After a weekend filled with headlines attempting to outdo one another in terrifying the general public with descriptions of the cyber apocalypse, a depressingly familiar story is emerging.
The WanaCrypt0r (more appropriately shortened to WannaCry) ransomware “attack” has been efficiently doing exactly what it was designed to do, encrypting the files on every drive it can reach and displaying an incongruously jolly splash screen to let the unfortunate user know where to send their bitcoins in exchange for getting their data back.
So far, so normal. As we all know, ransomware is a persistent pest (persistent in the sense that it’s unlikely to go away while it remains so easy to use), and not a day passes without hundreds of machines in homes and offices up and down the country displaying a variation of the dreaded “your money or your data” screen, leading to the inevitable calls to the support desk, or to me if you happen to be my dad, who, of course, “didn’t click on anything, or open any emails”.
The thing that makes this version of ransomware particularly nasty is that it comes packaged with a free gift – a worm component built on the EternalBlue exploit, originally developed by the NSA and released into the wild by the Shadow Brokers hacker group in April this year.
EternalBlue exploits a flaw in the SMBv1 file-sharing service built into Windows, the one Microsoft fixed in its MS17-010 bulletin. Once the worm lands on a machine, it uses the exploit to copy itself to any other machine it can reach on SMB, and inside a typical corporate network that is every machine. SMB runs over TCP port 445 and is perfectly routable on the internet; most ISPs and perimeter firewalls block it, which is why the spread inside networks was so much faster than the spread between them, but machines with port 445 open to the internet were infected directly. Luckily, Microsoft released the patch in March this year. Unluckily, many people have not applied it, or are running obsolete versions of Windows (Vista, XP) which no longer receive security updates.
At time of writing, Microsoft have taken the very unusual step of releasing patches for XP, Windows 8 and Server 2003 to protect those machines still running an out-of-support OS, and, more importantly, to shrink the pool of unpatched machines from which the worm can reach current operating systems.
Similarly, anti-virus and application-aware firewall vendors have been scrambling to analyse the malware and release signatures to block it, with the majority of systems now able to do so at the perimeter. That is welcome, but a signature only catches the variants it was written for; the patch, and blocking SMB (TCP 445) wherever it isn’t needed, stop the whole class.
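The practical check that follows from the above is whether a given Windows host has the MS17-010 fix and whether SMBv1 is still switched on. The script below is an added example, not code from the original post or from SecureLink. It assumes Windows 8 / Server 2012 or later for the SMB and firewall cmdlets (falling back to the registry switch on older hosts), and its KB list is a partial list of the MS17-010 packages, labelled in the comments; on Windows 10 later cumulative updates supersede the March packages, so a missing KB there is not proof the host is unpatched.

```powershell
# Added example (not from the original post): check a Windows host for the
# two things that actually stop EternalBlue/WannaCry reaching it, and
# remediate if asked. Assumes Windows 8 / Server 2012 or later for
# Get-SmbServerConfiguration and the NetSecurity cmdlets; older hosts fall
# back to the LanmanServer registry value. The KB list is partial (see lead-in).
[CmdletBinding()]
param(
    [switch]$Remediate
)

$ms17010Kbs = @(
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012598'                # Vista / Server 2008, and the May 2017 release for XP / 8 / Server 2003
)

function Test-Ms17010Installed {
    # Returns the KB IDs from the list that are present on this host.
    Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
}

function Get-Smb1State {
    # Server-side SMBv1 state. Get-SmbServerConfiguration exists on Windows 8 /
    # Server 2012 and later; on Windows 7 / 2008 R2 the switch is the
    # LanmanServer\Parameters\SMB1 registry value (absent means enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val -or $val -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    }
    # Windows 10 / Server 2016 also ship SMBv1 as an optional feature; removing it
    # covers the client side too. Takes effect after a reboot.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
    }
}

function Add-Smb445BlockRule {
    # Belt and braces for laptops that leave the office: block inbound 445 on
    # public-profile networks only. Do not apply this to file servers.
    $name = 'Block inbound SMB (public)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public -Action Block | Out-Null
    }
}

$installed = @(Test-Ms17010Installed)
$smb1On    = Get-Smb1State

"MS17-010 KBs found  : $(if ($installed) { $installed -join ', ' } else { 'none from list' })"
"SMBv1 server enabled: $smb1On"

if ($Remediate) {
    if ($smb1On) { Disable-Smb1; 'SMBv1 disabled (reboot to complete).' }
    Add-Smb445BlockRule
    'Inbound TCP 445 blocked on public-profile networks.'
} elseif ($smb1On -or -not $installed) {
    'Host looks exposed: apply MS17-010 (or a later cumulative update) and disable SMBv1; re-run with -Remediate to disable SMBv1 and add the firewall rule.'
}
```

Run it from an elevated PowerShell prompt; without `-Remediate` it only reports. Disabling SMBv1 breaks anything that still depends on it (old NAS boxes, some multifunction printers scanning to a share), so test on a representative machine first, which is, of course, exactly the change-window problem the rest of this post is about.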
It’s a problem which would not have happened if Windows systems had been patched prior to the malware being released into the wild (and by “released” I mean however the first machines were infected: disguised attachments and dodgy URLs are the usual route, though in this case a great many machines were simply hit directly over SMB exposed to the internet), and it’s easy to point the finger at slow-moving corporates and unaware home users ignoring prompts to apply patches and reboot, but it’s not as simple as that.
I spent many years working in teams whose job it was to make sure the infrastructure at our company was up to date with vendor patches and running the latest versions of AV with current signatures. I must admit that we never achieved it. Production systems can’t just be taken down or rebooted – change windows can be few and far between, and when there is a choice between losing uptime, and therefore probably money, and doing what the guys in IT tell you to, it’s rarely the sysadmins who win. Similarly, it’s easy, in my business, to roll our eyes at people still running Windows XP – the implication being that they deserve everything they get. Do we really believe that those people want to be running an obsolete, unsupported version of an OS? Of course they don’t – they are using it because they can’t migrate away. Perhaps they have bespoke software which they have never had the time or money to change, or more likely the provider hasn’t replaced it with a modern version, or maybe it’s an embedded system which simply can’t be upgraded without replacing the associated very expensive lump of industrial machinery it’s attached to.
I was part of a response team in 2003 when the SQL Slammer worm hit companies throughout the world, long before ransomware was a thing – it was a denial of service attack which brought LANs and WANs to a standstill, with SQL servers and PCs running MSDE compromised by a buffer overflow and turning into packet-spewing zombies. Guess what? Microsoft had released a patch to close the vulnerability in SQL Server more than 6 months earlier. That didn’t stop tens of thousands of machines getting rendered unusable and my team and me spending 72 hours flying around the country with boot disks re-imaging every machine in the company.
I would have loved to have been up to date on my patches, believe me, but a combination of elongated notice periods for production changes, regression testing and the required lab work meant that it just wasn’t possible, and even when we got the go-ahead to take the systems down and do some maintenance, it would often be cancelled at the last minute due to a batch over-run or a critical business requirement.
You may remember that Windows 10 was launched without the ability to turn off critical patch updates. Microsoft came under so much pressure and suffered such an outcry from businesses who said they simply wouldn’t adopt the new OS unless they could control updates, that they capitulated (for the Pro and Enterprise editions at least), and now we can have a nice unpatched version of Windows 10 just like we wanted.
Following the Slammer debacle, which, compared to the WannaCry damage, was trivial, a lot of navel gazing ensued and the company I was at, and those my colleagues and friends supported, all agreed that this couldn’t happen again, and IT security patches must be given dedicated change windows and the full support of the business. I recall it took about 3 months for the first cancellation of a maintenance window due to business priorities, and a year later we were 6 months behind again.
As always, then, this is not simply a technical problem. We must address the people, process AND technology elements of modern malware challenges and get teams, priorities and business drivers aligned. We need to make sure that senior managers are apprised, in business terms, of the risks they face by not prioritising systems patching, and this isn’t a technical conversation – it’s a business conversation.
Every time a large cyber incident happens, I hope that we will all truly learn the lessons, and perhaps the scale and press coverage of WannaCry is exactly what we needed to focus everyone’s attention and truly try and do it differently from now on.
In the meantime, and this is pure speculation on my part, I suspect that somewhere in the world a couple of very scared teenagers are waiting for their mum to call them to the door to talk to the army of policemen who “want a word”. I don’t imagine they set out to launch a “worldwide cyber attack”, but they did, at least, remind us again of just how vulnerable we are.
By: Ade Taylor, Technical Director, SecureLink UK