It’s been a year since WannaCry and NotPetya wreaked havoc worldwide. And while the high-profile cyberattacks prompted an increased awareness of cyber issues, organisations are still overlooking some of the fundamental requirements for maintaining good cybersecurity. Brian Chappell, Senior Director, Enterprise and Solution Architecture at BeyondTrust, looks at this in more detail.
Just over a year ago, two global ransomware attacks struck down state governments, multinationals and millions of other users.
In May 2017, WannaCry hit over 300,000 computers in organisations as powerful and diverse as the NHS, Fedex, Chinese oil companies and Indian regional governments. Multinational giants were paralysed and oceans of data were destroyed. Shortly after the attacks it was predicted that global recovery costs could run as high as US$4 billion.
Just over a month later NotPetya hit. Springing from an infected version of a popular Ukrainian accounting software, this attack wrapped itself around the world with great speed. Again, power and scale were no objects to the attacks – reaching targets as far and wide as the Ukrainian government, law firm DLA piper, the global shipping empire of Maersk and consumer goods giant Reckitt Benckiser. The total global bill for the attack according to former Homeland Security Adviser, Tom Bossert, was in excess of US$10 billion.
Nothing quite like this had been seen before. For many, these were the public crises that would wake everyone up to cybersecurity as a concern for international public security. Things would never be the same – right?
The image is still unclear as to exactly how much effect the two crippling attacks had. On one hand, these were events that few could ignore, highlighting how easy it was to touch even state powers and knock millions off the revenue of global giants. On the other hand, many of the problems that permitted the success of those attacks still haunt us.
The NHS which was the UK’s headline victim of WannaCry has taken concrete steps to fortify itself. WannaCry shut down 80 NHS trusts – as a result, thousands of appointments were cancelled and many hospitals were forced to turn away non-critical emergencies.
The NHS spent much of the next year updating to Windows 10. One of the major weaknesses of the organisation when it was hit with WannaCry came from its continued use of Windows XP, no longer supported by Microsoft and specifically targeted by WannaCry’s EternalBlue exploit. The NHS has also begun steps to install a Security Operations Centre to better combat threats against it.
However, the service’s travails are not yet over. These developments are surely welcome but recent security tests have returned disappointing results.
Elsewhere, WannaCry and Petya has at least in part served as a wake-up call to the rest of the world.
Boards are becoming especially aware of these threats. A Vanson Bourne Survey of 500 businesses in Europe showed that 50% of respondents claimed that there was now more visibility at board level. Another 43% said that there is now more budget being allocated for security.
The cyberinsurance market is booming too, thanks in no small part to the attacks. Shortly after the WannaCry attacks, CFC Underwriting released data showing that in the weeks following, cyberinsurance inquiries increased by nearly 50%. Danish Insurance Company, Tryg saw a similar boom in new cyberinsurance policies. Having sold 700 in the first quarter of year, the company sold 2,800 in the second quarter, largely attributable to these events.
These developments notwithstanding, attention spans can be short and some of the key lessons which might have been taken on from this event may not have been learned at all.
Both attacks used EternalBlue – an NSA linked exploit leaked earlier in the year by a group calling themselves the Shadow Brokers – to propagate globally.
Vulnerabilities exist everywhere often unknown to their victims. When WannaCry hit however, a patch for that vulnerability had already been released nearly three months before the attacks. The hundreds of thousands of endpoints seized by WannaCry would likely not have suffered the same fate if they had only installed that patch.
This made it all the more shocking when NotPetya hit the next month, using the same exploit to attack millions of endpoints.
This kind of patch aversion is still with us. Research from Kollective, surveying 260 head of IT on both sides of the Atlantic found that it took nearly half of respondents a month to install new patches. Given that it’s not called a zero-month, this is far less than satisfactory.
Furthermore, EternalBlue still works. According to Juniper Networks there are still 2.3 million devices globally that are still using SMBv1, the insecure network protocol through which EternalBlue could propagate.
One of the least noted, but more notable aspects of WannaCry’s assault on the NHS was its attack on 70,000 connected medical devices. Blood refrigeration units, MRI scanners and surgical theatre equipment were all caught in WannaCry’s grip, deepening the NHS’ paralysis. NotPetya helped shut down the radiation monitoring systems around Chernobyl.
IoT vulnerabilities persist everywhere at both the production and implementation level. A recent Trend Micro survey of 1,150 IT decision makers, showed that while 79% of companies involve their IT teams in IoT implementations, only 38% involve their security teams. Many enterprises are interested in making the IoT work; fewer are interested in making it work safely.
It doesn’t stop at the IoT, but our very understanding of what an endpoint is. In this age of technological advancement, unchecked innovation is widening global attack vectors and opening us up to new and greater security threats.
That said, the vast majority of systems impacted in the fallout were endpoints, which remain the most likely vector for a successful attack. We need to stop thinking of the devices on our network as different, separate classes.
The artificial barriers between servers, workstations, infrastructure, IoT and more make us address each differently in our security approach. While we should never consider locking down workstation access to the level we would our most precious servers, we equally cannot ignore them.
IoT may look innocuous but any device on your network could provide a foothold for a most considered attack on other systems. When considering your cybersecurity approach, the Internet of Everything should be the scope of operation. No more, no less.
When WannaCry and NotPetya hit, no one had yet witnessed attacks as far reaching or effective. What was most striking was how easily even powerful international organisations fell in their wake. Most concerning, however, is that most of those impacted were simply collateral damage; the impact of a targeted attack doesn’t bear thinking about.
Many have learnt the lessons of those two months while others seem to have shorter memories. It may take at least one more global reminder, to get everyone up to speed.