NHS computer systems hacked!?

They should definitely be closed by default. But they might have been opened to facilitate any SMB usage, which is of course possible but I cannot believe that the rules would be so lax as to not filter for specific IP addresses for the port access. That's just asking for something like this to happen. Most system admins are of the belief that it'd never happen to them though. Honestly, if that's how this has happened, people in charge of the infrastructure need to be held accountable. I've done some reading on the ransomware and I cannot imagine it will have been able to spread the way that it has without the firewall ports being vulnerable in the first instance.

Years ago there was a similar issue with the Windows Messaging service, which had ports open by default in every router. Fortunately the extent of this was simply annoying pop up messages that you'd get in Windows. Then there was the Sasser worm which affected lsass.exe which also behaved in a similar manner. This reminds me of having to deal with those back in the day!

500,000 currently open according to this chap:



What I cannot get over is 7 years ago.

https://isc.sans.edu/forums/diary/Cyber+Security+Awareness+Month+Day+1+Port+445+SMB+over+TCP/7210/
 
would most likely have been another infection method, i.e. email, internet link or compromised device/storage.

edit: from MS technet

"We haven’t found evidence of the exact initial entry vector used by this threat, but there are two scenarios we believe are highly possible for this ransomware family:

  • Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit
  • Infection through SMB exploit when an unpatched computer can be addressed in other infected machines"

So essentially, one PC in each organisation has been infected manually by someone being silly, and then all the internal PCs have been exploited using the vulnerability in SMB. That's way more effective than the other CryptoLocker variants exploiting file shares. Although it doesn't explain how the smaller GPs within the trusts of the NHS were infected as well. I can't believe that every single one of these had a member of staff that was silly enough to open an email. It had to have circumvented firewalls too!
 
would most likely have been another infection method, i.e. email, internet link or compromised device/storage.

edit: from MS technet

"We haven’t found evidence of the exact initial entry vector used by this threat, but there are two scenarios we believe are highly possible for this ransomware family:

  • Arrival through social engineering emails designed to trick users to run the malware and activate the worm-spreading functionality with the SMB exploit
  • Infection through SMB exploit when an unpatched computer can be addressed in other infected machines"

I'm starting to really doubt this - unless the infection had sat dormant, maybe inside another wrapper/package, for a few weeks somehow undetected on many corporate networks waiting for a trigger after getting in through infected attachments - or there is some other widely open or much deeper vulnerability that is far worse than has been admitted or something else going on.

It's possible it was the recent vulnerability discovered with scanning attachments, but I'm starting to think that maybe the Intel AMT vulnerabilities are far bigger than has been admitted, and if so things are about to get really ugly.
 
I'm starting to really doubt this - unless the infection had sat dormant, maybe inside another wrapper/package, for a few weeks somehow undetected on many corporate networks waiting for a trigger after getting in through infected attachments - or there is some other widely open or much deeper vulnerability that is far worse than has been admitted or something else going on.
Like I said before, I personally believe it was a time bomb that had an earlier infection date.

I mean, look at some of the interactive infection maps for the 24 hours, way too organised imo.

I reckon at least 1 machine per organisation was infected at some point in the past and something triggered it Friday. The NHS had more of an issue because of the nationwide interconnected sites.

Just my personal opinion and speculation though.
 
I'm starting to really doubt this - unless the infection had sat dormant, maybe inside another wrapper/package, for a few weeks somehow undetected on many corporate networks waiting for a trigger after getting in through infected attachments - or there is some other widely open or much deeper vulnerability that is far worse than has been admitted or something else going on.

It's possible it was the recent vulnerability discovered with scanning attachments, but I'm starting to think that maybe the Intel AMT vulnerabilities are far bigger than has been admitted, and if so things are about to get really ugly.
It does come across to me like that.
 
I'm starting to really doubt this - unless the infection had sat dormant, maybe inside another wrapper/package, for a few weeks somehow undetected on many corporate networks waiting for a trigger after getting in through infected attachments - or there is some other widely open or much deeper vulnerability that is far worse than has been admitted or something else going on.

It's possible it was the recent vulnerability discovered with scanning attachments, but I'm starting to think that maybe the Intel AMT vulnerabilities are far bigger than has been admitted, and if so things are about to get really ugly.

Well the trigger is that domain not being there anymore. But how that would work I couldn't say. I didn't think you could just get rid of a domain overnight.
 
You've understood the domain kill switch incorrectly - the domain existing prevents the malware from doing anything when it is executed. It wasn't registered until a researcher registered it to see what sort of requests were being made to it.
 
Well the trigger is that domain not being there anymore. But how that would work I couldn't say. I didn't think you could just get rid of a domain overnight.

As caged says, it seems the other way around - it was a poor attempt by whoever packaged it up to detect if someone was trying to analyse it, or maybe a failsafe for their own testing to prevent them accidentally infecting themselves, and someone registering that domain has for now temporarily stalled the payload (the infection is still there).
 
You've understood the domain kill switch incorrectly - the domain existing prevents the malware from doing anything when it is executed. It wasn't registered until a researcher registered it to see what sort of requests were being made to it.

This is what I read:

Dropper

The threat arrives as a dropper Trojan that has the following two components:

a. A component that tries to exploit the SMB EternalBlue vulnerability in other computers
b. Ransomware known as WannaCrypt

The dropper tries to connect the following domain using the API InternetOpenUrlA():

hxxp://www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

If connection is successful, the threat does not infect the system further with ransomware or try to exploit other systems to spread; it simply stops execution. However, if the connection fails, the dropper proceeds to drop the ransomware and creates a service on the system.

In other words, blocking the domain with firewall either at ISP or enterprise network level will cause the ransomware to continue spreading and encrypting files.

That specifically states that if it can connect to this domain, it stops execution, doesn't spread and does nothing. That to me indicates that when this domain is no longer there, every machine that has this dropper on can then call itself to action, infecting everything. The fact that the domain was there to be registered the other day suggested to me that it had done its job.
 
That specifically states that if it can connect to this domain, it stops execution, doesn't spread and does nothing. That to me indicates that when this domain is no longer there, every machine that has this dropper on can then call itself to action, infecting everything. The fact that the domain was there to be registered the other day suggested to me that it had done its job.

It's possible, but I don't think there are any domain records for iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com before the malwaretech guy registered it. Date of first creation shows 12th May 2017.
 
To clarify, I wasn't saying the domain not being available triggered the rollout to machines. I was saying it triggered the encryption and propagation across networks to then cause large scale system issues.
 
It's a kill switch, not some sort of activation signal. You can't unregister a domain.

Well something sure as hell was an activation signal because everything went wrong at the same time for many networks across the world. Hence the thought that the domain had something to do with it as a trigger. I find it really hard to believe that the dropper wasn't already on machines for a while prior to this happening. If that wasn't the case, then it had to have been a massive botnet broadcast targeting specific IP ranges and the SMB ports on these IP ranges.

Whatever happened, we don't have anywhere near the full story yet and that's quite scary tbh.
 
Cisco (http://blog.talosintelligence.com/2017/05/wannacry.html) didn't see DNS queries to the domain until Friday, so if it was sitting dormant and waiting to launch it wasn't using the domain to do so.

The domain history only has 2 entries - both which are more recent than the first sighting of the malware - so even though potentially it could be used as a trigger it isn't the case this time.
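The dropper description quoted earlier in the thread (connect to the kill-switch domain; stop if it answers, otherwise drop the ransomware) and the Talos observation above (no DNS queries for the domain before Friday) both point at the same defender-side check: any internal host that resolved that domain ran the dropper, whichever branch it then took, and the time of the first lookup tells you whether anything was calling home before the outbreak. The script below is an added example written for this thread, not code from the thread, from Microsoft or from Talos. It assumes a BIND-style resolver query log layout (the regex is the assumption to adjust for your own resolver) and the log lines, client IPs and timestamps are constructed for the example; only the domain name is the one quoted in the thread.

```python
import re

# Kill-switch domain named in the thread. The dropper resolves and connects to it
# before deciding whether to run, so a lookup from an internal host means the
# dropper executed there, not that the host is safe.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# BIND-style query log layout assumed for this example (adjust for your resolver):
#   <date> <time> client <ip>#<port> (<qname>): query: <qname> IN <type> ...
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
    r"query: (?P<name>\S+) IN (?P<qtype>\S+)"
)


def normalize(name):
    """Lower-case and strip the trailing dot so FQDN variants compare equal."""
    return name.rstrip(".").lower()


def find_killswitch_lookups(lines, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: {"count": n, "first_seen": ts}} for every client that
    resolved the kill-switch domain or any name under it (e.g. the www host)."""
    target = normalize(domain)
    hits = {}
    for line in lines:
        m = QUERY_RE.match(line)
        if not m:
            continue  # not a query record (zone loads, errors, ...); skip it
        name = normalize(m.group("name"))
        if name != target and not name.endswith("." + target):
            continue
        ip = m.group("ip")
        # First matching line for a client fixes its first_seen timestamp.
        entry = hits.setdefault(ip, {"count": 0, "first_seen": m.group("ts")})
        entry["count"] += 1
    return hits


# Constructed sample log lines (not real data): one host queries the domain
# twice, one host queries it with different letter case and a trailing dot,
# one host looks up an unrelated name, and one line is not a query record.
SAMPLE_LOG = [
    "12-May-2017 10:03:17.201 client 10.20.30.41#51234 (www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com): query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.20.30.1)",
    "12-May-2017 10:03:18.004 client 10.20.30.77#40021 (www.example.org): query: www.example.org IN A + (10.20.30.1)",
    "12-May-2017 10:05:42.993 client 10.20.30.41#51300 (www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com): query: www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.20.30.1)",
    "12-May-2017 10:09:00.120 client 10.20.30.88#60110 (IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM.): query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A + (10.20.30.1)",
    "12-May-2017 10:09:01.000 zone example.org/IN: loaded serial 2017051201",
]

if __name__ == "__main__":
    for ip, info in sorted(find_killswitch_lookups(SAMPLE_LOG).items()):
        print(f"{ip}: {info['count']} lookup(s), first seen {info['first_seen']}")
```

The output is a triage list of hosts to isolate and image, ordered by when they first touched the domain; run it over logs from before the outbreak date and an empty result is the same evidence Talos reported. It is deliberately a detection, not a block: as the Microsoft text quoted in the thread says, blocking the domain at the firewall makes the dropper take the "connection failed" branch and encrypt.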
 
Here's the scenario that I immediately envisaged when I read mention of the domain kill switch. I've never considered the killswitch as being there to stop the malware later. I've always seen it as being there to initiate the payload:

The hacker group responsible for this malware registers the domain for a year lease. Throughout this year, the malware dropper package is slowly but surely distributed throughout systems across the world via email and other drive-by attacks via websites. Because it exploits SMB and is a simple program in itself, it goes undetected, and all it needs is a single person within each organisation to infect one machine accidentally for it to then have the ability to attack all other computers on the network that are vulnerable to the SMB exploit. After all, there are reports that EternalBlue has been known about for a long while now, but not to the knowledge of MS. They only became aware of this issue in March 2017.

All this time, the malware is monitoring for the domain, and then eventually this domain is no longer registered and it disappears off of the Internet, and the malware kicks itself into action at this point. I initially thought that this was Friday. When this happens, the payload is delivered, huge amounts of systems are encrypted because they've all been compromised silently by the dropper, and we're where we are today.

Sure, it may seem a far-fetched idea but crazier things have happened.
 
All it takes is for the same thing to happen again with an unregistered domain, and rinse and repeat, it will keep finding insecure systems.
 
You keep saying that, but it's incorrect.

I'm aware I keep saying it because I said it. I was explaining my initial thinking because it made me wonder why there's a kill switch in the first place. Don't you question why it's there? If not using it as a trigger, what use is it to the creators? And how do you know what I'm saying is incorrect? Do you have some intimate knowledge of this malware that we aren't being told about? Nobody discussing it seems to know an awful lot about how it got started so who can say anything for sure? We're all just speculating here and I'm providing my thought process for others to see here. You just keep posting back saying how wrong I am when, to be fair, how can you honestly know one way or the other? As I said, so far we're just speculating, and to a large degree from the reporting and coverage I've seen so far, so are the experts.
 