Critically Severe Windows Vulnerability Discovered
In May 2017, the WannaCry ransomware attack swept the globe, affecting computers that used Microsoft Windows. During the attack, users' files were locked and a ransom in Bitcoin was demanded in exchange for their release. It hit hundreds of thousands of computers globally and caused up to $4 billion worth of damage. The WannaCry ransomware attack made use of a Windows exploit called EternalBlue, which was developed by the US National Security Agency (NSA). Researchers have now discovered a new Windows code execution exploit called CVE-2022-37958, which could rival EternalBlue.
The vulnerability allows attackers to execute malicious code with no authentication required, and is wormable, meaning it can trigger a chain reaction of self-replicating follow-on exploits on other vulnerable systems. It was the wormability of EternalBlue that allowed WannaCry to spread so quickly and cause so much damage.
However, unlike EternalBlue, which could only be exploited via the SMB (Server Message Block) protocol, the new vulnerability is reachable through a wider range of network protocols, giving attackers more flexibility. Valentina Palmiotti, the IBM cybersecurity researcher who discovered the exploit, said:
“An attacker can trigger the vulnerability via any Windows application protocols that authenticates […] For example, the vulnerability can be triggered by trying to connect to an SMB share or via Remote Desktop. Some other examples include Internet-exposed Microsoft IIS servers and SMTP servers that have Windows Authentication enabled. Of course, they can also be exploited on internal networks if left unpatched.”
Fortunately, the vulnerability was fixed by Microsoft in September, but at the time it was believed to allow only the disclosure of sensitive information, so it was not taken nearly as seriously as it should have been. It has since been revised to a critical severity rating, with Microsoft giving it a severity rating of 8.1, the same rating EternalBlue has.
Therefore, although the vulnerability has been patched for three months, some organizations may have been slow to deploy the patch or may not have patched their systems at all in the meantime. The new severity rating and the nature of the exploit mean it is more important than ever to run security updates on any and all Windows machines. Although ransomware attacks tend to target organizations such as the hospitals and health authorities that fell victim to WannaCry, it is worth updating and running the latest security patches on your personal devices too.
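The two practical takeaways from the article are exposure (which authenticating services a host offers to the network) and patch status. The following PowerShell script is an added example written for this page; it is not code from the article, from IBM or from Microsoft. It lists listening TCP ports on the standard ports for the protocols Palmiotti names (SMB, Remote Desktop, IIS, SMTP) that are bound to a non-loopback address, then checks installed updates. The port-to-protocol mapping is an assumption based on default ports, and the KB identifier is a placeholder to be replaced with the values from Microsoft's advisory.

```powershell
# Added example (not from the article): inventory the authenticating services the
# article names and report installed updates. Run on a Windows host as an
# administrator. Port-to-protocol mapping assumes default ports; the KB list is a
# placeholder that must be replaced with the identifiers from Microsoft's advisory.

$ProtocolPorts = @{
    445  = 'SMB'
    3389 = 'Remote Desktop'
    80   = 'IIS (HTTP)'
    443  = 'IIS (HTTPS)'
    25   = 'SMTP'
}

# Listening sockets bound to something other than loopback are reachable from the network.
$exposed = Get-NetTCPConnection -State Listen |
    Where-Object {
        $ProtocolPorts.ContainsKey([int]$_.LocalPort) -and
        $_.LocalAddress -notin @('127.0.0.1', '::1')
    } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Protocol     = $ProtocolPorts[[int]$_.LocalPort]
            LocalAddress = $_.LocalAddress
            Port         = $_.LocalPort
            Process      = $proc.ProcessName
        }
    }

if ($exposed) {
    Write-Host "Network-reachable services that perform Windows authentication:"
    $exposed | Sort-Object Port | Format-Table -AutoSize
} else {
    Write-Host "None of the listed protocols are listening on a non-loopback address."
}

# Placeholder: replace with the KB article number(s) for the fix from Microsoft's advisory.
$RequiredKBs = @('KB<PLACEHOLDER>')
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing = $RequiredKBs | Where-Object { $_ -notin $installed }
if ($missing) {
    Write-Warning "Updates not found on this host: $($missing -join ', ')"
} else {
    Write-Host "All listed updates are installed."
}

# Most recent updates, to confirm the host is receiving patches at all.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn
```

Get-HotFix reads the Win32_QuickFixEngineering class, which lists cumulative and security updates but not every component update, so treat an empty "missing" result as a first check rather than proof of patch level; the recent-updates listing at the end helps spot hosts that have silently stopped updating. A service appearing in the exposure table is not by itself a finding, but it is the list of hosts where a delayed patch matters most and where firewall restriction to known client ranges is worth reviewing.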