WannaCry ransomware slipped in through slow patching

IT teams have a gap of several weeks between when patches are released and deployed, giving criminals time to make WannaCry a reality

The plain truth about security updates is that enterprises will always have a lag time between when patches are released and when they're deployed. Even so, too many organizations are taking too long to test and schedule, and they're paying the price.

As reported earlier, a new ransomware attack called Wanna Decryptor (WannaCry) struck tens of thousands of systems in more than a dozen countries around the world, including hospitals at the United Kingdom's National Health Service, KPMG, Spain's telecommunications company Telefonica, and banks BBVA and Santander. The ransomware has wormlike properties, as it spreads through network file shares, possibly using the vulnerability in the Windows SMB (Server Message Block) protocol (MS17-010) that Microsoft patched in March. The flaw is used by the EternalBlue exploit, which was part of the cache of hacking tools allegedly developed by the NSA and dumped by the Shadow Brokers group.

Microsoft initially patched the vulnerability only for currently supported operating systems, leaving older ones, such as Windows Server 2003, at risk. After the outbreak, Microsoft bent its policy and released updates for older versions. Though Windows Server 2003 has already reached end-of-life, many organizations hung onto older systems long past the expiration date. Health care organizations in particular are at risk because many of their custom applications cannot be updated to work on newer systems.

While some systems compromised by WannaCry were running outdated OSes that couldn't be fixed, it's likely that many PCs were new enough to be patched, but the IT teams hadn't gotten around to doing so. Security experts say it takes more than 100 days to patch critical vulnerabilities, especially in larger organizations. The criminals were able to take advantage of this window to their financial gain.

Ransomware + worm = scary

More worrying, in the case of WannaCry, the criminals were able to quickly combine the EternalBlue code into ransomware to create a dangerous worm. While a lot of security headlines are about sophisticated targeted attacks utilizing zero-day vulnerabilities, network administrators worry more about internet worms and other malware that can spread rapidly. Internet worms propagate by infecting a machine, then looking for vulnerable hosts on the same network or randomly scanning the internet looking for other machines to infect. Only one machine needs to be compromised to spread the malware through the network.

Network administrators who remember the CodeRed worms and similar outbreaks in the early 2000s know exactly how bad a "ransomworm" can get.

"This is the second time in two weeks that we've seen nefarious activities propagating in a wormlike fashion, which may be a sign of things to come," said Rohyt Belani, co-founder and CEO of antiphishing training company PhishMe, referencing the fake Google Docs app that abused OAuth late last week.

Patch, respond, mitigate

Enterprises can't always roll out updates the day they're available since they need to test the changes and make sure they won't break anything in their environment. IT teams need to schedule the update window for shared resources like file servers without interrupting business operations, but that means working smarter, not slower. One solution is to build redundancy into the infrastructure, so one system can be down for patching and have a different system handle the load during that time.

Business continuity and incident response playbooks should also consider how IT can quickly patch vulnerabilities during an outbreak, or how to isolate systems to slow down infection while trying to recover. If there are compelling business reasons why critical operations have to run on older systems, there should be controls and safeguards to protect the systems and make them harder to compromise.

In the current case, IT teams should consider disabling or blocking the SMB v1 service to prevent the ransomware from spreading, and monitoring for scan behavior on TCP/445 to find any infected machines looking for vulnerable machines. Security company Barkly recommends also blocking RDP (Remote Desktop Protocol) to be on the safe side. Organizations should consider compartmentalizing and self-containing until they can report 100 percent patching compliance.
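The TCP/445 scan monitoring described above, as an added example that is not part of the original article: it flags any source that contacts many distinct hosts on TCP/445 within a short sliding window, while ignoring slow or repeated connections to known file servers. The flow-log format, addresses, window and threshold are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flow log (time, source, destination, dest port); not real traffic.
SAMPLE_FLOWS = """\
2017-05-12T09:00:01 10.0.5.23 10.0.5.1 445
2017-05-12T09:00:02 10.0.5.23 10.0.5.2 445
2017-05-12T09:00:03 10.0.5.23 10.0.5.3 445
2017-05-12T09:00:04 10.0.5.23 198.51.100.7 445
2017-05-12T09:00:05 10.0.5.23 203.0.113.9 445
2017-05-12T09:00:06 10.0.5.23 10.0.5.4 445
2017-05-12T09:00:00 10.0.5.40 10.0.1.10 445
2017-05-12T09:10:00 10.0.5.40 10.0.1.11 445
2017-05-12T09:20:00 10.0.5.40 10.0.1.12 445
2017-05-12T09:30:00 10.0.5.40 10.0.1.13 445
2017-05-12T09:40:00 10.0.5.40 10.0.1.14 445
2017-05-12T09:00:01 10.0.5.77 192.0.2.1 443
2017-05-12T09:00:02 10.0.5.77 192.0.2.2 443
2017-05-12T09:00:03 10.0.5.77 192.0.2.3 443
2017-05-12T09:00:04 10.0.5.77 192.0.2.4 443
2017-05-12T09:00:05 10.0.5.77 192.0.2.5 443
2017-05-12T09:00:02 10.0.5.61 10.0.1.10 445
2017-05-12T09:00:09 10.0.5.61 10.0.1.10 445
"""

def parse_flows(text):
    """Turn 'time src dst port' lines into (datetime, src, dst, port) tuples."""
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)

def find_smb_scanners(flows, window=timedelta(seconds=60), threshold=5):
    """Return {source: peak distinct TCP/445 destinations in any window} at or over threshold."""
    recent = defaultdict(deque)  # source -> (time, destination) pairs still inside the window
    peak = defaultdict(int)
    for ts, src, dst, port in sorted(flows):
        if port != 445:          # only SMB traffic is of interest here
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # drop connections older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {src: n for src, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    print(find_smb_scanners(parse_flows(SAMPLE_FLOWS)))
```

On real networks the threshold and window need tuning against hosts that legitimately reach many SMB servers, such as backup or management systems.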

More worms to come?

A lot of critical vulnerabilities have been patched recently, and odds are high that IT teams have not gotten around to applying the patches. Considering that WannaCry is using a Shadow Brokers implant, it's clear criminal organizations are digging through the dump and figuring out how to use the tools for themselves.

Another potentially dangerous exploit from this dump, PassFreely, can be used to bypass Oracle database authentication. The exploit patches the Oracle process (oracle.exe, oracle80.exe and oracle73.exe) in-memory to allow unauthenticated sessions to the Oracle instance, said Kapil Khot, of security company Qualys. The company's researchers were able to use the exploit to compromise Oracle version 11.2.0.1.0 64-bit on Windows Server 2008 R2 and access the database.

PassFreely can potentially become a big headache for IT teams because the target server first needs to be compromised using EternalBlue, the same SMB backdoor that WannaCry is suspected of using. Consider that for a moment. If any of the machines that had been compromised by WannaCry also had a vulnerable Oracle database running, then ransomware won't be the worst thing to happen.

IT teams must have a plan to prioritize security updates or put in safeguards for those that can't be patched. The WannaCry ransomware is the clearest indication yet that criminals are quite prompt in adapting exploit tools for their operations.