I was watching with interest today how the media reported this story. The dramatisation of the story, manifested in statements put out on national news, would lead you to believe that there is some international conspiracy somehow linked to the NSA. It certainly makes better headlines than the truth, because the truth is less like an intricate James Bond movie plot and much more like a scene from the IT Crowd!
We are a cloud company, so cyber security attacks are always of great interest. As soon as the story was first reported we were already looking past the movie in the news at the details, primarily because we must identify any risk or exposure we ourselves might have. For those of you that want a less exciting version of the dramatic mass media reports, this is what is happening.
What is it?
A short time ago security firms identified a back-door Trojan which exploits a known vulnerability in the Microsoft Windows SMB networking protocol to install an implant by injecting malicious code into the operating system's DLL calls. This is reported to have originated from (and possibly even been stolen from) the NSA. The implant, known as DOUBLEPULSAR, is a back door which is implanted using an exploit in the Windows SMB software known as ETERNALBLUE. It works using quite advanced kernel DLL injection techniques to implant itself into the fabric of the operating system, creating a back door that allows remote network calls to execute programs on the compromised computer. This is not going to cause any direct problem, but once deployed it can sit there undetected until someone decides to use the back door. Compromised computers can be identified by malicious programs by issuing a special type of ping request to their IP address.
Now while DOUBLEPULSAR is the tool being used, it is not the actual attack. The specific attack being reported is a ‘ransomware’ attack dubbed WannaCrypt. Ransomware is a simple program that, once executed on a computer, will encrypt every data file it can find, leaving instructions on your desktop requesting payment (a ransom) to decrypt the files again. The problem with this type of attack is that it is not limited to the infected computer: if the computer is networked and has access to files on other computers via a network share, then the data on those computers can also be encrypted, even if that computer has already been patched and is itself not vulnerable.
What computers are compromised?
The injection technique used is specific to the Windows operating system and requires SMB networking to be enabled. Microsoft published a patch, MS17-010, on March 14th which covers pretty much all Windows versions, including Windows Vista SP2, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2008 SP2, Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 and Server Core. Windows XP and Server 2003 are also vulnerable but Microsoft has not provided a patch for these operating systems; I expect this has more to do with Microsoft’s desire to drive operating system updates than with any technical inability to provide a patch.
Who is affected?
It made prime time news here in the UK because the NHS's response to this compromise was to turn off all computers, which left the NHS apparently only “coping” with delivering healthcare services. A computer getting infected by a virus is boring and not a great headline, but a nation not getting adequate healthcare because of a sinister cyber-attack is a great headline. The truth, though, is that any organisation that has either failed to apply this patch or is using XP or Server 2003 is vulnerable and may already be compromised, just waiting for the next exploit to take advantage. The NHS, like many other public sector organisations here in the UK, is stuck with old operating system versions, citing things like cost and compatibility with other systems as reasons not to keep things updated. The NHS made the news today, but the truth is that many more organisations are probably already vulnerable.
[EDIT] So significant was the impact of this problem that Microsoft today has been forced to respond with patches for XP and Server 2003. You can read more about this and get links for the download here.
How can you prevent being compromised?
It is sad to say that this apparent national panic could have been easily avoided if the compromised organisations had simply followed a common-sense, best-practice approach to their IT strategy.
- Make sure all operating system versions are always patched. Stop trying to “manage” patching yourself: if you have chosen Microsoft operating systems, leave the patching to Microsoft. They provide the service, it's automatic and it's free. All too often “enterprise” likes to be in control of this; trust me when I tell you that the best way to deal with security patching is to let Microsoft do it, and likewise if you are using Apple OSX computers, let Apple patch and update the OS.
- If you are using an OS version such as XP or Windows 2003, just stop… or isolate the computer from any network and stop people from using it (the current NHS panic strategy).
- Configure your networking properly: grant each user only the minimum access rights they require.
- Back up your data properly. If your data is important and you lose it because your backup strategy is bad, you cannot really point the finger anywhere else.
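As an added, defender-side example that is not from the original post or from Hornbill, the PowerShell audit below checks a single host against the list above and against the network-share point made earlier (ransomware on one machine encrypts whatever shares that user can write to). It reports an unsupported OS version, whether the MS17-010 fix is present, whether the SMBv1 server (the protocol ETERNALBLUE targets) is still enabled, file shares that give broad groups write access, and whether automatic updates have been switched off by policy. Assumptions, stated as such: the MS17-010 KB numbers are not on this page, so the `-Ms17010Kbs` parameter is a placeholder you fill from the bulletin for your OS build; the `Get-Smb*` cmdlets exist on Windows 8 / Server 2012 and later, with a registry fallback for Windows 7 / 2008 R2; it is run as an administrator, and it changes nothing unless `-DisableSmb1` is passed.

```powershell
<#
  Added example (not the original post's or Hornbill's code): audit one Windows host
  for the controls the post recommends. Read-only unless -DisableSmb1 is supplied.
#>
[CmdletBinding()]
param(
    # ASSUMPTION / PLACEHOLDER: fill with the MS17-010 KB numbers for this OS build
    # (taken from the bulletin); left empty so the script asserts no number the post lacks.
    [string[]] $Ms17010Kbs = @(),
    # Opt-in remediation: turn off the SMBv1 server component on this host.
    [switch] $DisableSmb1
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. Unsupported OS? XP is 5.1 and Server 2003 is 5.2; anything below 6.0 gets no patch.
#    Get-WmiObject is used because Windows 7 ships with PowerShell 2.0.
$os  = Get-WmiObject Win32_OperatingSystem
$ver = [version] $os.Version
if ($ver.Major -lt 6) {
    $findings.Add("UNSUPPORTED OS: $($os.Caption) - isolate it from the network or retire it")
}

# 2. Is one of the MS17-010 hotfixes installed?
if ($Ms17010Kbs.Count -eq 0) {
    $findings.Add("SKIPPED: no MS17-010 KB numbers supplied, hotfix check not run")
} else {
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    if (-not ($Ms17010Kbs | Where-Object { $installed -contains $_ })) {
        $findings.Add("MISSING PATCH: none of $($Ms17010Kbs -join ', ') is installed")
    }
}

# 3. Is the SMBv1 server still enabled?
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    # Fallback for Windows 7 / 2008 R2: the LanmanServer 'SMB1' DWORD (0 = disabled, absent = enabled).
    $p = Get-ItemProperty $lanman -ErrorAction SilentlyContinue
    $smb1Enabled = ($null -eq $p.SMB1) -or ($p.SMB1 -ne 0)
}
if ($smb1Enabled) {
    $findings.Add("SMBv1 SERVER ENABLED: disable it unless a legacy device genuinely needs it")
    if ($DisableSmb1) {
        if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        } else {
            Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0
        }
        $findings.Add("REMEDIATED: SMBv1 server disabled (a reboot may be required on older hosts)")
    }
}

# 4. Least privilege on file shares: flag broad groups that can write, since an infected
#    user's PC encrypts every share that user can write to, patched server or not.
$broadGroups = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users')
if (Get-Command Get-SmbShareAccess -ErrorAction SilentlyContinue) {
    foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
        foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
            $account = ($ace.AccountName -split '\\')[-1]   # strip DOMAIN\ or BUILTIN\
            if ($ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -ne 'Read' -and $broadGroups -contains $account) {
                $findings.Add("BROAD SHARE ACCESS: \\$env:COMPUTERNAME\$($share.Name) grants $($ace.AccessRight) to $($ace.AccountName)")
            }
        }
    }
}

# 5. Has someone turned automatic updates off by policy?
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
if ($au -and $au.NoAutoUpdate -eq 1) {
    $findings.Add("AUTOMATIC UPDATES DISABLED BY POLICY (NoAutoUpdate=1)")
} elseif ($au -and $au.AUOptions -and $au.AUOptions -ne 4) {
    $findings.Add("AUTOMATIC UPDATES NOT SET TO INSTALL (AUOptions=$($au.AUOptions); 4 = download and install)")
}

# Report one line per finding, prefixed with the host name so output from many hosts can be merged.
if ($findings.Count -eq 0) { "OK: no findings on $env:COMPUTERNAME" }
else { $findings | ForEach-Object { "[$env:COMPUTERNAME] $_" } }
```

Run it from an elevated prompt as `.\Audit-Ms17010.ps1 -Ms17010Kbs 'KB<from bulletin>'` to report only, and add `-DisableSmb1` once you have confirmed nothing on the network still depends on SMBv1. The share check deliberately ignores read-only grants: a ransomware process can only encrypt what it can write, so the access right, not the share's existence, is what determines blast radius.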
How is Hornbill affected?
We use Windows on our internal networks but we keep everything patched and we do not have any unsupported operating system version in use that cannot be patched. In addition, for Windows computers we also have aggressive anti-virus controls in place. For the most part our cloud services run on a Linux-based software stack, and our other operating systems like OSX are not vulnerable to compromise from this attack.
I hope that the IT teams in the NHS organisations around the country get on top of this quickly and I wish them well in their endeavours over the coming days. I also hope that the budget holders learn from this. If you have chosen to work with Microsoft for your OS needs, listen to them when they tell you that the OS you are using is no longer supported, by ignoring this you are making yourself vulnerable to exactly this sort of problem – I imagine the cost of running around to sort this now will be significantly greater to your organisation than taking preventative measures would have been – false economy?