2018 Year in Review: Old Known Security Vulnerabilities Still Wreak Havoc
In 2018, publicly known security vulnerabilities continued to be exploited by cyber criminals. One of these known security vulnerabilities is WannaCry, a malicious software (malware) thought to be “old news”, but still continues to hunt for its next victim.
What Is WannaCry?
WannaCry is known for infecting more than 300,000 computers in 150 countries in less than 24 hours on May 12, 2017.
WannaCry attackers infiltrated these hundreds of thousands of computers by using EternalBlue – referring to both the software vulnerability in Microsoft’s Windows operating system and the exploit believed to be developed by the U.S. National Security Agency (NSA).
Just a few days before the May 16thWannaCry attack, that is, on April 14, 2017, the EternalBlue exploit was publicly leaked by the malicious hacker group called “Shadow Brokers”.
EternalBlue exploits the flaw in Microsoft’s Server Message Block (SMB) – a protocol that allows users to share files. This SMB flaw could allow remote code execution on vulnerable Windows operating system. Remote code execution enables an attacker to access someone else’s computing device and make changes, regardless where the device is geographically located.
In the case of WannaCry, once a computer is infected, the files within are encrypted or locked, preventing users to access these files and a message demanding a ransom payment to decrypt or unlock the files is then displayed on the computer screen.
Even though the WannaCry ransom notice says that files will be decrypted, that is, decryption key will be given to unlock the encrypted files upon payment of the ransom, paying the attackers ransom is a futile exercise as the source code of this malware was written in such a way that even the attackers can’t determine who paid the ransom and who didn’t.
On March 14, 2017, a month before Shadow Brokers publicly leaked EternalBlue, Microsoftreleased a security update fixing the security vulnerability that’s targeted by EternalBlue. WannaCry, which uses EternalBlue, was able to infect hundreds of thousands of computers on May 12, 2017 as many computer owners failed to install Microsoft’s March 14, 2017 security update. The fact that WannaCry also exhibits a worm capability, that is, the ability to spread itself within networks without user interaction, makes it as one of the most dangerous malware.
WannaCry Killswitch
Jamie Hankins, Head of Security and Threat Intelligence Research at Kryptos Logic, said that while WannaCry is considered as “old news”, the WannaCry malware continues to attack vulnerable computers – those that haven’t installed Microsoft’s March 14, 2017 security update.
Hankins said that on December 21, this year, over the course of 24 hours, 2,713,752 connection attempts to the WannaCry killswitch URL came from 220,648 unique IP addresses from 184 different countries; and over the course of one week, 17,088,121 connection attempts to the WannaCry killswitch URL came from 639,507 unique IP addresses from 194 countries.
These hundreds of thousands of connection attempts to the WannaCry killswitch URL means that even though 18 months had passed since the major WannaCry attack, hundreds of thousands of Windows operating systems still haven’t installed Microsoft’s March 14, 2017 security update and are infected by the WannaCry malware.
When the major WannaCry infection was unleashed on May 12, 2017, the mass infection was halted after security researcher Marcus Hutchins of Kryptos Logic discovered a URL that turns out to be the killswitch for WannaCry.
The source code of WannaCry was written in such a way that once it infects a certain computer, it routinely tries to access the killswitch URL. Once the malware accesses the URL and finds it active, the malware shuts down. On the hand, if the malware can’t access the URL, it proceeds to encrypt the files in the infected computer, preventing the user to access the encrypted files, and a ransom notice is then displayed on the computer monitor.
“No one cares about WannaCry anymore, it’s ‘old news’ but for us the killswitch remains of upmost importance,” Hankins said. “The amount of damage that would take place if there was an outage.”
The WannaCry killswitch URL plays an important role in routinely shutting down this malware. As such, this killswitch URL is carefully guarded by the cyber security community from attacks, including distributed denial-of-service (DDoS) attacks.
Other Reported Cases of WannaCry Infection in 2018
In March, this year, computers at Boeing’s North Charleston, South Carolina production plant were infected with the WannaCry malware.
“The vulnerability was limited to a few machines,” Linda Mills, head of communications for Boeing Commercial Airplanes, said in a statement. “We deployed software patches. There was no interruption to the 777 jet program or any of our programs.”
In August, this year, WannaCry hits again, this time infecting the computers of Taiwan Semiconductor Manufacturing Co Ltd (TSMC), the world’s largest contract chipmaker. The WannaCry malware that hit TSMC very much acted like the other previous attacks, that is, infecting Windows operating systems that didn’t install Microsoft’s March 14, 2017 security update.
TSMC said the initial infection of the malware came from an unnamed supplier who connected a computer laden with WannaCry to TSMC’s internal network. The malware then spread swiftly to the company’s internal network, infecting the computers in the company’s manufacturing plants in Tainan, Hsinchu and Taichung – plants that produce chips for Apple.
Cyber Security Best Practice
The only way to stop WannaCry is to install Microsoft’s March 14, 2017 security update.
The following Windows operating systems are vulnerable to WannaCry attack: Microsoft Windows XP, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7, Windows 8.1, Windows RT 8.1, Windows Server 2012 and R2, Windows 10 and Windows Server 2016.
Contact ustoday if you need assistance in keeping your server operating system (OS) up-to-date.