Thursday, May 18th 2017

WannaCry: Its Origins, and Why Future Attacks may be Worse

WannaCry, the cryptographic ransomware that encrypted entire PCs and then demanded payment via Bitcoin to unlock them, is actually not a new piece of technology. Ransomware of this type has existed nearly as long as the cryptocurrency Bitcoin has. What made headlines was the pace with which it spread and the level of damage it caused to several facilities dependent on old, seldom-updated software (hospitals, for example). It's not a stretch to say this may be the first cyberattack directly attributable to a civilian death, though that has not been concluded yet, as we are still waiting for the dust to settle. What is clear, however, is WHY it spread so quickly, and it's quite simple really: many users don't keep their PCs up to date.
Indeed, the bug that WannaCry used to spread this rather old-school ransomware had been patched in Windows for about 2 months at the date of the outbreak. But many users were still not patched. To be clear, this is not just hospital equipment and the like that may be difficult to patch directly, but also end-user PCs that simply aren't patched due to user ignorance or outright laziness. That, as a cultural issue, can be fixed relatively easily (and to some degree already is with the push of Windows 10, which handles updates automatically for the user). But there is a more sinister twist to this story, one that indicates future outbreaks may be worse. The bug that enabled this to happen was leaked directly from the NSA, and had been known for much, much longer than the patch for it has existed. In other words, this bug had been stockpiled by the US government for use in cyberwarfare, and its leak caused this attack.

Let me play out a theoretical scenario, one not so far-fetched I would think. What if Microsoft had NOT had a patch ready at the time of this outbreak? What if the bug (which exists in the file sharing stack and leaves most Windows PCs vulnerable by default) was exposed and we had to wait a couple of days for a patch? What can you do to protect yourself then?

This seemingly nightmarish scenario is a good illustration of why stockpiling vulnerabilities in common software rather than reporting them is a bad practice rather than a good one. Of course, in the above situation, you could just turn your PC off until it all blows over, or turn off SMB1 file sharing in Windows (Google will help you here). Or, best of all, you could use a decent firewall setup that does NOT expose SMB ports to the internet (you can even block the ports in Windows Firewall; again, Google has the answers). But not all of us are power users. Most out there aren't, actually. A lot of users actually plug their computers directly into their modems. I know, because I've worked IT. I've seen it. And what about when someone finds a worse vulnerability, like one in the TCP/IP stack? What then? Do you unplug your computer from the internet entirely? OK, but who got infected first to tell you to do that? Someone had to take one for the team. Either way, the damage has been done, people.
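The two mitigations mentioned above (turning off SMB1 and keeping the SMB ports off the internet) can be checked and applied from an elevated PowerShell prompt. The script below is an added example, not part of the editorial and not Microsoft's own tooling; it uses only standard Windows cmdlets (available on Windows 8 / Server 2012 and later). The `$Ms17010Kb` value is a placeholder you must replace with the MS17-010 update id for your OS build, and the rule name `Block inbound SMB (Public)` is an assumed name chosen here.

```powershell
# Added example: report and reduce a Windows host's SMB exposure.
# Run as Administrator. Assumptions are marked inline.

param(
    # ASSUMPTION/PLACEHOLDER: replace with the MS17-010 KB id for this OS build.
    [string]$Ms17010Kb = 'KB-PLACEHOLDER'
)

function Get-SmbExposureReport {
    # 1. Is the SMB1 dialect still enabled on the server side?
    $smbServer = Get-SmbServerConfiguration
    $smb1Enabled = $smbServer.EnableSMB1Protocol

    # 2. Is the optional SMB1 feature (client + server components) installed?
    #    On Windows Server use Get-WindowsFeature FS-SMB1 instead.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $smb1FeatureState = if ($feature) { $feature.State } else { 'NotPresent' }

    # 3. Is anything listening on the SMB ports, and is there an enabled inbound block rule for 445?
    $listeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 139, 445 })
    $blockRules = @(Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '445' })

    # 4. Is the MS17-010 update present? (Placeholder id above must be replaced first.)
    $patched = [bool](Get-HotFix -Id $Ms17010Kb -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Smb1ServerEnabled = $smb1Enabled
        Smb1FeatureState  = $smb1FeatureState
        SmbListening      = ($listeners.Count -gt 0)
        Smb445BlockRule   = ($blockRules.Count -gt 0)
        Ms17010Installed  = $patched
    }
}

function Disable-SmbExposure {
    # Turn off SMB1 on the server side immediately (no reboot needed for this part)...
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # ...and remove the optional feature entirely (takes effect after the next reboot).
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

    # Block inbound SMB on the Public profile only: this covers the "PC plugged straight
    # into the modem" case while leaving Domain/Private LAN file sharing untouched.
    $ruleName = 'Block inbound SMB (Public)'   # assumed rule name
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName `
            -Direction Inbound -Protocol TCP -LocalPort 139, 445 `
            -Profile Public -Action Block | Out-Null
    }
}

# Report first; call Disable-SmbExposure only after reviewing the output.
Get-SmbExposureReport | Format-List
```

The report deliberately separates "SMB1 enabled" from "SMB ports reachable": a fully patched machine with SMB1 off can still expose port 445 to a hostile network, and a blocked port does nothing for a laptop that later joins a trusted LAN where the worm is already loose, so both controls plus the patch are needed.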

This is why the practice of stockpiling exploits has to stop. The US government (and others, for that matter) should report exploits, not store them as cyber weapons. As weapons of war, they are as likely to hurt us in the end as our enemies, and that makes them very bad weapons from the perspective of one of the first rules of warfare: don't hurt your own team.

Call me crazy, but that just seems like a weapon I'd rather not use. If a weapon hurts as many of your own team as your enemy, or even close to that number, it's time to retire that weapon. Of course, we aren't talking a literal injury or body count here, but the concept is the same. This is just a bad practice, and it needs to stop.

57 Comments on WannaCry: Its Origins, and Why Future Attacks may be Worse

#1
R-T-B
Notice: This is marked as an editorial, so treat it as such. This is not news and it may/may not make baby Jesus cry.
Posted on Reply
#2
Dj-ElectriC
Some people thrive on chaos. They will continue doing it
Posted on Reply
#3
RejZoR
What's funny is that people who were using any kind of worthy AV (not Windows Defender) were protected since February 2017 when most companies captured early strains.
Posted on Reply
#4
FordGT90Concept
"I go fast!1!11!1!"
This is why I wish John McAfee won POTUS. As the internet grows, attacks like this are going to become a near daily occurrence. Everyone needs to up their security game. More importantly, the internet itself has to change to counter cyber attacks.

As for government finding exploits and not talking about them: remember that the NSA likely used an exploit like this (or maybe this very one) to launch a successful cyber attack against Iran's centrifuges. No one got hurt and Iran's nuclear ambitions were hugely damaged/delayed. I think NSA should adopt a policy like Google's. If it finds an exploit, it gives itself some time to use it, then it notifies whoever can fix it (in this case Microsoft), and then it publishes a document detailing the exploit some time after that. NSA gets their covert tools and the holes get plugged (which helps the government too because there are a lot of Windows systems around).
Posted on Reply
#5
R-T-B
FordGT90Concept said:
As for government finding exploits and not talking about them: remember that the NSA likely used an exploit like this (or maybe this very one) to launch a successful cyber attack against Iran's centrifuges.
I might agree on that front but there was something very different about that exploit: It had nothing to do with networking. It targeted offline computers and was delivered via a USB stick to an offline network.

Obviously in that instance, care had been taken and the potential for network/internet abuse of that exploit was 0.

However, if it was a networkable worm (unclear on this) what would've happened had that been leaked? You know the answer. The NSA isn't a vault of security as of late.

It may not even have been an exploit for that matter. More likely, knowing that USB drivers are privileged, it was simply a modified USB stick. That's relatively trivial if you know firmware programming.
Posted on Reply
#6
Totally
RejZoR said:
What's funny is that people who were using any kind of worthy AV (not Windows Defender) were protected since February 2017 when most companies captured early strains.
Also, the only people who were affected were the ones who weren't up to date on patches. Pointing out choice of AV at this point is like discussing what dental dam to use after going at it raw. Pointing out which AV was being used is like telling a car owner who left all their doors unlocked with the keys in the ignition, and as a result had their car stolen, that people who were using x security system didn't get their car stolen.
Posted on Reply
#7
R-T-B
Totally said:
Also the only people who were affected were the ones who weren't up to date on patches.
Yep, and as I noted, that's a lot more than we'd like to think.
Posted on Reply
#8
FordGT90Concept
"I go fast!1!11!1!"
R-T-B said:
I might agree on that front but there was something very different about that exploit: It had nothing to do with networking. It targeted offline computers and was delivered via a USB stick to an offline network.

Obviously in that instance, care had been taken and the potential for network/internet abuse of that exploit was 0.

However, if it was a networkable worm (unclear on this) what would've happened had that been leaked? You know the answer. The NSA isn't a vault of security as of late.

It may not even have been an exploit for that matter. More likely, knowing that USB drivers are privileged, it was simply a modified USB stick. That's relatively trivial if you know firmware programming.
How do you think it infiltrated the facility in the first place? It attacked Windows (USB, RPC, Printer Sharing, fake shortcuts, JMicron/Realtek signed rootkit driver), then it silently infected devices on the network until it found Siemens Step 7 industrial control software.
Posted on Reply
#9
Evildead666
I don't think the NSA/CIA/GCHQ give a sh*t really.
If they could do this, and point the finger at the "Russkies" (or the next "Axis of Evil"), they would.

It's all fun and games for them (quite literally).

edit: Microsoft still haven't patched XP, have they?
Posted on Reply
#10
R-T-B
Evildead666 said:
Microsoft still haven't patched XP, have they?
They have, due to outcry.

FordGT90Concept said:
How do you think it infiltrated the facility in the first place? It attacked Windows (USB, RPC, Printer Sharing, fake shortcuts, JMicron/Realtek signed rootkit driver), then it silently infected devices on the network until it finds Siemens Step 7 industrial control software.
As mentioned, it infiltrated via infected USB hardware.
Posted on Reply
#11
DeathtoGnomes
Evildead666 said:
I don't think the NSA/CIA/GCHQ give a sh*t really.
If they could do this, and point the finger at the "Russkies" (or the next "Axis of Evil"), they would.

It's all fun and games for them (quite literally).

edit: Microsoft still haven't patched XP, have they?
Actually they did; the released patch made headline news since so many were shocked that m$ put forth an effort.

Can't say much since I'll be accused of m$ bashing...

On second thought, I don't give a shit. If m$ receives any bashing, it's prolly well deserved in one way or another, and maybe they might even step up a bit more often and fix exploits before they release them intentionally to the NSA/CIA/paying governments.
Posted on Reply
#12
Totally
DeathtoGnomes said:
Actually they did; the released patch made headline news since so many were shocked that m$ put forth an effort.

Can't say much since I'll be accused of m$ bashing...

On second thought, I don't give a shit. If m$ receives any bashing, it's prolly well deserved in one way or another, and maybe they might even step up a bit more often and fix exploits before they release them intentionally to the NSA/CIA/paying governments.
That's crazy talk. If they were really working with spy agencies, it'd be far easier for them to simply place a backdoor somewhere or write tailor-made software that defeats the OS security.
Posted on Reply
#13
Static~Charge
There is some hope:

Proposed PATCH Act forces U.S. snoops to quit hoarding code exploits
http://www.theregister.co.uk/2017/05/18/senate_introduces_patch_act_to_force_intel_agencies_to_fix_found_exploits/

Two U.S. senators have proposed a law limiting American intelligence agencies' secret stockpiles of vulnerabilities found in products.

The Protecting our Ability To Counter Hacking (PATCH) Act would set up a board chaired by a Department of Homeland Security (DHS) official to assess security flaws spies have found in code and hardware, and decide if manufacturers should be alerted to the bugs so they can be fixed for everyone.

Now all we have to do is get the pinheads in D.C. to pass the legislation into law....
Posted on Reply
#14
Totally
That law doesn't protect us, it protects them. This law just absolves them of any wrongdoing should this happen again.
Posted on Reply
#15
Static~Charge
I have to admit: Having a law is one thing; enforcing it is a different issue entirely....
Posted on Reply
#16
FordGT90Concept
"I go fast!1!11!1!"
Static~Charge said:
There is some hope:

Proposed PATCH Act forces U.S. snoops to quit hoarding code exploits
http://www.theregister.co.uk/2017/05/18/senate_introduces_patch_act_to_force_intel_agencies_to_fix_found_exploits/

Two U.S. senators have proposed a law limiting American intelligence agencies' secret stockpiles of vulnerabilities found in products.

The Protecting our Ability To Counter Hacking (PATCH) Act would set up a board chaired by a Department of Homeland Security (DHS) official to assess security flaws spies have found in code and hardware, and decide if manufacturers should be alerted to the bugs so they can be fixed for everyone.

Now all we have to do is get the pinheads in D.C. to pass the legislation into law....
I hope it passes, but I'm sure people in the intelligence oversight committee are going to do everything they can to stop it. At the same time, it doesn't go far enough: manufacturers should always be notified. Someone (with an inherent bias either towards notification or away from it) shouldn't be deciding which holes will deliberately be left open and which won't. Government needs a standard operating procedure where the manufacturer is always notified; it's just a matter of when.
Posted on Reply
#17
Totally
FordGT90Concept said:
I hope it passes, but I'm sure people in the intelligence oversight committee are going to do everything they can to stop it. At the same time, it doesn't go far enough: manufacturers should always be notified. Someone (with an inherent bias either towards notification or away from it) shouldn't be deciding which holes will deliberately be left open and which won't. Government needs a standard operating procedure where the manufacturer is always notified; it's just a matter of when.
The way I understood the law, they don't have to disclose any holes as long as they don't exceed a predetermined amount; when they do, they evaluate which ones to keep and which to disclose. Kind of like a kid with too many toys who has to figure out which toys they need to send to Goodwill in order to close the lid on the chest. Now what's stopping them from giving themselves a toy chest bigger than one they'll ever need?
Posted on Reply
#18
Caring1
R-T-B said:
As mentioned, it infiltrated via infected USB hardware.
They also have the ability to carry out over the air exploits on remote machines that are not connected, without physical access, so even unplugging from the net is by no means a protection.
Posted on Reply
#19
R-T-B
Caring1 said:
They also have the ability to carry out over the air exploits on remote machines that are not connected, without physical access, so even unplugging from the net is by no means a protection.
Bridging air gap networks typically relies on "sneaker net" (Infected media of some type).

That's what I was referring to.
Posted on Reply
#20
xkm1948
And some people still think the internet of things is a good idea. Yeah right, imagine all of your appliances are now turned into bricks and constantly reminding you that you need to pay to have them fixed. IoT is one of the stupidest ideas ever invented under the cloud computing BS. Take a look at Mother Nature as our best teacher. After billions of years of evolution, are species happily sharing genetic information? Hell no. Each individual species has built up its defenses to degrade foreign DNA as much as it can. Even your sweat contains trillions of RNase molecules that will degrade ANY RNA you may touch.

Getting everything onto the net is a horrible, horrible idea. It is just TNT waiting for a spark. Unfortunately the WannaCry situation showed us there is no shortage of such sparks.
Posted on Reply
#21
FordGT90Concept
"I go fast!1!11!1!"
That one attack that happened recently was conducted by leveraging IoT products (like internet-connected security cameras). IoT always was and always will be a terrible idea. Manufacturers creating updates is not likely in the first place, compound that with actually installing the updates (especially on IoT products where people assume it's perfectly safe by nature) and massive attacks are going to become increasingly commonplace.

At least there are intelligent enterprise routers out now that perform deep packet inspection to find and stop malicious activity. Systems like that need to be rolled out to all consumers, stopping widespread infections before they start.
Posted on Reply
#22
nem..
NSA trying to destroy Bitcoin and blaming North Korea :pimp:
Posted on Reply
#23
Frick
Fishfaced Nincompoop
DeathtoGnomes said:
Actually they did; the released patch made headline news since so many were shocked that m$ put forth an effort.

Can't say much since I'll be accused of m$ bashing...

On second thought, I don't give a shit. If m$ receives any bashing, it's prolly well deserved in one way or another, and maybe they might even step up a bit more often and fix exploits before they release them intentionally to the NSA/CIA/paying governments.
Bash MS all you want, but be correct and coherent.

Worth noting is how Windows 10 was/is not affected by the SMB spreading exploits.
Posted on Reply
#24
R-T-B
Frick said:
Worth noting is how Windows 10 was/is not affected by the SMB spreading exploits.
Incorrect. It was affected; the patch just got auto-applied on time. If you had updates disabled and used RTM, it was most certainly vulnerable.

nem.. said:
NSA trying to destroy Bitcoin and blaming North Korea :pimp:
Lol, no. Just no.


Totally said:
This law just absolves them of any wrongdoing should this happen again.
Not what the bill proposes.
Posted on Reply