The proliferation of unpatched systems in manufacturing and healthcare settings allows the North Korean state-sponsored malware to persist.
WannaCry—the most damaging cyberattack of 2017—continues effectively unabated, with at least 3,500 successful attacks per hour, globally, according to research published by security firm Armis on Wednesday. The research estimates that 145,000 devices worldwide continue to be infected, noting that « a single WannaCry infected device can be used by hackers to breach your entire network. »
The primary reason WannaCry persists is an abundance of unpatched Windows versions across healthcare, manufacturing, and retail sectors—typically finding a « large number of older or unmanaged devices which are difficult to patch due to operational complexities, » Ben Seri, research vice president at Armis, wrote in a blog post. The number of active Windows 7 (and older) installations across those sectors exceeds 60%, compared to less than 30% among technology companies, the research found.
This is in large part a vendor issue, as these industries rely on third-party hardware with poor lifetime support, according to Seri:
There are operational reasons to hold on to old and unsupported Windows devices. Manufacturing facilities rely on the HMI (Human-Machine-Interface) devices that control the factory’s production lines. HMI devices run on custom built hardware, or use outdated software, that hasn’t been adopted to the latest Windows. In healthcare organizations, many of the medical devices themselves are based on outdated Windows versions, and cannot be updated without complete remodeling. And in retail environments, the Point-of-Sale devices are the weak-link, based on custom hardware, which is late to receive updates if at all.
This is a particularly pressing issue, with the pending end-of-support for Windows 7 in January 2020. This which will serve to further complicate the security posture of many enterprises, especially as other « wormable » vulnerabilities are discovered, such as BlueKeep, which prompted Microsoft to provide patches for Windows XP and Server 2003 due to the potential risk the vulnerability posed.
The difficulty of patching WannaCry
The WannaCry saga is a peculiar one. The attack had the potential of being much more damaging than it could have been, though for affected organizations, the damages were quite severe—the NHS reported losses of £92 million ($116 million).
While the initial WannaCry outbreak started on May 12, 2017, security researcher Marcus Hutchins, also known as MalwareTech, discovered a kill switch domain name in the program that was unregistered by the authors. When WannaCry executes, if the domain resolves, the program exits. While this bought additional time for defenses, WannaCry was reported as « stopped, » which may have lowered concern about the attack. Days later, a variant lacking a kill switch was discovered.
Who is responsible for developing WannaCry?
An analysis by GCHQ’s cybersecurity division identified the authors of WannaCry as the Lazarus Group, a North Korea state-sponsored threat actor, also responsible for the 2014 Sony Pictures hack. The US, Australia, New Zealand, Canada, and Japan have criticized North Korea for their involvement in the attack, according to ZDNet.
That said, WannaCry is built on top of a pair of exploits called EternalBlue and DoublePulsar, which were released by an organization called The Shadow Brokers on April 14, 2017. The exploits were originally developed by the NSA Office of Tailored Access Operations and CIA Information Operations Center. The weaponization—rather than responsible disclosure—of those underlying exploits created an opportunity for the WannaCry attack to be waged.
In the wake of the WannaCry attack, Microsoft president and chief legal officer Brad Smith condemned the « stockpiling of vulnerabilities by governments, » noting that « We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage, » and « We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. »
Addressing WannaCry risks in your organization
Naturally, the first step to addressing potential risks from WannaCry is to patch your devices, according to Armis. Patching devices, however, requires IT professionals to know that the devices exist, which is a higher-order problem. « Without the proper control and monitoring of devices and networks, organizations are bound to lose track of both, » Seri noted in the post, « you must maintain a continuous asset inventory of all devices, and monitor your network for unknown, suspicious, or misplaced devices connected to it. »
For more, check out « South Korean government planning Linux migration as Windows 7 support ends, » and « 71% of medical devices still run on Windows 7, Windows 2008, and Windows mobile » on TechRepublic, and « Why WannaCry ransomware is still a threat to your PC » on ZDNet.