Last month, on Friday, May 12th, a global incident involving a ransomware variant named WannaCry broke out, targeting computers around the world. Everything from personal computers to corporate and university networks was affected by this campaign. The campaign spread across networks by leveraging a recently disclosed vulnerability in Microsoft's SMB service. On March 14th 2017, Microsoft released the MS17-010 security update, which addressed and patched six CVEs: five remote code execution flaws and one information disclosure flaw.
A month later, the Shadow Brokers, a hacking group that targets the NSA, leaked hacking tools attributed to the Equation Group. These tools included FuzzBunch, an exploitation framework similar to Metasploit. Inside FuzzBunch was an exploit called EternalBlue and a payload called DoublePulsar. EternalBlue targets Microsoft's SMB protocol; it allowed the attackers to send a specially crafted message and gain unauthorized access to machines around the world. Once access is gained, the DoublePulsar payload is delivered and triggered to download WannaCry. Once a machine is infected with WannaCry, the worm scans for nearby machines it can target in the same way and begins to move laterally within the network, transferring the malicious payload to more and more endpoints.
On May 10th, CVE-2017-0144, "Microsoft Windows Server 2008 R2 (x64) – 'SrvOs2FeaToNt' SMB Remote Code Execution", was added to ExploitDB; it leveraged the vulnerabilities patched in MS17-010. Two days later the WannaCry campaign broke out and infected computers all around the world. Upon infection, WannaCry executes a file that sends an HTTP GET request to a hardcoded domain. This is a killswitch: if the request for the domain succeeds, WannaCry exits and does not deploy; if the request fails, it continues to infect devices on the network. When the campaign began on Friday, a security researcher, @MalwareTechBlog, noticed the killswitch domain was unregistered. He promptly registered the domain and directed the requests to a sinkhole, effectively preventing this variant from spreading further.
On May 13th another researcher, @msuiche, discovered a second variant with a different killswitch domain. @msuiche also registered that domain and directed the requests to his own sinkhole, preventing the spread of the second variant. Around May 17th the sinkhole operators reported DDoS attacks targeting the sinkholes, a likely attempt to take the domains offline so the WannaCry variants could infect their victims. A third variant even surfaced that did not rely on a killswitch at all. A few days later, decryption tools started coming out for Windows. As individuals and corporations patched their systems around the world, infections decreased, but we are still seeing scans against port 445 as the number one attack against our honeypots. At the time of writing, the original Bitcoin wallets had received 326 payments totaling 51.618 BTC (about $144,095), and the campaign had affected over 100 countries.
While investigating WannaCry, Kafeine reported that an exposed Proofpoint honeypot vulnerable to EternalBlue was attacked within 20 minutes of exposure. Expecting to see WannaCry, they were instead infected with a cryptocurrency miner, Adylkuzz. An Adylkuzz infection ultimately caused service degradation on infected devices. Proofpoint revealed that this campaign, which leveraged the same exploits used by WannaCry, predated the ransomware campaign. Proofpoint's research also showed that Adylkuzz, upon infection, shut down the SMB protocol to prevent further infection by other malware using the same exploit. So, in parallel with mitigating WannaCry, users who patched against the SMB vulnerability were also protecting their devices from Adylkuzz.
Samba, open source software that provides Windows file sharing access to non-Windows machines using the SMB/CIFS protocol, recently disclosed a remote code execution vulnerability similar to the one exploited by WannaCry, one that can be triggered by users who have authorized access via the SMB protocol. There is even a working Metasploit module leveraging CVE-2017-7494. Linux.MulDrop.14, as reported by Dr.Web, is a Linux Trojan that is currently delivering a crypto-mining program and targeting Raspberry Pis that still have default credentials. This malware exploits the recent Samba disclosure, CVE-2017-7494. It is also reported that this strain downloads zmap and sshpass so it can search the network for devices with port 22 open to infect.
In all of these cases, attackers are aggressively scanning the internet looking for vulnerable devices with port 445 exposed. The reason so many machines were infected during the campaign was that users neglected to install security updates in a timely fashion. In the case of WannaCry, Microsoft's security update was released a month before the Shadow Brokers leaked the FuzzBunch framework that included the exploits and payload used in the campaign. The best prevention for attacks in general is maintenance and patching. Users need to get into the habit of patching their devices on a regular basis, segmenting networks where possible, and changing default credentials.
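The port 445 sweeps described above are easy to pick out of perimeter or honeypot connection logs once you look for one source touching many distinct hosts on TCP/445 in a short window. The following is an added example, not code from the original post or from any product mentioned in it: a small Python detector that parses constructed sample log lines (in an assumed, simplified `timestamp src -> dst:port proto action` format, not any vendor's real format) and flags sources that hit a configurable number of distinct hosts on port 445 within a sliding time window. The thresholds, the log format and the sample addresses are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines in an assumed simplified firewall/honeypot
# format. Addresses are documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
2017-05-12T14:00:01Z 198.51.100.7 -> 10.0.0.5:445 TCP SYN
2017-05-12T14:00:01Z 198.51.100.7 -> 10.0.0.6:445 TCP SYN
2017-05-12T14:00:02Z 198.51.100.7 -> 10.0.0.7:445 TCP SYN
2017-05-12T14:00:02Z 198.51.100.7 -> 10.0.0.8:445 TCP SYN
2017-05-12T14:00:03Z 198.51.100.7 -> 10.0.0.9:445 TCP SYN
2017-05-12T14:00:03Z 198.51.100.7 -> 10.0.0.10:445 TCP SYN
2017-05-12T14:00:04Z 203.0.113.9 -> 10.0.0.5:445 TCP SYN
2017-05-12T14:00:05Z 203.0.113.9 -> 10.0.0.5:80 TCP SYN
2017-05-12T14:01:00Z 192.0.2.33 -> 10.0.0.5:445 TCP SYN
2017-05-12T14:10:00Z 192.0.2.33 -> 10.0.0.6:445 TCP SYN
2017-05-12T14:20:00Z 192.0.2.33 -> 10.0.0.7:445 TCP SYN
2017-05-12T14:20:01Z 192.0.2.33 -> 10.0.0.8:22 TCP SYN
this line is malformed and is skipped by the parser
"""

# One line of the assumed format: "<ISO8601 UTC> <src> -> <dst>:<port> <proto> <action>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+):(?P<port>\d+)"
    r"\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "port": int(m["port"]), "proto": m["proto"], "action": m["action"]}


def detect_smb_sweeps(lines, min_hosts=5, window_seconds=300, port=445):
    """Flag sources that reach >= min_hosts distinct destinations on `port`
    within any window of `window_seconds`. Returns {src: summary_dict}."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["port"] != port:
            continue  # skip malformed lines and traffic to other ports
        events[rec["src"]].append((rec["ts"], rec["dst"]))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        best = 0
        # Sliding window anchored at each event: count distinct targets that
        # fall within window_seconds after it. Quadratic, fine for log samples.
        for i, (start, _) in enumerate(evs):
            seen = set()
            for ts, dst in evs[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                seen.add(dst)
            best = max(best, len(seen))
        if best >= min_hosts:
            alerts[src] = {
                "distinct_hosts": best,
                "first_seen": evs[0][0].isoformat(),
                "last_seen": evs[-1][0].isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_smb_sweeps(SAMPLE_LOG.splitlines()).items():
        print(f"SMB sweep from {src}: {info['distinct_hosts']} hosts "
              f"between {info['first_seen']} and {info['last_seen']}")
```

With the defaults (5 hosts in 5 minutes) only 198.51.100.7 is flagged: 203.0.113.9 touches a single host, and 192.0.2.33 spreads three port 445 connections over twenty minutes, which only shows up if the window is widened and the host threshold lowered. Tune both against your own baseline, since a slow scanner will sit under a tight window and a backup server that legitimately talks SMB to many hosts will trip a loose one.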