Palestra Jeferson Propheta - Wanna Cry more

Date, specific business group MCAFEE CONFIDENTIALITY LANGUAGE 1
WannaCry | More
jp@mcafee.com

# man @mcafee
30+ Security Engineers in Latin America
• Intelligence Services (Including SOCs, Law enforcement Agencies)
• Finance Fraud Prevention Group
• DDoS and Defacement handler
• Honey pot, phoney pot and honey network (sudo su -)
• Incident Response

Shadow Brokers, August, 16: Alleged they hacked in to
Equation Group and that they have their cyber weapons;
“
”

The Shadow Brokers: Hacker group that published several leaks
containing hacking tools.
Some of those tools are associated to a global and domestic(US)
surveillance efforts, especially related to Equation Group
https://en.wikipedia.org/wiki/The_Shadow_Brokers
https://en.wikipedia.org/wiki/
Global_surveillance_disclosures_(2013%E2%80%93present)

Equation Group: known as one of the most sophisticated cyber-attack groups in
the world. About 60 actors.
• How sophisticated? Malwares capable of reprogramming a hard disk
drive firmware.
• What can they do with it? ability to infect and transmitted through
the hard drive firmware of several of the major hard drive manufacturers.
• Bonus: creating and use hidden disk areas and virtual disk systems for its purposes
• How much malware they wrote: about 500 malware infections in more
than 42 countries.
• Sponsored Attacks? Really? Timestamps in the malware seem to indicate
that programmers worked Monday-Friday 08:00-17:00
https://en.wikipedia.org/wiki/Equation_Group

Some of the tools/vulnerability they used are related to toolbox that used by a
group dubbed Advanced Network Technology
• BULLDOZER: hidden wireless bridge
• CANDYGRAM: tripwire device that emulates a GSM cellphone tower.
• DEITYBOUNCE: Technology that installs a backdoor software implant on Dell PowerEdge servers
• DROPOUTJEEP: "A software implant for the Apple iPhone that utilizes modular mission applications to
provide specific SIGINT functionality. This functionality includes the ability to remotely push/pull files from
the device. SMS retrieval, contact list retrieval, voicemail, geolocation, hot mic, camera capture, cell tower
location, etc. Command, control and data exfiltration can occur over SMS messaging or a GPRS data
connection. All communications with the implant will be covert and encrypted.
• IRONCHEF: Technology that can "infect" networks by installing itself in a computer I/O BIOS
• JETPLOW: Firmware that can be implant to create a permanent backdoor in a Cisco PIX series and ASA
firewalls
• NIGHTSTAND: Portable system that wirelessly installs Microsoft Windows exploits from a distance of up
to eight miles
• TOTEGHOSTLY: Software that can be implanted on a Windows mobile phone allowing full remote control.
* There are 48 known tools at ANT Toolbox: https://en.wikipedia.org/wiki/
NSA_ANT_catalog

there’s | more…
Some unknown tools (so far for some people) leaked by Shadow
Brokers:
• DEWDROP
• INCISION
• JACKLADDER
• ORANGUTAN
• PATCHICILLIN
• RETICULUM
• SIDETRACK
• STOCSURGEO
I’ll let you do your own research on this on.

Shadow Brokers, August, 16: Alleged they hacked in to
Equation Group and that they have their cyber weapons;
“
”
So, back to Shadow Brokers

There are 5 main leaks associated with Shadow Brokers:

• First leak: "Equation Group Cyber Weapons Auction - Invitation": the one I just
mentioned before;
• Second Leak: "Message #5 - TrickOrTreat"
• Third Leak: "Message #6 - BLACK FRIDAY / CYBER MONDAY SALE"
• Fourth Leak: "Don't Forget Your Base"
• Fifth Leak: "Lost in Translation": This leak includes, amongst other things, the tools and
exploits codenamed: DANDERSPIRITZ, ODDJOB, FUZZBUNCH, DARKPULSAR,
ETERNALSYNERGY, ETERNALROMANCE, ETERNALBLUE, EXPLODINGCAN and EWOKFRENZY.

• …Fifth Leak: "Lost in Translation": Exploits and utilities
EARLYSHOVEL RedHat 7.0 - 7.1 Sendmail 8.11.x exploit
EBBISLAND (EBBSHAVE) root RCE via RPC XDR overflow in Solaris 6, 7, 8, 9 & 10 (possibly newer) both SPARC
and x86.
ECHOWRECKER remote Samba 3.0.x Linux exploit.
EASYBEE appears to be an MDaemon email server vulnerability
EASYFUN EasyFun 2.2.0 Exploit for WDaemon / IIS MDaemon/WorldClient pre 9.5.6
EASYPI is an IBM Lotus Notes exploit that gets detected as Stuxnet
EWOKFRENZY is an exploit for IBM Lotus Domino 6.5.4 & 7.0.2
EXPLODINGCAN is an IIS 6.0 exploit that creates a remote backdoor
ETERNALROMANCE is a SMB1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008,
2008 R2, and gives SYSTEM privileges (MS17-010)
EDUCATEDSCHOLAR is a SMB exploit (MS09-050)
EMERALDTHREAD is a SMB exploit for Windows XP and Server 2003 (MS10-061)
EMPHASISMINE is a remote IMAP exploit for IBM Lotus Domino 6.6.4 to 8.5.2
ENGLISHMANSDENTIST sets Outlook Exchange WebAccess rules to trigger executable code on the client's
side to send an email to other users
EPICHERO 0-day exploit (RCE) for Avaya Call Server

ERRATICGOPHER is a SMBv1 exploit targeting Windows XP and Server 2003
ETERNALSYNERGY is a SMBv3 remote code execution flaw for Windows 8 and Server 2012 SP0 (MS17-010)
ETERNALBLUE is a SMBv2 exploit for Windows 7 SP1 (MS17-010)
ETERNALCHAMPION is a SMBv1 exploit
ESKIMOROLL is a Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers
ESTEEMAUDIT is an RDP exploit and backdoor for Windows Server 2003
ECLIPSEDWING is an RCE exploit for the Server service in Windows Server 2008 and later (MS08-067)
ETRE is an exploit for IMail 8.10 to 8.22
ETCETERABLUE is an exploit for IMail 7.04 to 8.05
FUZZBUNCH is an exploit framework, similar to MetaSploit
ODDJOB is an implant builder and C&C server that can deliver exploits for Windows 2000 and later, also not
detected by any AV vendors
EXPIREDPAYCHECK IIS6 exploit
EAGERLEVER NBT/SMB exploit for Windows NT4.0, 2000, XP SP1 & SP2, 2003 SP1 & Base Release
EASYFUN WordClient / IIS6.0 exploit
ESSAYKEYNOTE
EVADEFRED

PASSFREELY utility which "Bypasses authentication for Oracle servers"
SMBTOUCH check if the target is vulnerable to samba exploits like ETERNALSYNERGY, ETERNALBLUE,
ETERNALROMANCE
ERRATICGOPHERTOUCH Check if the target is running some RPC
IISTOUCH check if the running IIS version is vulnerable
RPCOUTCH get info about windows via RPC
DOPU used to connect to machines exploited by ETERNALCHAMPIONS
NAMEDPIPETOUCH Utility to test for a predefined list of named pipes, mostly AV detection. User can add
checks for custom named pipes.

Some exploits targeting the Windows operating system, has been patched
with Microsoft Security Bulletin on March 14, 2017, one month before the
leak occurred. One of them was MS17-010.

WannaCry in a nutshell
The WannaCry ransomware, also known as Wanna Decryptor, leverages
a Windows SMB exploit, dubbed EternalBlue, that allows a remote
hacker to hijack computers running on unpatched Microsoft Windows
operating system. 
 
Once infected, WannaCry also scans for other unpatched PCs connected
to the same local network, as well as scans random hosts on the wider
Internet, to spread itself quickly.

Why is it so nasty?

WannaCry doesn’t rely on the traditional vector for ransomware, email
phishing attacks. Instead, it spreads like a worm from infected system to
infected system by scanning heavily over TCP port 445 (Server Message
Block/SMB), then encrypting files.

http://thehackernews.com/2017/05/how-to-wannacry-ransomware.html

How was it WW
Day 1: Cryout — WannaCry targeted over 200,000 computers in 120
countries.
Day 2: The Patch Day — A security researcher successfully found a way to
slow down the infection rate, and meanwhile, Microsoft releases
emergency patch updates for unsupported versions of Windows (back to
Windows XP but not to Windows 2000).
Day 3: New Variants Arrives — Some new variants of WannaCry, with and
without a kill-switch, were detected in the wild would be difficult to stop
for at least next few weeks.

Source: http://thehackernews.com/2017/05/how-to-wannacry-
ransomware.html

Day 4, Day 5, … craziness
Many computers at Day 5 wasn`t patched yet. Many servers with Windows
2000 still doesn`t have a contingency plan, AVs disabled, out-of-day, not
communicating with console…

Day 6: Adylkuzz shows up to the public. Some Intel services talked about
this malware back in April 24th. This little dude use PCs to mine
cryptocurrency “Monero” (good thing about it? To avoid reinfection on the
same computer Adylkuzz disables SMB, so is a computer is infected with
Adylkuzz it will not be infected by WannaCry)

This cyber-attack brought down many organisations to
their knees
“
”somebody

What else to expect:
Back in time:
Fifth Leak: "Lost in Translation": This leak includes, amongst other
things, the tools and exploits codenamed: DANDERSPIRITZ, ODDJOB,
FUZZBUNCH, DARKPULSAR, ETERNALSYNERGY, ETERNALROMANCE,
ETERNALBLUE, EXPLODINGCAN and EWOKFRENZY.
There’s | more.
Get Ready for the 'Wine of Month Club'

Wine of month club
So, anyone buying the membership of the "wine of month club" would
be able to get exclusive access to the upcoming leaks, which the Shadow
Brokers claims would include: 
• Exploits for web browsers, routers, and smartphones.
• Exploits for operating systems, including Windows 10.
• Compromised data from banks and Swift providers.
• Stolen network information from Russian, Chinese, Iranian, and North
Korean nuclear missile programs.
https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-
comey-wanna-cry-edition

The Vault
7 March 2017: WikiLeaks released a series of leaks code-named “Vault
7” that compromises 8.761 documents and files. It includes dozens of
malwares targeting iPhone, Android, SmartTVs and Windows.

Main concerns now are related to 2 Malware Frameworks

The Vault
7 March 2017: WikiLeaks released a series of leaks code-named “Vault
7” that compromises 8.761 documents and files. It includes dozens of
malwares targeting iPhone, Android, SmartTVs and Windows.

Main concerns now are related to 2 Malware Frameworks
• AfterMidnight
• Assassin
Those are not simple exploits. Both tools are entire Frameworks,
exploitation, persistence, C&C etc.

AfterMidnight – Malware Framework
AfterMidnight is a DLL that self-persists as a Windows Service DLL and provides secure execution of “Gremlins”
via a HTTPS based Listening Post (LP).
Once installed on a target machine AM will call back to a configured LP on a configurable schedule, checking
to see if there is a new plan for it to execute. If there is, it downloads and stores all needed components
before loading all new gremlins in memory. https://wikileaks.org/vault7/document/
AfterMidnight_v1_0_Users_Guide

Assassin – Malware Framework
Assassin consists of four subsystems: Implant, Builder, Command and Control, and Listening Post.
The ‘Implant‘ provides the core logic and functionality of this tool on a target Windows machine, including
communications and task execution. It is configured using the ‘Builder’ and deployed to a target computer via
some undefined vector.
The ‘Builder‘ configures Implant and ‘Deployment Executables’ before deployment and “provides a custom
command line interface for setting the Implant configuration before generating the Implant,” reads the tool’s user
guide.
The ‘Command and Control‘ subsystem acts as an interface between the operator and the Listening Post (LP),
while the LP allows the Assassin Implant to communicate with the command and control subsystem through a
web server.
https://wikileaks.org/vault7/document/Assassin_v1_4_Users_Guide/

Hive (Vault 8 leak) November 9th 2017
https://wikileaks.org/vault8/

How nasty can it be?

It will probably depend on how much of those things you will do:

• “Doing-nothingness”
• “Doing-sameness”
• “It will not happeness”
• “I'm okness”
• “No needness”

Ligue Dja!

Is machine learning alone the answer?

Is machine learning alone the answer?
https://www.popsci.com/byzantine-science-deceiving-artificial-intelligence

Don’t trust machines 100% - remember Skynet!
https://www.popsci.com/byzantine-science-deceiving-artificial-intelligence

How to prevent from those new attacks?
… I really don't know. But no need to run to the mountains or get back
to the typewriter.

…. What I know is that you need to work on your security maturity
posture.
Assess your organization, run cyber hygiene, strong patching program,
backup & education.

MCAFEE CONFIDENTIAL 31
Efficacy vs Time

MCAFEE CONFIDENTIAL 32
Protection-only strategy is a terrible mistake
Investing time and energy in Protection only is not enough!!
Look in the past!

Find a balance on protection, detection and remediation

Clarity is the key to take decisions
Assess your organization against some security framework to measure your
security maturity (compare what you have with something)
All basic things such: ISO 27.002, NIST, COBIT, SOX, CRITICAL CONTROLS have to be
covered.
Understating where you are at, define were you want to be (select your taste for
risk)
Create a Plan A and follow this plan till the end
Plan B should be all about reinforcing Plan A

Have an Incident Response Plan in place (tested)
How to act in front of an incident
from call-tree, war-room to IR “how-to documents” for the most important areas
Why is it important to test?

No train, no gain. Cyber Security posture is like a muscle, you have to be trained to
understand how to act.

• Dry Run Exercises…
• Malware infection
• DDoS
• Social Engineering

Consider having some Honeypots, Honeypots networks, etc.

Consider some Intel for your Security Operation
• “Fresh” and “Good” Info
• Malware Analysis
• Mitigation Strategies

* during WannaCry incident many companies was still trying to figure out
what happened 10 hours after the first infection (some of them are still
trying)
Phone Call 15:00 Friday, 12 May:
customer: “What is happening to my network?”
me: “Turn your TV on”

Know what your Security Tools are able to do. Understand it. Do some
homework. Ask for help before something bad happen. If you don't
invest in education now, I’ll charge you much more to do incident
response ☺

Keep your security tools basics working
• Communications
• Repositories
• Versions
• Dashboards
• Reports
Come on. Security Tools aren’t cheap. Block and forget is the worst thing
you could do with your security investment.

You plan should also consider some hardening.

You know how much customer who did some SMB hardening got
infected by WannaCry? : None

What about products?
Presentations is kinda ending… you not selling any product?

It’s not about products!. it’s how you connect the dots!

You may need products! Of course!
Consider some whitelisting type of technology for some sort of systems
such the ones with fixed functions.

I might say you could have some sandboxing tool to help you out too.
Webgateway with antimalware, Data Loss Prevention Program in place,
SIEM solution, and so forth but…
Play by programs not by projects. See the big picture first!
that’s for another presentation

No one person, product or organization can fight cybercrime
alone.
Collaborative attitude is the only way to overcame the greatest
challenge of the digital age – cybercrime
Thank you
End.

MCAFEE CONFIDENTIAL
McAfee, the McAfee logo and [insert <other relevant McAfee Names>] are trademarks or registered trademarks of McAfee LLC or its subsidiaries in the U.S. and/or other countries.
Other names and brands may be claimed as the property of others.
Copyright © 2017 McAfee LLC.
41

Palestra Jeferson Propheta - Wanna Cry more

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Palestra Jeferson Propheta - Wanna Cry more

Similar to Palestra Jeferson Propheta - Wanna Cry more (20)

More from BHack Conference

More from BHack Conference (9)

Recently uploaded

Recently uploaded (20)

Palestra Jeferson Propheta - Wanna Cry more