I don't understand why some people are still using WOL?

[follower]

It's convenient for them? Throwing away security?
I remember that I mentioned WOL security risk at Snbforums years ago(7 or 8 years maybe?). I didn't talk about What I saw and knew at that time. Because when I talked about WOL is not safe, a lot of snbfoums users said it's safe including someone. Why am I talking about this now? I've seen someone who my friend knows got hacked by WOL recently. That's why. Do not use WOL. If you are still believing that WOL is safe keep using it.
But you may lose everything. You don't even know you've got hacked. I can say more, but this is enough I think.

 

[bbunge]

By any chance did the friend of a friend have port forward enabled to the computer that got hacked? If so, it is their fault. Not WoL's fault!

 

[Crimliar]

I think if someone is going to tell us a feature such as WOL is unsafe then I think that person needs to say more! So far as my understanding goes, WOL just wakes up a device, so unless I'm missing something, having a device use WOL should be no less secure than having the same device just sit there waiting for a connection without having its network connection sleep.
@follower if I'm wrong, please tell me why!

 

[follower]

By any chance did the friend of a friend have port forward enabled to the computer that got hacked? If so, it is their fault. Not WoL's fault!

Nope.

 

[follower]

I think if someone is going to tell us a feature such as WOL is unsafe then I think that person needs to say more! So far as my understanding goes, WOL just wakes up a device, so unless I'm missing something, having a device use WOL should be no less secure than having the same device just sit there waiting for a connection without having its network connection sleep.
@follower if I'm wrong, please tell me why!

It's not only waking up the device but also more. I don't think a lot of users know about this 3 or 4 years old incident.
This is just an example of 'Why is WOL risky?'. This is why some Network device companies remove or don't use WOL function.
It has a long story. It's still evolving. It's not only for Ransomware but also Hacking.
Vulnerability>Owning the network device or PC>Using this attack>

[2019 to 2020 incident]
I can tell you that there are many dedicated hacking tools for this, paid and free.

What is it?

RYUK Ransomware

www.trendmicro.com

How does it work?

A Deep Dive Into Wakeup On Lan (WoL) Implementation of Ryuk

Quick Heal Security Labs recently came across a variant of Ryuk Ransomware which contains an additional feature of identifying and encrypting systems in a

blogs.quickheal.com

How to do it?

Detection: Ryuk Wake on LAN Command

Updated Date: 2024-05-22 ID: 538d0152-7aaa-11eb-beaa-acde48001122 Author: Michael Haag, Splunk Type: TTP Product: Splunk Enterprise Security Description The following analytic detects the use of Wake-on-LAN commands associated with Ryuk ransomware. It leverages data from Endpoint Detection and...

research.splunk.com

 

[Crimliar]

It's an attack that wakes up a machine if it's sleeping to exploit a vulnerability that if it exists would also have been there when the machine was already awake. I'm either being incredibly stupid (wouldn't be the first time) or WOL would seem to be incidental to the problem!

 

[sfx2000]

Well - WOL is a "trusted" interface from a LAN side perspective...

As an interface, it's also an open port to rx packets - packet of any kind

Ryuk is a clever exploit of that fact...

 

[follower]

It's an attack that wakes up a machine if it's sleeping to exploit a vulnerability that if it exists would also have been there when the machine was already awake. I'm either being incredibly stupid (wouldn't be the first time) or WOL would seem to be incidental to the problem!

WOL is the key point and the loophole.

 

[coxhaus]

Well - WOL is a "trusted" interface from a LAN side perspective...

As an interface, it's also an open port to rx packets - packet of any kind

Ryuk is a clever exploit of that fact...

I would assume somebody would have to be running the hacking software on your network to be attacked using WOL? Maybe in the same network? Or is it routable across local networks?
I don't think my firewall will let it in.

I don't want to read it all. I thought you could enlighten me.

 

[sfx2000]

I would assume somebody would have to be running the hacking software on your network to be attacked using WOL? Maybe in the same network? Or is it routable across local networks?
I don't think my firewall will let it in.

I don't want to read it all. I thought you could enlighten me.

WOL is a concern as it's UDP on ports 7 (echo) or 9 (discard) - and UDP doesn't have the same kernel constraints as Raw Sockets... and since the WOL client is always listening outside of the OS the host is running, it's an interesting attack vector...

Challenge with WOL packets is that they are intercepted by the NIC at the network layer - before it hits the OS firewalls if any...

 

[ColinTaylor]

The fact that WOL is typically embedded in a UDP packet is of no real relevance because as you say, the packets are intercepted by the NIC and never reach the OS.

Ryuk is not doing anything clever. It's not "hacking" WOL in any way whatsoever. It's merely using WOL to try and wake up machines it's found in the ARP cache. Any user on the LAN could do the same thing. Once Ryuk has woken up any machines (and pinged others) it then crudely attempts to encrypt any insecure administrative shares that it's found.

So as @Crimliar noted the fact that it's using WOL is almost incidental. The main problem is the fact that a) your LAN has already been compromised for this malware to be running, and b) PCs/servers on your LAN have insecure administrative shares.

 

[coxhaus]

The fact that WOL is typically embedded in a UDP packet is of no real relevance because as you say, the packets are intercepted by the NIC and never reach the OS.

Ryuk is not doing anything clever. It's not "hacking" WOL in any way whatsoever. It's merely using WOL to try and wake up machines it's found in the ARP cache. Any user on the LAN could do the same thing. Once Ryuk has woken up any machines (and pinged others) it then crudely attempts to encrypt any insecure administrative shares that it's found.

So as @Crimliar noted the fact that it's using WOL is almost incidental. The main problem is the fact that a) your LAN has already been compromised for this malware to be running, and b) PCs/servers on your LAN have insecure administrative shares.

Thats what I kind of figured.

 

[follower]

All of labs and hackers say WOL is main. But some Snbforums users say it's not.

1. Ryuk is a variant of Hermes ransomware(2018). It's a well known ransomware and nothing new.
2. But Attackers have added WOL attack technique> Ryuk.
3. This attack is not a random attack but a targeted attack. What does meaning of Targeted?
4. Targeted means the attackers know all the vulnerabilities about victim's devices.
5. This kind of attack can overwrite your BIOS and Firmware(PC, Router, Switch, IoT and more) to hacked BIOS. Yes, this happens in the real world.
Does firewall work? Maybe yes. Maybe not. The problem is not only Ryuk but also Hacking.

 

[sfx2000]

All of labs and hackers say WOL is main. But some Snbforums users say it's not.

Well - I'm not one of those members that says - "don't worry about it..."

Rather - it's one of many things one can do to keep your LAN and Devices Secure... Depends on the NIC and BIOS/UEFI in use - easy enough to turn off, however defaults are to have it on...

At the risk of going off-thread - There are a lot of threats out there - and it's really about a few things...

1) remain current with your chosen OS provider
2) on device firewalls are a good thing - Mac and Windows are decent about this - I would say a 7 score out of 10
3) watch what services you expose on clients and the router/gateway
4) some spatial awareness around things - Apple/Google/Microsoft/Facebook/Amazon are going to contact you only in certain ways - and there, don't click the darn link - log in directly to the service provider...

It's really about practicing "Safe HEX" - and it's ok to refer to operational security like this - it's gets attention...

 

[coxhaus]

All of labs and hackers say WOL is main. But some Snbforums users say it's not.

1. Ryuk is a variant of Hermes ransomware(2018). It's a well known ransomware and nothing new.
2. But Attackers have added WOL attack technique> Ryuk.
3. This attack is not a random attack but a targeted attack. What does meaning of Targeted?
4. Targeted means the attackers know all the vulnerabilities about victim's devices.
5. This kind of attack can overwrite your BIOS and Firmware(PC, Router, Switch, IoT and more) to hacked BIOS. Yes, this happens in the real world.
Does firewall work? Maybe yes. Maybe not. The problem is not only Ryuk but also Hacking.

Dell has been pretty good about updating BIOS even in their older PCs. It is one of the reasons I don't build PCs using random motherboards anymore. I am now using all UEFI no BIOS.

The attack is still going to have to happen inside your home network. I think the IOT is how it is going to happen. Isolate them.