Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    WannaCry Ransomware Worm Risk Continues As Exploit Lands in Metasploit

    By
    SEAN MICHAEL KERNER
    -
    May 18, 2017
    Share
    Facebook
    Twitter
    Linkedin
      WannaCry Ransomware

      The WannaCry ransomware worm that first struck organizations around the world on May 12 continues to be a threat to IT systems as new variants emerge and the underlying exploit is now freely available in the open-source Metasploit penetration testing framework.

      Security firm Symantec reported that as of May 15, it had blocked approximately 22 million WannaCry infection attempts across 300,000 endpoints. The initial WannaCry malware attack included a ‘kill switch’, that has already been triggered. With the kill switch, the WannaCry ransomware is supposed to stop encrypting data, if it is able to connect to a specific domain. 

      The worm has also been modified in multiple ways since May 12, with different versions emerging. Security firm Cylance reported on May 17 that it has seen at least 27 unique hashes for WannaCry malware.

      The amount of ransom paid to the original group of WannaCry attackers has also risen over the course of the week. As of 8 AM ET on May 18, 279 payments totalling approximately $83,000 have been made to the three Bitcoin wallets associated with WannaCry, up from $50,000 on May 15.

      On a positive note, the global media attention on WannaCry may well have encouraged organizations to patch their systems and configure servers more securely to limit the risk.  The WannaCry attack is based on an exploit that Microsoft patched with its MS17-010 advisory on March 14 in the Server Message Block (SMB) service that enables file and folder sharing. The flaw was publicly released by a hacker group known as the ShadowBrokers on April 14, allegedly stolen from the U.S. National Security Agency (NSA).

      Security firm Rapid7 runs a pair of scanning efforts that aim to monitor global internet activity, including Project Sonar and Project Heisenberg. Rapid7’s scans on May 17 found that there were more than 1 million internet-connected devices openly exposing SMB on port 445. An open SMB port is one that potentially could be attacked by WannaCry and used to spread the ransomware.

      WannaCry specifically exploits a flaw in the SMBv1 protocol and it’s not entirely clear how many of the open SMB ports scanned by Rapid7 were running that version of SMB. That said, there is an indication of some positive actions taken by organizations over the course of the last week to limit WannaCry risks.

      “When comparing our May 12 scan with May 17, we see 100,000 fewer Windows devices with port 445,” Lee Weiner, Chief Product Officer at Rapid7, told eWEEK. “While we can’t definitively say these machines are running SMBv1, the downward trend may be a good sign those most at-risk systems are being addressed.”

      Metasploit

      To date, attribution for the WannaCry attack is not definite, though some media reports have alleged a North Korea connection. The underlying exploit, known as ‘EternalBlue’ that enables WannaCry however is now publicly available to anyone who wants it, as part of the open-source Metasploit penetration testing framework.

      Metasploit is intended to be used by security researchers to help test and improve defences. There has been some criticism in the past from those that argue that Metasploit also helps enable malicious hackers redevelop vulnerabilty exploits. Among the incidents was a 2005 Windows zero-day exploit that was available in Metasploit before any patch was publicly release by Microsoft.

      Rapid7 is now the lead commercial sponsor behind Metasploit and Weiner emphasized that there is a difference between what is in the Metasploit module and what WannaCry is doing.

      “The critical difference between WannaCry and the EternalBlue Metasploit module, authored by zerosum0x0, is that WannaCry is specifically engineered for malicious purposes, spreading a ‘ransomworm’ so the attackers behind it can force victims to pay them,” Weiner said. “By contrast, the Metasploit module is designed to enable security professionals to test their organization’s susceptibility to attack via MS17-010.”

      Weiner added that the EternalBlue exploit in Metasploit is entirely reverse engineered and recreated from the NSA leak and it doesn’t actually use any of the NSA code or tools. As a result of the reverse engineering  process, Weiner said that any potential side effects that may have come from running an NSA tool have been eliminated.

      “Metasploit is built on the belief that security professionals need to understand what they are up against in order to defend against attackers,” Weiner said. “That belief has not wavered in the face of WannaCry or the availability of the EternalBlue module now available in Metasploit.”

      “The only way to level the playing field is to arm security professionals with the same tools that attackers are using in the wild,” he added.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×