WAV files have been blamed for infecting Windows 7 machines with cryptomining malware at a medical tech (MedTech) vendor. The malware infected over 50% of the computers on the network, causing them to freeze and require rebooting. Details of the attack were released by security specialists Guardicore.
The attack was made all the more effective by the use of the EternalBlue exploit. It was stolen from the NSA in 2017 and then leaked by hackers. It allowed the malware to find and infect other machines on the network.
The victim called in Guardicore Labs to work alongside its MSSP, Blue Bastion, to investigate the attack.
WAV files and cryptomining
The two companies looked at all the computers on the network. They discovered that infected machines were accessing suspicious data in a registry key. The data was a Windows PowerShell script that was used to load the malware. The investigation also showed how the malware was spreading across the network using the EternalBlue exploit.
Reverse engineering the malware showed that it was a cryptomining module. It was using the CryptonightR algorithm and mining Monero which was then sent back to the attackers.
What makes this attack interesting is not the use of EternalBlue or the deployment of a cryptomining module. It is the way that the malware was hidden inside WAV (audio) files using steganography.
Two days after the attack was noticed, and completely coincidentally, three BlackBerry Cylance Threat Researchers published a blog post called Hiding Beneath the WAV. The post detailed the analysis of obfuscated code found inside WAV files. Those files also mined Monero and shared other elements of this attack.
How big a threat is this?
According to NetMarketShare, over 32.74% of desktop machines were still using Windows 7 as of December 2019. This represents tens of millions of computers worldwide. Although a significant number of these will be older machines used by individuals, there is still substantial business use of the operating system.
As already noted, the victim in this instance was a medical tech company. The healthcare industry has a significantly above average use of Windows 7. The reasons are simple:
- It was expensive to install.
- It is widely used.
- It runs software not tested on other operating systems.
- Healthcare lacks the money to migrate tens of thousands of users.
Healthcare is not the only place where Windows 7 is still heavily used. Education is another sector where it can regularly be found.
Is this a bigger threat than Windows 7?
Enterprise Times asked Guardicore that question. Daniel Goldberg, one of the senior researchers behind the Guardicore Labs report replied: “The exploit we researched is an EternalBlue exploit, so mainly Win7 and prior versions are at risk. 8/10 are not impacted.
“The cryptominer in this case, which was sent data using WAV files, spread in the network using the EternalBlue vulnerability, which was patched by Microsoft way back in 2017. The problem is that countless organisations have never updated their Win7 systems for the patches.
“However, the ability to hide data inside WAV files is always possible. The WAV risk relates specifically to information hidden inside audio files. This can’t be “changed”, as it’s inherent to how audio works. I can encode anything I want as audio.”
While the first two parts of his reply focused on Windows 7, it is the latter part that is important. When taken in context with the BlackBerry Cylance report, it would be a mistake to dismiss this as just a Windows 7 issue. All organisations now need to pay significant attention to the threat of steganography as a way of getting malicious software onto endpoint devices.
In this instance, WAV files were the culprit. However, image and video formats also have a lot of spare space that can be exploited to hide malware. With individuals regularly emailing memes and other image-related material, there is a need for a wider rethink of the risk that such content brings to cybersecurity.
Enterprise Times: What does this mean
Failing to update Windows 7 is going to cause problems for large numbers of companies. Let’s be clear here. This is an OS that is no longer supported by Microsoft or many endpoint protection companies. This means that anyone using Windows 7 now has a target on their back. No matter how careful they are, new exploits and problems are going to arise and that means trouble.
The big question is how quickly the Windows 7 installed base will shrink. Between February and December 2019, its share of the global market dropped 8%. That is nowhere near enough. All eyes will now be on how fast it falls away over the next few months.
The other side of this story is the risk from content files such as audio, image and video. These are all easily exploited through steganography. Most organisations do not scan these files as part of their anti-virus routines. That needs to change, with the obvious trade-off that scans will take longer. Users will also need better education around these files to reduce the risk.
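As an added illustration of the kind of cheap structural triage a content scanner can apply to WAV files (example code written for this article, not from the Guardicore or Cylance reports), the function below walks the RIFF chunk list and flags trailing data past the declared end of the file, chunk IDs outside the usual set, and size mismatches. The test data is constructed in memory with Python's standard `wave` module; a payload hidden in the audio samples themselves (LSB steganography) would pass this check, so it is a first filter, not a steganography detector.

```python
import io
import struct
import wave

# Chunk IDs commonly seen in well-formed PCM WAV files (assumed allow-list).
KNOWN_CHUNKS = {b"fmt ", b"data", b"LIST", b"fact", b"cue ", b"PEAK"}


def make_wav(samples: bytes, extra: bytes = b"") -> bytes:
    """Build a minimal 8 kHz mono 16-bit PCM WAV in memory (constructed test data).
    `extra` is appended after the RIFF structure to simulate a file carrying
    bytes that no audio player will ever read."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(8000)
        w.writeframes(samples)
    return buf.getvalue() + extra


def wav_anomalies(blob: bytes) -> list:
    """Return a list of structural findings; an empty list means the file looks sane."""
    findings = []
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        return ["not a RIFF/WAVE file"]
    riff_size = struct.unpack("<I", blob[4:8])[0]
    declared_end = 8 + riff_size           # RIFF size excludes the 8-byte RIFF header
    if declared_end < len(blob):
        findings.append(f"{len(blob) - declared_end} trailing bytes after declared RIFF end")
    elif declared_end > len(blob):
        findings.append("RIFF size exceeds file length (truncated or malformed)")
    pos, end = 12, min(declared_end, len(blob))
    while pos + 8 <= end:
        cid = blob[pos:pos + 4]
        size = struct.unpack("<I", blob[pos + 4:pos + 8])[0]
        body_end = pos + 8 + size
        if body_end > end:
            findings.append(f"chunk {cid!r} overruns RIFF payload")
            break
        if cid not in KNOWN_CHUNKS:
            findings.append(f"unexpected chunk id {cid!r} ({size} bytes)")
        pos = body_end + (size & 1)        # chunks are word-aligned: pad byte after odd sizes
    return findings


if __name__ == "__main__":
    print(wav_anomalies(make_wav(b"\x00\x00" * 100)))                     # []
    print(wav_anomalies(make_wav(b"\x00\x00" * 100, extra=b"X" * 64)))    # trailing bytes
```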