Article from April 2017

Everyone in “cyber” and “security” is now talking about how they could have stopped WannaCry and ransomware in general. Depending on which companies' posts, updates and documents you read on this specific type of ransomware, the reality is that MalwareHunterTeam (@malwrhunterteam) discovered WannaCry and @MalwareTechBlog stopped it by accident (btw, awesome work guys!).

This follows my last post, which addressed some key issues and challenges that 90%+ of companies actually face. That assessment is based on the fact that we do research as well as projects implementing SOCs, NOCs, SIEMs and all other kinds of security event reporting and monitoring solutions, since these can use our risk intelligence solution CyberNsight / NeedleStack.

It’s always easy to blame customers and partners for breaches, however I don’t really think this is productive, nor does it lead to those organizations implementing someone’s product or getting better. If you sell based on blame, FUD and fear, then I would not be surprised if those companies actually do nothing, or tell that salesperson or company to take a hike. Granted, there are always going to be companies that don’t see the value of security or of implementing product x, y, z, and to be honest they are very often right.

This “cyber attack” (which it wasn’t, btw; I’ll explain later) shows us that we need a more proactive, 180-degree different way of training, designing and implementing security operations and solutions. It also shows us that many companies just don’t have the right partners: they get sold yet another AV (AntiVirus, UTM, Firewall, SIEM), and while these are absolutely components of secure operations, they are not a singular solution to WannaCry or any other ransomware infection. I have been a big fan of a few things I teach in every training (whether MOC or any other engagement):

  1. Proactive Security Teams
  2. Actionable Intelligence (also a principle we created, and one that has been copied by many companies)
  3. Predictive Risk Intelligence Approach (CyberNsight)
  4. Our Risk Intelligence Training System (NeedleStack)
  5. Scoring returned results (some say proprietary, we say Bayesian, Neural or Probabilistic Analysis)

Proactive Security Teams

The principle we created way back in the 90s (MiGo Tech) was very simple: hacking is a great way to do forensics, analysis and threat modeling. Teams built this way tend to have a more proactive approach to risk management, threats and security.

Teams have active members that breach internal systems in order to assume or predict possible entry points into a network or the company's systems, and while this sounds costly, in reality it is not. If you calculate the cost of buying all the “security stuff” you currently have and evaluate the value of those things, do you see a trend of fewer successful attacks?

Do you see that risks are mitigated as a result of those solutions or products? Do they help you find new risks or new types of information and intelligence that are really useful to you, the team and the company? These are important questions to ask before any investment in a suspected silver bullet solution, or “SSB” as I like to call them. The difference (I believe) in finding threats is also understanding how they are used or exploited.

This knowledge, combined with research tools and modified forensics principles, can speed up the process of finding the “un-findable”, and it is the basis for my research and CyberNsight. I realized that spending so much money on services like Shodan and threat feeds did not actually help in the pre-attack phase or in identifying where the next attacks were going to come from.

This prediction required a lot of manual research, which companies did not see the value in paying for, or did not have the awareness, skills or capability to build up. If we add the fact that many threat feeds are actually free (and this had me wondering many nights why “cyber” companies charged 300k+ for them), then the question quickly becomes how these really add value to prediction and then detection. Both components need people, processes and procedures to work correctly and efficiently. Lastly we have the factors of time, resources and skills. All are vital to finding those needles in haystacks.

Threat types have evolved with the times! In the picture below we see that threats have evolved along with electronic weapons and attacks. These iterations in attacks lead to new threats that then require new skills to detect, analyze and stop. Each time a new type of attack shows up, teams must understand the details of those new attacks and adapt their training, analysis and detection to new indicators of compromise (IOCs).

One thing to note is that new attacks do not always mean completely new vectors: in the case of MitM and SQLi, these attack vectors, as well as phishing, have become more targeted based on OSINT and intelligence information that an attacker or the attacker's team collects from targets, industries or countries.

Evolving threats also leverage specific areas initially and then evolve with new attacks to “exploit” other human or organizational weaknesses that previous attacks may have identified as lessons learned from previously unsuccessful and successful attack vectors.

Actionable Intelligence

This concept should not be new to anyone who has been in the military, and it is also simply logical: we assume that any intelligence, data or component that we use to collect intelligence needs to be trustworthy, available and timely.

When a solution or product does not seem easy to use (relevance to the process itself), then the question becomes: how is the data we collect, process or store even relevant to operations, security and the company or the customer’s customers?
We collect data for a reason; usually it is to build awareness and then create defenses, detection rules and actions in case of an attack, and, if an attack is successful, to detect that it was successful.

Predictive Risk Intelligence Approach (CyberNsight)

In predictive risk intelligence, our objective is to learn quickly from what we collect in order to predict or calculate where the next threats or risks really are. This is part of the classical intelligence phase that military and intelligence agencies use to “scope out” a HVT (High Value Target).

When a nation state or hacker group wants to find out about a target in its campaign, it looks for risks that can be threats, threats that can be exploited, and exploited systems that can lead to the “motherlode” or goal, data, etc. What predictive risk intelligence and analytics really does is help you map risks, compare them with evidence and then use that very early information to test theories, probe systems and see who is collecting what, and what your risk exposure really is to the world at large.

Being predictive takes a new approach to threat and risk detection and deterrence. There is no fanciness to this; it's hard work and takes time. This is where we come in: after implementing all kinds of SIEM, IDS, IPS, UTM and whatever they call the technologies of AntiVirus and Threat Intelligence Feeds today, you find they are not predictive in nature.

Even if “sandboxing” is sold as the next best thing, risks are not detectable if they don’t have some type of signature or behavior pattern that can be matched against a database. This is why being predictive makes the most sense: if you can see threats and risks as they are being created and tested, you are way ahead of the game.

Our solution in this case speeds up analysis of risks by up to 90%, leaving the last ca. 10% already analyzed so that teams and partners can concentrate on the highest-likelihood potential risks, based on the multiple types of data we collect via our own sensors and technology as well as OSINT tools that we obviously don’t charge for because they are open source…
What we do charge for is pre-analysis, data collection standardization, push API and proactive search technology and engines.

Our Risk Intelligence Training System (NeedleStack)

Our specific training system leverages our unique approach and solution to predictive risk intelligence, showing users, companies and entities how they can use our platform to speed up the process of risk identification and then export those findings to any system, such as a SIEM, Log Management, GRC or any other type of console or system the customer may have.

There are also pre-tested scripts, queries and areas that we recommend looking at in order to find new and evolving attack groups, campaigns and software that may be relevant. Lastly, we show customers how to build searches that return analyzed and scored results, giving tangible indications of potential risks and attacks before they actually happen.

Some components that we look at are:

  1. Social Media Analysis
  2. Open Web Analysis
  3. Other OSINT sources of information and data
  4. Specific or custom analysis using results from other systems or unstructured data

Scoring returned results (some say proprietary, we say Bayesian, Neural or Probabilistic Analysis)

After using our patented and copyrighted approach (HDN, M. Goedeker 2017), we then use all the information and analysis options that we have to score results and find out the probability of each result being relevant to the customer or team.

We have our own solution that enables detailed analysis, flexible scoring and reports, as well as exported findings via API and other file types to any solution that can read those file types. The possibilities are endless when you consider that the entire system is open to various types of data, and analysis and scoring can be dynamic or customized. We believe this is the world's first predictive risk intelligence engine (PRIE).
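As an added illustration of the Bayesian scoring this section names (this is example code written for this page, not code from the original post and not the CyberNsight / NeedleStack engine, whose implementation the post does not publish), the block below trains a Bernoulli naive Bayes model on a handful of constructed, labelled search hits and returns the probability that a new hit is relevant to a ransomware risk search rather than vendor marketing, the kind of noise the post says dominates open-web results. The training hits, the token features and the 0.5 threshold are assumptions made for the example.

```python
"""Bayesian relevance scoring for OSINT search hits.

Added example: not code from the original post and not the
CyberNsight / NeedleStack engine. The labelled hits are constructed.
"""
import math
import re
from collections import Counter

TOKEN_RE = re.compile(r"[a-z0-9_]+")


def tokenize(text):
    """Lowercase word tokens as a set: a hit that repeats one keyword many
    times is not over-weighted (Bernoulli features: present / absent)."""
    return set(TOKEN_RE.findall(text.lower()))


# Constructed labelled hits: 1 = relevant to a ransomware risk search,
# 0 = vendor marketing / noise.
TRAINING_HITS = [
    ("ransomware builder for sale smb exploit kit included bitcoin only", 1),
    ("new crypter tested against av undetected ransomware payload", 1),
    ("selling compromised rdp access corporate network ransomware ready", 1),
    ("ransomware sample leaked source decryptor key escrow", 1),
    ("protect your business from ransomware buy our antivirus today", 0),
    ("webinar ransomware trends 2017 register now free whitepaper", 0),
    ("top 10 security products to stop ransomware vendor comparison", 0),
    ("managed soc services ransomware protection contact sales", 0),
]


class NaiveBayesScorer:
    """Bernoulli naive Bayes with add-one (Laplace) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.doc_count = Counter()                      # label -> documents seen
        self.token_docs = {0: Counter(), 1: Counter()}  # label -> token -> docs containing it
        self.vocab = set()

    def train(self, labelled_hits):
        for text, label in labelled_hits:
            tokens = tokenize(text)
            self.doc_count[label] += 1
            self.token_docs[label].update(tokens)
            self.vocab |= tokens
        return self

    def _p_present(self, token, label):
        """Smoothed P(token present | label); never exactly 0 or 1."""
        return (self.token_docs[label][token] + self.alpha) / (self.doc_count[label] + 2 * self.alpha)

    def score(self, text):
        """P(relevant | text), computed in log space and normalised over both labels."""
        tokens = tokenize(text)
        total = sum(self.doc_count.values())
        log_post = {}
        for label in (0, 1):
            lp = math.log((self.doc_count[label] + self.alpha) / (total + 2 * self.alpha))
            for tok in self.vocab:  # tokens never seen in training carry no evidence
                p = self._p_present(tok, label)
                lp += math.log(p) if tok in tokens else math.log(1.0 - p)
            log_post[label] = lp
        m = max(log_post.values())
        z = sum(math.exp(v - m) for v in log_post.values())
        return math.exp(log_post[1] - m) / z


def rank_hits(scorer, hits, threshold=0.5):
    """Return [(score, hit)] sorted high to low, keeping hits at or above threshold."""
    scored = [(scorer.score(h), h) for h in hits]
    return sorted(((s, h) for s, h in scored if s >= threshold), key=lambda sh: sh[0], reverse=True)


def train_default_scorer():
    return NaiveBayesScorer().train(TRAINING_HITS)


if __name__ == "__main__":
    scorer = train_default_scorer()
    new_hits = [  # constructed, unseen hits
        "ransomware as a service affiliate panel smb exploit bitcoin",
        "download our free ransomware protection whitepaper today",
        "leaked rdp access list with ransomware deployment guide",
    ]
    for s, h in rank_hits(scorer, new_hits, threshold=0.0):
        print(f"{s:.3f}  {h}")
```

The word "ransomware" appears in every training hit, so it carries no evidence either way; the score is driven by the surrounding vocabulary, which is exactly why marketing pages that repeat the keyword do not rank high. In practice the features would include source, author reputation and age as well as text, and the model has to be retrained as attackers' vocabulary drifts, in line with the post's point that threats evolve.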

Details on how WannaCry works

The picture, which is taken from the user @CyberAppy, shows some details of how the initial version of WannaCry works and is executed.

My initial Scan of Ransomware before WannaCry

I did multiple talks last week, before WannaCry actually happened, to show people how you would go about looking for ransomware risks; the search (1level) took about 1-2 seconds to come back with results.

Keep in mind that you will want to look on the DarkWeb for potential threats, as on the normal net you will find many “hits” that are marketing and not necessarily relevant for your search and analysis. The reason for this is that groups that really know what they are doing will “typically” not want you to find them and their work before it's released or sold to the highest bidder.

Related to this, hacking into multiple social media accounts is another item you can find very easily on the Darknet.

If you like what you have seen and understand the value of this powerful solution, let's have a discussion and figure out how to implement NGSD (next generation security defense).

(So that's it for this post; if the stuff was interesting and adds value, please let me know and email us at [email protected])

(As always, this post, the information, our solution pictures and website are subject to copyright 2017 Hakdefnet.) Other pictures are copyright their respective authors.

Update: one of the folks that sinkholed the domain that caused WannaCry saw an attempt via China to steal the domain. Whether this means China is behind it is still way too early to say, but it's certainly an interesting piece of info. The pastebin link from @MalwareTech is here: https://pastebin.com/r5fh2GxL

The link to IP info is here: http://ipinfo.io/106.121.2.55

Looking at the details of the IP in Netcraft, we see the following information:

As you can tell, there really isn’t much data to go on, but the resource that attempted the domain takeover was in fact a China IP. More detailed analysis would be needed to see if this IP turns up in other attacks; currently we have no previous hits on it in other attacks that we have seen. The network is however very active, and similar IPs did show up in other ransomware attacks. What this means is not conclusive yet….

In addition, there is also a bot on Twitter (@ransomtracker) that looks at payments to the wallet associated with the WannaCry ransomware:

We are providing a free list of the social media followers of the ransom tracker bot so that you can see who is following it. If there is a user you associate with the ransomware, please let us know and we can do a detailed analysis.

name  followers_count  friends_count  statuses_count
_Ambr_9953525
S4nta_730163
PCDUE1104108390374
TinyTarrasque13014211002
andremattosamr1587558
baldengineering41429
Castromuff130867287
mbaines3371763120
JeanFMascari2526150
Eng_HishamAdel610279425967
oskahenri02411
agotthardsson10587
britesense1452508302
Antonio75449285102275
oNFNFo1353191088
LorenAgostini75230
nasrulseven8125138
NotGoxed1884301236
AFoletti91166212
MPhilDG34316117
ionstorm86622231607
neil7nove238534313
thijstriemstra2714873931
EthanKesner478503561
BrezaTZg0150
brianhalliday73392238
ChristianStich183114
zergless2797994920
runsecbit43205238
neutrinoguy3944054
joaquinpr8110413
rdasm42719412044
JosephRaleigh44421486
ivarivano86913905737
DarenSlick8476
evankaloudis1346281911544
deejmon10252361871
DeanKashlan7490
suqdiq1118428630223
devknob4505092862
tomtom277012858
Jobeyond2414913
rafaybaloch134063464848
fazio_antonino3283
sergioayalat130319108
FarhoudSalimi13361
sukren911064242
JeSuisBilly45383579
cplbrennanm1810023
MarcoDaino119397286
ValhallaSec1475412
KBHR5705051808
tentativestate48197270
SlackenerlyT010
CarloZanutto324942
lucianocantaro132339679
p13t40070
nioanto297174491
GanetheGreat2617374147
eclissedomar22142346
cristi_vic8359773398
vittoriov812594845
Lelecottero783734262
BlakeBaysinger14234972600
aocsym220412560
AndreaSvizzero25316476683
franctarallo41316106
ParisMaik165786365
continimarco6392263278196302
nonmipare11125463
magicbaconman161096
NoCryptolocker70235991
TaleGigi1585604024
aj_charbonneau10654
emy77944131156
eMediaIan10124237
fncraffa2413589
boucherhayes42898109122115
boxtoscana530365876
ayaz_khan39919719109
tribal_sec48012592322
BinaryBandit181882
The_Haiku9058541093
raphaelcockx88672539112
carlocapuani3010060
ILiedAboutCake4101491370
TGambart321440
_lmcy2553249125
pierellozzo134782912
jefferyluce114482662
christoph0825767
IsohanniJuho1430
xraul22044017087
montecarru01421
cerebro84766106135048
bkpap27050014774
a_sure_seany44836619778
zanicla2913443
jameshooker3436534117
A_Roqi9074531676
henriksmoller174759
flowestack50918762
Danny_Murphy_TA78359176
mludwiszewski225286253
giox069375377
honoki4138175119
MrBadGuy198150180715
fabiomast5071850
CyberElite71941030583
ORARiccardo467247517875
daymon061792449
dasderi333141061
saverioraz5716872
r73lio931861053
scricciolo2107132
dariofio7172
sudo_f979321809
wisekhan80103102
felmoltor4316649476
WearsTheFoxHat_520222523560
emohawk1606514501
irlionel235958440
ruskin147169607488450883
ThAOSteen42204354159310
botfrei10765434481
shonaghosh4362289821747
s_vvoorst21339976
ofehrmedia4966667477
infoturbekeskus515098
dalessandrini9331540
queitsch2559858265
danielsolisagea67314323805
GabyRasters1620235819717
ArildThorsby35014161358
louissschang284238826
HaOz_Ong165123
HSCyberSec2285071764
VictorPetrescu13377315
booloki107386889
UnderNews_fr5558100321227
AritzBi45289036329
ChrisJangita4904471538
RositaRijtano10752109807
TomReichhart758816793739
dcarlisle081563571132
LloydDavis5469214531959
olemoudi9444782378
darrena092175918
spoonzy_128693780
Rockcena531776786
alsajir51520
akilsrin19930175
0n1r1k081384571
FelixWeis587393111
2funky4060240
hayzeebaby3410
rrrhys465537381
TheCryptoconomy64142156
Buy2HamsUofA64149286
GabBurnett32900
_nicopalavecino2699453
jstruhar64129718
KryptykHex6561688
BrightBoxPC5894224
minstermanw33172531
LazyGuyOnABike65228109
easternpa2133561352
_SKlahr_56265506
StevePrediletto4329051451
_hegarty3977062920
AMERICANADRENAL6352170
tommywatson6182244
spencergolden210752109
RhysLoaney4833573
storm0light1423978
Bwya7713854986003
SirJSDThompson6005543091
technocoma10719713
LeesKoreaBlog10450963610
bdcravens3853203025
judentum18149
justinghendrix912696
MuchBitcoin102118110798
RealBenDundee2526495282
mpmcsweeney78116166709
woooshtrader5771493825
BitConsultants362527751
TracyFirm527919519246
bitcoinvsfiat257174973
therealmyownman1205774
Edson_VQ68330293
jtl9992316526522
flaurita178364205
Ginsberg515082821094552
Dunne368322482311
GianniAvella6834
btcArtGallery37964594530
dbotossi161424
imiragde53821543445
TheDokument2003913378
cstutts1370471183
0daydorpher35914843725
HenkvanRoest167835815346
Moritz30MC37201359
radi_v70189561
Ralara0774212285
oscardaniel72203071054
SuomenSuurloosi165131
mikko15409877737174
wzulfikar6274336
leomangueira44522321728
Teledhil4187154
Chocoprada38911703459
issuemakerslab13041662780
fritzfs1483411226
flyshuffle2655803876
jadastra12584
kkc_balaji449863
odoudin28609745155
mecampbellsoup53011231701
realdeerf77340381
iv_machiavelli2433342332
monkeychief3164241825
giuseppegalano7927740
benjamindean3182211689
RobKeesler1043650
Melgorfte11301
fel1x525244761
UlrikUhreBrink3757279060
therealvdw86202362
brnocrist51416525081
MiKontio18163222
TugdualNICOLAS72042131533
IDunWannaCry371775
DrStache_421376
Rhyzhm74115024312
boh71738234575
FreshHotelEU253332716446
Problem_Ios6537164108
samsancho1231615334
_jawelin412102883
MoHaMmAd_MaNA3211478546
MarkusOlss30169100
dsign_space774732062
penispencil2076192091
ekoivune18656826107
iCryptoHuMan262410391
pr0xy100kup39610
talgya52812655690
TuurDemeester1967461816143
krvax1398297028476
Snyke113785693
dominikstraub44413297
evanricafort14427812493
redaellimatteo1881071685
lonestarcoder1046321403
CiaranmaK225231208455
PranavVenkatS8565611177
kevin_bissett3520351256
mikispag52888213170
