Mass ransomware attack may be exploiting unpatched Microsoft SMB MS17-010 vulnerability using NSA tools

Mass ransomware attack may be exploiting unpatched Microsoft SMB MS17-010 vulnerability using NSA tools

May 15, 2017

As we all know and have heard over of the last few days, there is at present a mass ransomware attack which has targeted and hit hospitals, telecoms companies, universities and other institutions around the world using the malware WannaCry/WanaCrypt0r 2.0 which may be carried out and profiting by a known flaw in Microsoft SMB Server, MS17-010.

WannaCry/WanaCrypt0r 2.0 attackers probably using the NSA EternalBlue exploit to hit Windows SMB vulnerability.

The vulnerableness of this was uncovered earlier in the year and it has been taken advantage of by the NSA. The US security agency uses malware to exploit vulnerabilities in IT systems for conducting covert operations online, this is all according to a build- up of documents disposed of by the hacking group Shadow Brokers.

The use of the NSA EternalBlue exploit was confirmed by the respected independent malware researcher ‘Kafeine’.

According to a Forbes report, cybercriminals in Russia have been looking at ways to exploit the EternalBlue exploit for some time.

“MS17-010 is the best candidate for this ransomware attack,” said Matthew Hickey, co-founder of UK cybersecurity training hub Hacker House.

According the Spanish authorities the following versions of Windows are at risk.

Microsoft Windows Vista SP2

Windows Server 2008 SP2 & R2 SP1

Windows 7

Windows 8.1

Windows RT 8.1

Windows Server 2012 & R2

Windows 10 Windows Server 2016

Patches for the vulnerability have been released by Microsoft, however it is thought they do not extend to some of the older versions of Windows like XP, which are still being broadly used in many organisations today including the NHS which has been hit quite bad. At this time there is no evidence to show that XP is the issue, but admins should be patching any vulnerable systems Immediately.

Security vendor Kaspersky Lab advises the following:

  • Conduct proper and timely backup of your data so it can be used to restore original files after a data loss event.
  • Use a security solution with behaviour based detection technologies. These technologies can catch malware, including ransomware, by watching how it operates on the attacked system and making it possible to detect fresh and yet unknown samples of ransomware.
  • Visit The No More Ransom website, a joint initiative with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals.
  • Audit installed software, not only on endpoints, but also on all nodes and servers in the network and keep it updated.
  • Conduct a security assessment of the control network (i.e. a security audit, penetration testing, gap analysis) to identify and remove any security loopholes. Review external vendor and third party security policies in case they have direct access to the control network.
  • Request external intelligence: intelligence from reputable vendors helps organisations to predict future attacks on the company.
  • Educate your employees, paying special attention to operational and engineering staff and their awareness of recent threats and attacks.
  • Provide protection inside and outside the perimeter. A proper security strategy has to devote significant resources to attack detection and response in order to block an attack before it reaches critically important objects.