Nyetya: Sanctions and Taxes

/8 Comments/in /by

In my first post on the Nyetya/NotPetya attack launched in Ukraine last week, I suggested the attack looked a lot like a digital sanctions regime and pointed out that the malware had been compiled not long after the US Senate tried to pass new sanctions.

On June 14, the Senate passed some harsh new sanctions on Russia, ostensibly just for Russia’s Ukrainian and Syrian related actions, not for its tampering in last year’s US election. The House mucked up that bill, but the Senate will continue to try to impose new sanctions. Trump might well veto the sanctions, but that will cause him a great deal of political trouble amid the Russian investigation.

The Petya/NotPetya malware was compiled on June 18.

Update: I should add that Treasury added a bunch of people to its Ukraine-related sanctions list on June 20.

In her first post on it, Rayne focused on how the loss of MEDoc’s tax software might effect payments in Ukraine (though she remained open about other attackers besides Russia).

But the US wasn’t the only country that has moved towards imposing new sanctions on Russia. Ukraine did so too, back on May 15. Petro Poroshenko targeted a number of Russian tech brands — most spectacularly, VK, mail.ru, and Yandex, which are among the most popular sites in Ukraine. The Ukrainian president also banned Kaspersky, as American politicians are moving closer to doing. Most interestingly, Poroshenko banned 1C, maybe the equivalent of Microsoft’s Office suite.

A decree by Poroshenko posted late on Monday expanded sanctions adopted over Russia’s annexation of Crimea and backing of separatists in eastern Ukraine to include 468 companies and 1,228 people. Among them were the Russian social networks VK and Odnoklassniki, the email service Mail.ru and the search engine company Yandex, all four of which are in the top 10 most popular sites in Ukraine, according to the web traffic data company Alexa. The decree requires internet providers to block access to the sites for three years.

Poroshenko’s decree also blocked the site of the Russian cybersecurity giant Kaspersky Labs and will ban several major Russian television channels and banks, as well as the popular business software developer 1C.

In a post on his official page on VK, Poroshenko said he had tried to use Russian social networks to fight Russia’s “hybrid war” and propaganda.

1C is a competitor to MEDoc, the patient zero of the attack. (h/t Jeff Vader)

After Poroshenko imposed sanctions, Putin’s spox warned Ukraine had forgotten the principle of reciprocity.

Vladimir Putin’s spokesman told journalists that he wasn’t prepared to say but that Russia had not “forgotten about the principle of reciprocity”.

Now consider these other details.

It turns out that MEDoc had already sent out several malicious updates which backdoored the software and collected the unique business identifier of the victims, as well as credentials.

During our research, we identified a very stealthy and cunning backdoor that was injected by attackers into one of M.E.Doc’s legitimate modules. It seems very unlikely that attackers could do this without access to M.E.Doc’s source code.

The backdoored module has the filename ZvitPublishedObjects.dll. This was written using the .NET Framework. It is a 5MB file and contains a lot of legitimate code that can be called by other components, including the main M.E.Doc executable ezvit.exe.

We examined all M.E.Doc updates that were released during 2017, and found that there are at least three updates that contained the backdoored module:

  • 01.175-10.01.176, released on 14th of April 2017
  • 01.180-10.01.181, released on 15th of May 2017
  • 01.188-10.01.189, released on 22nd of June 2017

The incident with Win32/Filecoder.AESNI.C happened three days after the 10.01.180-10.01.181 update and the DiskCoder.C outbreak happened five days after the 10.01.188-10.01.189 update. Interestingly, four updates from April 24th 2017, through to May 10th 2017, and seven software updates from May 17th 2017, through to June 21st 2017, didn’t contain the backdoored module.

Since the May 15th update did contain the backdoored module and the May 17th update didn’t, here is a hypothesis that could explain low infection Win32/Filecoder.AESNI.C ratio: the release of the May 17th update was an unexpected event for the attackers. They pushed the ransomware on May 18th, but the majority of M.E.Doc users no longer had the backdoored module as they had updated already.

[snip]

Each organization that does business in Ukraine has a unique legal entity identifier called the EDRPOU number (Код ЄДРПОУ). This is extremely important for the attackers: having the EDRPOU number, they could identify the exact organization that is now using the backdoored M.E.Doc. Once such an organization is identified, attackers could then use various tactics against the computer network of the organization, depending on the attackers’ goal(s).

[snip]

Along with the EDRPOU numbers, the backdoor collects proxy and email settings, including usernames and passwords, from the M.E.Doc application.

Note, that May 15 attack was actually earlier in the day, before Poroshenko announced the sanctions against Russia.

Talos used logs it obtained from MEDoc to confirm that it backdoored the victims, collecting data from targeted machines.

But then it makes what I consider a logical jump (albeit an interesting one): invoking something similar that happened with Blackenergy, it argues that the hacker that had backdoored MEDoc has lost the intelligence functionality of the MEDoc back door, so it must have a replacement at the ready. As a result, Talos basically suggests that businesses should treat anything touching Ukraine as if it has or soon will have digital cooties.

In short, the actor has given up the ability to deliver arbitrary code to the 80% of UA businesses that use M.E.Doc as their accounting software, along with any multinational corporations that leveraged the software.  This is a significant loss in operational capability, and the Threat Intelligence and Interdiction team assesses with moderate confidence that it is unlikely that they would have expended this capability without confidence that they now have or can easily obtain similar capability in target networks of highest priority to the threat actor.

Based on this, Talos is advising that any organization with ties to Ukraine treat software like M.E.Doc and systems in Ukraine with extra caution since they have been shown to be targeted by advanced threat actors.  This includes providing them a separate network architecture, increased monitoring and hunting activities in those at-risk systems and networks and allowing only the level of access absolutely necessary to conduct business.  Patching and upgrades should be prioritized on these systems and customers should move to transition these systems to Windows 10, following the guidance from Microsoft on securing those systems.  Additional guidance for network security baselining is available from Cisco as well.  Network IPS should be deployed on connections between international organizations and their Ukrainian branches and endpoint protection should be installed immediately on all Ukrainian systems.

That may be right. But I’m not sure this analysis considers Rayne’s point: that by basically taking out crucial tax software used by 80% of the Ukrainian market (indeed, Ukrainian authorities raided the company in a showy SWAT raid today), you will presumably have some effect on the collection of taxes in Ukraine, something AP’s reporter reporting from Ukraine, Raphael Satter, says he has seen anecdotal evidence of already.

So, sure, the MEDoc attacker lost the back door into 80% of the companies doing business in Ukraine. But the attacker may have hurt Ukraine’s ability to collect taxes, even while destroying the Ukrainian competitor to one of the companies targeted in May, imposing tremendous costs on doing business in Ukraine, and leading security advisors to recommend treating Ukraine like it has cooties going forward.

As with my first post on this, I’m still really just spit balling.

But one thing we know about Russia: it wants to find a way to end the sanctions regimes against it, and helping Donald Trump get elected thus far hasn’t done the trick.

Update: Malware Tech, the guy who sinkholed WannaCry, points to his data showing declining WannaCry infections in Ukraine and Russia, which he says shows the effect of the Nyetya infections replacing WannaCry ones. That suggests the impact in Russia is real, contrary to some public comments.

Update: Bleeping Computers describes victims installing old versions of MEDoc because it is so central to their business operations.

With the M.E.Doc servers down, Bleeping Computer was told that most Ukrainian companies are now sharing older versions of the M.E.Doc software via Google Drive links. The software provided by Intellect Service is so crucial to Ukrainian companies that even after the NotPetya outbreak, many businesses cannot manage their finances without it, despite the looming danger of another incident.

Because of the way the software is currently shared between some usrs, Ukrainian companies are now exposing themselves to even more dangerous threats, such as installing boobytrapped M.E.Doc versions from unofficial sources like Dropbox or Google Drive.

NotPetya: Why Would Russia Target Kaspersky AV?

/14 Comments/in /by

With the backing of a bunch of security companies, both the US and Ukraine are getting closer to formally blaming Russia for the NotPetya attack last week on the same hackers that brought down the power grid in 2015.

But there are skeptics. Rob Graham suggests this analysis all suffers from survivorship bias. And Jonathan Nichols argues the attack was so easy pretty low level hackers could have pulled it off.

Nichols also raises a point that has been puzzling me. The attack does extra damage if it detects the Kaspersky Antivirus.

Much has been made about the fact that the NotPetya virus appears to have been designed as a wiper, and not as a genuine piece of ransomware. The virus also checks for avp.exe (Kaspersky Antivirus) and then wipes the bootsector of any device with the file present.

[snip]

Further, the specific targeting of Kaspersky Antivirus harkens back to the vindictive nature of low level cyber criminals, such as those which famously write hate messages to Kaspersky and Brian Krebs regularly.

There may be a good reason to do this (such as, if Kaspersky dominates the AV market in Ukraine, it would provide an additional way to target Ukraine specifically, though that would seem to also implicate Russian companies, like Rosneft, that were hit by NotPetya as well). But absent such a reason, why would Russia selectively do more damage to victims running Kaspersky, especially at a moment with the US is so aggressively trying to taint Kaspersky as a Russian front?

As a reminder, back in January when Shadow Brokers claimed to be disappearing forever, they called out Kaspersky specifically in a dump of dated Windows files (SB trolled Kaspersky even more on Twitter, though deleted all those old tweets last week).

Before go, TheShadowBrokers dropped Equation Group Windows Warez onto system with Kaspersky security product. 58 files popped Kaspersky alert for equationdrug.generic and equationdrug.k TheShadowBrokers is giving you popped files and including corresponding LP files.

So not just cybercriminals with a grudge against Kaspersky for cooperating with western law enforcement, but the source of some of the exploits used in this attack, has targeted Kaspersky in the past.

I don’t know the answer. But it’s one counterargument to the rush to blame Russia that, in my opinion, needs some answers.

Does Maersk Count as US Critical Infrastructure?

/18 Comments/in /by

I Back when Sony Pictures got hacked after Sony Everything Else had been hacked serially over the course of 15 years, the US government declared that multinational studio owned by a Japanese parent US critical infrastructure entitled to heightened cybersecurity protection. That’s one of the bases for which the US imposed sanctions on North Korea. The designation also ramped up the ways in which FBI could help Sony.

The listing of a multinational movie studio as critical infrastructure led many people to understand just how broad the definition of CI is in the US, including (in the same Commercial Facilities Sector) a bunch of things that might better be called soft targets.

  • Entertainment and Media (e.g., motion picture studios, broadcast media).
  • Gaming (e.g., casinos).
  • Lodging (e.g., hotels, motels, conference centers).
  • Outdoor Events (e.g., theme and amusement parks, fairs, campgrounds, parades).
  • Public Assembly (e.g., arenas, stadiums, aquariums, zoos, museums, convention centers).
  • Real Estate (e.g., office and apartment buildings, condominiums, mixed use facilities, self-storage).
  • Retail (e.g., retail centers and districts, shopping malls).
  • Sports Leagues (e.g., professional sports leagues and federations).

That’s when I learned that DHS was on the hook for protecting Yogi Bear Jellystone and KOA campground facilities around the country from cyberattack.

Since 2014, DHS belatedly added one thing to its critical infrastructure designation: elections. Though DHS doesn’t appear to have updated the website to reflect that designation yet (though maybe I’m missing it; I’ll call tomorrow to ask them where it is).

Anyway, the global impact of the NotPetya (which I’ll henceforth call Nyetna, because that’s my favorite name for it) attack, particularly its impact on Danish shipping giant Maersk, has me wondering whether anything Nyetna affected counts as would count as critical infrastructure. The impact on Maersk has had significant effect at several ports in the US.

Danish shipping giant A.P. Moller-Maersk, one of the global companies hardest hit by the malware, said Thursday that most of its terminals are now operational, though some terminals are “operating slower than usual or with limited functionality.”

Problems have been reported across the shippers’ global business, from Mobile, Alabama, to Mumbai in India. When The Associated Press visited the latter city’s Jawaharlal Nehru Port Trust on Thursday, for example, it witnessed several hundred containers piled up at just two yards, out of more than a dozen yards surrounding the port.

“The vessels are coming, the ships are coming, but they are not able to take the container because all the systems are down,” trading and clearing agent Rajeshree Verma told the AP. “The port authorities, they are not able to reply (to) us. The shipping companies they also don’t know what to do. … We are actually in a fix because of all this.”

Probably the most important impact was on Maersk’s terminal in LA.

A cyberattack that infected computers across Europe and then spread into the United States halted operations at the Port of Los Angeles’ largest terminal Tuesday — and raised worries that destructive software could ricochet around the world and disrupt the critical supply chain.

APM Terminals — where Danish shipping carrier A.P. Moller-Maersk operates — turned truckers away all day, as did their terminals in Rotterdam, New York and New Jersey.

So does Maersk, and the 18% of global container shipping business it carries, count as US critical infrastructure?

Given that Maersk, not the several ports affected, is the victim, it’s not clear. Here’s how DHS defines the CI aspect of maritime shipping.

  • Maritime Transportation System consists of about 95,000 miles of coastline, 361 ports, more than 25,000 miles of waterways, and intermodal landside connections that allow the various modes of transportation to move people and goods to, from, and on the water.

But if Sony can count as US CI, it seems Maersk (or any comparable shipping giant) should as well.

It may not matter, as the Executive Branch seems to be hiding even further under their bed than they were after the WannaCry attack, with this being the one mention of the hack from the White House.

SECRETARY PERRY:  So let’s get over on the grid.  Obviously, the Department of Energy has a both scientific, they have a historic reason to be involved with that.  One is that, at one of our national labs, we have a test grid of which we are able to go out — one of the reasons that the Department of Homeland Security and DOE is involved with grid security is that DOE operates a substantial grid — a test grid, if you will — where we can go out and actually break things.  We can infest it with different viruses and what have you to be able to analyze how we’re going to harden our grid so that Americans can know that our country is doing everything that it can to protect, defend this country against either cyberattacks that would affect our electrical security or otherwise.

So the ability for us to be able to continue to lead the world — I think we all know the challenges.  We saw the reports as late as today of what’s going on in Ukraine.  And so protecting this country, its grid against not just cyber, but also against physical attacks, against attacks that may come from Mother Nature, weather-related events — all of that is a very important part of what DOE, DHS is doing together.

DHS is preoccupied rolling out Muslim Ban 3.0 and other flight restrictions.

By all appearances, Nyetna primarily targeted Ukraine. But in hitting Ukraine, it significantly disabled one of the key cogs to the global economy, the world’s biggest container shipping company. Does that count as an attack on the US, or at least its critical infrastructure?

Update: I’ve confirmed that “shipping lines” are included in Maritime Transportation. So Maersk would seem to count as critical infrastructure.

 

Minority Report: An Alternative Look at NotPetya

/6 Comments/in /by

NB: Before reading:

1) Check the byline — this is NotMarcy;

2) Some of this content is speculative;

3) This is a minority report; I’m not on the same paragraph and perhaps not the same page with Marcy.

Tuesday’s ‘Petya/Petna/NotPetya’ malware attacks generated a lot of misleading information and rapid assumptions. Some of the fog can be rightfully blamed on the speed and breadth of infection. Some of it can also be blamed on the combined effect of information security professionals discussing in-flight attacks in full view of the public who make too many assumptions.

There’s also the possibility that some of the confusing information may have been deliberately generated to thwart too-early intervention. If this isn’t criminal hacking but cyber warfare, propaganda should be expected as in all other forms of warfare. Flawed assumptions, too, can be weaponized.

A key assumption worth re-examining is that Ukraine was NotPetya’s primary target rather than collateral damage.

After the malware completed its installation and rebooted an infected machine, a message indicated files had been encrypted and payment could be offered for decryption.

Thousands of dollars were paid $300 at a time in cryptocurrency but a decryption key wouldn’t be forthcoming. Users who tried to pay the ransom found the contact email address hosted by Posteo.net had been terminated. The email service company was unhelpful bordering on outright hostile in its refusal to assist users contacting the email account holder. It looked like a ransom scam gone very wrong.

As Marcy noted in her earlier post on NotPetyna, information security expert Matt Suiche posted that NotPetya was a wiper and not ransomware. The inability of affected users to obtain decryption code suddenly made perfect sense. ‘Encrypted’ files are never going to be opened again.

It’s important to think about the affected persons and organizations and how they likely responded to the infection. If they didn’t already have a policy in place for dealing with ransomware, they may have had impromptu meetings about their approach; they had to buy cryptocurrency, which may have required a crash DIY course in how to acquire it and how to make a payment — scrambling under the assumption they were dealing with ransomware.

It all began sometime after 10:30 UTC/GMT — 11:30 a.m. London (BDT), 1:30 p.m. Kyiv and Moscow local time, even later in points across Russia farther east.

(And 4:30 a.m. EDT — well ahead of the U.S. stock market, early enough for certain morning Twitter users to tweet about the attack before America’s work day began.)

The world’s largest shipping line, Maersk, and Russia’s largest taxpayer and oil producer Rosneft tweeted about the attack less than two hours after it began.

By the end of the normal work day in Ukraine time, staff would only have just begun to deal with the ugly truth that the ransom may have been handed off and no decryption key was coming.

As Marcy noted, June 28th is a public holiday in Ukraine — Constitution Day. I hope IT folks there didn’t have a full backup scheduled to run going into the holiday evening — one that might overwrite a previous full backup.

The infection’s spread rate suggested early on that email was not the only means of transmission, if it had been spread at all by spearfishing. But many information security folks advocated not opening any links in email. A false sense of security may have aided the malware’s dispersion; users may have thought, “I’m not clicking on anything, I can’t get it!” while their local area network was being compromised.

And then it hit them. While affected users sat at their machines reading fake messages displayed by the malware, scrambling to get cryptocurrency for the ransom, NotPetya continued to encrypt files under their noses and spread across business’s local area networks. Here’s where Microsoft’s postmortem is particularly interesting; it not only gives a tick-tock of the malware’s attack on a system, but it lists the file formats encrypted.

Virtually everything a business would use day to day was encrypted, from Office files to maps, website files to emails, zip archives and backups.

Oh, and Oracle files. Remember Oracle pushed a 299 vulnerability mega-patch on April 19, days after ShadowBrokers dumped some NSA tools? Convenient, that; these vulnerabilities were no longer a line of attack except through file encryption.

While information security experts have done a fine job tackling a many-headed hydra ravaging businesses, they made some rather broad assumptions about the reason for the attack. Kaspersky concluded the target was Ukraine since ~60% of infected devices were located there though 30% were located in Russia. But the malware’s aim may not have been the machines or even the businesses affected in Ukraine.

What did those businesses do? What they did required tax application software MEDoc. If the taxes to be calculated were based on business’s profits — (how much did they make) X (tax rate) — they hardly needed tax software. A simple spreadsheet would suffice, or the calculation would be built into accounting software.

No, the businesses affected by the malware pushed at 10:30 GMT via MEDoc update would be those which sold goods or services frequently, on which sales tax would have been required for each transaction.

What happens when a business’s sales can’t be documented? What happens when their purchases can’t be documented, either?

Which brings me to the affected Russian businesses, specifically Rosneft. There’s not much news published in English detailing the impact on Rosneft; we’ve only got Kaspersky’s word that 30% of infections affected Russian machines.

But if Rosneft is the largest public oil company in the world, Russia’s largest taxpayer as Rosneft says on their Twitter profile, it may not take very many infections to wreak considerable damage on the Russian economy. Consider the ratio of one machine invoicing the shipment of entire ocean tanker of oil versus many machines billing heating oil in household-sized quantities.

And if Rosneft oil was bought by Ukraine and resold to the EU, Ukraine’s infected machines would cause a delay of settlements to Russia especially when Rosneft must restore its own machines to make claims on Ukrainian customers.

The other interesting detail in this malware story is that the largest container line in the world, Maersk, was also affected. You may have seen shipping containers on trucks, trains, in shipyards and on ships marked in bold block letters, MAERSK. What you probably haven’t seen is Maersk’s energy transport business.

This includes shipping oil.

It’s not Ukraine’s oil Maersk ships; most of what Ukraine sells is through pipelines running from Russia in the east and mostly toward EU nations in the west.

It’s Russian oil, probably Rosneft’s, shipping overseas. If it’s not in Maersk container vessels, it may be moving through Maersk-run terminal facilities. And if Maersk has no idea what is shipping, where it’s located, when it will arrive, it will have a difficult time settling up with Rosneft.

Maersk also does oil drilling — it’s probably not Ukraine to whom Maersk may lease equipment or contract its services.

Give the potential damage to Russia’s financial interests, it seems odd that Ukraine is perceived as the primary target.

 

NotPetya’s attack didn’t happen in a vacuum, either.

A report in Germany’s Die Welt reported the assassination of Ukraine’s chief of intelligence by car bomb. The explosion happened about the same time that Ukraine’s central bank reported it had been affected by NotPetya — probably a couple hours after 10:30 a.m. GMT.

On Monday, privately-owned Russian conglomerate Sistema had a sizable chunk of assets “arrested” — not seized, but halted from sale or trading — due to a dispute with Rosneft over $2.8 billion dollars. Rosneft claims Sistema owes it money from the acquisition of oil producer Bashneft, owned by Sistema until 2014. Some of the assets seized included part of mobile communications company MTS. It’s likely this court case Rosneft referred to in its first tweet related to NotPetya.

The assassination’s timing makes the cyber attack look more like NotPetya was a Russian offensive, but why would Russia damage its largest sources of income and mess with its cash flow? The lawsuit against Sistema makes Rosneft appear itchy for income — Bashneft had been sold to the state in 2014, then Rosneft bought it from the state last year. Does Rosneft need this cash after the sale (or transfer) of a 19.5% stake worth $10.2 billion last year?

Worth noting here that Qatar’s sovereign wealth fund financed the bulk of the deal; commodities trader Glencore only financed 300 million euros of this transaction. How does the rift between other Middle Eastern oil states and Qatar affect the value of its sovereign wealth fund?

In her previous post, Marcy spitballed about digital sanctions — would they look like NotPetya? I think so. I can’t help recall this bit at the end of the Washington Post’s opus on Russian election interference published last week on June 23:

But Obama also signed the secret finding, officials said, authorizing a new covert program involving the NSA, CIA and U.S. Cyber Command.

[…]

The cyber operation is still in its early stages and involves deploying “implants” in Russian networks deemed “important to the adversary and that would cause them pain and discomfort if they were disrupted,” a former U.S. official said.

The implants were developed by the NSA and designed so that they could be triggered remotely as part of retaliatory cyber-strike in the face of Russian aggression, whether an attack on a power grid or interference in a future presidential race.

I’m sure it’s just a coincidence that NotPetya launched Tuesday this week. This bit reported in Fortune is surely a coincidence, too:

The timing and initial target of the attack, MeDoc, is sure to provoke speculation that an adversary of Ukraine might be to blame. The ransomware hid undetected for five days before being triggered a day before a public Ukrainian holiday that celebrates the nation’s ratification of a new constitution in 1996.

“Last night in Ukraine, the night before Constitution Day, someone pushed the detonate button,” said Craig Williams, head of Cisco’s (CSCO, +1.07%) Talos threat intelligence unit. “That makes this more of a political statement than just a piece of ransomware.” [boldface mine]

Indeed.

Two more things before this post wraps: did anybody notice there has been little discussion about attribution due to characters, keyboards, language construction in NotPetya’s code? Are hackers getting better at producing code without tell-tale hints?

Did the previous attacks based on tools released by the Shadow Brokers have secondary — possibly even primary — purposes apart from disruption and extortion? Were they intended to inoculate enterprise and individual users before a destructive weapon like NotPetya was released? Were there other purposes not obvious to information security professionals?

What Would a Digital Sanctions Regime Relying on Malware Look Like?

/4 Comments/in , /by

A day ago, the second ransomware based on NSA tools leaked by Shadow Brokers hit. The attack was focused on Ukraine, in large part because “patient zero” appears to be a tax software update for a Ukrainian company M.E.Doc. But global giants include Maersk and Merck were also affected. Russian oil giant Rosneft was affected too, though there are conflicting claims about how badly it was disabled.

A day in, folks still can’t get a grasp on this attack, even down to the name (it started as Petya until security folks determined it’s not the ransomware of the same name, leading to the use of NotPetya).

While using far more attack vectors (and more toys from Shadow Brokers), this attack bears two similarities with last month’s WannaCry attack: the ransom requested $300 to decrypt locked data, and the ransom function was never really designed to work properly.

There is mounting evidence that the #GoldenEye / #Petya ransomware campaign might not have targeted financial gains but rather data destruction.

  • The choice of a regular, non-bulletproof e-mail service provider to act as a communication channel was obviously a wrong decision in terms of business.
  • The lack of automation in the payment & key retrieval process makes it really difficult for the attacking party to honor their end of the promise.
  • There is a total lack of usability in the payment confirmation: the user has to manually type an extremely long, mixed case “personal installation key” + “wallet” is prone to typos.

Update 6/28 06.00 GMT+3

The email address that was used by the threat actors to get payment confirmations has been suspended by Posteo. This means that all payments made overnight will be unable to get validated, and therefore will surely not receive the decryption key. Not that we have ever advised otherwise, but if you’re planning to pay the ransom, stop now. You’ll lose your data anyway, but you’ll contribute in funding the development of new malware. Even so, there have been 15 payments made after the suspension of the e-mail address. The wallet now totals 3.64053686 BTC out of 40 payments, with a net worth of $US 9,000.

Indeed, Matt Suiche argues the attack is better thought of as a wiper attack, designed to destroy rather than lock data, than a ransomware attack.

It will take some time to understand what the attack really is, particularly given the degree to which it appears to masquerade as things it’s not. But for the moment, I want to consider how a similar attack might be used as a counter to sanctions regimes. As far as we currently know, this attack made doing business with Ukraine a very expensive business proposition, as doing business with, say, some oligarchs in Russia is made costly for those subject to US sanctions because have to bank in the US. The attack served as a self-executing investigative method to identify just who had business tax dealing in Ukraine, and imposed an immediate cost. So whether or not that’s what this is, such an attack could be used to counteract sanctions imposed by the international banking community.

Again, I’m just spitballing.

But some dates are of interest.

On June 14, the Senate passed some harsh new sanctions on Russia, ostensibly just for Russia’s Ukrainian and Syrian related actions, not for its tampering in last year’s US election. The House mucked up that bill, but the Senate will continue to try to impose new sanctions. Trump might well veto the sanctions, but that will cause him a great deal of political trouble amid the Russian investigation.

The Petya/NotPetya malware was compiled on June 18.

Microsoft dates the attack to June 27 at 10:30 GMT.

We observed telemetry showing the MEDoc software updater process (EzVit.exe) executing a malicious command-line matching this exact attack pattern on Tuesday, June 27 around 10:30 a.m. GMT.

Today, June 28, is a public holiday in Ukraine, making it more difficult to deal with the attack.

Again, I’m not saying that’s what NotPetya is. I am saying that if you wanted to design a counter to financial sanctions using malware, NotPetya is close to what it’d look like.

Penetrated: Today’s Senate Intelligence Committee Hearing on Russian Interference in the 2016 U.S. Elections

/43 Comments/in , , , /by

If you didn’t catch the Senate Intelligence Committee hearing on Russian influence on 2016 U.S. election on live stream, you should try to catch a replay online. I missed the first panel but caught the second when University of Michigan Prof. J. Alex Halderman began his testimony with his opening statement.

The same Halderman who questioned the 2016 election could have been hacked based on his expertise.

The same Halderman who hacked a voting machine to play Pac Man.

When asked if it was possible Russia could change votes, Halderman told the SIC that he and a team of students demonstrated they were able to hack DC’s voting system, change votes, and do so undetected in under 48 hours. Conveniently, Fox News interviewed Halderman last September; Halderman explained the DC hack demonstration at that time (see embedded video); the interview fit well with Trump’s months-long narrative that the election was ‘rigged’.

If you aren’t at least mildly panicked after watching the second panel’s testimony and reading Halderman’s statement, you’re asleep or dead, or you just plain don’t care about the U.S.’ democratic system.

Contrast and compare this Senate hearing to the House Intelligence Committee’s hearing with former DHS Secretary Jeh Johnson as a witness. Johnson sent out numerous messages last year expressing his concerns about election integrity, but after listening to the second Senate panel, Johnson should have been hair-on-fire (it’s figure of speech, go with it). But the Obama administration erred out of some twisted sense of heightened sensibility about appropriateness (which would have been better suited to its policies on drone use and domestic surveillance). The excess of caution feels more like foot dragging when viewed through the lens of time and Johnson’s testimony.

Early in the hearing, Johnson as well as DHS witnesses Jeanette Manfra and Samuel Liles said there was no evidence votes were changed. It’s important to note, though, that Johnson later clarifies in a round about way there was no way to be certain of hacking at that time (about 1:36:00-1:41:00 in hearing). I find it incredibly annoying Johnson didn’t simply defer to information security experts about the possibility there may never be evidence even if there were hacks; it’s simply not within in his skill set or experience then or now to say with absolute certainty based on forensic audit there was no evidence of votes changed. Gathering that evidence never happened because federal and state laws do not provide adequately for standardized full forensic audits before, during, or after an election.

Halderman’s SIC testimony today, in contrast, makes it clear our election system was highly vulnerable in many different ways last November.

Based on the additional testimony of a representative of National Association of State Election Directors, the President-Elect of National Association of Secretaries of State (NASS) & Secretary of State, Executive Director of Illinois State Board of Elections Illinois — whose combined testimony revealed lapses in communication between federal, state, and local government combined with gaps in information security education — the election system remains as vulnerable today as it was last autumn.

Nothing in either of these two hearings changed the fact we’ve been penetrated somewhere between 21 and 39 times. Was it good for you?

The Outdated XP Testimony on WannaCry to Congress

/12 Comments/in , /by

The Oversight Committee had a hearing on WannaCry last week. I won’t have time to watch the hearing for a few days, but I did read the testimony with some alarm. That’s because two of the four witnesses appear to have misstated one detail about the attack.

First, Symantec CTO Hugh Thompson suggested that the spread of the ransomware was due to Microsoft not releasing a patch for XP when it had released EternalBlue patches for other systems in March.

WannaCry spread to unpatched computers. Microsoft released a patch for the SMB vulnerability for Windows 7 and newer operating systems in March, but unpatched systems and systems running XP or older operating systems were unprotected. After the WannaCry outbreak began, Microsoft released a patch for XP and earlier platforms. Four days after the initial outbreak these patches were widely applied and new infections slowed to a trickle.

The implication here is that the ransomware primarily affected XP, and only because there hadn’t been a patch available.

Retired General Touhill suggested this outdated system was actually Windows 95 — and claimed that Microsoft had released that patch in March, along with the supported system patches.

Systems using unpatched versions of the Windows 95 operating system have been highlighted as exemplar victims of the Wannacry attack. Microsoft who, after a long and very public notification process, discontinued support to the Windows 95 operating system in 2014, about 19 years after its initial release. However, in light of the warnings and their own research, in March of this year Microsoft issued a rare emergency patch to Windows 95, nearly three years after they had discontinued support of the software. Despite these extraordinary actions, many organizations still did not heed the warnings and properly patch and configure their systems. As a result, they fell victim to Wannacry.

In fact, XP (to say nothing of Windows 95) was not the problem. Windows 7 was. Kaspersky Lab (which Congress has spent time of late demonizing as potential Russian spies) first pointed this out on May 19.

Chief among the revelations: more than 97 percent of infections hit computers running Windows 7, according to attacks seen by antivirus provider Kaspersky Lab. By contrast, infected Windows XP machines were practically non-existent, and those XP PCs that were compromised were likely manually infected by their owners for testing purposes. That’s according to Costin Raiu, director of Kaspersky Lab’s Global Research and Analysis Team, who spoke to Ars.

While the estimates are based only on computers that run Kaspersky software, as opposed to all computers on the Internet, there’s little question Windows 7 was overwhelmingly affected by WCry, which is also known as “WannaCry” and “WannaCrypt.” Security ratings firm BitSight found that 67 percent of infections hit Windows 7, Reuters reported.

The figures challenge the widely repeated perception that the outbreak was largely the result of end users who continued to deploy Windows XP, a Windows version Microsoft decommissioned three years ago. In fact, researchers now say, XP was largely untouched by last week’s worm because PCs crashed before WCry could take hold. Instead, it now appears, the leading contributor to the virally spreading infection were Windows 7 machines that hadn’t installed a critical security patch Microsoft issued in March

Days later Sophos confirmed that analysis.

Though the lack of patching and exposure of port 445 were easily identified problems, the reasons why Windows 7 was an easier target than XP remain somewhat clouded.

During testing, SophosLabs found that XP wasn’t the effective conduit for infection via the EternalBlue SMB exploit that many thought it was, while Windows 7 was easily infected. The research showed that WannaCry ransomware can affect XP computers – but not via the SMB worm mechanism, which was the major propagation vector for WannaCry.

[snip]

Various security companies arrived at a similar conclusion, putting the infection rate among Windows 7 computers at between 65% and 95%. SophosLabs puts that number even higher: our analysis of endpoint data for the three days that followed the outbreak shows that Windows 7 accounted for nearly 98% of infected computers.

It’s still a question of whether a victim patched their computer or not, but Microsoft did make a patch available for Windows 7 along with other supported systems. Though, as Sophos notes, unless users were paying extra for support, they might not have noticed the patch was there.

Microsoft had addressed the issue in its MS17-010 bulletin in March, but companies using older, no-longer-supported versions of the operating system wouldn’t have seen it unless they were signed up for custom support, ie Microsoft’s special extended – and paid-for – support.

That suggests one problem with the patching wasn’t the timeliness, but the secrecy. But, Congress might not learn that detail given the testimony they got last week.

Three days after the attack started, Homeland Security Czar Tom Bossert was still claiming WannaCry was spread via phishing. Now Congress is getting other debunked reporting.

We might respond better to these threats if the government was getting information that was at least as accurate as that information available to lowly hippie bloggers.

If We Have to Have FISA, Can We at Least Not Give It to Contractors?

/22 Comments/in , /by

In very close succession today, the Intercept published a story on Russia’s efforts to hack election-related officials and the government arrested the apparent source for that story, a woman named Reality Winner.

The story — which reports GRU attempted to phish some officials — is most interesting for the dates included in the leaked document accompanying the story. The document — dated May 5 but covering events from last fall — describes phishing attempts starting as early as a month before the election up to October 31 or November 1.

That latest date (on a report published six months later) is interesting because we know President Obama used the cyber “red phone” to contact Vladimir Putin on October 31, for the first time in his presidency, to complain about election-related hacking. The dates here at least suggest that there were no more phishing attempts initiated after that call.

Of course, now Russia knows more details about how granularly, and on what schedule, NSA might learn such details.

The other big part of this incident, however, is the revelation that contractors well outside the known entities (like Booz Allen Hamilton) have access to FISA information — as indicated by the classification stamp — and that even people without a need to know that information can access it.

This leak was discovered because another of Intercept’s sources alerted the NSA. But had that not happened (or had the Intercept not showed the NSA a folded document), then it’s not clear this would have been discovered.

I get why we need to disseminate such information widely. But even if this information merely reports on stuff that had already been reported (to the WaPo, long ago), it nevertheless is testament to the degree to which adding contractors adds the likelihood of leaks.

Or let’s put it this way: we’re sharing FISA information with contractors who don’t have a need to know. But we’re not sharing it with defendants whose freedom depends on contesting it. Maybe those priorities are screwy?

 

WannaCry Attribution: Missing the Sarcasm Tag

/8 Comments/in , , /by

Parts of the security community have decided that Lazarus, a hacking group associated with North Korea, is behind WannaCry, including the global ransomware attack from a few weeks back. That’s based on significant reuse of code from earlier Lazarus activities.

But to explain certain aspects of the attack — notably, why Lazarus would become incompetent at ransomware after having been perfectly competent at it in the past — proponents of this theory are adopting some curious theories. For example, this — in Symantec’s report on the code reuse — doesn’t make any sense at all.

The small number of Bitcoin wallets used by first version of WannaCry, and its limited spread, indicates that this was not a tool that was shared across cyber crime groups. This provides further evidence that both versions of WannaCry were operated by a single group.

It’s effectively the equivalent of saying, “using just three bitcoin wallets doesn’t make sense [it doesn’t, if your goal is actual ransomware], so we’ll just claim that’s further proof that there must be few people involved.” In interviews, Symantec’s technical director has explained away other inconsistencies in this story by hackers working for a brutal dictator with a penchant for executing those who cross them by suggesting they were moonlighting when they blew up Lazarus’ ransomware by misdeploying it with Eternal Blue.

At the same time, flaws in the WannaCry code, its wide spread, and its demands for payment in the electronic bitcoin before files are decrypted suggest that the hackers were not working for North Korean government objectives in this case, said Vikram Thakur, Symantec’s security response technical director.

“Our confidence is very high that this is the work of people associated with the Lazarus Group, because they had to have source code access,” Thakur said in an interview.

But he added: “We don’t think that this is an operation run by a nation-state.”

With WannaCry, Thakur said, Lazarus Group members could have been moonlighting to make extra money, or they could have left government service, or they could have been contractors without direct obligations to serve only the government.

Krypt3ia has a post making fun of the nonsense theories out there.

  • LAZARUS code snippets found in WANNACRY samples
  • LAZARUS has been active in stealing large sums of money from banks, as this attack was about ransom and money… well… UNDERPANTS GNOMES AND PROFIT!
  • LAZARUS aka Un, would likely love to sow terror by unleashing the digital hounds with malware attacks like this to prove a point, that they are out there and to be afraid.
  • LAZARUS aka Un, might have done this not only to sow fear but also to say to President CRAZYPANTS (Official USSS code name btw) “FEAR US AND OUR CYBER PROWESS
  • LAZARUS aka Un, is poor and needs funds so ransoming hospitals and in the end gathering about $100k is so gonna fill the coffers!
  • LAZARUS aka UNIT 108 players are “Freelancing” and using TTP’s from work to make MO’ MONEY MO’ MONEY MO’ MONEY (No! Someone actually really floated that idea!)
  • LAZARUS is a top flight spooky as shit hacking group that needed to STEAL code from RiskSense (lookit that IPC$ from the pcap yo) to make their shit work.. Huh?

Note the last bullet is a reference to another post he did, where he showed another piece of code in WannaCry was taken from folks working to reverse engineer Eternal Blue for Metasploit. That piece of borrowed code doesn’t permit you to blame the Evil Hermit Kingdom, though, so no one is talking about it.

Perhaps the oddest piece of evidence presented relating the claim North Korea did WannaCry comes from CNBC.

Analysts have been weighing in with various theories on the identity of those behind WannaCry, and some early evidence had pointed to North Korea. The Shadow Brokers endorsed that theory, perhaps to take heat off their own government backers for the disaster.

CNBC must be referring to this passage from Shadow Brokers’ latest screed.

In May, No dumps, theshadowbrokers is eating popcorn and watching “Your Fired” and WannaCry. Is being very strange behavior for crimeware? Killswitch? Crimeware is caring about target country? The oracle is telling theshadowbrokers North Korea is being responsible for the global cyber attack Wanna Cry. Nukes and cyber attacks, America has to go to war, no other choices! (Sarcasm) No new ZeroDays.

As part of a narrative of how reasonable it was to release all these files after they’ve been patched (all the while threatening far more damaging leaks), Shadow Brokers comments on WannaCry. Importantly, it lays out one detail — the kill switches — that doesn’t make sense if the goal was true ransomware, as well as another detail — “caring about target country”? — that I don’t understand. (Russia was hit badly in the attack, the US very lightly, and there were reports that Arabic speaking countries weren’t hard hit, which I find interesting since it is the one Microsoft supported language that for which a ransomware note was not included.)

But the part that CNBC has read to mean Shadow Brokers endorsed this theory instead does nothing of the sort; if anything, it does the opposite. I read it as a comment about how quickly we go from dodgy attribution to calling for war. And it comes with a sarcasm tag!

Moreover, why would you take Shadow Brokers’ endorsement for anything? Either they did WannaCry (which actually seems to be what CNBC suggests; Krypt3ia makes fun of that possibility, too), in which case any endorsement might be disinformation, or they didn’t do it, and they’d have no more clue who did than the rest of us.

The entire exercise in attribution with WannaCry is particularly odd given the assumptions that it is what it looks like, traditional ransomware, in spite of all the evidence to suggest it is not. And so we’ll just ignore obvious tags, like a “sarcasm” tag, because accounting for such details gets very confusing.

Were Shitty SAIC Systems the Cause of the CIA’s China Disaster?

/15 Comments/in , /by

The NYT has a story about how China started rolling up CIA’s spy network in 2010, the cause of which (the story says) still has not been solved. One possible cause is that a Chinese-American exposed America’s spies to the Chinese. But the government was never able to establish enough proof that he was the Chinese mole to arrest him, not even when they lured him back to the US to try to bust him.

The mole hunt eventually zeroed in on a former agency operative who had worked in the C.I.A.’s division overseeing China, believing he was most likely responsible for the crippling disclosures. But efforts to gather enough evidence to arrest him failed, and he is now living in another Asian country, current and former officials said.

[snip]

As investigators narrowed the list of suspects with access to the information, they started focusing on a Chinese-American who had left the C.I.A. shortly before the intelligence losses began. Some investigators believed he had become disgruntled and had begun spying for China. One official said the man had access to the identities of C.I.A. informants and fit all the indicators on a matrix used to identify espionage threats.

After leaving the C.I.A., the man decided to remain in Asia with his family and pursue a business opportunity, which some officials suspect that Chinese intelligence agents had arranged.

Officials said the F.B.I. and the C.I.A. lured the man back to the United States around 2012 with a ruse about a possible contract with the agency, an arrangement common among former officers. Agents questioned the man, asking why he had decided to stay in Asia, concerned that he possessed a number of secrets that would be valuable to the Chinese. It’s not clear whether agents confronted the man about whether he had spied for China.

The man defended his reasons for living in Asia and did not admit any wrongdoing, an official said. He then returned to Asia.

A second possibility is that bad tradecraft allowed China to discover America’s spies.

Those who rejected the mole theory attributed the losses to sloppy American tradecraft at a time when the Chinese were becoming better at monitoring American espionage activities in the country. Some F.B.I. agents became convinced that C.I.A. handlers in Beijing too often traveled the same routes to the same meeting points, which would have helped China’s vast surveillance network identify the spies in its midst.

Some officers met their sources at a restaurant where Chinese agents had planted listening devices, former officials said, and even the waiters worked for Chinese intelligence.

A third possibility — which the NYT doesn’t examine at length and which it ties to the poor tradecraft — is that China hacked the CIA’s method of communicating with assets.

Others believed that the Chinese had hacked the covert system the C.I.A. used to communicate with its foreign sources.

[snip]

Some investigators believed the Chinese had cracked the encrypted method that the C.I.A. used to communicate with its assets.

[snip]

This carelessness, coupled with the possibility that the Chinese had hacked the covert communications channel, would explain many, if not all, of the disappearances and deaths, some former officials said.

I lay these three possibilities out because the timing of the moment the exposure became critical — 2010 and 2011 — and the allusions to a hacked covert communication channel sound a lot like what CIA whistleblower John Reidy complained about seeing his employer, SAIC, oversee starting in 2005. While his complaint is heavily redacted, it sounded like he accused SAIC of providing inadequate security for a system serving the intersection of human assets and electronic reporting.

[H]is heavily redacted appeal at least appears to suggest his complaint was very serious and should have been a timely way to limit the compromise of CIA assets and officers.

Reidy describes playing three roles in 2005: facilitating the dissemination of intelligence reporting to the Intelligence Community, identifying Human Intelligence (HUMINT) targets of interest for exploitation, and (because of resource shortages) handling the daily administrative functions of running a human asset. In the second of those three roles, he was “assigned the telecommunications and information operations account” (which is not surprising, because that’s the kind of service SAIC provides to the intelligence community). In other words, he seems to have worked at the intersection of human assets and electronic reporting on those assets.

Whatever role he played, he described what by 2010 had become a “catastrophic intelligence failure[]” in which “upwards of 70% of our operations had been compromised.” The problem appears to have arisen because “the US communications infrastructure was under siege,” which sounds like CIA may have gotten hacked. At least by 2007, he had warned that several of the CIA’s operations had been compromised, with some sources stopping all communications suddenly and others providing reports that were clearly false, or “atmospherics” submitted as solid reporting to fluff reporting numbers. By 2011 the government had appointed a Task Force to deal with the problem he had identified years earlier, though some on that Task Force didn’t even know how long the problem had existed or that Reidy had tried to alert the CIA and Congress to the problem. [my emphasis]

All that seems to point to the possibility that tech contractors had set up a reporting system that had been compromised by adversaries, a guess that is reinforced by his stated desire to bring a “qui tam lawsuit brought against CIA contractors for providing products whose maintenance and design are inherently flawed and yet they are still charging the government for the products.”

The task force described in Reidy’s complaint coincides with the “Honey Badger” investigation described in the NYT, and the scale of the losses — 70% of operations compromised — sounds the same too. Reidy complained that those working on the task force didn’t learn how long he had been calling attention to the problem. And as he was appealing his complaint, he was being spied on by the intelligence community.

Of course, Reidy’s complaints were especially easy to silence because he was a contractor that the intelligence contractor community basically blacklisted.

I’m checking with the NYT reporters to see if this sounds like their story. But either the CIA had two catastrophic intelligence failures at the same time in 2010, or this sounds like the Chinese compromise.

In which case the fourth possibility to explain the compromise is that shitty intelligence contractors created the problem and then covered it up.