WannaCry—the most damaging cyberattack of 2017—continues unabated, with at least 3,500 successful attacks per hour, globally, according to research published by security firm Armis on Wednesday.
The research estimates that 145,000 devices worldwide continue to be infected, noting that “a single WannaCry infected device can be used by hackers to breach your entire network.”

The primary reason WannaCry persists is an abundance of unpatched Windows versions across healthcare, manufacturing, and retail sectors— a “large number of older or unmanaged devices which are difficult to patch due to operational complexities,” Ben Seri, research vice president at Armis, wrote in a blog post. The number of active Windows 7 (and older) installations across those sectors exceeds 60%,

This is in large part a vendor issue, because these industries rely on third-party hardware with poor lifetime support. There are operational reasons to hold on to old and unsupported Windows devices. Manufacturing facilities rely on the HMI (Human-Machine-Interface) devices that control the factory’s production lines. HMI devices run on custom built hardware, or use outdated software, that hasn’t been adopted to the latest Windows.

In healthcare organizations, many of the medical devices themselves are based on outdated Windows versions, and cannot be updated without complete remodeling.

In retail environments, the Point-of-Sale devices are the weak-link, based on custom hardware, which is late to receive updates if at all.

This is a particularly pressing issue, with the pending end-of-support for Windows 7 in January 2020. This which will serve to further complicate the security posture of many enterprises, especially as other “wormable” vulnerabilities are discovered, such as BlueKeep, which prompted Microsoft to provide patches for Windows XP and Server 2003 due to the potential risk the vulnerability posed.

The WannaCry attack had the potential of being much more damaging than it could have been, though for affected organizations, the damages were quite severe—the NHS reported losses of £92 million ($116 million).

Security researcher Marcus Hutchins, discovered a kill switch domain name in the program that was unregistered by the authors. When WannaCry executes, if the domain resolves, the program exits. While this bought additional time for defenses, WannaCry was reported as “stopped,” which may have lowered concern about the attack. Days later, a variant lacking a kill switch was discovered.

An analysis by GCHQ’s cybersecurity division identified the authors of WannaCry as the Lazarus Group, a North Korea state-sponsored threat actor, also responsible for the 2014 Sony Pictures hack. The US, Australia, New Zealand, Canada, and Japan have criticized North Korea for their involvement in the attack, according to ZDNet.

WannaCry is built on top of a pair of exploits called EternalBlue and DoublePulsar, which were released by an organization called The Shadow Brokers on April 14, 2017. The exploits were originally developed by the NSA Office of Tailored Access Operations and CIA Information Operations Center. The weaponization—rather than responsible disclosure—of those underlying exploits created an opportunity for the WannaCry attack to be waged.

, Microsoft president and chief legal officer Brad Smith condemned the “stockpiling of vulnerabilities by governments,” noting that “We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” and “We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”

To reduce potential risks from WannaCry patch your devices. That requires IT professionals to know that the devices exist. “Without the proper control and monitoring of devices and networks, organizations are bound to lose track of both,you must maintain a continuous asset inventory of all devices, and monitor your network for unknown, suspicious, or misplaced devices connected to it.”

To address a novel set of side-channel attacks that allow microarchitecture data sampling (MDS).
this week Intel released a set of processor microcode fixes, for operating system and hypervisor patches from vendors like Microsoft and those distributing Linux and BSD code

These side-channel holes can be potentially exploited extract information, such as passwords and other secrets, from memory it is not allowed to touch. Browser histories can be sniffed, virtual machines snooped on, disk encryption keys stolen, and so on.

MDS can expose sensitive data held in a processor’s internal buffers: store buffers, fill buffers, and load buffers. MDS samples snippets of data as opposed to grabbing it all at once – more like eavesdropping on privileged communications than breaking in. It’s not easy to target specific data or to differentiate valuable information from background noise. Chipzilla maintains the vulnerabilities are difficult to exploit outside of a laboratory environment.

However Tech Republic commented “MDS attacks are as pernicious a threat as Spectre and Meltdown, and like those security vulnerabilities, the extent to which devices are vulnerable depends on vendor (i.e., Intel vs. AMD) and product generation. These vulnerabilities also affect cloud computing services, as they can be leveraged by attackers to escape software containers, hypervisors, paravirtualized systems, and virtual machines.”

To make such attacks more efficient, an attacker might seek to have a targeted app running on the same physical core. on an adjacent thread from the malware so as to run load and flush operations repeatedly

Speculative execution is a shortcut used by modern processors to execute software instructions before they’re needed. That boosts performance but creates vulnerabilities – however those appear to be limited to Intel hardware; and have not been replicated on Arm or AMD-designed processors.
.
The researchers who identified the flaws argue that hardware fixes for the Meltdown vulnerability implemented in Whiskey Lake and Coffee Lake CPUs are not enough and that software-based isolation of user and kernel space – which comes with a performance hit – need to be enabled even on current processors.

Intel acknowledges there may be a performance hit due to the microcode fixes in some circumstances for some workloads.

– Whiskey Lake and Coffee Lake CPUs have mitigations built in
– Earlier processors need to install microcode fixes.
– Operating systems and hypervisors need to be updated to work with the microcode updates to ensure those function properly.

Patches are rolling out today from Microsoft, Apple, Google, Linux distributions, and others.

The store buffer is a microarchitecture element that turns a stream of store operations into serialized data and masks the latency from writing the values to memory. It stores data asynchronously so the CPU can do out-of-order execution. The operations for reassembling everything in the right order make Meltdown-like unauthorized memory reads possible.A technique called Data Bounce can access supposedly inaccessible kernel addresses and break KASLR (Kernel address space layout randomization), reveal the address space of Intel SGX enclaves, and even break ASLR (address space layout randomization) from JavaScript.Data Bounce is also invisible to the operating system- it doesn’t involve a syscall and it doesn’t trigger an exception.

Intel disagrees about the need to disable hyperthreading, and says it plans to add additional hardware defenses to address these vulnerabilities into future processors.

Security threats continue to haunt us.

Systems at a number of Baltimore’s city government departments were taken offline on May 7 by a ransomware attack. As of 9:00am today, email and other services remain offline. Police, fire, and emergency response systems have not been affected by the attack, but nearly every other department of the city government has been affected in some way.

Calls to the city’s Office of Information Technology are being answered by a recording stating, “We are aware that systems are currently down. We are working to resolve the issue as quickly as possible.”

Meanwhile this post on identify theft https://www.schneier.com/blog/archives/2019/05/protecting_your_2.html
and this one on credit card skimming on vulnerable e commerce sites make sobering reading https://arstechnica.com/information-technology/2019/05/more-than-100-commerce-sites-infected-with-code-that-steals-payment-card-data/