U.S. Officially Accuses North Korea for WannaCry Attack

The U.S. government says it has evidence that North Korea was responsible for the WannaCry ransomware outbreak that infected around 300,000 computers around the world in May, disrupting operations across thousands of organizations.

“After careful investigation, the U.S. today publicly attributes the massive ‘WannaCry’ cyberattack to North Korea,” President Trump’s Homeland Security Advisor Thomas Bossert said Tuesday in an op-ed in the Wall Street Journal. “We do not make this allegation lightly. It is based on evidence.”

The announcement comes after the U.K. government also blamed North Korea for the attack in October. In addition, several security companies found links between WannaCry and Lazarus, a North Korean hacking group that stole millions of dollars from central banks and has been responsible for other high-profile attacks over the past few years.

In a blog post Tuesday, Microsoft’s Chief Legal Officer Brad Smith announced that the company has worked with Facebook and others in recent weeks to disrupt the activities of the Lazarus group, which Microsoft tracks as ZINC. The company also concluded that the group was responsible for WannaCry.

“Among other steps, last week we helped disrupt the malware this group relies on, cleaned customers’ infected computers, disabled accounts being used to pursue cyberattacks and strengthened Windows defenses to prevent reinfection,” Smith said. “We took this action after consultation with several governments, but made the decision independently.”

Microsoft plans to provide more details about its actions in the coming months, after it analyzes the data and information it collected.

WannaCry quickly spread through enterprise networks by exploiting EternalBlue, a vulnerability in the Windows SMBv1 protocol. The ransomware hit the U.K.’s National Health Service (NHS) especially hard, with some hospitals and clinics needing a week or more to fully recover. This put patient safety at risk.

“North Korea has acted especially badly, largely unchecked, for more than a decade, and its malicious behavior is growing more egregious,” Bossert said. “WannaCry was indiscriminately reckless.”

EternalBlue is one of several SMB exploits that were part of an NSA cyber arsenal leaked online earlier this year by a group called the Shadow Brokers. Those exploits are still being used in attacks today.

On Friday, researchers from F5 Networks warned about a multi-staged attack dubbed Zealot that exploits vulnerabilities in Apache Struts and DotNetNuke to gain a foothold into corporate networks and then uses the EternalBlue and EternalSynergy exploits for lateral movement. The attack has malware payloads for both Windows and Linux systems, written in PowerShell and Python, respectively.

Remote Code Execution Flaws Fixed in Trend Micro Smart Protection Server

Trend Micro released security patches for its Smart Protection Server to address several important vulnerabilities, including two issues that could result in remote code execution.

The security vendor describes Smart Protection Server as an in-the-cloud protection solution that detects security risks by using file and web reputation technologies and frees endpoints from storing a large number of malware prevention signatures and lists.

Trend Micro has released updates for the 3.3, 3.2, 3.1 and 3.0 version branches of the product, but recommends that customers upgrade to the latest 3.3 version.

The patches fix two remote code execution issues that can be exploited via cron job injection and local file inclusion, a session hijacking flaw through log file disclosure, a stored cross-site scripting vulnerability and an improper access control issue. One of the flaws is rated high severity and the rest are rated as moderate.

The vulnerabilities were found by researchers from Core Security and were reported to Trend Micro in September. Core released its own advisory with additional technical details about the flaws.

Sponsored Content
Upcoming Webinar
2018 - The Year Ahead in Cybersecurity

2018 – The Year Ahead in Cybersecurity

Once again cybersecurity rose to the top of the news in 2017. Unfortunately, 2018 doesn’t seem to hold any change in news of breaches and security incidents abating. But there are technologies on the horizon that could change the equation. What will 2018 look like from a cyber perspective? We ... Read More
February 22, 2018

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 99 posts and counting.See all posts by lucian-constantin