This Week In Security: NotPetya For Cash Money; Got Gox’d?

By Cylance Research and Intelligence Team

NotPetya Bungling Authors Provide Evidence of Master Key in Efforts to Possibly Maybe Get Some Cash Money

The authors of the NotPetya/EternalPetya malware, which brought thousands of businesses to a crippling halt last month, have resurfaced to show that they may actually hold a master key capable of decrypting victims’ files. In a Pastebin post they offered to sell this key for 100 bitcoins (approximately $236,000 USD at the time of writing).

Security researchers broadly agree that NotPetya was a wiper: the ransom component was secondary to destabilizing and disrupting the targeted systems, and the per-victim “installation key” shown in its ransom note was random data from which no disk decryption key could be recovered, whatever the attackers were paid.

Within hours of the first infections, the email provider shut down the address given in NotPetya’s ransom note, making it impossible for the authors to receive and verify payments. Their recent reappearance looks like the only remaining way to recoup something from the operation after the initial blunder of not picking a shadier email provider.

Reporters from Vice got in touch with the purported authors over a dark web chat and asked them to prove that they were the real authors and could in fact decrypt victims’ files. Given an encrypted Microsoft Word document, the authors returned it successfully decrypted within two and a half hours.

The plot thickens: the file used for the demonstration was only about 200 KB, and because of errors in how the malware applies its encryption, many researchers believe the authors cannot decrypt files larger than 1 MB.

Before shutting down the dark web chat room and closing communications, the authors stated that several firms had shown interest in purchasing the master key and that they would only discuss further details with anyone making a real offer. The claims of possible buyers could not be confirmed by any source, and, as usual, many security experts and organizations have firmly advised against paying ransom demands.

Many are still wondering whether money was ever the goal, given that the authors pulled off a sophisticated compromise of the MeDoc update servers (used to distribute the malware) and then failed epically to collect payments.

Regardless of how the master key saga ends, future attackers will very likely study the pitfalls of NotPetya’s amateurish payment operation and improve their infrastructure and payment channels in order to stay profitable.

W3C Approves DRM for HTML5 Despite Unanswered Privacy and Security Questions

Much to the chagrin of the EFF and many security researchers, the World Wide Web Consortium (W3C) has approved a standard platform for web-based DRM. The specification, in development since 2013, is Encrypted Media Extensions (EME).

EME lives inside the browser and is exposed to HTML and JavaScript as a normal web API, with no plugins or third-party applications involved. EME itself does not encrypt or decrypt anything: it is a bridge that lets page script hand initialization data to a Content Decryption Module (CDM) and relay the CDM’s license request and the license server’s response. The keys are handled inside the CDM; script only shuttles opaque messages back and forth. That is what makes the new DRM system easy to adopt, modular, and convenient, and it is also what makes the CDM the one component nobody outside its vendor gets to examine.
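To make the bridge concrete, here is an added example (not code from the original post or from the W3C specification) of the script side of an EME session together with a stub license server for the W3C’s own ClearKey key system. ClearKey is used because its messages are plain JSON, so you can see exactly which bytes cross the bridge; the key store, key IDs and license URL are constructed for the example and are not real content keys.

```javascript
// Added example: script-side EME flow plus a stub ClearKey license server.
// Not from the original article or the W3C spec; key material below is made up.

const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Unpadded base64url, as required by the JWK format ClearKey licenses use.
function b64urlEncode(bytes) {
  let out = '';
  for (let i = 0; i < bytes.length; i += 3) {
    const n = (bytes[i] << 16) | ((bytes[i + 1] || 0) << 8) | (bytes[i + 2] || 0);
    out += B64URL[(n >> 18) & 63] + B64URL[(n >> 12) & 63];
    if (i + 1 < bytes.length) out += B64URL[(n >> 6) & 63];
    if (i + 2 < bytes.length) out += B64URL[n & 63];
  }
  return out;
}

function b64urlDecode(str) {
  const bytes = [];
  let buf = 0, bits = 0;
  for (const ch of str) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error('invalid base64url character');
    buf = ((buf << 6) | v) & 0xffffff;
    bits += 6;
    if (bits >= 8) { bits -= 8; bytes.push((buf >> bits) & 0xff); }
  }
  return Uint8Array.from(bytes);
}

function fromHex(hex) {
  return Uint8Array.from(hex.match(/../g), (b) => parseInt(b, 16));
}
function toHex(bytes) {
  return Array.from(bytes, (b) => b.toString(16).padStart(2, '0')).join('');
}

// Constructed key store for the stub server: 16-byte key ID (hex) -> 16-byte key (hex).
const KEY_STORE = {
  '00112233445566778899aabbccddeeff': '0f1e2d3c4b5a69788796a5b4c3d2e1f0',
};

// The bytes a ClearKey CDM delivers in the session's 'message' event:
// {"kids":[<base64url key IDs>],"type":"temporary"}. Built here so the
// server side can be exercised without a browser.
function makeClearKeyRequest(kidHexList) {
  const body = { kids: kidHexList.map((h) => b64urlEncode(fromHex(h))), type: 'temporary' };
  return new TextEncoder().encode(JSON.stringify(body));
}

// Stub license server: answers a ClearKey request with the JWK set the CDM expects.
function buildClearKeyLicense(requestBytes, keyStore) {
  const req = JSON.parse(new TextDecoder().decode(requestBytes));
  if (!Array.isArray(req.kids)) throw new Error('malformed ClearKey request');
  const keys = [];
  for (const kid of req.kids) {
    const keyHex = keyStore[toHex(b64urlDecode(kid))];
    if (!keyHex) continue; // unknown key ID: a real server would log and refuse
    keys.push({ kty: 'oct', kid, k: b64urlEncode(fromHex(keyHex)) });
  }
  if (keys.length === 0) throw new Error('no keys for the requested key IDs');
  return new TextEncoder().encode(JSON.stringify({ keys, type: req.type || 'temporary' }));
}

// Browser side (not run here: it needs a <video> element and a CDM). The page
// script only relays request and response; with ClearKey the license is plaintext
// JWK, which is why ClearKey is a test system. With Widevine or PlayReady the same
// relay carries a blob encrypted to the CDM that the script cannot inspect.
async function attachClearKey(video, licenseUrl) {
  const config = [{
    initDataTypes: ['cenc'],
    videoCapabilities: [{ contentType: 'video/mp4; codecs="avc1.42E01E"' }],
  }];
  const access = await navigator.requestMediaKeySystemAccess('org.w3.clearkey', config);
  const mediaKeys = await access.createMediaKeys();
  await video.setMediaKeys(mediaKeys);
  video.addEventListener('encrypted', async (ev) => {
    const session = mediaKeys.createSession('temporary');
    session.addEventListener('message', async (msg) => {
      const resp = await fetch(licenseUrl, { method: 'POST', body: msg.message });
      await session.update(new Uint8Array(await resp.arrayBuffer()));
    });
    await session.generateRequest(ev.initDataType, ev.initData);
  });
}
```

Everything a researcher can observe from script is the `message` payload and the bytes handed to `session.update`; what the CDM does with them is precisely the part the page has no API for, and, as the rest of this story explains, no legal cover to examine either.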

However, as always, whenever DRM is involved a fiery debate follows. With strong support from the MPAA, Netflix, and other companies whose business depends on streaming content, web-based DRM immediately drew opposition from the EFF, Defective by Design, and many other privacy and information-freedom activists.

Since its initial announcement four years ago, several campaigns have been run to raise awareness and to prevent what many see as a turning point for the future of the open web.

In the latest burning trash fire of the never-ending battle between DRM proponents and their opposition, the W3C flatly rejected several proposals intended to ensure the security of EME implementations. Under Section 1201 of the Digital Millennium Copyright Act, circumventing a DRM system, or providing tools that do so, is illegal, and that covers any subsystem connected to it, so a researcher who probes a CDM for vulnerabilities is exposed to the same liability as a pirate.

The EFF proposed that, to balance security and privacy while still letting DRM function, security researchers should be free to analyze and inspect the DRM modules built alongside EME for flaws.

The W3C rejected this. The EFF then countered with a proposed covenant under which W3C members would agree not to sue researchers for such work; this was rejected too. In fact, the W3C was so unwilling to offer any protection or future security evaluation of the code that the members were not even asked to reach a consensus.

If that weren’t bad enough, the W3C also voted against any measure to limit the legal consequences of DRM bypass or circumvention at any level. The proposal would have targeted only pirates who distribute ripped content, but the W3C and DRM supporters felt that anyone who performed any DRM bypass or circumvention at any time should be subject to litigation.

As it stands, the legal path for analyzing these modules and reporting vulnerabilities in EME is a very gray zone. It seems the future of DRM vulnerabilities will be public, anonymous, zero-day-style drops, complete with fair-use chiptunes and free-as-in-beer graphics.

US Department of The Painfully Obvious Issues Amber Alerts Over Power Plant Phishing 8 Years Too Late

In an effort that can only be described as “too little, too late”, the Department of Homeland Security and the FBI issued a joint report describing malware sent to employees of nuclear power plants and other critical infrastructure facilities. Details of the attacks, which began in May and arrived as resumes emailed to senior employees, were finally shared with the public last week, and, as expected, many people went from zero to thermonuclear on the overreaction scale.

Seen as more fuel for this year’s biggest blockbuster, “Russian hackers are definitely infiltrating and crippling US power plants with their crazy hacking skills,” many immediately concluded that the malware in this attack was swag-tastic, ‘Fancy Bear’-grade APT tooling. The rooftop shouting about imminent, catastrophic power plant failure from a phishing campaign is fortunately a far cry from the sophistication, planning, and opsec required to carry out a Stuxnet 2.0.

The first thing to note is that there is no evidence these attacks were highly sophisticated or that they targeted the SCADA or PLC networks that actually operate the facilities. The amber alert issued for the attack states that the employees’ personal computers, not their work computers, were targeted.

Attackers using this method are unlikely to gain a foothold on any plant control system, given the security restrictions enforced at such facilities under NERC’s CIP standards. Even if an attacker compromised an employee’s personal machine and pivoted to the work machine because the employee checked personal email at work, that machine should have no path to any control network or SCADA device, provided the required segmentation (the “air gap”) is actually enforced rather than merely documented.

A reality check on U.S. nuclear plants conducted in 2015 by Chatham House did find multiple security issues and a lack of policy enforcement. Since that report, however, NERC’s CIP compliance guidance has been substantially updated, and stricter guidelines and penalties have been enforced.

Furthermore, it has been shown over and over that power plants’ worst enemies, and the cause of their most damaging outages, are squirrels, along with birds, snakes, and the occasional jellyfish, long before humans or cyberattacks.

Got Gox’d? Trial for CEO of Mt. Gox Starts A Whole New Chapter for BitCoin

In what may be one of the most pivotal court cases of the last 20 years, the rise and fall of Mt. Gox has been a never-ending source of drama, intrigue, scandal, and cover-ups; not unlike the current presidency.

The embezzlement charges tied to the hundreds of thousands of bitcoin (BTC) that went missing have long been pinned on former Mt. Gox CEO Mark Karpeles, who now stands trial in Japan. Pleading not guilty, Karpeles is attempting to convince the court and the world that the disappearance of its clients’ bitcoins (worth approximately $340M at the time) had nothing to do with his lavish lifestyle, which included an $11,000-a-month penthouse (complete with a $48,000 bed) and VIP status at multiple venues dealing in sexual services. His current defense: he found some misplaced cold storage holding 200,000 bitcoins, and the rest was taken by hackers who compromised Mt. Gox.

The trial has also confirmed some long-suspected irregularities in Mt. Gox’s business practices, such as the existence of the Willy Bot. Gox’d victims had long inferred the bot from anomalous spikes in exchange activity, and it has been heavily scrutinized as fraudulent bot trading used to artificially inflate trading volume and the price of BTC.

In the coming days the defense is expected to present physical evidence of hacking activity directed at Mt. Gox and explain the details of the compromise. Bitcoin, which stumbled for years until recently, has been climbing steadily and reached record highs this year.

Since the trial began, the BTC price has swung between $2.25k and $2.6k per coin, making investors extremely nervous. As the trial continues, investors and BTC traders alike are holding their breath for compensation, closure, and a new beginning for cryptocurrencies.

With BTC gaining traction in most of the world’s markets, efforts to mine bitcoin and other cryptocurrencies have reached new heights. With the introduction of the latest GPUs marketed specifically for mining (Bitcoin itself has long since moved to ASICs; the GPUs go to other coins), the mining revival is in full force.

A testament to this revival can be seen in a beautiful photographic piece by Chinese photographer Liu Xingzhe. In what can only be described as a cyberpunk dystopian future, Liu photographed a cryptocurrency mining operation in Sichuan province that uses cheap hydroelectric power to run thousands of mining rigs, tended by round-the-clock staff.

About the Cylance Research and Intelligence Team

The Cylance Research and Intelligence team explores the boundaries of the information security field, identifying emerging threats and remaining at the forefront of attacks. With insights gained from these endeavors, Cylance stays ahead of the threats.