Friday, April 27, 2018

Mr. Pompeo: It's the US, not Russia or N. Korea, that has given every hacker in the world access to lethal cyber weapons. NSA's EternalBlue was the centerpiece of the May 2017 WannaCry global cyber attacks. Due to NSA negligence, its elite hacking tool EternalBlue is now "in every hacker's toolbox" and will be the "go-to tool for attackers for years to come" - Wired, 3/7/18

NSA’s EternalBlue is “in every hacker’s toolbox.” EternalBlue, a sophisticated, top-secret US cyber espionage tool, is now the people’s crowbar. It is also frequently used by an array of nation state hackers. It will be years before enough computers are patched against EternalBlue. And because so many different actors use it, its presence in an attack hides or gives false clues about the geographic location of the hacker.

3/7/18, The Leaked NSA Spy Tool That Hacked the World, Wired, Lily Hay Newman

Leaked to the public not quite a year ago, EternalBlue has joined a long line of reliable hacker favorites. The Conficker Windows worm infected millions of computers in 2008, and the Welchia remote code execution worm wreaked havoc in 2003.

EternalBlue is certainly continuing that tradition—and by all indications it’s not going anywhere. If anything, security analysts only see use of the exploit diversifying as attackers develop new, clever applications, or simply discover how easy it is to deploy…. 

EternalBlue is the name of both a software vulnerability in Microsoft’s Windows operating system and an exploit the National Security Agency developed to weaponize the bug. In April 2017, the exploit leaked to the public, part of the fifth release of alleged NSA tools by the still mysterious group known as the Shadow Brokers. 

Unsurprisingly, the agency has never confirmed that it created EternalBlue, or anything else in the Shadow Brokers releases, but numerous reports corroborate its origin—and even Microsoft has publicly attributed its existence to the NSA. 

The tool exploits a vulnerability in the Windows Server Message Block, a transport protocol that allows Windows machines to communicate with each other and other devices for things like remote services and file and printer sharing. Attackers manipulate flaws in how SMB handles certain packets to remotely execute any code they want. Once they have that foothold into that initial target device, they can then fan out across a network.

Microsoft released its EternalBlue patches on March 14 of last year [2017]. But security update adoption is spotty, especially on corporate and institutional networks. Within two months, EternalBlue was the centerpiece of the worldwide WannaCry ransomware attacks….As WannaCry hit, Microsoft even took the “highly unusual step” of issuing patches for the still popular, but long-unsupported Windows XP and Windows Server 2003 operating systems. 

In the aftermath of WannaCry, Microsoft and others criticized the NSA for keeping the EternalBlue vulnerability a secret for years instead of proactively disclosing it for patching. Some reports estimate that the NSA used and continued to refine the EternalBlue exploit for at least five years, and only warned Microsoft when the agency discovered that the exploit had been stolen. EternalBlue can also be used in concert with other NSA exploits released by the Shadow Brokers, like the kernel backdoor known as DarkPulsar, which burrows deep into the trusted core of a computer where it can often lurk undetected. 

The versatility of the tool has made it an appealing workhorse for hackers. And though WannaCry raised EternalBlue’s profile, many attackers had already realized the exploit’s potential by then.
 
Within days of the Shadow Brokers release, security analysts say that they began to see bad actors using EternalBlue to extract passwords from browsers, and to install malicious cryptocurrency miners on target devices. “WannaCry was a big splash and made all the news because it was ransomware, but before that attackers had actually used the same EternalBlue exploit to infect machines and run miners on them,” says Jérôme Segura, lead malware intelligence analyst at the security firm Malwarebytes. “There are definitely a lot of machines that are exposed in some capacity.”

Even a year after Microsoft issued a patch, attackers can still rely on the EternalBlue exploit to target victims, because so many machines remain defenseless to this day. “EternalBlue will be a go-to tool for attackers for years to come,” says Jake Williams, founder of the security firm Rendition Infosec, who formerly worked at the NSA. “Particularly in air-gapped and industrial networks, patching takes a lot of time and machines get missed. There are many XP and Server 2003 machines that were taken off of patching programs before the patch for EternalBlue was backported to these now-unsupported platforms.”

At this point, EternalBlue has fully transitioned into one of the ubiquitous, name-brand instruments in every hacker’s toolbox, much like the password extraction tool Mimikatz. But EternalBlue’s widespread use is tinged with the added irony that a sophisticated, top-secret US cyber espionage tool is now the people’s crowbar. It is also frequently used by an array of nation state hackers including those in Russia’s Fancy Bear group, who started deploying EternalBlue last year as part of targeted attacks to gather passwords and other sensitive data on hotel Wi-Fi networks.

New examples of EternalBlue’s use in the wild still crop up frequently. In February, more attackers leveraged EternalBlue to install cryptocurrency-mining software on victim computers and servers, refining the techniques to make the attacks more reliable and effective. “EternalBlue is ideal for many attackers because it leaves very few event logs,” or digital traces, Rendition Infosec’s Williams notes. “Third-party software is required to see the exploitation attempts.”

And just last week, security researchers at Symantec published findings on the Iran-based hacking group Chafer, which has used EternalBlue as part of its expanded operations. In the past year, Chafer has attacked targets around the Middle East, focusing on transportation groups like airlines, aircraft services, industry technology firms, and telecoms. 

“It’s incredible that a tool which was used by intelligence services is now publicly available and so widely used amongst malicious actors,” says Vikram Thakur, technical director of Symantec’s security response. “To [a hacker] it’s just a tool to make their lives easier in spreading across a network. Plus they use these tools in trying to evade attribution. It makes it harder for us to determine whether the attacker was sitting in country one or two or three.”

It will be years before enough computers are patched against EternalBlue that hackers retire it from their arsenals. At least by now security experts know to watch for it—and to appreciate the clever innovations hackers come up with to use the exploit in more and more types of attacks.
……………………

Added: Re: the US city of Atlanta, Georgia, whose internet-facing servers were found infected with the NSA-developed DoublePulsar backdoor in late April to early May 2017, weeks before the May 2017 global WannaCry disaster, per cyber security firm Rendition Infosec. WannaCry was made possible by NSA tools which appeared on the internet in 2016 and 2017:

3/28/18, Atlanta, hit by ransomware attack, also fell victim to leaked NSA exploits, ZDNet, Zack Whittaker

“According to one security firm, last week’s cyberattack was not a surprise because the city had fallen victim to leaked government exploits used in the [2017] WannaCry outbreak [which used leaked hacking tools developed by the National Security Agency.]

New data provided by Augusta, Ga.-based cybersecurity firm Rendition Infosec, seen by ZDNet, shows that the city’s network was silently infected last year [2017] with leaked exploits developed by the National Security Agency. 

The cybersecurity firm’s founder Jake Williams said at least five internet-facing city servers were infected with the NSA-developed DoublePulsar backdoor in late April to early May 2017.

That was more than a month after Microsoft released critical patches for the exploits and urged users to install. 

The NSA exploits were stolen in 2016 in one of the biggest breaches of classified files since the Edward Snowden disclosures.

The [alleged] hackers [described as “leakers” in headline and elsewhere in this article] who stole the exploits, known as the Shadow Brokers, attempted to auction off the files but failed. 

Microsoft learned of the theft of these tools and, fearing that they would be used or publicly released, the company quietly released security patches for the exploit in March. Weeks later, the tools were dumped online for anyone to use. 

According to Williams, the city’s networks were left unpatched for weeks making them vulnerable to ransomware attacks.

“Based on our data, we can say for an organization of its size, the city of Atlanta had a substandard security posture in April 2017, making the scope of the ransomware attack far from surprising,” Williams told ZDNet.

Williams also wrote up his findings Tuesday in a detailed blog post. 

Just two weeks later, the WannaCry ransomware attack hit.

The attack was the biggest of its kind — spreading throughout several countries, infecting hundreds of thousands of computers. The ransomware used the leaked NSA exploit dubbed EternalBlue, which attacks a flaw in Windows SMB, and drops the DoublePulsar backdoor and waits. It’s that DoublePulsar backdoor that allows an attacker to remotely execute a malicious payload — such as ransomware.

Williams said his firm detected 148,000 infected machines at its peak — machines that were directly connected to the internet.

But that doesn’t account for the vast number of machines connected to those infected servers — likely putting the final number of machines at risk significantly higher. 

Williams stopped scanning for infected servers only by chance before the WannaCry attack, because as security patches were applied, the number of vulnerable systems was going down. 

It’s not known if Atlanta patched its network during that two week period before the WannaCry attack.

When reached, a spokesperson for the City of Atlanta was unable to comment on specific questions we had. 

Williams confirmed that as of Monday, none of Atlanta’s systems are still infected by the NSA exploits –– though, he said, it’s not known if the clean-up is a response to Thursday’s cyberattack or not.

Atlanta’s recovery efforts continue “around the clock,” said Bottoms.

CSO security reporter Steve Ragan reported earlier Tuesday that the portal used to pay the ransom — if the city decides to do so — has been pulled offline by the ransomware attacker. A screenshot of a city employee’s computer, which included the dark-web address used to access the payment portal, was publicized by local media. 

Although some of the city’s machines are slowly coming back online, many systems remain locked. For now, it’s not known when — or even if — the city will get fully back up and running.
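Both articles above describe the two things a defender needed to know in 2017: whether a Windows host still had the SMB flaw (the unpatched machines Wired describes) and whether it was already carrying the DoublePulsar backdoor that EternalBlue drops (the infected Atlanta servers Rendition Infosec reported to ZDNet). The Python below is an added example, not code from either article and not Rendition's scanner; whether Rendition's scan worked this way is not stated. It interprets SMB1 replies the way two public checks of the time do: the Transaction/PeekNamedPipe status test used by nmap's smb-vuln-ms17-010 script, and the Trans2 SESSION_SETUP ping used by Countercept's DoublePulsar detection script. It does no networking, and building the probe requests themselves (sent after an SMB1 Negotiate, anonymous Session Setup and Tree Connect to IPC$) is outside its scope; every reply it classifies is constructed inline.

```python
"""Interpret SMB1 replies from two public MS17-010-era scanner checks.

Added example: not code from the Wired or ZDNet articles quoted on this
page and not Rendition Infosec's scanner. Parsing only, no networking;
every reply below is constructed inline.
"""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION = 0x25    # reply to the PeekNamedPipe patch check
SMB_COM_TRANSACTION2 = 0x32   # reply to the DoublePulsar SESSION_SETUP ping

FLAGS2_NT_STATUS = 0x4000     # Status field is an NT status only if this is set
STATUS_INVALID_HANDLE = 0xC0000008
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205

PROBE_MID = 0x41              # Multiplex ID the Trans2 ping is sent with
DOUBLEPULSAR_MID = 0x51       # Multiplex ID an infected host answers with

# SMB1 header (MS-CIFS 2.2.3.1): 32 bytes, little-endian, after a
# 4-byte NetBIOS session header (type 0x00 + 24-bit big-endian length).
SMB_HEADER = struct.Struct("<4sBIBHH8sHHHHH")


def parse_smb1(raw):
    """Unpack the SMB1 header; None for anything not a complete SMB1 frame
    (short read, bad NetBIOS length, SMB2 reply, junk)."""
    if len(raw) < 4 + SMB_HEADER.size or raw[0] != 0x00:
        return None
    if int.from_bytes(raw[1:4], "big") != len(raw) - 4:
        return None  # NetBIOS length does not match the bytes we hold
    (magic, command, status, flags, flags2, _pid_high, signature,
     _reserved, tid, pid, uid, mid) = SMB_HEADER.unpack_from(raw, 4)
    if magic != SMB_MAGIC:
        return None
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "signature": signature,
            "tid": tid, "pid": pid, "uid": uid, "mid": mid}


def ms17_010_patch_state(raw):
    """Reply to a Transaction/PeekNamedPipe on FID 0 (nmap smb-vuln-ms17-010):
    unpatched hosts answer STATUS_INSUFF_SERVER_RESOURCES, patched hosts
    STATUS_INVALID_HANDLE or STATUS_ACCESS_DENIED."""
    hdr = parse_smb1(raw)
    if hdr is None or hdr["command"] != SMB_COM_TRANSACTION:
        return "unknown"
    if not hdr["flags2"] & FLAGS2_NT_STATUS:
        return "unknown"  # DOS-style error class/code, not an NT status
    if hdr["status"] == STATUS_INSUFF_SERVER_RESOURCES:
        return "vulnerable"
    if hdr["status"] in (STATUS_INVALID_HANDLE, STATUS_ACCESS_DENIED):
        return "patched"
    return "unknown"


def doublepulsar_state(raw):
    """Reply to a Trans2 SESSION_SETUP (0x000E) sent with MID 0x41: the
    DoublePulsar hook answers with MID 0x51, a clean host echoes 0x41."""
    hdr = parse_smb1(raw)
    if hdr is None or hdr["command"] != SMB_COM_TRANSACTION2:
        return "unknown"
    if hdr["mid"] == DOUBLEPULSAR_MID:
        return "infected"
    if hdr["mid"] == PROBE_MID:
        return "clean"
    return "unknown"


def build_smb1_reply(command, status, mid):
    """Constructed minimal reply: only command, status and MID matter to the
    checks; the other fields just hold plausible reply values."""
    flags = 0x98     # SMB_FLAGS_REPLY | CASE_INSENSITIVE | CANONICALIZED_PATHS
    flags2 = 0xC001  # UNICODE | NT_STATUS | LONG_NAMES
    header = SMB_HEADER.pack(SMB_MAGIC, command, status, flags, flags2,
                             0, b"\x00" * 8, 0, 0x0800, 0xFEFF, 0x0800, mid)
    frame = header + b"\x00\x00\x00"  # WordCount = 0, ByteCount = 0
    return b"\x00" + len(frame).to_bytes(3, "big") + frame


# Constructed sample replies (not captured traffic).
SAMPLES = {
    "unpatched_peek": build_smb1_reply(SMB_COM_TRANSACTION,
                                       STATUS_INSUFF_SERVER_RESOURCES, 0x40),
    "patched_peek": build_smb1_reply(SMB_COM_TRANSACTION,
                                     STATUS_INVALID_HANDLE, 0x40),
    "infected_ping": build_smb1_reply(SMB_COM_TRANSACTION2, 0, DOUBLEPULSAR_MID),
    "clean_ping": build_smb1_reply(SMB_COM_TRANSACTION2, 0, PROBE_MID),
}


def triage(samples=SAMPLES):
    """Run both checks over every reply: {name: (patch_state, backdoor_state)}."""
    return {name: (ms17_010_patch_state(raw), doublepulsar_state(raw))
            for name, raw in samples.items()}


for _name, _verdict in triage().items():
    print(f"{_name:15s} patch={_verdict[0]:10s} doublepulsar={_verdict[1]}")
```

Each check only reads the reply to its own request, so a PeekNamedPipe reply handed to the DoublePulsar check (or vice versa) comes back "unknown" rather than silently misclassified. A host that has SMBv1 disabled, or that only speaks SMB2, fails the SMB1 parse and yields "unknown" on both, which is the right answer since neither check applies to it; disabling SMBv1 was Microsoft's recommended hardening step after WannaCry, alongside the MS17-010 patch the articles discuss.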
..............
