Tuesday’s global cyber attack caused havoc and disruption to all manner of businesses. Many within the cyber industry are debating whether the ransomware used was actually a strain of Petya or something completely new. It was first detected in Ukraine, where it seeded itself through the update mechanism of an accounting program used by companies with connections to the Ukrainian government, and went on to affect systems within the government, industrial enterprises, banks, airports and transportation services. It spread fast and caused havoc to systems at major European and American corporations, with British advertising giant WPP, Danish shipping behemoth Maersk and the American pharmaceutical corporation Merck & Co among those hit. Cyber security experts have offered their advice and insight around Petya or NotPetya, with many saying attitudes towards cyber security need to change:
Javvad Malik, Security Advocate at AlienVault:
It appears to be a new ransomware campaign impacting multiple countries and some major businesses with some manufacturing reportedly stopped. The ransomware appears to be a Petya variant that may be spreading via EternalBlue; although this is not confirmed yet. Further information is being collated at https://otx.alienvault.com/pulse/59525e7a95270e240c055ead/
Andrew Clarke, EMEA Director at One Identity:
The best advice to all is that it is time to act now – make cyber security the number 1 item on the agenda at the next board meeting – and resolve to take proactive action to strengthen your cyber defences. What we are seeing in the continuing battle against the cyber threats is a massive escalation that will impact anyone who is not taking this seriously and has not proactively analysed, reviewed and acted upon advice for their own environments. The phrase ransomware is entering everyday conversation and many people are familiar with the consequences of its impact. The overnight escalation of a global ransomware attack serves to reinforce the need for all of us to step up our game regarding cyber security – both at a personal level as well as a corporate level.
Robert Lipovsky, Researcher at ESET:
ESET researchers have located the point from which this global epidemic all started. Attackers have successfully compromised the accounting software M.E.Doc, popular across various industries in Ukraine, including financial institutions. Several of them executed a trojanized update of M.E.Doc, which allowed attackers to launch the massive ransomware campaign today which spread across the whole country and to the whole world. M.E.Doc has today released a warning on their website: http://www.me-doc.com.ua/vnimaniyu-polzovateley. Based on our investigation, it appears the attack was launched in the morning hours of June 27, Ukrainian time.
Lee Munson, Security Researcher at Comparitech.com:
When businesses around the world woke up to the WannaCry ransomware recently, they must have thought their worst nightmares had come true. That a kill switch was found, and the damage done relatively small, was extremely fortunate but it should have painted a powerful picture of what could happen should another ransomware attack come marching over the hill. That Petya has caught major organisations unaware, including financial companies that are usually among the most secure types of business, is therefore a massive shock and a huge cause for concern. Most businesses will have learned the value of maintaining regular backups and the implementation of technical security controls to create restore points and block ransomware at the point of entry. Petya, however, highlights how staff awareness may still be an issue, giving an in to attacks of this kind, and perhaps highlights how patch management may still be lagging way behind where it needs to be.
Paul Edon, Director at Tripwire:
Tuesday’s cyber-attacks that caused disruption to Ukrainian banks, Ukrenergo power distribution and other Ukrainian commercial businesses appear to have gained initial entry via a phishing attack and then spread across systems by means of the EternalBlue exploit. Phishing attacks are commonplace and currently represent the most successful entry point leading to a successful breach. Foundational Controls such as email and web filtering combined with comprehensive workforce education will greatly reduce the success of these attacks. Email and web filtering can recognise and block malicious URL access and quarantine suspicious attachments. Workforce education will help users identify phishing email, deter them from clicking on unknown or unexpected attachments, discourage the access of unknown URLs, and assist staff in recognising unusual system activity. EternalBlue exploits a known vulnerability within the Microsoft Server Message Block (SMB v1) protocol, which allows attackers to execute arbitrary code using specially crafted packets. Microsoft originally released a patch for supported Microsoft operating systems in mid-March 2017. After the WannaCry ransomware attacks, which also used EternalBlue to traverse networks, Microsoft released a further patch for legacy operating systems such as Windows XP and Windows Server 2003. Patch Management is a Foundational Control that forms an important part of the technical security strategy. If for reasons of legacy or critical operations these patches cannot be deployed then it is crucial that organisations assess the risk accordingly and use further mitigating controls to monitor and protect those systems.
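The patch and mitigating-control advice above translates into a concrete host check. The following PowerShell is an added example, not code from the article or from Tripwire: it tests whether one of the MS17-010 (EternalBlue) hotfixes is installed, whether SMBv1 is still enabled, and, where the patch is absent, applies the two mitigations Microsoft documented, disabling SMBv1 and blocking inbound TCP 445 at the host firewall. The KB identifiers are taken from Microsoft's MS17-010 bulletin and the May 2017 legacy release and should be checked against the vendor's current list; the management address in `Block-InboundSmb` is an assumed placeholder.

```powershell
# Added example (not the article's or any quoted vendor's code): MS17-010 / SMBv1 host check
# with mitigating controls for hosts that cannot take the patch. Run elevated.
#Requires -RunAsAdministrator

# KBs from the MS17-010 bulletin (March 2017) and the out-of-band legacy release (May 2017).
# Later cumulative updates supersede these IDs, so "not found" on a current build is a prompt
# to verify the superseding update, not proof of exposure.
$Ms17010Kbs = @(
    'KB4012598',  # Windows XP / Server 2003 / Vista / Server 2008 (legacy release)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012606',  # Windows 10 1507
    'KB4013198',  # Windows 10 1511
    'KB4013429'   # Windows 10 1607 / Server 2016
)

function Test-Ms17010Installed {
    # Get-HotFix reads the same installed-update data as "wmic qfe".
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $hit = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ Patched = ($hit.Count -gt 0); MatchedKB = ($hit -join ',') }
}

function Get-Smb1Status {
    # The LanmanServer registry value is honoured on every affected version;
    # Get-SmbServerConfiguration only exists on Windows 8 / Server 2012 and later.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -ne $reg) { return [bool]$reg.SMB1 }      # explicit 1 = enabled, 0 = disabled
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    return $true   # no explicit setting on an older build: SMBv1 is on by default
}

function Disable-Smb1 {
    # Persistent; on older versions the Server service must restart (or the host reboot)
    # before the registry value takes effect.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

function Block-InboundSmb {
    # Host-firewall fallback for systems that cannot be patched. Windows Firewall evaluates
    # Block rules before Allow rules, so to keep a management or backup host reachable you
    # scope the block rule's RemoteAddress (e.g. to user subnets) rather than adding an Allow.
    param([string[]]$BlockFrom = @('Any'))   # assumed default: block from everywhere
    New-NetFirewallRule -DisplayName 'Block inbound SMB (MS17-010 mitigation)' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -RemoteAddress $BlockFrom `
        -Action Block -Profile Any | Out-Null
}

$patch = Test-Ms17010Installed
$smb1  = Get-Smb1Status
"MS17-010 KB present : $($patch.Patched) $($patch.MatchedKB)"
"SMBv1 enabled       : $smb1"

if ($smb1) {
    Disable-Smb1
    'SMBv1 disabled (restart the Server service or reboot to apply).'
}
if (-not $patch.Patched) {
    Block-InboundSmb
    'MS17-010 not found: inbound TCP 445 blocked at the host firewall; schedule the patch or confirm a superseding update.'
}
```

The check is deliberately conservative in both directions: a missing KB on a build that has received later cumulative updates is a prompt to verify supersedence, not a verdict, and the firewall rule is the last resort for systems that genuinely cannot be patched, which is the "assess the risk and add mitigating controls" case the quote describes.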
Amichai Shulman, co-founder and CTO at Imperva:
At the end of the day, all ransomware is basically the same. Hackers, via the ransomware malware, are making files unavailable to users and as a consequence disrupt the operations. As long as the infection and effect of the ransomware is constrained to end points, the damage to organisations should be minimal. That is key. Some might say – why after WannaCry are systems still unpatched? The issue of patching is irrelevant when looking at a potentially self-replicating malware like Petya because in any large network there will be some unpatched devices. By protecting file servers (e.g. deploying File Firewall solutions) rather than focusing on endpoints, organisations can minimise the effect of such an incident and avoid disruption to business. One interesting aspect of Petya is clearly attribution. As demonstrated by WannaCry, rapidly replicating ransomware is not a viable financial model. This data supports the argument that this malware is nation state driven and is only aimed at disrupting operations rather than monetising on the ransom.
Mike Ahmadi, global director of critical systems security at Synopsys:
Scalable ransomware attacks are now a proven and viable business model where the risk is heavily skewed in favour of the attacker. This has been predicted by security professionals for years and we are now witnessing it all unfold. Systems on a global level remain highly vulnerable and selective fixes only serve to perpetuate an attack based on the next vulnerability on what is now a nearly exponentially growing list of exploitable security bugs. Unless vulnerability management and certification of systems becomes a legal requirement, we can expect to see attacks that are bigger and more sophisticated. As it stands today, it will likely take decades to dig ourselves out of the nearly bottomless pit of vulnerable code making up our infrastructure.
Ryan Wilk, director at NuData Security:
Last month’s WannaCry attack likely emboldened cybercriminals worldwide. Today’s Petrwrap is another example of how pervasive the malware problem has become. There is a definite need for a multi-layered approach that includes employee education about unusual links, what phishing emails look like and the concern for social engineering. There is the organisational need to stay up to date with patches, routine backups and impermeable barriers to entry. Finally there is the design need to build systems from the ground up that protect users and data through multi-factor authentication that includes passive biometrics and behavioural analytics. Behaviour-based authentication can vastly increase security against automated attacks and account takeovers. This rising trend must be countered with proactive measures to ensure ransomware and ransomware-as-a-service become ineffective.
Gavin Millard, technical director, Tenable Network Security:
“The ransomware appears to be a new version of Petya that could possibly have similar characteristics to WannaCry, employing ETERNALBLUE to spread to other systems before encrypting files and demanding payment. One major difference between this outbreak and WannaCry though, is the possible inclusion of exploit code for another known vulnerability CVE-2017-0199, affecting Microsoft Office to further spread the payload.
If this attack turns out to be leveraging the same vulnerabilities WannaCry leveraged to spread, or other known bugs that have had patches available for months, there are going to be some awkward conversations between IT teams that failed to patch or protect and businesses affected. The publicity around WannaCry couldn’t have been larger, probably eclipsing Heartbleed, yet if this is the same attack vector, it demonstrates a distinct lack of taking threats like this seriously.”