Forget Ransomware — Windows Vulnerabilities Can Drive DDoS Attacks

By Dino Londis

To be clear, the WannaCry malware did not itself exploit a Windows vulnerability. WannaCry was installed through a vulnerability that EternalBlue exploited. WannaCry is encryption malware that was deployed because EternalBlue took advantage of Windows computers that did not have the March patch MS17-010 installed. In the May global attack on Windows, the payload could have been anything. It just happened to be ransomware.

In fact, a full month before the attack, in April, Wired had already reported a different attack that leveraged EternalBlue. It said hundreds of thousands of computers were infected with malware called DoublePulsar, which “can be used to distribute malware, send spam, and launch attacks on other computers.” Experts who were advising computer users to dodge WannaCry by saving their important information to the cloud weren’t speaking to the bigger problem: that PCs could be used as bots to mine Bitcoin, or join in massive DDoS attacks.

It’s already underway. Wired reported later in May that hackers are trying to “reignite WannaCry with nonstop botnet attacks.” You may have heard of the 22-year-old tech hero (MalwareTech) who found the killswitch for WannaCry. The killswitch was an unregistered website: as part of its execution, WannaCry would check the website, and if it wasn’t there, it would move on to the next PC. Well, the tech simply registered the site, and that stopped the malware from spreading.

Hackers are now slamming that website with one DDoS attack after another. If they succeed, then WannaCry will continue to spread as it had on May 12th. And that’s only the existing installations of WannaCry. Hackers will inevitably couple new tools with EternalBlue to exploit the vulnerability.

Even After WannaCry, Windows Won’t Get Patched Regularly

The EternalBlue hack exploited a Windows vulnerability, and administrators who regularly patch their networks were untouched. But the pace at which the malware spread revealed an open secret among patch admins: systems are not patched immediately and often go long stretches without it.

So while network admins scrambled to patch their systems on word that the WannaCry malware was spreading globally, there are still a lot of forces in place that will keep them from patching immediately.

Admins have always been reluctant to immediately deploy updates — to Windows or any other software for that matter — for fear of breaking something. And Microsoft is partly to blame for that, as Patch Tuesday has sometimes led to Recall Thursday, with various patches breaking Office or creating system-wide failures. In August 2014, MS14-045 caused Windows 7 64-bit PCs to boot up to only a blue screen. Only a system restore would fix it. Those who waited were rewarded with a stable network. In the back of the admins’ minds is the lesson that it’s safer to wait for the all clear before implementing changes.

And for better or worse, Microsoft is now bundling its security updates. Since October 2016, the company has bundled the Patch Tuesday fixes to the kernel into a single patch. For example, patch MS17-010 — the fix for the vulnerability EternalBlue exploited — was actually bundled in a “Security Only Quality Update,” SB17-002, which contained a dozen separate updates. In years past, a patch administrator could uninstall a specific patch if it was breaking something. For example, if MS17-013 — also part of SB17-002 — was breaking a XenApp display driver, an administrator could simply pull that single patch. Since October, if MS17-013 is breaking XenApp, the admin essentially has to pull all 12 patches, and would invariably open the network to attack.

And this problem exists only in the versions of Windows that Microsoft currently supports. It doesn’t speak to the millions of XP machines that are still in the wild. As of April 2014, Microsoft stopped supporting XP, and except in a few circumstances, it doesn’t deploy patches to the old OS. This is a huge problem because globally millions of computers — seven percent — are still running it. (To be fair, the company quickly released a patch for the vulnerability that caused the ransomware outbreak.)

There are also millions of bootlegged copies of XP and Windows 7 in China and elsewhere which will never get patched. These PCs are sitting ducks for hackers.

Finally, after WannaCry fades from the headlines (and it will) and business resumes regular operations, it will settle back into the familiar pattern that created the space for May’s global attack. Next time it may be MS17-010 or it may be something else.

One thing is certain. There will be a next time.
