WannaCry ransomware slipped in through slow patching


The plain truth about security updates is that enterprises will always have a lag time between when patches are released and when they’re deployed. Even so, too many organizations are taking too long to test and schedule, and they’re paying the price.

As reported earlier, a new ransomware attack called struck tens of thousands of systems in around the world, including hospitals at the United Kingdom’s National Health Service, KPMG, Spain’s telecommunications company Telefonica, and banks BBVA and Santander. The ransomware has wormlike properties, as it spreads through network file shares, possibly using the vulnerability in the Windows SMB (Server Message Block) protocol () that Microsoft patched in March. The flaw is used by the EternalBlue exploit, which was part of the cache of hacking tools allegedly developed by the NSA and dumped by the Shadow Brokers group.

Microsoft initially patched the vulnerability only for currently supported operating systems, leaving older ones, such as Windows Server 2003, at risk. After the outbreak, Microsoft bent its policy and . Though Windows Server 2003 has already reached end-of-life, many organizations hung onto older systems long past the expiration date. Health care organizations in particular are at risk because many of their custom applications cannot be updated to work on newer systems.

While some systems compromised by WannaCry were running outdated OSes that couldn’t be fixed, it’s likely that many PCs were new enough to be patched, but the IT teams hadn’t gotten around to doing so. Security experts say it takes more than 100 days to patch critical vulnerabilities, especially in larger organizations. The criminals were able to take advantage of this window to their financial gain.

recommends also blocking RDP (Remote Desktop Protocol) to be on the safe side. Organizations should consider compartmentalizing and self-containing until they can report 100 percent patching compliance.

More worms to come?

A lot of critical vulnerabilities have been patched recently, and odds are high that IT teams have not gotten around to applying the patches. Considering that WannaCry is using a Shadow Brokers implant, it’s clear criminal organizations are digging through the dump and figuring out how to use the tools for themselves.

Another potentially dangerous exploit from this dump, PassFreely, can be used to bypass Oracle database authentication. The exploit patches the Oracle process (oracle.exe, oracle80.exe and oracle73.exe) in-memory to allow unauthenticated sessions to Oracle instance, said Kapil Khot, of security company Qualys. The company’s researchers were able to use the exploit to compromise Oracle version 64-bit on Windows Server 2008 R2 and access the database.

PassFreely can potentially become a big headache for IT teams because the target server first needs to be compromised using EternalBlue, the same SMB backdoor that WannaCry is suspected of using. Consider that for a moment. If any of the machines that had been compromised by WannaCry also had a vulnerable Oracle database running, then ransomware won’t be the worst thing to happen.

IT teams must have a plan to prioritize security updates or put in safeguards for those that can’t be patched. The WannaCry ransomware is the clearest indication yet that criminals are quite prompt in adapting exploit tools for their operations.