Confirmed: Leaked ‘Equation Group’ Exploit Used Against Both Organizations
This story has been updated.
Spanish telecommunications giant Telefonica has reportedly instructed all employees to power down their systems in the wake of a massive ransomware attack. In addition, multiple National Health Service trusts in England say they’ve been hit with ransomware.
The incidents appear to be related – part of a mass ransomware outbreak that has hit numerous organizations and institutions, reportedly ranging from FedEx to Russia’s interior ministry. Multiple organizations have deactivated all endpoints as a precautionary measure.
The attacks against Telefonica and the NHS have infected endpoints with the WannaCry crypto-locking ransomware, which is also known as WCry and WanaCrypt0r.
Meanwhile, several news reports say the ransomware attacks were spreading to other companies in multiple nations in Europe and Asia.
Three security professionals with access to details surrounding the Telefonica incident say that attackers penetrated Telefonica’s network – after which they deployed the WannaCry ransomware – by using the DoublePulsar “Equation Group” exploit leaked in April by the Shadow Brokers (see DoublePulsar Pwnage: Attackers Tap Equation Group Exploit).
The Shadow Brokers is a shadowy group believed to have ties to the Russian government, while the Equation Group appears to be the National Security Agency’s in-house hacking team, known as Tailored Access Operations.
Telefonica couldn’t be immediately reached for comment.
DoublePulsar is an exploit that was patched by Microsoft in April via security update MS17-010. That update fixes a server message block, or SMB, server vulnerability present in every Windows operating system from XP to Server 2008 R2; the flaw appears to have been used by the Equation Group to gain access to targeted networks, after which additional attack tools could be deployed.
Security firm Avast reports that more than 75,000 related outbreaks of what it dubs “WanaCrypt0r 2.0” were seen across 99 countries on May 12.
NHS: Major Emergencies Declared
Security experts have confirmed that the SMB flaw was also used to penetrate multiple NHS networks, after which WannaCry ransomware was deployed, seemingly via automated attacks.
At least 16 NHS trusts in England have been hit by ransomware infections, Sky News reports, leading the organizations in some cases to declare major emergencies and redirect patients – including to accident and emergency departments – to other locations.
Colchester General Hospital, for example, has shut down all computer systems as a precautionary measure, Sky News reports, and issued a statement saying it was “postponing all non-urgent activity for today and we are asking people not to come to A&E.”
Britain’s national fraud and cyber reporting center, ActionFraud, confirms that multiple NHS trusts and hospitals – in London, Nottingham, Blackburn, Cumbria and Hertfordshire – have been hit in the attacks. Infected endpoints are demanding $300 in bitcoins, it says, adding that intelligence agency GCHQ’s National Cyber Security Center is aware of the incident and working with the NHS and the National Crime Agency’s National Cyber Crime Unit.
NHS computers have been locked by Wanna Decryptor #ransomware. To protect yourself in the future, follow our advice https://t.co/DVtbNKSk7X
— Action Fraud (@actionfrauduk) May 12, 2017
“The investigation is at an early stage but we believe the malware variant is Wanna decryptor,” an NHS Digital spokeswoman says. “NHS Digital is working closely with the NCSC, the Department of Health and NHS England to support affected organizations and to recommend appropriate mitigations. This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors.”
The ActionFraud alert also included a copy of this tweet by journalist Lawrence Dunhill:
Here’s the malware attack which appears to have hit NHS hospitals right across England today pic.twitter.com/zIAJ6wbAG5
— Lawrence Dunhill (@LawrenceDunhill) May 12, 2017
Experts Warned This Would Happen
One security professional told Information Security Media Group that in the wake of the Equation Group SMB exploit coming to light, no organization should still have been running unpatched Windows SMB, and all outdated or unpatchable systems that used it should have been eliminated. Their failure to do so, this professional said, is evidenced by the ransomware worm now spreading.
Security experts have been predicting this type of outbreak would occur. On April 19, for example, U.K.-based security researcher Kevin Beaumont tweeted his prediction that the exploit would soon be targeted via a “ransomware worm” that would propagate around the world, encrypting as it went.
For any organization that isn’t prepared, the U.K.-based security researcher known as Hacker Fantastic says that applying the patch to all systems should happen immediately and that all unpatchable systems should be immediately decommissioned and related firewall rules put in place.
How not to be hit by WCry 2.0: Apply MS17-010 immediately, remove NT4, 2000, XP-2003 from production, Firewall ports 445/139 & 3389. Simple.
— Hacker Fantastic (@hackerfantastic) May 12, 2017
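The hardening steps Hacker Fantastic lists above, as an added example (this is not code from the article or from Hacker Fantastic): a PowerShell triage script that reports whether the host runs a Windows version that cannot be patched, whether an MS17-010 package is present, whether SMBv1 is still enabled, and adds inbound block rules for TCP 139, 445 and 3389. It assumes an elevated PowerShell session on Windows 7 / Server 2008 R2 or later. The KB list is this example's own enumeration of the MS17-010 packages and must be verified against the Microsoft bulletin for your exact build; later cumulative updates supersede these KBs and will not show up under these IDs, so an absent KB on an up-to-date Windows 10 host is not proof that the flaw is unpatched.

```powershell
# Added example for the MS17-010 / SMBv1 guidance quoted in the article.
# Run from an elevated (Administrator) PowerShell session.

# MS17-010 packages per OS (security-only and monthly rollup), as known to the
# author of this example. Assumption: verify against the Microsoft bulletin.
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',               # Windows 7 SP1 / Server 2008 R2 SP1
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429',  # Windows 10 1507 / 1511 / 1607
    'KB4012598'                             # Vista / Server 2008, and the XP / 2003 out-of-band package
)

function Test-UnpatchableOs {
    # NT4 = 4.0, 2000 = 5.0, XP = 5.1, Server 2003 / XP x64 = 5.2: all below 6.0.
    $ver = [System.Environment]::OSVersion.Version
    return ($ver.Major -lt 6)
}

function Test-Ms17010Installed {
    # Get-HotFix lists installed packages by KB id. A superseding cumulative
    # update will not appear here, so treat "not found" as "check WSUS/SCCM".
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $found = @($installed | Where-Object { $Ms17010Kbs -contains $_ })
    if ($found.Count -gt 0) {
        Write-Host "MS17-010: installed ($($found -join ', '))" -ForegroundColor Green
        return $true
    }
    Write-Host "MS17-010: no matching KB found - patch immediately, or confirm a superseding update is present" -ForegroundColor Red
    return $false
}

function Test-Smb1Enabled {
    # Windows 8 / Server 2012 and later expose the setting through the SmbShare module.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($null -ne $cfg) { return [bool]$cfg.EnableSMB1Protocol }
    # Windows 7 / 2008 R2: the LanmanServer "SMB1" registry value (0 = disabled);
    # when the value is absent, SMBv1 is enabled by default.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $v = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $v) { return $true }
    return ($v.SMB1 -ne 0)
}

function Block-InboundPorts {
    param([int[]]$Ports = @(139, 445, 3389))
    foreach ($p in $Ports) {
        $name = "Block inbound TCP $p (MS17-010 / WannaCry mitigation)"
        if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
            # Idempotent: only create the rule if it does not already exist.
            if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
                New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                    -LocalPort $p -Action Block | Out-Null
            }
        } else {
            # Windows 7 / 2008 R2 lack the NetSecurity module; fall back to netsh.
            netsh advfirewall firewall add rule name="$name" dir=in action=block protocol=TCP localport=$p | Out-Null
        }
        Write-Host "Firewall: inbound TCP $p blocked ($name)"
    }
}

# Triage order follows the quoted advice: unpatchable OS -> decommission; otherwise patch, disable SMBv1, firewall.
if (Test-UnpatchableOs) {
    Write-Warning "Windows $([System.Environment]::OSVersion.Version) cannot receive MS17-010 through normal updates: decommission or isolate this host."
}
$null = Test-Ms17010Installed
if (Test-Smb1Enabled) {
    Write-Warning 'SMBv1 is enabled. On Windows 8 / 2012 and later: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
}
Block-InboundPorts
```

The block rules apply to every remote address, which is the right default for workstations but will cut off file sharing on a file server and remote administration on anything reached over RDP. For hosts that must keep serving SMB or RDP to a management network, add `-RemoteAddress` with the permitted ranges to the `New-NetFirewallRule` call (or `remoteip=` with `netsh`) so only untrusted sources are blocked.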
As this attack unfolds – on a Friday, as such attacks inevitably seem to do – it’s going to be a busy weekend for many information security professionals.