Welcome to the #WannaCry Wine Club
•Download as PPTX, PDF•
1 like•425 views
A talk about WannaCry malware and the ShadowBrokers. Th e talk features a demo of the leaked NSA tool set.
Recommended
More Related Content
What's hot
What's hot (10)
Similar to Welcome to the #WannaCry Wine Club
Similar to Welcome to the #WannaCry Wine Club (20)
More from Paul Dutot IEng MIET MBCS CITP OSCP CSTM
More from Paul Dutot IEng MIET MBCS CITP OSCP CSTM (10)
Recently uploaded
Recently uploaded (20)
Welcome to the #WannaCry Wine Club
- 1. Welcome to the #WannaCry Wine Club
- 2. Hello! I am Paul Dutot I am here because Paul Johnson asked me again. You all know me, you can find me at @cyberkryption on Twitter. It’s Sean’s turn next week….
- 3. What shall we talk about? #ShadowBrokers The story so far….. Fuzzbunch, Double Pulsar and EternalBlue. Demo Time #WanaCry Malware Impact. How it propagates? Defenses – Innoculation Demo #The Future What coming up in the next few months……
- 4. #ShadowBrokers A little known internet hacking group until recently… 1
- 5. 2016 2017 Today Aug Sep Oct Nov Dec 2017 Feb Mar Apr May Shadow Brokers – Initial Leak 13/8/2016 Shadow Brokers Announce Auction on Pastebin 16/8/2016 Self Interview on Medium - Message 3 at https://medium.com/@shadowbrokerss/t heshadowbrokers-message-3-af1b181b481 1/10/2016 Shadow Brokers drop Unix exploits 31/10/2016 Shadow Brokers Dump Windows Toolsets after failed auction #2 1/12/2017 Shadow Brokers drop new Windows exploits 14/4/2017 #WannaCry Starts infecting systems 12/5/2017 Shadow Brokers start attempting to sell Windows exploits 14/12/2016 Shadow Brokers dump more Unix exploits 8/4/2017 ShadowBrokers - Timeline
- 6. ShadowBrokers - Realease Highlights DoublePulsar Windows kernel level implant, allows you to load a DLL of your choosing i.e reverse shell https://countercept.com/our- thinking/analyzing-the- doublepulsar-kernel-dll-injection- technique/ EternalBlue MS17-10 SMB v2 exploit ,works without authentication against Win 7 SP1. External Romance SMBv1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008, 2008 R2 https://github.com/adamcaudill/EquationGroupLeak / https://github.com/misterch0c/shadowbroker ExplodingCan IIS6.0 exploit which creates a remote backdoor. Fuzzbunch NSA exploitation framework similar to Metasploit
- 7. #WannaCry A global ransomware infection 2
- 8. WannaCry-Impact ◇ German Railway Network ◇ Renault and Nissan Car Plants ◇ 48 UK NHS Hospitals ◇ KPMG, Santander, Telefonica and FEDEX ◇ Chinese Cash Machines ◇ Russia – Interia Ministry ,VTB, RZD & Megafon Internet has taken to producing memes ======>
- 9. WannaCry - Information #WannaCry – Infection Vector ◇ Spreads via Server Message Block (SMB) a.k.a Windows File Sharing or open RDP sessions. ◇ Checks for DobulePulsar Implant and the uses that to load itself. ◇ If DoublePulsar is not present then use MS17-010 from the #ShadowBrokers to infect. ◇ Checks to see if it can contact kill switch domains, if so then malware becomes inert. ◇ Starts encryption routine and then beacons out to all machines on local subnet to infect.
- 10. WannaCry - Information #WannaCry – Technical II ◇ Main malware drops a zip archive with a hardcoded password of ’Wncry@2o17 after exploiation. ◇ Archive includes a number of files.Can you spot the zip archive? ◇ Encryption registers a service ‘ mssecsvc2.0’ in c:windowssystem32 with a display name of ‘Microsoft Security Center (2.0) Service’
- 11. WannaCry - Execution #WannaCry – Exeecution Detailed https://www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis
- 12. WannaCry - Defense #WannaCry – Countermeasures $createdNew = $False; $mutex = New-Object -TypeName System.Threading.Mutex($true, "MsWinZonesCacheCounterMutexA", [ref]$createdNew); https://gist.github.com/N3mes1s ◇ Patch Ms17-010, obvious, but not always possibly within CNI environments such as NHS, air traffic control and power industry. ◇ Use router ACL’s and VLAN’s to limit access. ◇ Network Segmentation - Use router ACL’s and VLAN’s to limit access and host based firewalls to limit TCP/445 between workstations.
- 13. WannaCry - Mutex #WannaCry – Innoculation via Mutexes http://i.imgur.com/06EFCdS.gif
- 14. To Fuzzbench,EternalBlue ,DoublePulsar and Beyond
- 15. #The Future More global ransomware infections to come… 3
- 16. “ “In June, TheShadowBrokers is announcing "TheShadowBrokers Data Dump of the Month" service. TheShadowBrokers is launching new monthly subscription model. Is being like wine of month club. Each month peoples can be paying membership fee, then getting members only data dump each month. What members doing with data after is up to members.” https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition #The Future
- 17. “ “TheShadowBrokers Monthly Data Dump could be being: https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition #The Future - II ◇web browser, router, handset exploits and tools ◇select items from newer Ops Disks, including newer exploits for Windows 10 ◇compromised network data from more SWIFT providers and Central banks ◇compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs
- 18. Thanks! Any questions? You can find me at: ◇ @cyberkryption ◇ paul.dutot@je.logicalis.com ◇ All pictures are internet memes
Editor's Notes
- Before #WannaCry , there was ADYLKUZZ malware as detailed by Proofpoint reasearcher Kafeine at https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar The attack turned off vulnerable SMB hosts after exploiting them, this lessened the effects of WannaCry