SMB Vulnerabilities – WannaCry, Adylkuzz and SambaCry

June 15, 2017 — by Daniel Smith3

Last month, on Friday, May 12th, a global incident involving a ransomware variant named WannaCry broke out, targeting computers around the world. Everything from personal computers to corporate and university networks was affected by this campaign. The campaign spread across networks by leveraging a recently disclosed vulnerability in Microsoft's SMB service. On March 14th, 2017, Microsoft released MS17-010, a security update that addressed and patched six CVEs. Five were remote code executions and the sixth was related to information disclosure.

A month later the Shadow Brokers, a hacking group that targets the NSA, leaked hacking tools from the Equation Group. These tools included FuzzBunch, an exploitation framework similar to Metasploit. Inside FuzzBunch there was an exploit called EternalBlue and a payload called DoublePulsar. EternalBlue is an exploit that targets Microsoft's SMB protocol. The exploit allowed the attackers to send a specially crafted message to gain unauthorized access to machines around the world. Once access is gained, the DoublePulsar payload is delivered and triggered to download WannaCry. After a machine is infected with WannaCry, the worm scans for nearby machines it can target in the same way and begins to move laterally within the network, transferring the malicious payload to more and more endpoints.

FuzzBunch via Miguel Diaz Lira
https://github.com/mdiazcl/fuzzbunch-debian

On May 10th, CVE-2017-0144, "Microsoft Windows Server 2008 R2 (x64) – 'SrvOs2FeaToNt' SMB Remote Code Execution", was added to ExploitDB; it leveraged the vulnerabilities disclosed in MS17-010. Two days later the WannaCry campaign broke out and infected computers all around the world. Upon infection, WannaCry executes a file that sends an HTTP GET request to a hardcoded domain. This is a killswitch: if the request to the domain succeeds, WannaCry exits and does not deploy; if the request fails, it continues to infect devices on the network. When the campaign began on Friday, a security researcher, @MalwareTechBlog, noticed that the killswitch domain was unregistered. He promptly registered the domain and directed the requests to a sinkhole, effectively preventing this variant from spreading further.

@MalwareTechBlog


On May 13th another researcher, @msuiche, discovered a second variant with a different killswitch. @msuiche also registered the domain and directed the requests to his own sinkhole, preventing the spread of the second variant. Around May 17th the sinkhole operators reported DDoS attacks targeting the sinkholes, a likely attempt to take the domains offline so the WannaCry variants could infect their victims. A third variant even surfaced that did not rely on a killswitch. A few days later, decryption tools started coming out for Windows. As individuals and corporations around the world patched their systems, infections decreased, but we are still seeing scans against port 445 as the number one attack against our honeypots. At the time of writing, the original Bitcoin wallets had received 326 payments totaling 51.618 BTC, or $144,095, and the campaign had targeted over 100 countries.

@actual_ransom

While investigating WannaCry, Kafeine reported that an exposed Proofpoint honeypot vulnerable to EternalBlue was attacked within 20 minutes of exposure. Expecting to see WannaCry, they were instead infected with a cryptocurrency miner, Adylkuzz. Adylkuzz infections ultimately caused service degradation on infected devices. Proofpoint revealed that this campaign, which leveraged the same exploits used by WannaCry, predated the ransomware campaign. Proofpoint's research also revealed that Adylkuzz, upon infection, shut down the SMB protocol to prevent further infection by other malware using the same exploit. In parallel with mitigating WannaCry, users patching against the SMB vulnerability were also protecting their devices from Adylkuzz.

Kafeine’s research related to Adylkuzz

Samba, open source software that provides Windows file sharing to non-Windows machines using the SMB/CIFS protocol, recently disclosed a remote code execution vulnerability, similar to the one exploited by WannaCry, that lets users with authorized SMB access execute code on the server. There is even a working Metasploit exploit leveraging CVE-2017-7494. Linux.MulDrop.14, as reported by Dr.Web, is a Linux Trojan that is currently delivering a crypto-mining program and targeting Raspberry Pis that have default credentials. This piece of malware exploits the recent Samba disclosure, CVE-2017-7494. It is also reported that this strain of malware downloads zmap and sshpass so it can search the network for devices with port 22 open to infect.

In all cases, attackers are aggressively scanning the internet looking for vulnerable devices with port 445 exposed. The reason so many machines were infected during the campaign was that users neglected to install security updates in a timely fashion. In the case of WannaCry, Microsoft's security update was released a month before the Shadow Brokers leaked the FuzzBunch framework that included the exploits and payload used in the campaign. The best prevention for attacks in general is maintenance and patching. Users need to get into the habit of patching their devices on a regular basis, segmenting networks where possible and changing default credentials.
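The scanning behaviour described above (port 445 sweeps against the honeypots, and the port 22 sweeps performed by Linux.MulDrop.14) is visible in ordinary firewall logs as one source touching the same port on many distinct hosts in a short window. The following is an added detection example, not code from the original post or from Radware; it assumes iptables-style kernel LOG lines (an assumption about the format) and uses constructed sample lines with RFC 5737 example addresses. A source is flagged only when it reaches a minimum number of distinct destinations on a watched port, so a single host retrying SMB against one file server is not reported.

```python
"""Flag SMB (445) and SSH (22) sweeps in firewall connection logs.

Added example; the log format is assumed (iptables LOG target) and the
sample lines below are constructed, not captured from any real network.
"""
import re
from collections import defaultdict

# Fields we need from an iptables-style LOG line: source, destination, TCP dest port.
LOG_RE = re.compile(
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+)\s+DST=(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"PROTO=TCP\s+.*?DPT=(?P<dpt>\d+)"
)

# Ports the article singles out: 445 (SMB/EternalBlue, SambaCry) and 22 (MulDrop's sshpass stage).
WATCHED_PORTS = {445: "SMB", 22: "SSH"}

# Constructed sample log: one source sweeps 445 across four hosts, one sweeps 22 across
# three hosts, one internal host retries 445 against a single server, one hits port 80.
SAMPLE_LOG = """\
May 17 10:02:11 hp1 kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=40111 DPT=445 SYN
May 17 10:02:11 hp1 kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.11 PROTO=TCP SPT=40112 DPT=445 SYN
May 17 10:02:12 hp1 kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.12 PROTO=TCP SPT=40113 DPT=445 SYN
May 17 10:02:12 hp1 kernel: IN=eth0 SRC=198.51.100.7 DST=203.0.113.13 PROTO=TCP SPT=40114 DPT=445 SYN
May 17 10:03:40 hp1 kernel: IN=eth0 SRC=192.0.2.55 DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=22 SYN
May 17 10:03:40 hp1 kernel: IN=eth0 SRC=192.0.2.55 DST=203.0.113.11 PROTO=TCP SPT=51001 DPT=22 SYN
May 17 10:03:41 hp1 kernel: IN=eth0 SRC=192.0.2.55 DST=203.0.113.12 PROTO=TCP SPT=51002 DPT=22 SYN
May 17 10:05:02 hp1 kernel: IN=eth0 SRC=10.0.0.8 DST=203.0.113.10 PROTO=TCP SPT=49152 DPT=445 SYN
May 17 10:05:03 hp1 kernel: IN=eth0 SRC=10.0.0.8 DST=203.0.113.10 PROTO=TCP SPT=49153 DPT=445 SYN
May 17 10:05:04 hp1 kernel: IN=eth0 SRC=10.0.0.8 DST=203.0.113.10 PROTO=TCP SPT=49154 DPT=445 SYN
May 17 10:06:00 hp1 kernel: IN=eth0 SRC=192.0.2.9 DST=203.0.113.10 PROTO=TCP SPT=33000 DPT=80 SYN
"""


def parse_line(line):
    """Return (src, dst, dport) for a TCP LOG line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dpt"))


def find_sweeps(log_text, min_targets=3):
    """Return {src: {port: sorted distinct destinations}} for every source that
    touched at least `min_targets` distinct hosts on a watched port.

    Counting distinct destinations rather than raw connection attempts is what
    separates a network sweep from a client retrying against one server.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport in WATCHED_PORTS:
            seen[src][dport].add(dst)

    sweeps = {}
    for src, ports in seen.items():
        hits = {p: sorted(d) for p, d in ports.items() if len(d) >= min_targets}
        if hits:
            sweeps[src] = hits
    return sweeps


def sweep_report(sweeps):
    """Render one human-readable line per (source, port) sweep."""
    lines = []
    for src, ports in sorted(sweeps.items()):
        for port, dsts in sorted(ports.items()):
            lines.append(f"{src} swept {WATCHED_PORTS[port]}/{port} on {len(dsts)} hosts")
    return lines


if __name__ == "__main__":
    for entry in sweep_report(find_sweeps(SAMPLE_LOG)):
        print(entry)
```

Feed it real `iptables -j LOG` output (or any log you can map onto the same three fields) and raise `min_targets` to match the size of your address space; the point is that the sweeper, not the noisy internal client, is the thing worth alerting on.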


Daniel Smith

Daniel Smith is an information security researcher for Radware's Emergency Response Team. He focuses on security research and risk analysis for network and application based vulnerabilities. Daniel's research focuses on Denial-of-Service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in tools and techniques helps Radware proactively develop signatures and mitigations for attacks against its customers.

3 comments

  • Randy Abrams

    June 22, 2017 at 5:05 pm

    “a similar remote code execution vulnerability to WannaCry that allows users authorized access”

    WannaCry is a piece of malware, not a vulnerability. WannaCry is one of the potential payloads when CVE-2017-0144 is exploited. Other payloads have been dropped when CVE-2017-0144 was exploited.

    In an unfortunate exploitation of marketing, the vulnerability CVE-2017-7494 was dubbed SambaCry. WannaCry is nothing at all like SambaCry. One is a payload, the other is a vulnerability and neither is an exploit.

    You might want to correct this article

    Reply
