iboss: Where Do We Go from Here with WannaCry?

June 13, 2017 - 3 minutes read


Since the WannaCry malware infection that began in late April, there has been a lot of activity on both the attack and defense sides. Defenders have figured out one of its encryption methods, and security researcher Adrien Guinet came up with a decryptor so you don’t need to pay the ransom.

Other reports have been published as well, such as a piece in ITWorld stating that the ransomware component is so poorly designed that no one should actually pay the ransom. The culprits can only restore users’ systems by manually sending the decryption key to each affected computer, which probably will never happen. The other problem is that WannaCry has no mechanism to determine who paid what and which computer should be released.

Perhaps the best result from WannaCry has been better education of IT staff about SMB-based attack vectors, one of the main ways that the infection spread around the world. Microsoft has three different versions of this protocol; the first version has the least security and should be disabled. The two later versions should not be disabled permanently, since they are used by a variety of network-based activities, such as file encryptions and messages. Microsoft posted some solid information on its support blog that goes into specifics. If you are still uncertain whether you have patched and upgraded your systems, you should read these suggestions carefully and implement them as soon as possible.
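As an added example (not from the original article or from Microsoft's post), the PowerShell script below, run from an elevated prompt, reports whether SMBv1 is still enabled on the local machine and warns if SMBv2/v3 has been switched off. It changes nothing unless called with `-Disable`, a switch defined by this script, and it assumes the standard LanmanServer and mrxsmb10 registry locations.

```powershell
# Added example: audit SMBv1 on the local Windows host (run elevated).
# Read-only unless -Disable (a switch defined by this script) is passed.
param([switch]$Disable)

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$client = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'
$hasCmdlet = [bool](Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue)

function Get-Smb1State {
    if ($hasCmdlet) {
        # Windows 8 / Server 2012 and later
        $cfg  = Get-SmbServerConfiguration
        $smb1 = [bool]$cfg.EnableSMB1Protocol
        $smb2 = [bool]$cfg.EnableSMB2Protocol
    } else {
        # Windows 7 / Server 2008 R2: a missing registry value means "enabled"
        $p    = Get-ItemProperty -Path $lanman -ErrorAction SilentlyContinue
        $smb1 = ($null -eq $p.SMB1) -or ($p.SMB1 -ne 0)
        $smb2 = ($null -eq $p.SMB2) -or ($p.SMB2 -ne 0)
    }
    # SMBv1 client driver: Start = 4 means disabled; no key means not installed
    $drv = Get-ItemProperty -Path $client -ErrorAction SilentlyContinue
    New-Object psobject -Property @{
        ComputerName      = $env:COMPUTERNAME
        Smb1ServerEnabled = $smb1
        Smb2ServerEnabled = $smb2   # SMB2 and SMB3 share this setting
        Smb1ClientEnabled = ($null -ne $drv) -and ($drv.Start -ne 4)
    }
}

$state = Get-Smb1State
if (-not $state.Smb2ServerEnabled) {
    Write-Warning 'SMBv2/v3 server is disabled; file sharing will stop once SMBv1 is off.'
}
if ($Disable -and $state.Smb1ServerEnabled) {
    if ($hasCmdlet) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Takes effect after a restart on these older systems
        Set-ItemProperty -Path $lanman -Name SMB1 -Type DWord -Value 0
    }
    $state = Get-Smb1State
}
$state
```

Run it without arguments first across your inventory to see which hosts still report `Smb1ServerEnabled` as true before changing anything.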

Perhaps most worrisome is that there have been new attacks. The first was discovered by Miroslav Stampar, a member of the Croatian Government CERT. According to Bleeping Computer, it uses a more sophisticated SMB attack. Proofpoint discovered malware called Adylkuzz, which uses some of the same underlying technology as WannaCry, only in the Bitcoin space. “Within 20 minutes of exposing a vulnerable machine to the open web, it was enrolled in an Adylkuzz mining botnet,” say the researchers. What is interesting about this exploit is that it predates the beginning of WannaCry by several days.

And researchers revealed yet another new attack vector which uses movie subtitle files. By inserting malware into these files, attackers can take complete control over any type of device using various streaming media players including VLC, Kodi (XBMC) and Popcorn-Time. Clearly, the criminal world has latched on to WannaCry and will be developing other exploits using its features in the future.

Clearly, there will be other attacks using these stolen NSA hacking tools in the future. The best advice I can give is to make sure you have found and patched all of your Windows machines and updated your SMB protocols as per the Microsoft bulletin. And if you are using any network protection tools, make sure that they have added support for preventing WannaCry across your network.
