I think 2017 was a turning point in IT security for me. Along the way I have lost some illusions and significantly rethought the darkest scenario of what might happen on a network. It is possible that some of my insights will help others, which is why I have decided to share the information that has cost me a few sleepless nights.
Critical zero-day bugs as a common part of life
I have always assumed that there are a lot of serious undiscovered bugs in SW. But what came to light with the Shadow Brokers leak shocked me: a security bug in all versions of MS Windows and MS Windows Server (from Windows XP and Windows Server 2000 to Windows 10 and Windows Server 2016) that allowed an attacker to remotely take over administrative control of a PC/server without any cooperation from the user.
Imagine having a universal key to every door in the world. We do not even know publicly how long the NSA had information about this bug and a working exploit. Until now they could do what they wanted and simply attack or control computers all around the world. If anyone felt that Linux would be better, a similarly critical bug was found in the Samba server, which came to be called “SambaCry”.
Similar bugs have been found throughout the past and more are still to be found, especially now that the Shadow Brokers group, which obtained the exploits from the NSA, has created a private “club”. Subscribers receive monthly access to information about bugs and zero-day exploits that they can immediately use to attack other systems. The bugs that get abused will have no immediate fixes (so even regular updates will not save us). This, once again, puts us one huge step behind the attackers. I have thus realized that I have to treat every piece of SW/HW as potentially leaky and to factor that into my network designs and solutions.
Smarter and more aggressive malware
For a long time it seemed to me that malware (viruses, worms, trojans) was relatively amateurish. It often fails to propagate, is “incompatible” (crashes or fails), does not fully exploit its potential and does not do much damage. As if it were coded by “beginners”, while cybercrime is full of professionals (often better than the “good guys”).
But with the arrival of WannaCry my opinion changed. Apart from the trainee-like bug of the pseudo kill switch (I think it was really just a sandbox detection technique), it was an interesting piece of malware. The primary infection of the network with this virus was via e-mail (nothing revolutionary), and it required the user to open the e-mail attachment. This stage was well defendable (antivirus, e-mail policy, AppLocker, Software Restriction Policies). However, once the user launched it, the virus was able to escalate its privileges using the EternalBlue exploit. Subsequently it attempted to replicate to all PCs on the network using the same EternalBlue exploit, and eventually encrypted all the data it could reach.
The most intriguing part is the spread inside the internal network through the EternalBlue exploit. Basically, it was enough to have a PC/server that was not updated and not covered by an IPS, and it was immediately compromised. The more computers were infected, the faster the virus spread across the network. This means that within 30 minutes of the first launch you could have a network with several hundred computers and servers completely encrypted.
If you had backups on a network or local drive that the infected PC/server could see, you were left without backups. That is a situation none of us wants to get into. Restoring your business to normal operation when you have to reinstall hundreds of computers and recover terabytes of data takes more than a single day.
This malware was similar to WannaCry. It used the same method to spread across the network (EternalBlue). In addition, it downloaded Mimikatz to help, which let it read passwords from Windows memory. That being said, having an updated Windows was not enough to be safe. If the infected PC/server held any stored passwords for scheduled tasks or services, or had a logged-in user with access rights to other stations (for example a disconnected RDP session), the virus was able to get even further. If it managed to obtain domain administrator access, the whole network was lost.
That time, we had about two months of Windows updates available before WannaCry appeared and began to spread. Even so, a large number of companies did not have their computers up to date. Now imagine a similar situation with an update window of only a single week, or a virus carrying the exploit that starts spreading before the update even exists.
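The point above, that a host with stored service or task credentials and lingering logon sessions hands a credential dumper far more than the host itself, can be checked on each machine before an incident rather than after. The following PowerShell audit is an added example written for this post, not code from the original article or from any product it mentions. It assumes it is run in an elevated PowerShell on the Windows host being checked; the privileged-account naming pattern at the end is an assumption to adjust to your own conventions.

```powershell
# Added example (not part of the original post): list the places on a Windows host
# where reusable credentials live, i.e. what a Mimikatz-style memory/LSA dump on this
# host could expose to an attacker who already has local admin. Defensive audit only.
# Run in an elevated PowerShell on the host you want to check.

# Built-in service identities that carry no reusable domain password.
$builtin = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',  'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NetworkService','NT AUTHORITY\NETWORK SERVICE',
    'NT AUTHORITY\SYSTEM'
)

# 1. Services running under a named user account. Their passwords are kept as
#    LSA secrets, which an administrator on the box can recover.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.StartName -and
        ($builtin -notcontains $_.StartName) -and
        ($_.StartName -notlike 'NT SERVICE\*')        # virtual service accounts, no stored password
    } |
    Select-Object Name, StartName, State

# 2. Scheduled tasks whose principal logs on with a stored password.
#    LogonType 'Password' (or 'InteractiveOrPassword') means the Task Scheduler
#    keeps the credential; S4U and Interactive tasks do not store one.
$tasks = Get-ScheduledTask |
    Where-Object {
        $_.Principal.UserId -and
        ($_.Principal.LogonType -in @('Password', 'InteractiveOrPassword'))
    } |
    Select-Object TaskName, TaskPath, @{ n = 'UserId'; e = { $_.Principal.UserId } }

# 3. Interactive sessions, including disconnected ones: each keeps credential
#    material in LSASS memory until the user actually logs off.
$sessions = quser 2>$null | Select-Object -Skip 1

# 4. Flag accounts that look privileged. The pattern is an assumption: replace it
#    with the naming convention of your own domain admins and service accounts.
$privPattern = '(?i)admin|\\da-|svc-'
$flagged = @(
    $services | Where-Object { $_.StartName -match $privPattern } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Service'; Name = $_.Name;     Account = $_.StartName } }
    $tasks    | Where-Object { $_.UserId    -match $privPattern } |
        ForEach-Object { [pscustomobject]@{ Kind = 'Task';    Name = $_.TaskName; Account = $_.UserId } }
)

"Services running as named accounts:";          $services | Format-Table -AutoSize
"Scheduled tasks with a stored password:";      $tasks    | Format-Table -AutoSize
"Interactive sessions (incl. disconnected):";   $sessions
"Privileged-looking accounts stored on this host:"; $flagged | Format-Table -AutoSize
```

Anything that shows up in the last table is an account whose compromise on this one host reaches every other machine it can log on to, which is exactly the chain the text describes; the fix is to run such services and tasks under group Managed Service Accounts or least-privilege local accounts, and to keep domain administrators from logging on to ordinary workstations and servers at all.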
What am I afraid of?
I’m afraid that malware or a hacker group will appear that uses vulnerabilities/exploits for which no patch exists. They will then encrypt all the data they get their hands on. We can all try to prevent it with layered security (restrictions, IPS, AV, behavioural AV, user training), but it will most likely never be 100%. The question then is: will your backups survive it, or not?
And believe me, I definitely do not want to look any customer in the eye and tell him that we have lost his data. Fortunately, so far we are doing just the opposite: saving data for companies that are not even our customers. See, for example, the article Ransomware 1: Data Recovery of a Blessing in Disguise.
At the same time, we have devised technologies and procedures that will protect our customers against crypto viruses and ransomware.