
Technical advice on WannaCry global ransomware attack

CYBER SECURITY software specialists at McAfee have released a technical analysis of the so-called WANNACRY ransomware hack, in an effort to help businesses head off an attack.

McAfee researchers Raj Samani and Christiaan Beek released a blog post with co-author Chris McFarland on May 12 in an effort to get the message out to chief technology officers and ICT staff across Australia.

“Over the course of Friday (May 12) we received multiple reports of organisations across multiple verticals being victim to a ransomware attack,” the McAfee team reported. “Once infected, the encrypted files contain the file extension ‘.WNCRYT’.

“Victim computers then proceed to display the below message (pictured) with a demand for $300 to decrypt the files.”

McAfee then provided the following technical information:

OBSERVATIONS

Exploit MS17-010:

The malware uses the MS17-010 exploit to distribute itself. MS17-010 is an SMB vulnerability that allows remote code execution; details: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Exploit code is publicly available on multiple sites, including this example: https://github.com/RiskSense-Ops/MS17-010/blob/master/exploits/eternalblue/ms17_010_eternalblue.rb

This exploit is also known as the Equation Group’s ETERNALBLUE exploit, part of the FuzzBunch toolkit released by the Shadow Brokers a couple of weeks ago.

With MS17-010 a single exploit gives the attacker remote access with SYSTEM privileges: remote code execution and local privilege escalation are achieved together through one bug in the SMB protocol.

Analysis of the exploit code in Metasploit, a widely used penetration-testing framework, shows that the exploit uses ‘KI_USER_SHARED_DATA’, which has a fixed memory address (0xffdff000 on 32-bit Windows), as the location to copy the payload to and later transfer control to.

Because the attacker gains SYSTEM-level control of the victim PC remotely and without any user action, control of a single unpatched system inside a local network is enough to spread the malware across it: that one system attacks every other Windows system on the network that is vulnerable and has not been patched against MS17-010.

Behaviour:

The Volume Shadow Copies and backups are removed with the following command line:

Cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

The ransomware file is 3.4 MB (3514368 bytes).

The authors named the ransomware “WANNACRY”; the string is hard-coded in the samples.

The ransomware writes itself into a folder with a random name under ProgramData, using the file name ‘tasksche.exe’, or into the C:\Windows\ folder using the file names ‘mssecsvc.exe’ and ‘tasksche.exe’.

Examples:

C:\ProgramData\lygekvkj256\tasksche.exe

C:\ProgramData\pepauehfflzjjtl340\tasksche.exe

C:/ProgramData/utehtftufqpkr106/tasksche.exe

c:\programdata\yeznwdibwunjq522\tasksche.exe

C:/ProgramData/uvlozcijuhd698/tasksche.exe

C:/ProgramData/pjnkzipwuf715/tasksche.exe

C:/ProgramData/qjrtialad472/tasksche.exe

c:\programdata\cpmliyxlejnh908\tasksche.exe

The ransomware grants Everyone full access to all files with the command:

Icacls . /grant Everyone:F /T /C /Q

It uses a batch script for these operations:

176641494574290.bat

Content of the batch file (fefe6b30d0819f1a1775e14730a10e0e). It writes a VBScript that creates a shortcut to the decryptor executable, runs it, then deletes both the script and itself. The ‘@’ characters around WanaDecryptor, which the site’s e-mail obfuscation stripped, are restored from the file name ‘@WanaDecryptor@.exe’ in the indicator list below:

echo off
echo SET ow = WScript.CreateObject("WScript.Shell")> m.vbs
echo SET om = ow.CreateShortcut("C:\@WanaDecryptor@.exe.lnk")>> m.vbs
echo om.TargetPath = "C:\@WanaDecryptor@.exe">> m.vbs
echo om.Save>> m.vbs
cscript.exe //nologo m.vbs
del m.vbs
del /a %0

Content of ‘m.vbs’, the script the batch file writes and runs:

SET ow = WScript.CreateObject("WScript.Shell")
SET om = ow.CreateShortcut("C:\@WanaDecryptor@.exe.lnk")
om.TargetPath = "C:\@WanaDecryptor@.exe"
om.Save
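The behaviours listed above (the random-folder dropper path, the backup-removal command chain, the icacls grant and the 15-digit batch file name) can be turned into host-side detection logic over process-creation telemetry. The following is an added example written for this page, not McAfee's code; the sample events, the indicator names and the severity thresholds are constructed for illustration.

```python
import re

# Added example (not McAfee's code): host-side triage of process-creation events for the
# behaviours described above. The events below are constructed samples, not real telemetry.

# Dropper locations from the advisory: a random-character folder under ProgramData holding
# tasksche.exe, or mssecsvc.exe / tasksche.exe placed directly in the Windows folder.
TASKSCHE_RE = re.compile(r"^[A-Za-z]:[\\/]ProgramData[\\/][A-Za-z]+\d+[\\/]tasksche\.exe$", re.I)
WINDOWS_DROP_RE = re.compile(r"^[A-Za-z]:[\\/]Windows[\\/](mssecsvc|tasksche)\.exe$", re.I)

# The 15-digit batch file name given as [0-9]{15}.bat in the indicator list.
BAT_RE = re.compile(r"(?<!\d)\d{15}\.bat\b", re.I)

# The pieces of the backup-removal command chain, each matched on its own so that a
# variant that drops or reorders parts of the chain is still caught.
BACKUP_KILL_RE = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_ignore_boot_failures",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("bcdedit_recovery_disabled",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]
BACKUP_KILL_NAMES = {name for name, _ in BACKUP_KILL_RE}

# icacls granting Everyone full control recursively, as the ransomware does before encrypting.
ICACLS_EVERYONE_RE = re.compile(r"icacls(\.exe)?\s+\S+\s+/grant\s+Everyone:F\b", re.I)


def triage_event(image, cmdline):
    """Return the list of indicator names that a single process event trips."""
    findings = []
    if TASKSCHE_RE.match(image) or WINDOWS_DROP_RE.match(image):
        findings.append("dropper_path")
    for name, rx in BACKUP_KILL_RE:
        if rx.search(cmdline):
            findings.append(name)
    if ICACLS_EVERYONE_RE.search(cmdline):
        findings.append("icacls_everyone_full")
    if BAT_RE.search(cmdline):
        findings.append("timestamp_named_bat")
    return findings


def severity(findings):
    """Constructed threshold: two or more backup-destruction commands, or the icacls grant, is high."""
    if len(BACKUP_KILL_NAMES.intersection(findings)) >= 2 or "icacls_everyone_full" in findings:
        return "high"
    return "medium" if findings else "none"


SAMPLE_EVENTS = [  # constructed (image path, command line) pairs
    (r"C:\ProgramData\lygekvkj256\tasksche.exe",
     r"Cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
     r"bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
     r"bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"),
    (r"C:\ProgramData\lygekvkj256\tasksche.exe", r"Icacls . /grant Everyone:F /T /C /Q"),
    (r"C:\Windows\System32\cmd.exe", r"cmd /c 176641494574290.bat"),
    (r"C:\Program Files\Backup\agent.exe", r"vssadmin list shadows"),   # benign: lists, does not delete
]


def triage_all(events):
    """Run triage over a list of events; returns (image, findings, severity) per event."""
    out = []
    for image, cmd in events:
        findings = triage_event(image, cmd)
        out.append((image, findings, severity(findings)))
    return out


if __name__ == "__main__":
    for image, findings, sev in triage_all(SAMPLE_EVENTS):
        print(sev.upper(), image, findings)
```

Matching each part of the command chain separately, rather than the whole line, is the point of the design: the chain is cheap for an author to reorder or trim, and a benign `vssadmin list shadows` must not trip the rule. The severity function is a constructed threshold, not a McAfee recommendation.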

 

Indicators of compromise

Hashes:

dff26a9a44baa3ce109b8df41ae0a301d9e4a28ad7bd7721bbb7ccd137bfd696

201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9

09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa

b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

aae9536875784fe6e55357900519f97fee0a56d6780860779a36f06765243d56

21ed253b796f63b9e95b4e426a82303dfac5bf8062bfe669995bde2208b360fd

2372862afaa8e8720bc46f93cb27a9b12646a7cbc952cc732b8f5df7aebb2450

24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c

f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85

4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

4b76e54de0243274f97430b26624c44694fbde3289ed81a160e0754ab9f56f32

9cc32c94ce7dc6e48f86704625b6cdc0fda0d2cd7ad769e4d0bb1776903e5a13

78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

5d26835be2cf4f08f2beeff301c06d05035d0a9ec3afacc71dff22813595c0b9

76a3666ce9119295104bb69ee7af3f2845d23f40ba48ace7987f79b06312bbdf

fc626fe1e0f4d77b34851a8c60cdd11172472da3b9325bfe288ac8342f6c710a

eeb9cd6a1c4b3949b2ff3134a77d6736b35977f951b9c7c911483b5caeb1c1fb

043e0d0d8b8cda56851f5b853f244f677bd1fd50f869075ef7ba1110771f70c2

57c12d8573d2f3883a8a0ba14e3eec02ac1c61dee6b675b6c0d16e221c3777f4

ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8

f7c7b5e4b051ea5bd0017803f40af13bed224c4b0fd60b890b6784df5bd63494

3e6de9e2baacf930949647c399818e7a2caea2626df6a468407854aaa515eed9

9b60c622546dc45cca64df935b71c26dcf4886d6fa811944dbc4e23db9335640

5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec


12d67c587e114d8dde56324741a8f04fb50cc3160653769b8015bc5aec64d20b

85ce324b8f78021ecfc9b811c748f19b82e61bb093ff64f2eab457f9ef19b186

3f3a9dde96ec4107f67b0559b4e95f5f1bca1ec6cb204bfe5fea0230845e8301

IP addresses:

  • 197.231.221.221:9001
  • 128.31.0.39:9191
  • 149.202.160.69:9001
  • 46.101.166.19:9090
  • 91.121.65.179:9001
  • 2.3.69.209:9001
  • 146.0.32.144:9001
  • 50.7.161.218:9001
  • 217.79.179.177:9001
  • 213.61.66.116:9003
  • 212.47.232.237:9001
  • 81.30.158.223:9001
  • 79.172.193.32:443
  • 38.229.72.16:443

Domains:

  • iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com (sinkholed)
  • Rphjmrpwmfv6v2e[dot]onion
  • Gx7ekbenv2riucmf[dot]onion
  • 57g7spgrzlojinas[dot]onion
  • xxlvbrloxvriy2c5[dot]onion
  • 76jdd2ir2embyv47[dot]onion
  • cwwnhwhlz52maqm7[dot]onion

File Names:

  • @Please_Read_Me@.txt
  • @WanaDecryptor@.exe
  • @[file name lost to the site’s e-mail obfuscation]
  • Please Read Me!.txt (Older variant)
  • C:\WINDOWS\tasksche.exe
  • C:\WINDOWS\qeriuwjhrf
  • 131181494299235.bat
  • 176641494574290.bat
  • 217201494590800.bat
  • [0-9]{15}.bat #regex
  • !WannaDecryptor!.exe.lnk
  • 00000000.pky
  • 00000000.eky
  • 00000000.res
  • C:\WINDOWS\system32\taskdl.exe

Bitcoin wallets:

  • 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
  • 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
  • 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Here is a Snort rule submitted to SANS by Marco Novak:

alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2;)

And other Snort rules from Emerging Threats:

(http://docs.emergingthreats.net/bin/view/Main/2024218)

alert smb any any -> $HOME_NET any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Request (set)"; flow:to_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:set,ETPRO.ETERNALBLUE; flowbits:noalert; classtype:trojan-activity; sid:2024220; rev:1;)

alert smb $HOME_NET any -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:1;)
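The two Emerging Threats rules work as a pair: the Echo Request rule (sid 2024220) matches the client-to-server SMB echo, sets the flowbit ETPRO.ETERNALBLUE on that flow and suppresses its own alert with flowbits:noalert; the Echo Response rule (sid 2024218) only alerts on the server's echo reply if that flowbit is already set on the same flow, so a stray reply never alerts on its own. The following is an added example written for this page, not Snort and not the Emerging Threats code: a minimal emulation of just the options those rules use (content with depth and distance, the flow direction, and flowbits set/isset/noalert), run over constructed packets. The 8-byte filler and the IP addresses are constructed, and the "established" check is assumed to have passed.

```python
# Added example (not Snort, not the Emerging Threats code): a minimal stateful emulation
# of the two rules above, run over constructed packets, to show the flowbits hand-off.
# Only the options those rules use are modelled; "established" is assumed to have passed.

# content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 18 07 c0|" (request) and the same bytes with
# the flags byte 0x98 (0x18 plus the SMB reply bit 0x80) for the response:
# NetBIOS session header, "\xffSMB", command 0x2b (SMB_COM_ECHO), status, flags, flags2.
ECHO_REQUEST_HDR = bytes.fromhex("00000031ff") + b"SMB" + bytes.fromhex("2b000000001807c0")
ECHO_RESPONSE_HDR = bytes.fromhex("00000031ff") + b"SMB" + bytes.fromhex("2b000000009807c0")
# content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|": the fixed echo data both rules key on
ECHO_MARKER = bytes.fromhex("4a6c4a6d4968436c42737200")
FLOWBIT = "ETPRO.ETERNALBLUE"

RULES = {
    2024220: {"flow": "to_server", "hdr": ECHO_REQUEST_HDR, "flowbits": "set", "noalert": True},
    2024218: {"flow": "from_server", "hdr": ECHO_RESPONSE_HDR, "flowbits": "isset", "noalert": False},
}


def contents_match(payload, hdr):
    """Evaluate the two content options of a rule against one packet payload."""
    # depth:16 -> the 16-byte header must end within the first 16 bytes, i.e. sit at offset 0
    pos = payload.find(hdr, 0, 16)
    if pos < 0:
        return False
    # distance:0 -> the second content is searched for from the end of the first match
    return payload.find(ECHO_MARKER, pos + len(hdr)) >= 0


class FlowbitEngine:
    """Tracks flowbits per (client, server) flow and evaluates the two rules on each packet."""

    def __init__(self):
        self.bits = {}

    @staticmethod
    def flow_key(pkt):
        # the same flow is seen from both directions, so normalise to (client, server)
        return (pkt["src"], pkt["dst"]) if pkt["flow"] == "to_server" else (pkt["dst"], pkt["src"])

    def inspect(self, pkt):
        """Return the sids that alert on this packet."""
        bits = self.bits.setdefault(self.flow_key(pkt), set())
        alerts = []
        for sid, rule in RULES.items():
            if pkt["flow"] != rule["flow"] or not contents_match(pkt["payload"], rule["hdr"]):
                continue
            if rule["flowbits"] == "isset" and FLOWBIT not in bits:
                continue            # response seen without the matching request: no alert
            if rule["flowbits"] == "set":
                bits.add(FLOWBIT)   # remember the request for this flow
            if not rule["noalert"]:
                alerts.append(sid)
        return alerts


def inspect_stream(packets):
    """Run the engine over a packet list; returns the alerting sids per packet."""
    engine = FlowbitEngine()
    return [engine.inspect(p) for p in packets]


def pkt(src, dst, flow, payload):
    return {"src": src, "dst": dst, "flow": flow, "payload": payload}


FILLER = b"\x00" * 8   # stands in for the rest of the SMB header in these constructed packets
SAMPLE_PACKETS = [  # constructed, not a real capture
    pkt("10.0.0.5", "10.0.0.9", "to_server", ECHO_REQUEST_HDR + FILLER + ECHO_MARKER),
    pkt("10.0.0.9", "10.0.0.5", "from_server", ECHO_RESPONSE_HDR + FILLER + ECHO_MARKER),
    # a matching response on a flow that never carried the request: isset fails
    pkt("10.0.0.9", "10.0.0.7", "from_server", ECHO_RESPONSE_HDR + FILLER + ECHO_MARKER),
    # an ordinary echo response carrying other echo data: the second content fails
    pkt("10.0.0.9", "10.0.0.5", "from_server", ECHO_RESPONSE_HDR + FILLER + b"plain echo\x00"),
]

if __name__ == "__main__":
    print(inspect_stream(SAMPLE_PACKETS))   # [[], [2024218], [], []]
```

The third and fourth packets are the cases a tuning analyst cares about: the flowbit keeps a lone echo reply from alerting, and the second content keeps a normal SMB echo with different data from matching at all.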

 

Yara:

rule wannacry_1 : ransom
{
    meta:
        author = "Joshua Cannell"
        description = "WannaCry Ransomware strings"
        weight = 100
        date = "2017-05-12"

    strings:
        $s1 = "Ooops, your files have been encrypted!" wide ascii nocase
        $s2 = "Wanna Decryptor" wide ascii nocase
        $s3 = ".wcry" wide ascii nocase
        $s4 = "WANNACRY" wide ascii nocase
        $s5 = "WANACRY!" wide ascii nocase
        $s7 = "icacls . /grant Everyone:F /T /C /Q" wide ascii nocase

    condition:
        any of them
}

rule wannacry_2
{
    meta:
        author = "Harold Ogden"
        description = "WannaCry Ransomware Strings"
        date = "2017-05-12"
        weight = 100

    strings:
        $string1 = "msg/m_bulgarian.wnry"
        $string2 = "msg/m_chinese (simplified).wnry"
        $string3 = "msg/m_chinese (traditional).wnry"
        $string4 = "msg/m_croatian.wnry"
        $string5 = "msg/m_czech.wnry"
        $string6 = "msg/m_danish.wnry"
        $string7 = "msg/m_dutch.wnry"
        $string8 = "msg/m_english.wnry"
        $string9 = "msg/m_filipino.wnry"
        $string10 = "msg/m_finnish.wnry"
        $string11 = "msg/m_french.wnry"
        $string12 = "msg/m_german.wnry"
        $string13 = "msg/m_greek.wnry"
        $string14 = "msg/m_indonesian.wnry"
        $string15 = "msg/m_italian.wnry"
        $string16 = "msg/m_japanese.wnry"
        $string17 = "msg/m_korean.wnry"
        $string18 = "msg/m_latvian.wnry"
        $string19 = "msg/m_norwegian.wnry"
        $string20 = "msg/m_polish.wnry"
        $string21 = "msg/m_portuguese.wnry"
        $string22 = "msg/m_romanian.wnry"
        $string23 = "msg/m_russian.wnry"
        $string24 = "msg/m_slovak.wnry"
        $string25 = "msg/m_spanish.wnry"
        $string26 = "msg/m_swedish.wnry"
        $string27 = "msg/m_turkish.wnry"
        $string28 = "msg/m_vietnamese.wnry"

    condition:
        any of ($string*)
}
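The two rules differ in what their strings actually match on disk. Every string in wannacry_1 carries "wide ascii nocase", so it matches both the plain ASCII bytes and the UTF-16LE form Windows uses for resource and GUI text, in any letter case; the strings in wannacry_2 carry no modifiers, so they match ASCII only and are case-sensitive. The following is an added example written for this page, not libyara and not the rule authors' code: a regex emulation of those modifiers, run over constructed buffers, that shows which string identifiers each rule would report.

```python
import re

# Added example (not libyara, not the rule authors' code): a regex emulation of the string
# modifiers used in the two rules above, run over constructed buffers.


def yara_string(text, wide=False, ascii_=True, nocase=False):
    """Compile a regex equivalent to a YARA text string with the given modifiers.
    ascii  -> the text's bytes as written (the default when no modifier is given)
    wide   -> every character followed by a NUL byte, i.e. UTF-16LE for ASCII text
    nocase -> ASCII case-insensitive matching (YARA does not fold non-ASCII case)"""
    alternatives = []
    if ascii_:
        alternatives.append(re.escape(text.encode("ascii")))
    if wide:
        alternatives.append(re.escape(text.encode("utf-16-le")))
    return re.compile(b"|".join(alternatives), re.IGNORECASE if nocase else 0)


# rule wannacry_1: every string is "wide ascii nocase" (the page's rule has no $s6)
WANNACRY_1 = {
    "$s1": "Ooops, your files have been encrypted!",
    "$s2": "Wanna Decryptor",
    "$s3": ".wcry",
    "$s4": "WANNACRY",
    "$s5": "WANACRY!",
    "$s7": "icacls . /grant Everyone:F /T /C /Q",
}
# rule wannacry_2: no modifiers, so ASCII only and case-sensitive
LANGUAGES = ("bulgarian", "chinese (simplified)", "chinese (traditional)", "croatian", "czech",
             "danish", "dutch", "english", "filipino", "finnish", "french", "german", "greek",
             "indonesian", "italian", "japanese", "korean", "latvian", "norwegian", "polish",
             "portuguese", "romanian", "russian", "slovak", "spanish", "swedish", "turkish",
             "vietnamese")
WANNACRY_2 = {f"$string{i}": f"msg/m_{lang}.wnry" for i, lang in enumerate(LANGUAGES, 1)}


def scan(buf):
    """Return {rule name: [ids of the strings that matched]}.
    Both rules use "any of", so a rule fires when its list is non-empty."""
    return {
        "wannacry_1": [sid for sid, text in WANNACRY_1.items()
                       if yara_string(text, wide=True, ascii_=True, nocase=True).search(buf)],
        "wannacry_2": [sid for sid, text in WANNACRY_2.items()
                       if yara_string(text).search(buf)],
    }


def fired(buf):
    """Names of the rules whose condition is satisfied for this buffer."""
    return sorted(name for name, hits in scan(buf).items() if hits)


# Constructed buffers, not real samples
GUI_RESOURCE = b"\x00\x00" + "wanna decryptor".encode("utf-16-le") + b"\x00\x00"  # UTF-16 text
DROPPER_ARCHIVE = b"PK..msg/m_english.wnry\x00msg/m_German.wnry\x00"            # note the capital G
CLEAN = b"The quick brown fox jumps over the lazy dog"

if __name__ == "__main__":
    for name, buf in (("GUI_RESOURCE", GUI_RESOURCE), ("DROPPER_ARCHIVE", DROPPER_ARCHIVE),
                      ("CLEAN", CLEAN)):
        print(name, fired(buf), scan(buf))
```

The constructed GUI buffer only fires wannacry_1 because of "wide" and "nocase": the text is lower-case and UTF-16LE, which an unmodified ASCII string would miss entirely. In the archive buffer only $string8 matches; "msg/m_German.wnry" is not matched by $string12 because wannacry_2's strings are case-sensitive.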

 

 

https://securingtomorrow.mcafee.com

ends

Govt spends $12m on ‘positioning’ technology

POSITIONING technologies are already part and parcel of daily life and business across Australia – from using Google Maps on smartphones to emergency management and farming – but there is a lot more to come.

With increasing use and new technologies to come, the Australian Government has announced an investment of $12 million in a two-year program looking into the future of positioning technology in Australia.

Federal Minister for Infrastructure and Transport Darren Chester said the funding would be used to test “instant, accurate and reliable positioning technology that could provide future safety, productivity, efficiency and environmental benefits across many industries in Australia” including transport, agriculture, construction, and resources. 

Research used by the government indicated the wide-spread adoption of improved positioning technology had the potential to generate upwards of $73 billion of value to Australia by 2030.

Mr Chester said the program could test the potential of Satellite Based Augmentation System (SBAS) technology in the four transport sectors—aviation, maritime, rail and road.

“SBAS utilises space-based and ground-based infrastructure to improve and augment the accuracy, integrity and availability of basic Global Navigation Satellite System (GNSS) signals, such as those currently provided by the USA Global Positioning System (GPS),” Mr Chester said.

The future use of SBAS technology was strongly supported by the aviation industry to assist in high accuracy GPS-dependent aircraft navigation.

“Positioning data can also be used in a range of other transport applications including maritime navigation, automated train management systems and in the future, driverless and connected cars,” Mr Chester said.

Minister for Resources and Northern Australia, Matt Canavan said access to more accurate data about the Australian landscape would also help unlock the potential of the North.

“This technology has potential uses in a range of sectors, including agriculture and mining, which have always played an important role in our economy, and will also be at the heart of future growth in Northern Australia,” Senator Canavan said.

“Access to this type of technology can help industry and government make informed decisions about future investments.”

The two-year project will test SBAS technology that has the potential to improve positioning accuracy in Australia to less than five centimetres. Currently, positioning in Australia is usually accurate to 5-10m.

Mr Chester said the SBAS test-bed is Australia's first step towards joining countries such as the US, Russia, India, Japan and many across Europe in investing in SBAS technology and capitalising on the link between precise positioning, productivity and innovation.

The Minister said Geoscience Australia, with the Collaborative Research Centre for Spatial Information (CRCSI), would soon call for organisations from a number of industries including agriculture, aviation, construction, mining, maritime, rail, road, spatial, and utilities to participate in the test-bed.

www.ga.gov.au

ends

New data breach notification rules warning for business leaders

BUSINESS owners and leaders will have to count extra cyber security and data breach contingency plans as part and parcel of everyday business from now on, with the recent passing of the Federal Government’s Privacy Amendment (Notifiable Data Breaches) Bill 2016.

The Bill further enshrines Australian Privacy Principle 11, which requires all Australian entities to take reasonable steps to secure personal information they hold.

According to the ACS, the professional association for Australia’s ICT sector, the legislation will produce a heightened focus within the public and private sectors on all aspects of cybersecurity. 

The ACS said for ICT professionals, the Bill gives overdue recognition to the importance of data in the digital economy and the potential for serious harm where, through accident, malfeasance or cyber attack, a data breach occurs.

“As we transition to a digital economy, now more than ever the focus must be on ensuring Australia captures the opportunities of the information age, while protecting the rights of the individual,” ACS president Anthony Wong said. “This legislation will be a critical step forward in the elevation of data protection and cybersecurity issues on the C-suite agenda.

“In an era of Big Data, the protection and privacy of personal information must be a primary consideration in the planning and construction of large scale ICT systems, not an afterthought.

“Given the growing problem of cyber crime, the ACS strongly supports initiatives which demand both the public and private sectors act to prevent cyber threats and address their consequences.

“Over and above the specific legal mechanisms of the new Act, the ACS believes it will give issues concerning data protection and cybersecurity a new level of transparency, lifting overall awareness of cyber safety, how to mitigate risk and ultimately providing better protection for individual citizens. While nothing is ever 100 per cent secure, the Act promises to give Australians who provide personal information to government and business greater confidence,” Mr Wong said.

“To deliver on the promise of this new legislation it is critical to recognise that cybersecurity is a collective responsibility, relevant at all levels of an organisation.

“The ACS looks forward to working with government and industry on best practice approaches to ICT security systems and protocols and the education and training of ICT professionals to meet both the spirit and the letter of the new legislative requirements.”

Mr Wong said the ACS had for many years been a vocal advocate of regulation mandating data breach notification and strongly endorsed the guiding purpose of the Bill, “to allow individuals to take steps to protect themselves from a likely risk of serious harm resulting from a data breach”.

www.acs.org.au

ends

Making 3D maps: 2016 GovHack winners announced

WINNER of the No Boundaries Data Hack category in the 2016 GovHack Red Carpet Awards, Legends of Tomorrow, could open up new possibilities for predicting Australia’s regional futures.

Legends of Tomorrow, developed by the Shape the future team from Victoria, used a range of government population, environment and weather data to project the future of neighbourhoods, including population, cultural backgrounds, environment including vegetation and waterways, and potential future climate conditions.

The 2016 GovHack Red Carpet Awards were held in Adelaide on October 22. The event is backed by Geoscience Australia, and entrants use government data from multiple states and territories to unlock the value of data across borders.

The winner of Geoscience Australia's Exploring Underground bounty prize was a 3D printed geophysical data model, created by Victoria's Petrified Data team. Using a series of 2D geoscience datasets from Geoscience Australia, the team created a series of hand-painted 3D printed models, including a cool-looking 3D map of geothermal temperatures across the Australian continent.

Geoscience Australia judges also gave a mention to the On Earth, We are On Earth team’s Flood Watch entry which aimed to use datasets published by Geoscience Australia and the Bureau of Meteorology to develop a real-time flood warning app.

GovHack is a three day ‘hackathon’ that sees teams from across Australia and New Zealand compete to develop new applications using open government data. The volunteer-run event is sponsored by large technology companies, several government departments and a range of high-visibility start-ups and innovators.

As part of its contribution to the 2016 competition, Geoscience Australia offered key datasets and sponsored the Exploring Underground bounty prize. Together with PSMA Australia, Geoscience co-sponsored the Major GovHack prize for the best No Boundaries Data Hack. Both prizes were presented at the awards ceremony by the Assistant Minister for Industry, Innovation and Science, Craig Laundy.

Geoscience Australia encourages use of its data for real-world outcomes, and helping people to engage in, understand and use scientific information in their everyday lives. As the national geoscience agency, it holds a vast range of geoscientific and geographic data that supports the management of Australia's precious water resources, hazard modelling for safer communities, exploration for mineral and petroleum resources, as well as helping to manage Australia's maritime jurisdictions.

www.govhack.org

ends