What these cyber attacks are starting to resemble
14 May 2017 – This past Friday a major ransomware attack affected 100 countries and scores of organizations across the world reportedly including Telefonica in Spain, the National Health Service in the UK, the railway system in Russia, and FedEx in the US.
NOTE: this threat is still under active investigation, so the situation may change as we learn more. Over the weekend I have been conversing with scores of contacts in my intelligence community and cyber security database and the situation has been “fluid”. Several of my contacts allowed me to observe their analysis of the malware via their honeypots.
The malware responsible for this attack is a ransomware variant known as “WanaCrypt0r 2.0” or “WannaCry”. According to the cybersecurity experts I spoke with, the exploit has been widely analyzed and studied by the security industry as well as on various underground hacking forums. Those hacking forums have been buzzing all weekend.
The malware has the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading like a worm, compromising hosts, encrypting the files stored on them and then demanding a ransom payment in the form of Bitcoin.
When a computer is infected, the ransomware typically contacts a central server for the information it needs to activate, and then begins encrypting files on the infected computer with that information. Once all the files are encrypted, it posts a message asking for payment to decrypt the files – and threatens to destroy the information if it doesn’t get paid, often with a timer attached to ramp up the pressure. Most ransomware is spread hidden within Word documents, PDFs and other files normally sent via email, or through a secondary infection on computers already affected by viruses that offer a back door for further attacks.
It is important to note that this is not a threat that simply scans internal ranges to identify where to spread; it is also capable of spreading based on vulnerabilities it finds in other externally facing hosts across the internet. Successful exploitation also allows a backdoor to be installed, and through it the installation and activation of additional software, such as malware. This backdoor is typically installed following successful exploitation of SMB vulnerabilities.
If you have been following media reports this offensive exploitation framework was released as part of the Shadow Brokers cache that was recently released to the public. In keeping with almost everything else in the world of cyberwarfare, attribution is tricky. And contacts in the intelligence community tell me it is unlikely that the Shadow Brokers were directly involved in the ransomware strike: instead, some opportunist developer seems to have spotted the utility of the information in the leaked files, and updated their own software accordingly. As for the Shadow Brokers themselves, no-one really knows, but fingers point towards Russian actors as likely culprits.
The four most intriguing questions discussed this weekend:
1. The ransomware tactic behind this global cyberattack on Friday was nothing new. But new digital tools mean that hackers don’t even need to have any skills to do this anymore.
2. This is not over. The attackers will realize they are being stopped by “kill switches”, so they’ll change the code and then they’ll start again. Enable Windows Update, update and then reboot. But also note there are most likely other variants of the malware with different kill switches that will continue to spread.
3. The legal community is flummoxed. The release of these new exploits has allowed ransomware authors to profit without committing a crime. A malware author that sells his wares is no different from any other product supplier. This is the issue, because even the legality surrounding malware-as-a-service is very grey. If it is structured in a way that the user actually enters all the data and launches the binary that does the work, is the hosting provider liable?
4. Governments still do not “get it” when they use the ubiquitous term “cyber warfare”. This lack of understanding leads to events like those on Friday.
I do not intend to cover all of these questions in depth but simply make a few general comments. For the large number of you with whom I have been conversing about Question #3 this weekend, I strongly recommend you attend the Georgetown Law Cybersecurity Institute this coming week (details here), much of it being webcast live. The founding chairperson is long-time friend and colleague (and cyber law maven) Christina Ayiotis. My media team will be attending and we’ll have video interviews, etc. after the event.
Let’s get some technical stuff out of the way
NOTE: much credit for the following goes to Martin Lee and his team at Cisco Intelligence; Lee Matters, privacy and security hacker and long-time chum; and David Grout and his team at FireEye.
WannaCry is believed to use the EternalBlue exploit, which was developed by the U.S. National Security Agency (NSA) to attack computers running Microsoft Windows operating systems. Although a patch to remove the underlying vulnerability for supported systems had been issued on 14 March 2017, delays in applying security updates and lack of support by Microsoft of legacy versions of Windows left many users vulnerable. Due to the scale of the attack, to deal with the unsupported Windows systems, Microsoft has taken the unusual step of releasing updates for all older unsupported operating systems from Windows XP onwards.
Shortly after the attack began a researcher found an effective kill switch, which prevented many new infections. This greatly slowed the spread. However, it has been reported that subsequently new versions of the attack have been detected which lack the kill switch, thus able to spread to systems in which the vulnerability has not been patched.
EternalBlue exploits a vulnerability known as “MS17-010” in Microsoft’s implementation of the Server Message Block (SMB) protocol. Starting from 21 April 2017, security researchers began reporting that computers on which the DOUBLEPULSAR backdoor (another malicious code released by the Shadow Brokers) was installed numbered in the tens of thousands.
By April 25, reports estimated the number of infected computers to be up to several hundred thousand, with numbers varying between 55,000 and nearly 200,000, growing every day. Warnings went out that “some sort of massive attack was imminent”.
On 12 May 2017, WannaCry began affecting computers worldwide. The initial infection might have been either through a vulnerability in the network defenses or a very well-crafted spear phishing attack. When executed, the malware first checks the “kill switch” website. If it is not found, then the ransomware encrypts the computer’s hard disk drive, then attempts to exploit the SMB vulnerability noted above to spread out to random computers on the Internet, and “laterally” to computers on the same Local Area Network (LAN). As with other modern ransomware, the payload displays a message informing the user that files have been encrypted, and demands a payment of $300 in bitcoin within three days.
The Windows vulnerability is not a zero-day flaw, but one for which Microsoft had made available a security patch on 14 March 2017, nearly two months before the attack. The patch was to the SMB protocol used by Windows. Organizations that lacked this security patch were affected for this reason, although there is so far no evidence that any were specifically targeted by the ransomware developers. Any organization still running the older Windows XP was at particularly high risk because, until 13 May, no security patches had been released for it since April 2014. Following the attack, Microsoft released a security patch for Windows XP.
According to the Wired magazine blog over the weekend, affected systems will also have had the DOUBLEPULSAR backdoor installed.
It is speculated that WannaCry first spread through a massive email phishing campaign by which email attachments were used to infect machines. Although another ransomware was spread through messages from a bank about a money transfer around the same time, no evidence for an initial email phishing campaign has been found in this case.
WannaCrypt would then attempt to install via the leaked backdoor DoublePulsar. If that backdoor wasn’t present on the target Windows system, it would attempt to exploit a vulnerability in SMB, an outdated network file sharing protocol.
Then, like any other typical ransomware strain, it would infect the computer and encrypt all its data. Once this process is completed it locks the computer to show a demand for ransom.
It will also attempt to spread to other machines on the same local network and scan the Internet for more vulnerable machines.
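The behaviour described above (scanning TCP 445 across the local network and out to the Internet) is exactly what a defender can look for in connection logs: a single host suddenly talking to many distinct peers on port 445, some of them outside the private address ranges. The following is an added illustration written for this post, not code from the post or from any of the analysts it credits. The log format (ISO timestamp, source, destination, destination port), the five-minute window, the threshold of five distinct peers and the sample lines are all constructed assumptions; the external addresses are documentation ranges, not real infrastructure.

```python
"""Flag hosts showing worm-like SMB fan-out in connection logs.

Added illustration for this post, not code from it: the log format, the
window, the threshold and the sample lines are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO time> <src> <dst> <dst port>" connection attempts.
# 10.0.0.7 fans out to six distinct hosts on 445 within seconds, three of them
# internal and three external (documentation ranges); 10.0.0.9 is a normal
# client talking to one file server; the last line is ordinary web traffic.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.9 10.0.0.20 445
2017-05-12T10:00:02 10.0.0.7 10.0.0.21 445
2017-05-12T10:00:02 10.0.0.7 10.0.0.22 445
2017-05-12T10:00:03 10.0.0.7 10.0.0.23 445
2017-05-12T10:00:03 10.0.0.7 203.0.113.5 445
2017-05-12T10:00:04 10.0.0.7 198.51.100.17 445
2017-05-12T10:00:04 10.0.0.7 192.0.2.44 445
2017-05-12T10:00:05 10.0.0.9 10.0.0.20 445
2017-05-12T10:00:06 10.0.0.7 10.0.0.24 80
"""

# RFC 1918 ranges define "internal" here; Python's is_private also counts the
# documentation ranges as private, which is not what we want for this split.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True if addr falls inside an RFC 1918 private range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_log(text):
    """Yield (time, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            port = int(parts[3])
            ipaddress.ip_address(parts[1])
            ipaddress.ip_address(parts[2])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], port


def smb_fanout(text, window=timedelta(minutes=5), threshold=5):
    """Return {src: {"internal": n, "external": m}} for every source that
    reached at least `threshold` distinct hosts on TCP 445 within one `window`.
    The internal/external split tells the analyst whether the host was only
    sweeping the LAN or also probing the Internet."""
    per_src = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        if port == 445:
            per_src[src].append((ts, dst))
    findings = {}
    for src, events in per_src.items():
        events.sort()
        # Sliding window: for each event as a start point, collect the distinct
        # destinations reached within `window` of it.
        for i, (start, _) in enumerate(events):
            seen = {d for t, d in events[i:] if t - start <= window}
            if len(seen) >= threshold:
                internal = sum(1 for d in seen if is_internal(d))
                findings[src] = {"internal": internal, "external": len(seen) - internal}
                break
    return findings


if __name__ == "__main__":
    for src, counts in smb_fanout(SAMPLE_LOG).items():
        print(f"{src}: {counts['internal']} internal, {counts['external']} external SMB peers")
```

On the sample the only host flagged is 10.0.0.7, with three internal and three external peers; a file server that many clients connect to is never flagged, because the logic counts distinct destinations per source, not connections per destination. In practice the threshold and window should be tuned against a baseline of the environment's normal SMB traffic (backup agents and vulnerability scanners will legitimately fan out on 445).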
The ransomware campaign was unprecedented in scale according to Europol. And many cyber experts told me that while the attack appears to be “low-level” stuff, given the ransom demands of $300, this could be the precursor to an attack on crucial infrastructure, like nuclear power plants, dams or railway systems.
Now … everybody can play!
I have written a number of posts about the continuation of a trend called “democratization of digital skills” with hacking becoming available to average people through downloadable, inexpensive software, much of which is on display at hacker events like Black Hat and DefCon in Las Vegas every year.
There is so much common knowledge out there. I once wrote about the vulnerabilities in phone switches – SS7 switches, for those who like jargon – that have been long used by the NSA to locate cell phones. This same technology is sold by the U.S. company Verint and by the UK company Cobham to third-world governments, and hackers have demonstrated the same capabilities at numerous technology conferences. An eavesdropping capability that was built into phone switches to enable lawful intercepts was used by still unidentified unlawful intercepters in the Middle East last year.
Because modern computer technology is inherently democratizing. Today’s NSA secrets … in those rare instances these days when they can remain secret … become tomorrow’s PhD theses and the next day’s hacker tools. As long as we’re all using the same computers, phones, social networking platforms, and computer networks, a vulnerability that allows us to spy also allows us to be spied upon. And hacked.
And now the advent of these new tools that come “right out of the box” and need only a simple set-up instruction: you can wrap victims’ data with tough encryption technology, hard-to-trace digital currency like Bitcoin, and even online sites that offer to do the data ransoming in return for a piece of the action, making this method of cybertheft much easier. You simply don’t even need to have any coding skills to do this anymore.
Ransomware has allowed people who are not computer experts to become computer thieves. It used to be that hackers had to be a little creative and skilled to get money out of people. No longer. Lee Mathers told me:
Four years ago, investigators were pursuing roughly 16 variants of ransomware that were predominantly being used on victims in Eastern Europe. Now there are dozens of types of ransomware, all turn-key, simple to use.
I was on the DarkWeb all weekend following the new “ransomware as a service” – a clever play on the Silicon Valley jargon “software as a service” which describes the delivery of software over the internet. There is an entire underground “support” industry out there.
And let’s lay some blame on intelligence policy
As I noted above, the malware unleashed on Friday appears to be spreading by exploiting a bug codenamed ETERNALBLUE that was discovered by, hoarded by and eventually stolen from the NSA.
This event happened due to issues that have developed over many years in the intelligence and security communities. It’s complex, not easily simplified. But one big “thing” is how governments understand the term “cyber warfare” – a term that has spread rapidly throughout government … much like a virus … over the past 20 years. No, not the last 5 years. More like 20 years. Read John Hughes-Wilson’s On Intelligence and you’ll get the history, some perspective – pretty much all you need to establish a base for understanding all of this.
When I did my short stint in the Marine Corps I was fortunate that part of it was in Naval Intelligence. We did not talk about “cyber” way back then (the early 1970s). We talked about basic asymmetry, the very key to the concept of war: the side with the better weapons, defences and tactics should normally win.
The big problem is that cyber warfare is totally different to normal warfare, in fact it’s so different that calling it warfare at all is meaningless. Yet governments still talk about it as if it was the same. In regular warfare you can build up your own defenses without improving your opponent’s defenses, and you can develop new weapons that your opponents will not have.
But cyber warfare doesn’t work like that. Because everyone uses the same software infrastructure, and the “weapons” are nothing more than weaknesses in that global infrastructure, building up your own defenses by fixing problems inherently builds up your opponents’ defenses too. And developing new “weapons” is only possible if your opponents are able to develop the very same weapons for themselves, by exploiting the very same vulnerabilities in your country that you are exploiting in theirs.
Successful spying is invisible and undetected. The infiltration of critical national infrastructure by enemies of the state happens quietly and without anyone realizing until it’s too late. A successful penetration of someone else’s infrastructure yields an unforgettable intelligence report that makes the government feel successful and in control. A successful penetration of your infrastructure yields nothing visible at all.
The NSA found a security hole in Microsoft software and rather than doing the decent thing and contacting Microsoft they kept it to themselves and exploited it for the purposes of spying. Then they themselves got hacked.
In all likelihood, NSA headquarters was not hacked, but rather one of the computers the agency uses to plan and execute attacks was compromised. One cyber contact told me that the NSA often lurks on systems that are supposed to be controlled by others, and it’s possible someone at the agency took control of a server and failed to clean up after themselves. A regime, hacker group, or intelligence agency could have seized the files. And the opportunity to embarrass the agency.
It’s because the NSA outsources to private companies – “intelligence professionals” – the bulk of its actual analytical and targeting work.
NOTE: those of you on our job listserv for cyber positions have noted the phrase “experience with a Fort Meade customer” as a necessary skill. The Fort Meade customer is the NSA.
The reason for all of this outsourcing is that the NSA can’t build or find the skills inside. As one of my cyber contacts said:
If you want to have a good cyber offensive capability you need a new arsenal of exploits. You need a fresh supply of weaponised exploits, which builds a demand in the market. A lack of skilled cyber security professionals is an ongoing concern within both the European and U.S. IC communities. So you need to go outside.
And security at many of these private firms is not – shall we say – “robust”.
For the U.S., the situation can only get worse. No country has come close to the U.S. in harnessing the power of computer networks to create and share knowledge, produce economic goods, intermesh private and government computing infrastructure (including telecommunications and wireless networks), carry data and multimedia communications over all manner of technologies, and control all manner of systems for power and energy distribution, transportation, manufacturing, etc. – which leaves the U.S. as the technology ecosystem most vulnerable to those who can steal, corrupt, harm, and destroy public and private assets, at a pace often found unfathomable.