Shadow Brokers Response Team

https://steemit.com/shadowbrokers/@theshadowbrokers/theshadowbrokers-monthly-dump-service-june-2017

 

Q: What is going to be in the next dump?

TheShadowBrokers is not deciding yet. Something of value to someone. See theshadowbrokers’ previous posts. The time for “I’ll show you mine if you show me yours first” is being over. Peoples is seeing what happenings when theshadowbrokers is showing theshadowbrokers’ first. This is being wrong question. Question to be asking “Can my organization afford not to be first to get access to theshadowbrokers dumps?”

 

So the Shadowbrokers will be releasing more allegedly NSA tools this coming month, as referenced in this story – http://bgr.com/2017/05/30/shadow-brokers-nsa-exploits-subscription/.

They are asking for Zcash to be used to purchase access to these latest exploits, which is around the $20k or so.  Now based on what happened in early May with Wannacry and the impact we saw in the UK, this is a concern for us all.  It did not take long from the initial release for someone to take advantage of these tools and weaponize them that had a large scale impact.  The positive side of this, is that now I believe many companies have had a wake up call and have learnt some lessons with regards to patching their systems and paying attention to when the security guy’s tell them to keep software and operating systems updated.

So now we have a couple of weeks until more tools are going to be released, I’m a bit indifferent if I agree with the current thinking of paying to get access to these tools.  This is a sound idea.  Get access to the exploits, research and work with vendors for them to be fixed, that is very commendable.  However it does open up a whole host of ethics and are we essentially going to be held to ransom everytime this happens in the future?  I’m not quite sure if this is the right approach.  With that said, there is the link below to the patreon page, that has more information and you can donate to the cause if you wish.

https://www.patreon.com/shadowbrokers_crisis_team

 

The group calling itself the Shadow Brokers have released several caches of exploits to date. These caches and releases have had a detrimental outcome on the Internet at large, one leak especially resulted in the now in-famous WannaCry ransomware worm – others have been used by criminal crackers to illegally access infrastructure. Many have been analysing the data to determine its authenticity and impact on infrastructure, as a community it has been expressed that the harm caused by exploits could have been mitigated against had the Shadow Brokers been paid for their disclosures.

 

This is an interesting read, that alludes to that the NSA did inform microsoft once the EnternalBlue software was stolen from the NSA.

 

The consequences of the NSA’s decision to keep the flaw secret, combined with its failure to keep the tool secure, became clear Friday when reports began spreading of a massive cyberattack in which the WannaCry software encrypted data on hundreds of thousands of computers and demanded a ransom to decrypt it.

https://www.washingtonpost.com/business/technology/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did/2017/05/16/50670b16-3978-11e7-a058-ddbb23c75d82_story.html?utm_term=.762b4cedfb72

 

 

UIWIX Ransomware

It was just a matter of time until other organisations or individuals followed the path set by WannaCry last weekend.

Seems there is another variant of ransomware doing the rounds which is exploiting the same loop hole as WannaCry is using port 445 to enumerate and infect other machines on your internal and then external networks.  It is exploiting the same SMB vulnerability (MS17-010).

Mitigation – Just need to  make sure you have the latest updates from microsoft.

If you see traffic to these domains, its likely not good!

aa1[.]super5566[.]com
07[.]super5566[.]com
a1[.]super5566[.]com
www[.]super5566[.]com
08[.]super5566[.]com

https://www.hybrid-analysis.com/sample/c72ba80934dc955fa3e4b0894a5330714dd72c2cd4f7ff6988560fc04d2e6494?environmentId=100

https://www.hybrid-analysis.com/sample/c72ba80934dc955fa3e4b0894a5330714dd72c2cd4f7ff6988560fc04d2e6494?environmentId=100

SMB Vulnerability MS17-010 NSE – Script to detect MS17-010 (WannaCry Ransomware)

This is taken from the nmap seclist page.  A script for nmap has been written that should allow you to scan your network to determine if its vulnerable.  It may not be perfect but I am sure it will help someone out there.

http://seclists.org/nmap-dev/2017/q2/79
Hey list,

I need some help testing the script smb-vuln-ms17-010. I tested it on a vulnerable win7 machine and it works as 
expected but I suspect there might be some issues with newer Windows versions and certain smb configurations (v2 
authentication protocols with signing enabled).

Don't forget to send me packet captures if you run into servers that are incorrectly marked as not vulnerable. 

Cheers!

smb-vuln-ms17-010: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse 
description = [[
Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code
 execution vulnerability (ms2017-010).

The script connects to the $IPC tree, executes a transaction on FID 0 and
 checks if the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to
 determine if the target is not patched against CVE2017-010.

Tested on a vulnerable Windows 7. We might have some issues with v2 protocols with
 signing enabled.

References:
* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
* https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
* https://msdn.microsoft.com/en-us/library/ee441489.aspx
* https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb 
]]



Paulino Calderon Pale || @calderpwn on Twitter || http://www.calderonpale.com


WannaCrypt Ransomware Part 2

It seems the initial wave has been stopped by Researchers, and then we had another one as detailed in the link below.

https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e

More good information and I suggest reading through it all if you have not done so already.  This is a bad weekend for business and infrastructure that is using older systems, but its been a good weekend for the infosec community in coming together and helping and sharing alot of good information with each other.

 

There is a tool you can run on a host that will stop the ransomware from encrypting your machine, however it will still attempt to spread over your network.

Download Here

 

 

wcrypt activity map

 

WannaCrypt Ransomware

In what has been big news over the past 24 hours.  Especially here in the UK is that the NHS has been hit with a large ransomware attack.

http://www.bbc.co.uk/news/technology-39901382

http://blog.talosintelligence.com/2017/05/wannacry.html?m=1

This is a pretty good write up of what was known at the time.

There have been easy fixes for this available for the past 2 months and it was just a matter of time until the tools that were developed by our American Friends, that they would be used against the general public.

Hopefully this is lessons learned for many organisations, and they realise that patching and running fairly up to date operating systems is important and not just something to achieve compliance.

Few more articles that contain good information about these events.

https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/

https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html

 

Also of note.

wannadecrypt

 

If you use intitle:”index of” “@WanaDecryptor@.exe” as a search on google, at the time of this update there are 67 results.

Not a good weekend for the world of IT admins.

The github link referenced below is being kept up today and contains some very good and useful information.

 

 

Protecting customers and evaluating risk – Microsoft

In what feels like perfect timing from Microsoft, it seems they had already released patches for some if not all of the exploits released these past few days by the file dump by the ShadowBrokers.

 

Code Name Solution
EternalBlue Addressed by MS17-010
EmeraldThread Addressed by MS10-061
EternalChampion Addressed by CVE-2017-0146 & CVE-2017-0147
“ErraticGopher” Addressed prior to the release of Windows Vista
EsikmoRoll Addressed by MS14-068
EternalRomance Addressed by MS17-010
EducatedScholar Addressed by MS09-050
EternalSynergy Addressed by MS17-010
EclipsedWing Addressed by MS08-067

 

This has been taken straight from the Microsoft Blog.

Regardless how this happens does not matter, it is just good to know that most if not all of these issues released are patched.

***On 17th April, we have a news article on the BBC that actually covers this story by Microsoft

http://www.bbc.co.uk/news/technology-39620534

It is good to see that we are getting better as an industry to fix and patch these exploits.

 

 

NSA Tools in the Wild

Further apparent NSA tools have been released and this time there is alot more information contained with the files.  This tool in particular looks quite similar to metasploit.

@hackerfantastic have been investigating these tools and posting their findings, I believe there are going to be fun times in the next week or so!

Infected Webpage

hxxp://petroffpianostudio[.]com/ (This may now be cleaned up at the time of posting)

It looks like the the aforementioned webpage is infected with a redirect to download suspect files

Traffic observed after the infection suggests that it will attempt to download executable files from a few different locations.

hxxp://talk-of-the-tyne.co.uk/download1264/
hxxp://willy.pro.br/download3299/
hxxp://freight.eu.com/download3696/

The analysis of the files on hybrid analysis does confirm that these are malicious files

https://www.hybrid-analysis.com/sample/e8d2f149de58eb45b398a84d6d27d568ab1d239584edcb55531fe11da2f9c51b?environmentId=100

Once the executable file is on the host machine, it then attempts to call out to the following

173.230.137.155
206.214.220.79

Upon further analysis we have another file which has been downloaded from the following location

hxxp://matchpointpro.com/lDu52756eeJMW/

https://www.virustotal.com/en/file/4b97fa91d9f33392fde84a2af3500a78621a71b80b3d3486a7b70cdd47187ce3/analysis/1492020556/

https://www.hybrid-analysis.com/sample/4b97fa91d9f33392fde84a2af3500a78621a71b80b3d3486a7b70cdd47187ce3?environmentId=100

I revisited the links later in the day and have a bit more details, we can see they are still serving executable files. Chrome is now blocking and suggesting these files are malicious, and also so is internet explorer. I have not tried them on firefox at this time.

GET /download3299/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Accept-Encoding: gzip, deflate
Host: willy.pro.br
Cache-Control: max-age=259200
Connection: keep-alive

HTTP/1.1 200 OK
Date: Wed, 12 Apr 2017 18:16:51 GMT
Content-Type: application/octet-stream
Connection: keep-alive
Keep-Alive: timeout=15
Server: Apache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Tue, 08 Jan 1935 00:00:00 GMT
Pragma: no-cache
Content-Disposition: attachment; filename="6274.exe"
Content-Transfer-Encoding: binary


GET /download1264/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-GB
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Accept-Encoding: gzip, deflate
Host: talk-of-the-tyne.co.uk
Cache-Control: max-age=259200
Connection: keep-alive

HTTP/1.1 200 OK
Date: Wed, 12 Apr 2017 18:16:09 GMT
Server: Apache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Tue, 08 Jan 1935 00:00:00 GMT
Pragma: no-cache
Content-Disposition: attachment; filename="5198.exe"
Content-Transfer-Encoding: binary
Vary: User-Agent
X-Powered-By: PleskLin
MS-Author-Via: DAV
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream


GET /lDu52756eeJMW/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Host: matchpointpro.com
Cache-Control: max-age=259200
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 12 Apr 2017 18:11:09 GMT
Content-Type: application/octet-stream
Connection: keep-alive
Keep-Alive: timeout=15
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Tue, 08 Jan 1935 00:00:00 GMT
Pragma: no-cache
Content-Disposition: attachment; filename="5345.exe"
Content-Transfer-Encoding: binary
ngpass_ngall: 1

 

Still in the process of building my Analysis Lab, so this is not quite how I would like to post, but some information is better than none.