What WannaCry signals for the coming wave of attacks using nation-state cyber weapons

Companies would be remiss to downplay the profound implications of last month’s headline-grabbing WannaCry ransomware attack.

WannaCry was a mere harbinger; the tip of the iceberg. WannaCry happened a few weeks after the Shadow Brokers hacking collective stole dozens of the National Security Agency’s ace-in-the-hole hacking tools.

Shadow Brokers futilely tried to sell these cyber weapons piecemeal. But after getting no takers, publicly released them. Someone then quickly snapped up two of the free spy tools—code named EternalBlue and DoublePulsar—and whipped up WannaCry, which spread, in a matter of days, into government, utility and company networks in 150 countries.

The initial version of WannaCry proved easy enough to thwart. No one in law enforcement and information security was surprised when more robust self-spreading variants almost immediately followed. Within a week of WannaCry’s release, researchers at Cyphort Labs flushed out a variant with the self-spreading feature and ransomware instructions stripped out.

RATs hard to eradicate

Instead, someone crafted this particular variant to take root in the targeted network, stay put and stand by to function as a Remote Access Tool, or RAT. RATs are terrific at screen and keyboard monitoring, audio and video surveillance, file downloads, file transfers and more.

Meanwhile, cyber forensics firm Stroz Friedberg examined Shadow Brokers’ disclosures and tallied some 69 NSA cyber weapons. To be more precise, these are so-called “exploits” conjured up by the NSA that take advantage of heretofore undisclosed security vulnerabilities in Windows, Linux, IBM and other core operating systems and applications widely used in commerce and government.

ThirdCertainty asked Mounir Hahad, senior director of Cyphort Labs, and Ed Stroz, co-president of Stroz Friedberg an Aon company, to outline the wider context. The text has been edited for clarity and length.

ThirdCertainty: How should company decision-makers think about the dozens of exploits released by Shadow Brokers?

Mounir Hahad, Cyphort Labs senior director

Mounir Hahad: Most of the exploits leaked are for very old operating systems and applications dating back to 2001, and most do not impact most companies. For those exploits that potentially apply, it is key that companies establish crisis cells to follow the development of these disclosures and be on the lookout for any patch or any attack reported in the media or social networks. To be more proactive, companies should be demanding from their security vendors what measures are being taken to guard against any future attack using any of these exploits.

Ed Stroz: The WannaCry campaign should serve as a stark reminder to organizations that having a sound and timely patch management process in place is critical. Companies should ensure they have an up-to-date asset inventory of their IT infrastructure components and threat surface, identify whether any highlighted systems are still in use and, if so, for what purpose. In addition, we recommend carrying out regular IT inventory, security assessments and penetration testing exercises to help ensure vulnerabilities against their infrastructure are addressed promptly.

3C: Is it possible to triage these exploits, perhaps categorize them by severity level?

Stroz: The severity of an exploit is often less about the nature of the vulnerability than it is about how an organization would be affected by it. Because severity is therefore subjective to a given environment it is somewhat premature to assign a generic severity score.

Ed Stroz, Stroz Friedberg co-president

Hahad: The type of environment exploited, and the age of the vulnerability are factors that matter. For instance, a Windows desktop exploit presents a higher risk than an FTP server exploit for most companies just because the FTP server may be used infrequently. Also, a more recent exploit presents a higher risk than a 15-year-old exploit because of the potential attack surface that still exists.

3C: Can you characterize what’s going on in the cyber underground with these weapons available to one and all?

Hadad: “It is clear some well-organized cyber criminals have poured over this data and quickly took advantage of the most readily available tools. The focus will now shift to the more obscure exploits. We will now see a resurgence of activity from well-funded cyber criminals and many more nation-states, which did not have access to such a treasure trove of exploits. The less sophisticated cyber criminals will probably revert back to previous email-based techniques and just wait for the next Shadow Brokers dump, which may have fresh exploits to use.

Stroz: Cyber threat actors are aware of what’s happening, and will take advantage of the time latency that exists between a patch release date and the organization’s installation date. In general, cyber threat actors are often quick to repurpose leaked exploits and tools for their own use, as it is cost effective to do so. A notable example is the Hacking Team leak in 2015 where (Adobe Flash exploits) were quickly repurposed by various espionage threat actors.

3C: How do you expect this to play out over the remainder of 2017?

Stroz: Cyber criminals could very well change tactics and take aim at connected devices and hold them ransom, something our firm predicted at the start of the year. Companies should not be sitting idle. If a company has not been applying patches and updates in a timely manner, they may be vulnerable to many other legacy exploits and not just those recently in the press.

Hadad: The security community has not finished studying these exploits, and I suspect that as detailed analysis emerges, so will the discovery of existing compromised systems that were previously operating under the radar.


Patricia Kemp
Patricia Kemp