In the wake of the Robbinhood ransomware attack that hit Baltimore on May 7, Ars Technica’s Sean Gallagher looked into what other kinds of government IT networks are vulnerable to similar threats.
He discovered that among those at risk were hundreds, and possibly thousands, of U.S. public school systems – among them, Baltimore County Public Schools.
Looking at publicly accessible security-scan data, he zeroed in on Internet-connected Windows systems that are still vulnerable to EternalBlue, the leaked Equation Group exploit for SMBv1 that WannaCry used to spread worldwide in 2017.
Baltimore County’s public school system had eight publicly accessible servers that still were running in configurations that indicated they were vulnerable to “an exploit of Microsoft Windows’ Server Message Block version 1 (SMB v. 1) file sharing protocol,” he wrote.
“The exploit is now packaged as part of multiple malware kits,” Gallagher wrote, in a story published Tuesday.
“It’s not deadly serious, but it is an indication that major parts of BCPS’ network are not properly configured or protected,” Gallagher said, speaking with The Brew.
“And it means that if something like the ransomware that hit Baltimore City got into their network, it would have an easier time spreading.”
Still at Risk
Asked to comment, a Baltimore County Public School system spokesman told Ars, “I’ll check with our IT team,” but did not reply or respond to several follow-up emails, Gallagher said.
County school officials have not yet responded to a query from The Brew.
While Gallagher, Ars Technica’s IT and national security editor, didn’t get a response from school officials, he does appear to have made an impact.
After Ars’ inquiries, the school system’s IT team appeared to have “configured filtering for SMB requests on the district’s firewall.”
It’s not much of a fix, according to Gallagher.
“It doesn’t prevent use of SMB-1 by malware inside the network,” he told The Brew. “And if scanners can see the protocol through their firewall, that’s a bad sign.”
Gallagher said many of the schools he did talk to have applied Microsoft patches, but can’t fully secure their networks because some systems (like networked fax machines and scanners) use SMB 1.
“These services are supposed to be blocked at the firewall, they’re not supposed to be visible to the outside world, and should be disconnected from the Internet, optimally,” he said. “But Baltimore County Public Schools has this service running on critical servers connected to the Internet, which security experts I’ve spoken to say makes no sense.”
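What Gallagher means by scanners being able to "see the protocol through their firewall" is that an outside host can complete an SMBv1 dialect negotiation on port 445. The probe below is an added example written for this page; it is not Ars Technica's scan data, not any tool named in the article, and not a vulnerability check for EternalBlue itself. It sends one SMB_COM_NEGOTIATE request that offers only SMBv1 dialects and classifies the reply: a server that has SMBv1 disabled will reset the connection or answer nothing, while one that still speaks SMBv1 picks a dialect. The host name, the helper names and the sample response bytes are assumptions for illustration.

```python
"""Probe a host for SMBv1 (the protocol EternalBlue targets) by sending a
single SMB_COM_NEGOTIATE that offers only SMBv1 dialects.

Added example, not part of the original article. Host names, helper names
and the constructed sample reply are assumptions used for illustration.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
# Offer only SMBv1 dialects, oldest first; a server picks the highest it supports.
SMB1_DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]


def _smb1_header(flags):
    """32-byte SMBv1 header: magic, command, NTSTATUS, flags, and zeroed ids."""
    return SMB1_MAGIC + struct.pack(
        "<BIBHH8sHHHHH",
        SMB_COM_NEGOTIATE,  # Command
        0,                  # Status (NTSTATUS)
        flags,              # Flags (0x18 request, 0x98 reply)
        0xC853,             # Flags2: unicode, NT status, ext. security, long names
        0,                  # PIDHigh
        b"\x00" * 8,        # SecurityFeatures
        0, 0,               # Reserved, TID
        0xFEFF,             # PIDLow (arbitrary)
        0, 0,               # UID, MID
    )


def build_negotiate_request(dialects=SMB1_DIALECTS):
    """NetBIOS session header + SMBv1 NEGOTIATE request listing our dialects."""
    dialect_blob = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(dialect_blob)) + dialect_blob  # WordCount=0, ByteCount
    smb = _smb1_header(0x18) + body
    return struct.pack(">I", len(smb)) + smb  # type 0x00 + 3-byte length


def parse_negotiate_response(data, offered=SMB1_DIALECTS):
    """Classify a raw reply (NetBIOS header included) read from port 445."""
    if len(data) < 4 + 32:
        return {"smb1": False, "reason": "short or empty reply (SMBv1 likely disabled)"}
    length = struct.unpack(">I", data[:4])[0] & 0x00FFFFFF
    msg = data[4:4 + length]
    if msg[:4] == SMB2_MAGIC:
        return {"smb1": False, "reason": "server answered with SMB2 only"}
    if msg[:4] != SMB1_MAGIC:
        return {"smb1": False, "reason": "not an SMB reply"}
    command, status = struct.unpack_from("<BI", msg, 4)
    if command != SMB_COM_NEGOTIATE or status != 0:
        return {"smb1": False, "reason": f"command=0x{command:02x} status=0x{status:08x}"}
    if len(msg) < 35:
        return {"smb1": False, "reason": "truncated negotiate reply"}
    word_count = msg[32]
    dialect_index = struct.unpack_from("<H", msg, 33)[0]
    if dialect_index == 0xFFFF or dialect_index >= len(offered):
        return {"smb1": False, "reason": "server rejected every offered SMBv1 dialect"}
    result = {"smb1": True, "dialect": offered[dialect_index].decode()}
    if word_count >= 17 and len(msg) >= 36:
        security_mode = msg[35]  # NT LM 0.12: bit 0x04 signing enabled, 0x08 required
        result["signing_required"] = bool(security_mode & 0x08)
    return result


def sample_smb1_negotiate_reply(dialect_index=2, security_mode=0x03):
    """Constructed SMBv1 NEGOTIATE response (not a real capture) for offline use."""
    params = struct.pack("<HBHHIIIIqhB", dialect_index, security_mode, 50, 1,
                         16644, 65536, 0, 0x8000E3FD, 0, 0, 8)  # 17 words
    body = bytes([17]) + params + struct.pack("<H", 8) + b"\x11" * 8  # 8-byte challenge
    smb = _smb1_header(0x98) + body
    return struct.pack(">I", len(smb)) + smb


def probe_smb1(host, port=445, timeout=3.0):
    """Send the SMBv1-only negotiate to a live host and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            data = sock.recv(4096)
    except OSError as exc:  # reset, refused or timed out: nothing accepted SMBv1
        return {"smb1": False, "reason": f"no usable reply: {exc}"}
    return parse_negotiate_response(data)


if __name__ == "__main__":
    # Hypothetical target; run only against hosts you are authorised to test.
    target = sys.argv[1] if len(sys.argv) > 1 else "fileserver.example.test"
    print(target, probe_smb1(target))
```

A reply with `smb1: True` from the public Internet is exactly the "bad sign" Gallagher describes: the edge firewall is not filtering port 445, and the host behind it still accepts SMBv1. A reset or empty reply does not prove the host is patched, only that this one path no longer negotiates SMBv1; the same probe run from inside the network is what tells you whether lateral spread over SMBv1 remains possible.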
Gallagher said he reported on the vulnerability because, as the Robbinhood attack still paralyzing major parts of Baltimore’s IT network demonstrates, the stakes are so high.
“The urgency is that this is how ransomware operates,” he said. “Attackers scan the Internet for potential targets and then go after targets of opportunity.”