From my friends at Good Harbor Security Risk Management (@ghsrm)
- A short primer on WannaCry that may be helpful in discussing WannaCry with colleagues in your organization.
- Good Harbor Chairman Richard Clarke’s op-ed, “WannaCry: Whom to Blame?” with four key take-aways from WannaCry.
- A few additional resources for further reading.
- A primer on WannaCry
On Friday, May 12, a new strain of ransomware, which encrypts critical files on targeted desktops and servers, called WannaCry, was released into the wild. WannaCry, with its worm-like ability to propagate quickly within and between networks, spread globally, impacting large organizations worldwide including NHS hospitals in the United Kingdom, FedEx in the United States, Telefonica in Spain, and Peru’s LATAM Airlines.
The exploit used in the attacks, nicknamed EternalBlue, was drawn from National Security Agency (NSA) exploits that had been stolen and posted online in a dump of hacking tools by a group calling itself The Shadow Brokers. The Shadow Brokers are believed by many security experts to be a front for Russian intelligence, although no formal attribution has been made publicly by the US government. EternalBlue exploits a vulnerability in Microsoft’s Server Message Block (SMB) protocol, which allows an attacker to take full control of a targeted system and, in this case, hold it for ransom.
Following the Shadow Brokers dump, on March 14 Microsoft issued a patch for the exploited vulnerability, but many organizations have been slow to apply the patch. Also, older, legacy systems like Windows XP are no longer directly supported by Microsoft, leaving them vulnerable from 14 March to the outbreak of WannaCry. Microsoft has since issued patches for systems that are beyond end-of-life support.
Luckily, the original WannaCry ransomware included code that “checked back” to an Internet domain, and a security researcher was able to register that domain as his own and use that control as a “kill switch” to stop the malware from propagating further.
Experts fear that criminals or hackers will jump on the success of WannaCry and learn from the original malware’s mistake, perhaps developing and releasing “WannaCry 2.0” without the discovered “kill switch.”
The ongoing WannaCry incident raises important questions about the difficulties of timely patching within major organizations, the challenge of unsupported legacy IT, the ability of intelligence agencies to keep their own tools secure, and how and when intelligence agencies should disclose dangerous vulnerabilities to vendors.
Good Harbor Chairman and CEO Richard Clarke penned the following op-ed to examine the four key take-aways from the WannaCry episode so far.
Below the op-ed are three additional resources to understand the issues raised by WannaCry.
- Richard A. Clarke, “WannaCry: Whom to Blame?”
The extensive damage done by the WannaCry cyberattack reveals persistent problems that governments and companies have failed to address despite repeated warnings.
There are four big takeaways:
First, America’s own National Security Agency (NSA) found the vulnerability in Microsoft Windows that would permit a hacker to gain control of a device. When the agency found that vulnerability, it should have told Microsoft right away, so that the error could have been fixed as part of the regular monthly “patching” program without calling attention to it.
As a member of the President Barack Obama’s Review Group on Intelligence and Technology, I recommended (see: The NSA Report, Recommendation 30) a policy of telling software makers about vulnerabilities in 2013. I came to the conclusion that the costs to our corporations and governments of having these vulnerabilities used against us far outweighed the benefit of having NSA secretly using them to collect intelligence. WannaCry proves that point.
The Obama Administration said it accepted that policy recommendation, but clearly there was a problem in its implementation which needs to be rectified.
Second, this would not have happened if NSA had been able to protect its own software. The attack tool used in the WannaCry attack was developed by NSA and then was somehow stolen and posted on the Internet for all to see and some to use.
Despite the lessons learned from the Snowden affair, the NSA’s repeated inability to protect itself from the theft of its internal documents and tools is placing the networked world at risk. This problem must now be addressed urgently by the Director of National Intelligence and the White House.
Third, many companies and government agencies are still running software (Windows XP for example) that is no longer supported by Microsoft and is riddled with vulnerabilities that hackers can use. In the U.S., most companies have the more modern, more secure versions, but many U.S. government agencies are still running software from the 20th century.
It is time for a complete refresh of government software similar to the effort in 1999 to prevent the “Y2K” software vulnerability from disrupting networks at the turn of the millennium. That effort was expensive and a new refresh now will be even more costly, but it is equally necessary.
Fourth, companies and government agencies ignored Microsoft’s clear warning to fix the vulnerability that WannaCry exploited. The software maker issued a critical “patch” two months ago. Many network administrators want to test a patch before they deploy it and that delays implementation, but it should never delay it by more than a few weeks. In the case of a critical patch, it should be a matter of days.
CEOs and board members do not like to get into the weeds of their networks’ management, but they need to understand issues like “patch” policy. They need to know when their systems are at risk and for how long.
Whoever sent WannaCry into cyberspace may not have done it for the money. Thus far, they have collected relatively little money, far less than they have cost companies and governments. The attackers may have done it to teach us some lessons like the four points above. Do you think we will learn those lessons this time? Past experience suggests we will not.
- Microsoft’s President and Chief Legal Officer Brad Smith on lessons from WannaCry: https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.0001nuez5iz27d0avup13vtui3vu6
- Lily Hay Newman, “The Ransomware Meltdown Experts Warned About is Here”: https://www.wired.com/2017/05/ransomware-meltdown-experts-warned/
- MalwareTech, “How I Accidentally Stopped a Global WannaCry Decryptor Ransomware Attack”: https://arstechnica.com/information-technology/2017/05/wanna-decryptor-kill-switch-analysis/
Emilian Papadopoulos | President | m +1.202.256.0828 | o +1.703.812.9199 | @ghsrm