Security Bulletin #111 – 23 May 2017
Keys for Crysis released, as efforts to decrypt WannaCryptor files continue
While the entire cybersecurity world is focusing on WannaCryptor ransomware and ways to help its victims, someone has released 200 master keys for the latest variants of another notorious ransomware family (detected by our systems as Win32/Filecoder.Crysis), namely those that add the .wallet and .onion extensions to the affected files. Based on this information, experts have been able to prepare an ESET Crysis decrypting tool. Victims who still have their encrypted files can now download the decryptor from the utilities page.
The cybersecurity community is trying to find a way to decrypt files hit by Win32/WannaCryptor.D ransomware, and there have been some advances in this field, notably thanks to Adrien Guinet, who published a tool called wannakey that is able to perform RSA key recovery on some Windows XP machines. This has led to the creation of another tool named wanakiwi, which works for some users of newer Windows versions, up to Windows 7. However, there is one condition for this to work: the machine must not have been rebooted after being infected. Without a reboot, and with some luck, the prime numbers used to generate a WannaCryptor secret key might still be present in memory.
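The memory-scan idea behind wannakey and wanakiwi, as an added illustration rather than the tools' own code: the modulus is known from the victim's public key, so a leftover prime factor in process memory can be identified by trial division and the private exponent rebuilt from it. The key is a constructed toy (two Mersenne primes, 16-byte fields in place of the 128-byte CryptoAPI fields of an RSA-2048 key) and the memory snapshot is constructed as well.

```python
# Constructed toy key: two Mersenne primes stand in for the 1024-bit factors of
# an RSA-2048 modulus; 16-byte little-endian fields mirror the 128-byte fields
# CryptoAPI uses for p and q, which is the shape the real tools scan for.
P = (1 << 107) - 1          # constructed prime factor (Mersenne prime M107)
Q = (1 << 127) - 1          # constructed prime factor (Mersenne prime M127)
N = P * Q                   # public modulus, readable from the public key blob
E = 65537                   # public exponent
FIELD = 16                  # bytes per prime in this toy (128 for RSA-2048)

# Constructed process-memory snapshot: zero pages, unrelated data, and one stale
# copy of P that survived because the freed key material was never wiped.
FAKE_MEMORY = (b"\x00" * 24 + b"PUBLICKEYBLOB-ish junk" + b"\x00" * 8
               + P.to_bytes(FIELD, "little")       # leaked prime, never zeroed
               + b"A" * 40)


def scan_for_prime_factor(memory, n, width):
    """Slide a width-byte window over memory; return (offset, value) of the
    first little-endian integer that is a non-trivial divisor of n, else None.
    Because n has exactly two prime factors, only p or q can pass this test."""
    for off in range(len(memory) - width + 1):
        cand = int.from_bytes(memory[off:off + width], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None


def rebuild_private_exponent(n, e, p):
    """Recover q = n / p and the private exponent d from one leaked prime."""
    q, rem = divmod(n, p)
    if rem != 0:
        raise ValueError("p does not divide n")
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)      # modular inverse; needs Python 3.8+


def recover_key(memory, n, e, width):
    """Full pipeline: find a leaked prime, derive d, return (p, q, d) or None."""
    hit = scan_for_prime_factor(memory, n, width)
    if hit is None:
        return None             # memory was reused or the machine rebooted
    _, p = hit
    d = rebuild_private_exponent(n, e, p)
    return p, n // p, d


if __name__ == "__main__":
    p, q, d = recover_key(FAKE_MEMORY, N, E, FIELD)
    msg = 0x5EC2E7               # constructed plaintext, smaller than N
    print("recovered p matches:", p == P)
    print("decrypts correctly:", pow(pow(msg, E, N), d, N) == msg)
```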
At least 3 different groups had been leveraging the NSA EternalBlue exploit weeks before the WannaCry attacks
In recent days, security experts have discovered numerous attacks leveraging the same EternalBlue exploit used by the notorious WannaCry ransomware. The Shadow Brokers hacker group revealed the exploit for the SMB vulnerability in April, but according to malware researchers other threats have used it, such as the Adylkuzz botnet, which has been active since April 24. Security experts at Cyphort found evidence on a honeypot server that threat actors in the wild were already exploiting the SMB flaw in early May to deliver a stealthy Remote Access Trojan (RAT) instead of ransomware. Once it has infected a system, the malicious code closes port 445 to prevent other malware from abusing the same SMB flaw; this suggests the attacker was aware of the EternalBlue vulnerability. Secdo claims to have found evidence of ransomware abusing the EternalBlue flaw weeks before WannaCry emerged. Recently, experts at Heimdal discovered the UIWIX ransomware, a fileless malware exploiting the EternalBlue vulnerability. Like WannaCry, UIWIX exploits the same vulnerability in the Windows SMB protocol, but the new threat is able to run in the memory of the infected system after exploiting EternalBlue. In late April, experts at Secdo also discovered another attack exploiting the EternalBlue vulnerability; it was associated with a Chinese threat actor that used a botnet to distribute a backdoor. In summary, at least 3 different groups had been leveraging the NSA exploit weeks before WannaCry. This means that a significant portion of the security community either failed to monitor the threat or failed to share information about the attacks they had observed. The success of the EternalBlue attacks is a failure of our current model of cyber security.
Experts discovered that the Terror Exploit Kit (EK) now includes fingerprinting capabilities
According to Talos researchers, recent changes made to the Terror exploit kit (EK) allow it to fingerprint victims and target specific vulnerabilities instead of carpet-bombing them with many exploits at the same time. The Terror Exploit Kit first appeared in the threat landscape in January 2017; in April, experts observed a significant increase in hacking campaigns leveraging it. The Terror Exploit Kit has been improved with new exploits and now implements fingerprinting abilities, which allow the EK to determine which exploit to use in order to compromise the target system. The new variant is able to determine the specific OS running on the victim's PC, the browser version, installed security patches and plugins.
Current Alerts
CERTFR-2017-ALE-008: Multiple vulnerabilities in Microsoft Windows XP and Windows Server 2003 (15 May 2017)
Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-008.pdf
CERTFR-2017-ALE-011: Jaff unsolicited e-mail campaign (14 May 2017)
Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-011.pdf
CERTFR-2017-ALE-010: Propagation of ransomware exploiting the MS17-010 vulnerabilities (12 May 2017)
Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-ALE-010.pdf
Patches
CERTFR-2017-AVI-162: Multiple vulnerabilities in the SUSE Linux kernel (22 May 2017)
Link: http://cert.ssi.gouv.fr/site/CERTFR-2017-AVI-162.pdf