Researchers believe other attackers will start to exploit the same SMB flaw as the WannaCry ransomware
The difference between the earlier WannaCry attacks and the latest one is a worm-like component that infects other computers by exploiting a critical remote code execution vulnerability in the Windows implementation of the Server Message Block 1.0 (SMBv1) protocol.
Microsoft released a patch for this vulnerability in March and, on the heels of the attack Friday, even took the unusual step of releasing fixes for older versions of Windows that are no longer supported, such as Windows XP, Windows Server 2013, and Windows 8.
The WannaCry attackers didn’t put in a lot of work to build the SMB-based infection component either, as they simply adapted an existing exploit leaked in April by a group called the Shadow Brokers. The exploit, codenamed EternalBlue, is alleged to have been part of the arsenal of the Equation, a cyberespionage group widely believed to be a team linked to the U.S. National Security Agency.
The version of WannaCry that spread through EternalBlue on Friday had a quirk: It tried to contact an unregistered domain and halted its execution when it could reach it, stopping the infection. A researcher who uses the online alias MalwareTech quickly realized thatthis could be used as a kill switch and registered the domain himself to slow down the spread of the ransomware.
Since then researchers have discovered a couple more versions: one that tries to contact a different domain name, which researchers have also managed to register, and one that has no apparent kill switch. However, the latter version is non-functional and seems to have been a test by someone who manually patched the binary to remove the kill switch, rather than recompiling it from its original source code. This led researchers to conclude that it’s likely not the work of the original authors.
Separately, experts from the computer support forum BleepingComputer.com have seen four imitations so far. These other programs are in various stages of development and try to masquerade as WannaCry, even though some of them are not even capable of encrypting files at this point.
This does indicate that attacks, both from the WannaCry authors and other cybercriminals, will likely continue and, despite patches being available, many systems will likely remain vulnerable for some time to come.
After all, security vendors are still seeing successful exploitation attempts today for MS08-067, the Windows vulnerability that allowed the Conficker computer worm to spread nine years ago.
“It’s probably going to get worse before it gets better, as it’s going to be one of the most serious threats for the following 12 months,” Catalin Cosoi, Bitdefender’s chief security strategist, said in a blog post about the EternalBlue vulnerability and the on-going attacks.
He believes that state-sponsored cyberespionage groups could also take advantage of the SMB flaw to plant stealthy backdoors on computers while defenders are busy dealing with the much more visible ransomware attack.
Security firm BinaryEdge, which specializes in internet-wide scans, has detected more than 1 million Windows systems that have the SMB service exposed to the internet. The number is considerably higher than the 200,000 machines affected by WannaCry, so there is potential for more attacks and victims.
WannaCry’s success showed that a large number of organizations are falling behind on patches and that many have legacy systems running old versions of Windows. To some extent, this is understandable because deploying patches in environments with a large number of systems is not an easy task. Enterprises need to test patches before installing them to ensure that they don’t have compatibility issues with existing applications and break existing workflows.
In other cases, organizations might be stuck with certain systems that run unsupported Windows versions without having the financial resources to upgrade or replace them. This is the case for ATMs, medical devices, ticketing machines, electronic self-service kiosks, like those in airports, and even servers that run legacy applications that can’t easily be reengineered.
However, there are measures that can be taken to protect those systems, like isolating them on network segments where access is strictly controlled or by disabling unneeded protocols and services. Microsoft has tried to convince companies to stop using SMBv1 for some time, as it has other problems aside from this flaw.
“There are certain organizations or sectors — e.g. medical — where patching is not a simple matter,” Carsten Eiram, chief research officer at vulnerability intelligence firm Risk Based Security, said via email. “In those cases, it’s imperative they properly understand the risks and look into workarounds to limit the threat.”
The success of WannaCry, at least as far as rapid distribution is concerned, has proved to cybercriminals there are many vulnerable systems on enterprise networks that can be targeted through old exploits. It is possible they will try to use other Equation/NSA exploits leaked by the Shadow Brokers or will be quicker to adopt exploits for future flaws that enable similar mass-scale attacks inside LANs.
“The EternalBlue exploit is part of a bigger leak called ‘Lost In Translation’ that packs multiple vulnerabilities ranging from simple annoyances to extremely severe ones,” Bogdan Botezatu, senior e-threat analyst at Bitdefender, said by email. “We expect that most of these ‘government-grade’ exploits to make it to the public domain and get merged into commercial-grade malware, as it has happened in the past.”
Meanwhile, Eiram is convinced there will be many vulnerabilities in the future that will enable similar ransomware attacks.
“I don’t doubt that for a second,” he said. “Every year we see such vulnerabilities.”