WannaCry Exploit Could Infect Windows 10

Discussion in 'malware problems & news' started by itman, Jun 6, 2017.

  1. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    Thank you guys ;).
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    I think it is time to backup a bit and analyze how the NSA or another like caliber actor employed the attack and how it was deployed in the Wannacry incident.

    1. The NSA excels at finding vulnerabilities like the SMBv1 one.
    2. It then decided which targets it wanted to exploit.
3. It then performed recon and penetration-like testing against the target's external network to determine where it was vulnerable. I will also speculate that if it wasn't vulnerable, the NSA then attempted to create a like vulnerability through other means such as e-mail, hijacking the target's web site, you name it.
    4. It then entered the network through the found or created external network vulnerability and remotely exploited SMBv1 to create the backdoor to perform subsequent remote activities through.

In the WannaCry attack, the SMBv1 vulnerability was known. The attack wasn't a targeted one but an opportunistic one which would entail randomly "pinging" servers and then exploring the external network for an entry point. It is doubtful that any other means were deployed to make the external network vulnerable. However, it is possible that a "front-end" attack could have been performed to open an external port on the server for ingress. All that is needed would be a "legit looking" outbound app connection.

The bottom line is you stop attacks like this by "locking down" first your external network and secondly, your internal network. Use a router with an internal firewall. Make sure the router supports stateful communication and is NAT capable. Make sure the router admin access is protected via a strong password. Opening "pinholes" on your router for remote gamer access and the like creates vulnerabilities. Use of a VPN is a vulnerability since it bypasses all your internal inbound firewall rules. Simply using a "public" internal firewall profile will disable any SMB activity and additionally lock down your internal network inbound ports. Besides a strong internal firewall, IDS protection will additionally allow for locking down all remote access protocols, SMB access to the Admin shares, detailed inbound packet analysis, and blocking by CVE detection such as done by Eset and Kaspersky in the WannaCry episode. Etc., etc.

    Now for the issue of if you find a backdoor has been set on your PC. The standard recommendation has been and remains to do a "military grade" disk wipe or replace the drive and reinstall your OS. Also, this is one instance where a disk image backup won't help you since you have no knowledge of when the backdoor was actually set. If you took an image backup immediately after initial OS installation, it is probably safe to use although a fresh install is preferable since it will give you the latest OS release. Restoring your data files also has to proceed with caution since those might be infected.
     
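The lockdown advice in the post above (public firewall profile, no inbound SMB, SMBv1 off) can be checked from an elevated PowerShell prompt on Windows 10. The audit script below is an added example written for this thread, not code from any poster; the function name `Invoke-SmbExposureAudit` is my own, and it only reads state (the remediation cmdlets are shown in comments so nothing is changed unless you run them deliberately).

```powershell
# Added example: audit the SMB exposure points discussed above.
# Run as Administrator; Get-WindowsOptionalFeature and the firewall cmdlets need it.
function Invoke-SmbExposureAudit {
    # 1. Is the SMBv1 protocol (the one EternalBlue abused) still enabled?
    $smb1Feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $smb1Server  = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # 2. Which firewall profile is each active connection using?
    #    "Public" is the profile that blocks inbound file-and-printer sharing by default.
    $profiles = Get-NetConnectionProfile |
        Select-Object InterfaceAlias, InterfaceIndex, NetworkCategory

    # 3. Is the default inbound action "Block" on every firewall profile?
    $fwProfiles = Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction

    # 4. Which enabled inbound rules explicitly allow TCP 445 (SMB)?
    $smbAllowRules = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and
                       $_.Direction -eq 'Inbound' -and
                       $_.Action -eq 'Allow' } |
        Select-Object DisplayName, Profile

    [PSCustomObject]@{
        Smb1FeatureState    = $smb1Feature.State        # expect "Disabled"
        Smb1ServerEnabled   = $smb1Server               # expect $false
        ConnectionProfiles  = $profiles                 # expect NetworkCategory "Public"
        FirewallProfiles    = $fwProfiles               # expect DefaultInboundAction "Block"
        InboundSmbAllowRules = $smbAllowRules           # expect an empty list
    }
}

$audit = Invoke-SmbExposureAudit
$audit | Format-List

# Remediation (run deliberately, one at a time):
#   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
#   Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
#   Set-NetConnectionProfile -InterfaceIndex <index from the audit> -NetworkCategory Public
#   Disable-NetFirewallRule -DisplayName "<rule name from InboundSmbAllowRules>"
```

The port-filter lookup catches rules that open 445 under any name, not only the built-in "File and Printer Sharing (SMB-In)" rules; a rule whose `LocalPort` is `Any` will not match, so also read `DefaultInboundAction` for each profile, which is what actually decides the fate of an unsolicited inbound packet when no rule matches.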
  3. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
    OMG, hehehe, this is never going to end. If I deactivate my wilders and MT accounts for a month or two, please understand why.
     
  4. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK
    Massive cyber attack occurring in the Ukraine right now, public transport, banks, government and businesses all hit...Itman, the solution please:argh:
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    Pray hard. Then "bitch to high heaven" about Microsoft OS security.
     
  6. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    lol, I don't depend on MS security, I eagerly wait for your take on other researchers findings:thumb:
     
  7. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    Amen.

    Amen, again.
     
  8. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    I see you were not kidding and thanks for creating a new thread on this new cyber attack. Not looking good.
     
  9. VoodooShield

    VoodooShield Registered Member

    Joined:
    Dec 9, 2011
    Posts:
    5,881
    Location:
    United States
  10. guest

    guest Guest

    Indeed, so:

Since when is a compromised system (aka EB able to propagate + DP installed and injecting into any process it wants) deemed still protected and safe, and the said security product labelled as "victorious" over the attack...

"Hey guys, I have HIV but my health doesn't degrade further because I took a medicine that stopped one of the opportunist diseases I may be victim of, so I'm protected from HIV." Really?!

If people believe in that nonsense, I have no more time to waste on this topic and will let them live in their security dreamworld.
     
  11. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK


    "If people believe in that nonsense, i have no more time to waste on this topic and let them live in their security dreamworld"

    I do! Now the acid test, are you a man of your word?
     
  12. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,379
    Location:
    Italy
  13. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
  14. kram7750

    kram7750 Guest

    AV products just need to make sure they restrict access to PhysicalDrive0... Then Petya will always fail without a zero-day bypass. Problem solved.
     
  15. clubhouse1

    clubhouse1 Registered Member

    Joined:
    Sep 26, 2013
    Posts:
    1,124
    Location:
    UK

    ;)
     
  16. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    Interesting indeed.
    For starters, read this thread: https://www.wilderssecurity.com/threads/a-cyberattack-the-world-isnt-ready-for.394950/#post-2687301. Next, review my prior comments about what the mitigation should be if a backdoor is set on a device. If the device is part of a network, those comments apply to all devices on the network.

The most likely scenario going on, barring further details in this latest attack, is this. The installations currently getting hit are ones that were unpatched in the WannaCry attack. They thought they had "dodged the ransomware bullet" since none of their files were encrypted. They subsequently patched their devices against the SMBv1 exploit and thought they were now safe from any further attacks. Very wrong assumption.

What happened was their files were not encrypted because the "kill switch" took out WannaCry's C&C server communication mechanism to deliver the ransomware payload. However, the backdoor had been set on these devices making them vulnerable to any future attacks. This is what is currently underway now. The fact that WMI is being used is not unique; the EternalPot attack employed that. PsExec can be used for remote execution and can escalate privileges to System level among other things.

Bottom line - the Microsoft patch prevents the EternalBlue backdoor from being set. It does nothing to prevent use of the backdoor once it has been set. Once a backdoor is set, the malware immediately goes about setting up mechanisms to protect the backdoor and maintain it for persistence. These include but are not limited to changing system settings plus access rights and privileges. Existing backdoors have been found on devices that are years old. They are sitting there in a dormant state but ready to spring into action at their creator's command or that of any hacker lucky enough to discover one.

-EDIT- Looks like a "one-two punch": https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine/ . Hijack a commonly used Ukrainian application, then utilize the existing backdoor. Actually, this is the most effective way to bypass all security detection mechanisms. The backdoor port bindings would be to those used by the hijacked application.
     
    Last edited: Jun 27, 2017
  17. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    We need to keep this new attack in the new thread otherwise it becomes too hard to follow.
     
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    Will do. Commented here since someone directly asked me about it. Also it fits in with my prior backdoor comments.
     
    Last edited: Jun 27, 2017
  19. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    :thumb:
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    Finally got a reply back from the test tool developer. I am posting it below. It is self-explanatory. I will test out his revised code when I get a chance and post back if I got the APC call option for a non-reflective .dll to run successfully:

    Hi itman,


    Thanks for your report, sorry I couldn't respond until now but I have been on vacation.


    I did a bit of investigation and it seems that using every thread for the APC does seem to cause a crash sometimes but not others. It seems to somehow mess up the destination address when sections are loaded which causes protection errors. I'm not actually sure why this is, but I pushed new code so it now prompts you for each thread so you can choose to only inject into certain threads. So you can keep answering "yes" until you see your message box appear and then you can say no to the other threads.


    The only reason I originally had it use all threads was that sometimes a thread would not reach a state where the APC was triggered, and I wasn't sure the best way to select a likely candidate, so I used a scattergun approach as it was just for quick tests anyway. Hopefully this little mod to the code will make it a bit easier to test it out. I'm sure there are some clever ways to select a "good" thread for APC but I'm no APC ninja!


    I've tested it out on Win10 and Win7 and it does work with your MessageBox64.dll.

    Thanks,
    Matt
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    Now for the really .......... scary part. This is all speculation but I believe plausible.

I assume that ShadowBrokers has "Prime" clients. These are the hacking concerns that will pay the many thousands of dollars an unknown exploit commands. These outfits get "first pick" at these exploits. Thereafter, ShadowBrokers will offer the exploits to the general hacking community at discounted prices that these concerns will only pay. Also assumed is that these unknown exploits are a very closely guarded ShadowBrokers item.

The question is how long ShadowBrokers had the NSA backdoor exploits in its possession prior to Microsoft being "tipped off" by the NSA of their existence and the resultant patches issued. It is this unknown timeframe where anyone could have had one of these backdoor exploits installed by a ShadowBrokers "Prime" customer. It is a given that these "Prime" hacking concerns are not interested in the mass spreading of ransomware and the like. Their targets are high-value corp. concerns and the potential profit or secrets that can be had from the theft of company data or the disruption of company operations.
     
  22. guest

    guest Guest

Read my post again, and the analogy I made. So you really believe that if a kernel exploit and backdoor is still running on your system, your system is safe, seriously?!

Btw, one person is not the majority. If you feel protected then good for you... but I tell you, in that case I mentioned, you are not.
     
    Last edited by a moderator: Jun 27, 2017
  23. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,509
    Agreed. This thread has gone so far off the rails, I have stopped reading it any further.
     
  24. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,606
    Location:
    The Netherlands
    Well, at least my theory was right. VS isn't able to block the DP backdoor, and isn't able to block in-memory payloads like PeddleCheap. It can however block payloads that are disk-based. And it also blocks certain modules of PeddleCheap that need to run a child process in order to operate. So it proves that AE tools like VS and EXE Radar (with strict parent-child process control) are very useful in interfering with these kind of attacks. But for completely blocking advanced in-memory malware you probably need specialized anti-exploit and HIPS.
     
  25. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,594
    Location:
    U.S.A.
    I almost forgot that I said I would post back on my testing results using the revised test tool.

Try as I might, I could not get the test tool to run properly with a non-reflective .dll using the APC injection method. It would inject the non-reflective .dll into a process's memory w/o issue, but every attempt to run the .dll resulted in the same DEP stack hash error on Win 10 x64 ver. 1607. Such was not the case for a reflective .dll using the APC injection method, so I used that .dll for testing.

    A surprise was that the test tool author added an AppContainer bypass in the revised version which allowed for successful injection and execution of the .dll in IE11's AppContainer protected process.

    My suggestion is to use the test tool with a reflective .dll to test your security solution's online banking protection. You might be very surprised with the results.

    Also for clarification, the .dll injection method used by the test DoublePulsar loader does not use process hollowing; it directly memory injects the .dll and executes it in the running targeted process.
     
    Last edited: Jul 13, 2017