SMB Vulnerabilities – WannaCry, Adylkuzz and SambaCry


Last month, on Friday, May 12th, a global incident involving a ransomware variant named WannaCry broke out, hitting computers around the world. Everything from personal computers to corporate and university networks was affected. The campaign spread across networks by leveraging a recently patched vulnerability in Microsoft's SMB service (specifically SMBv1). On March 14th, 2017, Microsoft had released security update MS17-010, which addressed six CVEs: five remote code execution flaws and one information disclosure flaw.

A month later the Shadow Brokers, a hacking group that has been leaking tools attributed to the NSA's Equation Group, published another batch of those tools. Among them was FuzzBunch, an exploitation framework comparable to Metasploit. Inside FuzzBunch were an exploit called EternalBlue and a kernel-mode implant called DoublePulsar. EternalBlue targets Microsoft's SMBv1 implementation: a specially crafted sequence of SMB messages gives an unauthenticated attacker code execution on any reachable machine running the unpatched service. Once a host is exploited, DoublePulsar is installed and used to load WannaCry. WannaCry then scans for other hosts it can reach on TCP port 445, exploits them the same way, and moves laterally through the network, carrying the malicious payload to more and more endpoints.

FuzzBunch via Miguel Diaz Lira
https://github.com/mdiazcl/fuzzbunch-debian

On May 10th an exploit for CVE-2017-0144 (Microsoft Windows Server 2008 R2 (x64) – ‘SrvOs2FeaToNt’ SMB Remote Code Execution), one of the vulnerabilities patched in MS17-010, was added to ExploitDB. Two days later the WannaCry campaign broke out and infected computers all around the world. Upon infection, WannaCry first sends an HTTP GET request to a hardcoded domain. This is a killswitch: if the request succeeds, WannaCry exits without encrypting anything or spreading; if the request fails, it continues to encrypt the host and to infect other devices on the network. When the campaign began on Friday, a security researcher, @MalwareTechBlog, noticed that the killswitch domain was unregistered. He promptly registered it and pointed it at a sinkhole, which stopped this variant from spreading further. One caveat: the request is made directly rather than through the system's proxy settings, so on networks that reach the internet only via a proxy the request fails and the killswitch offers no protection.


On May 13th another researcher, @msuiche, discovered a second variant with a different killswitch domain. He likewise registered the domain and pointed it at his own sinkhole, preventing the spread of the second variant. Around May 17th the sinkhole operators reported DDoS attacks against the sinkholes, a likely attempt to take the domains offline so that the killswitch check would fail and the WannaCry variants would resume infecting their victims. A third variant then surfaced that did not rely on a killswitch at all. A few days later, decryption tools for Windows started to appear. As individuals and corporations patched their systems around the world, infections decreased, but scans against port 445 remain the number one attack seen by our honeypots. At the time of writing the original Bitcoin wallets had received 326 payments totaling 51.618 BTC, or $144,095, and the campaign had reached over 100 countries.
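The lateral movement described earlier (a worm fanning out to every host it can reach on port 445) and the port 445 scanning our honeypots keep seeing come down to the same signal in connection logs: one source touching many distinct destinations on port 445 within a short window. The following is an added example, not code from the original post or from Radware, of a detector for that pattern. The log format ("timestamp src dst dport"), the hosts and the thresholds are constructed for the example; on real data you would feed it firewall or NetFlow records.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_log():
    """Constructed sample connection log (not real traffic): 'timestamp src dst dport'.

    10.0.0.5  behaves like a worm: 12 hosts on 445 in 24 seconds.
    10.0.0.9  is a normal client: 3 file servers on 445, lots of web traffic on 80.
    10.0.0.77 is a slow scanner: 12 hosts on 445, one every three minutes.
    """
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    for i in range(12):
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 10.0.0.5 10.0.0.{100 + i} 445")
    for i in range(3):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.9 10.0.0.{20 + i} 445")
    for i in range(15):
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.9 10.0.0.{50 + i} 80")
    for i in range(12):
        lines.append(f"{(base + timedelta(minutes=3 * i)).isoformat()} 10.0.0.77 10.0.0.{200 + i} 445")
    return "\n".join(lines)


def parse_log(text):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, int) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def find_smb_scanners(events, port=445, min_targets=10, window=timedelta(seconds=60)):
    """Return {src: window_start} for sources that reached at least `min_targets`
    distinct destinations on `port` within any `window`-long span of time."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == port:
            by_src[src].append((ts, dst))

    alerts = {}
    for src, hits in by_src.items():
        hits.sort()                      # time order, so a sliding window works
        seen = defaultdict(int)          # dst -> number of hits inside the window
        left = 0
        for ts, dst in hits:
            seen[dst] += 1
            while ts - hits[left][0] > window:   # evict hits older than the window
                old_dst = hits[left][1]
                seen[old_dst] -= 1
                if seen[old_dst] == 0:
                    del seen[old_dst]
                left += 1
            if len(seen) >= min_targets:
                alerts[src] = hits[left][0]
                break                    # one alert per source is enough
    return alerts


if __name__ == "__main__":
    events = parse_log(constructed_log())
    for src, start in sorted(find_smb_scanners(events).items()):
        print(f"ALERT {src}: >=10 distinct hosts on 445 starting {start.isoformat()}")
```

With the defaults only 10.0.0.5 is flagged; the file-share client stays quiet because it never reaches ten distinct servers, and the slow scanner is invisible until the window is widened to an hour. Pick the window to match how fast you expect a worm to move, and tune `min_targets` against a baseline of your own SMB traffic before alerting on it.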

@actual_ransom

While investigating WannaCry, Kafeine of Proofpoint reported that an exposed honeypot vulnerable to EternalBlue was attacked within 20 minutes of going online. Instead of the expected WannaCry, it was infected with a cryptocurrency miner, Adylkuzz, which degraded service on infected devices. Proofpoint's research showed that this campaign, which used the same exploit and implant as WannaCry, predated the ransomware outbreak. It also showed that Adylkuzz, once installed, shuts down SMB networking on the host to keep other malware using the same exploit from taking over the machine. A practical consequence for defenders: a host that suddenly stops answering on port 445 without anyone having hardened it deserves a look rather than a tick in the box. Users patching against the SMB vulnerability to mitigate WannaCry were protecting their devices from Adylkuzz at the same time.

Kafeine’s research related to Adylkuzz

Samba, the open source implementation of the SMB/CIFS protocol that gives non-Windows machines Windows file sharing, recently disclosed a remote code execution vulnerability of its own, CVE-2017-7494 (widely referred to as SambaCry). It is not the same bug as EternalBlue: the attacker needs write access to a share, but having uploaded a shared library to that share they can make the server load and execute it with smbd's privileges. A working Metasploit module for CVE-2017-7494 already exists. Samba's advisory offers `nt pipe support = no` in the [global] section of smb.conf as a workaround where patching is not immediately possible, at the cost of some functionality for Windows clients. Linux.MulDrop.14, as reported by Dr.Web, is a Linux Trojan that is currently delivering a crypto-mining program to Raspberry Pi devices that still use their default credentials. This malware is reported to exploit the recent Samba disclosure, CVE-2017-7494. It is also reported to download zmap and sshpass so that it can search the network for devices with port 22 open and infect them.

In all cases, attackers are aggressively scanning the internet for vulnerable devices with port 445 exposed. The reason so many machines were infected during the campaign is that users neglected to install security updates in a timely fashion. In the case of WannaCry, Microsoft's security update was released a month before the Shadow Brokers leaked the FuzzBunch framework containing the exploit and implant used in the campaign. The best prevention for attacks in general is maintenance and patching. Users need to get into the habit of patching their devices on a regular basis, disabling SMBv1 where it is not needed, keeping port 445 off the internet, segmenting networks where possible, and changing default credentials.
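One check that follows from the advice above is to find out which of your own hosts still speak SMBv1, the protocol version EternalBlue targets, on port 445. The following is an added example, not code from the original post or from Radware: a small Python probe that sends an SMB1 Negotiate Protocol Request and classifies the reply. The dialect list and the sample reply bytes used for offline testing are constructed here; the NetBIOS framing, header layout and 0xFF 'SMB' / 0xFE 'SMB' signatures follow the protocol.

```python
import socket
import struct
import sys

# Only SMBv1 dialects are offered on purpose: a server with SMBv1 disabled
# will reset or ignore this request instead of negotiating, which is the signal
# we are looking for.
SMB1_DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]


def build_smb1_negotiate(dialects=SMB1_DIALECTS):
    """Build an SMB_COM_NEGOTIATE request framed for direct TCP (port 445)."""
    header = (
        b"\xffSMB"                       # SMB1 protocol identifier
        + b"\x72"                        # SMB_COM_NEGOTIATE
        + struct.pack("<I", 0)           # NT status
        + b"\x18"                        # flags: canonical, case-insensitive paths
        + struct.pack("<H", 0xC853)      # flags2: unicode, NT status, ext. security
        + struct.pack("<H", 0)           # PIDHigh
        + bytes(8)                       # security features / signature
        + struct.pack("<H", 0)           # reserved
        + struct.pack("<HHHH", 0, 0xFEFF, 0, 1)  # TID, PIDLow, UID, MID
    )
    assert len(header) == 32
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)      # BufferFormat + name
    body = header + b"\x00" + struct.pack("<H", len(data)) + data  # WordCount=0, ByteCount
    return b"\x00" + len(body).to_bytes(3, "big") + body           # NetBIOS session header


def classify_negotiate_response(resp, dialects=SMB1_DIALECTS):
    """Map the server's reply to (verdict, negotiated dialect or None)."""
    if len(resp) < 4 + 32:
        return ("no-response", None)
    smb = resp[4:]                          # strip the NetBIOS session header
    if smb[:4] == b"\xfeSMB":
        return ("smb2", None)               # server answered with an SMB2 header
    if smb[:4] != b"\xffSMB" or smb[4] != 0x72:
        return ("unexpected", None)
    status = struct.unpack("<I", smb[5:9])[0]
    word_count = smb[32]
    if status != 0 or word_count == 0 or len(smb) < 35:
        return ("smb1-rejected", None)
    dialect_index = struct.unpack("<H", smb[33:35])[0]  # first parameter word
    if dialect_index == 0xFFFF or dialect_index >= len(dialects):
        return ("smb1-rejected", None)
    return ("smb1-accepted", dialects[dialect_index].decode())


def constructed_smb1_response(dialect_index):
    """Constructed (not captured) NT LM 0.12-style negotiate reply, for offline tests."""
    header = b"\xffSMB" + b"\x72" + bytes(4) + b"\x98" + b"\x53\xc8" + bytes(20)
    params = b"\x11" + struct.pack("<H", dialect_index) + bytes(32)   # WordCount 17
    body = header + params + struct.pack("<H", 0)                     # ByteCount 0
    return b"\x00" + len(body).to_bytes(3, "big") + body


def probe(host, port=445, timeout=3.0):
    """Connect, send the negotiate request and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_smb1_negotiate())
            return classify_negotiate_response(s.recv(4096))
    except ConnectionRefusedError:
        return ("closed", None)
    except OSError:                         # timeout or reset: SMBv1-disabled hosts land here
        return ("no-response", None)


if __name__ == "__main__":
    for target in sys.argv[1:]:
        verdict, dialect = probe(target)
        print(f"{target}: {verdict}" + (f" ({dialect})" if dialect else ""))
```

A host reporting `smb1-accepted` on an address reachable from the internet is exactly what the port 445 scans are hunting for. The probe tells you the protocol version is available, not whether MS17-010 is installed; treat `smb1-accepted` as a reason to patch and disable SMBv1, and `no-response` or `smb2` as the state you want to see.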


Daniel Smith

Daniel is the Head of Research for Radware’s Threat Intelligence division. He helps produce actionable intelligence to protect against botnet-related threats by working behind the scenes to identify network and application-based vulnerabilities. Daniel brings over ten years of experience to the Radware Threat Intelligence division. Before joining, Daniel was a member of Radware’s Emergency Response Team (ERT-SOC), where he applied his unique expertise and intimate knowledge of threat actors’ tactics, techniques, and procedures to help develop signatures and mitigate attacks proactively for customers.
