The globe was recently hit by a massive ransomware campaign that stretched across 150 countries and infected tens of thousands of systems. The Russian Interior Ministry was affected, certain NHS hospitals were turning patients away and a few manufactures had to cease operations. Needless to say, this was a really big deal. Companies were left scrambling on Friday afternoon in attempts to make sure they weren’t the latest victim of the WannaCryptor 2.0, also known as WannaCry, malware from wreaking havoc in their network. This is the second iteration of this malware and it uses exploits previously found within leaked NSA hacking tools (ETERNALBLUE) that takes advantage of a bug within Windows SMBv1 protocol.
There has been a lot of debate in the security community as to what the initial delivery method is, but as of right now it’s assumed this malware was either sent via a spam/phishing campaign, or it infects systems exposed to the internet with SMB (more on this later). Once infected, the malware used worm like capabilities to spread within the network, encrypting systems, and holding the data for ransom. While this was occurring, mostly in Europe, a malware researcher @malwaretechblog noticed an unregistered domain in the code of WannaCry and promptly registered it. Unbeknownst to him this domain was the killswitch for the malware and once registered stopped the malware from propagating if it could reach it.
Also, during this weekend we saw a lot of bad reporting on WannaCry. Many journalists and vendors were rushing to be the first to report on the news and ended up causing additional havoc during a very stressful time. We actually held this article back purposely, because the news and research on the malware was too fluid. For instance there were false reports stating that WannaCry effected SMBv2 as well as SMBv1, that the killswitch domain was the C2 and should be blocked (which by doing so allowed the malware to spread), that attackers were requesting 300 bitcoin for each infection (which is over $500K) which in reality they only asked for $300 (which after checking the threat actors Bitcoin wallets only seem to have made around 30k for this attack), etc. During these times it best to keep calm and get back to the basics of incident response. Everyone has agendas during a crisis and it’s hard to determine what to believe. In many of these situations, as you’ll see, it’s really the same remediation.
The How and The Why of WannaCry
A hacking group named “The Shadow Brokers” has leaked stolen NSA tools and exploits to the internet over the past couple months. Within one of these leaks was an exploit developed by the NSA named ETERNALBLUE. The ETERNALBLUE exploit takes advantage of a bug in Microsoft Windows SMBv1 that allows remote code execution. This is also the exploit the worm used to propagate throughout a network after a system was initially infected. It’s also possible, this is yet to be determined and I won’t say for sure, that it was the initial infection vector. We’re unsure of how the malware was delivered as of right now, but it’s plausible that it hit systems with SMB exposed to the internet and then spread internally. I know this sounds impossible, but independent scans of the internet show anywhere between 2 – 3 million devices publically exposing SMB to the world. If this was the threat vector they had plenty of targets. The other likely initial delivery was phishing/spam, but many mail gateway providers didn’t see a flood of malware come through their filters leading many others to question how this happened. It’s also very possible that this was spear phishing campaign, which allowed attackers the advantage of sending a smaller number of phishing emails due to the way the malware spread after initial infection. Take these with a grain of salt, we don’t want to encourage any more drama.
The exploit ENTERNALBLUE is used to attack an unpatched Windows system running without the MS17-010 patch. This vulnerability was patched by Microsoft on March 14th 2017 as a response to the ETERNALBLUE exploit going public. This gave businesses over two months to have this patched installed on supported operating systems (supported being the key work here). Those systems that weren’t patched, or were running legacy systems (like XP or Windows 2003) were left vulnerable to this attack. This was such a nasty vulnerability that the US-CERT released an alert on it to notify the public of its existence. Still, the WannaCry malware spread like wildfire until the killswitch was accidentally initiated halting its propagation due to patches not being installed or having legacy operating systems still in use. Due to the rate at which it spread and the vast amount of targets it could continue to infect, Microsoft released an emergency update for its unsupported legacy operating systems (Windows XP and Windows 2003 server) to assist with easing the pain and giving those without an upgrade path the ability to protect themselves from future attacks and variants.
Live to See Another Day or Back to Basics
As long as there’s someone willing to pay the price there will always be ransomware. This malware just picked up a known exploit and weaponized it for malicious gain. This wasn’t the first time this exploit was used, since it was found in an NSA hacking kit, and most likely not the last. As of this writing there have already been a few reported variants of the malware seen in the wild using the same exploit. Honestly, I’m kinda surprised we didn’t see this happen earlier and very concerned that it was so widely exploited. A few months ago I wrote an article on the dangers of SMBv1 and how to disable it after the US-CERT warning and MS17-010 patch came out. Not only that, the legacy OS’s of XP and Windows 2003 are obviously still in heavy use AND we’re seeing SMB being exposed to the internet! Using this malware was like shooting fish in a barrel. I wouldn’t say it was the code that made this malware so prevalent, but the ripe attack surface which paved the way for its success.
Good security patch/config management, security awareness and supply chain security (many companies were affected due to VPN connections they had with others that were breached) are still the best methods to control future outbreaks. After this outbreak every security vendor has been pitching how their tool would have stopped this from occurring, when in reality good security hygiene and governance would have been just fine. This was a very dangerous outbreak that caused tremendous damage, but in hindsight it was all due to hackers preying off the same weaknesses in our security posture we’ve always had. The exploit was new, yes, but the remediation was the same! Getting our hands on basics of these three disciplines will increase the security of our organization and help keep others safe. As we saw with the DYNDNS DDoS a few months back, the malware used unpatched and vulnerable IoT devices to launch attacks, the security hygiene of your network can affect more than just your systems. Adding security tools to help with the prevention is recommended, but it should come only after you’ve laid down proper security. We need to think of security in layers and it’s highly recommended to run tools as part of your security architecture, but not as a silver bullet.
For those that can’t patch your systems, even with the new patch being released to legacy operating systems, you need to take an approach of segmentation today. If there are systems in your network that are unable to be patched for whatever reason (healthcare and finance might have applications that rely on a particular patch level) a plan to start segmentation and additional monitoring of these systems should start right away. These systems need to be isolated from the rest of your network as a compensating control to protect yourself from, well, yourself.
The WannaCryptor 2.0 has stopped spreading and we’re seeing reports of smaller variants trying to pick up where it left off, but for the time being this strain seems to be dead. It might not be ransomware next time, but the exploit will still be the same, MS17-010 SMBv1, if left unpatched or unsegmented will come back to haunt you. Now that we’ve seen the damage, which can be done, I’m hoping this spurs everyone to patch this vulnerability, clean up your configs, continue your security awareness and hopefully have the ability to move away from unsupported systems. It’s in everyone’s best interest to remember the basics.
Author Bio: Matthew Pascucci is a Security Architect, Privacy Advocate and Security Blogger. He holds multiple information security certificates and has had the opportunity to write and speak about cyber security for the past decade. He’s the founder of www.frontlinesentinel.com and can be contacted via his blog, on Twitter @matthewpascucci, or via email email@example.com.
Matthew Pascucci is a guest blogger, all opinions are his own.