Read about the new and emerging threats...
And to thicken the plot, you need to figure out how to get security everywhere to secure this complex infrastructure.
In 2016, 27% of the connected third-party cloud applications introduced by employees in enterprises posed a high security risk.
This is undoubtedly a result of workers wanting to improve their own levels of productivity and stay connected while on the job… but they’re not necessarily thinking about the security implications on their data when accessing these applications.
This practice, known as ‘Shadow IT’, can be anything from installing an instant messenger service onto a corporate device, to downloading your own file sharing software and using it to transfer sensitive data. This kind of operation is like catnip for hackers.
On the 14th May, news broke in the UK of a ‘significant cyber attack’, which initially looked like a deliberate attempt on our national health service. They appeared to be hit by a ransomware campaign, which was designed to exploit any technology weaknesses, and bring their systems to a halt…unless they paid the cyber criminals a fee.
However, it soon became clear that as more and more countries came forward with their own similar reports, that this was a rapidly spreading global threat. No one industry was immune, and it definitely wasn’t your ‘usual’ case of ransomware…
Our Talos threat intelligence team dived deep into research mode, and here's what they found:
WannaCry became installed through a vulnerability in the Microsoft SMB protocol, not phishing emails or malvertising which is how ransomware normally gets distributed.
SMB is a network protocol used to share files between computers. One of the reasons this ransomware spread so rapidly is that it can move laterally across the same network, automatically installing itself on other systems without any end user involvement.
The malware was particularly effective in environments with Windows XP machines, as it could scan heavily over TCP port 445 (Server Message Block/SMB), compromising hosts, encrypting files stored on them, and then demanding a ransom payment in the form of Bitcoin.
On March 14, Microsoft released a security update to patch this vulnerability. While this protected newer Windows computers that had Windows Update enabled, many computers remained unpatched globally.
This is very much true of Windows XP computers which are no longer supported by Microsoft, as well as the millions of computers globally running pirated software, which are (obviously) not automatically upgraded.
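The lateral-spread behaviour described above (one host reaching many peers on TCP port 445 in a short time) is something a defender can look for in flow or firewall logs. The following is an added example, not Cisco or Talos code: it parses a constructed flow-record format (an assumption, one connection per line as `<timestamp> <src> -> <dst>:<port>/<proto>`) and flags sources whose fan-out to distinct SMB peers within a sliding window exceeds a threshold. The sample records and the threshold are constructed for illustration.

```python
"""Flag hosts fanning out to many distinct peers on TCP/445.

Added example (not Cisco/Talos code). Log format is an assumed,
constructed firewall-style flow record, one connection per line:
    <timestamp> <src_ip> -> <dst_ip>:<dst_port>/<proto>
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORT = 445
WINDOW = timedelta(seconds=60)
THRESHOLD = 10  # distinct peers on 445 within WINDOW; tune per environment


def parse_flow(line):
    """Parse one flow record into (ts, src, dst, port, proto); None if malformed."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "->":
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        dst, rest = parts[3].rsplit(":", 1)
        port_str, proto = rest.split("/", 1)
        return ts, parts[1], dst, int(port_str), proto.lower()
    except ValueError:
        return None


def first_contacts(lines):
    """Per source, the first time it reached each distinct peer on TCP/445."""
    seen = defaultdict(dict)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst, port, proto = rec
        if proto == "tcp" and port == SMB_PORT and dst not in seen[src]:
            seen[src][dst] = ts
    return seen


def peak_fanout(times, window=WINDOW):
    """Largest number of distinct new peers contacted within any sliding window."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_smb_scanners(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src: peak_fanout} for sources at or above the threshold."""
    flagged = {}
    for src, peers in first_contacts(lines).items():
        peak = peak_fanout(peers.values(), window)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def build_sample():
    """Constructed sample: 10.0.0.7 probes 30 peers on 445 within 30 seconds
    (worm-like fan-out); 10.0.0.5 makes three ordinary file-share connections;
    one non-SMB flow and one malformed line are included as noise."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    fmt = lambda d: d.isoformat(timespec="seconds")
    lines = [f"{fmt(base + timedelta(seconds=i * 20))} 10.0.0.5 -> 10.0.0.{20 + i}:445/tcp"
             for i in range(3)]
    lines += [f"{fmt(base + timedelta(seconds=i))} 10.0.0.7 -> 10.0.0.{100 + i}:445/tcp"
              for i in range(30)]
    lines.append(f"{fmt(base)} 10.0.0.9 -> 10.0.0.50:80/tcp")
    lines.append("garbage line")
    return lines


SAMPLE_FLOWS = build_sample()

if __name__ == "__main__":
    for src, peak in find_smb_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {peak} distinct peers on TCP/445 within {WINDOW.seconds}s")
```

The check counts first contacts per destination rather than raw connection volume, so a busy file server talking to one peer repeatedly is not flagged, while a host that touches many new peers in a minute is. In practice the window and threshold should be set against a baseline of normal SMB activity on the segment being monitored.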
A really key part of our findings confirmed that the malware had been designed as a modular service. It appears to us that the executable files associated with the ransomware have been written by a different individual than whomever developed the service module. Potentially, this means that the structure of this malware can be used to deliver and run different malicious payloads.
Talos strongly encourages organisations to take the following industry-standard recommended best practices to prevent attacks and campaigns like this and similar ones:
Though they are still primarily motivated by financial gain, the aim of some cyber criminals now is to step things up a gear, and not just to attack, but to destroy in a way that prevents organisations from restoring their systems and data (i.e. taking out their backups).
As revealed in the 2017 Cisco Midyear Cybersecurity Report, our researchers commented that this new era of ‘destructive’ attacks is very sinister activity, and is a precursor to a new and devastating type of attack that is likely to emerge in the near future: Destruction of service (DeOS).
Why is this? A large reason is that cyber criminals have seen the huge opportunity in being able to hack into IoT devices (those which haven’t necessarily been built with security in mind), and create large scale attacks using IoT botnets.
The report goes on to explain that we’ve seen evidence that most organisations aren’t fully aware of what IoT devices may be connecting to their network – such as smart meters, cameras, or thermostats. Many of these devices lag well behind desktop security capabilities, and are typically rarely patched or run outdated applications.
In addition, it’s not always clear who inside the organisation is responsible for addressing IoT compromises. Typically, once an IoT project is completed, that team moves onto the next one.
This is why it has never been more important for organisations to make cybersecurity a top priority.
Visibility is the key here – it’s about learning to see what you currently can’t see, and that means devoting the time and resources to ensuring you always know exactly what is in your IT environment…and that everything within it is deployed correctly and securely, and kept up to date.
This isn’t an easy task for organisations, especially considering how fragmented the security industry has made itself.
Which is why, as an industry, we need a customer-first approach. Businesses should be able to implement security solutions that will work best for them, and make the most of their existing investments.
Solutions which can communicate with each other, and work together to protect users and businesses, are the only way in which we can meet the challenge of cyber criminals who are determined to interfere with an IoT world.
As one of our threat intelligence experts, Martin Lee, has observed, we have a small window of opportunity to do something about this: