The Cranky Admin
The Fallout and Lessons from WannaCry
No, it's not cyber Armageddon. But it does point to serious flaws in the system.
On May 12, 2017, a new strain of ransomware called WannaCry began circling the globe. This ransomware attack has proven to be efficient and effective, earning WannaCry worldwide media coverage. Unfortunately, attempts to explain the details of the attack have not always been accurate.
My touchstone for discussing media inaccuracies is The New York Times article "Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool." In this article, The New York Times tries to convey the complexity of the WannaCry ransomware event to a non-technical audience.
The New York Times is one of the most important publications in the world. What it writes matters, and it helps set the tone for media reporting around the world. I feel that there are nuances missed in the reporting that are important, especially if we are to finally engage in the global discussion about IT security that we've needed to have for more than a decade.
The most important thing to understand about the WannaCry ransomware is that little about it is novel. WannaCry is not some technological terror lovingly crafted by a mad genius. Instead, it is an assemblage of parts, each of which is reasonably mundane, simple and well-tested.
The WannaCry ransomware incorporates numerous elements to assist its spread. The fact that it's largely built of previously tested components has allowed its authors to regularly adapt the ransomware to overcome efforts to eliminate it. This sort of cat-and-mouse game is a normal and everyday part of the IT security world.
For ransomware to work, three basic elements are required. First, there must be a mechanism of initial infection. Second, there must be an encryption mechanism that prevents users from accessing their files. Third, there must be a demand for payment along with a means of making payment. Traditionally, ransomware authors will decrypt files if payment is made; however, in recent months there have been increasing strains of ransomware where payment does not result in decryption of files.
WannaCry adds a fourth element to the traditional ransomware cocktail: It uses a Windows vulnerability to spread beyond the initial infected computer. The result of this is that on improperly designed or improperly secured networks, one infected computer can infect many others.
WannaCry Detection and Prevention
WannaCry's mechanism of initial infection relies on what's known as phishing. In essence, these are scam e-mails that either contain a file that can infect your computer or entice you to click on links in the e-mail to take you to a Web site that will infect your computer. The most common versions of WannaCry are reported to use an encrypted file contained in a phishing e-mail.
Some media reports claim that the use of encrypted files makes WannaCry undetectable. This is false. Encrypted files of this nature are detectable, even with freely available e-mail filtering applications such as the eFa project's Email Filter Appliance (hence, eFa).
These sorts of e-mail filters can be set to block all mail with encrypted files, block it only from likely spam sources or only allow encrypted mail from known trusted sources. These scanners can also be configured to allow end users to access the encrypted files, but only after reading a warning about the potential dangers. They can also be configured to send this type of mail to a systems administrator for assessment before release.
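The point above is that a password-protected archive announces itself: the ZIP format keeps its encryption flag in the clear, so a filter can act on it without ever opening the file. The following Python script is an added example (not code from the page, the eFa project or any vendor) that checks each attachment for that flag and applies the four policies just described: reject everything encrypted, allow only from trusted senders, deliver with a warning, or hold for an administrator. The trusted-sender list, the message contents and the way the sample "encrypted" archive is constructed (a normal ZIP with its flag bit set, since the standard library cannot write password-protected archives) are all assumptions made for the demonstration.

```python
"""Policy check for encrypted ZIP attachments in inbound e-mail (added example)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed allow-list; a real deployment would feed this from the mail gateway.
TRUSTED_SENDERS = {"payroll@example.com"}


def zip_has_encrypted_entries(data: bytes) -> bool:
    """Return True if any entry sets bit 0 of the general-purpose flag.

    The flag lives in the unencrypted central directory, so no password is
    needed; a scanner can classify the archive without opening its contents.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        return False  # not a ZIP at all; other scanners handle it


def classify(raw: bytes, mode: str = "hold-for-admin") -> str:
    """Decide what the gateway does with one raw RFC 822 message.

    mode is one of: block-all, trusted-only, warn-user, hold-for-admin.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = str(msg.get("From", "")).strip().lower()
    encrypted = [
        part.get_filename()
        for part in msg.iter_attachments()
        if zip_has_encrypted_entries(part.get_payload(decode=True) or b"")
    ]
    if not encrypted:
        return "deliver"
    if mode == "block-all":
        return "reject"
    if sender in TRUSTED_SENDERS:
        return "deliver"  # known source: encrypted archives are expected
    if mode == "trusted-only":
        return "reject"
    if mode == "warn-user":
        return "deliver-with-warning"
    return "quarantine"  # hold-for-admin: release only after review


# --- constructed sample data below ------------------------------------------

def make_zip(name: str, content: str, encrypted_flag: bool = False) -> bytes:
    """Build a small ZIP; optionally mark it as encrypted for the demo.

    zipfile cannot write password-protected archives, so we set bit 0 of the
    flag field in every local header (offset 6) and central-directory entry
    (offset 8). To a scanner this is indistinguishable from a real one.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted_flag:
        for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            idx = data.find(sig)
            while idx != -1:
                data[idx + off] |= 0x1
                idx = data.find(sig, idx + 1)
    return bytes(data)


def build_message(sender: str, zip_bytes: bytes) -> bytes:
    """Constructed phishing-style message with a single ZIP attachment."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip",
                       filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    untrusted = build_message("random@mail.example",
                              make_zip("invoice.txt", "x", encrypted_flag=True))
    for mode in ("block-all", "trusted-only", "warn-user", "hold-for-admin"):
        print(f"{mode:15s} -> {classify(untrusted, mode)}")
```

The decision is made purely from archive metadata, which is why the "undetectable" claim does not hold: the gateway never needs the password, only the flag bit that every ZIP reader relies on.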
While open source solutions like the one made available by the eFa Project are somewhat cumbersome to deploy and use, commercially supported e-mail filters exist that are far more friendly. Many of today's e-mail filtering solutions are perfectly capable of blocking even unknown threats.
That WannaCry malware even made it into user mailboxes to be opened means that e-mail administrators made a choice to allow these types of files through without adequate protections. Alternately, e-mail administrators were inadequately resourced and relying on e-mail filtering technologies that are years -- or even decades -- old.
Solutions also exist to ensure that malicious e-mails, once opened, cannot infect vulnerable computers. Bromium is considered the industry leader in this area, and had its technology been deployed on relevant networks, WannaCry wouldn't have made headlines.
Modern IT security procedures and solutions, including network microsegmentation, core resource isolation and automated incident response, could each have been used to prevent the spread of infection. Had networks been properly designed, resourced and secured, any systems that did manage to become infected would only have been able to infect a limited number of others.
The technologies needed to prevent, detect and contain these outbreaks are new, but they're no longer the bleeding edge. They are well within the capabilities of health care, government and enterprise IT departments.
Media reports typically focus on the patching of OSes and applications. Blame is laid on patching regimens because WannaCry used a previously patched Windows vulnerability to spread once established on a network. This is placing the blame where it doesn't belong.
Even if an organization were to keep all computers fully patched, this would not make those computers secure. While patching is important, perpetuating the idea that it will somehow save us is dangerous. There are dozens, if not hundreds, of unpatched vulnerabilities in the Windows OS alone. That doesn't include the various applications that run on top of Windows.
Governments and hackers alike hoard these "zero-day" vulnerabilities for use in espionage and cyber warfare. Zero-day vulnerabilities are considered precious, expensive knowledge and are used sparingly, but every now and again they find their way into some bit of malware and infect everyday systems.
Proper IT security no longer relies solely on patching computers in order to keep networks safe. "Eggshell security," in which a network has a relatively well-defended perimeter but is undefended inside that barrier, hasn't been considered adequate for more than a decade.
Systems administrators have been encouraged for years to consider every single computer on a network as unpatched and vulnerable, and design their network accordingly. WannaCry isn't the first piece of malware to spread from one initial point of infection across a network, and it won’t be the last.
Patching Things Up
Some media outlets have reported that large-scale patching against WannaCry isn't possible. This is false. Patching computers in an automated fashion isn't only possible, it's considered one of the most basic activities a systems administrator engages in.
Windows computers can have their patches managed with Windows Server Update Services, a free feature in modern Windows Server OSes. Paid options made available by Microsoft include System Center Configuration Manager for larger deployments and Intune for smaller deployments.
Patch management isn't limited to Windows. Linux has numerous patch management options, with Red Hat's Satellite being the most popular. For those with mixed environments, an entire industry called "endpoint management" has emerged around patching and securing computers. There are hundreds of vendors selling products to patch and manage Windows, Linux and smartphones.
Patching, however, isn't straightforward. There's a lot of oversimplification occurring in media reporting regarding the WannaCry ransomware attack. Systems administrators who hadn't yet patched their systems had not necessarily ignored patches or warnings from Microsoft. Nor were they necessarily running unsupported software, even where Windows XP was still in use.
Patches themselves can -- and sometimes do -- cause computers to malfunction. A computer may work fine for years, but when a patch is applied some critical component of either the OS or an application ceases to function. Microsoft has had a number of these over the years, with several in the past several months affecting large enough numbers of people to gain media attention.
Systems administrators, especially those guarding life-critical IT, must test patches before deployment to ensure that patches don't break anything. Unfortunately, Microsoft has jettisoned its traditional Security Bulletins, and has made it increasingly difficult to learn what patches are supposed to do.
Microsoft's change to "cumulative updates" has also changed patching. Before cumulative updates, a single bad patch could be isolated and removed while all other patches were allowed to go through. With cumulative updates, systems administrators no longer have this option: you apply all patches, or none. Avoiding a damaging patch can mean being out-of-date for months or even years while waiting for Microsoft to release a patch for the broken patch. This leaves systems administrators with the choice of running potentially vulnerable, unpatched systems or trying to work around the issue.
Workarounds can involve business-process changes or even abandoning existing software due to incompatibility. Either option can be expensive or lead to increased errors as business processes that were automated now have to rely increasingly on human inputs.
The NSA Connection
The vulnerability used by WannaCry to spread from the initial point of infection to other computers on the network is said to be the same as that used by alleged NSA compromise tool EternalBlue, known to IT practitioners as vulnerability CVE-2017-0144. CERT warnings about isolating Windows SMB related to CVE-2017-0144 went out in January.
CVE-2017-0144 exploits a vulnerability in the SMB file sharing component of Windows OSes. This component is present in both server and end-user OSes. A patch for CVE-2017-0144 was released on March 14, 2017, covering all currently supported Microsoft OSes. After the outbreak of WannaCry, Microsoft took the extraordinary step of releasing a patch for Windows XP and Windows Server 2003, OSes no longer officially supported.
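The CERT advice to isolate SMB, and the earlier point about designing the network as if every host were unpatched, both translate into something measurable: on a segmented network, one workstation opening SMB sessions to many other internal hosts in a short window should be rare, and the firewall logs will show it either way. The following Python script is an added example (not from the page or any vendor) of that detection logic run over constructed firewall log lines. The log format, the internal address range, the threshold and the five-minute window are all assumptions; a real deployment would adapt the regular expression to its own firewall or NetFlow export.

```python
"""Flag internal hosts fanning out over SMB in firewall logs (added example)."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<timestamp> <allow|deny> <src> <dst> <dport>".
# 10.1.1.5 touches six different hosts on 445 within seconds (two of them
# blocked by a segment rule); 10.1.1.7 and 10.1.1.9 only talk to one file server.
SAMPLE_LOG = """\
2017-05-12T10:00:01 allow 10.1.1.5 10.1.2.20 445
2017-05-12T10:00:02 allow 10.1.1.5 10.1.2.21 445
2017-05-12T10:00:03 deny 10.1.1.5 10.1.2.22 445
2017-05-12T10:00:04 allow 10.1.1.5 10.1.2.23 445
2017-05-12T10:00:05 deny 10.1.1.5 10.1.2.24 445
2017-05-12T10:00:06 allow 10.1.1.5 10.1.2.25 445
2017-05-12T10:00:07 allow 10.1.1.7 10.1.3.1 445
2017-05-12T10:01:07 allow 10.1.1.7 10.1.3.1 445
2017-05-12T10:02:07 allow 10.1.1.7 10.1.3.1 445
2017-05-12T10:02:09 allow 10.1.1.9 203.0.113.5 443
2017-05-12T10:02:10 allow 10.1.1.9 10.1.3.1 445
"""

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption
SMB_PORTS = {445, 139}
LINE = re.compile(r"^(\S+) (allow|deny) (\S+) (\S+) (\d+)$")


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_log(text: str):
    """Yield (timestamp, action, src, dst, dport) for each well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # unknown format: skip rather than crash the detector
        yield (datetime.fromisoformat(m.group(1)), m.group(2),
               m.group(3), m.group(4), int(m.group(5)))


def smb_fanout_alerts(text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {src: {"targets": n, "allowed": m}} for each internal source
    that attempted SMB to at least `threshold` distinct internal hosts inside
    any `window`-long period. "allowed" counts targets actually reached; on a
    well-segmented network most of these attempts should be denies."""
    events = defaultdict(list)
    for ts, action, src, dst, port in parse_log(text):
        if port in SMB_PORTS and is_internal(src) and is_internal(dst):
            events[src].append((ts, dst, action))

    alerts = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            targets = {dst for _, dst, _ in in_window}
            if len(targets) >= threshold:
                allowed = {dst for _, dst, act in in_window if act == "allow"}
                alerts[src] = {"targets": len(targets), "allowed": len(allowed)}
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for src, info in smb_fanout_alerts(SAMPLE_LOG).items():
        print(f"ALERT {src}: {info['targets']} SMB targets in window, "
              f"{info['allowed']} reached")
```

Two things are worth noting in the output. First, a segment rule that denies the connection still produces a log line, so segmentation both limits the blast radius and gives the SOC its earliest signal. Second, the "allowed" count is the number of hosts that now need to be checked, which is the practical measure of how well the network design held up.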
EternalBlue's use by the WannaCry authors can most likely be traced to a cache of vulnerabilities released by the hacking group Shadow Brokers. Shadow Brokers compromised a server run by Equation Group, generally believed to be hackers in the employ of the NSA.
None of this is in serious dispute, but media characterisation of the theft is important if we're to have productive discussions on how this happened, and how to avoid a recurrence. Media reporting often states that EternalBlue was stolen from the NSA, frequently implying that a super-secret NSA cyber weapons vault was ransacked by top-notch digital thieves. The truth is more mundane.
The Equation Group information stolen by Shadow Brokers was most likely outdated data on an abandoned server. If we accept that the Equation Group is a tentacle of the NSA, then far from a daring cyber heist, the Shadow Brokers cache -- and by extension the entire WannaCry ransomware attack -- is simply the result of the NSA not picking up their toys when they were done.
This is important because most IT security experts agree that Shadow Brokers never got access to "the good stuff." It's no secret that the NSA, along with signals intelligence agencies and top hacker groups worldwide, are sitting on numerous zero-day vulnerabilities at least as bad as CVE-2017-0144, and they have been for ages. It is, quite simply, how the game is played these days.
It also means that WannaCry was built on top of a vulnerability that the NSA knew had been compromised for at least 10 months, and that the rest of the world has known about almost as long. The NSA is guilty of a very human negligence that led us to this point. By the same token, warnings have been issued for the better part of a year without apparent effect.
Cyber Weapon Hysteria
Perhaps the most damning element of WannaCry media characterization is the hyperbole of calling WannaCry a cyber weapon. The CVE-2017-0144 vulnerability is not a cyber weapon. Even the EternalBlue software only barely qualifies.
A vulnerability like CVE-2017-0144 is, at best, a blueprint. It is a look at how a weapon might be constructed. EternalBlue was a prototype: a demonstration tool that allowed some testing.
WannaCry attaches a payload to the vulnerability and legitimately weaponized CVE-2017-0144. But WannaCry isn't "the atom bomb of ransomware"; it isn't even a hand grenade.
WannaCry is a rusty prison shiv. It's a crude weapon welded together from mismatched parts that gets the job done, if and only if the job you're looking to accomplish is small in scale and lacking in subtlety.
A cyber nuclear bomb would look much, much different than WannaCry. For starters, it would infect a lot more than Windows. Infecting Windows might be a quick and cheap way to spread far and wide, but if you want to do real damage you need to infect other OSes.
A proper cyber nuclear bomb would be much harder to detect. It wouldn't use a battering ram in the form of a mass-mailed phishing e-mail with an encrypted file. It would use far subtler means to achieve initial infection and work much harder to go undetected.
Instead of ransoming a few systems for some chump change, a cyber nuclear bomb would wait until infection had reached critical mass; then, having infected everything from routers to servers to cell phones, it would hold entire nations hostage by shutting down systems by the billions. That is a cyber nuclear bomb. That is what true cyber warfare looks like.
No Easy Answers
WannaCry is just the next natural evolution in a long line of ransomware precursors. It is successful through a combination of inadequate resourcing of IT departments, the inability or unwillingness of IT departments to change, and vendors using patching as a stick.
Human nature caused WannaCry. Greed, short-sightedness and simply not cleaning up after ourselves all played a part. It will happen again, and keep happening for the foreseeable future: as a general rule, it’s easier to claim "it won't/can't happen to me" than to learn from the mistakes of others.
Cloud computing will not save us from the WannaCry ransomwares of the future. Cumulative updates aren't a social engineering panacea for our cyber ills. There are no magic bullets and no easy answers. Industry, government and individuals must work together, and the question, as always, will boil down to "who pays for it."
We, collectively, just got owned by a street thug with a shiv. It's no wonder that media outlets and experts alike rush to inflate WannaCry into something more grandiose and superlative than it really is. But those of us who work in the IT industry must remain grounded. Cyber nukes do exist, and like it or not, our job is to prepare for the day when they will be used.