{"id":194,"date":"2017-05-15T15:15:49","date_gmt":"2017-05-15T15:15:49","guid":{"rendered":"http:\/\/securitycurve.com\/?p=194"},"modified":"2017-05-15T15:15:49","modified_gmt":"2017-05-15T15:15:49","slug":"wannacry-so-much-distraction","status":"publish","type":"post","link":"https:\/\/securitycurve.com\/?p=194","title":{"rendered":"WannaCry: So much distraction"},"content":{"rendered":"<p><a href=\"https:\/\/securitycurve.com\/wp-content\/uploads\/2017\/05\/771bf553978abcff15be8d538deae656ad94e6205548ad4d1a0217d1214b292c.jpg\"><img class=\"alignright size-medium wp-image-195\" src=\"https:\/\/securitycurve.com\/wp-content\/uploads\/2017\/05\/771bf553978abcff15be8d538deae656ad94e6205548ad4d1a0217d1214b292c-266x300.jpg\" alt=\"\" width=\"266\" height=\"300\" \/><\/a>So you maybe noticed there was <a href=\"http:\/\/www.nbcnews.com\/news\/us-news\/blockbuster-wannacry-malware-could-just-be-getting-started-experts-n759356\">some ransomware<\/a> going around recently? \u00a0Sure you did. \u00a0If you&#8217;ve been in a coma for the past three days, a few things you need to know: <a href=\"https:\/\/en.wikipedia.org\/wiki\/While_You_Were_Sleeping_(film)\">she\u00a0isn&#8217;t really your fianc\u00e9<\/a> (and she&#8217;s going to wind up with Bill Pullman anyway, so don&#8217;t get too upset about it), and everyone is just getting over the <a href=\"https:\/\/en.wikipedia.org\/wiki\/WannaCry_ransomware_attack\">WannaCry malware<\/a> that was ransoming files and spamming the internet over the weekend.<\/p>\n<p>Events like this are nothing if they are not a learning experience. \u00a0And there are a few things I think we can learn from this event. 
\u00a0First, I think it served to highlight a fairly significant issue about patching that the security profession has been ignoring for quite a while now. \u00a0I&#8217;ll need a full post to do that one justice, so I&#8217;ll discuss that one in future (probably tomorrow). The bigger lesson though &#8211; the one that I&#8217;m going to focus on today &#8211; has to do with the response in the trade and mainstream media. \u00a0Specifically, it was a total cluster. \u00a0Well, maybe &#8220;cluster&#8221; is unfair; better stated, it was incredibly loud (coverage-wise) with a very, very low signal-to-noise ratio. \u00a0Long term, that&#8217;s a problem for a few reasons.<\/p>\n<p>The issue in brief was that someone repurposed the existing SMB exploit (<a href=\"https:\/\/en.wikipedia.org\/wiki\/EternalBlue\">EternalBlue<\/a>), which uses the issues described in\u00a0<a href=\"http:\/\/www.cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-0143\">CVE-2017-0143<\/a>, CVE-2017-0144,<em> et cetera<\/em>, to implant ransomware demanding $300 in Bitcoin. \u00a0The issue itself was mitigated in <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\">MS17-010<\/a>. \u00a0As you might imagine (because it&#8217;s SMB), it propagated quickly. \u00a0And the result? \u00a0Absolute sheer, &#8220;hair on fire&#8221; panic. 
\u00a0If you think that&#8217;s hyperbole, take a look at the Google Trends analysis for the terms &#8220;ransomware&#8221; and &#8220;wannacry&#8221; compared with something fairly newsworthy like &#8220;brexit&#8221; over the period of this weekend:<\/p>\n<p>[Google Trends chart: search interest for &#8220;wannacry&#8221;, &#8220;brexit&#8221; and &#8220;ransomware&#8221;, 2017-04-14 to 2017-05-15]<\/p>\n<p>Now, maybe you&#8217;re in the US and you&#8217;re thinking something like, &#8220;yeah, but that&#8217;s Brexit&#8230; is that still even newsworthy outside of the EU and the UK?&#8221;\u00a0 After all, it&#8217;s been some time now. \u00a0Well, for those on this side of the pond,\u00a0how\u00a0about comparing it with the search term &#8220;Comey&#8221;? 
\u00a0You may rightly suspect that recent events might cause that name to &#8220;pop&#8221; as a function of search interest:<\/p>\n<p>[Google Trends chart: search interest for &#8220;wannacry&#8221;, &#8220;Comey&#8221; and &#8220;ransomware&#8221;, 2017-04-14 to 2017-05-15]<\/p>\n<p>You&#8217;ll notice that search interest in &#8220;ransomware&#8221; alone (setting aside, for the moment, the combined interest in &#8220;ransomware&#8221; and &#8220;wannacry&#8221;) exceeded that of the search term &#8220;Comey&#8221; at the height of the crisis. \u00a0That&#8217;s pretty significant, don&#8217;t you think?<\/p>\n<p>Now, the press is no stranger to covering worms and malware &#8211; particularly when they cause visible, real-world impact like ambulances queued up outside hospitals. \u00a0But what I think is problematic about the &#8220;hype&#8221; is when it distracts from the actual workaday business of addressing the issue or comes at the expense of actually doing something useful. \u00a0Compare the response to WannaCry with, for example, how the press covers a weather event like a hurricane. \u00a0When there&#8217;s a hurricane coming, they track it, right? \u00a0There are people out there whose job it is to warn that a tropical storm is brewing. \u00a0There is a chain in place to communicate the issue to those watching the weather\u00a0and to report on events as they transpire (including who is impacted and when\/how viewers should protect themselves). 
\u00a0Then, there is targeted coverage of the impact as it unfolds, with near-incessant repetition of how those who might not have received the message can protect themselves. \u00a0It&#8217;s a fairly mature, outcome-driven process whose goal is to minimize impact. \u00a0In this case, the actual response was as close to the opposite of that as you could get: the warnings\u00a0were there but nobody covered them &#8212; the information about who could be impacted and what they could do to protect themselves was there but was hard to find given the volume of other noise. \u00a0Ask yourself: how hard or easy would it be for someone to take action from that?<\/p>\n<p>Look, it&#8217;s not like it takes a rocket scientist to know that a parcel of remotely-exploitable SMB issues, the nastiest of which had <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2017-0143\">CVSS scores of 9+<\/a>, was\u00a0likely to be problematic. \u00a0People had been warning about that &#8211; and calling for action (like installing the patch) &#8211; since EternalBlue was released. \u00a0See,\u00a0<a href=\"https:\/\/www.dearbytes.com\/blog\/playing-around-with-nsa-hacking-tools\/\">here it is with an exclamation point<\/a> after it in one of the early discussions of the released toolkit. \u00a0And yet, it seems like the world was unprepared. \u00a0Isn&#8217;t this kind of thing exactly the reason why intelligence-driven models are supposed to be more useful for security preparedness? \u00a0Isn&#8217;t this exactly what threat intelligence is for in the first place? \u00a0Likewise, a large percentage of the press coverage, when it did cover the issue, was totally silent on how to mitigate it &#8212; and equally silent on who was or wasn&#8217;t impacted under various criteria (I had people asking me, for example, whether their phones were vulnerable). \u00a0How about a breakdown of who is &#8211; or isn&#8217;t &#8211; impacted and why? 
\u00a0Or a reference to an easy-to-find action plan for small organizations (like hospitals) and what they can do in the short term to respond and protect themselves?<\/p>\n<p>Lastly, how did the analysis fail? \u00a0It took a <a href=\"https:\/\/www.thesun.co.uk\/news\/3563598\/marcus-hutchins-malwaretech-wannacry-kill-switch-nhs-cyber-attack\/\">22-year-old (Marcus Hutchins) poking around the code from his room at his parents&#8217; house<\/a> to find the embedded kill switch. \u00a0Good for him, by the way&#8230; props for doing something useful to help the situation. \u00a0But where was the AV community? \u00a0Marcus (again, props) ran strings on the file, grepped the output for &#8220;com&#8221;, and lo and behold, there was a URL in there. \u00a0Maybe it had something to do with remote communication? \u00a0So he tested that theory. \u00a0In doing so, he beat all the AV researchers to the punch in figuring out that there was an embedded kill switch to &#8220;slow the roll&#8221; of the malware. \u00a0Is it me, or wouldn&#8217;t you think running strings on the file would be one of the first things a malware research team would do? \u00a0Yeah, hindsight and all that&#8230; \u00a0But my suspicion is that instead of analyzing the file, AV shops were clamoring to contribute to the press hype rather than taking active measures to research the code. \u00a0No inside knowledge here&#8230; just my gut informing me that human nature is as human nature does.<\/p>\n<p>My issue with this is that contributing to the feeding frenzy in the media is fine, but not when it comes at the expense of actually moving the ball forward on the research or on closing the issue. \u00a0Under the hood, this really isn&#8217;t a super complex attack. \u00a0It&#8217;s a remotely-exploitable issue in SMB (originally packaged in a super-friendly way by <del>the NSA<\/del> the Equation Group) which was publicly released (by\u00a0<del>Russia<\/del> The Shadow Brokers) so all could access it. 
\u00a0It targeted an issue that had been patchable for months and did what ransomware does on top of that platform. \u00a0The rest is distraction.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>So you maybe noticed there was some ransomware going around recently? \u00a0Sure you did. \u00a0If you&#8217;ve been in a coma for the past three days, a few things you need to know: she\u00a0isn&#8217;t really your fianc\u00e9 (and she&#8217;s going to wind up with Bill Pullman anyway so don&#8217;t get too upset about it) and everyone [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","footnotes":""},"categories":[4],"tags":[77,96,127],"class_list":["post-194","post","type-post","status-publish","format-standard","hentry","category-security","tag-malware","tag-ransomware","tag-wannacry"],"_links":{"self":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/194","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=194"}],"version-history":[{"count":0,"href":"https:\/\/securitycurve.com\/index.php?rest_route=\/wp\/v2\/posts\/194\/revisions"}],"wp:attachment":[{"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=194"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/securitycurve.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=194"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/securitycurve
.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=194"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}