WannaCry Déjà Vu

Within the last 24 hours, Microsoft has released critical updates for a severe vulnerability (CVE-2019-0708) in Microsoft Windows Remote Desktop Services (RDS) running on older versions of Windows, including Windows XP and Windows Server 2003. The vulnerability affects the following Windows versions: Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows XP and Windows Server 2003. NOTE: Systems running Windows 8 or Windows 10 are not affected. This scenario brings back some memories from the WannaCry attack that occurred in 2018.

So, why should organizations and the IT security community care?

First, anytime Microsoft releases security-related updates for operating systems that are out of support (Windows XP and Windows Server 2003) it’s especially worth paying attention.

Second, the last time Microsoft released similar critical security patches was in April 2017. Those security patches closed a critical vulnerability that was susceptible to the EternalBlue exploit: an exploit developed by the United States National Security Agency (NSA) which was leaked by the Shadow Brokers group on April 14, 2017. It took only 28 days for North Korea to weaponize the leaked EternalBlue exploit into the worldwide WannaCry ransomware attack. In less than 24 hours, WannaCry infected more than 230,000 computers in over 150 countries. Total damages are estimated between hundreds of millions to billions of dollars.

Third, numerous organizations still use the affected Windows operating systems. Although Microsoft will no longer support Windows 7 and its server siblings after January 20, 2020, over 36% of the Desktop market is still currently using Windows 7. Worse yet, an estimated 40 million PCs still use Windows XP although Microsoft stopped supporting that operating system on April 8, 2014, over five years ago. It’s clear that many organizations and users will continue using Windows 7 and Windows Server 2008 up to the end-of-support date and, based on historical precedent, well past the support termination date.

Fourth, this vulnerability enables hackers to create a worm attack through remote code execution. Why is this so dangerous? Computer and IT systems often have vulnerabilities but many of them are isolated to that particular system or a piece of software or application running on that system. To exploit these vulnerabilities, hackers must first gain access to the system. A remote code execution exploit is one of the most dangerous types of exploits because hackers or malicious software can remotely access and execute software on other systems often without needing to authenticate, and they can even program this activity so that it occurs immediately. Thus, malicious software that infects a single device has the ability to quickly spread, or “worm”, it’s way throughout the entire environment. During the WannaCry attack, tens of thousands of computers within individual organizations were infected in less than a minute. When Microsoft itself is using the title: “Prevent a worm by updating Remote Desktop Services” for its blog post announcing this vulnerability, it’s evident this is a serious security concern.

As Simon Pope, director of incident response at Microsoft’s Security Response Center explains in Microsoft’s blog post, “This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”

Fifth, due to the nature of a remote code execution exploit, a single vulnerable or “unpatched” system can still compromise the entire IT infrastructure, including devices that are “patched” or secure from the vulnerability. How is this possible? The NotPetya worm attack, which also leveraged the EternalBlue exploit, is a perfect example of how even just a few vulnerable systems can lead to total infrastructure compromise. When a remote code execution exploit is paired with password, token, or credential stealing techniques or exploits (or worse yet a built-in set of valid privileged account credentials, e.g. the Olympic Destroyer malware), the malicious worm can now use legitimate remote execution protocols and privileged credentials to spread.

Here’s a play-by-play explaining in more detail the situation above:

1. The malicious software, aka the “worm”, gets executed on a device in the organization. The worm may be executed, or run, by a hacker using an existing backdoor into the organization (e.g., NotPetya), by a user intentionally opening malicious attachments from an email spear phishing campaign, by a hacker targeting an exposed vulnerable port or protocol (e.g., WannaCry), by a user opening an infected document on a USB thumb drive they brought from home, etc.
2. Once executed, the worm starts running its malicious intent (ransomware, file encryption, cryto-mining, wiper-ware, destruction-ware, data ex-fil, etc.)
3. At the same time, the worm identifies neighboring devices and attempts to spread, replicate, and execute itself on those remote devices using a remote code execution exploit that target’s a known vulnerability (like this CVE).
4. In parallel, the worm uses exploits and techniques to harvest known privileged account credentials on the compromised system or uses a built-in list of valid credentials to spread, replicate, and execute itself on remote devices using legitimate account credentials and remote execution protocols and technologies (e.g., RDP, SSH, WMI, WinRM, RPC, etc.) inherent in almost all IT infrastructures.
5. At this stage, the malicious worm is rapidly targeting and compromising systems in the environment regardless of whether they are susceptible to the remote code execution vulnerability or not.

So how do we prevent this vulnerability from becoming the next WannaCry?

Clearly, all users and organizations running one of the affected Microsoft operating systems should update their systems immediately. Unfortunately, many organizations often struggle to ensure all their affected systems are updated. In addition, this vulnerability was acknowledged and patched by Microsoft before it was ever weaponized, but future vulnerabilities may not be. Finally, endpoint protection like anti-virus and anti-malware will initially be limited in its ability to stop the “worm” and may take hours or days before it is updated with the latest signatures to stop the malicious software from running.

Organizations looking to enhance their detection of such worm-like techniques against unknown remote code execution vulnerabilities or other types of similar attacks which rely on lateral spread/movement and privileged account compromise, should consider Blackpoint’s SNAP-Defense platform. We designed and developed SNAP-Defense to be the best-in-class solution on monitoring and detecting lateral spread/movement and privileged account compromise. SNAP-Defense has patented lateral spread/movement detection, real-time asset and account visibility, and extensive privileged account remote access and execution. With SNAP-Defense in place, organizations increase their ability to detect and stop lateral spread/movement-based attacks.

For an example of SNAP-Defense’s capability against these types of attacks and vulnerabilities, check out this video showing SNAP-Defense detecting the NotPetya malware, which used similar techniques to the WannaCry attack.

In closing, if you or your organization is running any of the affected Microsoft operating systems, please ensure you download and apply the latest security update patches from Microsoft, especially if you’re running Windows XP or Windows Server 2003 since you need to manually download the update from Microsoft’s Update Center.

Finally, consider implementing lateral movement/spread detection and privileged account monitoring technology, like Blackpoint’s SNAP-Defense platform in your organization. Better yet, consider a managed detection and response service, like Blackpoint’s MDR which leverages SNAP-Defense, to provide 24×7 monitoring of lateral movement/spread and privileged account use and can actually respond directly to any malicious behavior discovered in your IT environment on your behalf without the need for extra staff or resources. To learn more and to inquire about receiving a FREE demo, visit https://blackpointcyber.com/snap-defense/

Links to downloads for Windows 7, Windows 2008 R2, and Windows 2008
Links to downloads for Windows 2003 and Windows XP