Organizations across the Internet are falling victim to cyber attacks costing not only time, productivity and revenue but also immeasurable damage to reputation and client / vendor / public trust. In some cases, the attacks constitute a failure to maintain regulatory compliance (HIPAA, GLBA, FERPA, etc.) and in all cases, the attacks confirm that the organizations aren’t identifying potential risk with regular vulnerability assessments or penetration tests. What’s worse, many of these attacks rely on well-publicized vulnerabilities that have already been patched by the manufacturer or vendor, making them 100% avoidable. In most cases, a third-party vulnerability assessment of the organization would identify these vulnerabilities and give the organization guidance on how to mitigate them before an attacker could exploit them.
In May 2017, the WannaCry ransomware ran rampant across the Internet, encrypting systems worldwide and demanding a ransom to recover the data. The attacks made international news and reiterated the importance of maintaining an incident response plan that includes a strong security posture and effective disaster recovery. In June of the same year, even after all of the excitement from the initial WannaCry outbreak, Honda announced that it was forced to shut down production at one of its Japanese plants because it had been hit by the same ransomware attack that had ravaged the Internet a little more than a month before. Later in the same month, the [not]Petya worm leveraged the same vulnerability to spread and again made international news.
How Did It Happen?
The WannaCry and Petya attacks relied on a vulnerability in the technology that allows Windows computers to ‘talk’ to one another on a local network, called Server Message Block (SMB). The specific version of SMB vulnerable to the attack was SMB v1. SMB v2 was released with Windows Vista in 2006 and SMB v3.1.1 was released with Windows 10 and Windows Server 2016. Both newer versions are protected against WannaCry and Petya. In addition to running an outdated version of the protocol, many of the attacked hosts were reached across the Internet, so SMB (again, intended for communication on a local area network) was not protected behind a firewall.
How Can It Be Prevented?
These vulnerabilities are not hard to find. According to Shodan there are still almost 1.5 million hosts connected to the Internet with SMB v1 accessible (https://www.shodan.io/search?query=port%3A445). Many of these hosts, in addition to being vulnerable to the WannaCry and Petya attacks, are also exposing details including server name, share names and more to anyone with a web browser (https://www.shodan.io/search?query=port%3A445+shares). The purpose of a vulnerability assessment is, quite simply, to identify these potential vulnerabilities in an organization. A penetration test takes the process one step further and attempts to confirm those vulnerabilities by exploiting them and, depending on the scope and rules of engagement, gain additional access to the organization. A vulnerability assessment is (or should be) part of a penetration test. The results of these tests can be used to quantify the risk that the discovered vulnerabilities present and give the organization a set of tasks to complete to mitigate that risk.
What To Do Next?
Find out if you’re vulnerable to this or other attacks and, if you are, take appropriate action (install a firewall, update your existing firewall, install patches, implement a VPN, etc.) to mitigate the vulnerabilities. Piratica is offering a free, no-obligation vulnerability scan through the end of August 2017 to help get you started. If you would like more information or would like to schedule your free scan, please fill out this form. A member of our team will reach out to confirm your request and schedule your free, no-obligation scan within one business day.
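The checks above (is SMB v1 still enabled, is TCP/445 open to the Internet, is the MS17-010 update installed) can be run on your own Windows hosts before a third party ever scans you. The following script is an added example written for this post, not Piratica’s scanner or any Microsoft tooling; it assumes Windows 8.1 / Server 2012 R2 or later with the SmbShare and NetSecurity modules, an elevated PowerShell session, and that you supply the MS17-010 KB identifiers for your OS build from the Microsoft bulletin linked below (the script’s default KB list is an empty placeholder). The rule name and the trusted-network list are also assumptions for the example.

```powershell
<#
  Added example (not from the original post): audit one Windows host for the
  exposure the post describes and, with -Remediate, fix it.
  Assumptions: Windows 8.1 / Server 2012 R2+, elevated session, SmbShare and
  NetSecurity modules present. -Ms17010Kb is a PLACEHOLDER: take the KB ids
  for this OS build from the MS17-010 bulletin.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Report only unless this is set; -WhatIf still previews every change.
    [switch]$Remediate,
    # Networks that legitimately need SMB; allow rules are restricted to these.
    [string[]]$TrustedNetworks = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'),
    # PLACEHOLDER: KB identifiers of the MS17-010 update for this OS build.
    [string[]]$Ms17010Kb = @()
)

$findings = @()

# 1. Is the SMB v1 server protocol still switched on?
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    $findings += 'SMB v1 server protocol is enabled'
    if ($Remediate -and $PSCmdlet.ShouldProcess('SMB server', 'disable SMB1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

# 2. Is the SMB1Protocol Windows feature (client and server binaries) installed?
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += 'SMB1Protocol Windows feature is installed'
    if ($Remediate -and $PSCmdlet.ShouldProcess('Windows features', 'remove SMB1Protocol')) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# 3. Does any enabled inbound allow rule open TCP/445 to every remote address?
#    SMB is a LAN protocol; an allow rule scoped to 'Any' is what Shodan sees.
$smbRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and ($pf.LocalPort -contains '445' -or $pf.LocalPort -contains 'Any')
    }
foreach ($rule in $smbRules) {
    $af = $rule | Get-NetFirewallAddressFilter
    if ($af.RemoteAddress -contains 'Any') {
        $findings += "Inbound allow rule '$($rule.DisplayName)' opens TCP/445 to any remote address"
        if ($Remediate -and $PSCmdlet.ShouldProcess($rule.DisplayName, "restrict remote address to $($TrustedNetworks -join ', ')")) {
            $rule | Set-NetFirewallRule -RemoteAddress $TrustedNetworks
        }
    }
}

# 4. Is the MS17-010 update present? Only meaningful if the caller supplied KB ids.
if ($Ms17010Kb.Count -gt 0) {
    $installed = Get-HotFix | Where-Object { $Ms17010Kb -contains $_.HotFixID }
    if (-not $installed) {
        $findings += "None of the MS17-010 updates ($($Ms17010Kb -join ', ')) is installed"
    }
} else {
    $findings += 'MS17-010 patch check skipped: no KB identifiers supplied (see the bulletin)'
}

# Report. Each finding maps to one of the actions listed in the post.
if ($findings.Count -eq 0) {
    Write-Output 'No SMB v1 exposure findings on this host'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it once without switches to get the report, then with `-Remediate -WhatIf` to see exactly which settings and firewall rules it would change, and finally with `-Remediate`. Disabling the SMB1Protocol feature takes effect after a reboot, and any client that still negotiates SMB v1 (old printers, NAS appliances, legacy scanners) will lose access to the host’s shares, so inventory those before the change rather than after.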
Misc / Errata
- ThreatPost article on WannaCry – https://threatpost.com/leaked-nsa-exploit-spreading-ransomware-worldwide/125654
- Honda gets shut down by WannaCry – https://threatpost.com/honda-shut-down-plant-impacted-by-wannacry/126429
- Krebs article on Petya – https://krebsonsecurity.com/2017/06/petya-ransomware-outbreak-goes-global
- Microsoft update MS17-010 – https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
- Shodan.io – https://www.shodan.io