from the shadow-brokers-strike-back dept.
NSA-created cyber tool spawns global ransomware attacks
Leaked alleged NSA hacking tools appear to be behind a massive cyberattack disrupting hospitals and companies across Europe, Asia and the U.S., with Russia among the hardest-hit countries.
The unique malware causing the attacks - which has spread to tens of thousands of companies in 99 countries, according to the cyber firm Avast - have forced some hospitals to stop admitting new patients with serious medical conditions and driven other companies to shut down their networks, leaving valuable files unavailable.
The source of the world-wide digital assault seems to be a version of an apparent NSA-created hacking tool that was dumped online in April by a group calling itself the Shadow Brokers. The tool, a type of ransomware, locks up a company's networks and holds files and data hostage until a fee is paid. Researchers said the malware is exploiting a Microsoft software flaw.
One or more anti-virus companies may have been hacked prior to WannaCrypt infecting 75000 Microsoft Windows computers in 99 countries. First, anti-virus software like Avast fails to make HTTP connections. Second, five million of ransomware emails are rapidly sent. Although many centralized email servers were able to stem the onslaught, many instances of anti-virus software had outdated virus definitions and were defenseless against the attack. Indeed, successful attacks were above 1%. Of these, more than 1% have already paid the ransom. Although various governments have rules (or laws) against paying ransom, it is possible that ransoms have been paid to regain access to some systems.
Also, file scrambling ransomware has similarities to REAMDE by Neal Stephenson. Although the book is extremely badly written, its scenarios (offline and online) seem to come true with forceful regularity.
Telefónica reportedly affected. NHS failed to patch computers which affected US hospitals in 2016. 16 divisions of the UK's NHS taken offline with aid of NSA Fuzzbunch exploit. The fun of a public blockchain is that ransom payments of £415,000 have been confirmed. Cancellation of heart surgery confirmed. Doctors unable to check allergies or prescribe medication. Patient access to emergency treatment denied in part due to hospital telephone exchange being offline.
It also appears that one of the affected parties refused to answer a Freedom of Information request in Nov 2016 about cyber-security due to impact on crime detection. Similar parties provided responses to the same request.
UK National Health Service Paralysed by Windows Ransomware Attack
The Guardian and the BBC report respectively about a large-scale ransomware attack on its Microsoft Windows computer systems in England and Scotland. This particular piece of malware is called "WanaCryp0r 2.0" or WannaCry and encrypts the PC's hard disk and demands bitcoin to decrypt it.
About 40 hospitals, GP surgeries and other NHS organisations are affected. Patients have had operations cancelled, ambulances have been diverted and wards have been closed.
From one of the Guardian reports:
According to one junior doctor who works in a London hospital, the attack left hospitals struggling to care for people. "However much they pretend patient safety is unaffected, it's not true. At my hospital we are literally unable to do any x-rays, which are an essential component of emergency medicine."
The NHS has stressed that patients' electronic medical records have not been compromised.
A major ransomware attack has been reported, with targets including banks and NHS Trusts all being hit.
According to Russia Today, a number of NHS employees have been reported as being hit by the ransomware, while one user posted on Twitter a screenshot of the ransomware which asks for "$300 worth of Bitcoin".
Australian Brodcast Corporation reports:
'Biggest ransomware outbreak in history' hits nearly 100 countries with data held for ransom
A global cyberattack has hit international shipper FedEx, disrupted Britain's health system and infected computers in nearly 100 countries.
The ransomware attack hit Britain's health service, forcing affected hospitals to close wards and emergency rooms with related attacks also reported in Spain, Portugal and Russia. [...] [the attack] is believed to have exploited a vulnerability purportedly identified for use by the US National Security Agency (NSA) and later leaked to the internet. [...] Private security firms identified the ransomware as a new variant of "WannaCry"[pt] that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft's Windows operating system.
[...] Leading international shipper FedEx Corp said it was one of the companies whose system was infected with the malware that security firms said was delivered via spam emails.
[...] Only a small number of US-headquartered organisations were infected because the hackers appear to have begun the campaign by targeting organisations in Europe, a research manager with security software maker Symantec said. By the time they turned their attention to US organisations, spam filters had identified the new threat and flagged the ransomware-laden emails as malicious, Vikram Thakur said.
Also at WLTX: Massive, Fast-moving Cyberattack Hits 74 Countries
Shadow Brokers Flaw Used in Ransomware
The Los Angeles Times reports that a security bug in Microsoft Windows, made public when the Shadow Brokers released exploits claimed to have been taken from the NSA, is being used in ransomware. According to the story, a patch for the bug was released by Microsoft in March.
The Spanish government said several companies, including Telefonica, were targeted [...] a message that was purportedly sent to workers at Telefonica carried a subject line referencing a wire transfer and asked them to check a website for more details. That link — when launched on a Windows computer suffering from the vulnerability discovered by the NSA — unleashed the program that rendered files inaccessible.
As recently as last week, about 1.7 million computers connected to the Internet were susceptible to such an attack [...]
Among the organisations compromised by the ransomware were the UK's National Health Service and Russia's Interior Ministry.
Related: Windows Servers at Risk [UPDATED]
"Shadow Brokers" Release the Rest of Their NSA Hacking Tools
Former NSA Contractor May Have Stolen 75% of TAO's Elite Hacking Tools
The Shadow Brokers Identify Hundreds of Targets Allegedly Hacked by the NSA
NSA Contractor Accused of "Stealing" Terabytes of Information, Charged Under Espionage Act
Probe of Leaked U.S. NSA Hacking Tools Examines Operative's `Mistake'
Cisco Begins Patching an NSA Exploit Released by the Shadow Brokers
NSA `Shadow Brokers' Hack Shows SpyWar With Kremlin is Turning Hot
"The Shadow Brokers" Claim to Have Hacked NSA
A group is claiming that they hacked the NSA and obtained advanced malware and hacking tools (such as Stuxnet):
A mysterious hacker or hackers going by the name "The Shadow Brokers" claims to have hacked a group linked to the NSA and dumped a bunch of its hacking tools. In a bizarre twist, the hackers are also asking for 1 million bitcoin (around $568 million) in an auction to release more files.
"Attention government sponsors of cyber warfare and those who profit from it!!!!" the hackers wrote in a manifesto posted on Pastebin, on GitHub, and on a dedicated Tumblr. "How much you pay for enemies cyber weapons? [...] We find cyber weapons made by creators of stuxnet, duqu, flame."
The hackers referred to their victims as the Equation Group, a codename for a government hacking group widely believed to be the NSA.
Also at Computerworld:
The whole episode screams elaborate SCAM, but maybe it is legit as Twitter chatter by some security experts seem to lean toward believing it. On the flipside, it doesn't appear as if many trust it enough yet to have coughed up bitcoins. Other hackers are suggesting the auction is made up of really old vulnerabilities; this is partially based on the "free" files being offered by Shadow Broker as proof of hacking the Equation Group. Or it could be a mix, old and new, to keep everyone off-balance. Another oddity, pointed out in a Pwn All The Things tweet, is that the "free sample" file size is actually larger than the auction file size.
Yet security pro Matt Suiche dived into the free files offered by Shadow Broker, then took to Medium to say, "Most of the code appears to be batch scripts and poorly coded Python scripts. Nonetheless, this appears to be legitimate code." Suiche said the main targets in the dump he reviewed "appeared to be Fortigate, TopSec, Cisco and Juniper firewalls." He described some of the codenamed-exploits such as Eligible Bachelor, Extra Bacon and Banana Glee. The latter, he pointed out, is "particularly interesting because it allows references to the JETPLOW explanation from the 2014 NSA's Tailored Access Operations (TAO) catalog."
This review contains spoilers.
I thought I'd got a remaindered, 1000 page, hardback book, from a prominent author, at an absolute bargain price because the publisher made a typo on the cover. Unfortunately, that typo is deliberate. It was made by one of the characters in the book and gets propagated widely in malware.
I read this book to the end so that I could provide a fair review for SoylentNews but I really wish that I hadn't. At around the 75% mark, I wanted to abandon the book. Around the 95% mark, I was more interested in my bookmark than the book itself. The problem is that the book is too detailed and yet not detailed enough. The plot flips from a semi-autobiographical character to a dodgy Scottish accountant for the Russian Mafia to a needlessly exotic Black, Welsh, lesser-known contemporary of Osama bin Laden. Internal motive is rarely explained and therefore Welsh's Islamic subjugation of another needlessly exotic character makes her seem like a really irritating Mary Sue when it should have been a highly researched study of cultural belief.
Until reading What ISIS Really Wants, I thought the book would have benefited highly from Mary Sue being killed in the first half. Either way, it may be beneficial to read this book while referring to an atlas. It certainly seems to be written that way.
"It's certainly possible that an NSA [National Security Agency] hacker goofed massively and left files in the wrong place at the wrong time. Human error can never be ruled out. Russian cybersleuths carefully watch for possible NSA operations online—just as we look for theirs—and even a single slip-up with Top Secret hacking tools could invite a disastrous compromise.
However, it's far more likely that this information was stolen by an insider. There's something fishy about the official story here. It's far-fetched to think a small group of unknown hackers could infiltrate NSA. Furthermore, explained a former agency scientist, the set-up implied in the account given by The Shadow Brokers makes little sense: "No one puts their exploits on a [command-and-control] server...That's not a thing." In other words, there was no "hack" here at all.
It's much more plausible that NSA has a Kremlin mole (or moles) lurking in its ranks who stole this information and passed it to Russian intelligence for later use. This isn't surprising, since NSA has known since at least 2010 of one or more Russian moles in its ranks and agency counterintelligence has yet to expose them."
Cisco Systems has started releasing security patches for a critical flaw in Adaptive Security Appliance (ASA) firewalls targeted by an exploit linked to the U.S. National Security Agency. The exploit, dubbed ExtraBacon, is one of the tools used by a group that the security industry calls the Equation, believed to be a cyberespionage team tied to the NSA.
ExtraBacon was released earlier this month together with other exploits by one or more individuals who use the name Shadow Brokers. The files were provided as a sample of a larger Equation group toolset the Shadow Brokers outfit has put up for auction.
[...] There is a second Equation exploit in the Shadow Brokers leak that targets ASA software. It is called EpicBanana and exploits a vulnerability that Cisco claims was patched back in 2011 in version 8.4(3). Nevertheless, the company published a new advisory for the flaw in order to increase its visibility. A third exploit, BenignCertain, affects legacy Cisco PIX firewalls that are no longer supported. Cisco investigated the exploit and said only versions 6.x and earlier of the PIX software are affected. Users who still have such devices on their networks should make sure they're running software versions 7.0 and later, which are not affected.
There is speculation that the hacks are actually leaks from a "second (third?) Snowden". A linguistic analysis of the "broken English" used by the Shadow Brokers determined that the text was written by someone pretending to not know English.
Arthur T Knackerbracket has found the following story:
The tools, which enable hackers to exploit software flaws in computer and communications systems from vendors such as Cisco Systems and Fortinet Inc, were dumped onto public websites last month by a group calling itself Shadow Brokers.
The public release of the tools coincided with U.S. officials saying they had concluded that Russia or its proxies were responsible for hacking political party organizations in the run-up to the Nov. 8 presidential election. On Thursday, lawmakers accused Russia of being responsible.
Various explanations have been floated by officials in Washington as to how the tools were stolen. Some feared it was the work of a leaker similar to former agency contractor Edward Snowden, while others suspected the Russians might have hacked into NSA headquarters in Fort Meade, Maryland.
But officials heading the FBI-led investigation now discount both of those scenarios, the people said in separate interviews.
NSA officials have told investigators that an employee or contractor made the mistake about three years ago during an operation that used the tools, the people said.
That person acknowledged the error shortly afterward, they said. But the NSA did not inform the companies of the danger when it first discovered the exposure of the tools, the sources said. Since the public release of the tools, the companies involved have issued patches in the systems to protect them.
Investigators have not ruled out the possibility that the former NSA person, who has since departed the agency for other reasons, left the tools exposed deliberately. Another possibility, two of the sources said, is that more than one person at the headquarters or a remote location made similar mistakes or compounded each other's missteps.
Representatives of the NSA, the Federal Bureau of Investigation and the office of the Director of National Intelligence all declined to comment.
Federal prosecutors have charged former NSA contractor Harold T. Martin III under the Espionage Act:
Harold T. Martin III is expected to appear at a federal courthouse in Baltimore on Friday for a hearing to consider whether he should remain in U.S. custody, as prosecutors announced in a court filing that they plan to file Espionage Act charges against him.
The FBI is investigating whether Martin may have transferred six bankers boxes' worth of paper documents and 50,000 gigabytes of electronic materials to anyone else, according to documents filed Thursday. So far, investigators said they have not found any connection to a foreign power. Martin's public defenders, James Wyda and Deborah Boardman, have said that he presents no flight risk and that "there's no evidence he intended to betray his country."
Martin, a former Navy reservist, has been in federal custody since late August. That's when FBI agents executed search warrants at his suburban Maryland home, uncovering what they describe as "overwhelming" proof he mishandled classified information. Among the materials they found: the personal information of government employees and a top-secret document "regarding specific operational plans against a known enemy of the United States and its allies," according to the court filing.
The trove of information reportedly includes hacking tools that were recently offered for sale by a group that calls itself The Shadow Brokers.
12-page court filing: United States of America v. Harold T. Martin, III
"TheShadowBrokers is having special trick or treat for Amerikanskis tonight," said the Monday morning post, which was signed by the same encryption key used in the August posts. "Many missions into your networks is/was coming from these ip addresses." Monday's leak came as former NSA contractor Harold Thomas Martin III remains in federal custody on charges that he hoarded an astounding 50 terabytes of data in his suburban Maryland home. Much of the data included highly classified information such as the names of US intelligence officers and highly sensitive methods behind intelligence operations. Martin came to the attention of investigators looking into the Shadow Brokers' August leak. Anonymous people with knowledge of the investigation say they don't know what connection, if any, Martin has to the group or the leaks.
[...] According to analyses from researchers here and here, Monday's dump contains 352 distinct IP addresses and 306 domain names that purportedly have been hacked by the NSA. The timestamps included in the leak indicate that the servers were targeted between August 22, 2000 and August 18, 2010. The addresses include 32 .edu domains and nine .gov domains. In all, the targets were located in 49 countries, with the top 10 being China, Japan, Korea, Spain, Germany, India, Taiwan, Mexico, Italy, and Russia. Vitali Kremez, a senior intelligence analyst at security firm Flashpoint, also provides useful analysis here. [...] Other purported NSA tools discussed in Monday's dump have names including DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK, AND STOCSURGEON. Little is immediately known about the tools, but the specter that they may be implants or exploits belonging to the NSA is understandably generating intrigue in both security and intelligence circles.
"The Shadow Brokers" Claim to Have Hacked NSA
NSA 'Shadow Brokers' Hack Shows SpyWar With Kremlin is Turning Hot
Cisco Begins Patching an NSA Exploit Released by the Shadow Brokers
Probe of Leaked U.S. NSA Hacking Tools Examines Operative's 'Mistake'
NSA Contractor Harold Martin III Arrested
NSA Contractor Accused of "Stealing" Terabytes of Information, Charged Under Espionage Act
On Monday, The Washington Post reported one of the most stunning breaches of security ever. A former NSA contractor, the paper said, stole more than 50 terabytes of highly sensitive data. According to one source, that includes more than 75 percent of the hacking tools belonging to the Tailored Access Operations. TAO is an elite hacking unit that develops and deploys some of the world's most sophisticated software exploits.
Attorneys representing Harold T. Martin III have previously portrayed the former NSA contractor as a patriot who took NSA materials home so that he could become better at his job. Meanwhile, investigators who have combed through his home in Glen Burnie, Maryland, remain concerned that he passed the weaponized hacking tools to enemies. The theft came to light during the investigation of a series of NSA-developed exploits that were mysteriously published online by a group calling itself Shadow Brokers.
[...] An unnamed US official told the paper that Martin allegedly hoarded more than 75 percent of the TAO's library of hacking tools. It's hard to envision a scenario under which a theft of that much classified material by a single individual would be possible.
Last August, an unknown group called the Shadow Brokers released a bunch of NSA tools to the public. The common guesses were that the tools were discovered on an external staging server, and that the hack and release was the work of the Russians (back then, that wasn't controversial). This was me:
Okay, so let's think about the game theory here. Some group stole all of this data in 2013 and kept it secret for three years. Now they want the world to know it was stolen. Which governments might behave this way? The obvious list is short: China and Russia. Were I betting, I would bet Russia, and that it's a signal to the Obama Administration: "Before you even think of sanctioning us for the DNC hack, know where we've been and what we can do to you."
They published a second, encrypted, file. My speculation:
They claim to be auctioning off the rest of the data to the highest bidder. I think that's PR nonsense. More likely, that second file is random nonsense, and this is all we're going to get. It's a lot, though.
EQGRP-Auction-Files is CrDj"(;Va.*NdlnzB9M?@K2)#>deB7mN
-- submitted from IRC
[UPDATED 2017-04-17] Ars Technica reports that Mysterious Microsoft patch killed 0days released by NSA-leaking Shadow Brokers — Microsoft fixed critical vulnerabilities in uncredited update released in March.:
Contrary to what Ars and the rest of the world reported Friday, none of the published exploits stolen from the National Security Agency work against currently supported Microsoft products. This is according to a Microsoft blog post published late Friday night.
That's because the critical vulnerabilities for four exploits previously believed to be zerodays were patched in March, exactly one month before a group called Shadow Brokers published Friday's latest installment of weapons-grade attacks. Those updates—which Microsoft indexes as MS17-010, CVE-2017-0146, and CVE-2017-0147—make no mention of the person or group who reported the vulnerabilities to Microsoft. The lack of credit isn't unprecedented, but it's uncommon, and it's generating speculation that the reporters were tied to the NSA. In a vaguely worded statement issued Friday, Microsoft seemed to say it had had no contact with NSA officials concerning any of the exploits contained in Friday's leak.
Original story follows:
The "Shadow Brokers" released files that purport to expose vulnerabilities in Windows and especially in Windows Server.
Numerous Windows hacking tools are also among the new batch of files the Shadow Brokers dumped Friday. In recent months, the mysterious group has been releasing hacking tools allegedly taken from the NSA, and security researchers say they actually work.
Marcus Hutchins, the 23-year-old British security researcher who was credited with stopping the WannaCry outbreak in its tracks by discovering a hidden "kill switch" for the malware, has been arrested by the FBI over his alleged involvement in another malicious software targeting bank accounts.
According to an indictment released by the US Department of Justice on Thursday, Hutchins is accused of having helped to create, spread and maintain the banking trojan Kronos between 2014 and 2015.
The Kronos malware was spread through emails with malicious attachments such as compromised Microsoft word documents, and hijacks credentials like internet banking passwords to let its user steal money with ease.
[...] Hutchins, better known online by his handle MalwareTech, had been in Las Vegas for the annual Def Con hacking conference, the largest of its kind in the world. He was at the airport preparing to leave the country when he was arrested, after more than a week in the the city without incident.
Also covered by the BBC: NHS cyber-defender Marcus Hutchins charged in US.
Cybersecurity researchers at Symantec Corp. and FireEye Inc. have uncovered more evidence tying this month's WannaCry global ransomware attacks to North Korea.
The cyberattack that infected hundreds of thousands of computers worldwide was "highly likely" to have originated with Lazarus, a hacking group linked to the reclusive state, Symantec said. The software used was virtually identical to versions employed in attacks earlier this year attributed to the same agency, the company said in a report late Monday. FireEye on Tuesday agreed WannaCry shared unique code with malware previously linked to North Korea. "The shared code likely means that, at a minimum, WannaCry operators share software development resources with North Korean espionage operators," Ben Read, a FireEye analyst, said in an emailed statement.
[...] The initial attack was stifled when a security researcher disabled a key mechanism used by the worm to spread, but experts said the hackers were likely to mount a second attack because so many users of personal computers with Microsoft operating systems couldn't or didn't download a security patch released in March labeled "critical."
Here's a screenshot of Wana Decrypt0r 2.0. Note the Wikipedia licensing section.
Previously: Security In 2017: Ransomware Will Remain King
"Biggest Ransomware Attack in History" Hits Around 100 Countries, Disrupts UK's NHS
WannaCrypt Ransomware Variant -- Lacking Kill Switch -- Seen in Wild [Updated]
Decryption Utility for WannaCry is Released
[Update at 20170515_022452 UTC: Instructions for what to do on each affected version of Windows can be found at: https://www.askwoody.com/2017/how-to-make-sure-you-wont-get-hit-by-wannacrywannacrypt/ -- I've had excellent luck in the past following his advice on when and how to update Windows. Clear, hands-on instructions are a big win in my book. --martyb]
tl;dr: If you have not already patched your Windows computer(s), you may be at risk from a new variant of the WannaCrypt ransomware worm which lacks a kill switch and was seen over the weekend. Sysadmins are preparing for a busy Monday when countless other users return to work and boot up their PC.
WannaCrypt (aka WCry), is a ransomware worm that wreaked havoc across the internet this past weekend. It disabled Windows computers at hospitals, telecoms, FedEx, and banks (among many others). Files on user's machines were encrypted and the worm demanded $300 or $600 worth of Bitcoin to decrypt (depending on how quickly you responded). Reports first surfaced Friday night and were stopped only because a researcher discovered a domain name in the code, which when registered, caused the malware to stop infecting new machines.
We're not out of the woods on this one. Not surprisingly, a variant has been seen in the wild over the weekend which has removed the domain check. Just because you may not have been hit in the initial wave of attacks does not necessarily mean you are immune.
Back in March, Microsoft released updates to Windows to patch vaguely-described vulnerabilities. Approximately one month later, a dump of purported NSA (National Security Agency) hacking tools were posted to the web. The WannaCrypt ransomware appears to be based on one of those tools. Surprisingly, the Microsoft patches blocked the vulnerability that was employed by WannaCrypt.
In a surprising move, Microsoft has just released emergency patches for out-of-mainstream-support versions of Windows (XP, 8, and Server 2003) to address this vulnerability.
Sources: Our previous coverage linked above as well as reports from the BBC Ransomware cyber-attack threat escalating - Europol, Motherboard Round Two: WannaCrypt Ransomware That Struck the Globe Is Back, and Ars Technica WCry is so mean Microsoft issues patch for 3 unsupported Windows versions.
What actions, if any, have you taken to protect your Windows machine(s) from this threat? How up-to-date are your backups? Have you tested them? If you are a sysadmin, how concerned are you about what you will be facing at work on Monday?
Various news outlets report the release of
Wannakey, a decryption utility for files encrypted by the WannaCry ransomware. According to the author of the software, it "has only been tested and known to work under Windows XP."
From the Wired article noted below:
Now one French researcher says he's found at least a hint of a very limited remedy. The fix still seems too buggy, and far from the panacea WannaCry victims have hoped for. But if Adrien Guinet's claims hold up, his tool could unlock some infected computers running Windows XP, the aging, largely unsupported version of Microsoft's operating system, which analysts believe accounts for some portion of the WannaCry plague.
[...] Guinet says he's successfully used the decryption tool several times on test XP machines he's infected with WannaCry. But he cautions that, because those traces are stored in volatile memory, the trick fails if the malware or any other process happened to overwrite the lingering decryption key, or if the computer rebooted any time after infection.