Does WannaCry Mark a New Era of Global, Distributed Cybercrime?
Skybox Blog Team May 15, 2017
It reads like a chapter straight out of Girl With the Dragon Tattoo. WannaCry’s estimated impact (so far) is huge: more than 150 countries have been affected, with 200,000 detections showing up across industries, governmental agencies and more.
WannaCry spread with lightning speed because it’s a combination of ransomware and malware that only needed to be downloaded to one machine, after which it could spread throughout a system on its own. To make matters worse, the exploit that was used to deliver WannaCry — EternalBlue — is reportedly among the U.S. National Security Agency (NSA) exploits that were leaked by Shadow Brokers in April. It targets a group of Microsoft Windows vulnerabilities in computers and servers known collectively as MS17-010.
Microsoft delivered a patch for supported systems affected by MS17-010 on March 14, 2017. Some systems affected are no longer supported by Microsoft, and there were no patches available for Microsoft Windows XP, Windows Server 2003 and Windows 8 in the March 14, 2017, update. After the WannaCry outbreak, however, Microsoft issued patches for these systems on May 13, 2017.
What’s obvious is that many organizations didn’t prioritize the need to patch or mitigate MS17-010 back in March, and so became victims. The spread of WannaCry may have been slowed (see story on British researcher known as “MalwareTech”), but there have been reports of a new version of the malware. And there are warnings of a second wave of the attack from variants.
Skybox’s Research Lab has also identified at least two other exploits that target MS17-010, EternalRomance and EternalSynergy. Marina Kidron, who heads up the Lab, reported just last week on three major trends they’ve been following. Included among those is a prediction that hackers would continue throughout 2017 to target specific vulnerabilities used in exploits released by the Shadow Brokers — and that we can expect more exploit dumps in the near future.
In other words: this ain’t going away anytime soon.
The spread of WannaCry is an example of distributed cybercrime, a new business model for cybercriminals that Skybox has been warning about. A recent article by Skybox CTO Tal Sheffer, published in DataBreach Today, brought attention to the global threat distributed cybercrime poses:
Ransomware and banking Trojans dominate the cybercrime mainstream today, and their technical operations are heavily analyzed. But little attention has been given the business model which plays a large role in dictating their behavior, targets and tactics.
A revolutionary concept in cybercrime is what I call “distributed cybercrime,” a business model in which cybercriminals attack many victims in the same campaign. Like many other inventions now common in modern life, distributed cybercrime may seem trivial today. But this concept emerged little more than a decade ago and has already dominated the threat landscape.
Improved ROI and the support of a newly erected “dark industry” have made distributed cybercrime the hottest trend in cybercrime. Most of the professional cybercriminal groups today develop malware with a distributed business model, then use professional platforms, distribution services and infection experts to attack the world. They don’t know who their victims are nor do they care. They’re not looking to get points on style. They’re just businessmen who built the perfect, automated money-making machine.
For us at Skybox, the WannaCry outbreak further emphasizes the need for organizations everywhere to change their approach to managing and prioritizing vulnerabilities, if they want to stay ahead of increasingly organized and sophisticated hackers.
Security teams need to go from an exercise of trying to patch everything all the time (which is simply impossible) to focused, intelligent action that considers what exploits and other tools hackers are actually using in the real world. In other words, they need to go from simple vulnerability management to threat-centric vulnerability management. This means correlating multiple factors — in and outside your environment — to determine the risk a vulnerability poses, including:
- Intelligence on vulnerabilities being exploited in the wild (such as MS17-010 being targeted by the EternalBlue exploit)
- And, the context of an organization’s environment, such as: potential attack paths and security controls in place, each asset’s exposure and importance to the business, and details of existing vulnerabilities
Using this information, security teams can narrow the huge volume of “known” vulnerabilities that are potential threats down to a small, manageable number of vulnerabilities that are identified as imminent threats — exposed vulnerabilities known to be exploited in the wild.
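The narrowing step described above, as an added Python sketch that is not Skybox code or part of the original post: findings are kept only when the vulnerability is on an exploited-in-the-wild list and the vulnerable service is reachable from an untrusted zone under first-match firewall rules. All assets, addresses, zones, rules and the `SAMPLE-VULN-1` identifier are constructed; TCP 445 is assumed as the SMB port through which MS17-010 is reached.

```python
import ipaddress

# Constructed sample data; none of it comes from the original post.
EXPLOITED_IN_WILD = {"MS17-010"}  # stand-in for a threat-intelligence feed
FINDINGS = [  # (asset, ip, vulnerability id, business importance 1-5)
    ("file-srv", "10.1.0.10", "MS17-010", 5),
    ("kiosk", "10.2.0.20", "MS17-010", 2),
    ("hr-db", "10.1.0.30", "SAMPLE-VULN-1", 4),
    ("lab-pc", "10.3.0.40", "MS17-010", 1),
]
VULN_SERVICE = {"MS17-010": 445, "SAMPLE-VULN-1": 1433}  # TCP port of the flawed service
# Ordered rules, first match wins: (action, source zone, dest network, port or None for any)
RULES = [
    ("deny", "internet", "10.1.0.0/16", 445),
    ("allow", "partner", "10.1.0.0/16", 445),
    ("allow", "internet", "10.2.0.0/16", None),
    ("deny", "any", "0.0.0.0/0", None),
]
UNTRUSTED_ZONES = ("internet", "partner")

def reachable(zone, ip, port):
    """Evaluate the rule list top-down for one flow; default deny."""
    addr = ipaddress.ip_address(ip)
    for action, src, dst, rule_port in RULES:
        if (src in (zone, "any") and addr in ipaddress.ip_network(dst)
                and rule_port in (None, port)):
            return action == "allow"
    return False

def exposing_zones(ip, vuln):
    """Untrusted zones from which the vulnerable service can be reached."""
    return [z for z in UNTRUSTED_ZONES if reachable(z, ip, VULN_SERVICE[vuln])]

def imminent_threats():
    """Exploited in the wild AND exposed, ranked by business importance."""
    hits = []
    for asset, ip, vuln, importance in FINDINGS:
        zones = exposing_zones(ip, vuln)
        if vuln in EXPLOITED_IN_WILD and zones:
            hits.append((asset, vuln, zones, importance))
    return sorted(hits, key=lambda h: -h[3])

if __name__ == "__main__":
    for row in imminent_threats():
        print(row)
```

Of the four constructed findings, only two survive: `lab-pc` carries MS17-010 but is unreachable, and `hr-db` has no known in-the-wild exploit.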
Back in March, Skybox Security published details on MS17-010, including tagging it as a “critical vulnerability.” In April, we updated those details to include new information that MS17-010 had three exploits available in the wild:
“Protecting an organization from this type of attack requires securing both the endpoint layer and network layer,” says Ravid Circus, VP of Products for Skybox. “If the network layer was secured, the impact of infection would have been significantly lower and vice versa. In other words, the risk associated with this attack and potential impact is directly related to the sum of all the exposures on an organization’s attack surface. Unfortunately, most organizations simply don’t know all those exposures.”
To accurately prioritize vulnerability patching and/or mitigation — and protect against an attack like WannaCry in the future — organizations need to take a more holistic approach to security, which includes the following:
- Gaining comprehensive attack surface visibility
- Ensuring they have a complete understanding of ALL the exposures on their attack surface, including on endpoint and network layers
- Correlating that information to real-time intelligence on vulnerabilities being targeted by exploits in the wild
Skybox’s solutions for Threat and Vulnerability Management give security teams these tools, enabling them to quickly discover, prioritize, remediate and track vulnerabilities. This includes identifying all the devices that contain the MS17-010 vulnerabilities in your systems. Read more about threat-centric vulnerability management with Skybox here.
Should your organization become the victim of a breach, like WannaCry, Skybox’s Security Policy Management solutions can also help identify all the routes and firewall rules using the infecting services and drive the creation of change requests to remove these rules and prevent further infection.
- Review your network topology, third party connections and access routes
- Ensure these routes block any potential attack path to prevent the next attack
Read more about Skybox solutions here.
New business models like the distributed cybercrime model are making it easier than ever for criminals — even those with limited skills and knowledge. Within minutes, they can gain access to exploits that deliver devastating malware like WannaCry. And even when one outbreak has been stopped, you can be sure another is going to follow. To keep up, organizations must rethink their approach to security management. It’s as simple as that.
- WannaCry Remediation Advisory
- Skybox Threat-Centric Vulnerability Management
- Skybox Security White Paper: It’s Time for a Smarter Approach: Threat-Centric Vulnerability Management.
- Distributed Cybercrime — Attack the World. How a business model innovation has changed the game of cybercrime.
- Press release: Skybox Security introduces threat-centric vulnerability management