WannaCry—the most damaging cyberattack of 2017—continues unabated, with at least 3,500 successful attacks per hour, globally, according to research published by security firm Armis on Wednesday.
The research estimates that 145,000 devices worldwide continue to be infected, noting that “a single WannaCry infected device can be used by hackers to breach your entire network.”
The primary reason WannaCry persists is an abundance of unpatched Windows versions across healthcare, manufacturing, and retail sectors— a “large number of older or unmanaged devices which are difficult to patch due to operational complexities,” Ben Seri, research vice president at Armis, wrote in a blog post. The number of active Windows 7 (and older) installations across those sectors exceeds 60%,
This is in large part a vendor issue, because these industries rely on third-party hardware with poor lifetime support. There are operational reasons to hold on to old and unsupported Windows devices. Manufacturing facilities rely on the HMI (Human-Machine-Interface) devices that control the factory’s production lines. HMI devices run on custom built hardware, or use outdated software, that hasn’t been adopted to the latest Windows.
In healthcare organizations, many of the medical devices themselves are based on outdated Windows versions, and cannot be updated without complete remodeling.
In retail environments, the Point-of-Sale devices are the weak-link, based on custom hardware, which is late to receive updates if at all.
This is a particularly pressing issue, with the pending end-of-support for Windows 7 in January 2020. This which will serve to further complicate the security posture of many enterprises, especially as other “wormable” vulnerabilities are discovered, such as BlueKeep, which prompted Microsoft to provide patches for Windows XP and Server 2003 due to the potential risk the vulnerability posed.
The WannaCry attack had the potential of being much more damaging than it could have been, though for affected organizations, the damages were quite severe—the NHS reported losses of £92 million ($116 million).
Security researcher Marcus Hutchins, discovered a kill switch domain name in the program that was unregistered by the authors. When WannaCry executes, if the domain resolves, the program exits. While this bought additional time for defenses, WannaCry was reported as “stopped,” which may have lowered concern about the attack. Days later, a variant lacking a kill switch was discovered.
An analysis by GCHQ’s cybersecurity division identified the authors of WannaCry as the Lazarus Group, a North Korea state-sponsored threat actor, also responsible for the 2014 Sony Pictures hack. The US, Australia, New Zealand, Canada, and Japan have criticized North Korea for their involvement in the attack, according to ZDNet.
WannaCry is built on top of a pair of exploits called EternalBlue and DoublePulsar, which were released by an organization called The Shadow Brokers on April 14, 2017. The exploits were originally developed by the NSA Office of Tailored Access Operations and CIA Information Operations Center. The weaponization—rather than responsible disclosure—of those underlying exploits created an opportunity for the WannaCry attack to be waged.
, Microsoft president and chief legal officer Brad Smith condemned the “stockpiling of vulnerabilities by governments,” noting that “We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” and “We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
To reduce potential risks from WannaCry patch your devices. That requires IT professionals to know that the devices exist. “Without the proper control and monitoring of devices and networks, organizations are bound to lose track of both,you must maintain a continuous asset inventory of all devices, and monitor your network for unknown, suspicious, or misplaced devices connected to it.”
