Joined: 25 Jul 2005
Location: St. Pauls, Bristol, England
Posted: Mon May 15, 2017 10:41 am Post subject: 74 countries hit by NSA-powered WannaCrypt ransomware
74 countries hit by NSA-powered WannaCrypt ransomware backdoor: Emergency fixes emitted by Microsoft for WinXP+
All you need to know – from ports to samples
Game over ... Screenshot from a WannaCrypt-infected PC
13 May 2017 at 00:16, Iain Thomson
Special report: The WannaCrypt ransomware worm, aka WanaCrypt or Wcry, today exploded across 74 countries, infecting hospitals, businesses including FedEx, rail stations, universities, at least one national telco, and more organizations.
In response, Microsoft has released emergency security patches to defend against the malware for unsupported versions of Windows, such as XP and Server 2003, as well as modern builds.
To recap, WannaCrypt is installed on vulnerable Windows computers by a worm that spreads across networks by exploiting a vulnerability in Microsoft's SMB file-sharing services. It specifically abuses a bug designated MS17-010 that Redmond patched in March for modern versions of Windows, and today for legacy versions – all remaining unpatched systems are therefore vulnerable and can be attacked.
This bug was, once upon a time, exploited by the NSA to hijack and spy on its targets. Its internal tool to do this, codenamed Eternalblue, was stolen from the agency, and leaked online in April – putting this US government cyber-weapon into the hands of any willing miscreant. Almost immediately, it was used to hijack thousands of machines on the internet.
Now someone has taken that tool and strapped it to ransomware: the result is a variant of WannaCrypt, which spreads via SMB and, after landing on a computer, encrypts as many files as it can find. It charges $300 or $600 in Bitcoin to restore the documents. It is adept at bringing offices and homes to a halt by locking away their data.
And it installs Doublepulsar, a backdoor that allows the machine to be remotely controlled. That's another stolen NSA tool leaked alongside Eternalblue. The malware is also controlled via the anonymizing Tor network by connecting to hidden services to receive further commands from its masters.
Fortunately, a kill switch was included in the code. When it detects that a particular web domain exists, it stops further infections. That domain was created earlier today by a UK infosec bod, who spotted the dot-com in the reverse-engineered binary; that registration was detected by the ransomware, which immediately halted its worldwide spread.
Connections to the magic domain – iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com – were sinkholed to a server in California, and the admins of the infected systems reaching out to the dot-com will be notified, we're told. "IP addresses from our sinkhole have been sent to FBI and ShadowServer so affected organisations should get a notification soon," said the researcher. The infosec bod admitted they registered the domain first, then realized it was a kill switch. Still, job done.
Here are some quick links to much more technical details we've gathered:
Cisco's Talos team has dissected the malware, describing its components.
A scrapbook page linking to samples of the malware, its command-and-control addresses, Bitcoin wallet addresses for ransoms, and so on.
A decrypted sample of the software nasty is here.
An exploit for MS17-010 written in Python with example shellcode. This is based on the Eternalblue tool stolen from the NSA, and was developed by infosec biz RiskSense. It reveals that the SMB server bug is the result of a buffer overflow in Microsoft's code. A 32-bit length is subtracted into a 16-bit length, allowing an attacker to inject more data than they should into the networking service and ultimately hijack the system. Disabling SMBv1 disables the bug, and is recommended in any case. You should also firewall off SMB ports 139 and 445 from the outside world, and restrict access to the service where possible on internal networks.
You can track infections in real time, here. There are at least 104,000 identified infected hosts worldwide.
MalwareBytes has a study of the worm component, here.
Microsoft has advice for customers, here. There are also emergency patches for operating systems as far back as Windows XP, here. Please install them if you need to.
The software nasty has today ransacked the UK's national healthcare service, forcing hospitals to shut down to non-emergency patients; torn through Spanish telco Telefónica; and many other organizations. In what is looking like one of the biggest malware attacks in recent memory, the bulk of the infections are in Russia – including the state's interior ministry; the virus has claimed high-profile targets around the world.
♪ Been around the world and I–I–I, I can't find my data ... Source: Kaspersky Lab
We're told 16 NHS health trusts in the UK were taken out by the malware. Prime Minister Theresa May said the code "has crippled" Brit hospitals, and that Blighty's surveillance nerve center GCHQ is looking into the outbreak. The NHS is thought to have been particularly hard hit because of the antiquated nature of its IT infrastructure. A large part of the organization's systems are still using Windows XP, which is no longer supported by Microsoft, and Health Secretary Jeremy Hunt cancelled a pricey support package in 2015 as a cost-saving measure.
Computers were locked in Aintree, Blackpool, Broomfield Hospital in Essex, Colchester General Hospital, all hospital systems in Derbyshire, Great Yarmouth, East and North Hertfordshire, James Paget hospital in Norfolk, Lanarkshire, and Leicester.
US companies have also been hit. FedEx told The Reg: "Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware. We are implementing remediation steps as quickly as possible. We regret any inconvenience to our customers." Essentially, staff have been told to turn off their non-critical systems, and to keep it that way until the mess is cleaned up – which could take the whole weekend, or longer.
Meanwhile, Scottish Power was also reported as hit, but it told us that it just took down some non-essential systems as a precaution. Germany's rail system was infected, it appears.
To counter the spread of the malware, security firms pushed out file and network traffic signatures to detect the ransomware-worm hybrid's presence and kill it. Microsoft was quick off the ball, emitting signatures for the malware for its systems.
"Today our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt," a Microsoft spokesperson told The Reg.
"In March, we provided a security update which provides additional protections against this potential attack. Those who are running our free antivirus software and have Windows Update enabled, are protected. We are working with customers to provide additional assistance."
NSA exposure puts us all at risk
As described above, the worm uses the EternalBlue and DoublePulsar exploits swiped from the NSA's arsenal of hacking tools. It would have been great if the bugs targeted by the agency had been patched years ago; instead, they were fixed by Microsoft in March just before the Shadow Brokers dumped the programs online in April. We assume either the NSA or the brokers tipped off the Redmond giant so that updates to kill off the SMB bug could be pushed out before the exploits publicly leaked.
So, yes, Microsoft issued security fixes to address the vulnerabilities attacked by those cyber-weapons, but as is the way with users and IT departments big and small, not everyone has patched, or can patch, and they are now paying the price. The initial infection point appears to be spear-phishing emails, thrown at people within organizations, with the malware hidden in attachments that, when opened, trigger a cyber-contagion on the internal network. The malware is a hybrid design that has a worm element, allowing it to spread through internal structures for maximum effect.
According to an analysis by Payload Security, the malware drops a number of programs on the system, including Tor, and adds itself to the Windows Registry so it persists across reboots. It can fetch software modules to gain new abilities, and uses various techniques to hinder reverse-engineering: decrypted samples of the executables are available from the above links.
The code encrypts a wide variety of documents on a computer, including any attached storage, and snatches any keys for remote-desktop access. It deletes volume snapshots, and disables system repair tools. It also scans the infected system's settings to work out the user's language, and pulls up a ransom demand in the correct lingo for the victim. It changes the desktop backdrop, too, to grab the victim's attention.
According to a study by Kaspersky, it appears the malware controllers are getting greedier as infection rates grow. The initial infections asked for $300 worth of Bitcoin; however, later infection notices have upped this price to $600. A check on the Bitcoin strings shows a few thousand dollars' worth of Bitcoin have already been sent to the criminals.
"We have recorded more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia," said Kaspersky's research team.
"It’s important to note that our visibility may be limited and incomplete and the range of targets and victims is likely much, much higher."
What is to be done?
This is just the first wave: there is nothing stopping someone from making a new worm that attacks the MS17-010 bug to silently compromise vulnerable systems, or adapting the WannaCrypt binaries to cause more damage.
So, what's the solution? If you're already infected then there's not a lot you can do other than wipe the system and reinstall from offline unaffected backups – if you have them.
It's possible that the malware writers will have screwed up and put the decryption key in the code itself – such slip-ups have happened in the past. Researchers are picking the code apart byte by byte trying to find such clues, but this looks like a reasonably sophisticated piece of software so that's a long shot.
If you haven't been infected, make sure your security patches are up to date. Kill off SMBv1 at the very least, and block access to it from outside your network. The exploits the malware uses have already been patched, and there's no excuse for getting caught out as a private user. It's understandable that IT managers with annoying corporate policies and heavy workloads have been forced to hold back patches, or are unable to apply them. If you can update your installations, drop everything and get patching.
And we'd sure appreciate it if you could stop clicking on attachments from unknown parties, too. ®
"The maintenance of secrets acts like a psychic poison which alienates the possessor from the community" Carl Jung
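The length-truncation bug the article above summarises ("a 32-bit length is subtracted into a 16-bit length"), as an added illustration in C that is not part of the original article and is not Microsoft's srv.sys code. It models a constructed length-prefixed record list, shows the 32-bit total being written into a 16-bit field so that the copy which follows runs past its buffer, and places the bounds-checked version beside it. The record layout, the function names and the two sample lists are assumptions made for this illustration; the real SMB extended-attribute structures and the real exploit differ.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed record format (an assumption for this example): each record
 * is a 2-byte name length, a 2-byte value length, then the bytes themselves.
 * It stands in for a length-prefixed list such as the SMB extended-attribute
 * list the article mentions; it is not the real on-wire structure. */
typedef struct {
    uint16_t name_len;
    uint16_t value_len;
} rec_hdr;

#define REC_HDR_SIZE ((uint32_t)sizeof(rec_hdr))

/* Real size of the list, computed at full 32-bit width. */
static uint32_t list_size32(const rec_hdr *recs, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += REC_HDR_SIZE + recs[i].name_len + recs[i].value_len;
    return total;
}

/* VULNERABLE: the 32-bit total is stored back into a 16-bit size field.
 * The high 16 bits are discarded, so a list whose real size is 0x20004
 * bytes is recorded as 4 bytes. */
uint16_t vuln_recorded_size(const rec_hdr *recs, size_t n)
{
    uint16_t recorded = (uint16_t)list_size32(recs, n); /* truncation */
    return recorded;
}

/* Models the copy that follows: a buffer sized from `recorded` receives the
 * real list. Returns 1 when that copy would run past the end of the buffer,
 * which is the condition a heap-overflow exploit relies on. */
int copy_would_overflow(const rec_hdr *recs, size_t n, uint32_t recorded)
{
    return list_size32(recs, n) > recorded;
}

/* HARDENED: accumulate at full width, guard the 32-bit sum against wrap,
 * and refuse any list whose total does not fit the field it is stored in.
 * Returns 0 on success (size in *out), -1 when the list is rejected. */
int safe_recorded_size(const rec_hdr *recs, size_t n, uint16_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t rec = REC_HDR_SIZE + recs[i].name_len + recs[i].value_len;
        if (total > UINT32_MAX - rec)   /* 32-bit wrap guard */
            return -1;
        total += rec;
        if (total > UINT16_MAX)         /* would not fit the 16-bit field */
            return -1;
    }
    *out = (uint16_t)total;
    return 0;
}

/* Constructed sample inputs: two oversized records (each 0x7FFF + 0x7FFF
 * bytes of payload, 0x10002 bytes with header) and a small legitimate list. */
static const rec_hdr big_list[2]   = { {0x7FFF, 0x7FFF}, {0x7FFF, 0x7FFF} };
static const rec_hdr small_list[2] = { {4, 12}, {8, 100} };

/* Demo entry points over the constructed lists. */
uint16_t demo_vuln_big(void)  { return vuln_recorded_size(big_list, 2); }
int demo_overflow_big(void)   { return copy_would_overflow(big_list, 2, demo_vuln_big()); }
int demo_safe_big(void)       { uint16_t s; return safe_recorded_size(big_list, 2, &s); }
int demo_safe_small(void)     { uint16_t s; return safe_recorded_size(small_list, 2, &s) ? -1 : (int)s; }
int demo_overflow_small(void) { return copy_would_overflow(small_list, 2, vuln_recorded_size(small_list, 2)); }

int main(void)
{
    printf("big list: real size 0x%x, recorded as %u, copy overflows: %d, hardened verdict: %d\n",
           list_size32(big_list, 2), demo_vuln_big(), demo_overflow_big(), demo_safe_big());
    printf("small list: hardened size %d, copy overflows: %d\n",
           demo_safe_small(), demo_overflow_small());
    return 0;
}
```

The point to take from the two versions is that the width of the field the size is stored in, not the width it is computed at, is what the allocation trusts; the hardened function rejects the list at the point where the total first exceeds what the field can hold, rather than letting a silently shortened size reach the allocator.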
Posted: Sat May 20, 2017 1:03 pm Post subject:
|British Nuclear Submarines, Microsoft and That Ransomware Attack
By Graham Vanbergen
Global Research, May 15, 2017
True Publica 14 May 2017
The BBC has reported that the recent ransomware attack hit 100 countries. Cyber-security firm Avast said it had seen 75,000 cases of the ransomware – known as ‘WannaCry’ and variants of that name – around the world. Russia was hit the worst. State-owned organisations such as health care, railway systems, water and electricity seemed to be the targets of choice, along with telecoms infrastructure and energy suppliers, postal services, education services and financial institutions.
The infections seem, by all accounts, to be deployed via a worm – a program that parasitically spreads by itself between computers with alarming speed and effectiveness. So fast, that this cyber-attack had the potential to hit critical infrastructure that supports human life and disable it in under one day for over 3 billion people. The demands by the cyber-criminals were simple – they wanted electronic money such as BitCoin to unlock the data.
Microsoft was the only fully vulnerable operating system and said it was pushing out automatic Windows updates to defend clients from WannaCry.
Who are the culprits? The BBC blame hackers known as ‘The Shadow Brokers’, who made it freely available in April, saying it was a “protest” about US President Donald Trump.
But let’s not forget who the really big culprits are here. The American and British governments are at total fault. They both fund the NSA and GCHQ. Both advocate government snooping and spying into every citizen of the world, let alone their own. Both advocate the banning of secure encryption communication services and both have spent millions on developing tools to hack and crack these systems at will.
The NSA in America lost all of these hacking tools, specifically the one that caused this attack and subsequent mayhem across the world. The hackers exploited a piece of NSA code known as “Eternal Blue.”
From Wikileaks Vault7 Files:
“Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”
British Ex ambassador Craig Murray:
“The arms race between major powers to develop cyber warfare and cyber surveillance capacity is a massive threat to the security of the internet. It is the very governments who most like to claim they need to intervene to protect us, who are in fact creating the dangers they cite. This is NSA software; WikiLeaks “Vault 7” leak has revealed the similar massive effort at the CIA in developing destructive software.
That is not to say the NSA or US government is behind this worldwide attack. But it is to say that western governments are spending billions of pounds on developing malware, which they cannot themselves keep safe. This should be viewed in the same light as chemical weapons programmes. Urgent international action to outlaw weaponised malware development should be a priority for the international community, as the danger to increasingly IT dependent services is extreme. The United States is the biggest aggressor and the biggest danger.”
I have stated for some time now in numerous articles that our own government are becoming our biggest enemies today. Far from being killed by a crazy swivel-eyed black flag waving extremist brandishing a scimitar with a Semtex vest, the likelihood is that a cyber-attack will disable critical services or that your personal data will be stolen causing absolute chaos to normal life.
In Britain, Theresa May was Home Secretary for 6 years. She was, and as PM still is responsible for the cyber-defences of the country. The mainstream press have not mentioned once that Theresa May has failed to protect Britain in any tangible way from this attack.
And as Craig Murray continues:
“Underfunded NHS Trusts have privatised IT management and outsourced the control and security of their computer systems to contractors, as part of the general rip-up of the NHS to provide private profit. These companies are more interested in maximising profits than safeguarding against contingent attacks. Very few NHS Trusts now employ their own NHS team of dedicated computer specialists maintaining and caring for their systems, including their defences.
Corporate profits have been great though. Remember that extraordinary numbers of MPs have financial links to private healthcare firms. If the Tories win a landslide, doubtless the numbers of MPs personally profiting from NHS privatisation will increase still further.”
But it gets potentially worse than cancelled operations and emergency ambulances being sent in the wrong direction. It’s possibly worse than people dying in corridors of hospitals when, metaphorically speaking, the lights go off.
In 2008, the UK’s nuclear submarines were fitted out with exactly the same systems that have just been involved in this cyber-attack.
From a 2008 article – The Register:
Royal Navy completes Windows for Submarines™ rollout
“The programme is called Submarine Command System Next Generation (SMCS NG), and uses varying numbers of standard multifunction consoles with two LCD screens, hooked up on an internal Ethernet network installed on each sub. Initial reports as the programme developed suggested that the OS in question would be Windows 2000, but those who have worked on it have since informed the Reg that in fact it is mostly based on XP.”
Windows were so chuffed at “Windows for Submarines” they even advertised the fact to the entire world (HERE)
“Windows for Submarines is the programme undertaken by the Royal Navy and BAE Systems to equip the nuclear-propelled and nuclear-armed warship fleet with a Windows-based command system. The transition to the Windows for Submarines command system on HMS Vigilant, a Trident nuclear missile submarine, was completed in just 18 days.”
This Microsoft blog is an open forum and even then an incredulous audience were questioning such a decision. Here are the first four reactions of dozens of responses.
Omar Amer December 18, 2008 at 4:27 am: I have to ask in all seriousness – why was windows chosen over unix or linux? Granted a nuclear sub is a very mission critical operation – which is exactly why I’m bewildered at the choice of windows operating system. please shed some light on this.
Russell Quinn December 18, 2008 at 6:31 am: 18 days? You guys tested this right?
Mjoo December 18, 2008 at 7:56 am: And what about the future when Windows 2000 and XP security is no longer supported? (Which by the look of it is right around the bend)
Reno December 18, 2008 at 8:57 am: What about the blue screen of death? What about fatal boot error due to ntfs corruption? Yikes !
Don’t think anything could possibly go wrong when a British Trident submarine, fitted with American manufactured (and maintained) nuclear warheads – managed via American developed software infected with American hacking tools when the red button is pushed? Think again.
MPs accuse Theresa May of covering up Trident malfunction
The Guardian wrote that Theresa May was
“under pressure to come clean in the House of Commons about the failure of a Trident missile test after MPs accused her of covering up the truth before a crucial parliamentary vote on renewing the nuclear deterrent.”
There was a catastrophic test-firing of the UK’s Trident II D5 ballistic missile in June last year off the coast of Florida. This was not some revolutionary new development still at the experimental stage.
The missile completed its design stage in 1989 and was deployed a year later. Nor was the Vanguard-class nuclear submarine that fired it, HMS Vengeance, new. It has been in service since 1999. So there should not have been the kind of malfunction that saw the missile targeted in the direction of west Africa head off in the opposite direction towards the US mainland. Any teething troubles should have been worked out long ago.
The Ministry of Defence said:
“The problem appears to have involved telemetry data, information gathered from various points and fed to the missile. There seems to have been a communication breakdown involving directional data.“
This is the same submarine class that was fitted with ‘Windows for Submarines’. In other words, the outdated software failed. Microsoft stopped supporting the MS XP system completely in 2014.
Think about that just for a moment. A nuclear missile was actually fired from a British submarine, albeit without being armed, and instead of heading towards Africa it went speeding off in the wrong direction towards America – a nation of warmongers, who themselves have 5,000 world obliterating nuclear weapons on a hair-trigger. Thankfully, the ‘abort mission’ button worked.
The original source of this article is True Publica
Copyright © Graham Vanbergen, True Publica, 2017