WanaCrypt0r What we know so far - Rendition · 2017. 5. 15.
WanaCrypt0r – What we know so far
Jake Williams
SANS Instructor / Founder Rendition Infosec
rsec.us
@MalwareJake
Agenda
• Quick overview
• What we know about WanaCrypt0r
• Some cool reversing stuff
• Staying safe
• Should MS answer about MS17-010?
• Closing thoughts and questions
(C) 2017 Rendition Infosec - Jake Williams
Quick Overview
Why are we even here?
WanaCry first appears 12MAY17
• NHS hospitals in England reportedly turning away ambulances, 16 hospitals reportedly hit
• Telefonica was reportedly suffering outages
• Russian interior ministry
• German train station in Frankfurt
• FedEx was reported infected
What we know about WanaCrypt0r
It’s relatively early and more is likely to come
How is it spreading?
• There are two key components - a worm and a ransomware package
• The worm appears to be spreading using the leaked NSA exploit ETERNALBLUE and DOUBLEPULSAR
  – Targets machines using SMB
Current Status
• The malware has a kill switch: it terminates if this domain resolves
• Might have been anti-analysis, but it’s now registered and neuters the malware
• My favorite domain of all time:
  – www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
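The kill-switch behaviour doubles as a detection opportunity. As an added example (not from the webcast), this PowerShell function scans DNS query log lines for the domain above and reports which clients asked for it; the log format (timestamp, client IP, queried name) is a constructed, simplified one, so real DNS server logs need their own parser. Because the domain now resolves, a query from a host means the sample ran there and exited, so that host was reachable over SMB and still needs the MS17-010 patch.

```powershell
# Added example (not part of the original slides): flag hosts that queried the
# WanaCrypt0r kill-switch domain. A hit means the sample executed on that host
# and looked up the domain before exiting, so the host is unpatched and exposed.

$KillSwitchDomain = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'

# Constructed sample log lines in an assumed format: "<timestamp> <client IP> <name>".
$SampleLog = @'
2017-05-12T10:01:03Z 10.0.4.21 www.microsoft.com
2017-05-12T10:01:07Z 10.0.4.33 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
2017-05-12T10:01:09Z 10.0.4.21 update.windows.com
2017-05-12T10:02:14Z 10.0.7.102 WWW.IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.
2017-05-12T10:02:15Z 10.0.4.33 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
'@

function Find-KillSwitchQueries {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [string] $Domain = $KillSwitchDomain
    )
    $hits = @{}
    foreach ($line in $LogLines) {
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -lt 3) { continue }           # skip blank or malformed lines
        $ts, $client, $name = $fields[0], $fields[1], $fields[2]
        # Normalise: DNS names are case-insensitive and may carry a trailing dot.
        $name = $name.TrimEnd('.').ToLowerInvariant()
        if ($name -ne $Domain) { continue }
        if (-not $hits.ContainsKey($client)) {
            $hits[$client] = [pscustomobject]@{ Client = $client; FirstSeen = $ts; Queries = 0 }
        }
        $hits[$client].Queries++
    }
    # One row per client that asked for the kill-switch domain, earliest first.
    return $hits.Values | Sort-Object FirstSeen
}

# On the constructed log this reports 10.0.4.33 (2 queries) and 10.0.7.102 (1 query).
Find-KillSwitchQueries -LogLines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```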
Some people are paying
Some cool reversing stuff
Now you’re just showing off…
The password…
• The malware contains the hardcoded password WNcry@2ol7
The resource…
• The malware drops an encrypted zip file from a resource named “XIA”
Extracting the resource…
• To drop the resource, use CFF Explorer
Extracting the resource (2)
• Now just unzip it using the password to get these files
More fun secrets
• Now just unzip it using the password to get these files
What’s the other zip?
• It appears the other zip is tor.exe (and supporting files)
Convenience is key
• Trying to be convenient for people to find the decryptor
Staying Safe
Even if you can’t patch, you CAN stay safe
Patch, patch, patch
• If you want to stay safe from this, patching is really the only serious option
• The patch has been available since March…
• If you can’t patch (for instance you are on Windows Server 2003), consider network segmentation
Network Segmentation
• Restrict TCP port 445 traffic to where it is absolutely needed using router ACLs
• Use Private VLANs if your edge switches support this feature
• Use host-based firewalls to limit communication on TCP 445, especially between workstations
• BONUS: This will help protect against lateral movement as well!
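The host-firewall bullet above, carried out on a Windows workstation as an added example (not the webcast's own material): two Windows Defender Firewall rules that stop SMB on TCP 445 flowing between workstations in both directions while leaving SMB to file servers untouched, plus a check that lists the resulting rules. The workstation subnet list is a constructed placeholder; the cmdlets are from the built-in NetSecurity module and need an elevated prompt.

```powershell
# Added example (not from the slides): host-based firewall rules for a Windows
# workstation that block SMB (TCP 445) to and from other workstations. Scoping the
# block to workstation ranges keeps file servers reachable without an allow rule.
# The subnet list is a constructed placeholder for your own workstation VLANs.

$WorkstationSubnets = @('10.0.4.0/22', '10.0.8.0/22')   # constructed example ranges

function Set-WorkstationSmbRules {
    param([Parameter(Mandatory)] [string[]] $PeerSubnets)

    # Inbound: refuse SMB from other workstations. Block rules take precedence
    # over the built-in "File and Printer Sharing" allow rules, so this suffices.
    New-NetFirewallRule -DisplayName 'Block inbound SMB from workstations' `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress $PeerSubnets -Action Block -Profile Any | Out-Null

    # Outbound: a worm that lands on this host should not reach peers on 445.
    New-NetFirewallRule -DisplayName 'Block outbound SMB to workstations' `
        -Direction Outbound -Protocol TCP -RemotePort 445 `
        -RemoteAddress $PeerSubnets -Action Block -Profile Any | Out-Null
}

# Verify: every rule whose port filter references 445, with direction and action.
function Get-SmbRuleSummary {
    Get-NetFirewallPortFilter |
        Where-Object { $_.LocalPort -eq '445' -or $_.RemotePort -eq '445' } |
        Get-NetFirewallRule |
        Select-Object DisplayName, Direction, Action, Enabled
}

Set-WorkstationSmbRules -PeerSubnets $WorkstationSubnets
Get-SmbRuleSummary | Format-Table -AutoSize
```

Servers and management hosts outside the listed ranges are unaffected; if administrators sit inside a workstation range, carve their addresses out of the subnet list before applying.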
What about MS17-010?
Yeah, there’s something fishy going on here
How did this get out?
• The Shadow Brokers released data about the exploit in January
  – However the actual exploit was kept secret
• Microsoft mysteriously patched the vulnerability in March after missing its first Patch Tuesday ever in February
What can Microsoft tell the public?
• How was the vulnerability disclosed?
• Who disclosed it?
• Before it was disclosed, did Microsoft have telemetry showing that it was used to hack victims in the wild before January?
• Did the rate of exploitation increase after January?
This is unprecedented
• There’s no precedent for Microsoft releasing this data, but the whole event is unprecedented
• There has never been a leak of nation-state hacking tools before
• Read more here:
  – bit.ly/MS17010-petition
Closing thoughts and questions
Take your best shot
Takeaways
• 60-day patching cycles aren’t okay
  – I’m personally amazed it took this long
• Be ready for more attacks like this in the future
  – Attackers are getting more sophisticated and will benefit from leaked NSA and CIA hacking program data and tools
• Don’t forget that WikiLeaks has a trove of CIA hacking tools that remain unreleased to us
  – But who knows who else has them???
• During the live webcast, I said that DOUBLEPULSAR infections for Internet-connected hosts were up
• This was based on a sampling error. The current numbers are as follows:
[Chart: May 12, 2017 DOUBLEPULSAR]
Don’t Ignore This Threat
• After the webcast, multiple people emailed me and asked if they should work the weekend to patch or if the kill switch mitigated this
  – This is an individual risk decision
• But there will be a new variant of this, and probably sooner rather than later
  – I think ignoring it is probably a career-limiting move for most
That’s all folks!
Thanks for your time
Jake Williams – Rendition Infosec
www.rsec.us
@MalwareJake