Two years plus and counting, and companies are still being impacted by WannaCry. Here are the four main reasons why an old exploit and the ransomware that rides on it are still an issue.
Since its first release in 1985, Microsoft Windows has gone through nine major releases and has grown in popularity, effectively dominating the desktop, laptop and server market, despite competing operating systems from Apple, Google and a variety of Linux-based distros. This popularity, more than any other factor, made it an ideal target for hackers. WannaCry (a ransomware attack that targeted and spread globally through unpatched systems on May 12, 2017) was aimed at the Windows OS, and specifically at the Microsoft SMBv1 (aka SMB1) server protocol listening on TCP port 445.
This protocol is not confined to PCs: it is commonly used when file sharing is enabled, by network printers, and by other equipment that embeds it. Alerts from Siemens and Bayer clearly demonstrate that the medical and industrial sectors, for example, are vulnerable to attacks affecting more than just desktops or servers. Of course, I’m unaware of any attacks where hackers use medical equipment to harm anyone, but it’s enough to know the threat is there…
WannaCry Should Have Been Blocked
Ignoring that the propagation tools used (which allowed infected machines to infect others) were allegedly developed by the NSA, the EternalBlue exploit was in fact known to Microsoft. Supported operating systems received a security update (Microsoft Security Bulletin MS17-010) in March 2017, some two months before the major attack took place.
For three months, Microsoft provided solutions and directions to protect against WannaCry in its security updates, even for operating systems that were no longer supported. Recommendations to make SMB1 obsolete became common, with Microsoft themselves advocating for its demise years before the WannaCry attacks and publishing a list of vulnerable products that require an upgrade or are limited to SMBv1. Default installation of SMB1 (deprecated by Microsoft in 2014) was removed in April 2018’s Windows 10 Update, and Samba (which provides SMB file sharing on Linux) took the same approach from version 4.11.
Why WannaCry Remains A Threat
Kind of beating a drum here but the message is clear. SMB1 sucks. Don’t use it. Security experts say so and the original developer agrees. What’s the problem, then? The problem is that despite security updates before and after the WannaCry attacks in May 2017, more than two years later there are almost a million devices vulnerable, with hundreds of thousands of attacks taking place daily. Ironically enough, given the alleged source of Eternalblue, more than 400,000 of these devices are U.S.-based.
So… what’s wrong with the device owners? Have they been living under a rock or been in a comatose state when WannaCry occurred? Why haven’t they patched devices?
For what it’s worth, I don’t believe it’s an IT issue, as IT pros are not that dumb. What we sometimes lack in social skills, we make up for in technical knowledge, and it’s not best practice to ignore security patches. Therefore, I believe the remaining million vulnerable devices are still vulnerable for reasons, in no particular order, that include but are not limited to:
1. Illegal Software
Perhaps some users are using unpatched versions of Windows that they obtained illegally from download sites. No shortage of options here. Just search for your desired OS and add the keyword ‘torrent’. Such users are understandably paranoid about downloading patches and updates from the vendor but have no problem assuming that the cracked versions they use are free from exploits, vulnerabilities, keyloggers and other tools designed to compromise the device.
2. Lack Of IT Support
Smaller companies in areas unrelated to IT may not have the expertise in-house to ensure their network and connected devices are up to date. In addition, they have not outsourced IT. This is the ‘if it’s not broken, no action is necessary’ attitude common to several industries including legal, manufacturing and healthcare.
This is proven by research from Forescout, which highlighted that ‘71 percent of Windows devices within these healthcare deployments are running Windows 7, Windows 2008 or Windows Mobile, with Microsoft support planned to expire on January 14, 2020. Running unsupported operating systems poses a risk that may expose vulnerabilities and has the potential to impact regulatory compliance.’
3. Reluctance To Change
As a long-term Windows user, I must admit I resent forced OS upgrades when the one I use has served me well and meets all my requirements. I made the change from XP only when I had to (end of official support), but I held out to the bitter end. Ditto, Windows 7. My reasons were simple: I have never purchased a branded system, I prefer custom builds, and an OS upgrade is rarely a seamless exercise. Each successor requires more RAM, driver and software updates (if you’re lucky, they’re available). Of course, your existing software may not be compatible with the new OS, requiring new licenses as well. Big deal, poor me, you might say.
However, in a business situation when multiple machines and software are involved, the costs in upgrading an OS will amount to a substantial investment. It’s especially annoying when you consider that the existing OS is still doing what’s needed.
To summarize, I guess I can understand why companies hold out as long as possible before upgrading to a new OS as it can be disruptive (it takes time to perform a company-wide upgrade) and lead to other costs. The fact that both hardware and software industries drive the requirement for new operating systems and related upgrades is a pet peeve. We do know what’s going on; companies need to generate ongoing revenue and supporting older products long-term goes against that premise.
Still, Microsoft continue to provide updates for major security threats for end-of-life OSes, as failure to do so would look bad, wouldn’t it? If you’re a company without the budget to upgrade to a supported OS, what choice do you have? Linux, perhaps?
4. Old Hardware
Whether it’s printers, routers, NAS, medical imaging devices or other devices that use the SMB1 protocol, if you cannot apply the necessary WannaCry patch (via driver or firmware update), then you’re stuck. You accept the risk or you purchase new hardware.
In conclusion, whether you’re sticking it to the Man by not upgrading, lack the necessary budget or are using unlicensed software (no sympathies here), there is no excuse for continuing to use the SMB1 protocol. Disable it and solve the resulting problems as they are identified. The fact that this vulnerability was identified more than two years ago makes it a… priority? Not really, it’s way past the priority stage, but immediate action is necessary, as WannaCry is just one of the possible risks.
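What “disable it and solve the resulting problems” looks like in practice, as an added example that is not part of the original post: a PowerShell script that first audits a Windows host for SMB1 (is the server side enabled, is the optional component installed, and which clients are currently connected with an SMB1 dialect) and only with the -Disable switch turns it off. It assumes an elevated session and the SmbShare cmdlets (Windows 8 / Server 2012 and later); the registry and sc.exe fallbacks are Microsoft’s documented method for Windows 7 / Server 2008 R2, which lack those cmdlets. The SMB1 session list is the “resulting problems” step: anything that shows up there (an old NAS, a multifunction printer, a scanner) will stop working once SMB1 goes, so it is fixed or replaced before the switch is flipped.

```powershell
<#
  Added example, not code from the original post. Audits a Windows host for
  SMB1 and, only when run with -Disable, turns it off. Assumes an elevated
  PowerShell session; uses the SmbShare cmdlets where present and falls back
  to the documented registry/sc.exe method on Windows 7 / Server 2008 R2.
#>
param([switch]$Disable)

$ErrorActionPreference = 'Stop'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$hasSmbCmdlets = [bool](Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue)
$hasDism       = [bool](Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue)

# ---------- Audit ----------
if ($hasSmbCmdlets) {
    $cfg = Get-SmbServerConfiguration
    "SMB1 server enabled  : $($cfg.EnableSMB1Protocol)"

    # Sessions whose dialect is not 2.x or 3.x are SMB1. A non-empty list means a
    # device or application still depends on SMB1 and will break when it is disabled.
    $legacy = @(Get-SmbSession | Where-Object {
        $_.Dialect -notlike '2.*' -and $_.Dialect -notlike '3.*'
    })
    "Active SMB1 sessions : $($legacy.Count)"
    $legacy | Select-Object ClientComputerName, ClientUserName, Dialect | Format-Table -AutoSize
} else {
    # Windows 7 / Server 2008 R2: the SMB1 server is controlled by a registry value.
    $val = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    $state = if ($null -eq $val) { 'yes (default, value absent)' } elseif ($val -eq 0) { 'no' } else { 'yes' }
    "SMB1 server enabled  : $state"
}

$feature = $null
if ($hasDism) {
    # Windows 10 / Server 2016+ ship SMB1 as an optional component.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature) { "SMB1Protocol feature : $($feature.State)" }
}

if (-not $Disable) {
    "Audit only. Resolve any SMB1 sessions listed above, then re-run with -Disable."
    return
}

# ---------- Disable ----------
if ($hasSmbCmdlets) {
    # Where supported, log any further SMB1 access attempts (Event ID 3000 in
    # Microsoft-Windows-SMBServer/Audit) so stragglers can still be found after the change.
    if ((Get-Command Set-SmbServerConfiguration).Parameters.ContainsKey('AuditSmb1Access')) {
        Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    }
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0 -Force
}

# Remove the optional component entirely where it exists.
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# Disable the SMB1 client driver too, so this host cannot speak SMB1 outbound either.
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

"SMB1 server and client disabled. Reboot to complete."
```

Run it once without -Disable on each host, work through the session list, then run it again with -Disable. On Linux file servers the equivalent is `server min protocol = SMB2` in the [global] section of smb.conf, which is what Samba made the default from 4.11. None of this replaces the MS17-010 patch itself: disabling SMB1 removes the attack surface EternalBlue needs, while the patch fixes the underlying bug for hosts that must keep it.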
When Eternalblue exploits SMB1, payloads can be altered from ransomware to cryptomining or who knows what else. With any luck, a harmless variant may launch screensavers that can only be unlocked with the password ‘installthepatch’, with instructions displayed as part of the screensaver. There’s a message in there somewhere.
Given that such attacks exploit known vulnerabilities without any action from the device users (no social engineering), can you or your company really afford to ignore the potential threat?