Some context on the ShadowBroker’s Dump

Photo by Tristan Schmurr, Cyberscoop Apr 21

A good friend of mine, with the handle @loneferret, shed some clarity on the massive dump of exploits two weeks back by the ShadowBrokers. I haven’t said my piece here but believe me I shared my thoughts online as things developed. And Double Pulsar, a backdoor implant, is just that gift that keeps on giving as countless systems appear to be infected. John Matherly of Shodan cited finding at least 45k as of April 21. Dan Gentler aka @viss describes it perfectly as “a loading dock for extra malware”. There is much to be said, but I quite liked the way my friend spun things, so without further ado …

Yet another MS17-010 blog post.
However, the more noise that is generated, the more people will update their systems.

About a week ago now, a bunch of exploits were leaked by a group calling themselves “Shadow Brokers”, or “ShadowBrokers”; both spellings are used it seems ¯\_(ツ)_/¯.
These exploits are serious stuff, as they affect almost every version of Windows, both professional and home (what you have at home most likely), as well as, server editions. There are Linux exploits as well but that’s for another post …

Barely a week has passed, and reports of ransomware being delivered using “Eternalblue” are popping up. Reports of systems being compromised by what we can only assume are “script-kiddies” have also surfaced.

Why keep reading? My goal here isn’t to give a technical lesson nor a course in exploitation, but to spread awareness. When these types of vulnerabilities & exploits are made public, havoc isn’t too far behind.

As a pen-tester the news of exploits originating from an NSA dump was exciting. It gives some insight on what sort of tools\exploits the notorious agency has, and ensures some level of job security for me (I know selfish). But what does this mean for the corporate user? What does this mean for the average user? In a nutshell if you haven’t installed the most recent security updates, you risk having your data stolen, deleted, or your hard drive encrypted and held for ransom.

Tweeted by @belowzeroday, Cyberscoop, Apr 21

I shall try and put this in perspective, in the most entertaining manner I can. So, sit back, grab your morning Irish coffee and step inside my time machine.

Back in 2003 a computer worm made its way through the Internet. This worm infected thousands of systems, both commercial and personal. It ravaged and pillaged everything it could lay its crummy little paws on. It was finally detected in 2008, and given the name “Conficker”. I remember 2008 well. At the time, I was a system administrator for an IT consulting firm & was called upon many times to stomp this little critter. This worm was good, well coded, and went undetected for 5 years! It merged so well with Windows, it really didn’t affect the system’s performance. It was also very good at reproducing itself… kinda like George Forman.

Why was it so successful? How did it manage to get into so many systems? It was a flaw in Windows, much like the flaw leveraged by the exploits in the “ShadowBrokers” dump. Essentially… it’s 2008 all over again. Which begs the question, how long did the NSA have this exploit? Also, were they the only ones? If it took 5 years to catch “Conficker”, one can assume this flaw (and exploit) has been around for at least the same amount time (give or take a year).

So, I beg you, please don’t fear the Windows update window.
Let it run… Embrace it, enjoy it, whisper sweet nothings into its ear.
Because if you don’t, you only have yourself to blame if your browser history ends up on pastebin.

A message from you friendly neighbourhood hacker @loneferret

Ps. This flaw, and others, were fixed back in March of 2017. This piece was written in April 2017.

It Really Was the Lazarus Group, in North Korea with SWIFT


Last week, news broke that the US had linked North Korea to the theft of millions against the Federal Reserve in a series of bank heists involving the SWIFT messengering system.  I did a couple talks last year about banking insecurity as a fairy tale that misrepresented itself in the form of that trusted messengering system, SWIFT.  The deeper I delved, the scarier that fairy tale got. But from the start I had my suspicions about who was behind it and why. Why was a big factor because it ruled out the usual bank cyber crime suspects, aka Russia and Eastern Europe. This was too overt a move for a nation state to make right? Well, that depends which nation state you are.

And this was where my poli sci years kicked in.  I’ve always stood at that intersection of international relations and cybersecurity. It’s one heck of a vantage point. I do threat intel. Still pinching myself because I didn’t know this thing I love to do even existed a few years ago. But as I learn and grow in this field, what becomes increasingly clear is the need for context. That we have to take more than we surmise into account to really get the big picture. And we need the big picture to do this right. Otherwise we risk making the wrong call when we choose to play the attribution blame game, where the stakes are high and the consequences could level a lot more than the proverbial playing field.  So international relations, current affairs, global economy and history all need to be factored in. Then we have data with context and points that link, so we can see patterns.


Linda Davidson/Washington Post

Because for me this story was always so much more than just “hackers went after a billion but only got 81 million”.  Who was behind those hackers? Why Bank of Bangladesh? Who needed a billion badly enough to digitally “rob” a bank? I’ll admit I have my likely crew: Russia, China, North Korea.  In this case, Russia and China were too big to make this kind of a play and have to contend with the global condemnation.  That’s a headache they would rather avoid and neither needed a billion dollars that badly. However, North Korea was a different story: impoverished, starving, and whose wildcard of a leader answered to no one in his quest for nukes. As per a recent story in the Washington Post:

“North Korea has consistently been treated like a joke, but now the joke has nuclear weapons,” said John Park, director of the Korea Working Group at the Harvard Kennedy School. “If you deem Kim Jong Un to be irrational, then you’re implicitly underestimating him.”

Kim Jong Un may be crazy but he’s crazy like a fox.  Hence why the attacks were on banks where nobody would care. Because the truth is first world problems get the attention, not developing nations like those in South East Asia. And of course, security was lax, because the resources just weren’t there. Nor was the mindset.  Corruption and coercion get things done in many parts of the world. How do you factor those into NIST spreadsheets and security audits?

A colleague and I had a great brainstorming session on geopolitics and cybersecurity as we put the details together. His keen insights and my paranoia spun the needle to land on North Korea. We just didn’t have any proof.  Fast forward a few months later, though, and tracks were found in the butter. Remember what I said earlier about the importance of history, context and patterns? Key pieces of code harkened back to the attack on Sony, and some very crafty work by the Lazarus Group.  While it wasn’t a smoking gun, it certainly was substantive. After his work on decoding Stuxnet, I listen when Eric Chien of Symantec weighs in. He knew what he saw there and he called it.

sonyhackIn the realm of cyber criminals, The Lazarus Group are somewhat nebulous, hard to pin down, and known for their ability to die off and then resurrect themselves, hence their name.  They’ve been identified as operating out of North Korea. To me, that means North Korea gives them a safe haven in return for services rendered. They are the bag man for their host supplying “dirty deeds”, just not done dirt cheap.  Because nation states don’t do this stuff for themselves when they need to remain one step removed.  Let me state that things are no where near this simplistic, and yes, China factors into this as well.  But no surprise there given the long-standing partnership between China and North Korea.

lazarus_map_ENWhere does this lead? Well, I did allude to the possibility of global economic chaos being used in the games nations play, because it’s all about the power and money is just a means to that end. Now we have news reports saying how nation states have resorted to robbing banks, and what a terrifying prospect that is. According to Richard Ledgett, Deputy Director of the NSA, in a story by the Wall Street Journal:

“If that linkage is true, that means a nation-state is robbing banks. That is a big deal; it’s different,” he said on Tuesday during a panel discussion at the Aspen Institute.

Mhm. I have a lot more where that came from.

Please click here if you’d like to see my talk on SWIFT and banking insecurities.


FIN7 Spear Phishing, Carbanak and the SEC

FinSec is a thing. It’s rather become my thing, when I delve deeper and find the connections and patterns that emerge. This week, FireEye published a post on a campaign known as FIN7. They identified a spear phishing campaign in late February that targeted people who were filing with the US SEC. FIN7 is described as a

“financially motivated instrusion set that selectively targets victims and uses spear phishing to distribute its malware.”

Sectors identified as targets are in the US but have a global spread and include:

  • Financial services
  • Transportation
  • Retail
  • Education
  • IT services
  • Electronics

Often they target retail and hospitality through POS malware.  Here’s the play by play:

  • Malicious documents drop a VBS script and install a PowerShell backdoor. No question that PowerShell is now the tool of choice for attackers. Set up your IDS to look for signs.
  • The backdoor is a new malware family dubbed POWERSOURCE. It’s based on a tool that is publicly available, DNT_TXT_Pwnage.  What they’ve done is modify it especially in terms of obfuscation. If you can’t find it …
  • FIN7 uses DNS TXT records for the Command and Control. And this DNS TXT – it’s been trending because of how hard it makes detection and hunting for threats around command and control
  • But wait! There’s a second backdoor, installed by POWERSOURCE. This second stage PowerShell backdoor is known as TEXTMATE. It’s fileless malware – yes, that’s a thing now too – that stays memory resident, so you can’t find it easily, and lets the attacker play hide and seek better.
  • There have been instances of a Cobalt Strike Beacon payload.
  • That same domain hosting the Cobalt Strike Beacon also hosted – get ready for it – a CARBANAK backdoor sample that was recently compiled. We know how pervasive CARBANAK is, and that it has recently made a major pivot into the hospitality sector. And, as it happens, something that FIN7 has used in past.

While FireEye says they have not yet determined the objective of FIN7 in this current campaign, I think it’s safe to say they are in it for the money.


New Apache Struts 0Day Exploit

(March 8, 2017) Cisco Talos group has identified attacks against a 0Day vulnerability in Apache Struts, which is a popular Java app framework. An advisory was issued Monday, stating the problem exists in the Jakarta Multipart parser. An attacker could perform a RCE attack with a malicious contenttype value. Users were advised to upgrade or switch to a different implementation of the parser. Numerous attacks appeared to be taking advantage of a publicly released proof of concept to run assorted commands. Struts was previously compromised by Chinese hackers in 2014, who exploited known vulnerabilities to install a backdoor. Message here: keep patches current.


It’s Baaack – The Return of CryptoLocker

Since last week I’ve been following some fascinating reports about the return of this ransomware behemoth. There are increasing accounts about the resurgence of CryptoLocker ransomware.  As we have learned with Lazarus Group and Shamoon, just because it’s dormant doesn’t mean it’s dead.

Attacks have been steadily climbing since January. And what is interesting is how attackers are leveraging the Certified Electronic Email in Italy to spread the joy. This service is used by people who want the assurance they are getting a high level of security. The attack vehicle was a carefully crafted email featuring a digital signature to appear very trustworthy. Attackers utilized Italy’s Certified Electronic Email which legally is like a registered letter, to deliver invoices hiding spam. And it worked. This parallels the similar rise in Dridex in Switzerland reported mid February, again leveraging trusted email providers. As we know, phishing works. “Trust” works. Put the two together … …Attacks were predominantly in Europe, the staging ground for Russian cybercriminals before they launch their malware on America.  Attacks are now heavy in the Netherlands, and have landed on American shores as confirmed by Microsoft’s Malware Protection Center.


Shamoon Update: Ransomware and New Wiper Malware Discovered

Wiper malware is rare – just a handful of occurrences have been documented. However, in the latest appearance of Shamoon, a new ransomware component was uncovered in addition to the disk wiping capability. Because you can’t have too much of a bad thing it would seem.  The ransomware component hasn’t been deployed but is ready for use. The Shamoon 2.0 dropper is a worm that infects computers in Windows domains, leveraging hardcoded previously stolen usernames and passwords. Kaspersky has released a full report on it.

Kaspersky has now identified another wiper malware in the wild. Dubbed “StoneDrill”, it has targeted organizations in Saudi Arabia, but it also went after a petrochemical organization in Europe. At this stage, it seems StoneDrill is similar to the APT group NewsBeef or Charming Kitten, who was linked to the latest Shamoon endeavours. Kaspersky notes “Particularly interesting is the heavy use of anti-emulation techniques in the malware, which prevents the automated analysis by emulators or sandboxes.” far more so than Shamoon.  It also uses VBS scripts to run self-delete scripts but Shamoon did not rely on any external scripts. Also, the disk wiper module in StoneDrill does not get written to disk like Shamoon does. Instead, it is injected directly into the user’s browser process memory, no drivers required.



The ABC’s of APTs: Shamoon

sham35Welcome to the grey zone where politics and cyber meet. APTs or advanced persistent threats, are one of my favourite acronyms (but then you know how I am intrigued by Stuxnet and cartels), and essentially are how nation states get their digital digs at each other. Usually the intention is to get information, because knowledge is power. Cyberespionage can give a competing nation a real competitive advantage in the world economy, among other things. But sometimes, there is a need to control more, and that is where weaponizing code takes on a whole new nasty.

The keyword here is “persistence.”  First, attackers must find their way into the networks of the target. Usually, they employ targeted spear phishing, painstakingly staking out the right victim to receive that loaded email.  The investment of time and money at this point is essential, so as not to tip anyone off. And the emails are crafted so carefully, picking up on points tailored to that recipient so that they will open it, and launch the attachment that will create an entry point for the attacker. There is a reason why phishing is at the heart of so many breaches.

Now, imagine a video game, where you must progressively meet the challenges of each level to go higher. That is the attacker moving through the network, acquiring credentials to gain access to the crown jewels. The strategy is to find someone lower level, then work your way up. Hence, persistence, because this is an investment of both time and patience. Expect the key executives or decision makers to be well-guarded, with access and authorization controls in place. Not the case for someone lower on the food chain. All an attacker needs is to gain access. As proven repeatedly, once in, they can take all the time they need to find what they want. Case in point: the attack on the Ukraine power grid in December 2016.  The attackers were in that system for over nine months, collecting what they needed, notably credentials for the Virtual Private Network, that enabled them to jump the security gap onto the restricted side. As Stuxnet taught us, there is no such thing as air-gapped security.


We know the Russians hacked the US; we know China hacked the US and Canada; and yes, the US has hacked someone too. These are the games nations play. The trick, of course, is not to get caught before you have the prize. And when you do get caught?  Well, as we’ve seen play out, nothing really bad happens. Just expect that your victim will be in your systems. Unless information isn’t the endgame and control is. Then, be prepared for something to go bump in the night.

Shamoon is devastating wiper malware that took out a massive swath of Saudi Aramco when it first debuted in 2012.  Linked to Iran, and an ongoing feud in the region between key players, it was a targeted attack against the oil giant, damaging or destroying 35,000 computers. Sec Def at the time, Leon Panetta, described it as “probably the most destructive cyber attack on a business.”

Wiper malware was used against business targets in  December 2014 destroying the systems in a Vegas casino, The Sands, after owner Sheldon Adelson advocated using nuclear weapons against Iran. The US “publicly cited Iran as the culprit”.   Then Disstrack was used again in December 2015, in the attack that brought Sony to its knees.  These aren’t gangs using cybercrime for monetary gain. These are the equivalent of acts of war, given the level of damage done.

Fast forward to late 2016. Two major attacks happened in Saudi: November 17 taking out systems at the airport and other Saudi government agencies, and then again on November 29. Then, on January 23 there was another attack. The malware used was almost identical to the original Shamoon, aka Disstrack.  Except there were a few key enhancements.  According to Andrew Plato, CEO of Anitian Enterprise Security

 “What is really worrisome about this is it’s just outright destructive. It isn’t really trying to steal anything. It’s the closest things we’re going to get to a cyber bomb”.

The new version, dubbed Shamoon 2, spread through the local network using legitimate counts belonging to users and administrators, with complex passwords likely obtained from an earlier attack. Remember what I said about persistence?  This new version, however went on to attack VDIs, or Virtual Desktops, which previously could have offered some protection because of their ability to load snapshots of systems that were wiped. Now Shamoon had migrated from just Windows-based systems to Linux in the attacks on VDIs.


Now, I don’t want to be alarmist and spread FUD everywhere. Yes, this is serious and destructive. Like Stuxnet, it broke things. And that’s the differentiator. So far, the line hasn’t been crossed where breaking things was deliberately done to harm people. Because as Archer would say: You want cyberwar? Because that’s how you get cyberwar.

While the expectation is that Iran is once again behind the attacks, Symantec has revealed there are multiple parties involved. More than one entity, so collaboration and cooperation.  The report is that an entity known as Greenbug may have assisted in getting the credentials needed for access.  Palo Alto reported on a campaign known as Magic Hound which targeted energy, technology and government with ties or locations in Saudi.  There were links between Magic Hound and two other actors with Iranian ties: Charming Kitten and Rocket Kitten. Finally, putting all this together was the group Timberworm or Cobalt Gypsy.  Per Symantec, Timberworm was behind the January 23 attacks.

Here’s the play by play. First, Timberworm used spear phishing emails with weaponized documents (we warned you about those Office Macros!) to gain initial access into the network. Once there, they used custom malware, along with leveraging existing sysadmin tools to avoid detection, and help them achieve persistent remote access. Quick FYI: custom malware is a hallmark of major organized cybercrime groups or nation state attacks because it costs a lot of time and money to craft, and the stakes are going to be very high.

Apparently Greenbug and Timberworm have been active, penetrating organizations beyond Saudi. Note that Shamoon, however, was only used against the Saudi target. Timberworm is a large operation, as is Greenbug, with targets in a range of areas. We know who they are now, what they can do, and that they have a shared interest. What we don’t know: the endgame. I’m waiting for that other shoe to drop.