Why experts believe malware is about to explode
Thursday, May 18, 2017
The recent massive ransomware attack could be just the beginning of a new wave of malware, and your business is under threat...
It’s been a busy few days in IT security following the ‘WannaCry’ ransomware attack, and although the initial infection was rapidly halted, there has been plenty of fallout of all kinds.
Inevitably there has been plenty of blame attribution, which has been spread evenly between the NSA ‘stockpiling zero-days’, Microsoft not patching unsupported OS (like XP), and businesses and public bodies not applying the patches in time. So far, so ordinary, although Microsoft in fairness did patch all current systems back in March, and even appeared to rush out an XP patch for the NHS.
However, closer scrutiny has revealed that the XP patch had been held back, only being provided to those paying a fee for ‘custom support’. The FT has obtained figures that claim the cost went from $200 per device in 2014, when regular support for XP ended, to $400 the following year. It jumped to $1,000 after that, according to one person who had seen a pricing schedule that Microsoft sent to one customer, with a minimum payment of $750,000 and a ceiling of $25m - quite an upgrade incentive there.
Of course, the initial malware was repackaged by other actors - essentially to remove the ‘kill switch’ - and now is in the wild, seeking new victims.
However, there are far bigger concerns post-attack. The Shadow Brokers group, generally held responsible for leaking the NSA data containing the ‘Eternal Blue’ exploit behind the recent chaos, has announced that it plans to set up a regular release of hacked code.
The group has promised a "monthly data dump" for subscribers, containing new attack tools, Windows 10 zero-days, data from banks using the SWIFT international money transfer network, and data from Russian, Chinese, Iranian or North Korean nuclear and missile programs. "More details in June," it promised.
Whether The Shadow Brokers do have more zero-day NSA bugs to leak or not, the episode has highlighted the dangers of such a course of action. Microsoft president Brad Smith was unequivocal on this point, writing in a blog that: “This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.”
While this type of response may be some time in coming, it is certain that there are more caches of ‘zero-day’ attacks out there awaiting widespread exploitation, and if they are leaked for free then they will indeed receive widespread use. The template has been set. How much of a problem this will actually pose is an interesting question. As cyber security expert Ilia Kolochenko, CEO of High-Tech Bridge, points out: “The real problem comes from organizations that failed to install security patches for almost two months, implement appropriate network segregation and assure daily backups. Cybercriminals are just leveraging their carelessness. Unfortunately, I don’t think that we will see a significant difference in the near future. Negligent IT personnel don’t have a clear incentive to change anything, as it will hardly improve their own lives, salaries or even comfort at work. Once several IT contractors will be held liable for negligence and breach of duty [for failure to install security patches for two months] – we will start seeing vigorous improvements. Otherwise, omitting temporary and minor ameliorations, nothing will really change.”
Meanwhile, the Cisco PSIRT Team is continuing to investigate the impact of the original vulnerability on Cisco products that do not support automated or manual updates of the Microsoft patch for these vulnerabilities. The investigation is expected to be completed by Friday, May 19th - nearly a week after ‘WannaCry’ became big news, and nearly two months after the patch was issued. Here be the real dragons - not necessarily with Cisco, or even Microsoft’s custom support clients - but with applications and systems that just can’t be patched, either for ‘WannaCry’, or the next wave of malware.