As infosec pros catch their breath recovering from the WannaCry ransomware attack that crippled some 300,000 Windows machines around the world last month, three myths this week were exploded:
—It hardly touched Canada. Wrong. According to a Malwarebytes report released Thursday, Canada accounted for just under 11 per cent of its customers’ detections of the attack (although, admittedly, fewer systems overall were infected here than elsewhere), third in the world.
By comparison Russia was number one with nearly 29 per cent of global detections from Malwarebytes customers, the U.S. second with just over 11 per cent of detections.
In an email, Adam Kujawa, director of malware intelligence for the security vendor, said that as a developed country Canada had more businesses that likely had vulnerable systems. But he also acknowledged that Malwarebytes monitors more endpoints here than in some of the more heavily hit countries, which could skew the results;
—The majority of systems hit ran Windows XP. Wrong. According to a presentation at this week’s RiskSec Toronto conference by Tom Levasseur, a vulnerability assessment and penetration specialist at Montreal-based consulting firm CGI, the overwhelming majority of victim machines ran versions of Windows 7.
CISOs should note that last week RiskSense published a report saying an exploit could be developed for unpatched versions of Windows 10 November 2016 Update. “Porting the original exploit to more versions of Microsoft Windows, while difficult, is not an impossible feat,” the report says;
—It spread initially by email. Unlikely. According to Levasseur, WannaCry is a classic worm, which copies itself from vulnerable machine to vulnerable machine. He believes the authors first scanned the Internet, found and seeded a number of vulnerable computers, then let the worm do the rest.
Noting that the initial demand to decrypt files was a relatively modest US$300 in bitcoin, Levasseur said, “It wasn’t the most advanced attack group we’ve ever seen that did this job, but it was very effective.”
WannaCry is a bundle of malware including a worm, a backdoor and ransomware, assembled by a threat group.
The worm carried code, dubbed ‘EternalBlue,’ that scans networks for systems with Microsoft Server Message Block (SMB) v1 file sharing open on port 445. When it discovered a system that met that criterion it copied the bundle to the victim computer, then launched the ransomware.
As others have noted, Levasseur said WannaCry has its origins in code created by the Equation Group, widely believed to be associated with or directly part of the U.S. National Security Agency, the cryptanalytic body that defends American government networks and creates ways of breaking into other systems. Originally ‘EternalBlue’ was just a worm and backdoor for exploiting Windows.
Somehow a group calling itself the Shadow Brokers, which Levasseur suspects is allied with Russian intelligence, got hold of this and other vulnerabilities. The suspicion, Levasseur said, is that the home computer of a former NSA contractor, who was arrested and found with 50 TB of sensitive code on his machine, was hacked.
At any rate, earlier this year the Shadow Brokers offered to sell the stolen vulnerabilities for a significant sum. When no one ponied up, the group gradually lowered the price. With still no takers, the code was released on April 18. Some group saw the possibilities of the ‘EternalBlue’ worm/backdoor, added ransomware and, around May 12, released the bundle that would be called WannaCry.
Meanwhile, Microsoft released a patch for the SMB v1 problem on March 16. That in theory gave CISOs a head start on fixing systems, but for some it wasn’t enough time.
These days there’s no shortage of devices attached to the Internet, so it’s no problem to find hilarious examples of where it hit. Levasseur had a slide of a photo someone in Asia took of a huge outdoor electronic billboard displaying the ransom message, as well as one on the arrivals/departure board at a train station.
The majority of victims chose not to pay to have their systems unlocked, judging by the amount in the three bitcoin wallets associated with the attack. As of June 4, Levasseur said, there were about 337 transactions, with 50 bitcoin – worth CDN$170,000 – deposited after almost a month.
And the coin is still sitting there. Either the creators are waiting for the value of bitcoin to rise, Levasseur speculated, or they’re “running for the hills” because “every law enforcement officer in the world” is after them.
Europe and Asia were “densely hit,” Levasseur noted, but not North America. He could only speculate that perhaps it spread in Asia faster because people and systems were on at a time when those in Canada and the U.S. were sleeping. Or perhaps systems in the two countries were better patched. Another possibility is that the ‘EternalBlue’ code avoided American IP addresses, he said.
The prime lessons from the attack are, “Patch, patch, patch,” Levasseur said. Admittedly patching can be hard, he said, particularly in organizations that don’t know all of their assets. Other lessons are best practices such as segregating networks and closing ports. Last-minute panic is also dangerous, he added, citing the Australian hospital that inadvertently took its electronic health records system offline while installing patches after getting the WannaCry alert.
Having a threat hunting or threat intelligence team or capability is valuable as well, Levasseur said. This may be vital: weeks before WannaCry hit, Levasseur noted, a crypto-currency mining malware called Adylkuzz was spreading. It used the same vulnerability – Windows SMB v1. “It didn’t make headlines,” he complained. “What does that say about our industry?”
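As an added example (not part of the article or of any vendor's tooling), the two behaviours described above, a host fanning out to many neighbours on TCP/445 the way the EternalBlue worm component must, and SMB traffic leaving the internal network despite the "close ports" advice, are the sort of thing a threat hunting team can look for in ordinary firewall logs. The script runs both checks over a constructed sample log; the record format, the fan-out threshold and the RFC 1918 definition of "internal" are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of firewall connection records (not real data):
# timestamp  source-IP  destination-IP  destination-port  protocol
SAMPLE_LOG = """\
2017-05-12T10:01:00Z 10.0.1.15 10.0.1.20 445 tcp
2017-05-12T10:01:01Z 10.0.1.15 10.0.1.21 445 tcp
2017-05-12T10:01:01Z 10.0.1.15 10.0.1.22 445 tcp
2017-05-12T10:01:02Z 10.0.1.15 10.0.1.23 445 tcp
2017-05-12T10:01:02Z 10.0.1.15 10.0.1.24 445 tcp
2017-05-12T10:01:03Z 10.0.1.15 10.0.1.25 445 tcp
2017-05-12T10:01:03Z 10.0.1.15 10.0.1.26 445 tcp
2017-05-12T10:01:04Z 10.0.1.15 10.0.1.27 445 tcp
2017-05-12T10:01:04Z 10.0.1.15 10.0.1.28 445 tcp
2017-05-12T10:02:00Z 10.0.1.40 10.0.1.5 445 tcp
2017-05-12T10:02:30Z 10.0.1.40 10.0.1.5 445 tcp
2017-05-12T10:03:10Z 10.0.1.41 203.0.113.9 445 tcp
"""

# Assumed definition of "internal": the RFC 1918 ranges. SMB should never cross this boundary.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(log_text):
    """Yield (ts, src, dst, dport) tuples from whitespace-separated records."""
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dport, _proto = line.split()
            yield ts, src, dst, int(dport)

def find_smb_scanners(records, threshold=8):
    """Return {src: distinct-target-count} for hosts that contacted at least
    `threshold` different hosts on TCP/445. A worm has to probe many
    neighbours; an ordinary file-share client talks to a handful."""
    targets = defaultdict(set)
    for _ts, src, dst, dport in records:
        if dport == 445:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}

def find_internet_bound_smb(records):
    """Return (src, dst) pairs where port 445 traffic left the RFC 1918 space."""
    return [(src, dst) for _ts, src, dst, dport in records
            if dport == 445
            and not any(ipaddress.ip_address(dst) in net for net in INTERNAL_NETS)]

if __name__ == "__main__":
    recs = list(parse(SAMPLE_LOG))
    print("fan-out scanners:", find_smb_scanners(recs))
    print("internet-bound SMB:", find_internet_bound_smb(recs))
```

On the sample, 10.0.1.15 is flagged for touching nine neighbours on port 445 while the two-connection file-share client 10.0.1.40 is not, and the single SMB connection to 203.0.113.9 is reported as perimeter leakage.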