[personal profile] jack
I feel confused by the news of Friday's ransomware worm. I've tried to piece together the pieces.

It spread by both email (requiring people to click a link or open an attachment?) and across local networks to Windows computers that were not up to date with patches (i.e. all XP and Win7/8 which haven't got security updates in the last two months)[1] using one or more particular vulnerabilities. Is that right?

This vulnerability applied to some networking thing called Windows SMB, version 1, which was outdated, but mostly still enabled on any computers which used SMB at all, which was mostly organisation networks, not home computers. Is that right?

Some time ago, the NSA discovered this particular vulnerability. As far as I can tell there's no suggestion they *created* it? Even though that's the sort of thing they WOULD do. Lots of news articles are saying "the NSA vulnerability" but that's just hype, right? But they did find it, and (apparently) not report it, just keep it for internal use.

They assembled some of these vulnerabilities into a suite of hacking tools.

Some time more than two months ago, there was a leak. Probably an insider of some sort? Someone got hold of those tools. cf. https://en.wikipedia.org/wiki/EternalBlue

About two months ago, maybe immediately, maybe after a delay, the NSA tipped off Microsoft. Microsoft released a patch in the normal security updates. I think Microsoft mostly confirmed this recently, even though at the time the patch didn't say anything about it (it was somewhat suspicious it didn't say who found the vulnerability).

One month ago, a shadowy hacker group who named themselves after a shadowy hacker group in Mass Effect 3, tried to auction some of those leaked tools with mixed success. This sounds weird, but AFAICT is fairly certain, is that right?

They could be anyone, but people suspect they may be sponsored by Russia, as propaganda to say, "see what the NSA do, don't get into an open, cyber or propaganda war with us, you have a lot to lose too".

If the malware had been released *before* the patch, it could have been a lot worse, it could have infected many other networks as well, even completely up to date computers. As it happened, it only applied to older computers of which there were still many, but it made the auction less notable.

By Friday, someone had used that vulnerability to create (an updated version of?) that worm aka WannaCry and released it. It infected many many major organisations including most of the NHS.

I don't know how the clean-up is going. Will large organisations pay ransom? Probably not? Will they be able to restore computers? How much data is permanently lost? I've no idea.

Someone registered a domain name referenced in the worm which accidentally or deliberately acted as a kill switch.

Microsoft released a one-off patch for Windows XP and some other older operating systems (?) to fix this specific exploit.

We have no idea who "someone" was in this case, if they were affiliated with any of the previous groups or not.

Speculation

This is just a feeling, but it feels like this particular worm was a bit of a rush job by someone who didn't expect it to do this well.

Misconceptions

As far as I can tell, this worm was based on the same exploit the NSA found, but I've not heard anything concrete whether (a) they reverse engineered the Microsoft patch, (b) they got the vulnerability from the leaked NSA tool or (c) they re-used some of the code in the leaked NSA tool.

I assume the NSA didn't actually write this worm? Like, they would have done something more targeted?

But the news keeps saying things like "the tool used in this current attack had been developed by the US National Security Agency and was stolen by hackers". As far as I can tell, they just didn't understand the difference between "using" and "based on", right? I don't understand how they could know "using" without citing a security researcher or something, and I've not seen anything like that. Am I missing something?

What we should do

Give up the idea that unpatched OSes are "good enough". Make sure you're getting updates if you can.

Backup.

Worry about the NHS being underfunded, and having a fucked-up tender process that ensures their IT infrastructure is always supplied by the sort of company that was cutting edge when security updates came out on a scale of a decade, not a day.

Worry about the NSA stockpiling vulnerabilities.

Remember that it could be a lot worse. Sooner or later things will line up and a vulnerability gets discovered and *not* patched, and basically infects every computer running a particular operating system, and is paired with something even worse than ransomware, e.g. a botnet consisting of 75% of the Windows computers on the planet. People are working on this and we've got a lot better, but it's a struggle to make security good enough.

Postscript

That's my attempt at a summary. Mostly based on the news and SwiftOnSecurity. Can people who actually know more fill in the details, especially the bits that don't quite seem to track?

Footnotes

1. No idea if anyone's using vista.

Date: 2017-05-15 05:31 pm (UTC)
From: [personal profile] andrewducker
SMB is the Windows file sharing protocol. (i.e. how you access files and folders over the network)

Other than that, all looks about right to me.

Date: 2017-05-15 05:35 pm (UTC)
From: [personal profile] hilarita
You needed email (with eeevil attachments) to spread to one computer within an organisation that has SMB (which then easily let it spread to every other connected unpatched Windows machine in the organisation).
Vulnerable machines were (afaict):
- Win 7 boxes that weren't patched after March 2017 (when Microsoft knew about the exploit, and developed a patch)
- Win XP and 8 boxes that weren't subscribed to extended security updates

Win XP and 8 boxes that were subscribed to the extended security updates plan *and which had applied their updates*, and Win 10 machines, were all OK AIUI.

The NSA found an exploit. And then didn't report it. This was leaked (along with a bunch of other stuff) earlier this year, which allowed Microsoft to find out about it, and release a patch.

Paying up doesn't guaranteeably recover your data - it guaranteeably means you don't have $300 any more. It should be fine, provided regular backups were taken, and you've applied the security updates.

Lots of the NHS was funted because the govt refused to pay a few million quid to continue to have security support for XP while we still have a huuuuge number of networked NHS machines that run XP. (Though there were probably some unpatched Win 7 boxes there, because applying patches to complex networks is so much fun...)

Krebs on Security has reasonable summaries, as does LightBlueTouchPaper.

Date: 2017-05-15 06:40 pm (UTC)
From: [personal profile] ewx
> I've not heard anything concrete whether (a) they reverse engineered the microsoft patch (b) they got the vulnerability from the leaked NSA tool or (c) they re-used some of the code in the leaked NSA tool.

Object code for the vulnerability is at https://github.com/misterch0c/shadowbroker/tree/master/windows/specials (exercise your virus scanner by trying to download it l-).

I've not found much analysis of ETERNALBLUE (evidently MS must have done some to fix it, but they won't be publishing). The Metasploit module I found for it just uses the executable from the link above. More below on this point.

> I assume the NSA didn't actually write this worm?

That seems a fairly safe assumption, their budget is big enough that they should not need to supplement it with ransomware l-)

> As far as I can tell, they just didn't understand the difference between "using" and "based on", right?

Probably although, per the remark about Metasploit above, it could (in principle) literally be 'using'. But again, see below.

> I don't understand how they could know "using" without citing a security researcher or something, and I've not seen anything like that.

https://blog.malwarebytes.com/threat-analysis/2017/05/the-worm-that-spreads-wanacrypt0r/

The decompiled code fragments don't include ETERNALBLUE itself but it does look like it's transmitting the payload directly rather than calling out to the pre-cooked executable from above, i.e. they're doing something marginally more sophisticated than blindly taking a shrink-wrapped exploit.

But it needn't be very sophisticated, if it's a simple buffer overrun (which I suspect it is) then you don't necessarily need much cleverness - running the executable and capturing network traffic might be quicker and easier than disassembling it.

Date: 2017-05-16 05:45 pm (UTC)
From: [personal profile] ewx
And here's the Metasploit module done the hard way: https://github.com/rapid7/metasploit-framework/issues/8269#issuecomment-301302687 - sounds like it was a lot more effort than I guessed in the last para above.

Date: 2017-05-17 08:08 am (UTC)
From: [personal profile] ewx
Like many people I had assumed that there was an email component to the spread too. But it looks like the evidence for this is lacking - it may well be a single-vector worm.

https://nakedsecurity.sophos.com/2017/05/17/wannacry-the-ransomware-worm-that-didnt-arrive-on-a-phishing-hook/

Date: 2017-05-17 10:06 pm (UTC)
From: [personal profile] ewx
It scans random internet addresses (which probably quickly reached the point of scanning all IPv4 addresses) as well as focusing on the locally attached network.

There are lots of ways a worm of this kind could get into a hypothetical organizational network:
- Poor perimeter security, i.e. totally inadequate firewall. Probably fairly rare by 2017.
- Legitimate gaps in perimeter security, i.e. holes left open for partner organizations, remote-working users, etc.
- End-runs around perimeter security; historically this meant staff attaching modems to their PCs, today I assume they use VPNs for the same use cases.
- Mobile equipment carrying the infection, i.e. someone's laptop gets infected outside work and then they connect it to the work network (by opening the lid in the range of the wifi).
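The scanning behaviour described in this comment (SMB connections fanned out across the local subnet and random internet addresses) is something a defender can spot in flow or firewall logs. The script below is an added example, not code from the post or from any project mentioned here; the log format, the site subnet 10.0.1.0/24 and the thresholds are assumptions, and the log lines are constructed.

```python
"""Detect hosts fanning out SMB (TCP/445) connections to many distinct
addresses, the pattern of a worm scanning the local network plus random
internet addresses.  Log format, subnet and thresholds are assumptions."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

LOCAL_NET = ipaddress.ip_network("10.0.1.0/24")  # assumed site subnet

# Constructed flow-log lines: "<iso-time> <src> <dst> <dport> <action>".
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.25 10.0.1.1 445 allow
2017-05-12T10:00:01 10.0.1.25 10.0.1.2 445 allow
2017-05-12T10:00:02 10.0.1.25 10.0.1.3 445 deny
2017-05-12T10:00:02 10.0.1.25 198.51.100.7 445 deny
2017-05-12T10:00:03 10.0.1.25 203.0.113.9 445 deny
2017-05-12T10:00:03 10.0.1.25 192.0.2.44 445 deny
2017-05-12T10:00:04 10.0.1.25 10.0.1.4 445 allow
2017-05-12T10:00:05 10.0.1.40 10.0.1.1 445 allow
2017-05-12T10:00:06 10.0.1.40 10.0.1.1 80 allow
2017-05-12T10:05:00 10.0.1.25 10.0.1.5 445 allow
"""

def parse(line):
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action

def smb_fanout(log_text, window=timedelta(seconds=60), min_targets=5):
    """Return {src: (distinct_targets, off_subnet_targets)} for every source
    that reached >= min_targets distinct addresses on 445 inside one window."""
    events = defaultdict(list)  # src -> [(time, dst)] for port-445 flows only
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dport, _ = parse(line)
            if dport == 445:
                events[src].append((ts, dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):            # sliding window over sorted flows
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            targets = {dst for _, dst in evs[lo:hi + 1]}
            if len(targets) >= min_targets and len(targets) > flagged.get(src, (0, 0))[0]:
                off_subnet = sum(ipaddress.ip_address(t) not in LOCAL_NET for t in targets)
                flagged[src] = (len(targets), off_subnet)
    return flagged
```

On the constructed log, 10.0.1.25 is flagged for reaching 7 distinct SMB targets in one minute, 3 of them off the local subnet, while 10.0.1.40 (one file-server connection) is not.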

Date: 2017-05-16 07:47 am (UTC)
From: [personal profile] ewx
> Will large organisations pay ransom? Probably not? Will they be able to restore computers? How much data is permanently lost? I've no idea.

I would not expect large organizations to lose much, on average; at scale, computer failures are a fact of life, including ransomware for some years now. Responses and mitigations are likely to be in place already.

Individuals and small organizations are another matter; most people seem to learn about data security (including availability) through loss, and not all of them learn at all. (In the long run cloud provision of applications and storage may improve matters.)
Edited Date: 2017-05-16 07:47 am (UTC)

Date: 2017-05-21 08:08 pm (UTC)
From: [personal profile] bens_dad
The guy who hit the kill switch blogged about it here: https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html
I can't see his name, but he works in the UK for an anti-malware company.