NSA exploits ported to all versions of Windows, Cryptomining becomes the payload of choice

Email update, 6 February 2018

Before we get into the security news, I wanted to make brief mention of the SpaceX Falcon Heavy launch, which is scheduled for 1:30pm US Eastern Time today (2 hours from now). That’s a convenient 7:30pm in Stockholm, but 5am Adelaide time - so I imagine most of you will be waking up to the news rather than watching it live.

Given that I have a degree in Aerospace Engineering I have a keen interest in the SpaceX launches. Back in December of 2015 I was lucky enough to be able to watch the first Falcon landing live. A few months later I woke up at 6am to watch them land another one on a floating platform out at sea.

Landing the first stage of a rocket in this way was considered to be impossible, and only two years later we almost treat it as routine. The first landing remains one of my favourite videos on YouTube, and it’s worth a watch if you haven’t seen it.

Anyway, I wish them the best of luck. For those of you who are keen to watch it live, the stream will be posted here: http://www.spacex.com/webcast

NSA ‘Eternal’ exploits now script-kiddie friendly

The NSA-designed Windows exploits ‘EternalRomance’, ‘EternalSynergy’, and ‘EternalChampion’ have been ported to all Windows versions since Windows 2000, and turned into a convenient Metasploit module which is much more reliable than the existing EternalBlue module (exploit/windows/smb/ms17_010_eternalblue). For those of you who saw my Qliro presentation, that EternalBlue module is the one I used in the first demo.

NSA Exploits Ported to Work on All Windows Versions Released Since Windows 2000

Several exploits and hacking tools were released in the April 2017 Shadow Brokers dump, the most famous being EternalBlue, the exploit used in the WannaCry, NotPetya, and Bad Rabbit ransomware outbreaks.

While EternalBlue became a favorite tool among malware authors, the Shadow Brokers dump also contained many lesser-known exploits. The reason many of these didn’t become popular was that they only worked on a small number of Windows versions, and did not support recent Windows distributions.

Now, RiskSense security researcher Sean Dillon (@zerosum0x0) has modified the source code for some of these lesser-known exploits so they would be able to work and run SYSTEM-level code on a wide variety of Windows OS versions.

What this means in practical terms is that it’s now trivial for anyone with a copy of Metasploit to completely own any Windows system which hasn’t been patched with the MS17-010 security update from last March. This was already true with the existing EternalBlue module, but that one is notoriously fickle: it only works on particular versions of Windows, and only with certain payloads. The new module is much more reliable, and uses command injection rather than shellcode injection (a meaningless distinction, if you’re the victim). If you want to know where you stand, Metasploit’s own scanner module (auxiliary/scanner/smb/smb_ms17_010) will tell you which hosts on a subnet are still unpatched, and it’s a far cheaper way to find out than waiting for someone else to run the exploit module for you.

This is unlikely to be a problem for systems running Windows 7, 8 or 10 (if they’re receiving updates, they were patched long ago), but Windows XP, 2000, and 2003 Server are now even easier targets than they already were. Microsoft did publish an out-of-band MS17-010 fix for XP and Server 2003 after WannaCry, but on out-of-support systems nobody is pushing it out for you, so check rather than assume. Some of you may laugh at this, but these versions still pop up in a lot of corporate networks.

Also keep in mind that, contrary to initial reporting, it wasn’t Windows XP which was targeted by WannaCry last year (the victims were nearly all Windows 7 and Server 2012) so companies with large legacy footprints might have dodged a bullet. Expect that bullet to return now that this Metasploit module is available, though the consequences are likely to be less noticeable because…

Cryptocurrency Miners are quickly becoming the payload of choice

We’ve covered this in previous emails, but research from Cisco Talos has confirmed it: the payload of choice for many criminal groups is switching from ransomware to cryptocurrency mining:

Ransom Where? Malicious Cryptocurrency Miners Takeover, Generating Millions

The threat landscape is constantly changing; over the last few years malware threat vectors, methods and payloads have rapidly evolved. Recently, as cryptocurrency values have exploded, mining related attacks have emerged as a primary interest for many attackers who are beginning to recognize that they can realize all of the financial upside of previous attacks, like ransomware, without needing to actually engage the victim and without the extraneous law enforcement attention that comes with ransomware attacks. […]

In this new business model, attackers are no longer penalizing victims for opening an attachment, or running a malicious script by taking systems hostage and demanding a ransom. Now attackers are actively leveraging the resources of infected systems for cryptocurrency mining. In these cases the better the performance and computing power of the targeted system, the better for the attacker from a revenue generation perspective. IoT devices, with their lack of monitoring and lack of day to day user engagement, are fast becoming an attractive target for these attackers, as they offer processing power without direct victim oversight. While the computing resources within most IoT devices are generally limited, the number of exposed devices that are vulnerable to publicly available exploits is high which may make them attractive to cyber criminals moving forward.

This is unequivocally good news for all of us: it’s still not fun to have your systems owned by criminals and used to mine Monero, but it’s a hell of a lot better than having them hosed by ransomware. It’s a case of “everybody wins”.

It will be interesting to watch how the tradecraft shifts during this process, because criminal groups now have to focus on stealth and persistence rather than on making a splash. As Talos notes in their article, it’s likely that we’ll see a lot more IoT devices as targets, because these systems are often designed to be left alone for long periods with minimal monitoring - and that monitoring doesn’t typically include CPU usage or temperature.
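Since the devices themselves won’t tell you they’re busy, the practical check is on the network: miners have to talk to a pool, and nearly all of them do so with the Stratum protocol (JSON-RPC over a raw TCP socket). The script below is an added example of mine, not code from Talos or from anyone mentioned above. It classifies captured client payloads by Stratum method name and reports which internal hosts are talking to pools. The “mining.*” method names are Stratum’s own; the Monero/XMRig dialect (a “login” carrying login/pass/agent, a “submit” carrying job_id/nonce/result) is as I know it from the XMRig client, so treat that part as an assumption. The sample flows, addresses and wallet string are all constructed.

```python
"""Flag Stratum cryptomining traffic from captured TCP payloads.

Added example for this email; not code from Talos or the original post.
Method names like "mining.subscribe" are the Stratum protocol's own; the
Monero/XMRig dialect ("login" with login/pass/agent params, "submit" with a
job_id) is as I know it from the XMRig client (treat that as an assumption).
All sample flows below are constructed.
"""
import json
import re
from typing import Iterable, Optional

# Bitcoin-style Stratum: JSON-RPC over raw TCP, methods prefixed "mining.".
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty", "mining.extranonce.subscribe",
}
# Ports pools commonly listen on. A weak signal by itself, so it only
# raises confidence on a payload that already looks like Stratum.
POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 14444}
# Standard Monero address: base58, 95 characters, leading '4'.
MONERO_ADDR = re.compile(r"^4[1-9A-HJ-NP-Za-km-z]{94}$")


def parse_message(payload: str) -> Optional[dict]:
    """Decode one payload as a JSON-RPC object, or None if it isn't one."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None
    return msg if isinstance(msg, dict) else None


def classify_message(msg: dict) -> Optional[str]:
    """Return 'stratum', 'stratum-monero' or None for a decoded message."""
    method = msg.get("method")
    params = msg.get("params")
    if method in STRATUM_METHODS:
        return "stratum"
    if isinstance(params, dict):
        # XMRig-style login: wallet (or pool account) plus worker password.
        if method == "login" and {"login", "pass"}.issubset(params):
            return "stratum-monero"
        # Share submission for a job the pool handed out earlier.
        if method == "submit" and {"job_id", "nonce", "result"}.issubset(params):
            return "stratum-monero"
    return None


def classify_payload(payload: str) -> Optional[str]:
    """Convenience wrapper: raw payload in, classification out."""
    msg = parse_message(payload)
    return classify_message(msg) if msg else None


def find_miners(flows: Iterable[dict]) -> list:
    """Return one hit per flow whose first client payload looks like mining."""
    hits = []
    for flow in flows:
        msg = parse_message(flow["payload"])
        kind = classify_message(msg) if msg else None
        if kind is None:
            continue
        params = msg.get("params")
        wallet_seen = isinstance(params, dict) and bool(
            MONERO_ADDR.match(str(params.get("login", ""))))
        high = flow["dport"] in POOL_PORTS or wallet_seen
        hits.append({
            "src": flow["src"], "dst": flow["dst"], "dport": flow["dport"],
            "kind": kind, "confidence": "high" if high else "medium",
        })
    return hits


# Constructed sample flows: src -> dst:dport with the first client payload.
SAMPLE_FLOWS = [
    # A camera joining a pool with a cpuminer-style client on a pool port.
    {"src": "10.0.0.12", "dst": "203.0.113.5", "dport": 3333,
     "payload": '{"id": 1, "method": "mining.subscribe", "params": ["cpuminer/2.5.0"]}'},
    # XMRig-style login over 443 to blend in; the wallet is a placeholder string.
    {"src": "10.0.0.40", "dst": "198.51.100.7", "dport": 443,
     "payload": json.dumps({"id": 1, "jsonrpc": "2.0", "method": "login",
                            "params": {"login": "4" + "A" * 94, "pass": "x",
                                       "agent": "XMRig/2.4.3"}})},
    # Ordinary camera HTTP traffic: must not be flagged.
    {"src": "10.0.0.13", "dst": "10.0.0.1", "dport": 80,
     "payload": "GET /snapshot.jpg HTTP/1.1\r\nHost: 10.0.0.1\r\n\r\n"},
    # A JSON-RPC 'login' to a device API with no worker password: not a miner.
    {"src": "10.0.0.14", "dst": "10.0.0.2", "dport": 8080,
     "payload": '{"id": 7, "method": "login", "params": {"user": "admin"}}'},
]

if __name__ == "__main__":
    for hit in find_miners(SAMPLE_FLOWS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"{hit['kind']} ({hit['confidence']} confidence)")
```

The point of the design is that the decision rests on the protocol content, not on the destination port: a miner talking to a pool on 443 is still caught by the login shape, and the port only nudges confidence up. Feed it the first client payload of each outbound flow from a camera VLAN (Zeek or a proxy log will give you that) and you have the CPU-usage alarm these devices never shipped with. The one thing it cannot see is a miner behind TLS to a pool proxy, which is where the stealth arms race goes next.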

There’s a good chance that you could mine Monero from an entire city network of CCTV cameras without anyone noticing, and - bonus! - you can also use them for DDoS attacks whenever you feel like changing business models. Clearly, we’re all in the wrong line of work.