On May 12, the WannaCry worm unleashed the fastest-spreading ransomware attack in computing history, encrypting files on millions of computers around the world in a matter of hours and demanding payment to unlock them.
The scope of the outbreak revealed the vast inadequacies of corporate and government security practices for addressing security vulnerabilities.
But WannaCry did not come as a surprise. Two months before the outbreak, Microsoft had released the MS17-010 patch, which prevents infection. One month before the attacks, a hacking entity called the Shadow Brokers released the EternalBlue exploit and the DoublePulsar backdoor that were used to carry out the attacks.
WannaCry was not an "advanced" attack, as was initially reported. In fact, by most indicators it was a crude piece of malware. It could have been created by anyone with rudimentary Windows and networking programming knowledge. It also wasn’t the first widespread attack to exploit missing patches, but it was one of the biggest and most widely reported on.
So, why was such a critical patch largely ignored? Poor patch management is prevalent across all industries. To this day, many organizations still have machines missing the MS17-010 patch, which protects against the WannaCry attack. These will either be discovered during a vulnerability assessment, or by future attackers.
When organizations don't follow basic principles of security, threats do not need to be sophisticated or rely on new attack methods to deliver their payloads. Adversaries only need tried and true techniques. Generally, this involves using known vulnerabilities, or "N-days", instead of "zero-day" (or unknown) vulnerabilities. In the WannaCry case, the vulnerability had been known for 60 days. Oftentimes, pre-made and publicly available exploits for these N-days already exist on the dark web.
The quantity and frequency of patches that need to be applied make it difficult to stay current. This problem gets exponentially worse when an organization has tens of thousands of machines to patch. Prioritizing the most critical patches is an evolving science which must take many factors into account, including the business criticality of different assets and whether a vulnerability is known to be under active exploitation.
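As an added illustration (not code from the article or from RiskSense), the following ranks outstanding patches across an asset inventory using the factors named above: business criticality, known active exploitation, and whether the asset is reachable from the Internet. The inventory, the second patch identifier and the weights are constructed assumptions; only MS17-010 comes from the article.

```python
"""Rank (asset, missing patch) pairs so the riskiest gaps are closed first."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    business_criticality: int          # 1 (low) .. 5 (mission critical)
    internet_exposed: bool             # reachable through the firewall
    missing_patches: list[str] = field(default_factory=list)


@dataclass
class Advisory:
    patch_id: str
    actively_exploited: bool           # seen used by malware in the wild
    public_exploit: bool               # working exploit code is public
    days_since_release: int            # how long the N-day has been open


def priority_score(asset: Asset, adv: Advisory) -> int:
    """Constructed weighting: exploitation in the wild dominates, then exposure."""
    score = asset.business_criticality * 10
    if adv.actively_exploited:
        score += 50
    elif adv.public_exploit:
        score += 30
    if asset.internet_exposed:
        score += 20
    # An unpatched N-day gets riskier as it ages; cap the contribution at 90 days.
    score += min(adv.days_since_release, 90) // 10
    return score


def prioritize(assets: list[Asset], advisories: list[Advisory]) -> list[tuple[int, str, str]]:
    """Return (score, asset name, patch id) sorted highest priority first."""
    index = {a.patch_id: a for a in advisories}
    work = []
    for asset in assets:
        for pid in asset.missing_patches:
            if pid in index:               # skip patches with no advisory on file
                work.append((priority_score(asset, index[pid]), asset.name, pid))
    return sorted(work, key=lambda t: (-t[0], t[1], t[2]))


def build_sample() -> tuple[list[Asset], list[Advisory]]:
    """Constructed inventory: EXAMPLE-PATCH-B is a hypothetical, unexploited patch."""
    advisories = [Advisory("MS17-010", True, True, 60),
                  Advisory("EXAMPLE-PATCH-B", False, False, 20)]
    assets = [Asset("file-server-01", 5, True, ["MS17-010"]),
              Asset("dev-laptop-07", 1, False, ["MS17-010", "EXAMPLE-PATCH-B"]),
              Asset("web-01", 4, True, ["EXAMPLE-PATCH-B"])]
    return assets, advisories
```

Run on the sample, the Internet-facing, business-critical server missing MS17-010 lands at the top, while the same patch on an isolated low-value laptop still outranks an unexploited patch on an exposed web server.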
The vulnerabilities addressed by the MS17-010 patch were being actively exploited on a mass scale by other types of malware for at least one month before the WannaCry ransomware outbreak occurred. Many security experts had been urging organizations to install this set of patches before the perfect storm arrived.
Unfortunately, these warnings were not sufficient to avert a global attack. One of the major issues that could have led to the warnings being ignored is the fact that the information security community has cried wolf far too many times. Many vulnerabilities are over-hyped and turn out to be insignificant issues that are never actually exploited in any meaningful capacity.
Many information technology professionals outside of the security realm are drowning out vulnerability alerts on the basis that they create more work and often pose no actual threat. This is what happens when every vulnerability is deemed critical.
Organizations cite many reasons for delaying or ignoring security patches, such as compatibility testing requirements and concerns over taking production machines offline. Unfortunately, production systems are the most vulnerable assets on a network, as they are the ones generally exposed through firewalls and other common defenses. System administrators need to weigh the five minutes it takes to reboot a machine in order to install a patch against the risk of having malware take the organization down for days or weeks.
Moving forward, the information security community must do a better job of avoiding the hype surrounding new vulnerabilities in order to help system administrators prioritize and apply the most critical patches quickly. Likewise, organizations must perform routine audits and inventory their assets to discover the weakest links in the security chain that can be exploited by attackers.
In the case of WannaCry, Windows machines were exposed to the Internet and left unpatched for months. Hopefully the WannaCry incident, for all the pain it created, will force many organizations to reevaluate and change their patching practices for the better.
Sean Dillon is a senior security researcher at RiskSense, Inc. with more than 10 years of experience as a white hat hacker, software engineer and IT administrator.