Thank you.

On Jun 23, 2017 7:27 PM, "Kurt Buff" <[email protected]> wrote:
> There are some scripts/services that can scan machines for infection:
>
> https://github.com/countercept/doublepulsar-detection-script <<< python script
> https://doublepulsar.below0day.com/ <<< scan public addresses from a web site, which seems to use the above script
>
> Kurt
>
>
> On Fri, Jun 23, 2017 at 3:44 PM, Richard Stovall <[email protected]> wrote:
> > What I want to know is how to find a machine already infected with double pulsar.
> >
> > On Jun 23, 2017 4:49 PM, "Kurt Buff" <[email protected]> wrote:
> >>
> >> I know that EternalBlue was fixed in the March round of patches, and my quick googling indicates that DoublePulsar was covered in MS17-010
> >>
> >> Kurt
> >>
> >> On Fri, Jun 23, 2017 at 12:43 PM, Ed Ziots <[email protected]> wrote:
> >> > You need to patch. I believe the 0-days are fixed in the last round of m$ patches
> >> >
> >> > On Jun 23, 2017 7:19 AM, "Kent, Larry J CTR USARMY 93 SIG BDE (US)" <[email protected]> wrote:
> >> >>
> >> >> CLASSIFICATION: UNCLASSIFIED
> >> >>
> >> >> Interesting article, but is there a fix for this?
> >> >>
> >> >> -----Original Message-----
> >> >> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
> >> >> Sent: Thursday, June 22, 2017 11:02 PM
> >> >> To: ntsysadm <[email protected]>
> >> >> Subject: [Non-DoD Source] [NTSysADM] Thank you, NSA...
> >> >>
> >> >> All active links contained in this email were disabled. Please verify the identity of the sender, and confirm the authenticity of all links contained within the message prior to copying and pasting the address to a Web browser.
> >> >>
> >> >> ----
> >> >>
> >> >> Caution-https://www.nytimes.com/2017/06/22/technology/ransomware-attack-nsa-cyberweapons.html
> >> >>
> >> >> A Cyberattack ‘the World Isn’t Ready For’
> >> >>
> >> >> NEWARK — There have been times over the last two months when Golan Ben-Oni has felt like a voice in the wilderness.
> >> >>
> >> >> On April 29, someone hit his employer, IDT Corporation, with two cyberweapons that had been stolen from the National Security Agency. Mr. Ben-Oni, the global chief information officer at IDT, was able to fend them off, but the attack left him distraught.
> >> >>
> >> >> In 22 years of dealing with hackers of every sort, he had never seen anything like it. Who was behind it? How did they evade all of his defenses? How many others had been attacked but did not know it?
> >> >>
> >> >> Since then, Mr. Ben-Oni has been sounding alarm bells, calling anyone who will listen at the White House, the Federal Bureau of Investigation, the New Jersey attorney general’s office and the top cybersecurity companies in the country to warn them about an attack that may still be invisibly striking victims undetected around the world.
> >> >>
> >> >> And he is determined to track down whoever did it.
> >> >>
> >> >> “I don’t pursue every attacker, just the ones that piss me off,” Mr. Ben-Oni told me recently over lentils in his office, which was strewn with empty Red Bull cans. “This pissed me off and, more importantly, it pissed my wife off, which is the real litmus test.”
> >> >>
> >> >> Two weeks after IDT was hit, the cyberattack known as WannaCry ravaged computers at hospitals in England, universities in China, rail systems in Germany, even auto plants in Japan. No doubt it was destructive. But what Mr. Ben-Oni had witnessed was much worse, and with all eyes on the WannaCry destruction, few seemed to be paying attention to the attack on IDT’s systems — and most likely others around the world.
> >> >>
> >> >> The strike on IDT, a conglomerate with headquarters in a nondescript gray building here with views of the Manhattan skyline 15 miles away, was similar to WannaCry in one way: Hackers locked up IDT data and demanded a ransom to unlock it.
> >> >>
> >> >> But the ransom demand was just a smoke screen for a far more invasive attack that stole employee credentials. With those credentials in hand, hackers could have run free through the company’s computer network, taking confidential information or destroying machines.
> >> >>
> >> >> Worse, the assault, which has never been reported before, was not spotted by some of the nation’s leading cybersecurity products, the top security engineers at its biggest tech companies, government intelligence analysts or the F.B.I., which remains consumed with the WannaCry attack.
> >> >>
> >> >> Were it not for a digital black box that recorded everything on IDT’s network, along with Mr. Ben-Oni’s tenacity, the attack might have gone unnoticed.
> >> >>
> >> >> Scans for the two hacking tools used against IDT indicate that the company is not alone. In fact, tens of thousands of computer systems all over the world have been “backdoored” by the same N.S.A. weapons. Mr. Ben-Oni and other security researchers worry that many of those other infected computers are connected to transportation networks, hospitals, water treatment plants and other utilities.
> >> >>
> >> >> An attack on those systems, they warn, could put lives at risk. And Mr. Ben-Oni, fortified with adrenaline, Red Bull and the house beats of Deadmau5, the Canadian record producer, said he would not stop until the attacks had been shut down and those responsible were behind bars.
> >> >>
> >> >> “The world is burning about WannaCry, but this is a nuclear bomb compared to WannaCry,” Mr. Ben-Oni said. “This is different. It’s a lot worse. It steals credentials. You can’t catch it, and it’s happening right under our noses.”
> >> >>
> >> >> And, he added, “The world isn’t ready for this.”
> >> >>
> >> >> Targeting the Nerve Center
> >> >>
> >> >> Mr. Ben-Oni, 43, a Hasidic Jew, is a slight man with smiling eyes, a thick beard and a hacker’s penchant for mischief. He grew up in the hills of Berkeley, Calif., the son of Israeli immigrants.
> >> >>
> >> >> Even as a toddler, Mr. Ben-Oni’s mother said, he was not interested in toys. She had to take him to the local junkyard to scour for typewriters that he would eventually dismantle on the living room floor. As a teenager, he aspired to become a rabbi but spent most of his free time hacking computers at the University of California, Berkeley, where his exploits once accidentally took down Belgium’s entire phone system for 15 minutes.
> >> >>
> >> >> To his parents’ horror, he dropped out of college to pursue his love of hacking full time, starting a security company to help the city of Berkeley and two nearby communities, Alameda and Novato, set up secure computer networks.
> >> >>
> >> >> He had a knack for the technical work, but not the marketing, and found it difficult to get new clients. So at age 19, he crossed the country and took a job at IDT, back when the company was a low-profile long-distance service provider.
> >> >>
> >> >> As IDT started acquiring and spinning off an eclectic list of ventures, Mr. Ben-Oni found himself responsible for securing shale oil projects in Mongolia and the Golan Heights, a “Star Trek” comic books company, a project to cure cancer, a yeshiva university that trains underprivileged students in cybersecurity, and a small mobile company that Verizon recently acquired for $3.1 billion.
> >> >>
> >> >> Which is to say he has encountered hundreds of thousands of hackers of every stripe, motivation and skill level. He eventually started a security business, IOSecurity, under IDT, to share some of the technical tools he had developed to keep IDT’s many businesses secure. By Mr. Ben-Oni’s estimate, IDT experiences hundreds of attacks a day on its businesses, but perhaps only four each year that give him pause.
> >> >>
> >> >> Nothing compared to the attack that struck in April. Like the WannaCry attack in May, the assault on IDT relied on cyberweapons developed by the N.S.A. that were leaked online in April by a mysterious group of hackers calling themselves the Shadow Brokers — alternately believed to be Russia-backed cybercriminals, an N.S.A. mole, or both.
> >> >>
> >> >> The WannaCry attack — which the N.S.A. and security researchers have tied to North Korea — employed one N.S.A. cyberweapon; the IDT assault used two.
> >> >>
> >> >> Both WannaCry and the IDT attack used a hacking tool the agency had code-named EternalBlue. The tool took advantage of unpatched Microsoft servers to automatically spread malware from one server to another, so that within 24 hours North Korea’s hackers had spread their ransomware to more than 200,000 servers around the globe.
> >> >>
> >> >> The attack on IDT went a step further with another stolen N.S.A. cyberweapon, called DoublePulsar. The N.S.A. used DoublePulsar to penetrate computer systems without tripping security alarms. It allowed N.S.A. spies to inject their tools into the nerve center of a target’s computer system, called the kernel, which manages communications between a computer’s hardware and its software.
> >> >>
> >> >> In the pecking order of a computer system, the kernel is at the very top, allowing anyone with secret access to it to take full control of a machine. It is also a dangerous blind spot for most security software, allowing attackers to do what they want and go unnoticed. In IDT’s case, attackers used DoublePulsar to steal an IDT contractor’s credentials. Then they deployed ransomware in what appears to be a cover for their real motive: broader access to IDT’s businesses.
> >> >>
> >> >> [Photo caption] The N.S.A. campus in Fort Meade, Md. Tens of thousands of computer systems, some of which could be connected to public utilities, have been “backdoored” using the agency’s stolen cyberweapons. Patrick Semansky/Associated Press
> >> >>
> >> >> Mr. Ben-Oni learned of the attack only when a contractor, working from home, switched on her computer to find that all her data had been encrypted and that attackers were demanding a ransom to unlock it. He might have assumed that this was a simple case of ransomware.
> >> >>
> >> >> But the attack struck Mr. Ben-Oni as unique. For one thing, it was timed perfectly to the Sabbath. Attackers entered IDT’s network at 6 p.m. on Saturday on the dot, two and a half hours before the Sabbath would end and when most of IDT’s employees — 40 percent of whom identify as Orthodox Jews — would be off the clock. For another, the attackers compromised the contractor’s computer through her home modem — strange.
> >> >>
> >> >> The black box of sorts, a network recording device made by the Israeli security company Secdo, shows that the ransomware was installed after the attackers had made off with the contractor’s credentials. And they managed to bypass every major security detection mechanism along the way. Finally, before they left, they encrypted her computer with ransomware, demanding $130 to unlock it, to cover up the more invasive attack on her computer.
> >> >>
> >> >> Mr. Ben-Oni estimates that he has spoken to 107 security experts and researchers about the attack, including the chief executives of nearly every major security company and the heads of threat intelligence at Google, Microsoft and Amazon.
> >> >>
> >> >> With the exception of Amazon, which found that some of its customers’ computers had been scanned by the same computer that hit IDT, no one had seen any trace of the attack before Mr. Ben-Oni notified them. The New York Times confirmed Mr. Ben-Oni’s account via written summaries provided by Palo Alto Networks, Intel’s McAfee and other security firms he used and asked to investigate the attack.
> >> >>
> >> >> “I started to get the sense that we were the canary,” he said. “But we recorded it.”
> >> >>
> >> >> Since IDT was hit, Mr. Ben-Oni has contacted everyone in his Rolodex to warn them of an attack that could still be worming its way, undetected, through victims’ systems.
> >> >>
> >> >> “Time is burning,” Mr. Ben-Oni said. “Understand, this is really a war — with offense on one side, and institutions, organizations and schools on the other, defending against an unknown adversary.”
> >> >>
> >> >> ‘No One Is Running Point’
> >> >>
> >> >> Since the Shadow Brokers leaked dozens of coveted attack tools in April, hospitals, schools, cities, police departments and companies around the world have largely been left to fend for themselves against weapons developed by the world’s most sophisticated attacker: the N.S.A.
> >> >>
> >> >> A month earlier, Microsoft had issued a software patch to defend against the N.S.A. hacking tools — suggesting that the agency tipped the company off to what was coming. Microsoft regularly credits those who point out vulnerabilities in its products, but in this case the company made no mention of the tipster. Later, when the WannaCry attack hit hundreds of thousands of Microsoft customers, Microsoft’s president, Brad Smith, slammed the government in a blog post for hoarding and stockpiling security vulnerabilities.
> >> >>
> >> >> For his part, Mr. Ben-Oni said he had rolled out Microsoft’s patches as soon as they became available, but attackers still managed to get in through the IDT contractor’s home modem.
> >> >>
> >> >> Six years ago, Mr. Ben-Oni had a chance meeting with an N.S.A. employee at a conference and asked him how to defend against modern-day cyberthreats. The N.S.A. employee advised him to “run three of everything”: three firewalls, three antivirus solutions, three intrusion detection systems. And so he did.
> >> >>
> >> >> But in this case, modern-day detection systems created by Cylance, McAfee and Microsoft and patching systems by Tanium did not catch the attack on IDT. Nor did any of the 128 publicly available threat intelligence feeds that IDT subscribes to. Even the 10 threat intelligence feeds that his organization spends a half-million dollars on annually for urgent information failed to report it. He has since threatened to return their products.
> >> >>
> >> >> “Our industry likes to work on known problems,” Mr. Ben-Oni said. “This is an unknown problem. We’re not ready for this.”
> >> >>
> >> >> No one he has spoken to knows whether they have been hit, but just this month, restaurants across the United States reported being hit with similar attacks that were undetected by antivirus systems. There are now YouTube videos showing criminals how to attack systems using the very same N.S.A. tools used against IDT, and Metasploit, an automated hacking tool, now allows anyone to carry out these attacks with the click of a button.
> >> >>
> >> >> Worse still, Mr. Ben-Oni said, “No one is running point on this.”
> >> >>
> >> >> Last month, he personally briefed the F.B.I. analyst in charge of investigating the WannaCry attack. He was told that the agency had been specifically tasked with WannaCry, and that even though the attack on his company was more invasive and sophisticated, it was still technically something else, and therefore the F.B.I. could not take on his case.
> >> >>
> >> >> The F.B.I. did not respond to requests for comment.
> >> >>
> >> >> So Mr. Ben-Oni has largely pursued the case himself. His team at IDT was able to trace part of the attack to a personal Android phone in Russia and has been feeding its findings to Europol, the European law enforcement agency based in The Hague.
> >> >>
> >> >> The chances that IDT was the only victim of this attack are slim. Sean Dillon, a senior analyst at RiskSense, a New Mexico security company, was among the first security researchers to scan the internet for the N.S.A.’s DoublePulsar tool. He found tens of thousands of host computers are infected with the tool, which attackers can use at will.
> >> >>
> >> >> “Once DoublePulsar is on the machine, there’s nothing stopping anyone else from coming along and using the back door,” Mr. Dillon said.
> >> >>
> >> >> More distressing, Mr. Dillon tested all the major antivirus products against the DoublePulsar infection and a demoralizing 99 percent failed to detect it.
> >> >>
> >> >> “We’ve seen the same computers infected with DoublePulsar for two months and there is no telling how much malware is on those systems,” Mr. Dillon said. “Right now we have no idea what’s gotten into these organizations.”
> >> >>
> >> >> In the worst case, Mr. Dillon said, attackers could use those back doors to unleash destructive malware into critical infrastructure, tying up rail systems, shutting down hospitals or even paralyzing electrical utilities.
> >> >>
> >> >> Could that attack be coming? The Shadow Brokers resurfaced last month, promising a fresh load of N.S.A. attack tools, even offering to supply them for monthly paying subscribers — like a wine-of-the-month club for cyberweapon enthusiasts.
> >> >>
> >> >> In a hint that the industry is taking the group’s threats seriously, Microsoft issued a new set of patches to defend against such attacks. The company noted in an ominously worded message that the patches were critical, citing an “elevated risk for destructive cyberattacks.”
> >> >>
> >> >> Mr. Ben-Oni is convinced that IDT is not the only victim, and that these tools can and will be used to do far worse.
> >> >>
> >> >> “I look at this as a life-or-death situation,” he said. “Today it’s us, but tomorrow it might be someone else.”
> >> >>
> >> >>
> >> >> CLASSIFICATION: UNCLASSIFIED
> >> >
> >>
> >
>
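Added example for the detection question raised in the thread (this is my code, not the countercept script and not anything from the article). The linked script works by negotiating an SMBv1 null session to TCP/445, connecting to IPC$ and sending a Trans2 request with subcommand SESSION_SETUP (0x000E) and Multiplex ID 0x41; a plain SMBv1 server echoes 0x41 in its reply, while a host carrying the DoublePulsar SMB implant answers with Multiplex ID 0x51. The code below does the response side of that check: it parses a NetBIOS-framed SMBv1 header, classifies the reply by command and MID, and derives the implant's XOR key from the 8-byte Signature field using the relation published with the countercept script (reproduced from that script as an assumption, not independently derived). The packet builder, the sample responses and the host addresses are constructed for the example. Two caveats a scanner should keep in mind: the implant lives only in memory, so a reboot clears it, and a 0x41 answer says nothing about whether MS17-010 has been installed.

```python
"""Classify SMBv1 Trans2 responses for the DoublePulsar SMB implant "ping" signature.

Added example for this thread, not the countercept script itself. Assumes the
publicly documented behaviour: a normal SMBv1 server echoes the scanner's
Multiplex ID (0x41) in its Trans2 SESSION_SETUP reply; the implant answers 0x51.
"""
import struct

SMB_MAGIC = b"\xffSMB"
SMB_COM_TRANSACTION2 = 0x32
MID_SENT_BY_SCANNER = 0x41   # MID placed in the Trans2 SESSION_SETUP ping
MID_DOUBLEPULSAR = 0x51      # MID the implant substitutes in its reply

# Fixed SMBv1 header fields after the 4-byte magic; 4-byte NetBIOS frame in front.
SMB1_HEADER_FMT = "<BIBHH8sHHHHH"
SMB1_HEADER_LEN = 4 + 32


def smb1_packet(command, mid, signature=b"\x00" * 8, tid=0, uid=0, body=b""):
    """Build a NetBIOS-framed SMBv1 packet. Used here only to construct sample
    replies; the flag values are typical server-reply flags."""
    header = SMB_MAGIC + struct.pack(
        SMB1_HEADER_FMT,
        command,      # Command
        0,            # NT Status: STATUS_SUCCESS
        0x98,         # Flags: reply, case-insensitive, canonical paths
        0xC807,       # Flags2: unicode, NT status codes, long names
        0,            # PID high
        signature,    # SecuritySignature (8 bytes); the implant puts key material here
        0,            # Reserved
        tid, 0xFEFF, uid, mid,   # TID, PID, UID, MID
    )
    smb = header + body
    return struct.pack(">I", len(smb)) + smb   # 0x00 message type + 3-byte length


def parse_smb1_header(packet):
    """Return the SMBv1 header fields of a NetBIOS-framed packet as a dict."""
    if len(packet) < SMB1_HEADER_LEN:
        raise ValueError("short packet (%d bytes)" % len(packet))
    smb = packet[4:SMB1_HEADER_LEN]
    if smb[:4] != SMB_MAGIC:
        raise ValueError("not an SMBv1 header")
    (command, status, flags, flags2, _pid_high, signature,
     _reserved, tid, pid, uid, mid) = struct.unpack(SMB1_HEADER_FMT, smb[4:])
    return {"command": command, "status": status, "flags": flags,
            "flags2": flags2, "signature": signature, "tid": tid,
            "pid": pid, "uid": uid, "mid": mid}


def doublepulsar_xor_key(signature):
    """Derive the implant's 32-bit XOR key from the 8-byte Signature field.
    Relation as published with the countercept script (assumed, not re-derived)."""
    s = struct.unpack("<Q", signature)[0]
    x = 2 * s ^ (((s & 0xFF00 | (s << 16)) << 8) | (((s >> 16) | s & 0xFF0000) >> 8))
    return x & 0xFFFFFFFF


def classify_trans2_response(packet):
    """Classify one reply to the Trans2 SESSION_SETUP ping."""
    hdr = parse_smb1_header(packet)
    if hdr["command"] != SMB_COM_TRANSACTION2:
        return {"verdict": "not-trans2", "mid": hdr["mid"]}
    if hdr["mid"] == MID_DOUBLEPULSAR:
        return {"verdict": "doublepulsar", "mid": hdr["mid"],
                "xor_key": doublepulsar_xor_key(hdr["signature"])}
    if hdr["mid"] == MID_SENT_BY_SCANNER:
        return {"verdict": "clean", "mid": hdr["mid"]}
    return {"verdict": "unexpected-mid", "mid": hdr["mid"]}


def scan_responses(responses):
    """Apply the check to {host: reply bytes}; return {host: xor_key} for flagged hosts."""
    flagged = {}
    for host, packet in responses.items():
        try:
            result = classify_trans2_response(packet)
        except ValueError:
            continue   # truncated or non-SMB reply: not evidence either way
        if result["verdict"] == "doublepulsar":
            flagged[host] = result["xor_key"]
    return flagged


# Constructed sample replies (not captured traffic); addresses are placeholders.
SAMPLE_RESPONSES = {
    "10.0.0.5": smb1_packet(SMB_COM_TRANSACTION2, MID_SENT_BY_SCANNER, tid=0x800, uid=0x800),
    "10.0.0.9": smb1_packet(SMB_COM_TRANSACTION2, MID_DOUBLEPULSAR,
                            signature=b"\x01" + b"\x00" * 7, tid=0x800, uid=0x800),
    "10.0.0.12": smb1_packet(0x73, MID_SENT_BY_SCANNER),   # Session Setup AndX, not Trans2
}

if __name__ == "__main__":
    for host, key in scan_responses(SAMPLE_RESPONSES).items():
        print("%s: DOUBLEPULSAR SMB implant detected, XOR key 0x%08x" % (host, key))
```

To use it on a live scan, feed `scan_responses` the bytes each host returns to the Trans2 SESSION_SETUP ping (or the same replies pulled from a capture of your own scanner's traffic). The parse step deliberately rejects anything shorter than a full header or not starting with the SMBv1 magic, since a closed port, an SMB2-only host or a reset gives no verdict at all.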

