BreachExchange mailing list archives
WannaCry Wakeup Call Not Heard?
From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Tue, 27 Jun 2017 12:36:58 -0500
https://www.riskbasedsecurity.com/2017/06/wannacry-wakeup-call-not-heard/

It has been reported that Petya is spreading <https://www.wired.com/story/petya-ransomware-outbreak-eternal-blue/> by using a code execution vulnerability in Microsoft Office and WordPad (CVE-2017-0199) and then taking advantage of EternalBlue (CVE-2017-0145), the same vulnerability exploited by WannaCry. Most people would agree that WannaCry was a pretty big event, and it should have served as a big wake-up call about the risks and the importance of patching or, if patching is not possible, applying proper workarounds to mitigate the risk. Unfortunately, the fast spread of Petya makes it pretty clear that, whether or not the reasons for not updating systems were valid, many companies were unable to properly address things the first time around.

Neither of the vulnerabilities exploited by Petya is new. The vulnerability in Microsoft Office and WordPad, which abuses how OLE 2 Link objects in documents are permitted to request and execute HTA code, is known to have been exploited as far back as October 2016 to deliver FINSPY spyware and later the Dridex banking trojan. This vulnerability was patched in April 2017. EternalBlue, as we know, was also previously disclosed via the NSA leaks and exploited by WannaCry. Microsoft provided a fix in March 2017 and even released special fixes for older, unsupported operating systems (Windows XP, Windows 8, and Windows Server 2003) in May 2017.

There have been a lot of conversations recently about many organizations' ability to patch, and how it is not always possible. No matter where you stand in this debate, if your organization is running unpatched software you are at serious risk, and not only from these ransomware events. It is critical that all organizations that are able to do so apply patches for these known vulnerabilities.
If there is a legitimate reason this is not possible, it is imperative to take other precautions and implement compensating controls to protect systems and mitigate the risk. One such approach is to stop using antiquated protocols such as SMBv1. It is 30 years old, and even Microsoft has been warning against using it for a while, well before WannaCry. More information will continue to be published by researchers and security firms as this event unfolds, including what appear to be other techniques Petya is using for lateral movement <https://twitter.com/HackingDave/status/879738542276186114>. But to be clear, this is not the first and will not be the last systemic ransomware event, and we should all expect the next one to be an improvement on previous versions. Make sure that you are prepared!
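The SMBv1 compensating control above, as an added example that is not part of the original post: a PowerShell script that audits whether a Windows host still offers the SMB1 dialect, reports any clients currently negotiating it (the legacy dependencies that usually explain why SMBv1 was never turned off), and disables it only when run with -Remediate. It assumes an elevated session; Get-/Set-SmbServerConfiguration and the SMB1Protocol optional feature exist on Windows 8.1 / Server 2012 R2 and later, and the LanmanServer registry value is used as the fallback on older hosts.

```powershell
# Added example (not from the article): audit and, on request, disable SMBv1 on a Windows host.
# Run in an elevated PowerShell session. Cmdlet availability is an assumption:
# Get/Set-SmbServerConfiguration exist on Windows 8.1 / Server 2012 R2 and later;
# the registry path used for older hosts is the documented LanmanServer SMB1 setting.

param([switch]$Remediate)   # audit only by default; -Remediate disables SMBv1

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    $state = [ordered]@{}
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Server side: is the SMB1 dialect still offered to clients?
        $state.ServerSmb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Older hosts (Windows 7 / Server 2008 R2): SMB1 DWORD; an absent value means enabled
        $reg = Get-ItemProperty $LanmanParams -ErrorAction SilentlyContinue
        $state.ServerSmb1Enabled = ($null -eq $reg.SMB1) -or ($reg.SMB1 -ne 0)
    }
    # Optional feature (where present): disabling it removes the SMB1 driver entirely
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat) { $state.Smb1FeatureState = $feat.State.ToString() }
    # Evidence of legacy dependencies: sessions currently using a 1.x dialect
    $sessions = Get-SmbSession -ErrorAction SilentlyContinue | Where-Object { $_.Dialect -like '1.*' }
    $state.ActiveSmb1Sessions = @($sessions).Count
    [pscustomobject]$state
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty $LanmanParams -Name SMB1 -Type DWORD -Value 0 -Force
    }
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

$before = Get-Smb1State
$before | Format-List
if ($Remediate -and $before.ServerSmb1Enabled) {
    if ($before.ActiveSmb1Sessions -gt 0) {
        Write-Warning "$($before.ActiveSmb1Sessions) client(s) still negotiate SMB1; upgrade or replace them before disabling."
    }
    Disable-Smb1
    Get-Smb1State | Format-List
}
```

A non-zero ActiveSmb1Sessions count is the inventory of devices (old NAS boxes, printers, unpatched clients) that must be addressed before the protocol is switched off, which is the part of this control that organizations most often skip.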
_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange