Blog post

After WannaCry, what next?

By Jonathan Care | June 12, 2017 | 0 Comments


WannaCry (using the purloined exploit kit ETERNALBLUE) was paused, for now.  Heroic efforts from security practitioners around the world (and a congratulations to @malwaretech for finding the “kill switch” domain!) So, what’s next?

In a word, Linux.

Expanding on that, we must be aware of the many embedded systems that use linux. Include routers, POS terminals, lots of medical equipment, TVs, cameras, and pretty much every smart device you can think of, as well as web platforms in the cloud and within the organisation.
Open Samba ports
This graphic is from a Shodan search, taking a look at the machines running Linux with open Samba ports. There are a lot reported out there (and probably more obscured from a simple scan view).  Recently, news appeared online of a younger sibling for the sensational vulnerability ETERNALBLUE. The story was about a new vulnerability for Unix and Linux-based systems – ETERNALRED (aka SambaCry).  This vulnerability has been in existence since 2010 and has only recently been fixed in the latest distribution releases.

Kaspersky are reporting that their honeypots are picking up malware using ETERNALRED and this time, instead of ransomware, the payload is cryptocurrency mining.

What you need to know

  • Are many organizations still vulnerable to new variants exploiting this vector?

Unfortunately so. the map to the right shows how many linux machines globally are potentially vulnerable. Similar searches can be done for Windows (and as we now now, its not only WindowsXP that is vulnerable).

  • Top questions from clients after Wannacry?

WannaCry brought home to all of us that the basic hygiene factors of IT Security still matter, and that vulnerability management, ensuring critical patches are applied (or isolation of vulnerable systems), and of course, reliable and resilient backups still matter.

  • What are the challenges people are most worried about now?

One question that is on the radar of many CISOs is to how to examine their security stance given the undeniable evidence of advanced attacks which are increasingly being attributed to hostile nation-state attackers. It’s clear that the role of the CISO has evolved from being initially the defender of the castle walls, to becoming the digital firefighter, and now must become the leader who ensures business survivability in the face of attack. Gartner’s Adaptive Security Architecture is a great model to consider.

  • Any particular industries or types of company that are most affected?

Industries across the board are vulnerable. I’ve talked above about IoT, web applications, cloud, and as we’ve seen in ETERNALBLUE there are many vulnerable systems out there that have been forgotten. We have to take action and control, no matter what industry we’re in.

  • Can we explore more about the long term steps to ensure ongoing protection against similar attacks?

Long term, it’s definitely a case of making the realisation throughout the organisation that these advanced attacks are the new normal. It’s about adopting the Predict, Protect, Detect, Respond mindset that is outlined in Gartner’s Adaptive Security Architecture. This means making sure that:

  1. Basic infrastructure protection steps are taken.
  2. Application Development follows a secure development lifecycle
  3. Fraud managers are vigilant for misuse of organisational brand in phishing campaigns
  4. Incident responders are trained, ready and empowered to deal with crisis situations and are also able to move the organisation back from crisis into normal operation.



The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Leave a Comment