This week’s attacks leveraging the WannaCry ransomware were the first time we have seen an attack combine worm tactics with the business model of ransomware. The weaponisation of the EternalBlue exploit, made public weeks ago, and unpatched MS17-010 vulnerabilities in Windows by the thousands enabled WannaCry to infect hundreds of thousands of computers, across industries and continents, within just a day. Furthermore, these attacks accomplished all this with little or no human involvement, which is not typically the case in other ransomware campaigns.
WannaCry’s success comes down to its ability to amplify one attack through the vulnerabilities of many machines on the network. The impact of the attack is much greater than what we have seen from traditional data ransomware attacks.
Almost all of the ransomware we see in the wild today attacks individual users, typically through spear-phishing: the victim receives an email that appears to come from a legitimate source and lures him or her into clicking on a link or opening an attachment that downloads or executes malicious code on the system. But it only impacts that one victim’s computer.
If you think back to the late 1990s and early 2000s, when we had Code Red, NIMDA and SQL Slammer, those worms spread really rapidly because they did not require a human to take any action in order to activate the malware on the machine. This week’s attacks did something very similar.
We are still working to determine how the patient zero machine became infected, but once it was, any other machines that had not received the MS17-010 patch were infected over the network.
Instead of stealing data or damaging other machines, the malware executed a classic ransomware attack, encrypting files and demanding a ransom payment. The attack essentially combined two techniques to produce something that was highly impactful.
With WannaCry, if machines within an organisation still carried the Microsoft vulnerability, addressed by Microsoft in March, the ransomware could infect one machine and then spread very rapidly to many other machines that still had not been patched.
What we have typically seen with cybercrime is that when any technique is shown to be effective, there are almost always copycats. Given that this appears to have been quite an effective attack, it would be very reasonable for other attackers to look for other opportunities. One of the things that makes that difficult is you need to have a vulnerability in software that has characteristics that enable worm-like behavior.
What is unique here is that there is a critical vulnerability that Microsoft has patched, and an active exploit that ended up in the public domain, both of which created the opportunity and blueprint for the attacker to build this type of malicious ransomware worm capability.
In the late 1990s, it was common practice to leave all sorts of software running on machines even if it was not used. For instance, one of the worms of the 1990s took advantage of a vulnerability in a print server that was included by default on all servers, even where no printer was attached. That enabled the worm to connect to that printer port on every server on a network, creating a propagation scenario that infected system after system.
A common practice for addressing this since those days is the best practice known as least privilege, which allows an application or service to run only what it needs on a machine or network to complete the task or function specific to its role. Least privilege has reduced the chances of the traditional worm scenario, but unpatched vulnerabilities recreate this kind of openly exploitable element, particularly when they enable things such as file transfer or sharing across systems.
It would be difficult to orchestrate attacks such as the WannaCry campaign without all the unpatched vulnerabilities, the publicly released exploit, and a set of proven ransomware technologies and tactics at the attacker’s disposal.
WannaCry should remind IT of how critical it is to apply patches quickly. Part of the reason IT organisations hesitate to patch, or first run an internal quality assurance process, is to ensure that there are no software incompatibility issues. One way I like to think about this is that whenever a patch must be applied, there is a risk to applying the patch and a risk to not applying it. Part of what IT managers need to understand and assess is what those two risks mean to their organisations.
By delaying deployment of a patch, they can mitigate risk related to application compatibility. By delaying a patch, they are increasing the risk of being compromised by a threat exploiting a vulnerability. IT teams need to understand for each patch, what those levels of risk are, and then make a decision that minimises risk for an organisation.
Events such as WannaCry have the potential to shift the calculus of this analysis. One of the problems we often see in security is that the lack of an attack is sometimes interpreted as having a good defense. Companies that have become lax in applying patches may have not experienced any attacks that take advantage of those vulnerabilities. This can reinforce the behavior that it is okay to delay patching. This episode should remind organisations that they really do need an aggressive patching plan in order to mitigate the vulnerabilities in their environment.
Hospitals fall into a category I think of as soft targets, meaning hospitals generally focus on patient care as their top priority, as opposed to having the best cyber defenders on staff and best cyber defense technologies in place.
The reason for this is that, traditionally, there was very little incentive for cybercriminals to attack a hospital. They could potentially steal patient records or other data, but the total value of data from a hospital would typically be less than that of the bulk data stolen from other industries such as financial services.
What ransomware has done as a criminal business model is provide an incentive to attack any organisation. Given that criminals are demanding a ransom, it is far easier to exploit an organisation with weaker cyber defenses than an organisation with stronger cyber defenses, which is why we have seen hospitals, schools, municipal police departments, and universities become victims of ransomware over the last year. While we are now starting to see the targeting of harder organisations as well, at least for now, there are a lot of opportunities for criminals to continue to target these soft target organisations.
Although this attack is something new, and something we need to be thoughtful of, when we see such a vulnerability occur in the wild, and an exploit published that could be used by cybercriminals, we should always expect and be prepared for this kind of attack, and many more copy-cat attacks following soon after.
Steve Grobman at McAfee explains how the publicly announced Eternal Blue vulnerability and the slow response to apply the released Microsoft patch have wreaked global havoc.
Key takeaways
- By delaying deployment of a patch, they can mitigate risk related to application compatibility
- By delaying a patch, they are increasing the risk of being compromised by a threat exploiting a vulnerability
- Companies that have become lax in applying patches may have not experienced any attacks that take advantage of vulnerabilities
- Events such as WannaCry have the potential to shift the calculus of this analysis
- For now, there are a lot of opportunities for criminals to continue to target soft target organisations
- Given that criminals are demanding a ransom, it is far easier to exploit an organisation with weaker cyber defenses
- IT organisations hesitate to patch in order to ensure there are no software incompatibility issues
- It would be difficult to orchestrate attacks such as the WannaCry campaign without unpatched vulnerabilities, publicly released exploit, and proven ransomware technologies
- IT teams need to understand for each patch what those levels of risk are, and then make a decision that minimises risk for an organisation
- Least privilege has reduced the chances of the traditional worm scenario
- One of the problems we see in security is that lack of an attack is interpreted as having good defense
- The attack essentially combined two techniques to produce something that was highly impactful
- There is a critical vulnerability Microsoft has patched, an active exploit in the public domain, both created the blueprint for the attacker
- This should remind organisations that they really do need an aggressive patching plan in order to mitigate vulnerabilities
- WannaCry’s success comes down to its ability to amplify one attack through the vulnerabilities of many machines on the network
- Whenever a patch must be applied there is a risk to applying a patch and a risk to not applying a patch
- What we have typically seen with cybercrime is that when any technique is shown to be effective there are almost always copycats
“The morning of Friday, May 12th, multiple sources in Spain began reporting an outbreak of the ransomware now identified as WannaCry. Upon learning of these incidents, McAfee quickly began working to analyse samples of the ransomware and develop mitigation guidance and detection updates for its customers. McAfee has subsequently provided DAT updates to all its customers and provided them and the public further analysis on the attacks. McAfee urges all its customers to ensure these DAT updates have been applied, and furthermore ensure that security updates are applied for all the software solutions they use.”
WannaCry and the Eternal Blue exploit
Over the course of Friday the 12th of May, McAfee received multiple reports of organisations across multiple verticals falling victim to a ransomware attack. Once infected, the encrypted files carry the file extension .WNCRYT. Victim computers then display a ransom message demanding $300 to decrypt the files.
The malware uses the MS17-010 exploit to distribute itself. This is an SMB vulnerability that allows remote code execution; details:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
Exploit code is available on multiple sites, including this example:
https://github.com/RiskSense-Ops/MS17-010/blob/master/exploits/eternalblue/ms17_010_eternalblue.rb
This exploit is also known as the Equation Group’s Eternal Blue exploit, part of the FuzzBunch toolkit released by Shadow Brokers a couple of weeks ago. With MS17-010, the attacker can use just one exploit to get remote access with system privileges, meaning both steps, Remote Code Execution and Local Privilege Escalation, are achieved using just one bug in the SMB protocol. Analysing the exploit code in Metasploit, a well-known penetration-testing framework, the exploit uses KI_USER_SHARED_DATA, which has a fixed memory address of 0xffdff000 on 32-bit Windows, to copy the payload to and later transfer control to it.
By remotely gaining control over a victim PC with system privileges, without any user action, an attacker who controls one system inside a local network can spread this malware across that network, taking over every system that is affected by the vulnerability and not yet fixed; that one system then spreads the ransomware to all Windows systems on the network that are vulnerable and not patched against MS17-010.
Using the following command line, the Volume Shadow Copies and backups are removed:
Cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
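As an added example (not McAfee’s code, and not part of the original write-up), the following Python detection logic runs over a few constructed process-creation log entries and flags the backup-tampering chain shown above. A single `vssadmin delete shadows` can be legitimate administration, so the logic splits the command chain into its sub-commands and raises the severity only when several tampering steps appear together. The event format, rule names and severity thresholds are assumptions made for illustration.

```python
import re

# Constructed sample process-creation events (not real telemetry). Each tuple is
# (process image, command line) as a process-creation log source would record it.
# The first command line is the chain quoted in the write-up above.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\cmd.exe",
     "Cmd /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & "
     "bcdedit /set {default} bootstatuspolicy ignoreallfailures & "
     "bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"),
    ("C:\\Windows\\System32\\vssadmin.exe", "vssadmin list shadows"),
    ("C:\\Windows\\System32\\cmd.exe", "cmd /c dir C:\\Users & echo done"),
]

# Assumed rule names; each pattern covers one backup/recovery tampering step.
RULES = [
    ("shadow_copy_delete_vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow_copy_delete_wmic",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("boot_status_policy_ignore",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("recovery_disabled",
     re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b", re.I)),
    ("backup_catalog_delete",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
]


def split_chain(command_line):
    """Split a cmd.exe command chain on &, &&, | and || so each sub-command is checked alone."""
    parts = re.split(r"\s*(?:&&|\|\||&|\|)\s*", command_line)
    return [p.strip() for p in parts if p.strip()]


def match_rules(command_line):
    """Return the names of all rules matched anywhere in the command chain (no duplicates)."""
    hits = []
    for sub in split_chain(command_line):
        for name, pattern in RULES:
            if pattern.search(sub) and name not in hits:
                hits.append(name)
    return hits


def triage(events):
    """Return one alert per event that matches at least one rule.

    Three or more tampering steps in one command line is the chained pattern
    described on this page and is rated high; fewer is rated medium because a
    lone shadow-copy deletion can be an administrator cleaning up disk space.
    """
    alerts = []
    for image, cmdline in events:
        hits = match_rules(cmdline)
        if not hits:
            continue
        severity = "high" if len(hits) >= 3 else "medium"
        alerts.append({"image": image, "rules": hits, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["severity"], alert["image"], ", ".join(alert["rules"]))
```

Running the block prints one high-severity alert for the cmd.exe chain and nothing for the two benign events; the `bcdedit` rules deliberately require `/set` before the option name so that read-only `bcdedit /enum` output is not flagged.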
The file size of the ransomware is 3.4 MB (3514368 bytes).
The authors called the ransomware “WANNACRY”, a string hardcoded in the samples.
The ransomware writes itself into a randomly named folder under the ProgramData folder with the file name ‘tasksche.exe’, or into the C:\Windows\ folder with the file names ‘mssecsvc.exe’ and ‘tasksche.exe’.
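As an added example that is not part of the original write-up, the following Python triage helper checks a constructed file inventory against the host indicators listed above: the dropped file names and their locations, the 3514368-byte sample size, the hardcoded “WANNACRY” string, and the .WNCRYT extension on encrypted files. The inventory contents (including the fake byte content and the random folder name), the indicator names and the scoring thresholds are assumptions; no real sample bytes are reproduced.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the write-up above.
WANNACRY_SAMPLE_SIZE = 3514368          # bytes
HARDCODED_STRING = b"WANNACRY"
DROPPED_NAMES = {"tasksche.exe", "mssecsvc.exe"}
ENCRYPTED_EXTENSION = ".wncryt"

# Random-character folder directly under ProgramData, or the Windows folder itself.
PROGRAMDATA_RANDOM_DIR = re.compile(r"^[a-z]:\\programdata\\[a-z0-9]+$", re.I)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows$", re.I)


def match_indicators(path, size, content):
    """Return the names of the page's indicators that one file matches.

    path: full Windows path as a string; size: file size in bytes;
    content: the bytes (or a prefix of them) available for a string scan.
    """
    p = PureWindowsPath(path)
    name = p.name.lower()
    parent = str(p.parent)
    hits = []
    if name in DROPPED_NAMES:
        # The name alone is weak; the name in one of the documented drop
        # locations is a much stronger signal, so they are reported separately.
        if PROGRAMDATA_RANDOM_DIR.match(parent) or WINDOWS_DIR.match(parent):
            hits.append("dropped_file_name_and_location")
        else:
            hits.append("dropped_file_name")
    if size == WANNACRY_SAMPLE_SIZE:
        hits.append("known_sample_size")
    if HARDCODED_STRING in content:
        hits.append("hardcoded_name_string")
    if p.suffix.lower() == ENCRYPTED_EXTENSION:
        hits.append("encrypted_victim_file")
    return hits


def score(hits):
    """Coarse verdict (assumed thresholds): two strong indicators make a likely match."""
    strong = {"dropped_file_name_and_location", "hardcoded_name_string", "known_sample_size"}
    if len(strong & set(hits)) >= 2:
        return "likely_wannacry"
    if hits:
        return "suspicious"
    return "clean"


# Constructed inventory: (path, size, content prefix). The content is fake filler
# so that the string check has something to scan; it is not the real binary.
CONSTRUCTED_FILES = [
    ("C:\\ProgramData\\qxkzjwb\\tasksche.exe", 3514368, b"MZ" + b"\x00" * 64 + b"WANNACRY"),
    ("C:\\Windows\\mssecsvc.exe", 3514368, b"MZ" + b"\x00" * 64),
    ("C:\\Users\\alice\\Documents\\report.docx.WNCRYT", 20480, b"\x01\x02"),
    ("C:\\Users\\alice\\Downloads\\tasksche.exe", 1024, b"MZ"),
    ("C:\\Windows\\System32\\notepad.exe", 193536, b"MZ"),
]


def triage(files):
    """Map each path in the inventory to its verdict."""
    return {path: score(match_indicators(path, size, content)) for path, size, content in files}


if __name__ == "__main__":
    for path, verdict in triage(CONSTRUCTED_FILES).items():
        print(f"{verdict:16} {path}")
```

The .WNCRYT hit is kept separate from the binary indicators on purpose: a victim file tells the responder that encryption has already run on that host, which drives containment, whereas the dropped binaries tell them where to collect the sample from.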
Raj Samani, Christiaan Beek, Charles McFarland at McAfee give an overview of how WannaCry ransomware works.
Microsoft’s response on 14 April to Shadow Brokers release
Microsoft triaged a large release of exploits made publicly available by Shadow Brokers. Understandably, customers have expressed concerns around the risk this disclosure potentially creates. Engineers have investigated the disclosed exploits, and most of the exploits are already patched. Below is our update on the investigation.
When a potential vulnerability is reported to Microsoft, either from an internal or external source, the Microsoft Security Response Center kicks off an immediate and thorough investigation. Microsoft works to swiftly validate the claim and make sure legitimate, unresolved vulnerabilities that put customers at risk are fixed. Once validated, engineering teams prioritise fixing the reported issue as soon as possible, taking into consideration the time to fix it across any impacted product or service, as well as versions, the potential threat to customers, and the likelihood of exploitation.
Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Below is a list of exploits that are confirmed as already addressed by an update.
Code Name >> Solution
- EternalBlue >> Addressed by MS17-010
- EmeraldThread >> Addressed by MS10-061
- EternalChampion >> Addressed by CVE-2017-0146 & CVE-2017-0147
- ErraticGopher >> Addressed prior to the release of Windows Vista
- EskimoRoll >> Addressed by MS14-068
- EternalRomance >> Addressed by MS17-010
- EducatedScholar >> Addressed by MS09-050
- EternalSynergy >> Addressed by MS17-010
- EclipsedWing >> Addressed by MS08-067
Of the three remaining exploits, EnglishmanDentist, EsteemAudit, and ExplodingCan, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk. Customers still running prior versions of these products are encouraged to upgrade to a supported offering.