is an internet portal focused on computer security, hacking, anonymity, computer networks, programming, encryption, exploits, Linux and BSD systems. It runs many interesting services and supports its fans in interesting projects.


Critical Code Injection Flaw In Gnome File Manager Leaves Linux Users Open to Hacking

The Hacker News - 20 July 2017 - 12:54
A security researcher has discovered a code injection vulnerability in the thumbnail handler component of GNOME Files file manager that could allow hackers to execute malicious code on targeted Linux machines. Dubbed Bad Taste, the vulnerability (CVE-2017-11421) was discovered by German researcher Nils Dagsson Moskopp, who also released proof-of-concept code on his blog to demonstrate the
Category: Hacking & Security

BSidesLV: What’s on the agenda in Las Vegas

Sophos Naked Security - 20 July 2017 - 12:36
Dropping in to BSidesLV while you're in Vegas? Come and see our data scientists talk about machine learning and the threats there - we'd love to say hi

Anyone flying to the USA must prepare for a strict inspection of electronics. Checks have tightened - security - 20 July 2017 - 11:52
People heading to the USA can expect longer waits after arriving in the country. On Wednesday, the first of the regulations of the US Department of Homeland Security came into force, under which the electronics of every person travelling to the land of the free must be strictly inspected. This means that people at ...
Category: Hacking & Security

A King’s Ransom It is Not

Kaspersky Securelist - 20 July 2017 - 11:00

The first half of 2017 began with two intriguing ransomware events, both partly enabled by wormable exploit technology dumped by a group calling themselves “The ShadowBrokers”. These WannaCry and ExPetr ransomware events are the biggest in the sense that they spread the quickest and most effectively of known ransomware to date. With this extraordinary effectiveness and speed, one might expect that at least one of the groups would walk away with a very large cash haul. But that is not the case.

King Richard the I, held for a King’s Ransom of 100,000 marks. The largest ransom in known history. At the time, twice England’s GDP

Both of these incidents were carried out by two very different groups that appear to have been capable of obtaining, but minimally interested in, a king’s ransom. This missing financial motivation is strange, considering the royal capabilities of the exploits that they used to deploy their ransomware.

Also unusual, and preceding and relevant to these 2017 ransomware events, is that groups carrying out aggressive, destructive acts were more straightforward about the matter. We first posted our destructive BlackEnergy (BE) findings in 2014, along with discussion of their “dstr” plugin and odd DDoS features. Allegedly BE later took down large parts of the electrical grid in Ukraine for almost a half day. Later we described the Destover components used in the worm-enabled, destructive, politically motivated Sony incident. And Shamoon and StonedDrill have been pushed in the Middle East around turbulent political situations as well. These components were all wiper technology, delivered in a very intentional and destructive manner. It’s interesting that these spectacles all coincided with large political events and interests. So this new need to cloak their destructive activity or sabotage is an interesting shared change in tactics.

WannaCry Deployment

WannaCry deployment efforts began much earlier than has been publicly discussed. Our private report subscribers received early information that the attackers were spearphishing targets globally by at least March 14th. These messages contained links to files hosted at file sharing services. When clicked, the link led to what recipients thought were resumes related to job applications with a filename “” containing “Job Inquiry – Resume 2017.exe”.

This executable maintained a modified Adobe pdf file icon, and dropped both more malware (droppers and downloader chains that later led to WannaCry installations) and immediately opened decoy job applications. Here is an image of one of the decoys. While we couldn’t find it online, it may be a rip of a legitimate document:

Most of these targets were soft (likely to run the exe and likely did not have advanced network defense programs in place), their locations dispersed globally, and their organizations’ profiles inconsistent.

The group attempted to deploy the first version of WannaCry ransomware to these and various other targets over the next two months, with no success or observable effort to collect bitcoin from this activity. And, even after the ETERNALBLUE spreader exploit with the DOUBLEPULSAR code and its oddly mistaken kill switch likely was hastily added to the ransomware, the attackers did not focus much more development or attention on collecting bitcoin. At one point, the actor sent a light set of messages encouraging users to pay BTC to their wallet.

This sort of inexpensive, two month long activity also may tell us a bit about the actor, their capabilities, and their interests — slow, practical, and somewhat hiding their interests in a very odd way.

While the Sony incident demonstrated the theft and use of stolen credentials and reliable lateral movement, even that credential theft itself required little effort on the part of the attackers. Entire spreadsheets of admin passwords were left open on network shares. Bizarre permission configurations were maintained within the network. The actor had little to do in order to spread a wiper with its audio-video payload to lob oddball jibes at Sony and its executives, and post pastebin threats at movie-goers and share the company’s dirty laundry over p2p. Understanding and co-opting a software update infrastructure was unnecessary in the Sony incident. But a low-tech worming component was also built into the toolset, highly effective most likely because of a low security environment, not because of a previously 0day component.

ExPetr Deployment

ExPetr deployment was sharp, advanced, and technically agile. The group precisely targeted a major accounting software supplier to Ukrainian organizations. They also compromised a news website in UA to further waterhole targets outside the reach of the M.E.Doc network.

Once inside the M.E.Doc network, they gained access to the software update infrastructure and used that access to further steal credentials within target customer organizations. It’s interesting that delivery of the original poisoned installer occurred in April, and the large scale wiping event occurred much later. Also, not all systems receiving attempted Telebot deployments later received an ExPetr deployment. And, not all systems receiving attempted ExPetr deployments had previously received an attempted Telebot deployment.

Oddly, the two-month delay in delivering the worm-enabled ExPetr variant is unexpectedly similar to the delay we saw with WannaCry. Later, they delivered the WMI/PsExec/ETERNALBLUE/ETERNALROMANCE-weaponized ExPetr sabotage variant. But in a substantial advance from WannaCry, even if Windows systems were patched, the attackers had stolen credentials for effective lateral movement and could wipe/crypt target systems. This addition also tells us that this attacker wanted to focus on effectively operating within the confines of Ukrainian-connected organizations. The worming components also didn’t generate random network connections outside of the target networks. The variant included both native win64 and win32 MSVC-compiled Mimikatz-inspired components dropped to disk and run, stealing passwords for maximum privilege and spread, like those for domain admin and various network service accounts.

The ExPetr attackers apparently did not return with widely spread taunts or messages for their targets, or drag out the incident by requesting BTC transactions for disk decryption.

Comparison Table

| | WannaCry | ExPetr |
|---|---|---|
| Spearphishing | Yes – dependent | Minimal (if any) – reported initial entry |
| Waterholing | No | Yes |
| Supply side server compromise | No | Yes |
| Capable of developing wormable exploit | No | Seemingly not |
| Initial activity | March 14 | April 15 |
| Ransomware/wiper spread date | May 12 (two months later) | June 27 (two months later) |
| Targeting | Global and opportunistic | Focused primarily within one country |
| ETERNALBLUE | Yes | Yes |
| ETERNALROMANCE | No | Yes |
| DOUBLEPULSAR | Yes | Yes (minor modification) |
| Advanced credential theft and spreading | No | Yes |
| Advanced anti-malware evasion | No | Yes |
| Wiper functionality | No | Yes |
| Properly implemented crypto | No | Yes |
| Rushed mistakes | Unregistered kill switch domain | Not really – possibly MBR overwrite algorithm (unlikely) |
| Financial draw | No | Minimal |
| Code sharing with other projects | Yes | Yes |

The recent ETERNALBLUE/ETERNALROMANCE/DOUBLEPULSAR-enabled WannaCry and ExPetr incidents share similarities. Not in the sense that they were carried out by the same actor; it is most likely that they were not. One APT was rushed, opportunistic, not as technically capable as the other, while the other APT was practical, agile, and focused. But we are at the start of a trend emerging for this unusual tactic – APTs camouflaging destructive targeted activity behind ransomware.

More info:
Ransomware in targeted attacks
PetrWrap: the new Petya-based ransomware used in targeted attacks

Best of Black Hat: 20 Epic Talks in 20 Years - 20 July 2017 - 10:55
This year marks the 20th anniversary of Black Hat, the information security conference founded by Jeff Moss in 1997. What began as a single meetup in Las Vegas has expanded around the world to host events in the United States, Europe, and Asia.
Category: Hacking & Security

Russian man who helped create notorious malware sentenced to 5 years - 20 July 2017 - 10:52
A Russian man who helped create and spread the notorious Citadel malware back in 2011 was sentenced Wednesday to five years in prison by a federal judge in Atlanta.
Category: Hacking & Security

Hackers Stole $32 Million in Ethereum; 3rd Heist in 20 Days

The Hacker News - 20 July 2017 - 10:13
An unknown hacker has just stolen nearly $32 million worth of Ethereum – one of the most popular and increasingly valuable cryptocurrencies – from Ethereum wallet accounts linked to at least three companies that seem to have been hacked. This is the third Ethereum cryptocurrency heist that came out two days after an alleged hacker stole $7.4 million worth of Ether from trading platform
Category: Hacking & Security

Senator Calls For Use Of DMARC To Curb Phishing

Threatpost - 19 July 2017 - 21:46
Senator Ron Wyden is pushing to mandate government-wide use of the email authentication protocol DMARC “to ensure that hackers cannot send emails that impersonate federal agencies.”
Category: Hacking & Security

News in brief: moving Segway hacked; Google Glass resurrected; 308 Oracle fixes

Sophos Naked Security - 19 July 2017 - 20:53
Your daily round-up of some of the other stories in the news

Russian man who helped create notorious malware sentenced to 5 years

Ars Technica - 19 July 2017 - 20:03

Mark Vartanyan, seen here in 2014. (credit: Mark Vartanyan / Instagram)

A Russian man who helped create and spread the notorious Citadel malware back in 2011 was sentenced Wednesday to five years in prison by a federal judge in Atlanta.

According to the Associated Press, Mark Vartanyan will receive two years' credit for time already served in Norway, where he had been living previously. He was extradited to the United States in December 2016 and was arraigned and pleaded guilty to hacking charges in March 2017. Vartanyan had apparently been helping prosecutors with their investigation "from the start."

In September 2015, another Russian man, Dimitry Belorossov, was sentenced to 4.5 years on similar charges. In 2014, Ars reported how the malware was being used to target password managers and financial data.


Category: Hacking & Security

Windows security hole – the “Orpheus’ Lyre” attack explained

Sophos Naked Security - 19 July 2017 - 18:27
A long-standing bug in the network authentication protocol called Kerberos led to a security hole in Windows, Linux and more.

Hackers Could Easily Take Remote Control of Your Segway Hoverboards

The Hacker News - 19 July 2017 - 18:07
If you are a hoverboard rider, you should be concerned about yourself. Thomas Kilbride, a security researcher from security firm IOActive, has discovered several critical vulnerabilities in Segway Ninebot miniPRO that could be exploited by hackers to remotely take "full control" over the hoverboard within range and leave riders out-of-control. Segway Ninebot miniPRO is a
Category: Hacking & Security

Myspace bug left old accounts vulnerable to attack

Sophos Naked Security - 19 July 2017 - 17:57
Myspace is still there, and so's your old account

Modified Versions of Nukebot in Wild Since Source Code Leak

Threatpost - 19 July 2017 - 15:56
Criminals have made use of the leaked source code for the Nukebot banking Trojan, crafting modified versions of the malware to target banks in the U.S. and France.
Category: Hacking & Security

Police bodycams get tech that can identify “faces and people”

Sophos Naked Security - 19 July 2017 - 13:34
Bodycams aimed at law enforcement will soon be able to identify stolen bicycles, missing children and other "objects of interest".

WikiLeaks Reveals CIA Teams Up With Tech to Collect Ideas For Malware Development

The Hacker News - 19 July 2017 - 13:08
As part of its ongoing Vault 7 leaks, the whistleblower organisation WikiLeaks today revealed information about a CIA contractor responsible for analysing advanced malware and hacking techniques being used in the wild by cyber criminals. According to the documents leaked by WikiLeaks, Raytheon Blackbird Technologies, the Central Intelligence Agency (CIA) contractor, submitted nearly five such reports to
Category: Hacking & Security

Want porn? Prove your age (or get a VPN)

Sophos Naked Security - 19 July 2017 - 12:30
The UK government plans to put age verification in front of pornographic websites from April 2018

Zero-Day Exploit Surfaces that May Affect Millions of IoT Users - 19 July 2017 - 12:14
Millions of IoT devices relying on widely used third-party toolkit gSOAP could face a zero-day attack, security firm Senrio disclosed Tuesday, which dubbed the vulnerability Devil's Ivy.
Category: Hacking & Security