WannaCrypt ransomware worm targets out-of-date systems

Discussion in 'malware problems & news' started by ronjor, May 13, 2017.

  1. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Some additional nasties that WannaCry v2 does per Carbon Black. Besides deleting shadow volume copies, it also does the following:
    https://www.carbonblack.com/2017/05/13/protect-organization-wannacry-ransomware/
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Eset did a blog posting that clears things up. At present, the delivery method appears to be unknown:
    https://www.welivesecurity.com/2017/05/15/wannacryptor-key-questions-answered/
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    Well, to be fair, the OS is not supported any more. The patch was designed for paying customers who pay for updates, and they did receive the update in March. Regular users should probably install a newer OS.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Thanks to Eset for raising the backdoor possibility in this attack. I think I now have a pretty good idea of how this attack took place.

    If there's anything the NSA excels in, it is finding backdoors in existing software, including Windows. For anyone who doesn't know what a backdoor is, they are built-in access points used by developers to debug/monitor software execution. They are supposed to be removed once the software is released for production. Inevitably some are overlooked and remain. Also, I have always believed that Microsoft has intentionally left select backdoors in the OS to likewise monitor it, especially after a new release. Additionally, malware can install its own backdoor. It can then lie dormant and use that backdoor at some later date. A backdoor can be accessed pretty much in the same way RDP works. That is, a remote source can pretty much do anything the currently logged-on user can do.

    As far as this WannaCry attack goes, the SMBv1 vulnerability patch MS issued is pretty much a smoke screen for the real vulnerability that has existed in Win OSes up till Win 10. That is, the port 445 remote access vulnerability. What Microsoft actually patched was that vulnerability, which coincidentally is used by SMB. If you review Endgame's detailed analysis of WannaCry, you will clearly see the code to access port 445.

    Observing recent ransomware attacks, I believe the malware developers have adopted NSA tactics to actively seek out existing software and OS backdoors. Many of these attacks are currently being mistaken for sloppy and insecure protection configurations for RDP use. Although that may be the case, I believe backdoor use is also exponentially increasing. If malware can gain remote access to a device via a backdoor, the first thing it will do is try to disable existing security software. The easiest way to do that is to access its GUI and disable it there. So security software GUI modification password/captcha access is recommended. If your security solution doesn't have such capability, find one that does. Additional backdoor mitigations are ensuring that your router has NAT and stateful packet inspection (SPI) and your software firewall has SPI. SPI prevents any unsolicited inbound Internet traffic. This will require the malware to install something on the target device that will generate an outbound connection request. Likewise, it is important to periodically test router firewalls to ensure no open ports exist that aren't explicitly defined as such. Router firewalls can and have been hacked through insecure router security settings.
     
  6. NormanF

    NormanF Registered Member

    Joined:
    Feb 20, 2009
    Posts:
    2,879
    NHS was too lazy or negligent to update their computers to Windows 10 Enterprise LTSB.

    We're talking about mission-critical network PCs that contain data related to patient health and safety.

    Sure, Microsoft patched the XP vulnerability, but it's a sobering reminder that there are other XP flaws hackers may be able to exploit that governments and corporate IT departments don't know about.

    When you can upgrade, do. Malware is rapidly developing and always probing for a new attack vector.
     
  7. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    So it was only XP that fell foul of WannaCry?
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    No. It was any Windows version other than Win 10 to which the patch had not been applied.

    As far as XP goes, it was no longer supported so the patch was not available until after the fact by Microsoft. What appears to have happened in the U.K. was the NHS had contracted with MS for extended XP support and the patch was made available in April but had not yet been installed as noted in another Wilders thread.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Are you referring to "Doublepulsar"?

    https://www.theregister.co.uk/2017/05/13/wannacrypt_ransomware_worm/

    https://isc.sans.edu/forums/diary/Detecting SMB Covert Channel Double Pulsar/22312
    ----
    rich

    https://nmap.org/nsedoc/scripts/smb-double-pulsar-backdoor.html
     
  10. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
  11. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    No. I am referring to the following code from the Endgame link previously posted:
    For starters, WannaCry only employed the NSA exploits if the target was vulnerable to them; namely all the activity under above step 2. b). If the target is not vulnerable, it appears WannaCry, as noted in above step 2. a), is dumping the payload into C:\Windows or alternative directories as noted below and running it from there if it can get away with it.

    Alternative directories and other nasty activity done by WannaCry:
    http://www.business-standard.com/ar...reading-know-all-about-it-117051300483_1.html

    This activity, especially above steps 2. a) 1 through 3, leads me to believe that WannaCry entered the target through an existing or previously created backdoor in the system.

    -EDIT-
    https://serverfault.com/questions/714051/run-service-control-sc-exe-command-on-secure-port

    Additional ref. on how to run sc.exe hidden: https://www.wilderssecurity.com/thr...g-banks-around-the-globe.391870/#post-2651004
     
    Last edited: May 16, 2017
  12. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy
  13. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    https://arstechnica.com/security/20...itcoin-take-tops-70k-as-its-spread-continues/
     
  14. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK


    I have ports 88 & 89 open on the test and the rest stealthed, the two open ports are only open when I am using AirVpn.
     
  15. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Nice conclusion. I assume you are referring to what you wrote earlier:
    ----
    rich
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Can anybody tell me how a typical home user can get this ransomware? Were there any home users infected, in fact?

    Thanks
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Also this attack was so widespread and evolved so quickly, I find the e-mail delivery method quite suspect. This attack has all the fingerprints of being nation state initiated.
     
  19. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Seriously doubt any non-commercial interests were targeted. Haven't seen any like postings to date.
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Hello aigle,

    If your port 445 is open, this would be an easy way in. I referenced this in my first post regarding file and print sharing, which, if enabled, use port 445. Many exploits have used this entry point. But the puzzle is, how does this infection start in the first place?
    Articles refer to home users as targets, but I've not seen any direct references to cases.

    This thread has been interesting with getting inside the malware and following its path when installed. Not usually my area of interest, since I'm more concerned about how exploits get started in the first place.

    How did the dropper initially get installed? No one is sure (as of today, anyway). Bogus emails have been suggested, but none have been shown.

    Very puzzling!

    ----
    rich
     
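itman's advice above to periodically test that no ports are open beyond those explicitly allowed, and Rmus's point that an exposed port 445 (file and print sharing) is an easy way in, both come down to the same check. The script below is an added example, not code from the thread or from any tool named in it: it audits a host for listening TCP ports and flags any that are not on an allow-list. The host, port set and timeout are assumptions; by default it looks at the SMB-related ports (135, 139, 445) on the local machine, and the same function can be pointed at a router's WAN address from outside to verify the firewall.

```python
"""Audit which TCP ports on a host accept connections and flag any that are
not explicitly allowed. Added example; host, ports and timeout are assumptions."""
import socket
from typing import Dict, Iterable, Set

# The ports SMB exposure discussions revolve around: RPC endpoint mapper (135),
# NetBIOS session service (139) and SMB over TCP (445).
SMB_RELATED_PORTS = (135, 139, 445)


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port completes, i.e. something
    is listening there and no firewall dropped or rejected the attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out or unreachable all count as not open
        return False


def audit_ports(host: str, ports: Iterable[int],
                timeout: float = 1.0) -> Dict[int, bool]:
    """Map each port to whether it is currently reachable on host."""
    return {port: port_is_open(host, port, timeout) for port in ports}


def unexpected_open(results: Dict[int, bool], allowed: Set[int]) -> Set[int]:
    """Open ports that are not on the explicit allow-list; an empty set
    means the host exposes nothing beyond what was intended."""
    return {port for port, is_open in results.items()
            if is_open and port not in allowed}


if __name__ == "__main__":
    # Audit the local machine; nothing SMB-related should be reachable.
    results = audit_ports("127.0.0.1", SMB_RELATED_PORTS)
    for port, is_open in sorted(results.items()):
        print(f"tcp/{port}: {'OPEN' if is_open else 'closed'}")
    flagged = unexpected_open(results, allowed=set())
    print("unexpected open ports:", sorted(flagged) or "none")
```

Run from outside the network against the router's public address to check the firewall itself; run on the host to see what the OS is listening on before the firewall gets a say.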
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I concur.

    While that type of analysis is beyond my interest and expertise, the sophistication of the entire scenario suggests quite advanced capabilities.

    ----
    rich
     
  22. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
  23. plat1098

    plat1098 Guest

    And the news is saying proceeds from North Korea's previous cyber hacks fund its military programs. So far, though, doesn't seem to be a lot of return on the investment--around 70,000 USD, enough to buy what, a few military uniforms? You wonder what was paid for the kit originally, as it's speculated North Korean hackers (or some other group) developed the actual WCry ransomware. An isolationist nation, little wonder funds would be "gotten" this way.
     
  24. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,077
    Location:
    DC Metro Area
    As hawki suggested in an earlier post, hawki believes that the motivation for the WannaCry attack was not purely financial. Disruption, chaos, fear, costs of business time and data lost, a dry run for a more devastating attack, and/or a demonstration of capabilities are more than likely the motives here. What good is a deterrent unless the enemy knows what it is capable of?
     
  25. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Has the "news" posted any proof? That always seems lacking.
     