As you already know, a few days ago a global cyber pathogen spread across Europe: a cryptolocker-type malware called WannaCry. We thought we would share what exactly happened and how the US dodged the bullet...
WannaCry was a cryptolocker-type malware that exploited a Windows vulnerability called EternalBlue, which allowed malefactors to gain remote access to computers and install an encryptor that would hold data hostage until a time-limited bitcoin ransom of $300 (doubling after 7 days) was paid. Although anyone diligent with their updates was immune, since Microsoft had patched the flaw in security update MS17-010, dated March 14 of this year, many were exposed, as evidenced by the thousands of infected machines across Europe. Such as it is, many people don't keep up with Microsoft's updates.
Meanwhile, a researcher looking at its code subsequently provided a virtual kill switch that stopped the global cyber assault from spreading in the U.S. this weekend, but before the brake was thrown thousands of computers in Europe and Russia were affected and ransoms were demanded. Experts were bracing for a new attack.
A UK security researcher who goes by the handle @MalwareTech late last week inadvertently saved the day when he registered a domain whose address he spotted in the WannaCry malware, a move that resulted in a kill switch effect, instructing the malware to stand down on the infected machines.
His actions accidentally triggered a sandbox check built into the malware. For those not familiar with the term, a sandbox is a pseudo-environment used to attract malware and let it think it is running in a real environment, so it can do its deed in a space where not only can it do no harm, but where everything it does is recorded, revealing its secrets and effectively how to thwart it.
In a blog post on Saturday, @MalwareTech recounted his experience of registering the WannaCry domain, and how it ultimately quelled that attack variant. The malware tries to connect to the registered domain: if the connection is unsuccessful, it shakes down the machine for ransom. If it gets a handshake, it "exits" the victim's machine, he said. He said he now believes the domain was not a kill switch to stop the attack if it got out of control, but instead "a badly thought out anti-analysis" tool.
WannaCrypt used one hardcoded domain, so when the researcher registered the domain, he wrote, "it caused all infections globally to believe they were inside a sandbox and exit…thus we initially unintentionally prevented the spread and further ransoming of computers infected with this malware."
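Because the malware resolves and connects to that one hardcoded domain before deciding whether to encrypt, a DNS query for the domain is a strong indicator that a host has run the sample, whether or not it then exited. The following is an added example, not code from the original post or from @MalwareTech: it scans constructed BIND-style resolver query log lines and reports which client IPs looked up the kill-switch domain. The domain name and the log format are assumptions; the real kill-switch domain is not given on this page.

```python
"""
Added example: flag internal hosts whose DNS queries hit the WannaCry
kill-switch domain. The malware checks one hardcoded domain before
deciding whether to encrypt, so any lookup of it is worth an isolate-and-
inspect response on the querying host.

KILL_SWITCH_DOMAIN is a placeholder (assumption): the real domain is not on
this page; substitute the published one or a sinkhole you operate.
"""
import re
from collections import defaultdict

KILL_SWITCH_DOMAIN = "killswitch-domain.example"  # placeholder, assumption

# Constructed sample lines in a BIND-like "query" log format (assumption).
SAMPLE_LOG = """\
May 12 14:02:11 resolver named[101]: client 10.0.5.23#51234: query: updates.example.com IN A
May 12 14:02:13 resolver named[101]: client 10.0.5.23#51235: query: killswitch-domain.example IN A
May 12 14:02:14 resolver named[101]: client 10.0.7.9#40001: query: KILLSWITCH-DOMAIN.EXAMPLE. IN A
May 12 14:02:20 resolver named[101]: client 10.0.5.23#51236: query: killswitch-domain.example IN A
May 12 14:03:01 resolver named[101]: client 10.0.9.4#40900: query: mail.example.com IN MX
"""

QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<name>\S+) IN (?P<type>\S+)"
)


def parse_query(line):
    """Return (client_ip, normalised_name, rrtype), or None for non-query lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    # DNS names are case-insensitive and may carry a trailing root dot.
    name = m.group("name").rstrip(".").lower()
    return m.group("ip"), name, m.group("type")


def find_killswitch_lookups(log_text, domain=KILL_SWITCH_DOMAIN):
    """Map each client IP that queried the kill-switch domain to its lookup count."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_query(line)
        if parsed and parsed[1] == domain.lower():
            hits[parsed[0]] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, n in sorted(find_killswitch_lookups(SAMPLE_LOG).items()):
        print(f"{ip}: {n} lookup(s) of {KILL_SWITCH_DOMAIN} - isolate host and check for infection")
```

A host that looked up the domain and got an answer may have exited cleanly, but it still executed the sample and reached it via a vulnerable path, so it should be patched and checked rather than assumed safe.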
While the “WannaCry” ransomware isn’t spreading as quickly as it was just a few days ago, we are not out of the woods as of yet. A hacking group known as the Shadow Brokers released a treasure trove of NSA exploits and hacking tools just a few weeks ago. Now comes word via PC World that the Shadow Brokers may just be getting started.
“On Tuesday, following the WannaCry attacks, the Shadow Brokers posted a new message online in which they claim to have many more Equation exploits that haven’t been leaked yet,” the report notes. “The group wants to make them available as part of a new subscription-based service that it plans to launch in June.”
According to a statement posted on Steemit, the Shadow Brokers are putting together a service they liken to a wine-of-the-month club, wherein every month members will receive a new batch of exploits. As is to be expected, the group notes that what members do with the exploits is completely up to them. Regarding the type of exploits the Shadow Brokers are promising to deliver, the group says it will deliver exploits for web browsers, routers, handsets and more. The group even says it may dole out “compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs.”
While some of the exploits in the possession of the Shadow Brokers have already been patched, the rapid spread of WannaCry underscores how many individuals and institutions are still running laughably outdated software.

Interestingly enough, the NSA exploits the Shadow Brokers have may have come from a former NSA contractor who is said to have absconded with 50 terabytes of classified data and upwards of 75% of the hacking tools used and developed by the NSA’s Tailored Access Operations unit.
Mitigation
The best mitigations for this particular threat (and many others) are:
- Training users not to click on suspicious emails / attachments
- Staying on top of patches (vulnerability management), and if you have a system that you can’t patch, make sure you take other steps to properly secure it. For example, once the relevant security update is installed, this vulnerability no longer exists for you.
- Properly segmenting your network to mitigate lateral movement between systems
- An end-user anti-malware agent.
Just in case...
If you want a set-it-and-forget-it solution, a non-signature anti-malware agent is your best bet:
- Small footprint - just 5 MB in size, versus signature-database types that require 300+ MB of your machine's memory (second only to the O/S).
- Identifies and blocks both known and unknown threats – it doesn’t have to know a threat to stop it.
- Real-time detection and prevention of malware through the application of Infinity machine learning models.
- Self-protection (prevention against user or attacker tampering)
Contact rricker@continuityfocus.com for more details...
___________________________________________
We would like to thank our sponsors, for without them - our fine content wouldn't be deliverable!
Source(s)
- http://www.pcworld.com/article/3197110/security/shadow-brokers-teases-more-windows-exploits-and-cyberespionage-data.html
- https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition
- https://www.wired.com/2017/05/accidental-kill-switch-slowed-fridays-massive-ransomware-attack/
- https://www.theguardian.com/technology/2017/may/13/accidental-hero-finds-kill-switch-to-stop-spread-of-ransomware-cyber-attack
- https://www.extremetech.com/internet/249346-registering-domain-accidentally-triggered-ransomwares-kill-switch
So “Once more unto the breach, dear friends, once more;”
____________________________________________________________
About Rick Ricker
An IT professional with over 23 years experience in Information Security, wireless broadband, network and Infrastructure design, development, and support.
For more information, contact Rick at (800) 399-6085 x502
Thanks for your input, your ideas, critiques, suggestions are always welcome...
- Wasabi Roll Staff