Well, here we are, as all members of the InfoSec community warned. The perfect storm of conditions has led to the largest ransomware attack in history. Over the weekend, according to The Hacker News, 99 countries and 200,000+ machines came under attack from WannaCry (as well as offshoots of it like WanaCrypt0r 2.0). This ransomware is based on the code in the leaked NSA malware that I reported on and discussed in an extensive interview on TechGenix Xtreme.
WannaCry uses the DoublePulsar malware to download the EternalBlue exploit (patched a month ago), which enters a system through an exploitable flaw in SMB on port 445. Upon infection, WannaCry acts as a worm: it quickly burrows into the machine and then infects any other vulnerable devices on the network. Once the machine is locked, the hackers (possibly based in Russia, but proxy servers make it difficult to pinpoint definitive locations) demanded, according to Threatpost, roughly $600 worth of Bitcoin as ransom to unlock it.
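The worm behaviour described above, one infected host reaching out to many neighbours on port 445, leaves a recognisable pattern in network flow logs. The following is an added example, not code from the original article: it parses a few constructed flow-log lines and flags any source that contacts an unusually high number of distinct hosts on TCP/445 within a short window, plus any connection to 445 arriving from outside the private address ranges (an SMB service exposed to the Internet). The log format, the window and the threshold are assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow-log lines (assumed format):
# "<ISO timestamp> <src_ip> <dst_ip> <proto> <dst_port>"
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.0.5 10.0.0.10 tcp 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.11 tcp 445
2017-05-12T10:00:02 10.0.0.5 10.0.0.12 tcp 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.13 tcp 445
2017-05-12T10:00:03 10.0.0.5 10.0.0.14 tcp 445
2017-05-12T10:00:04 10.0.0.5 10.0.0.15 tcp 445
2017-05-12T10:00:09 10.0.0.7 10.0.0.8 tcp 445
2017-05-12T10:00:10 10.0.0.7 10.0.0.9 tcp 80
2017-05-12T10:00:15 203.0.113.9 10.0.0.20 tcp 445
"""

# RFC 1918 ranges; anything outside them is treated as external (assumption).
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_flows(text):
    """Parse log lines into (timestamp, src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, proto, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, proto, int(port)))
    return flows

def smb_fanout_sources(flows, window=timedelta(seconds=60), threshold=5):
    """Sources that reach >= threshold distinct hosts on TCP/445 inside one window."""
    first_seen, targets = {}, defaultdict(set)
    for ts, src, dst, proto, port in sorted(flows):
        if proto != "tcp" or port != 445:
            continue
        start = first_seen.setdefault(src, ts)
        if ts - start > window:          # window expired: start counting afresh
            first_seen[src], targets[src] = ts, set()
        targets[src].add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= threshold)

def external_smb_sources(flows):
    """Non-RFC1918 sources reaching TCP/445, i.e. SMB exposed to the Internet."""
    return sorted({src for _, src, _, proto, port in flows
                   if proto == "tcp" and port == 445
                   and not any(ipaddress.ip_address(src) in n for n in INTERNAL)})

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    print("worm-like fan-out:", smb_fanout_sources(flows))    # ['10.0.0.5']
    print("Internet-facing SMB:", external_smb_sources(flows))  # ['203.0.113.9']
```

Either finding is a reason to check that the host is patched and that SMB is not reachable from outside the network.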
As this was the largest ransomware incident to date, the media went insane and proceeded to report with frantic updates. Cybersecurity firms did their best to help the infected, and Microsoft released an emergency patch for Windows XP and Windows 8 (the most affected operating systems), as well as Server 2003 and 2008, that somewhat stopped the bleeding.
Per the patch report, Microsoft states:
“Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers… we are taking the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only”
The major points to take away from the incident are frustrating ones, as they were all a result of preventable issues.
The NHS, for example, was hit hard because it was still running an archaic, unpatched operating system (Windows XP). The U.K. government chose to ignore countless reports of the dangers of this, reports such as my own, and instead left the patients in its care at risk when administrators were locked out of vital patient data.
Tying into this, the vast number of systems still running archaic Microsoft operating systems is a testament to how ill-informed businesses and the general public are regarding updates. As I stated in my NHS article, the number of attack vectors that hackers can leverage in an old OS like XP is beyond description. An obsolete OS, no matter what part of the globe or what industry it is deployed in, is bound to come under attack with ease. An unpatched old OS is a hacker's playground; it is what black hats live for and what white hats dread.
This was no ordinary ransomware attack, however, as this was ransomware developed with malicious code found in leaked NSA malware. The NSA, in addition to previously hoarding exploits (much like the CIA) instead of telling companies about them, decided to create powerful malware that allowed them access to any system around the world. The NSA’s recklessness is, without a doubt, the most defiant display of arrogance. To think that they are above the laws of cybersecurity, and as such, able to endanger the entire world to nation-state and criminal threats alike is reprehensible.
Also reprehensible are other government agencies, like the U.K.'s GCHQ, that sought exploits from their American allies. Really, the world's governments, by allowing dangerous malware development and by failing to protect their vital systems through OS updates and public education on InfoSec, should bear the brunt of the blame. If it were not for them, opportunistic ransomware developers would not have been able to spread powerful malicious code on the Dark Web. Black hats looking to turn a quick profit, no matter whether actual lives were endangered (as was the case with the NHS infection), went on to obtain that code and create WannaCry (which has now been updated in response to the most recent patches).
Since these attacks have garnered so much attention from the media, more than any ransomware attack in the past, it is more important than ever that the InfoSec community makes its voice heard. We have to make sure, more than ever, that we get the news out about patches, vulnerabilities, and other security issues so that it isn’t just the IT world that knows about it. We have to push for major media outlets to report on these issues more efficiently and much more frequently. WannaCry can be a wake-up call to the global community that they have not taken cybersecurity as seriously as they should have. We must make it our mission more than ever before, especially since The Hacker News reports “even after WannaCry made headlines all over the Internet and media, there are still hundreds of thousands of unpatched systems easily available open to the Internet.”
This is only one part of it. As I have been alluding to throughout this article, world governments, especially Western nations with powerful reconnaissance programs, are endangering the world. This is no surprise if you look at the history of these organizations, from their proxy wars and coups to rigging elections and performing extrajudicial assassinations. Now they (the NSA, the CIA, and many more) have moved their dangerous actions to the cyber battlefield. I realize that many in the InfoSec world have dealings with governments, and that they pay us for bug bounties and penetration tests. This cannot deter us from our mission as cybersecurity professionals; that mission is to protect the global populace from security breaches.
We must make it our goal to force the hand of nation-state entities to comply with the same laws civilians are required to, and call for independent judicial entities to punish all who violate such laws. Those who lead us must work for the people and protect the people, not endanger us. The time for political neutrality is over. This is our rallying cry; this is our line in the sand.
The mass media-induced panic that resulted from WannaCry was not helpful: it distracted people from calmly working out how to respond and how we got to this point. Now that things have somewhat calmed, although there have been reports of WannaCry 2.0 being a threat (it is immune to the "killswitch" that slowed version 1.0), it seems that many are still in the dark about how to defend against this infection and how to prevent similar attacks in the future.
This time, we cannot sit on the sidelines and allow it to happen again.
Photo credit: Christoph Scholz/flickr