I thought I would create a page for myself just to keep some idea of the timelines and order of things and to make sense of what I’m reading.
How it started:
The US intelligence agency had a 0-day exploit called EternalBlue.
EternalBlue looks like this : https://www.youtube.com/watch?v=6rrY0S8x3HQ
On approximately 14th April 2017, “The Shadow Brokers” leaked this code, amongst other exploits, into the public domain. (Link to leak)
In less than 24 hours, Microsoft announced that seven of the leaked exploits were already patched.
It appears that modern systems such as Windows 10 are immune to this; however, legacy systems would be a prime target.
The Microsoft bulletin is MS17-010, which appears to be an updated version of MS08-067.
It appears that you need both DoublePulsar (to create the backdoor) and EternalBlue to make up the full exploit.
What happened next:
With the code public, script-kiddies (the click-and-go wannabe hackers) had their fun with it, and the overwhelming message from the information security industry was:
PATCH NOW!
The main attack(s):
The code was weaponised to create ransomware, dubbed WCry / WannaCry / WanaCrypt0r.
It appears the main attack hit Spanish companies, but also other countries: Taiwan, Russia, Turkey, Kazakhstan, Indonesia, Vietnam, Japan, Germany, Ukraine and the Philippines.
Telefonica Spain – $300 to 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
Analysis of attack:
Infection comes from an embedded file in a Word document. Hedgehog Security has a good blog post on it.
It uses Tor for outbound connectivity.
The NHS attack:
I first noticed it on CiSP (the NCSC information-sharing system): a ransomware attack on the NHS. Then the BBC covered it, and then it went viral.
The attack is spreading …
Bitcoin accounts from screenshots:
Full screen image : 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Direct from infected computer : 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
BBC Screenshot : 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw
London GP (same photo) : 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn
YouTube Video : 1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY
Speculation: maybe it is a buy-your-own-ransomware kit and we are seeing the different wallets.
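An address copied from a screenshot is easy to mis-read (a `1` for an `l`, a `0` for an `O`), so before comparing wallets it is worth checking that each one is even well-formed. The following is an added example, not code from the original post: it validates the Base58Check checksum of a mainnet P2PKH address (the kind starting with `1`), rejects anything that does not decode, and then groups the sightings listed above by wallet. The sightings list is transcribed from this page; the source labels and function names are my own.

```python
import hashlib

# Added example (not from the original post): validate Bitcoin addresses
# transcribed from ransom-note screenshots and group the sightings by wallet.

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def base58_decode(text: str) -> bytes:
    """Decode a Base58 string; each leading '1' encodes a leading zero byte."""
    value = 0
    for ch in text:
        digit = BASE58_ALPHABET.find(ch)
        if digit < 0:
            raise ValueError(f"not a Base58 character: {ch!r}")
        value = value * 58 + digit
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    leading_zeros = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_zeros + body


def is_valid_p2pkh_address(addr: str) -> bool:
    """True if addr is a well-formed mainnet P2PKH address with a correct checksum.

    Base58Check layout: 1 version byte (0x00) + 20-byte hash + 4-byte checksum,
    where checksum = first 4 bytes of SHA256(SHA256(version + hash)).
    """
    try:
        raw = base58_decode(addr)
    except ValueError:
        return False
    if len(raw) != 25 or raw[0] != 0x00:
        return False
    payload, checksum = raw[:21], raw[21:]
    digest = hashlib.sha256(hashlib.sha256(payload).digest()).digest()
    return digest[:4] == checksum


# Sightings as listed in the post: (source label, address read from the screenshot).
SIGHTINGS = [
    ("Full screen image", "13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94"),
    ("Direct from infected computer", "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn"),
    ("BBC screenshot", "12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw"),
    ("London GP (same photo)", "115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn"),
    ("YouTube video", "1QAc9S5EmycqjzzWDc1yiWzr9jJLC8sLiY"),
]


def group_by_wallet(sightings):
    """Return (wallets, rejected).

    wallets maps each valid address to the sources that showed it; rejected holds
    (source, address) pairs that fail the checksum or format check, which usually
    means a transcription error rather than a genuinely different wallet.
    """
    wallets: dict[str, list[str]] = {}
    rejected: list[tuple[str, str]] = []
    for source, addr in sightings:
        if is_valid_p2pkh_address(addr):
            wallets.setdefault(addr, []).append(source)
        else:
            rejected.append((source, addr))
    return wallets, rejected


if __name__ == "__main__":
    wallets, rejected = group_by_wallet(SIGHTINGS)
    for addr, sources in wallets.items():
        print(f"{addr}  seen in: {', '.join(sources)}")
    for source, addr in rejected:
        print(f"REJECTED (bad checksum or format) {source}: {addr}")
```

The checksum only proves the string was copied correctly; it says nothing about who controls the wallet. The useful output is the grouping: two sightings of the same address are one wallet, and an address that fails the check should be re-read from the screenshot before anyone tries to track payments to it.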
Who is the attacker:
Unknown.
Why was the NHS hit so hard:
Speculation: the NHS was hit as they have legacy systems that cannot run on patched/upgraded/Windows 10 systems. This may explain why some university hospitals are also being hit. It would be good if we could find a copy of the infected Word document. Having seen and heard of cases in education where vendors try to charge triple the normal costs, seeing government departments as cash cows, some are not able to upgrade due to the extortionate costs. Therefore they end up having to rely on legacy systems. I suspect that some of the IT infrastructure in the NHS cannot be upgraded as the software vendors don’t have upgrade paths to Windows 10.
Recommendations:
- Use your head: look for suspicious emails.
- Advise colleagues, friends and families:
  - Don’t open suspicious attachments.
  - Don’t click on suspicious links.
  - If you see a program in a Word document, just don’t!
  - If you’re at work and you’re not sure, phone IT support.
- Advise colleagues, friends and families:
  - Update all anti-virus/anti-malware.
  - Make sure you have upgraded/patched your computer.
  - Ensure you have backed up everything you can’t afford to lose!