A short presentation on the latest dump of NSA tools by the Shadow Brokers hacker group: how the attack works and how to prevent it. Also covers the new WannaCry 2.0 ransomware.
2. $whoami
• Certified Android developer (Udemy)
• 2nd year UIT RGPV student
• Member of the Juliar Foundation
• Can code in Java, Python, Juliar, C
• L33t at cybrary.it
3. What to expect
• Who are the Shadow Brokers?
• What did they do?
• Brief intro to Lost in Translation (5th leak)
• Playing with FuzzBunch and DanderSpritz
• Clever ways these tools are being used now
4. Who are the Shadow Brokers?
• A hacker group that published some of the National Security Agency (NSA) Equation Group's hacking tools.
• First appeared in mid-August 2016
• However, I have found reasons to believe that it's just 2 people who used to work for the NSA as private contractors.
5. How did they do it?
1. They found the creators of Stuxnet and Flame, whom Kaspersky called the Equation Group
2. They followed Equation Group traffic
3. They found the Equation Group source
4. "We find many many Equation Group cyber weapons"
They explained the attack in layman's terms -
8. Final leak “Lost in Translation”
• windows: contains Windows exploits, implants and payloads
• swift: contains operational notes from banking attacks (docs, Excel files, PowerPoints of some attacks)
• oddjob: an implant builder that can deliver exploits for Windows 2000 and later. Its key feature is that it is fully undetectable (FUD)
9. These NSA exploits can target Cisco firewalls, Windows OS, Windows Server, Solaris boxes running versions 6 to 10, RedHat 7.0,
15. DanderSpritz
• A Java-based console from which compromised computers can be managed.
• So basically it's a Remote Administration Tool (RAT).
• I have used it to make malicious DLL files and to control the PeddleCheap / ExpandingPulley implant.
19. What are we exploiting?
• The Server Message Block (SMB) protocol
• It is a network file-sharing protocol (in practice also used for storing the configuration files of virtual machines)
• CERT/CC released information on a Server Message Block (SMB) vulnerability affecting Microsoft Windows
• FuzzBunch uses this vulnerability to install a backdoor, inject a DLL, inject shellcode, etc.
20. How are we going to do it?
1. Make a malicious DLL with DanderSpritz.
2. Use EternalBlue (special) to install the backdoor.
3. Use DoublePulsar (payload) to inject the DLL.
4. Use DanderSpritz to listen for connections.
21. For the demo we have 1 attacker machine and 1 victim
1. Windows 7 attacker
2. Windows 7 victim
23. Clever ways these exploits are used
1. EternalBlue without FuzzBunch
2. Making the DoublePulsar and EternalBlue modules standalone, like msfvenom
3. A Python script that uses EternalBlue to run msfvenom output directly, without ever installing DoublePulsar
4. A DoublePulsar detection script
5. Using EternalBlue in the WannaCry v2.0 ransomware
27. WannaCry ransomware
• First appeared in February 2017
• Now there is a follow-up version which uses the SMBv2 remote code execution vulnerability
• The same vulnerability is used by EternalBlue
• It encrypts with RSA-2048: a private key is created, sent to the attacker, and then deleted from the victim machine
30. Accidental hero finds a kill switch
• The problem with this is that the attacker can change the domain and reuse it
• So it's not very effective
• However, there are ways to find out the kill switch domain in every sample
31. How to fix this issue
1. Installing the MS17-010 Windows security update (best way)
2. Disabling SMB on your Windows machine (OK way)
3. Blocking all incoming SMB traffic on port 445
4. Backing up all your data to some external device
33. But they haven't released the MS17-010 security update for some older versions of Windows, so your best option is to use the other 2 methods.
34. 2. Disable SMB on your Windows machine
• Go to Control Panel > Programs and Features
• Go to Turn Windows features on or off
• Uncheck the SMB 1.0 box
36. • However, disabling the SMB protocol is not recommended
• But it's safer to do it when patches are not available
• Blocking SMB can only prevent the ransomware from spreading, but patching the machine will make the system resistant to the attack
37. 3. Blocking all incoming SMB traffic on port 445
Different Wi-Fi routers have different interfaces, but they offer the same functionality:
• Go to 192.168.1.1
• Enter the username and password
• And find Application filter
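The same three fixes from slide 31, applied on the Windows host itself instead of through the Control Panel or the router. This is an added example and not code from the presentation. It assumes an elevated PowerShell session; the Smb* and NetFirewall cmdlets of Windows 8.1 / Server 2012 R2 or later, with the registry value and netsh command Microsoft documents as fallbacks for Windows 7 (the demo OS); and that you replace the `$Ms17010Kb` placeholder with the MS17-010 KB number that applies to your build.

```powershell
# Added example, not part of the original presentation.
# Check for MS17-010, disable the SMBv1 server, and block inbound TCP 445 on one host.
# Assumes an elevated PowerShell. Smb*/NetFirewall cmdlets need Windows 8.1 / 2012 R2+;
# older systems fall back to the LanmanServer registry value and netsh.
# $Ms17010Kb is a placeholder: substitute the MS17-010 KB number for your OS build.
param([string]$Ms17010Kb = '<KB-number-for-your-OS>')

$smb1Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Best fix (slide 31, step 1): is the MS17-010 update actually installed?
$fix = Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue
if ($fix) {
    Write-Host "MS17-010 ($Ms17010Kb) installed on $($fix.InstalledOn)"
} else {
    Write-Warning "MS17-010 ($Ms17010Kb) not found - install it; the steps below only mitigate"
}

# 2. OK fix (step 2): turn off the SMBv1 server, the protocol version EternalBlue talks to.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Write-Host "SMB1 enabled before: $((Get-SmbServerConfiguration).EnableSMB1Protocol)"
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Also remove the optional feature so the SMB1 driver is not loaded at all (reboot required).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
        -ErrorAction SilentlyContinue | Out-Null
} else {
    # Windows 7 / Server 2008 R2: same effect through the LanmanServer SMB1 registry value.
    Set-ItemProperty -Path $smb1Key -Name SMB1 -Type DWord -Value 0 -Force
}

# 3. Stop lateral spread (step 3): block inbound SMB on TCP 445 at the host firewall.
$ruleName = 'Block inbound SMB 445 (MS17-010 mitigation)'
if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
} else {
    netsh advfirewall firewall add rule name="$ruleName" dir=in action=block protocol=TCP localport=445
}

# 4. Verify the end state so the change can be confirmed, not assumed.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
} else {
    Get-ItemProperty -Path $smb1Key -Name SMB1 -ErrorAction SilentlyContinue | Select-Object SMB1
}
```

As slide 36 says, steps 2 and 3 only stop the worm from spreading to this machine; the patch is what closes the hole, which is why the script warns rather than stops when the update is missing.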
40. What to do if already infected?
• Wait...
• Eventually someone will find a decryption key (you get 7 days)
• If one machine is infected, take it offline or block incoming SMB traffic on port 445 to stop it from spreading
41. Should you pay the ransom?
• Well, most users opt to pay
• Every time a victim pays, the malware creator gets funded
• Some of this money is reinvested, making ransomware smarter and more effective
• This is a vicious cycle
43. • Keeping in mind that prevention is better than cure:
• Install the latest updates
• Make offline backups of all your data
• And lastly, use your brain lol, don't just open every attachment you get