Rob Joyce was previously head of the NSA’s Tailored Access Operations (TAO) and is now a member of the White House National Security Council, serving as President Donald Trump’s cybersecurity coordinator. Rob is someone well known to us here at Cyber-Shadow.
In 2016 Rob came out of the shadows and presented “Disrupting Nation State Hackers” at the USENIX Enigma conference in San Francisco. Rob refers to NSA’s TAO organization as a nation-state exploiter, responsible for breaking into foreign adversaries’ systems. During the talk he provided insights into the strategies nation-state actors (such as the NSA) use to “own” systems.
This is not new information, but it offers insight into five commonly known cybersecurity strategies, attacks, and exploits.
At Cyber-Shadow we have extensive experience of these strategies, which we think of as reconnaissance, initial exploitation, establishing persistence, installing tools, moving laterally, and finally collecting, exfiltrating and exploiting.
WannaCry, also known as “WanaCrypt0r”, “WeCry”, “WanaCrypt” or “WeCrypt0r”, uses an exploit that was publicly released by the group calling itself the Shadow Brokers.
Our analysis indicates the exploit is initiated through an SMBv2 remote code execution vulnerability in Microsoft Windows. The exploit was made available on the internet through the Shadow Brokers dump on April 14th, 2017, and the vulnerability was patched by Microsoft on March 14.
We support the findings of Google security researcher Neel Mehta, who pointed out in a tweet that code used in WannaCry bore similarities to code used by the Lazarus Group. This group is a cadre of cybercriminals believed to be responsible for the 2014 Sony hack and the recent $81 million heist from the Bangladeshi central bank.
Although it is true that a killswitch has been activated, our intelligence cell has already seen a version without the killswitch starting to spread. We strongly recommend that anyone running old versions of Windows (XP, 7) install the Microsoft patch and/or shut down SMB shares. In fact, all operating systems should be kept updated and patched, preferably automatically or as regularly as possible.
If you have been affected, we recommend against paying the "ransom". These criminal gangs rarely decrypt files or release ransomed content, instead trying to get more money from you. In this case, there is so much international attention on the surprisingly small number of target bitcoin wallets that anyone trying to extract money will most likely be noticed. We also note that remote decryption is not necessarily possible upon payment.
Our cell tells us that criminals are now able to pay a "monthly subscription" for exploits from the same source, meaning that attacks like this are likely to be more common in the future. This ransomware cyber attack shows how vulnerable data is, and why we need to protect it. We are here to help you prepare for the next attack; contact us today for a personalized service.
There are a number of defences anyone can adopt, such as staying up to date with operating systems and patches, but there are also some less well-known techniques we can apply to defend you.
At Cyber-Shadow, we are always here to help. We recommend the following advice to mitigate your exposure to malware and ransomware:
- Keep your PC up to date via Windows Update. WannaCry doesn't even try to attack Windows 10, choosing instead Windows XP and other older Windows operating systems.
- Ensure you have an active firewall and anti-malware solution in place. Windows Firewall and Windows Defender are barely adequate; a good third-party anti-malware solution is far better. WannaCry patches are already available, even for Windows 8 and Windows XP.
- Don’t rely on anti-malware and virus scanners to save you. Antivirus companies are only just getting around to addressing ransomware, and their protection isn’t guaranteed.
- Ensure that Adobe Flash is turned off, or surf with a browser, like Google Chrome, that turns it off by default.
- Turn off Office macros, if they’re enabled.
- Don’t open questionable links, either on a webpage or especially in an email. The most common way you’ll encounter ransomware is by clicking on a bad link.
- Likewise, avoid untrusted areas of the Internet. A bad advert on a legitimate site can still inject malware if you’re not careful, but the risks increase if you’re surfing where you shouldn't.
- Keep offline backups of important data.
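The two WannaCry-specific points above (install the Microsoft fix, and shut down SMB shares if you cannot) can be checked from an elevated PowerShell prompt. The script below is an added example, not a Cyber-Shadow tool: it reports whether SMB is listening, whether any updates have been installed since the March 14 fix date, and with -Harden adds a Windows Firewall rule blocking inbound SMB. It assumes Windows 7 or later (netstat, netsh advfirewall and Get-HotFix available); the rule name and the date parameter are our own choices.

```powershell
# Added example: audit and optionally harden a host's SMB exposure.
# Run as Administrator. -Harden applies the firewall block; otherwise it only reports.
param(
    [switch]$Harden,
    [datetime]$PatchDate = '2017-03-14'   # Microsoft's fix date quoted in the article
)
$RuleName = 'Block inbound SMB - WannaCry mitigation'   # our own rule name (assumption)

function Get-SmbListeners {
    # TCP 445 (direct SMB) and 139 (SMB over NetBIOS). netstat is parsed so this also
    # works on Windows 7, where the Get-Net* cmdlets are not available.
    $lines = netstat -an | Select-String -Pattern ':(445|139)\s' |
             Where-Object { $_.Line -match 'LISTENING' }
    return @($lines | ForEach-Object { $_.Line.Trim() })
}

function Get-RecentHotfixes {
    # Updates installed on or after the fix date. An empty list does not prove the
    # host is vulnerable, but it means Windows Update has not run since the fix shipped.
    return @(Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchDate } |
             Select-Object HotFixID, InstalledOn)
}

function Test-SmbBlockRule {
    # $true when our block rule is already present
    $out = netsh advfirewall firewall show rule name="$RuleName"
    return -not ($out | Select-String -Quiet -Pattern 'No rules match')
}

function Block-InboundSmb {
    # One inbound block rule covering both SMB ports
    netsh advfirewall firewall add rule name="$RuleName" dir=in action=block `
        protocol=TCP localport=445,139 | Out-Null
}

$listeners = Get-SmbListeners
Write-Host "SMB listeners: $(if ($listeners) { $listeners -join '; ' } else { 'none' })"

$fixes = Get-RecentHotfixes
Write-Host "Updates installed since $($PatchDate.ToShortDateString()): $($fixes.Count)"
if ($fixes.Count -eq 0) { Write-Warning 'No updates since the fix date; run Windows Update now.' }

if ($listeners -and -not (Test-SmbBlockRule)) {
    if ($Harden) {
        Block-InboundSmb
        Write-Host 'Inbound TCP 445/139 is now blocked by Windows Firewall.'
    } else {
        Write-Warning 'SMB is reachable and not firewalled; re-run with -Harden to block it.'
    }
}
```

Blocking inbound SMB at the host firewall stops the worm reaching the machine across the network but also stops legitimate file sharing to it, so treat it as a stopgap until the patch is installed.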
Contact us for tailored and specific services for your personal circumstances.
Talk Talk's cyber security advice to customers is very worrying. Many UK customers have DSL-3780 routers which Talk Talk preconfigure to allow remote administration (using TR-069). Although in theory this allows the routers to be maintained by Talk Talk remotely, this facility has been exploited to steal information from home users, including router passwords, MAC addresses (network IDs) and SSIDs (wifi network names).
Together, this information can be used by cyber attackers to take control of users' home networks. There is enough information to effectively steal identities, hack personal computers, and steal cloud credentials, photos and videos. More worryingly, attackers can use this information to set up fake websites (such as a copy of your bank's) that look identical to the real site, allowing attackers into your bank accounts. For high-profile people, this is a particularly worrying time.
Talk Talk's advice is to not worry, and not change your passwords. This isn't good enough.
Cyber-Shadow can help, but even if you can't afford our services we offer the following advice: