Mass ransomware attack may be using unpatched Microsoft SMB MS17-010 vulnerability
WannaCry/WanaCrypt0r 2.0 attachers probably using the NSA EternalBlue exploit to hit Windows SMB vulnerability
The mass ransomware attack currently hitting hospitals, telcos, universities and other institutions worldwide using the malware WannaCry/WanaCrypt0r 2.0 may be being perpetrated by exploiting a known flaw in Microsoft Windows SMB Server, MS17-010.
This vulnerability was discovered earlier this year and has been exploited by the NSA, according to a trove of documents dumped by the hacking group Shadow Brokers. The US security agency uses malware to exploit vulnerabilities in IT systems for conducting covert operations online.
The use of the NSA EternalBlue exploit was confirmed by the respected independent malware researcher 'Kafeine'.
WannaCry/WanaCrypt0r 2.0 is indeed triggering ET rule : 2024218 "ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response" pic.twitter.com/ynahjWxTIA
— Kafeine (@kafeine) May 12, 2017
Cybercriminals in Russia have been looking for ways to exploit the EternalBlue exploit for some time, according to a report in Forbes.
"MS17-010 is the best candidate for this ransomware attack," said Matthew Hickey, co-founder of UK cybersecurity training hub Hacker House.
According the the Spanish authorities the following versions of Windows are at risk.
Microsoft Windows Vista SP2
Windows Server 2008 SP2 & R2 SP1
Windows 7
Windows 8.1
Windows RT 8.1
Windows Server 2012 & R2
Windows 10
Windows Server 2016
Microsoft has released patches for the vulnerability although it is thought that this does not extend to older versions of Windows such as XP, which are still in use in many organisations including the NHS which seems to have been particularly badly hit. There is currently no evidence that XP is the issue, however.
It goes without saying that admins should patch any vulnerable systems immediately.
Security vendor Kaspersky Lab advises the following:
- Conduct proper and timely backup of your data so it can be used to restore original files after a data loss event.
- Use a security solution with behaviour based detection technologies. These technologies can catch malware, including ransomware, by watching how it operates on the attacked system and making it possible to detect fresh and yet unknown samples of ransomware.
- Visit The No More Ransom website, a joint initiative with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.
- Audit installed software, not only on endpoints, but also on all nodes and servers in the network and keep it updated.
- Conduct a security assessment of the control network (i.e. a security audit, penetration testing, gap analysis) to identify and remove any security loopholes. Review external vendor and third party security policies in case they have direct access to the control network.
- Request external intelligence: intelligence from reputable vendors helps organisations to predict future attacks on the company.
- Educate your employees, paying special attention to operational and engineering staff and their awareness of recent threats and attacks.
- Provide protection inside and outside the perimeter. A proper security strategy has to devote significant resources to attack detection and response in order to block an attack before it reaches critically important objects.
