Two Weeks Before WannaCry: Surviving a Zero-Day Ransomware Attack

Written by

While the world focused on the WannaCry ransomware outbreak on Friday May 12, two weeks previous a New Jersey company had experienced the full force of the exploits seized from the NSA by the Shadow Brokers.

Golan Ben-Oni is CIO of IDT Corp, who he told Infosecurity is in “five or six major verticals so we are targeted more than others”. However, the typical type of attack that the company faces took a new turn on April 29 when a contractor PC was hit by a ransomware attack.

“We got a call from our SOC alerting us to some new ransomware and this was a rare occurrence, because we invested time and technology into our environment to be as secure as we could be,” he said. “So when we were hit with ransomware, I almost didn’t believe it and assumed our system had not been loaded with security packages.”

Golan Ben-Oni
Golan Ben-Oni

An investigation using Secdo technology enabled Ben-Oni to discover the source of the infection – an external contractor PC which had not applied the MS17-010 patch that had been issued by Microsoft earlier in the year. Claiming that IDT Corp used around six endpoint tools, once Ben-Oni was able to determine the type of attack, he asked partners and vendors if anything similar had been detected. 

“What we discovered that was unique was that it was made of two NSA exploit tools (EternalBlue and DoublePulsar) and this was very quickly after Shadow Brokers released them, we’re talking a week or two afterwards. The attacker also understood how to weaponize them, and what we saw was never seen before and it took time to understand what happened.”

Ben-Oni was keen to stress that the contractor was working remotely and the attack was launched on the Friday, at the beginning of the Jewish Sabbath so she would not be working until sundown on the Saturday. The EternalBlue exploit exploited Microsoft Server Message Block 1.0 which allows applications to read and write to files, and to request services which are on the same network. Ben-Oni said that the exploit allowed re-provisioning, and after access dropped not only was the contractor’s local computer compromised, so was her iPhone. 

“The attacker used EternalBlue to authenticate into the system and that exploit allowed non-credential access to machines, and that was the exploit over port 445”, he said. 

He went on to explain that DoublePulsar allowed an attacker to ‘hollow out’ a process, steal credentials and load the module into the memory to steal credentials, and it could steal any browser credentials that may have been cached, and then get out via an encrypted pathway. 

After the credentials were stolen, the attackers then attempted to move laterally using those credentials.

“The initial exploit was done on a machine that was not patched, but once you have the credentials you can hop from system to system and make use of the same NSA exploit tool – and that is what we saw with NotPetya,” he explained. “We were also very fortunate that there was nowhere for the attacker to go as the computer was segmented, and we saw attempts to move as none of other systems were reachable.”

After this, the attacker attempted to ‘burn the evidence’, and again using the Secdo tool they were able to detect this and what had been done so far. “Without Secdo we wouldn't know whether we needed to pay or not, and move on. We could share back with industry, and what we wanted to know is if anyone had seen anything similar in the industry, so they could tune their products.”

As well as being a fascinating story, the one thing that stuck in my mind was whether Ben-Oni felt that this was deliberately targeted? He said that while he does not like the term APT, he felt that the timing and particular target of the attack was deliberate, as “she works on a product that generates on billion dollar revenue, so they found a good target!” He also believed that the attacker’s capability to reverse engineer the NSA exploits very quickly shows that this was done by a sophisticated group, and would suggest it was targeted.

IDT Corp did report this to vendors, and wider malware analysis services such as VirusTotal, and Ben-Oni said that no one that they reported this to had seen this. “It was very dangerous using full credentials to move laterally, and the FBI was dealing with the WannaCry outbreak [by then] so my conversation was ‘I know WannaCry is bad, but this is worse’ as this can steal credentials while WannaCry just encrypts.”

Was it the case that there were limited resources to deal with two major cybersecurity threats at once? Ben-Oni said that while there are limited resources in the FBI, the number of specialists is outnumbered by the NYPD. “The FBI deals with national and international issues and as this involved Russia - and relations are not as good as they have been - I was encouraged to engage with Europol. I also encountered resistance as the attacked system was in New Jersey and Europol has no jurisdiction in the USA, and it was an open case on where the victim was.”

Ben–Oni said that those who informed about the attack "were dismayed", but it did allow IDT Corp to be prepared and protected for WannaCry, despite that ransomware being fileless.

So what did he determine to be the learning points? Ben-Oni said that there were three primary lessons:

  • You can go through the patch process, but some systems are not uniformly protected if a user works remotely – and Shadow Brokers release a new tool that your system is not ready for, and something you cannot prevent against
  • Record everything and see everything that is going on
  • Create a virtual patch to monitor behaviors, and move to a model where there is better visibility and a set of behaviors to protect the organization - and not wait for patches

He concluded by saying that he had shared a 200 MB file of information with over 100 people, vendors he does not work with, and several 1000 researchers on a closed forum. Asked if he deemed this to be a win for the industry, he said: “I’ve been beating the drum of automation since 2014, and we now realize that we need to keep up with attackers and leverage what they are using against us.”

Gil Barak
Gil Barak

Secdo, whose ‘black box’ of forensic investigation showed that the ransomware was installed after the hackers had taken all the employee credentials and that the attack had bypassed every security device, called this "an amazing example" of how this information can be used.

“By responding fast, we added the capability from working with IDT Corp that regardless how long vendors take, you can use Secdo to automatically find the attack and stop them,” said Gil Barak, co-founder and CTO of Secdo. “Rather than hoping you can react and adapt, this can reduce the time to wait for the patch.” 

As well as Golan’s learning points, there are many factors that can be gained from this experience, not least realizing how capable the attackers were. If anything, this should serve as a case to prove that preparedness enabled the investigation and discovery, and helped IDT Corp prepare for the storm two weeks later.

What’s hot on Infosecurity Magazine?