As a general rule, I would avoid commenting on high-profile cyberattacks. Criminals often get as much out of notoriety as they do from stealing money from others. However, the impact of the WanaCryptOR (aka WannaCry et al) ransomware on the National Health Service (NHS) cannot pass without comment.
Why is this in the news?
On the 12th May, hundreds of organizations around the world, including sizable parts of the National Health Service in the UK, had computer systems that were encrypted and locked by a piece of malicious software called (variously) WanaCryptOR or WannaCry. The software demanded a ransom payment to unlock the infected system. From an initial infection, it spread from computer to computer quickly. Within a few days, it had reportedly infected 200,000 systems worldwide.
The news has been a big hit with the mainstream media, combining, as it does, a crowd-pleasing story of scary cyber attacks with the much-loved, but faded national treasure of the NHS. It comes at a time of election fever and strained international relations over cybercrime.
The news is being used as a political tool, attracting strained angles and hyperbole on top of inaccuracy and imprecision:
- Supporters of the NHS pointed to a lack of investment in NHS IT being at the root of the damage.
- The UK government, testy from needling about lack of investment in NHS IT, pointed a finger at decisions made by the Labour government in 2007.
- The Russian government, clearly sensitive about western accusations of voting manipulation in US, French and UK elections, was quick to deny responsibility, underlining the NSA’s involvement in the development of the exploit code.
- Microsoft complained about national security organizations knowing about problems with Microsoft’s software, but not reporting them – instead, exploiting them.
The first thing to note, which flies in the face of some of the reporting, is that this was not an attack on the NHS. The use of the word “target” in reports, and the focus on NHS issues in the UK, does not disguise the fact that this is an indiscriminate computer worm that operates regardless of the identity of the system it hits. Hundreds of thousands of computers across the globe have been affected.
Canful of worms
A worm is a type of computer programme that automatically scans a network for vulnerable computers and then launches an exploit which, if the hole has not been patched, infects the computer system and then starts the process again, finding other ‘nearby’ systems to infect.
Once a system is infected, the worm might do things other than propagate further. In this case, WanaCryptOR encrypts all of the local files on the computer and provides a mechanism for unlocking them through an anonymous payment of digital currency (Bitcoin). Software following this type of behaviour is called ransomware.
Perhaps we should be grateful that this was just a ransomware attack. Affected computers can be scrubbed and then data restored from back-up (you did back that data up didn’t you?). A worm can, just as easily as encrypting local files, have harvested data from the drives and exfiltrated it – compromising patient privacy amongst other things. There’s no evidence that it did that, but the next worm might.
The amount of ransom money does not appear to be huge. Examination of the digital currency wallets being used to collect the ransom payments suggests that the criminals have extorted only £30,000 from this global infestation. At £300 per computer initially, increasing as the infection spreads, that puts the number of people succumbing to the ransom demand at around 100 out of, perhaps, 200,000 infected computers. That’s not a stellar reward given the scale and capability of the global law enforcement response from the impacted countries.
Many of the infected systems were in Russia, including the interior ministry, and you can bet that they will be very interested in who was behind this attack.
An unprecedented level of attack?
Europol described the WannaCry attack as featuring infections “at an unprecedented level”. That description seems incorrect given historically damaging events such as the 2000 ILOVEYOU/Love Bug worm. Love Bug was a worm that, according to some estimates, infected nearly 10% of Internet-connected computers at the turn of the century. It was estimated to have caused billions of pounds of economic damage worldwide.
Either memories are short when it comes to cyberattacks, or the word “unprecedented” doesn’t mean what I think it means.
Since 2000 the number of devices connected to the public Internet has soared. Network giant Cisco estimated there were 200 million connected devices in 2000. In 2012, Cisco estimated that there were 8.7 billion devices connected to the Internet. With a reported 200,000 infections, WannaCry’s impact has been felt, but it hardly constitutes unprecedented levels of infection.
I am not sure that using words like “unprecedented” helps in resolution efforts. There’s a sense that if this attack was unprecedented, then somehow there was nothing that could have been done. I believe that the success of the attack was inevitable, because it only takes one infected machine to start a spread inside an organisation, but that there was a lot that should have been done, and still needs to be done, to limit the damage when this kind of attack does appear.
This attack is far from unprecedented. It is predictable, common, ordinary, obvious, and telegraphed in the media. People in these organizations gambled that the likely cost of a failure to secure their network was less than the cost of securing it, and, in this case, that gamble has (probably) not paid off. It’s the patients who were affected that suffered, and how does one quantify that suffering?
It would be much worse if you could not find who those people were that made the decision, or if the gamble was taken by default because there was no collective will to respond to issues of cyber-security.
What can be done to protect organizations?
The initial infection could have come from any number of places: a malicious email attachment, a link to a website hosting malware, open ports on an Internet-facing server, or an infected file introduced on a USB key. Several early reports stated that this particular worm’s initial attack vector was phishing emails carrying an infected attachment that needs just one person to click on it.
Email has been a common vector for computer viruses almost ever since it became easy to attach files to an email (MIME was ratified in 1993). Email is a very common Internet service, alongside web browsing, and email users are regularly targeted with spam, viral attachments, malicious links, or scammers pretending to be their boss. Organizations should be very aware of the high risk of attack via email, and it should receive particular attention from IT security.
Regardless of the initial infection, once one copy of the worm was inside a network perimeter, it would automatically find other systems with similar vulnerabilities and spread rapidly. If an organization had one vulnerable device, it was likely to have more.
The security controls that, if put in place, would have halted this worm are well understood.
To help prevent initial infection:
- You can restrict or treat as highly suspicious attachments and links in emails
- You can educate users to the risks of opening unsolicited attachments
- You can restrict the use of USB keys or other non-authorised sources of files and data
- You need the best host-based malware protection you can find
- You need to have up to date software. “Up to date” in this case means “installing timely functional security patches”
- Establish strong filters to block unsolicited inbound connection attempts
- You have to assume these defences will be breached eventually
To limit spread and damage:
- You need to shut down obsolete or old services that are not used on hosts and servers – or better – only allow current and active services on machines (whitelisting).
- Strengthening internal bulkhead defences is as important as looking at your perimeter. Internal firewalls, IPS/IDS systems and anti-malware gateways can be deployed inside the network.
- If possible, physically, or at least logically, separate critical systems from those with email/web/USB access. If a connection is required, place a secure gateway with anti-malware protection between the network segments and allow only whitelisted services through it.
WanaCryptOR had the impact it did because these controls were lacking in infected networks. Impacted systems were either running operating systems which were no longer receiving security patches (such as Windows XP) – or had not installed the security patch that was available. They may also have been running an old service (SMBv1) which has not really been current since 2008.
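As an added example, not code from the original post, the following PowerShell script audits a Windows host for two of the conditions described above (the obsolete SMBv1 service still enabled, and unsolicited inbound SMB connections allowed) and remediates them when run with `-Remediate`. It assumes Windows 8.1/Server 2012 R2 or later (for the SmbShare and NetSecurity modules), an elevated session, and that the firewall rule name is a constructed placeholder you would adapt to your own naming scheme.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Report-only by default;
# pass -Remediate to disable SMBv1 and add an inbound TCP 445 block rule.
param(
    [switch]$Remediate
)

# Constructed placeholder name for the firewall rule this script manages
$ruleName = 'Block inbound SMB (TCP 445) - legacy segment'

function Get-Smb1State {
    # Server-side dialect settings: this is what a worm scanning the LAN sees
    $server = Get-SmbServerConfiguration
    [pscustomobject]@{
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb2ServerEnabled = $server.EnableSMB2Protocol
    }
}

function Get-InboundSmbBlockRule {
    # Returns the managed block rule if it already exists, otherwise $null
    Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
}

$state = Get-Smb1State
$rule  = Get-InboundSmbBlockRule

Write-Host "SMBv1 server enabled          : $($state.Smb1ServerEnabled)"
Write-Host "SMBv2/3 server enabled        : $($state.Smb2ServerEnabled)"
Write-Host "Inbound 445 block rule present: $([bool]$rule)"

if (-not $Remediate) {
    Write-Host 'Report only. Re-run with -Remediate to apply the controls.'
    return
}

if ($state.Smb1ServerEnabled) {
    # Turn off the obsolete dialect; SMBv2/3 clients are unaffected
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Write-Host 'SMBv1 server protocol disabled.'
}

if (-not $rule) {
    # Drop unsolicited inbound SMB on every profile. On a file server,
    # narrow this with -RemoteAddress to the subnets that legitimately
    # need access instead of blocking outright.
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    Write-Host 'Inbound TCP 445 block rule created.'
}
```

Disabling SMBv1 on the server side does not stop the host from initiating SMBv1 connections as a client, so the same review is needed on hosts that still talk to legacy shares.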
“Good old” Windows XP
A lot of media attention in the UK is focused on the proportion of NHS computers using Windows XP and a perceived lack of investment as the underlying reason why this situation is the case.
Windows XP is a popular computer operating system (OS) developed by Microsoft and released in 2001. An estimated 1 billion copies of XP were shipped between launch and the end of extended support by Microsoft in April 2014. Replacements have been available since 2008, but Windows Vista and Windows 7 initially proved unpopular, which may have contributed to the widespread continued use of Windows XP beyond 2008.
According to this article, on the eve of the imminent end of Windows XP support from Microsoft, the UK Department of Health and the Cabinet Office wrote to all NHS trusts in April 2014 stressing an “urgent need” to move away from Windows XP and promising transition funding. The government spent £5.5 million to extend support for the NHS until April 2015, giving trusts at least 12 months from the date of notification to comply, and that is only if they started thinking about migrating from Windows XP at the drop-dead date for support. Microsoft had been trying to sell people on upgrading since 2008.
According to a spokesman for the Prime Minister, in December 2015 Windows XP was installed on 15-18% of NHS computers.
InfoSecurity Magazine reported in December 2016 that 90% of NHS trusts were still relying on devices running Windows XP. The report recognised that some Windows XP computers had started out as isolated machines, which may not have required regular patching, but that functional demands on computing devices (access to Wi-Fi or LAN connections for e-mail, printing and file sharing) had increased their exposure to worms and malware without a re-examination of host-based security controls.
According to 10 Downing Street, the proportion of NHS computers running Windows XP has fallen to 4.7% today. That seems like a very rapid change over 2016/17, but still means tens of thousands of machines in NHS trusts running Windows XP without any patch support.
With NHS IT guidelines including exhortations to run current and frequently patched software, it’s easy to be critical of this sluggish upgrading process. Some reports have described NHS IT administrators as “sleepy”. However, upgrading costs money and time and requires skills, and it can slip down a priority list, particularly when funding priorities move from non-clinical to clinical staff. Also, specialist medical software is sometimes in use that was designed for older versions of Windows and works poorly, if at all, with the latest and greatest versions. The cost and risk of upgrading can be perceived to be higher than the costs and risks associated with security vulnerabilities.
Ben Wallace, UK Minister of State for Security, said on Radio 4 that the failure to protect against the attack dated back to decisions made by the Labour government in 2007. Perhaps in the run-up to the general election in the UK, that kind of anti-opposition response is only to be expected.
A decade of government has been insufficient to remedy basic IT security issues in the NHS. Today’s government can point to reports, memos, briefings and other activities recognising the risks of obsolete software, but those methods have failed to introduce effective change in security posture and the government stopped paying Microsoft for XP support in 2015.
The problem is not just about Windows XP. It’s about patching, upgrading and, where that’s not possible, isolation and improved control. In the real world, legacy systems will continue to exist, creating hotspots of vulnerabilities in a network. This does not come as a surprise – and it won’t be fixed by tutting about unpatched vulnerabilities or the lack of money/resources to upgrade them.
Older IT assets need to be identified and a different level of security controls implemented for them. Vulnerable systems need to be isolated, or connected to a dedicated network segment, to limit subsequent damage when they get compromised (a DMZ for “unpatchable” legacy systems).
Having said all of this, Kaspersky Lab has said that the majority of systems successfully infected with this worm were actually running versions of Windows 7, rather than Windows XP. So, although continuing to run older operating systems is not recommended, where it cannot be avoided, keeping patches up to date, and isolating older devices where they cannot be upgraded, should trump knee-jerk OS upgrades which may cause more issues than they solve.
The role of the National Security Agency (NSA)
The worm used an exploit tool called Eternal Blue that was coded by the NSA. This was one of many attack tools developed by the NSA to support their (counter) espionage work, which meant not informing Microsoft, or anyone else, of the existence of the vulnerability or that a means to exploit it had been developed. However, this and other exploits were made public when the NSA tools were leaked.
Attackers, as expected, were quick to begin exploiting the published vulnerabilities and the power of the attack tools. Five days after the leak, there was a noticeable rise in the number of Internet-connected systems infected with a backdoor called DoublePulsar, which was installed using the Eternal Blue exploit tool. At the time, researchers said this was a “wake-up call” for people running unpatched systems or older operating systems.
Under a month later, someone had grafted the Eternal Blue exploit onto the WanaCryptOR ransomware package, increasing its spread rate on networks. Given the number of systems infected with WanaCryptOR globally, a number of organizations have slept through the so-called wake-up call.
In the wake of WanaCryptOR, researchers have now seen other worms in the wild that make use of more of the exploits contained in the April leaks. IT and security teams should be awake now even if they missed the first “Wake Up!”. Otherwise they might just fall foul of a WannaBe?
The role of Microsoft
Microsoft moved quickly to patch the holes exploited by the NSA tools included in the leak (March 2017), but these patches were only for currently supported versions of the Windows operating system. The patches appeared before the leak, which suggests that Microsoft had early warning of its contents, but the patch release was atypical: Microsoft delayed the February patches and only published them in March. Detailed reasons for the delay were not given.
Microsoft stopped patch support for XP in 2014 and was explicit in stating that patches were not going to be available for XP.
However, as the scale of the WanaCryptOR worm impact was becoming known, Microsoft quickly released a free emergency patch for the vulnerability for Windows XP (13th May 2017). We know now that most infections were of Windows 7 machines, which suggests that this delayed patch deployment for unsupported Operating Systems was not a big issue.
Microsoft, like many software companies, has a difficult relationship with bugs and patches, particularly security issues in its software. On the one hand, its product is massively complicated and very widely scrutinised; on the other, Microsoft has been repeatedly criticised for prioritising security below other considerations, resulting in products that have more holes than others offering the same kind of functionality.
Microsoft’s software updating system has been around since the mid 1990s (starting with Windows 95). In the late 1990s it introduced five minute checks to see if software needed updating, and then in 2000, Microsoft launched automatic updates with daily checks. Microsoft regularly releases patches every second Tuesday of the month, interspersed with ad-hoc high priority patches and fixes.
Patches have frequently caused problems with customer systems, some of which required a subsequent patch. IT staff in organizations have had to decide whether to patch and roll back if there is an issue, or to test a patch before deployment, in order to manage the risks associated with regular patch releases.
In 2016, Microsoft used the automatic update system to force-upgrade users of Windows 7 and 8 to Windows 10 by changing the designation of the update from optional to recommended. This approach upset a number of people and organizations.
Issues with patches, and a lack of trust in automatically applying updates released by Microsoft, have led some people and organizations running Windows to disable automatic updates, introducing critical delays into a process that relies on speed.
Do we accept the right of software companies such as Microsoft to stop producing patches for old products? When modern car companies produce vehicles with millions of lines of code and network connectivity, will we accept them refusing to recall cars if that code proves to have bugs that might cause accidents or be abused by malicious code? Should I be grateful when Microsoft provides a possible fix but doesn’t take on the costs of patching old or incompatible models?
Wake-up calls have become a cliché in the rising tide of predictable cybersecurity threats. There is a lot to be said for getting basic security controls right, rather than investing time and money in managing the low risk of very sophisticated threat actors using sexy* intelligent machine-learning augmented security magic.
A little bit of love for old equipment, simplifying your networks, and looking at your internal bulkheads could go a long way.