As we all return to work from the summer holidays, we at Trend Micro reflect on what we have seen in the threat landscape over the first six months of 2017 with the release of our 2017 Mid-Year Security Roundup. It takes me back to the two major attacks that we witnessed, and I was ‘lucky’ enough to be involved with from an Incident Response point of view: namely WannaCry and NotPetya.
Trend Micro has been doing a lot of work with healthcare providers around the world over the last few years. As our report shows, 67 percent of ransomware related attacks come in through email; and Trend’s cloud and on-premises email gateways block 1,000s of new and unseen attacks every day. We also work closely with many healthcare providers to deliver leading edge and easy to manage security systems that protect the network, servers and end points in hospitals all over the world.
Often these projects start with us carrying out a “Breach Detection Report,” where we analyse current and existing security threats. This also gives greater visibility on what is happening on the hospital’s network and what is being communicated in and out of the these often highly complex environments.
A key conclusion (reached a long time before that fateful day in May when WannaCry hit) was the problem that was posed by the large number of un-patchable systems.
These systems not only fell out of scope of the overarching security policy being used by the hospital, but where often owned by 3rd party organisations that were not patching the system either. These systems often employed old versions of Windows and so are prone to attack.
We consistently find old, unpatched systems in the field. These are often infected with malware and often attempting communication to Command & Control (C&C) servers. In many cases these C&C servers were dead–taken down or sink holed a long time ago–which again highlighted how old these infections were.
When WannaCry hit on Friday 12th May, it was these un-patchable systems which were often the first to be hit and because they often ran critical systems needed to deliver care; their loss resulted in the hospital not being able to deliver the care required by its patients; and many had to close until the problem could be sorted.
When the attack struck, many were looking to the email systems to see if something was missed, and it took some hours before the fact that this was a worm was fully understood.
It is not surprising that it took a while for people to catch on that this was no normal ransomware attack; most analysts were still at school the last time there was a major worm outbreak.
We still often find Conficker infections even though that came out in 2008 and infected between 9-15 million systems (a worm that uses an exploit very similar to the one used by WannaCry). Sasser hit in 2004. SQL Slammer in 2003 and Code Red in 2001. Worms are old school.
Using worms to propagate ransomware also creates challenges for the hackers; with most ransomware (like Cerber) the decryption key is linked to a unique bitcoin address, making key management easier. However, both WannaCry and later NotPetya, relied on hard coded email addresses and bitcoin wallets, which were quickly shutdown and tracked. This made payments difficult, and ultimately meant that victims could not and did not get their data back when they tried to pay.
Much of that weekend, myself and others at Trend Micro worked closely with many hospitals and we offered our software and services for free to help get them back up and running. Existing Trend Micro customers, using our latest behavioural monitoring and machine learning, were protected. But there were some who had not updated to the latest versions, and so were minimally impacted.
This in itself also is an important take away. Just because you have an icon of s security solution on your desktop doesn’t mean it provides sufficient protection. GDPR requires organizations to use ‘State of the Art’ security systems. You have to use modern security controls and keep them up to date!
As the dust settled and the serious questions started to be asked as to why the hospitals had been hit so badly, a number of conclusions started to arise.
We are helping healthcare organizations ensure that proper controls are in place to protect all systems within hospitals. Using virtual patching really helps. By deploying Intrusion Prevention Systems (IPS) inline at the core of the network, protecting different VLANs, we not only stop the targeting of old vulnerabilities but also protect against the propagation of worm based attacks.
May taught us a lot about what could be the next generation of cyberattacks: Ones that are highly destructive and propagate very quickly across networks.
In fact, it only took six weeks for this to be shown true, when on June 27th a new threat was detected: NotPetya.
This was efficient and had a bigger impact on its victims. Using a dangerous variant of Petya (an MBR wiping ransomware first detected in 2016, Petya), NotPetya combined this approach with an efficient worm design that leveraged Microsoft Management protocols (WMI & PSExec) commonly used by operations teams around the world. On one incident response call we literally saw thousands of Windows workstations and servers wiped out in less than 2 hours!
Worms have the capacity to spread quickly throughout an organization. It’s best practice to use a standard image for systems within the same role (desktop, server, etc.) and if a worm finds a hole, it’s usually on every system. This is where security controls like intrusion prevention step it to help reduce the impact and stop the spread of a worm within your network.
Both WannaCry and NotPetya show us that worms are back. Worms are an effective technique for cybercriminals in an ever connected world. As more devices—IoT anyone?—are connected, this technique is too good for cybercriminals to pass by.
The problem that un-patchable systems present is not one that is restricted to healthcare, it also exists in National Critical Infrastructure, local and national government, and within manufacturing and other industrial sectors.
Systems that either can’t be patched because of the impact on the system they are running; or because they are (also) using very old versions of Windows (no longer supported by the vendor). The impact of worm attacks on these systems cannot be underestimated, but by deploying network based protection mechanisms, these threats do at least have a chance of being mitigated.
All organisations, no matter their size or complexity, must start to design systems and networks that can withstand these new attacks; simply relying on manual processes and patching regimens will not protect you. Defences therefore should be automated and kept up to date, so that the next time a worm-like attack hits; you can rely on these systems to protect you and the services you offer.