Originally published here: https://www.linkedin.com/pulse/wannacry-quick-observations-indias-cyber-response-apparatus-singh.

Having waited long enough for someone to ask the right questions, here’s my litany of critical observations:

 

  • India’s cyber czar deems the attack as low-key. Around three weeks ago, I performed a nation-wide scan of the IP range and found multiple infections of the ETERNALBLUE-DOUBLEPULSAR implant kit. The information was corroborated with other folks on Twitter who had performed similar global scans, listing a high hit-rate from India. Someone had already weaponized the exploits and undertaken mass exploitation. A worm was merely a step away. CERT-In ought to have seen the blips on the radar right then.

 

  • It also tells us two things. First, anyone who’s still exposing ports like SMB to the Internet has a pathetic security posture. It’s not like other countries don’t have legacy systems on their network, but we just haven’t contained their exposure. During that scan, I got a lot of pings from the National Optical Fiber Network, which I believe is a re-branded National Knowledge Network. This is critical infrastructure 101 — some stock-taking from NCIIPC is required (it’s a constitutional body and the public should have access to its response mechanisms).

 

 

 

  • Keep in mind, a ransomware typically just subverts the functioning of a known vulnerability to blackmail the victim. It’s not worthy of so much publicity. Rather than being so reactive, the focus should have been on minimizing the exposure to the vulnerability itself, which could have been accomplished much, much in advance.
Written by Pukhraj Singh