As the Petya/NotPetya/Petwrap/GoldenEye/ExPetr onslaught ripped its way through countless endpoints all over Europe on 27 June, a short, sharp realisation may have dawned on its victims.
It was only last month that WannaCry ransomware attacked over 200,000 endpoints in 150 countries. The campaign caught Renault factories, the Russian interior ministry and 48 UK National Health Service trusts in its grip, bringing public utilities and multinationals to their knees.
While commentators didn't think much of the ransomware itself, what really impressed them was the propagating mechanism, EternalBlue, which allowed the ransomware-worm to spread as far, as wide and as quickly as it did. It may have come as a shock to some that those events could be repeated, with the help of the same NSA-built exploit, just over a month later.
Many of the affected machines ran older, long-unsupported OS' such as Windows XP, which Microsoft quickly rolled out a patch for in light of the WannaCry attacks. But Microsoft had issued a fix for the vulnerability in March, months before even the WannaCry attacks. If the victims had an excuse after WannaCry, it was looking far weaker by Wednesday.
As Chris Wysopal, co-founder and CTO at Veracode told SC Media UK, “The easiest and best way to prevent the EternalBlue exploit from working is to run Windows Update.”
Data from Avast's Wi-Fi inspector, which can detect if an Avast PC, or one on the same network, is vulnerable to EternalBlue showed that 38 million PCs were still unpatched. Avast's Threat Lab team leader Jakub Kroustek told SC, “The actual number of vulnerable PCs is probably much higher.”
Patching is a simple process, and many say it should be religiously routine. Still, organisations don't seem to be taking heed of these well publicised and wide ranging raids on some of the world's largest companies and governments. Why?
“The publicity around WannaCry couldn't have been larger, probably eclipsing Heartbleed,” said Gavin Millard, technical director at Tenable Network Security, “Yet if this is the same attack vector, it demonstrates a distinct lack of taking threats like this seriously.”
Attention spans can be short, added Chris Wysopal. “Because the WannaCry kill switch worked, the pain stopped, and many orgs did not complete patching their Windows. This shows the day-to-day fire drill that many IT teams work under and the reality that patching in many organisations is hard. Once they heard that WannaCry was stopped they moved on to other more pressing work.”
“WannaCry should have been a wake-up call – it clearly wasn't,” Graham Mann, managing director of the Encode Group UK, told SC. “Microsoft released a patch some time ago for the EternalBlue vulnerability but many of the organisations will not have deployed it yet for various reasons: they may be still testing the patch, they may be using ‘antiquated' versions of Microsoft operating system or simply have a policy of not applying patches to certain systems to avoid destabilisation.”
The concern of destabilisation is an important one. The NHS is one of the largest employers in the world, with a workforce that rivals the Chinese People's Liberation Army. When 48 NHS trusts were ensnared by WannaCry ransomware in May, plenty of people asked why one of the UK's most important pieces of infrastructure was so vulnerable. Then again, when is the right time to halt the massive 24-7 frontline service IT infrastructure for a spot of patching?
“Patching is often difficult,” Phil Montgomery, VP of marketing at Pulse Secure, told SC Media UK. Systems are often distributed and networks, from the company's point of view, are often sprawling morasses with plenty of dark spots and vague, undefined borders.
Were they to do this effectively, organisations would need better visibility over their networks, which are commonly filled with question marks and unknown quantities: “The only answer is to use a solution that scans the device for compliance, and if not up to date, can put into a quarantine network where patching can occur, but not connect to the main network and allow malware to propagate.”
The ransomware used a number of attack vectors. Perhaps most notable, was its disguise as an update to a popular Ukrainian accounting software – one of only two authorised by the government – M.E. Doc. When the targeted organisations opened their computers, they found themselves the patient zeros of an international attack. Another attack vector involved the hacking of the Ukrainian government website for the Bakhmut region, which was then used as a watering hole, helping to distribute malware.
Brian Chappell, an architecture and security consultant, said that organisations are often not well prepared for such creative thinking: “We can only suppose that many thought their perimeter would be secure enough to prevent the WannaCry attack.”
Although no externally facing systems were susceptible, “They hadn't counted on the cyber-criminals using another vector.”
Once inside their walls, EternalBlue was used to move laterally and the ransomware was free to roam and spread across unpatched systems: “It's unlikely we will stop someone getting into our networks, but we can make it next to impossible to move around it.”
Organisations should have patched, eliminated common shared accounts with their passwords and then removed direct access to privileged accounts: “Those three steps would have prevented much of the impact for this second wave of ransomware. Anyone not taking those steps seriously will undoubtedly find themselves in the headlines in the next and subsequent waves.”
People will often not account for the fact that attackers attempt to get in through the most vulnerable parts of their organisation, leaving them with a network composed of 99.9 percent super-hardened endpoints and one box running Windows XP.
Many of Petya/NotPetya/ Petwrap /GoldenEye/ExPetr's victims could have only patched their critical assets, such as servers, or believed that segmented networks or embedded systems will keep them safe, Morey J. Haber, vice president of technology at BeyondTrust told SC.
He added, “Cyber-security programmes still have not mastered the basics of vulnerability assessments and patch management for ALL assets.”