WannaCry – What was old is new again
Last Friday, the world saw an outbreak of one of the most extensive malware breaches in a while. This malware, called variously WannaCrypt0r, WannaCry or WCry, managed to infect tens of thousands of computers globally in the matter of hours. While new types of malware come and go on a regular basis, it was the nature of this particular piece of malware that took the world by surprise.
WannaCry is a ransomware attached to a worm. These are a type of malware that has the capability to self-propagate without human interaction. In other words, they can infect a target system by autonomously crawling through a network by exploiting vulnerabilities in operating systems and other programs.
Worms are nothing new. Some of us may still remember names like “Love Letter”, “Blaster” and “Conficker” from the 2000’s, when a number of the then novel fast spreading internet worms were making headlines.
And indeed, the spreading mechanism of WannaCry is very familiar from those predecessors. To a point where you might wonder why all the fuzz. How come are we not able to stop it, when the basic mechanism has been known for a decade?
Proper network hygiene forgotten?
One answer may lie in the fact that we have not seen massive worm attacks in years. With the software vendors getting more prudent in blocking “wormable” vulnerabilities, and the firewalling techniques improving, worms have not been a present threat as of late. This may have caused many system and security administrators to forget some of the good practices learned the hard way in the past.
To refresh the memory, the spreading of relatively primitive worms like WannaCry can be effectively curbed simply by following proper networking hygiene. The kind that stipulates you should only have ports open where there is a real need for them to be open. Or only allowing connections from/to hosts and/or applications that actually need to be connected.
In the case of WannaCry, there is normally no need to have the SMB protocol open network-wide in workstations. Nevertheless, it is often left open bi-directionally. Just in case. In this case, however, the sloppy practise leaves the door open for worms.
While the main purpose of WannaCry appears to be to drop the ransomware, there is essentially nothing preventing a similar, maybe stealthier, malware from performing other tasks as well. For example, the self propagating properties might become handy for automatically finding and exfiltrating large amounts of information from an organisation in a highly unpredictable way. Such a malware would clearly cause big issues for example to an organisation striving for GDPR compliance.
Detection and protection
As of late, the detection and blocking of intra-network anomalies has been mostly discussed in conjunction to the so-called advanced persistent threats (APTs). This type of attack is by definition much stealthier than a relatively noisy worm like WannaCry, which by its nature makes itself known.
While there are specific solutions available to combat the sometimes very tricky APTs, protection from the simpler forms of self-propagating malware can be achieved with solutions such as next generation firewalls and advanced endpoint protection. Connected to a 24/7 security operations center for fast detection and response, these are well suited to detecting and blocking many types of network-borne anomalies on multiple levels, allowing policies to be implemented to offer a good level of security, while minimising the impact on business flexibility.
The situation with WannaCry, at the time I’m writing this, is that the whole world is busy patching their Windows systems to block the vulnerability used by WannaCry. And rightfully so. Ensuring that these patches are promptly applied should at the moment be at the top of every system admin’s priority list.
However, patching will only disable the worm from self-propagating using this particular exploit. The ransomware function of WannaCry as well as any potential future worm-borne malware can best be blocked by having the necessary security controls including proper system configurations, advanced endpoint protection and next generation firewalls in place. In fact, WannaCry was actually quite easy to block pro-actively.