WannaCry: So much distraction


So you maybe noticed there was some ransomware going around recently?  Sure you did.  If you’ve been in a coma for the past three days, a few things you need to know: she isn’t really your fiance (and she’s going to wind up with Bill Pullman anyway so don’t get too upset about it) and everyone is just getting over the WannaCry malware that was ransoming files and spamming the internet over the weekend.

Events like this are nothing if they are not a learning experience.  And there are a few things I think we can learn from this event.  First, I think it served to highlight a fairly significant issue that the security profession has been ignoring for quite a while now about patching.  I’ll need a full post to do that one justice, so I’ll discuss that one in future (probably tomorrow).  The bigger lesson though – the one that I’m going to focus on today – has to do with the response in the trade and mainstream media.  Specifically, it was a total cluster.  Well, maybe “cluster” is unfair; better stated, it was incredibly loud (coverage-wise) with a very, very reduced signal-to-noise ratio.  Long term, that’s a problem for a few reasons.

The issue in brief was that someone repurposed the existing SMB exploit (EternalBlue) that uses the issues described in CVE-2017-0143, CVE-2017-0144, et cetera to implant ransomware to the tune of $300 in Bitcoin.  The issue itself was mitigated in MS17-010.  As you might imagine (because it’s SMB), it propagated quickly.  And the result?  Absolute sheer, “hair on fire” panic.  If you think that’s hyperbole, take a look at the Google Trends analysis for the terms “ransomware”, “wannacry” compared to something fairly newsworthy like “brexit” over the period of this weekend:

Now, maybe you’re in the US and you’re thinking something like, “yeah but that’s Brexit… is that still even newsworthy outside of the EU and the UK?”  After all, it’s been some time now.  Well, for those on this side of the pond, how about comparing it with the search term “Comey”?  You may rightly suspect that recent events might cause that name to “pop” as a function of search interest:

You’ll notice that search interest in “ransomware” (even excepting for the moment the union of both “ransomware” and “wannacry”) exceeded that of the search term “Comey” at the height of the crisis.  That’s pretty significant, don’t you think?

Now, the press is no stranger to covering worms and malware – particularly when it causes visible, real-world impact like ambulances queued up outside hospitals.  But what I think is problematic about the “hype” is when it distracts from the actual workaday business of addressing the issue or comes at the expense of actually doing something useful.  Compare the response to WannaCry to, for example, how the press covers a weather event like a hurricane.  When there’s a hurricane coming, they track it, right?  There are people out there whose job it is to warn that a tropical storm is brewing.  There is a chain in place to communicate the issue to those watching the weather and report on events as they transpire (including who is impacted and when/how viewers should protect themselves).  Then, there is targeted coverage of the impact as it unfolds with a near-incessant repetition of how those who might not have received the message can protect themselves.  It’s a fairly mature, outcome-driven process for which the goal is to minimize impact.  In this case, the actual response was as close to the opposite of that as you could get: the warnings were there but nobody covered them — the information about who could be impacted and what they can do to protect themselves was there but was hard to find given the volume of other noise.  Ask yourself: how hard or easy would it be for someone to take action from that?

Look, it’s not like it takes a rocket scientist to know that a parcel of remotely-exploitable SMB issues, the nastiest of which had CVSS scores of 9+, was likely to be problematic.  People had been warning about that – and calling for action (like installing the patch) since EternalBlue was released.  See, here it is with an exclamation point after it in one of the early discussions of the released toolkit.  But yet, it seems like the world was unprepared.  Isn’t this kind of thing exactly the reason why intelligence-driven models are supposed to be more useful for security preparedness?  Isn’t this exactly what threat intelligence is for in the first place?  Likewise, a large percentage of the press coverage was totally silent on how to mitigate this issue when they did cover it — along with silence on whether or not people were impacted given various criteria (I had people for example asking me if their phones were vulnerable), etc.  How about a breakdown of who is – or isn’t – impacted and why?  Or a reference to an easy-to-find action plan for small organizations (like hospitals) and what they can do in the short term to respond and protect themselves?

Lastly, how did the analysis fail?  It took a 22-year-old (Marcus Hutchins) poking around the code from his room at his parents’ house to find the embedded kill switch.  Good for him, by the way… props for doing something useful to help the situation.  But where was the AV community?  Marcus (again, props) ran strings on the file, grepped the output for “com”, and lo and behold there was a URL in there.  Maybe it has something to do with remote communication?  So he tested that theory.  In doing so, he beat all the AV researchers to the punch on figuring out that there was an embedded kill switch to “slow the roll” of the malware.  Is it me, or wouldn’t you think running strings on the file would be one of the first things a malware research team would do?  Yeah, hindsight and all that…  But my suspicion is that instead of analyzing the file, AV shops were clamoring to contribute to the press hype rather than taking active measures to research the code.  No inside knowledge here… just my gut informing me that human nature is as human nature does.
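The triage step described above (dump the printable strings, then look for anything that resembles a network location), as an added example that is not from the original post or from Hutchins’ own tooling. It goes slightly beyond `strings | grep com` by also reading UTF-16LE text, which Windows binaries commonly use; the sample bytes and host names are constructed and sit under the reserved example.com domain.

```python
import re

MIN_LEN = 4  # same default minimum run length as strings(1)
ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# Windows binaries often store text as UTF-16LE: printable byte, then NUL.
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
URL = re.compile(r"https?://[^\s\"'<>]+")
HOST = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org)\b", re.I)


def extract_strings(data):
    """Return sorted (offset, encoding, text) for every printable run."""
    runs = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ASCII_RUN.finditer(data)]
    runs += [(m.start(), "utf-16le", m.group().decode("utf-16le"))
             for m in UTF16_RUN.finditer(data)]
    return sorted(runs)


def network_indicators(data):
    """Return (offset, encoding, indicator) for URLs and bare host names."""
    hits = []
    for offset, enc, text in extract_strings(data):
        urls = URL.findall(text)
        hits += [(offset, enc, u) for u in urls]
        for host in HOST.findall(text):
            # A host already reported as part of a URL is not repeated.
            if not any(host in u for u in urls):
                hits.append((offset, enc, host))
    return hits


# Constructed sample bytes (not from any real binary): a fake PE stub,
# one ASCII URL, one UTF-16LE host name, and two import names.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"This program cannot be run in DOS mode.\r\n\x00"
    b"\x8b\xff\x55\x8b\xec\x00"
    b"http://www.killswitch-placeholder.example.com\x00"
    b"\x01\x02" + "beacon.example.com".encode("utf-16le") + b"\x00\x00"
    b"kernel32.dll\x00GetProcAddress\x00"
)

if __name__ == "__main__":
    for offset, enc, indicator in network_indicators(SAMPLE):
        print(f"0x{offset:04x}  {enc:<9} {indicator}")
```

Each hit carries the file offset of the string it came from, so the analyst can go straight to the code that references it.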

My issue with this is that contributing to the feeding frenzy in the media is fine, but not when it comes at the expense of actually moving the ball forward on the research or in closing the issue.  Under the hood, this really isn’t a super complex attack.  It’s a remotely-exploitable issue in SMB (originally packaged in a super-friendly way by ~~the NSA~~ the Equation Group) which was publicly released (by ~~Russia~~ The Shadow Brokers) so all could access it.  It targeted an issue that has been patch-able for months and did what ransomware does on top of that platform.  The rest is distraction.