DIARY OF THE WANNACRY ATTACK

HOW IT UNFOLDED

PC & Tech Authority - FEATURE

MAY’S RANSOMWARE ATTACK CRIPPLED PCS AROUND THE WORLD, BUT ITS ORIGINS CAN BE TRACED BACK TO LAST AUGUST. BARRY COLLINS INVESTIGATES HOW ONE OF THE WORLD’S BIGGEST CYBERATTACKS UNFOLDED

“I’ve been shaved down the front because they were going to open me up. Nil by mouth since this morning. And then at half past one the surgeon turned up and said unfortunately we’ve been hacked and there’s nothing we can do, we can’t operate on you today.”

The angry heart patient who vented his anger at the media was far from the only victim of the cyberattack that took place on Friday 12 May. No fewer than 61 NHS trusts were hit by the WannaCry attack, forcing hospitals to cancel operations, turn away A&E patients and switch off all computer equipment.

It rapidly escalated into a national crisis, but it wasn’t only a national health service that was under attack – organisations across the globe were switching on computers to discover a ransom note demanding US$300 to decrypt their files.

In the end, the attack was largely halted by the remarkable actions of one man. But how did it start in the first place? How were the American security services involved? And how did one guy working from home bring it all to an end? Here’s the blow-by-blow account of one of the world’s biggest cyberattacks.

TUESDAY 14 MARCH 2017

Sysadmins everywhere heave a deep sigh, as Microsoft releases its monthly Patch Tuesday batch of updates. There are no fewer than 18 separate bulletins and patches to apply, seven of which carry the company’s highest state of alert: critical.

Amongst them is the innocuously titled bulletin MS17-010, Security Update for Microsoft Windows SMB Server (4013389). “This security update resolves vulnerabilities in Microsoft Windows,” reads Microsoft’s bulletin, in its typically deadpan style. “The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.”

The patch is wide-ranging, plugging holes in Windows Vista, 7, 8.1 and Windows 10, and every version of Windows Server since 2008. Microsoft publicly tips its hat to security researchers who discover vulnerabilities in its OSes, publishing acknowledgements along with its security bulletins. Almost every other bulletin in that bumper March pack is credited to some security researcher or other: Mateusz Jurczyk at Google, Haifei Li of Intel Security, Qiang Liu from McAfee. The discovery of vulnerability MS17-010 remains curiously unattributed. Who found the hole?

SATURDAY 8 APRIL 2017

The answer appears to be the US security services. In August 2016, a group known as TheShadowBrokers emerges, claiming to have stolen dozens of hacking tools that had been developed by the US National Security Agency (NSA) for its own hacking purposes. They include a bunch of exploits targeting Windows.

TheShadowBrokers initially make a ham-fisted effort to auction the hacking tools on the internet, attempting to sell the NSA-grade exploits to the highest bidder. But nobody’s biting. Buying exploits over the internet is one thing; buying tools that the NSA would desperately be attempting to trace is a whole new level of risk.

TheShadowBrokers’ behaviour becomes increasingly erratic. On 8 April, the group releases a bizarre diatribe addressed to Donald Trump, urging him to “bring America to the world”, to assert “white privilege” and offering its services to the administration. “TheShadowBrokers wishes we could be doing more, but revolutions/civil wars taking money, time, and people,” the message reads. “TheShadowBrokers has is having [sic] little of each as our auction was an apparent failure. Be considering this our form of protest.”

It then publishes a password for an encrypted cache of tools, contained within which is an exploit called EternalBlue that targets vulnerability MS17-010 – the one Microsoft patched in March’s security update, but which of course won’t yet have been applied to all vulnerable machines. Not to mention the sizeable minority of systems still running the unsupported Windows XP and Windows Server 2003, which Microsoft didn’t patch in the first place.

Security firms start crawling over the released malware code and discover a specific implementation of an encryption algorithm that was only previously found in exploits created by the so-called Equation Group, an outfit that the Russian security firm Kaspersky Labs has linked to the NSA. Other security experts, such as Bruce Schneier, claim TheShadowBrokers are highly likely to be Russian. We have ourselves a ball game.

THURSDAY 11 MAY 2017

Internet security companies get wind of a new ransomware attack. They’ve seen plenty before, of course, but this one’s a bit different. The exploit doesn’t seem to require any user intervention – it’s not goading people to click on attachments or run executables, but spreading all by itself over TCP port 445.

“Our internet facing sensors registered an uptick in port 445 connections on Thursday May 11th, one day before the major outbreak noted on Friday,” a spokesperson for Kaspersky told PC&TA. “This means it’s possible the worm was released on Thursday, possibly even late Wednesday evening.”
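The port 445 signal Kaspersky describes is one a security team can look for in its own sensor data. The Python below is an added illustration, not code from the article or from Kaspersky: it counts inbound TCP/445 connection attempts per day in a few constructed sensor log lines (the log format is an assumption made for the example) and flags any day whose count jumps well above the median of the preceding days.

```python
"""Flag a sudden rise in inbound TCP/445 connection attempts.

Added example, not from the article or from Kaspersky. The log format
and the log lines themselves are constructed for this illustration.
"""
from collections import Counter, defaultdict
from datetime import date
import re
import statistics

# Constructed sensor log (not real data). Assumed format:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<port> <proto>"
SENSOR_LOG = """\
2017-05-08T09:12:01Z 198.51.100.7 -> 203.0.113.10:445 TCP
2017-05-08T11:40:13Z 198.51.100.9 -> 203.0.113.10:80 TCP
2017-05-09T10:02:44Z 198.51.100.7 -> 203.0.113.10:445 TCP
2017-05-09T14:55:03Z 198.51.100.12 -> 203.0.113.10:22 TCP
2017-05-10T08:30:00Z 198.51.100.7 -> 203.0.113.10:445 TCP
2017-05-10T16:01:19Z 198.51.100.4 -> 203.0.113.10:445 TCP
2017-05-11T07:15:00Z 198.51.100.21 -> 203.0.113.10:445 TCP
2017-05-11T07:15:02Z 198.51.100.22 -> 203.0.113.10:445 TCP
2017-05-11T07:15:05Z 198.51.100.23 -> 203.0.113.10:445 TCP
2017-05-11T07:16:40Z 198.51.100.24 -> 203.0.113.10:445 TCP
2017-05-11T09:20:11Z 198.51.100.25 -> 203.0.113.10:445 TCP
2017-05-11T12:44:37Z 198.51.100.26 -> 203.0.113.10:445 TCP
2017-05-11T18:03:59Z 198.51.100.27 -> 203.0.113.10:445 TCP
2017-05-11T21:30:00Z 198.51.100.28 -> 203.0.113.10:443 TCP
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) (?P<proto>\S+)$"
)


def count_port_by_day(log_text, port=445, proto="TCP"):
    """Return {date: (attempt_count, distinct_source_count)} for one port/proto."""
    per_day = Counter()
    sources = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines instead of aborting the whole run
        if int(m["port"]) != port or m["proto"] != proto:
            continue
        day = date.fromisoformat(m["day"])
        per_day[day] += 1
        sources[day].add(m["src"])
    return {d: (per_day[d], len(sources[d])) for d in sorted(per_day)}


def flag_uptick(daily, factor=3.0, min_baseline_days=2):
    """Return the days whose count exceeds `factor` times the median of all earlier days.

    The first `min_baseline_days` days only build the baseline and are never flagged.
    """
    flagged = []
    days = sorted(daily)
    for i, day in enumerate(days):
        baseline = [daily[d][0] for d in days[:i]]
        if len(baseline) < min_baseline_days:
            continue
        if daily[day][0] > factor * statistics.median(baseline):
            flagged.append(day)
    return flagged


if __name__ == "__main__":
    daily = count_port_by_day(SENSOR_LOG)
    for d, (n, srcs) in daily.items():
        print(f"{d}: {n} TCP/445 attempts from {srcs} distinct sources")
    print("uptick on:", [d.isoformat() for d in flag_uptick(daily)])
```

On the constructed data the 11 May count is seven attempts from seven distinct sources against a baseline of one or two per day, so that day is flagged; the distinct-source count matters because a worm scanning from many freshly infected hosts looks different from one noisy scanner.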

FRIDAY 12 MAY 2017

As people start switching on their PCs in offices around the world, it quickly becomes apparent that something huge is occurring.

Early morning reports emerge from Spain of an attack on the mobile operator Telefonica, while in the UK, initial reports suggest that the NHS has been the target of a “hack”, with problems being reported at several hospitals and doctors’ surgeries.

The BBC quotes a doctor from Newham in East London who reports that “from 2pm there were problems and the computers were shutting on and off. Staff now can’t turn the computers on at all.” Meanwhile, a nurse texts the BBC, writing: “We were told to disconnect all computers, which we did, we’ve also been told our door entry and heating systems may also not work. Kettle still working, so we’ll be OK!”

Surprisingly, the news reports are the first place security firm Symantec hears of the attack, too. “We first became aware of it through the media,” said Dick O’Brien, a senior information developer from Symantec’s threat research team. “Initially, we didn’t get a flood of customer queries because our products were fairly effective at blocking WannaCry.” Indeed, the company had first spotted a variant of the ransomware back in April when TheShadowBrokers’ exploits were leaked, and so was on guard for a repeat attack.

The same can’t be said of the NHS. Hospitals in Blackburn, Nottingham, Cumbria and Hertfordshire all begin reporting problems, with screenshots of the ransom pop-up starting to spread across Twitter. “Ooops, your files have been encrypted!” reads a clumsily worded message, demanding $300 worth of bitcoins be sent to a specified address within three days, or else “your files will be deleted”. A Hollywood-style countdown clock on the left-hand side of the screen rams home how long victims have got to save their files.

Before long, hospitals are starting to turn patients away. “We’re aware of an IT issue affecting NHS computer systems,” tweets the Mid-Essex Clinical Commissioning Group at 3.43pm. “Please do not attend A&E unless it’s an emergency.” The message spreads across other trusts as quickly as the ransomware.

Meanwhile, heart patients are being interviewed by TV crews outside hospitals, having had their operations cancelled; newborn babies at the Royal London Hospital aren’t being tagged because the PC connected to the printer has been crippled; matrons are reportedly running around wards in Yorkshire yelling at staff to switch off their PCs.

The memo clearly hasn’t reached GCHQ, whose social media mavens tweet out a twee message in support of National Limerick Day. “It’s a good job we’re better at keeping Britain safe than writing limericks…” Unlike the ransomware, the post is swiftly deleted.

By mid-afternoon, the NHS issues a statement on its website claiming 16 NHS organisations had reported that they were being affected by the ransomware, but by now it’s clear this isn’t an attack directed at the NHS alone. Reports are emerging of similar attacks in businesses worldwide: car-maker Renault in France, the US delivery firm FedEx and the Spanish power firm Iberdrola are among countless other victims.

“It was a few hours later, when the reports came in from organisations that were heavily affected through reports in the media, that we realised the scale of the problem,” Symantec’s Dick O’Brien told us. “After that, it was a case of all hands on deck to try and analyse the ransomware and ensure our protections were as good as possible. So, it was late Friday evening that the scale of the problem became apparent, and there was an awful lot of effort to reverse engineer the malware and also on the communications side, to inform our customers what’s going on and if they were protected and what they could do to protect themselves.”

Whilst Symantec’s security analysts are scouring the malware code, a lesser known security expert is one step ahead of them.

Marcus Hutchins is at home in North Devon, enjoying a week off work from Los Angeles-based cybersecurity firm Kryptos Logic, when he starts reading reports of a ransomware attack. “I woke up at around 10am and checked onto [sic] the UK cyber threat sharing platform where I had been following the spread of the Emotet banking malware,” Hutchins writes in a post on his blog (malwaretech.com). “There were a few of your usual posts about various organisations being hit with ransomware, but nothing significant… yet. I ended up going out to lunch with a friend.” He returns home at around 2.30pm to find the malware forum besieged with posts about the NHS attack. “I picked a hell of a f***ing week to take off work,” he tweets shortly after.

With the help of a fellow researcher, he downloads a sample of the malware and quickly spots something curious in the code: “I instantly noticed it queried an unregistered domain, which I promptly registered.”

Registering the domain isn’t a random punt. Part of Hutchins’ job is to take down malware control server domains – he’d registered several thousand of them in the past year alone. But he doesn’t immediately realise how significant registering that particular domain will be. Instead, his immediate focus is making sure the “sinkhole server” he’s pointed the domain at doesn’t collapse under the weight of traffic. “At this point we still didn’t know much about what the domain I registered was for, just that anyone infected with this malware would connect to the domain we now own, allowing us to track the spread of the infection,” he writes.

At around 6.20pm a colleague messages Hutchins to tell him he’s evaluated the malware code and that it doesn’t periodically change the control server domain, like some malware does. But then they panic. “After about five minutes the employee came back with the news that the registration of the domain had triggered the ransomware meaning we’d encrypted everyone’s files,” he writes.

It soon transpires that’s not the case – quite the opposite in fact. They’d actually found the kill switch. “You probably can’t picture a grown man jumping around with the excitement of having just been ransomwared, but this was me,” Hutchins writes.

How – temporarily, at least – did registering the domain put a stop to the ransomware? The ransomware writers know that as soon as their code is released, experts such as Hutchins will be picking through the code, attempting to reverse engineer it. Malware analysis is normally conducted on sandboxed machines that aren’t connected to the internet to prevent spreading the malware further. As Hutchins explains: “In certain sandbox environments traffic is intercepted by replying to all URL lookups with an IP address belonging to the sandbox, rather than the real IP address the URL points to.” In other words, the sandbox is attempting to fool the malware into thinking it’s running on a live machine.

“I believe they were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox [and] the malware exits to prevent further analysis,” writes Hutchins. “However, because WannaCrypt used a single hardcoded domain, my registration of it caused all infections globally to believe they were inside a sandbox and exit… thus we initially, unintentionally prevented the spread and further ransoming of computers infected with this malware.”
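To make the mechanism Hutchins describes concrete, the Python below models it. It is an added illustration, not code from the article, from Hutchins or from Kryptos Logic; the domain name, the sinkhole address and the log lines are constructed placeholders, not the real ones. The same check that makes the sample stop inside a sandbox that answers every DNS lookup also makes it stop once the domain is registered and answers from a sinkhole, and the sinkhole’s own log then shows which hosts ran the sample.

```python
"""Why one hardcoded, unregistered domain acted as a kill switch.

Added example, not from the article and not Hutchins' or Kryptos Logic's code.
The domain, the sinkhole IP and the log lines are constructed placeholders.
"""
from collections import Counter

KILL_SWITCH_DOMAIN = "unregistered-killswitch.example"  # placeholder, not the real domain
SINKHOLE_IP = "192.0.2.53"                               # constructed sinkhole address


class Resolver:
    """A minimal stand-in for the DNS view a host has of the world."""

    def __init__(self, records, answer_everything=None):
        self.records = dict(records)                # name -> IP for registered names
        self.answer_everything = answer_everything  # a sandbox replies to every lookup

    def lookup(self, name):
        if name in self.records:
            return self.records[name]
        return self.answer_everything  # None models NXDOMAIN


def would_sample_exit(resolver, domain=KILL_SWITCH_DOMAIN):
    """True when the sandbox check fires: the domain resolves, so the sample stops."""
    return resolver.lookup(domain) is not None


# Three views of the same name, matching the article's timeline:
INTERNET_BEFORE = Resolver({})                                 # 12 May, morning: NXDOMAIN
SANDBOX = Resolver({}, answer_everything="10.0.0.1")           # analysis box fakes every answer
INTERNET_AFTER = Resolver({KILL_SWITCH_DOMAIN: SINKHOLE_IP})   # after Hutchins registers it

# Constructed sinkhole access log: "<timestamp> <client_ip> <queried_name>"
SINKHOLE_LOG = """\
2017-05-12T15:02:11Z 198.51.100.5 unregistered-killswitch.example
2017-05-12T15:02:14Z 198.51.100.9 unregistered-killswitch.example
2017-05-12T15:02:20Z 198.51.100.5 unregistered-killswitch.example
2017-05-12T15:03:01Z 203.0.113.77 unregistered-killswitch.example
2017-05-12T15:03:05Z 203.0.113.78 other.example
"""


def infected_hosts(log_text, domain=KILL_SWITCH_DOMAIN):
    """Hits per client IP for the kill-switch name: each client is a host that ran the sample."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] == domain:
            hits[parts[1]] += 1
    return hits


if __name__ == "__main__":
    views = [("pre-registration", INTERNET_BEFORE), ("sandbox", SANDBOX), ("sinkholed", INTERNET_AFTER)]
    for label, r in views:
        print(f"{label:17s}: sample {'exits' if would_sample_exit(r) else 'keeps running'}")
    print("distinct hosts seen by the sinkhole:", len(infected_hosts(SINKHOLE_LOG)))
```

Two limits follow from the model and match the article’s later events: a variant with a different hardcoded domain, or with the check removed, is untouched by this registration, and the sinkhole only records hosts whose lookup actually reached it, which is why keeping the sinkhole reachable under load mattered so much that weekend.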

SATURDAY 13 MAY 2017

The government is in full damage-limitation mode. We’re in the midst of a general election campaign – this attack doesn’t follow the “strong and stable” narrative. The prime minister appears in front of TV cameras, stating “this was not targeted at the NHS, it’s an international attack” – possibly the first time a British prime minister has been drawn to comment on a specific cyberattack. Defence ministers are wheeled out to refute claims the government’s not spending enough on cybersecurity; Home Secretary Amber Rudd is talking to people who understand the necessary hashtags…

In the meantime, Microsoft does something truly extraordinary: it provides a patch for Windows XP, Server 2003 and the original Windows 8, operating systems that are no longer officially supported. “Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful,” writes Phillip Misner, principal security group manager at the Microsoft Security Response Center. “This decision was made based on an assessment of this situation, with the principle of protecting our customer ecosystem overall, firmly in mind.” It later updates the Microsoft Malicious Software Removal Tool to rid infected machines of the ransomware.

SUNDAY 14 MAY 2017

Having been widely lauded as the “accidental hero” of the ransomware attack, Marcus Hutchins is beginning to suffer the consequences of his 15 minutes of fame. “I woke up to someone ringing me to say my pic is on the front page of the Daily Mail,” he tweets.

Tabloid journalists aren’t the only ones who are giving Hutchins a hard time. The malware writers want to take his sinkhole servers down to get the ransomware up and running again by the time office workers return to switch on their PCs on Monday morning. “Looks like someone in China attempted to steal the domain,” Hutchins tweets late on Sunday, linking to an email from a Chinese domain registrar that has applied for a transfer. Others are flooding the domain with denial-of-service attacks. Consequently, the sinkhole server is having to be monitored around the clock. “Thanks to @2sec4u who stayed up all night monitoring our sinkholes so that I could get some sleep after 48h of being awake,” an exhausted Hutchins tweets.

MONDAY 15 MAY 2017

The morning media headlines are dominated by fears of a further meltdown as people return to work and switch on their PCs, but the dreaded resurgence doesn’t happen.

Instead, attention turns to working out who’s responsible for the attack, with several likely suspects – the Russians, North Korea, bored teenagers – already being fingered in the mainstream media. However, others take a more forensic approach. Google researcher Neel Mehta posts a cryptic tweet: “9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598 ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4 #WannaCryptAttribution”

He is, according to Kaspersky Lab’s Global Research and Analysis Team, highlighting a similarity between two different malware samples with shared code. The first is an early variant of the WannaCry ransomware, the second is a sample of malware code written by the Lazarus Group.

The Lazarus Group is one of the most notorious active hacker groups, made famous by its 2014 hack on Sony Pictures that leaked confidential emails from the studio revealing details of stars’ salaries and unreleased films. The group is strongly suspected to operate from North Korea, but is it possible that another group has just stolen its code, perhaps to pin the attack on the rogue state? “In theory anything is possible,” write Kaspersky’s experts, but they dismiss the chances of such a “false flag” as “improbable”.
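Mehta’s tweet pairs an MD5 hash with two code addresses for each sample, pointing at a routine present in both. The Python below is an added illustration, not Mehta’s, Google’s or Kaspersky’s tooling: on two constructed byte buffers it finds the longest run of bytes the two share and reports where that run sits in each as a virtual address. The buffers, the “shared routine” and the image bases (the conventional 0x400000 for an executable and 0x10000000 for a DLL) are assumptions made for the example, and the buffers are treated as already-mapped images, so no section table is parsed.

```python
"""Locate a byte sequence shared by two samples and report its address in each.

Added example, not from the article or from any of the researchers it quotes.
The two "samples" are constructed byte buffers, not real binaries.
"""
from difflib import SequenceMatcher

EXE_BASE = 0x400000      # assumed image base for sample A (typical for an .exe)
DLL_BASE = 0x10000000    # assumed image base for sample B (typical for a .dll)

# A constructed "shared routine": an arbitrary 64-byte run, not real code.
SHARED = bytes(range(0x40, 0x60)) * 2

# Two constructed samples embedding the run at different offsets, surrounded by
# filler bytes that never occur inside SHARED, so only that run can match.
SAMPLE_A = b"\x00" * 0x120 + SHARED + b"\xff" * 0x80
SAMPLE_B = b"\x90" * 0x40 + SHARED + b"\xcc" * 0x200


def longest_shared_run(a, b, min_len=16):
    """Return (offset_in_a, offset_in_b, length) for the longest common run,
    or None if nothing at least `min_len` bytes long is shared.

    autojunk is disabled so that frequently occurring byte values (padding,
    NUL runs) are not silently discarded from the comparison.
    """
    sm = SequenceMatcher(None, a, b, autojunk=False)
    m = sm.find_longest_match(0, len(a), 0, len(b))
    if m.size < min_len:
        return None
    return (m.a, m.b, m.size)


def to_virtual_address(offset, image_base):
    """Map an offset in a mapped image to a virtual address (assumed flat layout)."""
    return image_base + offset


if __name__ == "__main__":
    hit = longest_shared_run(SAMPLE_A, SAMPLE_B)
    if hit is None:
        print("no shared run found")
    else:
        off_a, off_b, n = hit
        print(f"{n} shared bytes @ {to_virtual_address(off_a, EXE_BASE):#x} (A), "
              f"{to_virtual_address(off_b, DLL_BASE):#x} (B)")
```

A shared run is evidence of code reuse, not by itself of authorship; the disagreement between Kaspersky, Symantec and Woodward that follows on this page is exactly the corroboration step that an analyst applies after a match like this.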

Symantec’s Dick O’Brien is prepared to go further, asserting the company is “100% certain” Lazarus was behind the attack. “The reason we say that is because the early attacks we saw involved an awful lot of tools that Lazarus have used in the past,” he told us. “There was initially a few links and we’ve built it up and built it up to the extent that there’s very little doubt that Lazarus are behind it.”

Others are less certain. Professor Alan Woodward from the Department of Computer Science at the University of Surrey says mistakes such as the kill switch that Hutchins flicked are unlikely to have been made by an experienced hacking collective. “Assuming these are not deliberate mistakes, which seems unlikely, the way in which the May WannaCry code was assembled appears inconsistent with the quality of the exploits that have been previously associated with the Lazarus Group,” he wrote on his blog.

“It may have been some group of script kiddies who tried to cobble together the WannaCry payload with the EternalBlue worm and ended up with something far more virulent than they ever imagined.”

EPILOGUE

Inevitably, we’ve seen several variants of the WannaCry ransomware released since that first devastating batch, some with a new kill-switch domain hardcoded into the malware, others removing the kill switch altogether, but none appear to have had anywhere near the impact that the 12 May attack did.

The motivation for this first attack is still something of a mystery. It certainly doesn’t appear to be financial gain. “The money that went into the bitcoin wallets used has still not been moved out,” explained Symantec’s Dick O’Brien, speaking to us towards the end of May. “It’s unclear what they were trying to do. Whether they were trying to make some money and it got out of hand, or whether they were just intent on creating havoc.”

While the attackers remain at large, one person who’s had his life turned upside down by the episode is the man who prevented the attack from becoming far worse: Marcus Hutchins. He’s been practically forced to leave his home, after the tabloid press printed photos of his house. “I knew 5 minutes of fame would be horrible but honestly I misjudge [sic] just how horrible,” he tweeted. “The tabloids are super invasive.”

“For the record, I don’t fear for my safety,” he added in another tweet. “I’m just unhappy with trying to help clear up Friday’s mess with the doorbell [sic] going constantly.”

And spurious allegations that Hutchins was seeking personal gain from the attack were quickly destroyed when he was awarded a US$10,000 prize for discovering the kill switch by an ethical hacking group, and he promptly donated the lot to charity.

Ransomware writers might also be counting the cost of the WannaCry attack. Not only are companies around the world now beefing up their defences against such attacks, but the entire business model of the crime has been undermined by the fact that paying the WannaCry ransom didn’t unlock victims’ files, because – unusually – there was no means of linking payments to infected computers.

“The business model has been established for some time and somebody has come along and done something quite different that’s had a big impact,” said Symantec’s O’Brien. “They’re not the first group who have let down the people who paid the ransom, we’ve seen it happen a lot in the past.” But they’re certainly the highest profile. Ransomware won’t go away, but it might be a less effective means of extortion from now on.

On 12 May, NHS hospitals were confronted with a clumsy ransom note asking for US$300 in bitcoins within three days

From his house Marcus Hutchins stymied the malware by quickly registering the key domain

ABOVE & LEFT WannaCry caused hospitals to cancel operations and turn away A&E patients – even newborn babies weren’t tagged due to the PC failures

It wasn’t just the NHS that fell victim to the malware – many firms around the world were also affected, including Renault and FedEx
