The ransomware WannaCry, known since 2017, hit Taiwanese chip manufacturer TSMC last Friday and shut down various production fabs. Here is some information on the subject.
And I still wrote: “Reminds me of WannaCry”
Taiwan-based chip manufacturer TSMC (Taiwan Semiconductor Manufacturing Company Limited) delivers components to Apple, AMD, Nvidia, Qualcomm, Broadcom and other vendors. According to press reports from Bloomberg and Reuters, the production facilities of the Taiwanese chip manufacturer TSMC were infected by a virus on Friday (August 3, 2018).
The virus has affected the manufacturer’s production facilities (which have probably been shut down to remove the infection). The problem was supposed to be solved by Sunday, and then by Monday. I reported this incident only within my German blog post Virus befällt Fabriken von iPhone Chip-Hersteller TSMC. Within this blog post I wrote: “This reminds me of WannaCry”, which was half intended as a joke.
What was WannaCry?
The Trojan WannaCry, a ransomware, has infected thousands of computers worldwide since May 12, 2017 (see Ransomware WannaCry infected worldwide thousands of Windows systems). WannaCry was originally distributed via phishing mails that contained the Trojan in a ZIP file. The Trojan encrypts the files on the infected Windows computer and demands a ransom.
The Trojan could spread rapidly in networks and infect other computers because it uses a known vulnerability to penetrate networks and spread laterally. The exploit for this vulnerability is part of an NSA hacking tool (codenamed “ETERNALBLUE”) that was leaked by a group called “The Shadow Brokers”. The NSA tool provides remote access to the attackers via an exploit of the SMB & NBT protocols of the Windows operating system.
To spread over a network, WannaCry specifically uses the vulnerability addressed by MS17-010, Security Update for Microsoft Windows SMB Server (4013389), patched by Microsoft on March 14, 2017. It was only by chance that a security researcher found a killswitch to stop the initial wave of WannaCry infections.
Microsoft has subsequently released security updates for Windows XP to Windows 10 for these vulnerabilities in the SMBv1 protocol. So WannaCry should no longer do any harm. But during the last year we have had other WannaCry infections in several companies (Boeing, Daimler etc.).
WannaCry hit TSMC
German news magazine heise.de reported that TSMC was hit by WannaCry. According to TSMC CEO C.C. Wei, the problem occurred on Friday during the installation of new software on new company computers. These were probably connected to the TSMC intranet without further virus checking. Furthermore, the available updates against the SMBv1 vulnerabilities had not been installed.
According to Mr. Wei, the infected computers are Windows 7 machines used in various chip factories of TSMC in Taiwan. German magazine elektroniknet.de reported another interesting aspect of this case (I’ve translated the text):
The WannaCry variant that infected TSMC appeared to have been on a machine before the manufacturer delivered it to TSMC. When the people at TSMC integrated the new machine into the production environment, WannaCry remained undetected, allowing the worm to spread.
In my understanding, the new machine or its computer hasn’t been inspected with an antivirus scanner. Instead, the system was connected to the intranet. Because the intranet still contains unpatched Windows 7 machines, the worm could spread through the network.
Meanwhile, TSMC claims that the problem is under control. It is already feared that the infection could cause damages of 150 million to 170 million dollars. Whether the production of the new iPhone models has been affected (some of their chips come from TSMC) is currently unclear.
Ransomware WannaCry infected worldwide thousands of Windows systems
Wannacry: first WCry-Decryptor for Windows XP
WannaCry: Decrypting with WanaKiwi also for Windows 7
WannaCry & Co.: EternalBlue Vulnerability Checker and Crysis Ransomware Decryptor
Petya ransomware is back – using WannaCry vulnerabilties
WannaCry infection stops Mercedes Benz production?
WannaCry ransomeware outbreak at Boeing
WannaCry is back? No, it’s a scam mail