The worldwide cyberattack that struck the weekend of May 12-14 – and that is preparing to strike again – has brutally thrown light on a formidable paradox: not only does it show just how utterly dependent the global economy is on digital technologies (and consequently, its vulnerability), it also reveals the shortcomings in our organisations – particularly in terms of digital risk management and security.

Apply security patches as soon as they become available

With over 200,000 victims affected (mainly companies) in 150 countries – from Russia to Spain, Mexico to Vietnam, and especially in Europe – WannaCry shows us just how badly maintained the world’s IT systems are. If the patch for the MS17-010 flaw (released by Microsoft on March 14, 2017) had been applied in a timely manner, the scale of the catastrophe would be nowhere near what we are currently experiencing. At worst, only environments running on obsolete operating systems would have been infected.

Admittedly, rolling out patches can be time-consuming and often raises fears of side effects or even production shutdowns. However, compared to the financial and reputational cost of an attack – not to mention the human cost, with respect to critical infrastructures like the health industry – is the risk really worth it? The disastrous results to date demonstrate that prudence might have been the key to security.

It is surprising to see big names listed among the victims: FedEx, Hitachi, Telefonica, BBVA, Santander, Vodafone, Deutsche Bahn, etc.
In the United Kingdom, nearly fifty NHS hospitals saw their information systems compromised, forcing them to postpone certain operations.
In France, the automobile manufacturer Renault saw the virus spread to some of its production lines, paralyzing them. The Douai (5500 employees) and Sandouville (3400 employees) factories – as well as a branch in Novo Mesto in Slovenia – were particularly affected.
A more comprehensive list of victims is being compiled on GitHub.

However, while regular updates are among the indispensable preventive cybersecurity measures, they will always eventually run into a zero-day exploit of a weakness for which no patch yet exists. When that day arrives (and it cannot be avoided), it must be possible to contain the attack.

Isolate your networks

With regard to WannaCry, the main vector identified at this point is a common tactic, namely sending emails that contain malicious (PDF or Word) attachments.

The recipient opens the email and clicks on the booby-trapped file. The malicious code runs and installs a backdoor – in this case, using the DoublePulsar tool, included in the panoply that the hacker group Shadow Brokers stole from the NSA. Next, any malware (in this case, ransomware) is run remotely.

The malware spreads from machine to machine thanks to an exploit called EternalBlue, which targets a vulnerability in the Windows SMB protocol – the protocol that manages the sharing of resources (files, printers) on a local network.

Once a machine has been infected, the virus scans the entire network and contaminates all the vulnerable computers.
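The machine-to-machine propagation described above leaves a recognisable trace in connection logs: one host reaching many distinct peers on the SMB port (TCP 445) within seconds. The following detector is an added example, not code from the original post or from any product it mentions; it runs over a constructed sample log and treats the `file_servers` allow-list and the 60-second/5-peer thresholds as assumptions to be tuned per network.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample connection log (not from the original post), one line per
# TCP connection attempt: "timestamp src dst dport". 10.0.1.15 fans out to many
# peers on 445 within seconds (the worm pattern described above); 10.0.1.30 only
# talks to the file server 10.0.1.5, which is ordinary SMB use.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.30 10.0.1.5 445
2017-05-12T10:00:03 10.0.1.15 10.0.1.5 445
2017-05-12T10:00:04 10.0.1.15 10.0.1.6 445
2017-05-12T10:00:04 10.0.1.15 10.0.1.7 445
2017-05-12T10:00:05 10.0.1.15 10.0.1.8 445
2017-05-12T10:00:05 10.0.1.15 10.0.1.9 445
2017-05-12T10:00:06 10.0.1.15 10.0.1.10 445
2017-05-12T10:05:00 10.0.1.15 10.0.1.40 80
"""

def parse_flows(text):
    """Yield (time, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])

def detect_smb_fanout(text, window=timedelta(seconds=60), threshold=5, file_servers=()):
    """Return {src: (first_alert_time, distinct_peers)} for every host that reached
    at least `threshold` distinct peers on TCP 445 within one `window`.
    Known file servers are ignored so normal share access does not trigger alerts."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in parse_flows(text):
        if dport == 445 and dst not in file_servers:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        in_window = Counter()  # dst -> hits inside the current sliding window
        start = 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[start][0] > window:  # drop events older than window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold and src not in alerts:
                alerts[src] = (ts, len(in_window))
    return alerts
```

Calling `detect_smb_fanout(SAMPLE_LOG, file_servers={"10.0.1.5"})` flags only 10.0.1.15, at 10:00:06, once it has reached its fifth distinct peer; the host that only uses the file server is never reported.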

[Figure: WannaCry propagation via EternalBlue]

In order to block this type of cascading attack, defense in depth is a robust response, regardless of the nature of the attack. Incidentally, ANSSI recommends “as a precaution, if it is not possible to update a server, […] logically isolating it.”

By erecting a succession of defenses, network compartmentalization using secure interconnection gateways makes it possible to contain the attack and prevent its propagation.

Measure 2.2.9: “The lack of isolation among systems facilitates the work of an attacker, who can more easily change the system to achieve their aim. Effective isolation will also make it possible to limit the propagation of a virus.”

Measure 2.2.19: “Using the same working environment for different sensitivity- and exposure-related tasks increases the risk of compromise.”

Source: Detailed measures regarding industrial system cybersecurity – ANSSI


With bidirectional isolation and filtering mechanisms, the CrossinG® gateway enables the incoming and outgoing flows among systems or networks with varying levels of sensitivity to be controlled.

Unlike a firewall or a diode, it is not limited to filtering data flows or managing the direction of exchanges; it also verifies the safety of files and controls their format as well as their authenticity and confidentiality. What’s more, it helps protect your sensitive data by preventing data leaks.

Furthermore, CrossinG® is underpinned by a hardened OS that implements controlled isolation and security mechanisms.

One question remains. How did WannaCry manage to spread so far in such a short period of time?

Of course, in this case, an especially massive number of emails were sent (several million at the time, via the Necurs botnet in particular). However, the odds are that this was not the only vector. Among the NSA’s digital weapons found on the Web, some install backdoors on firewalls. This could explain how quickly the malware propagated, since the company’s entire network became accessible via the Internet.
Furthermore, when Shadow Brokers made the NSA’s tools public on April 14, DoublePulsar had already infected over 36,000 computers worldwide. But was this an accurate count?

[Figure: DoublePulsar infection map]

If you are worried that this backdoor has been installed on your computer without your knowledge, a detection tool developed by Countercept is available from GitHub.
