Why WannaCry portends coming surge in attacks launched via self-spreading worms

Vulnerability management more crucial than ever to stopping malware that infects computers with no user action needed


The land­mark Wan­naCry ran­somware attack, I believe, may have been a proof of con­cept exper­i­ment that inad­ver­tent­ly spun out of con­trol after it got released prematurely.

But now that it’s out there, Wan­naCry sig­ni­fies two devel­op­ments of pro­found con­se­quence to com­pa­ny deci­sion-mak­ers mon­i­tor­ing the cyber­se­cu­ri­ty threat landscape:

• It revives the self-prop­a­gat­ing inter­net worm as a pre­ferred way to rapid­ly spread new exploits, machine to machine, with no user action required.

• It lights up the cyber under­ground like a Las Vegas strip bill­board, herald­ing a very viable style of attack. Wan­naCry already has begun to spur hack­ers to revis­it self-spread­ing worms, an old-school, high­ly inva­sive type of attack.


The unfold­ing “kill switch” sub­plot sup­ports my analy­sis. First a recap: Wan­naCry is an exploit that spreads on its own, seek­ing out Win­dows lap­tops, desk­tops and servers that lack a cer­tain secu­ri­ty patch issued in March by Microsoft.

Wan­naCry first appeared on the inter­net last Fri­day morn­ing and swift­ly swept across the globe, rem­i­nis­cent of the I Love You and Code Red worms of yore. It infect­ed 200,000 Win­dows machines in 150-plus coun­tries. Hard­est hit were insti­tu­tions of the U.K.’s Nation­al Health Ser­vice, as well as Span­ish and Russ­ian util­i­ty companies.

You may recall that self-spread­ing Win­dows worms were all in vogue a decade ago. The most infa­mous prob­a­bly was Con­fick­er. I wrote exten­sive­ly about Con­fick­er for USA Today. But for all the atten­tion Con­fick­er drew, it nev­er deliv­ered any overt­ly mali­cious pay­load. It sim­ply spread.

Wan­naCry, by con­trast, is spread­ing with a pur­pose. It car­ries with it instruc­tions to encrypt each infect­ed machine’s hard dri­ve. And then it requests a $300 ran­som, payable in bit­coin, to decrypt the drive.

So why do I think Wan­naCry was released pre­ma­ture­ly? Because $300 is low for a ran­som demand, espe­cial­ly for a ran­somware attack aimed at the busi­ness sec­tor and designed to scale glob­al­ly. It makes more sense that $300 was a place­hold­er amount.


“This looked like a shotgun approach to compromise as many systems as quickly as possible before anti-virus definitions could catch up,” says Andrew Spangler, principal malware analyst at Nuix, an intelligence, analytics and cybersecurity solutions company. “It’s possible the attackers were not even aware of how effective this propagation method would be.”

Kill switch discovered

On Fri­day night, a researcher going by the han­dle “Mal­ware Tech” report­ed that he had reverse engi­neered Wan­naCry and dis­cov­ered a “kill switch” sit­ting at a domain name that the author had not yet actu­al­ly registered.

A kill switch also is some­what unusu­al for ran­somware. It could have been includ­ed as a tool to give the attack­er the abil­i­ty to release the ran­somware in small dos­es, shut­ting it down to make tweaks. But WannaCry’s cre­ator neglect­ed to fol­low through and reg­is­ter his kill switch’s domain name.

That made it pos­si­ble for Mal­ware Tech to come along, dis­cov­er the unreg­is­tered domain name, reg­is­ter it, and thus take con­trol of the kill switch. He then was able to shut down the orig­i­nal ver­sion of WannaCry—by hit­ting the kill switch.


Yet to no one’s sur­prise, with­in a mat­ter of hours, slight­ly tweaked vari­ants of the orig­i­nal ver­sion began cir­cu­lat­ing. “Updat­ed Wan­naCry vari­a­tions have since been released,” says Ray Pom­pon, prin­ci­pal threat researcher at F5 Net­works, an appli­ca­tion ser­vices and secu­ri­ty com­pa­ny. “The dan­ger is still real.”

Good guys, bad guys engage in cyber duel

To be spe­cif­ic, new vari­ants with a slight­ly mod­i­fied kill-switch domain are spread­ing. A very small change con­nects the malware’s kill switch to a slight­ly dif­fer­ent domain and cre­ates a viable vari­ant, says Chris Doman, threat engi­neer at Alien­Vault. “This allows Wan­naCry to con­tin­ue prop­a­gat­ing again,” Doman says.

For­tu­nate­ly, oth­er good-guy researchers have tak­en it upon them­selves to hus­tle to reg­is­ter the kill switch domains of any new vari­ant that turns up, and fol­low Mal­ware Tech’s exam­ple to kill the vari­ant when possible.


“The cat-and-mouse (chase) will likely continue until someone makes a larger change to the malware, removing the kill-switch functionality completely,” Doman says. “At that point, it will be harder to stop new variants.”
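The kill-switch lookups described above are also a detection signal for defenders. The following is an added example, not code from the article or from any researcher it quotes: it scans DNS query logs for clients that look up a known kill-switch domain or a lightly edited variant of one. The domain is a placeholder, and the log format, the edit threshold and all sample lines are assumptions constructed for illustration.

```python
from collections import defaultdict

# Placeholder domain, constructed for this example. Substitute the kill-switch
# domains published for the samples you track.
KNOWN_KILL_SWITCHES = {"killswitch-placeholder-a1b2c3d4e5f6.example"}
MAX_EDITS = 3  # assumption: a "very small change" is at most a few characters

def edit_distance(a, b):
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(qname):
    """Return 'known', 'variant' or None for one queried name."""
    name = qname.rstrip(".").lower()
    if name.startswith("www."):
        name = name[4:]
    if name in KNOWN_KILL_SWITCHES:
        return "known"
    for ks in KNOWN_KILL_SWITCHES:
        if abs(len(name) - len(ks)) <= MAX_EDITS and edit_distance(name, ks) <= MAX_EDITS:
            return "variant"
    return None

def suspect_hosts(log_lines):
    """Map client IP -> {(verdict, qname)} from 'time client qname qtype' lines."""
    hits = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines instead of raising
        client, qname = parts[1], parts[2]
        verdict = classify(qname)
        if verdict:
            hits[client].add((verdict, qname.rstrip(".").lower()))
    return dict(hits)

# Constructed sample log: one exact hit, one two-character variant, one benign.
SAMPLE_LOG = [
    "2017-05-13T09:00:01Z 10.0.4.17 killswitch-placeholder-a1b2c3d4e5f6.example. A",
    "2017-05-13T09:00:05Z 10.0.4.22 www.killswitch-placeholder-a1b2c3d4e5x7.example A",
    "2017-05-13T09:00:09Z 10.0.4.30 updates.vendor.example A",
    "truncated line",
]
```

Alert on these lookups rather than blocking them: as the article describes, the sample stands down only when its kill-switch domain is live. A flagged client is a candidate for isolation and patching even if nothing on it was encrypted.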

Secu­ri­ty patch­ing more vital than ever

The kill switch subplot aside, one might ask: Why did it take this long—nearly a decade after Conficker—for cyber criminals to incorporate a Windows worm into an attack designed for monetary gain?

Part of the rea­son is that Microsoft has put forth a tremen­dous effort to stay on top of new­ly dis­cov­ered Win­dows vul­ner­a­bil­i­ties. Under its bug boun­ty pro­gram, it pays researchers hand­some­ly to dis­cov­er and report fresh Win­dows vul­ner­a­bil­i­ties. And it pours vast resources into issu­ing secu­ri­ty patch­es in a time­ly manner.

With respect to the spe­cif­ic Win­dows bug lever­aged by Wan­naCry, Microsoft issued a patch in March. Still, the dig­i­tal world we live in is both amazing—and amaz­ing­ly com­plex. That means imple­ment­ing secu­ri­ty patch­es across an orga­ni­za­tion of any size can be an oner­ous process.

The result is that vul­ner­a­bil­i­ty man­age­ment, and secu­ri­ty patch­ing, lags well behind in the vast major­i­ty of orga­ni­za­tions. This is true for patch­es issued by Microsoft, Ora­cle, Java, Adobe and any

“Numerous organizations have fallen victim to these attacks because they failed to apply the patches in a timely manner or were using legacy systems that could not be patched,” says Andreas Kuehlmann, senior vice president and general manager of the Software Integrity Group at Synopsys.

Unin­tend­ed help from government

An X-fac­tor also came into play. It turns out that the Nation­al Secu­ri­ty Agency knew all about this par­tic­u­lar Win­dows bug and, in fact, pos­sessed a tool to take advan­tage of it. Noth­ing wrong with that. Our intel­li­gence agen­cies need to have the capa­bil­i­ty to match or exceed the cyber capa­bil­i­ties of Chi­na, Rus­sia or North Korea.

The X-fac­tor that made a dif­fer­ence was this: Hack­ers stole that infor­ma­tion from the NSA and pub­lished it online—delivering it on a sil­ver plat­ter to the cre­ator of WannaCry.

“Now that weapons-grade cyber attack tools are in the wrong hands, it is clear that tools and techniques previously reserved for use by nation-states are being integrated into crime ware for profit,” says Josh Gomez, senior security researcher at Anomali. “This means we can expect to see more of these exploits and tools leveraged in future attacks, each one likely surpassing the previous in sophistication and stealth.”

Hang on to your hats, folks. Buck­le your seat belts. Com­pa­ny net­works’ defens­es sore­ly need shoring up: this we know all too well. And now attacks are all but cer­tain to ratch­et to an unprece­dent­ed lev­el of intensity.


Observes Jonathan Sander, chief tech­nol­o­gy offi­cer at STEALTH­bits Tech­nol­o­gy: “This mas­sive attack is a potent mix of phish­ing to attack the human, worm to spread via unpatched Microsoft sys­tems, and ran­somware to get the bad guys their pay­day. … The rea­son for WannaCry’s suc­cess is our col­lec­tive fail­ure to do the basic secu­ri­ty block­ing and tack­ling of patch­es, user edu­ca­tion, and con­sis­tent back­ups. As long as we fail to remove vul­ner­a­bil­i­ties and watch our files, bad guys will exploit us by exploit­ing our systems.”
