This last couple of day the headline has been the WannaCry ransomeware worm. I have seen many discussion about the technical aspects of it, about the disclosure of the vulnerability and debates of who is at fault for its widespread effect (Microsoft, NSA, Shadow Brokers ..etc). Yet the big elephant in the room remains that this is history that will repeat it self. The main reason that it will repeat it self is the gap of knowledge of those using technology and the speed at which attacks and tools can spread in the internet.
In essence the vulnerability affect the SMBv1 protocol from Microsoft that is included with all versions of Windows and it is enabled. Microsoft released a patch for the vulnerability as MS17-010 ON March 14, 2017. The patch was marked as critical, remote code execution and it affected all version of Windows with a CVSS score of 9.3. I work for a security vendor and I manage a team of reverse engineers that write the remote checks, as soon as we saw this we started working on it and where able to reach the vulnerable sections in less that a week and got a check for it out the door, we quickly new this had the potential to be as big as MS08-67. On April 7 Shadow Brokers releases a trove of tools from the NSA and they contain an exploit for this vulnerability among others called ETERNALBLUE, the tools where analyzed by researches that published tutorials on how to use the tools and expand upon them. Shortly after the release thousands of exposed boxes in the internet started to be compromised by the vulnerability.
In other words this vulnerability got a lot of attention in media in addition to it's inherited danger of the protocols, Microsoft tagging it as severe and it being exploited in the wild with a widely available tool set. Yet many organization including hospitals, banks, manufacturing and critical services among others still had not patched. In addition to this many organizations and businesses are still using Windows XP a OS that is end of support since April 8, 2014, not only that but it is a 15 yr old operating system. To add insult to injury the vulnerability was not the initial point of entry but it was an executable in a Zip file sent via email.
Yet with all of this information people argue that it is a technical issue, I disagree. The problem is an operational one mostly. Many businesses still do not manage their infrastructure with the importance they should. Many Operations teams do not have processes in place to deploy patches quickly and even more do not even know what they have in their network. All of this are problems that many have tackled before and countless blog posts, white papers, books and guides exists on system to do all of these. So the knowledge of how to do it right is available, but do to the lack of management, operational and business skills of most of those affected this risk was not averted. I know many will argue that hospitals will have MRI, Xray and other machines running very old OS that can not be upgraded. Still mitigation are possible, disable SMBv1, segmentation and filtering of networks, still many did not even looked at it, developed and plan and ran with it. Many businesses sadly do not properly staff they IT teams, other out source it to a company that even values the importance of the infrastructure to the business even less and others simply do not mange their IT infrastructures correctly do to lack of leadership.
This was a problem that was easy to mitigate, simple steps actually.
- Disable SMBv1 like MS has had in their best practice guides for years.
- Enable host firewalls and control who can communicate to the services needed like many have recommended for years both from government and private sectors.
- Prioritize and apply patches in a quick manner, is it hard at first? yes, can it be done quickly? yes, you just need to put the effort and establish the processes. MS17-010 is not the first and will not be last.
- It has been proven that one should architect the network and controls as if there will be unknown exploits so having proper controls that will alert of actions on systems. Many IOCs of the TTPs can still be detected and mitigated if best practices are in place.
Even when organizations take these steps many will not, many just do not have the budget to do it properly, hire and train the personnel, other simply will not value the base infrastructure like they should. Also at the end users will still be biggest unchangeable risk, even a properly designed security program will have gaps so operate with the assumption that a compromise will happen and containment and incident response procedures should be in place and rehearsed.
WannaCry abused ETHERNALBLUE, hope you have followed RDP best practices because ESTEEMAUDIT is still out there on all of those that have not moved away from XP and 2003.