Ransomware attack may have a North Korean link, say security researchers

[CrAKeN]

 

WannaCrypt/WannaCry ransomware has affected Windows XP systems across the globe. - Image: Cisco Talos

 

Could the hackers thought to be behind the 2014 Sony Pictures breach be responsible for the WannaCry ransomware?

 

The hunt is on to find the cyberattackers behind the massive ransomware campaign which has claimed more than 200,000 victims in over 150 countries, including the UK's National Health Service, and businesses and government institutions in Russia, China, and the US.

 

Law enforcement agencies across the world are collaborating on an effort to identify those behind WannaCry, but are unwilling to speculate on the identities of any perpetrators at this time.

 

Cybersecurity researchers, however, have tentatively linked the WannaCry ransomware campaign to the Lazarus group, a hacking operation which is believed to have links to North Korea.

 

A well-resourced operation, the Lazarus group has been connected to a number of high-profile cyberattacks in recent years. They include the $80m Bangladeshi cyber bank heist, as well as attacks against financial institutions, banks, casinos, and systems used by software developers for investment companies around the world.

 

It's thought that the group might also have been behind the 2014 Sony Pictures hack, which supposedly was carried out in response to a comedy film about North Korea, although Pyongyang has never admitted any involvement.

 

Speculation that Lazarus might be in involved with the recent Wannacry outbreak started when Google researcher Neel Mehta posted a mysterious string of characters in a tweet alongside the hashtag #WannaCryptAttribution'.

 

The string is two samples of code which share similarities: one is from a WannaCry encryptor example from February this year, and the other is a Lazarus APT group sample from February 2015.

 

Cybersecurity researchers at Kaspersky have posted an image of the code comparison in a blog post and suggest that the two pieces of code share a common author.

 

 

Comparison of the code behind Lazarus and WannaCry - Image: Kaspersky Lab

 

"We strongly believe the February 2017 sample was compiled by the same people, or by people with access to the same sourcecode as the May 2017 Wannacry encryptor used in the May 11th wave of attacks," said Kaspersky researchers, adding how Mehta's discovery "is the most significant clue to date regarding the origins of Wannacry".

 

Researchers at Symantec have also noted similarities in the shared code between known Lazarus tools and the WannaCry ransomware, noting the SSL implementation uses a specific sequence of 75 ciphers which to date have only been seen in Lazarus and WannaCry malicious software.

 

While these links don't definitively prove anything, Symantec researchers said: "We believe that there are sufficient connections to warrant further investigation."

 

Kaspersky researchers added that "in theory anything is possible". For example, the code might have somehow been stolen or copied from the Lazarus group. Nonetheless, they say the idea of this being a false flag -- that is, an attempt to trick investigators -- is "although possible, improbable".

 

When machines become infected by Wannacry ransomware, their users are issued with a ransom of $300 in Bitcoin for unencrypting their files. That doubles to $600 if the demand isn't met within three days, and if a week goes by without payment, the victims are threatened with permanent deletion of their files.

 

However, while over 200,000 victims were infected by the ransomware worm, just 233 ransoms totalling $64,472 had been paid as of Tuesday morning, according to a Twitter bot monitoring the bitcoin wallets tied to WannaCry.

 

Source

[SPECTRUM]

Lazarus and WannaCry both are from USA according to compilers, not from NK.

 

and it was designed specially to attack USA enemies, such as Russia, China, NK and few others.

 

[steven36]

34 minutes ago, SPECTRUM said:

Lazarus and WannaCry both are from USA according to compilers, not from NK.

 

and it was designed specially to attack USA enemies, such as Russia, China, NK and few others.

 

Were do you get you're news from the moon? that's not what they Kaspersky and Symantec said at all they  it was to early to tell if  the Shadow Brokers was from NK.

 

as far as Lazarus Kaspersky and others said  they had IPs from NK

Quote

One of the most interesting discoveries about Lazarus/Bluenoroff came from one of our research partners who completed a forensic analysis of a C2 server in Europe used by the group. Based on the forensic analysis report, the attacker connected to the server via Terminal Services and manually installed an Apache Tomcat server using a local browser, configured it with Java Server Pages and uploaded the JSP script for C2. Once the server was ready, the attacker started testing it. First with a browser, then by running test instances of their backdoor. The operator used multiple IPs: from France to Korea, connecting via proxies and VPN servers. However, one short connection was made from a very unusual IP range, which originates in North Korea.

 

Source Kaspersky:

https://securelist.com/blog/sas/77908/lazarus-under-the-hood/

 

[steven36]

 

Quote

 

Who's Behind The Ransomware Pandemic? One Small Clue Points To North Korea

 

 

As law enforcement and security experts from across the world start investigating who was behind the massive outbreak of the WannaCry ransomware, one clue has got them salivating. It points to North Korea.

 

The clue lies in the code. Google security researcher Neel Mehta posted a mysterious tweet linking to two samples of malware: one was WannaCry, the other a creation of a gang of hackers called the Lazarus Group, which has been linked to the catastrophic 2014 hack of Sony and attacks on the SWIFT banking system that resulted in a record $81 million cyber theft from a Bangladeshi bank. Lazarus was also said to be North Korean, according to previous analyses by numerous security firms.

 

After Mehta's post, Kaspersky Lab probed the code, as did Proofpoint security researcher Darien Huss and founder of Comae Technologies Matthieu Suiche. All have been actively investigating and defending the web against WannaCry and were intrigued at the possible link to North Korea.

 

All believe that Mehta's find could provide a clue as to the possible creators of WannaCry, which borrowed from an NSA hacking tool to infect as many as 200,000 systems, causing serious delays and downtime at hospitals in the U.K. and taking out Nissan and Renault car factories, amongst other issues. But, they all note, it could be a false flag purposefully lodged in the code to lead everyone down the wrong path.

 

What code was copied?

Mehta and the researchers who pounced on her find said that a chunk of WannaCry was 100 per cent the same as a slice of Contopee, the malware used by the Lazarus Group. WannaCry was from February 2017, Contopee from the same month in 2015. The apparently copied code was used in both malware samples for a random code generation feature; it would generate a random number between 0 and 75. That would be used to encode data, putting some obfuscation around the malware's operation to help it avoid detection by security tools.

 

Based solely on the copied code, Kaspesky Lab said it was "the most significant clue to date regarding the origins of WannaCry." Director of the global research and analysis team at Kaspersky Lab, Costin Raiu, told Forbes the malware Mehta was investigating appeared to be the same as that found by BAE Systems, linking the Bangladesh bank heist group with Lazarus. "Of course, more research is required at this time, but Neel might have found the WannaCry Rosetta Stone," Raiu added.

 

Suiche agreed: "It would also subscribe to the Lazarus Group narrative... They are known for targeting financial institutions like banks. The fact they did ransomware to steal money over cryptocurrency would subscribe to the same modus operandi."

 

What makes the clue especially intriguing is that the code might be unique, linked only to Lazarus and no one else. One researcher, who asked to remain anonymous, said there were very few matches when comparing the code to malware in a vast virus repository he had access to. It appeared likely the WannaCry hackers borrowed from a very limited set of tools used by the Lazarus Group alone and no other malicious actors, he said, making it a little more likely the two were associated.

 

Security giant Symantec, which has tracked the Lazarus Group over recent years, said it had found some interesting links too. Its researchers found earlier versions of WannaCry in April and early May that weren't widely distributed, but were uncovered on systems shortly after being hacked with known Lazarus tools. "However, we have not yet been able to confirm the Lazarus tools deployed WannaCry on these systems," the firm qualified. WannaCry also used forms of web encryption "that historically was unique to Lazarus tools."

 

Vikram Thakur, technical director at Symantec, said his team had been investigating possible links to major cyber groups since Friday. He also noted some slightly odd behavior from those behind WannaCry, in particular their use of shared Bitcoin wallets to cash out. By including those in the malware code, it'll be easy to follow the money if they ever decide to draw out. This left Thakur wondering: were the attackers just trying to cause global damage rather than make money? From the Sony attacks and destructive hacks on South Korea that have been linked to Lazarus, it wouldn't be out of the question for the crew to be involved in the massively troublesome malware outbreak that led to possibly life-threatening situations in British hospitals.

 

Far from definite

All of this should be taken with a sizeable pinch of salt, however. The clue is far from clear and the information could have been planted to mislead researchers and law enforcement as they investigate, security experts said.

 

The anonymous researcher said he had looked at the code for hours and was "not sold." "There is overlap but the functionality doesn't appear unique."

Similarities in code do not mean they're owned by the same hacker. As noted by Huss, the Lazarus Group is known to create tools based on open source code. "My main concern is that the overlapping function in question may have been ripped from some code somewhere," he added. "We should be cautious as there's a real possibility that this is just some code overlap from something that was copied by two different groups."

 

Hackers all too regularly borrow code. Indeed, it could also be that a group found the Lazarus Group's tools and re-used them. Or, as Thakur noted, there could be 2,000 malware samples that have been kept secret on some underground forum where criminals are sharing tools.

But in a case with few leads, where the $60,000 in Bitcoin stolen from WannaCry victims hasn't been traced back to any perpetrator, it's at least something.

 

https://www.forbes.com/sites/thomasbrewster/2017/05/15/whos-behind-the-ransomware-pandemic-one-small-clue-points-to-north-korea/#636c5ed37d3a

 

[SPECTRUM]

2 hours ago, steven36 said:

Were do you get you're news from the moon?

 

no, just personal investigation.

 

2 hours ago, steven36 said:

as far as Lazarus Kaspersky and others said  they had IPs from NK

 

yes and no, IPs are from many countries because it use some TOR nodes, which are located in different countries, but that does not means that these countries are involved in the creation of it.

 

 

[steven36]

36 minutes ago, SPECTRUM said:

 

no, just personal investigation.

 

 

yes and no, IPs are from many countries because it use some TOR nodes, which are located in different countries, but that does not means that these countries are involved in the creation of it.

 

 

There are no TOR IPs for NK lol it;s closed country . any one  who says stuff like that without  proof / posting any links to back them up  i have my doubts they investigated  at all

 

Here you can see  nodes with the flag "Guard".

https://atlas.torproject.org/#search/flag:Guard

You get use Advanced Onion Router  and see they don't have no ips as well on TOR a lot of countries don't have any.

 

Last reported they only have like a had a total of 1024 ips between a couple thousand users - only accessible by government and foreign dignitaries.

 Even the Pyonyang University for Science and Technology only gets one IP.

A peek into North Korea's Internet

http://money.cnn.com/2014/12/22/technology/security/north-korean-internet/

 

 

 

[tao]

3 Security Firms Say WannaCry Ransomware Shares Code with North Korean Malware

 

While initially, we thought this would be a silly and unsubstantiated discovery, the number of security firms claiming they've identified and confirmed connections between the WannaCry ransomware and malware used by the Lazarus Group has now gone up to three.

 

These somewhat crazy rumors started on Monday when Google security researcher Neel Mehta tweeted the MD5 hashes of two malware samples.

9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598
ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4#WannaCryptAttribution

— Neel Mehta (@neelmehta) May 15, 2017

The hashes were for a sample of the WannaCry ransomware (early beta, released in February 2017) and the Contopee backdoor, previously attributed to the Lazarus Group.

 

If the name sounds familiar it's because this is the codename given to a group of hackers responsible for the Sony hack, the SWIFT bank attacks, and the hacks of various other financial institutions across the world. Experts believe the group is based on North Korea and associated with the official government, mainly because of its historical focus on attacking South Korean organizations and state agencies.

Links between WannaCry and Lazarus Group malware

Two days later after Mehta's tweet, security firms such as Kaspersky Lab, Symantec, and BAE Systems, have now put their full backing into claims that there might be a connection between North Korea's Lazarus Group and the WannaCry outbreak.

 

These companies make these connections based on some very skimpy claims, so they should not be taken as universal or conclusive proof that North Korea developed and released WannaCry.

 

According to the three companies, here are on what they base their claims on:

 

⍟ 2015 Contopee backdoor sample and February 2017 WannaCry sample use an identical random buffer generator function
⍟ Contopee and WannaCry were written in C++ and compiled using Visual Studio 6.0
⍟ the usage of leet speak inside the code

 

Some of these similarities are just ridiculous, as there is plenty of malware authors that write their code in C++, compile in Visual Studio 6.0, and use leet speak.

 

On the other hand, the code overlap between the Contopee and WannaCry samples is quite interesting.

 

"The implementation of this [random buffer generator] function is very unique," says Sergei Shevchenko and Adrian Nish, BAE Systems experts, "- it cannot be found in any legitimate software."

 

Symantec takes this explanation further.

 

"Symantec has determined that this shared code is a form of SSL. This SSL implementation uses a specific sequence of 75 ciphers which to date have only been seen across Lazarus tool," the company explains, also revealing they found a similar SSL implementation in the Brambul backdoor, another of Lazarus Group's hacking tools.

Are these valid claims?

Not really. The Contopee and Brambul samples have been discovered and analyzed years before, in 2015. It is not unheard of for malware authors to grab code from other malware samples when piecing together new tools. This actually happens more often than most people think.

If you're worried someone will trace your malware, just wait ten minutes. Inevitably someone will attribute it to a nation state.

— Matthew Green (@matthew_d_green) May 16, 2017

The WannaCry ransomware — also known as WCry, WanaCrypt0r, WannaCrypt, or Wana Decrypt0r — looks like the work of an unsophisticated group, which also explains why we've seen at least three to four versions in the past three months without the SMB self-spreading component.

 

All clues point to the fact the group was slowly building their ransomware up until they added the SMB self-spreading worm component, at which point the authors couldn't contain it anymore, and the ransomware spread to over 215,000 computers worldwide.

 

Most experts believe WannaCry was an in-dev ransomware at the moment it broke into an outbreak, on Friday, because current samples aren't even obfuscated and have a bug that prevents WannaCry from using unique Bitcoin addresses for each victim.

#WannaCry has code to provide unique bitcoin address for each victim but defaults to hardcoded addresses as a result of race condition bug

— Security Response (@threatintel) May 16, 2017

Possibility remains

On the other hand, we can't exclude WannaCry being the work of North Korean hackers. Symantec has gone on record saying they've found other Lazarus Group malware on computers that were previously infected with earlier versions of the WannaCry ransomware (without the SMB module).

 

In recent months, it has become a trend for cyber-espionage outfits to deploy ransomware on the computers they've compromised, as a way to disguise their presence.

 

Cyber-espionage groups operate on the presumption that hacked victims would see the ransom notes and restore from backups or reinstall their OS from scratch, deleting logs and other evidence of their presence along the way.

 

For example, cyber-espionage-grade malware such as KillDisk and Shamoon have recently added ransomware modules that they deploy after stealing data from their targets, as a way to disguise a hack's true purpose.

 

Either way, for the time being, the theory that North Korea created and deployed WannaCry as a way to wreak havoc across the world still stands, as absurd as it sounds.

This looks more and more like an op designed to create political turmoil. https://t.co/dsiqZS345l

— Stefan Esser (@i0n1c) May 15, 2017

More details, and even wild theories, will surface in the following weeks or months, as security firms break apart each line of code in the WannaCry ransomware.

 

[DKT27]

Without going too political, I strongly believe there has to be come sort of Vienna Convention against cyber warfare by any nation and it should be signed by each and every country, it's high time we do this.

 

Another thing, one of the biggest people hit, atleast socially were the British, something we should not forget I think.

[dufus]

Five Eyes Intelligence Meeting In New Zealand

http://malaysianaccess.com/five-eyes-meeting-security-new-zealand/