WannaCry’s EternalBlue exploit still a threat

A year after the global WannaCry attacks, the EternalBlue exploit that was a key enabler for the malware is still a threat to many organisations, and many firms have not taken action, security researchers warn.

WannaCry is no longer wreaking havoc in the business world, but a year after the malware crippled business operations around the world, a key element of the attack still remains a threat, and few organisations have taken steps to improve their defences, research has revealed.

The exploit that enabled the rapid spread of WannaCry, known as EternalBlue, is still threatening unpatched and unprotected systems, according to telemetry data from security firm Eset.

The company’s researchers warn that EternalBlue’s popularity has been growing over the past few months, and a spike in April 2018 even surpassed the greatest peaks from 2017.

The Eset data shows that EternalBlue had a calmer period immediately after the 2017 WannaCry campaign, with attempts to use the EternalBlue exploit dropping to “only” hundreds of detections daily.

Since September last year, however, the use of the exploit has slowly started to gain pace again, continually growing and reaching new heights in mid-April 2018.

The EternalBlue exploit targets a vulnerability in an obsolete version of Microsoft’s implementation of the server message block (SMB) protocol, via port 445, and gave WannaCry its worm-like ability to spread across networks.

In an attack, cyber criminals and other threat actors scan the internet for exposed SMB ports, and if found, launch the exploit code and malware payload of choice.
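The scan-then-spread pattern described above leaves a recognisable trace in firewall or flow logs, which is where a defender can catch it. The following Python script is an added example (not code from the article, Eset or any vendor quoted here) that runs two checks over a constructed log: it lists internal hosts that an external address was allowed to reach on port 445 (the exposure the article describes), and it flags any source that has probed many distinct internal hosts on 445, the fan-out signature of worm-like spread. The log line format, the internal address ranges, the RFC 5737 test address 203.0.113.7 and the threshold of five targets are all assumptions made for this example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: a simplified firewall/flow log, one connection attempt per line.
# Format assumed for this example: "<timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny>"
SAMPLE_LOG = """\
2018-04-15T10:00:01Z src=203.0.113.7 dst=10.0.1.20 dport=445 action=allow
2018-04-15T10:00:02Z src=203.0.113.7 dst=10.0.1.21 dport=445 action=deny
2018-04-15T10:00:03Z src=203.0.113.7 dst=10.0.1.22 dport=80 action=allow
2018-04-15T10:00:10Z src=10.0.1.20 dst=10.0.1.21 dport=445 action=allow
2018-04-15T10:00:10Z src=10.0.1.20 dst=10.0.1.22 dport=445 action=allow
2018-04-15T10:00:11Z src=10.0.1.20 dst=10.0.1.23 dport=445 action=deny
2018-04-15T10:00:11Z src=10.0.1.20 dst=10.0.1.24 dport=445 action=allow
2018-04-15T10:00:12Z src=10.0.1.20 dst=10.0.1.25 dport=445 action=deny
2018-04-15T10:00:12Z src=10.0.1.20 dst=10.0.1.26 dport=445 action=allow
2018-04-15T10:00:13Z src=10.0.1.20 dst=10.0.1.26 dport=445 action=allow
2018-04-15T10:00:20Z src=10.0.2.5 dst=10.0.1.50 dport=445 action=allow
this line is malformed and must be skipped
"""

# Assumed internal ranges (RFC 1918); adjust to the real address plan.
INTERNAL_NETS = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)
SMB_PORT = 445
FANOUT_THRESHOLD = 5  # distinct SMB targets from one source before it counts as scanning (assumed)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) action=(?P<action>allow|deny)$"
)


def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(ip):
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyse(log_text):
    """Run both checks over the log and return the findings."""
    exposed = set()                 # internal hosts reachable on 445 from outside
    targets = defaultdict(set)      # source -> distinct internal hosts probed on 445
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] != SMB_PORT:
            continue
        src_internal = is_internal(rec["src"])
        dst_internal = is_internal(rec["dst"])
        # Exposure: an external source was *allowed* to reach 445 on an internal host.
        if not src_internal and dst_internal and rec["action"] == "allow":
            exposed.add(rec["dst"])
        # Fan-out: count distinct internal hosts each source has probed on 445.
        # Denied attempts count too, since the attempts themselves are the scanning signal.
        if dst_internal:
            targets[rec["src"]].add(rec["dst"])
    fanout = {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= FANOUT_THRESHOLD}
    return {"exposed_hosts": exposed, "fanout_sources": fanout}


if __name__ == "__main__":
    findings = analyse(SAMPLE_LOG)
    for host in sorted(findings["exposed_hosts"]):
        print(f"EXPOSED: {host} accepted SMB from an external address")
    for src, count in sorted(findings["fanout_sources"].items()):
        print(f"FAN-OUT: {src} probed {count} internal hosts on 445")
```

On the constructed log the script reports 10.0.1.20 as exposed (the external address was allowed in) and then flags the same host for probing six internal neighbours on 445, which is exactly the sequence of an internet-facing compromise followed by lateral spread; the single file-server connection from 10.0.2.5 stays below the threshold and is not reported. In practice the threshold should be tuned against the baseline of legitimate SMB clients such as backup and management servers.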

According to security researchers, exploits of Microsoft’s SMB protocol have been an “unmitigated” success for malware writers, with EternalBlue being a key component of destructive global NotPetya attacks in June 2017. It was used by the Sednit (aka APT28, Fancy Bear and Sofacy) cyber espionage group to attack Wi-Fi networks in European hotels.

The exploit has also been identified as one of the spreading mechanisms for malicious cryptominers. More recently, it was deployed to distribute the Satan ransomware campaign, described only a few days after Eset’s telemetry detected the mid-April 2018 EternalBlue peak.

The EternalBlue exploit was allegedly stolen from the National Security Agency (NSA) probably in 2016 and leaked online on April 14, 2017 by a group dubbed Shadow Brokers.

“Microsoft issued updates that fixed the SMB vulnerability on 14 March 2017, but to this day, there are many unpatched machines in the wild,” said Ondrej Kubovič, security evangelist at Eset.

“This exploit and all the attacks it has enabled so far highlight the importance of timely patching, as well as the need for a reliable and multi-layered security solution that can block the underlying malicious tool,” he said in a blog post.

Unpatched systems the ‘Swiss cheese’ of security

According to security firm Avast, 29% of Windows-based PCs globally are still running with the SMB vulnerability in place, while Juniper Networks puts the number of exposed devices at 2.3 million.

According to Mounir Hahad, head of Juniper Threat Labs, most of the devices still running vulnerable versions of SMB are located in the United Arab Emirates, US, Russia, Taiwan and Japan.

“As we continue to see successful ransomware attacks, it begs the question: why don’t people have backups of their critical data? Every board of directors should be asking its CISO about the company’s backup strategy,” he said.

“A ransomware attack should be a blip on the radar that wastes people’s time to restore from backups, not a week-long debacle of trying to restore service and deciding whether to pay the ransom or not,” he said.

In August 2017, Chris Wysopal, cofounder and chief technology officer at security firm Veracode, told Computer Weekly that EternalBlue had been shown to be extremely effective at spreading malware infections to other unpatched Microsoft systems.

“It is imperative that IT teams from all businesses across all industries ensure that the version of Windows that they are using is not vulnerable to EternalBlue and, if so, take the necessary steps to remediate it,” he said.

Wysopal said cyber criminals are likely to continue using EternalBlue until devices are patched and it is no longer an effective vector for them to spread malware.

Rob Greer, chief product officer and senior vice-president at security firm ForeScout, said unpatched systems are the “Swiss cheese” of cyber security.

“And while a properly patched system may not be impervious to attack, proper IT hygiene can stop many bad actors dead in their tracks. If the systems cannot be patched for operational reasons, the best means of protecting them is to place them in separate network segments,” he said.

“While there’s no silver bullet in cyber security, the majority of ransomware attacks can be prevented through simple, yet effective security management and IT hygiene best practices.”

Avoid complacency and plan ahead, says expert

Ken Spinner, vice-president of field engineering at security firm Varonis, said WannaCry served as a cyber security wake-up call for many organisations that were falling behind in their routine IT responsibilities.

“Companies should be making it as difficult as possible for attackers to be successful at their job. It takes time, talent and resources to keep attackers at bay. The NSA exploits have been in the wild for some time now and attackers are hard at work on new variants,” he said.

“Security is a C-level issue and a boardroom issue, and IT and CISOs should be at the table. Companies need to heed the call, understand their risk and place security at the top of the agenda – the alternative could be lost productivity and costs as companies scramble to return to business as usual after an attack.

“It’s human nature to address immediate concerns and fall back into old patterns. But companies can’t let their guard down. You’ve got to avoid a sense of complacency and plan ahead to tackle the newest threats. Attackers will think of something new that renders some preventative IT measures obsolete,” he said.

This article originally appeared on ComputerWeekly.