Issue 60

Big Boys don't Cry - They do periodic backups

István Kiss
Software Engineer @ FlowTraders

Indeed, this article should be about the WannaCry ransomware, but first let us do a small detour to an event that happened exactly ten days before the madness, and let's talk about the GoogleDocs phishing wave. The scary thing is that, while in the case of WannaCry the "only" human factor was the lack of even basic actions to protect the systems, in the case of the phishing attack the user was actually required to click twice: once to open a link in a strange mail, and once to allow some suspicious website access to their Google account.

At first, the potential victim receives a genuine-looking email announcing that a known contact has shared a document with them. However, a second look reveals some warning signs. The victim is not in the To: list. There is just one visible contact, somebody called hhhh…@mailinator.com. Another warning sign is that there are usually more than ten hidden contacts. Why would a friend try to hide the rest of the recipients? Moving further, the phishing email contains an 'Open in Docs' button which, when clicked, sends the user to Google's OAuth page for authentication. Confirming there grants the requesting application permissions on the victim's account. In the email we looked at, the URL assigned to the button contained a redirect parameter, which, once the request was allowed or denied at Google's OAuth page, would redirect the user to an attacker-controlled website.

The button and the redirect sequence are particularly noteworthy, since the user needs to click the 'Open in Docs' button and then either 'Allow' or 'Deny' on Google's OAuth page before the browser contacts one of these attacker-controlled domains. Given the really eye-catching signs that should raise eyebrows about the email's authenticity, and the fact that the user always had to click something first, the "just" 0.1% of affected Google users (out of a total of 1 billion) is particularly staggering.
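The warning signs listed above (recipient not in To:, a single visible throw-away address, a consent link whose redirect parameter leaves Google) can be checked mechanically. The following Python is an added example, not code from the article: it parses a constructed sample message, inspects the address headers and every link in the body, and reports which signs are present. The trusted-host list, the set of redirect parameter names and the `attacker-example.test` domain are assumptions made for the example.

```python
# Added example (not from the article): flag the warning signs the text lists
# for the Google Docs phishing mail, run over constructed sample messages.
import re
from email import message_from_string
from email.policy import default
from urllib.parse import parse_qs, urlparse

# Hosts a genuine Google share notification may legitimately send you to (assumption).
TRUSTED_HOSTS = {"accounts.google.com", "docs.google.com", "drive.google.com"}
# Query parameters commonly used to carry a post-consent redirect target (assumption).
REDIRECT_PARAMS = {"redirect_uri", "redirect", "continue", "url", "next"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample: the recipient is hidden, the only visible address is a throw-away
# mailinator.com one, and the OAuth link redirects to a non-Google host after consent.
PHISHING_MSG = """\
From: A Friend <friend@example.com>
To: hhhhhhhhhhhhhh@mailinator.com
Subject: A Friend has shared a document on Google Docs with you
Content-Type: text/plain; charset=utf-8

A Friend has invited you to view the following document.
Open in Docs: https://accounts.google.com/o/oauth2/auth?client_id=0000&scope=email&response_type=code&redirect_uri=https%3A%2F%2Fgoogledocs.attacker-example.test%2Fcallback
"""

# Constructed sample of a share notification showing none of those signs.
BENIGN_MSG = """\
From: A Friend <friend@example.com>
To: Me <me@example.com>
Subject: A Friend has shared a document on Google Docs with you
Content-Type: text/plain; charset=utf-8

Open in Docs: https://docs.google.com/document/d/EXAMPLE-ID/edit
"""


def recipient_warnings(msg, my_address):
    """Check To:/Cc: headers: is my address visible, and is a visible recipient disposable?"""
    visible = [addr.addr_spec.lower()
               for header in ("to", "cc") if msg[header] is not None
               for addr in msg[header].addresses]
    warnings = []
    if my_address.lower() not in visible:
        warnings.append("recipient-hidden")          # we are one of the hidden (Bcc) contacts
    if any(addr.endswith("@mailinator.com") for addr in visible):
        warnings.append("disposable-visible-recipient")
    return warnings


def link_warnings(url):
    """Check a link: does it leave the trusted hosts, directly or via a redirect parameter?"""
    parsed = urlparse(url)
    warnings = []
    if parsed.hostname not in TRUSTED_HOSTS:
        warnings.append(f"untrusted-link-host:{parsed.hostname}")
    params = parse_qs(parsed.query)                  # percent-decodes the values for us
    for name in sorted(REDIRECT_PARAMS.intersection(params)):
        for target in params[name]:
            host = urlparse(target).hostname
            if host is not None and host not in TRUSTED_HOSTS:
                warnings.append(f"redirect-to-untrusted:{host}")
    return warnings


def analyze(raw_message, my_address):
    """Return every warning sign found in a raw RFC 822 message, in header-then-body order."""
    msg = message_from_string(raw_message, policy=default)
    warnings = recipient_warnings(msg, my_address)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for url in URL_RE.findall(text):
        warnings.extend(link_warnings(url))
    return warnings


if __name__ == "__main__":
    print(analyze(PHISHING_MSG, "me@example.com"))
    print(analyze(BENIGN_MSG, "me@example.com"))
```

The redirect check is the important one: the link in the phishing mail really does point at accounts.google.com, so a host allowlist alone passes it; only decoding the query and inspecting where the consent flow lands afterwards reveals the attacker-controlled domain.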

Back to the "big worm" with the timeline of the events:

17th of March: Microsoft releases the MS17-010 Security Bulletin: "This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server." We have to note that this update was available only for Windows 7 and newer versions. Microsoft has not officially provided support or updates for Windows XP desktop versions since 2014.

14th of April: After a failed auction, a group released about 260MB of material stolen from the "Equation Group", a threat actor suspected of being tied to the NSA. One of these tools was Eternalblue, an exploit that used the vulnerability fixed by MS17-010 to achieve remote code execution. In the same pack, we can find, for example: Eternalromance, a remote privilege escalation exploit (Windows XP to Windows 2008 over TCP port 445); Eternalchampion and Eternalsystem, remote exploits up to Windows 8 and 2012; Explodingcan, a remote IIS 6.0 exploit for Windows 2003; Eternalsynergy, a Windows 8 and Windows Server 2012 exploit; and Fuzzbunch, an exploit framework (similar to Metasploit) for these exploits.

12th of May: The madness begins. First samples of WannaCry were submitted to VirusTotal.

13th of May: Kill-switch domains were found and registered. Microsoft took what it described as a "highly unusual" step and provided public patches for Windows operating systems that are in custom support only.

15th of May: WannaCry copycats found: kill-switch is patched out, and bitcoin payment addresses updated.

19th of May: first decryption application appears thanks to Adrien Guinet, Matthieu Suiche, Benjamin Delpy.

What was the root cause?

Starting that Friday, the wildfire burned through more than 200,000 systems in over 100 countries, with some pretty high-profile victims like FedEx, the UK government's National Health Service, and the Spanish telecom Telefonica.

The first cause would be the lack of system updates and vulnerability fixes, either because of using a fifteen-year-old operating system, which has had no official support from Microsoft for two years now, or simply because of ignoring the available critical patches that were issued one month earlier. The same category includes using SMBv1, a protocol designed in 1992, whose improved version has been available since 2006. Another bad practice was exposing this service directly to the internet. Moreover, there was a lack of up-to-date anti-virus software on the systems. All the big players like Kaspersky, ESET and BitDefender were detecting and disabling the ransomware before it could do any damage.

At a certain moment, Microsoft blamed the NSA for failing to inform the public about the stolen "arsenal". Indeed, it would have helped to have those patches available for Windows XP before all hell broke loose, but it would have been just a drop of water on the firestorm. It would have meant one single patch or, in the best-case scenario, one for each vulnerability used in the published tool-suite. Most probably it would have postponed the events, but all those systems without constant support would still be completely exposed to any future attack.

One could say: "I'm not using Windows, I am using X, the safest OS in the world". There is no such thing as an unbreakable system, only a low reward/effort ratio. Just think about the majority of web servers, based on different Linux distributions. From time to time, you can read in the national newspapers that "site A was defaced"… Last year, Hillary Clinton's emails were stolen. You would say she could have afforded to hire some experts to secure the servers she was using… Recently, it was discovered that WannaCry was not the first worm built from this suite to be released.

According to research released by Proofpoint, Adylkuzz, a miner for the Monero cryptocurrency, became active sometime between the 24th of April and the 2nd of May, weeks before WannaCry burst onto the scene. And maybe this is just the tip of the iceberg. Besides the classical desktop/server target group, over the years another two huge groups have emerged: mobile phones and the security nightmare we call the Internet of Things.

Let's just play a little with our imagination.

According to Google, there are 1.6 billion Android devices around the world, each of them powerful enough to run Windows XP without any performance hit. Most of them are somehow connected to the Internet. And the warning sign would be the following. As disclosed by a recent survey from Google, 30% of the devices that visited the Play Store were running Android KitKat (released in 2013 or later). Think about how many times you have installed a system update on your phone, or even had a passing thought about installing any kind of antivirus application on it. Google recently cleaned up the Play Store, removing about 20,000 not-so-nicely-playing applications. Or, when did you last update the system of your smart TV, wireless router, smartwatch, wristband, baby monitor, intelligent lighting system, or any other kind of "smart" device? What would happen if somebody bothered to target these devices? You could say: "I'm safe, I don't visit any kind of shady website". A study from last year shows that it is actually much safer to visit any of the major porn sites than to take a quick look at your friendly neighbourhood small business website, because the latter is usually an "install and forget" site, without any monitoring or even simple software updates. The last and most common excuse is: "Why would this happen to me? I am not a rich guy, I'm not a politician or a famous actor, nobody cares about me." This is partially wrong. Even though your computer or other devices don't contain your bank account access codes, they could still be a useful tool in a malicious activity. Your internet connection could be used to hide the true identity of a drug dealer or child molester. Or, in the best case, your devices can be used to mine for somebody's bitcoins.

What can you do to avoid the trouble?

Nothing, as there is no 100% protection. However, you could make the attackers' life a little bit harder.

First, be suspicious. There is a big chance that there is no Nigerian prince who wants to escape his country, and even if he existed, why would he choose exactly you out of the 7 billion living persons? I would say there is a bigger chance of finding a winning lottery ticket in the forest, handed to you by a red rabbit in a top hat. So, if it is too good to be true, proceed with caution.

Second, keep your systems up to date. Don't try to find excuses, apply those patches. They will save you from a lot of trouble.

Third, pay attention to what you share on the internet. Reduce the exposed surface to a minimum. The more services and information you expose, the bigger the chance that somebody can find something useful for getting into your system.

Invest in a mainline antivirus suite. Most of them come packed with a pre-configured and easily adjustable firewall too (this way you can select which applications are allowed to expose anything to the internet).

Invest in standalone, offline backup storage, and do regular backups of your photo albums, holiday videos, love letters (just as a side note, the love letter was another famous worm, in 2000), articles, research, and anything else you would consider worth paying $300 to ransomware for.
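A backup is only worth the $300 it saves you if you can tell that it is still intact and what on the live system was damaged. The following Python is an added example, not code from the article: it records a SHA-256 manifest of a directory tree at backup time and later compares either copy against that manifest, so overwritten, renamed or missing files show up by name. The directory layout, file contents and the way the "ransomware damage" is simulated are all constructed for the example.

```python
# Added example (not from the article): a hash manifest lets you prove that an
# offline backup still matches the files you backed up, and shows what changed
# on the live copy. Paths and sample contents are constructed here.
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large videos do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare a tree against a manifest; damage shows up as modified, missing or extra files."""
    current = build_manifest(root)
    return {
        "missing": sorted(name for name in manifest if name not in current),
        "modified": sorted(name for name in manifest
                           if name in current and current[name] != manifest[name]),
        "extra": sorted(name for name in current if name not in manifest),
    }


def demo():
    """Build a constructed 'live' tree, back it up, then damage only the live copy."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup = Path(tmp, "live"), Path(tmp, "backup")
        (live / "photos").mkdir(parents=True)
        (live / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8 constructed image bytes")
        (live / "thesis.txt").write_text("constructed research notes\n")
        manifest = build_manifest(live)          # keep this next to the offline backup
        shutil.copytree(live, backup)            # the offline copy, made before the damage
        # Simulate ransomware on the live copy: one file overwritten, one renamed.
        (live / "thesis.txt").write_bytes(b"\x00 ciphertext stand-in")
        (live / "photos" / "holiday.jpg").rename(live / "photos" / "holiday.jpg.locked")
        return verify_backup(live, manifest), verify_backup(backup, manifest)


if __name__ == "__main__":
    damaged, offline = demo()
    print("live copy :", damaged)
    print("backup    :", offline)
```

Keep the manifest with the offline media, not on the live machine: if the backup drive stays disconnected except during the backup itself, neither the copy nor the manifest is reachable by anything that later encrypts the live disk, and the comparison tells you exactly which files to restore.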

Latest news

It looks like we will have an interesting July too, as theshadowbrokers have just published a message with the pricing of what they call their "monthly dump service":

Q: How do I subscribe and get the next theshadowbrokers' dump (June 2017)?
#1 - Between 06/01/2017 and 06/30/2017 send 100 ZEC to this z_address: zca...
#2 - Include a "delivery email address" in the "encrypted memo field" when sending Zcash
#3 - If #1 and #2 then a confirmation email will be sent to the "delivery email address"
#4 - Between 07/01/2017 and 07/17/2017 a "mass email" will be sent to the "delivery email address" of all "confirmed subscribers" (#1, #2, #3)
#5 - The "mass email" will contain a link and a password for the June 2017 dump

* 1 ZEC is about 255 USD at the time of writing.
