
WannaCry: Its Origins, and Why Future Attacks may be Worse

Discussion in 'News' started by R-T-B, May 19, 2017.

  1. R-T-B

    WannaCry, the cryptographic ransomware that encrypted entire PCs and then demanded payment via Bitcoin to unlock them, is actually not a new piece of technology. Ransomware of this type has existed nearly as long as the cryptocurrency Bitcoin has. What made headlines was the pace with which it spread and the level of damage it caused to several facilities dependent on old, seldom-updated software (hospitals, for example). It's not a stretch to say this may be the first cyberattack directly attributable to a civilian death, though that has not been concluded yet, as we are still waiting for the dust to settle. What is clear, however, is WHY it spread so quickly, and it's quite simple really: many users don't have their PCs up to date.


    Indeed, the bug that WannaCry utilized to spread this rather old-school ransomware tech had been patched in Windows for about two months at the date of the outbreak. But many users were still not patched up. To be clear, this is not just hospital equipment and such that may be difficult to directly patch, but also end-user PCs that simply aren't patched due to user ignorance or outright laziness. That, as a cultural issue, can be fixed relatively easily (and to some degree already is, with the push of Windows 10, which handles this automatically for the user). But there is a more sinister twist to this story, one that indicates future outbreaks may be worse. The bug that enabled this to happen was leaked directly from the NSA, and had been known for much, much longer than the patch for it has existed. In other words, this bug had been stockpiled by the US government for use in cyberwarfare, and its leak caused this attack.

    Let me play you a theoretical scenario, one not so far-fetched I would think. What if Microsoft had NOT had a patch ready at the time of this outbreak? What if the bug (which exists in the file sharing stack and leaves most Windows PCs vulnerable by default) was exposed and we had to wait a couple of days for a patch? What can you do to protect yourself then?

    This seemingly nightmarish scenario is a good illustration of why stockpiling vulnerabilities in common software rather than reporting them is a bad practice rather than a good one. Of course, in the above situation, you could just turn your PC off until it all blows over, or turn off SMB1 file sharing in Windows (Google will help you here). Or, best yet, you could use a decent firewall setup that does NOT expose SMB ports to the internet (you can even block the ports in Windows Firewall; Google again has the answers). But not all of us are power users. Most out there aren't, actually. A lot of users actually plug their computers directly into their modems. I know, because I've worked IT. I've seen it. And what about when someone finds a worse vulnerability, like in the TCP/IP stack? What then? Do you unplug your computer from the internet entirely? OK, but who got infected first to tell you to do that? Someone had to take one for the team. Either way, damage has been done, people.

    This is why the practice of stockpiling exploits has to stop. The US government (and others, for that matter) should report exploits, not store them as cyber weapons. As weapons of war, they are as likely to hurt us in the end as our enemies, and that makes them very bad weapons from the perspective of one of the first rules of warfare: don't hurt your own team.

    Call me crazy, but that just seems like a weapon I'd rather not use. If a weapon hurts as many of your own team as your enemy, or even close to that number, it's time to retire that weapon. Of course, we aren't talking a literal injury or body count here, but the concept is the same. This is just a bad practice, and it needs to stop.
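The two stop-gaps the post above names for a host that cannot be patched yet (turn off SMB1, and stop the SMB ports from being reachable) can be applied and verified from an elevated PowerShell session. The script below is an added example written for this thread; it is not code from the original post or from Microsoft. It assumes Windows 8.1 / Server 2012 R2 or newer (the SmbShare, DISM and NetSecurity modules ship in-box), that it is run as Administrator, and the firewall rule names and the choice of profiles to block on are the example's own. Disabling SMB1 will break very old NAS boxes, printers and Windows XP-era clients that can only speak SMB1, which is exactly the equipment the post says tends to go unpatched, so check what still depends on it before running this on a shared network. None of this replaces the patch; it only narrows the worm's path to the box.

```powershell
#Requires -RunAsAdministrator
# Added example: harden a Windows host against SMB-borne worms by
#   1. disabling the SMB1 protocol (server side and the optional feature), and
#   2. blocking inbound TCP 139/445 on the chosen firewall profiles,
# then reporting whether both mitigations are actually in effect.
# Assumptions: Windows 8.1 / Server 2012 R2 or newer; run elevated.
# Rule names and the default profile list are this example's own choices.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Domain is deliberately left out so managed-LAN file sharing keeps working.
    # Add 'Domain' here if the host must not serve SMB to anyone at all.
    [string[]]$BlockOnProfiles = @('Public', 'Private'),
    [int[]]$SmbPorts = @(139, 445)
)

function Get-Smb1State {
    # Reports the server-side SMB1 negotiation switch and the install state of
    # the SMB1Protocol optional feature (which also covers the SMB1 client).
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServerSmb1Enabled = [bool]$server.EnableSMB1Protocol
        FeatureState      = if ($feature) { [string]$feature.State } else { 'NotPresent' }
    }
}

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    if ($PSCmdlet.ShouldProcess('SMB server', 'Disable SMB1 protocol negotiation')) {
        # Takes effect immediately: the server stops negotiating SMB1 with clients.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($PSCmdlet.ShouldProcess('Optional feature SMB1Protocol', 'Remove')) {
        # Removes the SMB1 binaries entirely; a reboot may be needed to finish.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Block-InboundSmb {
    param([string[]]$Profiles, [int[]]$Ports)
    foreach ($port in $Ports) {
        $name = "Block inbound SMB TCP $port (added hardening example)"
        # Idempotent: do not stack duplicate rules on repeated runs.
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Block -Profile $Profiles | Out-Null
        }
    }
}

function Test-SmbHardening {
    # Verifies the outcome rather than trusting that the commands succeeded:
    # SMB1 must be off, and every SMB port must be covered by an enabled
    # inbound Block rule (any rule, not only the ones this script created).
    param([int[]]$Ports)
    $state = Get-Smb1State
    $blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    $coveredPorts = foreach ($rule in $blockRules) {
        ($rule | Get-NetFirewallPortFilter).LocalPort
    }
    $uncovered = @($Ports | Where-Object { $coveredPorts -notcontains "$_" })
    [pscustomobject]@{
        Smb1Disabled   = -not $state.ServerSmb1Enabled
        Smb1Feature    = $state.FeatureState
        PortsUncovered = $uncovered
        Hardened       = (-not $state.ServerSmb1Enabled) -and ($uncovered.Count -eq 0)
    }
}

Write-Host 'Before:'
Get-Smb1State | Format-List

Disable-Smb1
Block-InboundSmb -Profiles $BlockOnProfiles -Ports $SmbPorts

Write-Host 'After:'
Test-SmbHardening -Ports $SmbPorts | Format-List
```

Run it once with `-WhatIf` to see what it would change, then without. `Test-SmbHardening` is the part worth keeping around: run it on its own from a scheduled task and you have a cheap check that nobody has quietly re-enabled SMB1 or removed the block rules, which is the kind of drift the post's "not patched due to ignorance or laziness" remark is about. Blocking 445 at the host firewall only protects that host; a worm that is already on the LAN still reaches any neighbour that left the port open, so the same check belongs on every machine, not just the one you happen to be sitting at.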
     
  2. R-T-B

    Notice: This is marked as an editorial, so treat it as such. This is not news and it may/may not make baby Jesus cry.
     
  3. Dj-ElectriC

    Some people thrive on chaos. They will continue doing it.
     
  4. RejZoR

    What's funny is that people who were using any kind of worthy AV (not Windows Defender) were protected since February 2017 when most companies captured early strains.
     
  5. FordGT90Concept

    This is why I wish John McAfee had won POTUS. As the internet grows, attacks like this are going to become a near-daily occurrence. Everyone needs to up their security game. More importantly, the internet itself has to change to counter cyber attacks.

    As for government finding exploits and not talking about them: remember that the NSA likely used an exploit like this (or maybe this very one) to launch a successful cyber attack against Iran's centrifuges. No one got hurt and Iran's nuclear ambitions were hugely damaged/delayed. I think the NSA should adopt a policy like Google's. If it finds an exploit, it gives itself some time to use it, then it notifies whoever can fix it (in this case Microsoft), and then it publishes a document detailing the exploit some time after that. The NSA gets its covert tools and the holes get plugged (which helps the government too, because there are a lot of Windows systems around).
     
  6. R-T-B

    I might agree on that front, but there was something very different about that exploit: it had nothing to do with networking. It targeted offline computers and was delivered via a USB stick to an offline network.

    Obviously in that instance, care had been taken and the potential for network/internet abuse of that exploit was 0.

    However, if it was a networkable worm (unclear on this), what would've happened had that been leaked? You know the answer. The NSA isn't a vault of security as of late.

    It may not even have been an exploit, for that matter. More likely, knowing that USB drivers are privileged, it was simply a modified USB stick. That's relatively trivial if you know firmware programming.
     
  7. Totally

    Also, the only people who were affected were the ones who weren't up to date on patches. Pointing out choice of AV at this point is like discussing what dental dam to use after going at it raw. Pointing out which AV was being used is like telling a car owner who left all their doors unlocked with the keys in the ignition, and as a result had their car stolen, that people who were using X security system didn't get their car stolen.
     
    Last edited: May 19, 2017
  8. R-T-B

    Yep, and as I noted, that's a lot more than we'd like to think.
     
  9. FordGT90Concept

    How do you think it infiltrated the facility in the first place? It attacked Windows (USB, RPC, printer sharing, fake shortcuts, JMicron/Realtek signed rootkit driver), then it silently infected devices on the network until it found Siemens Step 7 industrial control software.
     
  10. Evildead666

    I don't think the NSA/CIA/GCHQ give a sh*t really.
    If they could do this, and point the finger at the "Russkies" (or the next "Axis of Evil"), they would.

    It's all fun and games for them (quite literally).

    edit: Microsoft still haven't patched XP, have they?
     
  11. R-T-B

    They have, due to outcry.

    As mentioned, it infiltrated via infected USB hardware.
     
  12. DeathtoGnomes

    Actually they did; the released patch made headline news since so many were shocked that m$ put forth an effort.

    Can't say much since I'll be accused of m$ bashing...

    On second thought, I don't give a shit; if m$ receives any bashing, it's probably well deserved in one way or another, and maybe they might even step up a bit more often and fix exploits before they release them intentionally to the NSA/CIA/paying governments.
     
  13. Totally

    That's crazy talk. If they were really working with spy agencies, it'd be far easier for them to simply place a backdoor somewhere or write tailor-made software that defeats the OS security.
     
  14. Static~Charge

    There is some hope:

    Proposed PATCH Act forces U.S. snoops to quit hoarding code exploits
    http://www.theregister.co.uk/2017/0...o_force_intel_agencies_to_fix_found_exploits/

    Two U.S. senators have proposed a law limiting American intelligence agencies' secret stockpiles of vulnerabilities found in products.

    The Protecting our Ability To Counter Hacking (PATCH) Act would set up a board chaired by a Department of Homeland Security (DHS) official to assess security flaws spies have found in code and hardware, and decide if manufacturers should be alerted to the bugs so they can be fixed for everyone.

    Now all we have to do is get the pinheads in D.C. to pass the legislation into law....
     
  15. Totally

    That law doesn't protect us, it protects them. This law just absolves them of any wrongdoing should this happen again.
     
  16. Static~Charge

    I have to admit: Having a law is one thing; enforcing it is a different issue entirely....
     
  17. FordGT90Concept

    I hope it passes, but I'm sure people on the intelligence oversight committee are going to do everything they can to stop it. At the same time, it doesn't go far enough: manufacturers should always be notified. Someone (with an inherent bias either towards notification or away from it) shouldn't be deciding which holes will deliberately be left open and which won't. Government needs a standard operating procedure where the manufacturer is always notified; it's just a matter of when.
     
  18. Totally

    The way I understood the law, they don't have to disclose any holes as long as they don't exceed a predetermined amount; when they do, they evaluate which ones to keep and which to disclose. Kind of like a kid with too many toys who has to figure out which toys to send to Goodwill in order to close the lid on the chest. Now what's stopping them from giving themselves a toy chest bigger than the one they'll ever need?
     
  19. Caring1

    They also have the ability to carry out over the air exploits on remote machines that are not connected, without physical access, so even unplugging from the net is by no means a protection.
     
  20. R-T-B

    Bridging air-gapped networks typically relies on "sneakernet" (infected media of some type).

    That's what I was referring to.
     
  21. xkm1948

    And some people still think the Internet of Things is a good idea. Yeah right, imagine all of your appliances are now turned into bricks and constantly reminding you that you need to pay to have them fixed. IoT is one of the stupidest ideas ever invented under the cloud computing BS. Take a look at Mother Nature as our best teacher. After billions of years of evolution, are species happily sharing genetic information? Hell no. Each individual species has built up its defenses to degrade foreign DNA as much as it can. Even your sweat contains trillions of RNase molecules that will degrade ANY RNA you may touch.

    Getting everything onto the net is a horrible, horrible idea. It is just TNT waiting for a spark. Unfortunately, the WannaCry situation showed us there is no shortage of such sparks.
     
  22. FordGT90Concept

    That one attack that happened recently was conducted by leveraging IoT products (like internet-connected security cameras). IoT always was and always will be a terrible idea. Manufacturers creating updates is not likely in the first place; compound that with actually installing the updates (especially on IoT products, where people assume it's perfectly safe by nature) and massive attacks are going to become increasingly commonplace.

    At least there are intelligent enterprise routers out now that perform deep packet inspection to find and stop malicious activity. Systems like that need to be rolled out to all consumers, stopping widespread infections before they start.
     
  23. nem..

    NSA trying to destroy Bitcoin and blaming North Korea.
     
  24. Frick

    Bash MS all you want, but be correct and coherent.

    Worth noting is how Windows 10 was/is not affected by the SMB spreading exploits.
     
  25. R-T-B

    Incorrect. It was affected; the patch just got auto-applied on time. If you had updates disabled and used RTM, it was most certainly vulnerable.

    Lol, no. Just no.


    Not what the bill proposes.
     