WannaCrypt ransomware worm targets out-of-date systems

It seems that WannaCry was not spread by email.
https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/

 

Good read
Link: https://medium.com/@thegrugq/internet-of-wilderness-of-mirrors-9eaa24bd99d8

 

Interesting read. Thanks @WildByDesign

 

@EASTER You're welcome

 

Nice read.
It seems that Windows XP was indeed not targeted.

 

Which is odd because the very first announcements seemed to hint at XP given they would be a likely candidate as fas as being considered OLD by many.

What really is striking is that this more accurate development makes more sense in that if I recall there was a mass rush to get to Windows 7 (something I missed out on BTW) and plenty of businesses turned to 7 as they're base O/S after release and thereafter.

Meaning there's literally more Windows 7 units in operation around the world?

 

Yes I would also speculate that attackers targeted most used OS and didn't test or modify exploit implementation for older OS (in this case Windows XP). "Security through obscurity"?
Well without update Windows XP is still vulnerable and it can be compromised by other malware using similar delivery methods.

 

This is how the whole thing started per the Malwarebytes article:

For starters, the ports in question are 137-139, and 445. The only way this could have occurred is if malware entered the network via like open ports on the server. Not even the most incompetent network administrator will allow those ports to be open externally on the server to the public portion of the Internet.

As far as the internal local network goes, all endpoint client firewalls including the built-in Windows one only allow incoming traffic from the trusted network for the noted ports. And, only if file and device sharing is enabled i.e. private firewall profile.

My opinion is the malware somehow and yet to be determine entered either the WLAN(wireless local network) or WAN(wide-area network linking remote locations). Which means there is a yet to be identified network exploit in play.

Here's another ransomware posted by @stapp: https://www.wilderssecurity.com/threads/xdata-ransomware-on-a-rampage-in-ukraine.394156/ that just surfaced in the last 24 hours. Notably:

Bottom line - I believe the current situation is a lot worse that is being publically stated in that local network intrusions are occurring and no one seems to know how it is occurring.

-EDIT- I forgot to mention port 135 which is also used by SMB to allow Service Control Manger to be run remotely. I originally though this was the WannaCry attack vector since the first thing it did was to create a service. However, @aigle tests showed the service was created locally via .bat and cmd.com execution.

One other possibility is WannaCry deployed a 0-day dropper arriving via Internet connection that no one detected and immediately deleted the dropper once the exploit was employed or not deployed since the patch was in place.

 

FireEye usually has one of the best detail analyses on malware and true to that, they have one for WannaCry. Excerpts from the article are shown below.

Also, appears I was wrong on how WannaCry's service was created. I initially though it was done remotely. Then @aigle's testing lead me to believe it was locally. FireEye's analysis clearly shows it was done remotely via RPC Service Control Manger means.

The FireEye analysis shows that once a PC was exploited, it used the RPC remote communication for login to Windows domain which uses lsass.exe via outbound port 135 connection. Once in the domain, it was free to remotely create its service on each network client which in turn ran all subsequent ransomware activities.

Again, the FireEye article does not explain how the exploit dropper arrived on the source device that spread the worm. That may never be known since it would involve an analysis similar to that done it in real pandemic virus research which involves finding the original day-1 infected host.

https://www.fireeye.com/blog/products-and-services/2017/05/wannacry-ransomware-campaign.html

 

The actual "probing" code to determine if a target was vulnerable for SMBv1 exploiting is located here:

Microsoft Windows - Unauthenticated SMB Remote Code Execution Scanner (MS17-010) (Metasploit)
https://www.exploit-db.com/exploits/41891/

It is dated 4/17/2017. So it is reasonable to assume this code or a reasonable facsimile of it was deployed in the WannaCry attack.

 

The lsass.exe process in W. 7 can not be hardened:

https://technet.microsoft.com/en-us/library/dn408187(v=ws.11).aspx

 

It also appear that some Wilders folks believe they are protected against SMB based exploits doing .dll injection because they are running a local security product that prevents .dll injection. You are not. SMB processing is performed by ntoskrnl.exe i.e the system process. It is that process that has been exploited to do the malicious .dll injection.

 

Yup, and Microsoft issued the patch for the SMB vulnerability in March 2017.
https://support.microsoft.com/en-us/help/4013389/title
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

 

"Samsung working with South Korean government to increase protection against WannaCry...

...Samsung says the WannaCry ransomware cyberattack has raised alarm over mobile phone security. The company has also said that it’s going to work with the government of South Korea to increase protection..."

https://www.sammobile.com/2017/05/2...ment-to-increase-protection-against-wannacry/

 

"Symantec says 'highly likely' North Korean hacking group behind ransomware attacks

Cyber security firm Symantec (SYMC.O) said on Monday it was "highly likely" a hacking group affiliated with North Korea was responsible for the WannaCry cyber attack this month..."

http://www.reuters.com/article/us-cyber-attack-northkorea-idUSKBN18I2SH

 

"There’s new evidence tying WCry ransomware worm to prolific hacking group [N. Korean associated Lazarus Group]

Common tools, techniques, and infrastructure make link 'highly likely.'.."

https://arstechnica.com/security/20...ry-ransomware-worm-to-prolific-hacking-group/

 

http://news.softpedia.com/news/wannacry-386-ransomware-samples-discovered-515946.shtml

 

https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html

 

Yeah, I already figure this out starting with my postings here: https://www.wilderssecurity.com/thr...ttacks-says-malwarebytes.394187/#post-2678272

Will also add that Internet facing Win 7 boxes could also have been the entry point if:

1. They had previously been infected with Conficker which would have left the SMB ports exploitable.
2. They were never patched against the original Conficker worm malware.

Again, part of the Shadow Brokers dump was a new vers. of Conficker that has shown up at infected sites.

https://technet.microsoft.com/library/security/ms08-067

 

FYI

https://www.grahamcluley.com/seven-years-conficker-worm-dead-dominating/https://www.grahamcluley.com/seven-years-conficker-worm-dead-dominating/

 

https://securelist.com/blog/researc...t-can-help-you-restore-files-after-infection/

 

https://www.theregister.co.uk/2017/05/31/windows_xp_probably_too_primitive_to_spread_wannacrypt/

 

http://blog.trendmicro.com/trendlabs-security-intelligence/ms17-010-eternalblue/

 

Memory forensics of Eternalblue
Link: http://markus.co/memory-forensics/2017/06/04/eternalblue-smb.html

Excellent, concise read!

 

Very good find and yes, excellent read up. Thanks again @WildByDesign