Eternally Blue : Baltimore City Leaders Blame NSA for Ransomware Attack

upnorth · May 29, 2019

The mayor and city council president of Baltimore are pushing for the ransomware attack that brought Baltimore's city government to a standstill to be designated a disaster, and officials are seeking federal aid to help pay for the cleanup from the RobbinHood malware's damage. This call came after a New York Times report that the ransomware used the EternalBlue exploit developed by the National Security Agency to spread across the city's network.

EternalBlue was part of a set of tools developed for the NSA's Tailored Access Operations (TAO) group that were leaked by Shadow Brokers in 2017. The tool was then used two months later as part of WannaCry, the destructive cryptographic worm that affected thousands of computers worldwide. Shadow Brokers has been linked by some security experts to a Russian intelligence agency; WannaCry has been attributed to North Korea's military. After being alerted by the NSA. Microsoft issued a security patch for the vulnerability exploited by EternalBlue (among others) in March of 2017, even issuing patches for Windows Vista (which was at the time just about to be dropped from long-term paid support) and Windows XP (which had already dropped out of support).

The WannaCry malware attack arrived as many companies were still testing the patch for deployment. Now two years later, the protocol exploited by EternalBlue, WannaCry, and the NotPetya ransomware worm (Server Message Block version 1, or SMB v.1) is still visibly in use by more than 1 million Internet-connected computers worldwide, according to data from the security search engine Shodan. As Ars recently reported, thousands of those computers are part of the networks of US school districts; many more belong to local governments, law enforcement organizations, state universities, community colleges, and other public institutions. Even more of these vulnerable machines run inside similar organizations' networks, concealed from scans by firewall filters but still vulnerable to the exploit if an attacker gains access through another means. In Baltimore's case, several sources have told Ars that the ransomware arrived via a phishing attack against a city employee. It is not clear if the phishing attack was targeted. Once the initial foothold was established by RobbinHood's operators, the ransomware was spread across the network—at least in part by using code cut-and-pasted from the EternalBlue tool leaked by ShadowBrokers.

plat · May 29, 2019

Baltimore City is rather poor in terms of funding, but at the risk of sounding insensitive, doesn't the fault ultimately lie with the administrators of the network? Warnings were clearly out there to patch and/or upgrade. Employees should have been educated on phishing in-house--who on earth is going to go out at his/her expense and do this for an entire city network at no charge?

Leave your sense of entitlement at the curb, own it and move on. Ridiculous.

plat · Jun 1, 2019

Here is something relevant and interesting, posted at Wilders:

Your threat model is wrong

Your threat model is wrong May 29, 2019 https://blog.erratasec.com/2019/05/your-threat-model-is-wrong.html Several subjects have come up with the past...

www.wilderssecurity.com

OK, so don't enable regular, untrained employees to open emails, then. Ransomware is a fact of life.

upnorth · Jun 5, 2019

Over the past few weeks, a Twitter account that has since been confirmed by researchers to be that of the operator of the ransomware that took down Baltimore City's networks May 4 has posted taunts of Baltimore City officials and documents demonstrating that at least some data was stolen from a city server. Those documents were posted in response to interactions I had with the ransomware operator in an attempt to confirm that the account was not a prank. In their last post before the account was suspended by Twitter yesterday, the operator of the Robbinhood account (@robihkjn) answered my question, "Hey, so did you use EternalBlue or not?": absolutely not my friend

The account was shut down after its operator posted a profanity and racist-tinged final warning to Baltimore City Mayor Bernard "Jack" Young that he had until June 7 to pay for keys to decrypt files on city computers. "In 7 Jun 2019 that's your dead line," the post stated. "We'll remove all of things we've had about your city and you can tell other [expletives] to help you for getting back... That's final dead line."

The Robbinhood account's initial post included extremely low-resolution images to prove that the individual or group behind the account had access to Baltimore City's network prior to the ransomware being triggered. That image included passwords to a shared network directory for use in installing an older version of Symantec Endpoint Protection, an image of a faxed subpoena for a lawsuit against the mayor's office, and what appears to be lists of user names and hashed passwords for a number of city employee accounts.

The statement by Robbinhood's operator that EternalBlue was not used to spread the ransomware within Baltimore City's networks is obviously not hard evidence that the NSA exploit exposed by Shadow Brokers wasn't used in the attack. There are a number of reasons the attacker would lie about it—including boosting their marketing message. Stewart and Sifford said that they believe the attacker is likely using the attack on Baltimore as a way to get publicity for offering Robbinhood as a ransomware-as-a-service offering, allowing others to rent the ransomware to extort others. Revealing the exploits used to spread the ransomware would be, in that case, a horrible business move. Making such a big publicity play over a ransomware target is rare in such attacks, as is posting proof of compromised files, because that is generally bad for business. Organizations that pay ransomware demands usually do so to avoid publicity and do so under the assumption that none of their data was stolen. But government targets are less likely to pay, and seeking publicity may be a way to build political pressure on the target to pay up. There's another possible explanation of the behavior of the Robbinhood attacker: they may have been in Baltimore's network for some time and released the ransomware only after extracting whatever value they could from network access.

Baltimore ransomware perp pinky-swears he didn’t use NSA exploit

Twitter account shut down after final, expletive-laced warning to mayor.

arstechnica.com

[correlate] · Jun 5, 2019

upnorth said:

The blame is also placed on protection companies that limit the right of protection to companies only that they do not provide protection programs dedicated to ransom attacks
They want to make profits only

upnorth · Jul 1, 2019

Missed out on this. It was shared on the 4th of June.

Dave Russo · Jul 1, 2019

upnorth said:
Missed out on this. It was shared on the 4th of June.

Do you know which Ransomware got through there defense,Don"t they have secure backups, why is it so hard to trace the origin of these attacks?,what program, endpoint I guess got breached?Upnorth they should really consider hiring someone like you or some other from this site.Thanks for another great read

DeepWeb · Jul 1, 2019

Switch to Linux, upgrade to Windows 10. There are so many ways to solve this. Computer illiteracy is the real problem. Why are government computers running on outdated software??

upnorth · Jul 2, 2019

Dave Russo said:
Do you know which Ransomware got through there defense,Don"t they have secure backups, why is it so hard to trace the origin of these attacks?,what program, endpoint I guess got breached?

The Ransomware.

A Closer Look at the RobbinHood Ransomware

The RobbinHood Ransomware is the latest player in the ransomware scene that is targeting companies and the computers on their network. This ransomware is not being distributed through spam but rather through other methods, which could include hacked remote desktop services or other Trojans that...

www.bleepingcomputer.com

Robbinhood Malware Analysis with Radare2

Learn how to reverse engineer golang malware using Radare2. This article will explain how the gopclntab works and how we can use it to extract function names. This process is explained using the Robbinhood Ransomware that attacked Baltimore.

goggleheadedhacker.com

Information about Baltimores IT infrastructure ( backups, software and endpoints used etc ) is pretty hard to come by. I was able to find this general information, but it dosen't say when it was posted. Probably before the attack occurred. It does though give a bit of insight.

The City lacks consistency in virtually every area of technology development: application development, hardware platforms, software, networking, and procurement. By developing appropriate standards for technology and procurement, not only could data sharing and interoperability issues be minimized, but IT-related costs could be better managed.

A particular bias towards developing custom software rather than using commercially available packages was observed in the studied departments. Not only is custom software more expensive to develop, but it often impedes process improvements because the software is designed to reflect the processes in place at the time of development (reinforcing inefficient processes) and is often not flexible enough to change easily. Requests for custom application development must be thoroughly scrutinized and only approved if it can be demonstrated that there exist no viable commercially available alternatives.

The Greater Baltimore Committee - Greater Baltimore Committee

Greater Baltimore Committee improves the business climate of the Greater Baltimore region by organizing its leadership to develop solutions to the problems that affect the region’s competitiveness & viability

gbc.org

Baltimore’s new mayor, Bernard “Jack” Young.

"There is a backup system with the IT department," he said, "but we can't just go and restore because we don’t know how far back the virus goes. So I don’t want people to think that Baltimore doesn’t have a backup."

“RobbinHood” ransomware takes down Baltimore City government networks

A year after 911 system hit, most of city’s networks are down.

arstechnica.com

The city's legal department was the first to move to a cloud-based model. But the ransomware attack has accelerated OIT's plans to push more services into the cloud; email services, which still have not been restored, have already been redirected to a Microsoft-hosted service.

Quote from main article in this thread. Glad to see Baltimore finally started to wake up.

plat · Jul 30, 2019

Reportedly, it has taken Baltimore a month just to stir toward a waking state. I used to live there, the Inner City is very poor and crime-ridden. Nothing much has changed since I left there, except a rapid decline in its population. Recently, the US President called it a "rat infested mess."

Cybersecurity officials warn state and local agencies (again) to fend off ransomware

Three Louisiana school districts, Georgia agency part of the latest round of victims.

arstechnica.com

There is a mental block to be pro-active in these matters that affect many thousands of people. So criminally slack and greedy. I'm more concerned for the security of municipal infrastructure, a thousand times more than I am for the security of this puny little machine.

Edit: A South African city's power supplier was knocked offline by ransomware, causing power outage. This has lethal potential during heatwaves.

upnorth · Aug 1, 2019

plat1098 said:
A South African city's power supplier was knocked offline by ransomware, causing power outage. This has lethal potential during heatwaves.

Very true and also when it hits hospitals, fire departments etc. Key infrastructure.

Burrito · Aug 1, 2019

plat1098 said:
Reportedly, it has taken Baltimore a month just to stir toward a waking state. I used to live there, the Inner City is very poor and crime-ridden. Nothing much has changed since I left there, except a rapid decline in its population. Recently, the US President called it a "rat infested mess."

Cybersecurity officials warn state and local agencies (again) to fend off ransomware

Three Louisiana school districts, Georgia agency part of the latest round of victims.

arstechnica.com

There is a mental block to be pro-active in these matters that affect many thousands of people. So criminally slack and greedy. I'm more concerned for the security of municipal infrastructure, a thousand times more than I am for the security of this puny little machine.

Edit: A South African city's power supplier was knocked offline by ransomware, causing power outage. This has lethal potential during heatwaves.

Baltimore's city and county government have had bad reputations for a long time. It seems to be a time-honored tradition that officials are put out for incompetence and/or malfeasance of one sort or another..

And yeah, there are parts of Baltimore that are pretty bad..

But I really enjoy going to Baltimore... to the Inner Harbor, Fells Point... eating and drinking. The nice parts are... nice, and the feel is much more down-to-earth and genuine than DC. Some really good brewpubs have opened..

I just don't go to the bad parts...

Search

Eternally Blue : Baltimore City Leaders Blame NSA for Ransomware Attack

upnorth

Level 68

plat

Level 29

plat

Level 29

Your threat model is wrong

upnorth

Level 68

Baltimore ransomware perp pinky-swears he didn’t use NSA exploit

[correlate]

Level 18

upnorth

Level 68

Dave Russo

Level 22

DeepWeb

Level 25

upnorth

Level 68

A Closer Look at the RobbinHood Ransomware

Robbinhood Malware Analysis with Radare2

The Greater Baltimore Committee - Greater Baltimore Committee

“RobbinHood” ransomware takes down Baltimore City government networks

plat

Level 29

Cybersecurity officials warn state and local agencies (again) to fend off ransomware

upnorth

Level 68

Burrito

Level 24

Cybersecurity officials warn state and local agencies (again) to fend off ransomware

Similar threads