Ransomware and The Nation States - HEAnet

RANSOMWARE AND THE NATION STATES
Ransomware – A Growing Issue
The Story of the Shadow Brokers
Nation State Hacking Tools: In the Hands of Anyone…
Exploits
•EARLYSHOVEL RedHat 7.0 - 7.1 Sendmail 8.11.x exploit
•EBBISLAND (EBBSHAVE) root RCE via RPC XDR overflow in Solaris 6, 7, 8, 9 & 10 (possibly newer), both SPARC and x86
•ECHOWRECKER remote Samba 3.0.x Linux exploit
•EASYBEE appears to be an MDaemon email server vulnerability
•EASYFUN EasyFun 2.2.0 exploit for WDaemon / IIS MDaemon/WorldClient pre 9.5.6
•EASYPI is an IBM Lotus Notes exploit that gets detected as Stuxnet
•EWOKFRENZY is an exploit for IBM Lotus Domino 6.5.4 & 7.0.2
•EXPLODINGCAN is an IIS 6.0 exploit that creates a remote backdoor
•ETERNALROMANCE is an SMB1 exploit over TCP port 445 which targets XP, 2003, Vista, 7, Windows 8, 2008 and 2008 R2, and gives SYSTEM privileges (MS17-010)
•EDUCATEDSCHOLAR is an SMB exploit (MS09-050)
•EMERALDTHREAD is an SMB exploit for Windows XP and Server 2003 (MS10-061)
•EMPHASISMINE is a remote IMAP exploit for IBM Lotus Domino 6.6.4 to 8.5.2
•ENGLISHMANSDENTIST sets Outlook Exchange WebAccess rules to trigger executable code on the client's side to send an email to other users
•EPICHERO 0-day exploit (RCE) for Avaya Call Server
•ERRATICGOPHER is an SMBv1 exploit targeting Windows XP and Server 2003
•ETERNALSYNERGY is an SMBv3 remote code execution flaw for Windows 8 and Server 2012 SP0 (MS17-010)
•ETERNALBLUE is an SMBv2 exploit for Windows 7 SP1 (MS17-010)
•ETERNALCHAMPION is an SMBv1 exploit
•ESKIMOROLL is a Kerberos exploit targeting 2000, 2003, 2008 and 2008 R2 domain controllers
•ESTEEMAUDIT is an RDP exploit and backdoor for Windows Server 2003
•ECLIPSEDWING is an RCE exploit for the Server service in Windows Server 2008 and later (MS08-067)
•ETRE is an exploit for IMail 8.10 to 8.22
•ETCETERABLUE is an exploit for IMail 7.04 to 8.05
•FUZZBUNCH is an exploit framework, similar to Metasploit
•ODDJOB is an implant builder and C&C server that can deliver exploits for Windows 2000 and later, also not detected by any AV vendors
•EXPIREDPAYCHECK IIS6 exploit
•EAGERLEVER NBT/SMB exploit for Windows NT 4.0, 2000, XP SP1 & SP2, 2003 SP1 & base release
•EASYFUN WordClient / IIS6.0 exploit
•ESSAYKEYNOTE
•EVADEFRED
Utilities
•PASSFREELY utility which "Bypasses authentication for Oracle servers"
•SMBTOUCH check if the target is vulnerable to SMB exploits like ETERNALSYNERGY, ETERNALBLUE, ETERNALROMANCE
•ERRATICGOPHERTOUCH check if the target is running some RPC
•IISTOUCH check if the running IIS version is vulnerable
•RPCOUTCH get info about Windows via RPC
•DOPU used to connect to machines exploited by ETERNALCHAMPION
•NAMEDPIPETOUCH utility to test for a predefined list of named pipes, mostly AV detection. User can add checks for custom named pipes.
How Bad Can it be?
Lazarus Group
From Russia with Love
Petya
NotPetya – NotRansomware!
Fancy Bear
Back from the Shadows
Bad Rabbit
THE FUTURE OF CYBERCRIME
Hackers breached the hotel's door systems and caused the room doors to lock. The hotel ended up having to pay about $1,800 in Bitcoins to regain control of the system.

“We were at maximum capacity with 180 guests and decided that it was better to give in” – Managing Director, Christoph Brandstaetter
Nayana, a South Korean web hosting firm, was hit hard by a ransomware attack earlier this month which hit over 153 of its Linux servers and impacted over 3,400 websites the company hosts for its business customers.

Nayana's systems are thought to have been hit by a Linux variant of the Erebus ransomware, designed to encrypt files on web servers and demand a payment for the data's safe return. In all, Erebus hunts for 433 different file types on web servers – including documents, databases, images and videos.

Two weeks later, Nayana is still attempting to recover normal operations for its customers and has been posting updates on its forum detailing its progress.
WHAT CAN WE DO?
What can we do?
•Get Bitcoins
•Know where to find Decryptors
•Backup
•Manage Privilege and Control Access
•Disable Macros
What can we do?
•Manage Vulnerabilities and Configurations
•Segment to Stop Propagation
•Consider Critical Data and Processes
THE SPEED OF AUTOMATION
Integrated Security Everywhere
[Diagram: Advanced Threat Intelligence across Access, Client, Cloud, Partner API, NOC/SOC, Network and Application – Broad, Powerful, Automated, Open]
Fortinet Co-ordinated Security Fabric
•Known threats on web/messaging traffic are blocked on the NGFW, Secure Email Gateway and the End Point
•Unknown URLs and files are submitted to FortiSandbox
•FortiSandbox delivers URL and AV DB updates for malicious or suspicious detections