• Legacy
  • Academy
  • Business
  • PayTech
  • Ignite
  • Cellcos
  • Wired
  • CovidTech
  • Library
  • Touch Base
Subscribe
CW Pakistan

Computerworld Pakistan

CW Pakistan
  • Legacy
  • Academy
  • Business
  • PayTech
  • Ignite
  • Cellcos
  • Wired
  • CovidTech
  • Library
  • Touch Base
  • Business

WannaCry Attacks are only the beginning

  • May 22, 2017
  • Content Desk
Total
0
Shares
0
0
0

Researchers believe other attackers will start to exploit the same SMB flaw as the WannaCry ransomware

Thousands of organizations from around the world were caught off guard by the WannaCry ransomware attack launched Friday. As this rapidly spreading threat evolves, more cybercriminals are likely to attempt to profit from this and similar vulnerabilities.
As a ransomware program, WannaCry itself is not that special or sophisticated. In fact, an earlier version of the program was distributed in March and April and, judging by its implementation, its creators are not very skilled.

Read: Pakistan Seals the Deal with Alibaba Group Holdings

The difference between the earlier WannaCry attacks and the latest one is a worm-like component that infects other computers by exploiting a critical remote code execution vulnerability in the Windows implementation of the Server Message Block 1.0 (SMBv1) protocol.

Microsoft released a patch for this vulnerability in March and, on the heels of the attack Friday, even took the unusual step of releasing fixes for older versions of Windows that are no longer supported, such as Windows XP, Windows Server 2013, and Windows 8.

Read: Face it: Enterprise Cyberattacks are Going to Happen

The WannaCry attackers didn’t put in a lot of work to build the SMB-based infection component either, as they simply adapted an existing exploit leaked in April by a group called the Shadow Brokers. The exploit, codenamed EternalBlue, is alleged to have been part of the arsenal of the Equation, a cyberespionage group widely believed to be a team linked to the U.S. National Security Agency.

The version of WannaCry that spread through EternalBlue on Friday had a quirk: It tried to contact an unregistered domain and halted its execution when it could reach it, stopping the infection. A researcher who uses the online alias MalwareTech quickly realized thatthis could be used as a kill switch and registered the domain himself to slow down the spread of the ransomware.

Read: CSO Alerts: Colourful WhatsApp Scam

Since then researchers have discovered a couple more versions: one that tries to contact a different domain name, which researchers have also managed to register, and one that has no apparent kill switch. However, the latter version is non-functional and seems to have been a test by someone who manually patched the binary to remove the kill switch, rather than recompiling it from its original source code. This led researchers to conclude that it’s likely not the work of the original authors.

Separately, experts from the computer support forum BleepingComputer.com have seen four imitations so far. These other programs are in various stages of development and try to masquerade as WannaCry, even though some of them are not even capable of encrypting files at this point.

This does indicate that attacks, both from the WannaCry authors and other cybercriminals, will likely continue and, despite patches being available, many systems will likely remain vulnerable for some time to come.

After all, security vendors are still seeing successful exploitation attempts today for MS08-067, the Windows vulnerability that allowed the Conficker computer worm to spread nine years ago.

“It’s probably going to get worse before it gets better, as it’s going to be one of the most serious threats for the following 12 months,” Catalin Cosoi, Bitdefender’s chief security strategist, said in a blog post about the EternalBlue vulnerability and the on-going attacks.

He believes that state-sponsored cyberespionage groups could also take advantage of the SMB flaw to plant stealthy backdoors on computers while defenders are busy dealing with the much more visible ransomware attack.

Security firm BinaryEdge, which specializes in internet-wide scans, has detected more than 1 million Windows systems that have the SMB service exposed to the internet. The number is considerably higher than the 200,000 machines affected by WannaCry, so there is potential for more attacks and victims.

WannaCry’s success showed that a large number of organizations are falling behind on patches and that many have legacy systems running old versions of Windows. To some extent, this is understandable because deploying patches in environments with a large number of systems is not an easy task. Enterprises need to test patches before installing them to ensure that they don’t have compatibility issues with existing applications and break existing workflows.

In other cases, organizations might be stuck with certain systems that run unsupported Windows versions without having the financial resources to upgrade or replace them. This is the case for ATMs, medical devices, ticketing machines, electronic self-service kiosks, like those in airports, and even servers that run legacy applications that can’t easily be reengineered.

However, there are measures that can be taken to protect those systems, like isolating them on network segments where access is strictly controlled or by disabling unneeded protocols and services. Microsoft has tried to convince companies to stop using SMBv1 for some time, as it has other problems aside from this flaw.

“There are certain organizations or sectors — e.g. medical — where patching is not a simple matter,” Carsten Eiram, chief research officer at vulnerability intelligence firm Risk Based Security, said via email. “In those cases, it’s imperative they properly understand the risks and look into workarounds to limit the threat.”

The success of WannaCry, at least as far as rapid distribution is concerned, has proved to cybercriminals there are many vulnerable systems on enterprise networks that can be targeted through old exploits. It is possible they will try to use other Equation/NSA exploits leaked by the Shadow Brokers or will be quicker to adopt exploits for future flaws that enable similar mass-scale attacks inside LANs.

“The EternalBlue exploit is part of a bigger leak called ‘Lost In Translation’ that packs multiple vulnerabilities ranging from simple annoyances to extremely severe ones,” Bogdan Botezatu, senior e-threat analyst at Bitdefender, said by email. “We expect that most of these ‘government-grade’ exploits to make it to the public domain and get merged into commercial-grade malware, as it has happened in the past.”

Meanwhile, Eiram is convinced there will be many vulnerabilities in the future that will enable similar ransomware attacks.

“I don’t doubt that for a second,” he said. “Every year we see such vulnerabilities.”

This article was originally written by Lucian Constantin for the IDG Network. 

Total
0
Shares
Share 0
Tweet 0
Pin it 0
Related Topics
  • CSO
  • CSO Online
  • CSO Pakistan
  • Eternalblue
  • IDG Pakistan
  • Lost in Translation
  • Lucian Constantin
  • ransomware
  • tech news
  • technology news Pakistan
  • WannaCry
  • WannaCry attacks
Content Desk

Previous Article
  • Computerworld

E-commerce and IT need to watch out for the budget

  • May 22, 2017
  • Content Desk
View Post
Next Article
  • Technology

Winners of the Google Play 2017 Awards

  • May 22, 2017
  • Content Desk
View Post
You May Also Like
View Post
  • Business
  • Wired

Flat-lining ICT exports

  • Sub Editor
  • January 26, 2023
View Post
  • Business
  • Wired

All You Need to Know About Pakistan’s Influencer Industry – Walee Pak Influencer Industry Insights Report 2021-22

  • Sub Editor
  • January 24, 2023
View Post
  • Business
  • Wired

The fastest growing jobs in Pakistan right now

  • Sub Editor
  • January 20, 2023
View Post
  • Business
  • Wired

SBP makes it easier for IT exporters to increase their income

  • Sub Editor
  • January 15, 2023
View Post
  • Business
  • Cellcos

Annual Report on Cybersecurity 2022 by PTA

  • Sub Editor
  • January 11, 2023
View Post
  • Business
  • PayTech

Businessmen in Islamabad want investors to turn profits into cryptocurrency assets.

  • Sub Editor
  • January 6, 2023
View Post
  • Business

Researchers developed a risky quantum decryption technique.

  • Sub Editor
  • December 23, 2022
View Post
  • Business
  • Wired

Zong 4G, Hands Pakistan Partner with Parks & Horticulture Authority to Develop Urban Forest in Multan

  • Sub Editor
  • December 13, 2022
View Post
  • Business

Jazz Signs Agreement: Garaj For Cloud Services

  • Sub Editor
  • December 3, 2022
View Post
  • Business

A Look At Karachi Qualifying Round Of Digital Pakistan Cyber Security Hackathon 2022 By Ignite

  • Sub Editor
  • December 2, 2022
View Post
  • Business

Sen. Senate: Google Will Soon Start Doing Business in Pakistan.

  • Sub Editor
  • November 24, 2022
View Post
  • Business

PTA Grants IoT Licences To Two Fresh Businesses

  • Sub Editor
  • November 10, 2022
View Post
  • Business
  • Wired

Pakistan at 75: LSE Summit in 2022

  • Sub Editor
  • October 28, 2022
View Post
  • Business

SECP Fixes Massive Data Leak Of Registered Company Information

  • webdesk
  • September 13, 2022
View Post
  • Business

Massive Data Breach The EDF Website of the Commerce Ministry

  • webdesk
  • September 1, 2022
View Post
  • Business

PTA Offers Two Local Businesses LDI Licenses

  • webdesk
  • August 2, 2022
View Post
  • Business

Permitting WeChat Service: SECP Says Go!

  • webdesk
  • August 2, 2022
View Post
  • Business

SBP Management Attends OICCI Interactive Meeting With Members To Allay Concerns

  • webdesk
  • August 2, 2022
View Post
  • Business

SECP To Introduce Companies for Digital Asset Management

  • webdesk
  • August 1, 2022
View Post
  • Business

STZA Signs Letter Of Intent with China’s SEDA To Further Technical Collaboration

  • webdesk
  • August 1, 2022

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

about
About
Launched in 1967 internationally, Computerworld Magazine is the oldest tech magazine/media property brand in the world. Today Computerworld (abbreviated as CW) is an ongoing decades old professional publication which in 2014 "went digital”. In Pakistan Computerworld was launched in 1995. Initially providing news to IT executives only, once CIO Pakistan from the same family launched, and took over the domain, CW Pakistan has slowly emerged as a holistic technology news platform reporting everything tech in the country. It remains the oldest running continuous IT media publishing platform in the country and approaching 3 decades of existence, it has been the industry’s biggest benchmark and hopes to continue for years to come.
Read more
Explore Computerworld Sites Globally
  • ComputerWorld.es
  • computerworld.com.pt
  • Computerworld.com
  • cw.no
  • computerworldmexico.com.mx
  • computerwoche.de
  • computersweden.idg.se
  • computerworld.hu
  • cwi.it
  • project.nikkeibp.co.jp
Content from other IDG brands
  • PCWorld
  • Macworld
  • Infoworld
  • TechHive
  • GameStar
  • Network world
CW Pakistan
  • CWPK
  • CXO
  • WALLET
  • Demo
CW Media & all its sub brands are copyrighted to SPIN-IDG Wakhan Media Inc., the publishing arm of NCC-RP Group. Site is designed by Crunch Collective ©️ 2022

Input your search keywords and press Enter.