I don't know. I haven't done the research.

On Fri, Jun 23, 2017 at 4:13 AM, Kent, Larry J CTR USARMY 93 SIG BDE
(US) <[email protected]> wrote:
> CLASSIFICATION: UNCLASSIFIED
>
> Interesting article, but is there a fix for this?
>
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] 
> On Behalf Of Kurt Buff
> Sent: Thursday, June 22, 2017 11:02 PM
> To: ntsysadm <[email protected]>
> Subject: [Non-DoD Source] [NTSysADM] Thank you, NSA...
>
> All active links contained in this email were disabled.  Please verify the 
> identity of the sender, and confirm the authenticity of all links contained 
> within the message prior to copying and pasting the address to a Web browser.
>
> ----
>
> Caution-https://www.nytimes.com/2017/06/22/technology/ransomware-attack-nsa-cyberweapons.html
>
> A Cyberattack ‘the World Isn’t Ready For’
>
> NEWARK — There have been times over the last two months when Golan Ben-Oni 
> has felt like a voice in the wilderness.
>
> On April 29, someone hit his employer, IDT Corporation, with two cyberweapons 
> that had been stolen from the National Security Agency.
> Mr. Ben-Oni, the global chief information officer at IDT, was able to fend 
> them off, but the attack left him distraught.
>
> In 22 years of dealing with hackers of every sort, he had never seen anything 
> like it. Who was behind it? How did they evade all of his defenses? How many 
> others had been attacked but did not know it?
>
> Since then, Mr. Ben-Oni has been sounding alarm bells, calling anyone who 
> will listen at the White House, the Federal Bureau of Investigation, the New 
> Jersey attorney general’s office and the top cybersecurity companies in the 
> country to warn them about an attack that may still be invisibly striking 
> victims undetected around the world.
>
> And he is determined to track down whoever did it.
>
> “I don’t pursue every attacker, just the ones that piss me off,” Mr.
> Ben-Oni told me recently over lentils in his office, which was strewn with 
> empty Red Bull cans. “This pissed me off and, more importantly, it pissed my 
> wife off, which is the real litmus test.”
>
> Two weeks after IDT was hit, the cyberattack known as WannaCry ravaged 
> computers at hospitals in England, universities in China, rail systems in 
> Germany, even auto plants in Japan. No doubt it was destructive.
> But what Mr. Ben-Oni had witnessed was much worse, and with all eyes on the 
> WannaCry destruction, few seemed to be paying attention to the attack on 
> IDT’s systems — and most likely others around the world.
>
> The strike on IDT, a conglomerate with headquarters in a nondescript gray 
> building here with views of the Manhattan skyline 15 miles away, was similar 
> to WannaCry in one way: Hackers locked up IDT data and demanded a ransom to 
> unlock it.
>
> But the ransom demand was just a smoke screen for a far more invasive attack 
> that stole employee credentials. With those credentials in hand, hackers 
> could have run free through the company’s computer network, taking 
> confidential information or destroying machines.
>
> Worse, the assault, which has never been reported before, was not spotted by 
> some of the nation’s leading cybersecurity products, the top security 
> engineers at its biggest tech companies, government intelligence analysts or 
> the F.B.I., which remains consumed with the WannaCry attack.
>
> Were it not for a digital black box that recorded everything on IDT’s 
> network, along with Mr. Ben-Oni’s tenacity, the attack might have gone 
> unnoticed.
>
> Scans for the two hacking tools used against IDT indicate that the company is 
> not alone. In fact, tens of thousands of computer systems all over the world 
> have been “backdoored” by the same N.S.A. weapons.
> Mr. Ben-Oni and other security researchers worry that many of those other 
> infected computers are connected to transportation networks, hospitals, water 
> treatment plants and other utilities.
>
> An attack on those systems, they warn, could put lives at risk. And Mr. 
> Ben-Oni, fortified with adrenaline, Red Bull and the house beats of Deadmau5, 
> the Canadian record producer, said he would not stop until the attacks had 
> been shut down and those responsible were behind bars.
>
> “The world is burning about WannaCry, but this is a nuclear bomb compared to 
> WannaCry,” Mr. Ben-Oni said. “This is different. It’s a lot worse. It steals 
> credentials. You can’t catch it, and it’s happening right under our noses.”
>
> And, he added, “The world isn’t ready for this.”
>
> Targeting the Nerve Center
>
> Mr. Ben-Oni, 43, a Hasidic Jew, is a slight man with smiling eyes, a thick 
> beard and a hacker’s penchant for mischief. He grew up in the hills of 
> Berkeley, Calif., the son of Israeli immigrants.
>
> Even as a toddler, Mr. Ben-Oni’s mother said, he was not interested in toys. 
> She had to take him to the local junkyard to scour for typewriters that he 
> would eventually dismantle on the living room floor. As a teenager, he 
> aspired to become a rabbi but spent most of his free time hacking computers 
> at the University of California, Berkeley, where his exploits once 
> accidentally took down Belgium’s entire phone system for 15 minutes.
>
> To his parents’ horror, he dropped out of college to pursue his love of 
> hacking full time, starting a security company to help the city of Berkeley 
> and two nearby communities, Alameda and Novato, set up secure computer 
> networks.
>
> He had a knack for the technical work, but not the marketing, and found it 
> difficult to get new clients. So at age 19, he crossed the country and took a 
> job at IDT, back when the company was a low-profile long-distance service 
> provider.
>
> As IDT started acquiring and spinning off an eclectic list of ventures, Mr. 
> Ben-Oni found himself responsible for securing shale oil projects in Mongolia 
> and the Golan Heights, a “Star Trek” comic books company, a project to cure 
> cancer, a yeshiva university that trains underprivileged students in 
> cybersecurity, and a small mobile company that Verizon recently acquired for 
> $3.1 billion.
>
> Which is to say he has encountered hundreds of thousands of hackers of every 
> stripe, motivation and skill level. He eventually started a security 
> business, IOSecurity, under IDT, to share some of the technical tools he had 
> developed to keep IDT’s many businesses secure.
> By Mr. Ben-Oni’s estimate, IDT experiences hundreds of attacks a day on its 
> businesses, but perhaps only four each year that give him pause.
>
> Nothing compared to the attack that struck in April. Like the WannaCry attack 
> in May, the assault on IDT relied on cyberweapons developed by the N.S.A. 
> that were leaked online in April by a mysterious group of hackers calling 
> themselves the Shadow Brokers — alternately believed to be Russia-backed 
> cybercriminals, an N.S.A. mole, or both.
>
> The WannaCry attack — which the N.S.A. and security researchers have tied to 
> North Korea — employed one N.S.A. cyberweapon; the IDT assault used two.
>
> Both WannaCry and the IDT attack used a hacking tool the agency had 
> code-named EternalBlue. The tool took advantage of unpatched Microsoft 
> servers to automatically spread malware from one server to another, so that 
> within 24 hours North Korea’s hackers had spread their ransomware to more 
> than 200,000 servers around the globe.
>
> The attack on IDT went a step further with another stolen N.S.A.
> cyberweapon, called DoublePulsar. The N.S.A. used DoublePulsar to penetrate 
> computer systems without tripping security alarms. It allowed N.S.A. spies to 
> inject their tools into the nerve center of a target’s computer system, 
> called the kernel, which manages communications between a computer’s hardware 
> and its software.
>
> In the pecking order of a computer system, the kernel is at the very top, 
> allowing anyone with secret access to it to take full control of a machine. 
> It is also a dangerous blind spot for most security software, allowing 
> attackers to do what they want and go unnoticed. In IDT’s case, attackers 
> used DoublePulsar to steal an IDT contractor’s credentials. Then they 
> deployed ransomware in what appears to be a cover for their real motive: 
> broader access to IDT’s businesses.
>
> [Photo caption: The N.S.A. campus in Fort Meade, Md. Tens of thousands of computer systems, 
> some of which could be connected to public utilities, have been “backdoored” 
> using the agency’s stolen cyberweapons. Patrick Semansky/Associated Press]
>
> Mr. Ben-Oni learned of the attack only when a contractor, working from home, 
> switched on her computer to find that all her data had been encrypted and 
> that attackers were demanding a ransom to unlock it. He might have assumed 
> that this was a simple case of ransomware.
>
> But the attack struck Mr. Ben-Oni as unique. For one thing, it was timed 
> perfectly to the Sabbath. Attackers entered IDT’s network at 6 p.m. on 
> Saturday on the dot, two and a half hours before the Sabbath would end and 
> when most of IDT’s employees — 40 percent of whom identify as Orthodox Jews — 
> would be off the clock. For another, the attackers compromised the 
> contractor’s computer through her home modem — strange.
>
> The black box of sorts, a network recording device made by the Israeli 
> security company Secdo, shows that the ransomware was installed after the 
> attackers had made off with the contractor’s credentials. And they managed to 
> bypass every major security detection mechanism along the way. Finally, 
> before they left, they encrypted her computer with ransomware, demanding $130 
> to unlock it, to cover up the more invasive attack on her computer.
>
> Mr. Ben-Oni estimates that he has spoken to 107 security experts and 
> researchers about the attack, including the chief executives of nearly every 
> major security company and the heads of threat intelligence at Google, 
> Microsoft and Amazon.
>
> With the exception of Amazon, which found that some of its customers’
> computers had been scanned by the same computer that hit IDT, no one had seen 
> any trace of the attack before Mr. Ben-Oni notified them. The New York Times 
> confirmed Mr. Ben-Oni’s account via written summaries provided by Palo Alto 
> Networks, Intel’s McAfee and other security firms he used and asked to 
> investigate the attack.
>
> “I started to get the sense that we were the canary,” he said. “But we 
> recorded it.”
>
> Since IDT was hit, Mr. Ben-Oni has contacted everyone in his Rolodex to warn 
> them of an attack that could still be worming its way, undetected, through 
> victims’ systems.
>
> “Time is burning,” Mr. Ben-Oni said. “Understand, this is really a war — with 
> offense on one side, and institutions, organizations and schools on the 
> other, defending against an unknown adversary.”
>
> ‘No One Is Running Point’
>
> Since the Shadow Brokers leaked dozens of coveted attack tools in April, 
> hospitals, schools, cities, police departments and companies around the world 
> have largely been left to fend for themselves against weapons developed by 
> the world’s most sophisticated attacker: the N.S.A.
>
> A month earlier, Microsoft had issued a software patch to defend against the 
> N.S.A. hacking tools — suggesting that the agency tipped the company off to 
> what was coming. Microsoft regularly credits those who point out 
> vulnerabilities in its products, but in this case the company made no mention 
> of the tipster. Later, when the WannaCry attack hit hundreds of thousands of 
> Microsoft customers, Microsoft’s president, Brad Smith, slammed the 
> government in a blog post for hoarding and stockpiling security 
> vulnerabilities.
>
> For his part, Mr. Ben-Oni said he had rolled out Microsoft’s patches as soon 
> as they became available, but attackers still managed to get in through the 
> IDT contractor’s home modem.
>
> Six years ago, Mr. Ben-Oni had a chance meeting with an N.S.A.
> employee at a conference and asked him how to defend against modern-day 
> cyberthreats. The N.S.A. employee advised him to “run three of everything”: 
> three firewalls, three antivirus solutions, three intrusion detection 
> systems. And so he did.
>
> But in this case, modern-day detection systems created by Cylance, McAfee and 
> Microsoft and patching systems by Tanium did not catch the attack on IDT. Nor 
> did any of the 128 publicly available threat intelligence feeds that IDT 
> subscribes to. Even the 10 threat intelligence feeds that his organization 
> spends a half-million dollars on annually for urgent information failed to 
> report it. He has since threatened to return their products.
>
> “Our industry likes to work on known problems,” Mr. Ben-Oni said.
> “This is an unknown problem. We’re not ready for this.”
>
> No one he has spoken to knows whether they have been hit, but just this 
> month, restaurants across the United States reported being hit with similar 
> attacks that were undetected by antivirus systems. There are now YouTube 
> videos showing criminals how to attack systems using the very same N.S.A. 
> tools used against IDT, and Metasploit, an automated hacking tool, now allows 
> anyone to carry out these attacks with the click of a button.
>
> Worse still, Mr. Ben-Oni said, “No one is running point on this.”
>
> Last month, he personally briefed the F.B.I. analyst in charge of 
> investigating the WannaCry attack. He was told that the agency had been 
> specifically tasked with WannaCry, and that even though the attack on his 
> company was more invasive and sophisticated, it was still technically 
> something else, and therefore the F.B.I. could not take on his case.
>
> The F.B.I. did not respond to requests for comment.
>
> So Mr. Ben-Oni has largely pursued the case himself. His team at IDT was able 
> to trace part of the attack to a personal Android phone in Russia and has 
> been feeding its findings to Europol, the European law enforcement agency 
> based in The Hague.
>
> The chances that IDT was the only victim of this attack are slim. Sean 
> Dillon, a senior analyst at RiskSense, a New Mexico security company, was 
> among the first security researchers to scan the internet for the N.S.A.’s 
> DoublePulsar tool. He found tens of thousands of host computers are infected 
> with the tool, which attackers can use at will.
>
> “Once DoublePulsar is on the machine, there’s nothing stopping anyone else 
> from coming along and using the back door,” Mr. Dillon said.
>
> More distressing, Mr. Dillon tested all the major antivirus products against 
> the DoublePulsar infection and a demoralizing 99 percent failed to detect it.
>
> “We’ve seen the same computers infected with DoublePulsar for two months and 
> there is no telling how much malware is on those systems,”
> Mr. Dillon said. “Right now we have no idea what’s gotten into these 
> organizations.”
>
> In the worst case, Mr. Dillon said, attackers could use those back doors to 
> unleash destructive malware into critical infrastructure, tying up rail 
> systems, shutting down hospitals or even paralyzing electrical utilities.
>
> Could that attack be coming? The Shadow Brokers resurfaced last month, 
> promising a fresh load of N.S.A. attack tools, even offering to supply them 
> for monthly paying subscribers — like a wine-of-the-month club for 
> cyberweapon enthusiasts.
>
> In a hint that the industry is taking the group’s threats seriously, 
> Microsoft issued a new set of patches to defend against such attacks.
> The company noted in an ominously worded message that the patches were 
> critical, citing an “elevated risk for destructive cyberattacks.”
>
> Mr. Ben-Oni is convinced that IDT is not the only victim, and that these 
> tools can and will be used to do far worse.
>
> “I look at this as a life-or-death situation,” he said. “Today it’s us, but 
> tomorrow it might be someone else.”
>
>
> CLASSIFICATION: UNCLASSIFIED

