The U.S. government says it has evidence that North Korea was responsible for the WannaCry ransomware outbreak that infected around 300,000 computers around the world in May, disrupting operations across thousands of organizations.
“After careful investigation, the U.S. today publicly attributes the massive ‘WannaCry’ cyberattack to North Korea,” President Trump’s Homeland Security Advisor Thomas Bossert said Tuesday in an op-ed in the Wall Street Journal. “We do not make this allegation lightly. It is based on evidence.”
The announcement comes after the U.K. government also blamed North Korea for the attack in October. In addition, several security companies found links between WannaCry and Lazarus, a North Korean hacking group that stole millions of dollars from central banks and has been responsible for other high-profile attacks over the past few years.
In a blog post Tuesday, Microsoft’s Chief Legal Officer Brad Smith announced that the company has worked with Facebook and others in recent weeks to disrupt the activities of the Lazarus group, which Microsoft tracks as ZINC. The company also concluded that the group was responsible for WannaCry.
“Among other steps, last week we helped disrupt the malware this group relies on, cleaned customers’ infected computers, disabled accounts being used to pursue cyberattacks and strengthened Windows defenses to prevent reinfection,” Smith said. “We took this action after consultation with several governments, but made the decision independently.”
Microsoft plans to provide more details about its actions in the coming months, after it analyzes the data and information it collected.
WannaCry quickly spread through enterprise networks by exploiting EternalBlue, a vulnerability in the Windows SMBv1 protocol. The ransomware hit the U.K.’s National Health Service (NHS) especially hard, with some hospitals and clinics needing a week or more to fully recover. This put patient safety at risk.
“North Korea has acted especially badly, largely unchecked, for more than a decade, and its malicious behavior is growing more egregious,” Bossert said. “WannaCry was indiscriminately reckless.”
EternalBlue is one of several SMB exploits that were part of an NSA cyber arsenal leaked online earlier this year by a group called the Shadow Brokers. Those exploits are still being used in attacks today.
On Friday, researchers from F5 Networks warned about a multi-staged attack dubbed Zealot that exploits vulnerabilities in Apache Struts and DotNetNuke to gain a foothold into corporate networks and then uses the EternalBlue and EternalSynergy exploits for lateral movement. The attack has malware payloads for both Windows and Linux systems, written in PowerShell and Python, respectively.
Remote Code Execution Flaws Fixed in Trend Micro Smart Protection Server
Trend Micro released security patches for its Smart Protection Server to address several important vulnerabilities, including two issues that could result in remote code execution.
The security vendor describes Smart Protection Server as an in-the-cloud protection solution that detects security risks by using file and web reputation technologies and frees endpoints from storing a large number of malware prevention signatures and lists.
Trend Micro has released updates for the 3.3, 3.2, 3.1 and 3.0 version branches of the product, but recommends that customers upgrade to the latest 3.3 version.
The patches fix two remote code execution issues that can be exploited via cron job injection and local file inclusion, a session hijacking flaw through log file disclosure, a stored cross-site scripting vulnerability and an improper access control issue. One of the flaws is rated high severity and the rest are rated as moderate.
The vulnerabilities were found by researchers from Core Security and were reported to Trend Micro in September. Core released its own advisory with additional technical details about the flaws.