Introduction to Sabotage Trojans and Ransomware

CIH virus
Stuxnet
CryptoLocker Trojan (Win32/Crilock.A)
WannaCry -- a combination of ransomware and network worm

Introduction

Attempts to destroy information on computers have been known since the time of DOS viruses. There were several viruses which encrypted hard drives; if the virus was removed, the information became inaccessible.

The first mass epidemic of a sabotage virus was CIH, also known as Chernobyl. It is a Microsoft Windows computer virus which first emerged in 1998. It exploited the fact that the capability to update firmware was present on many motherboards, and using it the virus could corrupt the system BIOS, making the PC unbootable. The virus was created by Chen Ing-hau, who at the time was a student at Tatung University in Taiwan. 60 million computers were believed to be infected by the virus internationally, resulting in an estimated $1 billion US dollars in commercial damages.

But the most famous case of a sabotage Trojan was probably Stuxnet, which attacked SCADA vulnerabilities and was designed to target the Iranian uranium enrichment program by destroying centrifuges. It did succeed in destroying something like 1000 centrifuges, which is not a very impressive number taking into account the size of the blowback and the new threats it created, first of all for Western countries, which use computerized equipment more widely and connect it more often to various networks, sometimes including the Internet.

Stuxnet is interesting not only because of its unprecedented complexity and its targeted attack on industrial systems, but also because it clearly demonstrated that governments are behind the efforts to develop malware:

Now widely believed to have been a project of U.S. and Israeli intelligence (U.S. officials have yet to publicly acknowledge a role but have done so anonymously to the New York Times and NPR), Stuxnet was carefully designed to infect multiple systems needed to access and control industrial equipment used in Iran’s nuclear program. The payload was clearly the work of a group with access to government-scale resources and intelligence, but it was made possible by four zero-day exploits for Windows that allowed it to silently infect target computers. That so many precious zero-days were used at once was just one of Stuxnet’s many striking features.

Attacks on SCADA Vulnerabilities

The author is not an expert in SCADA and generally left the security field around the year 2003, so the information below is mainly of a general nature. SCADA systems last a long time, anywhere from 15 to 30 years, so there is always a set of older systems available with multiple vulnerabilities in the underlying OS and software. Because of the steady stream of new technology, most systems tend to be less than 10 years old. In any case many of those systems are very old and often use long-discontinued versions of the OS such as NT 4.

One important threat to SCADA systems is the growing connectivity of the internal networks that deploy them. Virus epidemics indirectly affecting SCADA systems started with the first network worms, and some enterprises reacted by installing local firewalls controlling the ports and IPs from which SCADA systems are accessible. That proved to be insufficient for sophisticated malware, which was revealed in

Timeline: 

Stuxnet raised important political and even cultural issues. The first issue is that it made the term "cyberwarfare" real and launched a spiral of development of "militarized" Trojans. The US government was probably the first to pay attention to this problem, starting around 2006. See Federal security rules fueling energy company anxiety, September 28, 2006:

The nation’s energy companies are scrambling to meet government regulations going into effect as soon as January that in part are designed to safeguard the computer-based control systems for electricity and gas distribution from cyberattacks.

Top energy IT officials say they are challenged to meet the new rules because the massive systems control and data acquisition (SCADA) systems used to manage their resources increasingly are based on Windows and Unix but weren’t really designed with network security in mind. The systems often don’t work easily with antivirus software and can be tough to patch, they say.

In addition, the SCADA systems increasingly share the same corporate network as other business applications, but the people running the SCADA and voice/data networks are on separate teams. “In companies I’ve seen, they choose to be separate," said Evon Salle, senior information systems auditor at OGE Energy, in Oklahoma City, and a forum participant at the IT Security World Conference here.

Congress took up the cause of greater SCADA security after a massive power blackout in the summer of 2003, passing legislation that has led to the creation of nine Critical Infrastructure Protection (CIP) rules.

These were devised under the aegis of the North American Electric Reliability Council (NERC), the trade group recently chosen by the Federal Energy Regulatory Commission to set mandatory security standards for the energy sector. NERC also is expected to be in charge of rules enforcement, which could include dishing out million-dollar fines for noncompliance.

The CIP rules cover areas such as reporting sabotage, ensuring physical security, monitoring and running antivirus controls, and doing patch updates on all critical assets, including control centers, substations and SCADA systems.

Energy companies say they’re prodding SCADA operations groups to work with the corporate IT departments to impose firewalls, access control, encryption and antivirus controls if they weren’t there before. But technical challenges remain.

“A lot of times you won’t have virus protection in a SCADA environment," Salle said.

“Virus software, such as from McAfee and Symantec, thinks the SCADA system is a virus and that’s why you can’t run it."

The biggest risk is “SCADA not having a firewall, while also having Internet access," she added.

Energy companies acknowledge that their SCADA systems haven’t been immune to virus outbreaks.

“We’ve had viruses hit one of our plants," said Charles Simons, manager of firewall integrity management at BP Global. The company immediately firewalled off its process-control networks and put corporate IT security in control of industrial systems.

Complying with the CIP guidelines to cordon off SCADA and apply a battery of security controls is proving difficult for some.

“It’s quite a culture change for us, especially for substations and generators," said Sharon Edwards, project manager for implementing the cybersecurity guidelines at Duke Energy. So far, Duke Energy hasn’t been able to identify vendors that would help in implementing the enormous log collection and management and other requirements dictated by CIP.

“We may have to develop one ourselves," Edwards said.

That will involve combining expertise in the IT and SCADA groups, she said. “But in SCADA, we haven’t gotten to the place of having good communications," she said, adding, “I don’t think we’re unique in that."

Edwards noted that one idea under discussion for achieving CIP compliance would entail equipping employees with two PCs on their desktop, one for access for secure accounts and the other for e-mail and Internet access.

Several energy companies said they are prodding SCADA vendors, such as Honeywell, Foxboro and Wonderware, to meet the security challenges brought by CIP.

“SCADA systems manage valves and pressures," said Jay White, global architect for information protection, policies and standards, at Chevron’s IT division. “They’re mission-critical. If you lose control over them, you could have an irreversible environmental impact."

Upgrading SCADA systems, often designed to last more than a decade and traditionally proprietary in their underlying software, could prove expensive and energy company customers could wind up footing much of the bill.

“The electric companies will have to pay to implement the standards and it will reflect in the rates," predicted Robert Schainker, technical executive for strategic planning in the office of innovation at Electric Power Research Institute, a nonprofit organization in Palo Alto for research on energy and the environment.

Enforcing the rules

One of the biggest uncertainties about the new security regime is how NERC will carry out its newly acquired mission in network security.

“NERC is no longer a volunteer organization, it’s a regulatory organization," Schainker said, adding that this is appropriate because the industry will benefit from improved network security. “There will be hackers out there, and more terrorists, and we have to be ready to meet these challenges."

Several industry insiders last week acknowledged that SCADA systems, some now Web-based, are known to be open enough to be fairly easily hackable, whether by insiders or outsiders. While some hacking-based disruptions have occurred in SCADA systems, no major cyberattack has occurred.

Schainker predicts that when NERC begins imposing fines for noncompliance, there will be an eruption of lawsuits. In the end, court decisions will probably guide how this new cybersecurity regulation evolves.

Some corporations, including Duke Energy, acknowledge they have fought the imposition of CIP. Their reluctance stems in part from the fact that the Department of Homeland Security is pushing them to supply detailed proprietary information about how they operate.

“There’s a lot of push-back from industry on this," Edwards said.

Meanwhile, the Department of Defense has long worked under a strict regimen for SCADA systems, which exist on Navy ships, said Herbert Armstrong, IT security director at the Navy’s Warfare Training Center in Ingleside, Texas.


“The SCADA systems are subject to review, and we separate them from the rest of the network," Armstrong said. Strong authentication, including the Defense Department's Common Access Card and biometrics, are needed to prove identity to access SCADA systems. “We’re most concerned about the insider threat," he said.

Stuxnet changed the rules of the game and helped to improve the security of SCADA systems worldwide, as it became clear that devastating attacks are possible by reprogramming controllers. Later it became clear that the USA had created 13 "cyberattack" teams (Pentagon’s 13 Offensive ‘Cyberattack’ Teams to Strike Across the World):

General Touts New 'Cyber Cadre's' Attack Capabilities

by Jason Ditz, March 13, 2013

Cyber Command chief General Keith Alexander has unveiled some new information about the nation’s cyberwarfare policy, revealing in a Senate hearing the creation of 13 “cyberattack” teams, which he dubbed part of the “cyber cadre,” that are authorized to engage in preemptive cyberwarfare across the planet.

Alexander sought to downplay the seriousness of this revelation after the fact, insisting that they are “offensive” units, but are aimed primarily at deterrence, and are “analogous to battalions in the Army and Marine Corps.”

Except that the Army and Marine Corps don’t try to build deterrence credibility by launching unilateral attacks on other nations, or at least to the extent that they do, it is unquestionably an act of war, and done publicly.

The Pentagon has repeatedly made it clear they would view such cyberattacks by other nations as no different than any other military attack, but at the same time their own cyberwarfare units are treating offensive operations as a matter of course. Officials have repeatedly complained that such attacks are on the rise from hackers in other nations, but the US seems to be looking not to defend against such attacks, but rather to get in on the fun. 

Ransomware

Adapted from Ransomware - Wikipedia

Ransomware is a type of malicious software that carries out the cryptoviral extortion attack from cryptovirology that blocks access to data until a ransom is paid and displays a message requesting payment to unlock it. Simple ransomware may lock the system in a way which is not difficult for a knowledgeable person to reverse. More advanced malware encrypts the victim's files, making them inaccessible, and demands a ransom payment to decrypt them.[1] The ransomware may also encrypt the computer's Master File Table (MFT)[2][3] or the entire hard drive.[4] Thus, ransomware is a denial-of-access attack that prevents computer users from accessing files[5] since it is intractable to decrypt the files without the decryption key. Ransomware attacks are typically carried out using a Trojan that has a payload disguised as a legitimate file.

While initially popular in Russia, the use of ransomware scams has grown internationally;[6][7][8] in June 2013, security software vendor McAfee released data showing that it had collected over 250,000 unique samples of ransomware in the first quarter of 2013, more than double the number it had obtained in the first quarter of 2012.[9] Wide-ranging attacks involving encryption-based ransomware began to increase through Trojans such as CryptoLocker, which had procured an estimated US$3 million before it was taken down by authorities,[10] and CryptoWall, which was estimated by the US Federal Bureau of Investigation (FBI) to have accrued over $18m by June 2015.[11]

Ransomware attacks are typically carried out using a Trojan, entering a system through, for example, a downloaded file or a vulnerability in a network service. The program then runs a payload, which locks the system in some fashion, or claims to lock the system but does not (e.g., a scareware program). Payloads may display a fake warning purportedly by an entity such as a law enforcement agency, falsely claiming that the system has been used for illegal activities, or contains content such as pornography and "pirated" media.[13][14][15]

Some payloads consist simply of an application designed to lock or restrict the system until payment is made, typically by setting the Windows Shell to itself,[16] or even modifying the master boot record and/or partition table to prevent the operating system from booting until it is repaired.[17] The most sophisticated payloads encrypt files, with many using strong encryption to encrypt the victim's files in such a way that only the malware author has the needed decryption key.[12][18][19]

Payment is virtually always the goal, and the victim is coerced into paying for the ransomware to be removed—which may or may not actually occur—either by supplying a program that can decrypt the files, or by sending an unlock code that undoes the payload's changes. A key element in making ransomware work for the attacker is a convenient payment system that is hard to trace. A range of such payment methods have been used, including wire transfers, premium-rate text messages,[20] pre-paid voucher services such as Paysafecard,[6][21][22] and the digital currency Bitcoin.[23][24][25] A 2016 census commissioned by Citrix revealed that larger businesses are holding Bitcoin as a contingency plan.[26]

Encrypting ransomware

The first known malware extortion attack, the "AIDS Trojan" written by Joseph Popp in 1989, had a design failure so severe it was not necessary to pay the extortionist at all. Its payload hid the files on the hard drive and encrypted only their names, and displayed a message claiming that the user's license to use a certain piece of software had expired. The user was asked to pay US$189 to "PC Cyborg Corporation" in order to obtain a repair tool even though the decryption key could be extracted from the code of the Trojan. The Trojan was also known as "PC Cyborg". Popp was declared mentally unfit to stand trial for his actions, but he promised to donate the profits from the malware to fund AIDS research.[27]

The notion of using public key cryptography for ransom attacks was introduced in 1996 by Adam L. Young and Moti Yung. Young and Yung critiqued the failed AIDS Information Trojan that relied on symmetric cryptography alone, the fatal flaw being that the decryption key could be extracted from the Trojan, and implemented an experimental proof-of-concept cryptovirus on a Macintosh SE/30 that used RSA and the Tiny Encryption Algorithm (TEA) to hybrid encrypt the victim's data. Since public key crypto is used, the cryptovirus only contains the encryption key. The attacker keeps the corresponding private decryption key private. Young and Yung's original experimental cryptovirus had the victim send the asymmetric ciphertext to the attacker who deciphers it and returns the symmetric decryption key it contains to the victim for a fee. Long before electronic money existed Young and Yung proposed that electronic money could be extorted through encryption as well, stating that "the virus writer can effectively hold all of the money ransom until half of it is given to him. Even if the e-money was previously encrypted by the user, it is of no use to the user if it gets encrypted by a cryptovirus".[12] They referred to these attacks as being "cryptoviral extortion", an overt attack that is part of a larger class of attacks in a field called cryptovirology, which encompasses both overt and covert attacks.[12]

Examples of extortionate ransomware became prominent in May 2005.[28] By mid-2006, Trojans such as Gpcode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, and MayArchive began utilizing more sophisticated RSA encryption schemes, with ever-increasing key-sizes. Gpcode.AG, which was detected in June 2006, was encrypted with a 660-bit RSA public key.[29] In June 2008, a variant known as Gpcode.AK was detected. Using a 1024-bit RSA key, it was believed large enough to be computationally infeasible to break without a concerted distributed effort.[30][31][32][33]

Encrypting ransomware returned to prominence in late 2013 with the propagation of CryptoLocker—using the Bitcoin digital currency platform to collect ransom money. In December 2013, ZDNet estimated based on Bitcoin transaction information that between 15 October and 18 December, the operators of CryptoLocker had procured about US$27 million from infected users.[34] The CryptoLocker technique was widely copied in the months following, including CryptoLocker 2.0 (though not to be related to CryptoLocker), CryptoDefense (which initially contained a major design flaw that stored the private key on the infected system in a user-retrievable location, due to its use of Windows' built-in encryption APIs),[24][35][36][37] and the August 2014 discovery of a Trojan specifically targeting network-attached storage devices produced by Synology.[38] In January 2015, it was reported that ransomware-styled attacks have occurred against individual websites via hacking, and through ransomware designed to target Linux-based web servers.[39][40][41]

Some ransomware strains have used proxies tied to Tor hidden services to connect to their command and control servers, increasing the difficulty of tracing the exact location of the criminals.[42][43] Furthermore, dark web vendors have increasingly started to offer the technology as a service.[43][44][45]

Symantec has classified ransomware to be the most dangerous cyber threat.[46]

Non-encrypting ransomware

In August 2010, Russian authorities arrested nine individuals connected to a ransomware Trojan known as WinLock. Unlike the previous Gpcode Trojan, WinLock did not use encryption. Instead, WinLock trivially restricted access to the system by displaying pornographic images, and asked users to send a premium-rate SMS (costing around US$10) to receive a code that could be used to unlock their machines. The scam hit numerous users across Russia and neighboring countries—reportedly earning the group over US$16 million.[15][47]

In 2011, a ransomware Trojan surfaced that imitated the Windows Product Activation notice, and informed users that a system's Windows installation had to be re-activated due to "[being a] victim of fraud". An online activation option was offered (like the actual Windows activation process), but was unavailable, requiring the user to call one of six international numbers to input a 6-digit code. While the malware claimed that this call would be free, it was routed through a rogue operator in a country with high international phone rates, who placed the call on hold, causing the user to incur large international long distance charges.[13]

In February 2013, a ransomware Trojan based on the Stamp.EK exploit kit surfaced; the malware was distributed via sites hosted on the project hosting services SourceForge and GitHub that claimed to offer "fake nude pics" of celebrities.[48] In July 2013, an OS X-specific ransomware Trojan surfaced, which displays a web page that accuses the user of downloading pornography. Unlike its Windows-based counterparts, it does not block the entire computer, but simply exploits the behavior of the web browser itself to frustrate attempts to close the page through normal means.[49]

In July 2013, a 21-year-old man from Virginia, whose computer coincidentally did contain pornographic photographs of underaged girls with whom he had conducted sexualized communications, turned himself in to police after receiving and being deceived by ransomware purporting to be an FBI message accusing him of possessing child pornography. An investigation discovered the incriminating files, and the man was charged with child sexual abuse and possession of child pornography.[50]

Leakware (also called Doxware)

The converse of ransomware is a cryptovirology attack that threatens to publish stolen information from the victim's computer system rather than deny the victim access to it.[51] In a leakware attack, malware exfiltrates sensitive host data either to the attacker or alternatively, to remote instances of the malware, and the attacker threatens to publish the victim's data unless a ransom is paid. The attack was presented at West Point in 2003 and was summarized in the book Malicious Cryptography as follows, "The attack differs from the extortion attack in the following way. In the extortion attack, the victim is denied access to its own valuable information and has to pay to get it back, where in the attack that is presented here the victim retains access to the information but its disclosure is at the discretion of the computer virus".[52] The attack is rooted in game theory and was originally dubbed "non-zero sum games and survivable malware". The attack can yield monetary gain in cases where the malware acquires access to information that may damage the victim user or organization, e.g., reputational damage that could result from publishing proof that the attack itself was a success.

Mobile ransomware

With the increased popularity of ransomware on PC platforms, ransomware targeting mobile operating systems has also proliferated. Typically, mobile ransomware payloads are blockers, as there is little incentive to encrypt data since it can be easily restored via online synchronization.[53] Mobile ransomware typically targets the Android platform, as it allows applications to be installed from third-party sources.[53][54] The payload is typically distributed as an APK file installed by an unsuspecting user; it may attempt to display a blocking message on top of all other applications,[54] while another variant used a form of clickjacking to cause the user to give it "device administrator" privileges to achieve deeper access to the system.[55]

Different tactics have been used on iOS devices, such as exploiting iCloud accounts and using the Find My iPhone system to lock access to the device.[56] On iOS 10.3, Apple patched a bug in the handling of JavaScript pop-up windows in Safari that had been exploited by ransomware websites.[57]

Notable examples

Reveton

(Image: A Reveton payload, fraudulently claiming that the user must pay a fine to the Metropolitan Police Service)

In 2012, a major ransomware Trojan known as Reveton began to spread. Based on the Citadel Trojan (which itself, is based on the Zeus Trojan), its payload displays a warning purportedly from a law enforcement agency claiming that the computer has been used for illegal activities, such as downloading unlicensed software or child pornography. Due to this behaviour, it is commonly referred to as the "Police Trojan".[58][59][60] The warning informs the user that to unlock their system, they would have to pay a fine using a voucher from an anonymous prepaid cash service such as Ukash or Paysafecard. To increase the illusion that the computer is being tracked by law enforcement, the screen also displays the computer's IP address, while some versions display footage from a victim's webcam to give the illusion that the user is being recorded.[6][61]

Reveton initially began spreading in various European countries in early 2012.[6] Variants were localized with templates branded with the logos of different law enforcement organizations based on the user's country; for example, variants used in the United Kingdom contained the branding of organizations such as the Metropolitan Police Service and the Police National E-Crime Unit. Another version contained the logo of the royalty collection society PRS for Music, which specifically accused the user of illegally downloading music.[62] In a statement warning the public about the malware, the Metropolitan Police clarified that they would never lock a computer in such a way as part of an investigation.[6][14]

In May 2012, Trend Micro threat researchers discovered templates for variations for the United States and Canada, suggesting that its authors may have been planning to target users in North America.[63] By August 2012, a new variant of Reveton began to spread in the United States, claiming to require the payment of a $200 fine to the FBI using a MoneyPak card.[7][8][61] In February 2013, a Russian citizen was arrested in Dubai by Spanish authorities for his connection to a crime ring that had been using Reveton; ten other individuals were arrested on money laundering charges.[64] In August 2014, Avast Software reported that it had found new variants of Reveton that also distribute password stealing malware as part of its payload.[65]

CryptoLocker

Main article: CryptoLocker

Encrypting ransomware reappeared in September 2013 with a Trojan known as CryptoLocker, which generated a 2048-bit RSA key pair, uploaded it in turn to a command-and-control server, and used it to encrypt files matching a whitelist of specific file extensions. The malware threatened to delete the private key if a payment of Bitcoin or a pre-paid cash voucher was not made within 3 days of the infection. Due to the extremely large key size it uses, analysts and those affected by the Trojan considered CryptoLocker extremely difficult to repair.[23][66][67][68] Even after the deadline passed, the private key could still be obtained using an online tool, but the price would increase to 10 BTC—which cost approximately US$2300 as of November 2013.[69][70]

CryptoLocker was isolated by the seizure of the Gameover ZeuS botnet as part of Operation Tovar, as officially announced by the U.S. Department of Justice on 2 June 2014. The Department of Justice also publicly issued an indictment against the Russian hacker Evgeniy Bogachev for his alleged involvement in the botnet.[71][72] It was estimated that at least US$3 million was extorted with the malware before the shutdown.[10]

CryptoLocker.F and TorrentLocker

In September 2014, a wave of ransomware Trojans surfaced that first targeted users in Australia, under the names CryptoWall and CryptoLocker (which is, as with CryptoLocker 2.0, unrelated to the original CryptoLocker). The Trojans spread via fraudulent e-mails claiming to be failed parcel delivery notices from Australia Post; to evade detection by automatic e-mail scanners that follow all links on a page to scan for malware, this variant was designed to require users to visit a web page and enter a CAPTCHA code before the payload is actually downloaded, preventing such automated processes from being able to scan the payload. Symantec determined that these new variants, which it identified as CryptoLocker.F, were again unrelated to the original CryptoLocker due to differences in their operation.[73][74] A notable victim of the Trojans was the Australian Broadcasting Corporation; live programming on its television news channel ABC News 24 was disrupted for half an hour and shifted to Melbourne studios due to a CryptoWall infection on computers at its Sydney studio.[75][76][77]

Another Trojan in this wave, TorrentLocker, initially contained a design flaw comparable to CryptoDefense; it used the same keystream for every infected computer, making the encryption trivial to overcome. However, this flaw was later fixed.[35] By late-November 2014, it was estimated that over 9,000 users had been infected by TorrentLocker in Australia alone, trailing only Turkey with 11,700 infections.[78]
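The TorrentLocker flaw above is the classic keystream-reuse failure: when every file on every machine is XORed with the same keystream, one file whose original content the victim still has (a backup, a sent attachment) reveals the keystream, and every other file can be unlocked up to that length. The following is an added illustration of that recovery, not TorrentLocker's code or any analyst's actual tool; the stream cipher (SHA-256 in counter mode) and the sample files are constructed for the example.

```python
"""Keystream-reuse recovery, illustrating how early TorrentLocker was overcome.

Added example. The "cipher" is a toy stream cipher constructed for the
illustration; the relevant property is the one the text describes: the
same keystream is applied to every file, with no per-file nonce.
"""
import hashlib
from typing import Optional


def keystream(key: bytes, length: int) -> bytes:
    """Toy keystream generator: SHA-256(key || counter) blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def flawed_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """The flaw: same key, no nonce, so every input reuses one keystream."""
    return xor_bytes(plaintext, keystream(key, len(plaintext)))


def recover_keystream(known_plain: bytes, known_cipher: bytes) -> bytes:
    """ciphertext XOR plaintext = keystream, for the length of the known pair."""
    if len(known_plain) != len(known_cipher):
        raise ValueError("known plaintext and ciphertext must match in length")
    return xor_bytes(known_cipher, known_plain)


def decrypt_with_keystream(ciphertext: bytes, ks: bytes) -> Optional[bytes]:
    """Decrypts a file as far as the recovered keystream reaches.

    Files longer than the recovered keystream cannot be fully restored this
    way; None is returned rather than a half-decrypted file."""
    if len(ciphertext) > len(ks):
        return None
    return xor_bytes(ciphertext, ks[: len(ciphertext)])


# Constructed sample: the attacker's key is never used by the recovery code.
SECRET_KEY = b"attacker-key-unknown-to-victim"
# A file the victim still has a clean copy of: a header plus padding (constructed).
KNOWN_PLAIN = b"%PDF-1.4\n" + b"A" * 500
KNOWN_CIPHER = flawed_encrypt(SECRET_KEY, KNOWN_PLAIN)
# A second file, encrypted under the same key, whose content is unknown.
VICTIM_CIPHER = flawed_encrypt(SECRET_KEY, b"Quarterly figures: revenue 1.2M, cost 0.9M")


def recover_victim_file() -> Optional[bytes]:
    """Recovers the unknown file using only the known pair and the ciphertext."""
    ks = recover_keystream(KNOWN_PLAIN, KNOWN_CIPHER)
    return decrypt_with_keystream(VICTIM_CIPHER, ks)


if __name__ == "__main__":
    recovered = recover_victim_file()
    print(recovered.decode() if recovered else "keystream too short")
```

A per-file random nonce (the fix TorrentLocker later shipped) makes the recovered keystream useless for any other file, which is why the analysts' tool stopped working after the update.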

CryptoWall

Another major ransomware Trojan targeting Windows, CryptoWall, first appeared in 2014. One strain of CryptoWall was distributed as part of a malvertising campaign on the Zedo ad network in late-September 2014 that targeted several major websites; the ads redirected to rogue websites that used browser plugin exploits to download the payload. A Barracuda Networks researcher also noted that the payload was signed with a digital signature in an effort to appear trustworthy to security software.[79] CryptoWall 3.0 used a payload written in JavaScript as part of an email attachment, which downloads executables disguised as JPG images. To further evade detection, the malware creates new instances of explorer.exe and svchost.exe to communicate with its servers. When encrypting files, the malware also deletes volume shadow copies, and installs spyware that steals passwords and Bitcoin wallets.[80]
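Two of the CryptoWall behaviours just described leave tell-tale traces in process-creation telemetry: deleting volume shadow copies (removing the victim's local restore points before encryption), and spawning explorer.exe and svchost.exe from a parent that should never start them. The following is an added detection sketch, not CryptoWall's code and not any vendor's rule set; the log format, the sample events and the expected-parent table are constructed assumptions for the example.

```python
"""Detection over process-creation records for CryptoWall-style behaviour.

Added example. Records are modelled on what Sysmon/EDR tools log
(time, host, parent image, image, command line), pipe-delimited here for
the constructed sample. Two rules:
  1. shadow-copy deletion via vssadmin or wmic, and
  2. explorer.exe / svchost.exe started by an unexpected parent.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


# Constructed sample log: ts|host|parent_image|image|command_line
SAMPLE_LOG = """\
2014-09-29T10:01:02|ws-17|C:\\Windows\\explorer.exe|C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe|invoice.exe
2014-09-29T10:01:05|ws-17|C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2014-09-29T10:01:06|ws-17|C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe|C:\\Windows\\explorer.exe|explorer.exe
2014-09-29T10:01:07|ws-17|C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
2014-09-29T10:02:00|ws-17|C:\\Windows\\System32\\services.exe|C:\\Windows\\System32\\svchost.exe|svchost.exe -k netsvcs
2014-09-29T10:03:00|ws-18|C:\\Windows\\System32\\userinit.exe|C:\\Windows\\explorer.exe|explorer.exe
"""

# Rule 1: shadow-copy deletion. Both command forms are well known; the
# regex tolerates the .exe suffix and case differences.
SHADOW_DELETE = re.compile(
    r"(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I
)

# Rule 2: parents that legitimately start these system processes. This is a
# common baseline heuristic (assumption), not a Windows specification.
EXPECTED_PARENTS = {
    "svchost.exe": {"services.exe"},
    "explorer.exe": {"userinit.exe", "explorer.exe"},  # logon, or explorer restarting itself
}


def basename(path: str) -> str:
    """Last path component, lower-cased, for either separator style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> List[ProcEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("|", 4)
        events.append(ProcEvent(ts, host, parent, image, cmdline))
    return events


def detect(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Returns (host, rule, detail) tuples in log order."""
    alerts = []
    for e in events:
        if SHADOW_DELETE.search(e.cmdline):
            alerts.append((e.host, "shadow-copy-deletion", e.cmdline))
        img, par = basename(e.image), basename(e.parent)
        expected = EXPECTED_PARENTS.get(img)
        if expected is not None and par not in expected:
            alerts.append((e.host, "unexpected-parent", f"{par} -> {img}"))
    return alerts


if __name__ == "__main__":
    for host, rule, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{host}: {rule}: {detail}")
```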

The FBI reported in June 2015 that nearly 1,000 victims had contacted the bureau's Internet Crime Complaint Center to report CryptoWall infections, and estimated losses of at least $18 million.[11]

The most recent version, CryptoWall 4.0, enhanced its code to avoid antivirus detection, and encrypts not only the data in files but also the file names.[81]

Fusob

Fusob is one of the major mobile ransomware families. Between April 2015 and March 2016, about 56 percent of the mobile ransomware samples counted were Fusob.[82]

Like typical mobile ransomware, it employs scare tactics to extort people into paying a ransom.[83] The program pretends to be an accusatory authority, demanding that the victim pay a fine of $100 to $200 USD or otherwise face a fictitious charge. Rather surprisingly, Fusob suggests using iTunes gift cards for payment. A timer counting down on the screen adds to the user’s anxiety.

In order to infect devices, Fusob masquerades as a pornographic video player. Thus, victims, thinking it is harmless, unwittingly download Fusob.[84]

When Fusob is installed, it first checks the language used in the device. If it uses Russian or certain Eastern European languages, Fusob does nothing. Otherwise, it proceeds on to lock the device and demand ransom. Among victims, about 40% of them are in Germany with the United Kingdom and the United States following with 14.5% and 11.4% respectively.

Fusob has a lot in common with Small, which is another major family of mobile ransomware. Together they represented over 93% of mobile ransomware between 2015 and 2016.

WannaCry

Main article: WannaCry ransomware attack

In May 2017, the WannaCry ransomware attack spread through the Internet, using an exploit vector that Microsoft had issued a "Critical" patch for (MS17-010) two months before on March 14, 2017.

The purported infection vector, EternalBlue, was released by the hacker group The Shadow Brokers on 14 April 2017,[22][23] along with other tools apparently leaked from Equation Group, which is believed to be part of the United States National Security Agency.[24][25]

The attack affected Telefónica and several other large companies in Spain, as well as parts of the British National Health Service (NHS), where at least 16 hospitals had to turn away patients or cancel scheduled operations,[85] FedEx, Deutsche Bahn, as well as the Russian Interior Ministry and Russian telecom MegaFon.

 

On 12 May 2017, WannaCry began affecting computers worldwide.[30] The initial infection might have been either through a vulnerability in the network defenses or a very well-crafted spear phishing attack.[31] When executed, the malware first checks the "kill switch" website. If it is not found, then the ransomware encrypts the computer's hard disk drive,[32][33] then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet,[34] and "laterally" to computers on the same Local Area Network (LAN).[35] As with other modern ransomware, the payload displays a message informing the user that files have been encrypted, and demands a payment of $300 in bitcoin within three days.

The Windows vulnerability is not a zero-day flaw, but one for which Microsoft had made available a security patch on 14 March 2017,[18] nearly two months before the attack. The patch was to the Server Message Block (SMB) protocol used by Windows.[36][37] Organizations that lacked this security patch were affected for this reason, although there is so far no evidence that any were specifically targeted by the ransomware developers.[36] Any organization still running the older Windows XP[38] was at particularly high risk because until 13 May,[2] no security patches had been released since April 2014.[39] Following the attack, Microsoft released a security patch for Windows XP.[2]

Although another ransomware was spread through messages from a bank about a money transfer around the same time, no evidence for an initial email phishing campaign has been found in this case.
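As an added detection example (not part of the original article), the following Python flags the spreading behaviour just described, one host opening SMB (TCP/445) connections to many distinct peers within a short window, over constructed firewall log lines; the log line format, the sample addresses and the set of internal ranges are assumptions.

```python
"""SMB fan-out detector.

Added example, not part of the original text: WannaCry probed TCP/445 on
random Internet hosts and on the local LAN, so one source opening SMB
connections to many distinct peers within a short window is a strong
signal. The log format parsed here is constructed for the example; adapt
parse_line() to your own firewall or NetFlow export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress
import re

# Constructed format: "<ISO time> <src> -> <dst>:<port> <allow|deny>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s*->\s*(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<action>\w+)$"
)

# Ranges the defender treats as internal (assumption); anything else is "Internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: 10.0.0.5 fans out to LAN and Internet hosts on 445 within
# seconds (worm-like); 10.0.0.20 repeatedly talks to one file server (benign).
SAMPLE_LOG = """\
2017-05-12T10:00:00 10.0.0.20 -> 10.0.0.2:445 allow
2017-05-12T10:00:01 10.0.0.5 -> 10.0.0.7:445 allow
2017-05-12T10:00:01 10.0.0.5 -> 10.0.0.8:445 allow
2017-05-12T10:00:02 10.0.0.5 -> 10.0.0.9:445 deny
2017-05-12T10:00:02 10.0.0.5 -> 10.0.0.10:445 allow
2017-05-12T10:00:03 10.0.0.5 -> 10.0.0.11:445 deny
2017-05-12T10:00:03 10.0.0.5 -> 203.0.113.17:445 deny
2017-05-12T10:00:04 10.0.0.5 -> 198.51.100.4:445 deny
2017-05-12T10:00:04 10.0.0.20 -> 10.0.0.2:445 allow
2017-05-12T10:00:05 10.0.0.5 -> 10.0.0.12:445 allow
2017-05-12T10:00:05 10.0.0.5 -> 10.0.0.13:445 deny
2017-05-12T10:00:06 10.0.0.5 -> 192.0.2.99:445 deny
2017-05-12T10:00:07 10.0.0.5 -> 10.0.0.14:445 allow
2017-05-12T10:00:08 10.0.0.5 -> 10.0.0.15:445 allow
2017-05-12T10:00:09 10.0.0.20 -> 10.0.0.2:445 allow
2017-05-12T10:00:10 10.0.0.5 -> 10.0.0.16:445 deny
"""


def parse_line(line):
    """Return (ts, src, dst, port, action) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"]), m["action"])


def is_external(ip):
    """True when ip lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_smb_fanout(lines, threshold=10, window_seconds=60):
    """Alert on sources reaching >= threshold distinct peers on 445 inside the window.

    Both allowed and denied attempts count: a worm probing hosts that do not
    exist or that filter the port is still scanning.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # src -> (ts, dst) pairs still inside the window
    alerts = {}                   # src -> alert, created when the threshold is first crossed
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] != 445:
            continue
        ts, src, dst = rec[0], rec[1], rec[2]
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()
        peers = {d for _, d in q}
        if src in alerts:
            alerts[src]["peers"] |= peers      # keep accumulating after the first alert
            alerts[src]["last_seen"] = ts
        elif len(peers) >= threshold:
            alerts[src] = {"src": src, "peers": set(peers), "first_seen": q[0][0], "last_seen": ts}
    result = []
    for a in alerts.values():
        a["internet_peers"] = sorted(p for p in a["peers"] if is_external(p))
        a["peer_count"] = len(a["peers"])
        result.append(a)
    return result


if __name__ == "__main__":
    for a in detect_smb_fanout(SAMPLE_LOG.splitlines()):
        print("%s contacted %d SMB peers between %s and %s; Internet peers: %s"
              % (a["src"], a["peer_count"], a["first_seen"], a["last_seen"], a["internet_peers"]))
```

A source that also reaches addresses outside the internal ranges on 445 is the stronger signal, since ordinary file-sharing traffic stays inside the LAN.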

 

Mitigation

As with other forms of malware, security software might not detect a ransomware payload, or, especially in the case of encrypting payloads, only after encryption is under way or complete, particularly if a new version unknown to the protective software is distributed.[87] If an attack is suspected or detected in its early stages, it takes some time for encryption to take place; immediate removal of the malware (a relatively simple process) before it has completed would stop further damage to data, without salvaging any already lost.[88][89]

Alternatively, newer categories of security software, specifically deception technology, can detect ransomware without relying on a signature-based approach. Deception technology deploys fake SMB shares around the real IT assets. These fake SMB shares draw the ransomware in, tie it up encrypting decoy data, and alert the security team, which can then shut down the attack and return the organization to normal operations. Multiple vendors[90] support this capability, with several announcements in 2016.[91]
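As an added example, not code from the original text or from any vendor, the Python below implements the decoy idea in miniature: bait files of the kind planted on a decoy share are written, hashed, and re-checked for modification, renaming, or high-entropy (encrypted) content; the decoy names, their contents and the 7.0 bits/byte entropy threshold are assumptions.

```python
"""Decoy-file monitor (added example, not part of the original text).

Deception tooling plants files that no legitimate process should touch;
ransomware sweeping a share encrypts or renames them. This monitor detects
that by comparing each decoy against a baseline hash and by measuring the
Shannon entropy of anything that changed (encrypted output sits close to
8 bits per byte, plain CSV or text well below 5). Names and contents are
constructed for the example.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter

# Low-entropy, plausible-looking bait. The "!!_" prefix sorts first so a
# directory sweep reaches the decoys before real data.
DECOYS = {
    "!!_accounts_2016.csv": b"id,name,balance\n" + b"1,acme,100.00\n" * 300,
    "!!_contracts.docx": b"Contract draft. " * 400,
}
ENTROPY_ALERT = 7.0  # bits per byte (assumed threshold)


def shannon_entropy(data):
    """Bits of entropy per byte of data; 0 for empty or constant input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def seed_decoys(directory):
    """Write the decoys and return the baseline {name: sha256}."""
    baseline = {}
    for name, content in DECOYS.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(content)
        baseline[name] = sha256(content)
    return baseline


def check_decoys(directory, baseline):
    """Return (name, reason) alerts; an empty list means the decoys are intact."""
    alerts = []
    present = set(os.listdir(directory))
    for name, digest in baseline.items():
        if name not in present:
            alerts.append((name, "missing or renamed"))
            continue
        with open(os.path.join(directory, name), "rb") as f:
            data = f.read()
        if sha256(data) != digest:
            ent = shannon_entropy(data)
            reason = "modified"
            if ent >= ENTROPY_ALERT:
                reason = "modified, high entropy (%.2f bits/byte)" % ent
            alerts.append((name, reason))
    # Anything new beside the decoys (ransom notes, ".locked" siblings) is suspect.
    for name in sorted(present - set(baseline)):
        alerts.append((name, "unexpected new file"))
    return alerts


def demo():
    """Seed decoys, verify them clean, simulate an encrypting sweep, re-check."""
    with tempfile.TemporaryDirectory() as d:
        baseline = seed_decoys(d)
        clean = check_decoys(d, baseline)
        # Simulated ransomware (constructed): overwrite one decoy with random
        # bytes, rename the other, and drop a ransom note.
        first, second = list(DECOYS)
        with open(os.path.join(d, first), "wb") as f:
            f.write(os.urandom(4096))
        os.rename(os.path.join(d, second), os.path.join(d, second + ".locked"))
        with open(os.path.join(d, "HOW_TO_DECRYPT.txt"), "wb") as f:
            f.write(b"constructed ransom note")
        return clean, check_decoys(d, baseline)


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

In production the check runs on a schedule or from a file-system watcher, and the "unexpected new file" rule needs an allow-list if the decoy directory is ever legitimately written to.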

Security experts have suggested precautionary measures for dealing with ransomware. Using software or other security policies to block known payloads from launching will help to prevent infection, but will not protect against all attacks. Keeping "offline" backups of data stored in locations inaccessible to the infected computer, such as external storage drives, prevents them from being accessed by the ransomware, thus accelerating data restoration.[23][92]

There are a number of tools intended specifically to decrypt files locked by ransomware, although successful recovery may not be possible.[2][93] If the same encryption key is used for all files, decryption tools use files for which there are both uncorrupted backups and encrypted copies (a known-plaintext attack in the jargon of cryptanalysis); recovery of the key, if it is possible, may take several days.[94]
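The known-plaintext recovery just described, as an added example that is not part of the original text: a constructed toy scheme in which every file is XORed with the same repeating key, the weak design this approach defeats (families that use a fresh AES key per victim protected with RSA give no such foothold). The key, file names and contents are constructed for the example.

```python
"""Known-plaintext key recovery against a fixed repeating-key XOR scheme.

Added example, not part of the original text. One file that exists both as a
clean backup and as an encrypted copy yields the keystream; if the keystream
repeats, the recovered key unlocks every other file. The recovery code never
sees _SECRET_KEY directly; it is only used to construct the victim data.
"""


def toy_encrypt(data, key):
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(plaintext, ciphertext, key_len):
    """Recover a key of key_len bytes from one known plaintext/ciphertext pair.

    Returns None when the pair is too short or when the key bytes implied by
    different positions disagree, i.e. the stream does not repeat with this
    period.
    """
    if len(plaintext) != len(ciphertext) or len(plaintext) < key_len:
        return None
    stream = bytes(p ^ c for p, c in zip(plaintext, ciphertext))
    key = stream[:key_len]
    for off in range(key_len, len(stream), key_len):
        chunk = stream[off:off + key_len]
        if chunk != key[:len(chunk)]:
            return None
    return key


def find_key_length(plaintext, ciphertext, max_len=64):
    """Shortest period consistent with the pair, confirmed over >= 2 repetitions.

    Requiring two full repetitions avoids accepting a "period" that is just
    the whole known text when the backup is shorter than the key.
    """
    for n in range(1, max_len + 1):
        if len(plaintext) < 2 * n:
            break
        if recover_key(plaintext, ciphertext, n) is not None:
            return n
    return None


def recover_files(known_plain, known_cipher, encrypted_files, max_len=64):
    """Decrypt {name: ciphertext} with the key learned from one known pair."""
    n = find_key_length(known_plain, known_cipher, max_len)
    if n is None:
        return None
    key = recover_key(known_plain, known_cipher, n)
    return {name: toy_encrypt(ct, key) for name, ct in encrypted_files.items()}


# Constructed victim data.
_SECRET_KEY = b"k3y-f0r-d3m0-0nly"  # 17 bytes, unknown to the recovery code
BACKUP_COPY = b"Quarterly report 2016: revenue up 4%, costs flat. " * 4
VICTIM_FILES = {
    "report.txt": BACKUP_COPY,
    "notes.txt": b"Call vendor about SCADA patch window on Friday.",
    "ledger.csv": b"date,amount\n2016-01-02,100\n2016-01-03,250\n",
}
ENCRYPTED = {name: toy_encrypt(data, _SECRET_KEY) for name, data in VICTIM_FILES.items()}


def demo():
    """Use the offline backup of report.txt to unlock the remaining files."""
    others = {k: v for k, v in ENCRYPTED.items() if k != "report.txt"}
    return recover_files(BACKUP_COPY, ENCRYPTED["report.txt"], others)


if __name__ == "__main__":
    for name, data in (demo() or {}).items():
        print(name, "->", data.decode())
```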

 



Old News ;-)

[Oct 02, 2013] Hackers Courted by Government for Cyber Security Jobs

The article is mostly PR, but some tidbits are interesting. The author is incompetent and uses phrases like "agencies were compromised by a Distributed Denial of Service Attack"
Rolling Stone

So far, the truth about the extent of the U.S.’s offensive attacks against other countries has been shadowy at best. There’s Stuxnet, which has yet to be officially attributed to the U.S. (or Israel), and NSA leaker Edward Snowden’s recent claim the U.S. has launched widespread cyberattacks against China. Beyond that, the closest we’ve come was Hillary Clinton’s admission last year of a State Department attack on an Al Qaeda propaganda site in Yemen.


The tensions around this topic are partly because the laws governing cyberwar are still being determined. As Rear Adm. Margaret Klein, chief of staff of Cyber Command, the Ft. Meade-based defense center for U.S. military networks, put it last year,

“Attorneys and scholars face a variety of complex legal issues arising around the use of this new technology.”

But experts are pushing for more offensive measures regardless. The Commission on the Theft of American Intellectual Property concluded that “new options need to be considered.” It seems our government is already heeding the call.

A June leak of a presidential directive from Obama, which had been issued in October, reveals that the U.S. is, at the very least, getting its cyberwarriors in line. In addition to calling for a list of international targets, the directive argued that

“Offensive Cyber Effects Operations... can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.”

But while the government remains quiet about the existence or extent of their offensive measures, hackers and contractors I spoke with are, albeit cautiously, more forthcoming.

... ... ...

But the government hires private contractors to do such attacks on its behalf as well. The cyberwar underworld is rife with contractors who fashion themselves to be “the Blackwater of the Internet,” as Heid puts it, “information mercenaries…private sector guys who are going on the offensive, but you don’t hear about it.” At least not usually.

[Jun 28, 2013] Retired U.S. General Is Focus of Inquiry Over Iran Leak

June 28, 2013 | NYTimes.com

The former second-ranking officer in the United States military, retired Gen. James E. Cartwright of the Marines, is a target of an investigation into the leak of classified information about American cyberattacks on Iran’s nuclear program, a person familiar with the investigation confirmed Thursday night.

The leak investigation, being carried out by the United States attorney for Maryland, Rod J. Rosenstein, was announced by Attorney General Eric H. Holder Jr. after articles in The New York Times described an ambitious series of cyberattacks under the code name Olympic Games that were intended to slow Iran’s progress toward a nuclear bomb. That General Cartwright is a focus of the leak inquiry was first reported by NBC News.

The general, 63, who served as vice chairman of the Joint Chiefs of Staff from 2007 to 2011, became a favorite adviser of President Obama and was considered an influential voice in the White House on security matters.

A lawyer for General Cartwright, Gregory B. Craig, who served as White House counsel early in the Obama administration, declined to comment.

Marcia Murphy, a spokeswoman for Mr. Rosenstein, declined to confirm or deny whether General Cartwright was being investigated. “We don’t have any comment at all,” Ms. Murphy said.

Since his retirement in 2011, General Cartwright has joined the Center for Strategic and International Studies and has spoken in favor of major cuts in nuclear weapons and warned of possible “blowback” from the use of drone aircraft by the United States in Pakistan and Yemen.

Asked about the NBC News report, Jill Abramson, executive editor of The New York Times, said, “We don’t comment on our confidential sources.”

Since President Obama took office in 2009, seven current or former government officials or contractors have been charged under the Espionage Act with leaking classified information, compared with three under all previous presidents. The seventh person charged was Edward J. Snowden, the former National Security Agency contractor who has acknowledged giving classified documents to The Guardian and The Washington Post.

Press advocates have criticized the unprecedented crackdown on leaks, in which F.B.I. investigators have used e-mail and telephone records to track exchanges between reporters and sources, saying it endangers reporting on national security. But Mr. Obama and Mr. Holder have said that leaks can put American security at risk.

Attacks on SCADA-systems (www.cert.be)

Given the many reports circulating about a new type of malware that uses the .lnk vulnerability in Microsoft Windows and Siemens SCADA systems, we provide a short overview of what is known, at the moment, about these targeted attacks. A list of suggested information sources to consult is included.

This sophisticated new type of malware [1], targeting command-and-control software installed in certain critical infrastructures and production environments throughout the world, uses a known default password that the software maker, Siemens, hard-coded into its systems. Hard-coding a password into software means that third parties can retrieve it by analysing the code, though obfuscation techniques can make this task more difficult. The password has been available since at least 2008, when it was posted to a product forum in Germany [2]. The password itself appears to have been deleted from this Siemens Technical Forum by a Siemens moderator soon after. This did not, however, prevent the password from being published on a Russian-language Siemens forum [3], where it remained for two years. The password is used by the system to connect to its MS-SQL database. Some of the forum posts claim that a password change would cause the system to stop working.

The password is meant to protect the database used by Siemens' Simatic WinCC SCADA system [4]. SCADA stands for Supervisory Control and Data Acquisition. A SCADA system is generally an industrial control system installed in utilities and manufacturing facilities; it monitors and controls a certain process. These SCADA systems have been the focus of much controversy lately for being potentially vulnerable to, e.g., remote attacks by malicious outsiders trying to take control of the processes for purposes such as espionage and sabotage, as these systems are mostly critical. A good read on how to protect these systems comes from the UK Centre for the Protection of National Infrastructure (CPNI), which provides good practice guidelines for SCADA systems [5].

A German security expert, Frank Boldewin, found the hard-coded password in a new and sophisticated piece of malware [6]. The malware is designed to spread through a USB thumb drive to attack the Siemens SCADA system. It exploits a new vulnerability in all versions of Windows [7], more specifically in the part that handles shortcut files (.lnk files). The code is launched by itself when a file manager (e.g. Windows Explorer) is used to view the contents of the stick (or any infected drive, including network shares).

This malware was first reported by security blogger Brian Krebs [8], who says that a security firm in Belarus, VirusBlokAda [9], had discovered it somewhere in June. His analysis of the malware shows that when a system gets infected, it first checks for the presence of Simatic WinCC. If found, it uses the hard-coded password to access the database. If Simatic WinCC isn't present, e.g. on a home user's system, the malware shouldn't harm the system much. This doesn't mean it will stay harmless: the backdoor provided by the malware will eventually be used for other malicious purposes. This is actually already going on; according to Eset, two new malware families exploiting the same .lnk vulnerability have been detected.

Siemens is said to have assembled a team of experts to evaluate the problem. They have also devoted a portion of their support website to this specific problem [10]. The security issue is a big problem for critical infrastructures but the vulnerability that the malware exploits is of a much greater immediate concern for the average user.

Microsoft issued a mitigation workaround to address the vulnerability. The users should modify their Windows registry to disable the WebClient service and should disable the display of shortcut icons. Some security experts have criticized Microsoft for these suggestions, noting that these workarounds are not easy to do in some environments and that disabling the WebClient would possibly break other services. Microsoft provides a 'fix me' download which can be executed [11].

A trusted source from Microsoft indicates that the use of Microsoft RDP (Remote Desktop Protocol) to fix a remote server doesn't have any impact on the machine being used as a start for the RDP session. It seems the .lnk files are being transmitted as bitmaps to the starting machine and in doing so they can not impact it. Strange or unexpected icon behaviour (again) using RDP to check the treated remote server after the mandatory reboot is more than likely due to caching mechanisms. This may not be the case with other remote desktop solutions. Basically this is a result of the way links are presented. In Microsoft RDP the links are presented by bitmaps, this way they don't trigger the vulnerability.

An interesting article is the one from M-unition [13]. It describes how the malware was signed with a legitimate certificate. The first problematic driver was one from RealTek. A new variant of Stuxnet has already been seen in which a compromised driver for JMicron is used. Verisign has already revoked the certificates, but this doesn't seem to prevent the malware from infecting systems.

New variants have already been spotted. Organizations that are victims of related malware should contact their anti-virus vendor for assistance to guarantee the continuity of the organization's processes after the cleanup.

Related or not, according to the Dutch security website Security.nl [14], a well-known Dutch dairy cooperative was attacked too. The attackers tried to infiltrate the SCADA systems, but a network protection appliance detected the targeted attack. This happened while the cooperative was trying to obtain ISA-99 certification [15] for the security of systems in a production environment.

Apparently, the firmware update (also) contained an adapted version of the well known Conficker worm [16].

Possible motives for this attack could be a competitor trying to get hold of sensitive information or to disrupt the production.

More profound information can be read on the original blog article [14].

For more info about Stuxnet one could read the posts from Kaspersky Lab Expert Costin Raiu. He also provided some FAQs about Stuxnet [17]. The Microsoft Malware Protection Center blogpost should also be seen as a good reference about Stuxnet [18].

[1] http://www.wired.com/threatlevel/2010/07/siemens-scada/
[2] http://www.automation.siemens.com/forum/guests/PostShow.aspx?PostID=1612...
[3] http://iadt.siemens.ru/forum/viewtopic.php?p=2974&sid=58cedcf3a0fc7a0b6c...
[4] http://nl.wikipedia.org/wiki/Supervisory_control_and_data_acquisition
[5] http://www.cpni.gov.uk/ProtectingYourAssets/scada.aspx
[6] http://www.wilderssecurity.com/showthread.php?p=1712146
[7] http://www.microsoft.com/technet/security/advisory/2286198.mspx
[8] http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-...
[9] http://www.anti-virus.by/en/index.shtml
[10] http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&l...
[11] http://support.microsoft.com/kb/2286198
[12] http://blog.didierstevens.com/2010/07/18/mitigating-lnk-exploitation-wit...
[13] http://blog.mandiant.com/archives/1236
[14] http://www.security.nl/artikel/33906/Gerichte_hackeraanval_op_zuivelco%C...
[15] http://www.isa-99.com/
[16] http://www.confickerworkinggroup.org/
[17] http://www.securelist.com/en/blog/2236/Stuxnet_signed_certificates_frequ...
[18] http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx

Federal security rules fueling energy company anxiety

The nation’s energy companies are scrambling to meet government regulations going into effect as soon as January that in part are designed to safeguard the computer-based control systems for electricity and gas distribution from cyberattacks.

Top energy IT officials say they are challenged to meet the new rules because the massive supervisory control and data acquisition (SCADA) systems used to manage their resources increasingly are based on Windows and Unix but weren’t really designed with network security in mind. The systems often don’t work easily with antivirus software and can be tough to patch, they say.

In addition, the SCADA systems increasingly share the same corporate network as other business applications, but the people running the SCADA and voice/data networks are on separate teams. “In companies I’ve seen, they choose to be separate,” said Evon Salle, senior information systems auditor at OGE Energy, in Oklahoma City, and a forum participant at the IT Security World Conference here.

Congress took up the cause of greater SCADA security after a massive power blackout in the summer of 2003, passing legislation that has led to the creation of nine Critical Infrastructure Protection (CIP) rules.


These were devised under the aegis of the North American Electric Reliability Council (NERC), the trade group recently chosen by the Federal Energy Regulatory Commission to set mandatory security standards for the energy sector. NERC also is expected to be in charge of rules enforcement, which could include dishing out million-dollar fines for noncompliance.

The CIP rules cover areas such as reporting sabotage, ensuring physical security, monitoring and running antivirus controls, and doing patch updates on all critical assets, including control centers, substations and SCADA systems.

Energy companies say they’re prodding SCADA operations groups to work with the corporate IT departments to impose firewalls, access control, encryption and antivirus controls if they weren’t there before. But technical challenges remain.

“A lot of times you won’t have virus protection in a SCADA environment,” Salle said.

“Virus software, such as from McAfee and Symantec, thinks the SCADA system is a virus and that’s why you can’t run it.”

The biggest risk is “SCADA not having a firewall, while also having Internet access,” she added.

Energy companies acknowledge that their SCADA systems haven’t been immune to virus outbreaks.

“We’ve had viruses hit one of our plants,” said Charles Simons, manager of firewall integrity management at BP Global. The company immediately firewalled off its process-control networks and put corporate IT security in control of industrial systems.

Complying with the CIP guidelines to cordon off SCADA and apply a battery of security controls is proving difficult for some.

“It’s quite a culture change for us, especially for substations and generators,” said Sharon Edwards, project manager for implementing the cybersecurity guidelines at Duke Energy. So far, Duke Energy hasn’t been able to identify vendors that would help in implementing the enormous log collection and management and other requirements dictated by CIP.

Attack Code for SCADA Vulnerabilities Released Online

03.22.11 | Threat Level, Wired.com, by Kim Zetter

The security of critical infrastructure is in the spotlight again this week after a researcher released attack code that can exploit several vulnerabilities found in systems used at oil-, gas- and water-management facilities, as well as factories, around the world.

The 34 exploits were published by a researcher on a computer security mailing list on Monday and target seven vulnerabilities in SCADA systems made by Siemens, Iconics, 7-Technologies and DATAC.

Computer security experts who examined the code say the vulnerabilities are not highly dangerous on their own, because they would mostly just allow an attacker to crash a system or siphon sensitive data, and are targeted at operator viewing platforms, not the backend systems that directly control critical processes. But experts caution that the vulnerabilities could still allow an attacker to gain a foothold on a system to find additional security holes that could affect core processes.

SCADA, or Supervisory Control and Data Acquisition, systems are used in automated factories and in critical infrastructures. They came under increased scrutiny last year after the Stuxnet worm infected more than 100,000 computers in Iran and elsewhere.

The worm was designed to target a specific component known as a programmable logic controller, or PLC, used with a specific Siemens SCADA system. It was widely believed to be aimed at a PLC controlling centrifuges at the Natanz uranium-enrichment plant in Iran.

The exploit codes released this week were posted to the Bugtraq mailing list on Monday by security researcher Luigi Auriemma who wrote that he knew nothing about SCADA before uncovering the vulnerabilities in a series of tests. Auriemma told the Register that he published the vulnerabilities and attack codes to draw attention to security problems with SCADA systems.

His move got the attention of U.S. ICS-CERT, or Industrial Control Systems–Computer Emergency Response Team, which subsequently published advisories for the vulnerabilities.

The systems that are affected include Siemens Tecnomatix FactoryLink, Iconics, Genesis32 and Genesis64, DATAC RealWin, and 7-Technologies IGSS.

The Iconics and DATAC systems are most heavily used in the United States, according to Joel Langill, a control-systems security specialist. Langill says the Iconics systems are used in the oil and gas industry in North America, and the DATAC system is often found in municipal wastewater management facilities. He is not aware of any of the programs being used at important nuclear facilities.

“Most of these don’t tend to be high-reliability products,” he said. “And in nuclear you need high reliability.”

Of the 34 attacks Auriemma published, seven of them target three buffer-overflow vulnerabilities in the Siemens system, an old legacy system that Siemens plans to stop supporting next year. One of the attacks against the Siemens system would simply result in a denial-of-service, but the other two would allow an attacker to remote-copy files into the file systems, according to Langill.

“As a proof of concept, that could actually be very dangerous, because it would allow you to drop in a malicious payload,” he said. “I would want to patch that fairly fast.”

The Iconics system involves 13 attacks — all targeting one vulnerable process. Langill said these were the least-developed attack codes Auriemma released. None of them would allow an intruder to execute code on the system.

The 7-Technologies IGSS attack involves eight different exploits targeting two vulnerabilities in that system. Langill considered these the most impressive, noting that at least one of the attacks would allow remote execution of malicious code on the system.

“It was very easy to drop files onto the host,” he said about his test of the code.

The DATAC system involves seven attack codes targeting one vulnerability.

Although the attacks don’t target programmable logic controllers directly, they would allow an attacker to mask what an operator sees on his monitor, by changing data that appears on his screen. Therefore, if an attacker can find and attack vulnerabilities in a PLC connected to these systems, he could make it appear to the operator that everything is functioning on the PLC correctly.

“I could download operator graphics to my system, modify them and then upload those modified graphics to the operator,” Langill said. “Idaho National Labs has shown that to be a very effective attack vector to fake out the operator.”

Langill said, however, that the likelihood that any of these vulnerabilities would be attacked remotely is low, because such systems are generally not connected to the internet.

But the bottom line, Langill says, is that Auriemma showed that even someone with no knowledge of SCADA could, in a very short time, take SCADA software that is easily obtained by anyone and generate exploits that could reasonably impact operations.

“He’s done the hard part to give someone a way into the system,” Langill said. “Someone else who knows the system can now go in and find a way around in it, to launch the malicious act.”

UPDATE: Story updated to correct the misspelling of Langill’s name.



Recommended Links

Softpanorama hot topic of the month

Softpanorama Recommended

SCADA - Wikipedia, the free encyclopedia

2006 revamp of SCADA security in the USA

Stuxnet attack