First Wannacry….Leave My Samba Alone.

Hello All. Well it was only a matter of time before the 7-year old Samba remote code execution vulnerability bubbled to the surface, given the craziness with Wannacry. For those of you who do not know what Samba is, it is an open-source software package that provides file and print services to SMB/CIFS clients.

This flaw, referred to by CVE-2017-7494, can be exploited if the vulnerable hosts make port TCP/445 reachable via the Internet and have configured shared files to have write privileges, and use known or guessable server paths for those files. When those requirements are met, a remote attacker could potentially upload any code of their choosing and cause the server to execute it, possibly with root privileges, depending on the vulnerable platform.

As per Ars, “When the Windows vulnerability was first disclosed in April, many security experts assumed it would be hard to exploit because few computers would expose file- and print-sharing capabilities on the Internet. The rapid spread of WCry quickly dashed those assumptions. Dan Tentler, founder of security firm Phobos Group, told Ars that more than 477,000 Samba-enabled computers exposed port 445, although it wasn’t clear how many of them were running a vulnerable version of the utility. Tentler cited figures returned by the Shodan computer search engine.

There are also clear differences between the Windows and Samba vulnerabilities. For starters, Samba isn’t as widely used as Microsoft’s implementation of SMB. Another key difference is the absence of any equivalent to “DoublePulsar,” the advanced weaponized backdoor developed by the National Security Agency and leaked by a mysterious group calling itself the Shadow Brokers. DoublePulsar made capitalizing on the Windows flaw easy for WCry.”

Rapid7 has an exploit available for Metasploit and has also provided some good stats – https://community.rapid7.com/community/infosec/blog/2017/05/25/patching-cve-2017-7494-in-samba-it-s-the-circle-of-life

Heads on a swivel everyone….heads on a swivel.

WannaCry/WannaCrypt Ransomware

Hello All. More nasty ransomware has reared its ugly head. This time, the worst to date, sending organizations in to turmoil around the globe.  As CNN reported in their headline, “WannaCrypt ransomware attack should make us wanna cry”.  On Friday, May 12, 2017, this well coordinated ransomware attack hit some 74 countries, affecting a large number or organizations globally including companies, rail operators, universities, hospitals and Internet providers.

As per The Register, “WannaCrypt is installed on vulnerable Windows computers by a worm that spreads across networks by exploiting a vulnerability in Microsoft’s SMB file-sharing services. It specifically abuses a bug designated MS17-010 that Redmond patched in March for modern versions of Windows, and today for legacy versions – all remaining un-patched systems are therefore vulnerable and can be attacked. This bug was, once upon a time, exploited by the NSA to hijack and spy on its targets. Its internal tool to do this, codenamed Eternalblue, was stolen from the agency, and leaked online in April – putting this US government cyber-weapon into the hands of any willing miscreant. Almost immediately, it was used to hijack thousands of machines on the internet. Now someone has taken that tool and strapped it to ransomware: the result is a variant of WannaCrypt, which spreads via SMB and, after landing on a computer, encrypts as many files as it can find. It charges $300 or $600 in Bitcoin to restore the documents. It is adept at bringing offices and homes to a halt by locking away their data. And it installs Doublepulsar, a backdoor that allows the machine to be remotely controlled. That’s another stolen NSA tool leaked alongside Eternalblue. The malware is also controlled via the anonymizing Tor network by connecting to hidden services to receive further commands from its masters.”

As noted, Microsoft has released the bulletin MS17-010 (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx), and suggest disabling SMBv1 to avoid potential spread of the malware. Microsoft has also released a patch to combat the SMBv1 vulnerability – https://support.microsoft.com/en-us/help/4013389/title. My suggestion is if you plan is to disable SMBv1 – be totally sure of what in your environment may be relying on this protocol (i.e. authentication, etc.) as you may break something by taking this route.

Cisco’s Talos team have done a great job breaking down the components of this malware – http://blog.talosintelligence.com/2017/05/wannacry.html as has Forcepoint Labs – https://blogs.forcepoint.com/security-labs/wannacry-ransomware-worm-targets-unpatched-systems

New Malware Can fully Compromise your Mac…

mac-virus-trojanHello All. There is some new malware out there affecting Macs. The malware has been called Backdoor.MAC.Eleanor by security researchers. It provides attackers with a backdoor into OS X systems by embedding a script into a fake file converter application that’s found on many reputable sites that sell Mac apps.

“This type of malware is particularly dangerous as it’s hard to detect and offers the attacker full control of the compromised system,” says Tiberius Axinte, Technical Leader, at Bitdefender Antimalware Lab. “For instance, someone can lock you out of your laptop, threaten to blackmail you to restore your private files or transform your laptop into a botnet to attack other devices. The possibilities are endless.”

As per Cult of Mac, Bitdefender researchers found the malware in the EasyDoc Converter app which poses as a drag-and-drop file converter but actually has no functionality other than downloading the malicious script onto the machine.

Backdoor.MAC.Eleanor creates a unique Tor address on infected machines, allowing attackers to connect and fully access the complete files system, as well as capture images and videos through the web camera.

Because the app hasn’t been signed by Apple, security researchers recommend changing your Mac’s security setting to only allow apps downloaded from the Mac App Store and identified developers.

Microsoft Office 365 Hit With Ramsomware

office365logoweb_1003666Hello All. It seems that Microsoft cloud services are not immune to ransomware. Reports say that the Office 365 service was hit with the Cerber ransomware. When infected, a victim’s data files will be encrypted using AES encryption and will be told they need to pay a ransom of 1.24 bitcoins or 500 USD to get their files back. Unfortunately, at this point there is no known way to decrypt a victim’s encrypted files for free.

At this time we do not currently know how the Cerber ransomware is being distributed, but according to SenseCy, it is being offered as a service on a closed underground Russian forum.

As per SC Magazine – Steven Toole, a researcher for the cloud-security firm Avanan, blogged that his company saw the first attack roll in at 6:44 a.m. on June 22 and that at least 57 percent of all Office 365 customers on Avanan’s platform received at least one phishing attempt that contained the infected attachment and Avanan extrapolated that the same number of all Office 365 users were involved. While Avanan did not supply a specific number of those possibly hit, Microsoft reported in its first quarter 2016 earnings report that there are 18.2 million Office 365 subscribers. Toole said it took Microsoft more than 24 hours to detect the attack and start blocking the attachment.

A good analysis of Cerber can be found on Bleeping Computer – http://www.bleepingcomputer.com/news/security/the-cerber-ransomware-not-only-encrypts-your-data-but-also-speaks-to-you/

Cisco Releases Solution to TeslaCrypt Ransomware

Thank you Cisco for the helpful solution to TeslaCrypt Ransomware, specifically being able to decrypt files that Tesla has munged.

TeslaCrypt-1

Some details from the Cisco blog site:

At the first glance, the dropper appears to be related to the original CryptoLocker. The malware states that data files, such as photos, videos and documents on the victim’s computer have been encrypted with the RSA-2048 asymmetric algorithm. As we shall see, that statement is not entirely accurate.

Targeting files that users value highly makes ransomware very effective at getting users to pay the ransom. TeslaCrypt is interesting because it also targets and encrypts computer games files, such as saved games and Steam activation keys. This means that TeslaCrypt is targeting many different types of users, including PC gamers. Just like irreplaceable photos, a game save, which is the product of countless hours of gaming, is extremely valuable and hard to replace.

We have analysed two samples of TeslaCrypt, the first dated March 2015 and the second dated April 2015. Their SHA256 are:

  • 3372c1edab46837f1e973164fa2d726c5c5e17bcb888828ccd7c4dfcc234a370
  • 6c6f88ebd42e3ef5ca6c77622176183414d318845f709591bc4117704f1c95f4

Both samples implement the following hashing algorithms:

  • SHA1
  • SHA256
  • RIPEMD160
  • BASE58
  • BASE64

File encryption is performed in a dedicated thread. The code for the encryption thread takes the shifted master key, calculates its SHA256 hash and starts to enumerate all files of the victim workstation (filtering by extension type, Tesla Crypt supports over 170 different file extensions).

“EncryptFile” is the function that manages the entire file-encryption process. It:

  • generates a 16-bytes Initialization Vector for AES, using the GetAndHashOsData API function
  • reads the target file
  • initializes the AES encryption algorithm through the creation of the AES context data structure
  • finally encrypts the contents of the file using an AES CBC 256-bit algorithm implemented in the “EncryptWithCbcAes” function.

When the process is complete, the new encrypted file is created. The new file contains a small header (composed of the AES Initialization Vector in its first 16 bytes followed by the original file size in the next 4 bytes), and then the actual encrypted bytes.

Our decryption utility is a command line utility. It needs the “key.dat” file to properly recover the master key used for file encryption. Before it begins execution, it searches for “key.dat” in its original location (the user’s Application Data directory), or in the current directory. If it isn’t able to find and correctly parse the “key.dat” file, it will return an error and exit.

Click for Larger Image

To use this tool, just copy the “key.dat” file into the tool’s directory and then specify either the encrypted file or a directory containing encrypted files. That’s it! Files should be decrypted and returned to their original content.

Here is the list of command line options:

  • /help – Show the help message
  • /key – Manually specify the master key for the decryption (32 bytes/64 digits)
  • /keyfile – Specify the path of the “key.dat” file used to recover the master key.
  • /file – Decrypt an encrypted file
  • /dir – Decrypt all the “.ecc” files in the target directory and its subdirs
  • /scanEntirePc – Decrypt “.ecc” files on the entire computer
  • /KeepOriginal – Keep the original file(s) in the encryption process
  • /deleteTeslaCrypt – Automatically kill and delete the TeslaCrypt dropper (if found active in the target system)

Back up your encrypted files before you use this utility. Provided without any guarantees.

Here are the tool links: