WannaCry Was Not A Phishing Attack

Uploaded on 2017-06-07 in BUSINESS-Services-IT & Telecoms, FREE TO VIEW, GOVERNMENT-Law Enforcement, NEWS-Cybersecurity News

The WannaCry ransomware threat didn’t begin with malware-infected phishing emails as first suspected, according to a new analysis from Malwarebytes.

The security vendor claimed it had been “an easy mistake to make”, but that in reality, the now-infamous campaign began by scanning for vulnerable SMB ports exposed to the public Internet.

Security researchers have had a busy week since the WannaCry ransomware outbreak that wreaked havoc on computers worldwide. 

News of the infection and the subsequent viral images showing everything from large display terminals to kiosks being affected created pandemonium in ways that haven’t been seen since possibly the MyDoom worm circa 2004.

News organisations and other publications were inundating security companies for information to provide to the general public, and some were all too happy to oblige.

Information quickly spread that a malicious spam campaign had been responsible for circulating the malware. This claim will usually be a safe bet, as ransomware is often spread via malicious spam campaigns.

Admittedly, we also first thought the campaign may have been spread by spam and subsequently spent the entire weekend pouring through emails within the Malwarebytes Email Telemetry system searching for the culprit. But like many others, our traps came up empty.

Claims of WannaCry being distributed via email may have been an easy mistake to make. Not only was the malware outbreak occurring on a Friday afternoon, but around the same time a new ransomware campaign was being heavily distributed via malicious email and the popular Necurs botnet. 

Some may have seen the rash of news occurring on their feeds, an uptick in ransomware-themed document malware in their honeypots, and then jumped to conclusions as a way to be first with the news.

Indeed, the ‘ransomworm’ that took the world by storm was not distributed via an email malspam campaign. 

Rather, research shows this nasty worm was spread via an operation that hunts down vulnerable public facing SMB ports and then uses the alleged NSA-leaked EternalBlue exploit to get on the network and then the (also NSA alleged) DoublePulsar exploit to establish persistence and allow for the installation of the WannaCry Ransomware.

We will present information to support this claim by analysing the available packet captures, binary files, and content from within the information contained in the ShadowBrokers dump, and correlating what we know thus far regarding the malware infection vector.Here’s what we know:

EternalBlue

EternalBlue is an SMB exploit affecting various Windows operating systems from XP to Windows 7 and various flavors of Windows Server 2003 & 2008. The exploit technique is known as HeapSpraying and is used to inject shellcode into vulnerable systems allowing for the exploitation of the system. The code is capable of targeting vulnerable machine by IP address and attempting exploitation via SMB port 445. The EternalBlue code is closely tied with the DoublePulsar backdoor and even checks for the existence of the malware during the installation routine.

The ability of this code to beacon out to other potential SMB targets allows for propagation of the malicious code to other vulnerable machines on connected networks. This is what made the WannaCry ransomware so dangerous. The ability to spread and self-propagate causes widespread infection without any user interaction.

DoublePulsar

DoublePulsar is the backdoor malware that EternalBlue checks to determine the existence and they are closely tied together. This particular malware uses an APC (Asynchronous Procedure Call) to inject a DLL into the user mode process of lsass.exe. Once injected, exploit shellcode is installed to help maintain persistence on the target machine. After verifying a successful installation, the backdoor code can be removed from the system.

The purpose of the DoublePulsar malware is to establish a connection allowing the attacker to exfiltrate information and/or install additional malware (such as WannaCry) to the system. These connections allow an attacker to establish a Ring 0 level connection via SMB (TCP port 445) and or RDP (TCP port 3389) protocols.

Putting it all together

The information we have gathered by studying the DoublePulsar backdoor capabilities allows us to link this SMB exploit to the EternalBlue SMB exploit. It’s really not hard to do so as both were patched as part of the MS17-017 Security Bulletin prior to this event, and as previously mentioned, were both released in the well-publicised ShadowBrokers-NSA dumps.

Without otherwise definitive proof of the infection vector via user-provided captures or logs, and based on the user reports stating that machines were infected when employees arrived for work, we’re left to conclude that the attackers initiated an operation to hunt down vulnerable public facing SMB ports, and once located, using the newly available SMB exploits to deploy malware and propagate to other vulnerable machines within connected networks.

Developing a well-crafted campaign to identify just as little as a few thousand vulnerable machines would allow for the widespread distribution of this malware on the scale and speed that we saw with this particular ransomware variant.

So what did we learn?

Don’t jump to conclusions. Malware analysis is difficult and it can take some time to determine attribution to a specific group, and/or to assess the functionality of a particular campaign, especially late on a Friday (which BTW, can all you hackers quit making releases on Fridays!!). First, comes stopping the attack, second comes analyzing the attack. Remember, patience is a virtue.

Update, update, UPDATE! Microsoft released patches for these exploits prior to their weaponisation. Granted, patches weren’t available for all Operating Systems, but the patch was available for the vast majority of machines. 

This event even forced Microsoft to release a patch for the long-ago EOL Windows XP, which gets back to the first thing that was said. UPDATE! Why are there still machines on XP!? These machines are vulnerable (beyond this attack) to the ransomware functionality of this attack and they need to be updated.

Disable unnecessary protocols. SMB is used to transfer files between computers. The setting is enabled on many machines but is not needed by the majority. Disable SMB and other communications protocols if not in use.

Network Segmentation is also a valuable suggestion as such precautions can prevent such outbreaks from spreading to other systems and networks, thus reducing exposure of important systems. Finally, don’t horde exploits. Microsoft president Brad Smith used this event to call out the ‘nations of the world’ to not stockpile flaws in computer code that could be used to craft digital weapons.

Malwarebytes:       Infosecurity-Magazine:

You Might Also Read: 

Microsoft Tech-Support Using WannaCry:

Protect Yourself Against Ransomware:

Ignoring Software Updates…:

 

« Sun Tzu's Art of Cyberwar
N. Korea Fires Another Ballistic Missile »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Stratogent

Stratogent

Stratogent does IT and Cybersecurity operations. We specialize in high-touch and high-change IT environments, especially in the biotech and pharma industry verticals.

OCERT

OCERT

OCERT is the National Computer Emergency Response Team of Oman.

Paramount Computer Systems

Paramount Computer Systems

Paramount is a regional leader in the Middle East for cybersecurity solutions and consulting services.

Norton Rose Fulbright

Norton Rose Fulbright

Norton Rose Fulbright is a global business law firm. Practice areas include Data protection, Privacy and Cybersecurity.

Dispersive Networks

Dispersive Networks

Dispersive Virtual Network is a carrier-grade software-defined programmable network that is inspired by battlefield-proven wireless radio techniques.

Snyk

Snyk

Snyk is the leader in developer security. We empower the world’s developers to build secure applications and equip security teams to meet the demands of the digital world.

National Digital Exploitation Centre (NDEC) - United Kingdom

National Digital Exploitation Centre (NDEC) - United Kingdom

NDEC is a project to create a centre of cyber and digital development and education for the UK. It will offer training in digital practices, cyber security and research.

PSYND

PSYND

PSYND is a Swiss consultancy company based in Geneva specialized in CyberSecurity and Identity & Access Management.

Secure Blockchain Technologies (SBT)

Secure Blockchain Technologies (SBT)

SBT is a team of Enterprise IT Security Professionals weaving security and Blockchain Technology into our customer’s operational fabric.

Next47

Next47

Next47 is a global venture firm, backed by Siemens, committed to turning today's impossible ideas into tomorrow's indispensable industries.

NodeSource

NodeSource

NodeSource helps organizations run production-ready Node.js applications with greater visibility into resource usage and enhanced awareness around application performance and security.

e5 Lab

e5 Lab

e5 Lab seeks to develop solutions to challenges faced by the shipping industry including digital transformation, autonomous technologies and big data in order to promote safe and efficient operations.

Altospam

Altospam

Altospam is a full service corporate email protection, integrating multiple security levels for your emails.

Block Harbor Cybersecurity

Block Harbor Cybersecurity

Block Harbor has worked closely with automakers, suppliers, and regulators since 2014 on vehicle cybersecurity.

Solcon Capital

Solcon Capital

Solcon Capital is a forward-looking, technology-focused investment firm that is committed to identifying and investing in the most promising areas of innovation and development in the tech industry.

RealDefense

RealDefense

RealDefense develops and markets various privacy, security and optimization technologies and services for consumers and small businesses.