
The Shadow Brokers' Most Damaging Release
This last release contained, among other things, FUZZBUNCH, an exploitation framework complete with numerous exploits, implants and a listening post for remotely accessing compromised hosts. I've spent a good bit of time exploring FUZZBUNCH and, in my estimation, the tools are probably three to four years old, based on the use of Python 2.6.x and the lack of any reference to a Windows OS newer than Windows Server 2012 RTM. This is particularly interesting to me because if FUZZBUNCH is truly an unaltered NSA tool, it is evidence that 0-day exploits were in use for years without being publicly discovered. After a few hours working with the tool, it became clear that one exploit in particular, ETERNALBLUE, a remote code execution exploit against SMBv1 that Microsoft later addressed in MS17-010, stood out from the pack.

Unknown Attackers Leverage ETERNALBLUE For Ransomware
This is where the WannaCrypt (WannaCry) ransomware attack comes into the picture. An unidentified individual or group saw the immense value of the ETERNALBLUE exploit and set to work retasking this stealthy cyber weapon into a worm carrying a ransomware payload. The attack went live on Friday, May 12, spreading through traditional worm techniques against the many public IPs running SMB services. Once a host is compromised, the worm scans for open SMB (TCP 445) on the local subnet and uses ETERNALBLUE, with the DOUBLEPULSAR kernel implant as its loader, to install WannaCrypt on each newly compromised host. Once installed, the ransomware, in classic fashion, encrypts user data and displays a message demanding the equivalent of $300 in bitcoin to recover it. The ransom note warns that after three days the ransom doubles and after seven days the data is irrevocably destroyed. In the days following the attack, malware researchers began reporting overlaps between the code used in this attack and earlier attacks that had been attributed to North Korean hackers. This may be evidence of North Korean involvement, or it may simply be a false flag intended to give that impression. The worm propagated very quickly, leaving a trail of destruction in its wake. Researchers have identified successful attacks in at least 150 countries, with hundreds of thousands of computers locked. The significance of this attack was already becoming clear in the early hours of Friday as reports came in that dozens of hospitals throughout the UK were locked out of patient records. Operations had to be rescheduled and some patients had to be diverted to other hospitals. Fortunately, before the day was done, a malware researcher stumbled onto a kill-switch for the worm: an unregistered domain the malware checked before encrypting, so that once the researcher registered it, the payload stopped running on new infections. This lucky break is likely what stopped the malware from spreading through North America with the devastating speed seen in Europe and Asia.
By Monday, this researcher had been awarded a $10,000 bounty by HackerOne for their role in saving the day. It is important to note, however, that it would be trivial for anyone to restart the campaign with a variant that lacks the kill-switch, and the kill-switch never protected hosts that could not reach the domain directly (for example, those behind a web proxy), so registering the domain was never a substitute for patching.
Staying Safe
If nothing else, the events of the last week are a clear demonstration that too many organizations fail to implement the security best practices preached by Tripwire and others in the industry. Patches protecting against ETERNALBLUE and the other MS17-010 exploits were available from Microsoft two months before the launch of WannaCry, for all supported Windows versions. (It's also interesting to note that while patches were not publicly available at the time for the long-unsupported Windows XP and Server 2003, released in 2001 and 2003 respectively, Microsoft had in fact authored fixes for these systems around the same time as the MS17-010 fixes for other systems, and published them only after the outbreak.) The top of every security professional's priority list should be applying patches quickly and comprehensively. (This also, of course, means not running deprecated OS like Windows XP or Server 2003.) Based on numerous analyses of real-world attacks, the use of 0-day is, by all accounts, rare, so staying up to date with security patches does in fact mitigate the vast majority of exploit-based attacks. Interestingly, a two-year-old study from Google found that among security experts, the top security practice was installing software updates, whereas non-experts thought the most important thing was running antivirus software. Ironically, installing software updates wasn't on the non-expert list and running antivirus wasn't among the top responses from security experts. Another important takeaway from this attack is that far too many organizations have SMB services (TCP 445 and/or TCP 139) exposed on public IP addresses. I cannot think of a reason why a network administrator would intentionally expose this service to the Internet. A VPN should be deployed in any situation where there is a need for external access to SMB. The elephant in the room on this topic, of course, is SMBv1.
Although it is an ancient protocol which lacks important security features (no pre-authentication integrity and no encryption, among others) and was officially deprecated nearly four years ago, it is still enabled by default all the way up to Windows 10 and Server 2016. The current version (SMBv3.1.1) was announced two years ago and introduced with Windows 10 and Server 2016. A good Windows security policy should include disabling SMBv1 as outlined in Microsoft's guidance, after first inventorying the legacy clients (old printers, NAS appliances, embedded devices) that still depend on it, since those will lose access to shares once it is off.
Summing Things Up
A quick recap of these safety tips is as follows:
- Install security patches as quickly as possible.
- Discontinue use of unsupported OS.
- Restrict access from the Internet to SMB and other non-public services.
- Disable SMBv1 throughout your networks.
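The recap above, turned into something a Windows administrator can actually run, as an added example that is not part of the original article: it reports whether the March 2017 MS17-010 updates are present, whether the SMBv1 server is enabled, disables SMBv1, adds a host-firewall backstop for TCP 139/445, and probes a remote host to see whether it still accepts an SMBv1 negotiate. The `$Ms17010Kbs` list is my recollection of the March 2017 KB IDs and is an assumption; Windows 10 and Server 2016 later carry the fix inside cumulative updates with other IDs, so a "not found" result there means "check the srv.sys version by hand", not "vulnerable". The probe relies on Windows closing the TCP connection when SMBv1 is disabled and an SMBv1-only negotiate arrives.

```powershell
# Added example (not from the original article). Run elevated in PowerShell 5.x.
# Cmdlet paths cover Windows 8 / Server 2012 and later; registry fallbacks cover Windows 7 / Server 2008 R2.

# --- 1. Patch check ---------------------------------------------------------
# MS17-010 KB IDs as published in March 2017 (assumption: that month's list). Windows 10 and
# Server 2016 later carry the fix inside cumulative updates with other IDs, so "not found"
# on those systems means "check srv.sys by hand", not "vulnerable".
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429',  # Windows 10 1507 / 1511 / 1607 and Server 2016
    'KB4012598'                             # XP / Server 2003 / Vista / Server 2008 (published after the outbreak)
)

function Get-Ms17010Status {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $matched   = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    # Report the srv.sys version too, for manual verification when a later rollup has superseded the IDs above.
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    $srvVersion = if ($srv) { $srv.VersionInfo.FileVersion } else { 'srv.sys absent (SMBv1 removed)' }
    [pscustomobject]@{ Ms17010KbFound = ($matched.Count -gt 0); MatchedKbs = ($matched -join ', '); SrvSysVersion = $srvVersion }
}

# --- 2. SMBv1 server state ---------------------------------------------------
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1Enabled {
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $v = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $v -or $v.SMB1 -ne 0)    # older systems: SMBv1 is on unless SMB1=0 exists
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0 -Force   # effective after LanmanServer restarts
    }
    # Where SMBv1 ships as a removable component, remove it so a stray policy cannot switch it back on.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null  # Windows 8.1 / 10
    }
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        Uninstall-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue | Out-Null   # Server 2012 R2 / 2016
    }
}

# --- 3. Host-firewall backstop ---------------------------------------------
# The real control is the perimeter (plus a VPN for remote users); this only stops SMB on
# interfaces Windows classifies as Public.
function Block-PublicSmb {
    New-NetFirewallRule -DisplayName 'Block inbound SMB on Public networks' -Direction Inbound `
        -Protocol TCP -LocalPort 139, 445 -Action Block -Profile Public | Out-Null
}

# --- 4. Remote check: does a host still answer SMBv1? -------------------------
# Hand-built SMB_COM_NEGOTIATE offering only the "NT LM 0.12" dialect. A server with SMBv1
# enabled answers with an SMB1 header (0xFF 'S' 'M' 'B', command 0x72); one with SMBv1
# disabled closes the connection, so the read returns nothing or throws.
function Test-Smb1Negotiate {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$TimeoutMs = 3000)
    [byte[]]$header = @(
        0xFF, 0x53, 0x4D, 0x42,     # "\xFFSMB"
        0x72,                       # SMB_COM_NEGOTIATE
        0, 0, 0, 0,                 # Status
        0x18,                       # Flags: canonical paths, case-insensitive
        0x01, 0xC8,                 # Flags2: long names, extended security, NT status, Unicode
        0, 0,                       # PIDHigh
        0, 0, 0, 0, 0, 0, 0, 0,     # SecurityFeatures
        0, 0,   0, 0,               # Reserved, TID
        0xFF, 0xFE,   0, 0,   0, 0  # PIDLow, UID, MID
    )
    [byte[]]$dialect = [byte[]]@(0x02) + [Text.Encoding]::ASCII.GetBytes('NT LM 0.12') + [byte[]]@(0x00)
    [byte[]]$body    = [byte[]]@(0x00) + [BitConverter]::GetBytes([uint16]$dialect.Length) + $dialect  # WordCount=0, ByteCount, dialects
    [byte[]]$smb     = $header + $body
    [byte[]]$packet  = [byte[]]@(0x00, 0x00, 0x00, [byte]$smb.Length) + $smb   # NetBIOS session header (type 0, 24-bit length; 47 here)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, 445)
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $stream.Write($packet, 0, $packet.Length)
        $buf = New-Object byte[] 1024
        $n = $stream.Read($buf, 0, $buf.Length)
        return ($n -ge 9 -and $buf[4] -eq 0xFF -and $buf[5] -eq 0x53 -and $buf[8] -eq 0x72)
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Usage: the read-only steps run; the changes are left for you to uncomment.
Get-Ms17010Status
"SMBv1 server enabled: $(Get-Smb1Enabled)"
# Disable-Smb1Server; Block-PublicSmb
# Test-Smb1Negotiate -ComputerName 192.0.2.10   # constructed documentation address; substitute your own hosts
```

Run `Test-Smb1Negotiate` against a host before and after `Disable-Smb1Server` to confirm the change took from the network side, which is what an attacker on the subnet (or the Internet, if 445 is exposed) actually sees; on Windows 7 and Server 2008 R2 the registry change only takes effect after the LanmanServer service is restarted, so the probe will still return `$true` until then.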