Report: WannaCry Hit Indian Railways' Wi-Fi Network Hardest
Failing to Block SMB Traffic Apparently Enabled the Attack
"We observed it to be the top-most network where WannaCry and other ransomware have been detected within India," the blog says.
Railwire, the free Wi-Fi service, was launched by RailTel in association with Google. RailTel was formed in 2000 to help create a nationwide broadband, telecom and multimedia network to modernize the train control operations and safety system of Indian Railways.
ISMG reached out to both Google and Indian Railways to seek further details, but did not receive a response to its queries.
The Modus Operandi of the Attack
eScan says the attackers could easily sneak through because SMB traffic had not been blocked. SMB (Server Message Block) is the protocol Microsoft Windows uses to share files over a network. The WannaCry ransomware used an exploit called EternalBlue, which took advantage of an SMB vulnerability to infect the host system.
"We have every reason to believe that the majority of the ransomware which happened during the last week within India, would have been averted had Railtel implemented the stop-gap measure of blocking SMB traffic," eScan writes in its blog dated May 24.
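As an added illustration (not code from eScan, RailTel or the article), the Python below checks the two points made above from a defender's side: it scans constructed guest-Wi-Fi flow records for a client opening SMB connections to many peers, the fan-out pattern a worm like WannaCry produces, and evaluates whether a firewall rule list would still let SMB ports through. The 10.20.0.0/16 client range, the flow records and both rule lists are assumptions for the example.

```python
"""Spot worm-style SMB fan-out in guest Wi-Fi flow records and check
whether a first-match firewall policy leaves SMB ports open."""
from collections import defaultdict
import ipaddress

# SMB/NetBIOS ports a public hotspot should drop between clients.
SMB_PORTS = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138)}
CLIENT_NET = ipaddress.ip_network("10.20.0.0/16")  # assumed hotspot client range

# Constructed flow records "src dst proto dport"; not real RailTel telemetry.
SAMPLE_FLOWS = """\
10.20.4.17 10.20.4.18 tcp 445
10.20.4.17 10.20.4.19 tcp 445
10.20.4.17 10.20.7.2 tcp 445
10.20.4.17 10.20.9.9 tcp 445
10.20.4.17 203.0.113.5 tcp 443
10.20.5.3 10.20.5.4 tcp 445
10.20.6.1 198.51.100.8 tcp 80
"""

# Assumed rule lists: the weak default-allow posture and a hardened one.
WEAK_RULES = [("allow", "any", "any")]
HARDENED_RULES = [("deny", "tcp", 445), ("deny", "tcp", 139),
                  ("deny", "udp", 137), ("deny", "udp", 138),
                  ("allow", "any", "any")]

def parse_flows(text):
    """Turn the text records into (src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        src, dst, proto, dport = line.split()
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst),
                      proto, int(dport)))
    return flows

def smb_fanout(flows, threshold=3):
    """Clients that hit SMB ports on >= threshold distinct peers inside CLIENT_NET."""
    peers = defaultdict(set)
    for src, dst, proto, dport in flows:
        if (proto, dport) in SMB_PORTS and src in CLIENT_NET and dst in CLIENT_NET:
            peers[src].add(dst)
    return {str(s): sorted(map(str, d)) for s, d in peers.items() if len(d) >= threshold}

def smb_ports_still_allowed(rules):
    """Evaluate (action, proto, port) rules first-match; return SMB ports not denied."""
    leaked = set()
    for proto, port in SMB_PORTS:
        action = "allow"  # implicit allow if nothing matches (the weak posture)
        for r_action, r_proto, r_port in rules:
            if r_proto in (proto, "any") and r_port in (port, "any"):
                action = r_action
                break
        if action == "allow":
            leaked.add((proto, port))
    return leaked
```

Running `smb_fanout(parse_flows(SAMPLE_FLOWS))` flags 10.20.4.17, which touched port 445 on four peers, while the single client-to-client SMB flow from 10.20.5.3 stays below the threshold.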
"While we were collating the data from our telemetry server, we came across a couple of IP addresses which belonged to RailTel," says an eScan spokesperson. "However, the number of records corresponding to these particular IP addresses was too high. After converting the IP to autonomous system number, we reached the conclusion that the ISP belongs to the Indian Railways.
"I am of the view that when we are designing a network which provides internet access to thousands of users and is also a part of the National Program, it should have been designed keeping in mind that systems which are getting connected would be vulnerable and the probability of any network based infection propagating would be very high."
Some security practitioners say Indian Railways apparently failed to filter out unnecessary connections to devices connected to the Railwire network via Wi-Fi. "They should have configured their firewall in such a manner that all unconventional connection requests are blocked at the firewall level. This could have prevented the spread of WannaCry or any other ransomware/malware for that matter," says Pavan Kushwaha, founder and CEO at Kratikal Tech, a security testing firm.
As the use of public Wi-Fi networks in India continues to grow, updating security measures is becoming more critical, security experts say. Too many ISPs use outdated firewalls, devices and firmware, they say.
"An essential element of the WannaCry payload was a worm which enabled it to replicate itself throughout the network of ISPs," Kushwaha says. "If ISPs are not configured to properly block such attacks, it results in a widespread infection. As was the case with WannaCry itself, several of the devices deployed by such ISPs are not tested properly from a security perspective."
Blurry network boundaries are a big challenge in public Wi-Fi, says Rajesh Maurya, vice president, India and SAARC at Fortinet. "The reality is that there are many ingress and egress points on the network and not all of them are governed by an edge firewall," he says. "With no other safeguards beyond perimeter protection in place, once something malicious has internal access to the network, there is little to stop it from eventually making it to critical systems."
Essential Security Steps
Maurya says public Wi-Fi networks also need to take more steps to improve user authentication, because of the risk of credential theft via phishing attacks. They also need to guard against man-in-the-middle attacks, such as active eavesdropping, in which the attacker makes independent connections with victims and is able to intercept all messages passing between them.
All ISPs need to conduct detailed vulnerability assessments, security experts advise. "They should review their internal infrastructure as well, to segment data flows in a manner that infection of one system or a segment may not compromise other systems or segments respectively," Kushwaha says.
Moreover, ISPs need to train employees on how to detect phishing attacks and other social engineering techniques.
Rana Gupta, Gemalto's vice president, APAC sales, identity and data protection, lists four critical questions that the operators of RailWire and other ISPs should ask:
- Is the data being stored and flowing over the network encrypted, and are the encryption keys stored in tamper-proof hardware?
- Is the data being protected against tampering through the application of data integrity measures, such as digital signatures, and are the keys used for ensuring data integrity maintained in tamper-proof hardware?
- Are there multiple layers of security protections?
- Is there a role for artificial intelligence or machine learning in detecting intrusions?
"The hotspot network will need a fabric with deeply integrated security systems that share information across all areas, including wired, wireless, VPN and cloud environments," Maurya says. "When the integration is coupled with machine learning capabilities, the system can flag abnormalities more accurately and rapidly and coordinate responses between different security deployments. All of this contributes to better response time in mitigating threats."