Summary

The Nyetya attack was a destructive ransomware variant that affected many organizations inside of Ukraine and multinational corporations with operations in Ukraine. In cooperation with Cisco Advanced Services Incident Response, Talos identified several key aspects of the attack. The investigation found a supply chain-focused attack at M.E.Doc software that delivered a destructive payload disguised as ransomware. By utilizing stolen credentials, the actor was able to manipulate the update server for M.E.Doc to proxy connections to an actor-controlled server. Based on the findings, Talos remains confident that the attack was destructive in nature. The effects were broad reaching, with Ukraine Cyber police confirming over 2000 affected companies in Ukraine alone.
This is taken from the nmap seclist page. A script for nmap has been written that should allow you to scan your network to determine if it's vulnerable. It may not be perfect, but I am sure it will help someone out there.
Hey list, I need some help testing the script smb-vuln-ms17-010. I tested it on a vulnerable win7 machine and it works as expected but I suspect there might be some issues with newer Windows versions and certain smb configurations (v2 authentication protocols with signing enabled). Don't forget to send me packet captures if you run into servers that are incorrectly marked as not vulnerable. Cheers!

smb-vuln-ms17-010: https://github.com/cldrn/nmap-nse-scripts/blob/master/scripts/smb-vuln-ms17-010.nse

description = [[
Attempts to detect if a Microsoft SMBv1 server is vulnerable to a remote code execution vulnerability (ms2017-010). The script connects to the $IPC tree, executes a transaction on FID 0 and checks if the error "STATUS_INSUFF_SERVER_RESOURCES" is returned to determine if the target is not patched against CVE2017-010. Tested on a vulnerable Windows 7. We might have some issues with v2 protocols with signing enabled.

References:
* https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
* https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/
* https://msdn.microsoft.com/en-us/library/ee441489.aspx
* https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/smb/smb_ms17_010.rb
]]

Paulino Calderon Pale || @calderpwn on Twitter || http://www.calderonpale.com
— Florian Roth (@cyb3rops) 15 May 2017
It seems the initial wave has been stopped by researchers, and then we had another one, as detailed in the link below.
More good information, and I suggest reading through it all if you have not done so already. This is a bad weekend for businesses and infrastructure that are using older systems, but it's been a good weekend for the infosec community in coming together and helping and sharing a lot of good information with each other.
There is a tool you can run on a host that will stop the ransomware from encrypting your machine; however, it will still attempt to spread over your network.
— Hacker Fantastic (@hackerfantastic) May 14, 2017
The big news over the past 24 hours, especially here in the UK, is that the NHS has been hit with a large ransomware attack.
This is a pretty good write up of what was known at the time.
There have been easy fixes for this available for the past 2 months, and it was just a matter of time until the tools that were developed by our American friends would be used against the general public.
Hopefully this is a lesson learned for many organisations, and they realise that patching and running fairly up-to-date operating systems is important and not just something to achieve compliance.
A few more articles that contain good information about these events.
Also of note.
If you use intitle:"index of" "@WanaDecryptor@.exe" as a search on Google, at the time of this update there are 67 results.
Not a good weekend for the world of IT admins.
The GitHub link referenced below is being kept up to date and contains some very good and useful information.
— Hacker Fantastic (@hackerfantastic) 13 May 2017
hxxp://petroffpianostudio[.]com/ (This may now be cleaned up at the time of posting)
It looks like the aforementioned webpage is infected with a redirect to download suspect files.
Traffic observed after the infection suggests that it will attempt to download executable files from a few different locations:
hxxp://talk-of-the-tyne.co.uk/download1264/
hxxp://willy.pro.br/download3299/
hxxp://freight.eu.com/download3696/
The analysis of the files on Hybrid Analysis does confirm that these are malicious files.
Once the executable file is on the host machine, it then attempts to call out to the following.
Upon further analysis we have another file which has been downloaded from the following location.
I revisited the links later in the day and have a bit more detail: we can see they are still serving executable files. Chrome is now blocking these files and flagging them as malicious, and so is Internet Explorer. I have not tried them on Firefox at this time.
GET /download3299/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-gb
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Accept-Encoding: gzip, deflate
Host: willy.pro.br
Cache-Control: max-age=259200
Connection: keep-alive

HTTP/1.1 200 OK
Date: Wed, 12 Apr 2017 18:16:51 GMT
Content-Type: application/octet-stream
Connection: keep-alive
Keep-Alive: timeout=15
Server: Apache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Tue, 08 Jan 1935 00:00:00 GMT
Pragma: no-cache
Content-Disposition: attachment; filename="6274.exe"
Content-Transfer-Encoding: binary

GET /download1264/ HTTP/1.1
Accept: application/x-ms-application, image/jpeg, application/xaml+xml, image/gif, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-GB
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Accept-Encoding: gzip, deflate
Host: talk-of-the-tyne.co.uk
Cache-Control: max-age=259200
Connection: keep-alive

HTTP/1.1 200 OK
Date: Wed, 12 Apr 2017 18:16:09 GMT
Server: Apache
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Tue, 08 Jan 1935 00:00:00 GMT
Pragma: no-cache
Content-Disposition: attachment; filename="5198.exe"
Content-Transfer-Encoding: binary
Vary: User-Agent
X-Powered-By: PleskLin
MS-Author-Via: DAV
Keep-Alive: timeout=15, max=100
Connection: Keep-Alive
Content-Type: application/octet-stream

GET /lDu52756eeJMW/ HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3)
Host: matchpointpro.com
Cache-Control: max-age=259200
Connection: keep-alive

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 12 Apr 2017 18:11:09 GMT
Content-Type: application/octet-stream
Connection: keep-alive
Keep-Alive: timeout=15
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Tue, 08 Jan 1935 00:00:00 GMT
Pragma: no-cache
Content-Disposition: attachment; filename="5345.exe"
Content-Transfer-Encoding: binary
ngpass_ngall: 1
I am still in the process of building my analysis lab, so this is not quite how I would like to post, but some information is better than none.
Saw this article today and it's quite interesting.
A quick search of the string "1760468715" shows there are quite a few websites that have been compromised.
This is quite a clever but old technique that is referred to as dotless IP addresses. A Google search will find quite a few results, with several posts from around 15 or so years ago.
In order to work out the IP address the value represents, you can perform a fairly straightforward calculation: each octet is multiplied by a power of 256 (256^3, 256^2, 256^1 and 256^0) and the products are added together.

If you had the IP address 172.16.4.8, you can calculate this as follows:
172 * 16777216 = 2885681152
16 * 65536 = 1048576
4 * 256 = 1024
8 * 1 = 8
Add the four products together: 2885681152 + 1048576 + 1024 + 8 = 2886730760.
So if you were to enter this address in your browser, http://2886730760, it would attempt to take you to 172.16.4.8.
Just another way of hiding in plain sight.
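To make the calculation above repeatable, here is an added Python example (my own code, not from the article being discussed) that converts a dotted-quad address to its dotless decimal form and back using the same four multipliers, and then scans a block of HTML for http:// URLs whose host is a bare decimal number, decoding each one so it can be checked against a blocklist or logged. The sample HTML snippet is constructed for the example and embeds the 1760468715 value from the post.

```python
import re

# Per-octet multipliers as used in the post: 256**3, 256**2, 256**1, 256**0
OCTET_WEIGHTS = (16777216, 65536, 256, 1)


def ip_to_dotless(ip: str) -> int:
    """Convert a dotted-quad IPv4 address into its single decimal (dotless) form."""
    octets = [int(part) for part in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    # 172.16.4.8 -> 172*16777216 + 16*65536 + 4*256 + 8*1
    return sum(o * w for o, w in zip(octets, OCTET_WEIGHTS))


def dotless_to_ip(value: int) -> str:
    """Reverse the calculation: split a 32-bit integer back into four octets."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{value} does not fit in 32 bits")
    # Integer-divide by each weight and keep the remainder modulo 256
    octets = [(value // w) % 256 for w in OCTET_WEIGHTS]
    return ".".join(str(o) for o in octets)


# A URL whose host is only digits, the form a browser silently accepts.
# The lookahead stops the match at a path, port, query, fragment or quote.
DOTLESS_URL = re.compile(r"https?://(\d{1,10})(?=[/:?#\s\"']|$)")


def find_dotless_urls(text: str) -> list:
    """Return (raw_host, decoded_ip) pairs for every dotless-IP URL in text."""
    hits = []
    for m in DOTLESS_URL.finditer(text):
        value = int(m.group(1))
        if value <= 0xFFFFFFFF:  # skip numbers too large to be an IPv4 address
            hits.append((m.group(1), dotless_to_ip(value)))
    return hits


# Constructed sample page fragment, not captured from a real site.
SAMPLE_HTML = """
<script type="text/javascript" src="http://1760468715/js/loader.js"></script>
<a href="http://www.example.com/page">normal link</a>
<img src="http://2886730760/pixel.gif">
"""

if __name__ == "__main__":
    print(ip_to_dotless("172.16.4.8"))      # 2886730760
    print(dotless_to_ip(2886730760))        # 172.16.4.8
    for raw, decoded in find_dotless_urls(SAMPLE_HTML):
        print(f"dotless host {raw} -> {decoded}")
```

Running the scan over a saved copy of a suspect page, or over proxy logs, gives the decoded addresses directly, which is what you would feed into a reputation lookup or a firewall rule rather than the raw integer.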