Mass ransomware attack may be exploiting unpatched Microsoft SMB MS17-010 vulnerability using NSA tools

John Leonard

WannaCry/WanaCrypt0r 2.0 attackers probably using the NSA EternalBlue exploit to hit Windows SMB vulnerability

The mass ransomware attack currently hitting hospitals, telcos, universities and other institutions worldwide with the WannaCry/WanaCrypt0r 2.0 malware may be exploiting a known flaw in Microsoft Windows SMB Server, MS17-010.

This vulnerability was discovered earlier this year and has been exploited by the NSA, according to a trove of documents dumped by the hacking group Shadow Brokers. The US security agency uses malware to exploit vulnerabilities in IT systems for conducting covert operations online.

The use of the NSA EternalBlue exploit was confirmed by the respected independent malware researcher 'Kafeine'.

Cybercriminals in Russia have been looking for ways to use the EternalBlue exploit for some time, according to a report in Forbes.

"MS17-010 is the best candidate for this ransomware attack," said Matthew Hickey, co-founder of UK cybersecurity training hub Hacker House.

According to the Spanish authorities, the following versions of Windows are at risk:

  • Microsoft Windows Vista SP2
  • Windows Server 2008 SP2 & R2 SP1
  • Windows 7
  • Windows 8.1
  • Windows RT 8.1
  • Windows Server 2012 & R2
  • Windows 10
  • Windows Server 2016

Microsoft has released patches for the vulnerability, although it is thought that this does not extend to older versions of Windows such as XP, which are still in use in many organisations, including the NHS, which seems to have been particularly badly hit. There is currently no evidence that XP is the issue, however.

It goes without saying that admins should patch any vulnerable systems immediately.

Security vendor Kaspersky Lab advises the following: 

  • Conduct proper and timely backup of your data so it can be used to restore original files after a data loss event.
  • Use a security solution with behaviour based detection technologies. These technologies can catch malware, including ransomware, by watching how it operates on the attacked system and making it possible to detect fresh and yet unknown samples of ransomware.
  • Visit The No More Ransom website, a joint initiative with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.
  • Audit installed software, not only on endpoints, but also on all nodes and servers in the network and keep it updated.
  • Conduct a security assessment of the control network (i.e. a security audit, penetration testing, gap analysis) to identify and remove any security loopholes. Review external vendor and third party security policies in case they have direct access to the control network.
  • Request external intelligence: intelligence from reputable vendors helps organisations to predict future attacks on the company.
  • Educate your employees, paying special attention to operational and engineering staff and their awareness of recent threats and attacks.
  • Provide protection inside and outside the perimeter. A proper security strategy has to devote significant resources to attack detection and response in order to block an attack before it reaches critically important objects.
