The Shadow Internet

thaddeus t. grugq on 2017-10-26

A maze of shadow network links company intranets

Yet Another Worm eveNt (YAWN) is spawning a flurry of infosec marketing blog posts. There’s the technical analysis, the “how to block the last attack” posts, the “why are we still failing?” self-flagellation, and the transparent “how our product would have blocked the last attack.” This analysis is not a technical deep dive, a basic security guide, or any of the other predictable post-incident blogs. I want to look at the bigger lesson that the last three big worms (WannaCry, NotPetya, BadRabbit) have vividly exposed, and yet has been essentially overlooked. The lesson is:

Compromise local, infect global — using only lateral traversal techniques — using the Shadow Internet

The Worms of the Age of Worms

The three autonomous malicious agents share one major feature, propagation via lateral traversal techniques, and a similar payload, but they differ in other aspects. Importantly, each worm appears to have been developed to different operational requirements and released with different intent, resulting in divergent implicit targeting scope. Despite these different targeting goals, all three achieved the same result: global infection.

  1. WannaCry: pure ransomware that spread via the (already patched) MS17-010 SMB bug. It targeted both Internet and intranet systems and briefly spread at an astonishing rate, leaping from “Patient Zero” across borders, continents, and oceans in hours.
  2. NotPetya: a wiper masquerading as ransomware that propagated using multiple lateral traversal techniques: stolen credentials, remote administration tools, and, as a fallback, the (very patched) MS17-010 SMB bug. It was released in Ukraine and targeted only the subnets it was connected to plus whatever IPs were found in the ARP cache. Although it appears to have been carefully designed to restrict its spread to just Ukraine, within hours it had spread globally.
  3. BadRabbit: apparently ransomware that spreads using lateral traversal tools extremely similar to NotPetya’s (mimikatz, WMIC, the SMB bug, etc.); it also included a short hardcoded list of usernames and passwords for brute-forcing credentials. Target enumeration was conservative, attacking only known reachable addresses. Detected initially in Russia and targeting Turkey, Bulgaria and Japan, within a day infections were global.

The threat actors behind the worms appear to be different (WannaCry was linked to the Lazarus group, NotPetya/BadRabbit to BlackEnergy), and the motivations for releasing the worms appear to differ:

Critically though, each worm used only lateral traversal methods, and the latter two restricted themselves to directly accessible targets. Despite these limitations on mobility, which would seem to confine the victims to intranet targets inside a single network perimeter, these worms became global epidemics. This empirically demonstrates that there is a Shadow Internet of linked networks that provides pathways to compromise targets globally without ever touching public-facing Internet systems.

The conceptual split between a private, bounded intranet and a public Internet is mostly fantasy. The cold reality is that alongside the public Internet there is a private Shadow Internet which connects intranets to each other in unpredictable ways. The Home Depot breach revealed deliberate exploitation of this Shadow Internet: attackers gained access to a trusted supplier and then used its private connection to reach Home Depot’s network.

The porous nature of perimeter defences is nothing new, nor is attacker abuse of trust relationships; these worms merely reveal the global reach of these problems. Aggressive autonomous malware has demonstrated, repeatedly, just how many private networks are connected to each other: a sort of infosec “six degrees of separation.”
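To make the “six degrees of separation” and transitive-risk point concrete, here is an added example (not code from the post): it models the Shadow Internet as a graph of intranets joined by private links, computes how far a lateral-only worm can travel from one compromised network, and shows which links are single points of segmentation. Every network name and link in it is constructed for illustration.

```python
"""Added illustration of the post's "risk is transitive" point.

Model the Shadow Internet as a graph of intranets joined by private links
(site-to-site VPNs, supplier connections, shared management subnets) and
compute how far a worm that moves only laterally, never via the public
Internet, can reach from one compromised network.

All network names and links below are constructed (hypothetical).
"""
from collections import deque

# Constructed trust graph: each pair is a private link a lateral-only worm
# could traverse. None of these edges crosses the public Internet.
SHADOW_LINKS = [
    ("ukraine-branch", "hq-corp"),
    ("hq-corp", "logistics-partner"),
    ("hq-corp", "auditor"),
    ("auditor", "logistics-partner"),      # closes a loop: two paths to logistics
    ("logistics-partner", "shipping-co"),
    ("shipping-co", "port-authority"),
    ("auditor", "bank"),
    ("isolated-lab", "lab-vendor"),        # separate island, not linked to the rest
]


def build_graph(links):
    """Undirected adjacency map; trust links are traversable in both directions."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def reach(graph, patient_zero):
    """Breadth-first search: map every reachable network to its hop count
    (degrees of separation) from the initially compromised one."""
    hops = {patient_zero: 0}
    queue = deque([patient_zero])
    while queue:
        cur = queue.popleft()
        for nxt in graph.get(cur, ()):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    return hops


def reach_after_cutting(links, cut, patient_zero):
    """Blast radius once the links in `cut` are removed (segmentation test)."""
    remaining = [l for l in links if l not in cut and (l[1], l[0]) not in cut]
    return reach(build_graph(remaining), patient_zero)


def bridge_links(links):
    """Links whose removal alone disconnects some network from the rest.
    These are the segmentation points that reduce transitive risk the most."""
    bridges = []
    for a, b in links:
        if b not in reach_after_cutting(links, {(a, b)}, a):
            bridges.append((a, b))
    return bridges


if __name__ == "__main__":
    graph = build_graph(SHADOW_LINKS)
    hops = reach(graph, "ukraine-branch")
    print(f"{len(hops)} networks reachable from ukraine-branch via private links only")
    for net, h in sorted(hops.items(), key=lambda kv: kv[1]):
        print(f"  {h} hop(s): {net}")
    print("bridge links (single points of segmentation):", bridge_links(SHADOW_LINKS))
    cut = {("hq-corp", "logistics-partner"), ("auditor", "logistics-partner")}
    print("after cutting both links into logistics-partner:",
          sorted(reach_after_cutting(SHADOW_LINKS, cut, "ukraine-branch")))
```

In the constructed graph a worm starting in the Ukrainian branch reaches seven networks, the furthest (the port authority) four hops away, without ever leaving private links; the two isolated lab networks are untouched. The loop through the auditor means no single cut isolates the logistics chain, which is the kind of finding an inventory of third-party connections is meant to surface.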

Entry Vector

The worms all used different initial entry vectors to gain a foothold before beginning their autonomous sideways trek through the dark and twisty maze of the Shadow Internet.

Target Enumeration

The worms have shown that threat actors are not only incorporating lessons learned from previous events (tactical diffusion), but are also innovating and trying out new techniques.

  - 12 May 2017: WannaCry
  - 28 June 2017: NotPetya
  - 24 October 2017: BadRabbit

BadRabbit’s target enumeration is the same as NotPetya’s, including bugfixes such as the one shown below.

Comparison of the routines initiating lateral movements in BadRabbit & NotPetya.
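The enumeration behaviour described above (sweep the local subnet or ARP-cache neighbours, then try SMB/WMI against each) has a signature a defender can look for: one source host contacting many distinct peers on lateral-movement ports within seconds. The following added example (not from the post or from any of the worms) replays constructed firewall-style log lines through a sliding-window fan-out detector; the log format, addresses and thresholds are all assumptions for illustration.

```python
"""Added illustration for the target-enumeration discussion above.

A worm that enumerates its local subnet (or the ARP cache) and then tries
SMB/WMI on each neighbour produces a distinctive signal: one source host
contacting many distinct peers on lateral-movement ports within seconds.
This detector replays firewall-style log lines and flags that fan-out.

The log format and every address below are constructed for the example;
they are not from the post or from any of the worms' real traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format: ISO timestamp, src, dst, destination port, action.
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)

# Ports the post's worms used for lateral movement: 445 (SMB, MS17-010,
# admin shares) and 135 (DCOM/RPC, used by WMIC).
LATERAL_PORTS = (445, 135)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that don't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["dst"], int(m["dport"])


def detect_fanout(lines, ports=LATERAL_PORTS, window_s=60, threshold=5):
    """Map each source that contacted >= `threshold` distinct hosts on `ports`
    inside any `window_s`-second window to the peak number of peers seen."""
    events = sorted(e for e in map(parse_line, lines) if e and e[3] in ports)
    recent = defaultdict(deque)   # src -> (ts, dst) pairs inside the window
    alerts = {}
    for ts, src, dst, _ in events:
        q = recent[src]
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window_s:   # slide the window
            q.popleft()
        peers = {d for _, d in q}
        if len(peers) >= threshold:
            alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts


# Constructed sample traffic.
SAMPLE_LOG = [
    # Normal: a workstation talking to its two file servers.
    "2017-10-24T10:00:01Z src=10.1.2.5 dst=10.1.2.10 dport=445 action=allow",
    "2017-10-24T10:00:09Z src=10.1.2.5 dst=10.1.2.10 dport=445 action=allow",
    "2017-10-24T10:00:15Z src=10.1.2.5 dst=10.1.2.11 dport=445 action=allow",
    # Unrelated web traffic, ignored by the port filter.
    "2017-10-24T10:00:20Z src=10.1.2.7 dst=203.0.113.5 dport=443 action=allow",
    "not a log line at all",
] + [
    # Worm-like: one host sweeping eight subnet neighbours on 445 in seconds.
    f"2017-10-24T10:01:{i:02d}Z src=10.1.2.33 dst=10.1.2.{100 + i} dport=445 action=deny"
    for i in range(8)
] + [
    # Slow admin activity: three peers over five minutes, below threshold.
    f"2017-10-24T10:{5 + 2 * i:02d}:00Z src=10.1.2.40 dst=10.1.2.{50 + i} dport=135 action=allow"
    for i in range(3)
]


if __name__ == "__main__":
    for src, peers in detect_fanout(SAMPLE_LOG).items():
        print(f"ALERT lateral fan-out: {src} reached {peers} distinct hosts on {LATERAL_PORTS}")
```

Only the sweeping host trips the detector; the workstation with two file servers and the slow administrative activity stay below threshold. Because the worms in the post confined themselves to locally reachable addresses, this kind of peer-count baseline per host is more useful than any single blocked connection, and the window and threshold are the knobs to tune against an environment's real SMB and WMI usage.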


The connections traversed by these malicious agents reveal unmapped, poorly explored, and extremely dangerous portals that link diverse organisations into a Shadow Internet. Not only are many networks one 0day away from total compromise, but they are just a few twisty dark passages away from a network that’s one 0day away from compromise. The Shadow Internet is a serious problem: risk is transitive.