Welcome to the #WannaCry Wine Club

Upload: paul-dutot-ieng-miet-mbcs-citp-oscp-cstm

Post on 22-Jan-2018


Page 1: Welcome to the #WannaCry Wine Club

Welcome to the #WannaCry Wine Club

Page 2

Hello! I am Paul Dutot. I am here because Paul Johnson asked me again.

You all know me, you can find me at @cyberkryption on Twitter.

It’s Sean’s turn next week…

Page 3

What shall we talk about?

#ShadowBrokers

The story so far…

Fuzzbunch, DoublePulsar and EternalBlue.

Demo Time

#WannaCry

Malware impact.

How does it propagate?

Defenses – Inoculation demo

#The Future

What’s coming up in the next few months…

Page 4

Section 1: #ShadowBrokers

A little-known internet hacking group until recently…

Page 5

ShadowBrokers – Timeline (August 2016 to May 2017)

◇ 13/8/2016 – Shadow Brokers – initial leak

◇ 16/8/2016 – Shadow Brokers announce auction on Pastebin

◇ 10/2016 – Self-interview on Medium – Message 3: https://medium.com/@shadowbrokerss/theshadowbrokers-message-3-af1b181b4811

◇ 31/10/2016 – Shadow Brokers drop Unix exploits

◇ 14/12/2016 – Shadow Brokers start attempting to sell Windows exploits

◇ Shadow Brokers dump Windows toolsets after failed auction #21/12/2017

◇ 8/4/2017 – Shadow Brokers dump more Unix exploits

◇ 14/4/2017 – Shadow Brokers drop new Windows exploits

◇ 12/5/2017 – #WannaCry starts infecting systems

Page 6

ShadowBrokers – Release Highlights

◇ DoublePulsar – Windows kernel-level implant that lets you load a DLL of your choosing, e.g. a reverse shell. https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/

◇ EternalBlue – MS17-010 SMB v2 exploit; works without authentication against Win 7 SP1.

◇ EternalRomance – SMBv1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008 and 2008 R2.

◇ ExplodingCan – IIS 6.0 exploit which creates a remote backdoor.

◇ Fuzzbunch – NSA exploitation framework similar to Metasploit.

https://github.com/adamcaudill/EquationGroupLeak / https://github.com/misterch0c/shadowbroker

Page 7

Section 2: #WannaCry

A global ransomware infection

Page 8

WannaCry – Impact

◇ German Railway Network

◇ Renault and Nissan car plants

◇ 48 UK NHS hospitals

◇ KPMG, Santander, Telefonica and FedEx

◇ Chinese cash machines

◇ Russia – Interior Ministry, VTB, RZD & Megafon

The internet has taken to producing memes…

Page 9

#WannaCry – Infection Vector

◇ Spreads via Server Message Block (SMB), a.k.a. Windows File Sharing, or open RDP sessions.

◇ Checks for the DoublePulsar implant and, if present, uses it to load itself.

◇ If DoublePulsar is not present, uses MS17-010 from the #ShadowBrokers leak to infect.

◇ Checks whether it can contact the kill-switch domains; if so, the malware becomes inert.

◇ Starts the encryption routine and then beacons out to all machines on the local subnet to infect them.

Page 10

#WannaCry – Technical II

◇ The main malware drops a zip archive with a hard-coded password of ‘Wncry@2o17’ after exploitation.

◇ The archive includes a number of files. Can you spot the zip archive?

◇ The encryption component registers a service ‘mssecsvc2.0’ in C:\Windows\System32 with a display name of ‘Microsoft Security Center (2.0) Service’.

Page 11

#WannaCry – Execution Detailed

https://www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis

Page 12

#WannaCry – Countermeasures

$createdNew = $False
$mutex = New-Object -TypeName System.Threading.Mutex($true, "MsWinZonesCacheCounterMutexA", [ref]$createdNew)

https://gist.github.com/N3mes1s

◇ Patch MS17-010: obvious, but not always possible within CNI environments such as the NHS, air traffic control and the power industry.

◇ Network segmentation: use router ACLs and VLANs to limit access, and host-based firewalls to limit TCP/445 between workstations.
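As an added example (not code from the deck), the host-firewall half of the segmentation bullet in PowerShell: a block rule for inbound TCP/445 scoped to the workstation VLANs, so peers cannot reach a workstation's SMB port while file servers and admin hosts on other subnets are unaffected. The subnet addresses and rule name are constructed placeholders.

```powershell
# Added example (not from the deck): limit TCP/445 between workstations with the
# Windows host firewall. Assumes the NetSecurity module (Windows 8.1 / Server 2012 R2
# or later) and an elevated session. Subnets and rule name are constructed placeholders.
#Requires -RunAsAdministrator
$WorkstationSubnets = @('10.0.20.0/24', '10.0.21.0/24')   # peer workstation VLANs
$RuleName = 'Block inbound SMB from workstation VLANs'

# Windows Firewall evaluates Block rules ahead of Allow rules, so a block scoped to the
# workstation subnets stops workstation-to-workstation SMB without touching the existing
# "File and Printer Sharing" allow rules that file servers and admin hosts rely on.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress $WorkstationSubnets -Action Block `
        -Profile Domain,Private -Enabled True | Out-Null
}

# Show what is now in force for the rule: action, port and the remote scope it applies to.
Get-NetFirewallRule -DisplayName $RuleName | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Enabled = $_.Enabled
        Action  = $_.Action
        Port    = "$($port.Protocol)/$($port.LocalPort)"
        Remote  = ($addr.RemoteAddress -join ', ')
    }
}
```

Hosts that legitimately need inbound SMB (file servers, management servers) simply do not get this rule, or are kept outside the blocked ranges.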

Page 13

#WannaCry – Inoculation via Mutexes

http://i.imgur.com/06EFCdS.gif
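An added example, not code from the deck or the linked gist: a PowerShell check for the two host-side indicators named on the Technical II and Countermeasures slides (the mssecsvc2.0 service and the MsWinZonesCacheCounterMutexA mutex), plus an opt-in inoculation that creates and holds that mutex as the slide above demonstrates. Function names are this example's own; the mutex only exists while the holding process is alive.

```powershell
# Added example (not from the deck). Reports the service and mutex indicators the slides
# name; Start-WannaCryInoculation creates and holds the mutex the malware checks for.
# Function names are this example's own. Run elevated to see all services.
function Test-WannaCryIndicators {
    $svc = Get-CimInstance Win32_Service -ErrorAction SilentlyContinue `
        -Filter "Name = 'mssecsvc2.0' OR DisplayName = 'Microsoft Security Center (2.0) Service'"
    $mutexHeld = $false
    $m = $null
    try {
        # TryOpenExisting creates nothing; $true means some process already holds the
        # name, i.e. an infection or an earlier inoculation.
        $mutexHeld = [System.Threading.Mutex]::TryOpenExisting('MsWinZonesCacheCounterMutexA', [ref]$m)
    } catch [System.UnauthorizedAccessException] {
        $mutexHeld = $true   # the mutex exists but this account may not open it
    } finally {
        if ($m) { $m.Dispose() }
    }
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        ServicePresent = [bool]$svc
        ServiceDisplay = $svc.DisplayName
        ServicePath    = $svc.PathName      # expect something under C:\Windows\System32 if infected
        MutexPresent   = $mutexHeld
    }
}

function Start-WannaCryInoculation {
    # Same trick as the one-liner on the countermeasures slide, but keeps the owning
    # process alive: a named mutex disappears when its owner exits, so this has to stay
    # running (e.g. as a logon scheduled task) for the inoculation to hold.
    $createdNew = $false
    $mutex = New-Object System.Threading.Mutex($true, 'MsWinZonesCacheCounterMutexA', [ref]$createdNew)
    if (-not $createdNew) {
        Write-Warning 'Mutex already exists: infected or already inoculated, nothing to do.'
        $mutex.Dispose()
        return
    }
    Write-Host 'Holding MsWinZonesCacheCounterMutexA; press Ctrl+C to release.'
    try { while ($true) { Start-Sleep -Seconds 60 } }
    finally { $mutex.ReleaseMutex(); $mutex.Dispose() }
}

Test-WannaCryIndicators | Format-List
```

A MutexPresent of $true with no service present is what a successful inoculation looks like; both present together warrants an incident-response look at the host.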

Page 14

To Fuzzbunch, EternalBlue, DoublePulsar and Beyond

Page 15

Section 3: #The Future

More global ransomware infections to come…

Page 16

#The Future

“In June, TheShadowBrokers is announcing "TheShadowBrokers Data Dump of the Month" service.

TheShadowBrokers is launching new monthly subscription model. Is being like wine of month club.

Each month peoples can be paying membership fee, then getting members only data dump each month. What members doing with data after is up to members.”

https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition

Page 17

#The Future – II

“TheShadowBrokers Monthly Data Dump could be being:

◇ web browser, router, handset exploits and tools

◇ select items from newer Ops Disks, including newer exploits for Windows 10

◇ compromised network data from more SWIFT providers and Central banks

◇ compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs”

https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition

Page 18

Thanks! Any questions?

You can find me at:

◇ @cyberkryption

◇ [email protected]

◇ All pictures are internet memes