[BreachExchange] WannaCry Wakeup Call Not Heard?
Inga Goddijn
inga at riskbasedsecurity.com
Tue Jun 27 13:36:58 EDT 2017
https://www.riskbasedsecurity.com/2017/06/wannacry-wakeup-call-not-heard/
t has been reported that Petya is spreading
<https://www.wired.com/story/petya-ransomware-outbreak-eternal-blue/> by
using a code execution vulnerability in Microsoft Office and WordPad
(CVE-2017-0199) and then taking advantage of EternalBlue (CVE-2017-0145),
which is the same vulnerability exploited by WannaCry.
Most people would agree that WannaCry was a pretty big event, and it should
have served as a big wake-up call as to the risks and importance of
patching or – if not possible – apply proper workarounds to mitigate risk.
Unfortunately, the fast spread of Petya makes it pretty clear that
regardless of the reasons for not updating systems were valid or not, many
companies were unable to properly address things the first time around.
Neither of the vulnerabilities exploited by Petya are new. The
vulnerability in Microsoft Office and WordPad, which exploits how OLE 2
Link objects in documents are permitted to request and execute HTA code, is
known to have been exploited as far back as October of 2016 to deliver
FINSPY spyware Finspy and later the Dridex banking trojan. This
vulnerability was patched April 2017. EternalBlue, as we know, was also
previously disclosed via NSA leaks and exploited by WannaCry. Microsoft
provided a solution in March 2017 and even released special fixes for
older, unsupported OS (Windows XP, Windows 8, and Windows Server 2003) in
May 2017.
There have been a lot of conversations recently concerning the ability to
patch for many organizations, and how it is not always possible. No matter
where you stand in this debate, if your organization is running unpatched
software you are at serious risk and not only to these ransomware events.
It is critical that all organizations, which are able, apply patches for
these known vulnerabilities. If there is some legit reason for this not
being possible, it is imperative to take other precautions and implement
compensation controls to protect their systems and mitigate the risk. One
such approach would be to stop using antiquated protocols such as SMBv1. It
is 30 years old and even Microsoft have been warning against using it for a
while – well before WannaCry.
More information will continue to be published by researchers and security
firms as this event unfolds including additional, what appears to be other
techniques Petya is using for lateral movement
<https://twitter.com/HackingDave/status/879738542276186114>. But to be
clear, this is not the first and will not be the last systemic ransomware
event to occur, and we should all expect the next one to be an improvement
of previous versions. Make sure that you are prepared!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170627/cbd89660/attachment.html>
More information about the BreachExchange
mailing list