This last couple of day the headline has been the WannaCry ransomeware worm. I have seen many discussion about the technical aspects of it, about the disclosure of the vulnerability and debates of who is at fault for its widespread effect (Microsoft, NSA, Shadow Brokers ..etc). Yet the big elephant in the room remains that this is history that will repeat it self. The main reason that it will repeat it self is the gap of knowledge of those using technology and the speed at which attacks and tools can spread in the internet.
In essence the vulnerability affect the SMBv1 protocol from Microsoft that is included with all versions of Windows and it is enabled. Microsoft released a patch for the vulnerability as MS17-010 ON March 14, 2017. The patch was marked as critical, remote code execution and it affected all version of Windows with a CVSS score of 9.3. I work for a security vendor and I manage a team of reverse engineers that write the remote checks, as soon as we saw this we started working on it and where able to reach the vulnerable sections in less that a week and got a check for it out the door, we quickly new this had the potential to be as big as MS08-67. On April 7 Shadow Brokers releases a trove of tools from the NSA and they contain an exploit for this vulnerability among others called ETERNALBLUE, the tools where analyzed by researches that published tutorials on how to use the tools and expand upon them. Shortly after the release thousands of exposed boxes in the internet started to be compromised by the vulnerability.Read More