What WannaCry signals for the coming wave of attacks using nation-state cyber weapons

Companies must fortify patch management as likelihood of cyber criminals using NSA, other hacking tools rises


Companies would be remiss to downplay the profound implications of last month’s headline-grabbing WannaCry ransomware attack.

WannaCry was a mere harbinger; the tip of the iceberg. WannaCry happened a few weeks after the Shadow Brokers hacking collective stole dozens of the National Security Agency’s ace-in-the-hole hacking tools.

Shadow Brokers futilely tried to sell these cyber weapons piecemeal. But after getting no takers, the group publicly released them. Someone then quickly snapped up two of the free spy tools—code-named EternalBlue and DoublePulsar—and whipped up WannaCry, which spread, in a matter of days, into government, utility and company networks in 150 countries.


The initial version of WannaCry proved easy enough to thwart. No one in law enforcement and information security was surprised when more robust self-spreading variants almost immediately followed. Within a week of WannaCry’s release, researchers at Cyphort Labs flushed out a variant with the self-spreading feature and ransomware instructions stripped out.

RATs hard to eradicate

Instead, someone crafted this particular variant to take root in the targeted network, stay put and stand by to function as a Remote Access Tool, or RAT. RATs are terrific at screen and keyboard monitoring, audio and video surveillance, file downloads, file transfers and more.

Meanwhile, cyber forensics firm Stroz Friedberg examined Shadow Brokers’ disclosures and tallied some 69 NSA cyber weapons. To be more precise, these are so-called “exploits” conjured up by the NSA that take advantage of heretofore undisclosed security vulnerabilities in Windows, Linux, IBM and other core operating systems and applications widely used in commerce and government.

ThirdCertainty asked Mounir Hahad, senior director of Cyphort Labs, and Ed Stroz, co-president of Stroz Friedberg, an Aon company, to outline the wider context. The text has been edited for clarity and length.

ThirdCertainty: How should company decision-makers think about the dozens of exploits released by Shadow Brokers?


Mounir Hahad: Most of the exploits leaked are for very old operating systems and applications dating back to 2001, and most do not impact most companies. For those exploits that potentially apply, it is key that companies establish crisis cells to follow the development of these disclosures and be on the lookout for any patch or any attack reported in the media or social networks. To be more proactive, companies should be demanding from their security vendors what measures are being taken to guard against any future attack using any of these exploits.

Ed Stroz: The WannaCry campaign should serve as a stark reminder to organizations that having a sound and timely patch management process in place is critical. Companies should ensure they have an up-to-date asset inventory of their IT infrastructure components and threat surface, identify whether any highlighted systems are still in use and, if so, for what purpose. In addition, we recommend carrying out regular IT inventory, security assessments and penetration testing exercises to help ensure vulnerabilities against their infrastructure are addressed promptly.

3C: Is it possible to triage these exploits, perhaps categorize them by severity level?

Stroz: The severity of an exploit is often less about the nature of the vulnerability than it is about how an organization would be affected by it. Because severity is therefore subjective to a given environment, it is somewhat premature to assign a generic severity score.


Hahad: The type of environment exploited and the age of the vulnerability are factors that matter. For instance, a Windows desktop exploit presents a higher risk than an FTP server exploit for most companies just because the FTP server may be used infrequently. Also, a more recent exploit presents a higher risk than a 15-year-old exploit because of the potential attack surface that still exists.

3C: Can you characterize what’s going on in the cyber underground with these weapons available to one and all?

Hahad: It is clear some well-organized cyber criminals have pored over this data and quickly took advantage of the most readily available tools. The focus will now shift to the more obscure exploits. We will now see a resurgence of activity from well-funded cyber criminals and many more nation-states, which did not have access to such a treasure trove of exploits. The less sophisticated cyber criminals will probably revert back to previous email-based techniques and just wait for the next Shadow Brokers dump, which may have fresh exploits to use.

Stroz: Cyber threat actors are aware of what’s happening, and will take advantage of the time latency that exists between a patch release date and the organization’s installation date. In general, cyber threat actors are often quick to repurpose leaked exploits and tools for their own use, as it is cost effective to do so. A notable example is the Hacking Team leak in 2015 where (Adobe Flash exploits) were quickly repurposed by various espionage threat actors.

3C: How do you expect this to play out over the remainder of 2017?

Stroz: Cyber criminals could very well change tactics and take aim at connected devices and hold them ransom, something our firm predicted at the start of the year. Companies should not be sitting idle. If a company has not been applying patches and updates in a timely manner, they may be vulnerable to many other legacy exploits and not just those recently in the press.

Hahad: The security community has not finished studying these exploits, and I suspect that as detailed analysis emerges, so will the discovery of existing compromised systems that were previously operating under the radar.
