
The "context" of the WannaCry blackmail virus incident

2025-01-17 Update

Shulou (Shulou.com) 06/03 Report

Jackzhai

I. Background

May 12, 2017 had been a quiet day, and everyone happily packed up and went home for the weekend. But from the afternoon on, cyber security companies kept receiving calls for help: more and more users had been hit by a computer virus, and their computers were encrypted and locked. Late into the weekend night, office lights came on one after another; after-sales engineers, R&D managers, testers, pre-sales engineers and sales staff were all called back in. A large-scale, global computer virus incident had quietly arrived. Bank ATMs went on strike, gas station computers "closed", the theses of students about to defend were encrypted, airport arrival screens turned "red", immigration hall computers "took a rest", and DMV service halls posted out-of-service notices.

This is the screen that panicked so many people: seeing it means your data will be very hard to recover, and you are starting over from scratch on a new machine.

The story goes like this. The NSA (National Security Agency), under the US Department of Defense, is the largest intelligence agency in the US government, responsible for collecting and analyzing foreign and domestic communications. NSA experts developed a number of cyber weapons, some of which were stolen by a group calling itself the "Shadow Brokers" around June 2013. The group wanted to turn these "arms" into money, so they put them up for sale on the black market hoping for a good price, but, "infuriatingly", nobody was willing to pay the asking price (1 million bitcoin). Ammunition that cannot be turned into money becomes "scrap", which made these people, who are not good at business, very angry. So they simply published some of the weapons on the Internet and gave them away for free. This can also be seen as an advertisement: tempt everyone, show the power of the weapons and, of course, find buyers. One of the published weapons is called "EternalBlue" and targets Microsoft's operating systems. The vulnerability it exploits was a 0-day in SMB; Microsoft designated it MS17-010. In March this year Microsoft released a patch specifically for this vulnerability. On April 16, China's CNCERT issued a "Bulletin on Strengthening the Prevention of Vulnerability Risks in the Windows Operating System and Related Software", reporting several vulnerabilities in the Windows SMB service disclosed by the "Shadow Brokers" and warning that they could be exploited on a large scale. But this did not attract enough attention: it is just a small virus, just kill it, and at worst use a dedicated removal tool.

However, this time things were a little different. Let me go back over the history of ransomware.

In 1989, the AIDS Trojan, written by Joseph Popp, spread through floppy disks and encrypted the files on the disk, demanding that the victim pay $189 to unlock them; hence the name ransomware. In 2008 new variants appeared, upgraded to 1024-bit RSA encryption, so that victims could not break the encryption themselves and had no way out if they did not pay. The US government itself uses encryption of this strength; do you think it can be cracked easily? In 2013, in order to collect the money without being discovered by the police, ransomware operators began using the popular "Bitcoin exchange platforms" for extortion payouts, that is, laundering the money through bitcoin transactions, with remarkable success: between December 15 and 18 at the end of that year alone, $27 million was extracted from victims via Bitcoin.

Then the unfortunate thing finally happened. In February 2017, ransomware developers took a fancy to EternalBlue, the weapon leaked from the NSA, turned it into a worm called WannaCry, and put encrypting ransomware code inside it. The worm uses EternalBlue's power to infect a large number of computers quickly, activates the ransom component, encrypts user data, and then waits for victims to deliver the money. This is how the WannaCry ransomware worm was born. Unlike before, EternalBlue gave it a powerful ability to spread; cyber weapons are very professional, and netizens all over the world understood their power instantly.

In this way EternalBlue, such a beautiful name for a cyber weapon, has become synonymous with the infamous WannaCry ransomware.

In the past most viruses needed to induce users to actively click on an attachment carrying the malicious code, or on a malicious link, to get infected. The terrible thing about WannaCry is that the user does not need to do anything. As long as a Windows machine with file-sharing port 445 open is on the network, the worm can spread and replicate between computers on the same network, forming a chain of infection, and malicious programs such as ransomware, remote-control tools and cryptocurrency miners can be implanted into computers and servers.

What is more troublesome is that most viruses in the past blocked the network or blue-screened the machine, which was nothing more than a nuisance; this time the files are encrypted and held for money. If you don't pay, the security vendors seem to have no solution; if you do pay, you don't know who the other party is or where they are, and will paying actually get your files back? The virus operators swear it will, but victims are basically resigned to fate. It is said that the ransomware uses 2048-bit RSA for encryption (I have not confirmed this). The cost after infection is so high that users, looking on helplessly, cannot sit still.

In the end the outcome was fortunately good. Although the virus spread widely and infected many machines, it mainly infected computers that had not been patched and were poorly managed. Moreover, after the outbreak, security companies promptly released patches and protective measures, urged users who had not yet been hit to update in time, and began handling the large-scale incident on Monday; today the continued spread of the virus has been basically stopped.

It is said that the people behind the ransomware did not get much money either.

II. What lies behind the virus is even more frightening

In any case, WannaCry is just a worm; the incident will soon pass and users will soon forget. But many things behind this incident deserve our attention: the "Shadow Brokers" have not received their money, and the WannaCry operators have not gained much. What happens next? It always feels as if the matter is far from over.

Here are a few of my questions, with which I hope to dig into the frightening things behind this virus incident:

1. How many such terrible cyber weapons does this organization hold?

In the WannaCry worm incident the "Shadow Brokers" played the living Lei Feng (did a good deed for nothing): they got nothing out of it and were presumably very upset. It is said that the NSA's Equation Group uses 10 cyber weapons that most easily affect individual Windows users, including EternalBlue, EternalChampion, EternalRomance, EternalSynergy, EmeraldThread, ErraticGopher, EskimoRoll, EducatedScholar, EclipsedWing and EsteemAudit. These cyber weapons include exploit tools that can remotely compromise about 70% of Windows machines around the world.

The Shadow Brokers have just issued a statement saying that from June 2017 they will continue to release more 0-day vulnerabilities and cyber weapons. It feels like a "powder magazine" has been opened; what will detonate next, I dare not imagine.

2. Why is the black market for vulnerability trading getting hotter and hotter?

"Where there is demand, there are merchants to profit from it." The black market for vulnerability trading has long been very active; this time "EternalBlue" has put it in front of the public. How does that feel?

EternalBlue exploits an advanced vulnerability in Windows as a cyber weapon for the NSA, and it was clearly assumed that the vulnerability would not be discovered for some time. Yet the vulnerability was not made public until the weapon was leaked and released, and Microsoft did not provide a patch until 2017. In other words: perhaps Microsoft did not know about the vulnerability before 2017, or thought it could not be exploited (no exploit code had been found). In short, for anyone holding EternalBlue, Windows was an easy target.

This reminds me that so many security enthusiasts on the Internet are digging for vulnerabilities: black hats dig for profit, white hats dig for honor, and national cyber forces dig for work. Where do so many vulnerabilities come from? How many have been announced? What percentage can the vendor fix with a patch? More vulnerabilities are traded on the "black market" (it is rumored that an advanced Windows vulnerability is worth a sports car), and no matter who buys them, it may not be good news for the majority of users.

What users want to ask is: how many vulnerabilities have been traded before being disclosed, how many organizations hold them, and how long have they been using them? This is a question to which many people know the answer, but nobody dares to answer. We still remember similar rumors about the "Heartbleed" vulnerability a few years ago.

3. Is the Bitcoin platform an accomplice to extortion?

When ransomware chooses payment in bitcoin, it is exploiting the concealment of the bitcoin exchange platform: the payer does not interact with the payee, and you cannot trace where or who the payee is. Bitcoin is a virtual coin that, since its invention, has become a tool for transnational investment; because of its cross-border and hidden nature it has also become one of the best tools for money laundering. I remember that the United States has the Tor system, a platform for spies' intelligence and arms transactions, whose most important feature is that it is impossible to track who the money collector is.

The WannaCry operator is obviously engaged in illegal extortion; collecting money openly would expose him, and choosing bitcoin transactions protects him in disguise. Objectively it can be said that the bitcoin exchange platform has become an accomplice of the WannaCry operators' extortion.

The Bitcoin platforms have an obligation to support the rights of victims extorted by the WannaCry worm in every country, and to support countries in lawfully investigating and tracking the extortionists.

4. Where is our security heading?

There is no absolute security; it depends on what level of opponent you face. Ordinary users and ordinary enterprises have little chance of blocking attacks with a national background, especially those using 0-day vulnerabilities and advanced cyber weapons, for which the security community has a term: advanced threats. APT attacks are not discussed here, because most people think APT attacks target governments and national objectives; but now the weapons used are the same, all of the same level, and they are being used against ordinary netizens.

If you want to withstand the blow, you must first strengthen yourself. Relying on building walls will not last: the Internet is worldwide, and regardless of where national borders lie, the network connects every corner of the world. That is the general trend.

The WannaCry worm incident reminds us once again that the perimeter-defense idea based on "network boundary isolation + access control policy" is out of date, and the era of security mechanism management with "dynamic monitoring + situational awareness, identity authorization + behavior audit" at its core is coming. In other words: the center of gravity of network security defense has shifted from border inspection to internal monitoring.
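To make the two points above concrete, the port-445 spread mechanism described earlier and the shift toward internal monitoring, here is a small detector written for this article as an added example; it is not code from the author, from Microsoft, or from any security product. It reads constructed firewall-style connection records (the log format, addresses, thresholds and window length are all assumptions made for the example) and raises an alert when one host contacts many distinct neighbours on TCP/445 within a short window, which is the fan-out an SMB worm produces, and separately lists internal hosts that accepted SMB from outside the internal ranges. Denied attempts are counted on purpose: a worm probing hosts that are down or filtered is exactly the signal an internal monitor should see.

```python
"""Detect worm-like SMB (TCP/445) fan-out in connection logs.

Added example for the WannaCry article. The log format, IP addresses,
thresholds and window below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records: "<ISO time> <src> <dst> <dport> <action>".
# 10.0.1.20 behaves like an infected host sweeping its subnet on 445;
# 10.0.1.50/51 are normal file-share clients; 198.51.100.7 is external.
SAMPLE_LOG = """\
2017-05-12T14:00:01 10.0.1.20 10.0.1.21 445 allow
2017-05-12T14:00:01 10.0.1.20 10.0.1.22 445 allow
2017-05-12T14:00:02 10.0.1.20 10.0.1.23 445 deny
2017-05-12T14:00:02 10.0.1.20 10.0.1.24 445 allow
2017-05-12T14:00:03 10.0.1.20 10.0.1.25 445 allow
2017-05-12T14:00:03 10.0.1.20 10.0.1.26 445 deny
2017-05-12T14:00:04 10.0.1.20 10.0.1.27 445 allow
2017-05-12T14:00:04 10.0.1.20 10.0.1.28 445 allow
2017-05-12T14:00:05 10.0.1.20 10.0.1.29 445 allow
2017-05-12T14:00:05 10.0.1.20 10.0.1.30 445 allow
2017-05-12T14:00:10 10.0.1.50 10.0.1.5 445 allow
2017-05-12T14:00:11 10.0.1.50 10.0.1.5 445 allow
2017-05-12T14:05:00 10.0.1.51 10.0.1.5 445 allow
2017-05-12T14:06:00 198.51.100.7 10.0.1.60 445 allow
2017-05-12T14:06:30 198.51.100.7 10.0.1.60 80 allow
"""

# Assumed internal address space (RFC 1918); adjust to the real estate.
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

SMB_PORT = 445


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text: str) -> list:
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "dport": int(dport), "action": action})
    return events


def find_smb_fanout(events, min_targets=8, window=timedelta(seconds=60)):
    """Map each source that reached >= min_targets distinct hosts on 445
    within any `window` to the largest distinct-target count observed.

    Both allowed and denied attempts count: scanning is the signal."""
    by_src = defaultdict(list)
    for e in events:
        if e["dport"] == SMB_PORT:
            by_src[e["src"]].append((e["ts"], e["dst"]))

    alerts = {}
    for src, hits in by_src.items():
        hits.sort()                      # sliding window over time order
        lo, best = 0, 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > window:
                lo += 1
            distinct = len({dst for _, dst in hits[lo:hi + 1]})
            best = max(best, distinct)
        if best >= min_targets:
            alerts[src] = best
    return alerts


def find_external_smb(events) -> list:
    """Internal hosts that accepted an SMB connection from a non-internal
    source: file sharing reachable from the Internet, the WannaCry entry."""
    exposed = {e["dst"] for e in events
               if e["dport"] == SMB_PORT and e["action"] == "allow"
               and is_internal(e["dst"]) and not is_internal(e["src"])}
    return sorted(exposed)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("SMB fan-out alerts:", find_smb_fanout(evs))
    print("SMB exposed to external sources:", find_external_smb(evs))
```

On the constructed sample the fan-out check flags only 10.0.1.20 (ten distinct targets inside a few seconds), while the two legitimate clients talking to a single file server stay quiet; the exposure check reports 10.0.1.60, which should be patched for MS17-010 and have 445 blocked at the border. The threshold and window are tuning knobs: a real deployment would set them from a baseline of how many distinct SMB peers a workstation normally contacts per minute.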
