Wannacry: Everything you still need to know because there were so many unanswered Qs

How it first spread, Win XP wasn't actually hit, and more


Vid It has been a week since the Wannacry ransomware burst onto the world's computers – and security researchers think they have figured out how it all started.

Many assumed the nasty code made its way into organizations via email – either spammed out, or tailored for specific individuals – using infected attachments. Once accidentally opened, Wannacry would be installed, its worm features would kick in, and it would start spreading via SMB file sharing on the internal network.

However, the first iteration of the malware – the one that got into the railways, telcos, universities, the UK's NHS, and so on – required no such interaction. According to research by boffins at Malwarebytes, email attachments weren't used. Instead, the malware's operators searched the public internet for systems running vulnerable SMB services, and infected them using the NSA's leaked EternalBlue and DoublePulsar cyber-weapons. Once on those machines, Wannacry could be installed and move through internal networks of computers, again using EternalBlue and DoublePulsar, scrambling files as it went and demanding ransoms.

"Our research shows this nasty worm was spread via an operation that hunts down vulnerable public facing SMB ports and then uses the alleged NSA-leaked EternalBlue exploit to get on the network and then the (also NSA alleged) DoublePulsar exploit to establish persistence and allow for the installation of the WannaCry Ransomware," said Adam McNeil, a malware intelligence analyst at Malwarebytes.

The NSA's EternalBlue exploit and its various clones attack a programming bug in the SMB code of Windows versions from XP up to those before Windows 10. The Wannacry masterminds, exploiting the same flaw, scanned for computers with SMB port 445 open on the 'net, and injected their code into the vulnerable systems via a classic buffer overflow.


Many assumed Wannacry could infect any pre-Windows 10 system, but it mostly infected Windows 7 computers that hadn't picked up Microsoft's March security patch for the SMB bug. That's because the malware's implementation of EternalBlue is ineffective on Windows XP and Windows Server 2003: it simply wouldn't work reliably. In other words, contrary to popular belief, the outbreak didn't hit very many WinXP and similarly aging boxes at all – it was mostly unpatched Win7 and Server 2008 machines in enterprises and other large organizations that were slow to apply Microsoft's fixes earlier this year, while most Windows 10 users were automatically patched.

So in summary, the outfits infected by Wannacry were most likely pwned using EternalBlue via an external SMBv1 service – pro tip: never use SMBv1, never expose your file servers to the internet – and then the DoublePulsar backdoor was deployed to take full control of the box and allow it to be remotely controlled. From that foothold, Wannacry could be deployed, using both cyber-weapons to move through the organization's Windows 7 and Server 2008 computers.

"The easiest route would be if an attacker had already compromised the system and installed DoublePulsar. In these cases WannaCry would just leverage that to infect the system," Nick Biasini, Cisco Talos outreach team manager, told The Reg.

So, if you have a Wannacry outbreak on your systems, it's going to be vital to get the DoublePulsar element ripped out as well as cleaning out the ransomware and shutting down vulnerable SMB ports.
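The two traffic patterns described above – an internet-side host reaching an internal SMB service, then a single internal box fanning out to many neighbours on port 445 within seconds – are what a defender would look for in firewall or flow logs. The script below is an added example, not code from the article or from Malwarebytes or Cisco Talos; it runs over a small constructed log in a generic "time src dst dport action" shape (the addresses, timestamps and the RFC 1918 "internal" ranges are assumptions, not data from the incident) and flags both patterns, so that the hosts it reports can be isolated and cleaned of DoublePulsar and the ransomware before SMB is re-enabled.

```python
"""Flag WannaCry-style SMB exposure and worm-like lateral spread in connection logs."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SMB_PORT = 445
# Assumed internal address space (RFC 1918); adjust to the ranges your organisation uses.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records, not real telemetry. 203.0.113.7 plays the internet-side
# scanner, 10.0.5.20 the first victim that then fans out across the LAN, and 10.0.5.30
# an ordinary client that talks to several file servers over half an hour.
SAMPLE_LOG = """\
2017-05-12T07:44:01Z 203.0.113.7 10.0.5.20 445 ALLOW
2017-05-12T07:44:03Z 203.0.113.7 10.0.5.20 445 ALLOW
2017-05-12T07:44:09Z 203.0.113.7 10.0.5.20 445 ALLOW
2017-05-12T07:45:10Z 10.0.5.20 10.0.5.21 445 ALLOW
2017-05-12T07:45:11Z 10.0.5.20 10.0.5.22 445 ALLOW
2017-05-12T07:45:11Z 10.0.5.20 10.0.5.23 445 ALLOW
2017-05-12T07:45:12Z 10.0.5.20 10.0.5.24 445 ALLOW
2017-05-12T07:45:13Z 10.0.5.20 10.0.5.25 445 ALLOW
2017-05-12T07:45:14Z 10.0.5.20 10.0.5.26 445 ALLOW
2017-05-12T07:50:00Z 10.0.5.20 10.0.5.50 80 ALLOW
2017-05-12T07:46:00Z 10.0.5.30 10.0.5.31 445 ALLOW
2017-05-12T08:10:00Z 10.0.5.30 10.0.5.40 445 ALLOW
2017-05-12T08:11:00Z 10.0.5.30 10.0.5.41 445 ALLOW
2017-05-12T08:12:00Z 10.0.5.30 10.0.5.42 445 ALLOW
2017-05-12T08:13:00Z 10.0.5.30 10.0.5.43 445 ALLOW
2017-05-12T08:14:00Z 10.0.5.30 10.0.5.44 445 ALLOW
2017-05-12T08:15:00Z 10.0.5.30 10.0.5.45 445 ALLOW
"""


def parse_log(text):
    """Parse the constructed log format into event dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, action = parts
        try:
            events.append({
                "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                "src": ip_address(src),
                "dst": ip_address(dst),
                "dport": int(dport),
                "action": action,
            })
        except ValueError:
            continue  # bad timestamp, address or port: ignore rather than crash
    return events


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def external_smb_sources(events):
    """Internet-side addresses that were allowed through to an internal host on TCP 445.

    Any hit here means SMB is reachable from the outside, which the article's advice
    ('never expose your file servers to the internet') says should never happen.
    """
    hits = defaultdict(set)
    for e in events:
        if (e["dport"] == SMB_PORT and e["action"] == "ALLOW"
                and not is_internal(e["src"]) and is_internal(e["dst"])):
            hits[str(e["src"])].add(str(e["dst"]))
    return {src: sorted(dsts) for src, dsts in hits.items()}


def worm_like_hosts(events, window=timedelta(seconds=60), threshold=5):
    """Internal hosts that opened SMB to >= threshold distinct internal peers inside one window.

    A sliding window over each source's SMB connections (sorted by time) tracks how many
    distinct destinations it touched; a burst across many peers is the worm signature,
    while a client visiting a few file servers over a long period stays under threshold.
    """
    per_src = defaultdict(list)
    for e in events:
        if (e["dport"] == SMB_PORT and is_internal(e["src"]) and is_internal(e["dst"])
                and e["src"] != e["dst"]):
            per_src[e["src"]].append((e["time"], e["dst"]))
    flagged = {}
    for src, conns in per_src.items():
        conns.sort()
        in_window, left, peak = Counter(), 0, 0
        for t, dst in conns:
            in_window[dst] += 1
            while t - conns[left][0] > window:  # drop connections that fell out of the window
                old = conns[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[str(src)] = peak
    return flagged


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("SMB reachable from outside:", external_smb_sources(evts))
    print("Worm-like SMB fan-out:", worm_like_hosts(evts))
```

On the sample, the scanner 203.0.113.7 is reported for reaching 10.0.5.20 on 445, and 10.0.5.20 is flagged for touching six distinct peers within four seconds, whereas 10.0.5.30 is not. The window and threshold are assumptions to tune against your own baseline; on real flow data, also confirm that the "internal" ranges match your address plan, since documentation ranges such as 203.0.113.0/24 only stand in for the internet here.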

Hype

For all the buzz Wannacry created, it seems the malware's operators haven't had much of a payday given the number of computers infiltrated. An analysis of the Bitcoin addresses from the ransomware shows they have reaped just over $90,000 for their efforts. While that's not bad for a week's work, it's still not worth it. The masterminds have managed to enrage Russian, UK, and US authorities, and caused infections in over a hundred countries. That leaves very limited places to hide and the Feds are keen to make a collar as soon as possible.

As for where the software nasty came from and how it was grown from leaked NSA tools, opinion is still divided. However, there has been some interesting research detailed by Professor Alan Woodward from the University of Surrey's department of computing. It suggests a security researcher called ZeroSum0x0 published an implementation of EternalBlue's exploit in Ruby on GitHub shortly before Wannacry began to spread – this code, designed to work with the penetration-testing tool Metasploit, may have been used as a blueprint by the Wannacry developers.

"The post on GitHub was six days ago and that places it before the malware started to make the rounds," he wrote. "Maybe the exploit was cribbed by the malware cabal to use EternalBlue.

"Did someone fuck up and place code on the net for research that in turn was used by the adversaries to make Wannacry work and launch it into the wild? I ask this because of the time table here and the events since that lead me to believe this is the case. I cannot say for sure because no one has given me any information to counter this belief."

The hunt for the malware's source code and its coders continues. ®
