2. Hello!
I am Paul Dutot.
I am here because Paul Johnson asked me again.
You all know me, you can find me at @cyberkryption on Twitter.
It’s Sean’s turn next week…
3. What shall we talk about?
#ShadowBrokers
◇ The story so far…
◇ Fuzzbunch, DoublePulsar and EternalBlue.
◇ Demo Time
#WannaCry
◇ Malware Impact.
◇ How does it propagate?
◇ Defenses – Inoculation Demo
#The Future
◇ What’s coming up in the next few months…
5. ShadowBrokers - Timeline
◇ 13/8/2016: Shadow Brokers initial leak
◇ 16/8/2016: Shadow Brokers announce auction on Pastebin
◇ 1/10/2016: Self interview on Medium - Message 3 at https://medium.com/@shadowbrokerss/theshadowbrokers-message-3-af1b181b481
◇ 31/10/2016: Shadow Brokers drop Unix exploits
◇ 14/12/2016: Shadow Brokers start attempting to sell Windows exploits
◇ 1/12/2017: Shadow Brokers dump Windows toolsets after failed auction #2
◇ 8/4/2017: Shadow Brokers dump more Unix exploits
◇ 14/4/2017: Shadow Brokers drop new Windows exploits
◇ 12/5/2017: #WannaCry starts infecting systems
6. ShadowBrokers - Release Highlights
◇ DoublePulsar: Windows kernel level implant, allows you to load a DLL of your choosing, e.g. a reverse shell. https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/
◇ EternalBlue: MS17-010 SMBv2 exploit, works without authentication against Win 7 SP1.
◇ EternalRomance: SMBv1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008 and 2008 R2.
◇ ExplodingCan: IIS 6.0 exploit which creates a remote backdoor.
◇ Fuzzbunch: NSA exploitation framework similar to Metasploit.
Leaked tools: https://github.com/adamcaudill/EquationGroupLeak / https://github.com/misterch0c/shadowbroker
8. WannaCry - Impact
◇ German Railway Network
◇ Renault and Nissan Car Plants
◇ 48 UK NHS Hospitals
◇ KPMG, Santander, Telefonica and FedEx
◇ Chinese Cash Machines
◇ Russia – Interior Ministry, VTB, RZD & Megafon
The Internet has taken to producing memes (image).
9. WannaCry - Information
#WannaCry – Infection Vector
◇ Spreads via Server Message Block (SMB), a.k.a. Windows File Sharing, or open RDP sessions.
◇ Checks for the DoublePulsar implant and, if present, uses it to load itself.
◇ If DoublePulsar is not present, uses the MS17-010 exploit from the #ShadowBrokers leak to infect.
◇ Checks whether it can contact the kill switch domains; if so, the malware becomes inert.
◇ Starts the encryption routine and then scans all machines on the local subnet to infect them.
10. WannaCry - Information
#WannaCry – Technical II
◇ After exploitation the main malware drops a zip archive with a hardcoded password of ‘Wncry@2o17’.
◇ The archive includes a number of files. Can you spot the zip archive? (image)
◇ The malware registers a service ‘mssecsvc2.0’ in c:\windows\system32 with a display name of ‘Microsoft Security Center (2.0) Service’.
12. WannaCry - Defense
#WannaCry – Countermeasures
Inoculation: create the mutex WannaCry checks for before it runs, so the malware believes it is already active (from https://gist.github.com/N3mes1s). The mutex only exists while the PowerShell process that created it is still running.
$createdNew = $False;
# Take ownership ($true) of a mutex with the name WannaCry checks; $createdNew reports whether this call created it
$mutex = New-Object -TypeName System.Threading.Mutex($true, "MsWinZonesCacheCounterMutexA", [ref]$createdNew);
◇ Patch MS17-010: obvious, but not always possible within CNI environments such as the NHS, air traffic control and the power industry.
◇ Network segmentation: use router ACLs and VLANs to limit access, and host-based firewalls to limit TCP/445 between workstations.
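A fuller version of the inoculation, added here as an example and not code from the talk or the N3mes1s gist: it first checks whether the named mutex already exists, which on a host that has not been inoculated is itself worth investigating, then creates the mutex and keeps the handle open, since a named mutex lives only while some process holds it. The mutex name is the one on the slide; the parameter name and messages are assumptions of this example.

```powershell
# Added example (not from the talk or the N3mes1s gist). Checks for, then
# creates and holds, the mutex name given on the slide so a later WannaCry
# instance believes it is already running. A named mutex lives only while a
# handle to it is open, so this script must stay running to keep the effect.
param(
    [string]$MutexName = "MsWinZonesCacheCounterMutexA"   # name from the slide
)

# 1. Detection first: a mutex of this name already present means another
#    process created it. On a host nobody has inoculated, investigate.
$existing = $null
$alreadyThere = $false
try {
    $alreadyThere = [System.Threading.Mutex]::TryOpenExisting($MutexName, [ref]$existing)
} catch [System.UnauthorizedAccessException] {
    $alreadyThere = $true      # exists, but belongs to another security context
}
if ($alreadyThere) {
    if ($existing) { $existing.Dispose() }
    Write-Warning "Mutex '$MutexName' already exists on this host; investigate before trusting the inoculation."
    exit 1
}

# 2. Inoculation: create the mutex and take ownership ($true). $createdNew
#    confirms we created it rather than opened one that appeared in between.
$createdNew = $false
$mutex = New-Object -TypeName System.Threading.Mutex -ArgumentList $true, $MutexName, ([ref]$createdNew)
if (-not $createdNew) {
    $mutex.Dispose()
    Write-Warning "Mutex '$MutexName' was created by another process first."
    exit 1
}
Write-Host "Holding mutex '$MutexName'. Leave this window open; Ctrl+C releases it."

# 3. Keep the handle open; releasing it undoes the inoculation.
try {
    while ($true) { Start-Sleep -Seconds 60 }
} finally {
    $mutex.ReleaseMutex()
    $mutex.Dispose()
}
```

This is a stopgap for hosts that cannot take the MS17-010 patch; the script runs per user session and must be started again after a reboot.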
16. #The Future
“In June, TheShadowBrokers is announcing "TheShadowBrokers Data Dump of the Month" service. TheShadowBrokers is launching new monthly subscription model. Is being like wine of month club. Each month peoples can be paying membership fee, then getting members only data dump each month. What members doing with data after is up to members.”
https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition
17. #The Future - II
“TheShadowBrokers Monthly Data Dump could be being:
◇ web browser, router, handset exploits and tools
◇ select items from newer Ops Disks, including newer exploits for Windows 10
◇ compromised network data from more SWIFT providers and Central banks
◇ compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs”
https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition
18. Thanks!
Any questions?
You can find me at:
◇ @cyberkryption
◇ paul.dutot@je.logicalis.com
◇ All pictures are internet memes
Editor's Notes
Before #WannaCry, there was the ADYLKUZZ malware, as detailed by Proofpoint researcher Kafeine at https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar
That attack shut down SMB on the vulnerable hosts it exploited, which lessened the effects of WannaCry.