As my colleague Ben Seri, VP of Research at Armis, pointed out in a June 2019 blog, WannaCry is expected to have a “long tail” of presence into the future. Ben’s research team estimated that as many as 60% of manufacturing organizations had experienced at least one WannaCry attack in the first six months of 2019, almost two years after the attacks began.
As an example, Armis found a Human Machine Interface (HMI) in a manufacturing environment that was infected with WannaCry. Our threat detection engine saw that some traffic coming from the HMI machine was SMB version 1 traffic. When compared to the baseline of “known good” behavior stored in Armis’ Device Knowledgebase, it was clear that this traffic was abnormal. Further automated analysis of the traffic pattern clearly indicated that the HMI device was infected with WannaCry.

All of this analysis was part of the automated threat detection engine that is part of the Armis agentless device security platform. Once Armis detected the threat, the Armis console flashed the alert. The alert included our conclusion (that the device was infected with WannaCry), the evidence that this conclusion was based on, and our recommended mitigation actions.

Even though WannaCry is a “dormant” attack, devices containing WannaCry infections are of significant concern because:
Prior to the installation of Armis at this customer’s manufacturing facility, our customer was not aware that the HMI machine was infected because they had not deployed network IPS or other forms of behavior monitoring in this part of their OT environment.

The ingredients that made up this scenario are actually quite common in OT environments. OT devices often contain software vulnerabilities because software update processes are very complex. Software updates and patches must go through a vendor qualification process, which can take several months to complete. Also, updates for critical OT devices can only be applied during a process shutdown, which does not occur frequently. And finally, OT environments are often connected to the enterprise network, and this gives Internet-borne malware a way into the OT environment. Because of all these reasons, devices in OT environments can be infected by WannaCry and other threats.

Our recommendations for all OT environments are the following:
WannaCry impacts devices running old versions of the Windows operating system. Other operating systems, such as VxWorks, are commonly used by OT devices, and they are vulnerable to other types of attacks. If you haven’t yet heard about URGENT/11, a set of vulnerabilities impacting seven different Real Time Operating Systems (RTOS), read our disclosure here.
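The HMI detection described earlier in this post comes down to comparing each device's observed traffic against a "known good" baseline for its device class and turning the deviations into an alert with a conclusion, evidence and a recommended mitigation. The following is an added, self-contained illustration of that logic written for this post; it is not Armis code and does not reflect how the Armis Device Knowledgebase or threat detection engine is implemented. The device classes, the baseline protocol sets, the dialect labels (`smb1`, `NT LM 0.12`), the fan-out threshold of five peers and the sample flows are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Flow:
    """One observed network flow, as a passive sensor would summarize it."""
    src: str      # source device identifier
    dst: str      # destination host
    dport: int    # destination TCP port
    dialect: str  # application-layer protocol or dialect identified by DPI

# Constructed "known good" baseline per device class (assumed values, not a
# real knowledgebase): the (dialect, port) pairs each class is expected to use.
BASELINE: Dict[str, Set[Tuple[str, int]]] = {
    "hmi": {("modbus", 502), ("opcua", 4840), ("https", 443)},
    "plc": {("modbus", 502)},
}

# Labels a DPI engine might emit for SMB version 1 (assumed naming).
SMB1_DIALECTS = {"smb1", "NT LM 0.12"}

# Constructed sample flows: routine HMI traffic, one HMI talking SMBv1 to
# several peers on TCP/445, and one HMI using SMBv2 to a file share.
SAMPLE_FLOWS: List[Flow] = [
    Flow("hmi-01", "plc-07", 502, "modbus"),
    Flow("hmi-01", "historian", 4840, "opcua"),
    Flow("hmi-01", "10.20.0.5", 445, "smb1"),
    Flow("hmi-01", "10.20.0.6", 445, "smb1"),
    Flow("hmi-01", "10.20.0.7", 445, "smb1"),
    Flow("hmi-01", "10.20.0.8", 445, "NT LM 0.12"),
    Flow("hmi-01", "10.20.0.9", 445, "smb1"),
    Flow("hmi-02", "plc-03", 502, "modbus"),
    Flow("hmi-02", "fileshare", 445, "smb2"),
]

def find_anomalies(flows: List[Flow], device_class: str) -> Dict[str, List[Flow]]:
    """Group flows by source device and keep those outside the class baseline."""
    allowed = BASELINE[device_class]
    out: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if (f.dialect, f.dport) not in allowed:
            out[f.src].append(f)
    return dict(out)

def classify(device: str, anomalies: List[Flow], fanout_threshold: int = 5) -> dict:
    """Build an alert: conclusion, the evidence behind it, and mitigation steps."""
    evidence = [f"{f.src} -> {f.dst}:{f.dport} ({f.dialect})" for f in anomalies]
    smb1_targets = {f.dst for f in anomalies if f.dialect in SMB1_DIALECTS}
    mitigation = [
        "isolate the device from the network pending investigation",
        "block TCP/445 between OT segments and from the enterprise network",
        "disable SMBv1 and apply the vendor-qualified patch at the next shutdown",
    ]
    if len(smb1_targets) >= fanout_threshold:
        # One device opening SMBv1 sessions to many distinct peers is the
        # propagation pattern WannaCry exhibits; the threshold is an assumption.
        conclusion = ("SMBv1 fan-out to %d hosts, consistent with WannaCry-style "
                      "propagation" % len(smb1_targets))
        severity = "critical"
    elif smb1_targets:
        conclusion = "SMBv1 traffic from a device whose baseline never uses SMB"
        severity = "high"
    else:
        conclusion = "traffic outside the device-class baseline"
        severity = "medium"
        mitigation = ["review the flow against the asset inventory and change records"]
    return {"device": device, "severity": severity, "conclusion": conclusion,
            "evidence": evidence, "mitigation": mitigation}

def run(flows: List[Flow], device_class: str) -> Dict[str, dict]:
    """Full pipeline: baseline comparison, then one alert per deviating device."""
    return {dev: classify(dev, anoms)
            for dev, anoms in find_anomalies(flows, device_class).items()}

if __name__ == "__main__":
    for alert in run(SAMPLE_FLOWS, "hmi").values():
        print(alert["severity"].upper(), alert["device"], "-", alert["conclusion"])
        for line in alert["evidence"]:
            print("   evidence:", line)
```

The baseline comparison is deliberately kept separate from the classification step: the first only asks "is this expected for a device of this class?", which is what catches the SMBv1 traffic in the first place, while the second weighs the deviations (here, how many distinct peers were contacted over SMBv1) to decide what conclusion and severity to attach. The SMBv2 flow from the second HMI still surfaces, but only as a lower-severity deviation to be reconciled against the asset inventory.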