The Breaches are Coming!

We are slightly more than halfway through the year, and yet from January to May, forty-two percent of high-level federal IT managers surveyed in new research reported experiencing a data breach in the last six months. According to a  survey in  The Hill, one in eight said their systems weathered a data breach in the last 30 days.

And that’s just the federal government breaches!

All this activity shouldn’t be a surprise since in 2016, reported breaches increased by 40%.  Here’s a list of 2017’s worst so far, including one in January, three in February, six in March, three in April,  seven in May, four in June and two (so far) in July.

2017 is the Year of Ransomware for Everyone

By now, we’ve all read that Ransomware is malicious software that blocks user access to files or systems, by holding files or entire devices hostage using encryption until the victim pays a ransom in exchange for a decryption key. This key (in theory) will allow the user to access the files or systems encrypted by the program.

While ransomware has been around for decades, the varieties of it have grown increasingly advanced in their capabilities to spread, evade detection, encrypt files, as well as to coerce users into paying ransoms.

Shadow Brokers. NSA. Malware. Ransomware. WannCry. Petya. NotPetya.

So far for 2017, the two major cybersecurity storylines blended: Ransomware & the use of nation-state developed malware by non-state actors.

While treating these two primary trends as individual threats, (the nation-state malware could be used sans the ransomware merger), for the last six months, their powerful combination has increased both the threat and the risk of ransomware outbreaks.

It all began, arguably, with Shadow Brokers and their theft and release of National Security Agency (NSA) malware and tools.  Yes, ransomware existed, and yes, ransomware was already a major concern and fear before Shadow Brokers.  However, the release of NSA tools took advantage of zero-day vulnerabilities and enabled extremely fast propagation across the global internet and brought ransomware to the next level.

The two NSA tools that the alleged North Korean hackers used to super-power WannaCry were EternalBlue and DoublePulsar.  The former took advantage of a zero-day vulnerability in Microsoft SMB (MS17-010) in which it wormed from computer to computer looking for open port 445.  When this was found and vulnerable, EternalBlue would execute and drop DoublePulsar, a backdoor exploit that allowed remote access to a compromised system. DoublePulsar would then reach out to a command and control server and download WannaCry onto the victim computer.

Before the Shadow Brokers release, WannaCry, like most other ransomware, propagated via phishing or web-exploits (down-by-download).  This mode of transmission resulted in its spread being slower and its victims fewer in number.  However, with EternalBlue all that changed, within 12 hours, WannaCry spread across the globe and infected over 200,000 systems.  It was a highly effective exploit and demonstrated the power and the danger of nation-state developed tools falling into the hands of non-state actors.

On its heels – just a month later – was the NotPetya outbreak.  These hackers learned lessons from the WannaCry incident and made their attack look like another outbreak via the Petya ransomware.  But NotPetya was both: Not Petya and not ransomware. Instead, it appeared to have been a destructive malware attack targeting Ukraine and resulted in a considerable amount of collateral damage by exploiting MeDoc: Ukrainian accounting software. The hackers were able to inject into the update function of MeDoc, so that when an update was pushed, any organization or company using MeDoc became infected.  Although it also took advantage of the same EternalBlue infection vector, it only did so internal to the network and did not worm across the public internet.  It also employed additional internal propagation vectors so that it would still spread in the event the Server Message Block (SMB) vulnerability was patched.  The result: Internally it spread fast.  One company reportedly had hundreds of systems infected within a mere six minutes.

Increasingly it not only appears that this was a targeted attack against the Ukraine, but it was likely an attack via a nation-state actor.  For such an incident to be so public, employ deception, and the fact that hundreds of companies outside of the Ukraine were collateral damage suggests this is a new threat to organizations and illustrates the evolution cycle in cyber aggression.

Unintended Targets Suffered Anyway

Companies like Maersk, DLA Piper, and Modelez are not Ukrainian companies and were likely not directly targeted in the attack. Understanding the anatomy of this attack, it appears likely that they deployed the MEDoc software somewhere on their network and they became infected and suffered massive data losses.

Lessons Learned. Best Practices.

1. Vulnerability and Patch Management: Perform regular vulnerability scans and patch systems. Companies that had patched their systems for MS17-010 were protected from WannaCry infection.
2. Network Monitoring and Alerting: This allows for fast identification of possible infection. In the event an attack makes it through company defenses, monitoring and alerting allows for rapid identification and mitigation of the threat.
3. Network Segmentation: Effective separation of the network with security between segments can reduce the spread of a breach. In the case of NotPetya, had companies been able to create a segment in which MeDoc sat and sufficiently isolated it, it could have limited propagation across the enterprise.
4. Management of Third Party Vendors: Have policies and procedures in place to secure yourself from third party network access. Again, in the NotPetya case, companies doing business in Ukraine were required to use MeDoc for billing purposes. Applying vendor management principles would define how the company works with MeDoc, how it connects it to the network, and help to protect against potential incidents.

What kinds of threats will the rest of 2017 bring?

More of the same – only smarter. Watch our blog for updates.