WannaCry can be patched, but NSA-based methodologies are harder to fight

F5 CISO Mike Convertino says hackers have embraced the Principle of Interchangeable Parts in their attacks.

By now you’ve probably heard or read about WannaCry, the massive ransomware attack that brought the UK National Health Service to its knees and caused major disruption to thousands of other companies across Europe and Asia.

Based on an NSA exploit known as EternalBlue, the WannaCry ransomware – which encrypts files and demands a ransom, paid in Bitcoin, for the files to be decrypted – has infected hundreds of thousands of machines running unpatched versions of Windows XP and Windows 7. To help stem the spread, Microsoft made the rare move of issuing patches for systems no longer officially supported. And, according to Sophos, other attacks based on NSA exploits are now being found in the wild.

But exploits such as EternalBlue aren’t the biggest impact of all the information gleaned from the NSA in recent months and years, according to F5 CISO Mike Convertino.


Exploits vs. methodologies

“Mr. Snowden's disclosures, the technical things that he released about particular exploits, those will come and they will go,” he said during an interview at the F5 Agility conference this week. “Just like all exploits do, software gets patched, things go away. But it's the surrounding methodologies he disclosed which I think have changed things.”

“It's brought mass governmental thinking about modularity in malware - making it modular and being able to substitute different components in the malware.”

“And also this concept of Malware infrastructures - exploitation infrastructures - where you create not just a piece of malware, but actually the ability to launch and be able to make that infrastructure dynamic and constantly changing.”

“Those concepts we're now seeing beginning to show up in the criminal sphere, where they had not really been before.”

Convertino likens this new approach to taking Eli Whitney’s Principle of Interchangeable Parts and applying it to malware: “where you can take an exploit and recombine it with a payload and combine it with an infrastructure - both exploitation as well as exfiltration infrastructures - and any one of a number of different combinations.”

Although the WannaCry exploits came from a group known as the Shadow Brokers, rather than Snowden, Convertino says it is still a good example of his point. “It used two exploits, those two exploits are dead. So what they'll do is they'll change the exploits and relaunch on a different infrastructure. Guarantee that's what they're doing right now, this won't be the last time we'll hear about this.”

But while WannaCry has caused significant disruption to a number of companies and organisations, he warns that the world was lucky in a way, as the worm was only designed to exploit older network vulnerabilities.

“It actually would have been a lot worse if it had spread throughout Cloud infrastructure. It's important to be able to provide the same sort of segmentation with your Cloud infrastructure that you do in your data centre or On-Prem.”
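The segmentation point above is the one actionable defence in the interview, so here is a worked illustration of it: an added example, not code from the article, F5 or Microsoft. It audits a set of inbound allow rules in the shape most cloud security groups use and flags any rule that lets an untrusted source reach services that should be confined to a management segment. The service/port list and the 10.10.0.0/24 management subnet are assumptions of this example (the article names no ports or subnets); the "flat" and "segmented" rule sets are constructed to show the weak configuration beside the corrected one.

```python
"""Audit cloud security-group style inbound rules for missing segmentation."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One inbound allow rule, in the shape most cloud security groups use."""
    name: str
    protocol: str      # "tcp" or "udp"
    port_from: int
    port_to: int
    source_cidr: str   # who may connect


# Assumption (not from the article): TCP services that should only be reachable
# from a trusted management segment, never from the whole VPC or the Internet.
SEGMENTED_SERVICES = {22: "ssh", 139: "netbios-ssn", 445: "smb", 3389: "rdp", 5985: "winrm"}

# Constructed sample: the one subnet that is allowed to reach those services.
TRUSTED_SOURCES = [ipaddress.ip_network("10.10.0.0/24")]


def exposed_services(rule, trusted=TRUSTED_SOURCES):
    """Return (port, service) pairs this single rule exposes to an untrusted source."""
    if rule.protocol.lower() != "tcp":
        return []
    src = ipaddress.ip_network(rule.source_cidr, strict=False)
    # A source that lies entirely inside a trusted segment is acceptable.
    if any(src.version == t.version and src.subnet_of(t) for t in trusted):
        return []
    return [(port, svc) for port, svc in sorted(SEGMENTED_SERVICES.items())
            if rule.port_from <= port <= rule.port_to]


def audit(rules, trusted=TRUSTED_SOURCES):
    """List (rule name, port, service) findings for a rule set; empty means segmented."""
    return [(r.name, port, svc)
            for r in rules
            for port, svc in exposed_services(r, trusted)]


# Constructed "before": a flat network where admin protocols are reachable from anywhere.
FLAT_RULES = [
    Rule("allow-all-internal", "tcp", 0, 65535, "10.0.0.0/8"),
    Rule("allow-smb-anywhere", "tcp", 445, 445, "0.0.0.0/0"),
    Rule("allow-https", "tcp", 443, 443, "0.0.0.0/0"),
]

# Constructed "after": same workload, admin protocols only from the management subnet.
SEGMENTED_RULES = [
    Rule("allow-admin-from-mgmt", "tcp", 0, 65535, "10.10.0.0/24"),
    Rule("allow-https", "tcp", 443, 443, "0.0.0.0/0"),
]


if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        findings = audit(rules)
        print(f"{label}: {len(findings)} finding(s)")
        for name, port, svc in findings:
            print(f"  {name}: {svc}/{port} reachable from outside trusted segments")
```

Run against the flat rule set the audit reports six findings (every listed admin service via the broad internal rule, plus SMB from the Internet); the segmented set reports none while still serving HTTPS publicly. The same check can be pointed at rules exported from a real cloud account, which is the practical way to confirm that the segmentation applied on-premises has actually been carried over.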

