Dump-ster Fire as a Subscription
Undeterred by the failure of their blind bitcoin auction, the Shadow Brokers have pivoted into a monthly subscription model for the low low price of 100 Zcash (approximately $23,000), promising to deliver a dump full of unknown goodies. Call it a grab-bag of badness. For a group calling themselves “brokers,” they’re not very good at selling their warez.
Security researchers launched a crowdfunding campaign to raise money to purchase the Shadow Brokers dump in an attempt to fend off the next destructive worm, but have since removed the campaign. We were pleased to see this, as we believed it was misguided from the start. The money raised, we think, would have been better spent on an advertising campaign to educate users on the hazards of not patching, rather than on purchasing badness directly from the Shadow Brokers and handing them money to reward them. Apparently, their lawyers agreed.
There is no guarantee the Shadow Brokers will deliver on their promises and the NSA did, in fact, alert Microsoft about the vulnerabilities prior to the previous Shadow Brokers dump. The MS17-010 patch was available for almost two full months prior to WannaCry’s outbreak. But early access to the vulnerabilities and exploits isn’t enough to prevent the outbreak of a worm if users aren’t updating their devices.
While all this InfoSec drama plays out, just keep your devices updated, block any unnecessary ports at your firewall, and keep regular backups. You know, stuff you should be doing all the time. Per usual, ‘back to the basics’ security fends off a whole lot of lazy bad guys.
Citizen Lab released an outstanding report on a sophisticated information warfare campaign attributed to the Russian government, whereby hackers phished over 200 unique targets to gain access to their emails. Once inside, the attackers downloaded documents and manipulated them to support a political agenda, then leaked them to the public and media.
As always, be vigilant when entering your login credentials and be wary of any links sent to you over email or broadcasted over social media. Think of them as the bait that they so often are. Enable two-factor authentication (2FA) where available to mitigate the damage caused by inadvertently entering your password on a phishing site.
Ransom All The Things
Apparently, server message block (SMB) vulnerabilities are the new rage once again as Linux joins the party with an SMB-based vulnerability, CVE-2017-7494, which could lead to another ransomware worm like WannaCry. (Please, no more WannaCry.) Samba is the Unix/Linux alternative for implementing file and print sharing interoperability with Windows machines. Samba is commonly used by network attached storage (NAS) devices which allow users to store their data on network devices.
Rapid7’s Project Sonar revealed over 100,000 devices on the Internet running vulnerable versions of Samba. There are likely countless more running behind firewalls and network address translation (NAT) appliances. Even worse, 90% of those devices are running unsupported versions of Samba, for which there is no patch available. Alas, we can’t just tell you to patch your systems to stay secure.
It’s only a matter of time until an unscrupulous actor decides to package up both the MS17-010 vulnerabilities found in WannaCry and CVE-2017-7494 into a single multi-platform worm to deliver ransomware - so keep your devices updated, keep an offline backup of your data, and pressure your vendors for timely software updates.
If a patch is unavailable, you can at least protect yourself by disabling nt pipe support in your Samba config: nt pipe support = no
So, see? Not all is lost.
About the Cylance Research and Intelligence Team
The Research and Intelligence team explores the boundaries of the information security field identifying emerging threats and remaining at the fore front of attacks. With insights gained from these endeavors, Cylance stays ahead of the threats.