Did ANZ dodge a bullet?


Nearly two weeks after the outbreak of the WannaCry ransomware we pose the question: did organisations in ANZ dodge a bullet?

The WannaCry ransomware (also called WannaCrypt) was released on Friday May 12th in the Northern Hemisphere, which meant our weekend had already arrived and many businesses were not operating. Word went out in the media that there could be an issue with the nasty WannaCry worm as it worked its way across a range of countries including the UK, Russia and China.

There are no official reports of WannaCry encrypting systems in New Zealand and some media reports speculated that a dozen businesses were infected in Australia. We may never know the real impact in ANZ but it appears to have been minimal compared to other nations.

Feedback from several clients confirmed many of them moved quickly to check the status of their system patching on Saturday 13th and for the duration of the weekend.

The industry certainly responded and jumped into action. A “kill switch” was discovered by accident: before doing anything else the malware tried to resolve a hard-coded, unregistered domain and exited if the lookup succeeded. Once a researcher registered that domain, new infections on machines that could reach it neither spread further nor encrypted anything; machines that reached the internet only through a proxy could not resolve it and stayed exposed, and the kill switch did nothing for systems that had already been encrypted.

IT Security Forums were getting plenty of input from members. Security vendors provided commentary and recommendations.

Microsoft took what they termed “the highly unusual step of providing a security update for all customers to protect Windows platforms that are in custom support only”; this update covered Windows XP, Windows 8 and Windows Server 2003. Windows 10 was not targeted by the attack, and supported platforms had already received the fix in the March 2017 MS17-010 release, so customers who had applied it did not need to be worried.

CERT bodies provided a good level of communication; we thought the European-based CERT-EU advisory was very informative.

By mid-week the number of affected nations had climbed to 150 from an initial estimate of 70+ countries, and major issues were plaguing some very large organisations such as Telefonica, Renault, the UK NHS and the German national rail system, to name a few.

The WannaCry wave has subsided, but a successor worm, EternalRocks, which uses the same leaked SMB exploits, has already been reported. By making headline news WannaCry has certainly given many organisations a wake-up call, demonstrated the fragility of some systems and identified the need for tighter IT processes and procedures.

So what really happened?

While initial indications were that the ransomware spread via email, this was not the case. Most systems were actually exploited through a vulnerability in version 1 of the Windows Server Message Block (SMBv1) file sharing protocol. Microsoft had addressed this vulnerability with the MS17-010 patch released in March 2017, so only machines that were unpatched and still exposing SMBv1 were at risk.

The worm searched the public internet for systems exposing vulnerable SMB services (TCP port 445) and infected them using the EternalBlue exploit and the DoublePulsar backdoor, code leaked by the Shadow Brokers and attributed to the NSA. Once on a host it also scanned the local network for further targets, which is why a single exposed machine could compromise an entire site. On each infected host the WannaCry ransomware was installed and went to work encrypting files and demanding payment.

Microsoft publishes guidance on how to detect, enable and disable SMBv1 on each Windows version; disabling it wherever it is not needed removes the attack surface WannaCry used, and it is worth checking the MS17-010 state of every host at the same time.
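As an added example (not part of the original Newsflash), the following PowerShell audits a Windows host for the two things that mattered during the outbreak, MS17-010 being installed and SMBv1 being enabled, and then disables the SMBv1 server protocol. The KB numbers are the March 2017 MS17-010 releases as we understand them and are an assumption to verify against the Microsoft bulletin; later cumulative updates supersede them, so a missing KB is a prompt to check Windows Update, not proof the host is unpatched. Run it in an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page. Audits MS17-010 and SMBv1 state
# on the local host, then disables the SMBv1 server protocol.

# Assumption: March 2017 MS17-010 KB identifiers per platform. Cumulative
# updates released later supersede these, so absence is only a warning.
$Ms17010Kbs = @(
    'KB4012598',                          # XP, Server 2003, Vista, Windows 8 (out-of-band, May 2017)
    'KB4012212', 'KB4012215',             # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',             # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',             # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507 / 1511 / 1607
)

function Get-Ms17010Status {
    # Returns whether any of the known MS17-010 KBs is present on this host.
    $installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Ms17010Found = [bool]$installed
        HotFixIDs    = ($installed.HotFixID -join ',')
    }
}

function Get-Smb1Status {
    # $true if the SMBv1 server protocol is enabled.
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2: LanmanServer SMB1 registry value; absent means enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    return ($null -eq $v) -or ($v.SMB1 -ne 0)
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Windows 7 / Server 2008 R2 path; takes effect after the Server
        # service restarts (or a reboot).
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    }
    # On Windows 8.1 / 10 the SMB1 feature can also be removed outright:
    #   Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

function Block-Smb445Inbound {
    # Stop-gap while patching: block all inbound TCP 445. Note this also blocks
    # legitimate file sharing to this host, so use it on hosts that do not
    # serve files, or only for the duration of the patch window.
    New-NetFirewallRule -DisplayName 'Block inbound SMB 445 (WannaCry stop-gap)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block | Out-Null
}

# Audit, report, then harden.
$patch = Get-Ms17010Status
$smb1  = Get-Smb1Status
'{0}: MS17-010 KB present={1} ({2}); SMBv1 server enabled={3}' -f `
    $patch.ComputerName, $patch.Ms17010Found, $patch.HotFixIDs, $smb1

if ($smb1) {
    Disable-Smb1Server
    'SMBv1 server protocol disabled.'
}
if (-not $patch.Ms17010Found) {
    'No known MS17-010 KB found: confirm via Windows Update, and consider Block-Smb445Inbound until patched.'
}
```

To run the audit across a fleet, wrap the three query functions in `Invoke-Command -ComputerName` against a list of hosts and collect the returned objects; the firewall rule is deliberately left as a separate function so it is only applied where the trade-off against file sharing has been made.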

Kaspersky's research labs have stated that Windows XP machines were not actually the most affected systems in this outbreak. Their researchers found that the worm worked reliably on Windows 7, which accounted for the vast majority of infections, while on other platforms including Windows XP the exploit tended to crash the target rather than infect it (source: Kaspersky Research).

In summary, it would appear many organisations in ANZ did dodge a bullet. Hopefully the media coverage and global impact of this outbreak will reinforce that failures in human factors, that is, not doing the operational basics such as patching and retiring legacy protocols well, still warrant increased investment over and above many other aspects of IT security.
