Vulnerabilities and Exploits Flashcards
ETERNAL BLUE
EternalBlue is an exploit for a vulnerability in Microsoft Windows operating systems. It was originally developed by the United States National Security Agency (NSA) and leaked by a hacking group called the Shadow Brokers in 2017. The vulnerability is tracked by the Common Vulnerabilities and Exposures (CVE) identifier CVE-2017-0144 and has a CVSS (Common Vulnerability Scoring System) score of 9.3, indicating its critical severity.
EternalBlue takes advantage of a flaw in the Windows Server Message Block (SMB) protocol, which is used for file and printer sharing on local networks and the internet. The exploit allows an attacker to remotely execute malicious code on a vulnerable Windows system without user interaction. This means that an attacker could propagate malware, such as ransomware or worms, across a network by exploiting the vulnerability.
The exploit works by targeting a buffer overflow vulnerability in the SMBv1 protocol. When successfully exploited, it grants the attacker the ability to execute arbitrary code on the target system, potentially leading to unauthorized access, data theft, or the spread of malware. The WannaCry ransomware attack in 2017 was one of the most notable incidents that utilized the EternalBlue exploit, infecting hundreds of thousands of computers worldwide and causing significant disruption.
Microsoft released security patches to address the vulnerability and advised users to update their systems to protect against potential attacks. This incident highlighted the importance of promptly applying software updates and patches to safeguard against known vulnerabilities.
https://www.avast.com/c-eternalblue
https://www.newnettechnologies.com/e
WANNACRY
Name of Threat Actor: The WannaCry ransomware attack is often attributed to the North Korean hacking group known as Lazarus Group (also known as Hidden Cobra). This group has been associated with various cybercriminal activities, including cyber espionage and financial theft.
Impact: The WannaCry ransomware attack had widespread and significant impacts on a global scale. It affected over 200,000 computers across more than 150 countries. Some of the notable impacts include:
Data Encryption: WannaCry encrypted files on infected computers, making them inaccessible to users. This included personal files, business documents, and critical system files.
Disruption: Numerous organizations, including healthcare institutions and government agencies, experienced disruptions in their operations. Some medical facilities had to cancel appointments and surgeries due to compromised computer systems.
Financial Losses: The attack resulted in substantial financial losses due to lost productivity, ransom payments, and the cost of recovering or replacing infected systems.
Public Awareness: The attack garnered significant media attention, raising public awareness about the importance of cybersecurity and the potential impact of ransomware attacks.
Method: The WannaCry attack utilized the EternalBlue exploit, which was originally developed by the NSA and later leaked by a hacking group called the Shadow Brokers. The exploit targeted a vulnerability in the Windows Server Message Block (SMB) protocol, allowing the ransomware to spread quickly within networks. The attack method involved the following steps:
Initial Infection: WannaCry was often spread through phishing emails containing malicious attachments or links. When a user clicked on the attachment or link, the ransomware gained a foothold on the system.
Propagation: Once inside a network, WannaCry used the EternalBlue exploit to search for and infect other vulnerable computers on the same network. This self-propagation mechanism allowed the ransomware to rapidly spread within organizations.
File Encryption: Upon infecting a system, WannaCry encrypted the user’s files, rendering them inaccessible. A ransom note appeared on the victim’s screen, demanding a ransom payment in Bitcoin in exchange for the decryption key.
Ransom Payment: Victims were instructed to make a ransom payment to a specific Bitcoin address. However, even if victims paid the ransom, there was no guarantee that they would receive the decryption key.
The WannaCry attack highlighted the importance of promptly applying security patches and updates, as well as maintaining strong cybersecurity practices to defend against both known and emerging threats.
MELISSA VIRUS
Name of Threat Actor: The Melissa virus was created by David L. Smith, a computer programmer and hacker. He was arrested and sentenced for his involvement in creating and distributing the virus.
**Motivation of Threat Actor:** David L. Smith, the creator of the Melissa virus, stated that his motivation behind creating and releasing the virus was a combination of curiosity and a desire to disrupt and cause chaos within computer systems. He wanted to see the virus spread rapidly and observe its effects on email systems and networks. Smith was not driven by financial gain, as was the case with some other malware creators. Instead, he seemed to be interested in the technical challenge and the notoriety that would come from his actions.
Origins of the Name “Melissa”: The name “Melissa” has its origins in a Florida stripper whom David L. Smith had encountered. He chose the name for the virus to add a personal touch and to give it a seemingly innocuous and non-threatening identity. This choice of name, while unrelated to the virus’s functionality, was likely an attempt to disarm potential victims and make them more likely to open the infected attachments. The contrast between the seemingly harmless name and the destructive nature of the virus added to its initial success in spreading rapidly through email systems.
**Impact:** The Melissa virus, also known as “MailMacro,” was one of the most notorious email-borne viruses of its time and had a significant impact on computer systems and networks. Some of the key impacts include:
Email Disruption: Melissa spread rapidly through email, causing email servers and networks to become overloaded with traffic. This led to email slowdowns, server crashes, and disruptions in communication for many individuals and organizations.
Document Corruption: The virus infected Microsoft Word documents, altering the documents’ content and potentially causing data loss or corruption when users opened the infected files.
Economic Impact: The widespread disruption caused by Melissa resulted in productivity losses for businesses and organizations. The need to clean and recover infected systems also incurred additional costs.
Awareness and Response: The Melissa virus raised awareness about the vulnerability of email systems to viruses and the importance of implementing strong cybersecurity measures.
**Method:** The Melissa virus was primarily distributed via email and relied on social engineering to propagate. The attack method involved the following steps:
**1. Infected Email Attachment:** The attack started with an infected email attachment, often labeled with enticing subject lines like “Important Message from [Name]” or “Here is that document you asked for… don’t show anyone else ;-).” The attachment was typically a Microsoft Word document.
**2. Macros Exploitation:** When users opened the infected Word document, the virus used a macro (a sequence of instructions) to replicate itself. The macro would then access the user’s Outlook email application and send the virus to the first 50 contacts in the user’s address book.
**3. Rapid Spread:** Due to the viral nature of the email propagation, the Melissa virus spread quickly across email systems and networks. Within a short period, it infected a large number of computers and caused significant disruption.
**4. Payload and Content Change:** In addition to replication, the virus also inserted a quote from the television show “The Simpsons” into the infected document. This alteration was a way for the virus author to showcase his identity and demonstrate the successful infection.
The Melissa virus demonstrated the potential damage that could be caused by a self-propagating email-borne virus and highlighted the importance of educating users about safe email practices, such as not opening suspicious attachments or clicking on links from unknown sources. It also emphasized the need for strong email filtering and security measures to mitigate the risk of such attacks.
Smith’s decision to name the virus “Melissa” highlights the psychological tactics that malware creators sometimes employ to manipulate users into taking actions that are detrimental to their own cybersecurity. It also underscores the importance of skepticism and caution when interacting with digital content, especially from unknown or unexpected sources.
https://www.fbi.gov/news/stories/melissa-virus-20th-anniversary-032519
STUXNET