Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
8/23/2017
09:00 AM
Brett White
Brett White
Partner Perspectives
Connect Directly
Twitter
RSS
100%
0%

Ransomware: The Tripflare in the Modern Cyberwar

With the frequency and scale of breaches on the rise, and our legacy security failing to protect us, is ransomware the catalyst we need to trigger improvement in our security postures?

May and June 2017 saw the outbreak and rapid spread of WannaCry and NotPetya across the world. Though the initial infection vectors differed, both of these worms leveraged the same Server Message Block (SMB) vulnerabilities for lateral propagation and privilege escalation, though NotPetya added a couple of extra tricks to its bag. 

These SMB vulnerabilities – EternalBlue and DoublePulsar – stemmed from a leak of NSA-authored hacking tools released by The Shadow Brokers.  In both cases, the malware delivered was overt in nature, contributing to fast detection times and, in the case of WannaCry, the rapid discovery of a kill switch which was used to halt the attack.

When The Shadow Brokers dumped the cache of tools onto the Internet, Rapid7 reported that security researchers went from feeling "like kids in a candy store" to being disinterested as they realized that "the exploits were antiques and had all been patched."  However, as time and ransomware actors would go on to prove, "even though we thought we were safe against these non-zero-day, unexciting attacks, we were not." And although vulnerable servers should not have been "exposed to the public Internet in an unrestricted manner," over 250,000 machines were infected by WannaCry within the first day. This was also not the first time that a cryptoworm had leveraged vulnerabilities that had been patched years earlier by the vendor.

As the WannaCry and NotPetya attacks progressed, we saw reports of breaches from the NHS, telecommunications service providers, critical infrastructure providers, vehicle manufacturers, airports and logistics companies, and even speed camera operators.  But for each of these thousands of companies, across many industry verticals, the impact could have been much worse, if the payload had have been different. What if it had targeted and exfiltrated NHS patient records? What if it had modified shipping or customer manifests?  What if it had disabled speed cameras or worse, moved laterally and modified traffic light sequences? What if the attack was more covert in nature? Would we have ever known?

Over the last six years, Mandiant analysts have reported a reduction in the median breach detection time from 416 days (2012) to 99 days (2017). And while, on the surface, this looks positive, it worryingly corresponds to an increase in the percentage of breaches reported by internal sources from 6% (2012) to 47% (2017), during the period in which we have seen a massive boom in ransomware innovation and activity. 

So, I wonder, if ransomware attacks are leading to an increase in the percentage of internal breach notifications, and driving the median breach detection time down, thanks to their sheer volume and overt nature, how long are the covert attacks going undetected, before ransomware actors start leveraging their Tactics, Techniques and Procedures (TTPs), alerting us to the failings of our security architectures and policies, forcing us to make a change?

Until we see broader adoption of machine learning for discovering new threats, more automated sharing of threat intelligence between security vendors and security products, and the ability to leverage the network to shut down attacks at the source, we have to ask ourselves – is ransomware the tripflare in the modern cyberwar that we can’t afford not to have?

Brett White is a Senior Security Specialist with Juniper Networks in Australia.  He is a trained pen tester and ethical hacker who is passionate about leveraging threat intelligence to help educate people on the current threat landscape, improve their cyber-hygiene, and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/23/2017 | 10:08:17 AM
If anything ....
Lack of solid, tested backup and restore protocols.  I have argued for some time that encrypted files on workstation or server are the functional same as a drive crash or OS failure.  Workstations generally far easier to restore, local backup of data less so as rules change all over the place.  SERVERS should have reliable, tested plans for data restoration IF drives or infrastructure fails.  Ransomware is thus EASY to defeat.  WHY go so crazy?  Because many firms DO NOT have these plans in place.  Thus, IT staff works 24/7 for 2 weeks not knowing what they are doing at 2 am.  Sad.
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Cracking 2FA: How It's Done and How to Stay Safe
Kelly Sheridan, Staff Editor, Dark Reading,  5/17/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "The one you have not seen, won't be remembered".
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-10428
PUBLISHED: 2018-05-23
ILIAS before 5.1.26, 5.2.x before 5.2.15, and 5.3.x before 5.3.4, due to inconsistencies in parameter handling, is vulnerable to various instances of reflected cross-site-scripting.
CVE-2018-6495
PUBLISHED: 2018-05-23
Cross-Site Scripting (XSS) in Micro Focus Universal CMDB, version 10.20, 10.21, 10.22, 10.30, 10.31, 10.32, 10.33, 11.0, CMS, version 4.10, 4.11, 4.12, 4.13, 4.14, 4.15.1 and Micro Focus UCMDB Browser, version 4.10, 4.11, 4.12, 4.13, 4.14, 4.15.1. This vulnerability could be remotely exploited to al...
CVE-2018-10653
PUBLISHED: 2018-05-23
There is an XML External Entity (XXE) Processing Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.
CVE-2018-10654
PUBLISHED: 2018-05-23
There is a Hazelcast Library Java Deserialization Vulnerability in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.
CVE-2018-10648
PUBLISHED: 2018-05-23
There are Unauthenticated File Upload Vulnerabilities in Citrix XenMobile Server 10.8 before RP2 and 10.7 before RP3.