Companies that have been hit by WannaCry may be cursing their bad luck – but the attack could have been much worse had hackers bundled the exploit with malicious malware or other attacks, an ex-military cybersecurity responder has warned amidst industry warnings that the threat from the exploit is far from over.
The WannaCry ransomware – which leveraged the NSA-developed EternalBlue exploit for the SMB networking functionality as implemented in Microsoft Windows operating systems – disrupted hundreds of thousands of businesses over the past week and has significantly upped the ante for security practitioners that have been less than rigorous in ensuring they keep their systems patched.
The fact that the exploit leveraged a Windows exploit that was patched back in March, but had not been applied to victim companies, was “somewhat fascinating” given that CSOs had effectively made rods for their own backs, SecureWorks chief threat intel officer Barry Hensley told CSO Australia.
“These vulnerabilities have been known for a long time and there were lots of opportunities for them to not have lost their weekends,” he said. “But based on the number of phone calls we received from clients and prospects, who were trying to understand the potential impact to them – and running to do a bunch of patching, segmentation or disabling of SMBv1 – it still happened.”
In February Microsoft delayed updating a number of known vulnerabilities to its March Patch Tuesday, when it published Security Bulletin MS17-010 and noted that the vulnerability was “critical for all supported releases of Microsoft Windows”. The exploit was so potentially problematic that the company took the unusual step of even releasing a patch for Windows XP and other out-of-support operating systems.
Having had two months’ lead time, Hensley said, “there was somewhat of an expectation that by this stage of understanding the vulnerability, people would have taken action by now. Anyone who works in IT knows that sysadmins and network admins want to patch their stuff; the problem comes in getting the support, time, and resources needed to deploy patches in a timely fashion.”
While the ransomware was a nuisance for victims, it also proved the viability of an even bigger potential threat if the same cybercriminals – or others following their lead – had chosen malicious rather than financial objectives for their attack. Bundling malware with the exploit would have potentially wiped files, exfiltrated sensitive data, or given attackers control over critical corporate systems in open-ended attacks that would be a nightmare to resolve.
“If cybercriminals were to bolt together a few different vulnerabilities and exploits, more than just the UK National Health Service are going to have a bad day,” Hensley said as SecureWorks released its analysis of the attack and its effects. “It makes you think a bit, because it was so successful.”
Another attack based on EternalBlue has already emerged, according to security firm BitDefender, which warned about a cryptocurrency miner called Adykluzz that also exploits EternalBlue and runs stealthily on users’ systems without affecting any of their files.
“This is yet another confirmation that cybercriminals are building a new generation of malware on the EternalBlue exploit,” the company said in a statement. “This is the ‘new normal’.”
Other residual effects of the WannaCry attack are still being felt – not the least from companies whose normal operations were disrupted, creating backlogs of services that had to be made up in subsequent days. Global package carrier FedEx, for example, was rushing to make up lost ground after WannaCry impacted some of its key systems.
A week after the attack, the initial 7-day period for paying the ransom is set to run out and WannaCry’s authors have warned that after that time, “you won’t be able to recover your files forever” – although they have promised “free events” in 6 months’ time for those users that can’t afford the escalating ransom.