Experts: Conditions behind cyberattack may be hard to mimic
NEW YORK » The cyberextortion attack hitting dozens of countries spread quickly and widely thanks to an unusual confluence of factors: a known and highly dangerous security hole in Microsoft Windows, tardy users who didn’t apply Microsoft’s March software fix, and a software design that allowed the malware to spread quickly once inside university, business and government networks.
Not to mention the fact that those responsible were able to borrow weaponized software code apparently created by the U.S. National Security Agency to launch the attack in the first place.
Other criminals may be tempted to mimic the success of Friday’s “ransomware “attack, which locks up computers and hold people’s files for ransom. Experts say it will be difficult for them to replicate the conditions that allowed the so-called WannaCry ransomware to proliferate across the globe.
But we’re still likely to be living with less virulent variants of WannaCry for some time. And that’s for a simple reason: Individuals and organizations alike are fundamentally terrible about keeping their computers up-todate with security fixes.
THE WORM TURNS ... AND TURNS
One of the first “attacks” on the internet came in 1988, when a graduate student named Robert Morris Jr. released a self-replicating and self-propagating program known as a “worm” onto the then-nascent internet. That program spread much more quickly than expected, soon choking and crashing machines across the internet.
The Morris worm wasn’t malicious, but other nastier variants followed — at first for annoyance, later for criminal purposes, such as stealing passwords. But these worm attacks became harder to pull off as computer owners and software makers shored up their defenses.
So criminals turned to targeted attacks instead to stay below the radar. With ransomware, criminals typically trick individuals into opening an email attachment containing malicious software. Once installed, the malware just locks up that computer without spreading to other machines.
The hackers behind WannaCry took things a step further by creating a ransomware worm, allowing them to demand ransom payments not just from individual but from entire organizations — maybe even thousands of organizations.
THE PERFECT STORM
Once inside an organization, WannaCry uses a Windows vulnerability purportedly identified by the NSA and later leaked to the internet. Although Microsoft released fixes in March, the attackers counted on many organizations not getting around to applying those fixes. Sure enough, WannaCry found plenty of targets.
Since security professionals typically focus on building walls to block hackers from entering, security tends to be less rigorous inside the network. WannaCry exploited common techniques employees use to share files via a central server.
“Malware that penetrates the perimeter and then spreads inside the network tends to be quite successful,” said Johannes Ullrich, director of the Internet Storm Center at the SANS Institute.
PERSISTENT INFECTIONS
“When any technique is shown to be effective, there are almost always copycats,” said Steve Grobman, chief technology officer of McAfee, a security company in Santa Clara, California. But that’s complicated, because hackers need to find security flaws that are unknown, widespread and relatively easy to exploit.
In this case, he said, the NSA apparently handed the WannaCry makers a blueprint — pre-written code for exploiting the flaw, allowing the attackers to essentially cut and paste that code into their own malware.
Mikko Hypponen, chief research officer at the Helsinkibased cybersecurity company FSecure, said ransomware attacks like WannaCry are “not going to be the norm.” But they could still linger as low-grade infections that flare up from time to time.
For instance, the Conficker virus, which first appeared in 2008 and can disable system security features, also spreads through vulnerabilities in internal file sharing. As makers of anti-virus software release updates to block it, hackers deploy new variants to evade detection.
Conficker was more and didn’t do major of a pest damage. WannaCry, on the other hand, threatens to permanently lock away user files if the computer owner doesn’t pay a ransom, which starts at $300 but goes up after two hours.
The damage might have been temporarily contained. An unidentified young cybersecurity researcher claimed to help halt WannaCry’s spread by activating a so-called “kill switch.” Other experts found his claim credible. But attackers can, and probably will, simply develop a variant to bypass this countermeasure.