- Using unpatched and unsupported software may increase the risk of being affected by malicious software, such as Petya ransomware infections, according to the Department of Homeland Security’s (DHS) US Computer Emergency Readiness Team (US-CERT).
US-CERT stated it has received multiple reports of Petya ransomware infections, which encrypt the master boot records of infected Windows computers. The ransomware exploits vulnerabilities in Server Message Block (SMB) and makes devices unusable, the agency said on its website.
Microsoft released a security update for its Microsoft Server Message Block 1.0 (SMBv1) server in March 2017.
“This security update resolves vulnerabilities in Microsoft Windows,” the company explained. “The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to [an SMBv1] server.”
The vulnerabilities exist in how the SMBv1 server handles certain requests, according to Microsoft.
“An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server,” the warning stated. “To exploit the vulnerability, in most situations, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv1 server.”
The Petya ransomware strain has impacted numerous countries, utilizing the same approach as the WannaCry ransomware strain – the National Security Agency’s (NSA) EternalBlue exploit – that caused NHS to shut down its system in May 2017.
HITRUST reports that this particular ransomware worm variant does not seem to have a “KillSwitch,” similar to WannaCry v2.0.
The “KillSwitch” in question was discovered by an individual who registered a domain name that had been hidden in the malware. The researcher, who identified himself as MalwareTech, found and inadvertently activated a “kill switch.”
Furthermore, Microsoft and DHS issued warnings in June 2017 on vulnerabilities in the Windows operating system as well as a threat by a group DHS calls “Hidden Cobra.”
“These vulnerabilities allow an attacker to remotely run programs or attacks on systems,” said the HHS Healthcare Cybersecurity and Communications Integration Center (HCCIC). “This could allow an attacker to perform a wide range of actions including exfiltrating documents or data, or gain access to other internal systems via the local network once initial access is gained.”
While “Hidden Cobra” was expected to target “the media, aerospace, financial, and critical infrastructure sectors in the United States and globally,” it was still considered possible that US healthcare and public health sector systems and devices were also targets.
Organizations were urged to “review logs and implement blocks for indicators listed in the “Hidden Cobra” report.”
“SMB vulnerabilities can be extremely dangerous if left unpatched on a local (internal) corporate network,” HCCIC maintained. “That’s because a single piece of malware that exploits this SMB flaw within a network could be used to replicate itself to all vulnerable systems very quickly.”
Hidden Cobra was also likely targeting systems running older, unsupported versions of Microsoft operating systems.
“The multiple vulnerabilities in these older systems provide cyber actors many targets for exploitation,” DHS said. “These actors have also used Adobe Flash player vulnerabilities to gain initial entry into users’ environments.”
With the recent SMB Microsoft vulnerability, US-CERT also encouraged organizations to follow its best practices related to SMB.
Specifically, users and administrators should consider the following steps:
- Disabling SMBv1
- Blocking all versions of SMB at the network boundary by blocking TCP port 445 with related protocols on UDP ports 137-138 and TCP port 139, for all boundary devices.
“US-CERT cautions users and administrators that disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices,” the agency stated. “The benefits of mitigation should be weighed against potential disruptions to users.”