Exploits
Download as PPTX, PDF0 likes116 views
This document summarizes malware activity from 2016-2018, including the Jaff and Necurs botnets, WannaCry and Petya ransomware worms, and the emerging VPNFilter botnet. It describes their payloads and infection methods, such as exploiting the EternalBlue SMB vulnerability and using Mimikatz to extract credentials. The document also discusses techniques used by cybercriminals, such as hiding on bullet proof hosting, using anonymous tools and cryptocurrency, and targeting Ukraine for attacks. It provides recommendations like patching SMB vulnerabilities, disabling unnecessary ports, and submitting samples to analysis services.
Exploits
- 1. Jaff spambot Necurs spam bot • 2016 Q2 • Spammer Botnet • Malicious spam pushing Jaff (a worm) • Necur spambot automated server WannaCry Ransomware+Worm Petya Ransomware +Worm • Q1 2017 Worldwide attack x2 • increase in platform level malware with worm functionality • beacon to command and control server for malware fetch • PuPs that block security protocols NotPetya+WannaCryRansom wareworm DoublePulsar VPNFilter Botnet immerging from fallout • 2017 Q2-2018 • Used stolen ransomware and modified it • Infection_iinstall_ki llswitch_seek • repeat • developers used WannaCry • families coming from same creators?
- 2. All Windows OS except XP not effected because NETBIOS was removed. VPNFilter currently comprimising SOHO routers to push botnet. Nmap common port numbers (SMB) TCP port 445 direct UDP port 137, 138 & TCP 137,139 VpN Filter PenTrap examines IPs in/out Mimikatz 2.0 Kerberos Golden Ticket autonomized memory extraction tool assume domain admin rights anytime Eternalblue SMB Exploit • Green and Red Petya (2016) • +Mishya • +GoldenEye (bootlocker+files) • WannaCry Auto Lateral Movement (PSExec and WMIC) Auto Scans subnets for devices and hosts DeepFreeze is a WinOS terminal hijacker Necurs botnet pushed Jaff at 5 million m.p.h from social media sites Comprimised SOHO routers by VPNFilter Trojan:Win32/Necurs with registry change for bootup (like Netcat)
- 3. • Notpetya: In less then 20 minutes it; 1) Rewrites Master Boot Registry (MBR) to boot to malware. 2) Encrypt NTFS file system using AES-128bit encryption key and 3) Spreads internally --on a that timer.
- 4. Hiding Online is Easy! Bullet Proof Hosting and VPNs Proxy Servers and anonymous comm tools Untraceable email accounts Decentralized Digital Currency
- 5. Offensive Security: - any change in darknet traffic is key Beware of calling cards: "Sandworm" or "Telebots" "The ShadowBrokers" "Equation Group" Ukraine is a creation and testing hub for attacks due to cultural and historical Russian forced statehood and indocternation. Patch (CVE-2017-0144) and disable SMBv1 Utilize Open Source Intelligence (OSINT): share, validate, and contextualize. Recorded Future (Click me) Block outside access to ports 137, 138, 139, and 445. Buy/report any call-out domains instantly- No admin gets carte blanche over the network--limit to domain admins sudo rule-update malware-traffic-net Submit pCap logs to Virus Total automated vulnerability scanner like open-vas Creating read-only file C:Windowsperfc.dat this will not prevent spread but will prevent host MBR encryption Key released! download decryptors from Malwarebytes ISO Live CD and the Windows Executable