igor - Fotolia

WannaCry’s EternalBlue exploit still a threat

A year after the global WannaCry attacks, the EternalBlue exploit that was a key enabler for the malware is still a threat to many organisations, and many UK firms have not taken action, security researchers warn

WannaCry is no longer wreaking havoc in the business world, but a year after the malware crippled business operations around the world, a key element of the attack still remains a threat, and few organisations have taken steps to improve their defences, research has revealed.

The exploit that enabled the rapid spread of WannaCry, known as EternalBlue, is still threatening unpatched and unprotected systems, according to telemetry data from security firm Eset.

The company’s researchers warn that EternalBlue’s popularity has been growing over the past few months, and a spike in April 2018 even surpassed the greatest peaks from 2017.

The Eset data shows that EternalBlue had a calmer period immediately after the 2017 WannaCry campaign, with attempts to use the EternalBlue exploit dropping to “only” hundreds of detections daily.

Since September last year, however, the use of the exploit has slowly started to gain pace again, continually growing and reaching new heights in mid-April 2018.

The EternalBlue exploit targets a vulnerability in an obsolete version of Microsoft’s implementation of the server message block (SMB) protocol, via port 445, and gave WannaCry its worm-like ability to spread across networks. 

In an attack, cyber criminals and other threat actors scan the internet for exposed SMB ports, and if found, launch the exploit code and malware payload of choice.

According to security researchers, exploits of Microsoft’s SMB protocol have been an “unmitigated” success for malware writers, with EternalBlue being a key component of destructive global NotPetya attacks in June 2017. It was used by the Sednit (aka APT28, Fancy Bear and Sofacy) cyber espionage group to attack Wi-Fi networks in European hotels.

The exploit has also been identified as one of the spreading mechanisms for malicious cryptominers. More recently, it was deployed to distribute the Satan ransomware campaign, described only a few days after Eset’s telemetry detected the mid-April 2018 EternalBlue peak.

The EternalBlue exploit was allegedly stolen from the National Security Agency (NSA) probably in 2016 and leaked online on April 14, 2017 by a group dubbed Shadow Brokers.

“Microsoft issued updates that fixed the SMB vulnerability on 14 March 2017, but to this day, there are many unpatched machines in the wild,” said Ondrej Kubovič, security evangelist at Eset.

“This exploit and all the attacks it has enabled so far highlight the importance of timely patching, as well as the need for a reliable and multi-layered security solution that can block the underlying malicious tool,” he said in a blog post.

UK businesses struggling with patching

Another study has revealed that UK firms are still struggling to take action a year after WannaCry, with 40% of 500 IT security workers polled saying their organisation is more exposed than it was a year ago.

Just over a third of respondents admitted there was panic immediately after the WannaCry attack, but nothing has changed since, according to the survey by security firm Tanium.

The survey also shows only 31% of respondents said their organisation has invested in a new security system since WannaCry, despite their boards claiming to have placed more importance on IT security since the attack.

According to the findings, although UK firms responded immediately after the attack, reviewing existing security systems (62%) and redefining the process for reacting to security incidents (38%), businesses are still struggling with basic systems management tasks, such as patching, which are critical to preventing future attacks.

According to the study, two-thirds of respondents admitted that they have not improved their patch management process since the WannaCry attack, with 14% saying the need to innovate quickly is causing them to compromise on their security practices. Almost a quarter (23%) cited a lack of budget as a factor holding them back from implementing new cyber security technology and policies.

Almost half (42%) of the frontline IT workers surveyed believe their senior leadership team fails to realise how exposed their companies are to cyber threats, and 43% said they struggle to get funding for urgent cyber security projects.

One in 10 frontline IT workers admit they are not confident their organisation could immediately respond to or recover from another WannaCry-style attack.

Unpatched systems the ‘Swiss cheese’ of security

According to security firm Avast, 29% of Windows-based PCs globally are still running with the SMB vulnerability in place, while Juniper Networks puts the number of exposed devices at 2.3 million.

According to Mounir Hahad, head of Juniper Threat Labs, most of the devices still running vulnerable versions of SMB are located in the United Arab Emirates, US, Russia, Taiwan and Japan.

“As we continue to see successful ransomware attacks, it begs the question: why don’t people have backups of their critical data? Every board of directors should be asking its CISO about the company’s backup strategy,” he said.

“A ransomware attack should be a blip on the radar that wastes people’s time to restore from backups, not a week-long debacle of trying to restore service and deciding whether to pay the ransom or not,” he said.

In August 2017, Chris Wysopal, cofounder and chief technology officer at security firm Veracode, told Computer Weekly that EternalBlue had been shown to be extremely effective at spreading malware infections to other unpatched Microsoft systems.

“It is imperative that IT teams from all businesses across all industries ensure that the version of Windows that they are using is not vulnerable to EternalBlue and, if so, take the necessary steps to remediate it,” he said.

Read more about software exploits

Wysopal said cyber criminals are likely to continue using EternalBlue until devices are patched and it is no longer an effective vector for them to spread malware.

Rob Greer, chief product officer and senior vice-president at security firm ForeScout, said unpatched systems are the “Swiss cheese” of cyber security.

“And while a properly patched system may not be impervious to attack, proper IT hygiene can stop many bad actors dead in their tracks. If the systems cannot be patched for operational reasons, the best means of protecting them is to place them in separate network segments,” he said.  

“While there’s no silver bullet in cyber security, the majority of ransomware attacks can be prevented through simple, yet effective security management and IT hygiene best practices.”

Avoid complacency and plan ahead, says expert

Ken Spinner, vice-president of field engineering at security firm Varonis, said WannaCry served as a cyber security wake-up call for many organisations that were falling behind in their routine IT responsibilities.

“Companies should be making it as difficult as possible for attackers to be successful at their job. It takes time, talent and resources to keep attackers at bay. The NSA exploits have been in the wild for some time now and attackers are hard at work on new variants,” he said.

“Security is a C-level issue and a boardroom issue, and IT and CISOs should be at the table. Companies need to heed the call, understand their risk and place security at the top of the agenda – the alternative could be lost productively and costs as companies scramble to return to business as usual after an attack.

“It’s human nature to address immediate concerns and fall back into old patterns. But companies can’t let their guard down. You’ve got to avoid a sense of complacency and plan ahead to tackle the newest threats. Attackers will think of something new that renders some preventative IT measures obsolete,” he said.

Juniper Networks: Tips on mitigating the impact of ransomware attacks

  • Patch your systems quickly after a security vulnerability is disclosed and fixed.
  • Backup your critical data and test your backups regularly.
  • Segment your network and make sure access to different segments is on a business need.
  • Do not give admin privileges to all users if not needed.
  • Mount remote file systems on a system only if needed.
  • Disable SMBv1 and make sure SMBv2 is not exposed to the internet.
  • Invest in an advanced persistent threat detection capability which has lateral movement visibility.

Read more on Hackers and cybercrime prevention