Tag: WannaCrypt

  • Petya and WannaCrypt Ransomware Propagation

    Ransomware is not new, as was covered in a previous post.  Over the past two months, however, the Internet has been overrun by two malware variants responsible for destroying an immense amount of data and crippling corporations.  In this post, we will use the concepts of access and authorization discussed in Think Like a Hacker to analyze how these two variants operate and better understand how they propagate.

    The Internet was introduced to a new type of ransomware on May 12, 2017 – one that leveraged an effective self-replicating (a.k.a. worm) capability to infect a large number of systems in a short amount of time.

    WannaCrypt propagated successfully primarily because it used a powerful remote code execution exploit dubbed EternalBlue.  Although the worm itself was novel, its use of EternalBlue was essentially a copy-and-paste of a publicly disclosed exploit for a vulnerability that Microsoft had already patched.

    EternalBlue

    On April 14, 2017, a series of exploits was published to the Internet by a group calling itself the ShadowBrokers.  This group had previously published other batches of exploits; however, none of the earlier disclosures was nearly as powerful as EternalBlue.  The vulnerability it targets had been fixed a month earlier, on March 14, 2017, by the update described in security bulletin MS17-010.

    EternalBlue is a tool which exploits a vulnerability in the Microsoft Windows implementation of the SMBv1 (SMB 1.0) protocol.  SMB is used heavily by Windows systems in an enterprise setting to transfer data between systems (file shares, printer shares and the administrative shares used by management tools), and many home users rely on the same protocol for file sharing.  For more detailed technical information about the vulnerability exploited by EternalBlue, check out CVE-2017-0144.

    EternalBlue is a remote code execution exploit, which means that successful execution of the exploit enables an attacker to run arbitrary code on the targeted host.  In the case of WannaCrypt, the arbitrary code was the malware itself, which is what produced the worming behavior.

    Access

    The widespread use of SMB throughout both public and private networks gave the malware access to a very large number of potentially vulnerable systems.  Once a machine became infected, any machine reachable from that host over SMB (TCP port 445) became the next potential victim.  This created a target-rich environment when paired with the worm capability implemented in WannaCrypt.
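    The EternalBlue description above and this Access paragraph both turn on one protocol detail: the vulnerable code path is SMBv1, and every host that will still negotiate SMBv1 is a candidate target.  The following is an added example, not code from the original post, that parses SMB Negotiate requests captured on TCP 445 (frame layouts per the public MS-CIFS and MS-SMB2 specifications) and flags clients that can only ever speak SMBv1.  The sample frames are constructed in the code, not captured traffic; the function and constant names are this example's own.

```python
"""Classify SMB Negotiate requests as SMBv1 or SMB2/3 and flag SMBv1-only clients.

Constructed sample frames; layouts follow MS-CIFS / MS-SMB2. Example code, not
from the original post.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72   # SMB_COM_NEGOTIATE
SMB2_NEGOTIATE = 0x0000     # SMB2 NEGOTIATE command code


def parse_negotiate(frame: bytes) -> dict:
    """Return {'version', 'command', 'dialects'} for one NetBIOS-framed SMB request."""
    # NetBIOS session header: type 0x00 (session message) + 3-byte big-endian length
    if len(frame) < 4 or frame[0] != 0x00:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(frame[1:4], "big")
    smb = frame[4:4 + length]
    if len(smb) != length:
        raise ValueError("truncated frame")
    if smb[:4] == SMB1_MAGIC:
        return _parse_smb1(smb)
    if smb[:4] == SMB2_MAGIC:
        return _parse_smb2(smb)
    raise ValueError("unknown SMB signature %r" % smb[:4])


def _parse_smb1(smb: bytes) -> dict:
    # 32-byte SMBv1 header: magic(4) command(1) status(4) flags(1) flags2(2) pid_high(2)
    # signature(8) reserved(2) tid(2) pid(2) uid(2) mid(2); WordCount/ByteCount follow
    command = smb[4]
    dialects = []
    if command == SMB1_COM_NEGOTIATE:
        word_count = smb[32]
        bc_off = 33 + 2 * word_count
        byte_count = struct.unpack_from("<H", smb, bc_off)[0]
        data = smb[bc_off + 2:bc_off + 2 + byte_count]
        # each dialect: 0x02 buffer-format byte + NUL-terminated ASCII string
        for entry in data.split(b"\x00"):
            if entry.startswith(b"\x02"):
                dialects.append(entry[1:].decode("ascii", "replace"))
    return {"version": "SMB1", "command": command, "dialects": dialects}


def _parse_smb2(smb: bytes) -> dict:
    # 64-byte SMB2 header; Command is the 16-bit LE field at offset 12
    command = struct.unpack_from("<H", smb, 12)[0]
    dialects = []
    if command == SMB2_NEGOTIATE:
        # body at 64: StructureSize(2) DialectCount(2) SecurityMode(2) Reserved(2)
        # Capabilities(4) ClientGuid(16) ClientStartTime/contexts(8) Dialects[]
        count = struct.unpack_from("<H", smb, 66)[0]
        dialects = ["0x%04x" % c for c in struct.unpack_from("<%dH" % count, smb, 100)]
    return {"version": "SMB2", "command": command, "dialects": dialects}


def negotiates_smb1_only(frame: bytes) -> bool:
    """True when the client can never be upgraded past SMBv1.

    SMB2-capable Windows clients still open with an SMBv1 Negotiate but advertise
    "SMB 2.002" / "SMB 2.???" so the server can switch; a client offering only
    legacy dialects is stuck on the protocol family EternalBlue targets.
    """
    info = parse_negotiate(frame)
    if info["version"] != "SMB1":
        return False
    return not any(d.startswith("SMB 2.") for d in info["dialects"])


# --- constructed sample frames (not captured traffic) --------------------------

def build_smb1_negotiate(dialects) -> bytes:
    header = (SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 4 + b"\x18"
              + b"\x53\xc8" + b"\x00" * 2 + b"\x00" * 8 + b"\x00" * 2
              + b"\xff\xff" + b"\xfe\xff" + b"\x00\x00" + b"\x00\x00")
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = header + b"\x00" + struct.pack("<H", len(data)) + data  # WordCount=0
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


def build_smb2_negotiate(codes) -> bytes:
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ", 64, 0, 0, SMB2_NEGOTIATE,
                                      0, 0, 0, 0, 0, 0, 0) + b"\x00" * 16
    body = (struct.pack("<HHHHI", 36, len(codes), 1, 0, 0) + b"\x00" * 16
            + b"\x00" * 8 + struct.pack("<%dH" % len(codes), *codes))
    smb = header + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb


LEGACY_CLIENT = build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0",
                                      "Windows for Workgroups 3.1a", "LM1.2X002",
                                      "LANMAN2.1", "NT LM 0.12"])
MULTIPROTOCOL_CLIENT = build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
SMB2_CLIENT = build_smb2_negotiate([0x0202, 0x0210, 0x0300, 0x0302, 0x0311])

if __name__ == "__main__":
    for name, frame in [("legacy", LEGACY_CLIENT), ("multiprotocol", MULTIPROTOCOL_CLIENT),
                        ("smb2", SMB2_CLIENT)]:
        print(name, parse_negotiate(frame), "SMBv1-only:", negotiates_smb1_only(frame))
```

    Feeding a sensor's TCP 445 payloads through `negotiates_smb1_only` produces the inventory you need before turning SMBv1 off: the legacy printers, NAS boxes and old hosts that will break are exactly the ones that never advertise an SMB 2.x dialect.  Note that the check is about what a client can negotiate, not whether a server is patched; MS17-010 status still has to be verified host by host.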

    Authorization

    The vulnerability exploited by EternalBlue can be triggered without credentials, so the authorization required to exploit it is effectively anonymous.  The flaw sits in the kernel-mode SMB server driver (srv.sys), so the exploit initially runs code in the kernel; the payload is then injected into a user-mode process running as the “SYSTEM” account.  Code running in this context is effectively unrestricted on the host.

    Effective Access and Authorization by Proxy

    WannaCrypt used this pattern to rapidly infect systems throughout the Internet, starting from a single vulnerable system and then infecting any unpatched host it could reach over TCP 445 (any machine that had not installed the MS17-010 update).

    When paired with the lack of authentication needed to execute the exploit, this provided a platform for a highly effective worm.

    Petya \ NotPetya

    Just as organizations were finishing their updates to avoid WannaCrypt, another worm entered the picture – Petya.  Like WannaCrypt, Petya leveraged EternalBlue to propagate rapidly.  Arriving on the heels of another EternalBlue worm meant fewer vulnerable systems remained available for attack.  Unfortunately, Petya did not stop at EternalBlue.

    Credential Theft

    Petya was the “enterprise” version of WannaCrypt, designed to take advantage of organizations with lax credential hygiene.  According to the write-up by the Microsoft Malware Protection Center, Petya contained a credential-dumping component with a large degree of similarity to Mimikatz, a tool commonly used for credential theft.

    Using credential theft and reuse (in the style of pass the hash) as a means of self-propagation is relatively new.  Traditionally, tools of this type are run manually by penetration testing teams hunting for enterprise configurations in which a single credential grants local administrative authority on multiple systems.  Petya is arguably the first widely documented case of this technique being used to drive worm behavior at scale.

    Petya’s use of credential theft tools shows a particular interest in attacking enterprise networks, as these tools are much more effective in environments where single sign-on or shared local administrator credentials are used.  Additionally, Petya’s focus on accounts logged on using Remote Desktop Protocol (RDP) further demonstrates its interest in enterprises.

    Successful credential theft enables the malware to masquerade as the stolen identity, giving it authorization equivalent to logging on with that credential.  In enterprises where every domain user is a member of the local “Administrators” group on workstations, a single stolen domain credential provides local administrator authority on every workstation.  If the stolen account has permissions beyond workstation administrator (for example, a domain admin or member server admin), that instance of the malware gains the full authority of that credential.

    An infected machine will attempt to use these credentials to copy the Petya malware to the new victim and then start it using either PsExec (a Microsoft Sysinternals remote execution tool) or WMIC (a command-line utility built into Windows), both of which are common administrative tools.
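    The credential theft, reuse and remote execution described in the three paragraphs above leave a recognizable trail in Windows Security logs, even though no single record is malicious on its own.  The following is an added example, not code from the original post or from Microsoft's write-up, that runs a simple correlation over constructed event records: a burst of NTLM network logons (event 4624, logon type 3) from one source address with one account to several hosts, joined with remote execution landing on those hosts as a PSEXESVC service install (event 7045) or a process whose parent is WmiPrvSE.exe (event 4688).  The records, host names, account names and thresholds are all constructed for the example; field names are shortened versions of the event text.

```python
"""Heuristic detection of credential-reuse propagation (PsExec / WMIC) over
constructed Windows Security events. Example code, not from the original post.
"""
from collections import defaultdict

PSEXEC_SERVICE = "PSEXESVC"      # service name PsExec installs on the target
WMI_HOST = "wmiprvse.exe"        # parent of processes created via WMI

# Constructed sample events (not real logs). 'ts' is seconds, 'id' the event ID.
EVENTS = [
    {"ts": 0, "id": 4624, "host": "WS-01", "logon_type": 2, "account": "CORP\\alice",
     "package": "Kerberos", "src_ip": "-"},
    {"ts": 60, "id": 4624, "host": "WS-02", "logon_type": 3, "account": "CORP\\helpdesk-admin",
     "package": "NTLM", "src_ip": "10.0.0.11"},
    {"ts": 61, "id": 7045, "host": "WS-02", "service": PSEXEC_SERVICE,
     "path": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": 63, "id": 4624, "host": "WS-03", "logon_type": 3, "account": "CORP\\helpdesk-admin",
     "package": "NTLM", "src_ip": "10.0.0.11"},
    {"ts": 64, "id": 4688, "host": "WS-03", "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\payload.exe"},   # constructed payload name
    {"ts": 66, "id": 4624, "host": "WS-04", "logon_type": 3, "account": "CORP\\helpdesk-admin",
     "package": "NTLM", "src_ip": "10.0.0.11"},
    {"ts": 70, "id": 4624, "host": "FS-01", "logon_type": 3, "account": "CORP\\helpdesk-admin",
     "package": "NTLM", "src_ip": "10.0.0.11"},
    # benign: a backup account touching two servers hours apart
    {"ts": 1000, "id": 4624, "host": "FS-02", "logon_type": 3, "account": "CORP\\svc-backup",
     "package": "Kerberos", "src_ip": "10.0.0.50"},
    {"ts": 9000, "id": 4624, "host": "FS-03", "logon_type": 3, "account": "CORP\\svc-backup",
     "package": "Kerberos", "src_ip": "10.0.0.50"},
]


def logon_fanout(events, window=300, min_hosts=3):
    """Return {(src_ip, account): sorted target hosts} for NTLM network-logon bursts."""
    by_key = defaultdict(list)
    for ev in events:
        if ev["id"] == 4624 and ev["logon_type"] == 3 and ev["package"] == "NTLM":
            by_key[(ev["src_ip"], ev["account"])].append((ev["ts"], ev["host"]))
    hits = {}
    for key, items in by_key.items():
        items.sort()
        lo = 0
        for hi in range(len(items)):          # sliding time window over the logons
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            hosts = {h for _, h in items[lo:hi + 1]}
            if len(hosts) >= min_hosts:       # keep the largest window seen
                hits[key] = sorted(hosts)
    return hits


def remote_exec_indicators(events):
    """Return {host: technique} where PsExec or WMI remote execution touched the host."""
    found = {}
    for ev in events:
        if ev["id"] == 7045 and ev.get("service", "").upper() == PSEXEC_SERVICE:
            found[ev["host"]] = "psexec-service-install"
        elif ev["id"] == 4688 and ev.get("parent", "").lower().endswith(WMI_HOST):
            found[ev["host"]] = "wmi-spawned-process"
    return found


def correlate(events):
    """Join logon fan-out with execution indicators on the same target hosts."""
    execs = remote_exec_indicators(events)
    alerts = []
    for (src_ip, account), hosts in logon_fanout(events).items():
        alerts.append({"src_ip": src_ip, "account": account, "targets": hosts,
                       "execution": {h: execs[h] for h in hosts if h in execs}})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

    Two caveats a practitioner would want.  NTLM type 3 logons are routine in most networks, so the burst (many distinct hosts from one source in a short window) is the signal, and `window` and `min_hosts` need tuning to the environment; a lone administrator running PsExec against one box should not fire.  And this only sees what Petya's path happens to leave behind: a stolen Kerberos ticket would not appear as NTLM, and event 4688 only carries the parent process name on Windows 10 / Server 2016 and later with process creation auditing enabled.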

    Access

    Replication using EternalBlue is highly similar to WannaCrypt, therefore it doesn’t bear repeating.

    Where EternalBlue does not work, Petya attempts to use credentials stolen by its credential theft tool to connect to potential targets over SMB and copy itself to an administrative share.  Therefore, in either path, SMB must be reachable for Petya to propagate at all.

    PsExec uses SMB to communicate with a target, which is presumably available if the malware is able to propagate in the first place.  WMIC, on the other hand, uses Windows Management Instrumentation (WMI), which is carried over DCOM / Remote Procedure Call (RPC).  If the malware must use this means of propagation, an additional form of access is required: TCP port 135 (the RPC endpoint mapper) plus the dynamically assigned port the target's WMI service is listening on (by default somewhere in 49152–65535 on Windows Vista / Server 2008 and later, or 1025–5000 on older versions, unless an administrator has pinned the range).  WMIC was likely included as a work-around for higher-security environments that block or alert on PsExec.

    Authorization

    If the target machine is not vulnerable to EternalBlue, Petya will attempt to use credentials stolen on its currently infected host to infect the new victim.  To succeed, the stolen credential must have local administrative authorization (or equivalent) to the new infection target to enable copying of the Petya malware to the new target.

    Unfortunately, many organizations grant administrative authority broadly within the enterprise so that users can install their own software or run legacy applications.  In addition, many organizations do not yet protect the credentials of administrative accounts through credential hygiene or Credential Guard (a feature of Windows 10 Enterprise and Windows Server 2016).  As such, these enterprises remain vulnerable to credential theft and reuse attacks.

    Protection

    Defense against malware such as the Petya worm requires security to be implemented in systems architecture, since software is only a part of the issue.  Widespread use of accounts with local administrator authority can pose significant risk to an enterprise.  Utilize techniques such as Service Centric Architecture to limit exposure of high value accounts.  Additionally, Bring Your Own Device (BYOD) design can limit exposure to this class of attack by ensuring devices used by end users cannot expose credentials with administrative authorization to enterprise resources (i.e., non-domain member systems).

    In addition, it is important to ensure machines throughout your enterprise remain at the latest patch level to avoid infection using recently discovered software exploitation techniques.

    Last, always ensure your machine is running antimalware software with the latest definitions.  Antimalware companies focus heavily on detecting and preventing self-propagating malware such as the WannaCrypt and Petya ransomware worms.

  • Understanding Ransomware, Such as WannaCrypt, and their Origins and Evolution

    Recently, the world was reminded of the impact that a simple piece of commodity malware can have when paired with a remotely exploitable vulnerability. WannaCrypt, a ransomware worm first seen en masse on May 12, 2017, demonstrated that although we have come a very long way in information security, we still have many improvements to make. To better understand the situation, let’s take a look at ransomware’s origins.

    AIDS Info

    WannaCrypt follows in the footsteps of a long line of ransomware predecessors.  The earliest recorded ransomware is the AIDS Info Trojan, first seen around December of 1989.  A pioneer of its time, AIDS Info was distributed on floppy disks and lay dormant until its host had been booted a set number of times (around 90).  To keep count, the malware replaced AUTOEXEC.BAT (the batch file DOS ran at every boot) with its own copy; when the count was reached, it hid directories and encrypted the names of files on the C: drive.  The ransom portion?  AIDS Info included a EULA which demanded payment of $189 or $378 to PC Cyborg Corporation for a “license” to the software.

    Malware that encrypts only file names is far less devastating than malware that encrypts the data itself, but for its time it was highly impactful.  A better example of modern ransomware is the infamous Cryptolocker, which began widespread distribution in late 2013 and spread as an e-mail attachment.

    Cryptolocker

    Cryptolocker was significant in a number of ways.  First, it used asymmetric cryptography to protect the keys used to encrypt the target’s data.  For those who are unfamiliar, asymmetric cryptography uses a pair of mathematically related keys: data encrypted with the public key can only be decrypted with the corresponding private key.  Because the attackers kept the private key and only the public key ever reached the victim’s machine, nothing on the infected system could be used to recover the data.

    Second, the rise of bitcoin enabled pseudonymous payments that were hard to trace.  Money transferred between Cryptolocker victims and the criminal group moved outside the banking system, making it difficult to identify the attackers.

    Last, the servers used to interact with victims were hosted on the Tor anonymity network as hidden services.  This meant the servers’ real network addresses were concealed, enabling the attackers to remain hidden while negotiating with victims.

    SamSam \ Samas

    While effective, Cryptolocker still required the victim to initiate the malware – typically by opening a malicious e-mail attachment.  In early 2016, a hacking group created a new ransomware variant that was spread manually: the attackers broke into the target’s network and distributed the executable themselves, commonly using PsExec.  This malware, known as SamSam or Samas, began by targeting hospitals.

    The SamSam group initially identified numerous Internet-facing servers that remained vulnerable to a long-patched flaw in JBoss, a suite of middleware commonly used in Java development efforts.  The vulnerability targeted by SamSam, CVE-2010-0738, had been identified and patched years before the group began exploiting it for ransomware distribution.  Initial targets were primarily hospitals and medical facilities; the group later moved on to breaking into servers that exposed Remote Desktop Protocol (RDP) to the Internet.

    SamSam changed the game in that it was the first major ransomware variant to actively exploit vulnerabilities in an enterprise for purposes of distribution.  Much like Cryptolocker, payments were made using bitcoin to a server hosted on the Tor network.

    WannaCrypt

    Today, we are dealing with a new evolution in ransomware – WannaCrypt is the first ransomware to spread as a self-replicating network worm at Internet scale.  Its worm capability comes from exploiting a recently disclosed vulnerability in Microsoft’s SMBv1 implementation, exposed in a dump of hacking tools allegedly developed by the NSA.  The vulnerability, addressed by bulletin MS17-010, provided remote code execution to anonymous users over the SMB protocol.

    The worm capability enabled WannaCrypt to spread very quickly – impacting hundreds of thousands of machines within a day or two.  Despite the patch having been published two months earlier, WannaCrypt brought to light the large number of machines that were not up to date.

    Lessons Learned

    Ransomware has taught us some painful lessons in the past; however, we seem to remain susceptible to new variants.  Here are a few lessons we should all take to heart to limit the impact of ransomware in the future.

    Keep up-to-date on patches

    Both SamSam and WannaCrypt exploited vulnerabilities that had already been patched.  Keeping your systems up-to-date reduces their susceptibility to attack.

    Additionally, be sure to implement a patch management strategy for all software in your environment.  Software with remotely exploitable vulnerabilities may yield the ability to execute code up to the privilege level that the vulnerable process executes under.  If that process can write to a file, so can ransomware.

    Limit excessive user permissions

    A standard user can encrypt any file that they have write access to – whether it is on their own system or not.  As such, ransomware can infect a single host and encrypt files on a file server.  Limiting where users are able to write protects those files from tampering in the event of a ransomware attack.

    Ensure antimalware is up-to-date

    Many ransomware variants are identified and addressed by antimalware technologies rapidly; however, if antivirus definitions are out-of-date your machine remains susceptible to attack.

    Additionally, some antimalware vendors, such as Microsoft, offer near-real-time cloud protection against malware that is not yet in the machine’s local signature files.  One example is the Microsoft Active Protection Service (MAPS), which checks suspicious files against the cloud to determine whether they match newly published signatures.

    Always have a backup

    Backups are very important when recovering from a ransomware attack.  Additionally, ensure that an offline backup of highly valuable data is performed periodically – attackers have been known to destroy online backups.

    Limit network-accessible ports

    WannaCrypt requires a vulnerable instance of Windows’ SMB service to propagate using its worm capability.  Using the Windows Firewall to block inbound SMB connections (TCP 445) where they are not needed, and disabling SMBv1 where it is no longer required, limits the exposure of your endpoints.

    Prevent execution of unapproved executables

    In most cases, ransomware is invoked by a user running software obtained from an untrusted source, such as an e-mail attachment.  Allowing users to run code arbitrarily downloaded from the Internet poses a risk to any writeable data store.

    To reduce this risk, consider preventing execution of programs from directories where users have write permissions using a capability such as Microsoft AppLocker.  This approach takes time and testing, but limiting locations where programs can be executed will ultimately protect your organization and its data from an unknowing user putting it at risk.

    DISCLAIMER: Opinions and statements made within this article are solely the opinion of the author and do not reflect those of his employer or their affiliates.