WannaCry's Long Tail: Setting the Stage for the Next Major Wormable Attack
On the morning of May 12, 2017, many users tried to log into their home or work computers and were greeted with a message that their files had been encrypted and that a nominal Bitcoin payment would need to be made in order to unlock them. By the time a clever security researcher found a “killswitch” to stop the spread of the malware, over 300,000 computers were believed to be affected, including those belonging to the United Kingdom’s National Health Service (NHS). Outpatient clinics were closed; nonessential appointments were cancelled; lives were disrupted.
It has been just over a year since the massive cyber attack that thrust inadequate cybersecurity into the headlines of every major news outlet and changed the cyber threat landscape forever. Like traditional terrorism, cyberterrorism is also subject to the law of natural selection. All of the terrorists that make mistakes and are bad at what they do have already been killed or captured. This leaves only the most sophisticated and dangerous threat actors, often state sponsored. This phenomenon was seen in practice after the WannaCry threat was mitigated with the killswitch found and activated by Marcus Hutchins. Just a month later, NotPetya was unleashed through a sophisticated campaign, believed to be state sponsored, that lacked many of the shortcomings of WannaCry. Organizations like the pharmaceutical company Merck and the shipper TNT suffered losses in the hundreds of millions of dollars due to NotPetya. Cyberterrorists are learning from others’ mistakes, and attacks never get worse, they only get better.
Almost a year after the UK NHS was hit with WannaCry, it has finally decided to update its systems to Windows 10. The NHS famously paid a large sum of money to Microsoft in order to continue receiving support for Windows XP, which was the reason the NHS felt such a strong impact from WannaCry: Windows XP machines were especially vulnerable to WannaCry, and a large population of NHS systems was running an end-of-life operating system. Many other organizations wised up and took patching much more seriously, as well as investing heavily in security tools to mitigate and prevent these types of attacks in the future. Even with this improved security posture, security researchers still believe the next WannaCry is coming soon and that companies today are not adequately prepared to stop it.
In June 2017, the security research team at NCC Group was commissioned by an unnamed client to build NotPetya from scratch, without the data-wiping payload, in order to simulate an attack on the client's systems without suffering the consequences. NCC Group did just that and called its neutered worm “EternalGlue” as a tribute to EternalBlue, the exploit that allowed WannaCry and NotPetya to spread so virulently. The EternalGlue payload was loaded with telemetry to monitor the spread of the worm. When NCC Group unleashed EternalGlue into the client's network, the results were astounding.
In December 2017, the unnamed client ran EternalGlue on one machine in an isolated network with no special privileges. EternalGlue found three machines on the network that were not patched against the SMBv1 exploit used in WannaCry and NotPetya. Once located, EternalGlue exploited those three unpatched machines to obtain kernel-level access and infected them. Taking the attack to the next level, EternalGlue harvested domain credentials from those infected machines and used them to spread to all 107 hosts on the isolated network in roughly 45 minutes. The results were so shocking that the client initiated the pre-programmed kill switch before EternalGlue could jump the network or infect machines outside the scope of testing.
The data harvested from this test provided many points of evidence that the next generation of WannaCry is not only possible, it is inevitable.
- Over a year after EternalBlue was patched, and after three high-profile attacks leveraging this exploit, companies have still not patched
- Only a single unpatched system is required to spread through an entire network
- Weak or hard-coded credentials are still in use and can allow more lateral movement and escalation of privileges
- It just takes one careless user or one misconfigured machine to own an entire network
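As an added example (not part of the original article or of NCC Group's tooling), the detection logic below flags the propagation pattern the EternalGlue test exposed: a single host opening SMB (TCP/445) connections to many distinct neighbours within a short window, which is how a worm hunting for unpatched SMBv1 hosts looks in flow or firewall logs. The log format, addresses, window and threshold are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flow log (not real data): "timestamp src dst dport".
# 10.0.5.17 sweeps ten neighbours in ten seconds (worm-like fan-out);
# 10.0.5.40 talks to its usual file servers; 10.0.5.41 is slow and benign.
SAMPLE_LOG = """\
2017-12-04T09:00:01 10.0.5.17 10.0.5.20 445
2017-12-04T09:00:02 10.0.5.17 10.0.5.21 445
2017-12-04T09:00:03 10.0.5.17 10.0.5.22 445
2017-12-04T09:00:04 10.0.5.17 10.0.5.23 445
2017-12-04T09:00:05 10.0.5.17 10.0.5.24 445
2017-12-04T09:00:06 10.0.5.17 10.0.5.25 445
2017-12-04T09:00:07 10.0.5.17 10.0.5.26 445
2017-12-04T09:00:08 10.0.5.17 10.0.5.27 445
2017-12-04T09:00:09 10.0.5.17 10.0.5.28 445
2017-12-04T09:00:10 10.0.5.17 10.0.5.29 445
2017-12-04T09:01:00 10.0.5.40 10.0.5.2 445
2017-12-04T09:01:05 10.0.5.40 10.0.5.2 445
2017-12-04T09:02:00 10.0.5.40 10.0.5.3 445
2017-12-04T09:30:00 10.0.5.41 10.0.5.50 445
2017-12-04T10:30:00 10.0.5.41 10.0.5.51 445
"""


def parse_events(text):
    """Parse log lines into (time, src, dst, dport) tuples sorted by time."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(events)


def detect_smb_fanout(events, window_seconds=60, threshold=8):
    """Return {src: (first_alert_time, distinct_dst_count)} for every source
    that reached >= threshold distinct hosts on TCP/445 within the sliding
    window. A workstation normally talks to a handful of file/print servers;
    a worm scanning for SMB hosts lights up many neighbours in seconds."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> deque of (time, dst) inside window
    alerts = {}
    for ts, src, dst, dport in events:
        if dport != 445:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # drop entries older than window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (ts, len(distinct))  # first time the host trips it
    return alerts


if __name__ == "__main__":
    print(detect_smb_fanout(parse_events(SAMPLE_LOG)))
```

The threshold and window should be tuned against a baseline of the environment's normal SMB traffic; the same sliding-window approach applies to authentication logs when the signal of interest is one credential suddenly used from many hosts.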
Going back to the notion that attacks do not get worse, they only get better: attackers will not repeat the mistakes of malware authors in the past. A more sophisticated attack, such as a cryptojacker that only runs during business hours and pins the CPU at a reasonable utilization level, will make detection much more difficult. Using a logic bomb to infect massive numbers of computers before any effect is noticed could also have devastating effects, as seen with the ILOVEYOU virus.
Based on the research conducted by NCC Group with EternalGlue, there are several security controls that could help prevent the effects of the next WannaCry-type wormable attack. Ensuring users are trained not to click on or open anything they should not is always the first line of defense. A cloud sandbox can often assist in detecting zero-day threats in malicious files that have never been seen before. Attackers will often attempt to exploit an improperly configured server connected to the internet. Using a zero trust model for internet traffic, as well as for lateral movement within a network, can greatly reduce the speed and reach of wormable malware. The simplest answers are often the easiest answers: if companies patched their systems with current security updates, it would make it much more difficult for attackers to do their jobs. Where systems cannot be patched or updated, these machines should be kept on an air-gapped network so that they are not exposed to the attacks that originate from the internet. The next WannaCry attack is coming, and the only way to prevent it is to be adequately prepared.