Let’s take a moment to collect what we know about WannaCry (W32/WCry) and what we can learn from it.
When looked at from a technical perspective, WCry (in its two binary components) has the following properties.
All in all, writing the above makes me feel like it’s 2003 rather than 2017. In a perfect world, this malware outbreak should not have been able to happen, and the fact that it wasn’t even worse is thanks to the diligence of IT admins everywhere applying patches and keeping up firewall configurations. For comparison, a lowball estimate for computers infected by the W32/Blaster worm was 8 million, and the real figure could have been as high as 16 million.
With the exception of the ransomware payload, the worm is very similar to the W32/Blaster worm from 2003. Blaster attacked a vulnerability in RPC/DCOM rather than in SMB, but otherwise behaved much like WCry. All in all, the attackers were not exactly super hackers. It is rather obvious that they did not know what they were dealing with when they created the worm: they used an exploit they found and were not expecting this kind of massive distribution and attention. It feels like somebody using a sledgehammer as a fly swatter. It is very likely that the attackers are running for the hills right now, as law enforcement agencies around the world are definitely going to coordinate to hunt them down.
The answer to why WCry’s outbreak was able to happen is most likely the same as why e-mail based attacks first died off around 2008-2010 and are now again a prevalent vector: security controls that never get challenged are not seen as critical and thus tend to atrophy. Major internet and local network worms have not been a problem for several years, so organizations have neglected firewall configuration maintenance. Host firewall configuration is also often done lazily. SMB port 445 is needed outbound from workstations to the file server, and administrators often allow it bi-directionally “just in case”.
The initial run of WCry is now on the decline, but the vulnerable systems remain, so it is important to reflect back on the measures that killed past network worms over time.
And the most important thing that killed network worms was the host firewall configurations that were done according to recommended best practices.
Which, shortly put, are…
This means that workstations should have the inbound ports TCP 135, 139 and 445 and UDP 137 and 138 blocked from everything but the sources that are supposed to use those services for maintenance purposes, such as administration hosts. Servers obviously need those ports open inbound where they provide the service, but the same ports should be blocked outbound from the server, with explicit exceptions only for the server-to-server flows that genuinely need them.
With this kind of configuration, even if a host is infected with a network worm, it is unable to infect other workstations, and even if it manages to infect a server, that server cannot pass the infection back to other workstations. This configuration also makes lateral movement difficult for an APT attacker, especially if you also block the Windows Remote Management ports 5985 (HTTP) and 5986 (HTTPS) from anything but administration workstations.
Of course there are special cases, such as certain hospital MRI machines that run Windows XP, cannot be patched, and expose an SMB server for access to the MRI images. As these systems cannot be touched, it is critical to make sure that every system allowed to connect to such a resource is well protected. If all systems that can connect to such an MRI device are protected by their own firewalls, they cannot be infected by WCry or copy-cat attacks, and thus cannot pass the infection on to a device that cannot be protected.
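As an added illustration (not code from the original post), the following Python model checks the reachability argument above: given an inventory of hosts with roles and a firewall policy expressed as a function of source role, destination role and port, it computes which hosts a worm starting on one machine could reach over SMB by hopping through everything it compromises on the way. The host names and roles are constructed, the two policy functions encode the configurations discussed (the lazy bi-directional one and the recommended one), and nothing here touches a real firewall; the actual rules still have to be deployed with the host firewall, for example Windows Firewall via Group Policy.

```python
from collections import deque

WORM_PORTS = {135, 137, 138, 139, 445}   # RPC endpoint mapper, NetBIOS, SMB

# Constructed inventory (hypothetical host names): name -> role
HOSTS = {
    "ws01": "workstation", "ws02": "workstation", "ws03": "workstation",
    "admin01": "admin", "fs01": "server", "fs02": "server",
}


def lazy_policy(src_role, dst_role, port):
    """The 'bi-directional just in case' setup: worm ports open inbound on
    every host and never filtered outbound."""
    return True


def recommended_policy(src_role, dst_role, port):
    """Policy from the text: workstations (and admin workstations) accept the
    worm ports only from admin hosts; servers accept them from anyone but are
    not allowed to initiate them. Other ports are out of scope and pass."""
    if port not in WORM_PORTS:
        return True
    if src_role == "server":                     # server egress: blocked
        return False
    if dst_role in ("workstation", "admin"):     # workstation ingress
        return src_role == "admin"
    return True                                  # server ingress


def reachable(policy, start, port=445):
    """Hosts a worm starting on `start` can reach on `port`, hopping through
    every host it compromises along the way (breadth-first search)."""
    seen = {start}
    queue = deque([start])
    while queue:
        src = queue.popleft()
        for dst, dst_role in HOSTS.items():
            if dst not in seen and policy(HOSTS[src], dst_role, port):
                seen.add(dst)
                queue.append(dst)
    seen.discard(start)
    return seen


def blast_radius(policy, start, port=445):
    return len(reachable(policy, start, port))


if __name__ == "__main__":
    for name, policy in (("lazy", lazy_policy), ("recommended", recommended_policy)):
        for start in ("ws01", "fs01", "admin01"):
            print(f"{name:12s} from {start:8s}: {sorted(reachable(policy, start))}")
```

With the recommended policy an infected workstation reaches only the two file servers and an infected server reaches nothing, while the lazy policy reaches every host. The run from admin01 is the caveat: administration workstations are the one role the policy lets talk to everybody, so they deserve the strictest protection of all.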
WCry, WannaCry, Wana Decrypt0r. I’m sure at this point you’ve heard something about what the industry has dubbed the largest crypto ransomware outbreak in history. Following its debut yesterday afternoon, a lot of facts have been flying around. Here’s what we know, and don’t know.
WCry has currently made a measly $25,000
The spread of WCry was slowed by the actions of an “accidental hero” who registered a “killswitch” domain name he found in the code.
But, it only takes a small edit of that code, and a re-release to get the thing spreading like wildfire again.
It’s been featured in many public places, such as a train station in Frankfurt…
…in high street stores…
…and in academia.
It is reportedly super-easy to reverse engineer.
Microsoft has released a patch for Windows XP because of this malware…
…to the relief of many…
…including the guys running the Trident program.
Even Microsoft haven’t figured out the initial entry vector.
In case you were wondering, yes, F-Secure’s products block the WCry ransomware trojan. In fact, we block multiple mechanisms in the infection vector. Here are the WCry-associated detection names our systems have reported so far:
Here’s where we’ve been blocking it.
As a final note, the usual advice still applies. Patch your systems. Don’t run XP. And don’t click “enable content”.
You can also check out our other blog post about this outbreak.
As I mentioned in a previous post, I’m writing scripts designed to analyze patterns in Twitter streams. One of the goals of my research is to follow Twitter activity around a newsworthy event, such as an election. For example, last weekend France went to the polls to vote for a new president. And so I tuned the parameters of my scripts to see what I could find.
The script in question receives a stream of Tweets based on a list of search parameters. Here are the parameters I gave it:
['macron', 'lepen', 'presidentielle2017', 'presidentielles2017', 'MarineLePen', 'Marine2017', 'ElectionPresidentielle2017', 'enmarche', 'aunomdupeuple', 'jevote', 'emmanuelmacron', 'choisirlafrance', 'MLP', 'debat2017', 'debatpresidentiel', 'jevotepour']
I kicked the script off on the afternoon of Friday May 5th, just before 14:00 French time, and terminated it at 22:00 on Sunday May 7th, a few hours after election results had been called. The script received a stream of Twitter status objects matching the search terms above. The number of Tweets per hour varied from about 18,000 (in the middle of the night, French time) to as much as 79,000 (in the last few hours before the polls closed). Processing involved extracting metadata such as tweet language, hashtags, URLs, and mentions to a set of output files.
Quite quickly after starting the script it became apparent that there were a fair number of URLs pointing to English-language political opinion pieces being shared on the stream. As the weekend went on, it was obvious that a majority of them were positive about Le Pen and negative about Macron. Here are some examples of the sort of headlines that were being shared:
One article, whose headline read “Macron Whistleblower Dies Under Suspicious Circumstances”, insinuated that a member of the Macron campaign had been assassinated using a “heart-attack gun”. Here’s a quote from that story:
“Intelligence agencies have been using ‘heart-attack gun’ technology for years, according to a Congressional testimony video filmed in 1975. Could it be that Corinne Erhel was the victim of such technology?”
Right. Anyway, moving on…
Regardless of the configured search terms, my scripts tend to always pick up a fair amount of URLs pointing to non-authoritative opinion pieces. This stuff is usually “background noise”, but last weekend, the volume had definitely been turned up. It wasn’t until late Sunday evening that stories in French, by French publications, started to show up in the URL feed.
Since I was monitoring data about the French elections, I figured it would be interesting to see how many Tweets were in French as opposed to English. On the whole, there were more Tweets flagged as ‘fr’ by Twitter than those flagged as ‘en’. One particular moment during the weekend caught my eye, though. Have a look at this graph that depicts Tweets by language between the afternoon of Saturday May 6th and the afternoon of Sunday May 7th.
The orange line is clearly what we’d expect: after midnight on the 6th of May, the number of Tweets in French starts to drop off as people presumably went to sleep. That number then picks up again on the morning of Sunday May 7th, as people began their day. The blue line shows Tweets in English, which spike at 01:00 French time. I don’t know what caused this spike, but the time zone lines up with early evening on the American continent.
Interesting patterns were also observed with regards to hashtags. When I started the script up, and for the first few hours, top hashtags included #Macron, #LePen and #Presidentielle2017. Later in the evening of Friday May 5th, the #MacronGate hashtag started showing up. DFR Lab wrote a great article explaining the mechanisms behind this phenomenon. I highly recommend reading it. (tl;dr Bots!) The data I collected also points to patterns indicating the use of automation to push this hashtag. For instance, take a look at the following graph.
The above graph shows the number of times my script saw one of the four hashtags during each hour between 03:00 and 11:00 French time on May 7th, 2017. What you’ll notice is that the #Macron, #LePen, and #Presidentielle2017 hashtags were low-volume during the night (again, as expected, since everyone was probably asleep), and picked up as folks woke up. However, the #MacronLeaks hashtag maintained a fairly steady volume across this entire time-slice. In fact, the #MacronLeaks hashtag remained at the same steady volume all the way from its introduction on Friday evening until the election results were called. It then dropped like a stone to less than 5% of its previous volume during that hour, as the bot infrastructure was shut off.
Both the URLs and #MacronLeaks hashtags were predominantly shared by “American Alt-Right” Twitter accounts. In some cases, these accounts even tweeted/retweeted in French. At the end of the whole weekend, the most shared URL was a link to a YouTube video entitled “The Truth About Macron”. Next was the pastebin page containing links to the stolen Macron data. Seven out of the ten top shared URLs were links to non-authoritative news sources. Luckily, DFR Labs’ article made it into sixth position.
While the above analysis looks to be pretty doom and gloom, things really aren’t as bad as you might think. A vast majority of Twitter users probably wouldn’t have noticed the URL and hashtag flooding going on at all. Why? Well, performing a search in Twitter provides “Top” results by default, which ranks Tweets using an algorithm. And that algorithm appears to filter by some sort of quality (that tends to separate the wheat from the chaff). All that spamming by bot accounts going on in the background doesn’t appear to register. The same also goes for the “News” tab and the list of top 10 trending hashtags. The only place you’ll readily see the background noise is in the “Latest” tab.
So, if all that noise no longer generates much signal, why even still create it in the first place? The answer lies in the fact that the press and the media do spend the effort to dig into raw data looking for a story to run. When they find this otherwise “hidden” data, they run with it. In effect, the press are doing the bots’ jobs for them.
The French presidential election was an ideal moment for me to refine the scripts I’ve been writing to find the usage patterns associated with “active measures” in upcoming elections and world events. The UK general election is in just a few weeks, so I’ll get to see how well my changes work. I’m sure I’ll have something interesting to report on after that event happens!
There is a variant of phishing attack that is nowadays receiving much attention in the security community. It’s called the IDN homograph attack, and it takes advantage of the fact that many different Unicode characters look alike. The use of Unicode in domain names makes it easier to spoof websites, as the visual representation of an internationalized domain name in a web browser may appear indistinguishable from the legitimate site. For example, Unicode character U+0117, Latin small letter E with dot above, looks similar to the ASCII Latin small letter E. Hence it is possible to register a domain such as labsblog.xn--f-secur-z8a.com, which is equivalent to labsblog.f-securė.com.
This topic has already been thoroughly discussed. Security researchers have been warning about it for over a decade, but it has only relatively recently gained more attention – also from the bad guys. To trace this dangerous trend, we’re going to use a combination of the DNS reconnaissance tool dnstwist (which I created some time ago) and some command line kung fu to gather and analyze all the information we find.
We will start by pulling a list of the most popular websites worldwide published by Alexa Internet. This seems to be a good representative group because the very top of them should be a tempting target for phishing attacks.
The ZIP file contains a million domain names, so we’ll narrow that down to a reasonable scope of 100. This gives us something that looks like this.
We will use dnstwist, which provides a convenient way of generating domain name variations using a range of techniques, including the Unicode homograph attack. The idea is quite straightforward. The tool will use the list of 100 domains prepared above as a seed, generate a list of potential phishing domains, and then query WHOIS servers for registration dates.
An hour later we have 100 files, named after the corresponding domains. Since we’re focusing on Unicode domains, we keep only the names whose Punycode form starts with the xn-- prefix. The data is comma-delimited, so we cut out the column with the registration date. Finally, we group by year and count the number of occurrences in order to plot a nice graph.
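The pipeline above, condensed into Python as an added example (it is not dnstwist code, and the confusable table is a small hand-picked subset of the Unicode confusables list): generate look-alike spellings of the registrable label, convert between the Unicode and Punycode forms, keep only xn-- names, and tally registration years from dnstwist-style CSV rows. The CSV rows are constructed sample data, and the column names domain-name and whois-created are an assumption about the CSV layout.

```python
from collections import Counter
import csv
import io
import itertools

# Hand-picked subset of Unicode confusables for this example (the real list is
# far larger); each ASCII letter maps to look-alike code points.
CONFUSABLES = {
    "a": ["\u0430"],            # Cyrillic small a
    "c": ["\u0441"],            # Cyrillic small es
    "e": ["\u0117", "\u0435"],  # Latin e with dot above (the page's example), Cyrillic ie
    "i": ["\u0456"],            # Cyrillic-Ukrainian i
    "o": ["\u043e"],            # Cyrillic small o
    "p": ["\u0440"],            # Cyrillic small er
}


def to_ascii(domain):
    """The form seen in DNS and WHOIS: every non-ASCII label becomes xn--..."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain):
    """Inverse of to_ascii: what a browser would render for an xn-- name."""
    return domain.encode("ascii").decode("idna")


def is_idn(domain):
    return any(label.startswith("xn--") for label in to_ascii(domain).lower().split("."))


def homoglyph_variants(label, max_substitutions=1):
    """Every spelling of `label` with up to max_substitutions look-alike swaps."""
    positions = [i for i, ch in enumerate(label) if ch in CONFUSABLES]
    variants = set()
    for n in range(1, max_substitutions + 1):
        for combo in itertools.combinations(positions, n):
            for replacement in itertools.product(*(CONFUSABLES[label[i]] for i in combo)):
                chars = list(label)
                for i, ch in zip(combo, replacement):
                    chars[i] = ch
                variants.add("".join(chars))
    return variants


def variant_domains(domain, max_substitutions=1):
    """Substitute look-alikes in the registrable (second-level) label only."""
    labels = domain.split(".")
    head, sld, tld = labels[:-2], labels[-2], labels[-1:]
    return sorted(".".join(head + [v] + tld)
                  for v in homoglyph_variants(sld, max_substitutions))


def idn_registrations_by_year(csv_text, name_col="domain-name", created_col="whois-created"):
    """Count xn-- domains per registration year in dnstwist-style CSV output.
    The column names are an assumption about the CSV layout; adjust to taste."""
    years = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        created = row.get(created_col) or ""
        if is_idn(row[name_col]) and created[:4].isdigit():
            years[created[:4]] += 1
    return years


# Constructed sample rows in the shape of dnstwist CSV output (not real WHOIS data).
SAMPLE_ROWS = [
    ("original*", "google.com", "1997-09-15"),
    ("homoglyph", "g\u043eogle.com", "2011-02-01"),
    ("homoglyph", "googl\u0435.com", "2016-08-21"),
    ("bitsquatting", "goofle.com", "2014-03-03"),
    ("homoglyph", "g\u043e\u043egle.com", ""),
]
SAMPLE_CSV = "fuzzer,domain-name,whois-created\n" + "\n".join(
    f"{fuzzer},{to_ascii(name)},{created}" for fuzzer, name, created in SAMPLE_ROWS)


if __name__ == "__main__":
    for v in variant_domains("labsblog.f-secure.com"):
        print(f"{v:32s} -> {to_ascii(v)}")
    print(idn_registrations_by_year(SAMPLE_CSV))
```

Python's idna codec implements IDNA 2003, which is what the xn-- labels on this page need; a domain that browsers treat under IDNA 2008 rules may differ in edge cases (for example ß), so for a production tool use the idna package rather than the built-in codec.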
The data collected clearly shows that attackers have been using Unicode-based domains for a long time.
The top three phishing targets are Google, Facebook and Amazon.
Because the life span of a phishing domain is rather short, and because we lack data from a wider period, it is difficult to demonstrate a clear upward trend. However, given the recent interest in the subject, it can be assumed that attacks of this nature will occur more often.
At the time of conducting this research, we inadvertently discovered a domain running an active phishing site that seems to target Facebook users in China. We have notified Facebook’s security team about this incident.
I use Macs both at home and at work, and as a nerd, I enjoy using interesting stand-alone tools and apps to keep my environment secure. Some of my favorites are knockknock, ransomwhere?, and taskexplorer, from the objective-see website. I’ve also been recently playing around with (and enjoying) Monitor.app from FireEye.
When I heard that Little Flocker had been acquired by F-Secure, I paid a visit to our Mac team to find out more about it. The first thing I learned: Little Flocker has been renamed F-Secure XFENCE.
Our Mac developer tasked with this project described XFENCE as a “firewall for files.” I think that sums it up pretty well.
Here’s how it works. After an initial install and reboot, the tool goes into “learning mode”. While in this mode, XFENCE builds rules based on process behaviors and file accesses it sees, so it’s wise to do the stuff you’d usually do on your system – launch applications, access common files, and that sort of thing. Upon exiting learning mode, XFENCE saves the rules it collected, and then enters protection mode, where it prompts on any “out of the ordinary” behavior (i.e., anything it didn’t create a rule for during learning mode). Interacting with XFENCE prompts will cause new rules to be created.
We’ve had behavioral blocking mechanisms on the Windows side for ages already. Integrating XFENCE/Little Flocker’s technologies into our Mac products will finally bring that security layer to macOS. However, as you might guess from my description, XFENCE is pretty much a power-user tool at the moment. Every prompt presents the owner of the system with a decision that can only be answered correctly if the user has enough knowledge of what wanted and unwanted behavior looks like. In order to make this technology friendly for non-power-users, we’ll be turning to cloud lookups.
Our security components (on all platforms) perform reputation lookups for objects such as URLs, files, and certificates. Client-side decision logic factors in the results of these queries when deciding whether to allow an executable to run or whether a website should be blocked. In a similar vein, we’ll be building mechanisms into XFENCE to allow it to query behavioral patterns. In the future, if XFENCE sees a Microsoft Word document attempting to run an executable, it’ll prevent that from happening by default, without prompting the user (in the same way that our DeepGuard component on Windows works right now). Because launching an executable from a word document is pretty much never legit behavior.
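A toy Python model of the decision logic described in the two paragraphs above, added here for illustration; it is not XFENCE code and uses no real rule format. Events are (process, action, target) triples, learning mode turns everything seen into an allow rule, protection mode answers allow, prompt or block, and a hypothetical default-deny rule for office applications spawning executables is evaluated before the learned rules so that it fires without a prompt. Paths and application names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    process: str   # path of the acting process
    action: str    # "read", "write" or "exec"
    target: str    # file touched, or the child executable for "exec"


# Constructed: document-handling apps that should never launch executables.
OFFICE_APPS = {
    "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word",
    "/Applications/Microsoft Excel.app/Contents/MacOS/Microsoft Excel",
}


def default_deny(event):
    """Stands in for a cloud-backed behavioural verdict: evaluated before any
    learned rule, so it blocks even behaviour that was seen during learning."""
    return event.action == "exec" and event.process in OFFICE_APPS


class Monitor:
    def __init__(self):
        self.allowed = set()     # (process, action, target) learned or accepted
        self.denied = set()      # prompts the user answered with "deny"
        self.mode = "learning"

    @staticmethod
    def _key(event):
        return (event.process, event.action, event.target)

    def enter_protection_mode(self):
        self.mode = "protection"

    def observe(self, event):
        """Decision for one event: "allow", "block" or "prompt"."""
        key = self._key(event)
        if default_deny(event):
            return "block"
        if self.mode == "learning":
            self.allowed.add(key)          # everything seen becomes a rule
            return "allow"
        if key in self.denied:
            return "block"
        return "allow" if key in self.allowed else "prompt"

    def answer_prompt(self, event, allow):
        """The user's answer to a prompt is persisted as a rule."""
        key = self._key(event)
        (self.allowed if allow else self.denied).add(key)
        return "allow" if allow else "block"


if __name__ == "__main__":
    m = Monitor()
    terminal = "/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal"
    m.observe(Event(terminal, "read", "/Users/me/notes.txt"))
    m.enter_protection_mode()
    print(m.observe(Event(terminal, "read", "/Users/me/notes.txt")))      # allow
    print(m.observe(Event(terminal, "write", "/Users/me/.ssh/config")))   # prompt
    word = "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word"
    print(m.observe(Event(word, "exec", "/tmp/update.exe")))              # block
```

The ordering is the security-relevant part: the default-deny check runs first, so a learned rule can never whitelist the behaviour the cloud verdict is meant to stop, and the prompt only appears for behaviour that neither the verdict nor the learned rules cover.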
Well, almost. An analyst on our Threat Intelligence team recently discovered a sample in-the-wild in which an IT guy (presumably) was attempting to deploy updates to computers in his organization by emailing employees Word docs containing embedded executables. Our product would prevent such “update mechanisms” from working. And we recommended approaching such tasks in a different (and more sane) manner. 🙂
We’ve started up a beta program for folks who would like to help us test XFENCE, and use it for free (as in beer). And we plan to add features such as the cloud lookup mechanisms I detailed here. We’re very keen on getting feedback! You can find the beta program for XFENCE here.
We’ve published a White Paper today titled: The Callisto Group.
And who/what is the Callisto Group? A good question; here’s the paper’s summary.
Heavy use of spear phishing, and malicious attachments sent via legitimate, but compromised, email accounts.
Don’t click “OK”.
I’ve just started experimenting with Tweepy to write a series of scripts attempting to identify Twitter bots and sockpuppet rings. It’s been a while since I last played around with this kind of stuff, so I decided to start by writing a couple of small test scripts. In order to properly test it, I needed to point towards an active account. So, I opted for @realDonaldTrump.
After collecting data from the past 12 months, Sean and I realized that it should be broken into four separate sets to provide context. Here’s how we’ve broken it down.
The following diagram shows activity based on time and day, broken down by the four time periods defined above. As you can see, the highest Twitter activity has always occurred between early and mid-afternoon. Note the almost complete lack of activity between 08:00 and 12:00. Anybody developing Twitter bots for trading purposes might want to flag any activity on this account during that time-slot as “out of band”, and worthy of closer attention.
Here’s the time of day data graphed. Notice that Trump’s daily Twitter activity pattern didn’t really change across this data set.
Notice the last graph? This is the change of behavior I alluded to earlier. Prior to March 7th, 2017, Tweets posted via “Twitter for Android” were always in the overwhelming majority. The only other data set that shows significant iPhone usage is the election campaign period. And those Tweets can be most likely attributed to campaign staff.
So, how much did @realDonaldTrump Tweet before and after becoming POTUS?
During the run up to the 2016 elections, @realDonaldTrump’s account posted about twice as many Tweets per week as in the following months. The above graph also nicely illustrates the switch from Android to iPhone in week 10 of 2017. Here’s another graph that illustrates it.
Well, why did @realDonaldTrump’s account suddenly shift from Android to iPhone? It could have been something that was in the works (for security reasons). Or… it might have something to do with this Tweet.
Whatever the reason, the “schedule” remains more or less the same.
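Both of the analyses on this page, the hashtag-volume check from the French election post (a hashtag whose hourly volume ignores the day/night cycle is a hint of automation) and the time-of-day profile above (activity in hours an account never uses is out of band), reduce to the same hour-of-day binning. The following Python is an added example of that, not the author's scripts or Tweepy code. The tweet records are constructed in synth_stream() and synth_account() to have the shapes described in the text, timestamps are naive local time, and the thresholds (coefficient of variation below 0.25, less than 1% share per hour) are arbitrary starting points, not values from the posts.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def synth_stream(start=datetime(2017, 5, 6, 0, 0)):
    """Constructed 24 h of tweet records (not real Twitter data): #macron
    follows a day/night cycle, #macronleaks is posted at a constant rate."""
    records = []
    for hour in range(24):
        per_hour = 60 if 8 <= hour <= 22 else 5             # human-looking
        for i in range(per_hour):
            records.append({"created_at": start + timedelta(hours=hour, minutes=i),
                            "hashtags": ["macron"], "lang": "fr"})
        for i in range(20):                                  # steady, bot-like
            records.append({"created_at": start + timedelta(hours=hour, minutes=3 * i),
                            "hashtags": ["macronleaks"], "lang": "en"})
    return records


def hourly_counts(records, key):
    """key(record) -> iterable of names; returns name -> Counter(hour -> n)."""
    out = defaultdict(Counter)
    for rec in records:
        for name in key(rec):
            out[name][rec["created_at"].hour] += 1
    return out


def coefficient_of_variation(counter):
    """Spread of the 24 hourly buckets relative to their mean; 0 means flat."""
    values = [counter.get(h, 0) for h in range(24)]
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def flat_hashtags(records, threshold=0.25, min_total=50):
    """Hashtags whose hourly volume barely moves across the day: humans sleep,
    automation does not, so a near-zero spread is worth a closer look."""
    flat = {}
    for tag, counter in hourly_counts(records, lambda r: r["hashtags"]).items():
        if sum(counter.values()) < min_total:
            continue
        cv = coefficient_of_variation(counter)
        if cv < threshold:
            flat[tag] = round(cv, 3)
    return flat


def synth_account(start=datetime(2017, 1, 20, 0, 0)):
    """Constructed posting history for one account: afternoons only."""
    return [{"created_at": start + timedelta(days=day, hours=hour)}
            for day in range(30) for hour in (13, 14, 15, 16)]


def hour_profile(records):
    """Share of the account's tweets falling in each hour of the day."""
    counts = Counter(r["created_at"].hour for r in records)
    total = len(records)
    return {h: counts.get(h, 0) / total for h in range(24)}


def out_of_band(records, profile, min_share=0.01):
    """Tweets posted in hours the profile says the account almost never uses."""
    quiet = {h for h, share in profile.items() if share < min_share}
    return [r for r in records if r["created_at"].hour in quiet]


if __name__ == "__main__":
    print("flat hashtags:", flat_hashtags(synth_stream()))
    profile = hour_profile(synth_account())
    fresh = [{"created_at": datetime(2017, 5, 1, 9, 30)},
             {"created_at": datetime(2017, 5, 1, 14, 5)}]
    print("out of band:", out_of_band(fresh, profile))
```

Feeding real stream data means converting each status object's created_at (UTC) into the local time zone of the audience and copying its hashtag entities into the hashtags list; the binning and thresholds are unchanged.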
Perhaps we’ll build a bot of our own. It’s a work in progress, and I’ll post on this more in the future.
This operation is what’s known as an upstream attack, a method of compromise that we detailed in our State of Cyber Security 2017 report.
A stand-alone version of the (very informative) upstream attack article is now also available: The Weakest Link.
Yesterday, between 9:00 and midnight GMT, we observed three massive malware spam runs. Their magnitude clearly stood out against the average daily volume of spam with attachments. The campaigns were largely sent to accounts with e-mail addresses under .co.uk.
The first run, with subject lines such as “Your Booking 938721” (numbers vary) started at 8:30 GMT, with a very lengthy booking confirmation text body stating that the attached document needs to be printed out. See below.
The attachment is a .zip file containing another compressed file, in either .zip or .rar format. The doubly compressed item is either a VBS script that downloads and executes the Dridex banking trojan loader binary, or a Quant loader binary that downloads the same Dridex binary.
The second campaign started around 13:30 GMT and had a similar theme to the first one, with subject lines such as “uk_confirmation_ph948261563.pdf” (numbers vary). The attached file is also a doubly zip-compressed file, but this time it contained the Dridex loader binary without any intermediate downloader, together with a text file of instructions (which, if followed, result in compromise).
The third spam run began just before 18:00 GMT, had subject lines such as “Emailing: P2993995.JPG” (numbers vary), and carried a doubly compressed zip-file attachment. The body of the mail gave the impression that it was a bounce message from a mail server. The compressed items were similar to the second run, comprising a Dridex binary and a short text file stating that the binary needs to be executed.
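An added example (not F-Secure detection logic) of triaging attachments for the pattern common to all three runs: an archive inside an archive with a script or executable at the bottom. It is Python using only the standard library; the nested ZIP samples are constructed in memory, nested .zip members are opened recursively with a depth and size cap as a zip-bomb guard, and .rar or .7z members are reported by extension only, since nothing here parses those formats.

```python
import io
import zipfile

SCRIPT_EXT = {".vbs", ".js", ".jse", ".wsf", ".hta", ".ps1", ".bat", ".cmd"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif"}
ARCHIVE_EXT = {".zip", ".rar", ".7z"}
MAX_MEMBER = 50 * 1024 * 1024   # refuse to inflate anything larger (zip-bomb guard)


def ext(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def walk_zip(data, depth=0, max_depth=3):
    """Yield (depth, member name) for every member, descending into nested
    .zip members. Other archive formats are reported but not opened."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return
    with zf:
        for info in zf.infolist():
            yield depth, info.filename
            if (ext(info.filename) == ".zip" and depth < max_depth
                    and info.file_size <= MAX_MEMBER):
                yield from walk_zip(zf.read(info), depth + 1, max_depth)


def triage(attachment_name, data):
    """Classify a mail attachment as described in the spam runs above:
    archive-in-archive with a script or executable at the bottom."""
    members = list(walk_zip(data))
    findings = []
    for depth, name in members:
        e = ext(name)
        if e in SCRIPT_EXT:
            findings.append(f"script {name} at depth {depth}")
        elif e in EXEC_EXT:
            findings.append(f"executable {name} at depth {depth}")
        elif e in ARCHIVE_EXT and e != ".zip":
            findings.append(f"unparsed archive {name} at depth {depth}")
    double_compressed = any(ext(n) in ARCHIVE_EXT for _, n in members)
    return {
        "attachment": attachment_name,
        "double_compressed": double_compressed,
        "findings": findings,
        "suspicious": bool(findings),
    }


def build_zip(members):
    """Constructed test data: members is {name: bytes}; returns zip bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples mimicking the first spam run (not the real attachments).
MALICIOUS = build_zip({"Booking_938721.zip": build_zip({"Booking_938721.vbs": b"' downloader stub\r\n"})})
BENIGN = build_zip({"report.pdf": b"%PDF-1.4 ..."})


if __name__ == "__main__":
    print(triage("Booking_938721.zip", MALICIOUS))
    print(triage("report.zip", BENIGN))
```

The verdict keys on what is inside, not on the outer extension, which is the point: all three runs looked like ordinary .zip attachments until opened. An unparsed inner .rar still counts as a finding because it hides exactly the content this check exists to see.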
This campaign of the Dridex banking trojan (campaign ID 7200) is targeting customers of multiple commercial banks in the UK, such as Barclays, Lloyds, and Santander.
Sample hashes (SHA1):
7f4aec2a738d13f4e0882ae917578f9176aab05d
32b442717c22a1e84d6eafbb20d794f781db4f05
694266450ffedf4008f0cf0e5573c63c56f2e5d0
e815d6b25675629a85d64a1f2d450da02c8cc579
299cd2cd9f4942b143c51e6d1e10ea240edcd65a
4379ab1633143b855e553d507366104c9d51b20d
5f9f46f34fdaceb6b2bb74043eb6cbbd2657fe16
7e3b81248835d59cfa780a315836694950fbc88c
9baf8662843220f52d0d5797efc70f886e60138f
9bddc3695c7272f3d848afe7a763d61497e518ab
d4ea89cfd13794c8c79625e74e6f4e44be9bfa27
176e33b265829b7c1922be76652ec254148eb278
4f60ec876a7b59d547c01977bb13aba95114290b
baf1d46ffeae15faffc6a905a2b6797bf06d0734
71792564c59392c6f875c18bb62b7f501ba48a5d
feebdfc11a48fb72497683aa9a3447256ea04fb2
1f98860ad4fd5b8e59069a069735864f5756bc70
2fc7a8b3fabc1c4824fd5eebd9150a7f6efce740
637d81336b0734b43fe724c7b5411bb428dec54a
e13fbb78710f6b3fa1981b9e958494b1f6de6d16
f2592c565e0e3483e7aae18863e3f0558a78ba1f
539af507be8ca297ce0aa14054b31a93a5998c0e
9a418586f2741f47e7e827e67d83d6ff7ca45ab0
cc5a97d500161cd80eec1cab210583cdff003c2c
155863bcd4ea677986beb13b1e519f3f71cf2183
The loader phones home to:
hxxp://solucionesfenix[.]net/33f3v3.exe
hxxp://nzhat[.]net/9jgtyft6
We detect these threats with detections such as:
Google announced on Wednesday that it will soon add real-time location sharing to Google Maps. The feature set appears to be very reminiscent of Google Latitude, which was introduced (way back) in 2009. Location sharing will undoubtedly be a popular option for many, but it may come with OPSEC considerations for others. Here’s what I wrote about […] (2017-03-23)
A Turkish hacking group is reportedly attempting to extort Apple over a compromised cache of iCloud account data. This activity is on the heels of last week’s Turkish-related Twitter account hacks via a service called Twitter Counter. And that brings to mind this article (by Andy)… OVER THE PAST FEW YEARS, you’ve probably heard […] (2017-03-22)
We’ve been asked numerous questions about WikiLeaks’ March 7th CIA document dump. Did the news surprise you? No. Spies spy. And that spies use hacking tools… is expected. (“Q” does cyber these days.) Does this mean that the CIA will have to start over and rebuild a completely new set of tools? Does it need […] (2017-03-09)
Apple and Google have issued statements to the media regarding WikiLeaks’ March 7th publication of CIA documents. Here’s Apple’s statement via BuzzFeed News. According to Apple, its “products and software are designed to quickly get security updates” to its customers. So, just how well does that statement hold up to what we see in-the-wild? Well, […] (2017-03-09)
AV-Test has awarded F-Secure Client Security with Best Protection 2016! And as tradition dictates, we took it on a tour of Helsinki. As a reminder, AV-Test’s Best Protection award is based on continuous real-world testing, over the entire year, against the most reliable and well-trusted endpoint protection vendors on the market. We’re proud to have, once […] (2017-03-03)
Jarkko Turkulainen, a Senior Researcher on our Threat Intelligence team, has (today!) publicly released a research tool called Reflash. It’s a proof-of-concept framework for analyzing Adobe Flash files. It produces an SQL database of Flash VM stack traces by injecting dynamically generated instrumentation into Flash files. The SQL database can later be analyzed with various […] (2017-02-23)
In January 2017, I began tracking the “customer portal” of an innovative new family of crypto-ransomware called Spora. Among its innovations are a dedicated domain (spora.biz, spora.bz, et cetera) running a Tor web proxy, HTTPS support, an initially lower extortion demand, and tiered pricing with options to decrypt individual files (up to 25 MB in size) […] (2017-02-22)
For more than 10 years, we’ve released an annual report/summary featuring observations, research, and malware trends. And in past years, this publication has included the word “threat” in its title. But no more! There are rather significant changes this year in our… State of Cyber Security. The new title reflects a change in the type […] (2017-02-15)
On June 2nd 2015, F-Secure announced via a press release its acquisition of the Danish Cyber Security firm, nSense. That press release contained the following snippet: “the combined portfolio will allow F-Secure to provide top-tier incident response and forensic expertise, comprehensive vulnerability assessment, and threat intelligence and security management services to enterprises and businesses with […] (2017-02-08)
Confirmation bias, according to Google, is “the tendency to interpret new evidence as confirmation of one’s existing beliefs or theories.” Technology… potentially opens up a vast new realm of evidence, and that, if not very carefully analyzed, risks feeding confirmation bias. Last Friday, Journal News reported that a man from Middletown, Ohio was charged with […] (2017-02-01)