Category Archives: Internet crime

Timeline: NSA hacking tool to WannaCry

A recent Washington Post article is helping to answer some questions about Microsoft’s actions in recent months. Here’s a timeline of events:

2012 (or possibly earlier): The NSA identifies a vulnerability in Windows that affects all existing versions of the operating system, and has the potential to allow almost unfettered access to affected systems. A software tool — an exploit — is developed either for, or by, the NSA. The tool is called EternalBlue. People at the NSA worry about the potential damage if the tool or the vulnerability became public knowledge. They decide not to tell anyone, not even Windows’ developer, Microsoft.

EternalBlue finds its way into the toolkit of an elite hacking outfit known as Equation Group. Although it’s difficult to know for certain, this group is generally assumed to be operating under the auspices of the NSA. Equation Group may work for the NSA as contractors, or they may simply be NSA employees. Regardless, the group’s actions seem to align with those of the NSA: their targets are generally in places like Iran, Russia, Pakistan, Afghanistan, India, Syria, and Mali.

Early to mid-2016: A hacking group calling themselves The Shadow Brokers somehow gains access to NSA systems or data, and obtains copies of various NSA documents and tools. Among those tools is EternalBlue.

August, 2016: The Shadow Brokers begin publishing their NSA haul on public services like Tumblr.

January 7, 2017: The Shadow Brokers begin selling tools that are related to EternalBlue.

Late January to early February 2017: The NSA finally tells Microsoft about the vulnerability exploited by EternalBlue. We don’t know exactly when this happened, but it clearly happened. The NSA was Microsoft’s source for this vulnerability.

February 14, 2017: Microsoft announces that February’s Patch Tuesday updates will be postponed. Their explanation is vague: “we discovered a last minute issue that could impact some customers.

Late February 2017: The Windows SMB vulnerability exploited by EternalBlue is identified publicly as CVE-2017-0144.

March 14, 2017: March’s Patch Tuesday updates from Microsoft include a fix for CVE-2017-0144, MS17-010. The update is flagged as Critical and described as Security Update for Microsoft Windows SMB Server (4013389). Nothing in Microsoft’s output on March 14 calls special attention to this update.

April 14, 2017: The Shadow Brokers release 300 megabytes of NSA material on Github, including EternalBlue.

May 12, 2017: WannaCry ransomware infection wave begins. The malware uses EternalBlue to infect vulnerable computers, mostly Windows 7 PCs in Europe and Asia. Infected computers clearly had not been updated since before March 14, and were therefore vulnerable to EternalBlue.


It’s now clear that the NSA is the real problem here. They had several opportunities to do the right thing, and failed every time, until it was too late. The NSA’s last chance to look at all good in this matter was after the vulnerability was made public, when they should have made the danger clear to the public, or at least to Microsoft. Because, after all, they knew exactly how useful EternalBlue would be in the hands of… just about anyone with bad intent.

Everyone involved in this mess acted foolishly. But whereas we’ve grown accustomed to corporations caring less about people than about money, government institutions — no matter how necessarily secretive — should not be allowed to get away with what the NSA has done. Especially when you consider that this is just the tip of the iceberg. For every WannaCry, there are probably a thousand other threats lurking out there, all thanks to the clowns at the NSA.

Ars Technica’s analysis.

Techdirt’s analysis.

WannaCry update

According to Kaspersky Labs, almost all of the computers infected with WannaCry (WCry, WannaCrypt) were running Windows 7. A small percentage (less than 1%) were running Windows XP.

Microsoft released updates in March 2017 which — if installed — protect Windows 7 computers from WannaCry infections. So all those Windows 7 WannaCry infections were only possible because users failed to install updates. This is a good argument for either enabling automatic updates, or being extremely diligent about installing updates as soon as they become available.

A researcher at Quarkslab discovered a method for decrypting files encrypted with WannaCry, although it only works on Windows XP, and only if the computer has not been restarted since the files were encrypted.

Building on the discoveries of Quarkslab, researchers at Comae Technologies and elsewhere developed a tool that can decrypt files encrypted by WannaCry on Windows 7 as well as XP. The new tool — dubbed wanakiwi by its developers — uses the same technique as its predecessor and has the same limitation: it doesn’t work if the infected computer has been restarted since encryption occurred.

The Register points out that while the NSA was hoarding exploits, Microsoft was doing something similar with patches. Microsoft is in fact still creating security updates for Windows XP and other ‘unsupported’ software; they just don’t normally make those updates available to the general public. Instead, they are only provided to enterprise customers, which pay substantial fees for the privilege. When Microsoft released the Windows XP patch in response to the WannaCry threat, the patch was already developed; all Microsoft had to do was make it available to the general public. Sure, developing updates costs money, and Microsoft wants to recover those costs somehow, but it seems clear that we would all be better off if they made all updates available to everyone.

Bruce Schneier provides a useful overview of WannaCry, and how best to protect yourself. From the article: “Criminals go where the money is, and cybercriminals are no exception. And right now, the money is in ransomware.”

Update 2017May21: Analysts have confirmed that WannaCry’s initial infections were accomplished by scanning the Internet for computers with open Server Message Block ports, then using the EternalBlue SMB exploit to install the ransomware. Once installed on any computer, WannaCry spread to other vulnerable computers on the same local network (LAN). Earlier assumptions about WannaCry using spam and phishing emails to spread were not accurate.

WannaCrypt variants infecting systems worldwide

The accidental stifling of WannaCrypt’s spread was too good to last, apparently. New versions of the ransomware — unaffected by the serendipitous domain registration of a security researcher — are now making their way around the world. You can even watch the malware spread using MalwareTech’s WannaCrypt live feed.

Our advice remains the same: make sure all your Windows computers have the relevant updates installed, including Windows XP. Microsoft’s Customer Guidance for WannaCrypt attacks is a good place to start; there are links to the updates at the bottom of that page. For more information about the exploit used by WannaCrypt, see Microsoft’s MS17-010 bulletin from March 14.

SANS has a good summary of the technical aspects of WannaCrypt.

Update 2017May16: There’s plenty of blame to go around for this mess. Microsoft is being criticized for abandoning Windows XP when it’s still widely used. Meanwhile, Microsoft is blaming the NSA’s vulnerability hoarding.

WannaCrypt ransomware: Microsoft issues updates for unsupported Windows

Ransomware known as WannaCrypt (aka WCry, WannaCry) has already crippled as many as 75,000 unpatched Windows computers in Europe and Asia. So far it hasn’t done much damage in North America, but that could change quickly.

The flaw WannaCrypt uses to infect Windows computers was patched by Microsoft in March, but unpatched computers and those running unsupported versions of Windows were left unprotected.

Microsoft has long since stopped releasing security updates for Windows XP, but WannaCrypt is spreading quickly, and Windows XP computers are essentially defenseless against it. So Microsoft has taken the unprecedented step of publicly releasing an update that protects Windows XP computers from the flaw that WannaCrypt uses to spread.

If you manage any computers that run Windows XP, you should install the update immediately: download update for 32-bit Windows XP Service Pack 3. There’s more information about this from Microsoft.

Techdirt points out that the flaw WannaCrypt exploits was exposed in the recent NSA tool leaks. Which is exactly the problem when security organizations hoard flaws instead of reporting them responsibly.

Update 2017May14: Apparently a security researcher at MalwareTech registered a (previously unregistered) domain used by WannaCrypt as part of his investigation into the ransomware. This is standard practice, because it often allows researchers to gain a better understanding of their subject. Surprisingly, this move stopped WannaCrypt from doing any further damage.

The latest guidance from NCSC.

Ransomware update

A typical ransomware alert screen. Not something you ever want to see on your computer.

The scourge of ransomware shows no signs of slowing down. A single careless click on a link in an email is all that’s necessary for one of the many varieties of ransomware to install itself and quietly start encrypting data files on your computer, and on any others it can reach. Warning screens like the one above announce the dreadful news: your files are now effectively garbage. Pay the ransom or you’ll never see those files (intact) again.

Reports of ransomware hitting schools and hospitals are depressingly common. There’s evidence that attacks on sensitive targets like hospitals are intentional. Ransomware is now being installed by trojan malware that previously only stole your banking information. Newer televisions and other ‘smart’ devices that are connected to the Internet are being hit with ransomware that limits their functionality. Phony ICANN blacklist removal email is being used to trick people into installing ransomware.

If you’re wondering just how deep this ugliness goes, consider this: at least one strain of ransomware offers to decrypt your files for free if you pass the malware along to at least two other computers.

Assuming you’ve managed to avoid this nightmare, you’re either using strong anti-malware software, or you’ve trained yourself not to indiscriminately click links on the web and in email (hopefully both). Otherwise, you’re probably just lucky. So far, my only encounter with ransomware was a partial infestation of a client PC; the malware was prevented from doing any real damage by antivirus software (Trend Micro’s Worry-Free Business Security for anyone wondering).

Okay, so what’s the good news? Companies like No More Ransom offer services that can (sometimes) reverse the damage caused by ransomware. Of course, the success of this kind of service depends on the type of ransomware; some strains are easier to work around than others. But at least there’s hope for those ransomed files.

Brian Krebs investigation reveals author of Mirai worm

The Mirai worm has compromised thousands of IoT devices that were subsequently used in several recent, massive DDoS attacks, including one against the web site of Brian Krebs, well-known security researcher and blogger.

In an appropriately-lengthy post, Krebs describes the process by which he tracked down the identity of the author of the Mirai worm. It’s a fascinating read.

Krebs has published the results of similar investigations in the past, which is why he’s become a target for DDoS attacks, Swatting, and other despicable acts. It remains to be seen whether he will be the target of any new attacks in the wake of his Mirai investigation.

I applaud Krebs’ persistence and dedication in the face of these attacks. Here’s hoping he keeps fighting the good fight, for the benefit of Internet users everywhere.

BEWARE this nasty, effective, GMail-based phishing attack

By now you should be aware that indiscriminately clicking on anything in an email can be dangerous. Even if you know the sender, and the email looks totally mundane, you’re taking a risk any time you do it.

Recently, a particular kind of phishing email is showing up in inboxes everywhere. These emails look completely ordinary at first glance, and they contain what appears to be an attachment.

When you click the ‘attachment’ to open it, your browser is directed to a phony Google login screen. This in itself may not raise any alarms, since Google — in an effort to improve security — often throws extra login screens at us.

Unfortunately, if you fill in your Google username/email and password, that information goes straight to the perpetrators. Almost immediately after that, your password will be changed and you will have lost control of your Google account. If you’re like most people, you use your Google account for numerous Google sites and services, including Google Drive, Analytics, AdWords, and so on. The potential for damage is extreme.

The goods news is that you can avoid being victimized by this attack by doing something you should already be doing: before you click anything in an email, hover your mouse over the link or ‘attachment’. Most useful web browsers and email applications will show you some information about the item, either in a popup or in the status area at the bottom of the app. What you see should provide all the clues you need. If it’s an attachment, it should show you the file name. If it’s a URL, it should show you an ordinary web address that starts with ‘http://’ or ‘https://’.

Hovering over the fake attachment in these phishing emails shows what looks sort of  like a URL, but starts with ‘data:text/html’. No valid URL will ever look like that.

This blogger wasn’t careful. He clicked the ‘attachment’, then entered his Google username and password on the fake login page. Luckily for him, the ‘login’ failed, which alerted him to the situation. He immediately changed his Google password, and appears to have dodged that bullet.

The Wordfence blog has additional details.

DDoS attacks on Dyn caused outages and slowdowns

If you use Twitter, reddit, Amazon, Tumblr, Spotify or Netflix, you may have noticed that they were slower than usual for parts of yesterday. That’s because the affected sites and services use Dyn, a DNS service provider, and Dyn was hit by two huge DDoS attacks yesterday.

The attacks lasted for a few hours, and while they certainly affected a lot of people, they were no more than an inconvenience for most. Still, the surge in the number and size of these attacks is troubling.

Analysis of the attacks shows that they were made possible by the Mirai botnet, which uses a huge network of poorly-secured (and now compromised) DVRs and security cameras. Those are the same tools used in the recent krebsonsecurity.com and OVH DDoS attacks. The source code for Mirai was released to the public recently, which means just about anyone could have caused the Dyn attacks.

Brian Krebs has more.

Update 2016Oct24: Dyn has released a statement about the attack on their systems, in which they clarify the timeline, and confirm that the Mirai botnet was involved. Meanwhile, security expert Bruce Schneier doesn’t believe that the recent attacks were perpetrated by a state actor such as China. He also doesn’t think they were related to the probing attacks he reported earlier. But he is concerned that the attacks will continue to grow in size and frequency, because nobody involved is motivated to fix the problem.

Chinese device maker Hangzhou Xiongmai has issued a recall for several of its webcam models that were used in the attacks. However, they are only one company out of hundreds (maybe thousands?) of companies producing poorly-secured IoT devices.

Update 2016Oct25: According to Brian Krebs, Xiongmai has also made vague legal threats against anyone issuing ‘false statements’ about the company. This is presumably part of a PR effort to improve the company’s image in the wake of the attacks, but it’s hard to see how this will help anyone. The company’s main objections apparently relate to statements by Brian Krebs and others about users’ ability to change passwords. Testing has shown that back-door, unchangeable passwords exist on some of the affected devices.

Infosec highlights – October 5, 2016

Cryptocurrency-mining malware known as Mal/Miner-C is targeting specific Seagate Central Network Attached Storage (NAS) devices. The malware locates the devices when they’re exposed to the Internet and installs a special file in a public folder. Unwary users try to open the file, which installs the malware on their Windows computer. Once installed, the malware uses available resources to mine the Monero cryptocurrency. There are about 7000 of these devices globally.

It’s standard practice to tell users to lock their computers when they walk away from their desks. A locked computer presents an obstacle to anyone with physical access who’s interested in poking around or stealing data. But in reality, once someone has physical access to a computer, there are ways to gain full access, even when that computer is locked. Now there’s a new technique that simplifies this task. A specially set up thumb drive is inserted in the target computer (Mac or PC), and 20 seconds later, the intruder has valid login credentials in their hands.

Two Factor Authentication (2FA or MFA) is an increasingly-common way to bolster your security when using Internet-based services and web sites. It adds a second step to the login process, which usually involves entering a special code. Many sites and services that offer 2FA send codes to your registered cell phone via SMS text messages. Unfortunately, that specific method (codes via SMS) can be co-opted by attackers who already have your password (which is increasingly likely with all the recent breaches). If you’re using SMS text for 2FA, you should look into more secure methods. Google Authenticator generates temporary, time-limited codes using an app on your smartphone. Duo Security has an app that receives special ‘push’ messages from the site you’re trying to access, and all you have to do is click a button on your cell phone to get in.

Bruce Schneier wants everyone to stop blaming the user for security problems and create systems that are more inherently secure. As things are today, the user gets most of the blame when something goes wrong. Clearly, using weak passwords, re-using passwords, and generally being vulnerable to phishing and other manipulation point to the user as the weak link. But Schneier thinks pointing at the user isn’t helpful, especially when that link is unlikely to ever change. Instead, he wants to limit the involvement of the user; to create fewer security pitfalls. He points to current efforts along those lines, including automatic security updates, and virtualization. Which are both great ideas, as long as us techie folks have a way to bypass those things.

Confirmed: record-breaking DDoS attacks using IoT devices

Another week, another huge DDoS attack, this time against French web hosting provider OVH.

Analysis by security experts has now confirmed that these attacks used a huge network of compromised devices, mostly security cameras and Digital Video Recorders (DVRs). These devices are typically vulnerable out of the box, and unless they are configured properly, they remain vulnerable. Most of the devices in question run a version of BusyBox Linux.

Brian Krebs posted a list of manufacturers that produce hardware known to be affected, based on his research. But his list is only a starting point, and much more work is needed.

Adding to this nightmare is the news that the source code for Mirai, the botnet used for the recent, massive attacks, has been released to the public. We can (and should) expect more attacks in the coming weeks and months.

What can be done to stop this? The best solution would be to complete the work of identifying vulnerable hardware (make and model), and contact the owners of all affected devices with instructions for securing those devices. In practical terms, the first part is relatively straightforward work. The second part is problematic. Who is responsible if a device is being co-opted in DDoS attacks? The user? The service provider? The manufacturer? Many owners of these devices have no idea they are being used like this.

Eventually, the current crop of IoT devices being used in these attacks will be secured. But more new ‘smart’ devices are being manufactured and connected to the Internet every day. Until manufacturers stop shipping unsecure-by-default devices, we’re going to keep seeing these huge attacks.