Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
8/23/2017
09:00 AM
Brett White
Brett White
Partner Perspectives
Connect Directly
Twitter
RSS
100%
0%

Ransomware: The Tripflare in the Modern Cyberwar

With the frequency and scale of breaches on the rise, and our legacy security failing to protect us, is ransomware the catalyst we need to trigger improvement in our security postures?

May and June 2017 saw the outbreak and rapid spread of WannaCry and NotPetya across the world. Though the initial infection vectors differed, both of these worms leveraged the same Server Message Block (SMB) vulnerabilities for lateral propagation and privilege escalation, though NotPetya added a couple of extra tricks to its bag. 

These SMB vulnerabilities – EternalBlue and DoublePulsar – stemmed from a leak of NSA-authored hacking tools released by The Shadow Brokers.  In both cases, the malware delivered was overt in nature, contributing to fast detection times and, in the case of WannaCry, the rapid discovery of a kill switch which was used to halt the attack.

When The Shadow Brokers dumped the cache of tools onto the Internet, Rapid7 reported that security researchers went from feeling "like kids in a candy store" to being disinterested as they realized that "the exploits were antiques and had all been patched."  However, as time and ransomware actors would go on to prove, "even though we thought we were safe against these non-zero-day, unexciting attacks, we were not." And although vulnerable servers should not have been "exposed to the public Internet in an unrestricted manner," over 250,000 machines were infected by WannaCry within the first day. This was also not the first time that a cryptoworm had leveraged vulnerabilities that had been patched years earlier by the vendor.

As the WannaCry and NotPetya attacks progressed, we saw reports of breaches from the NHS, telecommunications service providers, critical infrastructure providers, vehicle manufacturers, airports and logistics companies, and even speed camera operators.  But for each of these thousands of companies, across many industry verticals, the impact could have been much worse, if the payload had have been different. What if it had targeted and exfiltrated NHS patient records? What if it had modified shipping or customer manifests?  What if it had disabled speed cameras or worse, moved laterally and modified traffic light sequences? What if the attack was more covert in nature? Would we have ever known?

Over the last six years, Mandiant analysts have reported a reduction in the median breach detection time from 416 days (2012) to 99 days (2017). And while, on the surface, this looks positive, it worryingly corresponds to an increase in the percentage of breaches reported by internal sources from 6% (2012) to 47% (2017), during the period in which we have seen a massive boom in ransomware innovation and activity. 

So, I wonder, if ransomware attacks are leading to an increase in the percentage of internal breach notifications, and driving the median breach detection time down, thanks to their sheer volume and overt nature, how long are the covert attacks going undetected, before ransomware actors start leveraging their Tactics, Techniques and Procedures (TTPs), alerting us to the failings of our security architectures and policies, forcing us to make a change?

Until we see broader adoption of machine learning for discovering new threats, more automated sharing of threat intelligence between security vendors and security products, and the ability to leverage the network to shut down attacks at the source, we have to ask ourselves – is ransomware the tripflare in the modern cyberwar that we can’t afford not to have?

Brett White is a Senior Security Specialist with Juniper Networks in Australia.  He is a trained pen tester and ethical hacker who is passionate about leveraging threat intelligence to help educate people on the current threat landscape, improve their cyber-hygiene, and ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/23/2017 | 10:08:17 AM
If anything ....
Lack of solid, tested backup and restore protocols.  I have argued for some time that encrypted files on workstation or server are the functional same as a drive crash or OS failure.  Workstations generally far easier to restore, local backup of data less so as rules change all over the place.  SERVERS should have reliable, tested plans for data restoration IF drives or infrastructure fails.  Ransomware is thus EASY to defeat.  WHY go so crazy?  Because many firms DO NOT have these plans in place.  Thus, IT staff works 24/7 for 2 weeks not knowing what they are doing at 2 am.  Sad.
Devastating Cyberattack on Email Provider Destroys 18 Years of Data
Jai Vijayan, Freelance writer,  2/12/2019
Up to 100,000 Reported Affected in Landmark White Data Breach
Kelly Sheridan, Staff Editor, Dark Reading,  2/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8354
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c has an integer overflow on the result of multiplication fed into malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow.
CVE-2019-8355
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. In xmalloc.h, there is an integer overflow on the result of multiplication fed into the lsx_valloc macro that wraps malloc. When the buffer is allocated, it is smaller than expected, leading to a heap-based buffer overflow in channels_start in remix.c.
CVE-2019-8356
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. One of the arguments to bitrv2 in fft4g.c is not guarded, such that it can lead to write access outside of the statically declared array, aka a stack-based buffer overflow.
CVE-2019-8357
PUBLISHED: 2019-02-15
An issue was discovered in SoX 14.4.2. lsx_make_lpf in effect_i_dsp.c allows a NULL pointer dereference.
CVE-2013-2516
PUBLISHED: 2019-02-15
Vulnerability in FileUtils v0.7, Ruby Gem Fileutils <= v0.7 Command Injection vulnerability in user supplied url variable that is passed to the shell.