Mass ransomware attack may be exploiting unpatched Microsoft SMB MS17-010 vulnerability using NSA tools

John Leonard

WannaCry/WanaCrypt0r 2.0 attackers probably using the NSA EternalBlue exploit to hit a Windows SMB vulnerability

The mass ransomware attack currently hitting hospitals, telcos, universities and other institutions worldwide with the WannaCry/WanaCrypt0r 2.0 malware may be spreading by exploiting a known flaw in the Microsoft Windows SMB server, the one Microsoft fixed in security bulletin MS17-010.

The vulnerability was disclosed earlier this year and had previously been exploited by the NSA, according to a trove of exploit tools and documents leaked by the hacking group Shadow Brokers. The US security agency develops exploits for vulnerabilities in IT systems to conduct covert operations online.

The use of the NSA's EternalBlue exploit was confirmed by the respected independent malware researcher 'Kafeine'.

Cybercriminals in Russia have been looking for ways to use the EternalBlue exploit for some time, according to a report in Forbes.

"MS17-010 is the best candidate for this ransomware attack," said Matthew Hickey, co-founder of UK cybersecurity training hub Hacker House.

According to the Spanish authorities, the following versions of Windows are at risk:

Microsoft Windows Vista SP2
Windows Server 2008 SP2 & R2 SP1
Windows 7
Windows 8.1
Windows RT 8.1
Windows Server 2012 & R2
Windows 10
Windows Server 2016

Microsoft has released patches for the vulnerability, although these are not thought to extend to older, unsupported versions of Windows such as XP, which is still in use in many organisations including the NHS, which appears to have been particularly badly hit. There is currently no evidence that XP is the issue, however.

It goes without saying that admins should patch any vulnerable systems immediately. Where a host cannot be patched straight away, Microsoft's published workaround for MS17-010 applies: disable the SMBv1 protocol and block inbound SMB (TCP port 445) from untrusted networks.
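The following triage script is an added example, not code from the article or from Microsoft. It checks a single Windows host for the MS17-010 fix, reports whether SMBv1 is still enabled, and, when run with `-Remediate`, applies the workaround of disabling SMBv1 and blocking inbound TCP 445. Assumptions: it is run from an elevated PowerShell 3 or later prompt on Windows 7 / Server 2008 R2 or newer; the `$Ms17010Kbs` list is the set of KB numbers from the MS17-010 bulletin as recorded here and should be checked against the bulletin entry for your exact OS build; the parameter and variable names are the example's own.

```powershell
# Added example (not from the article): triage one Windows host for MS17-010
# exposure.  Run elevated.  The KB list is taken from the MS17-010 bulletin;
# verify it against the bulletin entry for your OS build before relying on it.
param(
    [switch]$Remediate   # disable SMBv1 and block inbound TCP 445 (hypothetical switch name)
)

# Security-only and monthly-rollup updates that carry the MS17-010 fix.
$Ms17010Kbs = @(
    'KB4012598',               # Vista / Server 2008 (and the later XP / 2003 release)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2
    'KB4012214', 'KB4012217',  # Server 2012
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 builds 1507 / 1511 / 1607
)

# 1. Is one of the fix KBs installed?  Caveat: on Windows 10 a later cumulative
#    update supersedes these and Get-HotFix will not list them; in that case
#    compare the OS build number against the bulletin instead of trusting this check.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$found     = $Ms17010Kbs | Where-Object { $installed -contains $_ }
if ($found) {
    Write-Output "MS17-010 fix present: $($found -join ', ')"
} else {
    Write-Warning "No MS17-010 KB found in Get-HotFix output; patch this host"
}

# 2. Is SMBv1 still enabled on the server side?  Get-SmbServerConfiguration
#    exists on Windows 8 / Server 2012 and later; older hosts expose the same
#    setting under LanmanServer\Parameters, where an absent value means enabled.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $val = (Get-ItemProperty -Path $regPath -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $smb1Enabled = ($null -eq $val) -or ($val -ne 0)
}
if ($smb1Enabled) {
    Write-Warning "SMBv1 is enabled: host is reachable by EternalBlue if unpatched"
} else {
    Write-Output "SMBv1 is disabled"
}

# 3. Optional workaround for hosts that cannot be patched right now.
if ($Remediate) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Registry path takes effect after a reboot on Windows 7 / 2008 R2.
        Set-ItemProperty -Path $regPath -Name SMB1 -Type DWORD -Value 0 -Force
        Write-Output "SMB1 registry value set to 0; reboot required"
    }

    # Blocking 445 inbound stops lateral SMB spread to this host.  Do not apply
    # this to file servers or domain controllers that must serve SMB; there the
    # block belongs at the network perimeter instead.
    if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
        New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) - MS17-010 workaround' `
            -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block | Out-Null
        Write-Output "Inbound TCP 445 blocked by Windows Firewall"
    } else {
        Write-Warning "New-NetFirewallRule unavailable; block TCP 445 with netsh or at the perimeter"
    }
}
```

Run it without switches first to see the host's state; run it with `-Remediate` only on workstations and other hosts that do not need to serve SMB shares, since the firewall rule will break file and print sharing to that machine. Disabling SMBv1 does not remove the vulnerable code, so the host still needs the patch once it can be applied.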

Security vendor Kaspersky Lab advises the following: 

  • Conduct proper and timely backup of your data so it can be used to restore original files after a data loss event.
  • Use a security solution with behaviour based detection technologies. These technologies can catch malware, including ransomware, by watching how it operates on the attacked system and making it possible to detect fresh and yet unknown samples of ransomware.
  • Visit the No More Ransom website, a joint initiative with the goal of helping victims of ransomware retrieve their encrypted data without having to pay the criminals.
  • Audit installed software, not only on endpoints, but also on all nodes and servers in the network and keep it updated.
  • Conduct a security assessment of the control network (i.e. a security audit, penetration testing, gap analysis) to identify and remove any security loopholes. Review external vendor and third party security policies in case they have direct access to the control network.
  • Request external intelligence: intelligence from reputable vendors helps organisations to predict future attacks on the company.
  • Educate your employees, paying special attention to operational and engineering staff and their awareness of recent threats and attacks.
  • Provide protection inside and outside the perimeter. A proper security strategy has to devote significant resources to attack detection and response in order to block an attack before it reaches critically important objects.
