pixel_dreams - Fotolia

Windows 7 accounts for most WannaCry infections

Statistics show that computers running Windows 7 accounted for the biggest proportion of machines infected with the WannaCry ransomware, while NHS suppliers are blamed for hampering patching by NHS trusts

Failure to update to the latest operating system was initially cited as one of the reasons more than 200,000 computers in 150 countries were rapidly infected by WannaCry.

NHS trusts were the most severely hit organisations in the UK, which also appeared to point to a failure of many to upgrade from Windows XP as being the reason they were especially hard hit.

But researchers have discovered that in fact Windows 7, particularly the 64-bit edition, was worst affected and responsible for the wide and fast spread of the attack.

According to security firm Kaspersky Lab, more than 98% of the Windows 7 computers it monitors were hit by WannaCry infections reports Bleeping Computer, while security ratings firm BitSight found 67% of infections hit Windows 7, according to Reuters.

“#WannaCry infection distribution by the Windows version. Worst hit – Windows 7 x64. The Windows XP count is insignificant,” Costin Raiu, director of global research and analysis team at Kaspersky Lab, tweeted.

The Windows XP computers that were compromised were likely infected manually for testing purposes, he said in a subsequent tweet.

According to researchers, Windows XP was largely unaffected by the WannaCry attack because PCs crashed before ransomware could take hold.

Read more about WannaCry

  • Ramsomware attack highlights system-wide issues around lack of infrastructure investment and the need for cyber security training and awareness.
  • Security advisers are urging organisations to patch their Windows systems to avert a possible second wave of an unprecedented, indiscriminate ransomware attack.
  • A failure by many organisations to take cyber security seriously has long been blamed on the lack of a single significant event to shake things up.
  • WannaCry reveals some important facts about our dependence on the internet and IT.

The fact that computers running Windows 7 were the worst affected indicates that a failure to install the critical MS17-010 security update is likely to be the main reason for the success of the attack, and the fact that the 64-bit edition was the worst affected indicates that patching is particularly poor in enterprises, which are the main users of that edition.

Further underlining the importance of patching and the difficulties that the NHS faces in this regard from medical equipment suppliers, Grant Harris, head of IT operations at Western Sussex Hospitals NHS Foundation Trust said it is time the NHS pushed back on suppliers of systems to the NHS who forbid applying the latest patches in case it breaks their software.

“Pathology system providers seem to be the worst, claiming that their systems are not Windows systems but Pathology devices and therefore cannot have any patches applied ever,” he wrote in a post on LinkedIn.

Harris said there is a need to take action against stop suppliers who will only test patches against their latest and greatest version.

He called for NHS organisations to include in any future procurements the requirement that they will test any critical patches/updates released within five working days of its release, that that tests will be carried out against any supported version of the software, application, service or device, and that tests will be concluded within 10 working days of the patch/update release and authority given to the customer to deploy or in the case of a managed system/application or device, be applied by the supplier.

Patch testing should include third-party software

Harris said testing of patches should not be limited to operating systems, databases and browsers, but include any third-party software required by the software, application or device to function.

Although the initial infection method is unknown, indications are that the EternalBlue exploit of Microsoft’s server message block (SMB) protocol developed by the US National Security Agency (NSA) and leaked by the Shadow Brokers hacking group was not only used to propagate the infection, but also to infect machines with SMB port 445 open.

“All sorts of pundits in the media are saying the initial vector was a phishing email, but there is no evidence for that at the moment,” said Neustar senior vice-president and fellow Rodney Joffe.

“Indications are that it probably wasn’t a phishing email. It may have been dropped by another piece of malware or it may have been a port 445 attack,” he told the inaugural session of the Neustar International Security Council (Nisc) in London.

Joffe, a former director of the official Conficker Working Group, warned that about 700,000 internet-connected computers are still infected with the Conficker worm that was designed to disable antivirus and stop Windows automatic updates.

“This means that at least 700,000 computers are guaranteed to be vulnerable to WannaCry or any other malware that exploits the same vulnerability in SMB,” he said.

This underlines the importance of patching as soon as it is possible to do so, said Joffe. “If all those machines had been patched against Conficker, they would now be less likely to be vulnerable to malware exploiting the SMB flaw.”

NSA EternalBlue used to exfiltrate user credentials

According to security firm Secdo, it has found evidence that several groups used the NSA EternalBlue exploit to infect, install backdoors and exfiltrate user credentials in networks around the world, including the US, three weeks before the WannaCry attack.

These attacks might pose a much bigger risk than WannaCry, according to Secdo, because even if companies were able to block WannaCry and patch the SMB Windows exploit, a backdoor may persist and compromised credentials may be used to regain access.

Secdo said that in late April some of its customers reported being attacked by an undetectable ransomware, much more advanced than WannaCry. The ransomware is the most apparent payload, but Secdo was able to detect a more sophisticated attack under the surface.

Secdo concludes that the actors behind these attacks are using the NSA framework to spawn threads inside legitimate applications, essentially impersonating them, to evade even the most advanced next generation antivirus systems.

While this is not a completely new idea, the security firm said this technique has been mostly used by state-grade actors in the past to bypass security systems from most suppliers.

Read more on Hackers and cybercrime prevention

Search CIO
Security
Search Networking
Search Data Center
Search Data Management
Close