - 12:58 PM.



#5 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 19,921 posts
  • Location:QLD

Posted 16 May 2017 - 01:40 PM

"In the meantime, a third kill switch appeared in the wild ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com — the fact it contains lmao would mean, if the above attribution is correct, that the attacker is purposely sending multiple messages:"

 

People trying to link this to North Korea are stupid I think, and yes I know there is matching data between this and Contopee by Lazarus Group...... But it's a stretch.

 

I'm not North Korean, but I really do doubt that the NKs are up to date on their 'Dank Memes'.

http://knowyourmeme.com/memes/ayy-lmao

 


 

 

Yep, I'm aware there are hundreds if not thousands of professionals "Assessing" this data and analyzing where it's come from.

 

But I don't think it takes a social-media genius to realize that it's an internet-savvy group.

Some dickhead is going to EVENTUALLY put an "Anon" flag on this, just wait for it, but I'd be surprised if it's not just a new group on the block who went too far.

 

I'm fucking reading everything I can hoping for a 'Who Dunnit'.

 

The fact that these new variants keep coming out WITH THE KILL SWITCH STILL IN PLACE, just changed, also points out that it's not intended to "take over"; it's intended to send a message.

IMO....

It's fucking fascinating.




#6 Jeruselem

Jeruselem

    Guru

  • Atomican
  • 13,580 posts
  • Location:Not Trump-Land

Posted 16 May 2017 - 03:42 PM

The original WannaCry ransomware didn't have the SMB worm payload; this version has the NSA code in it.




#7 Rybags

Rybags

    Immortal

  • Super Hero
  • 34,711 posts

Posted 16 May 2017 - 06:36 PM

IMO every chance the version with new killswitch URL is just something released by script-kiddies who've just patched it into the executable.

 

There still seems to be lack of information like - is it persistent across reboots?  If the infected machine is disconnected from the 'net while this thing's encrypting user files, does it retain the encryption key used until it can be sent back to base then deleted (which might provide some recovery hope).
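The kill-switch behaviour discussed in posts #5 and #7 (a variant looks its domain up before deciding whether to run, and new variants just swap the domain) gives a defender a cheap detection point: any internal host that queries one of those domains has executed the sample, even if the kill switch then stopped it from spreading. The following is an added example, not code from the thread or from any analysis it refers to; it assumes a BIND-style DNS query log (constructed inline) and takes only the one domain quoted in post #5 from the thread, with the second list entry a placeholder.

```python
"""Flag internal hosts whose DNS queries hit a WannaCry kill-switch domain.

Added example (not from the thread). Assumptions: a BIND-style query log
format (constructed below) and a hand-maintained list of kill-switch
domains; only the first domain comes from the thread, the second is a
placeholder.
"""
import re
from collections import defaultdict

# Kill-switch domain quoted in post #5 of the thread.
THREAD_DOMAIN = "ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com"

# Placeholder for any further variant's domain you have confirmed yourself.
KILL_SWITCH_DOMAINS = {
    THREAD_DOMAIN,
    "placeholder-for-another-variant.invalid",
}

# Assumed BIND-style query log line (constructed):
#   <date> <time> client <ip>#<port>: query: <name> IN <type> ...
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def parse_line(line):
    """Return the fields of one query-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ts": m.group("ts"),
        "ip": m.group("ip"),
        "name": normalize(m.group("name")),
        "qtype": m.group("qtype"),
    }


def find_kill_switch_lookups(lines, domains=KILL_SWITCH_DOMAINS):
    """Map client IP -> [(timestamp, domain)] for every query of a listed domain.

    A host that resolves a kill-switch domain has run the sample, whether or
    not the kill switch then stopped it, so each hit is a host to isolate and
    check, not merely a blocked connection.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["name"] in domains:
            hits[rec["ip"]].append((rec["ts"], rec["name"]))
    return dict(hits)


def long_label_candidates(lines, min_len=30):
    """Queried names with an unusually long label, for manual review.

    Loose heuristic (my assumption, not a published rule): the variants in the
    thread change the domain but keep the same long keyboard-mash shape, so an
    exact-match list lags behind; this surfaces lookalikes to review by hand.
    """
    seen = set()
    for line in lines:
        rec = parse_line(line)
        if rec is not None and any(len(label) >= min_len for label in rec["name"].split(".")):
            seen.add(rec["name"])
    return sorted(seen)


# Constructed sample log: two hosts, one of which looks up the thread's domain
# twice (once in upper case with a trailing dot), plus an unparseable line.
SAMPLE_LOG = [
    "16-May-2017 09:40:01.123 client 10.0.0.5#51234: query: " + THREAD_DOMAIN + " IN A + (10.0.0.1)",
    "16-May-2017 09:40:02.456 client 10.0.0.7#51235: query: www.example.com IN A + (10.0.0.1)",
    "16-May-2017 09:41:00.000 client 10.0.0.5#51240: query: " + THREAD_DOMAIN.upper() + ". IN A + (10.0.0.1)",
    "not a query log line",
]

if __name__ == "__main__":
    for ip, events in find_kill_switch_lookups(SAMPLE_LOG).items():
        print(f"{ip}: {len(events)} kill-switch lookup(s), first at {events[0][0]}")
    print("long-label names to review:", long_label_candidates(SAMPLE_LOG))
```

Point it at real query logs by replacing SAMPLE_LOG. The exact-match list is the reliable signal; long_label_candidates is only a review aid and will also pick up legitimate long hostnames such as CDN names, so treat its output as a queue to look at, not as detections.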



#8 @~thehung

@~thehung

    Guru

  • Hero
  • 8,522 posts

Posted 17 May 2017 - 01:27 AM

Oh, PS. If anyone has a copy of flypaper I can't find a working link anywhere!


I know, right?

 
For a free tool that is mentioned in a lot of places, and by the look of it is all of 47KB, it's annoyingly thin on the ground!
no pung intended

#9 Rybags

Rybags

    Immortal

  • Super Hero
  • 34,711 posts

Posted 17 May 2017 - 07:47 AM

Flypaper was part of a bunch of forensic software developed by HBGary Federal, which was later acquired by ManTech International.

 

Seems they were a leading-edge team in the battle against malware but were also involved in some pretty dubious activities themselves. https://en.wikipedia.org/wiki/HBGary

From what I could find from a bit of a look around, any link to their tools hits a dead or irrelevant page.

 

Not helped by the fact that Flypaper is also a 2011 movie and the name of a multimedia utility.



#10 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 19,921 posts
  • Location:QLD

Posted 17 May 2017 - 09:36 AM

Is it persistent across reboots?

No, there is a coding error looking for its own files. Its persistence module is in the wrong folder.

If the infected machine is disconnected from the 'net while this thing's encrypting user files, does it retain the encryption key used until it can be sent back to base then deleted (which might provide some recovery hope).

 

It's unlikely. There is an ability to re-run the included TOR package, and you do have the onion domain to re-connect to, but nothing in its code suggests it keeps a key file for future sending.




#11 aliali

aliali

    Titan

  • Super Hero
  • 24,354 posts

Posted 17 May 2017 - 10:51 AM

There still seems to be misinformation around about the attack vector - from the reliable stuff I've read it's by the SMB vulnerability and not by means of phishing email or dodgy websites.

As I have read it, and from my limited understanding of how these things work, the initial infection is from a nasty attachment someone opens; however, specifics on the initial infection method seem to be bloody sparse.

Once one computer is infected it then spreads across the network via the SMB exploit.

 

This is why I am struggling over how it even infected the large organisations, as I would have thought there would be enforced policies in place that prevent any such thing running from an attachment, no matter the OS used.

Also the vulnerability was patched a month or so ago on the supported Windows OSes, so it really shouldn't have been an issue for those orgs running 7, 8 and 10.

XP is of course another matter entirely. Apparently the UK health system, which has been hit so badly, did have an ongoing support contract with Microsoft for XP but actually dropped it a couple of years ago to save money. That's working out well for them now, isn't it?


Of course you are my bright little star,

I've miles and miles of files pretty files of your forefather's fruit,

and now to suit our great computer. You're magnetic ink.


#12 Master_Scythe

Master_Scythe

    Titan

  • Hero
  • 19,921 posts
  • Location:QLD

Posted 17 May 2017 - 11:06 AM

 

There still seems to be misinformation around about the attack vector - from the reliable stuff I've read it's by the SMB vulnerability and not by means of phishing email or dodgy websites.

As I have read it, and from my limited understanding of how these things work, the initial infection is from a nasty attachment someone opens; however, specifics on the initial infection method seem to be bloody sparse.

Once one computer is infected it then spreads across the network via the SMB exploit.

 

This is why I am struggling over how it even infected the large organisations, as I would have thought there would be enforced policies in place that prevent any such thing running from an attachment, no matter the OS used.

Also the vulnerability was patched a month or so ago on the supported Windows OSes, so it really shouldn't have been an issue for those orgs running 7, 8 and 10.

XP is of course another matter entirely. Apparently the UK health system, which has been hit so badly, did have an ongoing support contract with Microsoft for XP but actually dropped it a couple of years ago to save money. That's working out well for them now, isn't it?

 

 

You can be initially infected by an SMB exploit, if your SMB is exposed to the internet.

So it'll spread between trusted organizations (say, a security camera company that VPNs into the hospital's IP cams).

 

Most of those large organizations will allow local executables, because there just aren't enough IT support people to maintain every little oddball request.

What they TRY to do (where I am, included) is make sure the user only has user- or guest-level access; i.e. they can execute things, but can't have admin rights.

UNFORTUNATELY you don't need admin rights to encrypt files you have full access to, and once it's in, it requires no rights to spread.

 

Another thing is that this virus was WELL timed: most large organizations I've worked for are spot-on 3 months behind on patches, on a rolling update, for the purpose of testing stability.

It was the norm in Government when I was in there.




#13 aliali

aliali

    Titan

  • Super Hero
  • 24,354 posts

Posted 17 May 2017 - 12:26 PM

Ah thanks for the clarification M_S that makes sense.




#14 Jeruselem

Jeruselem

    Guru

  • Atomican
  • 13,580 posts
  • Location:Not Trump-Land

Posted 17 May 2017 - 01:21 PM

Been patching systems all week ... no infections but we have to be prepared.

 

Got an unholy mix of Windows 7, XP, 2008, 2008 R2, 2012, 2012 R2, 2016 and 10 here ...


Edited by Jeruselem, 17 May 2017 - 01:22 PM.





