Something Old, Something New, Something (Eternal) Blue - The story, the lessons, and how not be the next victim of a cyber attack
Something Old: Hackers Techniques
The global WannaCry cyber-attack stirs memories of other successful computer worms such as Code Red, Slammer and Conficker. Despite being almost ten years old, Conficker remains the most detected infection on the planet.
Something New: WannaCry
The latest attack leveraged patching and ports process weaknesses that have been a problem for as long as I’ve been in information security (over 15 years). The common reoccurring problem with them is that they are not kept up to date and perimeters are not sufficiently secured.
Failing to maintain basic security combined with the automated nature of the ransomware is why the attack was as prolific as it was.
Technical notes: MS17-010 is two months old. Blocking ports (hardening the service) by disabling SMBv1
Something Eternal Blue
It is suspected that the Shadow Brokers were behind the Equation Group’s leak of private hacking tools, including EternalBlue and DoublePulsar, which were used in conjunction with the WannaCry (WannaCryptor) ransomware tool.
This allowed the worm to gain a foothold in systems, increase its privileges and encrypt a wide range of file types. It was also able to look for other systems to target and compromise.
Shadow Brokers – an infamous group of hackers
Equation Group - A sophisticated threat actor believed to have ties with the United States National Security Agency
WannaCry: The Accidental Hero
Fortunately, the attack was prevented from spreading further by a modest 22-year-old security researcher, Marcus Hutchins, known by the name of @MalwareTechBlog. Modest in that he believes he stopped the spread by accident.
Within the ransomware’s code, Hutchins noticed a reference to a website and found the domain name wasn’t registered. His original intention was to understand the scale of the problem, so he quickly registered the domain and switched on a webserver.
This inadvertent action caused the malware code to halt its movements, as the authors of the code had implemented a ‘kill switch’ when it detected a response from the website. It didn’t fix the systems already hit, but it did stop the problem from getting worse – at least for the time being.
However, the infections are still rising. Why is this? One reason could be that the ransomware malware code is not ‘proxy’ aware. Some organisations (sometimes for security reasons) use a middleman system called a proxy for web browsing traffic.
The code does not appear to be able to detect and utilise a proxy, so may not get a response from the website switched on by Hutchins, meaning that the ransomware could continue to run and spread within that organisation.
Kill switch – a software mitigation to disable or stop malware
Ransomware: Impacts for the immediate future
Worryingly but unsurprisingly, researchers who have analysed the code have discovered it can be easily modified and improved to make much it harder to stop.
New variants have already been spotted. Some with new switches (which have already been ‘killed’) and some without. Expect more attacks utilising the same techniques in the next few days and weeks.
Where did WannaCry start?
Neither the initial attack vector, nor ‘patient zero’ have been found yet.
However, the source of the outbreak is believed to be from unpatched systems exposing the vulnerable services directly on the Internet, or through a phishing attack, where several people have either clicked on a malicious link or opened an attachment they shouldn’t have.
What can businesses learn from the WannaCry Ransomware?
What can we learn from the rather inaccurately titled NHS Cyber Attack? How can we prevent or, rather more easily, reduce the impact of such attacks in the future?
What Would Have Prevented WannaCry?
Timely patching would have prevented this attack. We appreciate there are some systems that can’t be patched straight away, or indeed at all, due to legacy software issues.
It is all too easy to say patch ALL systems, but the reality is it’s not always straightforward. We can all feel for the NHS as they are stuck between a rock and a hard place. Everyone, (including the government) tells them to upgrade outdated systems and patch regularly but doesn’t provide the resources to do so.
Kudos to Microsoft for producing a patch for a system they no longer support – a goal for other software vendors to aspire to.
Segregating more vulnerable systems from other more open networks could also have reduced the risk of the systems being compromised; something for the network architects to consider.
When penetration testing, we encounter this issue all too often, which unnecessarily widens the attack surface.
The Priority: Securing systems (on top of the out of the box configuration)
Hardening systems, i.e. following security best practices to configure systems and services by removing weak settings and features, should be a priority.
Disabling SMBv1, which was used in this attack, has been the advice of penetration testers for years. The protocol is over 30 years old and even Microsoft says not to use it!
While signature based anti-malware tools are thought to be largely useless these days, they do stop simple attacks.
A small number of anti-malware providers already had the signatures for the initial vulnerability and did prevent the ransomware from spreading further.
Unfortunately, the anti-malware products provided by Microsoft were not in that small list to start with. Many people rely on Microsoft’s anti-malware tools, primarily because they are free in some Microsoft Windows versions.
Cyber Attack Incident Response Plan
Within our security team at IT Lab, we feel that the NHS - and the other people helping them, have done a great job managing the incident. They had a plan - Silver Command - and executed it well. At the time of writing, they’ve identified the issue, contained it (somewhat with the help of external factors – thanks @MalwareTechBlog), and are well on the way to eradicating the issue. Of the 48 trusts affected, it was down to 6 within 48 hours of detection.
No one can rest on their laurels, it is going to happen again. Do you know what you would do if you were next? Get a plan in place, and test it. This attack is a perfect scenario to test against as it was untargeted and could affect anyone.
Cyber Attacks: The Importance of Backups
For ransomware attacks and other attacks that destroy information or render it unreadable, having a proven backup strategy is key. We don’t mean just taking backups; you need to be 100% confident the backups work by restoring them regularly.
Identify key data and implement an appropriate backup frequency and process around it.
Cyber-Security: User Awareness
Finally, training your people to be more vigilant in recognising attacks, such as phishing, and the dangers that could manifest as a result of their actions is crucial as a prevention tactic. Test your people through regular simulated phishing attacks to bring the message home and keep the issue near the top of people’s minds.