While infosec pros in Canada are scanning their systems to ensure Windows and anti-malware systems are fully patched to deal with the WannaCry ransomware that quickly spread around the world over the weekend, there are worries a new release of alleged CIA-created vulnerabilities from WikiLeaks will shortly lead to more attacks.
So far there are few public reports of IT systems in this country being victimized by WannaCry, which uses techniques of a worm to spread to computers in 150 countries. Researchers estimate some 300,000 systems were hit.
None of the 15 large Canadian enterprises who are members of the Canadian Cyber Threat Exchange have reported being successfully attacked by this particular malware, said executive director Robert Gordon. “I’d like to interpret it as because companies have been doing the updates that Microsoft put out — that would be the optimistic side of me. The more pessimistic side of me is saying companies are paying the ransom and not reporting it.”
(Meanwhile, other ransomware attacks continue. Gordon said a Canadian company that’s not a member of the CCTX this morning reported being hit by the so-called Onion ransomware.)
Infosec pros should note that WannaCry is not being spread by phishing but by exploiting a hole in Windows that the U.S. National Security Agency (NSA) found and that was later leaked to the world. Organizations and individuals who have patched systems with Microsoft’s MS17-010 fix, issued in March, are protected. Sean Dillon, a senior security analyst at RiskSense, said in an interview this morning that the ransomware itself is “off the shelf” malware, but the attackers bolted on the NSA exploit.
The WannaCry infection prompted Satyamoorthy Kabilan, director of national security and forensic foresight at the Conference Board of Canada to warn in a blog of how vital patching is to a mature enterprise cyber security strategy.
“There can be issues and costs that come with patching and particularly with updating systems,” he writes, “which can lead to a reluctance to move in this direction. But this incident makes clear once again that we need to get the basics right when it comes to cyber security – and patching and updating are one of those basics.”
Microsoft’s MS17-010 patch in March covered Windows Vista, Windows Server 2008 and later versions of Windows. On Friday in response to the rapid spread of WannaCry it released a patch for older versions of Windows including Windows XP and Windows Server 2003.
Similarly, McAfee CTO Steve Grobman said the WannaCry attack “should remind IT of the criticality to apply patches quickly. Part of the reason IT organizations hesitate to patch or run an internal quality assurance process is to ensure that there aren’t software incompatibility issues. One way I like to think about this is that whenever a patch must be applied, there is a risk to applying a patch, and a risk to not applying a patch. Part of what IT managers need to understand and assess is what those two risks mean to their organizations.”
He also warned CISOs that the incident is a reminder that whenever a vulnerability is reported and an exploit published that could be used by criminals, we should always expect and be prepared for this kind of attack, and for many copycat attacks following soon after.
To that end, note that on Friday WikiLeaks published the eighth release in its “Vault 7” series of tools it has gotten hold of that allegedly were created by the CIA to exploit holes in Windows. The release includes user guides and other material that could guide attackers in exploiting the holes.
The tools are:
- AfterMidnight, which allegedly allows operators to dynamically load and execute malware payloads on a target machine. The main controller disguises itself as a self-persisting Windows Service DLL and provides secure execution of an app via an HTTPS-based Listening Post (LP) system. Once installed on a target machine, the app calls back to a configured LP on a configurable schedule, checking whether there is a new plan for it to execute.
- Assassin, which is allegedly an automated implant that provides a simple collection platform on remote computers running the Windows operating system. Once the tool is installed on the target, the implant runs within a Windows service process. It then periodically beacons to its configured listening post(s) to request tasking and deliver results. Communication occurs over one or more transport protocols as configured before or during deployment.
U.S. intelligence agencies, not surprisingly, look for vulnerabilities in software and hardware that they can exploit on the systems of targets. However, many software companies are demanding that the CIA, the U.S. National Security Agency (NSA) and others tell them about such holes so they can be plugged before nation states or cyber criminals take advantage of them.
The WannaCry attack prompted Microsoft president Brad Smith on Sunday to publish a blog post demanding that governments stop stockpiling vulnerabilities.
“The governments of the world should treat this attack as a wake-up call,” he wrote. “They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new ‘Digital Geneva Convention’ to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality.”
As Cisco Systems’ Talos threat intelligence service notes, WannaCry doesn’t rely on the traditional ransomware vector of email phishing attacks. Instead, it spreads like a worm from infected system to infected system by scanning heavily over TCP port 445 (Server Message Block/SMB), then encrypting files.
“It is important to note that this is not a threat that simply scans internal ranges to identify where to spread, it is also capable of spreading based on vulnerabilities it finds in other externally facing hosts across the Internet,” says Talos.
“Additionally, Talos has observed WannaCry samples making use of DoublePulsar which is a persistent backdoor that is generally used to access and execute code on previously compromised systems. This allows for the installation and activation of additional software, such as malware. This backdoor is typically installed following successful exploitation of [Server Message Block] vulnerabilities addressed [in March] as part of Microsoft Security Bulletin MS17-010.”
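The spreading behaviour Talos describes above, one host sweeping TCP port 445 across many destinations, including Internet-facing ones, is something a defender can look for in ordinary firewall logs. The script below is an added example written for this article; it is not code from Talos, RiskSense or the article itself. It assumes a simplified, made-up firewall export format (epoch, source, destination, port, protocol, action), a hypothetical list of internal address ranges, and a handful of constructed log lines; the detection threshold and window are also assumptions to be tuned for a real network.

```python
"""Flag hosts that sweep TCP/445 (SMB) across many destinations in a short window,
the worm-style spreading that Talos describes for WannaCry.

Added example for this article, not code from Talos or the article. The log
format is an assumed, simplified firewall export, one connection per line:
    <epoch_seconds> <src_ip> <dst_ip> <dst_port> <proto> <action>
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (not real traffic). 10.0.0.5 behaves like a worm:
# ten distinct SMB targets in ten seconds, two of them outside the LAN.
# 10.0.0.7 is a normal client talking repeatedly to one file server and
# 10.0.0.9 touches a few hosts. One malformed line is included on purpose.
SAMPLE_LOG = """\
1494806400 10.0.0.5 10.0.0.10 445 TCP allow
1494806401 10.0.0.5 10.0.0.11 445 TCP allow
1494806402 10.0.0.5 10.0.0.12 445 TCP allow
1494806403 10.0.0.5 10.0.0.13 445 TCP deny
1494806404 10.0.0.5 10.0.0.14 445 TCP allow
1494806405 10.0.0.5 10.0.0.15 445 TCP allow
1494806406 10.0.0.5 10.0.0.16 445 TCP allow
1494806407 10.0.0.5 10.0.0.17 445 TCP allow
1494806408 10.0.0.5 203.0.113.7 445 TCP allow
1494806409 10.0.0.5 203.0.113.8 445 TCP deny
1494806400 10.0.0.7 10.0.0.20 445 TCP allow
1494806430 10.0.0.7 10.0.0.20 445 TCP allow
1494806460 10.0.0.7 10.0.0.20 445 TCP allow
1494806401 10.0.0.9 10.0.0.21 445 TCP allow
1494806402 10.0.0.9 10.0.0.22 445 TCP allow
1494806403 10.0.0.9 10.0.0.23 445 TCP allow
1494806405 10.0.0.9 10.0.0.24 80 TCP allow
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\S+)$")

# Ranges treated as "internal": an assumption for this example, and the place
# to put your own enterprise address space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto, action = m.groups()
    return {"ts": int(ts), "src": src, "dst": dst, "port": int(port),
            "proto": proto, "action": action}


def is_internal(ip):
    """True if ip falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def max_distinct_in_window(events, window):
    """events: time-sorted list of (ts, dst). Return the largest number of
    distinct destinations seen inside any span of `window` seconds."""
    counts, left, best = {}, 0, 0
    for ts, dst in events:
        counts[dst] = counts.get(dst, 0) + 1
        # Drop events that fell out of the window [ts - window, ts].
        while events[left][0] < ts - window:
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def find_smb_scanners(lines, window=60, threshold=10, port=445):
    """Return {src: info} for sources that reached at least `threshold` distinct
    destinations on TCP `port` within any `window`-second span. Denied
    connections count as well: a scanner's blocked attempts are part of the signal."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["port"] != port:
            continue
        per_src[rec["src"]].append((rec["ts"], rec["dst"]))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        distinct = max_distinct_in_window(events, window)
        if distinct >= threshold:
            targets = {dst for _, dst in events}
            alerts[src] = {
                "distinct_targets": distinct,
                # Talos's point: the worm also reaches out to Internet-facing hosts.
                "external_targets": sorted(t for t in targets if not is_internal(t)),
            }
    return alerts


if __name__ == "__main__":
    for src, info in find_smb_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {info['distinct_targets']} distinct SMB targets in 60s; "
              f"external: {', '.join(info['external_targets']) or 'none'}")
```

The window is what separates a worm from a busy file-server client: 10.0.0.7 makes just as many SMB connections as 10.0.0.9 but to a single destination, so it never trips the rule, while shrinking the window to a few seconds lets the same 10.0.0.5 traffic fall below the threshold. Any source that does trip it, especially with non-internal destinations listed, is worth isolating and checking for the MS17-010 patch state described earlier in the article.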
RiskSense’s Sean Dillon, who reverse-engineered the DoublePulsar exploit leaked in April by the Shadow Brokers, said in an interview this morning that by now the weekend’s WannaCry spree of gaining entry to unpatched systems is largely exhausted. “Pretty much any machine that could be infected has been.”
However, he noted that copycats are active. For example, the original malware that first started spreading had a “kill switch”: after infection, it tried contacting an unregistered website, and the attack on an infected machine was killed if the site didn’t respond correctly. A threat researcher spotted that and quickly registered the site, effectively putting the attack out of commission. However, new strains emerged Saturday without the kill switch. They also changed the Bitcoin addresses victims have to send money to.
He also noted that the WannaCry attack is somewhat “blatant,” in that victims will know they have been hit — a ransomware notice pops up on screen. CISOs have to be wary that attackers will bolt NSA/CIA-discovered vulnerabilities onto more silent malware, such as banking spyware that injects code into web browsers to steal passwords.