What Kaspersky really discovered...

Daniel Boctor

21 Jun 202419:56

Summary

TLDROn May 12, 2017, the world experienced a massive cyber attack known as WannaCry, which encrypted data on hundreds of thousands of computers globally, demanding ransom payments. This attack utilized the EternalBlue exploit, developed by the NSA and later leaked by the Shadow Brokers. Despite a patch being available, many systems remained vulnerable, leading to widespread damage and disruption, especially in the UK's National Health Service. The attack highlighted significant vulnerabilities in global cyber defenses and raised questions about the responsibility of government agencies in handling such exploits.

Takeaways

🖥️ On May 12, 2017, a global cyber attack known as WannaCry encrypted data on computers, demanding a ransom for decryption.
💰 Victims had to pay $300 within 3 days or $600 after that, with the threat of permanent data loss if no payment was made after a week.
🌍 WannaCry quickly spread to other devices on the network, becoming a self-replicating worm that infected over 230,000 computers in 150 countries within a day.
🏥 The UK's National Health Service was severely affected, with up to 70,000 devices impacted, leading to emergency patient diversions and operational disruptions.
🇰🇵 The United States attributed the attack to North Korea in December 2017, later indicting three North Korean officials.
🔒 The attack utilized the EternalBlue exploit, initially developed by the NSA and later leaked by a group called The Shadow Brokers.
🛠️ EternalBlue exploits a vulnerability in Microsoft's SMBv1 protocol, enabling the worm to spread across networks.
🔓 Despite a patch being released by Microsoft in March 2017, many systems remained unpatched, allowing WannaCry to cause widespread damage.
🐛 EternalBlue involves an exploit chain leveraging three bugs, causing a buffer overflow and arbitrary memory allocation.
🚑 Following the WannaCry attack, another significant cyber attack using NotPetya malware targeted Ukraine, causing over $10 billion in damages.

Q & A

What happened on the morning of May 12th, 2017?
-On the morning of May 12th, 2017, individuals found a prompt from a program called WannaCry informing them that their data had been encrypted and was being held for ransom.
How does the WannaCry malware spread across networks?
-WannaCry malware spreads across networks using a self-replicating mechanism, functioning as a computer worm that propagates itself without user interaction.
What was the global impact of the WannaCry attack within the first day?
-Within a single day, over 230,000 computers across 150 different countries were infected by WannaCry, causing damages ranging from hundreds of millions to billions of dollars.
Which major organization was significantly impacted by the WannaCry attack?
-The National Health Service (NHS) in the UK was significantly impacted, with up to 70,000 devices affected, leading to emergency patients being turned away and ambulances being diverted.
Who did the United States formally assert was behind the WannaCry attack?
-In December 2017, the United States formally asserted that North Korea was behind the WannaCry attack, later indicting three North Korean officials.
What was the purpose of the NotPetya malware during the 2017 Ukraine ransomware attacks?
-The NotPetya malware, initially mistaken for ransomware, was actually a disc wiper designed to cause maximum damage to its targets.
Which country did the United States claim was behind the NotPetya attack?
-The United States claimed that Russia was behind the NotPetya attack, indicting a total of six Russian officials.
What common exploit did these cyber attacks (WannaCry and NotPetya) utilize?
-Both WannaCry and NotPetya utilized the EternalBlue exploit, which targeted Microsoft's SMBv1 protocol.
What is the significance of the SMB protocol in the context of the EternalBlue exploit?
-The SMB (Server Message Block) protocol is widely used for file sharing and print services on Windows computers and servers. Its vulnerability made it an ideal target for a computer worm like EternalBlue.
How did the EternalBlue exploit become publicly available?
-The EternalBlue exploit became publicly available after a group called The Shadow Brokers stole it from the NSA and released it online in April 2017.
What is 'Heap grooming' in the context of the EternalBlue exploit?
-Heap grooming is a technique used in the EternalBlue exploit to manipulate memory allocation and create conditions for successful exploitation, such as buffer overflows.
Why was the NSA criticized regarding the EternalBlue exploit?
-The NSA was criticized for not informing Microsoft about the vulnerabilities in SMBv1 protocol and instead keeping them under wraps, which led to massive damage once the exploit was released publicly.