As infosec pros catch their breath recovering from the WannaCry ransomware attack that crippled some 300,000 Windows machines around the world last month, three myths this week were exploded:
- It hardly touched Canada. Wrong. According to a Malwarebytes report released Thursday, just under 11 per cent of the attack detections among its customers came from Canada, third in the world (although, admittedly, fewer systems overall were infected here than elsewhere).
By comparison, Russia was number one with nearly 29 per cent of global detections from Malwarebytes customers, and the U.S. was second with just over 11 per cent of detections.
In an email, Adam Kujawa, director of malware intelligence for the security vendor, said that as a developed country Canada had more businesses that likely had vulnerable systems. But he also acknowledged that Malwarebytes monitors more endpoints here than in some of the more heavily hit countries, which could skew the results.
- The majority of systems hit ran Windows XP. Wrong. According to a presentation at this week's RiskSec Toronto conference by Tom Levasseur, a vulnerability assessment and penetration specialist at Montreal-based consulting firm CGI, the overwhelming majority of victim machines ran versions of Windows 7.
CISOs should note that last week RiskSense published a report saying an exploit could be developed for unpatched versions of the Windows 10 November 2016 Update. "Porting the original exploit to more versions of Microsoft Windows, while difficult, is not an impossible feat," the report says.
- It spread initially by email. Unlikely. According to Levasseur, WannaCry is a classic worm, which copies itself from vulnerable machine to vulnerable machine. He believes the authors first scanned the Internet, found and seeded a number of vulnerable computers, then let the worm do the rest.
Noting that the initial demand to decrypt files was a relatively modest US$300 in bitcoin, Levasseur said, "It wasn't the most advanced attack group we've ever seen that did this job, but it was very effective."
WannaCry is a bundle of malware including a worm, a backdoor and ransomware, assembled by a threat group.
The worm had code, dubbed "EternalBlue," which scans networks for systems with Microsoft Server Message Block (SMB) v1 file sharing open on port 445. When it discovered a system that met those criteria it copied the bundle to the victim computer, then launched the ransomware.
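As an added example (not from the article or from CGI), the scanning behaviour described above is something a defender can hunt for in connection logs: one source contacting many distinct hosts on port 445 within a short window looks like a worm, not normal file sharing. The log lines, the 5-host threshold and the 60-second window below are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall/NetFlow lines (not from the article):
# "<ISO timestamp> <src ip> <dst ip> <dst port>"
SAMPLE_LOGS = """\
2017-05-12T10:00:00 10.0.1.20 10.0.2.5 445
2017-05-12T10:00:01 10.0.1.20 10.0.2.6 445
2017-05-12T10:00:01 10.0.1.20 10.0.2.7 445
2017-05-12T10:00:02 10.0.1.20 10.0.2.8 445
2017-05-12T10:00:03 10.0.1.20 10.0.2.9 445
2017-05-12T10:00:03 10.0.1.20 10.0.2.10 445
2017-05-12T10:00:05 10.0.1.31 10.0.2.5 445
2017-05-12T10:06:00 10.0.1.31 10.0.2.6 445
2017-05-12T10:00:10 10.0.1.40 10.0.2.5 80
2017-05-12T10:00:11 10.0.1.40 10.0.2.6 80
"""

def parse_line(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def find_smb_scanners(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src: peak number of distinct hosts contacted on 445 within
    `window`} for every source whose peak reaches `threshold`."""
    by_src = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst, port = parse_line(line)
        if port == 445:                      # only SMB traffic matters here
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()                # dst -> hits inside the window
        left, peak = 0, 0
        for ts, dst in events:               # sliding window over time
            in_window[dst] += 1
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[src] = peak
    return flagged
```

A hit on a server that legitimately talks to many file shares (a backup host, say) is a false positive; tune the threshold per network segment.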
As others have noted, Levasseur said WannaCry has its origins in code created by the Equation Group, widely believed to be associated with or directly part of the U.S. National Security Agency, the cryptanalytic body that defends American government networks and creates ways of breaking into other systems. Originally "EternalBlue" was just a worm and backdoor for exploiting Windows.
Somehow a group calling itself the Shadow Brokers, which Levasseur suspects is allied with Russian intelligence, got hold of this and other vulnerabilities. The suspicion is that the home computer of a former NSA contractor, who was arrested and found with 50 TB of sensitive code on his machine, was hacked, Levasseur said.
At any rate, earlier this year the Shadow Brokers offered to sell the stolen vulnerabilities for a significant sum. When no one ponied up, the group gradually lowered the price. With still no takers, the code was released on April 18. Some group saw the possibilities of the "EternalBlue" worm/backdoor, added ransomware and released the bundle that would be called WannaCry around May 12.
Meanwhile, Microsoft released a patch for the SMB v1 problem on March 16. That in theory gave CISOs a head start on fixing systems, but for some it wasn't enough time.
These days there's no shortage of devices attached to the Internet, so it's no problem to find hilarious examples of where it hit. Levasseur had a slide of a photo someone in Asia took of a huge outdoor electronic billboard displaying the ransom message, as well as one of the arrivals/departures board at a train station.
The majority of victims chose not to pay to have their systems unlocked, judging by the amount in the three bitcoin wallets associated with the attack. As of June 4, Levasseur said, there were about 337 transactions, with 50 bitcoin (worth CDN$170,000) deposited after almost one month.
And the coin is still sitting there. Either the creators are waiting for the value of bitcoin to rise, Levasseur speculated, or they're "running for the hills" because "every law enforcement officer in the world" is after them.
Europe and Asia were "densely hit," Levasseur noted, but not North America. He could only speculate that perhaps it spread faster in Asia because people and systems were on at a time when those in Canada and the U.S. were sleeping. Or perhaps systems in the two countries were better patched. Another possibility is that the "EternalBlue" code avoided American IP addresses, he said.
The prime lessons from the attack are, "Patch, patch, patch," Levasseur said. Admittedly patching can be hard, he said, particularly in organizations that don't know all of their assets. Other lessons are best practices such as segregating networks and closing ports. Last-minute panic is also dangerous, he added, giving as an example the Australian hospital that inadvertently took its electronic health records system offline while installing patches after getting the WannaCry alert.
Having a threat hunting or threat intelligence team or capability is valuable as well, Levasseur said. This may be vital: weeks before WannaCry hit, Levasseur noted, a crypto-currency mining malware called Adylkuzz was spreading. It used the same vulnerability, Windows SMB v1. "It didn't make headlines," he complained. "What does that say about our industry?"