Microsoft software is pretty good, not to mention how often nowadays it outpaces Apple’s. But one leg up that Apple has always had is a lower likelihood of being attacked, owing to its comparatively small market share.
The NHS in England was recently attacked by something called ransomware, a type of malware that infects machines, often because a person was negligent and downloaded a Trojan (malware disguised as a legitimate file). Ransomware locks the whole machine, either by encrypting the contents of the drives or by locking it behind a password, and then demands that the user pay for access. Typically ransomware is isolated to the one machine that was infected, but that is not the case with WannaCry. WannaCry uses an exploit against Windows Server 2008 R2 called EternalBlue, which was revealed when the Shadow Brokers exposed the NSA exploits that had been kept quiet. Interestingly, Microsoft had already patched this vulnerability in the MS17-010 update, so if you are up to date you should be covered against this attack.
This whole thing raises an interesting question: has Microsoft truly patched this attack, or are organisations lazy about updating software? I’m going to run with the latter, as it’s more plausible to me that a company couldn’t be bothered to update its software because skipping it saves time and money. So what we are really seeing is a targeted attack against companies that are slow on the uptake or underfunded.
The initial point of origin is hard to pin down, but as this ransomware has hit so many countries (including Russia, the UK, Spain and 71 more) in such a short amount of time, it leads me to think this is organised by a well-funded hacker group rather than just one guy in his bedroom, which in hindsight is pretty obvious. The amount of research and planning that goes into these kinds of attacks is often not recognised, because people are unaware of the scale when it simply stares them in the face and demands bitcoins from them.

The EternalBlue vulnerability is a weakness in SMB (Server Message Block) on Windows Server 2008 R2. SMB is a protocol commonly used for file sharing and is also part of something called NetBIOS, but you don’t need to know that. As this attack seems to be latching onto entire networks, it’s safe to assume that it is spreading via this vulnerability on the servers and working its way across the whole network. There are many different ways this malware could get into systems, but it’s likely to be either negligence (simply clicking on what you shouldn’t, or not updating when you should) or a well thought out attack on the system.
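The spread-across-the-network behaviour described above leaves a footprint a defender can look for: one host opening SMB connections (SMB runs over TCP port 445, a detail the post does not mention) to many distinct internal machines in a short time, which ordinary file-share use does not do, and SMB leaving the local network at all, which it normally never should. The following Python is an added example and not code from the original post; the one-line firewall/flow-log format, the 10.0.0.0/8 internal range, the one-minute window and the five-target threshold are all assumptions, and the log lines are constructed.

```python
"""Flag SMB fan-out (worm-like lateral spread) and SMB leaving the LAN in
connection logs. Added example; the log format and thresholds are assumed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

SMB_PORT = 445                                    # SMB over TCP (fact, not from the post)
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed: the organisation's LAN range
FANOUT_THRESHOLD = 5                              # assumed tuning: distinct targets per window
WINDOW = timedelta(minutes=1)                     # assumed tuning: sliding window length

# Constructed sample log in an assumed format:
# <ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto> <action>
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.0.1.15 10.0.1.20 445 tcp allow
2017-05-12T10:00:03 10.0.1.15 10.0.1.21 445 tcp deny
2017-05-12T10:00:05 10.0.1.30 10.0.1.5 445 tcp allow
2017-05-12T10:00:06 10.0.1.15 10.0.1.22 445 tcp deny
2017-05-12T10:00:09 10.0.1.15 10.0.1.23 445 tcp allow
2017-05-12T10:00:12 10.0.1.15 10.0.1.24 445 tcp deny
2017-05-12T10:00:15 10.0.1.30 93.184.216.34 443 tcp allow
2017-05-12T10:00:18 10.0.1.15 10.0.1.25 445 tcp deny
2017-05-12T10:00:24 10.0.1.15 10.0.1.26 445 tcp allow
2017-05-12T10:00:40 10.0.1.40 203.0.113.10 445 tcp allow
2017-05-12T10:02:00 10.0.1.15 10.0.1.27 445 tcp deny
2017-05-12T10:03:10 10.0.1.30 10.0.1.5 445 tcp allow
2017-05-12T10:05:00 10.0.1.30 10.0.1.5 445 tcp allow
"""


@dataclass(frozen=True)
class Conn:
    ts: datetime
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    proto: str
    action: str


def parse_line(line):
    """Parse one whitespace-separated log line; reject anything malformed."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"malformed log line: {line!r}")
    ts, src, dst, dport, proto, action = fields
    return Conn(datetime.fromisoformat(ts), ipaddress.IPv4Address(src),
                ipaddress.IPv4Address(dst), int(dport), proto.lower(), action.lower())


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def smb_fanout(conns, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Map source -> peak number of distinct internal SMB targets within any
    `window`, for sources at or above `threshold`. Denied attempts count too:
    a worm probing addresses that do not exist still shows up as fan-out."""
    by_src = defaultdict(list)
    for c in conns:
        if c.proto == "tcp" and c.dport == SMB_PORT and c.dst in INTERNAL_NET:
            by_src[c.src].append(c)
    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda c: c.ts)
        start, peak = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end].ts - events[start].ts > window:
                start += 1
            peak = max(peak, len({c.dst for c in events[start:end + 1]}))
        if peak >= threshold:
            findings[str(src)] = peak
    return findings


def smb_to_internet(conns):
    """Sources that attempted SMB to an address outside INTERNAL_NET."""
    return sorted({str(c.src) for c in conns
                   if c.proto == "tcp" and c.dport == SMB_PORT
                   and c.dst not in INTERNAL_NET})


if __name__ == "__main__":
    conns = parse_log(SAMPLE_LOG)
    print("SMB fan-out:", smb_fanout(conns))          # {'10.0.1.15': 7}
    print("SMB to internet:", smb_to_internet(conns))  # ['10.0.1.40']
```

On the constructed sample, 10.0.1.15 reaches seven distinct internal hosts on 445 within a minute and is flagged, while 10.0.1.30 talking to a single file server repeatedly is not; 10.0.1.40 is reported separately for sending SMB outside the LAN. The thresholds need tuning against a baseline of normal traffic before this is useful on a real network.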
So my advice to anyone who is worried: update your server now if you haven’t done so already, and be very wary of any links you click on. Stay on your toes, people.
Update: Microsoft has posted a report on the attack in which they advise companies to stop using Windows XP and to update Windows Server 2008. Report here.