20
1 © 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. | ETERNAL BLUES WITH ETERNALBLUE Adrian Hada, Senior Security Research Engineer
1© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
ETERNAL BLUES WITH ETERNALBLUEAdrian Hada, Senior Security Research Engineer
2© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
WHOAMI
• Senior Security Research Engineer
• Spend my time researching attacks, malware, botnets and the like
3© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
QUICK OUTLINE
• EternalBlue
• Online Scanning
• Active Threats
• Stats
4© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
WHAT IS ETERNALBLUE?
Photo by Ales Krivec from Pexels https://www.pexels.com/photo/camping-environment-feet-grass-558454/
5© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
WHAT IS ETERNALBLUE
E=mc2
6© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
ONLINE SCANNING
7© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
ACTIVE THREATS
• DoublePulsar - Shellcode+DLL
• Advanced analysis methods
• Find malware download URLs
• Download & profit
8© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
ACTIVE THREATS
• Nice and shady RAT
• AV products have good detection
Gh0st RAT
9© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
ACTIVE THREATS
• Fingerprints system
• Receives target
• Sends large buffers of data (port 80)
Nitol DDoS Bot
10© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
ACTIVE THREATSCoin Miners
11© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
ACTIVE THREATS
• Very territorial, kill other miners and harden the host
Coin Miners
12© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
ACTIVE THREATS
• No-killswitch WannaCry
• The dropped binaries do not run correctly
• No Bitcoin wallet, URLs for paymentnew.ok.ru
WannaCry & Clones
13© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
STATS
0
100000
200000
300000
400000
500000
600000
700000
May June July August September October (partial)
Attack Count
Attack Count
Number of Attacks
14© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
STATS
0
10000
20000
30000
40000
50000
60000
70000
80000
May June July August September October (partial)
IP Count
IP Count
Number of IP Addresses
15© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
STATSGeographical Distribution of Targets
0
50000
100000
150000
200000
250000
300000
350000
400000
Asia Europe North America South America Oceania
Attack Count
Attack Count
16© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
STATS
United States20%
Russia11%
Japan8%
Indonesia5%Vietnam
5%India5%
China4%
Ukraine4%
Brazil4%
Taiwan4%
Venezuela3%
Turkey2%
South Africa2%
Netherlands2%
United Kingdom2%
Republic of Lithuania1%
Thailand1%
Hong Kong1%
Other16%
Attackers
Geographical Distribution of Attackers
17© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
STATS
• Conficker - Very few of the total
Types of Hosts
18© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
STATS
• Residential & IoT – proxies?
Types of Hosts
19© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
STATS
• Enterprise
Types of Hosts
20© 2017 KEYSIGHT AND/OR ITS AFFILIATES. ALL RIGHTS RESERVED. |
