When senior Boeing engineer Mike VanderWel reportedly sent an “all hands on deck” internal memo yesterday warning that the dreaded WannaCry malware was on the loose inside the company’s networks, alarm quickly spread.
According to excerpts leaked to the media, his anxiety is palpable:
[The malware] is metastasizing rapidly out of North Charleston and I just heard 777 [production] may have gone down. We are on a call with just about every VP in Boeing.
To many in the company and beyond, this must have sounded worryingly reminiscent of the way WannaCry attacks unfolded across numerous large organisations during its first appearance last May.
Now, as then, WannaCry carries with it a feeling of helplessness, as if what is happening is unstoppable and therefore disruption is inevitable.
A few hours later, however, Boeing felt able to downplay the incident in various statements, including the following tweet:
Statement: A number of articles on a malware disruption are overstated and inaccurate. Our cybersecurity operations center detected a limited intrusion of malware that affected a small number of systems. Remediations were applied and this is not a production or delivery issue.
— Boeing Airplanes (@BoeingAirplanes) March 28, 2018
Statement: A number of articles on a malware disruption are overstated and inaccurate. Our cybersecurity operations center detected a limited intrusion of malware that affected a small number of systems. Remediations were applied and this is not a production or delivery issue.
Some in the media have talked up this up as WannaCry’s ‘return’, even though it never went away entirely.
One reason for this persistence is that WannaCry doesn’t just affect regular desktops, laptops and servers, but also spreads to and from unpatched Windows 7 systems of the sort widely used in manufacturing as Windows Embedded.
Applying patches for vulnerabilities on this platform isn’t always straightforward, which helps to explain why WannaCry was so devastating in the first place, despite Microsoft having offered a patch three months earlier for the vulnerabilities exploited by the malware.
The Boeing incident echoes the other big vulnerability story this week in which an entire US city, Atlanta, found itself driven back to paper systems after a major ransomware outbreak. This too, it has been suggested, was aided by known but unpatched vulnerabilities.
Far from being behind us, the Boeing outbreak is a woeful reminder that a fair part of the WannaCry story lies ahead and has yet to unfold.
Image of Boeing 777 from Wikimedia.
Joe
Another reminder why “patch early and patch often” is the number one defense against most attacks. We are talking about a vulnerability that was patched in July 2017, 9 months ago.
I feel for Boeing’s operations folks having to deal with this right now, but I’m wagging my finger at their security folks…
Wilderness
The security folks are frequently shackled by management folks. It’ll stay that way until companies put security first in deed instead of just in word.
Paul Ducklin
+1
In some computer industry sectors, however – the Internet of Things leaps painfully to mind – we still have to cross the bridge of getting security “first in word” (sometimes, even second or third place would be a start) before we can approach the goal of “first in deed” :-(