Master_Scythe

Anyone WannaCry?

Lucky for me, nothing in my organization yet. But we're counting the minutes, lol.

Gotta love EternalBlue, eh? It was a beast of a piece of software; I'm both horrified and somewhat intrigued that someone 'weaponized' it.

for anyone interested, the best analysis I've found so far is here:

Oh, PS. If anyone has a copy of flypaper I can't find a working link anywhere!


There still seems to be misinformation around about the attack vector; from the reliable stuff I've read, it's by the SMB vulnerability and not by means of phishing email or dodgy websites.

But I guess it's still no reason to raise your guard in one area and get slack in another.

One vulnerability I see is that when doing new installs you're generally left at least a few months behind until you put on updates. The WSUS offline updates come in handy here, although I did one on one machine, then checked Windows Update, and it still managed to find hundreds of Meg worth of new updates.

I mentioned elsewhere I found info that blocking a few TCP and UDP ports should block incoming traffic attempting the exploit, though whether that provides complete protection in itself, no idea.


That's fairly correct, but to be at risk you'd have to expose the SMB shares to the internet. Basic NAT should handle it, assuming your local PCs aren't yet infected.

Also, it seems only Windows is affected, even if your other OSes are using SMB.

Look into the abilities of EternalBlue, and that'll tell ya.

Edited by Master_Scythe


"In the meantime, a third kill switch appeared in the wild ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf.com — the fact it contains lmao would mean, if the above attribution is correct, that the attacker is purposely sending multiple messages:"

People trying to link this to North Korea are stupid, I think, and yes, I know there is matching data between this and Contopee by Lazarus Group... but it's a stretch.

I'm not North Korean, but I really do doubt that the NKs are up to date on their 'Dank Memes'.

http://knowyourmeme.com/memes/ayy-lmao

Yep, I'm aware there are hundreds if not thousands of professionals "assessing" this data and analyzing where it's come from.

But I don't think it takes a social-media genius to realize that it's an internet-savvy group.

Some dickhead is going to EVENTUALLY put an "Anon" flag on this, just wait for it, but I'd be surprised if it's not just a new group on the block who went too far.

I'm fucking reading everything I can hoping for a 'Who Dunnit'.

The fact that these new variants keep coming out WITH THE KILL SWITCH STILL IN PLACE, just changed, also points out that it's not intended to "take over"; it's intended to send a message.

IMO....

It's fucking fascinating.


The original WannaCry ransomware didn't have the SMB worm payload; this version has the NSA code in it.


IMO there's every chance the version with the new kill-switch URL is just something released by script kiddies who've patched it into the executable.

There still seems to be a lack of information on things like: is it persistent across reboots? If the infected machine is disconnected from the 'net while this thing's encrypting user files, does it retain the encryption key used until it can be sent back to base and then deleted (which might provide some recovery hope)?


Oh, PS. If anyone has a copy of flypaper I can't find a working link anywhere!

I know, right?

For a free tool that is mentioned in a lot of places, and by the look of it is all of 47 KB, it's annoyingly thin on the ground!


Flypaper was part of a bunch of forensic software developed by HBGary Federal, which was later acquired by ManTech International.

Seems they were a leading-edge team in the battle against malware but were also involved in some pretty dubious activities themselves. https://en.wikipedia.org/wiki/HBGary

From what I could find from a bit of a look around, any link to their tools hits a dead or irrelevant page.

Not helped by the fact that Flypaper is also a 2011 movie and the name of a multimedia utility.


Is it persistent across reboots?

No, there is a coding error looking for its own files. Its persistence module is in the wrong folder.

If the infected machine is disconnected from the 'net while this thing's encrypting user files, does it retain the encryption key used until it can be sent back to base and then deleted (which might provide some recovery hope)?

It's unlikely; there is an ability to re-run the included Tor package, and you do have the onion domain to re-connect to, but nothing in its code suggests it keeps a key file for future sending.


There still seems to be misinformation around about the attack vector; from the reliable stuff I've read, it's by the SMB vulnerability and not by means of phishing email or dodgy websites.

As I have read it, and from my limited understanding of how these things work, the initial infection is from a nasty attachment someone opens; however, specifics on the initial infection method seem to be bloody sparse.

Once one computer is infected it then spreads across the network via the SMB exploit.

This is why I am struggling over how it even infected the large organisations, as I would have thought there would be enforced policies in place that prevent any such thing running from an attachment, no matter the OS used.

Also, the vulnerability was patched a month or so ago on the supported Windows OSs, so it really shouldn't have been an issue for those orgs running 7, 8 and 10.

XP is of course another matter entirely. Apparently the UK health system, which has been hit so badly, did have an ongoing support contract with Microsoft for XP but actually dropped it a couple of years ago to save money. That's working out well for them now, isn't it?


You can be initially infected by an SMB exploit, if your SMB is exposed to the internet.

So it'll spread between trusted organizations (say, a security camera company that VPNs into the hospital's IP cams).

Most of those large organizations will allow local executables, because there just aren't enough IT support people to maintain every little oddball request.

What they TRY to do (where I am, included) is make sure the user only has user- or guest-level access; aka they can execute things, but can't have admin rights.

UNFORTUNATELY you don't need admin rights to encrypt files you have full access to, and once it's in, it requires no rights to spread.

Another thing is that this virus was WELL timed; most large organizations I've worked for are spot-on 3 months behind on patches, on a rolling update, for the purpose of testing stability.

It's the norm in Government when I was in there.

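Added example, written for this page and not taken from any post in the thread: a small Python detector that reads constructed firewall log lines and flags the two conditions discussed above. First, SMB (TCP 445) allowed in from a non-internal address, which is the "SMB exposed to the internet" case; second, one internal host opening SMB to many distinct internal hosts inside a short window, which is what worm-style spread across the network looks like from the firewall's point of view. The log format, the sample lines, the "internal" ranges and the thresholds are all assumptions of the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample firewall log (not real traffic). The format
# "<epoch> <src_ip> <dst_ip> <dst_port> <action>" is an assumption of this example.
SAMPLE_LOG = """\
1494843600 203.0.113.7 10.0.0.5 445 ALLOW
1494843601 10.0.0.5 10.0.0.6 445 ALLOW
1494843601 10.0.0.5 10.0.0.7 445 ALLOW
1494843602 10.0.0.5 10.0.0.8 445 ALLOW
1494843602 10.0.0.5 10.0.0.9 445 ALLOW
1494843603 10.0.0.5 10.0.0.10 445 ALLOW
1494843604 10.0.0.5 10.0.0.11 445 ALLOW
1494843605 10.0.0.12 10.0.0.13 445 ALLOW
1494843700 10.0.0.12 10.0.0.14 80 ALLOW
1494843800 198.51.100.9 10.0.0.5 445 DENY
"""

SMB_PORT = 445

# "Internal" here means RFC 1918, loopback or link-local. This is deliberately
# explicit instead of ipaddress's is_private, which also treats the documentation
# ranges (203.0.113.0/24 etc.) used in the sample log as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(addr):
    """True if addr (a str or an ip_address object) lies in INTERNAL_NETS."""
    if isinstance(addr, str):
        addr = ipaddress.ip_address(addr)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = line.split()
        events.append({"ts": int(ts),
                       "src": ipaddress.ip_address(src),
                       "dst": ipaddress.ip_address(dst),
                       "port": int(port),
                       "action": action})
    return events


def internet_exposed_smb(events):
    """(src, dst) pairs where SMB was allowed in from a non-internal source,
    i.e. the 'SMB shares exposed to the internet' case from the thread."""
    return [(str(e["src"]), str(e["dst"])) for e in events
            if e["port"] == SMB_PORT and e["action"] == "ALLOW"
            and not is_internal(e["src"])]


def smb_fanout(events, window_seconds=60, threshold=5):
    """Internal hosts that opened SMB to >= threshold distinct internal
    destinations within any window of window_seconds; returns {src: max_distinct}.
    A host spreading a worm over SMB shows up as exactly this kind of fan-out."""
    by_src = defaultdict(list)
    for e in events:
        if (e["port"] == SMB_PORT and is_internal(e["src"])
                and is_internal(e["dst"])):
            by_src[e["src"]].append((e["ts"], e["dst"]))

    flagged = {}
    for src, conns in by_src.items():
        conns.sort()  # order by timestamp so a sliding window works
        start = 0
        for end in range(len(conns)):
            while conns[end][0] - conns[start][0] > window_seconds:
                start += 1
            distinct = {dst for _, dst in conns[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[str(src)] = max(flagged.get(str(src), 0), len(distinct))
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("SMB allowed in from non-internal sources:", internet_exposed_smb(evts))
    print("Internal hosts fanning out over SMB:", smb_fanout(evts))
```

On the sample log this reports 10.0.0.5 as both the host that accepted SMB from outside and the host that then fanned out to six internal neighbours within a few seconds; the denied attempt from 198.51.100.9 is ignored because the firewall already blocked it. The window and threshold are tunables: a file server legitimately talks to many clients, so in practice you would pair the fan-out rule with an allow-list of known SMB servers rather than alert on every host that crosses five peers.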

Been patching systems all week ... no infections but we have to be prepared.

Got an unholy mix of Windows 7, XP, 2008, 2008 R2, 2012, 2012 R2, 2016 and 10 here ...

Edited by Jeruselem

