Saturday, May 20, 2017

Curiouser and curiouser

Some reports suggest that it was not spread by a phishing email[1] (although some hedge their bets by saying that it ‘could’ have been, with suggestions that the attackers had a pre-existing foothold that allowed the initial infection to occur[2], or that it came through infected websites[3]). There are also reports, based on Darktrace information, that it was initiated by a phishing email[4], and an initial email infection in Europe was reported as the source by the FT[5], although phishing is then conspicuous by its absence from the Darktrace blog of 17th May.[6]

It is probably true that there has been more than a little fear, uncertainty and doubt around the attack vector in particular.

This continues as of today (20th May 2017), with the Register quoting Malwarebytes definitively that the vulnerability was exploited by port scanning for exposed SMB ports and not through phishing emails.[7]

The same report suggests that Windows XP does not now seem to have been impacted (it’s so out of date that even the malware won’t work on it) and that Windows 7 was more at risk.
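The port-scanning claim above, as an added defender-side example that is not from the post or the reports it cites: a small Python detector that reads constructed connection records (timestamp, source, destination, destination port; all values invented) and flags any source that reaches many distinct hosts on TCP/445 within a short window, which is the pattern that SMB-based lateral spread leaves in firewall or flow logs. The port, window and threshold values are assumptions for illustration, not figures from the post.

```python
"""Flag hosts that fan out to many distinct peers on TCP/445 (SMB)."""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445  # assumed: SMB over TCP, the port the post's sources point at


def build_sample_log():
    """Constructed records 'ISO-timestamp src dst dport' (not real traffic)."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # worm-like host touching 40 distinct internal addresses on 445 in 40 s
    for i in range(40):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 10.0.1.{i + 1} 445")
    # ordinary workstation talking repeatedly to a single file server
    for i in range(40):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.7 10.0.0.20 445")
    # slow host reaching 5 peers over ten minutes: below the default threshold
    for i in range(5):
        ts = (base + timedelta(minutes=2 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.9 10.0.2.{i + 1} 445")
    return "\n".join(lines)


def parse_records(text):
    """Turn the whitespace-separated records into (datetime, src, dst, port)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def find_smb_scanners(records, window=timedelta(seconds=60), threshold=10):
    """Return {src: peak distinct-destination count} for sources that contact
    at least `threshold` distinct hosts on SMB_PORT inside any `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()  # sliding window over time-ordered events
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged
```

Repeated connections to one server never raise the count, so a busy file-server client is not flagged; only fan-out to many distinct hosts is.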

For me, this does of course beg the question as to why Microsoft rushed out a patch for XP. And then (for me at least) a secondary question as to how they tested the patch if the malware wouldn’t run on the system they had just patched. Maybe I’m just old fashioned.

In the same report comes the statement that the code that could have led to this exploit was loaded onto Github to work with Metasploit. (For the conspiracy theorists among you, it is worth noting that Github is also used by GCHQ to upload ‘benign’ open source tools.)

So, obvious questions. 

Was the Github code used to create the WannaCry exploit?

Who uploaded the tool on Github?

Why did it take six days for anyone to notice?

"Curiouser and curiouser," said Alice.


[3] Woollaston, Victoria, WannaCry ransomware: what is it and how to protect yourself, available at accessed on 19/05/2017 at 10:25


[6] Tsonchev, Andrew, WannaCry: Darktrace’s response to the global ransomware campaign, 17/05/2017, available at accessed on 19/05/2017 at 09:50
