
A Cyberattack 'the World Isn’t Ready For' - darod
https://www.nytimes.com/2017/06/22/technology/ransomware-attack-nsa-cyberweapons.html?hp&action=click&pgtype=Homepage&clickSource=story-heading&module=second-column-region&region=top-news&WT.nav=top-news
======
throwaway91111
Technical details of DoublePulsar here:
[https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial...](https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html?m=1)

------
matt_wulfeck
> _Finally, before they left, they encrypted her computer with ransomware,
> demanding $130 to unlock it, to cover up the more invasive attack on her
> computer._

Anyone having a hard time swallowing this? They broke in and were totally
undetected when they planted a... rootkit (unclear from article). While
undetected they silently stole user credentials... Then to cover it all up,
they ransomware'd the computer?

It's like breaking into a house and putting a bug in the wall, and then to
cover the tracks you smash in the front door and leave the water running in
the sink.

If the attacker was completely undetected, why intentionally jeopardize that?

~~~
Quarrelsome
No it makes perfect sense. If you want to land an advanced persistent threat
but your entry is detectable a distraction is ALWAYS a great psychological
tool. The very best and long lasting victories are made when you convince the
loser that they've won.

So the premise is that they clear the ransomware and think it's over. But it's
not.

~~~
stedaniels
And the standard way to clear the ransomware is to re-image the machine and
restore from backups. So the infection has to be hidden above the operating
system level. BIOS/SSD/HDD firmware etc.

Unless of course you don't provision machines, or keep backups. In which case
hiding on a machine being "cleaned" would be simples.

~~~
SCHiM
If you capture user credentials it doesn't really matter because you can just
come back a month later. Especially if they had domain admin access and
created a golden ticket. Also if you infect a user as opposed to a machine
your infection will be back the moment the user logs in.

~~~
okreallywtf
Would it not also be standard procedure to update credentials after being
compromised? How long would those credentials even typically be valid for?

~~~
SCHiM
Ahh well if you only compromised passwords then it depends on the domain
policy. Often something like 90 or 180 days, but sometimes also only 1 month.
But the ticket is different. An attacker can sign and create their own ticket
and determine how long it is valid. Obviously an attacker is going for the
maximum time which I think is indefinitely for golden tickets (can't quite
recall now). Also it's hard to remove the trust in such a ticket once it's
been created; it used to be so bad that the entire Forest (with all domains)
had to be rebuilt, but afaik it's easier (but not trivial) now.

~~~
NotSammyHagar
What does golden ticket mean here? Is it some kind of Microsoft credential? You
should be able to detect any kind of leftover account. A backdoor would seem
to be better.

And on this whole area, I would not encrypt someone's machine - unless you are
trying to scare someone, it would be better to have never known.

------
zyxzevn
So we are investing dollars in NSA so they make tools that bring us damage? I
think there should be a limit on how long they can keep their "secrets".
Snowden already showed that information can go outside, so any information
will be leaked at some time. The society has much more to win when the
software defects are repaired instead of used for hacking.

I think that all these NSA problems show bad management. They should be
reorganized, or maybe even abandoned. They cost more than they deliver, and
even cost us our privacy. Probably they are still breaking US and
international laws on that. Breaking up the NSA can allow the FBI and (open)
security companies to take over cybersecurity.

I suspect that we will soon have leaks of CIA tools too. But thanks to
wikileaks companies can prepare for these future problems.

We can go deeper into who got these tools and who is using them. Some may even
argue that the CIA leaked the NSA tools to weaken the NSA. Or worse, that some
in the NSA want to create cyber chaos to push for more control over the
internet in the future.

The article mentions the popular political scapegoats, and as usual this is
just speculation. To solve NSA's problem we have to request very concrete
evidence, otherwise we are just being played with.

Article:

> The Shadow Brokers resurfaced last month, promising a fresh load of
> N.S.A. attack tools, even offering to supply them for monthly paying
> subscribers — like a wine-of-the-month club for cyberweapon enthusiasts.

This shows how we are being played with. The NSA could already have published
the security details of all leaked tools, so we could all have protected our
computer systems. We could have prevented Wannacry.

~~~
nyolfen
> This shows how we are being played with. The NSA could already have published
> the security details of all leaked tools, so we could all have protected our
> computer systems. We could have prevented Wannacry.

NSA did exactly what you said and went to MS months before wcry hit, once it
was clear what shadowbrokers had, in order to patch the vulnerability that
wcry exploited: [https://technet.microsoft.com/en-us/library/security/ms17-01...](https://technet.microsoft.com/en-us/library/security/ms17-010.aspx)

Unfortunately, not everyone keeps their systems totally up to date for various
reasons.

~~~
athenot
> unfortunately, not everyone keeps their systems totally up to date for
> various reasons

Because patching requires a quick risk calculation. Should I patch to the
bleeding edge and get the latest security but risk a regression bug, or do I
wait a bit so I can run a full regression test?

On my machines, sure I like to stay on the latest and greatest. But I'm sure
there are plenty of companies that got bitten because some critical software
they rely on didn't play well with the latest OS upgrade. Blame game
notwithstanding, it comes down to a business disruption risk.

Of course, the right answer is to test the patches as they come out in a non-
production environment, and go from there based on results. But I can see
where some companies wouldn't have the resources devoted to do that on a
frequent basis, which is unfortunate.

~~~
abandonliberty
Also the security patch channel has been incredibly abused to deliver non-
patches.

~~~
cbhl
Windows 10 has tons of security patches in it. Yes, it also has some UI
changes that are less than great, but, seriously, stop using Windows XP
already.

~~~
sesqu
Windows XP is a red herring. No one uses it anymore, and WannaCry didn't even
successfully spread from that version of Windows.

Windows 7 is the new holdout, and people aren't eager to swallow 10.

~~~
PakG1
Except in countries that used XP extensively like China. Non-Microsoft parties
had to create and release patches that protected against WannaCry.

~~~
sesqu
Why? The only reason XP came up was because Microsoft went out of their way to
patch it themselves.

~~~
PakG1
Because XP patches only worked on valid licenses. A ton of XP in China is
pirated. So Qihoo 360 created custom patches for all those pirated versions of
Windows. Weird Alice in Wonderland situation.

[https://www.engadget.com/2017/05/15/pirated-windows-china-ru...](https://www.engadget.com/2017/05/15/pirated-windows-china-russia-wannacry/)

------
harshaw
So, in summary. The NSA hoards zero days (not sure if just Windows), builds
some scary tools to exploit these, and of course doesn't let MS know about
them, because zero days are incredibly valuable to the spooks. And because
perfect security is impossible these tools get out. Perhaps this was obvious
from the WannaCry episode, but this article really hammered it home for me.

Why people run any systems on Windows is beyond me (not that others are more
secure, but Windows is a bigger target).

~~~
josu
>Why people run any systems on windows is beyond me

Windows gets hacked because it is the most used desktop OS. If everybody
started using Linux, it would get hacked as often as Windows. Quoting your
comment again:

>because perfect security is impossible

~~~
runeks
The solution is not that everyone on Windows switches to Linux, just that some
of them do. You said it right there: Linux is more secure, right now, not
because it has fewer holes in it but because the incentive to find those holes
is much less than with Windows. Seems like a good enough reason to switch for
me, just don't expect it to last forever.

~~~
jl6
Farmers have known for centuries that diversification increases security, for
a small cost in efficiency.

~~~
donmatito
And THAT is my main objection to GMO / seed standardization

------
nulagrithom
I feel silly saying this, but I sometimes imagine a scenario in which the
attackers are not motivated by money but instead are aiming to simply cause as
much destruction as possible, like some kind of "cyberterrorism".

Imagine if the creators of WannaCry had decided to brick everything they
could, instead of _just_ holding data for ransom. What then?

Ben-Oni (from the article) says he sees it as "life-and-death". I agree. We're
simply not prepared for a well-coordinated attack. I think it will take a true
catastrophe before anyone really understands just how vulnerable the Internet
is.

~~~
blitmap
I'm imagining a future where systems have become so complex it's impossible to
isolate and deactivate a worm. Malware that may not be effective anymore, but
persists on the Internet hopping from unmaintained system to unmaintained
system forever.

[https://www.youtube.com/watch?v=jSospSmAGL4](https://www.youtube.com/watch?v=jSospSmAGL4)

~~~
eob
When alien archeologists study the third rock from Sol, they will find no life
save for IRC C&C bots chattering back and forth. Feels like the end to an
interesting sci-fi novel.

~~~
DonHopkins
That would be Stanislaw Lem's most depressing but aptly named masterpiece,
"Fiasco".

[https://en.wikipedia.org/wiki/Fiasco_(novel)](https://en.wikipedia.org/wiki/Fiasco_(novel))

[http://garethrees.org/2012/05/31/fiasco/](http://garethrees.org/2012/05/31/fiasco/)

2. Radio static

A radiolocation map of the planet showed hundreds of transmitters of white
noise, which merged into shapeless blotches. Quinta was emitting noise on all
wavelengths.

In the Cold War theory: “What came to mind was an image of “radio warfare”
taken to the point of absurdity, where no one any longer transmitted anything,
because each side drowned out the other… All bands of radio waves were jammed.
The entire capacity of the channels of transmission was filled with noise. In
a fairly short period of time the race became a contest between the forces of
jamming and the forces of intelligence-gathering and command-signaling. But
this escalation, too, penetrating the noise with stronger signals and in turn
jamming the signals with stronger noise, resulted in an impasse.”

Other hypotheses considered: “The noise was either the scrambling of broadcast
signals or a kind of coded communication concealed by the semblance of chaos.”
[It’s a consequence of the Shannon–Hartley theorem that the maximum
information is transferred on a channel in the form of white noise.]

~~~
gech
Sounds like American politics on the Internet right now

------
pavement
There's something about Windows exploits that just feels like a canned hunt by
now.

With stuxnet, there developed the sense that Windows received conspicuous
attention from a special class of mysterious operators.

At this point, given the tiny cottage industry that feeds a handful of
starving security analysts, I feel it's reasonable to presume that Windows is
built to be as secure as possible, and that what's possible is mostly
intentional and understood as a known quantity for special populations.

~~~
jdc0589
> given the tiny cottage industry that feeds a handful of starving security
> analysts

You may not have enough information.

~~~
pavement
I'd almost rather not know.

------
RachelF
After nuclear weapons were first invented, the big powers spent a lot of
effort in non-proliferation, to stop smaller countries building them.

Cyber weapons are not as dangerous as nukes, but much easier to copy, and much
harder to know who attacked you.

The NSA/CIA has been very lax in allowing their weapons to be copied.

~~~
ocschwar
Cyber weapons mean that during a crisis, nuclear militaries have to consider
whether their chain of command has been compromised.

Which means they are, in fact, as dangerous as nukes.

~~~
nickpsecurity
Launching a pile of nukes can kill tens to hundreds of millions of people.
People have been launching cyberweapons since they were invented with death
toll low enough that folks still reference THERAC in software deaths. Don't
play: the two are barely comparable in how many they kill.

~~~
dredmorbius
Past performance is no guarantee of future returns.

Global systemic risk is increasing. Massive infrastructure and response
disruption can be devastating.

What was the worst powerplant disaster in history? What was the primary kill
mechanism?

Related: [http://www.feasta.org/2012/06/17/trade-off-financial-system-...](http://www.feasta.org/2012/06/17/trade-off-financial-system-supply-chain-cross-contagion-a-study-in-global-systemic-collapse/)

~~~
nickpsecurity
I totally agree. I think the root of the disagreement is the subjective word
"scariest." Apparently, a nuclear disaster happening in a random place is the
scariest thing for the rest of you. For me and possibly the majority of Americans,
the scariest thing is what might happen to _us_. Especially if the odds are
high with us seeing reminders in the media.

A rogue nuclear weapon doesn't scare me. Increasingly automated cars, unpatched
cellphones, legal IDs that are hard to fix when stolen, or
bank/medical/government databases compromised all worry me more since they can
impact me and happen a lot. SCADA, too, if non-nuclear given it might be my
power plant or utility.

~~~
dredmorbius
Hint: it wasn't nuclear.

[https://en.m.wikipedia.org/wiki/Banqiao_Dam](https://en.m.wikipedia.org/wiki/Banqiao_Dam)

Though I also make the argument that the book hasn't been closed on our
nuclear disasters, and won't be. For tens of thousands of years.

Banqiao, however, has been fully resolved. (It occurred in 1975.)

------
_ao789
tldr; someone got hold of an NSA pen-tool and is slowly getting it set up for a
big global attack of sorts. And a whole long life story of some other dude..

------
WalterBright
The attack surface could be greatly reduced by putting a lot of code in ROMs
(Read Only Memory) where it won't survive a reboot.

~~~
thomasahle
Putting it in ROM also makes it unpatchable, meaning it will immediately be
infected again when it boots up.

~~~
WalterBright
Current setup: I click on bad link, malware installed on my computer that
infects my disk firmware. I remove the malware from my computer. My disk
remains compromised.

Suggested setup: I click on bad link, malware installed on my computer that
infects my disk firmware. I remove the malware from my computer. My disk is no
longer compromised.

Also, I plug a USB stick into my computer. It gets compromised. I unplug it.
It gets uncompromised. No more USB spread malware.

~~~
afuchs
Your suggested setup would allow a worm to repeatedly reinfect everything.
Some forms of malware, such as one used in an attack against Kaspersky Lab,
have been designed to do so instead of persisting directly onto the targeted
devices.

------
willstrafach
This is certainly a serious issue, but a few aspects of this article are very
strange.

> Worse, the assault, which has never been reported before, was not spotted by
> some of the nation’s leading cybersecurity products, the top security
> engineers at its biggest tech companies, government intelligence analysts or
> the F.B.I., which remains consumed with the WannaCry attack.

> “The world is burning about WannaCry, but this is a nuclear bomb compared to
> WannaCry,” Mr. Ben-Oni said. “This is different. It’s a lot worse. It steals
> credentials. You can’t catch it, and it’s happening right under our noses.”

This attack and WannaCry use the same exploitation vector (EternalBlue). It
seems that his company was targeted with a custom payload, which is definitely
unfortunate, but that is not related to the exploit itself, it is just another
form of custom code being used to perform further actions (Instead of simply
encrypting files as WannaCry was doing). This is probably even easier for an
attacker since there is now even a Metasploit module for MS17-010.

> The attack on IDT went a step further with another stolen N.S.A.
> cyberweapon, called DoublePulsar. The N.S.A. used DoublePulsar to penetrate
> computer systems without tripping security alarms. It allowed N.S.A. spies
> to inject their tools into the nerve center of a target’s computer system,
> called the kernel, which manages communications between a computer’s
> hardware and its software.

This is not a "step further" though. DoublePulsar is the implant injected by
EternalBlue and was certainly used in WannaCry. I am not sure why they had not
even taken the time to try to verify this; even the WannaCry Wikipedia page
states this
([https://en.wikipedia.org/wiki/WannaCry_ransomware_attack](https://en.wikipedia.org/wiki/WannaCry_ransomware_attack)).
Again, this is the same exploitation vector and same implant, but with a
modified payload to specifically target IDT it seems.

> For his part, Mr. Ben-Oni said he had rolled out Microsoft’s patches as soon
> as they became available, but attackers still managed to get in through the
> IDT contractor’s home modem.

This tells me: 1. Even though machines internally were patched, a contractor
was allowed to connect to the network with an unpatched machine. 2. If
machines were internally patched, how would an infected contractor be able to
do damage? I am not clear on this. They might be saying the network itself was
not attacked, but rather the attacker was able to login with the legitimate
employee's credentials and cause damage that way (In which case, something is
very wrong internally if this was possible).

I know it is not nice to victim-shame regarding security issues, and I am
trying not to do so, but it seems like the story here is phrased in a slightly
disingenuous manner. It is essentially this: An IDT contractor with an
unpatched machine and privileged network access was targeted using EternalBlue
to steal their credentials with a custom payload. It worked. After this, it is
unclear if the stated network intrusion occurred because EternalBlue spread
(Would not make sense if patched) or the contractor credentials were used
"legitimately" (Indicates poor access control and monitoring).

------
deno
I suspect this “cyberweapon” nomenclature will have serious consequences, if
it becomes popular. This is like the reverse of the usual PC language
softening, e.g. to murder is to “neutralize,” etc.

Why is NYT using this term? It’s been invented by NSA to redirect defense
funding towards their mass surveillance activity. Shouldn’t journalists point
out things like that?

~~~
mi100hael
NYT? Journalists? hah!

------
Swannie
His attack came on the 29th April - yet there were Snort signatures on the
21st April (42329, 42332, 42340) for DoublePulsar, and before that 14 March
(41978) for one of the vulnerabilities.

Despite his much lauded protection, I find it odd to believe that he's not
running Snort, and the lack of actual specifics makes me believe this is really
a piece for the mentioned Israeli security company with a "blackbox" IDS.

------
conn01
The root cause is that the more convenience, the more danger.

Cyberattacks can be easily overcome using the steps below:

1) DON'T connect your computer to the internet physically

2) if you want to use the internet, use another PC which has no credential
data

3) for banking/shopping online, etc. we should use a dedicated device which couldn't be
reprogrammed.

Sacrifice a little convenience for safety. That is it.

~~~
jdc0589
What purpose would an airgapped computer even serve for 99% of people?

------
philanthropist
So from the article, it sounds like DoublePulsar is already patched, but due
to computers lacking the patch, it still got in. Have I got that right? Also,
what is the attack vector here? Because if, like wannacry, it was an email,
then surely the defence is the same as before, be careful what you download?

------
rjblackman
I am quite surprised no one has used an exploit for RomPager yet and used it
to take down most of the internet.

------
cube00
“I don’t pursue every attacker, just the ones that piss me off,”

Why paint a target on your back saying things like this?

~~~
jacobolus
> _By Mr. Ben-Oni’s estimate, IDT experiences hundreds of attacks a day on its
> businesses, but perhaps only four each year that give him pause._

There’s not enough time to pursue hundreds of new attackers every day, most of
whom are not competent enough to be a serious threat. Presumably a big part of
Ben-Oni’s job is to figure out which attackers can safely be ignored and which
ones he needs to worry about tracking down.

------
mi100hael
> _Metasploit, an automated hacking tool, now allows anyone to carry out these
> NSA attacks with the click of a button._

What a time to be alive

~~~
Kostic
Actually, that's good. Now that anyone can with ease exploit unmaintained
systems, people will need to start caring about security.

------
rqmedes
Critical infrastructure, Economic stability, nation states preparing/probing
for war/advantage?

------
microcolonel
> In the pecking order of a computer system, the kernel is at the very top,
> allowing anyone with secret access to it to take full control of a machine.
> It is also a dangerous blind spot for most security software, allowing
> attackers to do what they want and go unnoticed.

Why do journalists even try to explain things like this? Do they ever get it
right? Does it ever not just go over people's heads?

------
exabrial
Aka 'Live Free or Die Hard'. Saw it. Bruce Willis runs out of bullets and
shoots a helicopter down with a car.

~~~
ozzmotik
Why can't I just upvote this a million times

------
bradknowles
Got a non-paywall link?

~~~
dredmorbius
Outline.com or archive.is

------
King-Aaron
So does everyone here just subscribe to the NYTimes, or am I missing something
when it comes to all these paywalled articles (other than, you know, missing
the article itself?)

~~~
thirdsun
If you don't see the article it means that you probably already read 10 other
NYTimes articles this month at which point they require a subscription.

~~~
King-Aaron
Yeah I do realise that - however so many NYT links appear in ycomb every day,
it doesn't take much to hit that limit, especially since I launch articles
through that 'Panda' Chrome extension, so you don't really get much chance to
screen the links other than the small link preview in the bottom left.

I was wondering if people go through an alternative site/app to serve the
articles - bypassing the paywall - or if everyone's just in the same boat as
me? Some other forums I'm with tend to make note of a paywalled link.

~~~
ekips2
If you're consuming that much of their content, maybe it's something you
should pay for?

------
natch
Now that they lost control of their napalm bombs which are now burning
innocent targets, where is the NSA?

A little bit of taking responsibility please? They could at least lead the
charge to get this stuff dealt with now.

------
droopybuns
Most companies hiring and empowering decent security people would have avoided
this bullshit, due to all the twitter signaling.

Noobs: follow @hackerfantastic

------
6stringmerc
What's the real math, a full-scope attack might do what, cripple 30% of the
Modernized World at any given time? Maybe for a week? Shit, y'all need to
catch up on nature a little bit. Sometimes a forest fire burning things to the
ground inspires new, stronger life and recovery. Also, if you think I'm being
a dick, I'm paraphrasing Tim Berners Lee about his views on the modern
Internet.

~~~
tomek_zemla
That would be nice, but the sad reality is that most likely a lot of people
would die during this 'catching up on nature' time...

~~~
glial
Messing up the global food supply chain would be no joke.

------
BatFastard
Give the NSA a break, they handle more secrets than I can imagine. And at
least they managed to hold onto the Russian Golden Shower video!

Suggesting that the USA get rid of the NSA is like saying "Crap, terrorists
got a hold of a nuclear weapon, lets unilaterally get rid of all of our
weapons and hope for the best!"

~~~
Sniffnoy
But rather than "NSA" or "no NSA", there's another alternative: Defense-only
NSA (or at least, defense-heavy NSA, where the vulnerabilities equities
process has been altered to heavily favor disclosure). Instead of unilateral
disarmament, disarming ourselves while also forcibly disarming others.

~~~
BatFastard
While I like that idea for being the "right" thing to do, I can see why
they don't want to give up every exploit as soon as it is found.

------
qb45
> he would not stop until the attacks had been shut down and those responsible
> were behind bars.

That's cute. I wonder if he means Microsoft, people who use Microsoft products
in safety-critical systems or maybe some nuke-capable nation state hiding
behind tor, VPN, custom IoT botnet, another layer of tor and another VPN?

