WannaCry – What did we learn? 19/July/2017
The year 2017 has not yet come to its end but it will certainly be remembered as the Wannacry year by those who live and breathe cybersecurity. The alarm sounded on 12 May, near lunchtime. We were all fixing our eyes on Fatima and the Pope’s visit, when the first signs of a global ransomware campaign were underway.
The attack exploited several known vulnerabilities being the most important (Microsoft’s MS17-10) the subject of serious attention within the RCTS a few weeks earlier. That may not have been the deciding factor in the absence of reported cases of infection by WannaCry in RCTS. However, it is important to aknowledge that to give little relevance to a vulnerability in a non-critical system can result in serious impact on other more critical systems within the same network.
Another vector studied under this infection was the e-mail messaging. It is never too much to remind those around us that these messages, in order to take control of our devices, are increasingly elaborated.
WannaCry had another interesting feature: the alleged existence of a kill-switch which, through Internet communication, stopped infection. In the aftermath, and looking at the information collected by the RCTS CERT, a set of devices was identified in 40 RCTS institutions that reported this kill switch.
This identification gave rise to notifications and local teams verified if the systems in question had some kind of infection. What we have learnt in the course of this situation is that the fact that the addresses that inhibited the infection had been made public led some RCTS users to initiate communications or tests with those same addresses, which only indicates curiosity and not an infected system.
This event forced a lot of coordination during Saturday and Sunday (13 and 14 May). On the following working day, although we knew our systems were up to date, we launched the warning internally at FCT and at the FCCN Unit to be extremely careful about messages (e-mail) of doubtful or unknown origin.
Now that two months have passed, we can look at the occurrence at a distance and realize that it is absolutely necessary to eradicate as soon as possible the vulnerabilities that fall into public domain. The idea that users’ awareness of potentially malicious content mey be received has to continue to be reinforced. Another clear idea is that we must be equipped with tools that in the future allow us to cope with similar episodes or with incidents even more harmful than WannaCry.
RCTS CERT, 18 july, 2017.