The virulent strain of ransomware dubbed WannaCry that swept the globe on Friday affected no federal IT systems, according to President Donald Trump’s Homeland Security Advisor Tom Bossert.
In the White House daily press briefing Monday, Bossert noted the WannaCry ransomware outbreak was estimated to have affected approximately 300,000 victims in 150 countries to date.
North Korea Connection?
On Monday, Google Security Researcher Neel Mehta tweeted a cryptic message, hinting at similarities between WannaCry’s code and code used in 2015 by North Korea-linked Lazarus Group.
Kaspersky Lab published a blog post explaining the similarity, but it also cautioned about the possibility of misdirection. “In theory anything is possible,” Kaspersky researchers wrote. “We believe [in] theory a false flag, although possible, is improbable.” The researchers credited Mehta with discovering “the most significant clue to date regarding the origins of WannaCry.”
Later in the day, Kaspersky researcher J.A. Guerrero-Saade tweeted another similarity between the code used in WannaCry and Lazarus Group code.
Cybersecurity company Symantec also highlighted code similarities.
Kaspersky’s and Symantec’s prior research, carried out independently, uncovered Lazarus Group’s growing interest in financial profit, as covered in April by Fifth Domain.
As of Monday afternoon, U.S. and U.K. officials were not publicly disclosing suspected threat actors.
In the White House briefing, Bossert said, “[WannaCry] was a tool developed by culpable parties, potentially criminals of foreign nation states, that was put together in such a way so to deliver it with phishing emails, put it into embedded documents and cause an infection in encryption and locking.”
Asked directly who was behind WannaCry, Bossert replied, “We don’t know. … I don’t want to say we have no clues. As I stand here today, I feel that the best and brightest are working on that.”
Reminiscent of Past Internet Worms
The scale of WannaCry’s infection and the speed of its spread on Friday reminded some of the infamous internet worms of the 1990s and early 2000s, such as ILOVEYOU, Code Red and Nimda.
WannaCry spread by exploiting a security vulnerability in Microsoft’s Server Message Block (SMB) Version 1. SMB is a protocol that allows computers running Microsoft Windows operating systems and applications to share access to local resources, such as printers. WannaCry’s rapid spread was partly enabled by its self-propagation – a distinguishing feature of worms – across networks of devices with the vulnerable SMB protocol enabled.
SMB has long been considered by cybersecurity professionals to be a suspect, if not insecure, protocol.
Cybersecurity experts began warning over the weekend that new variants of WannaCry were likely to emerge. Researchers noted that new variants may not include a “kill switch” like the first version, which allowed a 22-year-old security researcher to stop its spread on Friday.
Rich Barger, director of threat research at security company Splunk, noted that the kill switch “stunted” the initial version’s spread. “However, another wave from a copycat could avoid some of the mistakes observed within the first wave,” Barger added.
Back to Basics: The Importance of Patching
Following disclosure of the SMB vulnerability by Shadow Brokers earlier this year, Microsoft issued a patch (MS17-010) in March for currently supported Windows operating systems.
At least part of WannaCry’s spread was hastened by organizations failing to implement the existing security patch in a timely manner.
Barger urged organizations to apply the patch for all Windows systems as soon as possible, warning, “There is still a risk until organizations are no longer vulnerable to the SMB exploit that is being leveraged.”
On Monday, Sen. Mark Warner, D-Va., co-founder of the Senate Cybersecurity Caucus, sent a letter to DHS Secretary John Kelly and Office of Management and Budget Director Mick Mulvaney asking what steps the government has taken to ensure that federal agencies and contractors have installed the required security patches to defend against WannaCry.
“Patch management is a complex undertaking, particularly for large organizations and enterprises,” Warner wrote. “Both within the federal government and across critical infrastructure sectors, IT security has too often been either, at best, addressed as an afterthought in the product development cycle or, worse, simply neglected.”
But patching current systems is just part of the problem.
According to a recent survey of federal IT professionals conducted by cybersecurity company BeyondTrust, 47 percent of federal agencies still use the Windows XP operating system in some capacity. Windows XP reached its end of life on April 8, 2014, which is when Microsoft stopped issuing regular security patches. In response to WannaCry, Microsoft released its first free security patch for XP and its other operating systems since their end of life.
Michael Daniel, president of the Cyber Threat Alliance and former cybersecurity adviser to President Barack Obama, noted, “Businesses need to recalculate the benefit/cost ratio for patching/updating to newest operating system. They may be underweighting the cost of not patching, potentially leading to situations like this.”
The WannaCry outbreak occurred a day after Trump signed a long-anticipated cybersecurity executive order, which urged federal agencies to adopt a broad definition of risk management, including regularly applying security patches and modernizing hardware and software. Trump’s EO requires a report on modernizing legacy federal IT infrastructure from federal executives within 90 days.
Reignited Debate about Vulnerability Disclosure
WannaCry’s outbreak reignited a long-running debate about the U.S. intelligence community’s responsibility (or not) to disclose discovered security vulnerabilities to technology makers.
The specific SMB vulnerability that WannaCry exploits was made known to the public earlier this year, when the mysterious Shadow Brokers group released it along with a raft of other information allegedly stolen from the NSA in a 2016 hack.
The Shadow Brokers’ release preceded the start of WikiLeaks’ ongoing publication of Vault 7, which contains information on security vulnerabilities allegedly developed and operationalized by the CIA. WikiLeaks began releasing the Vault 7 information in April. The Shadow Brokers and WikiLeaks disclosures continue a trend begun with the 2013 leak of NSA classified information by former security contractor Edward Snowden.
The U.S. intelligence community’s continued practice of keeping security vulnerabilities a secret so that they can be exploited during intelligence-gathering operations has drawn sharp criticism from a range of cybersecurity experts.
The issue was highlighted again during the White House briefing on Monday, when a reporter asked Bossert about the NSA’s culpability for the WannaCry attack.
“I’d like to instead point out that this was a vulnerability exploit as one part of a much larger tool that was put together by the culpable parties and not by the U.S. government,” Bossert said. “So this was not a tool developed by the NSA to hold ransom data. … So the problem – and I think I said [this] this morning – of the underlying vulnerability is something that is a little bit less of a direct point for me.”
The WannaCry cyberattack prompted Microsoft’s Brad Smith to write a blog post criticizing governments for a practice that makes everyone less safe.
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.
“The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
The criticism from Smith and others prompted Daniel to respond, “It’s important to note that the U.S. government is not hoarding zero-days. On the contrary, it has strong incentives in most cases to disclose vulnerabilities to vendors.”
However, Daniel conceded that the process of classifying and disclosing security vulnerabilities could be improved. “We still don’t have a good rating system for vulnerabilities in terms of their severity,” Daniel noted. “Not all zero-days are created equal. We need to develop a more refined severity schema for vulnerabilities so we know how to react and at what speed. It’ll never be perfect, but we can do better.”