
WannaCry? No Thanks!


- What is WannaCry?
- What are its Worm, Exploit, Botnet, Backdoor, Ransomware characteristics?
- WannaCry and the end of the world?
- Malware Prevention?
- Is it a big deal? Comparison with other malware
- WannaCry, a Military and Political Perspective

Published in: Internet


  1. WANNA CRY? NO THANKS!
  2. ABOUT ME Roberto Martelloni COBIT®5(F), CISM, CISSP, CCSP, CSSLP, CSPO, CSM. Since 1995 I’ve been contributing to the Info/Cyber Security field for fun and profit (cit.). About 17 years of work experience in the defence, oil and gas and finance industries. OWASP and Free and Open Source Software contributor, and rock-climber*
  3. ABOUT THE PRESENTATION • What is WannaCry? • What are its Worm, Exploit, Botnet, Backdoor, Ransomware characteristics? • WannaCry and the end of the world? • Malware Prevention? • Is it a big deal? Comparison with other malware • WannaCry, a Military and Political perspective • Questions & Answers, Money and Tomatoes
  4. WHAT IS WANNACRY? Malicious Software (Malware) is an umbrella term used to refer to a variety of forms of hostile or intrusive software. Malware is defined by its malicious intent, acting against the requirements of the computer user.
  5. A MALWARE TAXONOMY? Virus, Worm, Botnet, Backdoor, Exploit, Trojan, Rootkit, HackTool, Spyware, Adware, Ransomware, RAM Scrapers, …
  6. MALWARE ATTRIBUTE ENUMERATION AND CHARACTERIZATION (MAEC) • MAEC™: international in scope and free for public use, MAEC is a standardized language for encoding and communicating high-fidelity information about malware based upon attributes such as behaviors, artifacts, and attack patterns. • By eliminating the ambiguity and inaccuracy that currently exists in malware descriptions and by reducing reliance on signatures, MAEC aims to improve human-to-human, human-to-tool, tool-to-tool, and tool-to-human communication about malware; reduce potential duplication of malware analysis efforts by researchers; and allow for the faster development of countermeasures by enabling the ability to leverage responses to previously observed malware instances. • https://maec.mitre.org/
  7. WANNACRY BEHAVIORS, ARTIFACTS, AND ATTACK PATTERNS (https://malwr.com) (https://cuckoosandbox.org/)
  8. WANNACRY CHARACTERISTICS • Worm: replicates itself to spread to other computers • Exploit: takes advantage of a bug or vulnerability to cause unintended or unanticipated behaviour • Backdoor: bypasses normal authentication in a computer system • Botnet: network of private computers infected with malicious software and controlled as a group without the owners' knowledge • Ransomware: blocks access to the victim's data or threatens to publish it until a ransom is paid
  9. WANNACRY WORM AND EXPLOIT CHARACTERISTICS • Propagates using the EternalBlue exploit • Exploit developed by the U.S. National Security Agency (!) as part of its cyber arsenal • On Tuesday, March 14, 2017, Microsoft issued security bulletin MS17-010 to patch EternalBlue • On Friday, April 14, 2017, the exploit was leaked by The Shadow Brokers (TSB)
  10. WANNACRY WORM AND EXPLOIT CHARACTERISTICS • EternalBlue exploits a vulnerability (CVE-2017-0144) in Microsoft's implementation of the Server Message Block (SMBv1) protocol (shared drives) • Remote Code Execution without Authentication (!) • The vulnerable versions of Microsoft Windows are: • XP Embedded SP3 x86/x64, SP2 x64 • Vista x86/64 Edition SP 2.0 • Server 2012 R2 0, 2012 0 • Server 2008 R2 x64/Itanium SP1-2, x32 SP2 • Server 2003 x32/x64 SP2 • RT 8.1, 8.0 x86/x64 • 7 for x86/x64 SP1 • 10 x86/x64 Version 0, 1607, 1511
  11. WANNACRY WORM AND EXPLOIT CHARACTERISTICS (timeline) • March 14, 2017: Microsoft releases patches • April 14, 2017: Shadow Brokers leak • May 12, 2017: WannaCry attack • May 14, 2017: XP security patches
  12. WANNACRY BACKDOOR CHARACTERISTICS • DoublePulsar is a backdoor implant tool developed by the U.S. National Security Agency (NSA) • On April 14, 2017, the backdoor was leaked by The Shadow Brokers (TSB)
  13. WANNACRY BACKDOOR CHARACTERISTICS • Ring 0 backdoor (highest privilege level) • Implant workflow (simplified): • Determine CPU architecture x86/x64 • Locate the Server Message Block (SMBv1) driver • Patch it to implant the backdoor • Use a special «knock» to ping, exec, kill
  14. WANNACRY BOTNET CHARACTERISTICS • Command & Control on the Tor network • gx7ekbenv2riucmf.onion • 57g7spgrzlojinas.onion • xxlvbrloxvriy2c5.onion • 76jdd2ir2embyv47.onion • cwwnhwhlz52maqm7.onion
  15. WANNACRY RANSOMWARE CHARACTERISTICS • Each ransom is between $300 and $600 • Languages: Bulgarian, Chinese (simplified/traditional), Croatian, Czech, Danish, Dutch, English, Filipino, Finnish, French, German, Greek, Indonesian, Italian, Japanese, Korean, Latvian, Norwegian, Polish, Portuguese, Romanian, Russian, Slovak, Spanish, Swedish, Turkish, Vietnamese • Payment through the following bitcoin addresses: • https://blockchain.info/address/13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 • https://blockchain.info/address/12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw • https://blockchain.info/address/115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn • Total transactions 337, total amount 50.77421311 BTC, last transaction 2017-06-02 11:43:27 (!)
  16. WANNACRY RANSOMWARE CHARACTERISTICS • Each infection generates a new RSA-2048 keypair • For each target file type: • Create a new AES key • Encrypt the AES key using the RSA key and store it • Encrypt the file using AES-128-CBC
  17. WANNACRY RANSOMWARE CHARACTERISTICS (targeted file extensions) .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der
  18. WANNACRY LIFECYCLE • Exploitation • Backdoor Installation • Join the Botnet • Ransomware Installation • Worm Propagation
  19. WANNACRY AND THE END OF THE WORLD?
  20. WANNACRY AND THE END OF THE WORLD? Marcus Hutchins, known as MalwareTech • The kill switch website: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
  21. WANNACRY LIFECYCLE • Exploitation • Backdoor Installation • Join the Botnet • Ransomware Installation • Worm Propagation
  22. MALWARE PREVENTION? • Latest Software Updates (ALWAYS!) • Antivirus • Backup • Hardening • Network Segmentation and Firewalling • Intrusion Detection System • Security Operation Center and Incident Response • Business Continuity and Disaster Recovery
  23. WANNACRY AND OTHER MALWARE (infected hosts) • Mariposa 12,000,000 • Conficker 10,500,000 • Marina Botnet 6,215,000 • Zeus 3,600,000 • Mirai 380,000 • WannaCry 230,000
  24. WHAT IS THE BIG DEAL THEN? “Hospitals and doctors' surgeries across Britain were forced to turn away patients and cancel appointments after the cyberattack crippled some computer systems in the country's health service.” Hospitals affected by the ransomware in Indonesia, Slovakia, Ontario, England, Scotland (http://www.aljazeera.com/news/2017/05/disruption-uk-hospitals-hit-cyber-attack-170512160000368.html)
  25. WHAT IS THE BIG DEAL THEN? • Most of the tools used for the WannaCry attacks are from the U.S. National Security Agency (!) • The Shadow Brokers leaks • Shady release of patches by Microsoft before the vulnerabilities were leaked
  26. THE NATO COOPERATIVE CYBER DEFENSE CENTRE OF EXCELLENCE • Goal is to support its member nations and NATO with cyber defence expertise in the fields of technology, strategy, operations and law. • Belgium, the Czech Republic, Estonia, France, Germany, Greece, Hungary, Italy, Latvia, Lithuania, the Netherlands, Poland, Slovakia, Spain, Turkey, the United Kingdom, the United States, Austria, Finland and Sweden • The Tallinn Manual 2.0 is the most comprehensive analysis of how existing international law applies to cyberspace and cyber operations
  27. PRESENTATION RECAP • What is WannaCry? • What are its Worm, Exploit, Botnet, Backdoor, Ransomware characteristics? • WannaCry and the end of the world? • Malware Prevention? • Is it a big deal? Comparison with other malware • WannaCry, a Military and Political perspective • Questions & Answers, Money and Tomatoes
  28. THANK YOU ROBERTO MARTELLONI RMARTELLONI@GMAIL.COM HTTPS://WWW.LINKEDIN.COM/IN/RMARTELLONI/
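Detection logic for the indicators the deck quotes (the kill-switch domain on slide 20, the Tor C2 addresses on slide 14, and the SMB fan-out of the worm-propagation stage on slide 18), as an added example that is not part of the presentation. The log record format and the sample lines are constructed; TCP port 445 for SMB and the scan threshold are my assumptions.

```python
from collections import defaultdict

# Indicators quoted in the deck: the kill-switch domain (slide 20) and the five Tor C2 addresses (slide 14).
KILL_SWITCH = "www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"
C2_ONIONS = {
    "gx7ekbenv2riucmf.onion", "57g7spgrzlojinas.onion",
    "xxlvbrloxvriy2c5.onion", "76jdd2ir2embyv47.onion",
    "cwwnhwhlz52maqm7.onion",
}
SMB_PORT = "445"        # assumption: SMBv1 (the EternalBlue target) is reached over TCP 445
SCAN_THRESHOLD = 5      # assumption: distinct SMB peers from one host before we call it worm scanning

# Constructed sample log (not a real capture). Hypothetical record shapes:
#   DNS <src_ip> <queried_name>   |   CONN <src_ip> <dst_ip> <dst_port>
SAMPLE_LOG = """\
DNS 10.0.0.7 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com
DNS 10.0.0.7 gx7ekbenv2riucmf.onion
CONN 10.0.0.7 10.0.0.21 445
CONN 10.0.0.7 10.0.0.22 445
CONN 10.0.0.7 10.0.0.23 445
CONN 10.0.0.7 10.0.0.24 445
CONN 10.0.0.7 10.0.0.25 445
CONN 10.0.0.7 10.0.0.25 445
CONN 10.0.0.9 10.0.0.21 445
DNS 10.0.0.9 example.com
"""

def analyse(log_text):
    """Map each source IP to the ordered list of indicator types it triggered."""
    alerts = defaultdict(list)
    smb_peers = defaultdict(set)        # src_ip -> distinct dst_ips contacted on port 445
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue                     # skip blank or malformed records
        kind, src = fields[0], fields[1]
        if kind == "DNS":
            name = fields[2].lower().rstrip(".")   # normalise case and trailing dot
            if name == KILL_SWITCH:
                alerts[src].append("kill_switch")  # lifecycle stage 1: worm checks the kill switch on arrival
            elif name in C2_ONIONS:
                alerts[src].append("tor_c2")       # stage 3: joining the botnet over Tor
        elif kind == "CONN" and len(fields) >= 4 and fields[3] == SMB_PORT:
            before = len(smb_peers[src])
            smb_peers[src].add(fields[2])
            # stage 5: alert once, when one host first crosses the fan-out threshold
            if before < SCAN_THRESHOLD <= len(smb_peers[src]):
                alerts[src].append("smb_scan")
    return dict(alerts)

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Repeated connections to the same peer do not inflate the SMB count, so a host that legitimately talks to one file server stays quiet.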
