One hundred and forty Australian organisations are leaving themselves open to infection from the damaging WannaCrypt ransomware, a security researcher has found.
The federal government has only confirmed receiving 12 reports from organisations who have fallen victim to the ransomware so far.
Analysis performed over the last 24 hours by Edward Farrell of Mercury Information Security Services lends weight to the suspicion that more Australian organisations have been impacted but aren't reporting it.
It shows 140 organisations have made themselves easy targets for the as-yet unidentified WannaCrypt attackers through a combination of open ports and unpatched systems.
Around ten of the 140 are ASX-listed businesses with vulnerable servers at the edge of their networks.
A further 100 or so are small businesses and individuals, with the remainder embedded systems with unclear owners.
Farrell combined data from the Shodan search engine with analysis he undertook last year on the Badlock vulnerability, along with other unidentified sources, to arrive at his findings.
The malware is able to replicate the infection to other machines that respond to SMBv1 requests through ports 139 and 445.
It uses two leaked exploits linked to the US NSA to perform its attack: ETERNALBLUE is used to initially exploit the SMBv1 flaw for access to the target, then the DOUBLEPULSAR backdoor is implanted to allow the attacker to install the malware.
Farrell discovered around 2000 Windows servers with internet-facing network interfaces that listen on port 445.
He confirmed 140 of those also had unpatched instances of SMBv1.
And 30 organisations were already infected by the DOUBLEPULSAR backdoor that surfaced in April and was patched by Microsoft that same month, he found.
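As an added example (not from the article, and not Farrell's own tooling), the script below shows a passive check a defender can run over their own packet captures from ports 139 and 445: it parses the SMB Negotiate request and reply and flags any server whose reply still carries an SMBv1 header, which means SMBv1 is enabled on that server. The packet builders, host addresses and the sample exchanges are constructed for the example; only the header layouts are real (SMB1 per MS-CIFS, SMB2 per MS-SMB2).

```python
"""Find servers that still speak SMBv1 from captured Negotiate exchanges.

Added example, not code from the article. Parses the NetBIOS session header,
the SMB1 (\\xffSMB) and SMB2 (\\xfeSMB) headers and the Negotiate request/reply.
All sample packets and hosts below are constructed for illustration.
"""
import struct

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB1_COM_NEGOTIATE = 0x72
SMB2_NEGOTIATE = 0x0000
SMB1_FLAGS_REPLY = 0x80          # SMB1 Flags bit set on server replies
SMB2_FLAGS_SERVER_TO_REDIR = 0x1  # SMB2 Flags bit set on server replies
SMB2_DIALECT_NAMES = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
                      0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}


def strip_netbios(payload):
    """Drop the 4-byte NetBIOS Session Service header (type 0x00 + 24-bit length) if present."""
    if len(payload) >= 4 and payload[0] == 0x00:
        length = int.from_bytes(payload[1:4], "big")
        return payload[4:4 + length]
    return payload


def parse_smb(payload):
    """Parse one SMB message into {'version', 'is_reply', 'command', ...} or None if not SMB.
    Negotiate requests get 'dialects'; an SMB1 Negotiate reply gets 'dialect_index'."""
    msg = strip_netbios(payload)
    if msg[:4] == SMB1_MAGIC and len(msg) >= 33:
        command, flags = msg[4], msg[9]
        info = {"version": 1, "is_reply": bool(flags & SMB1_FLAGS_REPLY), "command": command}
        params_end = 33 + 2 * msg[32]          # WordCount at offset 32, parameters follow it
        if command == SMB1_COM_NEGOTIATE and not info["is_reply"] and len(msg) >= params_end + 2:
            byte_count = struct.unpack_from("<H", msg, params_end)[0]
            data = msg[params_end + 2:params_end + 2 + byte_count]
            # Each offered dialect is BufferFormat 0x02 followed by a NUL-terminated string.
            info["dialects"] = [d[1:].decode("ascii") for d in data.split(b"\x00") if d[:1] == b"\x02"]
        elif command == SMB1_COM_NEGOTIATE and info["is_reply"] and len(msg) >= 35:
            info["dialect_index"] = struct.unpack_from("<H", msg, 33)[0]
        return info
    if msg[:4] == SMB2_MAGIC and len(msg) >= 64:
        command = struct.unpack_from("<H", msg, 12)[0]
        flags = struct.unpack_from("<I", msg, 16)[0]
        info = {"version": 2, "is_reply": bool(flags & SMB2_FLAGS_SERVER_TO_REDIR), "command": command}
        if command == SMB2_NEGOTIATE and not info["is_reply"] and len(msg) >= 100:
            count = struct.unpack_from("<H", msg, 66)[0]       # DialectCount in the request body
            codes = struct.unpack_from("<%dH" % count, msg, 100)  # Dialects array at header+36
            info["dialects"] = [SMB2_DIALECT_NAMES.get(c, hex(c)) for c in codes]
        return info
    return None


def server_speaks_smb1(request_payload, reply_payload):
    """True when the server answered a Negotiate with an SMBv1 header (SMBv1 enabled),
    False when it answered in SMB2+, None if the pair is not a judgeable Negotiate exchange."""
    req, rep = parse_smb(request_payload), parse_smb(reply_payload)
    if req is None or rep is None or req["is_reply"] or not rep["is_reply"]:
        return None
    return rep["version"] == 1


def triage(exchanges):
    """exchanges: iterable of (host, request_bytes, reply_bytes). Returns hosts still accepting SMBv1."""
    return sorted({host for host, req, rep in exchanges if server_speaks_smb1(req, rep)})


# --- constructed packet builders (only used to make sample input) ---------------------
def netbios(msg):
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def build_smb1_negotiate(dialects):
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 4 + b"\x18" + b"\x00" * 22
    data = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    return netbios(header + b"\x00" + struct.pack("<H", len(data)) + data)  # WordCount 0


def build_smb1_negotiate_reply(dialect_index):
    header = SMB1_MAGIC + bytes([SMB1_COM_NEGOTIATE]) + b"\x00" * 4 + bytes([0x80 | 0x18]) + b"\x00" * 22
    params = struct.pack("<H", dialect_index) + b"\x00" * 32  # 17 words; only DialectIndex matters here
    return netbios(header + b"\x11" + params + b"\x00\x00")


def build_smb2_negotiate(dialect_codes):
    header = SMB2_MAGIC + struct.pack("<HHIHHII", 64, 0, 0, SMB2_NEGOTIATE, 0, 0, 0) + b"\x00" * 40
    body = struct.pack("<HHHHI", 36, len(dialect_codes), 1, 0, 0) + b"\x00" * 24
    return netbios(header + body + struct.pack("<%dH" % len(dialect_codes), *dialect_codes))


def build_smb2_negotiate_reply():
    header = SMB2_MAGIC + struct.pack("<HHIHHII", 64, 0, 0, SMB2_NEGOTIATE, 1,
                                      SMB2_FLAGS_SERVER_TO_REDIR, 0) + b"\x00" * 40
    return netbios(header + struct.pack("<H", 65) + b"\x00" * 63)


MULTI = ["NT LM 0.12", "SMB 2.002", "SMB 2.???"]  # a typical multi-protocol SMB1 negotiate
SAMPLE_EXCHANGES = [  # constructed sample capture: (host, client request, server reply)
    ("10.0.0.5", build_smb1_negotiate(MULTI), build_smb1_negotiate_reply(0)),   # stays on SMBv1
    ("10.0.0.6", build_smb1_negotiate(MULTI), build_smb2_negotiate_reply()),    # upgraded to SMB2
    ("10.0.0.7", build_smb2_negotiate([0x0202, 0x0210, 0x0300]), build_smb2_negotiate_reply()),
]

if __name__ == "__main__":
    print("hosts still accepting SMBv1:", triage(SAMPLE_EXCHANGES))
```

Only an SMBv1 reply is conclusive: a server that upgrades one client to SMB2 may still accept SMBv1-only clients, so a clean result from this check does not prove SMBv1 is disabled. On the server itself, `Get-SmbServerConfiguration` (Windows 8/Server 2012 and later) reports the `EnableSMB1Protocol` setting directly, and disabling it, together with the MS17-010 patch the article refers to, removes the exposure the analysis above is looking for.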
“It means they could be easily hit again with WannaCrypt,” Farrell told iTnews.
He said around 12 servers were patched within a 12-hour period yesterday, but a further 18 vulnerable servers had appeared.
“That could be for a number of reasons like if the infrastructure went down. It’s a reflection of the fact that all of this is in a constant state of flux.”
Farrell is unable to identify with certainty how many of the 140 vulnerable organisations are actually infected with WannaCrypt without gaining unauthorised access.
He has reported his findings to CERT Australia, which is in the process of notifying the impacted organisations.
Farrell himself has reached out to between five and 10 system owners that he has been able to identify to notify them of the risk. He said he is not charging for his services.
“I do this because at the end of the day someone else a little bit nastier is going to do this, and there’s an information gap in this space that a lot of people choose not to fill.”
He said he doesn’t expect many of the 140 vulnerable servers to be patched within the next couple of days despite the amount of press WannaCrypt has generated combined with individual notifications from CERT.
“The patches weren’t applied six to eight weeks ago [when Microsoft released them] so I don’t think much is going to change for these organisations. People don’t move as fast as we’d like them to.”