Lessons Learned from WannaCry / WannaCrypt0r
A brief history…
CIT has intentionally remained silent on the events of 12 May as we felt there was already enough media hype surrounding the WannaCry attack. This blog is not intended to add to that noise. Rather, its intention is to provide useful lessons learned from this event in order to prevent such eventualities in the future.
Sometime in the early hours of Thursday, May 11, 2017, a new piece of cryptoransomware was released into the wild. This new piece of nastyware exploited a vulnerability in the way Microsoft Windows workstations and servers communicate with each other across a network. This vulnerability has been known in IT circles since mid-2015 and has been recognized as a significant threat since its discovery. The vulnerability had even been used in many earlier attacks – so much so that Microsoft directly asked network administrators to take action against this threat in September of 2016.
Microsoft, US-CERT, and a litany of other security firms have all commented on the inherent dangers of this protocol for nearly three years. US-CERT went so far as to foretell the WannaCry event in their January 18, 2017 security advisory. The vulnerability that made all of this commotion is one involving the use of Server Message Block version 1 (SMBv1). The message from security experts has been clear for some time – stop using SMBv1. Using exploits and hacking tools developed by the United States National Security Agency (NSA), the authors of the nastyware took this prevalent vulnerability and combined it with a back-to-basics approach to malware propagation – the worm. Looking back at MS-Blaster in 2003 and Conficker in 2008, this technique has already been demonstrated and proven effective.
So why is WannaCry so dangerous?
Simply, because WannaCry brought to reality a massively self-distributing piece of ransomware that utilized advanced infection and propagation techniques, using a peer-to-peer strategy through a two-stage worm-based infection path. Put more simply, it demonstrated the ability to spread ransomware at a massive scale using the victims to help both speed and spread the infection.
The ease of lateral movement within a victim organization (thanks to the worm) is what contributed to this event becoming so widespread so quickly. While the financial gains of the attackers were quite modest, around $40K USD, the speed at which the malware spread was impressive. Only by accident was the spread of this worm curtailed. A UK-based security researcher, MalwareTech, stumbled upon what was initially believed to be a kill-switch for the malware.
Many have asked CIT if we believe the growing speculation that the attack was a dress rehearsal for something larger. The attack surely demonstrated the fragility of networks and the ease with which a worm-based malware attack vector can spread. It also demonstrated the prevalence of poor patch management and outdated operating systems running in critical areas throughout the world. What was originally thought to be a kill-switch was ultimately determined to be an advanced malware sandbox detection and avoidance technique. Similar techniques are meant both to hinder malware researchers' ability to analyze nastyware and to allow it to pass through the most advanced anti-malware behavioral analysis systems undetected. It is a stealthy way for malware authors to maximize the distribution and minimize detection of their variant of nastyware. The inclusion of these techniques reveals that the actor(s) behind WannaCry are not novice malware authors. The combination of obvious experience, leveraging once-classified NSA exploits in the attack, and devising a clever peer-to-peer propagation technique indicates that WannaCry wasn’t the last word from these cybercriminals.
Do we believe that something larger is in the works? Absolutely. There always is. Was WannaCry a dress rehearsal for the architects of this attack? There are mixed indications of this eventuality; however, nothing material has yet come to light that should be acted upon by InfoSec professionals. Overall, we believe that WannaCry should serve as a wake-up call for businesses running critical systems on legacy software and for those which are not actively managing their system patching.
This attack has provided a simple lesson learned which is applicable equally to business owners, executives, and technologists alike – the urgent need for a layered cybersecurity defense. This strategy must include patching, boundary defense, and maintenance of internal systems to harden against major vulnerabilities.
The Technical Lessons Learned from WannaCry
Patching matters. Period. All software has vulnerabilities and those vulnerabilities will be exploited by the bad guys. OS and application vendors release patches at a dizzying rate. Employing a centralized, structured, and managed patching program permits deploying these patches across an organization or enterprise in a manner that is traceable.
In an organization or enterprise of any size, applying patches in a timely manner can be extremely difficult. The necessity for QA and testing of each patch cycle has been demonstrated many times in recent history. Ensuring that the new code introduced in a patch does not impact or alter the behavior of business-critical applications is paramount. After all, what good is a fully patched computer network if the business applications cannot function across it? One “bad patch” can, and has, negatively affected many organizations’ ability to function. It is important to balance the need for security against the functionality of applications and the resources of the IT department.
One of the lessons learned for many of those impacted by WannaCry was the need to ensure that all devices on the network are patched. This leads to ensuring that organizational patch management is traceable and verifiable. As reported in popular media many of those affected in the UK by WannaCry believed they had in fact patched their systems against this very vulnerability. As it turned out, they were not patched and are now left cleaning the aftermath of the infection.
This is not a blog about the need for patching nor is it armchair quarterbacking of the WannaCry incident. It is about the need to implement layered defensive and detection security mechanisms throughout an organization.
Patching is difficult. Doing it properly is even more difficult. There is a reason that it’s one of the first 5 of the 20 Critical Security Controls (20CSC). Doing it correctly changes the security posture of an organization to a very large degree. Relying on the default patching configuration of desktop and server operating systems is no longer effective for business users. That functionality was introduced to ensure that consumers – home users – were able to patch their systems in an easy and understandable way.
The take away: Implement a proper patch management strategy that takes into account QA/testing and is fully traceable.
Overlapping layers of defense are the solution for nastyware like WannaCry. In this instance, that means disabling a 30-year-old technology that has been recognized as a security weakness and obsolete for 15 years – SMBv1. This attack vector is one that we evaluate for and remediate in all of our managed clients. Across hundreds of deployments we have had issues after the change with fewer than 0.3% of servers. This change is simple and free. Why is it not done by default – meaning by Microsoft? Simple. Compatibility and flexibility. When Microsoft packages and distributes an operating system, they are driven by market objectives to maximize compatibility. It is their opinion that business users understand how to customize and secure the configuration of the operating system for their individual needs. Microsoft publishes very useful and helpful articles for businesses that are not so tech-savvy.
Be security minded and employ internal controls to further secure your operating systems beyond their default settings.
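Both the patching lesson (make patch status verifiable, not assumed) and the SMBv1 lesson call for a check that can be run and recorded per host. The following PowerShell audit script is an added example, not CIT's tooling: it reports whether SMBv1 is enabled and whether an MS17-010 update is present, and disables SMBv1 when run with an assumed `-Remediate` switch. The SMB cmdlets and the LanmanServer `SMB1` registry value are Microsoft's documented mechanisms; the MS17-010 KB list is an assumption to be checked against the bulletin for the OS builds you manage.

```powershell
# Added example (not CIT's tooling): audit one Windows host for two of the
# lessons above (is SMBv1 off? is the MS17-010 fix installed?) and, with
# -Remediate, disable SMBv1. Run elevated; needs PowerShell 3 or later.
[CmdletBinding()]
param(
    # MS17-010 KB numbers are per-OS; this subset is ASSUMED from the bulletin.
    # Verify it against the bulletin for the OS builds you actually manage.
    [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                              'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429'),
    [switch]$Remediate
)
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Windows 8 / Server 2012 and later ship the SMB cmdlets; Windows 7 /
    # 2008 R2 only have the registry value, and a missing value means enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return ((Get-SmbServerConfiguration).EnableSMB1Protocol -eq $true)
    }
    $v = Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue
    return (($null -eq $v) -or ($v.SMB1 -ne 0))
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWORD -Value 0 -Force
    }
}

# Patch check. Caveat: a later cumulative update that supersedes the KB
# satisfies MS17-010, but Get-HotFix will not list the original KB.
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
$result = [pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    Smb1Enabled = Get-Smb1State
    Ms17010Kb   = ($installed | Select-Object -First 1 -ExpandProperty HotFixID)
    Checked     = (Get-Date).ToString('s')
}

if ($result.Smb1Enabled -and $Remediate) {
    Disable-Smb1
    $result.Smb1Enabled = Get-Smb1State   # re-read so the record is verifiable
    Write-Warning "SMBv1 disabled on $env:COMPUTERNAME; registry-based hosts need a reboot."
}

# One record per host; pipe to Export-Csv -Append for a traceable audit trail.
$result
```

A host whose record shows `Smb1Enabled` true or an empty `Ms17010Kb` is exactly the machine that "believed it was patched" in the UK reports above; the caveat about superseding cumulative updates is why the KB column should be read alongside the build version rather than on its own.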
A strong boundary defense must also be mentioned. CIT standardizes on Fortigate UTM firewalls. We think they are amazing tech, are very reliable, and have a proven track record. NSS Labs agrees with us on this point. Putting the vendor aside, employing a strong Next-Generation Firewall – or Unified Threat Management – appliance at the network boundary also goes a long way to mitigate attacks such as WannaCry. Doing a deep dive across the managed firewall install base of CIT, we found WannaCry signatures being detected at the network boundaries of our clients within 3 hours of the initial in-the-wild sighting. How many made it through? Less than 1%.
Boundary defense is critical to a defense-in-depth strategy.
Lastly, and most importantly, partnership.
The landscape of corporate IT today is not what it was 5 or 10 years ago. Today it takes partners working together, each dedicated and committed to the same outcomes, and each driven to individual and collective accountability. Without these partners, an organization is alone in a sea of threats and threat actors. Some seen. Many unseen. CIT is thankful for its partners in the fight against cybercrime and cyber criminals alike. The list is long and includes both individuals and distinguished organizations, including many from the public sector. This includes the Department of Homeland Security, US-CERT, the Federal Bureau of Investigation, InfraGard, and the National Security Business Alliance Council (NSBAC). Of course there are many private sector organizations as well, including Microsoft, MITRE (maintainers of the Common Vulnerabilities and Exposures (CVE) dictionary), Fortinet Labs, AlienVault and the OTX, and a long list of others.
These partners allow organizations like CIT to be informed about the threats that exist in the wild, those that are being exploited, and those that pose the most risk to business organizations. We in turn leverage that information to create client-specific action plans as well as global security policies. In the case of WannaCry, Microsoft patched the specific vulnerability in SMBv1 that WannaCry exploited in their March 2017 update cycle – bulletin MS17-010 for those keeping track. CIT performed QA testing of this patch across its client base within 1 week of its release and deployed it universally as a critical update. By the time WannaCry was released, fewer than 2% of machines under our management were vulnerable to the MS17-010 vulnerability. Of those, WannaCry could affect 0% due to overlapping security controls.
The lessons learned from WannaCry are numerous. From the victims’ perspective, beyond the fragile state of their internal systems, the lesson is the urgent need for tested and verified business continuity policies and data backups. Across the rest of the industry, it is the shocking realization that there are still outdated/legacy/obsolete systems on production networks, that all systems are in fact vulnerable, and that business today largely does not exist without IT. While for CIT’s clients this was largely a non-issue, for many others this was a major event. One of the key differences is overlapping lines of defense and prevention that work in concert, are kept updated, and account for changes to relevant standards. This includes local (on-system) malware defenses, strong network segmentation, highly effective network boundary protection, and secure configuration of internal systems. CIT uses the 20 Critical Security Controls (20 CSC) as a framework from which to develop effective security controls.
Information security – or the safety of a business organization’s data – is not a destination, it’s a journey.
To learn more about CIT and how we have focused our practice on managing the security, systems, and infrastructure of small to mid-size businesses, contact us. Ensuring that you have the right partners with you for the information security journey is incredibly important. For over 20 years, CIT has joined forces with the most innovative and respected organizations and individuals to further the IT needs of smaller organizations. Get in touch and let us show you how good I.T. can be!