WannaCry’s Kill Switch won’t work for proxy users. Patch now.

Posted by:

News reports published this Monday morning claim the WannaCry ransomware worm managed to spread to 150 countries, with 200,000 computers successfully attacked.

The attackers, according to their Bitcoin accounts, seemed to have raked in  an initial fee of $300 to decrypt the files being held for ransom, but that is set to double in three days. 

Whatever they end up with (and here’s hoping it’s a criminal record) it seems like a measly return considering the impact this ransomware worm had.

Organizations who were suffered at the hands of WannaCry include at least 16 hospitals in the United Kingdom that needed to diverting patients and rescheduling proceduresTelefonica in Spain who demanded employees turn off their computers to stem the spread, and FedEx said they suffered “interferrence” (I am sure they did!).

It has been a long time since we’ve seen such a disruptive threat spread with such fierce speed – a reminder of Conficker, SQL Slammer and The Love Bug.

Microsoft, who issued a patch that rendered this threat harmless almost *two* months prior to this last weekend’s outbreak, did the responsible thing when WannaCry reared up and created patches for retired no-longer supported systems like Windows XP in order to protect those running older systems.

In this Microsoft blog post, Brad Smith, Microsoft Chief Legal Officer writes “WannaCrypt attack is a wake-up call for all of us.”

We agree. But let’s step back a bit.

Many of you want to know what makes this WannaCry ransomware such a big deal? It comes down to how it spreads. Its main deployment vector is Microsoft’s MS17-010 vulnerability in SMB. The exploits used in the WannaCrypt attack were “drawn from the exploits stolen” from the NSA, according to Microsoft, during the NSA theft in April.

Here’s how it works. Once a host computer is infected and in the process of having zillions of its files encrypted, the malware scans the local network for other machines with SMB connections available, and attempts to exploit the vulnerability and launch a copy of itself of each on new system encountered.

WannaCry also spawns a number of processes which start probing the internet, trying random IP addresses in hopes of finding more vulnerable systems and spreading to them too. This is why it spread so darn quickly. 

Another hot issue is around the “so-called” kill switch. Many people think that this means the threat is gone. They are wrong.

The kill switch could have been intended by the authors as a way for them to disable the malware at will, but it seems more likely to me that it was designed to defeat simple analysis by malware-hunters.

Updated 5/15: Multiple security researchers have claimed that there are more samples of WannaCry out there, with different ‘kill-switch’ domains and without any kill-switch function, continuing to infect unpatched computers worldwide.

Security researchers regularly make use of secure systems with a “bogus” internet connection to monitor and analyze malware samples – such systems are often designed to respond to requests for any web address, whether or not it exists on the real internet.

However, the activation of the “kill switch” does NOT mean that WannaCry is no longer a danger.  Didier Stevens quickly spotted that the attempt to visit the URL will fail if the compromised machine accesses the internet via a proxy. Most computers inside a business network connect via a proxy, so those behind a proxy can still get infected.

On top of that, security researchers around the world have their eyes peeled for new variants of this worm

TBG Security advice

We urge all organisations to ensure that Microsoft Security Bulletin MS17-010 patch is installed across the networks and have proper and accessible back up procedures. For updates, refer to US-CERT Alert TA-17-132A.

All Windows computers that have not installed the Critical Microsoft Security Bulletin MS17-010, issued in March 2017, are vulnerable. Now, most Windows home users have auto-update enabled by default, which means they would not be vulnerable to this WannaCry ransomware threat.

However, organizations that had not yet installed the patch on their Windows network were acutely vulnerable to it, even after the kill switch was inadvertently triggered.

Firewalls blocking SMB traffic on port 445 should provide protection against the main known infection method, but it’s likely that other methods (such as spam and phishing campaigns) are involved. Once a single machine inside the network is compromised, WannaCry will attempt to spread the infection internally. Besides, it not a great idea to open SMB connections accessible from outside the network. While perhaps more convenient in some instances, it permit threats like WannaCry to gain a foothold in a network.

So patch those systems, folks. And, as Brad Smith of Microsoft says, let this be a wake up call, but we direct it to those organizations who’re working with too little IT security resources. Regular system monitoring, penetration testing and patching is a necessity when it comes to lowering your risk posture. If you don’t have a CISO on staff, consider getting a CISO on demand.  If you stretch your IT resources too thinly, patching can be one of the first tasks to be put in the back burner. What is increasingly needed is an offensive approach, like that of our Red Team Services, to cybersecurity. 

This is a great time to plan your security review to ensure your organization doesn’t fall victim to these nasty attacks. TBG Security are here to help if you get stuck or need some expert advice.

 

0
  Related Posts