Forget Ransomware–Windows Vulnerabilities Can Drive DDoS Attacks

WannyCry is still in the news. In fact, it may be a springboard for more exploits as reported in a CIO article, “Expect hackers to build off of WannaCry, Nyetya in 2018.”

When it comes to Windows, to be clear, the WannaCry malware did not exploit a Windows vulnerability. WannaCry was installed by a vulnerability that EternalBlue exploited. WannaCry is encryption malware that was deployed because EternalBlue took advantage of Windows computers that did not have the March patch MS17-010 installed. In the May 2017 global attack of Windows, the payload could have been anything. It just happens to be ransomware.

In fact a full month before the attack, in April, Wired reported a different attack that leveraged EternalBlue. It said hundreds of thousands of computers were infected with malware called DoublePulsar, which “can be used to distribute malware, send spam, and launch attacks on other computers.”  Experts who were advising computer users to dodge WannaCry by saving their important information to the cloud weren’t speaking to the bigger problem–that PCs could be used as a bot to mine bitcoin or join in massive DDoS attacks.

It’s already underway. Wired reported that hackers are trying to “reignite WannaCry with nonstop botnet attacks.” You may have heard of the 22-year-old tech hero who found the “kill switch” for WannaCry. The kill switch was an unregistered website and as part of its execution, WannaCry would check for the website and it it wasn’t there, it would move on to the next PC. Well, the tech simply registered the site and that stopped the spread.

Even After WannaCry Windows Won’t Get Patched Regularly

The EternalBlue hack exploited a Windows vulnerability and administrators who regularly patch their networks were untouched. But the pace that the malware spread revealed an open secret among patch admins. Systems are not patched immediately and often go long stretches without it.

So while network admins scrambled to patch their systems when word got around that malware was spreading globally, there are still a lot of reasons that prevent them from patching immediately.

For one, admins have always been reluctant to immediately deploy updates–to Windows or any other software for that matter–for fear of breaking something. And Microsoft is partly to blame for that, as patch Tuesday has sometimes led to Recall Thursday with various patches breaking Office or creating system-wide failures. In August 2014 MS14-045 caused Windows 7 64 bit PCs to boot up to only a blue screen. Only a system restore would fix it. Those who waited were rewarded with a stable network. The thinking for some admins is that it’s safer to wait for the all clear. 

And for better or worse Microsoft is now bundling its security updates. Since October 2016, the company has bundled the patch Tuesday fixes to the kernel in a single patch. For example, patch MS17-010–the vulnerability EternalBlue exploited–was actually bundled in a “Security Only Quality Update” SB17-002, which had a dozen separate updates.

In years past, a patch administrator could uninstall a specific patch if it was breaking something. For example, If MS17-013–also part of SB17-002–was breaking a XenApp display driver, an administrator could simply pull that single patch. Since October, if MS17-013 is breaking XenApp, the admin has to essentially pull all 12 patches and would invariably open his network to attack.

And this problem exists just for Windows versions that Microsoft currently supports. It doesn’t’ speak to the millions of XP machines that are still in the wild. As of April 2014, Microsoft stopped supporting XP, and except in few circumstances, it doesn’t deploy patches to the old OS. This is a huge problem because globally millions of computers–seven percent–are still running it. (To be fair, the company quickly released a patch for the vulnerability that caused the ransomware outbreak.)

There are also millions of bootlegged versions of XP and Windows 7 globally which will never get patched. These PCs are sitting ducks for hackers.

Finally, after WannaCry fades from the headlines (and it will) and business resumes regular operations, it will settle into its familiar pattern that created the space for the last WannaCry global attack. Next time it may be MS17-010 or it may be something else.

One thing is certain. There will be a next time.

Thanks for sharing!

Leave a Reply

Your email address will not be published. Required fields are marked *