Thursday 29 March 2018

Wannacry ransomware hits Boeing

*** FLASH TRAFFIC *** BULLETIN *** Ransomware Hits Boeing; May lock-up AIRCRAFT Computers

See also - 

Boeing Rapidly Plays Down "Hysteria" After WannaCry Ransomware Attack

Hal Turner,
28 March, 2018


The "WannaCry" ransomware is back, and it has struck Boeing. According to an internal memo quoted below, it is infecting Boeing production systems at a "rapid pace", and the memo raises the concern that it could spread to airplane software.

Pilots do not fly planes; computers fly planes. If this ransomware has gotten into the aircraft systems and locks them up for ransom while a plane is in mid-air . . .

Such aircraft could become totally unresponsive to pilot control and thus be unable to land or steer; flying until they run out of fuel, then plummeting to the earth. Worse, they could simply stop running in mid-air and fall right out of the sky.

Boeing was hit Wednesday by the WannaCry computer virus, raising fears within the company that it could cripple some vital airplane production equipment.

Mike VanderWel, chief engineer at Boeing Commercial Airplane production engineering, sent out an alarming memo calling for “All hands on deck.”

“It is metastasizing rapidly out of North Charleston and I just heard 777 (automated spar assembly tools) may have gone down,” VanderWel wrote, adding that he’s concerned the virus will hit equipment used in functional tests of airplanes ready to roll out and potentially “spread to airplane software.”

Indicating widespread alarm within the company at the potential impact, VanderWel said the attack required “a battery-like response,” a reference to the 787 in-flight battery fires in 2013 that grounded the world’s fleet of Dreamliners and led to an extraordinary three-month-long engineering effort to find a fix.


The WannaCry ransomware attack was a May 2017 worldwide cyberattack by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It propagated through EternalBlue, an exploit against the Windows SMB service released by The Shadow Brokers a few months prior to the attack. Microsoft had already released patches that closed the hole, but much of WannaCry's spread was through organizations that had not applied them, or that were running older Windows versions past their end-of-life. WannaCry also installed the DoublePulsar backdoor on the systems it infected, and could ride on a DoublePulsar implant that was already present.

The attack was stopped within a few days of its discovery due to emergency patches released by Microsoft, and the discovery of a kill switch that prevented infected computers from spreading WannaCry further. The attack was estimated to have affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars. Security experts believed from preliminary evaluation of the worm that the attack originated from North Korea or agencies working for the country.

In December 2017, the United States, United Kingdom and Australia formally asserted that North Korea was behind the attack.

WannaCry is a ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency. It is considered a network worm because it also includes a "transport" mechanism to automatically spread itself. This transport code scans for vulnerable systems, then uses the EternalBlue exploit to gain access, and the DoublePulsar tool to install and execute a copy of itself.

EternalBlue is an exploit of Windows' Server Message Block (SMB) protocol released by The Shadow Brokers. Much of the attention and comment around the event was occasioned by the fact that the U.S. National Security Agency (NSA) had already discovered the vulnerability, but used it to create an exploit for its own offensive work rather than report it to Microsoft. Microsoft eventually discovered the vulnerability, and on Tuesday, March 14, 2017, it issued security bulletin MS17-010, which detailed the flaw and announced that patches had been released for all Windows versions supported at that time: Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012 and Windows Server 2016, in addition to Windows Vista (whose support ended the following month).

DoublePulsar is a backdoor tool, also released by The Shadow Brokers, on 14 April 2017. Starting from 21 April 2017, security researchers reported that computers with the DoublePulsar backdoor installed numbered in the tens of thousands. By 25 April, reports estimated the number of infected computers at up to several hundred thousand, with numbers increasing exponentially every day. The WannaCry code can take advantage of any existing DoublePulsar infection, or installs it itself.

When executed, the WannaCry malware first checks the "kill switch" domain name; if the domain cannot be reached, the ransomware encrypts the computer's data, then attempts to exploit the SMB vulnerability to spread out to random computers on the Internet and "laterally" to computers on the same network. That check is a plain, direct HTTP request with no proxy support, so hosts on networks that only reach the Internet through a proxy, or that have no Internet path at all (typical of plant-floor and test-equipment networks), fail the check and encrypt and spread exactly as if the domain had never been registered. As with other modern ransomware, the payload displays a message informing the user that files have been encrypted, and demands a payment of around $300 in bitcoin within three days, or $600 within seven days. Three hardcoded bitcoin addresses, or "wallets", are used to receive the payments of victims. As with all such wallets, their transactions and balances are publicly accessible even though the wallet owners remain unknown.
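As an added illustration of the transport behaviour described above (this is not code from this page, from Boeing, or from any WannaCry analysis), the following Python script flags the footprint that a worm's SMB scan leaves in connection logs: a single source touching many distinct hosts on TCP/445 within a short window, which is what the "scans for vulnerable systems" step looks like from a firewall or NetFlow collector. The log format, the addresses, the timestamps and the threshold of 10 distinct hosts per 60 seconds are assumptions constructed for this demonstration; the detection itself is a sliding-window fan-out count per source.

```python
"""Flag WannaCry-style SMB fan-out in connection logs.

Added example for this page: it is not Boeing's, Microsoft's or the worm's
code. The log format, hosts, timestamps and thresholds are constructed
assumptions; point parse_flows() at your own firewall or NetFlow export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_logs():
    """Constructed records, one per connection: '<utc-ts> <src> <dst> <dport> <proto>'."""
    base = datetime(2017, 5, 12, 7, 44, 0)

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    # 10.0.5.23 sweeps twelve neighbours on TCP/445 in 24 seconds: worm-like fan-out.
    for i in range(12):
        lines.append(f"{stamp(2 * i)} 10.0.5.23 10.0.5.{100 + i} 445 tcp")
    # 10.0.5.40 talks to a single file server over and over: ordinary SMB use.
    for i in range(30):
        lines.append(f"{stamp(i)} 10.0.5.40 10.0.5.10 445 tcp")
    # 10.0.5.41 reaches three SMB hosts plus a web server: stays below threshold.
    for i, dst in enumerate(("10.0.5.50", "10.0.5.51", "10.0.5.52")):
        lines.append(f"{stamp(5 + i)} 10.0.5.41 {dst} 445 tcp")
    lines.append(f"{stamp(9)} 10.0.5.41 10.0.5.60 80 tcp")
    return "\n".join(lines)


def parse_flows(text):
    """Parse the whitespace-separated records into dicts with a datetime timestamp."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "dport": int(dport), "proto": proto.lower(),
        })
    return flows


def find_smb_scanners(flows, window_s=60, threshold=10, port=445):
    """Return {src: peak_distinct_destinations} for sources that contact at least
    `threshold` distinct hosts on TCP/`port` inside any `window_s`-second window.

    A worm's transport scan produces exactly this fan-out; a workstation
    mapping one or two file shares does not.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f["proto"] == "tcp" and f["dport"] == port:
            by_src[f["src"]].append((f["ts"], f["dst"]))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        window = deque()          # (ts, dst) pairs currently inside the sliding window
        live = defaultdict(int)   # dst -> how many of its entries are still in the window
        for ts, dst in events:
            window.append((ts, dst))
            live[dst] += 1
            # Expire entries older than the window before evaluating the count.
            while (ts - window[0][0]).total_seconds() > window_s:
                _, old_dst = window.popleft()
                live[old_dst] -= 1
                if live[old_dst] == 0:
                    del live[old_dst]
            if len(live) >= threshold:
                hits[src] = max(hits.get(src, 0), len(live))
    return hits


if __name__ == "__main__":
    scanners = find_smb_scanners(parse_flows(build_sample_logs()))
    for src, peak in sorted(scanners.items()):
        print(f"possible SMB worm propagation from {src}: "
              f"{peak} distinct hosts on TCP/445 within 60s")
```

On the constructed sample only 10.0.5.23 is reported; the host hammering one file server never exceeds one distinct destination, and the host touching three shares stays under the threshold. Tune `threshold` and `window_s` to your own network's baseline, and treat a hit as a trigger to isolate the source and check whether the MS17-010 update is present, not as proof of infection by itself.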

Several organizations released detailed technical writeups of the malware, including Microsoft, Cisco, Malwarebytes, Symantec and McAfee.

The attack began on Friday, 12 May 2017, with evidence pointing to an initial infection in Asia at 7:44am UTC. The initial infection was likely through an exposed vulnerable SMB port, rather than email phishing as initially assumed.[28] Within a day the code was reported to have infected more than 230,000 computers in over 150 countries.

Organizations that had not installed Microsoft's March 2017 security update (MS17-010) were affected by the attack. Those still running unsupported versions of Microsoft Windows, such as Windows XP and Windows Server 2003, were at particularly high risk because no security patches had been released for them since April 2014 (with the exception of one emergency patch released in May 2014). A Kaspersky Lab study reported that less than 0.1 percent of the affected computers were running Windows XP, and that 98 percent of the affected computers were running Windows 7. In a controlled testing environment, the cybersecurity firm Kryptos Logic found that they were unable to infect a Windows XP system with WannaCry using just the exploits: the payload failed to load, or the operating system crashed rather than executing it and encrypting files. When executed manually, however, WannaCry could still operate on Windows XP.

I have called the Federal Aviation Administration (FAA) regarding this. The Washington, DC Operations Center directed me to the off-hours Public Affairs Officer, Paul Packumodo; calls to his number went to voice mail and he has not yet returned any call. This story will be updated if and when the FAA responds.
