Facebook Twitter YouTube SoundCloud RSS

#WannaCrypt – NSA Powered Bug Hits Global Targets

21st Century Wire says…

The Russians were blamed for this cyber attack by British mainstream’s The Independent, but that article including all its related social media got pulled down quickly. Fake news covered up very quickly.

What’s very interesting is that the highest amount of victims of this cyber attack were based in Russia. Worth thinking about.

(Source – Kaspersky Labs)

More on this report from The Register…

(Image – Smashing Hub)

Iain Thompson
The Register

The WannaCrypt ransomware worm, aka WanaCrypt or Wcry, today exploded across 74 countries, infecting hospitals, businesses including Fedex, rail stations, universities, at least one national telco, and more organizations.

In response, Microsoft has released emergency security patches to defend against the malware for unsupported versions of Windows, such as XP and Server 2003, as well as modern builds.

To recap, WannaCrypt is installed on vulnerable Windows computers by a worm that spreads across networks by exploiting a vulnerability in Microsoft’s SMB file-sharing services. It specifically abuses a bug designated MS17-010 that Redmond patched in March for modern versions of Windows, and today for legacy versions – all remaining unpatched systems are therefore vulnerable and can be attacked.

This bug was, once upon a time, exploited by the NSA to hijack and spy on its targets. Its internal tool to do this, codenamed Eternalblue, was stolen from the agency, and leaked online in April – putting this US government cyber-weapon into the hands of any willing miscreant. Almost immediately, it was used to hijack thousands of machines on the internet.

Now someone has taken that tool and strapped it to ransomware: the result is a variant of WannaCrypt, which spreads via SMB and, after landing on a computer, encrypts as many files as it can find. It charges $300 or $600 in Bitcoin to restore the documents. It is adept at bringing offices and homes to a halt by locking away their data.

And it installs Doublepulsar, a backdoor that allows the machine to be remotely controlled. That’s another stolen NSA tool leaked alongside Eternalblue. The malware is also controlled via the anonymizing Tor network by connecting to hidden services to receive further commands from its masters.

Fortunately, a kill switch was included in the code. When it detects that a particular web domain exists, it stops further infections. That domain was created earlier today by a UK infosec bod, who spotted the dot-com in the reverse-engineered binary; that registration was detected by the ransomware, which immediately halted its worldwide spread.

Connections to the magic domain – iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com – were sinkholed to a server in California, and the admins of the infected systems reaching out to the dot-com will be notified, we’re told. “IP addresses from our sinkhole have been sent to FBI and ShadowServer so affected organisations should get a notification soon,” said the researcher. The infosec bod admitted they registered the domain first, then realized it was a kill switch. Still, job done.

The software nasty has today ransacked the UK’s national healthcare service, forcing hospitals to shut down to non-emergency patients; torn through Spanish telco Telefónica; and many other organizations. In what is looking like one of the biggest malware attacks in recent memory, the bulk of the infections are in Russia – including the state’s interior ministry; the virus has claimed high-profile targets around the world.


We’re told 16 NHS health trusts in the UK were taken out by the malware. Prime Minister Theresa May said the code “has crippled” Brit hospitals, and that Blighty’s surveillance nerve center GCHQ is looking into the outbreak. The NHS is thought to have been particularly hard hit because of the antiquated nature of its IT infrastructure. A large part of the organization’s systems are still using Windows XP, which is no longer supported by Microsoft, and Health Secretary Jeremy Hunt cancelled a pricey support package in 2015 as a cost-saving measure.

Computers were locked in Aintree, Blackpool, Broomfield Hospital in Essex, Colchester General Hospital, all hospital systems in Derbyshire, Great Yarmouth, East and North Hertfordshire, James Paget hospital in Norfolk, Lanarkshire, and Leicester.


US companies have also been hit. FedEx told The Reg: “Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware. We are implementing remediation steps as quickly as possible. We regret any inconvenience to our customers.” Essentially, staff have been told to turn off their non-critical systems, and to keep it that way until the mess is cleaned up – which could take the whole weekend, or longer.

As described above, the worm uses the EternalBlue and DoublePulsar exploits swiped from the NSA’s arsenal of hacking tools. It would have been great if the bugs targeted by the agency had been patched years ago; instead, they were fixed by Microsoft in March just before the Shadow Brokers dumped the programs online in April. We assume either the NSA or the brokers tipped off the Redmond giant so that updates to kill off the SMB bug could be pushed out before the exploits publicly leaked.

So, yes, Microsoft issued security fixes to address the vulnerabilities attacked by those cyber-weapons, but as is the way with users and IT departments big and small, not everyone has patched, or can patch, and are now paying the price. The initial infection point appears to be spear-phishing emails, thrown at people within organizations, with the malware hidden in attachments that, when opened, trigger a cyber-contagion on the internal network. The malware is a hybrid design that has a worm element, allowing it to spread through internal structures for maximum effect.

According to an analysis by Payload Security, the malware drops a number of programs on the system, including Tor, and adds itself to the Windows Registry so it persists across reboots. It can fetch software modules to gain new abilities, and uses various techniques to hinder reverse-engineering: decrypted samples of the executables are available from the above links.

The code encrypts a wide variety of documents on a computer, including any attached storage, and snatches any keys for remote-desktop access. It deletes volume snapshots, and disables system repair tools. It also scans the infected system’s settings to work out the user’s language, and pulls up a ransom demand in the correct lingo for the victim. It changes the desktop backdrop, too, to grab the victim’s attention.

According to a study by Kaspersky, it appears the malware controllers are getting greedier as infection rates grow. The initial infections asked for $300 worth of Bitcoin, however later infection notices have upped this price to $600. A check on the Bitcoin strings show a few thousand dollars’ worth of Bitcoin have already been sent to the criminals.

We have recorded more than 45,000 attacks of the WannaCry ransomware in 74 countries around the world, mostly in Russia,” said Kaspersky’s research team.

It’s important to note that our visibility may be limited and incomplete and the range of targets and victims is likely much, much higher…

Continue this report at The Register





Get Your Copy of New Dawn Magazine #203 - Mar-Apr Issue
Get Your Copy of New Dawn Magazine #203 - Mar-Apr Issue