All of these attacks have similarities in terms of attack strategies, and a shift in focus to operational business disruption vs. data theft as the goal or leverage for monetizing the attack.
First, the Mirai botnet, in late 2016, affected internet access for some hundreds of thousands of systems. The attack vector focused on home consumer devices, items that typically aren’t configured securely or administered professionally. Home routers and IP-connected video cameras were exploited, but the public suffered. It was a prime example of the principle that interconnectedness goes both ways: like other powerful technologies, it can be either extremely useful or deeply damaging, depending on how it is used.
More recently, the WannaCry attack epitomized the fear and loathing that business and government offices have for ransomware, a frightening type of attack where malicious outside parties access files and systems, encrypt them and hold them for ransom. Ransomers generally ask for Bitcoin payments, which are relatively untraceable. Ransomware victims consider themselves lucky to have files remotely backed up, although in a few reported cases, hackers have apparently been able to get to the backups, too.
Initial reports on ransomware activity showed sporadic attempts using the same general tools that can compromise information anywhere on the Internet – but then, networked ransomware attacks like WannaCry gave rise to the spine-shivering moniker “ransomware-as-a-service,” the idea that through the software-as-a-service model, criminals could get their hands on their own ready-mix ransomware toolkits. All of that has made ransomware a now-familiar subject on the nightly news, and a major issue for corporate systems.
Perhaps most interesting in both the Dyn Mirai-based attack and the WannaCry attacks in May is the apparent focus of the attackers on operational business disruption. We have grown used to learning about data breaches several months after they have happened, with notifications from companies to check credit scores and offers of free credit-monitoring subscriptions. These attacks were very different.
The healthcare system in the UK was significantly disrupted, with surgeries being postponed and doctors having to use pencil and paper to do patient intake forms and record medical information. Renault and Nissan both had to shut down manufacturing lines because of the attack.
The Legacy of the WannaCry Attack
Since May 12 of this year, WannaCry is estimated to have hit over 200,000 network-connected machines around the world. It’s an example of what many would call a “flash attack”: the patch or “antidote” for the vulnerability had actually been released two months earlier, in March, and to further ameliorate the situation, a “kill switch” found by an enterprising researcher in the malware’s domain-lookup logic allowed network administrators to bar the doors against WannaCry, so that in a matter of days new infections had essentially subsided, although some volume of vulnerable targets still remained.
Looking inside the structure of the WannaCry attack, experts found that after making its way into a system, the worm spread over the Server Message Block (SMB) network protocol, which provides shared file and printer access inside a corporate or other network. Remote access via TCP port 445 led to the exploit against the vulnerability, for which, again, Microsoft had already issued a patch. In the wake of the attack, some found themselves asking the existential question: if a previously fixed vulnerability can cause so much havoc, what happens when hackers find a similar weakness that hasn’t yet been addressed?
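Because the spread relied on SMB over port 445, a defender can surface candidate infected hosts from ordinary firewall or flow logs without any malware signature. The following is an added example written for this post, not Pwnie Express or Pulse code; it parses a constructed log format and assumes RFC 1918 ranges as "internal" and a fan-out threshold of three distinct internal SMB targets.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log (not captured from any real system).
# Field order assumed: timestamp src_ip src_port dst_ip dst_port proto
SAMPLE_LOG = """\
2017-05-12T10:01:02 10.0.5.17 49211 10.0.5.20 445 tcp
2017-05-12T10:01:03 10.0.5.17 49212 10.0.5.21 445 tcp
2017-05-12T10:01:03 10.0.5.17 49213 10.0.5.22 445 tcp
2017-05-12T10:01:04 10.0.5.17 49214 203.0.113.9 445 tcp
2017-05-12T10:01:05 10.0.5.40 50100 10.0.5.20 445 tcp
2017-05-12T10:01:06 10.0.5.40 50101 10.0.5.3 53 udp
"""

# Assumption: these private ranges are the organisation's internal space.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORT = 445


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def analyze_smb(log_text, fanout_threshold=3):
    """Return (outbound, scanners).

    outbound: (timestamp, src, dst) tuples for SMB sessions an internal host
              opened to a non-internal address (workstations normally never do this).
    scanners: {src: count} for internal hosts that touched at least
              fanout_threshold distinct internal SMB targets (lateral fan-out).
    """
    outbound = []
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed or truncated lines
        ts, src, _sport, dst, dport, proto = parts
        if proto != "tcp" or int(dport) != SMB_PORT:
            continue
        if is_internal(src) and not is_internal(dst):
            outbound.append((ts, src, dst))
        elif is_internal(src) and is_internal(dst):
            targets[src].add(dst)
    scanners = {s: len(d) for s, d in targets.items() if len(d) >= fanout_threshold}
    return outbound, scanners


if __name__ == "__main__":
    print(analyze_smb(SAMPLE_LOG))
```

On the sample, 10.0.5.17 is reported both for an outbound SMB connection and for fanning out to three internal hosts, while 10.0.5.40's single file-share session is left alone.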
While targeting older Windows OS versions, WannaCry also strategically made its way to the parts of an enterprise network that are generally not closely administered at all, where traffic moves freely from one segment to another.
Another key clue is related to the origin of the WannaCry attack: those looking at the code realized that WannaCry utilized something called EternalBlue, which had been a part of a leak from the National Security Agency. That’s telling in the sense that when hackers get their hands on code resources from highly evolved offices like these, the results can be disastrous. As the security community found with WannaCry, the abuse of EternalBlue led to the very real infiltration of hospitals and places of learning, of corporations and small businesses, all to a very detrimental result.
WannaCry remains a real marker of just how fragile our network systems can be, without real, proactive security. In some ways, dwell time doesn’t really matter: whether a patch or fix takes a day or a year, the damage can be done in an instant. The Internet of Things (IoT) is expanding this threat in a real way, as businesses look to connect more and more business-critical parts of their companies to the internet and other parts of the business.
To go back to Mirai and WannaCry, these events provided security professionals with a partial road map: first, consider the threats that may come from, or target, less than fully vetted and configured devices; say, medical devices, manufacturing equipment, new smart appliances. Then, assess how older legacy platforms tied into operational systems leave data and systems on the table for criminals to find and exploit.
Going Beyond the Network Perimeter
How do companies and other stakeholders achieve these goals?
In a broad sense there is a big sea change going on right now, away from yesterday’s approaches of perimeter-based security, toward other very different principles of “deep network” analysis and detection.
Increasingly, it’s not enough to rely on firewalls and Network Access Controls. Walls aren’t going to keep everything out, partly because of new data traffic models, but also because so many successful cyberattacks are aimed at identified holes and vulnerabilities in specific parts of an architecture – for example, an older operating system still deployed somewhere in a network.
This is where Pwnie Express shines. We provide the ability to detect all of the devices in your environment, IT, OT and IoT, whether they use wired, wireless or even Bluetooth networks to communicate. We classify these devices, baseline what should and should not be in your environment, and identify the threats and risks these devices present to your business. Pulse also provides vulnerability scanning to identify vulnerabilities. The Threat Dashboard and Risk Scorecard aid in the observation of business risks from a central vantage point.
In fact, we released WannaCry-specific detection and workflow tools in Pulse to help customers pinpoint affected systems in minutes.
In the IoT age, deploying rigorous asset discovery helps decision makers to see, at a glance, which parts of a system are vulnerable, and how those vulnerabilities expose risk to the business. In fact, another major part of this approach is device visibility, as made evident in the 2017 Internet of Evil Things Report. Why evil things? Because too often, a “loose” device or an unknown asset ends up bringing down company systems in some way or another. That’s why Pwnie researchers have been studying BYOD, IoT and related connectivity phenomena.
Unfortunately, these types of attacks are not going away; in fact, their ability to disrupt business operations and people’s safety only increases with IoT. That is why we are so passionately focused on helping companies protect their IoT systems.