With all of the concern this week regarding "WannaCry" ransomware, we decided to deviate from our standard Tips and Insights to explain what is happening and our view on the situation and its root causes.
“WannaCry” is the security story of the moment, and, hopefully, the year. There's a lot of the year left, but this worm has already caused an impressive amount of damage. Thankfully, due to the quick actions of a malware researcher in the UK registering a kill switch domain, the worm was shut down just as it was getting started. Were it not for those quick actions, combined with limited exposure of SMB shares directly to the Internet, this attack could have taken off like “Code Red” or “Slammer.”
There's no shortage of action and drama surrounding this attack. Based on the ETERNALBLUE code believed to be stolen from the NSA, this worm ripped across the globe. Despite the significant amounts of damage done, the attack appears to have only netted the attackers about 70k USD, far less revenue than the damage done. At first it was apparently a simple, though incredibly aggressive, crypto malware worm; some now believe that WannaCry originates in North Korea.
Researchers investigating WannaCry have also discovered another implied threat, far less destructive and aggressive. This worm, “Adylkuzz,” infected machines and joined them into a botnet dedicated to mining cryptocurrency. Investigation shows that it has been active since at least May 2nd. Thankfully, it disabled the SMB service on the machines that it compromised, thus preventing other attacks if the machine is not rebooted. Were it not for “Adylkuzz,” WannaCry would have found more hosts and spread much more rapidly. There are some signs that it may be possible to decrypt Windows XP systems that were encrypted by WannaCry. Hopefully, other vulnerabilities in the application itself may be discovered over time.
With all this excitement, it's easy to overlook the causes of this threat to the safety of the Internet. The NSA, as well as similar agencies in other governments and the independent contractors that support them, have vast collections of unknown and unpatched exploits that are used to infiltrate their subjects of interest. These offensive weapons stockpiles represent significant risks for Internet users, public, private and corporate.
Despite the arrogant NOBUS "NObody But US" terminology, there are many very capable exploit hunters working for different governments and private entities. The NSA themselves are believed to have informed Microsoft of this vulnerability once they understood it was compromised. Earlier this year, the CIA lost a substantial cache of documents and tools in the Vault 7 release, which is still ongoing on WikiLeaks. We've written before about how to mitigate one of these attacks. Back in July 2015, the compromise of hacking software vendor Hacking Team leaked another large stockpile of weaponized exploits onto the Internet. These exploits were also repurposed by malware authors shortly after that.
A far better approach would be for government departments to release exploits to vendors after a brief period of use. This would reduce the number of vulnerable systems on the Internet to everyone's benefit while still permitting government exploitation. Microsoft is asking for governments to responsibly report vulnerabilities before they are used against the public.
As Microsoft says, "An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. The governments of the world should treat this attack as a wake-up call; they need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world." I couldn't agree more: the less vulnerable code and the fewer vulnerable systems there are, the better off we all are for it. This shouldn't impede vulnerability research, however; that is another complex subject for an even longer blog post.