Petnya Post-Mortem: Wiper, not Ransom

This wasn’t just another ransomware attack. It marks a pivot. Because these are the games nationstates play. With collateral damage and no impunity because attribution is hard. We left brick and mortar behind some time ago, when the battlefield moved to cyberspace, where there are no boundaries. Moreover, whatever previous rules of battle we followed do not apply.

There was a one-two punch, with the events out of the Ukraine Thursday morning.  Absolutely things were connected and we need to remember that going forward. Bigger picture. Because a lot is at play right now. From my vantage point, as a Poli Sci grad, cyber security is intrinsically tied to whatever is going on in the larger arena. National security. Global security. The whims of the powers that be dictate their machinations of technology, which has become their new and shiny arsenal. They’ve been at it for a while now, but unlike conventional physical battlefields, we don’t witness what plays out until we’re impacted.

What’s critical to me is that this attack was presented as ransomware to throw us off. As described by The Grugq:

This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of “ransomware.”

This was actually a targeted attack against Ukraine, using malware that was highly destructive. This attack was never about making money. It was all about taking down systems and taking away access to essential service, as per this illustration from the blog post by The Grugq :

 

 

 

 

 

 

 

 

 

Think CIA – confidentiality, integrity, accessibility. Ransomware and wiperware go after accessibility. And in our world, downtime can equal death, figuratively as well as literally (think hospitals and critical infrastructure).  As Leslie Carhart says:

Blood is in the Water -Not only have criminals found that ransomware is a great money-making scheme, but nation states and terrorist organizations have realized pseudo-ransomware makes a misleading and effective weapon. A weapon that can cause collateral damage, globally.

 

 

 

 

 

 

There have been some excellent reviews of what this attack was about, and how the Eternal Blue exploit released via ShadowBrokers was yet again leveraged against unpatched systems. Key takeaways were:

  • Unpatched systems will continue to be our undoing and exploited. We’re more at risk now because of that cache of exploits being lobbed at us monthly via the ShadowBrokers.
  • Lateral movement within networks works for attackers and infection spread. Segment. Segregate. Flat networks are an attacker’s dream.
  • Multiple infection vectors. There were as many as 4 ways for the target to be compromised.
  • Backup and test how those restore. Don’t assume anything. And keep backups off the main network
  • Windows.  Everyone uses it. Powershell. Sysinternals. AD. PSExec. Let’s keep learning about these because the attackers sure as heck know what they can do with them.

We know what er are not doing well. It’s catching up with us. Let me end with these words of wisdom by Leslie:

Defense in depth, including human threat hunting and effective detection and prevention at many points, is key. This will involve policy and financial buy-in from many lagging organizations at a new level.

And this sums it up:

 

 

 

 

 

 

These blog posts say everything I could ever want you to know, only better. Please read them:

The Grugq: Pnetya: Yet Another Ransomware Outbreak  .

Leslie Carhart @hacksforpancakes:  Why NotPetya Kep Me Awake (And You Should Worry Too)

Cisco Talos Blog: New Ransomware Variant Netnya Compromises Systems Worldwide

Advertisements

Update: WannaCry Ransomware

 

pewmap

real time botnet tracking map by http://www.malwaretech.com

The number of countries impacted is over 1 00. We are expecting version 2.0 to hit by Monday, because that’s the nature of  these attacks: the attackers know when they have their victims over a barrel, and the maximize the opportunity. Microsoft has issued patches. But what everyone can and must do, over and above applying these specific patches, is this:

  • Ensure you have full, and working backups that are offline and removed from the network.
  • Have a Disaster Recovery/Business Continuity plan that specifically addresses cyber events like this one
  • Be ready with a crisis communications designated spokesperson and prepared statements. If you’ve been hit, and things are going terribly wrong, then you don’t want to be dealing with that and trying to say the right things to press, staff, stakeholders
  • Check in with and listen to your network and sysadmins. They know what’s going on out there. They’ve seen the sh*t that happens, what breaks, and why
  • Don’t evade or deflect this topic. Don’t underplay it, and of course don’t focus on the fear. Have honest discussions with your staff because this is how you creating lasting awareness and create change in behaviours that will better secure your organization

I follow these two experts on the risks to specialized systems, notably ICS or Industrial Control Systems and SCADA, Supervisory Control and Data Acquisition. Note that medical facilities, mass transit, manufacturing and utilities all rely on these specialized systems that are proprietary;  are often set up with hard coded or default passwords that are NOT secure; and with older equipment that just can’t be upgraded so is left to run unpatched until it fails. There is so much more we need to address.

Here is a global snapshot (per CTV news):

russiatrain

Russian Train Control Center Ransomwared

EUROPEAN UNION: Europol’s European Cybercrime Centre, known as EC3, said the attack “is at an unprecedented level and will require a complex international investigation to identify the culprits.”
BRITAIN: Britain’s home secretary said the “ransomware” attack hit one in five of 248 National Health Service groups, forcing hospitals to cancel or delay treatments for thousands of patients — even some with serious aliments like cancer.
GERMANY: The national railway said Saturday departure and arrival display screens at its train stations were affected, but there was no impact on actual train services. Deutsche Bahn said it deployed extra staff to help customers.
RUSSIA: Two security firms — Kaspersky Lab and Avast — said Russia was hit hardest by the attack. The Russian Interior Ministry, which runs the country’s police, confirmed it was among those that fell victim to the “ransomware,” which typically flashes a message demanding payment to release the user’s data. Spokeswoman Irina Volk was quoted by the Interfax news agency Saturday as saying the problem had been “localized” and that no information was compromised. Russia’s health ministry said its attacks were “effectively repelled.”
UNITED STATES: In the U.S., FedEx Corp. reported that its Windows computers were “experiencing interference” from malware, but wouldn’t say if it had been hit by ransomware. Other impacts in the U.S. were not readily apparent.
TURKEY: The head of Turkey’s Information and Communication Technologies Authority or BTK says the nation was among those affected by the ransomware attack. Omer Fatih Sayan said the country’s cyber security centre is continuing operations against the malicious software.
FRANCE: French carmaker Renault’s assembly plant in Slovenia halted production after it was targeted. Radio Slovenia said Saturday the Revoz factory in the southeastern town of Novo Mesto stopped working Friday evening to stop the malware from spreading.
BRAZIL: The South American nation’s social security system had to disconnect its computers and cancel public access. The state-owned oil company Petrobras and Brazil’s Foreign Ministry also disconnected computers as a precautionary measure, and court systems went down, too.
SPAIN: The attack hit Spain’s Telefonica, a global broadband and telecommunications company.

 

Ransomware Updates

We’ve got some new stuff out there. First, for those who torrent, be careful. If you torrent on a Mac, be very careful.  For the second time, ransomware has been designed for the Mac OS.In this case, “Patcher” is poor quality, shoddy code, to the extent that if the victim pays the ransom, they don’t get their files back because that code doesn’t work. It’s getting dropped via fake Adobe Premier Pro and Microsoft Office for Mac.

Second, if Google is telling you “Hoefler test not found”, don’t think you need to install that font. It’s a ploy on certain compromised websites to drop Spora ransomware. And very few AV or anti-malware programs can detect this one.

spora.JPG But, if you play it safe and do as Google says, click Discard and don’t download.  You’ll avoid ransomware.

If you want to know more, I’ve got a Ransomware page.

And saved the best for last. This amazing map from F-Secure shows the timeline of ransomware.  You can see the explosion that took place in 2016.

ransomware-tube-map

https://www.f-secure.com/documents/996508/1030743/cyber-security-report-2017

 

Databases & Ransomware

mongo

This is what led out of the starting gate for 2017.  A heap of MongoDB databases being pillaged by ransomware attacks. Reports were that one quarter of all those servers with MongoDBs on them (99,000 known instances) had been hit.  According to the tally being kept, the numbers rose from 2000 on January 3 to 8, 542 on January 5. By January 9, the total was over 27,000. And the numbers were rising at unprecedented rates. (image from ZDNet article Jan 9 2016)

MongoDB is wildly popular, but given my observations, it has a less than stellar track record when it comes to security. There have been some major instances cited over the past year.  In this case, the reason was not some code vulnerability but a human one. The attacks were due to an abundant lack of security: admin accounts with no password protection; outdate patches; bad attitude. These databases were pretty much left wide open on the internet. And it’s easy to get plucked when you make yourself low-hanging fruit for attackers.

Then, a few days later, there were reports that attacks had moved onto Elasticsearch clusters.  Elasticsearch is a poplar Java-based search engine used in enterprise environments. It’s good for things like log collection, data analytics, visualization.  Now those clusters were being wiped, with the count 600 as of January 13.  Again, these targets were unprotected and open to the internet. According to write ups by Catalin Cimpanu on Bleeping Computer, the attacks quickly moved onto other database servers. https://www.bleepingcomputer.com/news/security/database-ransom-attacks-hit-couchdb-and-hadoop-servers/

https://www.bleepingcomputer.com/news/security/mongodb-hijackers-move-on-to-elasticsearch-servers/

“For the past week, unknown groups of cyber-criminals have taken control of and wiped data from CouchDB and Hadoop databases, in some cases asking for a ransom fee to return the stolen files, but in some cases, destroying data just for fun.These incidents come after crooks hijacked and held data ransom from MongoDB databases since the start of the year.Security experts that have witnessed the first wave of attacks against MongoDB servers predicted that other database servers would be hit as well.A week after the initial attacks on MongoDB, ElasticSearch clusters were also hit. At the time of writing, over 34,000 MongoDB servers and 4,600 ElasticSearch clusters have been held for ransom.”

victor

Researchers within our security community, like Victor Gevers, Niall Merrigan, @sudosev and more,  have been following and reporting on this trend.  When I asked him his thoughts, Victor said “it always gets worse before we see a (re)action”. On his Twitter feed, Victor replied to this comment, which pretty much sums things up. Niall has been actively reporting on the situation, and updating the MondoDBs to 40,000 and Elasticsearch to 5000. As well, he commented on the trend for data to not be returned citing it as”ransack ware”.

Databases were being wiped then replaced with an empty one labeled “Wrning. PWNED”. Point taken. Wiped meaning the data was not left there and encrypted. It was gone. Although if you paid the fee, you could have it restored. But is that a chance you’re willing to take? If you leave the front door open, how likely are you to have backups? In an analysis of what went wrong, referencing the ongoing battles with Shadow IT, Tony Baer made these recommendations on what needs to be done right in his piece on ZDNet http://www.zdnet.com/article/should-the-cloud-close-the-front-door-to-the-database/ :

Looking at the recent MongoDB hacks, you need to take the basic measures that might otherwise be taken for granted. And just as you would with on-premise systems, you’ll need to enforce full “AAA” (authentication, authorization, and accounting) to guard entry. Then, of course, there is the basic hardening of the instances, going down to securing and patching the operating system, ensuring only the right people access the management console, and so on. That means all communications — and we mean all — between client, administrator interface, and the cloud target must be strongly encrypted all the way down to passwords and keys.

This past week, we’ve watched the trend ingest Hadoop, Couch and Cassandra. Hadoop is a major concern, given its prominence in many major organizations, including financial institutions.  Victor reported to Bleeping Computer that the attacks on Hadoop, of which there are about 5400 known instances, looked more like vandalism as no ransom demands were being made.  They had started  January 12, with  “an unknown attacker going by the name of NODATA4U has been accessing Hadoop data stores, wiping data, and replacing all tables with an entry named “NODATA4U_SECUREYOURSHIT.” The attacks on Couch, however, were definitely monetary. A group of attackers, known as “r3l4x” may have been exporting the data or deleting it. Victor and Niall have put together spreadsheets to track the attacks. Other researchers who have joined to help are Bob Diachenko from the MacKeeper Security Research Center, Matt Bromiley from 505Forensics, and Dylan Katz from GitPrime.  Hadoop Sheet:  https://docs.google.com/spreadsheets/d/18-zmpzp87TX9oIbLwChJ3Fn0ldCGysSm-aoje_VvSSc/edit#gid=0

Couchdb Sheet: https://docs.google.com/spreadsheets/d/1iO8nINe1Ia2s40byeOj8BRiXZMpiBkKGJR5AuV7EExY/edit#gid=0

This raises more issues than just those about securing the humans. Consider it an overdue cautionary tale of a long-standing problem that was ripe for exploitation. Now – how many more of these are we aware of, festering within our realms? As everything moves to the cloud, we need to consider security procedures must be adapted to that environment. Cloud may be “somebody else’s server” but it gets complicated fast when you start taking it apart, bit by bit. There are layers of software over hypervisors, sometimes involving third party managed support. Determine where data is stored because of privacy regulations. How close are dev and prod environments, and how clean is that demarcation? Oh yes, I’ve been learning from some cloud security audits. You need to ask the right questions to get the right answers, and we like to operate from assumptions. My bottom line here is that as big data gets bigger, and the cloud surface continues to expand, we need to get more than just the basics right. Or we’ll keep growing orchards of low-hanging fruit.

 

 

The Future of Ransomware

ransom

Ransomware is like like a nasty game of tag: you can try to avoid it but once you’re hit, you’re out. For all we know about doing defence right, following the best practices advocated by NIST and SANS, this particularly malevolent threat has been on an upward trajectory out of the gate since 2016, after trending through 2015.  It’s gone way beyond just phishing for targets and locking down individual files.  Current strains are evasive: like tag, they figure out what anti-virus and security is running on the target system that might detect it and stay hidden. They now go after websites. They lock down entire servers. And they don’t care who the victims are – not even hospitals.

Samsam-ransomware-attack-chain-768x391

If you’ve been reading along with me on Twitter, or happen to be up at 2:00 a.m. like I am, you know that ransomware is what keeps me up at night. Along with some other brilliant minds in our security community who are dedicated to tracking and shutting down this ever-growing threat. These guys really know what they’re doing. Countless hours of research, investigation and analysis have produced this paper:  Ransomware: Past, Present, and Future.   There are definitive pieces that give the lay of the land and map out the course ahead. That is what this piece does. Sincere appreciation for the efforts of  @da_667 @munin @ImmortanJo3 @wvualphasoldier (and others) who put this together. They understand just how widespread the risk is, and time is not a luxury we have. This is essential reading for anyone in tech, security, business, critical infrastructure. Essentially, anyone who needs to safeguard the data and networks their daily business relies on.

From the Talos blog: A fictional Adversary’s workflow of compromise and takeover

dadiagram

Right now, here is what I would advise anyone.  Back you stuff up, frequently, and separately from the network.  Check your patch management situation. Where are your exposures?  How are you handling security awareness, especially around phishing? Do you monitor your systems regularly, so that you have a baseline to compare events against?

And finally, take the time now and please read this: Ransomware: Past, Present and Future by Talos. Because the more people who know about ransomware and where it’s headed, the better we can all work together to secure things.

Thank you for stopping by!

My Layman’s Terms: The Java Deserialization Vulnerability in Current Ransomware

There has been a recent wave of ransomware attacks against hospitals, highly publicized and for good reason. Who the hell attacks hospitals with malicious code that locks up access to critical care systems, and puts our most vulnerable at further risk? Well, there’s more to this story than I can reveal here but I’ve been following the trend for months, and here’s what you need to know.

tweet ransom

FIRST: This was never about the hospitals. They weren’t the specific target. Law enforcement also relies on constant access to critical systems and they are being hit. But this goes so much wider, and we’re missing the bigger picture here. Therein lies the danger.   Samsa/Samsam has been a cash grab for the attackers, with no costs, no penalties. Don’t expect them to stop looking for more revenue streams to hit.

SECOND: This ransomware is not the same old ransomware. We can’t rely on our standard approaches to detect and defend against future attacks. This one goes after servers, so it can bring down entire networks, and doesn’t rely on the social engineering tactics to gain access.  It’s so bad US-CERT has issued this recent advisory.

I’ve laid out what’s been made available on just how this new strain of ransomware works. And I’ve done it in terms to help anybody take a closer look at the middleware running in their systems currently. Because a little knowledge could be dangerous thing used to our advantage this time.

tweetsamsa

WHAT: Extremely dangerous and wholly underated class of vulns

Attackers can gain complete remote control of an app server. Steal or corrupt data accessible from the server. Steal app code. Change the app. Use the server as launching oint for further attacks.

  • No working public exploits against apps til now
  • Remotely executable exploits against major middleware products
  • Powerful functionality that should not be exposed to untrusted users in the ability to hijack deserialization process.

IMPACT: Millions of app servers open to compromise

  • Not easily mitigated
  • Potential for millions of apps to be susceptible
  • Many enterprise apps vulnerable

AFFECTS: All apps that accept serialized Java objects

Remotely executable exploits against major middleware products:

  • WebSphere
  • WebLogic
  • JBoss
  • Jenkins
  • OpenNMS

HOW: Vulnerability is found in how many JAVA apps handle process of object deserialization.

Serialization is how programming languages transfer complex data structures over the network and between computers. Disassembly is the process of breaking an object down into a sequence of bits.

Deserialization is reassembly of those bits. (unserialization)

A Java object is broken down into series of bytes for easier transport.

Then is reassembled back at other end. Think the fly or tranporter

PROBLEM:  many applications that accept serialized objects do NOT validate or check UNTRUSTED input before deserialization or putting things back together. So yes, this is the perfect point to sneak the bad stuff in.

Attackers can INSERT malicious object into data stream and it can execute on the app server

Attack method:  special objects are serialized to cause the standard Java deserialization engine to instead run code the Attacker chooses.

Each of the 5 middleware applications listed above has a Java library called  “commons-collections.” This has a method that can lead to remote code execution when data is deserialized. Because no code should execute during this process.

NEEDS TO HAPPEN:

Enterprises must find all the places they use deserialized or untrusted data. Searching code alone will not be enough. Frameworks and libraries can also be exposed.

Need to harden it against the threat.

Removing commons collections from app servers will not be enough.   Other libraries can be affected.

Contrast Sec has a free tool for addressing issue.  Runtime Applicaton Self-Protection RASP.  Adds code to deserialization engine to prevent exploitation.

Sources:

Why the Java Deserialization Bug is a Big Deal Dark Reading by Jai Vijayan

What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability

Paypal is the latest victim of Java Deserialization Bugs in WebApps

Ransomware: Don’t Get LOCKY’d Out

locked-computer

LOCKY made its debut a week ago, and impacted half a million users around the globe in a day. The numbers have escalated alarmingly since then as this latest crypto-ransomware, developed by the same dark minds behind Dridex banking malware, spreads across platforms and continents.

What YOU Can Do

We’re warning users to beware of phishing emails. Even if it says it is from your bank, they will not send you an email for something requiring your urgent attention with a link or an attachment. The same goes for the CRA or other major financial institutions. MS Word documents masquerade as invoices requiring urgent payments, or bank statements. These will contain malicious macros that launch the malware. Once it gets onto a computer connected to ANY network, it will spread and contaminate rapidly. And any removable devices will also become contaminated, putting others at risk.
DO NOT ENABLE MACROS!

If you suspect you’ve been hit, time is crucial. Contact your support people immediately. We’re here for you. And shut your computer down. You need to cut yourself off from the network immediately. Expect that you will not be using your computer for some time and that you may need to shutdown the network. Given that the encryption is so powerful, the only recourse victims have is to restore from an untainted backup. Or face paying the ransom with no guarantees.

locky

As detailed by researchers at Naked Security for Sophos, LOCKY encrypts a wide range of file types. These include videos, images, PDFs, program source code, and Office files. As well as files in any directory on any mounted drive that the infected computer can access. This is important because this will also include removable drives plugged in at the time or network shares that are accessible like servers and other people’s computers. That is a lot of potential damage. Extend that to a case where an infected user is connected to the network using administrator access and controls; the damage could be widespread. Locky will also encrypt Bitcoin wallet files it finds, thereby stealing any bitcoin that could have paid ransom.
Where’s My Shadow Copy Backup?

But then LOCKY takes things further by removing any Volume Snapshot Service (VSS) files or “shadow copies.” If you use Windows, you know those are the current of live backups Windows takes of work in progress – we all rely on those for when we forget to save, or the system crashes. Unfortunately, for some users these shadow copies have simply become their backup system.

Steps to Stay Safer

  • Make regular backups and keep one off-site
  • Do not enable macros in emails and attachments
  • Be suspicious of attachments from unknown/untrusted sources
  • Do not stay signed on with administrator privileges any longer than you need
  • Keep your security patches up to date
  • Have a DRP with a business continuity plan in place to minimize downtime