School's out for...ransomware?

WannaCry? Hundreds of US schools still haven’t patched servers [Updated]

A dive into vulnerability data shows even big districts' servers still offering up SMB v. 1.


If you're wondering why ransomware continues to be such a problem for state and local governments and other public institutions, all you have to do to get an answer is poke around the Internet a little. Publicly accessible security-scan data shows that many public organizations have failed to do more than put a bandage over long-standing system vulnerabilities that, if successfully exploited, could bring their operations to a standstill.

While the method by which RobbinHood ransomware infected the network of Baltimore City two weeks ago is still unknown, insiders within city government have pointed to the incomplete efforts by the Office of Information Technology to get a handle on the city's tangle of software, aging servers, and wide-flung network infrastructure. Baltimore isn't even the only city to have been hit by ransomware in the last month—Lynn, Massachusetts, and Cartersville, Georgia, both had electronic payment systems taken offline by ransomware this month. Greenville, North Carolina, was struck by the same RobbinHood ransomware affecting Baltimore in April.

But cities aren't the only highly vulnerable targets to be found by would-be attackers. There are hundreds of thousands of Internet-connected Windows systems in the United States that still appear to be vulnerable to an exploit of Microsoft Windows' Server Message Block version 1 (SMB v. 1) file sharing protocol, despite repeated public warnings to patch systems following the worldwide outbreak of the WannaCry cryptographic malware two years ago. And based on data from the Shodan search engine and other public sources, hundreds of them—if not thousands—are servers in use at US public school systems. Even in cases where Microsoft's patch of SMB v. 1 has been applied, the protocol remains a potential security problem—one that some organizations can't completely close because some vendors still require the protocol for applications such as networked copiers and scanners.
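For administrators in the position described above, where SMB v. 1 stays enabled because copiers and scanners still depend on it, the following is an added example (not from the article or any district's tooling) that checks whether a Windows server still offers SMB v. 1 and records which clients actually use it before it is switched off. It uses the built-in Windows SMB cmdlets; the regular expression assumes the audit event's message text carries a "Client Address:" field.

```powershell
# Added example: audit SMBv1 use on a Windows server you administer.
# Run in an elevated PowerShell session on the server being checked.

# 1. Is the SMB server still willing to negotiate SMBv1?
$cfg = Get-SmbServerConfiguration
[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    SMB1Enabled  = $cfg.EnableSMB1Protocol
    SMB2Enabled  = $cfg.EnableSMB2Protocol
    SMB1Auditing = $cfg.AuditSmb1Access
}

# 2. Before disabling SMBv1, log every client that still connects with it.
#    Each SMBv1 connection is then written as event 3000 to the
#    Microsoft-Windows-SMBServer/Audit log.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 3. After a representative period (long enough to include scan-to-folder
#    jobs from copiers and scanners), list the SMBv1 clients by frequency.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-SMBServer/Audit'
    Id      = 3000
} -ErrorAction SilentlyContinue

$events |
    ForEach-Object {
        # Assumption: the message text contains "Client Address: <address>".
        if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] }
    } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Client'; e = { $_.Name } }, Count

# 4. Preview the change that turns SMBv1 off. Remove -WhatIf to apply it
#    once no required device appears in the list from step 3.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -WhatIf
```

An empty list in step 3 means no client used SMB v. 1 during the audit window; any addresses that do appear are the devices to update or isolate before the protocol is disabled.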

While conducting research as a follow-up to our coverage of Baltimore City’s ongoing ransomware attack, Ars discovered that neighboring Baltimore County’s public school system had eight publicly accessible servers that still were running in configurations that indicated they were vulnerable to EternalBlue, the Equation Group exploit exposed by Shadow Brokers in April 2017 and then used as part of the WannaCry malware a month later. The exploit is now packaged as part of multiple malware kits, according to security researchers.

“I’ll check with our IT team”

Ars reached out to a Baltimore County Public Schools (BCPS) spokesperson last week, who responded, "I'll check with our IT team." There was no further response from BCPS, but the school system's IT team has configured filtering for SMB requests on the district's firewall, based on technical data collected by Ars—the bare minimum required to prevent an attack by a WannaCry clone. It's not clear if Baltimore County applied the patch for the exploit within its network, however—which means that a malware attack based on EternalBlue could still spread if an attacker gained a foothold on the district's network.

And unfortunately, there are scores of other school systems and other state and local institutions running exposed servers. And the systems counted are only those directly accessible from the Internet, so they represent just a fraction of the potential vulnerability to ransomware or other malware. Some of the other districts hosting the largest number of potentially vulnerable systems included:

  • The Montebello Unified School District in Los Angeles County, California
  • Fresno Unified School District in Fresno, California [Update, May 23, 8:34 AM ET - a Fresno IT official told Ars that the district had since identified "a few servers that for some reason were allowed to pass SMB traffic via their NAT [firewalls]", and that continued use of SMB v.1 on school networks was because of "Ricoh and HP for only supporting SMB1 scanning on their copiers\scanners." "We were patched for EternalBlue on our servers within hours of Microsoft releasing the patch," the official said.]
  • 9 School Districts in the State of Washington, using IP addresses owned by the Washington School Information Processing Cooperative. [Update, May 29, 3:00 PM— An official at the Washington School Information Processing Cooperative told Ars that the IP addresses of the vulnerable systems are owned by WSIPC, "but once they are in use by districts, we have no control of their maintenance or settings."]
  • Cupertino Union School District in San Jose, California [Update, May 22, 1:00 PM - Cupertino Union's IT director told Ars that patches have been applied and that SMB 1 is in the process of being disabled across the district's network.]

Furthermore, the fact that these systems remain unpatched a full two years after WannaCry—and after Microsoft pushed out emergency patches for even no-longer-supported operating systems—raises the question as to what other critical security patches these organizations didn't apply.

There are some aberrations in the Shodan data. For example, Shodan associated 230 vulnerable Windows server instances with a public school district in Littleton, Colorado. But that was a misreading of the address blocks associated with the systems—they were, in fact, virtual machines belonging to a German hosting provider that shared the same IP address block. That's hardly good news—it just shows how pervasive the lack of patching is worldwide.
