Report: No ‘Eternal Blue’ Exploit Found in Baltimore City Ransomware


Karlston

For almost the past month, key computer systems serving the government of Baltimore, Md. have been held hostage by a ransomware strain known as “Robbinhood.” Media publications have cited sources saying the Robbinhood version that hit Baltimore city computers was powered by “Eternal Blue,” a hacking tool developed by the U.S. National Security Agency (NSA) and leaked online in 2017. But new analysis suggests that while Eternal Blue could have been used to spread the infection, the Robbinhood malware itself contains no traces of it.

 

On May 25, The New York Times cited unnamed security experts briefed on the attack who blamed the ransomware’s spread on the Eternal Blue exploit, which was linked to the global WannaCry ransomware outbreak in May 2017.

 

That story prompted a denial from the NSA that Eternal Blue was somehow used in the Baltimore attack. It also moved Baltimore City Council President Brandon Scott to write the Maryland governor asking for federal disaster assistance and reimbursement as a result.

 

But according to Joe Stewart, a seasoned malware analyst now consulting with security firm Armor, the malicious software used in the Baltimore attack does not contain any Eternal Blue exploit code. Stewart said he obtained a sample of the malware that he was able to confirm was connected to the Baltimore incident.

“We took a look at it and found a pretty vanilla ransomware binary,” Stewart said. “It doesn’t even have any means of spreading across networks on its own.”

 

Stewart said while it’s still possible that the Eternal Blue exploit was somehow used to propagate the Robbinhood ransomware, it’s not terribly likely. Stewart said in a typical breach that leads to a ransomware outbreak, the intruders will attempt to leverage a single infection and use it as a jumping-off point to compromise critical systems on the breached network that would allow the malware to be installed on a large number of systems simultaneously.

 

“It certainly wouldn’t be the go-to exploit if your objective was to identify critical systems and then only when you’re ready launch the attack so you can do it all at once,” Stewart said. “At this point, Eternal Blue is probably going to be detected by internal [security] systems, or the target might already be patched for it.”

 

It is not known who is behind the Baltimore ransomware attack, but Armor said it was confident that the bad actor(s) in this case were the same individual(s) using the now-suspended Twitter account @Robihkjn (Robbinhood). Until it was suspended at around 3:00 p.m. ET today (June 3), the @Robihkjn account had been taunting the mayor of Baltimore and city council members, who have refused to pay the ransom demand of 13 bitcoin — approximately $100,000.

 

In several of those tweets, the Twitter account could be seen posting links to documents allegedly stolen from Baltimore city government systems, ostensibly to both prove that those behind the Twitter account were responsible for the attack, and possibly to suggest what may happen to more of those documents if the city refuses to pay up by the payment deadline set by the extortionists — currently June 7, 2019 (the attackers postponed that deadline once already).

Some of @robihkjn’s tweets taunting Baltimore city leaders over non-payment of the $100,000 ransomware demand. The tweets included links to images of documents allegedly stolen by the intruders.

Over the past few days, however, the tweets from @Robihkjn have grown more frequent and profanity-laced, directed at Baltimore’s leaders. The account also began tagging dozens of reporters and news organizations on Twitter.

 

Stewart said the @Robihkjn Twitter account may be part of an ongoing campaign by the attackers to promote their own Robbinhood ransomware-as-a-service offering. According to Armor’s analysis, Robbinhood comes with multiple HTML templates that can be used to substitute different variables of the ransom demand, such as the ransom amount and the .onion address that victims can use to negotiate with the extortionists or pay a ransom demand.

 

“We’ve come to the conclusion Robbinhood was set up to be a multi-tenant ransomware-as-a-service offering,” Stewart said. “And we’re wondering if maybe this is all an effort to raise the name recognition of the malware so the authors can then go on the Dark Web and advertise it.”

 

This redacted message is present on the Dark Web panel set up by the extortionists to accept payment for the Baltimore ransomware incident and to field inquiries or pleas from them. The message repeats the last tweet from the @robihkjn Twitter account and conclusively ties that account to the attackers. Image: Armor.

There was one other potential — albeit likely intentional — clue that Stewart said he found in his analysis of the malware: Its code included the text string “Valery.” While this detail by itself is not particularly interesting, Stewart said an earlier version of the GandCrab ransomware strain would place a photo of a Russian man named Valery Sinyaev in every existing folder where it would encrypt files. PCRisk.com, the company that blogged about this connection to the GandCrab variant, asserts Mr. Sinyaev is a respectable finance professional who has nothing to do with GandCrab.

 

The timing of the GandCrab connection is notable because just last week, the creators of GandCrab announced they were shutting down their ransomware-as-a-service product, allegedly after earning more than $2 billion in ransom payments.

 

Finally, since we’re on the subject of major ransomware attacks and scary exploits, it’s a good time to remind readers about the importance of applying the latest security updates from Microsoft, which last month took the unusual step of releasing security updates for unsupported but still widely-used Windows operating systems like XP and Windows 2003. Microsoft did this to head off another WannaCry-like outbreak from mass-exploitation of a newly discovered flaw that Redmond called imminently “wormable.”

 

That vulnerability exists in Windows XP, Windows 2003, Windows 7, Windows Server 2008 R2, and Windows Server 2008. In a reminder about the urgency of patching this bug, Microsoft on May 30 published a post saying while it hasn’t seen any widespread exploitation of the flaw yet, it took about two months after Microsoft released a fix for the Eternal Blue exploit in March 2017 for WannaCry to surface.

 

“Almost two months passed between the release of fixes for the EternalBlue vulnerability and when ransomware attacks began,” Microsoft warned. “Despite having nearly 60 days to patch their systems, many customers had not. A significant number of these customers were infected by the ransomware.”

 

Source: Report: No ‘Eternal Blue’ Exploit Found in Baltimore City Ransomware (Krebs on Security - Brian Krebs)

Baltimore ransomware perp pinky-swears he didn’t use NSA exploit

Twitter account shut down after final, expletive-laced warning to mayor.

Oh, Baltimore. Image: Alex Wroblewski/Getty Images

Over the past few weeks, a Twitter account that has since been confirmed by researchers to be that of the operator of the ransomware that took down Baltimore City's networks May 4 has posted taunts of Baltimore City officials and documents demonstrating that at least some data was stolen from a city server. Those documents were posted in response to interactions I had with the ransomware operator in an attempt to confirm that the account was not a prank.

 

In their last post before the account was suspended by Twitter yesterday, the operator of the Robbinhood account (@robihkjn) answered my question, "Hey, so did you use EternalBlue or not?":

absolutely not my friend

The account was shut down after its operator posted a profanity and racist-tinged final warning to Baltimore City Mayor Bernard "Jack" Young that he had until June 7 to pay for keys to decrypt files on city computers. "In 7 Jun 2019 that's your dead line," the post stated. "We'll remove all of things we've had about your city and you can tell other [expletives] to help you for getting back... That's final dead line." The same messages have been posted to the Web "panel" associated with the Baltimore ransomware, according to Joe Stewart, independent security consultant working on behalf of the cloud security firm Armor, and Eric Sifford, security researcher with Armor’s Threat Resistance Unit (TRU).

Proof of compromise

The Robbinhood account's initial post included extremely low-resolution images to prove that the individual or group behind the account had access to Baltimore City's network prior to the ransomware being triggered. That image included passwords to a shared network directory for use in installing an older version of Symantec Endpoint Protection, an image of a faxed subpoena for a lawsuit against the mayor's office, and what appears to be lists of user names and hashed passwords for a number of city employee accounts.

 

But the age of the documents and their resolution led some (including me) to question their authenticity. I replied to the post, stating those doubts.

 

On May 28, the person or persons behind the Robbinhood account responded by posting another file to a file sharing site and sharing the link. That file, downloaded by researchers at Armor, was a PDF of a faxed document related to another lawsuit against the city, dated May 3. The PDF's metadata indicated that it was created by a networked Xerox fax machine on Baltimore City's network. Another document posted on June 3 was a cover sheet from a fax regarding a workman's compensation claim sent to the mayor's office the week before.
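The metadata check described above can be reproduced on any PDF. The Python below is an added example, not code from Ars, Armor or the article: it pulls the Info dictionary and CreationDate straight out of the file bytes (no third-party library), then runs the two consistency checks a responder would want before treating a leaked document as genuine: does the Producer string match the expected device class, and does the creation timestamp predate the day the ransomware was triggered. The sample PDF and every value in it are constructed for this example and are not the real document's metadata.

```python
import re
from datetime import date, datetime, timedelta, timezone

# Constructed sample: a minimal PDF whose Info dictionary imitates what a networked
# fax/MFP device writes. Every value here is made up for this example; none of it is
# the metadata of the document discussed in the article.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Producer (Xerox networked fax device - constructed sample)\n"
    b"/Creator (Fax gateway \\(constructed\\))\n"
    b"/CreationDate (D:20190503141522-04'00')\n"
    b"/ModDate (D:20190503141522-04'00') >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n"
    b"%%EOF\n"
)

INFO_REF_RE = re.compile(rb"/Info\s+(\d+)\s+(\d+)\s+R")
# /Key (literal string); the alternation steps over escaped characters inside the string
ENTRY_RE = re.compile(rb"/([A-Za-z]+)\s*\(((?:\\.|[^\\)])*)\)")
# PDF date syntax: D:YYYYMMDDHHmmSSOHH'mm'  (O is +, - or Z)
DATE_RE = re.compile(
    r"^D:(\d{4})(\d{2})(\d{2})(\d{2})?(\d{2})?(\d{2})?(?:([+\-Z])(\d{2})?'?(\d{2})?'?)?$"
)


def _unescape(raw: bytes) -> str:
    """Undo the PDF literal-string escapes that matter here: backslash before ( ) or backslash."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_info_dict(pdf: bytes) -> dict:
    """Locate the Info object named in the trailer and return its string-valued entries."""
    ref = INFO_REF_RE.search(pdf)
    if not ref:
        return {}
    header = re.compile(rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2) + rb"\s+obj")
    start = header.search(pdf)
    if not start:
        return {}
    end = pdf.find(b"endobj", start.end())
    body = pdf[start.end(): end if end != -1 else len(pdf)]
    return {key.decode("latin-1"): _unescape(val) for key, val in ENTRY_RE.findall(body)}


def parse_pdf_date(value: str):
    """Convert a PDF date string to an aware datetime (None if malformed)."""
    m = DATE_RE.match(value)
    if not m:
        return None
    y, mo, d, hh, mi, ss, sign, oh, om = m.groups()
    naive = datetime(int(y), int(mo), int(d), int(hh or 0), int(mi or 0), int(ss or 0))
    offset = timedelta(hours=int(oh or 0), minutes=int(om or 0))
    if sign == "-":
        offset = -offset
    return naive.replace(tzinfo=timezone(offset))


def assess_provenance(meta: dict, incident_date_iso: str, producer_hint: str) -> dict:
    """Two consistency checks a responder runs before trusting a leaked document."""
    created = parse_pdf_date(meta.get("CreationDate", ""))
    incident = date.fromisoformat(incident_date_iso)
    return {
        "producer_matches_hint": producer_hint.lower() in meta.get("Producer", "").lower(),
        "created_before_incident": created is not None and created.date() < incident,
        "created_utc": created.astimezone(timezone.utc).isoformat() if created else None,
    }


if __name__ == "__main__":
    info = extract_info_dict(SAMPLE_PDF)
    print(info)
    # Constructed incident date for the demo; the article dates the outbreak to May 4.
    print(assess_provenance(info, "2019-05-04", "xerox"))
```

Metadata is trivially editable, so a matching Producer string and a plausible timestamp corroborate provenance but do not prove it; the article's own conclusion rested on the attackers repeating their message on the Tor panel, not on this check alone.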

 

The final confirmation that the Twitter account was linked to the ransomware attack was provided when the operators posted a link to the Twitter account along with the same final warning to the Tor-based Web panel set up for communications with the city, shown above. (The "you" in the conversation is either a city employee or security researcher.)

 

Ransomware samples analyzed by researchers and by Ars don't offer any hints of how they were distributed. The ransomware sample from Baltimore, a 2.9MB Windows executable written in the Go language, is virtually identical to previous versions of Robbinhood obtained by researchers. It does not include any code used to seek out other vulnerable machines, and it fails to run if a public key hasn't been deposited in the right location on the targeted computer. While the ransomware uses RSA encryption, it includes functions from the entire Go cryptography library. Artifacts within the code show it was compiled from source by someone with a Windows user name of "valery."
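Build-host artifacts of the kind mentioned above (user-profile paths, Go source paths, the Go build ID, symbols from the standard crypto packages) can be recovered from a Go binary without executing it. The Python below is an added example, not Armor's or Ars' tooling: SAMPLE_BINARY is a constructed stand-in for a Go-compiled PE file with made-up paths, a made-up user name and a made-up build ID, and the regular expressions are this example's own heuristics rather than a published format specification.

```python
import re
from collections import Counter

# Constructed stand-in for a Go-compiled Windows executable. Go embeds the build
# machine's absolute source paths and a build ID unless built with -trimpath; the
# paths, user names and build ID below are made up for this example.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"C:/Users/builduser/go/src/example.local/locker/main.go\x00"
    + b"C:/Users/builduser/go/pkg/mod/golang.org/x/crypto@v0.0.0/ssh/keys.go\x00"
    + b"\x01\x02runtime.main crypto/rsa.EncryptOAEP crypto/x509.ParsePKIXPublicKey\x00"
    + b"C:\\Users\\builduser\\go\\src\\example.local\\locker\\config.go\x00"
    + b"/home/ci/go/src/example.local/locker/vendor/dep.go\x00"
    + b'Go build ID: "constructed-build-id"\x00'
)

# Windows user-profile directories, either slash style
WIN_HOME_RE = re.compile(rb"[A-Za-z]:[\\/]Users[\\/]([^\\/\x00]+)[\\/]")
# Unix/macOS home directories; the lookbehind keeps "C:/Users/..." from matching twice
NIX_HOME_RE = re.compile(rb"(?<![A-Za-z]:)/(?:home|Users)/([^/\x00]+)/")
# NUL-terminated absolute paths to Go source files
GO_SRC_RE = re.compile(rb"((?:[A-Za-z]:)?[\\/][^\x00]*?\.go)\x00")
# Fully qualified symbols from the standard crypto packages
GO_CRYPTO_RE = re.compile(rb"crypto/[a-z0-9/]+\.[A-Za-z][A-Za-z0-9]*")
GO_BUILDID_RE = re.compile(rb'Go build ID: "([^"]*)"')


def extract_build_artifacts(blob: bytes) -> dict:
    """Static triage: recover build-environment artifacts from binary bytes."""
    users = Counter(m.group(1).decode("latin-1") for m in WIN_HOME_RE.finditer(blob))
    users.update(m.group(1).decode("latin-1") for m in NIX_HOME_RE.finditer(blob))
    sources = sorted(
        {m.group(1).decode("latin-1").replace("\\", "/") for m in GO_SRC_RE.finditer(blob)}
    )
    crypto_symbols = sorted({m.group(0).decode("latin-1") for m in GO_CRYPTO_RE.finditer(blob)})
    build_id = GO_BUILDID_RE.search(blob)
    return {
        "usernames": dict(users),
        "go_sources": sources,
        "crypto_symbols": crypto_symbols,
        "go_build_id": build_id.group(1).decode("latin-1") if build_id else None,
        # No embedded source paths usually means -trimpath (or not a Go binary at all)
        "trimpath_suspected": not sources,
    }


def triage_file(path: str) -> dict:
    """Run the extraction over a file on disk."""
    with open(path, "rb") as fh:
        return extract_build_artifacts(fh.read())


if __name__ == "__main__":
    import json
    print(json.dumps(extract_build_artifacts(SAMPLE_BINARY), indent=2))
```

Go omits these paths when built with -trimpath, and a builder can use any account name, so a recovered user name is an investigative lead and a pivot for clustering related samples, not an attribution on its own.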

Honor among thieves

The statement by Robbinhood's operator that EternalBlue was not used to spread the ransomware within Baltimore City's networks is obviously not hard evidence that the NSA exploit exposed by Shadow Brokers wasn't used in the attack. There are a number of reasons the attacker would lie about it—including boosting their marketing message. Stewart and Sifford said that they believe the attacker is likely using the attack on Baltimore as a way to get publicity for offering Robbinhood as a ransomware-as-a-service offering, allowing others to rent the ransomware to extort others. Revealing the exploits used to spread the ransomware would be, in that case, a horrible business move.

 

Making such a big publicity play over a ransomware target is rare in such attacks, as is posting proof of compromised files, because that is generally bad for business. Organizations that pay ransomware demands usually do so to avoid publicity and do so under the assumption that none of their data was stolen. But government targets are less likely to pay, and seeking publicity may be a way to build political pressure on the target to pay up.

 

There's another possible explanation of the behavior of the Robbinhood attacker: they may have been in Baltimore's network for some time and released the ransomware only after extracting whatever value they could from network access. In that case, there's no telling what other data was taken from the city's network.

 

Source: Baltimore ransomware perp pinky-swears he didn’t use NSA exploit (Ars Technica)

 

(To view the article's image gallery, please visit the above link)

  • Administrator

Which is even more concerning. Does that mean a different exploit, unknown to most, was made or used in it?
