Hang Down Your Head And (Wanna)Cry

WannaCry took the world by storm starting on Friday, and everyone blogged about it. A ransomware that spread not by phishing, but via an internet worm compared to worms of old including Sasser, Slammer and Conficker. Specifically, leveraging the ‘DoublePulsar/ETERNALBLUE’ exploit from the NSA stash that ShadowBrokers released several weeks ago, to install a backdoor and then execute the ransomware automatically.

You can read a full technical breakdown on the Talos Blog, as well as MalwareBytes (who has also been tracking the infection, and Endgame Security.

Interestingly, it looks like this was exploited earlier by a botnet to infect users with cryptocurrency miners, which may have actually limited some of the damage since this malware closed the vulnerable port to prevent additional infections.

Microsoft is pissed off at the NSA for stockpiling exploits. While Microsoft quickly patched against this problem 2 months ago, the fact that there are still so many victims is unfortunate. It certainly doesn’t help that certain users are disabling Windows Auto-update, making it that much more likely for someone to be a victim of an exploit like this, or the fact that pirated versions of Windows are prevalent and don’t necessarily receive software updates.

The EFF talks up this patching problem, pointing out that Microsoft eventually felt the need to upgrade EOL versions of Windows (XP and Windows Server 2003 received emergency patches) as a large number of organizations still rely on these versions, including medical systems with specialized software. They then furthered it by pointing out all the un-upgradable software present in IoT devices, as well as mobile phones as older versions of Android are still in use with manufacturers not updating for older devices.

WannaCry wasn’t without its bugs. One bug failed to create unique bitcoin wallets for each victim, allowing payments to be tracked easily. And then, of course, was the kill switch, which was accidentally activated when a malware researcher tried to sinkhole communications. However, this is not the end, with a number of copycats emerging from the woodwork.

The ShadowBrokers have left commentary in the wake of WannaCry, suggesting that they are going to start providing zero day dumps as a service for exploits that were not part of April’s massive leak, including additional Windows 10 vulnerabilities.

Written on May 17, 2017