According to news reports, the UK, among over 90 other countries, has just been hit by a large malware campaign which has taken down various services, including a number of health-based services.
It’s easy at this point to look at the details and just exclaim that the organisations affected should just patch more frequently, but the reality is much, much harder than that.
The details of the infections
As I know it at the time (9am on Saturday 13th of May), the infection is a ransomware piece of malware called WCry, a variant of Wana Decryptor. You can find a technical breakdown at Talos Intelligence.
For those of you who don’t know what that means, it’s a bit of code, that somebody wrote, that when run on your machine, goes and finds a number of files on your system and encrypts them using strong cryptography, and then shows a message demanding payment in the pseudonymous currency “bitcoin” to decrypt your files and put them back.
The malware gets onto the first machine through a “phishing” campaign, so essentially an email that looks legitimate, and needs you to open a document included in the email. Once you open the attachment, the malware runs and your machine is infected.
Furthermore, the malware runs some additional code while it is encrypting your files. It goes and looks on your network for any computer which is talking something called SMB, the fileshare protocol. That means all of your coworkers who share their files with you, and those central servers that have the office fileshare.
If it finds a machine that is sharing files, it then uses a bug in Windows, called MS17-010 (after the Microsoft security bulletin that announced it). It’s also being called EternalBlue after the codename in a dump of exploits allegedly from the NSA which revealed the bug.
This bug means that even if your computer is “secured”, the malware can copy itself onto the other computer and then run itself on there, spreading, a bit like a virus does around a school or workplace.
Furthermore, WCry uses a “backdoor” called DoublePulsar, again from the alleged NSA dump, which enables it to move from just executing code on the machine to complete control of the machine. This combination of multiple bugs is called a “chain”, and until the last few years it has generally only been seen from the most advanced hacking groups.
The author, presumably in order to test it, built in a killswitch to the malware. So when it first infects a machine, it attempts to access a domain on the internet which doesn’t exist.
A UK-based security researcher called MalwareTech registered the domain having discovered this bit of code, and this appears to have stopped new infections.
This means the risk of new infections is much lower, but it wouldn’t take much for any hacker to take a sample of the malware, modify it to use a different domain and re-release it.
What’s the impact?
Once it has gotten onto a single computer in an organisation, it is attempting to spread, so it will move around the computer network, using the bug above to spread. That means that except in cases of blind luck, or where other measures have been taken, the ransomware will spread to a central computer pretty fast and from there out to every desktop it can find.
Furthermore, in today’s world, it’s not just desktops that get affected. Lots of computers run Windows, so for example I’ve seen pictures of bus display terminals in a bus terminal that are affected. I’m sure that in the coming days we’ll see some other systems like Point of Sale (like tills), window displays in shops and things like that affected.
Once infected, things are pretty rough. Security researchers are looking into the malware now, and if they are lucky, the author will have made an error in writing or using the cryptographic routines that mean that they’ll be able to build a tool to provide the decryption key. This has happened before with some other major ransomware infections, but it depends on how well the author wrote their encryption routines.
The best solution here is to format the infected computer, reinstall Windows and restore the data from backups. If organisations are using cloud-based productivity applications such as Office 365 or Google G Suite, then no data should be lost.
If people are saving local data to their machine, then hopefully the organisation has a good backup strategy and can restore from a backup.
Could this have been prevented?
Yes and no.
People keep saying that if you had patched the MS17-010 30 days ago, when it was released (March 14th), then people wouldn’t have been affected. That’s only true for the second stage, the spreading of the malware. People who got infected by email would still have been infected.
But if you had patched your computer, then the malware wouldn’t spread to you, and that’s part of the virality of the malware. It spreads without needing user input after the initial infection.
It’s also possible that the original infection in some systems is caused by an infection via the MS17-010 exploit. It could be that some organisations expose their file shares publicly because there are security protections such as username and password authentication; you might find that this is a way into an organisation.
It’s also worth noting that pretty much all versions of Windows were affected by this bug, so it’s not just out of date Windows XP machines, which didn’t receive the patch, it was a bug in Windows 8, Windows 10, Windows Server 2016 as well. It was patched by Microsoft in those versions, but again, only 30 odd days ago.
It’s also the case that if you had good UTM firewalls, and they were up to date, then the malware might never have been able to call out to get the executable code. However, that would have been dependent on having the right signatures or rules in place.
Equally blocking the original phishing emails would have prevented the original infection.
However, given the extent of the SMB vulnerability, it only takes one machine to get infected and if it moved inside your network boundary, it was game over.
Patching is easy right? Download it and apply it?
For home computers, patching is pretty easy, and yet most users don’t do it. It’s the equivalent of hitting the appstore update all button on a regular basis, and I know people who don’t even do that!
The reality of a large enterprise is that the IT systems are hugely complicated.
A real, medium-sized organisation might have systems dating back to the early 90s, and banks and health organisations even older systems, all alongside the modern new Windows 10 boxes.
The individual desktop of a receptionist in the organisation might need not only to do the specific functions it needs but also to run custom software that was written for Windows 95, or terminal applications to enable it to talk to the back office tools and systems.
Within any given enterprise IT system you might be looking at tens of thousands of desktops, running hundreds of different configurations of applications. Rolling out a Microsoft patch to Windows across that set of systems might not be easy because it’s really hard to test all those configurations.
And if you are, say, a national newspaper and the patch means that the only machine config that doesn’t work is the specific one that does overnight layout operations, then you have to decide whether patching the machine is worth running the risk of it not working and the newspaper not getting out.
Moving to another OS doesn’t help you. The large dumps recently have shown that there are vulnerabilities in all operating systems.
Enterprise IT is a much harder problem to solve than my area, in digital systems. We should be able to patch our systems easily and fast because we have much smaller estate sprawls and configurations compared to most desktop estates.
If you want to terrify yourself, add in that many organisations now outsource various systems. So your IT helpdesk might be being run by an outsourced helpdesk provider instead. However, people don’t generally like phoning an outsourced call center, so organisations bring the outsourced service provider into the building. They have some desktops, which you probably don’t control, but which probably connect to your network. So if you get infected and it spreads to them as a managed service provider, that means that they might become an inter-organisational infection vector to their other customers.
Now add in post rooms, help desks, room booking systems, HVAC systems and more and you begin to get the idea of what a corporate network looks like. It’s terrifying.
Patch early, patch often
Enterprise systems (including the ones we’ve seen attacked already and we’ll see more, this isn’t health service specific) have an average patch time in the hundreds of days, an average of 120 days according to Infosec Magazine.
This patch was released around 30 days ago.
Sadly, patching faster is not compatible with the way IT is done in lots of big organisations, and the challenge for us security and technology people is to make it easier to patch faster.
The goal has to be to be able to patch within hours, but that’s multiple orders of magnitude harder for a vast and colossal set of organisations.
So how could we fix this?
We need to rethink the way that we do computing and IT. Virtual desktops in the cloud might provide organisations with a Blue/Green deployment strategy for enterprise IT, enabling firms to roll out patched operating systems and roll back easily if there is a problem.
We need to see segmented networks with unidirectional firewalls. While there might need to be a centrally accessible fileshare, there’s absolutely no reason for that server to reach out to desktops on the same protocol.
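One way to check that SMB only flows in the intended direction, as an added example that is not part of the original post: it audits flow records against the rule "desktops may open shares on the file server, nothing else", and flags any source fanning out to several peers, which is the worm-like spread described earlier. The subnet, server address and flow lines are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed layout (hypothetical): one desktop subnet and one central file server.
DESKTOPS = ipaddress.ip_network("10.20.0.0/16")
FILE_SERVERS = {ipaddress.ip_address("10.10.0.5")}
SMB_PORT = 445

# Constructed sample flow records: "source destination destination_port"
SAMPLE_FLOWS = """\
10.20.1.15 10.10.0.5 445
10.20.1.16 10.10.0.5 445
10.20.1.15 10.20.1.16 445
10.20.1.15 10.20.1.17 445
10.20.1.15 10.20.2.40 445
10.10.0.5 10.20.1.16 445
10.20.1.16 10.10.0.5 443
"""

def classify(src, dst):
    """Return None for an allowed SMB flow, otherwise why it breaks the policy."""
    if src in DESKTOPS and dst in FILE_SERVERS:
        return None  # desktops may open shares on the central server
    if src in FILE_SERVERS and dst in DESKTOPS:
        return "server-to-desktop"
    if src in DESKTOPS and dst in DESKTOPS:
        return "desktop-to-desktop"
    return "unexpected-zone"

def audit(flow_text, fanout_threshold=3):
    """Return (violations, sources with >= fanout_threshold distinct out-of-policy SMB peers)."""
    violations, peers = [], defaultdict(set)
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        src, dst, port = line.split()
        if int(port) != SMB_PORT:
            continue  # only SMB is in scope for this policy
        reason = classify(ipaddress.ip_address(src), ipaddress.ip_address(dst))
        if reason:
            violations.append((src, dst, reason))
            peers[src].add(dst)
    spreading = sorted(s for s, d in peers.items() if len(d) >= fanout_threshold)
    return violations, spreading

if __name__ == "__main__":
    found, spreading = audit(SAMPLE_FLOWS)
    for src, dst, reason in found:
        print(f"{src} -> {dst}: {reason}")
    print("possible worm-like spread from:", spreading)
```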
Things like Google’s BeyondCorp are a good example of starting to build systems where the network doesn’t just trust every other computer on the network, but where we can start being more intelligent about what devices can access which services.
We need to ensure that email is scanned more effectively and that users aren’t shown phishing emails wherever possible. Things like DMARC can help weed out emails that are illegitimate.
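DMARC only weeds anything out when the sending domain publishes an enforcing policy. The following added example (not part of the original post) parses a DMARC TXT record using the tags defined in RFC 7489 and lists why a record would still let spoofed mail through; the sample records and example.org addresses are constructed.

```python
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict of tags; raise ValueError if malformed."""
    tags = {}
    for i, part in enumerate(p for p in record.split(";") if p.strip()):
        name, sep, value = part.partition("=")
        name, value = name.strip().lower(), value.strip()
        if not sep or not value:
            raise ValueError(f"malformed tag: {part.strip()!r}")
        if i == 0 and (name, value) != ("v", "DMARC1"):
            raise ValueError("record must start with v=DMARC1")
        tags[name] = value
    if not tags:
        raise ValueError("empty record")
    if tags.get("p", "").lower() not in STRENGTH:
        raise ValueError("missing or unknown p= policy")
    return tags

def weaknesses(record):
    """List the reasons a record does not get spoofed mail quarantined or rejected."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    sub = tags.get("sp", policy).lower()   # sp defaults to p when absent
    pct = int(tags.get("pct", "100"))      # pct defaults to 100
    issues = []
    if policy == "none":
        issues.append("p=none: monitoring only, failing mail is still delivered")
    if STRENGTH.get(sub, 0) < STRENGTH[policy]:
        issues.append(f"sp={sub}: subdomains get a weaker policy than p={policy}")
    if policy != "none" and pct < 100:
        issues.append(f"pct={pct}: policy applied to only part of failing mail")
    return issues

# Constructed sample records (example.org is a placeholder domain)
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "partial": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.org",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, weaknesses(record) or "enforcing")
```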
We need to change the story, not just do it better. Doing patching better might get us from 120 days to 60 days or even 30 days, but it can’t create an order of magnitude change. To do that we need new practices for a new generation of IT and computing.
Don’t click that link
It’s also easy for someone to say that if only users didn’t click the original phishing link, then this wouldn’t have happened.
Blaming the user for security problems that they are ill-equipped to deal with is in vogue at the moment.
But as you can see from my colleague Terence Eden’s excellent “Would you fall for this phishing scam”, modern phishing emails look shockingly convincing.
User training and teaching users to not click links is really hard when most of their jobs involve receiving emails and clicking links and typing their password into Google every few days because security required they get logged out.