Baltimore Encoded: RobbinHood

For the last month, the city of Baltimore has been dealing with a ransomware variant called RobbinHood. The ransomware author is asking for 100,000 dollars to decrypt the city's files. As explained previously on this blog, ransomware is a type of malware that infects a system and encrypts the files on the infected endpoint. Once the encryption finishes, a ransom note is left instructing the user how to pay for the decryption key. If an organization has not followed proper security controls and kept offline backups of its critical systems, its data may be lost for good unless it pays the ransom. Unfortunately, many victims of this type of malware have learned this the hard way.

Baltimore is not the first city to deal with this type of attack. Atlanta suffered a similar incident in 2018 at the hands of the SamSam ransomware, which has been attributed to Iranian operators. The Baltimore attack does not appear to be the work of the SamSam group.

A recent media article insisted that RobbinHood made use of EternalBlue, the SMB exploit developed by the NSA. (EternalBlue is sometimes confused with Stuxnet, the 2010 attack against Iran's nuclear program that some consider the first cyber weapon; the two are unrelated, and more on Stuxnet will come in a later blog post.) Brian Krebs of "Krebs on Security" has reported that it is not likely that RobbinHood uses the EternalBlue exploit (Krebs, 2019). Because of the media report that this exploit was used, some have argued that the attack is the NSA's fault and that the federal government should be held responsible for it.

I'm going to stray away from the explanation of the ransomware for a second because I think something needs to be discussed. Microsoft patched the SMBv1 vulnerability (MS17-010) in March 2017, a month before the Shadow Brokers leaked the EternalBlue exploit; the WannaCry and NotPetya attacks followed in May and June of that year, hitting systems that had still not applied the patch. While the NSA discovering the vulnerability and holding the exploit for its own use did create the opportunity for these attacks, it is in no way the NSA's responsibility that a municipality would allow its systems to go unpatched against a very well-known vulnerability two years later. We can argue the ethics of the NSA stockpiling exploits, but that does not change the fact that Baltimore did not patch a well-known vulnerability. –End rant

BleepingComputer has a great article that I would recommend to anyone interested in how this ransomware works: https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/.

Essentially, the tl;dr is that RobbinHood disconnects all network shares on execution, which suggests it is pushed to each machine, likely through a domain controller, rather than spreading itself. The ransomware then looks for an RSA key in C:\Windows\Temp; if the key is present, it shuts down services such as antivirus, database and mail servers that would interfere with encryption. During this preparation stage it also deletes shadow copies, clears event logs and disables Windows automatic repair. Once preparation is complete, the malware begins encrypting the files on the endpoint, and when it finishes a message appears that explains to the user how to decrypt their data. The surprising thing to me is that the message explains asymmetric encryption to the user.
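As an added example (mine, not code from the original post or from the RobbinHood analysis), the detection logic below runs over a handful of constructed process-creation events and flags a host that performs several of the preparation steps described above within a short window. The command lines it looks for are the usual ways these actions are performed on Windows (vssadmin, wmic, wevtutil, bcdedit, net use, net stop, taskkill); the post does not list RobbinHood's exact commands, so the rule set is an assumption, and the sample events are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Preparation steps a ransomware payload typically performs before encrypting,
# keyed to the command lines usually used for them on Windows. This rule set is
# an assumption for the example, not a list taken from RobbinHood itself.
RULES = {
    "share_disconnect":     re.compile(r"\bnet(\.exe)?\s+use\s+\*\s+/delete", re.I),
    "service_stop":         re.compile(r"\b(net(\.exe)?\s+stop\s+\S|sc(\.exe)?\s+stop\s+\S|taskkill(\.exe)?\s.*?/im\s+\S)", re.I),
    "shadow_copy_deletion": re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "event_log_clearing":   re.compile(r"\bwevtutil(\.exe)?\s+cl\s+\S", re.I),
    "recovery_disabled":    re.compile(r"\bbcdedit(\.exe)?\s+/set\s.*?(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
}


def classify(command_line):
    """Return the set of preparation-step names a command line matches."""
    return {name for name, rx in RULES.items() if rx.search(command_line)}


def detect(events, window=timedelta(minutes=5), min_steps=2):
    """events: iterable of {"ts": ISO-8601, "host": str, "cmd": str}.
    Returns {host: sorted steps} for hosts that perform at least min_steps
    distinct preparation steps inside one window. A lone wevtutil or vssadmin
    run is routine administration; the combination is the signal."""
    seen = defaultdict(list)  # host -> [(timestamp, step)]
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        for step in classify(ev["cmd"]):
            seen[ev["host"]].append((ts, step))
    alerts = {}
    for host, hits in seen.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            steps = {s for t, s in hits[i:] if t - t0 <= window}
            if len(steps) >= min_steps:
                alerts[host] = sorted(steps)
                break
    return alerts


# Constructed sample telemetry (Sysmon-style process creation, simplified).
SAMPLE_EVENTS = [
    {"ts": "2019-05-07T02:14:05", "host": "ws-01",    "cmd": "cmd.exe /c net use * /delete /y"},
    {"ts": "2019-05-07T02:14:06", "host": "ws-01",    "cmd": "net stop MSSQLSERVER /y"},
    {"ts": "2019-05-07T02:14:07", "host": "ws-01",    "cmd": "taskkill /F /IM sqlservr.exe"},
    {"ts": "2019-05-07T02:14:09", "host": "ws-01",    "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2019-05-07T02:14:10", "host": "ws-01",    "cmd": "wevtutil cl System"},
    {"ts": "2019-05-07T02:14:11", "host": "ws-01",    "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"ts": "2019-05-07T09:30:00", "host": "admin-01", "cmd": "vssadmin list shadows"},
    {"ts": "2019-05-07T09:31:00", "host": "admin-01", "cmd": "wevtutil cl Application"},
    {"ts": "2019-05-07T16:05:00", "host": "admin-01", "cmd": "wevtutil qe Security /c:5"},
]

if __name__ == "__main__":
    for host, steps in detect(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(steps))
```

The admin host clears one log and lists shadow copies hours apart, which is ordinary maintenance and produces no alert; the workstation that disconnects shares, kills the database, deletes shadow copies, clears logs and disables recovery inside six seconds is what the rule is built to catch, ideally before the encryption pass that follows.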

Brian Krebs reports that this is vanilla ransomware: it is not highly sophisticated and does not appear to perform any lateral movement of its own (Krebs, 2019). Something interesting in this attack is that the code contains the text string "Valery", which it shares with the GandCrab ransomware strain whose developers had just announced their retirement (Krebs, 2019). This makes me think that either one of the GandCrab developers decided to start a new strain or someone is trying to frame them. Krebs and other security researchers believe that the author may be marketing the malware (Krebs, 2019). If this is a marketing campaign, which would fit the tweets aimed at the Mayor of Baltimore, bigger or more numerous targets could be next, hit by other adversaries who rent the ransomware. Municipalities are known for not paying ransoms, so Baltimore would not have been a great target except for marketing purposes. This attack is expected to cost Baltimore, a city already struggling financially, 18 million dollars in recovery and lost revenue.

Works Cited:

Abrams, L. (2019). A closer look at the RobbinHood ransomware. BleepingComputer. Retrieved June 5, 2019, from https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/

Krebs, B. (2019). Report: No 'Eternal Blue' exploit found in Baltimore City ransomware. Krebs on Security. Retrieved June 5, 2019, from https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/

Malware Minute: SQL Slammer

In this installment of Malware Minute, I decided to take it back a little old school and research a worm from 2003 called SQL Slammer, which infected more than 75,000 hosts within about ten minutes, doubling its population roughly every 8.5 seconds, and knocked out a major portion of the internet in the process. It was not the first malware to attack SQL servers, nor was it the first worm ever discovered, but it transformed the way vulnerabilities are reported and the way Microsoft handles patching.

Before getting into the details of this specific malware, it is important to explain what a SQL server is, for anyone who does not know. Most applications run on top of databases, which are structured stores of data. Many databases are queried with a language called SQL and are therefore called SQL (or relational) databases; the most common are Microsoft SQL Server, MySQL and Oracle. Others use a different query model instead of SQL and are grouped under the name NoSQL databases. When a website or application needs a piece of data, such as a username and its password record, it connects to a server hosting a database and retrieves it. As you can imagine, most of the internet is backed by a database.

SQL Slammer was derived from an exploit that security researcher David Litchfield developed ethically, on a client assignment, in 2002. Litchfield started from a tool called SQLPing, which sends a single-byte UDP packet with the value 0x02 to port 1434 on a SQL Server (Litchfield, 2010). Like most security researchers, he became curious what would happen if he changed that byte and incremented through the other values. He wrote a short program and ran it against a SQL Server 2000 test environment, and noticed that the value 0x08 crashed the server; interested in why, he disassembled the code and began exploring (Litchfield, 2010).

Through reverse engineering, Litchfield found a way to own SQL servers: a buffer overflow vulnerability in the service listening on UDP port 1434. A buffer overflow is a condition in which a program writes more data into a buffer (a fixed-size region of allocated memory) than it can hold, overwriting adjacent memory; this can corrupt data or let an attacker redirect execution to code of their choosing. Litchfield reported the bug to Microsoft, which released a patch and then agreed to let him present his proof of concept at a security conference the following month (Litchfield, 2010).
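To make the mechanics concrete, here is an added example in Python (mine, not Litchfield's code or anything from his article). It reproduces the shape of his fuzzing loop, a one-byte type field followed by padding, and classifies UDP/1434 datagrams using the request types documented for the SQL Server Resolution Protocol, flagging the pattern the worm relied on: a 0x04 request whose instance-name field is far longer than any real instance name (SQL Server instance names are at most 16 characters). The sample datagrams are constructed, and the 376-byte filler only stands in for the worm's packet size; it does not reproduce its bytes.

```python
# SQL Server Resolution Protocol (MS-SQLR) request types seen on UDP 1434.
REQUEST_TYPES = {
    0x02: "CLNT_BCAST_EX",    # one-byte broadcast discovery: the SQLPing probe
    0x03: "CLNT_UCAST_EX",    # one-byte unicast discovery
    0x04: "CLNT_UCAST_INST",  # 0x04 + instance name + NUL: the request Slammer abused
    0x0F: "CLNT_UCAST_DAC",   # 0x0F 0x01 + instance name + NUL
}
MAX_INSTANCE_NAME = 16  # SQL Server instance names are limited to 16 characters


def fuzz_cases(pad_len=200):
    """The kind of loop described above: every possible first byte followed by
    a long run of padding, so that any copy of the body into a fixed-size
    buffer is oversized. Builds the payloads only; nothing is sent."""
    return [bytes([t]) + b"A" * pad_len for t in range(256)]


def parse_request(payload):
    """Classify one UDP/1434 datagram as (type_name, instance_name, verdict)."""
    if not payload:
        return ("EMPTY", None, "malformed")
    t = payload[0]
    name = REQUEST_TYPES.get(t, "UNKNOWN_0x%02X" % t)
    if t in (0x02, 0x03):
        verdict = "ok" if len(payload) == 1 else "suspicious: trailing data on discovery probe"
        return (name, None, verdict)
    if t in (0x04, 0x0F):
        body = payload[2:] if t == 0x0F else payload[1:]   # DAC carries a version byte first
        inst = body.split(b"\x00", 1)[0]                   # instance name is NUL-terminated
        if len(inst) > MAX_INSTANCE_NAME:
            verdict = "suspicious: instance name %d bytes exceeds %d" % (len(inst), MAX_INSTANCE_NAME)
        elif not all(0x20 <= b < 0x7F for b in inst):
            verdict = "suspicious: non-printable instance name"
        else:
            verdict = "ok"
        return (name, inst.decode("ascii", "replace"), verdict)
    return (name, None, "suspicious: undocumented request type")


def find_suspicious(datagrams):
    """datagrams: iterable of (source, payload). Returns [(source, type, verdict)]
    for everything that is not a well-formed request."""
    out = []
    for src, payload in datagrams:
        name, _, verdict = parse_request(payload)
        if verdict != "ok":
            out.append((src, name, verdict))
    return out


# Constructed sample traffic: a SQLPing probe, a normal instance lookup,
# the fuzz case of the type that crashed the test server, and a worm-sized request.
SAMPLE_DATAGRAMS = [
    ("10.0.0.5",     b"\x02"),
    ("10.0.0.6",     b"\x04SQLEXPRESS\x00"),
    ("10.0.0.7",     fuzz_cases(200)[0x08]),
    ("198.51.100.9", b"\x04" + b"\x01" * 375),   # 376 bytes, the size of the worm's packet
]

if __name__ == "__main__":
    for src, kind, verdict in find_suspicious(SAMPLE_DATAGRAMS):
        print(src, kind, verdict)
```

The length check is the whole lesson: the service copied the instance-name field into a fixed stack buffer without checking its size, and the worm's entire body rode in that field. A network sensor that knows the protocol can reject the oversized request on sight, while the patched server bounds the copy.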

While Litchfield technically wrote the exploit, he is not the author of the malware. His purpose was to alert the security community to the need to apply the patch. However, someone took his proof-of-concept code and turned it into a worm that replicated itself across computers. The patch existed, but it could not help the many systems that had not applied it. This created a new code of ethics, of sorts, in the security world: exploits are now handled more responsibly, and vendors have changed how they release patches. The worm lived only in memory (RAM) and could be wiped off a system with a restart; however, an unpatched SQL Server would be reinfected almost immediately by other infected hosts.

This malware shows how security researchers must be responsible in presenting their proofs of concept at security conferences, and how important it is for vendors to build and distribute patches and alert their users when bugs are found.

Works Cited:

Litchfield, D. (2010). The inside story of SQL Slammer. Threatpost. Retrieved April 10, 2019, from https://threatpost.com/inside-story-sql-slammer-102010/74589/

Malware Minute: Carbanak

Recently, I was listening to the podcast "Darknet Diaries," and they had an episode on a malware campaign called Carbanak that primarily attacked banks. This campaign was incredibly intriguing to me because of how organized it was; I almost expected it to be an advertisement for another Ocean's movie. Carbanak used tactics you would expect an organized crime crew to employ in robbing a bank. In this installment of Malware Minute, I hope to explain Carbanak and keep this post to a minute or two of reading.

Carbanak was a campaign targeting banks in which the adversary would steal roughly 2.5 to 10 million dollars from each victim before moving on (Kaspersky Lab, n.d.). The malware was not advanced: it did not use any zero-day exploits or novel techniques. It simply exploited known, already-patched vulnerabilities on machines that had not installed the updates.

A zero-day vulnerability is one that attackers are exploiting before the vendor knows about it or has a fix available; the name refers to the number of days the vendor has had to respond. On day zero no patch exists, and malicious actors have a new hole to explore.

The Carbanak gang targeted their victims with spear-phishing emails, targeted messages that use social engineering to convince a specific person to click a link or open an attachment (Trend Micro, 2019). When a user did so, a malicious file was downloaded that installed a backdoor on the computer. Once the backdoor was in place, the Carbanak malware could log keystrokes, take screenshots and inventory the software running on the machine (Trend Micro, 2019). The attackers wanted to move around the network undetected and to familiarize themselves with the victims' normal workflow. They moved laterally using remote administration tools, and once they had reached the systems they were after, they recorded the operators at work, learned the routine, and used that knowledge to manipulate bank records and transfer funds (Trend Micro, 2019).

Once the attackers controlled the network, they could move money at will. Sometimes they hired money mules to wait at a bank's ATMs at specific times, when the compromised machines would dispense cash for the mule to collect and walk away with. Other times they had mules open accounts holding odd amounts, such as $3.33, then ran an update query to put millions of dollars into those accounts, and accomplices wired the money over the SWIFT network to the criminals' own accounts.
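The "update query" step is the part of this that a defender can do something about, so here is an added example (mine, not anything from the Kaspersky or Trend Micro write-ups) using Python's built-in sqlite3 module and a constructed toy bank schema. It shows the direct balance edit, the detective control that catches it (recomputing every balance from the transaction ledger and reporting mismatches), and a preventive control (a trigger that rejects any balance change the ledger does not justify). The accounts, amounts and column names are invented for the example.

```python
import sqlite3


def open_bank():
    """In-memory bank with constructed sample data. Amounts are integer cents.
    The stored balance duplicates the ledger total, and that redundancy is
    exactly what a direct UPDATE can break."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, balance INTEGER NOT NULL);
        CREATE TABLE ledger (id INTEGER PRIMARY KEY, account_id INTEGER NOT NULL REFERENCES accounts(id),
                             amount INTEGER NOT NULL, ref TEXT NOT NULL);
        INSERT INTO accounts VALUES (1, 'Alice', 0), (2, 'Mule account', 0), (3, 'Bob', 0);
        INSERT INTO ledger (account_id, amount, ref) VALUES
            (1, 500000, 'payroll'), (1, -20000, 'card purchase'),
            (2, 333, 'opening deposit'),          -- the odd $3.33 balance from the post
            (3, 120000, 'transfer in');
        UPDATE accounts SET balance =
            (SELECT COALESCE(SUM(amount), 0) FROM ledger WHERE account_id = accounts.id);
    """)
    return conn


def attacker_update(conn, account_id, cents):
    """The Carbanak-style move: edit the stored balance directly, leaving no
    ledger row behind. Returns True if the database accepted the change."""
    try:
        with conn:
            conn.execute("UPDATE accounts SET balance = balance + ? WHERE id = ?", (cents, account_id))
        return True
    except sqlite3.DatabaseError:
        return False


def reconcile(conn):
    """Detective control: recompute every balance from the ledger and return
    mismatches as (account_id, stored_balance, ledger_balance)."""
    return conn.execute("""
        SELECT a.id, a.balance, COALESCE(SUM(l.amount), 0)
        FROM accounts a LEFT JOIN ledger l ON l.account_id = a.id
        GROUP BY a.id, a.balance
        HAVING a.balance != COALESCE(SUM(l.amount), 0)
        ORDER BY a.id
    """).fetchall()


def install_guard(conn):
    """Preventive control: refuse any balance update the ledger does not justify."""
    conn.executescript("""
        CREATE TRIGGER balance_must_match_ledger
        BEFORE UPDATE OF balance ON accounts
        WHEN NEW.balance != (SELECT COALESCE(SUM(amount), 0) FROM ledger WHERE account_id = NEW.id)
        BEGIN
            SELECT RAISE(ABORT, 'balance does not match ledger');
        END;
    """)


def post_transfer(conn, src, dst, cents, ref):
    """Legitimate path: write both ledger rows first, then bring balances in line."""
    with conn:
        conn.execute("INSERT INTO ledger (account_id, amount, ref) VALUES (?, ?, ?)", (src, -cents, ref))
        conn.execute("INSERT INTO ledger (account_id, amount, ref) VALUES (?, ?, ?)", (dst, cents, ref))
        conn.execute("""UPDATE accounts SET balance =
                            (SELECT COALESCE(SUM(amount), 0) FROM ledger WHERE account_id = accounts.id)
                        WHERE id IN (?, ?)""", (src, dst))


def balances(conn):
    """Current stored balances as {account_id: cents}."""
    return dict(conn.execute("SELECT id, balance FROM accounts ORDER BY id").fetchall())


if __name__ == "__main__":
    bank = open_bank()
    attacker_update(bank, 2, 100_000_000)          # $1,000,000 appears from nowhere
    print("mismatches:", reconcile(bank))
    guarded = open_bank()
    install_guard(guarded)
    print("direct edit accepted:", attacker_update(guarded, 2, 100_000_000))
```

Reconciliation is cheap to run nightly and catches the edit after the fact; the trigger stops it outright but only if the attacker's access is limited to ordinary SQL. An operator who has the DBA's credentials, which is what Carbanak's keylogging and screenshots were for, can drop the trigger, so the reconciliation job should run under a separate identity against a read replica the application account cannot alter.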

Kaspersky Lab points out that the initial targets were Russian banks, but over time banks in more countries were hit, including the United States (Kaspersky Lab, n.d.). In March 2018 the alleged leader of the gang was arrested in Spain, but the attacks have persisted and evolved.

This attack is proof of the importance of keeping software updated. The compromises in 2016 could have been prevented if the banks had applied the updates for vulnerabilities Microsoft had found and fixed in 2012 (Trend Micro, 2019). Phishing emails were the initial infection vector, so proper social engineering training is crucial to prevent this type of attack: employees should know not to open suspicious emails and should check the sender's address to ensure it comes from the expected domain.

Works Cited

Kaspersky Lab. (n.d.). Carbanak APT. Retrieved April 3, 2019, from https://usa.kaspersky.com/resource-center/threats/carbanak-apt

Trend Micro. (2019). Carbanak threat details and protection using Trend Micro products. Retrieved April 3, 2019, from https://success.trendmicro.com/solution/1107858-carbanak-threat-details-and-protection-using-trend-micro-products#

Malware Minute: Mirai Botnet

The proliferation of IoT (Internet of Things: think Alexa) devices has brought many complications to IT security. A walk through a consumer trade show would turn up hundreds of such devices, ranging from "smart shoes" to "smart cars." The number of these devices keeps growing, yet they ship with very little security, and many of them cannot be patched when vulnerabilities are found. It is the sad state of technology and the best dream possible for malicious actors.

The availability of vulnerable IoT devices has created a flourishing environment for adversaries, giving them a vast supply of machines from which to carry out attacks. One incredibly famous piece of malware that used this to its advantage was Mirai. Before getting into the specifics of what Mirai was, I think it is important to explain what a botnet is.

According to Cloudflare, a botnet is a group of computers that have been infected with malware that hands control of them to a malicious actor (Cloudflare, n.d.). Essentially, the owner of the computer has unknowingly relinquished control of it to someone with ill intent. When many of these devices are compromised together, they make up a network of robots under the control of a single operator, hence the name botnet.

So what was the Mirai botnet? Paras Jha and Josiah White, cofounders of the DDoS-mitigation firm Protraf Solutions, created the Mirai botnet to drum up business for their mitigation service (Cloudflare, n.d.): they would attack companies and then offer to protect them against the attacks. A DDoS (distributed denial-of-service) attack floods a target with requests until it can no longer serve legitimate ones, sometimes taking systems down for hours and costing businesses roughly $10,000 or more per hour of downtime. When Mirai infects a device, it looks for other strains of malware on it and wipes them out to ensure it is the only malware in control (Fruhlinger, 2018).

In 2016, a massive DDoS attack on the DNS provider Dyn left much of the internet unreachable along the east coast of the United States (Fruhlinger, 2018). Researchers determined that the Mirai botnet was behind it. Mirai compromised well over 100,000 IoT devices by scanning the internet for devices that still used their factory-default credentials (Cloudflare, n.d.). Because of the weak security of these devices, the botnet was able to take over a huge number of them and carry out an enormous DDoS attack.
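An added example (mine, not from the Cloudflare or CSO articles) of what the scanning phase described above looks like from the defender's side: Mirai's bots tried default logins against TCP ports 23 and 2323 on random addresses at a high rate, so a single source fanning out to many telnet targets in a short window is the tell, whether the source is an outside scanner or one of your own cameras that has already been taken. The flow records are constructed; real input would come from NetFlow or a firewall log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}   # the ports Mirai's scanner probed for default logins


def scanning_sources(flows, window=timedelta(seconds=60), min_targets=50):
    """flows: iterable of {"ts": ISO-8601, "src": str, "dst": str, "dport": int}.
    Returns {src: distinct_targets} for sources that reached at least
    min_targets distinct hosts on telnet ports inside one window. A handful of
    telnet sessions from an admin box is normal; the fan-out is the signal."""
    per_src = defaultdict(list)  # src -> [(timestamp, dst)]
    for f in flows:
        if f["dport"] in TELNET_PORTS:
            per_src[f["src"]].append((datetime.fromisoformat(f["ts"]), f["dst"]))
    scanners = {}
    for src, hits in per_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            targets = {dst for t, dst in hits[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                scanners[src] = len(targets)
                break
    return scanners


def build_sample_flows():
    """Constructed flow records: one infected camera sweeping 120 hosts in 30 s,
    an admin host logging in to three cameras over three minutes, and ordinary
    HTTPS traffic that the detector must ignore."""
    base = datetime(2016, 10, 21, 11, 0, 0)
    flows = []
    for i in range(120):
        flows.append({"ts": (base + timedelta(milliseconds=250 * i)).isoformat(),
                      "src": "192.0.2.10", "dst": "203.0.113.%d" % (i + 1),
                      "dport": 23 if i % 2 == 0 else 2323})
    for i, cam in enumerate(["10.0.0.21", "10.0.0.22", "10.0.0.23"]):
        flows.append({"ts": (base + timedelta(minutes=i)).isoformat(),
                      "src": "10.0.0.2", "dst": cam, "dport": 23})
    for i in range(200):
        flows.append({"ts": (base + timedelta(seconds=i)).isoformat(),
                      "src": "10.0.0.%d" % (50 + i % 5), "dst": "198.51.100.7", "dport": 443})
    return flows


SAMPLE_FLOWS = build_sample_flows()

if __name__ == "__main__":
    for src, n in scanning_sources(SAMPLE_FLOWS).items():
        print("%s reached %d telnet targets in one minute" % (src, n))
```

The threshold and window are the knobs: Mirai's real scanner touched far more than fifty addresses a minute, so the default is conservative, while the admin host's three logins never trip it. Paired with the fix the post recommends (changing the default password so the login attempts fail), this turns a quiet reinfection into a visible event.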

The Mirai botnet is still mutating: many other, more powerful botnets such as Reaper have been built from Mirai's source code, which was released publicly (Cloudflare, n.d.). The way this malware infects devices is further proof of the need to change default passwords and use a password manager to keep strong, unique credentials, along with multi-factor authentication wherever a device supports it. Mirai lived in the memory of the device it infected, so a simple reboot would wipe it; without a stronger password, however, the device would likely be reinfected shortly thereafter (Fruhlinger, 2018).

Works Cited

Cloudflare. (n.d.). What is the Mirai botnet? Retrieved April 1, 2019, from https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/

Fruhlinger, J. (2018). The Mirai botnet explained: How teen scammers and CCTV cameras almost brought down the internet. CSO. Retrieved April 1, 2019, from https://www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html

Malware Minute: LockerGoga

Over the last two years, the class of malware known as ransomware has grown significantly. One of the most famous examples was WannaCrypt, better known as WannaCry, which spread using the EternalBlue exploit developed by the NSA and kept secret until it was leaked by the Shadow Brokers. While WannaCry was crippled by Marcus Hutchins' (aka MalwareTech) discovery of a kill switch, that has not stopped other ransomware developers from continuing down the path its original authors (possibly North Korea's Lazarus Group) blazed. Petya and then NotPetya became household names in the security world, and ransomware became a recognized threat to businesses and government agencies alike, which incentivized operating system and antivirus vendors to bundle backup and ransomware-protection features for their subscribers.

Since the beginning of the year, security researchers have been watching a newer strain of ransomware called LockerGoga. LockerGoga was first submitted to the malware database VirusTotal on January 24, 2019 (Rashid, 2019). This malware targets the industrial and manufacturing sector, which sets it apart from variants such as NotPetya and WannaCry, and it recently forced the Norwegian aluminum manufacturer Norsk Hydro to switch to manual operations (Greenberg, 2019). Ransomware affects users by encrypting the files on their computers' drives and then delivering a ransom note demanding payment, usually in bitcoin, in exchange for the key that will decrypt their files. If the ransom is not paid within a specified time, the data stays encrypted forever or is wiped from the device. Many organizations that have fallen prey to these attacks have been forced to pay to continue operating unless they had proper off-site backups of their data (see SamSam ransomware and Atlanta, GA).

For the industrial and manufacturing sector, ransomware can be very disruptive. According to threat researchers, this strain is particularly so: it shuts computers down completely, locks users out, and even makes it difficult to pay the ransom (Greenberg, 2019). Researchers are still determining how LockerGoga infects its targets and spreads through networks; unlike NotPetya and WannaCry, it has no worm-like ability to spread on its own (Rashid, 2019). MalwareHunterTeam has noted that the targets' credentials seem to be known before the initial infection, possibly obtained through phishing campaigns (Greenberg, 2019).

As with any development effort, malware tooling goes through continual refinement that improves its capabilities. Palo Alto Networks' research team Unit 42 believes the group behind LockerGoga is still refining the ransomware and working out how to add command-and-control features by calling undocumented Windows APIs and manipulating the dynamically linked Windows libraries that handle network connections (Rashid, 2019).

LockerGoga proves once again the need for proper backups, security policies and employee training. Norsk Hydro has declined to pay the ransom but is looking at a rebuilding bill upwards of 80 million dollars, having already spent 40 million in the past week (Rashid, 2019). The cost of recovering from an attack like this is often far higher than the ransom demanded and could easily bankrupt a smaller organization.

Works Cited

Greenberg, A. (2019). A guide to LockerGoga, the ransomware crippling industrial firms. WIRED. Retrieved March 28, 2019, from https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/

Rashid, F. (2019). Researchers still unraveling LockerGoga ransomware. Decipher. Retrieved March 28, 2019, from https://duo.com/decipher/researchers-still-unraveling-lockergoga-ransomware