What Kaspersky really discovered...
Summary
TLDR
On May 12, 2017, the world experienced a massive cyber attack known as WannaCry, which encrypted data on hundreds of thousands of computers globally and demanded ransom payments. The attack used the EternalBlue exploit, developed by the NSA and later leaked by the Shadow Brokers. Despite a patch being available since March 2017, many systems remained unpatched, leading to widespread damage and disruption, especially in the UK's National Health Service. The attack highlighted significant gaps in global cyber defenses and raised questions about the responsibility of government agencies that stockpile such exploits.
Takeaways
- 🖥️ On May 12, 2017, a global cyber attack known as WannaCry encrypted data on computers, demanding a ransom for decryption.
- 💰 Victims had to pay $300 within 3 days or $600 after that, with the threat of permanent data loss if no payment was made after a week.
- 🌍 WannaCry spread on its own to other devices on the network: it is a self-replicating worm, and it infected over 230,000 computers in 150 countries within a day.
- 🏥 The UK's National Health Service was severely affected, with up to 70,000 devices impacted, leading to emergency patient diversions and operational disruptions.
- 🇰🇵 The United States attributed the attack to North Korea in December 2017, later indicting three North Korean officials.
- 🔒 The attack utilized the EternalBlue exploit, initially developed by the NSA and later leaked by a group called The Shadow Brokers.
- 🛠️ EternalBlue exploits a vulnerability in Microsoft's SMBv1 server implementation (reachable over TCP port 445), which is what let the worm spread across networks without any user interaction.
- 🔓 Despite a patch being released by Microsoft in March 2017, many systems remained unpatched, allowing WannaCry to cause widespread damage.
- 🐛 EternalBlue involves an exploit chain leveraging three bugs, causing a buffer overflow and arbitrary memory allocation.
- 🚑 Following the WannaCry attack, another significant cyber attack using NotPetya malware targeted Ukraine, causing over $10 billion in damages.
Q & A
What happened on the morning of May 12th, 2017?
-On the morning of May 12th, 2017, individuals found a prompt from the WannaCry ransomware (the "Wana Decrypt0r" screen) informing them that their data had been encrypted and was being held for ransom.
How does the WannaCry malware spread across networks?
-WannaCry malware spreads across networks using a self-replicating mechanism, functioning as a computer worm that propagates itself without user interaction.
What was the global impact of the WannaCry attack within the first day?
-Within a single day, over 230,000 computers across 150 different countries were infected by WannaCry, causing damages ranging from hundreds of millions to billions of dollars.
Which major organization was significantly impacted by the WannaCry attack?
-The National Health Service (NHS) in the UK was significantly impacted, with up to 70,000 devices affected, leading to emergency patients being turned away and ambulances being diverted.
Who did the United States formally assert was behind the WannaCry attack?
-In December 2017, the United States formally asserted that North Korea was behind the WannaCry attack, later indicting three North Korean officials.
What was the purpose of the NotPetya malware during the 2017 Ukraine ransomware attacks?
-The NotPetya malware, initially mistaken for ransomware, was actually a disk wiper designed to cause maximum damage to its targets.
Which country did the United States claim was behind the NotPetya attack?
-The United States claimed that Russia was behind the NotPetya attack, indicting a total of six Russian officials.
What common exploit did these cyber attacks (WannaCry and NotPetya) utilize?
-Both WannaCry and NotPetya used the EternalBlue exploit, which targets a vulnerability in Microsoft's SMBv1 implementation.
What is the significance of the SMB protocol in the context of the EternalBlue exploit?
-The SMB (Server Message Block) protocol is widely used for file sharing and print services on Windows computers and servers, so port 445 is routinely open on home and enterprise networks, and SMBv1 was enabled by default at the time. A remotely triggerable bug in a service that exposed is ideal for a computer worm like WannaCry; EternalBlue is the exploit the worm carried, not the worm itself.
How did the EternalBlue exploit become publicly available?
-The EternalBlue exploit became publicly available after a group called The Shadow Brokers stole it from the NSA and released it online in April 2017.
What is 'Heap grooming' in the context of the EternalBlue exploit?
-Heap grooming is the technique EternalBlue uses to arrange the non-paged kernel pool so that the object it wants to corrupt sits directly after the buffer that overflows. The bugs supply an out-of-bounds write and an allocation of attacker-controlled size; grooming is what makes the write land on something useful rather than on random pool memory.
Why was the NSA criticized regarding the EternalBlue exploit?
-The NSA was criticized for not informing Microsoft about the vulnerabilities in SMBv1 protocol and instead keeping them under wraps, which led to massive damage once the exploit was released publicly.
Outlines
💻 The Start of the WannaCry Cyber Attack
On May 12, 2017, a global cyber attack began, known as WannaCry. Victims found their data encrypted and a ransom demanded to decrypt it. The attack spread rapidly through networks via a self-replicating mechanism, making it a computer worm. Within hours, it infected thousands of devices worldwide, causing significant damage and disruptions, particularly to the UK's National Health Service.
🔒 EternalBlue and the Spread of Malware
WannaCry used the EternalBlue exploit, developed by the NSA, to spread. Despite a patch released by Microsoft in March 2017, many systems remained vulnerable. EternalBlue chains several bugs to compromise a remote system without user interaction: malformed SMB messages trigger a buffer overflow in the kernel-mode SMBv1 server, and the payload then runs inside that server's memory rather than as a new process, which is what makes it difficult to detect.
📂 Technical Details of EternalBlue Exploits
EternalBlue exploits a casting bug in the SMBv1 server's conversion of OS/2-format extended attributes to NT format, producing a buffer overflow in the non-paged kernel pool. With specially crafted packets an attacker turns this into an out-of-bounds write of controlled data past the converted list, and a third bug lets the attacker force a kernel allocation of arbitrary size. The overflow alone does not defeat mitigations such as address space layout randomization and data execution prevention; the exploit pairs it with further techniques, covered in part two.
🛡️ Understanding Buffer Overflow Protections
Buffer overflows are severe vulnerabilities, but not enough alone to compromise systems. EternalBlue combines them with sophisticated techniques to bypass protections. This section highlights the importance of proper understanding and problem-solving skills in cybersecurity, promoting Brilliant as a learning tool. The video concludes with a call to check out part two for more details on EternalBlue's mechanics.
Keywords
💡WannaCry
💡EternalBlue
💡Shadow Brokers
💡NSA
💡SMB Protocol
💡Ransomware
💡North Korea
💡NotPetya
💡Cybersecurity
💡Equation Group
Highlights
On May 12th, 2017, users worldwide woke up to find their computers infected with the WannaCry ransomware.
The WannaCry ransomware encrypted users' data, demanding $300 in Bitcoin within three days, doubling the amount after that period.
WannaCry spread autonomously across networks, exploiting a vulnerability in Microsoft's SMBv1 implementation, making it a computer worm.
Within a single day, WannaCry infected over 230,000 computers in 150 countries, causing damages estimated between hundreds of millions to billions of dollars.
The UK's National Health Service was significantly impacted, with up to 70,000 devices affected, forcing the diversion of emergency patients.
The United States formally accused North Korea of orchestrating the WannaCry attack in December 2017, later indicting three North Korean officials.
Following WannaCry, the NotPetya malware caused even greater damage, initially mistaken for ransomware but later identified as a disk wiper.
NotPetya's attack in 2017 caused over $10 billion in damages, becoming one of the most devastating cyber attacks in history.
The United States blamed Russia for the NotPetya attack, indicting six Russian officials, though Russia denied involvement.
The common link between these major cyber attacks was the use of the EternalBlue exploit, developed by the NSA's Equation Group.
The NSA did not disclose the SMB vulnerability to Microsoft for years, until their own breach by the Shadow Brokers in 2016.
The Shadow Brokers released the EternalBlue exploit publicly in April 2017, making it available for various threat actors to use.
Despite a patch being released two months prior, many systems remained unpatched, leading to the widespread impact of WannaCry.
EternalBlue exploits three different bugs in SMB to achieve a buffer overflow and arbitrary memory allocation.
EternalBlue's sophisticated techniques allow it to inject payloads directly into SMB's memory space, avoiding detection by not creating new processes.
Transcripts
It's the morning of May 12th, 2017. Nothing seems out of the ordinary as you wake up and start your day, that is, until you go to turn on your computer and are greeted with this. You find a prompt from a program called Wana Decrypt0r informing you that all of your data has been encrypted, with the decryption keys being held for ransom. If you want your data back, you have 3 days to pay the initial ransom of $300, at which point it'll be raised to $600. If no payments are made after a week, your files will be permanently lost. You just became one of the first victims of a worldwide cyber attack known as WannaCry. Amid the panic, unbeknownst to you, WannaCry just spread to all the other devices on your network. After infecting a computer, it uses a fully autonomous, self-replicating mechanism that enables it to silently spread across networks without requiring any user interaction. This makes it a computer worm, which by design will self-multiply and propagate itself at an exponential rate.

At 7:44 UTC the first case was identified at a Southeast Asian ISP. Shortly after, cases were starting to be identified globally; a mere 5 hours after the first case, 72% of ISPs in Asia were infected. Despite the discovery of a kill switch by a British security researcher, the damage was already done. Within a single day, over 230,000 computers across 150 different countries were infected, with damages ranging from hundreds of millions to billions of dollars. The National Health Service in the UK was among the largest agencies struck, with up to 70,000 devices affected. Certain locations had to turn away emergency patients, and various ambulances had to be diverted to other hospitals. In December 2017, the United States formally asserted that North Korea was behind the attack, later indicting three North Korean officials. North Korea denied any involvement.

"As laid out in today's indictment, North Korea's operatives, using keyboards rather than guns, stealing digital wallets of cryptocurrency instead of sacks of cash, have become the world's leading bank robbers."

As the chaos was settling, about a month after the WannaCry outbreak, a series of powerful cyber attacks using the NotPetya malware were unleashed during the 2017 Ukraine ransomware attacks. Although it was mistaken for ransomware at first, it was quickly realized to be a disk wiper designed to cause maximum damage to its targets. Despite only having a single day to spread, damages were estimated to be over $10 billion, becoming one of the most devastating cyber attacks in history. The United States claimed Russia was behind the attack, indicting a total of six Russian officials. Russia denied any involvement. In the coming months, several other cyber attacks arose globally, and the United States continued to make indictments. Something seemed to be tying these together. Why were the most severe cyber attacks in history suddenly happening all at once, and, just as importantly, why were they all computer worms? It turns out that they were all using the same exploit: EternalBlue.

Surprisingly, EternalBlue was developed by the National Security Agency, a branch of the United States Department of Defense. Within the NSA, the specific unit is known as the Equation Group, a threat actor Kaspersky describes as surpassing anything known in terms of complexity and sophistication of techniques. Several years prior to the attacks, EternalBlue was developed as part of a collection of exploits known as the Eternal exploits, which targeted Microsoft's SMBv1 protocol. SMB, or Server Message Block, is one of the most widely used communication protocols in the world. It is primarily used for file sharing and print services on Windows computers and servers, among other devices. A vulnerability in SMB lends itself perfectly to a computer worm, as it is already extensively used across home and enterprise networks, with port 445 left open for legitimate SMB traffic. On top of this, it was enabled on systems by default at the time.

The NSA, rather than informing Microsoft about the vulnerabilities, decided to keep them under wraps for several years. This was until the NSA themselves were hacked by a group called The Shadow Brokers in 2016. The Shadow Brokers stole a collection of exploits from the NSA and attempted to auction them off online. Unsure of the legitimacy of such claims, there were no bids. When the NSA realized that they were breached, they ended up informing Microsoft, who released a patch on March 14th, 2017. A month later, on April 14th, The Shadow Brokers decided to publicly release the exploits free of charge. The dump included the infamous EternalBlue exploit alongside the rest of the Eternal exploits, an exploitation framework, a command and control solution, and a backdoor implant for use after an initial exploitation. With all these exploits and tools now publicly available, various threat actors began to incorporate them into their own malware. Not even a month later, WannaCry took hold of the world. Despite a patch technically being released 2 months prior, the countless number of individuals and organizations that don't regularly update their OS were left exposed.

Now that we understand the source and significance of EternalBlue, let's take a look under the hood and see how it's actually able to fully compromise a remote system without any user interaction. Rather than being a single exploit, EternalBlue is an exploit chain leveraging three different underlying bugs. The first two bugs work together to induce a buffer overflow, while the third bug enables us to force a memory allocation of arbitrary size. While these bugs may seem obscure in isolation, they all come together in the end during the exploitation phase, using a technique known as heap grooming, or, as I like to call it, heap feng shui. What makes EternalBlue especially impressive is that it injects its chosen payload directly into SMB's memory space, running entirely within the SMB process on the target machine. This makes it exceedingly difficult to detect, as it doesn't create any new processes. But I digress.

To understand the exact mechanics at the heart of EternalBlue, let's start by taking a look at the SMB protocol. Similar to other protocols, communication within SMB takes the form of requests and responses being exchanged between two devices. The specific unit of information being exchanged is called an SMB message, also referred to as an SMB packet. These packets are divisible into three parts: the header block, the parameter block and the data block. The header block contains a field for the SMB command, which is used to specify the type of operation, such as creating, reading or deleting a file. When dealing with operations pertaining to files, you may encounter the case where extended file attributes, or FEAs, are used. A FEA is just a way to store metadata associated with a file beyond the standard attributes defined by the file system itself. Each FEA takes the form of a key-value pair alongside their respective sizes. The exact implementation and format of these key-value pairs varies by operating system; for instance, OS/2 and the Windows NT family have different FEA formats. Since SMB is compatible across different operating systems, it's possible to get into a case where OS/2-formatted FEAs need to be cast to NT-formatted FEAs.

The first bug that EternalBlue exploits is the wrong casting bug, where a buggy casting operation is used to cast OS/2 FEAs to NT FEAs, which causes a buffer overflow in the non-paged kernel pool. Just as an aside, the non-paged pool is just a memory pool that is designated to remain in physical RAM. This is opposed to the paged pool, which can spill over from physical RAM onto a slower page file on the disk. But I digress. In order to see how this buggy casting operation is able to cause a buffer overflow, we first need to understand how these FEAs are represented in code. OS/2 FEAs actually require the use of two structures. Each individual FEA is represented with an OS/2 FEA structure; multiple of these are stored together using an OS/2 FEA list, which combines them all together and stores the total size of the list in bytes. NT FEAs, on the other hand, use a structure called an NT FEA list, which are chained together back-to-back in memory. This approach is known as an offset-based linked list. Each instance represents a single FEA, with the NextEntryOffset field being used to tell where the next instance is located in memory relative to the current one. To navigate the nodes in the list, you would keep on adding the offset to the current node's memory address until you reach the end.

Now that we know how these two different types of FEAs are represented, let's see what happens when we get into the case where we need to cast an OS/2 FEA list to an NT FEA list. The SrvOs2FeaListToNt function will be used; let's take a look inside. Just to be clear, the purpose of this function is to create an NT FEA list given an OS/2 FEA list. In order to do this, we first need to determine the appropriate size for the soon-to-be-created NT FEA list, which is done with the SrvOs2FeaListSizeToNt helper function. Then we'll use the size that this function returns to allocate a buffer in the non-paged pool for the new NT FEA list. Once the allocation is made, the last step is to convert and add the individual FEAs from the OS/2 FEA list to the NT FEA list. This is done by iterating over the individual OS/2 FEA list entries until it reaches SizeOfListInBytes. Within each iteration, it converts the OS/2 record to the NT format and adds it to the NT FEA list. It's important to note that the SizeOfListInBytes field is used to determine how much underlying data is transferred into the NT FEA list.

Now that we know that there's three different steps, let's go ahead and look at them in more detail, starting with the SrvOs2FeaListSizeToNt function. This function actually does two distinct things. First, it calculates the size needed for the NT FEA list; this is the return value of the function, which is used to allocate the buffer, as we just saw. The second thing it's going to do will only happen on a specific edge case, in response to a malformed SMB packet. Because the SizeOfListInBytes field doesn't actually restrict the SMB packet size, it's possible to carefully craft a packet with some amount of FEAs that actually extend past whatever value is set as the SizeOfListInBytes. This would be a malformed packet. Why the function doesn't just drop these malformed packets is anyone's guess. Instead, what it does is it shrinks the SizeOfListInBytes value down to the nearest in-bounds FEA. This new value that it calculates overwrites the original SizeOfListInBytes value. Even though this may seem like weird behavior, it's not inherently dangerous; some FEAs may be lost during the casting process, but that's about it.

So where exactly does this bug lie? Recall that under normal circumstances, with an intact SMB packet, nothing is modified; only with a specific edge case with overflowing FEAs will SizeOfListInBytes be shrunk. Let's take a look at how it is shrunk. Basically, SizeOfListInBytes is defined as a ULONG, which takes up the size of a DWORD; this is a 4-byte value. The function that's run to overwrite the size treats it as a USHORT, which takes up the size of a WORD; this is a 2-byte value. This mismatch is the basis of the first bug. This means that if shrinking is needed, the two least significant bytes will be modified, while the two most significant bytes will remain untouched, due to the fact that the function treats a 4-byte DWORD as a 2-byte WORD. This means that if SizeOfListInBytes is less than 2 to the 16, meaning it fits entirely within the range of the two rightmost bytes, known as the low DWORD, it will be shrunk as expected. However, if it is greater than 2 to the 16 and spans both the high DWORD and low DWORD, the function will only affect the low DWORD, leaving the high DWORD intact. Because of this, depending on the exact value being used, SizeOfListInBytes may be enlarged instead of shrunk.

Let's see how much damage this can actually cause. Zooming back out to our casting process at a high level, recall that the last step in the casting process will iterate over each OS/2 FEA in the OS/2 FEA list, converting and appending it to the NT FEA list until it reaches SizeOfListInBytes. Everything contained within this area is set to be copied over into the NT FEA list buffer. When creating this carefully crafted packet, the SizeOfListInBytes field is going to be set to a controlled value larger than 2 to the 16, in hopes of triggering the bug that mistakenly enlarges it. Due to the enlargement of this field, the area to be copied over is increased. Throughout this entire process, up until this point, I left out a key piece of information about the specially crafted packet: when we created this packet, we actually would have placed some unrelated, attacker-chosen data directly following the FEA list. Keep in mind that despite the SizeOfListInBytes being wrongfully enlarged, the size for the newly created NT FEA list buffer is calculated correctly. Because of the enlarged value of SizeOfListInBytes, the area to be copied over is now larger than the NT FEA list buffer size itself, meaning more data will be copied over than can fit within the buffer. This is known as an out-of-bounds write. In addition to all of the FEAs being copied over, the arbitrary data that we included within our malformed packet will also be copied over as well, so long as it fits within the area marked by SizeOfListInBytes. In short, bug A achieves an out-of-bounds write of arbitrary data past the bounds of the NT FEA list buffer, which resides within the non-paged kernel pool. The important takeaway here is that if there was anything else directly following the NT FEA list buffer in memory, it would be overwritten with this attacker-injected data. Keep this in mind for later in the attack.

So far this makes sense. However, you might have been wondering exactly why a field defined as a ULONG is treated as a USHORT. It's actually bug B that makes this happen; you need both bug A and B to pull off this out-of-bounds write successfully. Within SMB, there's several commands that can be used for file-related operations. SMB_COM_TRANSACTION2 and SMB_COM_NT_TRANSACT are two relevant examples of such commands. If the amount of data that needs to be transmitted exceeds the maximum within a single SMB packet, it may be broken up into multiple packets. Each command has a corresponding subcommand ending in _SECONDARY, which makes it possible to send two packets back-to-back, with the secondary packet containing the remaining data that couldn't fit within the primary packet. It's important to note that the TRANS2 request defines its fields in WORD sizes, whereas the NT_TRANS request defines its fields in DWORD sizes. Bear with me on this. There is no validation enforcing that multi-part transactions must be of the same type, meaning it's possible to send mismatching primary and secondary commands. What we're going to do is send an NT_TRANS followed by a TRANS2_SECONDARY, which will be treated and parsed as a valid two-part transaction. Even though this will be accepted as a valid transaction, we know that these two transaction types will use different field sizes. The fault in SMB is that it doesn't take into account that different transaction types may be used together despite having different field sizes. As a result, the field size of the last transaction type will be used for parsing all of the packets. This means that the primary NT_TRANS packet that uses DWORD sizes will be treated as if it only uses WORD sizes, which is what causes the incorrect parsing function to be used, as we saw in bug A. Just to recap: bugs A and B work together to enable an out-of-bounds write past the boundary of the NT FEA list, injecting arbitrary data into the subsequent memory location within the non-paged kernel pool.

If you're like me, you've probably been hearing the term buffer overflow thrown around for quite some time. Despite being frequently discussed and widely recognized as a severe vulnerability, buffer overflows on their own are rarely enough to compromise the system. Just because an attacker is able to trigger a bug doesn't mean that they're able to use it for anything useful. How would the attacker even know what data lies outside of the buffer? There's a wide variety of buffer overflow protection and mitigation techniques standing in their way, such as address space layout randomization, which breaks address space predictability, and data execution prevention, which marks certain memory regions as non-executable. EternalBlue pairs this buffer overflow with more sophisticated techniques, which we'll see shortly. When I was researching for this video, I came across this DEF CON presentation by zerosum0x0, which was invaluable in understanding the types of techniques you might see at this level.

Understanding these attacks often requires a strong foundation of knowledge and understanding, combined with effective problem-solving skills. This is where today's video sponsor comes in: Brilliant. With Brilliant you learn by doing, engaging with thousands of interactive lessons in math, programming, computer science, data science and AI. Brilliant offers lessons that are designed to instill proper principles and teach you fundamentals from the ground up in a hands-on environment. All content on Brilliant is crafted by an award-winning team of teachers, researchers and professionals from schools such as MIT and Caltech, and even industry partners such as Google and Microsoft. All of their lessons are filled with hands-on exercises that let you play with concepts in real time, a method proven to be more effective than simply watching lecture videos. Brilliant helps to build real-world critical thinking skills through problem solving, not memorizing. So while you're building real knowledge on specific topics, you'll also be becoming a better thinker. The best part: you don't need to dedicate hours at a time to learn. Developing a daily habit of learning is going to keep your mind sharp and your information diet rich, which is invaluable for both personal and professional growth. That's why Brilliant provides its lessons in manageable, bite-sized pieces that can be done whenever, wherever, helping you build real knowledge in just minutes a day. Personally, I replaced a lot of my social media scrolling with Brilliant, and I wouldn't look back. You can start to learn the core mechanics powering the everyday technologies we all know and love, such as search engines, neural networks, cryptocurrency or even quantum computing. Most recently I took their course on large language models, which gives you hands-on experience with real language models. You get to explore the impact that training data has on the model's output, and even spend some time learning how to tune an LLM to become better suited toward a specific task. This is increasingly relevant in the age of AI assistants, and with the rise of adversarial machine learning attacks, a robust set of problem-solving skills and a wide breadth of knowledge are often key in being able to spot patterns and piece together solutions in the world of cyber security. To try everything Brilliant has to offer for free for a full 30 days, visit brilliant.org/DanielBoctor or click the link in the description. You'll also get 20% off an annual premium subscription.

This concludes part one of this two-part series. To continue with the series, check out part two, which will be available here once it's released. Thanks for watching.
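The casting bug walked through in the transcript (bug A), and summarized in the "Technical Details of EternalBlue Exploits" outline above, can be modelled without any kernel. The C below is an added example written for this page; it is not srv.sys code and not material from the video. It assumes the record layouts the page describes: a 4-byte OS/2 FEA header (flag, name length, USHORT value length) followed by name, NUL and value; a ULONG SizeOfListInBytes that counts from the start of the list; and NT records of an 8-byte header plus name, NUL and value, padded to 4 bytes. Little-endian storage is assumed, and the crafted list (SizeOfListInBytes = 0x10000, 247 filler records, then a record whose value runs past the list end) and the zero bytes after it are constructed for the demonstration. The same size-to-NT walk runs twice, once storing the shrunk length through a USHORT pointer and once storing all 32 bits, and the number of bytes the conversion loop would push past the allocated NT buffer is the out-of-bounds write.

```c
/* Model of EternalBlue bug A: the OS/2 -> NT FEA list conversion in the
   SMBv1 server. Constructed example for this page, not srv.sys code.
   Little-endian byte order is assumed for the USHORT store. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define LIST_HDR     4u        /* SizeOfListInBytes (ULONG) precedes the records */
#define OS2_FEA_HDR  4u        /* flag, name length, value length (USHORT) */
#define NT_FEA_HDR   8u        /* NextEntryOffset, flag, name length, value length */
#define PACKET_LEN   0x20000u  /* list plus trailing attacker-chosen bytes */

typedef struct { uint8_t name_len; uint16_t value_len; } fea_hdr;

static fea_hdr read_fea(const uint8_t *p) {
    fea_hdr h;
    h.name_len = p[1];
    memcpy(&h.value_len, p + 2, 2);
    return h;
}
static void write_fea(uint8_t *p, uint8_t name_len, uint16_t value_len) {
    p[0] = 0;
    p[1] = name_len;
    memcpy(p + 2, &value_len, 2);
}
static size_t   os2_size(fea_hdr h) { return OS2_FEA_HDR + h.name_len + 1 + h.value_len; }
static uint32_t nt_size(fea_hdr h)  { return (NT_FEA_HDR + h.name_len + 1 + h.value_len + 3) & ~3u; }
static uint32_t get_list_len(const uint8_t *pkt) { uint32_t v; memcpy(&v, pkt, 4); return v; }

/* SrvOs2FeaListSizeToNt model: walk records up to SizeOfListInBytes and return
   the NT buffer size. A record that crosses the end of the list shrinks the
   length to that record's offset. The buggy variant stores the new length
   through a USHORT, so only the low 16 bits change; the fixed one stores 32. */
static uint32_t size_to_nt(uint8_t *pkt, int buggy) {
    uint32_t total = 0, list_len = get_list_len(pkt);
    size_t off = LIST_HDR;
    while (off < list_len) {
        fea_hdr h = read_fea(pkt + off);
        if (off + os2_size(h) > list_len) {
            if (buggy) { uint16_t lo = (uint16_t)off; memcpy(pkt, &lo, 2); }  /* bug A */
            else       { uint32_t v  = (uint32_t)off; memcpy(pkt, &v, 4); }
            break;
        }
        total += nt_size(h);
        off   += os2_size(h);
    }
    return total;
}

/* SrvOs2FeaListToNt copy-loop model: records are converted until the offset
   reaches the (possibly enlarged) SizeOfListInBytes. Returns the bytes that
   would be written into the NT buffer. The PACKET_LEN bound only keeps this
   model memory-safe; the real loop has no such check. */
static uint32_t bytes_copied(const uint8_t *pkt) {
    uint32_t written = 0, list_len = get_list_len(pkt);
    size_t off = LIST_HDR;
    while (off < list_len && off + OS2_FEA_HDR <= PACKET_LEN) {
        fea_hdr h = read_fea(pkt + off);
        written += nt_size(h);
        off     += os2_size(h);
    }
    return written;
}

/* Constructed crafted list: SizeOfListInBytes = 0x10000, 247 records of 264
   bytes, then a record whose value runs past 0x10000. The attacker bytes after
   the list are left zero. Returns the offset of the crossing record (0xFEBC). */
static size_t build_crafted_list(uint8_t *pkt) {
    uint32_t len = 0x10000;
    memcpy(pkt, &len, 4);
    size_t off = LIST_HDR;
    while (off + 264 <= 0xFF00) { write_fea(pkt + off, 3, 0x100); off += 264; }
    write_fea(pkt + off, 3, 0x1000);   /* ends at off + 0x1008 > 0x10000 */
    return off;
}

/* SizeOfListInBytes as left behind by size_to_nt on the crafted list. */
static uint32_t shrunk_length(int buggy) {
    uint8_t *pkt = calloc(1, PACKET_LEN);
    if (!pkt) return 0;
    build_crafted_list(pkt);
    size_to_nt(pkt, buggy);
    uint32_t v = get_list_len(pkt);
    free(pkt);
    return v;
}

/* Bytes the conversion would write past the allocated NT buffer (0 if none). */
static uint32_t overflow_bytes(int buggy) {
    uint8_t *pkt = calloc(1, PACKET_LEN);
    if (!pkt) return 0;
    build_crafted_list(pkt);
    uint32_t alloc   = size_to_nt(pkt, buggy);
    uint32_t written = bytes_copied(pkt);
    free(pkt);
    return written > alloc ? written - alloc : 0;
}

int main(void) {
    printf("SizeOfListInBytes after shrink: buggy=0x%X fixed=0x%X\n",
           shrunk_length(1), shrunk_length(0));
    printf("bytes written past NT buffer:   buggy=%u fixed=%u\n",
           overflow_bytes(1), overflow_bytes(0));
    return 0;
}
```

Build with `cc model.c -o model && ./model`. The crossing record sits at offset 0xFEBC, so the USHORT store leaves SizeOfListInBytes at 0x1FEBC (the high word 0x0001 survives) and the copy loop walks far past the 247 in-bounds records into the trailing bytes, while the 32-bit store leaves 0xFEBC and the copy ends exactly at the allocated size. Swapping the zero filler for chosen bytes is what the exploit does to control what lands after the NT buffer.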