WannaCrypt 2.0 aka WannaCry infected business networks around the globe and while the ransomware infections seem to have slowed, there is still a lesson to be learned here.
In this episode, Defrag This host Greg Mooney is joined by cyber security expert and CEO of Protinuum, Scott Foote. They discuss the implications of the fast-moving malware and how companies can respond in the wake of WannaCry.
Greg: Welcome to today's episode of Defrag This. I'm your host Greg Mooney. It's been a week since WannaCrypt 2.0 AKA WannaCry infected business networks around the world. And while the ransomware infection seemed to have slowed, there are still lessons to be learned here. WannaCry essentially should have never been a thing.
There is proof in how this worm has unfolded: basically, there were simple kill switches. Even a young security expert was easily able to find one just by pinging a URL that was found in the code. It leaves us asking the question, "If this attack had been done by a more sophisticated cyber criminal, what would have been the consequences?"
I'm joined on the phone today with Scott Foote, the CEO and founder of Protinuum, a cyber security company. Scott has an impressive track record with over 30 years of experience in cyber security and the software industry. Some of his technical experience includes OS kernel technologies and network engineering. Thanks so much for joining us today, Scott.
Scott: Thanks for having me Greg.
Greg: Yeah, so Scott, before we get into WannaCry, can you give us a little more background on what it is that Protinuum does in regards to cyber security?
Scott: Sure. So the short answer is that Protinuum's trying to bring order to the chaos of today's security operations environment, so that the team that is defending an organization's important information. We're doing that by bringing timely decision, quality information to their group of stakeholders, but also the broader business. Folks that are involved in the decisions that need to be made often in real-time.
So that when they're confronted with cyber attacks, like what we've seen with WannaCry this past week, they have fast, informed decisions unfolding. And context is everything. What we've seen historically in this space is a lack of context. And what Protinuum's single mission is, is to improve that context. So the decisions are made faster and the decisions themselves produce much more effective results.
Greg: Interesting. And yeah, just kinda speak more to that topic. Obviously you're talking about, again, C-suite involved in these actual discussions and I know there's a lotta misinformation out there, especially out in the mainstream media, if you talk about like CNN or MSNBC, how they talk about cyber attacks is very generalized. So I bet C-suite executives have to relearn a lot of this.
Scott: That's very true, yes. They're getting to the point where they're inundated with information, and I won't call it false information, but much of it is inaccurate and based on perceptions. And what we've seen with WannaCry has been serious, but it's been reported as the single biggest cyber attack in history, and things like that just aren't true. What the C team is really looking for from the cyber security executive, the CISO, is some interpretation, quickly, about what does this mean to our business? Are we exposed? Have we been infected? And if we have been, what does it mean? Are we shutting down a particular system or a major part of the business? Should we expect an outage? And then if so, what's the mitigation strategy? So ultimately they're looking for a concrete representation of risk, not just flashy headlines.
Greg: Have you had a chance to dive into what actually caused the malware outbreak, and what types of clues do we have now on how this worm actually came to be?
Scott: So yeah, I spent a lotta time almost nonstop since Friday evening when it was first brought to my attention by some of our customers. And there are several vectors to look at, to begin with. The first initial outbreak, just because of the timing of when the encryption screen was set up to, you know, pop up in front of the users, we first began seeing that in Asia. In fact, the exposure there, although it was very quiet, was in places like Thailand, Vietnam, certainly China has begun to report on it, and across Russia. So there was quite a bit of activity that was being seen in those environments, but it wasn't making the press initially. It started to hit the press later in the day on Friday, when across Europe we had outages in places like Deutsche Bahn in Germany, Telefonica in Spain, and, as you mentioned, the national healthcare system there in the U.K., where literally dozens of hospitals in Scotland and in England were having to turn away patients. So that's...that was the first vector, as it began to expose itself and ransom.
Greg: And as we know, based on what happened with the NHS, this was actually a matter of life-and-death situations happening in the U.K. So this type of attack cannot be taken lightly.
Scott: It truly did become life and death. And so we have those situations unfolding, and it continued following the sun, so to speak, all the way here into the U.S. But before we'd even seen it in the U.K., there were malware reverse engineers and analysts looking at it in Asia. So they began to tear it apart, to look at truly where it had come from, right, how do we know how this was all put together? And there were a couple of observations that the press has talked about a lot, but I think it's worth just reviewing them.
The first observation is this...is that this particular attack was a combination of components, three basically. The first was a weaponized PDF file. That hasn't been confirmed, we're still looking for people who have samples of that PDF file. But it appears that a PDF file was being distributed as part of a phishing campaign. Now that PDF, once it was opened, actually introduced the propagation component. This is the piece that people are bandying about all kinds of rumors. It's essentially a weakness in Microsoft's SMB1 protocol, which is an older version of that file sharing protocol. The weakness itself has been exploited by something in the wild called EternalBlue. Many folks attribute that to the Equation Group or the NSA. That's still all speculation. But that's the second major piece, and that's actually a worm. What it does is when it infects the one machine that's attacked by phishing, it begins to look for those ports and protocols on other systems on the network and it uses that to move laterally. Unusual, but this particular weakness, this is the first time that we've seen the exploitation live in...out on the internet. The third major piece was the actual exploit itself. Once it gets in situ, once the propagation piece brings in the software via dropper, it begins to install the encryptor, the ransomware component, and then of course starts digging for the files it thinks are gonna be most valuable, and it unpacks itself there. So those...that combination is a combination that I won't say we've never seen before, but certainly not on this scale.
The second major observation would be that the code construction, and I know this has been in the press quite a bit, the code construction itself was, let's say, less than disciplined. So the analysts, not just in Asia but really across Europe and North America, have all been sharing their observations about the lack of proper structure in the way these pieces were cobbled together. So this isn't one particular nation state actor that has a treasure trove of these tools and has spent time integrating them, and this looks like it was a crime of opportunity, where somebody pulled the pieces together and literally just turned it loose.
Greg: Yeah. What's interesting to me, and I think whoever created it or started this attack originally, it seems like... I remember there was a fairly young cyber security expert who found a kill switch with the...it was basically trying to get a...go to a URL before they, like, ping it, reach out to a URL for...before the encryption process would begin, and if it could resolve that URL, it would act as a kill switch. And from what I've read, they found that, but immediately I hear hackers were able to, you know, create another version of this right after that that basically fixed the kill switch issue.
Scott: That's exactly how things have unfolded, Greg. Yes, the initial guy, I won't say his name, but MalwareTech is his handle...Twitter handle's MalwareTechBlog, he was the one that did trip over that. He found the URL in...basically embedded in the executables. It wasn't obfuscated or encrypted, he just happened to trip over it and he decided to go look at it. When he saw it wasn't there, he registered the name to basically provide a sinkhole, to see what communication would come to that name. So he's been watching that. That has helped him to figure out... It's not just one URL by the way, there were a few. But he's been watching that URL to see which systems or which organizations are actively infected. That's how they've been counting. And yes, there were, I mean, the malware authors that are out there pick up on those types of things very quickly. But the fact that that kind of a kill switch existed showed the lack of experience of the author that was unpacking the pieces and beginning to set up on...the code in the...in a compromised environment. A telltale sign of a lack of experience.
Greg: What was most concerning to this...to me at least, is, you know, this was preventable. I believe Microsoft patched this actual security flaw back in February, after the NSA leak actually came out.
Scott: That is correct, yeah. The patch that contained their fixes came out in March. So it was available to folks that have a proper computer hygiene regimen, they woulda been installing these fixes. So there's a couple of complications there and probably the biggest one is what resulted in such a large-scale infection, and that is that those patches were not provided on unsupported versions of the operating system. Older, right? The first would be older versions. The second is a subtlety, but there are a lotta versions of Windows out there in the wild and on the internet that are pirated versions. We see this especially across Asia, which explains why the vast majority of the infections that have been beaconing to those URLs initially were from countries in Asia. So whether it's an older version of the operating system, or whether it's a newer version, say, Windows 10 but it's pirated, for those operating systems there wasn't a patch available. So even if they had a hygiene program, they weren't going to get the patch at all.
Greg: Yeah. And I believe Microsoft's actually released an emergency patch for XP systems, for instance, and Windows 7 at this point. But...
Scott: They did exactly that. And I'll tell you, the vast majority of the machines that had been affected were Windows 7 machines. The vast majority. The second were Windows XP and then a few of the other earlier versions of Windows Server.
Greg: Yeah. So now, let's talk a little bit about legacy systems here, because this is extremely concerning. And I think there...obviously there're some trends that we're seeing, you know, in industries such as healthcare and aviation for instance, those are the things that immediately come to mind because they're notably the industries that tend to have more legacy systems. People...a lotta people in the tech community right now are saying there's absolutely no excuse for having a computer on your network using Windows XP. What I'm seeing is that's usually in industries that have like low profit margins. So IT budgets are usually the first thing to get cut when money's short. So how do you combat this if you have no IT budget?
Scott: That's part of it. But before we tackle the IT budget, let's look at kind of the hidden part of the IT community, which are mission critical systems. Now there are... I've worked with a number of customers over the years that deploy not purely embedded systems, but certainly they are single purpose systems. I've seen in the last few years, mission critical, let's just refer to them loosely as systems, that were based on Windows 95, believe it or not. So here's why. It's deployed in an operational environment where there isn't a general user. There isn't someone there, as you say, because of the IT budget, to do the general maintenance. But because it's single purpose, they don't wanna make any changes. The machine has been deployed, it's been tested, it actually supports high availability with Windows elements, it's not typically five nines, but certainly three or four nines of availability. So this machine's only being restarted a few times a year. And they're reluctant to apply patches because the patches could break the software. The environments I've been in, some of the software was built by companies that don't even exist anymore. But they have a working component, they just don't wanna touch it. And if it works...
Greg: The cost of actually replacing these systems is probably monumental.
Scott: That's exactly right. To actually start over again requires an entire new program to go and build the replacement component. And to what end? If that doesn't increase their revenues or increase somehow the profit margin, or yield, or effectiveness, then it's a sunk cost to replace that equipment. So they're reluctant to do that. Then there's the other side of the tracks, which are the folks who just don't have the IT budget. And that's alarming in the 21st century. I understand running a company, and this is my fourth. The bottom line is making your profit. But when a company is inherently dependent upon its information, as almost every business is today, you need to step back and think about it as an executive team, as an owner or a shareholder, you need to look at that dependency and not think about technology, not think about the investment in the information technology itself, but think about the fact that that is the lifeblood of your business. And if you're not protecting it, it's what legally folks describe as willful negligence. You're ignoring that lifeblood.
So without an IT budget, you're really surrendering that information to the greater internet. And the bar has been dropped so low in today's environment, that a high school kid coulda pulled off something like what we've seen with [inaudible 00:15:16]. Almost literally. And I think that's a boardroom level discussion that needs to be had. One doesn't talk about their phone system in the boardroom, they talk about the ability for their company to communicate internally and externally with their customers, and they make a commensurate investment in that critical dependency. And I think it's time every boardroom gets to the recognition that information itself is the lifeblood of what they do on a daily basis.
Greg: Yeah. And as an executive, which you are, do you have any tips on how like, you know, the IT team could have a discussion with your executive team on the latest trends and get them actually involved in the discussion?
Scott: I'm glad you brought it up because I have that conversation with CISOs at least two or three times a week. These are folks that are highly technical, they've risen through the ranks, they don't spend a lotta time in boardrooms looking at balance sheets or evaluating business cases. Their job is to maintain that infrastructure, and in today's world, defend it. So when they are called into the C team to brief them on the latest event like this, they show up with metrics, they show up with a technical description, they explain process hollowing or, you know, how the lateral movement was effected. These aren't the details that the boardroom needs. The boardroom needs the risk to be cast in terms of the business. So if I were to go into the boardroom as a CISO today, I would go in and explain that someone has ransomed us. They've encrypted the disk drive underneath our customer relationship management system. So we've lost all that, the customer records online. And hopefully I would have in my back pocket the mitigations, offline backup, for example, like recovering from some distributed site. So that's the bottom line for the CISO, is they need the ability to communicate to the executive team and to their board what the impact is to the mission of the company and what the risk is to the business. That can't be just technical details, it needs to be cascading orders of impact through the company to the bottom line.
Greg: Yeah. That makes sense. So just a...you know, this isn't really a question, it's more of an observation, and it kinda touches upon a point you made earlier about, you know, how this was done by an amateur. In a way, I know a lotta people were affected by this. So, you know, this was kind of...it was a bit of a disaster, but we kinda dodged the bullet because this coulda been much worse if somebody who actually was a far more sophisticated cyber criminal had actually gone about, you know, creating this worm.
Scott: This is very true, yes. And what was demonstrated here was fairly unsophisticated, and if this particular author truly is as unsophisticated as it appears, it's very telling that a nation state adversary or a large criminal organization could be much more effective if it did something very similar.
Greg: All right. Well that's all the time we have today. But I wanna thank you, Scott, for coming in today. This was really insightful and I love what your company's doing, spreading awareness and trying to fix this very difficult and critical situation that we're dealing with, and it's just gonna come more to the forefront in the media and world news today. So I wanna thank you for coming in today. I really appreciate it.
Scott: Thank you, Greg, I appreciate it as well.
Greg: You can check out Protinuum at www.protinuum.com or you can also search them on LinkedIn. Until next time, stay safe out there.