The latest ransomware attack which affected thousands of victims around the world brings a strong sense of déjà vu. The malware is different from the one used by WannaCry back in May, and the criminal group responsible is different, but the advice for dealing with the infection outbreak remains the same: Patch vulnerable systems, don’t pay the ransom, and restore from backups.
The new ransomware--Kaspersky Lab named it ExPetr after determining it was not a variant of the Petya malware—involved several vectors of compromise, including EternalBlue and EternalRomance, exploits ostensibly developed by the United States National Security Agency. EternalBlue, a Windows-based SMBv1 exploit, was also used in WannaCry back in May.
Unlike WannaCry, ExPetr appears to spread over local networks and not the Internet, but ExPetr encrypts the Master Boot Record, which is far more damaging than just encrypting individual files. ExPetr may be a new attack, but there is nothing new in terms of what it does. It exploits several known vulnerabilities, spreads via a protocol that shouldn’t be exposed to the Internet, and abuses an existing operating system utility (PsExec).
What’s also familiar is the finger-pointing and the blaming. Security experts took to blogs, social media and email to pontificate:
- This attack was yet another example of organizations not taking security as seriously as they should.
- These attacks could have easily been avoided if organizations had their systems patched properly and implemented a defense-in-depth approach to securing their networks.
- WannaCry should have been the wake-up call, but the fact that the new ransomware spread around the world so rapidly showed that there are still plenty of organizations and users who have yet to apply the MS17-010 patch released by Microsoft back in March.
- SMBv1 is old—there is no reason for the port to be open to the Internet. Neglecting security—in terms of investment, time, or priority—is irresponsible.
And the list goes on and on.
Stop. Scolding doesn’t help.
IT and operations are fully aware that core IT and security fundamentals, such as patch management, regular backups, disaster recovery and business continuity, and incident response, are critical to protecting their networks and users from damaging attacks. Acting like they are irresponsible or incompetent for being behind on patching is unhelpful and ignores the challenges they and their beleaguered security colleagues face. It’s undisputed reality that vulnerable systems are running software that is out of support, out of date, or just unpatched. This is not a surprise to anyone—or it shouldn’t be—in security.
“What always seems to take some by surprise, however, is that no matter how much we talk about patching as the solution, it doesn’t happen in many cases,” said Wendy Nather, principal security strategist at Duo Security. “It’s almost as if talking about the problem and ‘raising awareness’ isn’t enough to actually solve it.”
Don’t assume negligence. Understand the challenges.
If the system isn’t under your control, you can’t update it
It’s easy to say that all systems should be patched regularly, but it overlooks a key issue: IT doesn’t always have access to the systems on its networks. When patching systems can void the warranty or license terms, then staying on top of updates for those systems is not an option. “The issue is widespread, especially among organizations below the security poverty line, but it applies just as much to financial trading terminals and banks as it does to the network run by a centralized higher education system,” Nather said.
Recognize the organizational constraints
This is a big issue in the public sector, where legislative rules and spending cuts designed to rein in government spending interfere with IT security spending. “Taxpayers are not going to pay to update hardware and software that are working just fine,” Nather said. Outside the public sector, there may be other constraints on the organization. A non-profit has strict rules on what it can do and where it can spend money, for example.
“Built to last” directly conflicts with “update early and often”
When technology costs millions of dollars (say, an MRI machine), you expect it to last for years. Needing regular maintenance windows to update the software seems the antithesis of that promise. In healthcare, patient safety is critical, which means the equipment has to be retested and recertified as being safe every single time the software gets changed.
Any system with external, highly entangled dependencies will take longer to update
Organizations on average take 120 days to patch their systems. That includes testing against different system configurations, making sure there are no application conflicts, and verifying that current functionality doesn’t get lost. The complex web of dependencies means an update can inadvertently break something important. Consider Windows XP—an old operating system that continues to live on in kiosks and equipment, and can’t easily be phased out despite the fact that the desktop version is no longer supported.
“We need to address decades of legacy systems and organizational constraints, as well as the plain fact that nobody knows today how much effective security should cost a given enterprise; we don’t even know whether it’s affordable,” Nather said.
Be realistic and pragmatic
Come up with answers that reflect the architecture that currently exists, and not the utopian ideal of what IT infrastructure should look like. Organizations have legacy systems and many have made massive investments over the years in unpatchable systems and equipment. Migrations aren’t always the answer, and the security industry needs to be more creative about finding ways to work with organizations on upgrading obsolete systems or putting in safeguards to protect what is in place. There are restrictions on what the organization can do with its funds, which requires another set of creative ideas on making do with limited resources.
“Given the levels of complexity, externalized risk, economic incentives, and technical debt involved in this problem, we may need the equivalent of an Affordable Healthcare Act for technology,” Nather said.
If the organization has systems running unpatched software, updating the software is a good first step. But when that isn’t an option, as is frequently the case, cut out the finger-wagging and look for workarounds. Precautions include limiting and securing the use of PsExec, restricting user permissions, disabling SMBv1, and blocking ports 445 (SMB) and 139 (file and printer sharing) from users outside the organization. In the case of ExPetr, it appears blocking c:\Windows\perfc.dat from writing or executing can stop the infection. Proactively creating a file called perfc with no extension in %windir% will also prevent the ransomware from executing.
“We shouldn’t be terribly surprised to see another WannaCry-esque attack rear its ugly head, and frankly, we should all admit that this won’t be the last time. And it will probably get worse before it gets better,” Nather said.