Why Does EternalBlue-Targeting WannaCry Remain at Large?'The Most Widely Successful Wormable Malware Becomes Almost a Permanent Hangover'
Where were you on May 12, 2017? For many cybersecurity professionals, the answer is "trying to contain the fallout from WannaCry," the ransomware that on that day began hitting organizations worldwide.
See Also: You've Got BEC!
WannaCry spread quickly because it included an exploit for a widespread flaw in Windows Server Message Block version 1, aka EternalBlue. The flaw, CVE-2017-0143, was long ago patched by Microsoft - in fact, shortly before WannaCry appeared - via its MS17-010 security update.
"If we leave such types of vulnerabilities unpatched for too long, what else are we doing?"
So it's concerning that as security firms in recent weeks have been recapping top trends from 2020, one particular strain of malware and one particular vulnerability continue to loom large: WannaCry and EternalBlue.
Security firm Trend Micro, for example, reports that the most common type of malware family detected last year was WannaCry, followed by cryptocurrency miners and Emotet, which was recently disrupted by police.
Nearly four years after WannaCry hit the world, infecting hundreds of organizations, why does it remain so prevalent?
"The one thing that really keeps WannaCry prevalent and active is the fact that it is wormable ransomware," says Rik Ferguson, vice president of security research at Trend Micro. "Couple that with the fact that Shodan showed me just now that there remain 9,131 internet-facing machines vulnerable to MS17-010 and you quickly begin to understand why it continues to propagate."
EternalBlue appears to have begun life at the National Security Agency, which apparently built the exploit for the SMB_v1 flaw. That exploit subsequently leaked or got stolen and was subsequently obtained and leaked by the Shadow Brokers group in 2017. The NSA appears to have given Microsoft a heads-up, because the technology giant released a patch for the flaw on March 14, 2017, exactly one month before Shadow Brokers leaked EternalBlue.
The EternalBlue-targeting version of WannaCry appeared two months later, with many experts saying it appeared to have been developed by North Korean hackers, who may then have lost control of it. Malware researcher Marcus Hutchins identified a kill switch in the malware, thanks to it searching for a specific URL and only attempting to encrypt a system if it could not reach that address. Hutchins registered the URL, which had the effect of shutting down the version of WannaCry then circulating in the wild.
"Many of the versions we see spreading in the wild today are modified versions of the original, and they do not have - or else they bypass - the kill switch, which contributes to the spread," Ferguson tells me. "But the vast majority of these detections have a broken encryption module, meaning they still spread but do not encrypt - and thus go unnoticed."
That's a reminder that while WannaCry may be the most detected malware, it doesn't mean it's the most damaging or even infects the most systems. Not every such piece of code in circulation gets past security software, and even if it does, that's no guarantee of success.
Flaws Slowly Fade Away
While that's all positive, that WannaCry continues to circulate means it is still continuing to infect at least some unpatched systems.
Unfortunately, some unpatched systems fade away asymptotically, declining in number but never reaching zero (see: Eternally Blue? Scanner Finds EternalBlue Still Widespread).
In 2020, for example, the 15th-most-seen piece of malware by Trend Micro was Conficker - a malware family that was first spotted hitting a Microsoft Server vulnerability in 2008. "Other variants after the first Conficker worm spread to other machines by dropping copies of itself in removable drives and network shares," according to Trend Micro. And the malware, which includes the ability to try and spread itself to a number of randomly generated URLs, continues to spread.
"Just as we saw with Conficker, the most widely successful wormable malware becomes almost a permanent hangover," Ferguson says.
From a profitability perspective, attackers wielding crypto-locking malware for targeted attacks are continuing to have a heyday, racking up nearly $370 million in known profits last year, blockchain analysis firm Chainalysis reports. That figure represented a 336% increase over known 2019 earnings.
While ransomware profits may be surging, from a quantitative standpoint, when it comes to the most-seen malware in the wild, little has changed in recent years.
Finnish security firm F-Secure, for example, reports that 2020's top malicious code attacks were network exploits and file-handling errors. And the most-seen type of attempted exploit continues to be against the SMB_v1 flaw known as EternalBlue.
"There are three different threat detections that contributed to this: Rycon, WannaCry and Vools," Christine Bejerasco, vice president of security firm F-Secure's Tactical Defense Unit, tells me.
Some of the other most prevalent types of attacks in the wild last year utilized LNKs, which are Windows shortcut files "used by different types of malware in order to point to the different implants that they have, and then execute those," Bejerasco said in a recent F-Secure webcast.
Unpatched Windows Flaws: Never a Good Sign
Ferguson says he's not at all surprised that WannaCry hasn't died.
"So what is the biggest lesson and how much should we worry? The biggest lesson is that there are still far too many machines not patched against even 3-year-old vulnerabilities - and older - on both public-facing and private networks and that fact, rather than the survival of WannaCry, should be the biggest concern," he says.
Odds are that if an organization has a system vulnerable to old malware, there are many more sins present, too.
"We need to be a little bit more religious than this when it comes to elevating our security posture, because if we leave such types of vulnerabilities unpatched for too long, what else are we doing?" says Bejerasco.