3 January 2018

Cybersecurity review of 2017: The year of wake-up calls

BY TOMÁŠ FOLTÝN 

Fresh from peering into our crystal ball and outlining some of the trends that we expect to dominate the cyber-landscape in the coming year, we will now offer a snapshot of 2017. In a way, this year may be seen as a ‘year of wake-up calls’. Alarm bells barely stopped ringing as we kept waking up to the reality of a rash of fresh cyber-incidents. Striking far and wide, such incursions provided everybody who goes anywhere near the Web with abundant fodder for reflection on how unsafe our online worlds can be. Rather than ‘sit back and relax’, it is now often ‘sit up and take notice’.

As part of our narrative, we will draw attention to key events, and pinpoint common features underpinning some of the main trends and topics that have defined this year. We will also review some of the predictions for 2017 that our thought leaders made a year ago.
Going down the rabbit hole with ransomware

The amount of attention grabbed by ransomware or ransomware-esque attacks (such as wipers and some tech-support scams) this year also makes it tempting to conclude outright that 2017 will be remembered as ‘the year of ransomware’. In fact, chances are you’ve heard the phrase before, including with some caution in our review of 2016.

The picture may be a little blurrier, however. Not to be outshone by mere malware, large-scale data breaches continued to abound – and, indeed, spiked – this year, signaling that being affected by a data breach is no longer a matter of ‘if’, but of ‘when’. Ransomware and data breaches remain major thorns in the sides of users and organizations across the world, often piercing their defenses without too much effort. In fact, sometimes the two threats even become intertwined, resulting in a highly volatile concoction of cyber-insecurity ingredients.

While the vexatious problem that is ransomware has been stooping to ever new lows in recent years, profits – and, by extension, demand for profit – have been trending in the opposite direction. So much so that the drive to ever-greater profits has continued to encourage a flourishing trade in ransomware-as-a-service (RaaS) kits, enabling even not-particularly-tech-savvy attackers to strike their targets hard. Put bluntly, all it now takes is ill intentions and chump change. Contrast those negligible outgoings with the potential profits: the FBI estimates the total amount of cyber-ransom payments as close to US$1 billion annually.

In another shift in the ransomware paradigm, many attacks are now sophisticated, and even customized, campaigns involving deliberately-chosen sectors and victims, rather than being spray-and-pray attempts at squeezing whatever cash may be extorted from random victims.
Ransomware meets data breaches meets DDoS … is en route to meeting gaping holes in IoT security?

Ransomware has also been evolving in many other ways, ultimately resulting in hybrid threats. The profitability of the ‘business model’ based on cyber-extortion is also evidenced by the fact that these tactics were carried over to other platforms (Android) quite some time ago, and are also the backbone of hacks followed by shakedown threats on pain of going public with the stolen data. Television network HBO and streaming platform Netflix were in the limelight earlier this year for leaks that were reminiscent of Sony’s woes in 2014, in what effectively equates to weaponization of their own data.

“RANSOMWARE HAS ALSO BEEN EVOLVING IN MANY OTHER WAYS, ULTIMATELY RESULTING IN HYBRID THREATS”

Developments over the past few years have also validated some of our concerns regarding a degree of crossbreeding between extortion, DDoS, and/or the exploitation of IoT vulnerabilities, as further threat layers on top of tried-and-tested crypto-ransomware. In an unsurprising step in this evolution, an unpalatable witches’ brew of extortion and DDoS has had miscreants salivating even more this year and has gained further traction especially after a successful blackmail campaign that netted its orchestrators $1 million worth of bitcoin in June.

In the grand scheme of things, the appetite for hectoring victims into paying up under the threat of a DDoS attack is also being fueled by the easy availability of both ‘services’ – RaaS and DDoS-for-hire. While pay up or be DDoS-ed threats often turn out to be all bark and no bite, the prevalence of DDoSmakes these onslaughts one of the real menaces faced most often by organizations. Making things worse, such attacks are often intended as smokescreens for other incursions, notably malware compromises or data thefts.

Adding further to the woes is the proliferation of IoT devices. Leaving aside proofs-of-concept, we have yet to see a fully-fledged attack involving ransom demands in exchange for releasing hijacked “smart things”. However, the writing is, arguably, on the wall. While such hijacking is not necessarily as simple as sometimes reported in the media, we cannot help but echo our long-standing concerns as to what may happen if/when an in-vogue attack method, such as ransomware, converges with countless unsecured IoT devices ripe for exploitation.

DDoS attacks – such as the one that caused widespread disruption of legitimate internet activity in the United States a little over a year ago – are normally conducted by machines conscripted into botnets. Developments in the botnet space saw a notable feat just a few weeks ago, when an international law enforcement operation laid waste to hundreds of long-running botnets powered by a malware family called Wauchos (aka Gamarue aka Andromeda) following an effort that lasted for more than a year and involved technical assistance from ESET researchers.
WannaCryptor as a canary in a coal mine


May 12th, 2017, was an ordinary Friday until reports started pouring in of thousands of computers worldwide being locked up in exchange for $300 worth of bitcoin. The unprecedented infestation – ransomware called WannaCryptor (detected by ESET as WannaCryptor.D and also known as WannaCry and Wcrypt) – spread at a dizzying rate, affecting around 300,000 computers in approximately 150 countries. In contrast, the payouts were by no means hefty given the epidemic’s reach.

As the victims tried to make sense of the mayhem and attempted to recover their scrambled data – which was actually close to a fool’s errand – the outbreak was soon all but stopped dead in its tracks after a security researcher registered a ‘kill switch’ domain, halting the ransomware’s ongoing spread. That domain was soon under siege, however, as some hackers sought to resurrect WannaCryptor via DDoS attacks aimed at knocking the kill switch domain offline, utilizing their copycat versions of the Mirai botnet in the process.

WannaCryptor propagated by exploiting a vulnerability in the Windows implementation of the Server Message Block (SMB) protocol, co-opting the EternalBlue and DoublePulsar hacking tools developed by the National Security Agency (NSA). Microsoft had actually released a security update for supported versions of Windows to patch the hole exploited by EternalBlue two months before the outbreak and a month before a hacker or group known as Shadow Brokers released the two tools to the wild. In order to stymie later iterations of the attack, Microsoft even took the unusual move of issuing emergency patches for no-longer supported systems, such as Windows XP. Contrary to initial reports, nearly all of WannaCryptor’s casualties were found to be running (unpatched, obviously) Windows 7 systems.

Another global attack

Around six weeks later, with memories of WannaCryptor’s red-and-white ransom note still fresh, all eyes were riveted on another virulent threat with quirks of its own. On June 27th, ransomware detected by ESET as Diskcoder.C (aka ExPetr, PetrWrap, or Not-Petya) began to make the rounds and, while hitting organizations globally, most of the companies laid low were based in Ukraine.

“PUT BLUNTLY, ALL IT NOW TAKES IS ILL INTENTIONS AND CHUMP CHANGE”

The Diskcoder.C malware exemplified just how deceiving appearances can be in cybercriminal wares. In a departure from the previous trend and contrary to initial beliefs, this malware turned out to be a destructive wiper, rather than ransomware that should, at least in theory, be able to revert its own changes.

Diskcoder.C used a modified version of the same EternalBlue exploit as WannaCryptor, but went deeper inside the victim’s system. Instead of encrypting individual files, its payload overwrote the hard drive’s Master Boot Record (MBR) and triggered a restart. Consequently, although the ransom note and the demand for an unlock key were displayed, it was only the malware that started up after the machine’s reboot and there was no way to restore the files.

At the root of this global epidemic was a successful compromise of accounting software M.E.Doc, popular across various industries in Ukraine. A number of organizations executed a trojanized update of M.E.Doc and suffered the primary infestation, with the malware then propagating into global systems via businesses interconnected with their Ukrainian partners. Global multinationals put the damage at hundreds of millions of US dollars. While that spillover damage may be viewed as collateral, it laid bare the magnitude of the threat that malware attacks represent for infrastructure and supply chains.
In Bad Rabbit’s burrow


Fast forward to October 24 and a variant of the Diskcoder family with worm-like capabilities brought with itself another cybersecurity meltdown, although the infestation was largely confined to Russia and Ukraine. Dubbed Diskcoder.D and also known as Bad Rabbit, it propagated in the guise of a fake Flash update installer displayed as a pop-up on legitimate – but hacked – news and media websites. In addition to brute-forcing its way across networks, it also leveraged EternalRomance, another SMB exploit leaked by Shadow Brokers.

Mobile devices aren’t spared

The Android platform, nearly a decade old, remains the prime target for miscreants aiming at mobile devices, and mobile ransomware specifically has been a full-scale and continually rising global threat for quite a while now. Banking Trojans remain another mainstay in the Android space. In fact, the two functionalities may collude, as ESET malware researcher Lukáš Štefanko found out earlier this year.

Štefanko discovered a strain of Android ransomware with two firsts. For one thing, DoubleLocker not only encrypts the user’s files, but also locks the device by changing its PIN. Adding insult to injury, it’s also the first known ransomware to spread by misusing the platform’s accessibility services. DoubleLocker is actually derived from an established banking malware family and can be turned into what Štefanko called a ‘ransom-banker’ capable of wiping out a victim’s bank or PayPal account before locking the device and data and demanding a ransom. A test version of the ‘ransom-banker’ was detected in the wild in May 2017.

In part 2 of our of Cybersecurity in 2017 the focus will be on data (in)security, vulnerabilities and the dangers facing critical infrastructure.

Cybersecurity review of 2017: The year of wake-up calls – part 2


In the second part of our cybersecurity review of 2017 we look back at some of the key events that took place throughout a very busy year. If you missed part one of our review you can catch up here.
Data (in)security

Recent figures from Gemalto’s Breach Level Index for the first half of 2017 show a troubling trend and suggest that data breaches are increasingly pervasive and the volume of impacted records is rising in sync. A total of 918 data breaches resulted in the compromise of 1.9 billion data records worldwide in the first half of 2017, with the number of lost, stolen or compromised records up 164% from the second half of 2016. The US remains home to an overwhelming majority of data breaches.

It is safe to say that the data theft at the credit reporting agency Equifax stole the show in ‘standalone’ data breaches this year. The Equifax hack, truly a tale of woe for all its victims, along with the firm’s bungling of ‘picking up the pieces’ after discovering the incident, highlighted general concerns about data handling and privacy.

While not necessarily the largest in terms of records compromised, Equifax’s ‘mother of all breaches’ in 2017 was notable for the kind of information exposed. Indeed, data breaches may be a sad fact of digital life, but it’s not every day that information such as the social security numbers of one in every two Americans is stolen.

That is, unless we consider “the mother lode of all leaks”, in which data-analytics firm Deep Root Analytics accidentally leaked personal information on 198 million American voters halfway into this year, in what is believed to be the single biggest leak of voter records worldwide. A mere few days ago, it emerged that US citizens were ‘treated’ to another leak of sensitive information, this time impacting 123 million American households.

Meanwhile, Yahoo, which isn’t new to dropping bombshells, admitted in October that one of its two massive breaches – back in August 2013 – affected all three billion user accounts on the service, rather than the previously disclosed one billion accounts. The access credentials exposed can be used for large-scale automated attacks called ‘credential stuffing’, in which miscreants leverage names and passwords belonging to one account in order to invade the same user’s other account(s), notably in banks, given the well-known penchant of netizens for re-using their passwords for many accounts.
Vulnerabilities

The importance of plugging security holes was also made clear this year, as many of the worst incidents would have been prevented, had the systems been patched and had proper security practices been followed. A number of vulnerabilities came under scrutiny this year, but none had as lasting an impact as those exploited by threat actors who co-opted the batch of tools developed by the NSA and stolen and leaked by Shadow Brokers.

Another fundamental vulnerability to grab headlines this year – although not for being widely exploited – concerned the WPA2 encryption protocol. ‘KRACK’ or Key Reinstallation AttaCK – which has since the disclosure in October been patched across all major platforms – enabled third parties to eavesdrop on network traffic as long as they were within range of the victim’s Wi-Fi. As a result, private conversations might have no longer been so private in some circumstances.

Various implementations of the Bluetooth standard grappled with their own potentially high-impact set of flaws that put the users of almost all operating systems at risk. In September it surfaced that pretty much any Bluetooth-enabled device that hadn‘t been recently patched could be taken over, even if not paired with the hacker’s device.

As more and more devices, primarily from the IoT arena, are being connected to the internet, the attack surface is expanding at an alarming rate. And so do holes in security: reported vulnerabilities in 2017 more than doubled over those reported in 2016.
Critical infrastructure in critical danger?


The critical infrastructure ecosystem has been revealed as an orchard abundant in low-hanging fruit, as fundamental weaknesses kept coming to light this year. The urgency of threats faced by key infrastructure was laid bare again just a few days into 2017, as researchers concluded that a power outage that had caused an hour-long blackout in parts of and outside the Ukrainian capital of Kiev on December 17, 2016, had been caused by a cyberattack.

ESET researchers later dived deep into samples of malware detected by ESET as Win32/Industroyeronly to conclude that the malicious code had most probably been used in the December 2016 incursion. Courtesy of its highly customizable nature – along with its ability to persist in the system and to provide valuable information for fine-tuning the highly configurable payloads – the malware can be adapted for attacks against any environment, making it extremely dangerous.

The December 2016 attack was reminiscent of a similar, but much bigger cyberattack-induced power outage on 23 December 2015. That one left around half of the homes in the Ivano-Frankivsk region, populated by 1.4 million people, without electricity for several hours, in a first-of-its-kind attack that leveraged malware known as BlackEnergy.

ESET Senior Malware Researcher Robert Lipovský has voiced concern that Ukraine may serve as a blueprint for refining attacks on critical infrastructure that could be unleashed in other parts of the world. “The relatively low impact of December 2016’s blackout stands in great contrast to the technical level and sophistication of the suspected malware behind Industroyer,” he stated.

In October, the US government issued a rare public warning that “since at least May 2017, threat actors have targeted government entities and the energy, water, aviation, nuclear, and critical manufacturing sectors, and, in some cases, have leveraged their capabilities to compromise victims’ networks”.

In a “watershed cyberattack” disclosed earlier this month, threat actors recently used malware called Triton to take out the safety system of an industrial plant in the Middle East, resulting in the halting of the facility’s operations. While this was the first report of a safety system compromise at a critical infrastructure facility, the incident brought back memories of Industroyer and Stuxnet.

Meanwhile, the health care sector remains ailing as far as its own cyber-defenses are concerned. It has for long been a juicy target, not least because it stores a variety of sensitive personal records that often need to be accessed quickly.

Just how much havoc can be wrought by a cyberattack at health care facilities, regardless of whether it is targeted or not, was best exemplified by the damage that WannaCryptor inflicted on the United Kingdom’s National Health Service (NHS). The assault is claimed to have hobbled one in three NHS organizations in England. As a result, 19,500 medical appointments were cancelled, computers at 600 GP surgeries were locked, and five hospitals had to divert ambulances elsewhere.

It was later announced that the NHS would receive a shot in the arm worth £20 million with an eye to boosting its immunity from similar incursions. In some ways, this represents a departure from the long-term trend in the industry, which in general has been incorporating more and more devices, each linked with confidential information and in many cases IoT functionality, while security and privacy have, as usual, remained an afterthought.
Denouement

With 2017 now almost in the rear view mirror, the dictum that even the best security can be outflanked by the weakest link in the security chain still holds true for cyberspace. As has been repeated ad nauseam – and even though it may not necessarily be applicable in all incidents – the human factor is usually the soft underbelly. Which is actually where high-profile attacks and breaches help as, among other things, they highlight vulnerabilities in the ways in which our personal information is handled. More broadly, the current threatscape lays bare the perils of our reliance on assailable technology and is a reminder of just how vital cybersecurity is amid the convergence of our digital and physical worlds.

Before we close the books on 2017, we have many lessons to derive from the events of the past 12 months as an undoubtedly hectic 2018 beckons. As increasing proportions of our lives take place in the online realm – and often with scant awareness on our part at that – the urgency of protecting our digital lives is now greater than ever. For starters, we need to give ourselves the opportunity to stay ahead of miscreants, who are innovating with alacrity and stand ready to exploit any weakness. We would be remiss in thinking that ‘it can’t happen to me’. Instead, learning from mistakes made by others—before those same mistakes are exploited against us—goes a long way towards maintaining and improving our defenses. That way, we lessen the likelihood that cyber-insecurity becomes an ongoing and undiagnosed problem that may come back to bite us and erode the value of not only our digital life, but our physical being as well.

No comments: