
Predicting the Future From the Wannacry Ransomware

Okay, so this article isn’t going to focus much on the WannaCry ransomware that’s wreaking havoc across the globe at the moment. It’ll be more focused on highlighting potential cyber-security-related events linked to the root of this particular deadly malware: the Equation Group.

So, a little bit of backstory. The first time I ever came across the name Equation Group was some years back when I was doing research for my Master’s degree on malware development, and an article was making the rounds about how they had developed a way to exploit the firmware of a hard drive! That exploit truly was a thing of beauty. Of course, they were said to be linked to the US’s NSA, but that link is not what this article is about either. Moving on, I ended up keeping an eye out for any discoveries or articles to do with exploits related to the Equation Group. But then 2016 came and the world of infosec got even more exciting.

A group known as Shadowbrokers apparently hacked the Equation Group and raided a great deal of their exploits and zero-days. A zero day is basically a vulnerability that is discovered but has not yet been patched. The Shadowbrokers then proceeded to auction the stolen exploits to the highest bidder (offering the Equation Group an opportunity to buy back their stolen exploits) but unfortunately for them, the bidding exercise did not go as they wanted.

Enter 2017 and the Shadowbrokers decided to change tactics. In April 2017, they proceeded to leak a part of the stolen exploits from the Equation Group, which included ways to hack into Windows OS systems as well as the SWIFT transaction system, particularly for the Middle East. Researchers and penetration testers the world over proceeded to download these exploits and test them to verify their validity and usability. For me, most of my focus was on the Windows exploits because most of them affected the same OS releases many of my friends use (Windows 7, 8, Server 2012). Multiple text-based and video tutorials were then shared online via Twitter, 4chan, Reddit and other boards and sites by hobbyists showing how to get the exploits to work.

In my opinion, one of the more interesting aspects of the Equation Group’s exploits was that they had actually developed their own exploit framework, FuzzBunch, which effectively worked like Empire and Rapid7’s Metasploit framework to simplify the exploitation process. One of the simpler exploits I got to demonstrate and execute as a proof-of-concept on a Windows virtual host was one named EternalBlue, which exploited the SMB (Server Message Block) vulnerability. An SMB vulnerability is basically a flaw in the file-sharing functionality in selected Windows systems. Other exploits included EternalRomance, ExplodingCan, EternalSynergy, EternalChampion and DoublePulsar. For those who have read the technical details related to WannaCry, you may have come across articles which highlight that it actually uses the EternalBlue and DoublePulsar exploits to get a foothold in targets before executing the ransomware.

This effectively means that the hackers who developed the WannaCry ransomware did not develop the malware from scratch, but basically added worm functionality to the EternalBlue exploit to enable the ransomware to propagate across a network. In many circles it is therefore commonly referred to as a ransomworm.

Fortunately, by some coincidence Microsoft immediately managed to release patches for those vulnerabilities, which are now referred to as MS17-010. The reason I have gone to pains to explain this relationship between WannaCry and the Equation Group is because a number of newer versions of WannaCry are bound to be developed and modified by script kiddies and hackers in order to avoid Intrusion Detection Systems or other network protection mechanisms. We will most likely see more ransomworm attacks or modified versions of the exploits from the Shadowbrokers leak listed earlier.

It also doesn’t really help our cause that, starting from 1 June 2017, the Shadowbrokers have promised to release more of the stolen exploits in a “wine of the month” subscription model, which means advanced exploits will be brought into the wild on a monthly basis. In all likelihood, these exploits will undergo the same evolution that EternalBlue went through. In other words, ransomworms are here to stay, so we should definitely buckle up and ensure our operating systems and applications are constantly patched and updated.
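Beyond patching, the propagation behaviour described above (one host fanning out SMB connections to many neighbours in a short time) is something a defender can watch for on the wire. The following is an added example, not code from the original post: it runs a simple sliding-window fan-out detector over a constructed connection log and flags sources that touch many distinct hosts on TCP/445 within a minute. The log format, thresholds and IP addresses are assumptions for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original post): one outbound TCP
# connection attempt per line: timestamp, source IP, destination IP, port.
# 10.0.0.5 shows worm-like SMB fan-out; the other sources do not.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.20 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.21 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.22 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.23 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.24 445
2017-05-12T10:00:04 10.0.0.5 10.0.0.25 445
2017-05-12T10:00:10 10.0.0.7 10.0.0.20 445
2017-05-12T10:00:11 10.0.0.7 10.0.0.20 445
2017-05-12T10:05:00 10.0.0.9 10.0.0.30 445
2017-05-12T10:05:00 10.0.0.9 10.0.0.31 80
"""

def parse_log(text):
    """Parse the constructed log into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events

def find_smb_fanout(events, window=timedelta(seconds=60), threshold=5):
    """Return {src: max_distinct_targets} for every source that contacted at
    least `threshold` distinct hosts on TCP/445 inside any sliding `window`.
    Repeated connections to the same host do not count as fan-out."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port == 445:  # SMB over TCP, the service EternalBlue targets
            by_src[src].append((ts, dst))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        start = 0
        for end in range(len(conns)):
            # Slide the window start forward until it fits inside `window`.
            while conns[end][0] - conns[start][0] > window:
                start += 1
            targets = {dst for _, dst in conns[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = max(len(targets), alerts.get(src, 0))
    return alerts

def scan(text=SAMPLE_LOG):
    """Convenience wrapper: parse a log and return the fan-out alerts."""
    return find_smb_fanout(parse_log(text))
```

In a real deployment the same logic would be fed from firewall or NetFlow records rather than an inline string, and the threshold tuned to the normal SMB behaviour of the network.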
