Advanced Threats | Commentary
Shimon Oren, 6/19/2018 02:00 PM
How to Prepare for 'WannaCry 2.0'

It seems inevitable that a more-powerful follow-up to last year's malware attack will hit sooner or later. You'd better get prepared.

More than a year after it first struck, WannaCry is still one of the most damaging cyberattacks to date. It cost the global economy billions of dollars, although the impact goes far beyond the money.

Beyond the monetary damage to companies, WannaCry is the clearest example of the physical impact a malware attack can have on critical infrastructure, such as rail systems and hospitals. This can happen even when the attack neither targets nor runs on industrial control systems, medical devices, or Internet of Things devices. WannaCry was "standard" malware aimed at Windows machines. And yet it disrupted day-to-day life by preventing employees from getting to work and patients from receiving uninterrupted medical care.

It's important to understand the longer-term effects of WannaCry on the cyber ecosystem, and what security professionals should be aware of, because we'll likely see "WannaCry 2.0" at some point.

As things stand now, we're in the phase of "WannaCry 1.5," which is not causing the same level of damage but is still cause for concern. Every day, mutations of WannaCry (some minimal, others significant) appear and are used by ransom-hungry hacking groups. As malware becomes more sophisticated, the chance that a WannaCry 2.0 becomes real only grows. The underlying factors that made WannaCry so successful for its creators are still relevant:

  • Patching: Organizations are not implementing patching cycles in a timely manner. For example, Microsoft released MS17-010, the patch for the SMBv1 vulnerability that EternalBlue exploits, in March 2017, but WannaCry was still able to infiltrate systems two months later, in May 2017, because organizations had not yet applied it.
  • Hacker persistence: Zero-day and one-day vulnerabilities are still appearing and being used in the wild. Hackers, including independent and nation-state groups, are looking for the right opportunity to spread a ransomware strain that could have the same (or better) lateral movement capabilities as WannaCry.

This type of looming cyber threat is the "new normal" in today's world, but it's important to understand how we got here, where we are now, and what we can do to better protect against such threats in the future.

Industry and Public Pressure on Government Agencies
The long-term effects of WannaCry are still being felt by many organizations, and it has been a cause for debate both at the enterprise and government level. Industry and public pressure is being put on government agencies, and for good reason. Government agencies have been, for several years now, part of the cyber ecosystem. They no longer enjoy the luxury of public and economic indifference to their cyber-related research and operations, as was the case in the late 1990s and early 2000s. They need to opt for responsible disclosures of vulnerabilities in a way that balances national security interests on the one hand and keeping cyberspace as safe as possible for individuals and corporations on the other. If exploits and vulnerabilities are not in use, or are not needed, they should be disclosed before being discovered or leaked.

Government agencies that discover vulnerabilities must, first, prevent them from leaking and keep them in the hands of the good guys. Second, agencies must be timelier in their disclosures. If a vulnerability or an exploit cannot (or can no longer) be leveraged to provide a tangible contribution to national security interests, it should be disclosed. The same should apply to vulnerabilities that are extremely severe and easily exploitable: if those are leaked or discovered by hackers, the effect could be catastrophic. Surveying the NSA/CIA leaks of the past year or so, it is obvious that some of the vulnerabilities discovered were held for a long time and most likely never used.

To change this current culture, government agencies must adopt clear policies. Of course, they do not have to disclose everything for the sake of national security, but they must own their faults in order to fix the problem.

Unfortunately, code and capabilities leaked from government agencies continue to trickle down into everyday malware attacks; WannaCry's use of EternalBlue is the obvious example. Malware strains built on leaked code are appearing more frequently and at a faster pace. Leaked exploits are always a hit in Dark Web hacking forums and turn up even in cryptocurrency-mining malware, such as miners that mine Monero. Attacks will become more sophisticated over time, which puts added pressure on enterprises to implement a strong cyber defense plan.

Implications for the Enterprise
Vulnerabilities are being disclosed on a daily basis, and many enterprises are overwhelmed and cannot patch at the fast pace that's required. This issue keeps many IT professionals and C-level executives up at night as hacker groups look to execute exploits at a mass scale to target employees, customers, and stakeholders.

To help mitigate some of this risk, security professionals within the enterprise must keep the following in mind:

  • Understand vulnerability databases: IT and security professionals need to take the time to understand newly disclosed vulnerabilities and assess how they affect the company. A thorough risk-factor assessment of how serious the threat is and how fast it can be exploited informs what the next action should be and the appropriate timeline for executing it.
  • Out-of-the-ordinary workflow: Timely patching can be a huge burden on an organization, so think of new ways to streamline patching and update systems accordingly. That might mean dedicating a small team solely to patching, or using solutions powered by artificial intelligence to help detect the vulnerabilities. Either way, it leaves the responsible staff more time to dissect, patch, and properly respond to the threat.
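The risk-factor assessment in the first bullet is easier to run consistently when it is written down as code. The following is an added example, not code from the original article or from the author: it parses a CVSS v3 vector string, flags the "wormable" shape that made EternalBlue so dangerous (network-reachable, no credentials, no user interaction, regardless of the attack-complexity metric or the headline score), and combines that with exploit availability and exposure to produce a patch deadline. The deadline policy (14/30/90/180 days and the 7/3/1-day overrides), the `Finding` fields and the sample findings are all assumptions constructed for illustration; the CVE identifiers are placeholders, not real records.

```python
"""Vulnerability triage: CVSS v3 vector + exposure facts -> patch deadline.

Added example, not from the original article. The deadline policy and the
sample findings below are assumptions, not real CVE data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Base metrics every CVSS v3.0/3.1 vector must carry.
BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def parse_cvss_vector(vector: str) -> dict:
    """Parse 'CVSS:3.1/AV:N/AC:L/...' into {'AV': 'N', ...}; reject malformed input."""
    m = re.fullmatch(r"CVSS:3\.[01]/(.+)", vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = {}
    for part in m.group(1).split("/"):
        key, sep, val = part.partition(":")
        if not sep or not key or not val:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = val
    missing = [k for k in BASE_METRICS if k not in metrics]
    if missing:
        raise ValueError(f"vector {vector!r} lacks base metrics {missing}")
    return metrics


def is_wormable(metrics: dict) -> bool:
    """Remote, unauthenticated, no user interaction: the shape of a self-spreading bug.

    Attack complexity (AC) is deliberately ignored: a hard-to-exploit bug is
    still wormable once someone publishes a reliable exploit for it.
    """
    return metrics["AV"] == "N" and metrics["PR"] == "N" and metrics["UI"] == "N"


@dataclass
class Finding:
    cve: str
    vector: str
    base_score: float
    known_exploited: bool       # exploit seen in the wild or publicly released
    internet_facing_hosts: int  # affected hosts reachable from outside
    internal_hosts: int         # affected hosts on the internal network only
    patch_available: bool


def patch_deadline_days(f: Finding) -> tuple[int, str]:
    """Return (days, reason). The policy numbers are assumed, not the article's."""
    metrics = parse_cvss_vector(f.vector)
    # Baseline from severity alone (assumed policy).
    if f.base_score >= 9.0:
        days, reason = 14, "critical base score"
    elif f.base_score >= 7.0:
        days, reason = 30, "high base score"
    elif f.base_score >= 4.0:
        days, reason = 90, "medium base score"
    else:
        days, reason = 180, "low base score"
    # Overrides for the factors that made EternalBlue/WannaCry dangerous.
    if is_wormable(metrics) and days > 7:
        days, reason = 7, "wormable (AV:N/PR:N/UI:N)"
    if f.known_exploited and days > 3:
        days, reason = 3, "exploit in the wild"
    if f.internet_facing_hosts > 0 and (is_wormable(metrics) or f.known_exploited) and days > 1:
        days, reason = 1, "exploitable from the internet"
    if not f.patch_available:
        reason += "; no patch: apply mitigation (disable/firewall the service) by the deadline"
    return days, reason


def triage(findings: list[Finding]) -> list[tuple[str, int, str]]:
    """Order findings by deadline, then by blast radius (number of affected hosts)."""
    rows = []
    for f in findings:
        days, reason = patch_deadline_days(f)
        rows.append((f.cve, days, reason, f.internet_facing_hosts + f.internal_hosts))
    rows.sort(key=lambda r: (r[1], -r[3]))
    return [(cve, days, reason) for cve, days, reason, _ in rows]


# Constructed sample findings; identifiers, vectors and counts are illustrative only.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", 8.1, True, 0, 2400, True),
    Finding("CVE-0000-0002", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", 7.8, False, 0, 900, True),
    Finding("CVE-0000-0003", "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", 10.0, False, 12, 0, False),
    Finding("CVE-0000-0004", "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", 5.4, False, 3, 0, True),
]

if __name__ == "__main__":
    for cve, days, reason in triage(SAMPLE_FINDINGS):
        print(f"{cve}: patch within {days:3d} day(s): {reason}")
```

Note what the ordering shows: the first sample has only a "High" base score (its AC:H metric drags the number down) yet lands at a three-day deadline because it is wormable and already exploited, which is exactly the profile a score-only policy would have left on a 30-day cycle in spring 2017. The third sample has no patch at all, so the deadline applies to a mitigation rather than an update.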

It's just a matter of time until WannaCry 2.0 is here, so understanding the cause of such an attack and having the right processes in place will be crucial for businesses to protect their assets.


Shimon Oren is an experienced cybersecurity professional focused on threat intelligence and process management, and is responsible for leading change processes and organizational transformations. Prior to this role, Shimon worked for the Israel Defense Forces as head of their ...