bit-tech.net

WannaCry malware downs systems worldwide

Microsoft has released an emergency patch to fix a vulnerability in Windows exploited by the WannaCry ransomware to devastating effect this weekend.

Microsoft has issued emergency patches for its Windows operating systems, including OS-that-wouldn't-die Windows XP, in the wake of an ongoing malware infestation which is affecting thousands of systems across the globe including numerous NHS facilities in the UK.

The latest entry in the growing pantheon of so-called ransomware packages, which silently encrypt a user's files in the background before popping up with a demand for payment in order to release the decryption key, WannaCry - also known as WannaCrypt or Wanna Decryptor - is on the face of it nothing special. Like its predecessors, the malware spreads like a worm through unpatched vulnerabilities in the host operating system; it uses public-key cryptography to lock selected file types against being opened; and it demands a payment in Bitcoin, initially $300 per infection and raised to $600 by a revised version, in exchange for the private key needed to decrypt the files.

Where WannaCry differs from its predecessors is in efficacy. By attacking a flaw present in Microsoft's Windows operating systems from Windows XP through to the latest Windows 10 - closed on supported versions by a patch released in March - WannaCry has become one of the most successful malware strains in history, taking down thousands of systems, from NHS computers still running Windows XP to government platforms which have not yet received the March patch.

As for where WannaCry's anonymous author - or authors - discovered the vulnerability, that one's clear: the flaw exploited by the malware was discovered some considerable time ago by the US National Security Agency (NSA) but never disclosed to Microsoft for repair. When the NSA itself was attacked and its cache of vulnerabilities stolen and published, the flaw became public knowledge and, it seems, the basis for the WannaCry attack.

'The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States. That theft was publicly reported earlier this year. A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect our customers,' explained Microsoft's president and chief legal officer Brad Smith in a blog post analysing the attack. 'While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected.

'We take every single cyberattack on a Windows system seriously, and we’ve been working around the clock since Friday to help all our customers who have been affected by this incident. This included a decision to take additional steps to assist users with older systems that are no longer supported.'

That assistance includes a reset of the clock on the long-running Windows XP. Semi-affectionately known as the operating system that just won't die, XP was originally scheduled to enter end-of-life (EOL) status in 2008 before receiving multiple stays of execution through to April 2014 - though even then it received a post-EOL patch for a security flaw and some of its embedded variants continue to receive updates. Now, three years since the last public update, Windows XP has again been patched to close the WannaCry vulnerability.

Smith was clear that his company holds the NSA responsible for the efficacy of WannaCry's infection vector. 'This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,' he claimed in the announcement. 'This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

'The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.'

During the weekend, it looked as though WannaCry had been defused when a security researcher discovered a domain in its code which had not been registered. Once registered, the domain acted as a kill-switch: the malware checked whether the domain resolved and, if it did, its worm component stopped spreading. Sadly, it didn't take long for the WannaCry author to modify the code and release an updated version which no longer checks the kill-switch domain.
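The kill-switch has a defensive use beyond halting the worm: because the original variant looks up the domain before it spreads, any internal host that queried that name was running the worm component, and a DNS query log will show which hosts those were. The script below is an added example and is not code from the article or from the researcher who registered the domain; it uses a placeholder in place of the real kill-switch domain (the article does not name it) and a constructed, simplified query log format of timestamp, client address, record type and queried name. It normalises names for DNS's case-insensitivity and trailing dot, skips lines that do not fit the format, and groups hits by client. The caveat follows from the article itself: the updated variant no longer performs the lookup, so a host that is absent from this report is not thereby shown to be clean.

```python
"""Detection example: find internal hosts that queried the kill-switch domain.

Added example, not code from the bit-tech article. The real kill-switch domain
is not named in the article, so a placeholder is used, and the log lines are
constructed samples in a simplified format.
"""
from __future__ import annotations

from collections import defaultdict

# Placeholder: substitute the actual sinkholed kill-switch domain.
KILL_SWITCH_DOMAINS = {"killswitch-domain.example"}

# Constructed sample log: "<timestamp> <client> query <type> <name>", one query per line.
SAMPLE_DNS_LOG = """\
2017-05-12T10:01:02Z 10.0.4.17 query A killswitch-domain.example
2017-05-12T10:01:05Z 10.0.4.17 query A update.microsoft.com
2017-05-12T10:02:41Z 10.0.7.3 query A KILLSWITCH-DOMAIN.EXAMPLE.
2017-05-12T10:03:00Z 10.0.9.9 query A www.bit-tech.net
malformed line that should be skipped
2017-05-12T10:04:13Z 10.0.4.17 query A killswitch-domain.example
"""


def normalise_name(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def parse_line(line: str) -> tuple[str, str, str] | None:
    """Return (timestamp, client, name), or None for a line that does not fit the format."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "query":
        return None
    return parts[0], parts[1], normalise_name(parts[4])


def find_killswitch_lookups(log_text: str) -> dict[str, list[str]]:
    """Map each client that queried a kill-switch domain to the timestamps of its queries."""
    hits: dict[str, list[str]] = defaultdict(list)
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        timestamp, client, name = parsed
        if name in KILL_SWITCH_DOMAINS:
            hits[client].append(timestamp)
    return dict(hits)


if __name__ == "__main__":
    for client, times in sorted(find_killswitch_lookups(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {len(times)} kill-switch lookup(s), first at {times[0]}")
```

Run against a real resolver log, the list of clients is a starting point for triage: each one hosted the worm component at the time of the lookup and should be isolated and patched, and repeated lookups from the same client (as with 10.0.4.17 in the sample) suggest the malware is still active there.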

Those running Windows - or, realistically, any other operating system - are advised to ensure they are running the latest security patches available, have anti-malware software installed and activated, and have up-to-date backups which are stored offline, the latter being by far the best defence against ransomware attacks such as WannaCry and its predecessors.
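An offline backup only helps if what it holds is still readable, and a backup job that runs after the encryption has started will faithfully copy ciphertext. A cheap check a practitioner can run over a backup set is a per-file entropy test: ransomware output is close to random and scores near 8 bits per byte, while ordinary documents score well below that. The script below is an added example, not code from the article; the threshold of 7.5 bits per byte and the list of already-compressed extensions (which also score high and are therefore excluded to avoid false positives) are assumptions to be tuned for real data, and the sample backup is constructed in a temporary directory.

```python
"""Backup sanity check: flag files in a backup set that look encrypted.

Added example, not code from the bit-tech article. The threshold and the
extension list are assumptions; the sample backup is constructed.
"""
from __future__ import annotations

import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Formats that are already compressed score high on entropy without being encrypted.
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumption, tune for your own data
MIN_SAMPLE = 256         # too few bytes to estimate entropy meaningfully below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for uniform content, 8.0 for random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_size: int = 65536) -> bool:
    """True if the file's leading bytes are near-random and the format is not compressed."""
    if path.suffix.lower() in COMPRESSED_EXTS:
        return False
    with path.open("rb") as f:
        sample = f.read(sample_size)
    return len(sample) >= MIN_SAMPLE and shannon_entropy(sample) > ENTROPY_THRESHOLD


def scan_backup(root: Path) -> list[Path]:
    """Return every file under root that looks encrypted, sorted for stable output."""
    return sorted(p for p in root.rglob("*") if p.is_file() and looks_encrypted(p))


def build_sample_backup() -> Path:
    """Construct a tiny backup set: one plain document, one encrypted-looking file, one photo."""
    root = Path(tempfile.mkdtemp(prefix="backup_sample_"))
    (root / "report.docx").write_bytes(b"Quarterly report. " * 400)
    (root / "report.docx.locked").write_bytes(os.urandom(4096))  # stands in for ransomware output
    (root / "photo.jpg").write_bytes(os.urandom(4096))           # compressed format, excluded
    return root


if __name__ == "__main__":
    for flagged in scan_backup(build_sample_backup()):
        print(f"possible ciphertext: {flagged.name} ({shannon_entropy(flagged.read_bytes()):.2f} bits/byte)")
```

The check is a heuristic, not proof: genuinely encrypted archives the user created on purpose will also be flagged, and a short file cannot be judged at all, which is why files under 256 bytes are skipped. Run it against each new backup generation before the previous one is rotated out, so that a backup captured after encryption began does not quietly replace the last good copy.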

Pookie 15th May 2017, 11:13
I'm sorry but the buck stops with Microsoft, they built the OS and it's their job to ensure that it's secure. Maybe they need to invest in more time researching vulnerabilities rather than messing about with crappy stuff like Cortana.
Mr_Mistoffelees 15th May 2017, 11:16
Quote:
Originally Posted by Pookie
I'm sorry but the buck stops with Microsoft, they built the OS and it's their job to ensure that it's secure. Maybe they need to invest in more time researching vulnerabilities rather than messing about with crappy stuff like Cortana.

No it doesn't, Microsoft have made secure (against this vulnerability) OS software available to everyone who wants it. It is the end user's responsibility to update. It is not Microsoft's fault that much of the NHS and many other organisations, are still running a 16 year old OS.
Broadwater06 15th May 2017, 11:17
But why should they keep supporting XP, they told us very clearly when the support ends, they even extended the support more than any other Windows.
tonyd223 15th May 2017, 11:19
Why didn't the NSA tell Microsoft? Because it was using the vulnerabilities for itself?
Gareth Halfacree 15th May 2017, 11:26
Quote:
Originally Posted by tonyd223
Why didn't the NSA tell Microsoft? Because it was using the vulnerabilities for itself?
Yes, exactly that. Which, incidentally, goes directly against the Vulnerability Equities Process (VEP) introduced by the Obama administration which requires all government agencies to share discovered vulnerabilities with vendors unless they can successfully argue for a temporary stay (such as "we're actively using this in an ongoing investigation which is due to wrap up on the 15th of November," rather than "we might need this in the future so we're keeping it to ourselves.")
fix-the-spade 15th May 2017, 11:39
So if Microsoft is officially blaming the NSA both for discovering the vulnerability, withholding knowledge from Microsoft of it and for failing to keep the information secure, where does this leave the rest of the world legally?

I can see lawyers round the world rubbing their hands with glee at the thought of suing the US government. Hoarding security flaws to carry out (presumably) surveillance without warrants and/or outside of their jurisdiction and then allowing those security flaws to fall into the hands of organised crime. That could be quite the damages claim.
MLyons@BOXFX 15th May 2017, 11:47
I'm curious who the blame would legally fall on if a death had been the result of this. Does it go to the person that started the attack, the NHS, the NSA or Microsoft. It also seems like the person(s) behind this didn't get that much of a pay day based on the amount seen going into the wallets.
Corky42 15th May 2017, 12:42
Quote:
Originally Posted by MLyons@BOXFX
I'm curious who the blame would legally fall on if a death had been the result of this.

IANAL so I'm probably wrong but I'd say it lies with the NSA as they're the ones who discovered the vulnerability and did nothing to strengthen the world's defenses against it.

Frankly I find it ridiculous that when it comes to chemical, biological, radiological and nuclear weapons we have a plethora of international agreements governing their use but when it comes to 'cyber space' the rules seem so lax.

We wouldn't allow a government agency to use anthrax or ebola for anything other than researching ways to defend against them but when it comes to vulnerabilities in software it seems fine to weaponise those.
jrs77 15th May 2017, 12:59
Another excellent reason to drop Windows and go with Linux. MacOS would be another better option as it has all the professional software available.

Let's face it. Microsoft is the target #1 for any attacks like this. It's used by 90+ percent of all PC users including business and most of the users are too stoopid to prevent things like that from happening, be it by not updating, not running antivirus, clicking on every link without thinking twice, etc, etc

Sure, the NSA is partly to blame in this particular scenario, if they withheld critical information about this specific issue and they should be held accountable in part, but the main reason for this issue is that Microsoft doesn't have any competition and is too lazy to write a better and more secure OS. Instead Microsoft forces more and more ridiculous crap onto their users.
RedFlames 15th May 2017, 19:51
Quote:
Originally Posted by Mr_Mistoffelees
It is the end user's responsibility to update.

It is not Microsoft's fault that much of the NHS and many other organisations, are still running a 16 year old OS and/or didn't install the patch.

And people wonder why MS forced automatic updates on everyone.
N17 dizzi 15th May 2017, 20:05
Quote:
Originally Posted by Gareth Halfacree
Yes, exactly that. Which, incidentally, goes directly against the Vulnerability Equities Process (VEP) introduced by the Obama administration which requires all government agencies to share discovered vulnerabilities with vendors unless they can successfully argue for a temporary stay (such as "we're actively using this in an ongoing investigation which is due to wrap up on the 15th of November," rather than "we might need this in the future so we're keeping it to ourselves.")

What repercussions will the NSA face? My guess would be none, except measures to keep the vulnerabilities the staff are employed to find more secure.
Chicken76 15th May 2017, 20:38
Is there a tool I can point at my machines to see which are vulnerable through the network?
wolfticket 15th May 2017, 23:11
Air gap your backups people.
jrs77 16th May 2017, 07:58
Quote:
Originally Posted by wolfticket
Air gap your backups people.

Who doesn't?
DriftCarl 16th May 2017, 08:01
Well the good news is I freed up loads of room on my virtual image backup server, since I could argue that it would be a pain to patch them all up and we don't really need them anymore, so they are deleted and I have now freed up a few TB of space :)
Corky42 16th May 2017, 08:43
Quote:
Originally Posted by RedFlames
And people wonder why MS forced automatic updates on everyone.

Not everyone, only home users really as most other versions allow the deferral of updates.

Oddly enough it seems home users were the least affected or probably the least reported.
N17 dizzi 16th May 2017, 12:07
Quote:
Originally Posted by wolfticket
Air gap your backups people.

You mean backups that are isolated from your system, or levitate them using high powered fans? I do both anyway, who doesn't.
MLyons@BOXFX 16th May 2017, 16:14
Quote:
Originally Posted by Chicken76
Is there a tool I can point at my machines to see which are vulnerable through the network?

I believe there is a script for nmap and a module for metasploit.
MLyons@BOXFX 16th May 2017, 16:15
Quote:
Originally Posted by jrs77
Who doesn't?

Anfield 17th May 2017, 19:18
Quote:
More NSA secrets are going to leak this summer, claim The Shadow Brokers. The hacking group says more tools from the US spy agency have been stolen and it's going to set up a monthly subscription model for accessing security exploits.

The group is known for its recent role in the WannaCrypt ransomware situation. Although it doesn't appear responsible for spreading the malware, it did publish the exploit that enabled it.

Among the things The Shadow Brokers will offer are banking data from SWIFT, newer Windows 10 exploits, and even network data from "Russian, Chinese, Iranian or North Korean" nuclear and missile programs.

http://www.nextpowerup.com/news/36028/the-shadow-brokers-claim-more-leaks-are-coming/
supermuchurios 17th May 2017, 20:08
Quote:
Originally Posted by jrs77
Another excellent reason to drop Windows and go with Linux. MacOS would be another better option as it has all the professional software available.

Let's face it. Microsoft is the target #1 for any attacks like this. It's used by 90+ percent of all PC users including business and most of the users are too stoopid to prevent things like that from happening, be it by not updating, not running antivirus, clicking on every link without thinking twice, etc, etc

Sure, the NSA is partly to blame in this particular scenario, if they withheld critical information about this specific issue and they should be held accountable in part, but the main reason for this issue is that Microsoft doesn't have any competition and is too lazy to write a better and more secure OS. Instead Microsoft forces more and more ridiculous crap onto their users.

But Linux is a ballache to use and is not compatible with Planet Earth.
jrs77 17th May 2017, 20:47
Quote:
Originally Posted by supermuchurios
But Linux is a ballache to use and is not compatible with Planet Earth.

Linux is totally fine for 95% of the people and how they use their PCs. Surfing the web, consuming media, doing office stuff, some photo manipulation... all possible on all major Linux distributions out of the box.

However, the biggest problem, which I'm not getting tired of stating, is its lack of professional software. All the industry-standards in graphics, audio and video are not available for Linux and that's the actual reason why it'll never see widespread use. Not to forget about most of the games not being released for Linux as well.

But it's not at all a ballache to use. It's actually a very good experience nowadays.
liratheal 17th May 2017, 23:15
Sooo..

Has anyone looked at the exploits already dumped by TSB?

There's Linux stuff in there too. Mac OS isn't going to be far behind. It's a fallacy to suggest that any one OS is intrinsically more secure than another, or that security through obscurity is in any way a good thing.

The decision to cease the support contract is what made the NHS vulnerable to this, it's precisely the fault of that decision that their vast XP network was unpatched. I suspect replacing XP isn't financially viable, I'd wager that communication with their scanning equipment (x-ray, CT, MRI) is involved. Replacing a PC is likely doable. Replacing an MRI machine, probably not as much.
wolfticket 18th May 2017, 02:55
I would suspect the really clever/ugly/dark/dangerous stuff the NSA et al have come up with ignores Windows altogether. Attacking out of date Windows PCs is (relatively speaking) like shooting fish in a barrel.
Nuclear Centrifuges don't run XP.
If other things like that are in the wild I wouldn't get too comfortable just because one runs Linux.
liratheal 18th May 2017, 08:05
Basically, if the NSA's targets use it, there's likely to be an exploit for it somewhere in these toolsets.

If TSB aren't bullshitting, their next releases may cover mobile devices, current OS versions, and so on. Basically, batten down the hatches, it's probably going to get worse.
Corky42 18th May 2017, 08:12
Quote:
Originally Posted by Anfield
Quote:
and even network data from "Russian, Chinese, Iranian or North Korean" nuclear and missile programs.

North Korea seems an odd one as there's speculation TSB are North Korean and based on their use of the English language such speculation seems plausible.
liratheal 18th May 2017, 12:32
Quote:
Originally Posted by Corky42
North Korea seems an odd one as there's speculation TSB are North Korean and based on their use of the English language such speculation seems plausible.

From what I've seen of their posts, I'm not sure the shitty grammar isn't deliberate. Even accidentally they should get more right than they do.