Blog

Why WannaCry Killed Ransomware

When WannaCry hit the affect it had on such a wide range of individuals was almost unprecedented. And the aftermath as a result has had a detrimental effect on future ransomware.

An attack on this scale not only brought a huge amount of media attention, but unlike many other virus attacks WannaCry became a house hold name. Not only was it effecting ATM machines and the NHS but other companies were forced to send staff home as they were unable to operation do to the virus.

Although the total amount paid to the attacker is still unclear, it is much less than it should have been. Due to security researchers speedy response many users effected were able to avoid paying the hefty ransom. Unfortunately for any would be cyber criminals, WannaCry appears to have killed ransomware as a viable option of attack.

Because of the publicity received by WannaCry, people were made aware of these types of attacks. And security vendors such as Bitdefender soon implemented an anti-ransomware feature into their products. This features stops unauthorised applications making changes to the computer in areas they have not been given permission to.

I personally feel that if WannaCry had not have effected so many across the globe then ransomware would still be a relatively effective method of cyber-crime. But due to people’s awareness becoming greater and security vendors taking action. There are numerous sites on the internet offering guides of how to ‘defend’ against a ransomware attack, and the most common tip is to make regular backups. This method relays on the back up remains unaffected by the virus, but ultimately would alow for the user to restore their system and avoid paying the fee.

Another solution that I have seen online is to use cloud based services such as OneDrive and Google Drive. If a users personal data is backed up to a cloud service then in the event of a ransomware attack it will agin remain unaffected.

Granted the solutions mentioned are not the best method for a larger organisation as a cloud based services could potentially be unviable depending on the size of the organisation. And to have a complete back up of every system within a large business is again not the easier thing to achieve.

While there maybe be future ransomware attacks, hopefully the number affected this time around will be significantly less than WannaCry. And my hope would be that with the increased publicity around ransomware individuals and organisation have taken the steps and precautions to protect them self and their systems from an attack of these natures.

Bureau 121 – Who are they?

The Bureau 121 took the lime light recently after accusations that they where behind the WannaCry attacks that affected multiple countries. Although it was never confirmed by the North Korean government, a number of reports have pointed towards North Korea.

They are said to have around 1,800 members that are hand-picked from university and then trained for an additional 5 years before being given their assignment. These assignments could be across the globe, as an incentive they are promised that their family’s will receive greater privileges.

They have been accused of a number of significant and high-profile cyber attacks, these include the WannaCry virus and the attack on Sony.

Just after the WannaCry virus took the world by storm I speculated that there could have been North Korean involvement. This was later confirmed by both the UK and US government. Although the North Korean government have never officially taken credit for the attack.
The hacks that affected Sony Pictures before the release of the movie The Interview were also alleged to have been carried out by North Korea. This was later backed up by security researchers who reported that some of the code used in the hack was written in Korean. Although it was again never officially confirmed it is quite easy to see the connection.

They are also said to conduct regular cyber-attacks aimed at South Korea, this has affected a number of different sectors including banking and broadcasting companies. During 2013 it was alleged that an infected smart phone application was the result of Bureau 121.

While Bureau 121 are not a hacktivist or cyber crime group, they have been causing havoc across the globe and raging cyber-warfare. I find it almost baffling that in a country with such poor human rights and such a poor quality of life that there is a division of the Korean Government who have the ability and skill set to disrupt and damage computer systems across the globe.

Source: CNN, Business Insider, The Market Mogul, BBCNews Week

Who are the Fancy Bears?

In recent years there have been a number of different Hacktivism groups that have been floating around the news and the depth of the internet.

And while everyone has their own opinion of the actions carried about by these groups, some of them appear to have more depth to them than others.

The Fancy Bear group are some what of an enigma in regard to Hacktivism. Although their manifesto appears to offer a very clear and somewhat understandable objective.

“Greetings citizens of the world. Allow us to introduce ourselves… We are Fancy Bears’ international hack team. We stand for fair play and clean sport. ”
Source: www.fancybear.net

From the initial outset the Fancy Bear group appears to be only after one thing, and that is making sport clean and fair. And in recent years a huge amount of doping in sports has been in the tabloids. Making their objectives relatable and arguably, in the public interest.

But why would a group that appears to want to make sport clean and fair, have alleged ties to the Russian Government. And why have they been accused of a number of hacks that do not appear to related to sports in the slightest.

The list below is attacks carried out by the Fancy Bear group that appear to have much greater political motivation than a group who just want to clean up sports.

  • German Attack (2014)
    • The Fancy Bear group are alleged to have carried out a 6 month cyber-attack on the German parlement that began in December 2015.
    • There is also further speculation that the Fancy Bears are also responsible for a spear phishing campaign that targeted members of the German Parlement.
    • There was a perceived threat to the coming 2017 German election as the information acquired during the attacks might have led to manipulation of the general publics options before the vote.
  • French Television Hack (April 2015)
    • In  april 2015 there was a large-scale cyber-attack aimed at a French TV network TV5Monde. While initially the attack appeared to have been carried out by a group connected to the Islamic State.
      But these claims where soon dismissed by the French cyber-agency. They believed the attack had been carried out by the APT 28 group, other wise know as the Fancy Bears.
  • R00t9B Report (May 2015)
    • In May 2015 a Cyber Security Firm Root9B published a report on the Fancy Bears. The report stated that they had discovered targeted spear phishing attacks targeting financial institutions.
      United Bank for Africa, Bank of America, TD Bank and the UAE Bank were all targeted. Although security journalist Brian Krebs argued that the attacks may have come from Nigerian phishers.
  • EEF spoof, White House and NATO attack (August 2015)
    • The Fancy Bears are also known to have used a number of zero-day exploits in 2015. Their attacks initially targeted the Electronic Frontier Foundation and then the White House and NATO. Again a spear phishing campaign was also used to direct emails to a fake URL.
  • Democratic National Committee (2016)
    • The Fancy Bears also carried out yet another spear phishing attack, this time on the Democratic National Committee in early 2016. The attack was carried out by phishing emails from 2008. Once the older accounts had been compromised the group was able to retrieve an up to date contact list with current members email addresses.
    • It was CrowdStrike that reported the Fancy Bears involvement in the attack. Although a sole actor then came forward to take credit for the entire attack.
  • Ukrainian Artillery (2014-2016)
    • A report from CrowdStrike also presumes that between 2014 and 2016 the Fancy Bears launched a cyber-attack on the Ukrainian military. The attack was carried out using Malware on Android devices.
    • The Malware was a compromised versions of an app used to control the targeting for the D-30 Howitzer artillery. They used the X-Agent spyware.
  • Windows zero-day (October 2016)
    • In 2016 Google’s Threat Analysis Group released a zero-day vulnerability in Microsoft Windows. This was later acknowledged by Microsoft Executive Vice President of the Windows Device Group Terry Myerson. The published a blog post acknowledged that the vulnerability had effected Adobe Flash and down-level Windows Kernal. It was Microsoft that suggested the Fancy Bears had been responsible for the attack. This was referenced by the use of Microsoft’s in-house name for the Fancy Bears ‘STRONTIUM’.
  • Dutch Ministries (February 2017)
    • More recently in February of 2017 the Dutch Security Services stated that the Fancy Bears had attempted several attacks, with the goal of gaining access to te Dutch ministries.
  • German and French Elections (2016-2017)
    • A group of researchers from the group Trend Micro published a report in 2017, it contained information regarding attempts made by the Fancy Bear group to phish people associated with both the German and French elections. They carried out the attack by creating fake email servers and then sending phishing emails with links to malware.

Source: Wikipedia, BBC News

Although the 9 attacks listed above are not all of the attacks that have been carried out by the Fancy Bears. They are the attacks that have no association with the world of sports and doping.

And while the hacks relating to sports could be seen as something of a cover to dismiss some of the accusations that the Fancy Bears Report to the Kremlin. This has been floating round for a while, and when you think about a couple of the names the group have previously gone by, Threat Group-4127 sounds not only military but very aggressive.

Could it be that as with a number of elections that appear to have been tampered with that the Russian Government are also attempting to control sports. Or could it be to get back at being banned from global events such as the Olympic games.

Could that have been the trigger for the Fancy Bears to go after the rest of the world in an attempt to fight the system so to speak. I personally belive this to be the case, and although the Russians may not want to be directly associated with the Fancy Bears it is hard to ignore their choice of targets.

 

What is a Keylogger?

Anyone using a decent anti-virus program and has contracted a virus may have seen a keyloger. But what are they and how can they affect your daily life?

The origins of keylogger applications where within a business environment to monitor staff, the method of keylogging was also used by law enforcement to monitor criminals activities.
There are a large number of keyloggers online that can be used in this way to alow for business to monitor their employees (Invasion of privacy or not some companies will monitor their staff and it very likely that it will have been written into their contracts.)

But as with many elements within the digital domain, it wasnt long after the conception of these application a criminal entities saw the use and benefits of keyloggers. I mean what could be better than being able to monitor a targets keystorkes from an external location.
Think about the amount of personal information you type into your system everyday, passwords, user names and credit card numbers. By combining all of these bits of data there are numarous amount of crime that can be committed.

The methods for attack can range from a simple hardware based keylogger that can be incredibly difficult to find and detect unless you know what you are doing. The image below show 2 of the hardware based keyloggers than can be used to monitor your keystrokes. These little devices get connected between the keyboard and the compter. In some instances these devices can detect the keystrokes even before the operating system.
Some of these devices require the attacker to go and physically collect the device in order to retrieve the data.
Some of the more sophisticated device of this nature alow for remote connection, meaning that the attacker can collect and almost unlimited amount of data.

hardware-keylogger
2 hardware based keyloggers (On the right is a PS2 connection & On the left a USB connection)

Software based keyloggers are a much more favored method of attack as it requires no physical access to the target system and can be deployed across and almost unlimited number of devices at no cost to the attacker.
They can be deployed via any number of methods to deploy malware. From downloading a malicious file and it being executed from there.
Much in the same way a hardware keylogger sends the recorded keystorkes to an external server, software based keyloggers can also be used to send data to a remote location.

While it might seem like a complex and daunting task to develop and build an application of this nature it is actually much easier that one would initially think. After a simple google you can find 100’s of tutorials and examples of code online.

Meaning that anyone from a casual script kiddie to a experienced programmer can develop a keylogger. Granted the methods used to develop the applcation would vary on the skill set of the attacker, the end result would ultimitly be the same.