NotPetya - another entirely predictable major incident?
Thursday, June 29, 2017
A new series of attacks has wrought havoc globally, shutting down hundreds of businesses, including Maersk, WPP, TNT, Mondelez, Cadbury's, Russian steel and oil firms Evraz and Rosneft, Kiev airport and Chernobyl's monitoring systems.
A massive ransomware attack looks set to dwarf WannaCry just weeks after the latter caused havoc globally. The new malware has attacked Windows PCs belonging to companies in 64 countries, including banks in Ukraine, Russian oil giant Rosneft, UK advertising giant WPP, Maersk, TNT and US law firm DLA Piper.
There has been some confusion over the malware responsible, with initial reports labelling the ransomware as a variant of ‘Petya’, and others dubbing it by various names such as Petrwrap and GoldenEye. Naming aside, most agree that the malware takes advantage of the EternalBlue SMBv1 exploit used by WannaCry and also uses EternalRomance - a second SMBv1 exploit leaked by "ShadowBrokers" - as well as Windows Management Instrumentation (WMI) for lateral movement inside an affected network.
Several security researchers (including Cisco's) have pointed the finger at the software update system for a Ukrainian tax accounting package called MeDoc as the first point of compromise, and as a result Ukrainian systems have been hit the hardest. According to anti-virus vendor ESET, 80% of all infections were in Ukraine, with Germany second hardest hit at about 9%.
MeDoc has denied being compromised, but researchers have speculated that the update functionality was compromised to push out malicious files. Microsoft described the method as "a recent dangerous trend".
TheShadowBrokers, the hacking group that leaked the NSA EternalBlue exploit used by WannaCry and now Petya, have resurfaced in the wake of the Petya outbreak, mainly to promote their July "dump of the month", which will cost significantly more than the $23,000 it charged for the June dump. The hackers have raised their ‘subscription’ to 200 Zcash, which converts to $65,000 at today's exchange rates.
Meanwhile, Petya’s flimsy ransom mechanism (a single Bitcoin address and email) has raised speculation about the money-making intentions behind the attack, and early checks on the Bitcoin address given in ransom notes indicate that the current ‘record’ for ransom payments is pretty safe. However, these concerns have even spurred NATO to speak up, with NATO chief Jens Stoltenberg warning that the alliance must step up its defence against cyberattacks, saying they could potentially trigger their Article 5 mutual defence commitment. Cyber-security will be a key talking point at a NATO meeting this week.
Aside from the politics though, the attack has definitely caused significant disruption to large enterprises across the globe, whether collateral damage or not. The fact is that the two key vulnerabilities exploited - EternalBlue and EternalRomance - were leaked months ago, and patched reasonably promptly to boot. Not only this, but these specific vulnerabilities have been so widely publicised, debated and analysed over the last month or two that awareness isn’t an excuse. The only remaining options are carelessness, or variations on complexity - in that the affected business networks are either so dense with legacy equipment that sys admins didn’t know they were running unpatched XP, or so complex that simply applying new patches without weeks of testing isn’t an option.
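The two conditions the paragraph above ties the outbreak to are concrete enough to check per host: is SMBv1 still enabled, and is the fix for EternalBlue/EternalRomance (Microsoft bulletin MS17-010) installed? The script below is an added example, not code from the article or from High-Tech Bridge. It assumes Windows PowerShell run as an administrator, and the KB list is my own transcription of the MS17-010 updates and should be verified against Microsoft's bulletin before anyone relies on it; on Windows 10 later cumulative updates supersede these KBs, so a "missing" result there needs a second look (the OS build is reported to help with that).

```powershell
# Added example: per-host check for the two conditions behind NotPetya's worm spread,
# SMBv1 still enabled and the MS17-010 fix (EternalBlue/EternalRomance) absent.
# Uses Get-WmiObject and @() rather than newer syntax so it also runs on the
# legacy PowerShell 2.0 hosts the article is worried about. Run elevated.

# Assumption: MS17-010 KB numbers as I recall them from the bulletin; verify before use.
$Ms17010Kbs = @(
    'KB4012598',                            # XP / Server 2003 / Vista / 2008 / 8 (May 2017 release)
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only, rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Get-NotPetyaExposure {
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 / Server 2012
    # and later; older hosts fall back to the LanmanServer "SMB1" registry value,
    # where an absent value means SMBv1 is enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1Enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $v = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                              -Name SMB1 -ErrorAction SilentlyContinue
        $smb1Enabled = ($null -eq $v) -or ($v.SMB1 -ne 0)
    }

    # Any installed update from the MS17-010 set
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        ForEach-Object { $_.HotFixID })

    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        OS             = $os.Caption
        Build          = $os.Version
        SMB1Enabled    = $smb1Enabled
        MS17010Present = ($installed.Count -gt 0)
        MS17010KBs     = ($installed -join ',')
        # Both conditions together are what let the SMB exploits land
        HighRisk       = ($smb1Enabled -and ($installed.Count -eq 0))
    }
}

Get-NotPetyaExposure | Format-List
```

Run it through your usual remote-execution or inventory tooling to get the same record from every host; the `HighRisk` field is the one to sort on. On hosts that report `SMB1Enabled` as true and have no business need for it, `Set-SmbServerConfiguration -EnableSMB1Protocol $false` (Windows 8 / Server 2012 and later) turns the protocol off independently of patch state, which also removes the exposure on machines where patching really does need weeks of testing.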
As Ilia Kolochenko, CEO of High-Tech Bridge said of the WannaCry outbreak earlier this year: “The root causes of WannaCry are fundamental cybersecurity problems: incomplete or outdated inventory of digital assets (software, hardware, users, data), missing or wrong risk assessment and risk mitigation plan, and lack of continuous security monitoring. These three are aggravated by operational problems such as poor patch management systems or missing security hardening on user machines. Very few vendors can help mitigate all these problems at once, and thus cannot be entirely responsible for WannaCry.
“However, it doesn't mean that vendors are exculpated of certain moral blame. Many cybersecurity companies sell their solutions and products to customers exaggerating the problem they solve and minimizing more pertinent risks and threats. Customers rely on their reckless advice and false promises, and blindly pay for inappropriate solutions they don't really need. Afterwards they unavoidably get hacked.”
It seems pretty clear that unless businesses sharpen up their patching - and especially in the case of fixes for high-profile vulnerabilities - then similar widespread compromises are set to become an unwanted regular feature for online enterprise...