Team we45
May 17, 2017

WannaCry in the AppSec World

There is literally no way anyone could have avoided hearing about “that ransomware attack” which crippled millions of computers all over the world. The WannaCry Attack has made waves across technologists and non-tech folks alike, and has made several folks definitely wanna cry, as they see their critical data encrypted and completely unavailable.

As a quick refresher, the WannaCry ransomware attack emerged from the aftermath of the infamous Windows vulnerability MS17-010. An attacker can send specially crafted messages using SMBv1 (Server Message Block), execute code on the remote server and gain access to the server as a privileged user of the computer. This affects multiple categories of Windows products, including Windows Server 2008, 2003, 2012, XP, Vista, 10 and other Windows OS products. The patch for this flaw was released by Microsoft in March 2017. However, it was only a patch for currently supported products and not for older products like Windows XP, Server 2003 and so on, which still have a massive user base. The code from WannaCry is said to have emerged from the exploits stolen by a group known as the Shadow Brokers from the Equation Group (a cyber threat actor that is supposedly linked to the USA’s National Security Agency (NSA)). The malware, known as WannaCrypt0r, has been used to perform the WannaCry attack.

The worm is extremely effective against unpatched Windows hosts, where it loops through the RDP sessions on the system, attempts to identify hosts on the network, loads the payload on the remote computer and scans the network for additional hosts to infect on port 445.
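The scanning behaviour described above leaves a recognisable footprint in network flow data: one internal host opening connections to many distinct peers on TCP/445. The following is an added example (not from the we45 post) of a simple fan-out detection over constructed flow records; the threshold of 10 distinct destinations is an assumed tuning value, not a figure from the post.

```python
# Added example: detect a single source contacting many distinct hosts on
# TCP/445, the lateral-movement pattern described for the worm.
from collections import defaultdict

# Constructed sample flow records: (src_ip, dst_ip, dst_port).
# 10.0.0.5 sweeps 21 hosts on 445 (worm-like); 10.0.0.7 talks to one
# file server repeatedly; 10.0.0.8 mixes one SMB flow with one RDP flow.
SAMPLE_FLOWS = (
    [("10.0.0.5", f"10.0.0.{i}", 445) for i in range(20, 41)]
    + [("10.0.0.7", "10.0.0.100", 445)] * 5
    + [("10.0.0.8", "10.0.0.100", 445), ("10.0.0.8", "10.0.0.9", 3389)]
)


def smb_fanout(flows, port=445):
    """Map each source IP to the set of distinct destinations it contacted
    on the given port. Repeated flows to the same peer count once."""
    fanout = defaultdict(set)
    for src, dst, dport in flows:
        if dport == port and src != dst:
            fanout[src].add(dst)
    return fanout


def suspected_scanners(flows, threshold=10, port=445):
    """Return sorted source IPs that reached at least `threshold` distinct
    hosts on `port`. A file server receives many SMB connections but a
    workstation rarely initiates them to many peers, so a high fan-out
    from one client is worth an alert. `threshold` is an assumed value."""
    return sorted(
        src
        for src, dsts in smb_fanout(flows, port).items()
        if len(dsts) >= threshold
    )


if __name__ == "__main__":
    for src in suspected_scanners(SAMPLE_FLOWS):
        peers = len(smb_fanout(SAMPLE_FLOWS)[src])
        print(f"ALERT: {src} contacted {peers} distinct hosts on TCP/445")
```

Real deployments would apply the same count per time window (e.g. per minute) so that a slow, legitimate backup job is not confused with a fast sweep.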

A detailed technical description of how WannaCrypt0r works is available here for those interested in reading it.

Adrien Guinet, a security researcher, has released a decryption tool on May 18 that will be able to decrypt the ransomware without the users having to pay the $300 ransom. This works on several OS variants, but not all affected variants.

WannaCry is a wake-up call for the industry and holds scary prospects for the application security world as well. With applications, we use several third-party libraries, frameworks and open source code that are often vulnerable to several security issues. In addition, vulnerabilities in these popular frameworks can easily be weaponized and used to encrypt sensitive/mission-critical datasets for organizations. These can be fatal to organizations relying on these apps for their day-to-day operations. In fact, we saw a glimpse of this possibility when the Apache Struts2 Remote Code Execution flaw was identified, and everyone who got hold of the exploit used it to perform “tests” against any application out on the open internet.

I feel that it's only a matter of time before ransomware payloads start making their way into web apps.