1. GLOBAL RANSOMWARE ATTACKS - WANNACRY
McGRIFF, SEIBELS & WILLIAMS, INC.
URGENT CLIENT ALERT!
TherecentglobalcyberattackusingWannaCryransomwarereminds
usthatproperinformationsecurityhygieneandappropriateback-up
management and software patching protocols are critical to attack
prevention and loss minimization. To refresh, a ransomware attack
spread throughout the world over the weekend, infecting systems
in over 150 countries. The attack used software code stolen from
the National Security Agency that was posted online.
WHAT DOES THIS ATTACK MEAN?
What is interesting about this is how different it is and the
precedent it is setting. This is the second known usage of a hacking
toolset leaked from the NSA in 2017. It is the first time it was used
to execute this type of large scale extortion en masse. The hacking
toolset was tweaked just slightly and relatively quickly. Attackers
had to strike blitzkrieg-style â all at once and against many locations
-sincetheywerefullyawarethatafixwouldberelativelysimple.So,
itisclearthatthiswasacoordinatedandplannedevent,designedto
take advantage of a hunting technique within the attack itself that is
constantly looking for additional targets. That is why it propagated
so quickly and why, eventually, it will reach every part of the globe.
As already reported, this attack is primarily affecting Russia, Eastern
Europe, UK and Taiwan, which is an incredibly interesting mix - the
outliers in this initial attack were clearly Taiwan and the UK. While
we cannot know for sure, this could have just been opportunistic, or
possibly,agameofmisdirectionintendedtoobfuscateanyattemptat
attribution. The attack itself is new and unique, but not sophisticated.
Microsoft, for the most part, released a patch for this exploit
one month ago. Bottom line: the attackers behind this operation
developed an attack based upon new techniques disclosed in the
NSA leak and they preyed upon companies and their machines that
remained unpatched. In a sense, it was very avoidable.
MORE ON THE âHUNTER MODULEâ
This is an exploitive feature that scans for any vulnerable systems
within a target organizationâs ecosystem. Companies that have
adhered to the best patching protocols could still be accessed
through connections with their supply chain and external vendors
who have vulnerable devices. All the attackers need is one hook
(one weak machine) and then they can swim laterally within the
networktocausemaximumdamage.Asthesayinggoes,âanetwork
is only as secure as the least secure network connected to it.â
WHATâS NEXT?
This is just the beginning. We can assume that the attackers used
this as a pilot project and that they will adapt based on what they
learned with this effort. The NSA toolset that was leaked was vast
and there are people analyzing these tools and working on ways to
alter them slightly for their own nefarious purposes. The key will be
knowledgeofthetechniquesandpersistentpatchingandupgrading
worldwide. But, keep in mind, not all of the tools the NSA used
involved unpatched computers - far from it. This hack was built to
exploit the blind spots in traditional security.
Even though responders were able to identify and activate a kill
switch (safety valve) that was embedded by the attackers, this
is no panacea and will be bypassed soon. Hackers have adapted
based on what they learned from this past attack and we can
expect the next wave within 24 hours. Plus, you should note that
corporations do not benefit from the kill switch since it takes
advantage of a network protocol that most large corporations
do not use. In other words, private citizens are currently safer
but companies must be hyper-vigilant.
