Slashdot Mirror


Wana Decryptor Ransomware Using NSA Exploit Leaked By Shadow Brokers To Spread Ransomware Worldwide (threatpost.com)

msm1267 quotes a report from Threatpost: A ransomware attack running rampant through Europe today is spreading via an exploit leaked in the most recent Shadow Brokers dump. Researchers said the attackers behind today's outbreak of WannaCry ransomware are using EternalBlue, an exploit made public by the mysterious group in possession of offensive hacking tools allegedly developed by the NSA. Most of the attacks are concentrated in Russia, but machines in 74 countries have been infected; researchers at Kaspersky Lab said they've recorded more than 45,000 infections so far on their sensors, and expect that number to climb. Sixteen National Health Service (NHS) organizations in the U.K., several large telecommunications companies and utilities in Spain, and other businesses throughout Europe have been infected. Critical services are being interrupted at hospitals across England, and in other locations, businesses are shutting down IT systems.

An anonymous Slashdot reader adds: Ransomware scum are using an SMB exploit leaked by the Shadow Brokers last month to fuel a massive ransomware outbreak that exploded online today, making victims all over the world in huge numbers. The ransomware's name is Wana Decrypt0r, but it is also referenced online under various names, such as WannaCry, WannaCrypt0r, WannaCrypt, or WCry. The ransomware is using the ETERNALBLUE exploit, which uses a vulnerability in the SMBv1 protocol to infect vulnerable computers left exposed online. Microsoft issued a patch for this vulnerability last March, but there are already 36,000 Wana Decrypt0r victims all over the globe, due to the fact they failed to install it. Until now, the ransomware has laid waste to many Spanish companies, healthcare organizations in the UK, Chinese universities, and Russian government agencies. According to security researchers, the scale of this ransomware outbreak is massive and never-before-seen.
UPDATE: The Guardian reports that "An 'accidental hero' has halted the global spread of the WannaCry ransomware" by discovering a kill switch involving "a very long nonsensical domain name that the malware makes a request to." By registering that domain, the spread of the ransomware was effectively halted.

29 of 197 comments

  1. Say "thanks" to your "security"-agency... by ffkom · · Score: 5, Insightful

    who chose to weaponize security holes rather than having them fixed for some actual security.

    1. Re:Say "thanks" to your "security"-agency... by Anonymous Coward · · Score: 5, Insightful

      No. Say thanks to Micro$oft for making people extremely gunshy after their concerted efforts to force Windows 10 down everyone's throats.

      It's bad enough to worry that an update to a bad driver will brick your machine without the problem of waking up to find Windows 10 on your machine.

      I'm sure there's enough blame to go around here, but don't forget that the update paranoia around Windows OS's was brought to you by none other than Micro$oft themselves.

    2. Re:Say "thanks" to your "security"-agency... by saloomy · · Score: 4, Insightful

      But this isn't a zero-day. "Microsoft issued a patch for this vulnerability last March, but there are already 36,000 Wana Decrypt0r victims all over the globe, due to the fact they failed to install it."
       
      Blame lax IT policies and ineffective management for leaving machines exposed to the internet unpatched. Of course you're going to get hosed. Most know to put up a firewall, enable the machine's firewall, or air-gap their systems.

    3. Re:Say "thanks" to your "security"-agency... by dbIII · · Score: 5, Insightful

      But this isn't a zero-day. "Microsoft issued a patch for this vulnerability last March, but there are already 36,000 Wana Decrypt0r victims all over the globe, due to the fact they failed to install it."

      Since there were so many people that turned off updates to avoid getting MS Windows 10 unasked I don't think blaming the victims is a useful approach.

  2. Tally by burtosis · · Score: 2

    Successful NSA exploits used: maybe a handful
    Number of affected worldwide when it leaks: Tens of thousands to potentially millions

  3. Obscurity is not security. by Gravis Zero · · Score: 5, Insightful

    I've said it before but it bears repeating.

    When you create an exploit, you create a weapon but when you submit a fix, you make that weapon ineffective. So now instead of having the world's best armor, we have an absurd cache of weapons and those weapons have been stolen. The moral isn't to protect your weapons better, it's that you should be making better armor.

    --
    Anons need not reply. Questions end with a question mark.

  4. It hit the NHS hard by Anonymous Coward · · Score: 5, Interesting

    I'm a doctor in the NHS. It hit my hospital hard. The bosses triggered the MAJAX protocols meaning everyone off work was called to come in and help. Computers are used for everything, so blood tests, admissions, scan requests, referrals, all had to be done by hand. The public were asked to keep away from A+E because hundreds of people were waiting. It was terrifying how little failsafe infrastructure there was. The hospital just stopped working.

    1. Re:It hit the NHS hard by Anonymous Coward · · Score: 4, Insightful

      And you use unpatched computers in a hospital WHY? How the hell is it that the PC my kid plays Minecraft on is patched, but the ones you use for MEDICAL CARE are not!? WTF!?

    2. Re:It hit the NHS hard by Anonymous Coward · · Score: 5, Informative

      They may remain unpatched because of a fear that the patch could cause serious errors in the same systems. Most large organizations don't immediately apply patches throughout their infrastructure. They test the patches extensively before deciding to deploy them. In many cases there are laws and regulations in place that say systems have to be certified before they are deployed. Getting the certification for a patched system, even when the unpatched system is certified, can be a huge and expensive task which may involve hiring specialized firms to run extensive tests.

      Some organizations are just negligent and risk problems by not patching while others are super vigilant and risk different problems by delaying patches.

    3. Re:It hit the NHS hard by Anonymous Coward · · Score: 3, Informative

      Due to Microsoft's continuous fuckery with Win10, telemetry, updates which break shit, and now rolled-up updates which make vetting them (*) an order of magnitude harder and more time consuming, the last time my Win 7 install was updated was Sept 2016, and even that was due to more fuckery by Microsoft.
      I left my machine set to 'check for updates but don't install', yet it suddenly flipped to install updates automatically after several years without any warning or change by myself - suspicious, eh? Since then I have the service stopped and set to never check.

      I can't blame ANYBODY for not having a fully patched machine when microsoft tries to make it as painful an experience as possible.

      (*) Due to a series of botched kernel updates they released a few years ago, I ALWAYS wait at least 1 week after patch release, then google every single KB before installing to ensure it isn't going to be an issue.

    4. Re:It hit the NHS hard by TroII · · Score: 4, Insightful

      And you use unpatched computers in a hospital WHY?

      Because patches are often broken. Imagine these hospitals had applied the patch when Microsoft released it, but the patch was faulty in some way, and all of the hospital computers went down as a result. Instead of complaining the hospitals were running unpatched, you and/or many people like you would be bitching and moaning that they were negligent to install the patch too soon.

      Updates from Microsoft frequently include at least one broken patch. There was one update last year that broke millions of peoples' webcams. There have been several updates that interfered with settings and reverted them back to default configurations, and several more updates that seemingly deleted group policy objects that had been configured by the domain administrator. There was a patch around the new year that inadvertently disabled the DHCP service, despite the update itself having nothing to do with DHCP. (Things that make you go hmmm.) This particular fuck-up rendered a lot of machines not only broken, but totally irreparable without manual human intervention, i.e. dispatching someone clueful to each of your premises to clean up the mess.

      Patch deployment in any enterprise environment requires extensive testing. You have to coordinate with your software vendors to make sure their applications are compatible with the update. If you install Patch XYZ without first getting approval from Vendor123, you wind up invalidating your support contracts with them. All of this takes time. In 2016, there were several months in a row where Microsoft had to un-issue, repair, supersede, and re-release a broken patch they'd pushed out. Put yourself in the shoes of an admin team who got burned by Windows Update breaking your systems, especially repeatedly. Are you going to be in any hurry to patch? If you were bitten by the DHCP bug, do you trust that the "critical SMB patch" really only touches SMBv1, and isn't going to inexplicably corrupt Office or remove IPv4 connectivity on every computer it touches?

      If the PC your kid plays Minecraft on gets hosed by a broken patch, it's not that big of a deal. The business world is a different story.

  5. Say "thanks" to leakers by mi · · Score: 2

    chose to weaponize security holes

    Like any weapon, this one is dangerous (deadly!) in the wrong hands. It was not the NSA, who placed it into the wrong hands, however.

    --
    In Soviet Washington the swamp drains you.

    1. Re:Say "thanks" to leakers by LT218 · · Score: 2

      It was the NSA who failed to properly secure and protect their "weapon" that could wreak havoc globally if it got into the wrong hands. It was and is their responsibility.

    2. Re:Say "thanks" to leakers by ffkom · · Score: 2

      There could have hardly been any more "wrong" hands than those of the NSA, obviously. The "right" hands would have acted in favor of mankind, not like a villain stockpiling doomsday devices in a garden locker for any petty thief to steal.

    3. Re:Say "thanks" to leakers by mi · · Score: 2, Interesting

      Whatever, dude. But I still think, the blame ought to be distributed in the following order:
      1. Those, who unleashed the stolen weapon.
      2. Those, who stole the weapon.
      3. Microsoft.
      4. NSA.

      --
      In Soviet Washington the swamp drains you.

  6. What boggles my mind by guruevi · · Score: 3, Informative

    Is that there are still 45k Windows machines that are directly connected to the Internet.

    Any Windows machine I manage (mostly very specific medical software and medical machines) are either VM (and thus behind a firewall and any service proxied to a BSD or Linux host) or airgapped.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com

    1. Re:What boggles my mind by RandySmith6424 · · Score: 3, Interesting

      They don't have to be directly connected to the internet. They just have to have a shitty network admin that didn't close 445 on the firewall and didn't patch Windows.

    2. Re:What boggles my mind by xvan · · Score: 2

      Here, "one person's carelessness" translates to somebody plugging his laptop in at multiple places because he's doing real work. You can't push the blame to the users.

  7. National Insecurity Agency by TiggertheMad · · Score: 4, Informative

    The NSA (and other ABC agencies that are undoubtedly running the same game plan) are doing what they are tasked with, finding ways to protect America and America's interests. Using hacking as a tool to this end is (relatively) new in the old game of spycraft, so there are going to be a few epic disasters like this before the black ops people start to figure out all the types of blowback they can experience. The US was really big on foreign covert action in the 50's, and it took the Bay of Pigs to make people realize that there were ways that things could go horribly wrong. That didn't stop covert action from being used, but I think it was employed more carefully afterwards. Having all their shiny hacking toys stolen and having this happen is the hacking version of the 'Bay of Pigs'.

    Also, while the NSA seems to have compiled a formidable array of exploits and tools to compromise enemy systems, that doesn't mean that everyone else isn't playing the exact same game. The only difference between the NSA and EVERY other state intelligence agency on the planet is that they seem to be able to properly secure their black ops toys. Being one of the largest agencies of this sort, there are going to be a lot of people in the know. And the more people involved, the harder it is to keep a secret.

    Mind you, that doesn't make this any less tragic or regrettable. I sort of hope the CIA decides that it is in the US interest to find and vanish anyone connected with this ransomware to make an example of them. Alas, that sort of thing only happens in implausible Hollywood scripts.

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!
    1. Re:National Insecurity Agency by ancientt · · Score: 2

      Remotely exploitable network vulnerabilities shouldn't happen, but there seems no practical hope that they'll stop anytime soon. It would be negligent of legitimate spy agencies to fail to search for them and arguably be able to take advantage of them. Imagine you're trying to find out when an ISIS group is planning a bombing and you discover they're running a messageboard on a Windows machine with an SMB exploit, do you tell Microsoft to patch the exploit?

      You never know which of the vulnerabilities you'll be able to use, but if you dedicate sufficient resources to finding them and building exploits for them, then there is a good chance you'll be able to spy on whichever bad guy your agency needs to spy on when the need arises. Getting all the vendors to patch the exploits you find does limit your own agency's ability to spy but you have to assume it doesn't impair your enemies as significantly since the enemy doubtless will have exploits you don't have.

      What's the best solution? I suspect the best thing to do is build force-patch worms for every exploit. If you write an exploit, you should also dedicate resources to the task of writing a version of the exploit which pressures the owner of the exploited system to fix the problem. So in this instance, as soon as the attacks started being seen in the wild, the NSA servers should have launched a MASSIVE attack against any and all systems with the vulnerability which would disable the vulnerable systems in the least painful ways along with alerting the owners of the need to update their systems. Instead of getting "your files are encrypted and give hackers bitcoin to recover" messages, the people with exploitable systems should be seeing warnings like "Your system has been temporarily patched by the NSA for your own protection, please secure or update your device to protect it from malicious actors."

      The Hajime botnet may actually already be just the thing I'm describing. I'd prefer to see the NSA take public responsibility, and I'm doubtful the NSA is actually responsible for that one, but it is an example of how it could be done.

      If I have a vulnerable system, I'd much prefer to see it hacked by the NSA instead of some ransomware writer. Do I wish it wasn't hackable? Of course, but I accept that anything plugged into a network might be hackable. I do what I can to protect it from everyone, including the NSA. It's not that I'm worried about the NSA (because they have the resources to gain physical access if they really want it) but if I do my best to build secure systems, then it's less likely I'll wake up to a ransomware message some morning.

      --
      B) Eliminate all the stupid users. This is frowned upon by society.

  8. Re:The NSA should Compensate.... by Gravis Zero · · Score: 4, Insightful

    EVERY Person, and EVERY Business, that this will do damage to. It's their tool, POORLY secured, that caused this ENTIRE MESS!

    You got it all wrong. The entity to blame is Microsoft. Their operating system is poorly secured which is the root cause of this entire mess.

    --
    Anons need not reply. Questions end with a question mark.

  9. Re:That only happened to idiots. by Man On Pink Corner · · Score: 3, Insightful

    Microsoft told lie after lie after lie about their intentions. There was absolutely no reason to believe that setting your update threshold to "Critical Only" would save you from an unsolicited Windows 10 installation.

    The only rational course of action for those who didn't want Windows 10 was to turn off Windows Update entirely. Deny this all you want, but be prepared for justified accusations of victim-blaming.

  10. and Microsoft isn't fixing Windows 7 by Anonymous Coward · · Score: 2

    they stopped helping 50% of windows users

    ergo windows 7

    get ready cause to be infected "the im not migrating to crap spyware that the nsa has more holes in then swiss cheese is now swiss cheese too"
    thank microsoft too whom helps them

    btw waving from

  11. The eternal issue is one of blame. by Neo-Rio-101 · · Score: 2

    IT admins: Let's patch this box
    IT management: NO. You can't do that! We need a stable operating environment. Sorry you don't have a maintenance window until 6 months from now.
    IT admins: But we'll get hacked!
    IT management: Then we'll blame the hackers! It won't be our fault that the system has downtime. We'll keep our jobs!
    IT admins: Oh I get it. If we bring servers down for maintenance, that will be our fault and we'll get fired.... but if we get hacked - it's not our fault.
    IT management: YES! and then we can blame Microsoft and point the finger at all our vendors.

    --
    READY.
    PRINT ""+-0

  12. inside of a bureaucracy... by Anonymous Coward · · Score: 2, Insightful

    common sense tends to get driven out by a business MBA who is an expert in efficiency.

    proprietary software created by a vendor that is 4 guys in an office somewhere on the other side of the planet, who just got bought out by megacorp which then spun off as dildicorp and fired all the original creators... does not have a flying clue about why your Blobnatz75 driver doesn't work on Windows 10, nor are they going to get an answer anytime soon.

  13. That is not how it infects by dbIII · · Score: 4, Informative

    Certainly they should have blocked SMB shares from the internet.

    That's not how it gets on a network, even a large one like that. Somebody gets tricked into installing the malware from an email attachment or link via a vulnerability in IE or MS Office (Outlook not so good) and then it spreads across a local network via a weakness in an SMB implementation. Multiple levels of "fail" but not at the firewall, and not a lot that Microsoft's customers can do about it, especially in a tight budget situation with IT as a very low priority.

    Your suggestion (while a good one that would have already been done since it's so obvious) would not have helped.

  14. Re:Exactly. Precisely spot-on. by BlueStrat · · Score: 2

    Pain is what makes the lesson sink in. The world's pain will motivate it to demand that our Intelligence agencies disclose vulnerabilities rather than sit on them, and further will demand enough transparency that they can prove they are doing this.

    It won't happen immediately. But as hospital deaths roll in, and the seriousness of this failure starts to sink in, claims that this is all the fault of those who leaked the exploit will fall on some very deaf ears.

    That's not what will happen at all. Nobody in government (that matters) will be held accountable for these attacks using their own leaked tools. They will not change, they will change the rules as in no more general purpose computers.

    Governments will simply push for the elimination of general-purpose computers owned by the general public at large. One will have to show cause to own a GP computer and it will be licensed and registered with government, as will any device allowed to connect to the internet.

    Strat

    --
    Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.

  15. Munich government not affected by TheNarrator · · Score: 2

    Remember how Munich switched to Linux? Yup, not affected.

  16. Re: That only happened to idiots. by HiThere · · Score: 2

    Actually, I think many of them were primarily used by people who didn't even know they were using a computer. They thought they were using an X-ray machine or some such. And those people had no authority to tamper with the software.

    I'll grant that there were lots of other infected groups, but many of them had good reason to not update their systems. The problem is those machines should never have been connected to the net, and THAT is at least 2/3 on the manufacturers. But MS doesn't deserve any denial of blame, nor does NSA. There's lots of groups that you can point to who were doing short-sighted ego-centric optimization. I can't think of even ONE in a position of power that either primarily acted for social benefit, or appears to have had that as their motive.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.