[BreachExchange] WannaCry Hack Ported to Infect Windows 10

Destry Winant destry at riskbasedsecurity.com
Wed Jun 7 22:11:15 EDT 2017


http://news.softpedia.com/news/wannacry-hack-ported-to-infect-windows-10-516264.shtml

Supported Windows versions, and Windows 10 in particular, were all secure
against the WannaCry ransomware that attacked Microsoft's operating system
last month, all thanks to a dedicated patch that the Redmond-based software
giant released in March this year.

A team of researchers at RiskSense, however, managed to port the WannaCry
exploit to infect Windows 10 as well, though it's worth mentioning from the
very beginning that no specifics have been made public and users of
Microsoft's operating system remain protected if the most recent patches
are installed.

The WannaCry ransomware is based on EternalBlue, an exploit stolen by the
Shadow Brokers hacking group from the NSA last summer and published online
earlier this year.

In order to port EternalBlue to compromise Windows 10 as well, the
RiskSense security researchers built a Metasploit module that could bypass
security features and mitigations implemented by Microsoft in its latest
operating system, including Data Execution Prevention (DEP) and Address
Space Layout Randomization (ASLR).

Additional tweaks were also implemented, including the removal of the
DoublePulsar backdoor, which the researchers say isn't needed for the
exploit to work. And because this was pulled, the exploit was also
developed to install an Asynchronous Procedure Call (APC) payload, which
allowed execution without a backdoor.

Windows 10 fully secure

RiskSense experts explain that the idea of this project was to help prevent
similar attacks in the future, and not to provide hackers with information
on how to compromise Windows 10. Details are secret anyway, so attacking
Windows 10 is very unlikely to succeed.

“We’ve omitted certain details of the exploit chain that would only be
useful to attackers and not so much for building defences. The research is
for the white-hat information security industry in order to increase the
understanding and awareness of these exploits so that new techniques can be
developed that prevent this and future attacks. This helps defenders better
understand the exploit chain so that they can build defences for the
exploit rather than the payload,” researchers explain in a paper
<http://risksense.com/download/datasets/4353/EternalBlue_RiskSense%20Exploit%20Analysis%20and%20Port%20to%20Microsoft%20Windows%2010_v1_2.pdf>.

The new exploit was built to work against Windows 10 x64 version 1511
(November Update), still supported by Microsoft as part of the Current
Branch for Business.

Windows users are again recommended to keep their systems fully up to date
and to make sure that the MS17-010 update provided by Microsoft in March is
installed on their computers.