Information Security

Defending the digital infrastructure


Why WannaCry and other computer worms may inherit the earth

A vast majority of APT attacks and malware delivery happens via spear phishing. But worms have always had a place in the toolkit when the delivery method fit the mission.

Using a self-replicating computer program to deliver malware on a target network is an old trick.

Like most things on the internet, computer worms come from an innocent enough past. Over time, the use of worms moved down a predictable path, from computer-savvy engineers who were experimenting to the criminal realm to the rise of nation-sponsored cyberespionage groups.

Why should this matter to CISOs? As global cyberattacks have exploded in recent months, computer worms are causing collateral damage, not only to nation-states, but to corporate valuations and financial performance. In June, FedEx warned that the Petya cyberattack, which disrupted operations at its TNT Express subsidiary, may have "material impact" on the company's 2017 financial performance. Merck & Co. Inc., another victim of the June attack, issued a similar warning.

A computer worm is similar to a computer virus, but it has distinct characteristics. Unlike spear-phishing emails, worms do not require a delivery system; instead, they attack the ports and protocols of vulnerable systems directly, as a stand-alone program. This makes worms ideal for spreading malware, and for creating armies of infected "zombie" computers, or botnets, used in distributed denial of service (DDoS) attacks.

Unleashed at MIT

Cybersecurity became a career field after the first headline-making worm crippled thousands of computers nationwide in November 1988. The self-replicating computer program started out as a simple experiment by Cornell University graduate student Robert Tappan Morris, who set out to measure the size of the internet. He launched the program from MIT systems in an effort to remain undetected while the software collected data from internet servers.

Once out in the wild, the non-malicious worm went full blast and replicated itself multiple times on tens of thousands of Unix-based machines. It created a massive denial-of-service attack on an internet comprising, at the time, roughly 60,000 hosts. As a result of his "experiment," Morris was the first person convicted of a crime under the Federal Computer Fraud and Abuse Act. He was fined $10,000, forced to do community service and sentenced to three years of probation. In a bit of irony, his father Robert H. Morris Sr. was the chief scientist in charge of the National Computer Security Center at the National Security Agency (NSA).

A computer worm enters a system and spreads infections

During the 1990s and early 2000s, worms and virus attacks continued to grow as an easy way to spread criminal malware. Computer worms were used to send spam from infected machines, to drop rootkits that allowed nefarious remote access and to participate in DDoS attacks. Worms followed the technologies prevalent on the internet, starting with Unix-based systems, and then turned to weaknesses found in Microsoft Windows products and services. Today, worm variants are written for Apple OS X, Linux and mobile devices.

Government-sponsored APTs

By the late 1990s, security organizations from nations' intelligence agencies were moving deeper into cyberspace as another means of collecting intelligence or stealing intellectual property and other state secrets. In 1999, the Russians were blamed for an alleged cyberespionage campaign, known as operation Moonlight Maze, against the U.S. Department of Defense. In 2003, a group associated with the People's Republic of China was blamed for Titan Rain, a massive cyberattack against the U.S. government and its defense contractors. In 2007, the same group was suspected of attacking the British government.

What differentiated these attacks from the criminals and "script kiddies" was the discipline and field craft that these mysterious adversaries followed. The term advanced persistent threat was coined in 2006. These early APT attacks were exceptional, stealthy and used unique signatures. Few networks had the technology or methods for detecting APT attacks, let alone stopping them.

As fidelity into the indicators of compromise and techniques used by APTs improved, the number of attacks against high tech companies and defense contractors globally increased dramatically, primarily because companies noticed they were being hacked. The NSA's Active Cyber Defense hacked Russia, China and others, and they hacked back in what has become another chapter in the global spy game nation-states play. GhostNet and Operation Aurora, both attributed to China, targeted defense contractors, U.S. embassies and major companies like Google in 2009.

The vast majority of APT malware delivery happens via spear phishing. But computer worms have always had a place in the APT toolkit, especially when the delivery method fit the mission. In 2010, Stuxnet, and its close relatives Duqu and Flame, targeted Iran's nuclear weapons program. Delivered onto a closed network via thumb drives, the Stuxnet worm compromised the machine by leveraging a zero-day vulnerability in the Windows operating system. The payload attacked the industrial-control systems that managed the centrifuges used in Iran's nuclear weapons research. The worm also searched for, and infected, other machines installed with industrial-control software. Attributed to the NSA and Israel, Stuxnet reportedly did major damage to Iran's nuclear weapons program.

Riding APT coattails

The links between APT attacks and cybercriminals remain a gray area. Many government security services outsource work to contractors and, in a few cases, shady hacking groups. Russia has even been known to use cybercriminal organizations to do its bidding.


As cyberespionage matures, criminals have noticed the success of many techniques and methods used by nation-state actors. Because these techniques often work, criminal enterprises ride APT coattails when they can. Sometimes, it's hard to separate criminal and nation-state activity.

In the summer of 2016, a group calling itself the Shadow Brokers conducted an online auction of a cyberwar chest full of zero-day exploits that it attributed to the Equation Group, an APT that is known for its encryption methods and has been linked to the NSA. The Shadow Brokers are thought to be from the Russian security services. The FSB has been collecting malware and samples of code for years from Russian organizations hacked by the NSA.

A few years earlier, the U.S. outed a prolific Chinese cyberespionage unit, known as the APT1 group. The FBI exposed APT1's indicators of compromise and its tactics, techniques and procedures during a news conference with The New York Times, which was targeted by the group, essentially rendering APT1 ineffective. The Shadow Brokers may have attempted the same outcome with the release of the NSA's Equation Group tools.

Hitting a rough patch

After the Shadow Brokers' dump of the NSA war chest, the entire world gained access to code and programs able to exercise zero-day exploits against systems that had, until then, unknown vulnerabilities for which there were no published patches.

WannaCry, a Trojan that morphed into a worm, was developed around an exploit in the Shadow Brokers release called EternalBlue. It exploited a vulnerability in the Microsoft Server Message Block (SMB) protocol that allowed specially crafted packets to execute code on the target machine. The payload was a cryptovirus, or ransomware. WannaCry also used DoublePulsar, a backdoor tool that was part of the Shadow Brokers release, to maintain persistence or to infect computers that already had the backdoor installed.

After much debate, WannaCry is loosely attributed to the Lazarus Group, the cybercrime organization that is credited with the massive attack on Sony Pictures Entertainment in 2013. The Lazarus Group may have links to the North Korean government, known as masters at mixing political and criminal enterprises. North Korea is also suspected in the cybertheft of $81 million from the central bank of Bangladesh. Attackers diverted funds from the bank's account at the Federal Reserve Bank of New York using the SWIFT payment network.

Recent global computer worms and Microsoft patches for known vulnerabilities

A month after the global WannaCry attack, another worm, with Petya-like malware, began spreading from Ukraine. The worm's initial attack vector was through a legitimate software update from a Ukrainian tax service. The "NotPetya" worm is attributed to the Russian FSB, as part of their cyber campaign against Ukraine. The worm, which spread globally, initially hit the Kiev airport, Ukrainian banks and energy utilities.

Although NotPetya and WannaCry are alike, they do have some important differences. In addition to EternalBlue, NotPetya used a more traditional approach: It harvested legitimate users' credentials using a variation of the Mimikatz hacker toolkit, and then spread via the PsExec and Windows Management Instrumentation Command-line (WMIC) tools.

CISOs must be cognizant of these events. To protect against lateral movement using credential theft and impersonation, an enterprise would need to have an antimalware system, strong firewalls and smart user-privilege rights.
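One way to look for the fan-out that PsExec- and WMIC-based spreading leaves in process-creation logs is sketched below. This is an added example, not code from the article; the log format, host names, time window and threshold are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp|source host|process command line.
# A real deployment would read these from process-creation telemetry.
SAMPLE_LOG = r"""
2024-01-15T10:01:05|WS-014|psexec.exe \\FS-01 -accepteula -s cmd /c hostname
2024-01-15T10:01:09|WS-014|wmic.exe /node:"WS-022" /user:"CORP\svc" process call create "cmd /c hostname"
2024-01-15T10:01:14|WS-014|psexec.exe \\WS-031 -s cmd /c hostname
2024-01-15T10:01:20|WS-014|wmic.exe /node:WS-047 process call create "cmd /c hostname"
2024-01-15T10:02:00|ADMIN-01|psexec.exe \\FS-01 -s cmd /c ipconfig
2024-01-15T11:30:00|ADMIN-01|psexec.exe \\WS-022 -s cmd /c ipconfig
2024-01-15T10:03:00|WS-009|wmic.exe os get caption
"""

# Remote execution via PsExec (\\TARGET) or WMIC (/node:TARGET ... process call create).
PSEXEC = re.compile(r'psexec(?:64)?(?:\.exe)?\s.*?\\\\([\w.-]+)', re.I)
WMIC = re.compile(r'wmic(?:\.exe)?\s.*?/node:"?([\w.-]+)"?.*process\s+call\s+create', re.I)

def remote_exec_target(cmdline):
    """Return the remote host a command line executes on, or None if it is local."""
    for rx in (PSEXEC, WMIC):
        m = rx.search(cmdline)
        if m:
            return m.group(1).upper()
    return None

def fan_out_alerts(log_text, window=timedelta(minutes=5), threshold=3):
    """Flag sources that run remote commands on >= threshold distinct hosts within window."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, cmd = line.split("|", 2)
        target = remote_exec_target(cmd)
        if target and target != src.upper():
            events[src].append((datetime.fromisoformat(ts), target))
    alerts = {}
    for src, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Distinct targets reached in the window that opens at this event.
            targets = {t for when, t in hits[i:] if when - start <= window}
            if len(targets) >= threshold:
                alerts[src] = sorted(targets)
                break
    return alerts

if __name__ == "__main__":
    print(fan_out_alerts(SAMPLE_LOG))
```

An administrator who touches two servers an hour apart stays below the threshold, while a workstation that reaches four hosts in 15 seconds is flagged.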

When the Shadow Brokers published the new exploits, it made sense that the number and frequency of critical patches from IT vendors was about to increase. The period between the exposure of a zero-day vulnerability to the world and the release of a patch usually represents an enterprise's greatest risk, even if the security team aggressively patches the organization's computer systems.

The Petya worm and how it operates

The EternalBlue and DoublePulsar exploits were released on April 14, 2017. The WannaCry worm hit the street on May 12, 2017 -- a month later -- and then in late June, the NotPetya worm followed. Hundreds of thousands of computers were infected, costing tens of millions of dollars to fix. The Microsoft patches, starting in March, made supported systems immune to the computer worms: The fix was the security patch. Given the timeline -- the vulnerabilities were exposed at essentially the same time a patch was released -- organizations had a month to patch their supported operating systems. Yet many did not, and the results were predictable.

The speed of events in today's cyberworld means that if your organization lacks a robust patch and vulnerability management process, you are behind the power curve in mitigating risks like WannaCry and NotPetya. Companies that are aware of the problem, because they are actively looking for trouble on the horizon, had WannaCry, NotPetya and other cyber storms like Heartbleed pass their networks over without a blip.

Given the dire consequences cryptoware has for an organization, there are few CEOs who would argue against aggressive patching of computers on their networks. CISOs who cannot influence IT operations, and CIOs who are reluctant to allocate resources to patch systems in a timely manner -- the patching requires a reboot -- are failing their companies. The issues leading up to these events are complex. The solutions are fairly straightforward. Isolate or upgrade end-of-life systems; have a robust, risk-based vulnerability and patch management process; and don't be caught unaware. Find trouble before it finds you.


This was last published in September 2017
