
Predicting the Future From the Wannacry Ransomware

Okay, so this article isn’t going to focus much on the WannaCry ransomware that is wreaking havoc across the globe at the moment. It will focus instead on highlighting potential cyber-security events linked to the root of this particular deadly malware: the Equation Group.

So, a little bit of backstory. The first time I ever came across the name Equation Group was some years back when I was doing research for my Master’s degree on malware development, and an article was making the rounds about how they had developed a way to exploit the firmware of a hard drive. That exploit truly was a thing of beauty. Of course, they were said to be linked to the US NSA, but that link is not what this article is about either. From then on I kept an eye out for any discoveries or articles to do with exploits related to the Equation Group. Then 2016 came, and the world of infosec got even more exciting.

A group known as the Shadowbrokers apparently hacked the Equation Group and raided a great deal of their exploits and zero-days. A zero-day is basically a vulnerability that has been discovered but for which no patch yet exists. The Shadowbrokers then proceeded to auction the stolen exploits to the highest bidder (offering the Equation Group an opportunity to buy back their own exploits), but unfortunately for them, the bidding exercise did not go as they wanted.

Enter 2017, and the Shadowbrokers decided to change tactics. In April 2017 they leaked part of the stolen Equation Group exploits, including ways to hack into Windows systems as well as the SWIFT transaction system, particularly for the Middle East. Researchers and penetration testers the world over proceeded to download these exploits and test them to verify their validity and usability. For me, most of my focus was on the Windows exploits, because most of them affected the same OS releases many of my friends use (Windows 7, 8, Server 2012). Multiple text-based and video tutorials were then shared online via Twitter, 4chan, Reddit and other boards and sites by hobbyists explaining how to get the exploits to work.

In my opinion, one of the more interesting aspects of the Equation Group’s exploits was that they had actually developed their own exploit framework, FuzzBunch, which effectively worked like Empire and Rapid7’s Metasploit framework to simplify the exploitation process. One of the simpler exploits I got to demonstrate and execute as a proof-of-concept on a Windows virtual host was one named EternalBlue, which exploited a vulnerability in SMB (Server Message Block). An SMB vulnerability is basically a flaw in the file-sharing functionality of selected Windows systems. Other exploits included EternalRomance, ExplodingCan, EternalSynergy, EternalChampion and DoublePulsar. For those who have read the technical details related to WannaCry, you may have come across articles highlighting that it actually uses the EternalBlue and DoublePulsar exploits to get a foothold in targets before executing the ransomware.

This effectively means that the hackers who developed the WannaCry ransomware did not develop the malware from scratch, but basically added worm functionality to the EternalBlue exploit to enable the ransomware to propagate across a network. In many circles it is therefore commonly referred to as a ransomworm.

Fortunately, by some coincidence Microsoft immediately managed to release patches for those vulnerabilities, which are now referred to as MS17-010. The reason I have gone to such pains to explain this relationship between WannaCry and the Equation Group is that a number of newer versions of WannaCry are bound to be developed and modified by script kiddies and hackers in order to evade Intrusion Detection Systems and other network protection mechanisms. We will most likely see more ransomworm attacks, or modified versions of the other exploits from the Shadowbrokers leak listed earlier.

It also doesn’t help our cause that, starting from 1 June 2017, the Shadowbrokers have promised to release more of the stolen exploits in a “wine of the month” subscription model, which means advanced exploits will be brought into the wild on a monthly basis. In all likelihood, these exploits will undergo the same evolution that EternalBlue went through. In other words, ransomworms are here to stay, so we should definitely buckle up and ensure our operating systems and applications are constantly patched and updated.
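A defender-side check that follows from the patching advice above, added here as an example (not code from the original post). It assumes PowerShell run as an administrator on the Windows 7 / 8.1 / Server 2012 families the post mentions, and it reports whether SMBv1 is still enabled and whether one of the March 2017 MS17-010 security updates for those families is installed.

```powershell
# Added example: audit a Windows host for MS17-010 / SMBv1 exposure.
# Assumption: run as an administrator on Windows 7 / 8.1 / Server 2012 family hosts.
# The KB list is the set of March 2017 MS17-010 updates for those families; later
# monthly rollups supersede them, so "not found" is a prompt to check the rollup
# history against the MS17-010 bulletin, not proof that the host is unpatched.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2 (security-only / rollup)
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217'    # Windows Server 2012
)

function Get-Smb1State {
    # Prefer the SMB cmdlets (Windows 8 / Server 2012 and later); fall back to the
    # LanmanServer registry value on older hosts. A missing 'SMB1' value means enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $value = (Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $value) { return $true }
    return ($value -ne 0)
}

function Get-Ms17010Status {
    $installed = @(Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID })
    $smb1 = Get-Smb1State
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Smb1Enabled    = $smb1
        Ms17010KbFound = ($installed | ForEach-Object { $_.HotFixID }) -join ','
        # Exposed to EternalBlue-style SMBv1 attacks: SMBv1 on and no MS17-010 update seen.
        ExposedToSmbv1 = ($smb1 -and $installed.Count -eq 0)
    }
}

$status = Get-Ms17010Status
$status | Format-List

# Mitigation: patch first; disabling SMBv1 on the server side closes the EternalBlue
# path regardless of patch state. -WhatIf previews the change without applying it.
if ($status.ExposedToSmbv1 -and (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue)) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force -WhatIf
}
```

Run it on each host (or wrap Get-Ms17010Status in Invoke-Command for a fleet) and triage any host where ExposedToSmbv1 is True.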
