Colour me unsurprised
The NORKs have been doing this for years - it's their principal source of foreign currency. They are the most sanctioned country on Earth and has anyone noticed it affecting them?
Security researchers are exploring the theory that the WannaCrypt ransomware might be the work of an infamous North Korean government-backed hacking crew. The crumb-trail-sniffing began on Monday after Neel Mehta, a security researcher from Google, posted an artefact on Twitter potentially pointing at a connection between the …
The Norks have around 1k computers, or at least externally accessible IP addresses. Considering the number of addresses world wide that is a very small attack area. And besides, even if it did affect them, how would word get out? I strongly doubt the Norks want their computer security questioned.
If it was the work of private enterprise it would make you pay the ransom upfront, then fail to encrypt the files, then make you pay for an upgrade, then pay for a 'consultant' on site to encrypt them for you - then the whole project would be cancelled after running $Mn over budget and be repeated after everyone involved was given bonuses
@AC - I am not sure who the culprit behind this attack is; more accurately, I have no idea. However, there almost always seems to be a knee-jerk reaction to blame either the NORKS, Russians, or Chinese based on what appears to be over-glorified navel gazing by so-called 'experts'. As you implied, there are a lot of people with the skills needed to make this attack; many are, as you called them, 'private enterprise'.
Yeah, two things occur to me. First, from reports I've heard this thing was so hideously bungled (from a payoff perspective) that I'm more inclined to believe it was script kiddie adaptation than some "notorious" hacking collective. Second, if this was some political actor, why bother with the ransom? Just encrypt the files and watch all the phish flop on the line.
WannaCrypt software was developed by the NSA and leaked (amongst other things) in the Vault 7 leak. Included in that was also software to make attacks look like they originated from another country.
So, with that information, could it still be the North Koreans? Or could it be someone who could/would benefit from some heightened tension in the Korean peninsula?
I agree. If you're reduced to using the timezone as "evidence" then you scraped your way through the bottom of the barrel a long time ago. A more plausible conspiracy theory is that the NSA have just noticed that most of the world's XP systems are in countries they don't like and later systems can be protected if MS can be persuaded to put out a patch two months before the attack. (If you want a soundbite, they've weaponised Microsoft's update policy.)
But a vastly more plausible theory still is that some normal crook decided to strap a ransomware payload on the back of a new exploit they found on the interwebs. There are *far* more crooks than there are nation states, so the odds are *always* in favour of the mundane explanation.
> If you['re] reduced to using the timezone as "evidence"...
In the same vein, I noticed that the killswitch domain name is significantly non-random, and probably chosen by keyboard mashing. Here's how a classic touch typist on a QWERTY keyboard would achieve those characters [1]:
KILLSWITCH DN: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA
TYPING HAND:   RRLLLLLRLRRRLRLRRLLLRRLRLRLRRLLLLLLLLLLLL
QWERTY ROW:    11111221210122211222222121112221111112112
Note that only the top two rows of letters are used, and only once does it stray into digits; the nine is probably a near-miss for the subsequent I. It seems to me that the mashing was almost certainly done on a QWERTY keyboard. However, APTs will probably be using such keyboards anyway; all the information I can find about N. Korean PCs indicates that their layout is QWERTY, too.
Hey, I *like* it here at the bottom of the barrel!
[1] transposed to uppercase for clarity; paste somewhere in a monospaced font to make it line up.
"WannaCrypt software was developed by the NSA and leaked "
Ish. Bits of Wannacry were taken straight out of the leaked NSA tools. Other bits look like they've been written by a 16 year old with a limited grasp of infosec. For example, the 'just check if this domain has been registered' killswitch which stopped it is the kind of thing that a state-backed group would not include, full stop - whether that's the Russians, the Chinese, the Norks or the NSA/GCHQ.
This mostly seems to have been a cut-and-paste job tbh. Someone who didn't really know how to program but did know how to slam chunks of code they found on Stack Overflow together blundered onto the dark web and just cobbled together whatever they found to do what they wanted. The result was an odd combination of high-end and low-end features.
Oh my! I would never have guessed that in a million years.
I'm sorry but there is actually zero way of knowing where software came from unless you catch the person who wrote it.
What if I wrote a virus and named all the variables using decidedly British terms, like tea, chips, scones or brexit. Would people automatically assume the writer was British?
This is bollocks.
Odds are this is some script kiddies who had a play with DoublePulsar and EternalBlue mixed with some crappy darknet-provided crypto malware. I doubt they had any idea it was going to be as successful as it was.
This is supported by the lack of any form of sophistication to the attack and the complete lack of any suitable infrastructure to accept payments.
This is not nation state actor stuff unless people really think the NORKS Cyber Ninja Army has the coding skills of a well fed hamster.
It's a nonsense. DPRK is not a rich country, but it's not so poor it's scrounging for bitcoin. If they did such a thing they would probably want information first (which you don't get if you announce ransomware) and chaos second (which could be done by changing data very very infrequently randomly, or just destroying it for example).
It's a standard ransomware thing that got out of hand, some person(s) built it on the released exploit and it was too successful.
Programmers doing "stupid stuff" mostly:
- Not following MS' guide lines (e.g. using undocumented APIs, assuming drive letters & folder locations)
- Using the flavour-of-the month framework (e.g. ActiveX for IE6, recently silverlight...)
- Assuming you are running with admin rights (lots of NT/W2K/XP era stuff)
- Assuming the machine won't have firewalls enabled (but even MS software with XP SP3)
- If hardware is involved, then MS changes to the HAL layer, etc.
All said, simple win32 program from NT era will generally still work perfectly!
- Not following MS' guide lines (e.g. using undocumented APIs, assuming drive letters & folder locations)
I would think that I have got into more compatibility issues by coding along to MS' guidelines.
And having looked at some MSDN over the decades I have wondered if they, internally, were following another set of standards, i.e. guidelines, to those that they were giving us developers who were Outside The Asylum.
All the code I have been involved in producing runs on everything from XP up to Windows 10.
There are things which can break; expecting registry keys to be in particular places, system folders to have certain names and the like, but Microsoft have done a pretty good job of making things backwards compatible when things are done in the approved manner for code targeted at XP.
MS goes to great pains to maintain backwards compatibility, even to the point of "emulating" bugs/mis-features of APIs and layout of internal data structures when old code has come to rely on it.
With rare exceptions, stuff that runs on NT 4 or even 9x will run just fine on modern systems. The only caveat being the lack of support for DOS and 16 bit Windows applications on 64 bit systems.
Unfortunately, with the amount of software actually having been written for Windows - including weird in-house stuff - those rare exceptions still add up to quite a lot.
The bigger issue for things like medical equipment is probably the drivers. If you do it properly, drivers from Windows 2000 and onwards should work on modern systems (as long as they are the same bit-ness), but there's a lot of room for not doing things properly when developing drivers.
And it's a lot harder to work around when it happens (read: often impossible without the source code to the driver or the ability to re-implement it from scratch) - no such things as application compatibility hacks for drivers.
"The bigger issue for things like medical equipment is probably the drivers."
Possibly. I don't recall seeing a "Medical" device type in Device Manager. There may be some medical devices that ship with a bespoke "interface card", particularly the really old ones that were built for DOS, but I would hope that the majority of devices written in the last couple of decades communicate with more sane options like RS232 (now carried over USB and supported by every OS on the planet) or an ethernet cable (similarly universal).
It might take time to validate any new configuration, so that you can tick the box labelled "Doesn't kill the patient", but I doubt whether device support is the blocking issue for that XP->whatever roll-out.
RS232 is too slow for a lot of things, and Ethernet too complex (and then we would be worried about people hacking that as well, not just the workstation controlling it...). Even if the gear was an entirely new design and used USB, that still required a custom kernel mode driver in XP (UMDF wasn't introduced until Vista or so).
If the gear itself is slightly older, it might very well pre-date standardized high speed low complexity interfaces altogether and then you're stuck with custom interface cards. In that case you can basically count yourself lucky if you're stuck with XP on a 10-15 year old PC, and not something like an early/mid 90s UNIX workstation, or worse (you can find spares for old SUN boxes easily, but some gear needs really specific hardware, like the rare SPARCs with VME buses).
"sane options like RS232 (now carried over USB and supported by every OS on the planet)"
Works for a lot of stuff, may not always be satisfactory. Stuff that expects to see things behave the way a 16550 UART has always behaved, especially wrt timing, may not work well when using serial over USB. For example, byte out<>byte in protocols (they do exist in a handful of cases) may go slow due to increased latencies because that's the way USB<>serial works; data sits in the receiver or the sender until it's polled every few milliseconds.
And then there's the fun that people have had with 'fake' FTDI USB-serial chips and associated drivers that brick the attached device [1].
Some other relatively low-end devices have historically used a few bits of a parallel printer port as outputs and inputs, for their own non-printing purposes (e.g, cheap/nasty JTAG). Modern PCs with modern software may not have that capability - they can print to USB, but the parallel port may not exist or the bit-banging functionality may not be accessible through the OS.
Just sayin.
[1] https://www.theregister.co.uk/2016/02/10/ftdi_says_knockoff_chips_part_of_criminal_operation/
https://www.theregister.co.uk/2014/10/24/ftdi_bricking_driver_response/
Drivers.
For Vista onwards, Windows moved to a different driver framework that required things like 'keep kernel-mode drivers and user-mode drivers separate', 'don't just use the highest privileges possible by default', and 'why not try reading up on security standards before calling yourself a programmer'. All the things which had made earlier versions of Windows so unstable and fundamentally insecure, in other words, were now to be forbidden, so we could discover exciting new types of instability and insecurity rather than just bluescreening because your joystick decided to write into the kernel space for no reason.
This was basically why Vista didn't seem to work with anything initially - it demanded properly written drivers, at a point when basically no-one had bothered writing them to any decent standard. The reason Windows seemed to work with literally all the hardware in the world (to a given value of 'work', at any rate) is because prior to Vista/7 it didn't stop you from doing stupid and insecure things with your driver code. You could let the work experience kid cobble your driver together based on his Art History degree and 20 minutes of training, and companies literally did. After Vista, it did, and the immediate result was 90% of existing device drivers were suddenly forbidden from working.
Unfortunately, lots of the devices used by the NHS (think MRI scanners, X-ray machines, and other hugely expensive medical equipment designed with a 50-year lifespan) have horribly-written drivers created by companies that ceased to exist 20 years ago, and so new drivers were never created. So the NHS kept using Windows XP on the machines connected to those devices, but also hooked them into the network so they could transfer those scans around - via port 445, using SMB v1, which is precisely the protocol which this worm used to spread itself.
Which basically explains the whole situation, tbh.
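Whether a host on the network still accepts the SMB1 dialect is something you can test directly rather than infer from its Windows version. The following is an added example, not code from the comment above or from any tool it mentions: it builds the classic SMB_COM_NEGOTIATE request (command 0x72) offering only the 'NT LM 0.12' dialect and classifies the reply. A server that still speaks SMB1 answers with an SMB1 header and DialectIndex 0; a server with SMB1 disabled either closes the connection or answers with DialectIndex 0xFFFF; an SMB2-only server never returns the 0xFF 'SMB' magic. The probe only negotiates, never authenticates, and the sample replies are constructed so the parser can be exercised offline. The function names and the choice of Flags2 bits are my own.

```python
"""SMB1 negotiate probe: does a host still accept the dialect WannaCry spread over?

Added example, not part of the original comment. Only the negotiate step is
performed; no session setup, no authentication, no exploit. SAMPLE_* replies
are constructed for offline testing and are not captures from a real host.
"""

import socket
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
DIALECT = b"\x02NT LM 0.12\x00"  # BufferFormat 0x02 + dialect string + NUL


def _smb1_header(flags: int) -> bytes:
    """32-byte SMB1 header for a NEGOTIATE message (status 0, no signing)."""
    hdr = (
        SMB1_MAGIC
        + struct.pack("<B", SMB_COM_NEGOTIATE)  # Command
        + struct.pack("<I", 0)                  # Status
        + struct.pack("<B", flags)              # Flags
        + struct.pack("<H", 0xC853)             # Flags2: unicode, NT status, long names
        + struct.pack("<H", 0)                  # PIDHigh
        + b"\x00" * 8                           # SecurityFeatures
        + struct.pack("<H", 0)                  # Reserved
        + struct.pack("<H", 0)                  # TID
        + struct.pack("<H", 0xFEFF)             # PID
        + struct.pack("<H", 0)                  # UID
        + struct.pack("<H", 0)                  # MID
    )
    assert len(hdr) == 32
    return hdr


def _netbios(msg: bytes) -> bytes:
    """NetBIOS session service framing: type 0x00 + 3-byte big-endian length."""
    return b"\x00" + struct.pack(">I", len(msg))[1:]


def build_negotiate_request() -> bytes:
    """Framed SMB1 NEGOTIATE request: WordCount 0, ByteCount, one dialect."""
    body = struct.pack("<B", 0) + struct.pack("<H", len(DIALECT)) + DIALECT
    msg = _smb1_header(0x18) + body
    return _netbios(msg) + msg


def parse_negotiate_response(data: bytes) -> str:
    """Classify a raw reply (NetBIOS header included).

    Returns 'smb1-accepted', 'smb1-refused' or 'no-smb1'.
    """
    if len(data) < 4 + 32 + 1:
        return "no-smb1"  # closed connection, empty read, or not SMB at all
    smb = data[4:]
    if smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return "no-smb1"  # e.g. an SMB2 header, or something else entirely
    word_count = smb[32]
    if word_count == 0 or len(smb) < 35:
        return "smb1-refused"  # error reply carries no parameter words
    dialect_index = struct.unpack_from("<H", smb, 33)[0]
    return "smb1-refused" if dialect_index == 0xFFFF else "smb1-accepted"


def probe(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect, send the negotiate request, classify whatever comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate_request())
            return parse_negotiate_response(s.recv(1024))
    except (ConnectionError, socket.timeout, OSError):
        return "no-smb1"


def _constructed_reply(word_count: int, params: bytes, magic: bytes = SMB1_MAGIC) -> bytes:
    """Constructed (not captured) negotiate reply for offline tests."""
    hdr = magic + _smb1_header(0x98)[4:]
    body = struct.pack("<B", word_count) + params + struct.pack("<H", 0)  # ByteCount 0
    return _netbios(hdr + body) + hdr + body


# WordCount 17 reply, DialectIndex 0: the server picked our 'NT LM 0.12' offer.
SAMPLE_SMB1_ACCEPT = _constructed_reply(17, struct.pack("<H", 0) + b"\x00" * 32)
# WordCount 1 reply, DialectIndex 0xFFFF: SMB1 header present but no dialect accepted.
SAMPLE_SMB1_REFUSE = _constructed_reply(1, struct.pack("<H", 0xFFFF))
# SMB2-style header: the host does not answer in SMB1 at all.
SAMPLE_SMB2 = _constructed_reply(17, struct.pack("<H", 0) + b"\x00" * 32, magic=SMB2_MAGIC)

if __name__ == "__main__":
    for name, reply in (("accept", SAMPLE_SMB1_ACCEPT), ("refuse", SAMPLE_SMB1_REFUSE), ("smb2", SAMPLE_SMB2)):
        print(name, parse_negotiate_response(reply))
```

Run `probe("host-you-own")` against a machine you administer and 'smb1-accepted' means the host is still reachable over the protocol the worm used; on current Windows builds with the SMB1 feature removed you will see the connection closed and the probe return 'no-smb1'. Disabling SMB1 does not patch MS17-010; it removes the listener the exploit needs, which is the part this probe checks.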
I personally made a joke about this and my Russian sounding shopkeeper, only took till Tuesday. Not bad going really but not unexpected.
My next prophecy is that Trump will accidentally speak Russian in a press conference and blame the fake media for dubbing him.
It's either that or sentient chickens.
Ideal opportunity for the Norks to play havoc. Everyone points the finger at them for every bad event, so people will start to disbelieve they can be responsible for it all.
Then they can launch a massive attack knowing that a bored population will just roll their eyes and say "not the Norks again, tinfoil hat time".
Everything I know about North Korea comes from Western media - I've never been there myself.
On the basis of what I am told they are both a threat that we should seriously consider going to war against and also a bunch of incompetents ruling a largely starving, downtrodden, pre-industrial society by fear and brainwashing.
So I guess yes is the answer. Or no. Depends whether I'm required to fear or mock them today.
Your post suggests it's mockery day but the article tells me it's fear.
How confusing.
Responsibility lies squarely with [delete as appropriate]
North Korea
ISIS
ISIL
ITIL
Brexit
Remain fifth columnists
The dog which ate it
Some big boys who later ran away
Paedos
Crabs
Cake
Thatcher
political correctness
political correctness gone mad
Devops
Other (please specify)
Bitcoin seems to have escaped any mention even though ransom payment is demanded in that form.
I do fear that a lot of the usual suspects will have been cheering in private as it will give them plenty of pretext to clamp down on all manner of things digital which they don't like because they can't control it, decode it, or prevent it.
Someone with a professionally made tin-foil hat might suggest that's exactly what the NSA leak and this attack was intended to achieve.
#PleaseSaveUsAmber
I remember after the Sony hack all the Government cyber think tanks who are paid to further the Government narratives said it was the N Koreans while independent security analysts said it was a disgruntled ex Sony employee.
The North Korean narrative is still being spun - along with 'hands up, don't shoot'. Just because something is repeated ad nauseam doesn't make it true.
I don't see why this would be the Norks. For starters the US and the west would be the primary target of the attack and it wouldn't have targeted Russia or China as those countries are their closest supporters/allies. Unless of course it was a major screw up on their part a bit like their out-of-control rockets.
I doubt it was a state-sponsored group in Russia or China, because one of those groups would have presumably been very hesitant to release a worm into the wild that would infect so many pirated/unpatched Windows systems in China/Russia.
I also doubt that anyone affiliated with the 5 Eyes was behind this, since this has brought so much unfavorable attention on the 5 Eyes and the NSA in particular
But other than that, it could have been just about any hacker collective or rogue state.
The DPRK has minimal communications facilities with the outside world. The main communications links cross the Yalu River, which separates Pyongyang, DPRK, from China, carried by the tatty looking bridge which also provides road and rail communications.
There is a new bridge between the countries called the New Yalu River bridge that spans the Yalu between China's DanDong New Zone, LiaoNing Province, and North Korea's Sinuiju Province. The DPRK's end is completely devoid of any infrastructure - not even a muddy track - let alone communications.
All the DPRK's comms are routed through China which means that the lines could easily be hijacked by the Chinese.
Any accusations are based upon the flimsiest of data and are likely just the Americans creating more hassles for their current favourite enemy.
To sum up, a semi-competent script kiddie could have pulled this off with possibly some outside support. The support most likely would come from one of the many hacker groups around. Thus, there is a very reasonable possibility this is a 'private enterprise' attack as AC called it above. Some internal indications point to someone of moderate coding ability behind this which tends to fit a script kiddie.
The possibility of a government doing this is less likely because of the scattershot nature of the attacks, obvious attempt to get small amounts of money, and general lack of polish. Most government hacking is an attempt to get information, not money, especially not the small sums being asked for. The NORKS are no different in their desire for information even if they have a ramshackle economy. However, for the media and politicians a script kiddie cannot be used to whip up enthusiasm for any particular policy. Blaming the NORKS might be useful for whipping up enthusiasm for trashing them.
Thus, there is a very reasonable possibility this is a 'private enterprise' attack as AC called it above.
Hmm... you might just be on to something. Should we investigate to see if it was IBM which done it? They're strapped for cash but then there's some other companies also....
I really wish we had a tinfoil hat icon.
Because North Korea won't deny it, and even if they did, nobody will believe them.
The bigger problem security in a box companies are facing is of course that they promised to protect people from such attacks (quote from an ad: "The NHS is totally protected with Sophos") when they in fact were just peddling snake oil. In the real world, something like that would have had serious consequences. (However they could also say that it was proven decades ago, that it's impossible to automatically analyse software for certain properties, at least in the general case)
So it's convenient to have a space goat, and North Korea is the perfect one. Of course there is no evidence, but that's how attribution works. You look at some code, and speculate that it could have been X, then someone finds the same code somewhere else, and takes your first speculation as proof that it must have been X.