NSA Used EternalBlue Exploit For Five Years Before It Was Leaked

The NSA used the EternalBlue exploit, which is at the heart of WannaCry, for its own purposes for five years before disclosing the vulnerability to Microsoft. The main reason the exploit was eventually disclosed is that its public exposure could have very serious and widespread consequences, given the vast number of vulnerable devices exploitable in the wild (which is exactly what happened when it was repackaged with self-propagating ransomware code).

Some NSA officials, as reported by The Washington Post, discussed how dangerous the exploit was, deliberating on whether to disclose the issue to Microsoft. The intelligence haul from use of the exploit was described by a former NSA employee as “unreal”.

“It was like fishing with dynamite,” said a second.

Brad Smith, Microsoft’s President, compared the NSA’s failure to keep the code secured to “the U.S. military having some of its Tomahawk missiles stolen.”

This is not an isolated incident: the agency suffered a massive data exfiltration in 2013 when contractor Edward Snowden leaked large amounts of secret documents.

A timeline of how we got to the WannaCry ransomware situation we’re currently facing is summarized below:

  1. About 5 years ago: NSA develops initial exploit for zero-day vulnerability dubbed “EternalBlue”

During its early iterations, EternalBlue was prone to crashing systems, so it was nicknamed EternalBlueScreen, after the infamous Blue Screen of Death (BSoD) that Windows systems display when they encounter a fatal system error. Over time the NSA upgraded EternalBlue to mitigate the BSoD issues.

  2. Spring 2014: Obama administration kicks off a new process to vet vulnerabilities among the FBI, the NSA, the CIA, and the Department of Homeland Security
  3. August 2016: ShadowBrokers dump a set of exploits, of which EternalBlue was a part.

Note: These hacking tools are identical to those taken by former NSA contractor Harold T. Martin III, according to former officials.

  4. October 2016: Harold Martin is arrested after the FBI found massive amounts of classified data collections from various agencies.
  5. Between October and January 2016: NSA discloses vulnerability to Microsoft
  6. January 2016: ShadowBrokers announce the auction of dozens of NSA tools
  7. February 2016: Microsoft abruptly cancels February’s scheduled patch release over “last minute issues”
  8. March 2017: Microsoft releases security bulletin MS17-010, which addresses the SMB vulnerability used by WannaCry Ransomware
  9. May 2016: WannaCry gets deployed and causes massive havoc worldwide

The question we should be asking is: What if the Shadow Brokers had released this exploit back in 2014? An NSA employee described it as follows:

“If one of our targets discovered we were using this particular exploit and turned it against the United States, the entire Department of Defense would be vulnerable,” the second employee said. “You just have to have a foothold inside the network and you can compromise everything.”

If that was the position of the DoD as described above, how much more devastating would an earlier leak of this exploit have been to the rest of the world (financial, critical nationwide infrastructure, medical facilities, service industries, etc.)?

References:

The Washington Post  |  ArsTechnica  |  Softpedia

WannaCry Ransomware Causes Havoc Worldwide

The WannaCry ransomware, also known as wncry, has been identified as the malware behind the recent cyberattack on the U.K.’s National Security Agency (NSA). It has infected the systems of at least 16 U.K. trusts and is spreading worldwide. Spain’s computer response team CCN-CERT reported that telecommunications firm Telefonica was hit as well.

What is Ransomware?

Ransomware is a type of malicious software that can prevent you from using your PC normally. Ransomware can stop certain applications from running (e.g. the Web browser), encrypt files on your system and demand that you pay a “ransom” to regain access to your files. However, there is no guarantee that paying will get you access back to your files.

WannaCry Ransomware

The ransomware encrypts files on the infected host and changes their extensions to .wnry, .wcry, .wncry and .wncrypt. The lock screen instructs the user to send around $300 worth of bitcoin to an anonymous address.

Wanna-Decryptor

The attack appears to use the EternalBlue / DoublePulsar exploit against Windows Server Message Block (SMB). Microsoft released a patch for this in March for the following affected operating systems: Windows Vista, 7, 8, 10 and versions of the Windows Server software.

The source of infection has yet to be determined, but it is most likely that it spread via phishing email. Below is an excerpt from a threat analysis done by MalwareBytes:

“…the initial component that gets dropped on systems appears to be a worm that contains and runs the ransomware, spreading itself using the ETERNALBLUE SMB vulnerability (MS17-010).

The WinMain of this executable first tries to connect to the website www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. It doesn’t actually download anything there, just tries to connect. If the connection succeeds, the binary exits.

This was probably some kind of kill switch or anti-sandbox technique… Therefore, nothing will happen on any new system that runs the executable.”

Due to the proliferation and criticality of this attack, Microsoft has made security updates available for unsupported systems that did not receive March’s security update. They had this to say regarding unsupported operating systems in the wake of the WannaCry ransomware attacks:

“We also know that some of our customers are running versions of Windows that no longer receive mainstream support. That means those customers will not have received the above mentioned Security Update released in March. Given the potential impact to customers and their businesses, we made the decision to make the Security Update for platforms in custom support only, Windows XP, Windows 8, and Windows Server 2003, broadly available for download…”

You can read Microsoft’s Customer Guidance for WannaCrypt Attacks here.

The Indicators of Compromise (IOCs) published for this campaign cover IP addresses and ports, domains, and MD5, SHA-1 and SHA-256 hashes.

At the time of this post, there seems to have been a slow-down in the rate of new infections worldwide (live tracking) after security researchers registered the domain that WannaCry attempts to connect to during its initial execution stages.

Countermeasures:

  1. Patch your systems
  2. Back up your data regularly and ensure you keep off-site copies
  3. Be cautious about unsolicited emails and attachments

References:

The Register  |  Wired  |  Naked Security  |  Network World  |  BlueLiv

Handbrake App for Mac Hacked to Spread Spyware!

Handbrake, the popular multi-platform Mac video transcoder, has been infected with a Remote Access Trojan (RAT) that steals login credentials from OSX KeyChain, Apple’s password management system, and browser-stored passwords.

The Trojan is a new variant of the Russian-attributed OSX.Proton. Its capabilities include keylogging, screenshot captures, and webcam control. Apart from stealing data from infected devices, it can also allow attackers to connect remotely via VNC or SSH.

Those who downloaded the app between 2nd May 2017 and 6th May 2017 should verify that their devices are not infected with malware (now would be a good time to get anti-malware software, lol).

The app download file – HandBrake-1.0.7.dmg – hosted on the secondary download mirror (download.handbrake.fr) was replaced by a malicious version that doesn’t match the SHA-1 / SHA-256 hashes on the official Handbrake website or GitHub Wiki. The security warning from Handbrake urges customers to verify the file hashes before running it.

The download mirror has been shut down for further investigation. However, the primary download mirror and the website were unaffected.

If you suspect you have been infected, the first thing to look for is an “activity_agent” process running in the OSX Activity Monitor application; its presence is a sure indication of infection. If your installed HandBrake is earlier than version 1.0, you should verify that your system has not been infected, as the built-in updater in those older releases does not use DSA signature verification. How, you ask?…

First, check for SHA-1 / SHA-256 hashes for the download file as follows:

  1. Open a terminal
  2. Change directory to where you downloaded Handbrake
  3. Run the following command to verify both SHA-1 and SHA-256 hashes:
shasum -a 1 HandBrake-* && shasum -a 256 HandBrake-*

Note: The following checksums are confirmed to correspond to the infected file:

SHA-1: 0935a43ca90c6c419a49e4f8f1d75e68cd70b274

SHA-256: 013623e5e50449bbdf6943549d8224a122aa6c42bd3300a1bd2b743b01ae6793

Secondly, run the following command to verify the GPG Public Key:

gpg --verify filename.xyx.sig

where filename.xyx.sig is the signature file for the downloaded HandBrake binary. The ID should be “HandBrake Team”.

GPG signatures are available here.

Removal procedures are as follows (run in Terminal):

launchctl unload ~/Library/LaunchAgents/fr.handbrake.activity_agent.plist
rm -rf ~/Library/RenderFiles/activity_agent.app

If ~/Library/VideoFrameworks/ contains proton.zip, remove the folder.

Remove any “Handbrake.app” installs you may have.

Be sure to change all the passwords that may be in your OSX KeyChain or any browser-stored passwords to be on the safe side.

There is no word yet on how the attackers were able to compromise the secondary download mirror. However, Apple has updated XProtect to enable detection of the Trojan.

Interestingly enough, the main author of Handbrake is also the author of the Transmission BitTorrent client for Mac. The download mirror for that app was hacked in March 2016 as well; that time, the client was replaced with a version that contained the KeRanger ransomware. To make matters worse, the same download mirror was hacked again, this time with the Keydnap infostealer.

“The HandBrake Team is independent of the Transmission Developers,” HandBrake said in its advisory. “The projects share history in the sense that the same author created these apps but he is not part of the current HandBrake team of developers. We do not share our virtual machines with the Transmission project.”

In the meantime, take a look at the VirusTotal analysis and a comprehensive malware analysis of the new OSX/Proton variant here!

References:

Threat Post  |  Bleeping Computer  |  The Register  |  ZDNet  |  Handbrake Forum