Sat May 13 14:04:14 EDT 2017
Yesterday there was a widespread ransomware outbreak that largely shut down many hospitals in the UK and affected telecom services and other companies, mostly in Europe. The attack exploited a known vulnerability in MS Windows; the preventive defense was installing the available patch, i.e. simple. This attack did not need email or social engineering to spread, and it did not depend on gullible users: the flaw is in Windows' SMBv1 file-sharing service, so an unpatched machine reachable on the SMB port (445) could be infected without anyone clicking anything. At most it needed one foothold in an organization (one careless click by one employee would do), but after that it spread on its own. So the first systemic failure was not keeping the computers patched.
But there's a 2nd failure here. The code to exploit this vulnerability was written by (or for) the NSA (National Security Agency), and it was (somehow) obtained by hackers. This code was developed for potential use as a cyber weapon, a tool that could be used to compromise our adversaries' computers. If you're going to be developing/building weapons, you've got to control their distribution/proliferation. If your "weapons" are software, you've got to have your own systems patched and secured. WE, the US, are to blame for this attack, since it was based on our code.
I don't like calling this an "attack". Attacks have targets. The "target" here is anyone running Windows without recent patches. These are merely targets of opportunity. This calls into question the value of the exploit as a weapon. A weapon that can't be targeted is of limited value, and might even affect the attacker. (U.S. companies were also hit by this.)
The attacks are being blamed on a piece of malware called WCry, WannaCry or Wana Decryptor, alleged to have been stolen from the National Security Agency, as the Bleeping Computer site reports. It was reportedly distributed by the Shadow Brokers, which claimed to have hacked an NSA-linked team of hackers last August. The Shadow Brokers group, which is suspected of having ties to Russia, posted Windows hacking tools last month.
Wana Decryptor exploits a Windows flaw that was patched in Microsoft's Security Bulletin MS17-010 in March. But on machines that haven't been updated or patched, the malicious code encrypts all of an infected machine's files - and then spreads itself.
The ransomware's progress has been halted by the accidental discovery late Friday of a "kill switch" hidden within the code by a security researcher.... The ransomware was designed to repeatedly contact an unregistered domain listed in its code. The security researcher ... registered that domain to collect the ransomware traffic for analysis and to track infections. "Later we found out that the domain was supposed to be unregistered and the malware was counting on this, thus by registering it we inadvertently stopped any subsequent infections...."
However, a hacker could change the code to remove the domain and try the ransomware attack again.
Also, the kill switch won't help anyone whose computer was already infected.
If your computer has been affected, there's no guarantee that paying the ransom will restore it....
Any organization still running the older Windows XP was at particularly high risk because until 13 May, no security patches had been released since April 2014. .... Microsoft has created security patches for its now unsupported versions of Windows including Windows XP, Windows 8 and Windows Server 2003.
The NSA is responsible for global monitoring, collection, and processing of information and data for foreign intelligence and counterintelligence purposes.... NSA is concurrently charged with protection of U.S. government communications and information systems against penetration and network warfare.
SO, have you been doing regular backups of your computers? If you can wipe your computer, do a clean OS re-install (with patches), and restore your files from your backups, you don't need to pay a ransom to get (or perhaps not get) your data back. Keep at least one backup copy disconnected from the machine (an unplugged drive, or storage the machine can't write to), because ransomware encrypts any attached drive or mapped share it can reach; and try a restore now and then, so you know the backups actually work before you need them.
The biggest target - MS Windows - is still the favorite target. You might want to consider other operating systems. They're not immune from attack, but they're not targeted as much.
And you probably should enable automatic patching (or, at least, update notices). Patches occasionally (rarely) break things. But it's looking like the intentional damage (from persons unknown) is becoming more severe and more likely. If there are problems from patching, you can expect some kind of patch-fix fairly soon. (And you can always turn to the backups you should be doing.) I seem to be getting at least 2 updates every week for Ubuntu Linux. I usually let them install right away unless they're for the browser (which takes a long time to restart); I'm also reluctant to reboot (which some patches require) until I'm done with the browser for a while.
One of the reasons I switched from Macs to Linux was that the newer OS versions could not be installed on older hardware, and older OS versions were not getting security patches. (I think this applies to Windows, too; there are a lot of old PCs out there that don't have the CPU power or RAM to run recent OS versions. And upgrading Windows is expensive!) Linux also has a cut-off for patching older releases, but new releases can be installed on older hardware.
I expect patching is going to get a lot of attention at my workplace. Windows patching can happen any weekend (to the great inconvenience of those of us who are using our Windows desktops to do weekend maintenance on other systems), and any weeknight for urgent vulnerabilities. Many other servers are patched quarterly - which might not have been sufficient for an event like this, 2 months after its patch was released. Assuming that many more organizations/people will patch more promptly after WannaCry, the perps are going to have to get their exploits out faster. These servers aren't as exposed (in terms of users' actions, e.g. no email, no browsers; no data coming in from unknown sources), but the ideal attack isn't going to need a human vector.
I know I was just complaining about how soon we do patches after they are released. It's going to be management's call about how soon to patch, weighing the chances of patches breaking things, known/public vulnerabilities, zero-day exploits, and availability lost to maintenance. Patching is going to get more priority.
I realize that with my DW/LJ posting backlog it might be years before anyone (else) sees this. But guess what? Patching and Backups will still be good advice.
Saturday 17:13
Russia was hit particularly hard by this event. Russia has a lot of pirated copies of Windows. Pirated software tends to go unpatched. Sometimes updates aren't available for unlicensed software. Whether that's good or bad can be debated. It will discourage some people from using pirated software. It will also make for a lot of computers that can't be patched, which will be more and more vulnerable and exploitable as more and more defects are found. (A growing unvaccinated population, ripe for an epidemic.)
Monday 01:06
Unsurprisingly, there are new variants of WannaCry in circulation, without the "kill-switch" of the original version. It will be hard to have sympathy for anyone who didn't install the patch over the weekend.
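Here is an added illustration of the two mechanics mentioned above (the kill-switch lookup in the quoted report, and the way the registered domain's DNS traffic doubles as an infection map), plus the "variant with the check removed" case. It is written for this page, not code from the post or from the malware. The domain name, the log format and the client addresses are all constructed placeholders; the real kill-switch domain is deliberately not reproduced.

```python
import re
import socket
from typing import Callable, Dict, Optional

# Placeholder standing in for the hard-coded kill-switch domain (assumption;
# the real name is not used here). The .invalid TLD never resolves.
KILL_SWITCH_DOMAIN = "example-killswitch-placeholder.invalid"


def domain_resolves(domain: str) -> bool:
    """Live resolver (needs network); the offline demo below injects a fake one."""
    try:
        socket.gethostbyname(domain)
        return True
    except socket.gaierror:
        return False


def worm_should_proceed(kill_switch: Optional[str],
                        resolves: Callable[[str], bool] = domain_resolves) -> bool:
    """Model of the original sample's first step: look up the hard-coded domain
    and bail out if the lookup succeeds. While nobody had registered the domain
    the lookup failed and the worm ran; once registered, every new copy exited.
    A variant with the check stripped out (kill_switch=None) always proceeds."""
    if kill_switch is None:
        return True
    return not resolves(kill_switch)


# Constructed BIND-style query-log lines, standing in for what a sinkholed
# resolver would record. Not real traffic.
SAMPLE_DNS_LOG = """\
13-May-2017 14:02:11.123 client 10.1.2.3#51234: query: example-killswitch-placeholder.invalid IN A + (10.0.0.53)
13-May-2017 14:02:12.004 client 10.1.2.7#40211: query: www.example.com IN A + (10.0.0.53)
13-May-2017 14:02:15.877 client 10.1.2.9#61002: query: EXAMPLE-KILLSWITCH-PLACEHOLDER.INVALID IN A + (10.0.0.53)
13-May-2017 14:03:01.500 client 10.1.2.3#51240: query: example-killswitch-placeholder.invalid IN A + (10.0.0.53)
"""

_QUERY_RE = re.compile(r"client (\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (\S+) IN A\b")


def infected_hosts(log_text: str, domain: str) -> Dict[str, int]:
    """Map each client IP that looked up the kill-switch domain to its query count.
    A host asking for this name is a host on which the worm has started, which
    is why registering the domain also produced a live map of infections."""
    counts: Dict[str, int] = {}
    wanted = domain.lower().rstrip(".")
    for line in log_text.splitlines():
        m = _QUERY_RE.search(line)
        if m and m.group(2).lower().rstrip(".") == wanted:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


def demo() -> Dict[str, bool]:
    """The three states of the check, with injected resolvers so it runs offline."""
    def unregistered(_d: str) -> bool:      # before the researcher registered it
        return False

    def registered(d: str) -> bool:         # after registration
        return d == KILL_SWITCH_DOMAIN

    return {
        "original, domain unregistered": worm_should_proceed(KILL_SWITCH_DOMAIN, unregistered),
        "original, domain registered": worm_should_proceed(KILL_SWITCH_DOMAIN, registered),
        "variant with check removed": worm_should_proceed(None, registered),
    }


if __name__ == "__main__":
    for state, proceeds in demo().items():
        print(f"{state}: {'spreads' if proceeds else 'stops'}")
    print("hosts seen querying the sinkhole:",
          infected_hosts(SAMPLE_DNS_LOG, KILL_SWITCH_DOMAIN))
```

The same parsing trick works inside an organization: point your own resolver's zone for the kill-switch name at an internal sinkhole and the query log tells you which machines to pull off the network. It does nothing against the variants without the check, which is the point of the paragraph above.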
On the NSA's role in this: There's no reason to think that other countries (and hacker-collectives) aren't finding vulnerabilities and keeping them to themselves. And "weaponizing" the vulnerabilities they find by writing exploits, and keeping those to themselves. What's different in this case is that the NSA's "product" was somehow stolen into the hacker-verse.
But before we rebuke the NSA, we should remember that there is a patch for WannaCry. (Perhaps those unpatched, pirated copies of Windows in Russia would have been the intended targets of an "authorized" deployment.)
[This entry was originally posted as https://syntonic-comma.dreamwidth.org/888596.html on Dreamwidth (where there are comments).]