If there was ever a malware attack that we should have been ready for, it’s the WannaCry ransomware attack that started attacking European organizations May 12.
This malware uses an exploit revealed by the hacking group ShadowBrokers more than a year ago that employs a remote code execution vulnerability in version 1 of the Windows Server Message Block protocol (SMBv1), which Microsoft patched in March.
Any individual or organization that has deployed the latest Windows Update will have a fix in place. Since then, Microsoft has issued new updates specifically for the WannaCry attacks and copycat attacks. Microsoft even released a security update for Windows XP machines, which are no longer supported.
The WannaCry ransomware was first seen in the UK’s National Health Service, but it has since spread to networks globally, hitting Europe, Russia and China especially hard. The U.S. has had some malware infections from WannaCry, but the effect has been limited.
It appears that the malware doesn’t attack Windows 10 machines, and it may also be sparing Windows XP machines. The reason appears to be related to the fact that the original exploit was based on machines that came out before Windows 10. It’s not clear why Windows XP machines may have been skipped.
“I’m surprised that it took this long for someone to use the ShadowBrokers leak,” said Georgia Weidman, founder and CTO of the Shevirah cyber-security company, who noted that the malware exploits a vulnerability in Windows that has existed for nearly a decade. She said that Microsoft has been trying to get people to update Windows to eliminate that vulnerability for a while now.
“You see it a lot on penetration tests because people don’t patch when they should,” she said. Weidman said that the malware spread so quickly because of its ability to perform remote code execution and because it was deployed as a worm. “We haven’t seen many ransomware worms,” she said.
The key to preventing an attack by the WannaCry ransomware is to keep your copy of Windows updated. You can also install an antimalware package, such as Malwarebytes, or deploy an anti-ransomware package such as the one from security software company Cybereason, which is currently offering the software for free, at least initially, for new customers.
Malwarebytes detects malware, including ransomware, using a variety of methods, including behavior. Cybereason watches for the start of encryption activity and immediately stops it.
Unfortunately, not everyone can update their versions of Windows. In some cases, Windows is running on machines with legacy applications that won’t run on an updated system. In other cases, Windows is running as an embedded system and simply can’t be updated.
The problem shows up when one of those embedded systems, or any other computer running an unpatched version of SMBv1, is exposed directly on the internet. Weidman said that she found over a million internet-facing devices on the morning of May 15, three days after the WannaCry attacks began, using the Shodan search engine.
Weidman pointed out that there are a number of reasons why those vulnerable devices are out there. For example, there’s medical equipment that uses Windows in its control computer, but can't be updated. The same problem exists with industrial equipment and devices that are part of the critical infrastructure.
Researchers at CyberX Labs, which specializes in industrial cyber-security, say that they’ve found a long list of vulnerable critical infrastructure ranging from power plants to hospitals, all with open SMBv1 ports showing up on Shodan.
David Atch, CyberX Labs' vice president for research, said he believes some of the sites he’s found are especially vulnerable because utilities tend to run older systems that can't be updated or patched.
While those utilities can be found using Shodan, Atch said that he didn’t feel comfortable revealing their names or locations. As he said, there’s no point in providing a pointer to potential hackers.
Weidman said that the best way to protect industrial systems that can’t be updated is to place them on isolated network segments that don’t have direct access to the Internet. She pointed out that while internal users may need access to the data on those devices, someone on the internet shouldn’t. Those isolated segments can be protected by internal firewalls or default-deny routers.
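As an added example that is not part of the original article, the script below shows what the two pieces of advice above (keep SMB patched or turned off, and let only internal users reach SMB on a host) look like on a single Windows machine that can still be administered. It uses only built-in cmdlets; `$InternalSubnet` is a placeholder for whatever isolated segment legitimately needs file-sharing access, and `Disable-WindowsOptionalFeature` applies to client editions (server editions remove SMBv1 as a Windows feature instead). Segment-level isolation of devices that cannot be touched at all, as Weidman describes, still has to be done on the routers or firewalls in front of them.

```powershell
# Added example, not from the article: audit and reduce SMB exposure on one Windows host.
# Assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later.
$InternalSubnet = '10.20.0.0/16'   # placeholder: the segment that is allowed to use SMB

# 1. Audit: report whether SMBv1 is still enabled, then switch it off.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 is enabled on this host; disabling it.'
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Client editions also ship SMBv1 as an optional feature that should be removed.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
} else {
    Write-Output 'SMBv1 is already disabled.'
}

# 2. Default-deny inbound on every firewall profile, so SMB is reachable only through
#    an explicit allow rule (Windows Firewall evaluates block rules before allow rules,
#    so the clean way to scope SMB is a restrictive allow on top of a deny-by-default).
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 3. Retire the broad built-in file-sharing allow rules ...
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
    Disable-NetFirewallRule

# 4. ... and re-allow SMB (TCP 445 and 139) only from the internal segment,
#    and never on the Public profile.
New-NetFirewallRule -DisplayName 'SMB-In (internal segment only)' `
    -Direction Inbound -Protocol TCP -LocalPort 445,139 `
    -RemoteAddress $InternalSubnet -Action Allow -Profile Domain,Private

# 5. Show who is currently connected to SMB, so unexpected peers stand out.
Get-NetTCPConnection -LocalPort 445 -State Established -ErrorAction SilentlyContinue |
    Select-Object RemoteAddress, RemotePort, OwningProcess
```

Run it once per host after taking a backup of the existing firewall policy (`Export` via `netsh advfirewall export`), and review the connection list in step 5 before rolling the rules out widely: any established SMB session from an address outside `$InternalSubnet` is exactly the exposure the article warns about.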
Meanwhile, it appears the initial wave of WannaCry malware attacks is subsiding. A security researcher in the UK who goes by the handle MalwareTech found that when the WannaCry malware is starting up, it searches for an oddly named domain on the internet. The researcher registered the name, and at that point the malware infection slowed.
However, just because the initial attacks may be ending, that doesn’t mean it’s all clear. Other malware writers are recompiling WannaCry without the search for the internet site. That means that there’s no effective kill switch. This means updating or isolating vulnerable systems is as important as ever.