Remember more innocent times back in early 2017? Before Petya, WannaCry, leaked NSA vulnerabilities, Equifax, and Uber, the state of data security was anything but rosy, but I suppose there was more than a few of us left — consumers and companies — who could say that security incidents did not have a direct impact.
That has changed after Equifax’s massive breach affecting 145 million American adults — I was a victim — and then a series of weaponized ransomware attacks that held corporate data hostage on a global scale.
Get the Free Pen Testing Active Directory Environments EBook
Is there any major US company that hasn’t been affected by a breach?
Actually, ahem, no.
According to security researcher Mikko Hyponnen, all 500 of the Fortune 500 have been hacked. He didn’t offer evidence, but another cybersecurity research company has some tantalizing clues. A company called DarkOwl scans the dark web for stolen PII and other data, and traces it back to the source. They have strong evidence that all of the Fortune 500 have had data exposed at some point.
We Had Been Warned
Looking over past IOS blog posts, especially for this last year, I see the current massive breach pandemic as completely expected.
Back in 2016, we spoke with Ken Munro, UK’s leading IoT pen tester. After I got over the shock of learning that WiFi coffee makers and Internet-connected weighing scales actually exist, Munro explained that Security by Design is not really a prime directive for IoT gadget makers.
Or as he put it, “You’re making a big step there, which is assuming that the manufacturer gave any thought to an attack from a hacker at all.”
If you read a post from his company’s blog from October 2015 about hacking into an Internet-connected camera, you’ll see all the major ingredients of a now familiar pattern:
- Research vulnerability or (incredibly careless) backdoor in IoT gadget, router, or software;
- Take advantage of an exposed external ports to scan for suspect hardware or software;
- Enter target system from the Internet and inject malware; and
- Hack system, and then spread the malware in worm-like fashion.
WannaCry, though, introduced two new features not seen in classic IoT hacks: an unreported vulnerability – aka Eternal Blue – taken from the NSA’s top-secret TAO group and, of course, ransomware as the deadly payload.
Who could have anticipated that NSA code would make its way to the bad guys who then use it in for their evil attack?
Someone was warning us about that as well!
In January 2014, Cindy and I heard crypto legend Bruce Schneier talk about data security post-Snowden. Schneier warned us that the NSA wouldn’t be able to keep it secrets and that eventually their code would leak or would be re-engineered by hackers. And that is exactly what happened with WannaCry.
Here are Schneier’s wise words:
“We know that technology democratizes. Today’s secret NSA program, becomes tomorrow’s PhD thesis, becomes the next day’s hacker tool.”
Schneier also noted that many of the NSA’s tricks are based on simply getting around cryptography and perimeter defenses. In short, the NSA hackers were very good at finding ways to exploit our bad habits in choosing weak passwords, not keeping patches up to date, or not changing default settings.
It ain’t advanced cryptography (or even rocket science).
In my recent chat with Wade Baker, the former Verizon DBIR lead, I was reminded of this KISS (keep it simple,stupid) principle, but he had the hard statistical evidence to back it up. Wade told me most attacks are not sophisticated, but take advantage of unforced user errors.
Unfortunately, even in 2017, companies are still learning how to play the game. If you want a prime example of a simple attack, you have only to look at 2017’s massive Equifax breach, which was the result of a well-known bug in the company’s Apache Struts, which remained unpatched!
Weapons of Malware Destruction
Massive ransomware attacks was the big security story of 2017 — Petya, WannaCry, and NotPetya. By the way, we offered some practical advice on dealing with NotPetya, the Petya variant that was spread through a watering hole — downloaded from a website of a Ukrainian software company.
There are similarities in all of the aforementioned ransomwares: all exploited Eternal Blue and spread using either internal or open external ports. The end result was the same – encrypted files for which companies have to pay ransom in the form of some digital currency.
Ransomware viruses ain’t new either. Old timers may remember the AIDs Trojan, which was DOS-based ransomware spread by sneaker-net.
The big difference, of course, is that this current crop of ransomware can lock up entire file systems — not just individual C drives — and automatically spreads over the Internet or within an organization.
These are truly WMD – weapons of malware destruction. All the ingredients were in place, and it just took enterprising hackers to weaponize the ransomware
Sure there’s nothing new here as well — file-less or malware-free hacking has been used by hackers for years. Some of the tools and techniques have been productized for, cough, pen testing purposes, and so it’s now far easier for anyone to get their hands on these gray tools.
The good news is that Microsoft has made it easier to log PowerShell script execution to spot abnormalities.
The whole topic of whitelisting apps has also picked up speed in recent years. We even tried our own experiments in disabling PowerShell using AppLocker’s whitelisting capabilities. Note: it ain’t easy.
Going forward, it looks like Windows 10 Device Guard offers some real promise in preventing rogue malware from running using whitelisting techniques.
The more important point, though, is that security researchers recognize that the hacker will get in, and the goal should be to make it harder for them to run their apps.
Whitelisting is just one aspect of mitigating threats post-exploitation.
Varonis Data Security Platform can help protect data on the inside and notify you when there’s been a breach. Learn more today!