Categories
Building Trust Improving Technical Security

Hit Pause: Take a Moment to Reflect on the Repercussions of the Recent Ransomware Attacks

As these devastating global ransomware attacks illustrate, cybersecurity is not an issue that can be ignored. Any time a device or system is connected to the Internet, it is a potential target. Once just another lucrative means of extorting money from Internet users, ransomware is emerging as a preferred tool for causing widespread disruption of vital services such as hospitals, banks, shipping, or airports. Attacks are growing more sophisticated and more enduring, with longer-term damaging effects and wider impact. Ransomware exploits the slow pace of security patching, systems that depend on old software, and poor backup practices. It also provides a smokescreen for other nefarious acts, including stealing data and credentials, or even wiping data. So the name “ransomware” becomes illusory: what we are really dealing with is “hydraware.”

Also, as the recent attack demonstrates, one security vulnerability in just one piece of software can wreak havoc across multiple critical government and business services. Information security experts have traced “patient zero” in Petya/NotPetya to poisoned update servers for M.E.Doc, accounting software developed by a Ukrainian company. This tactic is not new: as recently as May, update servers for HandBrake, a free and open-source transcoder for digital video files, were compromised with Proton malware, designed to scoop up the keychain (including all passwords) for future attacks. These attacks underline how essential it is that vendors secure and monitor their software update servers.

Additionally, researchers tracing the progress of the Petya/NotPetya malware observed that it exploited user administrative privileges to gain access to credentials, which it then used to infect other devices on the network. This is a timely reminder that giving users administrative privileges means a compromised device can more readily infect others on the network.

There are three other aspects of these attacks that should be called out – software patching, security vulnerability disclosure, and attribution.

Both the WannaCry and Petya/NotPetya malware exploited a security vulnerability in the Windows OS known as “EternalBlue.” WannaCry should have been a warning to patch urgently, and many did. However, others did not. Why? Industrial systems may use legacy software. Enterprises may have poor software update policies, may be using unlicensed software, or may run old devices that cannot use supported software. Some of these scenarios are easier to fix than others. But a good place to start is shortening the software update cycle for as many devices and systems as possible, to improve the “herd immunity” of devices connected to the Internet.

While the EternalBlue security vulnerability was known at the time of the attacks, it was originally a zero-day exploit held by the NSA and revealed to the public by the ShadowBrokers. Imagine if it had not been exposed earlier in the year: how much worse might the attacks have been? These attacks bring to light the dangers of hoarding zero-day exploits and the importance of responsible security vulnerability disclosure.

Imagine you discovered that your neighbour forgot to lock their door. Would you tell them? What if it was the door to their bank vault or medical file? Would you keep that information to yourself, planning to enter at your leisure when no one was looking? Or would you help them secure their door? Or, worse, were you hoping that only you would be able to try the handle when you decided you wanted something?

States have a vested interest in strengthening the security of the Internet and the devices that connect to it. Without the Internet, there would be no digital economy. Yet any known security vulnerability is like leaving the door unlocked and hoping no one will try the handle. Zero-day vulnerabilities might initially seem like attractive tools in the fight against cyber criminals, but as long as they exist they pose a real and imminent threat to hundreds or thousands of innocent users. And, as we saw with WannaCry and Petya/NotPetya, exploits of software security vulnerabilities can have real-life consequences such as delays in medical treatment, suspension of banking operations, and disruption of port services.

Criminals will always search for any way in, but state actors have a responsibility to secure the Internet, not to weaken it. They should both practice and encourage swift responsible disclosure of security vulnerabilities so they can be patched everywhere. In the end, it’s about making sure we do all that we can to protect citizens online, and out in the world.

A number of security researchers speculate that the Petya/NotPetya attack was a state-sponsored attack on Ukraine. If this is correct, it raises questions for which no one has an easy answer: Is attribution possible? When does a cyber attack rise to the level of an act of war? What should the appropriate response be? According to a statement from NATO’s Cooperative Cyber Defence Centre of Excellence, “NATO’s Secretary General reaffirmed on 28 June that a cyber operation with consequences comparable to an armed attack can trigger Article 5 of the North Atlantic Treaty.” In a recent speech, UK Defence Secretary Sir Michael Fallon clearly signaled that offensive cyber is part of the UK’s arsenal, and that cyber attacks could be met with attacks by land, air, sea or cyber. This is a clear signal that cyber warfare could spill over into the realm of military warfare. Keep in mind too that Petya/NotPetya caused disruption and harm beyond Ukraine, across the world. If the target was Ukraine, the collateral damage was extensive. How might the “non-target” countries react? And where might that take us?

These are not problems we can solve alone. However, it is clear that Internet security must be a priority, and deliberate acts to undermine it must be off limits. We must tackle Internet security from all fronts by ensuring: security vulnerabilities are identified early and responsibly disclosed; devices and systems are patched; security experts are able to coordinate and act; critical services have built in redundancy; and, users are alert to phishing and other types of social engineering.

Only through this type of collaborative security will we create an Internet we all can trust.


New Petyawrap Ransomware Attack Again Highlights Critical Need For Security Processes

Whenever there’s a new attack on a global scale, the world trusts the Internet a little less. Today we are concerned with the many reports about this new ransomware attack called “Petyawrap”, “Petrwrap” or an older name of “Petya.”

The sad fact is: this new attack exploits the same vulnerabilities in Windows systems as last month’s WannaCry attack.

Fixes have been available for most Windows systems since March 2017!

The same tips Niel Harper provided last month to protect against ransomware also apply here.

Why haven’t the updates been applied? Often, smaller organizations may not have the needed IT staff. Enterprises may not fully embrace the level of business continuity planning they need. Companies may have legacy systems that are hard to patch.

Many organizations may have thought they were “safe” when they weren’t hit by WannaCry. They may have breathed a sigh of relief – and moved on to other critical needs.

The bad news is that this new attack gets nastier after the initial penetration of a network. Dan Goodin at Ars Technica relays that the attack payload includes tools to extract user passwords. It can then infect other systems on your network using those credentials. Microsoft has more technical details. Unlike WannaCry, there seems to be no “kill switch” to stop the infections. (See update below.)

As Olaf Kolkman wrote last month in response to the WannaCry ransomware:

“When you are connected to the Internet, you are part of the Internet, and you have a responsibility to do your part.”

Yet, as Brian Krebs reports at the end of his excellent piece, a recent ISACA survey found that:

  • 62 percent of organizations surveyed recently reported experiencing ransomware in 2016
  • only 53 percent said they had a formal process in place to address it

These attacks cause significant economic losses. They erode trust in the Internet. They limit the opportunities we all have online.

Collaborative security is a shared responsibility. We all have a part to play. We need to put the security processes in place to reduce these threats. In our companies and organizations. In nonprofits, schools, and community groups. In our homes. In our own actions.

We have the opportunity to shape tomorrow and build a stronger, more trusted Internet. One where ransomware no longer hits on a global scale.

Read Niel’s 6 tips. Promote the approach of “Collaborative Security”. Develop and implement security management strategies. Ask strong questions inside your organization.

Take action.

The time is now.

——

UPDATE #1 – There are now reports of a “vaccine” in the form of a file you can create on a Windows system to prevent the ransomware from running. This is not a “kill switch” that can apply globally, but it is something that can be done on individual PCs. If the ransomware finds that this read-only file exists, it will not perform its attack on that machine.

——



6 Tips for Protecting Against Ransomware

The Internet Society has been closely monitoring the ransomware cyber-attacks that have been occurring over the last couple of days. The malware, which has gone by multiple names, including WannaCry, WannaDecryptor, and WannaCrypt, exploits a flaw in Microsoft Windows that was first reportedly discovered by the National Security Agency (NSA). A group of hackers leaked the code for exploiting this vulnerability earlier this year, and a fix or patch was available as far back as March 2017. Since Friday, 200,000 computers in 150 countries have been compromised using this exploit. The numbers are expected to grow exponentially as people settle back into their work routines and regular use of computer systems this week. As part of our continuing work in online trust and security, there are some key takeaways from this incident that we want to leave with our community.

Firstly, we want to highlight the extremely negative effects which government stockpiling of vulnerabilities and zero day attacks has on the overall security of the Internet. With over 60 countries known to be developing growing arsenals of cyber weapons, and with many of these exploits leaking into the public domain, the potential for widespread damage is a massive cause for concern. The impact is not only economic in terms of financial loss, but social in terms of how it impacts end user trust, and most importantly human in terms of loss of life (especially given that ransomware attacks have been focusing on hospitals). And with critical infrastructure like power plants, dams, and transportation systems being targeted in nation state cyber offensives, the threat to human life increases exponentially.

Secondly, it would appear that some hospitals are easy targets for ransomware attackers. Their systems house data that is critical to patient care and management, and many of these institutions don’t have the IT resources to support critical process areas like vulnerability management, patch management, business continuity management, etc. In general, hospitals are also now adapting to digital realities and a number of them are playing catchup with regards to cyber readiness. However, the aforementioned challenges are not unique to hospitals, and are faced by many small and medium enterprises (SMEs), and in several instances, large corporations. Individual users are also targeted based on their generally poor Internet hygiene or lack of security awareness.

We want to take this opportunity to emphasize the importance of good online security practices when accessing the Internet. So here are 6 basic tips for protecting against ransomware:

1. Employ strong, multi-layered endpoint security – Using endpoint security that can protect web browsing, control outbound traffic, protect system settings, proactively stop phishing attacks and continuously monitor for anomalous system behavior will allow for better protection of servers, laptops, tablets, and mobile devices.

2. Maintain regular backups of your critical data – Backups can help you to protect your data from more than just ransomware. Other risk events such as malware, theft, fire, flood or accidental deletion can all render your data unavailable. Be certain to encrypt your backed-up data so it can be effectively restored. Backups should also be stored at an offsite location isolated from the local network.

3. Do not open unsolicited emails or messages from unknown senders – Many ransomware variants are distributed through phishing attacks or email attachments. Increased mindfulness when handling ‘suspect’ emails can be effective in combating ransomware.

4. Patch your systems regularly – Patching your systems for vulnerabilities reduces the opportunities for hackers to infect you with ransomware. The fact that a patch was available for the WannaCrypt vulnerability since March highlights the somewhat lax attitude by organizations and individuals to keeping their system patches up to date. That being said, patch management is a complex activity and can impact the availability of key systems. Hence, thorough testing must be conducted to avoid unplanned downtime.

5. Disable macros if possible – Many forms of ransomware are distributed in Microsoft Office documents that attempt to trick users into enabling macros. There are a number of tools available that can limit the functionality of macros by preventing them from being enabled on files downloaded from the Internet.

6. Be aware and vigilant – For individuals, don’t assume that only techies need to know about all the recent malware and trends in online attacks. Subscribe to mailing lists that provide information on common vulnerabilities and exposures. In the case of organizations, developing an information security awareness program is an integral part of improving overall security posture.
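As an added example of the control described in tip 5 (not part of the original post), the PowerShell below enforces and audits the Office policy that blocks macros in files downloaded from the Internet, and shows how to check whether a given document carries the Internet-zone mark the policy keys off. It assumes Office 2016/365 (policy version key 16.0) and uses the documented Group Policy registry path and value name.

```powershell
# Added example, not from the original post: enforce the Office "Block macros from
# running in Office files from the Internet" policy for the current user, audit it,
# and test whether a file carries the Mark-of-the-Web the policy relies on.
# Assumes Office 2016/365 (policy version key 16.0).

$OfficeApps = 'Word', 'Excel', 'PowerPoint'
$PolicyBase = 'HKCU:\Software\Policies\Microsoft\Office\16.0'
$ValueName  = 'blockcontentexecutionfrominternet'

function Set-InternetMacroBlock {
    foreach ($app in $OfficeApps) {
        $key = Join-Path $PolicyBase "$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # DWORD 1 = block macros in documents that carry an Internet-zone Mark-of-the-Web
        New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Get-InternetMacroBlockStatus {
    # Report, per application, whether the blocking policy is actually in effect
    foreach ($app in $OfficeApps) {
        $key   = Join-Path $PolicyBase "$app\Security"
        $value = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        [pscustomobject]@{
            Application = $app
            Blocked     = ($value -eq 1)
        }
    }
}

function Test-DownloadedFromInternet {
    param([Parameter(Mandatory)][string]$Path)
    # Browsers and mail clients tag downloaded files with a Zone.Identifier alternate data
    # stream; ZoneId=3 is the Internet zone, which is what triggers the macro block.
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    return (@($zone) -contains 'ZoneId=3')
}

Set-InternetMacroBlock
Get-InternetMacroBlockStatus | Format-Table -AutoSize
# Example check on a downloaded document (path is a placeholder):
# Test-DownloadedFromInternet -Path "$env:USERPROFILE\Downloads\invoice.docm"
```

Deploying the same values under HKLM via Group Policy applies them machine-wide; the per-user path above is enough to verify the behaviour on a single workstation.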

Finally, we want to touch on the important work being done by the Online Trust Alliance (OTA), the Internet Society’s newest initiative. The OTA’s mission is to enhance online trust, user empowerment and innovation through convening multi-stakeholder initiatives, developing and promoting best practices, ethical privacy practices and data stewardship. With regards to preventing ransomware attacks, OTA has developed a number of industry best practices that address key threat areas such as email authentication and incident response. These are as follows:

Email Authentication: https://otalliance.org/resources/email-security

Domain-based Message Authentication, Reporting & Conformance (DMARC): https://otalliance.org/dmarc

Cyber Incident & Breach Response: https://otalliance.org/resources/cyber-incident-breach-response

Additional OTA best practices, resources and guidance to help enhance online safety, data security, privacy and brand protection can be found here.

The Spam Toolkit developed by the Internet Society also provides some guidance on addressing online threats.

The Internet Society is committed to the enhancement of online trust, and our work along this vein spans multiple areas. Our goal is to continue to provide our individual members, organizational members, chapters, partners, and other constituents with timely and relevant information and resources that equip and empower them to act.

