Starting Friday last week, many organizations around the world, including Europe, North America, and Asia were hit by the “WCry” attack. What made this attack unique is that WCry is both a worm and ransomware. Not only the worm replicates from system to system, once it infects a system, the worm seeks and encrypts .doc, .xls, .ppt, .pst, .msg, and a wide variety of other business files.
A few of the initial victims include notable brands like the National Health Services of the UK, Telefonica, and Fedex, but soon, it had spread over to 100+ countries. The latest statistics suggest that the worm impacted roughly 200,000 organizations worldwide. By Sunday evening, China’s CCTV reported a staggering 39,730 distinct cases of infection in China.
If you are interested in a workflow view of how the worm works, read Endgame’s excellent blog and visual depiction.
In this article, I am going to explain a few things that are perhaps not clearly explained in some of the earlier articles.
What is the initial infection vector?
Unlike some of the earlier reports that claimed the initial infection had come through phishing, WCry performs direct port scanning of port 445 to determine if the machine has the MS-17-010 vulnerability. If the machine is vulnerable, WCry delivers a special crafted message/exploit to the Microsoft Server Message Block server. This exploit is similar to those constructed in this Metasploit Framework after the Shadow broker reveal.
What is the kill switch that everyone talks about?
When the worm infects a machine, the first thing it does is attempting to connect out to a non-existent URL - http://www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea. If the connection is successful, the worm exits and ceases to operate. If the connection is not successful (in most cases), the worm continues to execute next steps. This is a puzzling step; some postulate that the worm writer intended to set up that URL to control the worm propagation, but later abandoned the URL due to unforeseen reasons. Others think this is a sophisticated way to check if the worm is executing in a simulated sandbox environment.
How did a Malware researcher in UK accidentally halted the spread of the malware by activating the kill switch?
A malware researcher identified as @malwaretechblog noticed the initial beacon URL embedded in the malware pointed to a non-existent domain. He registered that domain with the intention to monitor the worm spread. However, by registering the domain, he allowed the worm to connect in the initial beacon connection thereby activating the kill switch and halted some of the further propagation.
Thanks to the kill switch, the malware spread was temporarily halted. HackerOne awarded @malwaretechblog $10,000 bug bounty. But later newer strands of the malware with a different URL or even with no kill-switch URL were released and the attack continued.
Why is this MS-17-010 vulnerability significant?
As Microsoft described in this security bulletin, “The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.”
In itself, this vulnerability is critical as it allows remote code execution, which is the way via which the worm propagates. However, this MS-17-010 vulnerability is significant for another reason - it is one of the vulnerabilities disclosed by the Shadow Broker as part of the “ETERNALBLUE” NSA hacking tool dump earlier in the year. This means that NSA had found this vulnerability but had withheld its information from Microsoft, presumably as part of their hacking arsenals to spy on others in secret.
Since the Shadow Broker stole and released the exploits used by the NSA, this vulnerability had come to light, which prompted Microsoft to issue the MS-17-010 security bulletin on March 14, 2017.
Why is this attack so prolific?
The rapid propagation of this worm/ransomware combo prompted swift global media attention. In less than 48 hours, it had spread over 100 countries and impacted over 200,000 systems. From the initial victim of NHS of UK, which led to cancellation of XRay appointments, to China Petroleum, which saw thousands of gas stations around the country unable to use its electronic payment systems due to the ransomware.
Despite its prolific nature, the techniques of this attack are relatively simple: Port scanning, Exploiting known vulnerabilities, Straightforward encryption, and Bitcoin ransom.
How much ransom has been paid out?
The malware encrypted business files as they propagate, asking for bitcoin payment to decrypt the files. So far, it was reported that the attacker had only collected roughly 29 bitcoin, worth approximately $50,000, according to Elliptic, a Uk-based company that tracks criminal activities using bitcoin. For such a prolific attack, the award it collected was relatively meager in scale.
What is your takeaway?
You may blame NSA for hoarding vulnerabilities, or blame Microsoft for not having found the vulnerability sooner, but there is no getting around the fact that many of the systems attacked are older systems - the NHS hospitals and China Petroleum were still running Windows XP - or those that run un-patched Windows servers. There is a two-month lead time between the MS-17-010 patch release by Microsoft (March 14, 2017) to the day the ransomware first appeared on the scene (May 12, 2017). Yes, even though it probably sounds like a broken record, timely patching is still one of the most effective ways of defending yourself. Patching is relatively simple too - apply the MS-17-010, take old systems like NT4, Windows 2000, and XP-2003 offline, and filter traffic to ports 445/139.
The Shadowbrokers group, who released the initial data dump of the NSA hacking arsenals, is back with a new blog post warning of new disclosures and a monthly data dump service. If they are to be believed, more vulnerabilities may make their ways into the spotlight, potentially prompting more outbreaks like the WCry worm. We might see more attack cocktails of exploits against new vulnerabilities and fresh ways of extortion (what about releasing embarrassing cellphone photos?). The best way to protect yourself? Even though it probably sounds like a broken record, timely patching is still one of the most effective way of defense. Zero-days are still relatively rare, patching and upgrading your systems to the latest is a must-have step.