(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Veritas NetBackup and NetBackup Appliance CVE-2017-8858 Arbitrary File Write Vulnerability
LibreOffice 'vcl/source/filter/jpeg/jpegc.cxx' Heap Buffer Overflow Vulnerability
NVIDIA GeForce Experience CVE-2017-6250 Local Code Execution Vulnerability
APPLE-SA-2017-05-15-6 iTunes 12.6.1
APPLE-SA-2017-05-15-4 watchOS 3.2.1
Google Android Qualcomm Pin Controller Driver CVE-2017-0619 Privilege Escalation Vulnerability

Enlarge / Identical code found in WCry and 2015 malicious backdoor could be a smoking gun that provides crucial clues about the origin of Friday's ransomware worm. (credit: Jo Christian Oterhals)

A researcher has found digital fingerprints that tie the WCry ransomware worm that menaced the world on Friday to a prolific hacking operation that previously generated headlines by attacking Sony Pictures, the Bangladesh Central Bank, and South Korean banks.

The link came in a cryptic Twitter message from Neel Mehta, a security researcher at Google. The tweet referenced identical code found in a WCry sample from February and an early 2015 version of Cantopee, a malicious backdoor used by Lazarus Group, a hacking team that has been operating since at least 2011. Previously discovered code fingerprints already tied Lazarus Group to the highly destructive hack that caused hard drives in South Korea to self-destruct in 2013, wiped almost a terabyte's worth of data from Sony Pictures in 2014, and siphoned almost $1 billion from the Bangladesh Central Bank last year by compromising the SWIFT network used to transfer funds.

Over a matter of hours on Friday, Wcry used leaked National Security Agency-developed code to attack an estimated 200,000 computers in 150 countries. Also known as WannaCry, the self-replicating malware encrypted hard drives until victims paid ransoms ranging from $300 to $600. Infected hospitals soon responded by turning away patients and rerouting ambulances. Businesses and government agencies all over the world quickly disconnected computers from the Internet, either because they were no longer working or to prevent them from being hit. The outbreak was largely contained because the attackers failed to secure a domain name hard-coded into their exploit.

Read 10 remaining paragraphs | Comments

NTP CVE-2015-7702 Incomplete Fix Denial of Service Vulnerability
NTP CVE-2015-7692 Incomplete Fix Denial of Service Vulnerability
Secunia Research: FLAC "read_metadata_vorbiscomment_()" Memory Leak Denial of Service Vulnerability
[security bulletin] HPESBHF03745 rev.1 - HPE Intelligent Management Center (iMC) PLAT, Remote Code Execution
Microsoft Office CVE-2017-0264 Memory Corruption Vulnerability
Microsoft Office CVE-2017-0261 Remote Code Execution Vulnerability

Enlarge / Google's "Project Treble" aims to streamline Android updates, but when it comes to security, Google could still be doing more. (credit: Google)

Last Friday, Google announced a major new initiative that promises to solve one of the many problems that keeps Android phones from being promptly updated. Coming as a part of the forthcoming Android O, Google will soon begin separating the Android operating system from the hardware-specific drivers and firmware on each individual Android phone in a move called "Project Treble." If successful, Project Treble will prevent a repeat of what we saw last year with Android Nougat, when Qualcomm’s unwillingness to support the update on older hardware made it impossible for companies to release the update on older devices even if they wanted to.

But as we wrote last week, this is still just a solution for one of Android’s many update problems. Treble can help OEMs support older hardware for longer and with less effort, and that’s unquestionably a good thing. But the core issue remains: wireless carriers and phone makers are still the gatekeepers for updates, and since they all make their money primarily from selling new hardware, they have little incentive to offer continued support for stuff they’ve already sold—especially once it’s no longer on store shelves.

There are technical and political reasons why Android updates don’t come directly from Google. On the technical side, carriers need to do their own validation and testing to prevent network problems, and OEMs need to make sure that their skins and other differentiating features work with new Android versions before releasing them. Politically, OEMs and carriers don’t want to become “dumb” conduits for Google’s software and services, since it reduces their ability to differentiate themselves from their competitors, and they don’t want to be subject to Google’s every whim or demand.

Read 9 remaining paragraphs | Comments


I’ve finally found enough time between e-mails and Skype calls to write up the crazy events that occurred over Friday, which was supposed to be part of my week off. You’ve probably read about the Wanna Decryptor (aka WannaCrypt or WCry) fiasco on several news sites, but I figured I’d tell my story.

I woke up at around 10am and checked onto the UK cyber threat sharing platform where I had been following the spread of the Emotet banking malware, something that seemed incredibly significant until today. There were a few of your usual posts about various organisations being hit with ransomware, but nothing significant... yet. I ended up going out to lunch with a friend, meanwhile the WannaCrypt ransomware campaign had entered full swing.

When I returned home at about 2:30, the threat sharing platform was flooded with posts about various NHS systems all across the country being hit, which was what tipped me off to the fact this was something big. Although ransomware on a public sector system isn’t even newsworthy, systems being hit simultaneously across the country is. (Contrary to popular belief, most NHS employees don’t open phishing e-mails, which suggested that something to be this widespread it would have to be propagated using another method.)

Read 29 remaining paragraphs | Comments


Enlarge (credit: Stephen Brashear / Getty Images News)

Two days after a National Security Agency-derived ransomware worm infected 200,000 computers in 150 countries, Microsoft on Sunday criticized the stockpiling of exploits by government spies, warning it results in damage to civilians.

The unusually blunt message from Microsoft President and Chief Legal Officer Brad Smith came after a weekend of tense calm, as security professionals assessed damage from Friday's outbreak and braced themselves for the possibility of follow-on attacks that might be harder to stop. It also came 24 hours after Microsoft took the highly unusual step of issuing patches that immunize Windows XP, 8, and Server 2003, operating systems the company stopped supporting as many as three years ago.

Sunday's salvo tacitly noted the NSA's key role in Friday's attack, which copied almost verbatim large sections of two highly advanced hacking tools that were stolen from the NSA and leaked to the world at large last month by a mysterious group calling itself Shadow Brokers. In the post, Smith wrote:

Read 5 remaining paragraphs | Comments


Update New Kill Switch Confirmed:

kill switch: ayylmaotjhsstasdfasdfasdfasdfasdfasdfasdf[.]com





After a consensus among the handlers we are moving infocon back to green. We will continue to monitor and update this situation as as it evolves. Please keep the reports and observations flowing in! We will leave the diaries on WannaCry up for another few hours then move back to regular posts.

If you have not seen, Dr J put together an excellent presentation (https://isc.sans.edu/presentations/WannaCry.ppt)summarizing this situation, and we have a Slack Dshield channel (Slack) that you can join the real-time chatter.

@packetalien Handler on Duty

The ransomware was first noticed on Fridayand spread very quickly through many large organizations worldwide [verge]. Unlike prior ransomware, this sample used the SMBv1 ETERNALBLUE exploit to spread. ETERNALBLUE became public about a month ago when it was published as part of the Shadowbroker archive of NSA hacking tools [shadow].

A month prior to the release of the hacking tool, Microsoft had patched the vulnerability as part of the March Patch Tuesday release. The patch was released for Windows Vista, Windows Server 2008 and later versions of Windows as part of MS17-010 in March [MS17-010]. In response to the rapid spread of WannaCry, on Friday Microsoft released a patch for older versions of Windows, going back to Windows XP and Windows Server 2003 [msft].

At the time of the initial WannaCry outbreak, we also noticed a significant increase in scanning for port 445 [port445]. The increase was likely caused by infected systems scanning for more victims. It is not clear how the infection started. There are some reports of e-mails that include the malware as attachment seeding infected networks. But at this point, no actual samples have been made public. It is possible that the worm entered acorporate network via vulnerable hosts that had port 445 exposed to the internet. The WannaCry malware itself does have no e-mail component.

The malware will first check if it can reach a specific website at http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com.

It will also check if a registry key is present. It will not run if either the registry key is present or the website is reachable. The domain has been registered and a web server has been set up by a security researcher. This significantly reduced the impact of WannaCry. A tool was released that will assist in setting the registry keys, which will also reduce the risk of infection. Over the weekends, reports indicated that new versions of the worm were spreading that used slightly different kill switches. But all current versions check a website and check for registry keys. Rendition Infosec released a Tearst0pper tool that can be used to set the registry entries. [tearst0pper]

The malware creates a 2048 bit RSA key pair. The private key is encrypted using a public key that is included with the malware. For each file, a new random AES key is generated. This random AES key is then encrypted using the public user key. To decrypt the files, the users private key needs to be decrypted, which requires the malware authors private key. Unlike some other ransomware, no network communication is needed to generate these keys [pastebin]. The password [email protected] is not used to encrypt files. It is only used by the malware to decrypt some of its components. [endgame]

Encrypted files use the extension. wncry. To decrypt the files, the user is asked to pay $300, which will increase to $600 after a few days. The ransomware threatens to delete all files after a week.

In addition to encrypting files, the malware also installs a DOUBLEPULSAR back door. The backdoor could be used to compromise the system further. The malware will also install Tor to facilitate communication with the ransomware author.

New variants have been reported over the weekend with slight changes to the kill switch domain and registry keys.

We expect to reduce the Infocon back to green on Monday.

What Can You do to prevent Infection?

  • Apply MS17010 to Windows Vista and later (Windows Server 2008 and later)
  • Apply Fridays patch to Windows XP or Window Server 2003.
  • Verify correct patch application
  • Make sure the kill switch domain and website is reachable from your network without proxy. If not, setup an internal DNS sinkhole and redirect to an internal website. Do not block access to the website.
  • Deploy the registry key inoculation [tearst0pper]
  • Disable SMBv1 [msftsmbv1]
  • Make sure systems are running up to date anti-malware

Indicators of Compromise:


PowerPoint for Presentations to Management


Friday SANS Webcast with technical details



[verge] https://www.theverge.com/2017/5/14/15637888/authorities-wannacry-ransomware-attack-spread-150-countries

[shadow] https://github.com/misterch0c/shadowbroker

[ms17-010] https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

[msft] https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks

[port445] https://isc.sans.edu/port.html?port=445

[pastebin] https://pastebin.com/aaW2Rfb6

[tearst0pper] https://www.renditioninfosec.com/2017/05/wanacry-because-your-organization-is-slow-to-patch-stop-the-tears-with-tearst0pper/

[msftsmbv1] https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012

[sans] https://www.sans.org/webcasts/special-webcast-wannacry-ransomeware-threat-105160


Johannes B. Ullrich, Ph.D. , Dean of Research, SANS Technology Institute

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Internet Storm Center Infocon Status