WannaCry Highlights India's Patching Challenge
News Analysis: Lessons in the Aftermath of the Global Ransomware Epidemic
India was one of the nations most affected by the global WannaCry ransomware epidemic. Key challenges revealed in the aftermath of the attacks include poor patching hygiene, widespread use of unlicensed software and a reactive security posture.
Security experts and analysts tell Information Security Media Group that although many private-sector industries responded to the attack well, public-sector organizations haven't fared as well because of insufficient security practices. (see: Is WannaCry the First Nation-State Ransomware?).
The frenzied response to the threat indicates that many organizations are neglecting basic security practices, such as patching, and failing to take advisories seriously despite growing awareness. "The security culture is to blame," says Sahir Hidayatullah, co-founder and CEO at Mumbai-based Smokescreen Technologies. "People are not being proactive, and the focus is on preventing what has already happened."
Reactive Security to Blame
While there is no official list of companies affected by WannaCry ransomware in India, media reports refer to multiple infections in the banking and the financial sector, a national stock exchange, research labs, fast-moving consumer goods companies, manufacturing companies, systems of the Maharashtra and Andhra Pradesh police, major IT companies and other infections in the states of Gujarat and Maharashtra.
Shomiron Das Gupta, founder of Mumbai-based security services firm Netmonastery, believes relatively few enterprises have been affected. "The home users, running unpatched, unlicensed systems, are contributing to the spread of the malware," he says.
The WannaCry campaign highlights the reactive state of security in Indian enterprises. Hidayatullah says that a day after the malware began spreading globally, many security leaders in India were unsure if they had patched vulnerable Windows systems, and so they had to scramble to get patching reports to determine their exposure to the threat. Because the attack hit over a weekend, many of the systems/endpoints were offline and could only be patched once they came onto the corporate network.
The Microsoft SMB patch - MS17-010 - for newer Windows systems was released in March and should have been widely deployed by now, Hidayatullah notes. "But very few were patched for this. Here is a flaw rated critical by Microsoft, and which is known to be easily weaponizable and used by APT groups and the NSA. If this is not incentive enough, at what point would you consider patching?"
He says the exploit, which Smokescreen's red teams use during penetration tests, is like a skeleton key for vulnerable Windows systems.
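The scramble described above, where security leaders could not say whether their Windows estate had the MS17-010 fix, comes down to a check that can be scripted. The following PowerShell is an added example, not code from the article or from any of the firms quoted in it. It assumes an elevated Windows PowerShell 5.1 session on the host being checked; the list of KB identifiers is my recollection of the March 2017 MS17-010 packages and the cmdlets are standard Windows ones (Get-HotFix, Get-SmbServerConfiguration), but a later cumulative update can supersede those KBs, so a miss on the hotfix check is a warning to investigate rather than proof of exposure.

```powershell
# Added example (not from the article): per-host MS17-010 exposure check.
# Assumptions: elevated PowerShell 5.1; KB list below is from memory of the
# March 2017 release and may be superseded by later cumulative updates.

# KBs that shipped the MS17-010 fix (monthly rollup and security-only packages).
$Ms17010Kbs = @(
    'KB4012598',               # XP / Server 2003 / Windows 8 (out-of-band release, incl. the emergency XP patch)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Hotfix {
    # Look for any of the known MS17-010 packages in the installed hotfix list.
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $found = $Ms17010Kbs | Where-Object { $installed -contains $_ }
    [PSCustomObject]@{
        Check  = 'MS17-010 KB installed'
        Result = if ($found) { "yes ($($found -join ', '))" }
                 else { 'not found (verify against later cumulative updates before concluding exposure)' }
    }
}

function Get-SrvSysVersion {
    # srv.sys is the SMBv1 server driver MS17-010 replaces. Report its file
    # version so it can be compared with the patched version for this OS in
    # the bulletin's file table (thresholds differ per OS, so none is hardcoded).
    $srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
    $ver = if ($srv) { $srv.VersionInfo.ProductVersion }
           else { 'srv.sys not present (SMBv1 server not installed)' }
    [PSCustomObject]@{ Check = 'srv.sys version'; Result = $ver }
}

function Test-Smb1State {
    # The SMB flaw is in the SMBv1 dialect; disabling SMBv1 removes the exposed
    # surface even on a host that cannot be patched yet. Needs the SmbShare
    # module (Windows 8 / Server 2012 and later).
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $state = if ($null -eq $cfg) { 'unknown (SmbShare module unavailable)' }
             elseif ($cfg.EnableSMB1Protocol) { 'ENABLED' }
             else { 'disabled' }
    [PSCustomObject]@{ Check = 'SMBv1 server'; Result = $state }
}

# Run all three checks and print a one-table report for this host.
$report = @(Test-Ms17010Hotfix; Get-SrvSysVersion; Test-Smb1State)
$report | Format-Table -AutoSize

# Compensating control for hosts that cannot take the patch yet (assumption:
# nothing in the estate still depends on SMBv1, e.g. old scanners or NAS boxes):
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Run it through whatever remote-execution channel the estate already has (Invoke-Command, a configuration-management agent) and collect the three rows per host; that gives the exposure report in minutes rather than the days described above, and the SMBv1 row identifies the hosts where disabling the protocol buys time until the patch can be tested and deployed.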
Why So Slow to Patch?
Indian enterprises have traditionally been slow to patch. Security teams and CISOs may want to patch immediately, but many business owners demand that patches be thoroughly tested to avoid any potential business downtime, which usually takes weeks of testing and compliance clearances, Hidayatullah says. As a result, some patches are never applied.
Shree Parthasarathy, partner and national leader for cyber risk at Deloitte India, notes: "From the trends we see, there are organizations that take three to four months to roll out patches. This is because they aren't part of early beta programs and can only test the patches once they are publicly released, which takes four to six weeks. Once tested, it takes months more to roll these out across the organization."
Parthasarathy also contends that India has a big issue with unlicensed software being illegally used in enterprises, which prevents these systems from receiving security updates.
Some practitioners say many older systems, including SCADA and industrial control systems, medical devices and ATMs, run on older operating systems, including Windows XP, which Microsoft no longer supports without expensive extended support contracts.
"For some of our customers in these industries using XP, there wasn't even a patch available when the attacks started spreading. Fortunately Microsoft rolled out an emergency XP patch for this vulnerability, so now it can be fixed," Hidayatullah says (see: WannaCry Outbreak: Microsoft Issues Emergency XP Patch).
Another challenge is the use of custom third-party business applications, including core banking systems and ERP systems, that have specific legacy OS requirements. The third party may even own the app, preventing organizations from intervening.
Life After WannaCry
The unpatched Windows SMB vulnerability may have been exploited in other ways beyond WannaCry.
For example, a researcher at security firm Proofpoint confirmed that the same SMB vulnerability is being used by other attackers to run a cryptocurrency mining botnet (see: Before WannaCry, Cryptocurrency Miners Exploited SMB Flaw). The Uiwix ransomware outbreak is also tied to the vulnerability.
A proactive security posture focusing on detection and response is needed to address the newer threats, Hidayatullah says. "Or else, be prepared to continue to play high-stakes security whack-a-mole with every attack."