Welcome to the #WannaCry Wine Club
Hello! I am Paul Dutot. I am here because Paul Johnson asked me again.
You all know me, you can find me at @cyberkryption on Twitter.
It’s Sean’s turn next week….
What shall we talk about?
#ShadowBrokers
The story so far…..
Fuzzbunch, Double Pulsar and EternalBlue.
Demo Time
#WanaCry
Malware Impact.
How does it propagate?
Defenses – Inoculation Demo
#The Future
What's coming up in the next few months…
#ShadowBrokers
A little known internet hacking group until recently…
ShadowBrokers - Timeline
13/8/2016 – Shadow Brokers – Initial Leak
16/8/2016 – Shadow Brokers Announce Auction on Pastebin
10/2016 – Self Interview on Medium - Message 3 at https://medium.com/@shadowbrokerss/theshadowbrokers-message-3-af1b181b4811
31/10/2016 – Shadow Brokers drop Unix exploits
14/12/2016 – Shadow Brokers start attempting to sell Windows exploits
Shadow Brokers Dump Windows Toolsets after failed auction #21/12/2017
8/4/2017 – Shadow Brokers dump more Unix exploits
14/4/2017 – Shadow Brokers drop new Windows exploits
12/5/2017 – #WannaCry starts infecting systems
ShadowBrokers - Release Highlights
◇ DoublePulsar – Windows kernel level implant, allows you to load a DLL of your choosing, i.e. a reverse shell. https://countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/
◇ EternalBlue – MS17-010 SMB v2 exploit, works without authentication against Win 7 SP1.
◇ EternalRomance – SMBv1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008 and 2008 R2.
◇ ExplodingCan – IIS 6.0 exploit which creates a remote backdoor.
◇ Fuzzbunch – NSA exploitation framework similar to Metasploit.
https://github.com/adamcaudill/EquationGroupLeak / https://github.com/misterch0c/shadowbroker
#WannaCry
A global ransomware infection
WannaCry - Impact
◇ German Railway Network
◇ Renault and Nissan Car Plants
◇ 48 UK NHS Hospitals
◇ KPMG, Santander, Telefonica and FEDEX
◇ Chinese Cash Machines
◇ Russia – Interior Ministry, VTB, RZD & Megafon
The internet has taken to producing memes ======>
WannaCry - Information
#WannaCry – Infection Vector
◇ Spreads via Server Message Block (SMB), a.k.a. Windows File Sharing, or open RDP sessions.
◇ Checks for the DoublePulsar implant and, if present, uses it to load itself.
◇ If DoublePulsar is not present, uses MS17-010 from the #ShadowBrokers leak to infect.
◇ Checks whether it can contact the kill switch domains; if it can, the malware becomes inert.
◇ Starts the encryption routine and then beacons out to all machines on the local subnet to infect them.
WannaCry - Information
#WannaCry – Technical II
◇ The main malware drops a zip archive with a hardcoded password of ‘Wncry@2o17’ after exploitation.
◇ The archive includes a number of files. Can you spot the zip archive?
◇ The encryptor registers a service ‘mssecsvc2.0’ in c:\windows\system32 with a display name of ‘Microsoft Security Center (2.0) Service’.
WannaCry - Execution
#WannaCry – Execution Detailed
https://www.endgame.com/blog/wcrywanacry-ransomware-technical-analysis
WannaCry - Defense
#WannaCry – Countermeasures
# Create and hold the mutex WannaCry checks for; $createdNew is $false if it already existed
$createdNew = $False; $mutex = New-Object -TypeName System.Threading.Mutex($true, "MsWinZonesCacheCounterMutexA", [ref]$createdNew);
https://gist.github.com/N3mes1s
◇ Patch MS17-010: obvious, but not always possible within CNI (critical national infrastructure) environments such as the NHS, air traffic control and the power industry.
◇ Network Segmentation: use router ACLs and VLANs to limit access, and host-based firewalls to limit TCP/445 between workstations.
WannaCry - Mutex
#WannaCry – Inoculation via Mutexes
http://i.imgur.com/06EFCdS.gif
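The mutex one-liner from the Countermeasures slide, expanded into a script that reports whether the mutex already existed (a previous inoculation run, or the malware itself) and keeps it held for as long as the process lives. This is an added example, not code from the talk or the linked gist; the Global\ variant of the name, and the use of the PowerShell 5+ `::new()` constructor syntax, are assumptions.

```powershell
# Added example: inoculate a host against WannaCry by holding the mutex it checks at start-up.
# The mutex name comes from the slide; the Global\ form is an assumption, added so the name is
# also claimed in the session-independent kernel object namespace.
param(
    [string[]]$Names = @('MsWinZonesCacheCounterMutexA', 'Global\MsWinZonesCacheCounterMutexA')
)

$held = @()
foreach ($name in $Names) {
    $createdNew = $false
    try {
        # $true requests initial ownership; $createdNew tells us whether the OS created a new
        # object (we are first) or merely opened one that already existed.
        $mutex = [System.Threading.Mutex]::new($true, $name, [ref]$createdNew)
    } catch [System.UnauthorizedAccessException] {
        # The name exists but belongs to another security context (another user, or a service).
        Write-Warning "$name exists but is not accessible from this context - check who owns it"
        continue
    }

    if ($createdNew) {
        Write-Host "Created $name - inoculation active while this process runs"
        $held += $mutex
    } else {
        # Someone got there first: either an earlier inoculation run or the malware.
        # Treat this as a detection lead and correlate with process and SMB telemetry.
        Write-Warning "$name already existed - investigate the owning process"
        $mutex.Dispose()
    }
}

if ($held.Count -gt 0) {
    Write-Host "Holding $($held.Count) mutex(es). Press Ctrl+C to release."
    # Mutexes vanish when this process exits, so a persistent inoculation needs this to run as a
    # scheduled task or service at boot rather than from an interactive console.
    while ($true) { Start-Sleep -Seconds 60 }
}
```

Run it once interactively to confirm the names are free, then schedule it at start-up if you are relying on it for hosts that cannot yet take the MS17-010 patch.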
To Fuzzbunch, EternalBlue, DoublePulsar and Beyond
#The Future
More global ransomware infections to come…
“In June, TheShadowBrokers is announcing "TheShadowBrokers Data Dump of the Month" service.
TheShadowBrokers is launching new monthly subscription model. Is being like wine of month club.
Each month peoples can be paying membership fee, then getting members only data dump each month. What members doing with data after is up to members.”
https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition
#The Future - II
“TheShadowBrokers Monthly Data Dump could be being:
◇ web browser, router, handset exploits and tools
◇ select items from newer Ops Disks, including newer exploits for Windows 10
◇ compromised network data from more SWIFT providers and Central banks
◇ compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs”
https://steemit.com/shadowbrokers/@theshadowbrokers/oh-lordy-comey-wanna-cry-edition
Thanks! Any questions?
You can find me at:
◇ @cyberkryption
◇ [email protected]
◇ All pictures are internet memes