Earlier today it was revealed that the United Kingdom’s National Health Service was targeted by ransomware known as “WannaCry.” Sixteen NHS organizations were impacted by the attack, and victims have spread across the globe and will likely continue to do so. WannaCry takes advantage of SMB vulnerabilities in Windows, using the ETERNALBLUE exploit which was publicly released by the ShadowBrokers in April. This SMB vulnerability is “wormable” and reminiscent of the early 2000s worms like Code Red, Nimda and Blaster. Microsoft released MS17-010 to address this SMB vulnerability on March 14th prior to the ShadowBrokers dump.
Just over eight weeks later, we are seeing the initial implications of not deploying this SMB patch, and this is an area that I’d like to focus on. If you have been on the Twitters today, it is as if a million voices have suddenly cried out in terror tweeting “Why didn’t you just patch it!” This seems like a reasonable question, but reality isn’t always reasonable. Having been an industry analyst, I’m naturally familiar with ivory towers and questions like this can indicate that someone might be a bit disconnected from the realities of day to day security operations. There are legitimate reasons why not every endpoint on the planet is running MS17-010.
- Patching ain’t easy; managing a global patch/systems/configuration management program is complex.
- Devices and users are transient.
- Environments are very heterogeneous. How many organizations have a single workstation build? It’s more like you have many gold images.
- It simply isn’t possible to patch all the things: medical equipment, research gear, ICS devices, you know the drill.
Am I making excuses for organizations that didn’t apply MS17-010? No I am not, but it is important to remember that security isn’t black and white, operations are hard, and sometimes thoughtful risk management might still result in a loss. Back to WannaCry, here are some recommendations from our intelligence team on mitigations:
- Apply MS17-010 if you can
- In the event you can’t:
- Restrict access on TCP and UDP ports 138, 139 and 445 to the host.
- Disable SMBv1
- Disable RDP (TCP/UDP port 3389) access from the Internet. (I really hope you don’t have public facing RDP exposed).
- If that is also not possible, restrict access either via a VPN or IP access control lists.
Two final recommendations, if you don’t already have a ransomware response playbook, hopefully today isn’t the test run. You should also formalize your ransomware minimization strategy; you might not be able to prevent it all, but it doesn’t mean you shouldn’t try. Our intelligence team will continue to monitor the situation and update our clients as needed.