Data Security 2017: We’re All Hacked

Michael Buckbee
4 min read
Published March 29, 2020
Last updated August 11, 2022

Remember more innocent times back in early 2017? Before Petya, WannaCry, leaked NSA vulnerabilities, Equifax, and Uber, the state of data security was anything but rosy, but I suppose there were more than a few of us left, consumers and companies alike, who could say that security incidents had not had a direct impact on them.

That has changed after Equifax’s massive breach affecting 145 million American adults — I was a victim — and then a series of weaponized ransomware attacks that held corporate data hostage on a global scale.

Is there any major US company that hasn’t been affected by a breach?

Actually, ahem, no.

According to security researcher Mikko Hyppönen, all 500 of the Fortune 500 have been hacked. He didn't offer evidence, but another cybersecurity research company has some tantalizing clues. A company called DarkOwl scans the dark web for stolen PII and other data and traces it back to the source. They report that every one of the Fortune 500 has had data exposed at some point.

We Had Been Warned

Looking over past Inside Out Security (IOS) blog posts, especially from this last year, I see the current wave of massive breaches as completely predictable.

Back in 2016, we spoke with Ken Munro, a leading UK IoT pen tester. After I got over the shock of learning that WiFi coffee makers and Internet-connected weighing scales actually exist, Munro explained that Security by Design is not really a prime directive for IoT gadget makers.

Or as he put it, “You’re making a big step there, which is assuming that the manufacturer gave any thought to an attack from a hacker at all.”

If you read a post from his company’s blog from October 2015 about hacking into an Internet-connected camera, you’ll see all the major ingredients of a now familiar pattern:

  1. Find a vulnerability or (incredibly careless) backdoor in an IoT gadget, router, or piece of software;
  2. Scan exposed external ports across the Internet for the vulnerable hardware or software;
  3. Enter the target system from the Internet and inject malware; and
  4. Use the compromised system to spread the malware in worm-like fashion.

This attack pattern (with some variation) was used successfully in 2016 by Mirai, and in 2017 by Pinkslipbot and WannaCry.

WannaCry, though, introduced two features not seen in classic IoT hacks: EternalBlue, an exploit for an SMBv1 vulnerability taken from the NSA's toolkit and dumped publicly by the Shadow Brokers in April 2017, and, of course, ransomware as the deadly payload. The vulnerability itself was not a zero-day by the time WannaCry hit: Microsoft had fixed it in March 2017 (MS17-010), two months earlier, and the worm only succeeded on systems that had not applied the update.

Who could have anticipated that NSA code would make its way to the bad guys, who would then use it in their own attacks?

Someone was warning us about that as well!

In January 2014, Cindy and I heard crypto legend Bruce Schneier talk about data security post-Snowden. Schneier warned us that the NSA wouldn't be able to keep its secrets and that eventually its code would leak or be re-engineered by hackers. That is exactly what happened with WannaCry.

Here are Schneier’s wise words:

“We know that technology democratizes. Today’s secret NSA program becomes tomorrow’s PhD thesis, becomes the next day’s hacker tool.”

Schneier also noted that many of the NSA’s tricks are based on simply getting around cryptography and perimeter defenses. In short, the NSA hackers were very good at finding ways to exploit our bad habits in choosing weak passwords, not keeping patches up to date, or not changing default settings.

It ain’t advanced cryptography (or even rocket science).

In my recent chat with Wade Baker, the former Verizon DBIR lead, I was reminded of the KISS (keep it simple, stupid) principle, but he had the hard statistical evidence to back it up. Wade told me most attacks are not sophisticated, but take advantage of unforced user errors.

Unfortunately, even in 2017, companies are still learning how to play the game. If you want a prime example of a simple attack, you have only to look at 2017’s massive Equifax breach, which exploited a publicly known Apache Struts vulnerability for which a patch had been available since March 2017. Equifax simply hadn't applied it.

Weapons of Malware Destruction

Massive ransomware attacks were the big security story of 2017: Petya, WannaCry, and NotPetya. By the way, we offered some practical advice on dealing with NotPetya, the Petya variant that was seeded through a compromised software update from a Ukrainian software company (a supply-chain compromise rather than a classic watering hole) and then spread inside victims' networks.

The 2017 outbreaks had a lot in common: WannaCry and NotPetya both exploited EternalBlue and spread over SMB (TCP port 445), whether across internal networks or through hosts exposed to the Internet, and NotPetya also reused harvested credentials to move laterally with legitimate Windows administration tools. The end result was the same: encrypted files and a ransom demand payable in cryptocurrency.

Ransomware viruses ain’t new either. Old timers may remember the AIDS Trojan of 1989, DOS-based ransomware that spread by sneaker-net on mailed floppy disks.

The big difference, of course, is that this current crop of ransomware can encrypt every network share the infected account can write to, not just the local C drive, and it spreads automatically over the Internet or within an organization.

These are truly WMD: weapons of malware destruction. All the ingredients were in place, and it just took enterprising hackers to weaponize the ransomware.

2018?

One area of malware that I believe will continue to be a major headache for IT security is file-less attacks that live in PowerShell and memory rather than on disk, and FUD (fully undetectable) malware packed to evade signature-based antivirus. We wrote a few posts on both these topics in 2017.

There’s nothing new here either: file-less or malware-free hacking has been used by hackers for years. Some of the tools and techniques have been productized for, cough, pen testing purposes, and so it’s now far easier for anyone to get their hands on these gray tools.

The good news is that Microsoft has made it easier to log PowerShell script execution: script block logging, available since PowerShell 5.0, records the de-obfuscated text of every script block that runs, so defenders can spot abnormalities such as encoded commands and download cradles.
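As an added example (not code from the original post), the following PowerShell turns on script block and module logging through the same registry values Group Policy writes, removes the legacy v2 engine that bypasses them, and then sweeps the resulting Event ID 4104 records for common file-less tradecraft. The indicator list and the 24-hour lookback are assumptions for illustration, not a complete detection ruleset.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell 5.x session.
# Enables PowerShell logging via the policy registry keys, then hunts the 4104 events.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: the de-obfuscated text of every script block is written to
# Microsoft-Windows-PowerShell/Operational as Event ID 4104.
New-Item -Path "$policyRoot\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$policyRoot\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Module logging: pipeline execution details (Event ID 4103) for every module ("*").
New-Item -Path "$policyRoot\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$policyRoot\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty -Path "$policyRoot\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# Caveat: "powershell.exe -Version 2" runs the old engine, which produces no 4104 events.
# Removing the optional feature closes that hole (skip if legacy scripts depend on v2).
Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root -NoRestart | Out-Null

# Assumed indicator list: encoded commands, download cradles, in-memory loading, hidden windows.
$indicators = @(
    '-EncodedCommand', '-enc ', 'FromBase64String',
    'Invoke-Expression', 'IEX ', 'DownloadString', 'DownloadFile',
    'Net.WebClient', '-WindowStyle Hidden', '-w hidden',
    'Invoke-Mimikatz', 'Reflection.Assembly'
)

function Get-SuspiciousScriptBlocks {
    param([datetime]$Since = (Get-Date).AddHours(-24))

    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Properties[2] of a 4104 event is the ScriptBlockText field.
        $text = $_.Properties[2].Value
        if (-not $text) { return }

        $hits = $indicators | Where-Object { $text -match [regex]::Escape($_) }
        if ($hits) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Computer   = $_.MachineName
                Indicators = ($hits -join ', ')
                Snippet    = $text.Substring(0, [Math]::Min(200, $text.Length))
            }
        }
    }
}

Get-SuspiciousScriptBlocks | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Two things worth knowing when you review the output: PowerShell 5.0 already writes a 4104 event at Warning level for script blocks containing a built-in list of suspicious commands even before you enable the policy, so a handful of hits on an "unconfigured" machine is expected; and a long script block is split across several 4104 events, so a single indicator match should be read together with the neighbouring records sharing the same ScriptBlockId (Properties[3]).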

The whole topic of whitelisting apps has also picked up speed in recent years. We even tried our own experiments in disabling PowerShell using AppLocker’s whitelisting capabilities. Note: it ain’t easy. Blocking powershell.exe does nothing about the engine itself, System.Management.Automation.dll, which any other process can host.
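As an added example (not from the post, and not a record of our own experiments), the following PowerShell builds and applies an AppLocker policy that denies the stock PowerShell hosts while keeping the default allow rules, starting in audit mode so nothing breaks on day one. The host paths and SIDs are the Windows defaults; the group being denied is a placeholder you would replace with a real group SID.

```powershell
# Added example, not from the original post. Run elevated on an edition that enforces
# AppLocker (Enterprise/Education; Pro only audits on most builds).

# AppLocker only enforces while the Application Identity service runs. sc.exe is used
# because Set-Service refuses to change this protected service on recent Windows 10 builds.
sc.exe config appidsvc start= auto | Out-Null
Start-Service AppIDSvc

$everyoneSid = 'S-1-1-0'
$adminsSid   = 'S-1-5-32-544'   # BUILTIN\Administrators
# Placeholder: Deny rules beat Allow rules, so denying Everyone also blocks admins.
# Substitute the SID of the group that should lose PowerShell.
$denySid     = 'S-1-1-0'

# Every stock host that ships the engine. %SYSTEM32% is the 64-bit directory on x64
# Windows, so the 32-bit copies under SysWOW64 must be listed separately.
$hosts = @(
    '%SYSTEM32%\WindowsPowerShell\v1.0\powershell.exe',
    '%SYSTEM32%\WindowsPowerShell\v1.0\powershell_ise.exe',
    '%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe',
    '%WINDIR%\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe'
)

function New-PathRule($Name, $Path, $Sid, $Action) {
@"
    <FilePathRule Id="$([guid]::NewGuid())" Name="$Name" Description="" UserOrGroupSid="$Sid" Action="$Action">
      <Conditions><FilePathCondition Path="$Path" /></Conditions>
    </FilePathRule>
"@
}

$denyRules = $hosts | ForEach-Object { New-PathRule "Deny PowerShell host: $_" $_ $denySid 'Deny' }

# Once a collection contains any rule AppLocker is default-deny for that collection, so the
# usual default allow rules must be present or nothing else will start. AuditOnly writes
# Event ID 8003 ("would have been blocked") to Microsoft-Windows-AppLocker/EXE and DLL;
# switch EnforcementMode to "Enabled" only after that log is quiet.
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
$(New-PathRule 'Allow Program Files' '%PROGRAMFILES%\*' $everyoneSid 'Allow')
$(New-PathRule 'Allow Windows folder' '%WINDIR%\*' $everyoneSid 'Allow')
$(New-PathRule 'Allow Administrators everything' '*' $adminsSid 'Allow')
$($denyRules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'deny-powershell-hosts.xml'
$policy | Set-Content -Path $policyPath -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Check what the effective policy decides for the 64-bit host before enforcing.
Get-AppLockerPolicy -Effective |
    Test-AppLockerPolicy -Path "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" -User Everyone
```

The gaps are the instructive part: this Exe collection says nothing about System.Management.Automation.dll, so a custom .NET host or any Windows binary that can load the engine still runs PowerShell code, and adding a Dll collection is where AppLocker deployments tend to stall because every DLL on the machine then needs an allow rule. That is the case for the code-integrity approach discussed next.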

Going forward, it looks like Windows 10 Device Guard (since renamed Windows Defender Application Control) offers some real promise in preventing rogue malware from running using whitelisting techniques, since its code integrity policies cover DLLs as well as executables and force PowerShell into Constrained Language Mode when a policy is enforced.

The more important point, though, is that security researchers now assume the hacker will get in, and the goal should be to make it harder for them to run their tools once inside.

Whitelisting is just one aspect of mitigating threats post-exploitation.
