Report: UK's NHS ignored patch warnings months before WannaCry, leading to wide-scale devastation

The UK National Audit Office said the NHS was warned two months prior to WannaCry that critical security patches were available, highlighting the importance of regular updates.

A report from the UK's National Audit Office (NAO) reveals that the National Health Service (NHS) was warned by its digital arm to patch its computers against WannaCry as early as March 2017, two months prior to the attack.

The report found, however, that the NHS was negligent in following the warning, which NAO head Amyas Morse said led to a "relatively unsophisticated attack [that] could have been prevented by the NHS following basic IT security best practice."

The critical vulnerability that the NHS was warned about was EternalBlue, one of the alleged NSA-crafted exploits leaked to the public in April by hacker collective the Shadow Brokers.

It was that exploit that powered WannaCry just a month later, and NotPetya a month after that. Now, just four months later, the world is facing another ransomware outbreak called Bad Rabbit, which uses a similar Shadow Brokers-leaked exploit called EternalRomance to spread laterally on networks.

All of which could have been avoided by proper patching and basic IT security best practices.

EternalBlue: A timeline

EternalBlue targets the Windows implementation of Server Message Block (SMB) version 1, which can be tricked by a specially crafted packet sent by an attacker into executing malicious code on the affected machine.

Whether the exploit was crafted by the NSA is still up for speculation, but regardless of its source, Microsoft released patches for EternalBlue and similar exploits in March and April 2017.

On April 14, 2017, the Shadow Brokers released the exploits previously patched by Microsoft. If Microsoft's security bulletins had been adhered to, then what came next may never have happened.

But it did: On May 12, 2017, the WannaCry ransomware hit the internet, doing massive damage around the world. Then on June 27 came NotPetya, another global ransomware attack. Fast forward a few more months and the banking Trojan Retefe made use of EternalBlue as well.

The important thing to note in all of this is that every version of Windows still supported by Microsoft, and since June even those that aren't, has patches available that protect against EternalBlue, and thus against WannaCry and other related ransomware attacks.

A momentary lapse of patching?

WannaCry managed to disrupt 34% of NHS trusts, and it could have been prevented had those trusts only followed the warnings of their own IT organization, NHS Digital.

The wider problem is that a lapse in patching critical vulnerabilities isn't isolated to the NHS, as evidenced by the wide spread of WannaCry, NotPetya, and other EternalBlue-leveraging attacks.

Now, just four months after an already-patched exploit disrupted digital business around the world, the Bad Rabbit ransomware has started to spread. While it doesn't use EternalBlue, it does use an exploit that also targets SMB and is covered by the exact same Microsoft security bulletin.

The unfortunate takeaway is that cries to improve security have fallen on deaf ears. Some of the most devastating cyberattacks in recent memory have relied on known exploits, not unique code crafted by a master hacker. When security bulletins are issued, IT professionals need to listen and take action immediately.

The top three takeaways for TechRepublic readers:

  1. A report issued by the UK's NAO revealed that the NHS, one of the organizations hardest hit by WannaCry, could have prevented the attack with basic IT security practices.
  2. The exploit leveraged by WannaCry, NotPetya, and other ransomware was patched several months before the outbreak, but despite multiple warnings the NHS, and IT professionals around the world, failed to patch their systems.
  3. The spread of a new ransomware, Bad Rabbit, that uses an exploit nearly identical to the one used by WannaCry shows that IT teams aren't paying attention to security in the way that they should.

About Brandon Vigliarolo

Brandon writes about apps and software for TechRepublic. He's an award-winning feature writer who previously worked as an IT professional and served as an MP in the US Army.
