Back to overview

WannaCry, NSA-Exploits and the tale of SMBv1

Little red protocol and the seven hackers

Once upon a time, a certain Mr. Barry Feigenbaum set out for the development of a network protocol for file printing and other server services in computer networks. Over the years, the project grew and prospered. Thus, it became a joy to the current protocol for operating systems and network applications such as Samba. But unfortunately, not all those who read the protocol intended well. And so it happened in 2017 that an old protocol with moderate security was responsible for the biggest Ransomware attack in history …

And so after a few weeks of the hypes, the coverage around WannaCry and the EternalBlue Exploit is slowly but surely diminishing. The dust settles. Country on land, the digital banglers reported on the vicious combination of a not-so-fabulously written Ransomware and an NSA exploit developed by professional Hackerteam(s), presumably years ago, yet undetected, stolen by digital activists and leaked into the net in justified outrage. Another hairy fairy tale, which can be told of the current generation of small digital natives when putting them to bed at night.

The idea behind WannaCry is devilishly ingenious: A Ransomware encrypting the infected computer while spreading itself without user interaction, in order to make the largest possible profit. Sounds a little bit like a network worm from the early 2000s (when monsters such as Blaster, Slammer or Conficker roamed the dark corners of the web). “Hang on!” you probably think now, being the attentive reader you are: “Have we not learned anything?”. As a narrator, I put on a knowing face and answer, “Basically yes, but it’s not that simple.”

The protocol with the three golden hairs

The rapid spread of WannaCry using the EternalBlue exploit, a vulnerability present in SMB protocol version 1 (not as originally assumed via e-mail), once again showed that comprehensive Vulnerability Management is an essential part of any effective multi-level security strategy. Microsoft itself had already pointed out the long-known vulnerability in the SMBv1 protocol in November 2016 in a Technet-Blog.

In fact, there are hardly any arguments for the use of the SMBv1 protocol established in 1983 in companies. In the end, they boil down to three possible reasons:

  1. Windows XP or Server 2003 continue to be used with a Custom Support Agreement
  2. The enterprise uses a highly outdated management software, which is dependent on the so-called “Network Neighborhood” masterbrowser list for its full functionality
  3. antique multifunctional printers with outdated firmware are used, for example depending on scanning permissions to work correctly

Like ghosts, these three shadows from the past are wavering around. Maybe now is the time to remove the spiders. Let’s be honest: none of the three mentioned reasons is a particularly valid argument for the use of the outdated SMBv1 standard. Therefore, our advice can only be the following: Get rid of the old clutter and make room for more secure protocols, such as SMBv2 or better SMBv3 with end-to-end encryption.

It might also be appropriate to ask how long the NSA has known about the existence of the weak spot and over what time periode it was actually used. Even a more detailed analysis of the data provided by the hacker group “The Shadow Brokers” unfortunately does not allow a conclusion to a precise date. The SMB protocol in version 1 has been an integral part of every Microsoft operating system since Windows 2000. Including the server editions, the vulnerability has lived through about 11 versions of the operating system, for more than 17 years. There’s nothing better than exploits with downward compatibility. What an act of mercy and nobility that everyones favourite softwaregigant from Redmont was generously ready to patch even old versions.

“That armour of you is a pile of rust” the dragon cheered.

In conclusion, I would like to add a point from my own experience to our small excursion into the topic of antiquated protocols and possible safety risks. For often the noble knights not only set out with perforated armor. In most cases, they do not even know it. In the Vulnerability Management process, even the first step is often missing – to get accurate and up-to-date information about all IT systems. Only those who overlook their system landscape can find weak points to close or at least monitor them. One should therefore start in time to bring light into the area, which for good reasons is called “shadow IT”.

So-called vulnerability scanners, but also techniques such as static and dynamic code analysis for checking applications, hunt down security risks. They detect weaknesses, regardless of whether it is a bug, a missing patch, a design weakness or a configuration problem. Patch management tools can be used to resolve known security gaps quickly. Network monitoring and Next Generation Firewalls allow you to secure or at least monitor gaps, which for one reason or another, have to be accepted at least temporarily. There are highly automated solutions for these tasks. They just have to be used. For more information on Vulnerability Management, see e.g. here.

I’m afraid there will never be a “Happily ever after” in IT security. However, to ensure that most IT fairytales still end well and that such a huge Ransomware outbreak as WannaCry does not become your problem all of a sudden, despite any new security gaps and exploits of the NSA, it is now a good time to be professional about topics such as Vulnerability Management, Code Analysis and Patch Management.

After all, you do not have to eat every apple passed around by dubious figures.




Find professional help here:

Image: ©iT-CUBE SYSTEMS AG 2017

Leave a Reply

Wir nehmen Datenschutz ernst! Deshalb informieren wir Sie, was mit Ihren Daten geschieht:

  • Daten aus Formularen und Webseiten-Tracking können von uns zur Analyse gespeichert werden
  • Die Daten können zur Optimierung der Webseite ausgewertet werden. Das ermöglicht es uns, besser zu verstehen, wo das Interesse unserer Besucher liegt. Wir benutzen primär Hubspot für dieses Tracking (mehr dazu finden Sie in der Erklärung auf unserer Datenschutzseite, siehe unten)
  • Wir geben Ihre Daten nicht an Dritte weiter. Im Rahmen von Veranstaltungen, an denen Sie teilnehmen möchten, kann es nötig sein, dass Ihre Daten an Vertragspartner übermittelt werden.
  • Sie haben jederzeit ein Recht auf die Herausgabe, Berichtigung oder Löschung persönlicher Daten.
  • Sie können Ihre Einwilligung, mit uns in Kontakt zu treten, jederzeit mit sofortiger Wirkung widerrufen.

Weitere Details dazu, was wir mit den Daten tun und nicht tun finden Sie auf unserer Datenschutzseite, oder schreiben Sie mich bei Fragen direkt an!

Felix Möckel
Data Protection Officer