Baltimore Encoded: RobbinHood

For the last month, the city of Baltimore has been dealing with a ransomware variant called Robbinhood. The ransomware author is asking for 100,000 dollars to decrypt the city’s files. As has been explained previously in my blog, ransomware is a type of malware that infects systems and encrypts each file on the infected endpoint. Once it has completed the encryption process, a ransom note is left to instruct the user how to decrypt their files. If a company has not followed proper security controls and created offline backups of critical systems, all of its information could be lost if it does not pay the ransom. Unfortunately, many targets of this type of malware have learned this the hard way.

Baltimore is not the first city to deal with this type of attack. Atlanta suffered a similar incident in 2018 from the Iranian SamSam ransomware. The Baltimore attack does not appear to be from the Iranian SamSam group.

A recent media article insisted that Robbinhood made use of the NSA-developed exploit Eternal Blue, which was used in the Stuxnet attack against Iran and is considered by some to be the first cyber weapon (more to come on this in a later blog post). Brian Krebs of “Krebs on Security” has reported that it is not likely that Robbinhood uses the Eternal Blue exploit (Krebs, 2019). Because of the media report that this exploit was used, some have argued that this attack is the fault of the NSA and that the Federal Government should be held responsible for it.

I’m going to stray away from the explanation of the ransomware for a second because I think something needs to be discussed. The Eternal Blue exploit was leaked by the Shadow Brokers in 2017; from there the WannaCry and NotPetya cyberattacks were developed, and a subsequent patch was released. While the NSA’s discovery of a vulnerability in the SMB protocol, and its decision to develop an exploit for it and hold it for use, did create the opportunity for these types of attacks to occur, it is in no way the NSA’s responsibility that a municipality would allow its systems to go unpatched against a very well-known vulnerability. We can argue the ethics of the NSA stockpiling exploits, but that does not change the fact that Baltimore did not patch a well-known vulnerability. –End rant

Bleeping Computer has a great article that I would recommend to anyone interested in how this ransomware works. The article is located here: https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/.

Essentially, the tl;dr is that Robbinhood disconnects network shares upon execution and is likely pushed out through a domain controller. The ransomware looks for an RSA encryption key in the C:\windows\temp directory. If the key is present, it then shuts off services, such as antivirus, database and mail server services, that would prevent encryption. During its preparation stage, it clears shadow copies and event logs and disables automatic repair. Once preparation is complete, the malware begins encrypting the files on the endpoint. Once encryption is complete, a message appears that explains to the user how to decrypt their data. The surprising thing to me is that the message explains asymmetric encryption to the user.
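As an added example (not code from the original post or from the cited analyses), the following POSIX shell script scores a process-creation log against the preparation-stage behaviours this paragraph describes: share disconnection, service stops, shadow copy deletion, event log clearing and disabling automatic repair. The `CommandLine:` log format, the sample log lines and the three-of-five threshold are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post or from the cited analyses.
# Assumptions: the log is a text file of constructed lines beginning with
# "CommandLine: ", and the regexes map each preparation step from the post to
# the Windows commands commonly used for it.

# Print how many distinct preparation-stage behaviours appear in a log:
# share disconnection, service stops, shadow copy deletion, event log
# clearing, and disabling automatic repair.
robbinhood_prep_score() {
    log="$1"
    score=0
    for pattern in \
        'net(\.exe)?[[:space:]]+use[[:space:]]+\*[[:space:]]+/delete' \
        '(^|[\\/[:space:]])(net|sc)(\.exe)?[[:space:]]+stop[[:space:]]' \
        'vssadmin(\.exe)?.*delete[[:space:]]+shadows|wmic.*shadowcopy[[:space:]]+delete' \
        'wevtutil(\.exe)?[[:space:]]+cl[[:space:]]' \
        'bcdedit(\.exe)?.*recoveryenabled[[:space:]]+no'
    do
        # -E extended regex, -i case-insensitive, -q only sets the exit status
        if grep -Eiq "$pattern" "$log"; then
            score=$((score + 1))
        fi
    done
    echo "$score"
}

# Any single command above has benign administrative uses; three or more of
# the five steps in one log is the combination worth treating as preparation.
classify_log() {
    if [ "$(robbinhood_prep_score "$1")" -ge 3 ]; then
        echo "ransomware-preparation"
    else
        echo "benign"
    fi
}

# Constructed sample logs (not real telemetry) for trying the functions.
write_sample_log() {
    cat > "$1" <<'EOF'
CommandLine: C:\Windows\System32\net.exe use * /DELETE /Y
CommandLine: C:\Windows\System32\sc.exe stop MSSQLSERVER
CommandLine: C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
CommandLine: C:\Windows\System32\wevtutil.exe cl Security
CommandLine: C:\Windows\System32\bcdedit.exe /set {default} recoveryenabled No
EOF
}

write_benign_log() {
    cat > "$1" <<'EOF'
CommandLine: C:\Windows\System32\net.exe use \\fileserver\share /persistent:yes
CommandLine: C:\Windows\System32\sc.exe query wuauserv
CommandLine: C:\Windows\System32\vssadmin.exe list shadows
CommandLine: C:\Windows\System32\wevtutil.exe qe Application /c:5
CommandLine: C:\Windows\System32\bcdedit.exe /enum
EOF
}

# Run with "sh robbinhood_prep.sh demo" to classify both constructed logs.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    write_sample_log "$work/prep.log"
    write_benign_log "$work/admin.log"
    echo "prep.log: $(classify_log "$work/prep.log")"
    echo "admin.log: $(classify_log "$work/admin.log")"
    rm -rf "$work"
fi
```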

Brian Krebs reports that this is vanilla ransomware; it is not highly sophisticated and does not seem to use any lateral movement (Krebs, 2019). Something interesting in this attack is that the code uses a text string that says Valery, which shows similarity with the GandCrab ransomware strain, whose developers had just announced they were retiring (Krebs, 2019). This would make me think that either one of the developers from that operation decided to start a new strain or someone is trying to frame the GandCrab developers. Krebs and other security researchers believe that the author may be marketing their malware (Krebs, 2019). If this is a marketing campaign, which would make sense given the tweets targeted at the Mayor of Baltimore, a bigger target, or more targets, could be next, hit by other adversaries who rent the malware. Municipalities are known for not paying ransoms, so Baltimore would not have been a great target except for marketing purposes. This attack is expected to cost Baltimore, a city already struggling financially, 18 million dollars in recovery and lost revenue.

Works Cited:

Abrams, L. (2019). A closer look at the Robbinhood Ransomware. Retrieved on June 5, 2019, from https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/

Krebs, B. (2019). Report: No Eternal Blue Exploit Found in Baltimore City Ransomware. Retrieved on June 5, 2019, from https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/

Bandit Walk-through 3

Level 5:

This level required me to find the password stored in the inhere directory, in a file that had three properties: it had to be human-readable, 1033 bytes in size, and not executable. For this, I decided to use the find command. I knew I would need to give it a few other flags, so I started by changing directory to the inhere directory. I constructed the command to look for a size of 1033c, ensured the file was readable with the readable flag, and excluded executables by putting the special character for "not" in front of the executable flag. This returned a directory and file; I used the cat command to read the file. Notice that the file has a period in front of it, so I had to use an escape character to get to it.

The password for level 6: DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Level 6:

Level 6’s password was stored somewhere on the server, in a file that had to be owned by the user bandit7 and the group bandit6 and had to be 33 bytes in size. Using the find command, I searched the entire server by inputting /. I then looked for a file type of f (for file) and added a couple of flags for the size, the user and the group. Initially, when I did this, it returned so much information that I got a headache. I wanted to figure out how to return only the one location that met all of these parameters. I came across the Linux documentation and saw the final part of the command string, 2>/dev/null. This specific string returns only the correct location because it sends all of the errors (stderr) I was seeing earlier to the /dev/null file. Once I had that information, I was able to cat the file and receive the password.

Password for level 7: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Level 7:

I got OccupyTheWeb’s book “Linux Basics for Hackers” for Christmas, and while reading it I learned a lot about grep; I had used it previously but was not very familiar with it. As soon as I saw this challenge I knew how to figure it out. Level 7 stores the password in a data.txt file next to the word millionth. I knew I could pipe grep millionth into a cat command call and it would return the password.

Password for level 8: cvX2JJa4CFALtqS87jk27qwqGhBM9plV

Level 8:

Level 8 had a password stored in the data.txt file, but it was the only line of text that was unique. I decided to read the file, sort it by piping into the sort command, and then identify the unique line of text by using the uniq -u command. That returned the password.

Password for level 9: UsvVyFSfZZWbi6wgC7dAFyFuR6jQQUhR

The Art of Deceptive Magic

Recently I was listening to a podcast, Hacking Humans, by the team at the CyberWire. Joe Carrigan was speaking about an article he had recently read about a study of eye movements during illusions. The specific illusion in question is one where the magician throws a ball in the air several times; on the last throw the magician keeps hold of the ball yet pretends it is still being thrown. The person watching does not realize this, and then, magically, the ball disappears. When people are asked what happened to the ball or when it disappeared, they swear the ball was still in motion even after it had been laid in the magician’s lap.

Why does the audience still swear they see the ball even though it has disappeared? The article explains that the audience members are watching the eyes of the magician and not the ball, so when the magician’s eyes continue to follow the movement of the ball, the audience is convinced that the ball is still in motion. However, once the audience members know the trick, they are no longer fooled by it.

At this point in this blog post, you, the reader, are probably wondering what this has to do with cybersecurity. Social engineering is a practice in information security in which a malicious actor uses psychology to manipulate and deceive users into revealing sensitive information. These types of attacks are usually used to distribute malware. A social engineering attack can be carried out in multiple ways and, in many cases, has multiple layers. If you were to read Kevin Mitnick’s book, “The Art of Deception,” you would read about many attacks that used multiple layers of social engineering. It could be calling a company while pretending to be from another branch to get a company directory, then working up from there to get in touch with the CEO, and from there sending out an email with a malicious link, and so forth. The point is that there are many ways a social engineering attack can be played out, but they all use deception.

The CIA had a guide to trickery and deception from the Cold War that taught agents how to deceive others in the field. One of the ways it taught to poison a drink was to light the other person’s cigarette and drop the poison in their drink while doing so. The reason this works is that the person will not take their eyes off of the flame. The social engineer does the same thing: they deceive you by using your fear of what is right in front of you to exploit another hole. Social engineering attacks have the main purpose of taking your eyes off one thing while a weak spot is exploited.

Social engineering awareness training is very important, as can be seen from the example of the magician. Once the audience members understand the trick, they are never tricked again. A good trainer would know of the many different ways in which social engineering attacks are carried out and would help prevent them by giving explanations and testing employees. The training must be done in a way that makes employees understand its importance, and it should be something that employees would want to do. Once they learn how to spot tricks, the company becomes safer.

Malware Minute: SQL Slammer

In this installment of Malware Minute, I decided to take it back a little old school and research and discuss a worm called SQL Slammer, which in 2003 infected over 75,000 computers and took out a major portion of the internet in 8.5 seconds. This was not the first malware to attack SQL servers, nor was it the first worm ever discovered, but it was a type of malware that transformed the way that vulnerabilities are reported, as well as how Microsoft handled system patching.

Before getting into the details of this specific malware, it is very important to explain what a SQL server is, in case there is anyone out there who does not know. Most applications run off of databases, which are large storage facilities for data. These databases come in a few varieties. Some use a language called SQL and are considered SQL databases; the most common of these are Microsoft SQL Server, MySQL, and Oracle. Then there are others that do not use the SQL language but instead use another type of language. These are called NoSQL databases. When a website or application retrieves information, such as a username and password, it must connect to a server that is hosting a database and retrieve this information. As you can imagine, most of the internet is connected to a database.

SQL Slammer was derived from an exploit that security researcher David Litchfield developed ethically in 2002 on an assignment. Litchfield developed the exploit from a tool called SQLPing that would send a single-byte packet with the value 0x02 to UDP port 1434 on a SQL Server (Litchfield, 2010). Litchfield, like most security researchers, became interested in what would happen if he changed the byte and incremented the value. He wrote a short program and tested it out in a SQL Server 2000 testing environment; this was when he initially discovered the exploit. He noticed that the value 0x08 crashed the server, became interested in what was happening, and so broke down the code and began exploring (Litchfield, 2010).

Essentially, through reverse engineering and analyzing the exploit, Litchfield found a way to own SQL servers by identifying a buffer overflow vulnerability. A buffer overflow is a condition in which a program attempts to put more data into a buffer (a section of allocated memory) than it can hold, which can corrupt data or create an opportunity to execute malicious code. Litchfield reported this information to Microsoft, which released a patch and then allowed Litchfield to present his proof of concept at a security conference the following month (Litchfield, 2010).

While Litchfield is technically the writer of the exploit, he is not the author of the malware. Litchfield’s purpose was to alert the security community about the need to apply the patch. However, someone took his proof-of-concept code and developed it into a worm that would replicate itself across multiple computers. Even though a patch had been created to secure the system, it was not effective because many systems had not been patched to fix the vulnerability. This created, in a sense, a new code of ethics in the security world. Exploits are now handled more responsibly, and vendors have changed how they release patches. The malware lived in memory (RAM) and could be wiped from a system by a restart. However, the malware could replicate itself and find its way back into the SQL Server system if it had not been patched.

This malware shows that security researchers must present their proofs of concept at security conferences responsibly, and that it is important for vendors to build and distribute patches and to alert their users when bugs are found.

Works Cited:

Litchfield, D. (2010). The Inside Story of SQL Slammer. Retrieved on April 10, 2019, from https://threatpost.com/inside-story-sql-slammer-102010/74589/

Malware Minute: Carbanak

Recently, I was listening to the podcast “Darknet Diaries,” and they had an episode on a malware campaign called Carbanak that primarily attacked banks. This attack was incredibly intriguing to me because of how organized the campaign was. I almost expected it to be an advertisement for another Ocean’s movie. Carbanak used tactics like those an organized crime unit would employ to rob a bank. In this installment of Malware Minute, I hope to explain Carbanak and keep this post to a minute or two of reading.

Carbanak was a campaign targeting banks in which the adversary would remove roughly 2.5 to 10 million dollars before abandoning each victim (Kaspersky, n.d.). This malware was not advanced; it did not use any zero-day exploits or anything new. It simply used already patched vulnerabilities on machines that had not installed the updates fixing them.

A zero-day exploit is a vulnerability that has been discovered and exploited on the same day the vulnerability was discovered. On day zero, a patch has not been developed, and malicious actors have a new hole to explore.

The Carbanak gang responsible for the malware targeted their victims using spear phishing emails, which are targeted emails that use social engineering practices to convince someone to click on a link (Trend Micro, 2019). When a user clicked on the link in the email, it downloaded a malicious file that created a backdoor on the computer system. Once the backdoor was created, the Carbanak malware would run various commands, such as keystroke logging, taking screenshots and checking the software running on the machine (Trend Micro, 2019). The attackers wanted to move around the network without being detected and attempted to familiarize themselves with the normal workflow of the victims. They would move laterally through the network using remote administration tools; once the systems they were targeting were breached, they would record the victims, familiarize themselves with the normal workflow and use the information gathered to manipulate bank records and transfer funds (Trend Micro, 2019).

Once the attackers gained access to the network, they were able to transfer money at will. They would hire mules to come to the bank at specific intervals, where thousands of dollars in cash would be released; the mules would take it and leave. Other times they would have the mules set up bank accounts holding strange amounts of money, such as $3.33, then run an update query to transfer millions of dollars into those accounts, and the henchmen would transfer it over the SWIFT network to the criminals’ accounts.

Kaspersky Lab points out that the initial targets were Russian banks, but as time went on more countries became targets, including the United States (Kaspersky Lab, n.d.). In March 2018, the leader of the gang was arrested in Spain, but the attacks persist and continue to evolve.

This attack is proof of the importance of updating software. The compromises of 2016 could have been prevented if the banks had updated their software to patch vulnerabilities found and fixed by Microsoft in 2012 (Trend Micro, 2019). Phishing emails were also used to infect the network initially, so proper social engineering training is crucial to prevent this type of attack: employees should know not to open suspicious emails and should check email addresses to ensure they come from the correct domain.

Works Cited

Carbanak APT. (n.d.). Kaspersky Lab. Retrieved on April 3, 2019 from https://usa.kaspersky.com/resource-center/threats/carbanak-apt

Carbanak Threat Details and protection using Trend Micro Products. (2019). Trend Micro. Retrieved on April 3, 2019, from https://success.trendmicro.com/solution/1107858-carbanak-threat-details-and-protection-using-trend-micro-products#

Over the Wire Bandit Walk-through 2

Level 4:

This level required that I find the flag in the only human-readable file in the inhere directory. I thought about trying a few other ways of doing this, but I found on my first attempt that what I had intended worked, and I did not go any further. For this one, I used the cat command with an asterisk at the end of the file name. The asterisk is a wildcard that searched through each of the files that start with "file," no matter what comes at the end. When I used this command in that sequence, it worked, and I was able to sort through just a little bit of junk to find the password.

The password for level 5 is koReBOKuIDDepwhWk7jZC0RTdopnAYKh

Level 5:

I was incredibly surprised at how easily I figured this one out. I thought it would take me a long time. However, it only took me a few minutes with a little help from Google. The point of this challenge is to find a file in the inhere directory that is human-readable, 1033 bytes in size and not executable. In this challenge, I used the find command. I knew that since I had some properties to match I would have to add a few extra flags to get to the file. Using the find command, I had to use the size flag to give the size of the file we wanted to see. Since the file size was 1033 bytes, we had to add the file size as -size 1033c and add a readable flag as well as an executable flag. The readable flag is simply -readable, but since the property has to be not executable, a ! is required before the -executable flag. This tells the shell that we do not want to find a file that is executable. After running this command the file ./maybehere07/.file2 is returned, so I ran the cat command on that and the password for level 6 was returned.

Level 6 password is DXjZPULLxYr17uwoI01bNLQbtFemEgo7

Level 6:

Level 6 offered some challenges. This challenge was very similar to the last one; I had to look for a file that had three properties. It had to be owned by the user bandit7 and the group bandit6 and be 33 bytes in size. Initially I thought it would be very similar to the last challenge, except that I would have to search the entire drive and add the owners, and it would return the value I wanted. However, I kept getting stuck on a bunch of random characters and so forth. I googled how to sort through all of the information and figured out I could redirect the output from the command to /dev/null, and it would return the name of the directory. From there I could cat the file. So I searched the entire drive by using / instead of just the period like last time; then I wanted a file that was 33 bytes in size, so I used -type f and -size 33c. Next, the user and group needed to be given, so I used the -user and -group flags and redirected the output to /dev/null. Then I was given the path and was able to cat the file.

Password for Level 7: HKBPTKQnIay4Fw76bEy8PVxKEDQRKTzs

Level 7:

Level 7 was one where I was very familiar with the commands. The challenge was to find the password in the data.txt file next to the word millionth. I knew from previous classes and other endeavors that grep was the perfect tool for this one. I was able to pipe cat into grep with the word millionth, and it worked. When used, grep allows the user to locate specific information in a file.

Password for level 8: cvX2JJa4CFALtqS87jk27qwqGhBM9plV
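As an added example that is not part of either walkthrough or of OverTheWire, the following shell script rebuilds the level 5, level 6 and level 8 searches (find with size, readability and ownership filters, stderr redirected to /dev/null, and sort piped into uniq -u) on a scratch directory so each flag's effect can be checked. The fixture files, their names, and the use of the current user and group in place of bandit7 and bandit6 are assumptions constructed here.

```shell
#!/bin/sh
# Added example, not code from the original walkthroughs or from OverTheWire.
# Assumption: every path and file below is constructed here; the current user
# and group stand in for bandit7 and bandit6 because the fixture cannot chown.

# Build a scratch tree with one file per level that meets the requirements,
# plus decoys that fail exactly one requirement.
make_fixture() {
    root="$1"
    mkdir -p "$root/inhere/maybehere07" "$root/inhere/maybehere02" "$root/etc"
    # level 5: readable, 1033 bytes, not executable (the hidden ".file2")
    printf '%1033s' '' | tr ' ' 'a' > "$root/inhere/maybehere07/.file2"
    # decoy: right size but executable
    printf '%1033s' '' | tr ' ' 'b' > "$root/inhere/maybehere02/.file1"
    chmod +x "$root/inhere/maybehere02/.file1"
    # decoy: readable and not executable but one byte short
    printf '%1032s' '' | tr ' ' 'c' > "$root/inhere/maybehere02/file3"
    # level 6: exactly 33 bytes, owned by the searching user and group
    printf '%33s' '' | tr ' ' 'k' > "$root/etc/bandit7.secret"
    printf '%34s' '' | tr ' ' 'd' > "$root/etc/decoy"    # wrong size
    # level 8: data.txt whose password is the only non-repeated line
    printf 'dup\nunique\ndup\n' > "$root/data.txt"
}

# Level 5: -size 1033c means exactly 1033 bytes; ! negates -executable.
level5() {
    find "$1/inhere" -type f -size 1033c -readable ! -executable
}

# Level 6: search the whole tree; 2>/dev/null discards "Permission denied"
# errors so only the matching path is printed.
level6() {
    find "$1" -type f -size 33c -user "$2" -group "$3" 2>/dev/null
}

# Level 8: uniq only compares adjacent lines, so sort first; -u keeps lines
# that occur exactly once.
level8() {
    sort "$1/data.txt" | uniq -u
}

# Run with "sh bandit_levels.sh demo" to print the three answers on a temp tree.
if [ "${1:-}" = "demo" ]; then
    scratch=$(mktemp -d)
    make_fixture "$scratch"
    level5 "$scratch"
    level6 "$scratch" "$(id -un)" "$(id -gn)"
    level8 "$scratch"
    rm -rf "$scratch"
fi
```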

Malware Minute: Mirai Botnet

The proliferation of IoT (Internet of Things: think Alexa) devices has brought about many complications in IT security. A scan of the types of devices presented at a consumer tradeshow would turn up hundreds of devices ranging from “smart shoes” to “smart cars.” These types of devices are constantly growing in number, yet they have very little security in place, and many of them cannot be patched if vulnerabilities are found. It is the sad state of technology and the best dream possible for malicious actors.

The availability of vulnerable IoT devices has created a flourishing environment for adversaries by providing many machines with which to carry out attacks. One incredibly famous piece of malware that used this to its advantage was Mirai. Before getting into the specifics of what Mirai was, I think it is incredibly important to explain what a botnet is.

According to Cloudflare, a botnet is a group of computers that have been infected with malware that gives control of them to a malicious actor (Cloudflare, n.d.). Essentially, the owner of the computer has relinquished control of it to another person, who has ill intent. When a bunch of these devices are compromised together, they make up a network of robots under the control of a single person, hence the name botnet.

So what was the Mirai botnet? Paras Jha and Josiah White, cofounders of Protraf Solutions, created the Mirai botnet to sell DDoS attack mitigation (Cloudflare, n.d.). The creators were attacking companies and then offering services to protect against their own attacks. A DDoS attack floods a network with requests, rendering it useless, sometimes taking systems down for hours and costing businesses approximately $10,000 or more per hour of downtime. When Mirai infects a device, it looks for other strains of malware on it and wipes them out to ensure it is the only malware that owns the device (Fruhlinger, 2018).

In 2016, a massive DDoS attack left much of the internet down along the east coast of the United States (Fruhlinger, 2018). Researchers realized that the Mirai botnet had caused this. The Mirai botnet was able to compromise over 100,000 IoT devices by searching sections of the internet for IoT devices that were using default credentials (Cloudflare, n.d.). Due to the weak security of the devices, the botnet was able to own many of those machines and carry out a large DDoS attack.

The Mirai botnet keeps mutating; many other, more powerful botnets, such as Reaper, have been created using Mirai’s source code (Cloudflare, 2019). This type of malware, and how it infects devices, is further proof of the need to change default passwords, use password managers for strong, unique passwords, and use multi-factor authentication to ensure devices are not infected with strains of malware. Mirai was stored in the memory of the device it infected, so a simple reboot would wipe the malware from the device; however, without changing the password to a stronger one, the device would likely be infected again shortly thereafter (Fruhlinger, 2018).

Works Cited

What is The Mirai Botnet? (n.d.). Cloudflare. Retrieved on April 1, 2019 from https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/

Fruhlinger, J. (2018). The Mirai botnet explained: How teen scammers and CCTV cameras almost brought down the internet. CSO. Retrieved on April 1, 2019, from https://www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html