Unless you’ve had your head buried firmly in the sand for the past few days, you’ll already have heard of WannaCry, the latest in an ongoing deluge of ransomware strains.
Since the attack started last Friday over 230,000 computers have been infected across 150 countries, with high profile victims including Telefónica, Britain’s National Health Service (NHS), FedEx, Deutsche Bahn, and LATAM Airlines.
And if you’ve been following the story, you’ll know all sorts of people have been getting involved. With slightly confusing (and sometimes contradictory) reports surfacing in news outlets all over the world, we thought we’d take a few moments to explain what is (and isn’t) currently known about WannaCry, and what you can do to minimize your organization’s risk of infection.
Let’s Go Back to the Beginning
To understand how WannaCry was able to cause havoc in such a short space of time, we’ll need to set our sights back a month.
On April 14th this year, a group known as The Shadow Brokers leaked a series of cyber attack ‘tools’ that had been stolen from Equation Group, a highly sophisticated threat actor group widely believed to have ties with the United States National Security Agency (NSA). In the context of the WannaCry attack, two of those leaked tools are of interest to us.
The first, known as EternalBlue, exploits a vulnerability (MS17-010) in Microsoft’s Server Message Block (SMB) protocol to identify vulnerable computers on a target network and laterally spread malicious payloads. The second, a sophisticated backdoor called DoublePulsar, enables attackers to inject and execute malicious code.
Now, it’s important to realize that vulnerability MS17-010 isn’t a zero day threat. In fact, Microsoft had identified and issued a patch for the vulnerability, along with a critical advisory, back on March 14th of this year.
But there were two problems. First, despite the warnings, many organizations failed to patch their vulnerable machines. Second, and in many ways even worse, many organizations are still using legacy operating systems such as Windows XP, which are no longer supported by Microsoft.
After the attack started last Friday, Microsoft quickly developed and released a Windows XP version of their patch for MS17-010, and were quick to criticize the NSA for hoarding exploits instead of responsibly reporting them to software vendors.
With the background out of the way, it becomes much easier to understand how WannaCry was able to spread so quickly.
In the past, most ransomware trojans have been spread predominantly through social engineering-based attack vectors, such as phishing, vishing, and malvertising. Unlike previous ransomware strains, though, WannaCry was able to self-propagate in a manner similar to so-called ‘worms’ such as Nimda and Conficker.
If you’re a keen follower of cyber security news, you may recall that last April Cisco Talos predicted precisely this evolution in ransomware trojans. If you’d like to really spoil your day, take a look at what else they predicted.
Once an initial infection has taken place, WannaCry scans for connected machines over TCP port 445. When a target is identified, the WannaCry trojan checks whether the DoublePulsar backdoor already exists on that machine. If it does, happy days; if it doesn’t, that’s when the EternalBlue exploit is used to initiate a new infection.
Either way, the result is that both the DoublePulsar backdoor and the WannaCry trojan will quickly be installed on every unpatched machine in the target network. And when that happens, it won’t be long until users start seeing windows like this one:
But How Did All This Start?
If you’ve been paying attention, chances are there’s a little nagging question in the back of your mind. The ransomware spreads by exploiting an SMB vulnerability, but how did the initial infection occur?
Unfortunately, at least for now, nobody is entirely sure. Because the ransomware spread so quickly on its own, without the need for separate organizations to be attacked independently, it’s very difficult to know how the first round of infections was carried out. Analysts throughout the cyber security industry, including members of our own R.A.I.D. team, have been unable to pinpoint the precise attack vector used.
As of this morning, speculation in the industry suggests the threat actors responsible may have simply used Shodan (or a similar search engine) to identify target machines that had port 445 open to the Internet, and used the SMB vulnerability to distribute the WannaCry installer.
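Both behaviours described above, an infected host fanning out to many neighbours on TCP port 445, and SMB being reachable from the Internet at all, leave a distinctive trace in ordinary firewall or NetFlow-style connection logs. The following is an added example (not code from this post or from PhishLabs) of how a defender could flag them. The log format, host addresses, thresholds and the `SAMPLE_LOG` records are constructed assumptions for the illustration; the key idea is that many clients reaching one file server (fan-in) is normal, while one host reaching many SMB peers in a short window (fan-out) is what worm propagation looks like on the wire.

```python
"""Flag WannaCry-style SMB fan-out and Internet-exposed SMB in connection logs.

Added example for illustration; the log format, hosts and thresholds below are
constructed assumptions, not data from any real incident.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

SMB_PORT = 445
# RFC 1918 ranges; adjust to the address plan of the network being monitored.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log, one "timestamp src dst dport proto" record per line.
SAMPLE_LOG = [
    "2017-05-12T10:00:01 10.0.1.20 10.0.1.5 445 tcp",    # ordinary clients reaching
    "2017-05-12T10:00:02 10.0.1.21 10.0.1.5 445 tcp",    # one file server: fan-in
    "2017-05-12T10:00:05 10.0.1.22 10.0.1.5 445 tcp",
    "2017-05-12T10:00:07 10.0.1.20 10.0.1.5 445 tcp",    # same client again
    "2017-05-12T10:00:08 10.0.1.21 10.0.1.9 443 tcp",    # not SMB, ignored
    "2017-05-12T10:01:15 203.0.113.9 10.0.1.5 445 tcp",  # Internet source hitting SMB
    "garbage line that should not crash the parser",
] + [
    # One internal host touching twelve neighbours on 445 within twelve seconds:
    # the fan-out pattern of a self-propagating SMB worm.
    f"2017-05-12T10:02:{s:02d} 10.0.1.77 10.0.1.{n} 445 tcp"
    for s, n in enumerate(range(1, 13))
]


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        return {
            "ts": datetime.fromisoformat(ts),
            "src": str(ipaddress.ip_address(src)),
            "dst": str(ipaddress.ip_address(dst)),
            "dport": int(dport),
            "proto": proto.lower(),
        }
    except ValueError:
        return None


def smb_events(lines):
    """Yield parsed TCP/445 records only."""
    for line in lines:
        ev = parse_line(line)
        if ev and ev["proto"] == "tcp" and ev["dport"] == SMB_PORT:
            yield ev


def detect_smb_fanout(lines, threshold=10, window_seconds=60):
    """Map each source to the largest number of distinct SMB peers it contacted
    inside any sliding window of window_seconds, keeping only those >= threshold."""
    by_src = defaultdict(list)
    for ev in smb_events(lines):
        by_src[ev["src"]].append((ev["ts"], ev["dst"]))

    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        in_window = defaultdict(int)   # dst -> number of events inside the window
        left, peak = 0, 0
        for ts, dst in evs:
            in_window[dst] += 1
            # Slide the left edge forward until the window spans <= window_seconds.
            while (ts - evs[left][0]).total_seconds() > window_seconds:
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_external_smb(lines):
    """List (src, dst) pairs where a non-internal address reached internal SMB:
    evidence that port 445 is exposed to the Internet and should be blocked
    at the perimeter."""
    return sorted({(ev["src"], ev["dst"]) for ev in smb_events(lines)
                   if not is_internal(ev["src"]) and is_internal(ev["dst"])})


if __name__ == "__main__":
    for src, peers in detect_smb_fanout(SAMPLE_LOG).items():
        print(f"possible SMB worm activity: {src} reached {peers} distinct peers on 445")
    for src, dst in detect_external_smb(SAMPLE_LOG):
        print(f"Internet-exposed SMB: {src} -> {dst}:445")
```

Run against the constructed sample, the fan-out detector flags only 10.0.1.77 (twelve distinct peers inside the default 60-second window), and the exposure check reports the single 203.0.113.9 to 10.0.1.5 connection. The window and threshold are deliberately parameters: a patch-management or vulnerability scanner that legitimately touches every host on 445 will also trip the fan-out rule, so in practice those sources are allow-listed rather than the threshold raised.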
But, in many ways, how this attack started isn’t the interesting question. Far more interesting is how it will start next time.
A careful review of the evidence suggests the threat actors behind WannaCry were, to put it charitably, not very sophisticated. Even so, using the SMB exploits they were able to infect hundreds of thousands of vulnerable machines within just a few days.
In the coming weeks, organizations all over the world will be working hard to ensure all Internet-facing systems are patched as a priority. But equally, many more sophisticated threat actors will see the opportunity presented by EternalBlue and DoublePulsar, and start using them in a far more targeted manner.
These threat actors are highly likely to use sophisticated social engineering tactics such as spear phishing in order to gain an initial infection within target networks, and rely on the SMB vulnerability to spread the infection throughout the target network.
So How Can I Secure My Organization?
Well, the first thing you can do is to pay attention to Microsoft’s security updates, and stop using unsupported versions of Windows. As we’ve already mentioned, vulnerability MS17-010 had been patched weeks before the WannaCry attack took place, so security-savvy organizations had every opportunity to protect themselves.
But in many ways, we were lucky this time. It just so happened that Microsoft independently identified and patched MS17-010 a few weeks before The Shadow Brokers leaked EternalBlue and DoublePulsar, among other NSA cyber attack tools. If that hadn’t happened, there’s a good chance an enterprising threat actor group could have put out a ransomware strain similar to WannaCry before anybody had a chance to react.
Clearly, that would have been bad news for everybody.
If you really want to secure your organization, you’ll have to do a lot more than maintain a strong patch management program. Even network segmentation techniques, which we’d strongly advise using, would only minimize the impact of a WannaCry (or other advanced ransomware) infection, rather than preventing it altogether.
To truly secure your organization against future ransomware attacks, you’ll need to tackle the primary infection vectors, and that means training your users to identify and report social engineering attacks.
Whether it’s malicious email (phishing and spear phishing), voicemail (vishing), SMS, social media, instant messaging, or malvertising, the overwhelming majority of ransomware attacks start with an attempt to trick your users.
To find out more about how you can implement a security awareness training program that actually works, check out this post.
For the time being, there seems to have been a lull in WannaCry infections. Some industry experts had anticipated a second wave, but so far it has not materialized.
But it’s not all sunshine and rainbows from here on out. Despite an independent malware analyst stumbling upon the so-called WannaCry ‘killswitch’ late last week, other ransomware families utilizing SMB exploits are already in circulation. A new ransomware variant, which goes by the name Uiwix, does not include a killswitch domain, but exploits the same SMB vulnerability.
In the coming days we’ll all no doubt hear more about WannaCry offshoots and copycats, as threat actor groups all over the world attempt to exploit the leaked NSA tools before the remaining vulnerable organizations are able to fully patch their Windows machines.
In the meantime, if anything changes, we’ll keep you posted.
This is a Security Bloggers Network syndicated blog post authored by Joseph Opacki. Read the original post at: The PhishLabs Blog