Some of the NSA’s leaked code appears to have been used to create a massive ransomware worm which has infected over 230,000 computers in 99 countries. The software scrambles files demanding ransom payments in bitcoin in 28 languages. If the ransom is not paid by a certain time, the fee is doubled. After several days recovery is not possible.
View a live map of the infection’s spread.
A kill switch has been found in the code, which prevents new infections. This has been activated by researchers and should slow or stop the spread. However, different versions of the attack may be released and all vulnerable systems still have an urgent need to be patched.
The cyberextortion attack hitting dozens of countries spread quickly and widely thanks to an unusual confluence of factors: a known and highly dangerous security hole in Microsoft Windows, tardy users who didn’t apply Microsoft’s March software fix, and a software design that allowed the malware to spread quickly once inside university, business and government networks.
Not to mention the fact that those responsible were able to borrow weaponized software code apparently created by the U.S. National Security Agency to launch the attack in the first place.
Other criminals may be tempted to mimic the success of Friday’s “ransomware ” attack, which locks up computers and hold people’s files for ransom. Experts say it will be difficult for them to replicate the conditions that allowed the so-called WannaCry ransomware to proliferate across the globe.
But we’re still likely to be living with less virulent variants of WannaCry for some time. And that’s for a simple reason: Individuals and organizations alike are fundamentally terrible about keeping their computers up-to-date with security fixes.
…With ransomware, criminals typically trick individuals into opening an email attachment containing malicious software. Once installed, the malware just locks up that computer without spreading to other machines.
The hackers behind WannaCry took things a step further by creating a ransomware worm, allowing them to demand ransom payments not just from individual but from entire organizations — maybe even thousands of organizations. …
Once inside an organization, WannaCry uses a Windows vulnerability purportedly identified by the NSA and later leaked to the internet. Although Microsoft released fixes in March, the attackers counted on many organizations not getting around to applying those fixes. Sure enough, WannaCry found plenty of targets.
Since security professionals typically focus on building walls to block hackers from entering, security tends to be less rigorous inside the network. WannaCry exploited common techniques employees use to share files via a central server.
“Malware that penetrates the perimeter and then spreads inside the network tends to be quite successful,” said Johannes Ullrich, director of the Internet Storm Center at the SANS Institute. …
“When any technique is shown to be effective, there are almost always copycats,” said Steve Grobman, chief technology officer of McAfee, a security company in Santa Clara, California. But that’s complicated, because hackers need to find security flaws that are unknown, widespread and relatively easy to exploit.
In this case, he said, the NSA apparently handed the WannaCry makers a blueprint — pre-written code for exploiting the flaw, allowing the attackers to essentially cut and paste that code into their own malware.
Mikko Hypponen, chief research officer at the Helsinki-based cybersecurity company F-Secure, said ransomware attacks like WannaCry are “not going to be the norm.” But they could still linger as low-grade infections that flare up from time to time.
For instance, the Conficker virus, which first appeared in 2008 and can disable system security features, also spreads through vulnerabilities in internal file sharing. As makers of anti-virus software release updates to block it, hackers deploy new variants to evade detection.
Conficker was more of a pest and didn’t do major damage. WannaCry, on the other hand, threatens to permanently lock away user files if the computer owner doesn’t pay a ransom, which starts at $300 but goes up after two hours.
The damage might have been temporarily contained. An unidentified young cybersecurity researcher claimed to help halt WannaCry’s spread by activating a so-called “kill switch.” Other experts found his claim credible. But attackers can, and probably will, simply develop a variant to bypass this countermeasure.
The attack is likely to prompt more organizations to apply the security fixes that would prevent the malware from spreading automatically. “Talk about a wake-up call,” Hypponen said.
Companies are often slow to apply these fixes, called patches, because of worries that any software change could break some other program, possibly shutting down critical operations.
“Whenever there is a new patch, there is a risk in applying the patch and a risk in not applying the patch,” Grobman said. “Part of what an organization needs to understand and assess is what those two risks are.”
Friday’s attack might prompt companies to reassess the balance. And while other attackers might use the same flaw, such attacks will be steadily less successful as organizations patch it.
Microsoft took the unusual step late Friday of making free patches available for older Windows systems, such as Windows XP from 2001. Before, Microsoft had made such fixes available only to mostly larger organizations that pay extra for extended support, yet millions of individuals and smaller businesses still had such systems.
But there will be other vulnerabilities to come, and not all of them will have fixes for older systems. And those fixes will do nothing for newer systems if they aren’t installed.
WannaCry is believed to use the EternalBlue exploit, which was developed by the U.S. National Security Agency to attack computers running Microsoft Windows operating systems. Although a patch to remove the underlying vulnerability had been issued on 14 March 2017, delays in applying security updates left some users and organisations vulnerable
… It exploits a remote code-execution bug in the latest version of Windows 2008 R2 using the server message block and NetBT protocols.
The Shadow Brokers—the mysterious person or group that over the past eight months has leaked a gigabyte worth of the National Security Agency’s weaponized software exploits—just published its most significant release yet. Friday’s dump contains potent exploits and hacking tools that target most versions of Microsoft Windows and evidence of sophisticated hacks on the SWIFT banking system of several banks across the world.
Friday’s release—which came as much of the computing world was planning a long weekend to observe the Easter holiday—contains close to 300 megabytes of materials the leakers said were stolen from the NSA. The contents (a convenient overview is here) included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. It also included a framework dubbed Fuzzbunch, a tool that resembles the Metasploit hacking framework that loads the binaries into targeted networks. Independent security experts who reviewed the contents said it was without question the most damaging Shadow Brokers release to date.
“It is by far the most powerful cache of exploits ever released,” Matthew Hickey, a security expert and co-founder of Hacker House, told Ars. “It is very significant as it effectively puts cyber weapons in the hands of anyone who downloads it.
A number of these attacks appear to be 0-day exploits which have no patch and work completely from a remote network perspective.”
One of the Windows zero-days flagged by Hickey is dubbed Eternalblue. It exploits a remote code-execution bug in the latest version of Windows 2008 R2 using the server message block and NetBT protocols. Another hacking tool known as Eternalromance contains an easy-to-use interface and “slick” code.
Hickey said it exploits Windows systems over TCP ports 445 and 139. The exact cause of the bug is still being identified. Friday’s release contains several tools with the word “eternal” in their name that exploit previously unknown flaws in Windows desktops and servers.
The full list of tools documented by Hickey are:
ETERNALROMANCE — Remote privilege escalation (SYSTEM) exploit (Windows XP to Windows 2008 over TCP port 445)
ENTERNALCHAMPION, ETERNALSYSTEM — Remote exploit up to Windows 8 and 2012
ETERNALBLUE — Remote Exploit via SMB & NBT (Windows XP to Windows 2012)
EXPLODINGCAN — Remote IIS 6.0 exploit for Windows 2003
EWORKFRENZY — Lotus Domino 6.5.4 and 7.0.2 exploit
ETERNALSYNERGY — Windows 8 and Windows Server 2012
FUZZBUNCH — Exploit Framework (Similar to Metasploit) for the exploits.
Eternalblue is a remote exploit that exploits a remote code execution vulnerability via SMBv1 and NBT over TCP ports 445 and 139. The current Eternalblue exploits target Windows operating systems from Windows XP to Windows Server 2012. Newer Windows systems, such as Windows 10 and Windows Server 2016, remain untargeted for the moment. It is most likely a matter of time before the exploits are modified to target these systems as well. A positive but mysterious thing to mention is that the vulnerabilities have been patched by Microsoft in March. This happened exactly one month before the exploits were released to the public which indicates that Microsoft was informed one way or another.
WannaCry also reportedly uses DOUBLEPULSAR, present in the same ShadowBrockers release, to inject into running processes as part of this infection process.
On April 14th, 2017 an underground hacker group is known as “The Shadow Brokers (TSB)” made the fifth set of hacking tools stolen from another hacking group called the “equation Group” available on the Internet. These tools consisted of a set of highly weaponized attack tools and utilities which could be used to gain control of and exploit computer systems and specifically targeted older Microsoft Windows Operating Systems.
This release by TSB represented the fifth time the group had made weaponized hacking tools believed to be sourced from the National Security Agency available online. …
WannaCry malware first appears as a phishing attack, with millions of targeted emails being sent to individuals in organizations across the world with the attractive offers of jobs, requests for invoice payments, promises of tax rebates and a hundred other standard phishing lures. However, all the messages had one thing in common, they all contained an innocuous looking .zip attachment. This .zip attachment was a disguised executable file and once clicked on by the unsuspecting user, and the machine was infected with the WannaCry Ransomware
From this point on the machine no longer belonged to the organization and would perform only two tasks; Encrypting the user’s files and propagating WannaCry to other locally connected computer systems.
A friend asked why they can’t just trace whoever redeems the money in Bitcoin?
… all transaction between Bitcoin addresses are stored forever, and so are fully traceable.
Although all transactions are stored, people can take steps to remain anonymous.
… when you really want to make sure people cannot trace transactions back to you, you could use Bitcoin laundry systems. These are services that take your coins, shuffle them around among many different addresses they own, and let you receive the coins – minus the commission they take – back at another address for you. When you use a sophisticated Bitcoin laundry service, it is practically impossible to trace your coins. But beware, when dealing with very large amounts of bitcoins, this will be harder to achieve. Consider laundring your coins in smaller chunks.
I’d assume the people who created this would also be using several stolen identities when they do launder the bitcoins, but I haven’t heard anything about that. Here’s another interesting point:
The value of bit coin could go up now due to demand, so someone in a position that owned a lot of bit coin could make even more money from the valuation.
… ever-increasing demand for Bitcoin will keep driving the price up until people don’t want to buy or hold it anymore.
At that point, by the way, unless Bitcoin has become widely accepted as a legal means of exchange (as “money”), the price of Bitcoin will collapse. And anyone who thinks the price of Bitcoin can’t collapse all the way to zero is delusional.
Today one bit coin is $1,782.80. It could increase to a million dollars. It could fall to $0.
Satoshi Nakamoto, the mysterious creator of bitcoin, is said to have mined almost million Bitcoins in 2009.
Bitcoin, the four-year-old virtual currency that approximates cash on the internet, now powers an economy worth more than $1 billion and is widely admired for the technical sophistication that allows it to operate without a central authority. It got its own ticker on CNBC and inspired a legion of startups. And yet, we still don’t know where it came from.
Bitcoin is designed to mimic gold in some ways. Anyone can “mine” for new Bitcoins by running the Bitcoin client. The process is designed to get more difficult as more people start mining. At first, the client could create 50 Bitcoins in an hour running on an average laptop. It now takes a day to generate three Bitcoins using a powerful machine that does nothing else.
It was generally assumed that Nakamoto has been mining Bitcoins since the very beginning and probably owned a large amount. But if Lerner’s analysis is correct, Nakamoto is likely hoarding an eye-popping fortune of almost a million Bitcoins, worth more than $100 million at today’s market price.
To this day, Satoshi Nakamoto remains undiscovered. If I knew, I wouldn’t tell, but he, she or they would be intelligent, creative and familiar with cryptography prior to January 2009, when the first bit coins were issued.
About WannaCry, I agree with this sentiment:
Washington Post technology reporter Brian Fung suggested that this was one major lesson politicians should take away from the debacle: The concept of law enforcement agencies having “back doors” to computer programs and systems, even if it is for national security reasons, dramatically increases the risk that criminal groups or other bad actors will also find these vulnerabilities. “It would be like leaving keys under a doormat, which good guys could certainly use, but also bad guys, too,” Fung wrote Saturday.