CW Pakistan
  • Legacy
    • Legacy Editorial
    • Editor’s Note
  • Academy
  • Wired
  • Cellcos
  • PayTech
  • Business
  • Ignite
  • Digital Pakistan
  • DFDI
  • PSEB
  • PASHA
  • TechAdvisor
  • GamePro
  • Partnerships
  • PCWorld
  • Macworld
  • Infoworld
  • TechHive
  • TechAdvisor
0
0
0
0
0
Subscribe
CW Pakistan
CW Pakistan CW Pakistan
  • Legacy
    • Legacy Editorial
    • Editor’s Note
  • Academy
  • Wired
  • Cellcos
  • PayTech
  • Business
  • Ignite
  • Digital Pakistan
  • DFDI
  • PSEB
  • PASHA
  • TechAdvisor
  • GamePro
  • Partnerships
  • Business

WannaCry Attacks are only the beginning

  • May 22, 2017
Total
0
Shares
0
0
0
Share
Tweet
Share
Share
Share
Share

Researchers believe other attackers will start to exploit the same SMB flaw as the WannaCry ransomware

Thousands of organizations from around the world were caught off guard by the WannaCry ransomware attack launched Friday. As this rapidly spreading threat evolves, more cybercriminals are likely to attempt to profit from this and similar vulnerabilities.
As a ransomware program, WannaCry itself is not that special or sophisticated. In fact, an earlier version of the program was distributed in March and April and, judging by its implementation, its creators are not very skilled.

Read: Pakistan Seals the Deal with Alibaba Group Holdings

The difference between the earlier WannaCry attacks and the latest one is a worm-like component that infects other computers by exploiting a critical remote code execution vulnerability in the Windows implementation of the Server Message Block 1.0 (SMBv1) protocol.

Microsoft released a patch for this vulnerability in March and, on the heels of the attack Friday, even took the unusual step of releasing fixes for older versions of Windows that are no longer supported, such as Windows XP, Windows Server 2013, and Windows 8.

Read: Face it: Enterprise Cyberattacks are Going to Happen

The WannaCry attackers didn’t put in a lot of work to build the SMB-based infection component either, as they simply adapted an existing exploit leaked in April by a group called the Shadow Brokers. The exploit, codenamed EternalBlue, is alleged to have been part of the arsenal of the Equation, a cyberespionage group widely believed to be a team linked to the U.S. National Security Agency.

The version of WannaCry that spread through EternalBlue on Friday had a quirk: It tried to contact an unregistered domain and halted its execution when it could reach it, stopping the infection. A researcher who uses the online alias MalwareTech quickly realized thatthis could be used as a kill switch and registered the domain himself to slow down the spread of the ransomware.

Read: CSO Alerts: Colourful WhatsApp Scam

Since then researchers have discovered a couple more versions: one that tries to contact a different domain name, which researchers have also managed to register, and one that has no apparent kill switch. However, the latter version is non-functional and seems to have been a test by someone who manually patched the binary to remove the kill switch, rather than recompiling it from its original source code. This led researchers to conclude that it’s likely not the work of the original authors.

Separately, experts from the computer support forum BleepingComputer.com have seen four imitations so far. These other programs are in various stages of development and try to masquerade as WannaCry, even though some of them are not even capable of encrypting files at this point.

This does indicate that attacks, both from the WannaCry authors and other cybercriminals, will likely continue and, despite patches being available, many systems will likely remain vulnerable for some time to come.

After all, security vendors are still seeing successful exploitation attempts today for MS08-067, the Windows vulnerability that allowed the Conficker computer worm to spread nine years ago.

“It’s probably going to get worse before it gets better, as it’s going to be one of the most serious threats for the following 12 months,” Catalin Cosoi, Bitdefender’s chief security strategist, said in a blog post about the EternalBlue vulnerability and the on-going attacks.

He believes that state-sponsored cyberespionage groups could also take advantage of the SMB flaw to plant stealthy backdoors on computers while defenders are busy dealing with the much more visible ransomware attack.

Security firm BinaryEdge, which specializes in internet-wide scans, has detected more than 1 million Windows systems that have the SMB service exposed to the internet. The number is considerably higher than the 200,000 machines affected by WannaCry, so there is potential for more attacks and victims.

WannaCry’s success showed that a large number of organizations are falling behind on patches and that many have legacy systems running old versions of Windows. To some extent, this is understandable because deploying patches in environments with a large number of systems is not an easy task. Enterprises need to test patches before installing them to ensure that they don’t have compatibility issues with existing applications and break existing workflows.

In other cases, organizations might be stuck with certain systems that run unsupported Windows versions without having the financial resources to upgrade or replace them. This is the case for ATMs, medical devices, ticketing machines, electronic self-service kiosks, like those in airports, and even servers that run legacy applications that can’t easily be reengineered.

However, there are measures that can be taken to protect those systems, like isolating them on network segments where access is strictly controlled or by disabling unneeded protocols and services. Microsoft has tried to convince companies to stop using SMBv1 for some time, as it has other problems aside from this flaw.

“There are certain organizations or sectors — e.g. medical — where patching is not a simple matter,” Carsten Eiram, chief research officer at vulnerability intelligence firm Risk Based Security, said via email. “In those cases, it’s imperative they properly understand the risks and look into workarounds to limit the threat.”

The success of WannaCry, at least as far as rapid distribution is concerned, has proved to cybercriminals there are many vulnerable systems on enterprise networks that can be targeted through old exploits. It is possible they will try to use other Equation/NSA exploits leaked by the Shadow Brokers or will be quicker to adopt exploits for future flaws that enable similar mass-scale attacks inside LANs.

“The EternalBlue exploit is part of a bigger leak called ‘Lost In Translation’ that packs multiple vulnerabilities ranging from simple annoyances to extremely severe ones,” Bogdan Botezatu, senior e-threat analyst at Bitdefender, said by email. “We expect that most of these ‘government-grade’ exploits to make it to the public domain and get merged into commercial-grade malware, as it has happened in the past.”

Meanwhile, Eiram is convinced there will be many vulnerabilities in the future that will enable similar ransomware attacks.

“I don’t doubt that for a second,” he said. “Every year we see such vulnerabilities.”

This article was originally written by Lucian Constantin for the IDG Network. 

Share
Tweet
Share
Share
Share
Related Topics
  • CSO
  • CSO Online
  • CSO Pakistan
  • Eternalblue
  • IDG Pakistan
  • Lost in Translation
  • Lucian Constantin
  • ransomware
  • tech news
  • technology news Pakistan
  • WannaCry
  • WannaCry attacks
Previous Article
  • Computerworld

E-commerce and IT need to watch out for the budget

  • May 22, 2017
Read More
Next Article
  • Technology

Winners of the Google Play 2017 Awards

  • May 22, 2017
Read More
You May Also Like
Read More
  • Business

Azerbaijan to Invest $2 Billion in Pakistan with Focus on Tech, Energy, and Infrastructure Development

  • Press Desk
  • May 28, 2025
Read More
  • Business

Government’s FY26 Budget Targets Rs. 600 Billion in Taxes on Freelancers, YouTubers, and Pensioners

  • Press Desk
  • May 23, 2025
Read More
  • Business

Systems Limited to Temporarily Suspend Trading for Stock Split Implementation at PSX

  • Press Desk
  • May 23, 2025
Read More
  • Business

IMF Sets 11 New Conditions on Pakistan’s Economy Including Budget Approval and Energy Reforms

  • Press Desk
  • May 18, 2025
Read More
  • Business

EduFi and Beaconhouse International College Launch ‘Study Now, Pay Later’ Program to Boost Affordable Education in Pakistan

  • Press Desk
  • May 14, 2025
Read More
  • Business

BankIslami and SEDF Collaborate to Enhance SME Financing and Growth in Sindh

  • Press Desk
  • May 14, 2025
Read More
  • Business

SMEDA Offers 70% Matching Grant for Pakistani SMEs Seeking International Certifications

  • Press Desk
  • May 14, 2025
Read More
  • Business

Dubizzle Group Acquires Property Monitor, Targets $1 Billion IPO in 2025

  • Press Desk
  • May 5, 2025

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Trending Posts
  • Falcon-i Secures Official Customs License to Offer Cross-Border Logistics Technology Solutions
    • May 31, 2025
  • 92 News Unveils Pakistan’s First AI News Anchor Delivering Bulletins in Urdu
    • May 31, 2025
  • PMDC Unveils Digital Licensing Portal for Medical and Dental Colleges
    • May 30, 2025
  • CERP and Princeton Launch Long-Term Energy Transition Roadmap for Pakistan
    • May 30, 2025
  • Pakistan’s Freelance Sector Generates $1.65 Billion Amid Push for Women’s Inclusion in Digital Workforce
    • May 30, 2025
about
CWPK Legacy
Launched in 1967 internationally, ComputerWorld is the oldest tech magazine/media property in the world. In Pakistan, ComputerWorld was launched in 1995. Initially providing news to IT executives only, once CIO Pakistan, its sister brand from the same family, was launched and took over the enterprise reporting domain in Pakistan, CWPK has emerged as a holistic technology media platform reporting everything tech in the country. It remains the oldest continuous IT publishing brand in the country and in 2025 is set to turn 30 years old, which will be its biggest benchmark and a legacy it hopes to continue for years to come. CWPK is part of the SPIN/IDG Wakhan media umbrella.
Read more
Explore Computerworld Sites Globally
  • computerworld.es
  • computerworld.com.pt
  • computerworld.com
  • cw.no
  • computerworldmexico.com.mx
  • computerwoche.de
  • computersweden.idg.se
  • computerworld.hu
Content from other IDG brands
  • PCWorld
  • Macworld
  • Infoworld
  • TechHive
  • TechAdvisor
CW Pakistan CW Pakistan
  • CWPK
  • CXO
  • DEMO
  • WALLET

CW Media & all its sub-brands are copyrighted to SPIN-IDG Wakhan Media Inc., the publishing arm of NCC-RP Group. This site is designed by Crunch Collective. ©️1995-2025. Read Privacy Policy.

Input your search keywords and press Enter.