In a twist of irony, the global spread of WannaCry, the malware that recently attacked the NHS, was caused by spying tools leaked from the US’ National Security Agency (NSA).
Highly infectious, WannaCry (also known as WannaCryptor and WCry) spread to at least 150 countries within a few hours. According to antivirus company, Avast, it took less than 24 hours to infect more than 100,000 Windows systems, 57% of them in Russia. Besides the NHS, its other high-profile victims included Telefonica, Santander, FedEx, Vodafone and Renault.
Many organisations were forced to shut down systems and even production sites to prevent the spread of the virus, and the NHS was virtually paralysed by the attack, postponing operations and cancelling thousands of appointments at over 48 hospitals, medical centres and GP surgeries. Six hospitals were still experiencing difficulties the following day and diverting emergencies as a result.
Exploiting Windows SMB Vulnerabilities
WannaCry infects systems which operate on a vulnerable Windows Server and SMB (Server Message Block). It is spread using software the NSA had developed to spy with and which was stolen by a hacking group called the Shadow Brokers who then leaked it on the internet.
It uses the same basic methods as most other ransomware, by getting users to open an attachment in an email, e.g. a Word document, PDF, image, etc. Once opened, the malware installs itself and a ransom request is shown on the screen asking for around £230 in Bitcoins to restore access.
Because of the success of WannaCry, it is believed that other ransomware, such as the infamous Locky, will use the same leaked technology to improve their ability to infect and spread on a larger scale.
The Mechanics of the Infection
The programs developed by the NSA to exploit the vulnerabilities in SMB are known as EternalBlue, EternalChampion, EternalSynergy and EternalRomance. Together, they are known as the FuzzBunch kit. These programs load a backdoor implant tool, called DoublePulsar, on to a compromised system, enabling attackers to load other malware.
WannaCry’s authors have obviously used this mechanism to accelerate the spread of their strain. The infection uses EternalBlue and DoublePulsar to execute remote commands through Samba (SMB) in order to distribute ransomware to other machines on the same network.
WannaCry Preying on Windows XP
It is no surprise that cybercriminals are finding a use for these government developed, ultra-advanced hacking tools. According to Recorded Future, a US company specialising in threat intelligence, Chinese and Russian hackers had begun studying the malware leaked by Shadow Brokers with a particular interest in exploits that targeted SMB vulnerabilities.
“We’re talking about very sophisticated techniques and tools that are generally beyond the reach of the underground community”, said Levi Gundert, Vice President of Intelligence and Strategy at Recorded Future
Microsoft had already patched the vulnerabilities exploited by these tools in March 2017. However, according to Recorded Future, Chinese hackers were not totally convinced of the solidity of these patches. Attack still remains a possibility against non-patched systems and against OS versions that are no longer supported by Microsoft.
This is a problem for the NHS, where 5% of their machines still use Windows XP. They are not the only ones at risk, however: many media industry organisations and a multitude of others all rely on applications which need this legacy OS to run. The problem is that XP is so old that it no longer supported by Microsoft and so doesn’t get patches or updates.
WannaCry stopped … by a stroke of luck
In response to the WannaCry emergency, Microsoft took the unusual step of releasing patches for SMB flaws on Windows XP (including embedded version of SP3), Windows Server 2003 and Windows 8. In this attack, Windows 10 has remained unscathed, however, Microsoft expects that the threat will evolve and eventually bypass Windows 10’s first line of defence. It, therefore, recommends disabling SMB on the network, if possible.
Thanks to a stroke of luck, WannaCry is in temporary decline. A security researcher, known only as MalwareTech, accidentally stopped the malware spreading by registering a domain appearing in its code. This blocked the execution of WannaCry and stopped its broadcast. According to MalwareTech, the domain he registered was a security feature devised WannaCry’s developers to prevent it being analysed by security systems.
Unfortunately, malware developers can easily modify WannaCry to get around this pitfall. In fact, within 24 hours of the first attack ending, Costin Raiu, Director of research and analysis team at Kaspersky Lab, identified the release of new versions no longer hampered by MalwareTech operations. The WannaCry threat is, therefore, back out in cyberspace and looking for its next set of victims.
All Clear at eUKhost
At eUKhost, we found no evidence of infection on any of our Windows servers. However, we remain fully vigilant and have taken the preemptive step of patching all managed servers that are potentially vulnerable, in order to protect them from this exploit.
If you manage your own servers and use Windows OS, we strongly recommend that you check and make sure you have the latest Windows patches installed.
We urge all of you the check your desktop / laptop operating system to make sure that they are also patched and fully up to date.
For further information please read the following status update:
If you have any questions, please don’t hesitate to contact our 24x 7 support team.