As I have noted in the past, it is quite common for popular malware to be altered by other malicious coders. This can mean that the original code is expanded upon, or that copycat viruses appear that mimic the original threat. Security researchers are noticing this trend with ransomware, especially with copycats of the infamous WannaCry. Not only is the original WannaCry still a threat, but security teams at major companies in particular have to contend with WannaCry copycats as well.
The most recent example of this is an attack on LG service centers in South Korea. As Shin Ji-Hye reported in The Korea Herald, LG's “service centers were attacked by ransomware” and as a result “the firm reported the case to the state-run Korea Internet & Security Agency (KISA) that day, after halting use of the devices.”
The official statement of LG indicated that no sensitive data was compromised, nor was there any major encryption and subsequent ransom request from the attackers. What raised the concern about WannaCry copycats was the investigation carried out by the Korea Internet & Security Agency.
In a statement to Korean media, KISA stated the following:
We found that samples of the malicious code (found in LG’s kiosks) were identical to the WannaCry ransomware attack. More investigation is still needed to determine the exact cause.
Security researchers may have a place to start, however, and it lies at the feet of LG's corporate hierarchy. What I mean by this is that, despite countless warnings to patch the vulnerabilities exploited by WannaCry, LG very well may not have done so. As Dean Ferrando, EMEA Manager at Tripwire, stated:
Reports suggest that the company had not applied all the security updates available from Microsoft. This highlights something that we already knew — many organizations are not good at applying software security updates.
I have tried to drill this point home time and again, as have many others in the InfoSec community, but large companies especially seem to have a hard time listening. More often than not, human error, above all other causes, is where security breaches originate.
It will be interesting to see what additional information KISA uncovers in its investigation. While the origin of the attack has not been determined, it is not impossible that the attack occurred on-site: these kiosks are self-service, and if the attacker was careful, no suspicion need have been raised. Of course, remote access cannot be ruled out either, and if it was in fact a remote attack, then LG has larger problems on its hands than just securing its kiosks.
Whatever the KISA investigation turns up, it is vital that companies take note of this incident and ensure that the common entry points for WannaCry copycats are secured. The biggest of these is SMB on TCP port 445. Beyond this, and it bears repeating since people still cannot follow proper security practice: patch your damn vulnerabilities!
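To make that advice concrete, here is an added example (my own script, not anything from LG, KISA or Tripwire) that audits a Windows kiosk for the exposures the WannaCry family relies on: the SMBv1 protocol, inbound TCP/445 reachable from the network, and the MS17-010 fix being absent. It assumes Windows 8 / Server 2012 or later (for the Get-Smb* and *NetFirewall* cmdlets), an elevated PowerShell session, and that you fill in the MS17-010 KB ids for your OS build, which the script leaves as a placeholder parameter. With -Remediate it also turns SMBv1 off and adds a blocking firewall rule.

```powershell
# Added example (not from the article): audit a Windows kiosk for the
# WannaCry-era exposures the article calls out: SMBv1 enabled, TCP/445
# reachable from the network, and the MS17-010 fix missing.
# Assumes Windows 8 / Server 2012 or later and an elevated session.
# Run with -Remediate to disable SMBv1 and add the firewall rule.
[CmdletBinding()]
param(
    [switch]$Remediate,
    # Placeholder: fill in the KB ids Microsoft lists for this OS build in
    # the MS17-010 bulletin; the script only warns when the list is empty.
    [string[]]$Ms17010Kbs = @()
)

$findings = @()

# 1. SMBv1 should be off on the server side; WannaCry spreads over SMBv1.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMBv1 server protocol is enabled'
    if ($Remediate) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# 2. Inbound TCP/445 should be blocked on a self-service kiosk, which has
#    no reason to serve file shares to the network.
$ruleName = 'Kiosk block inbound SMB 445'
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $rule) {
    $findings += 'No firewall rule blocking inbound TCP/445'
    if ($Remediate) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
}

# 3. Anything still listening on 445 is worth knowing about even with the
#    firewall rule in place (normally the System process when SMB is on).
$listeners = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
if ($listeners) {
    $pids = ($listeners.OwningProcess | Sort-Object -Unique) -join ', '
    $findings += "Port 445 is listening (PIDs: $pids)"
}

# 4. Patch check: is at least one of the MS17-010 updates installed?
if ($Ms17010Kbs.Count -eq 0) {
    Write-Warning 'No MS17-010 KB ids supplied; skipping the patch check.'
} else {
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    if (-not $installed) {
        $findings += "None of the MS17-010 updates ($($Ms17010Kbs -join ', ')) are installed"
    }
}

# Report. A clean kiosk prints a single line; otherwise one line per finding.
if ($findings.Count -eq 0) {
    Write-Output "$($env:COMPUTERNAME): no WannaCry-style SMB exposure found"
} else {
    Write-Output "$($env:COMPUTERNAME): $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it first without -Remediate across the kiosk fleet (for example through your existing remote-management tooling) to get a picture of how many devices still expose SMBv1 or port 445, then again with -Remediate once the change has been signed off. The patch check is deliberately conservative: it does nothing unless you give it the KB ids, because the right ids differ by Windows version and a wrong guess would produce a false "patched" result.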
Photo credit: Flickr / John Karakatsanis