WannaCry ransomware – My thoughts

WannaCry ransomware – My thoughts

The beginning of this weekend, started on a very rough note, for most of us in the cyber security domain; thanks to the WannaCry / Wcry / WannaCrypt ransomware.

At the time of this writing, this malware has infected more than a million machines across the world, impacting organisations in more than a dozen countries, with UK, Russia, Spain and India being the most hit. 

There has been enough written about the WannaCry / Wcry / WannaCrypt. And so in this post I want to focus on the technical aspects of how this malware has been constructed and it’s propagation. 

I found Talos analysis of this malware to be the most comprehensive and is an excellent read for anyone who is keen to understand this malware under the hood. 

Let’s approach our analysis alongside the cyber kill chain framework. 
There is enough evidence that email was used as the “Delivery” mechanism to deliver the payload of this attack. Once delivered onto a machine, this malware spreads via SMB; that is the Server Message Block protocol typically used by Windows computers to communicate with other file systems over a network. An infected computer then propagates the infection to other vulnerable machines in the same network. The same vector is also used to spread across hosts which are externally facing, and have inbound connections allowed on on TCP ports 139 and 445. 
It also appears, in order for the malware to “Laterally move”, it uses the notorious Doublepulsar backdoor, as Talos notes:

Talos has observed WannaCry samples making use of DOUBLEPULSAR which is a persistent backdoor that is generally used to access and execute code on previously compromised systems. This allows for the installation and activation of additional software, such as malware. This backdoor is typically installed following successful exploitation of SMB vulnerabilities addressed as part of Microsoft Security Bulletin MS17-010. This backdoor is associated with an offensive exploitation framework that was released as part of the Shadow Brokers cache that was recently released to the public. Since its release it has been widely analyzed and studied by the security industry as well as on various underground hacking forums.

And if there are no machines found which have been previously compromised and implanted with DOUBLEPULSAR, the malware uses ETERNALBLUE for the initial exploitation of this SMB vulnerability. And this is exactly the cause for this activity to look like a worm propagation across the World Wide Web. 

The Kill switch

The security researcher tweeting from @MalwareTechBlog has become the #AccidentalHero, in the last two days, for saving the mankind (or “machinekind”) from this whole fiasco. 

The researchers from Cisco Umbrella team first observed DNS requests for one of WCry’s kill switch domains (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com), early on May 12th, with the hit count going as high as 6000-7000 requests per second by late evening. 
If you look closely, the domain composition looks nearly human typed, with most of the characters falling into the top rows of a typical keyboard. 
The reason why this domain is being called a kill switch is due to the role it plays in the overall execution of this malware, as shown in the code below:

As Talos notes, 

The above subroutine attempts an HTTP GET to this domain, and if it fails, continues to carry out the infection. However if it succeeds, the subroutine exits. The domain is registered to a well known sinkhole, effectively causing this sample to terminate its malicious activity.

Dwelling deeper into the dropper and the payload itself, it is observed that there are two files which are essential for the exploit to be run – mssecsvc.exe which executes the file tasksche.exe. Once the kill switch domain is checked, and the logic as explained earlier is checked, the file mssecsvc.exe is run. The second execution is run to check the IP address of the infected system and then attempts to connect on TCP port 445, of every IP address in the same subnet. When a successful response is received proving that the IP address is of a node in the network, the SMB vulnerability is used to connect and then transfer the data. This is the vulnerability that Microsoft has addressed in the bulletin MS17-010.

Talos goes further and explains how this malware scans for local and network disk drives and identifies files with certain extensions, before starting to encrypt them all. Post the encryption is complete, the @wanadecryptor@.exe is run which is the pop-up or note that shows up on the computer screen of the victim’s machine. Then an external connection is launched onto Tor networks, in order to proxy their communication outbound, through the Tor network. 

All this sounds exciting and quite sophisticated to be detected by any intrusion detection system, isn’t it? But the key to detecting this kind of attack, wouldn’t be possible by using signatures or fingerprints (hashes of the malware file or the IOCs that have been discovered so far), but by using a good anomaly and behaviour detection system. 

I will write more on this once more information about the propagation of this malware comes to light. But I think in this particular case, it is very evident that prevention is and has to be the key focus are for all the organisations and individual computer users alike. 
Before I get into that, I would also like to highlight the political angle to this entire story. 
Political angle

Edward Snowden has been quite vocal about NSA’s involvement in this, on his twitter account. 

I am not that interested in getting into the political angle here, as it only causes anger and frustration, but I would just like to recall the drama played last year when a whole bunch of people wanted Apple to create a special version of iOS for the U.S. government, under the promise that it would never escape their safe hands and get into the wild. What happened this time folks? How did this vulnerability got out loose and into the hands of these adversaries, impacting businesses, important government departments (impacting German Auto Bahn) and people’s lives (impacting UK’s NHS)”?

So what now?

Well, we’re pretty much in clean-up mode. All the major anti-virus vendors have released signatures for WannaCry / Wcry / WannaCrypt. And while everyone is busy investigating what and how it happened, and some resting in peace thanking the #AccidentalHero for the kill switch, I am sure the advisories are already working on newer variants of this malware. 
But the most important lesson to be reiterated here is something that the security community has been preaching for a long long time – keep all your software up to date, and apply all the security patches on a regular basis. It’s more about the processes and the governance around it, that is more important than waiting for a machine learning and artificial intelligence based intrusion detection system to pick all this up and block them for you. As our old doctor used to say, prevention is better than cure!
Calling some of these preventive steps again, many of which are obvious to most people:

  1. Keep your operating system and the applications running on them, up to date
  2. Test and apply the patches, especially the security patches, early on
  3. Have a fool-proof backup strategy, and test them at least once every yea
  4. Do not open emails or attachments from unknown or suspicious senders
  5. Lock down computers, by providing minimal access, based on need basis
  6. Limit the access to network resources; in this case ransomware can only lock down files on systems that it can access 
  7. Only open ports that are essential for your business to operate. In this particular case, it was found in many cases that inbound TCP 139 and 445 was allowed in many of the perimeter firewalls. 
  8. Block all unnecessary outbound connections – especially the ones that use anonymity like Tor. Only thieves want to conceal themselves. 
  9. If you are still having difficulty in implementing all of the above measures, then one must depend on a strong treat “detection” system, beyond conventional anti-virus applications and use intrusion detection systems that use machine and deep learning to detect and block the “unknowns”. 

I have blogged about the last point, in various bog posts. More on using those techniques for WannaCry, in another blog post. 
Happy patching!


Hunting through Log Data with Excel

SANS just published an interesting paper on using Excel for incident investigations. 

A good read for incident responders to learn how to use Microsoft Excel and some of its more advanced features during an intrusion if a SIEM or similar product is not available (who doesn’t have them these days!?)

This guide will contain up to three methods for each example presented. First, the paper will show some of the things you can do with Excel by just using the toolbar commands. Second, if available, an Excel Function will be created to show how it can be slightly automated. Third, to enhance the Excel Function process even further, Visual Basic for Applications (VBA) code will be provided. Knowing alternate ways of manipulating different types of data will allow you to incorporate the results into the standard output described below.

Thoughts on Union Bank hack

Thoughts on Union Bank hack

It was recently reported in the media, that Union Bank, one of the leading Public sector banks in India, was hacked last year (July 2016). Funds to the tune of about $171 million was siphoned off, and a 7 country hunt had to be spearheaded at the top levels of government to reverse the theft. 

Though the events involved in the breach itself are interesting and needs a detailed analysis, what caught my attention is how the Bank managed to track the trail of the fund transfer to the last mile and how quickly they recovered every single penny that was stolen, within a week’s time. 

Gopika Gopakumar and Leslie D’Monte of Live Mint have the best analysis report of this incident, I’ve seen so far. 

I highly recommend their report. 

I have taken some excerpts from their report and shared my thoughts on them. Let’s get straight to how the hackers got into the Bank’s systems:

Phishing e-mails were sent to 15 email IDs. “Three people reported that the email was suspicious to the IT security. The other Union Bank employees were “technically-savvy” persons. They noticed that although the email address said @rbi.org.in, it had an attachment that a zip file. Within the zip file, there was a dot (xer) file and not a dot pdf file, which is why they reported it as suspicious”

I am curious to know how legitimate was the RBI email ID that was used here – if it was a real RBI domain and a valid RBI email address, then this is a matter of larger concern as this raises questions about RBI’s email system being hacked before this incident. This requires a lot more serious investigation. 

If you look at these sequence of events, from Cyber Kill Chain perspective, this is a successful demonstration of “Delivery” followed by “Exploit & Installation”. 
Then, the malware once downloaded on one system, started spreading across the Bank’s network and eventually onto the Bank’s servers, demonstrating a successful “Internal Recon”, followed by “Lateral movement”. 

To me, this looks like a classic case of externally originating exploit attempt, followed by internal recon and lateral movement. Though it is easier said than done, I feel that a good security anomaly detection system would have been able to flag this off, considering the sequence of events revealed by this report – pre and post exploit. Also, I am curious to know what were the Intrusion and Anomaly detection tools and techniques the bank had deployed, which failed to detect these events occurring within the bank’s internal systems and network. 

So, if the Bank didn’t detect these patterns while they were occurring, how did the Bank discover this anomaly? Thanks to SWIFT’s (Society for Worldwide Interbank Financial Telecommunication) daily reconciliation report, as Live Mint goes on to report:

“When a bank does a SWIFT transaction during the day, they typically get a reconciliation report the next day and all the corresponding banks send them the “end-of-the-day balance” report the following morning.

When Union Bank got it from the originating bank, they saw a difference of $170 million and that alerted them because of one mistake—the hackers deleted the six entries they had made.”

This is an interesting revelation of how the SWIFT system actually tracks any transaction anomalies, and I am sure this system is a lot more sophisticated. But what the hackers did, appears to be utterly dumb to me – deleting their transaction logs, whilst leaving the funds debit logs unchanged! 

Coming to the recovery of the funds itself, and where it took the Bank a few extra days:

“One tricky negotiation was with the Taiwanese government with which India doesn’t have diplomatic ties, particularly as a court order was needed to secure the banking reversal instruction. However, with some pushing from U.S. officials, the entire $171 million was traced.”

It is commendable to see how the bank, worked with the Indian Govt. agencies, including CERT-IN and RBI, and other international banks in getting the money back in a few days. This entire episode is worth a case study on how other national and international banks should mobilise the right tools, people and government and inter-country legal processes, for executing an effective cybersecurity incident response procedure. 

The CEO of SWIFT India, acknowledged the impact of cyber threats to the banking industry, and thanks to the various guidelines laid out by RBI (Reserve Bank of India), there appears to be good momentum amongst the public and private sector banks in India, in implementing cyber security controls in thwarting such security threats. 

“Cyber threat is real and is growing”. According to him, the pace of digitization that we have seen in the last decade and at a more accelerated pace, requires the same level of investment on the cyber side as well. The regulator (RBI), he added, has introduced regulations around a CISO (chief information and security officer) directly reporting to the board. There is also a customer security programme where “we are now mandating 27 controls, of which 16 are mandates and 11 are advisory. If you don’t have 16, we will start reporting to the regulator.”

Closing thoughts:

Though the Incident report of this breach will never be made public, and it shouldn’t, the most important learning from this incident, for other banks and the cyber security community, would be, to know what controls worked and what didn’t:

  • both technical control in terms of the intrusion detection tools/techniques that worked and didn’t work, or could have worked (if the bank didn’t have them – for ex., Machine Learning based threat detection tools which can detect new/unknown patterns of threats a lot more efficiently than tradition systems”, and
  • non-technical controls (security awareness initiatives amongst the bank’s employees, and the processes and SLA established between the Bank and CERT-IN, RBI, Legal depts (Cyber Vigilance committee), and the cross-border relations with other nations).

Finally, the fact that caught my attention and made me read more about the Union Bank hack – the recovery of the stolen funds – Kudos to the collaborative effort between the officials from Union Bank, Cert-In, RBI in not only investigating and tracking the trail of the money flow, but also recovering every cent of the theft, in 6 days. Great work!

One of my friends in the cyber security industry, posed a very logical question to me – if Google can keep a track of where am I going, what and where am I eating, what I am watching and what am I reading, inspite of me being in the general public domain and Google merely using the open internet to track all this, why is an Enterprise/Organisation, still unable to track the use of its own resources and assets by its entities (users, machines, devices), within the network that the organisation has provisioned and controls?

NetFlow-based security tool for Incident Response

NetFlow-based security tool for Incident Response

Charles Herring of Lancope has a short but interesting post on how NetFlow data can be leveraged for Incident Response purposes.

He says

The collection and analysis of network metadata, such as NetFlow, is an effective way to identify advanced attacks, insider threats or data exfiltration.

There are three major features/activities required by an effective NetFlow management tool:

  • Deduplicate the flow to remove redundant information
  • Directionality to determine the relationship between flow endpoints
  • Robust Querying capabilities

There is a Part 2 coming up soon, which will focus on the Analytics aspects of this.

Title Image courtesy: jimjansen.blogspot.com

Identifying actionable threat intelligence

Identifying actionable threat intelligence

Ran Mosessco from Websense Security Labs has a very interesting post on solving a key issue every Security Analysts in a SOC (Security Operations Center) faces – the overwhelming amount of security alerts (even after correlation), also called Attack Indicators, an Analyst has to acknowledge and investigate.

Actionable threat intelligence is buried deep within terabytes of seemingly interesting but irrelevant data. Plausible deniability, false positives, lack of traceability and attribution, skillful attackers, adaptation of warfare techniques, and the like only add to the confusion. How does one bubble up prioritized, actionable threat intelligence in an automated fashion from the depths of the data morass?

This approach is still at a nascent stage and requires further study and we need to come up with an implementable solution. But I think this is a good place to start, and the following lines capture the way forward, accurately:

With attacks becoming more advanced and sophisticated each day, combining big data engineering, unsupervised machine learning, global threat intelligence and cybersecurity know-how is required to deal with them in a timely, automated and efficient manner.

This topic is one of my key focus areas professionally, and so I will be writing more about it here. 

Title Image credit: communities.websense.com