The WannaCry ransomware threat didn’t begin with malware-infected phishing emails as first suspected, according to a new analysis from Malwarebytes.
The security vendor claimed it had been “an easy mistake to make”, but that in reality, the now-infamous campaign began by scanning for vulnerable SMB ports exposed to the public internet.
The NSA’s EternalBlue exploit was then used by attackers to get on the target network and the DoublePulsar backdoor employed to gain persistence, allowing for the installation of additional malware, like WannaCry.
“Without otherwise definitive proof of the infection vector via user-provided captures or logs, and based on the user reports stating that machines were infected when employees arrived for work, we’re left to conclude that the attackers initiated an operation to hunt down vulnerable public facing SMB ports, and once located, using the newly available SMB exploits to deploy malware and propagate to other vulnerable machines within connected networks,” explained Malwarebytes senior malware intelligence analyst, Adam McNeil.
“Developing a well-crafted campaign to identify just as little as a few thousand vulnerable machines would allow for the widespread distribution of this malware on the scale and speed that we saw with this particular ransomware variant.”
As for takeaways, they remain pretty much the same: regular and timely patching of systems; migration to newer, supported operating systems where possible; disabling of unnecessary protocols like SMB and network segmentation.
McNeil also agreed with Microsoft president, Brad Smith, who called out the NSA and others for stockpiling exploits. The WannaCry incident is in many ways the perfect example of what can happen when government-developed exploits get into the wrong hands.
As for WannaCry, it appears as if the original threat is no longer infecting users, but newer variants have taken over.
Cryptomining threat Adylkuzz was flagged last week as one potential new threat which uses the same NSA exploits to spread.