The mass ransomware attack currently hitting hospitals, telcos, universities and other institutions worldwide, using the malware WannaCry/WanaCrypt0r 2.0, appears to be spreading by exploiting a known flaw in the Microsoft Windows SMB server, patched in March as MS17-010.
The vulnerability was disclosed earlier this year and an exploit for it had been in use by the NSA, according to the trove of tools dumped by the hacking group Shadow Brokers. The US security agency uses malware of this kind to exploit vulnerabilities in IT systems for conducting covert operations online.
The use of the NSA's EternalBlue exploit was confirmed by the respected independent malware researcher 'Kafeine':
WannaCry/WanaCrypt0r 2.0 is indeed triggering ET rule : 2024218 "ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response" — Kafeine (@kafeine), May 12, 2017
Cybercriminals in Russia have been looking for ways to put the EternalBlue exploit to use for some time, according to a report in Forbes.
"MS17-010 is the best candidate for this ransomware attack," said Matthew Hickey, co-founder of UK cybersecurity training hub Hacker House.
According to the Spanish authorities, the following versions of Windows are at risk:
Microsoft Windows Vista SP2
Windows Server 2008 SP2 & R2 SP1
Windows RT 8.1
Windows Server 2012 & R2
Windows Server 2016
Microsoft released patches for the vulnerability in March (MS17-010), but these did not extend to versions of Windows that are out of support, such as XP, which are still in use in many organisations including the NHS, which seems to have been particularly badly hit. There is currently no evidence that XP is the issue, however.
It goes without saying that admins should patch any vulnerable systems immediately. Where a patch cannot be applied, disabling the SMBv1 server (the protocol EternalBlue targets) and blocking inbound TCP port 445 from untrusted networks removes the exposure in the meantime.
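The following PowerShell script is an added example, not code from the article, from Microsoft or from any of the vendors quoted, showing how an admin would triage a single Windows host for the MS17-010 exposure described above and, optionally, apply the interim mitigations. The hotfix IDs in $Ms17010Kbs are listed as the author recalls them from the MS17-010 bulletin and must be checked against the bulletin for your exact OS build; on Windows 10 and Server 2016 the fix is carried forward by every later cumulative update, so a missing KB there does not by itself mean the host is vulnerable. The cmdlets used exist on Windows 8 / Server 2012 and later; Windows 7 and Server 2008 R2 fall back to the LanmanServer registry value that Microsoft documents for disabling SMBv1.

```powershell
<#
  Added example (not from the article, Microsoft or Kaspersky): MS17-010 triage for one host.
  Assumptions: $Ms17010Kbs is the MS17-010 hotfix list as the author remembers it from the
  bulletin - verify it before relying on it. Run without -Remediate to report only; with
  -Remediate it disables the SMBv1 server and blocks inbound TCP 445 on the Public
  firewall profile (SMB file sharing on that profile will stop).
#>
[CmdletBinding()]
param(
    [switch]$Remediate
)

$Ms17010Kbs = @(
    'KB4012598',                            # Vista SP2 / Server 2008 SP2
    'KB4012212', 'KB4012215',               # Windows 7 SP1 / Server 2008 R2 SP1
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 and Server 2016
)
$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Ms17010PatchState {
    # Returns the MS17-010 hotfix IDs installed on this host; empty means none were found.
    Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID
}

function Get-Smb1State {
    # $true when the SMBv1 server is enabled (the protocol EternalBlue targets).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / 2008 R2: SMBv1 is on unless the SMB1 value exists and is 0.
    $val = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $val -or $val -ne 0)
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry method for Windows 7 / 2008 R2; takes effect after the LanmanServer
        # service is restarted or the host reboots.
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0 -Force
    }
}

function Block-InboundSmb {
    # Blocks TCP 445 inbound on the Public profile only, so domain file sharing keeps working.
    $name = 'Block inbound SMB (TCP 445)'
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public | Out-Null
    }
}

$patched = Get-Ms17010PatchState
$smb1On  = Get-Smb1State

if ($patched) {
    Write-Host "MS17-010 hotfix present: $($patched -join ', ')"
} else {
    Write-Warning 'No MS17-010 hotfix found (on Windows 10 / Server 2016 check the cumulative update level instead).'
}
if ($smb1On) { Write-Warning 'SMBv1 server is enabled.' } else { Write-Host 'SMBv1 server is disabled.' }

if ($Remediate) {
    if ($smb1On) { Disable-Smb1; Write-Host 'SMBv1 server disabled.' }
    Block-InboundSmb
    Write-Host 'Inbound TCP 445 blocked on the Public firewall profile.'
}
```

Run it from an elevated prompt; the report-only mode is safe to push fleet-wide, while -Remediate should be tested on a few hosts first because disabling SMBv1 breaks access from very old clients and printers that only speak that dialect.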
Security vendor Kaspersky Lab advises the following:
- Conduct proper and timely backup of your data so it can be used to restore original files after a data loss event.
- Use a security solution with behaviour based detection technologies. These technologies can catch malware, including ransomware, by watching how it operates on the attacked system and making it possible to detect fresh and yet unknown samples of ransomware.
- Visit the No More Ransom website, a joint initiative with the goal of helping victims of ransomware retrieve their encrypted data without having to pay the criminals.
- Audit installed software, not only on endpoints, but also on all nodes and servers in the network and keep it updated.
- Conduct a security assessment of the control network (i.e. a security audit, penetration testing, gap analysis) to identify and remove any security loopholes. Review external vendor and third party security policies in case they have direct access to the control network.
- Request external intelligence: intelligence from reputable vendors helps organisations to predict future attacks on the company.
- Educate your employees, paying special attention to operational and engineering staff and their awareness of recent threats and attacks.
- Provide protection inside and outside the perimeter. A proper security strategy has to devote significant resources to attack detection and response in order to block an attack before it reaches critically important objects.