28 June 2017
Blogs by author: Mark Hughes, President, BT Security
It was only six weeks ago that the world was struck by the WannaCry ransomware attack, and here we are with yet another high-profile, high-impact attack – known as Petya, Petwrap or GoldenEye.
What do we know about the attack?
The initial attack is carried out via an e-mailed attachment which, if opened, takes advantage of CVE-2017-0199 (a remote code execution vulnerability in Microsoft Office and WordPad) by downloading and executing a malicious file. Once the device is infected, the code spreads further using EternalBlue, the SMBv1 exploit also used by WannaCry, which is fixed by the MS17-010 update. Because this stage of the infection spreads by lateral movement, a customer network does not need to have unpatched SMBv1 devices exposed to the Internet to be affected: one infected device inside the network is enough.
When the attachment is opened, it exploits the MS Office or WordPad vulnerability and executes the payload. The payload creates a scheduled task set to run an hour later, which reboots the machine and shows a fake check disk screen, leading the user to believe the disk is being scanned when it is actually being encrypted. The ransomware then rewrites the Master Boot Record to display the ransom message and waits for the decryption key.
For organisations that have been hit, paying the ransom in Bitcoin will not help: the e-mail address that would have supplied the decryption key has been taken offline, so there is no way of unlocking the machine.
Why have so many fallen foul?
Large organisations have complex IT estates. Getting and keeping a grip on this estate and its level of vulnerability takes resources, considerable effort and skill. Even then, it is a constant effort to maintain this position.
So what should operational teams be doing?
- You need to have the right tools in place which allow you to see across your entire estate and give you a view of the latest patching position.
- In addition, you need to be able to remediate the situation by pushing updates and patches, some programmatically and some as urgent fixes.
- You need a process and tools to respond quickly and contain an incident, limit the damage and stop the malware from spreading once it has been identified.
- And you need a robust process for assessing threats, the impact they might have on your estate and prioritising action, both in the heat of the moment when an attack is going on, but just as importantly in the cool light of day.
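The attack description above and the first three points in this list come down to a small number of checks that an operational team can run on every Windows host: is the MS17-010 fix installed, is the SMBv1 server still enabled, and has anything created a scheduled task that reboots the machine. The script below is an added example written for this page, not BT's tooling or code from the original post. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 or later (the Get-SmbServerConfiguration and Get-ScheduledTask cmdlets are absent on older builds, and the script falls back to the registry or skips the check when they are), and the list of MS17-010 KB numbers is deliberately partial: later cumulative updates supersede them, so treat "Not found" as a prompt to verify the build against Microsoft's bulletin rather than as proof of exposure.

```powershell
# Added posture check (not BT's code): one-host snapshot of the controls the post
# discusses. Run in an elevated PowerShell session; feed the output into whatever
# estate-wide inventory tool you use (e.g. via Invoke-Command across a host list).

# Partial list of MS17-010 hotfix KB numbers for Windows 7 / 8.1 / 10 / Server 2012.
# Assumption: verify against the Microsoft bulletin for each OS build in your estate;
# later cumulative updates contain the fix without carrying these IDs.
$Ms17010Kbs = @('KB4012212', 'KB4012213', 'KB4012214', 'KB4012215', 'KB4012216',
                'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429')

function Get-Ms17010Status {
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    $status = if ($installed) { 'Present' } else { 'Not found (may be superseded - verify build)' }
    [pscustomobject]@{
        Check  = 'MS17-010 hotfix'
        Status = $status
        Detail = (@($installed | ForEach-Object { $_.HotFixID }) -join ',')
    }
}

function Get-Smb1Status {
    # Registry value SMB1 under LanmanServer\Parameters: 0 = disabled; 1 or missing = enabled.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $params -ErrorAction SilentlyContinue
    $enabled = $true
    if ($null -ne $reg -and $null -ne $reg.SMB1 -and [int]$reg.SMB1 -eq 0) { $enabled = $false }
    # Newer builds expose the same setting through the SMB server configuration cmdlet.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $enabled = [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $status = if ($enabled) { 'ENABLED - disable unless a legacy dependency requires it' } else { 'Disabled' }
    [pscustomobject]@{
        Check  = 'SMBv1 server'
        Status = $status
        Detail = ''
    }
}

function Get-RebootTasks {
    # Flag scheduled tasks whose action invokes shutdown with a restart switch; the post
    # describes the ransomware creating such a task to fire an hour after infection.
    # Legitimate patch-management tasks will also match, so the result is a review list.
    $hits = @()
    if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue) {
            foreach ($a in $t.Actions) {
                if ($a.Execute -match 'shutdown' -and "$($a.Arguments)" -match '(^|\s)[/-]r(\s|$)') {
                    $hits += "$($t.TaskPath)$($t.TaskName): $($a.Execute) $($a.Arguments)"
                }
            }
        }
    } else {
        $hits += 'Get-ScheduledTask unavailable on this build - inspect schtasks /query /v manually'
    }
    $status = if ($hits) { 'REVIEW' } else { 'None found' }
    [pscustomobject]@{
        Check  = 'Scheduled reboot tasks'
        Status = $status
        Detail = ($hits -join '; ')
    }
}

function Invoke-PetyaPostureCheck {
    @(Get-Ms17010Status; Get-Smb1Status; Get-RebootTasks) |
        Select-Object @{ n = 'Host'; e = { $env:COMPUTERNAME } }, Check, Status, Detail
}

Invoke-PetyaPostureCheck | Format-Table -AutoSize -Wrap
```

The three functions each return a single object with the same shape, so the output of Invoke-PetyaPostureCheck can be exported with Export-Csv and merged across hosts to give the "view of the latest patching position" the first point asks for; the scheduled-task check is the containment-side signal, and a host that reports it should be isolated before it reaches the reboot.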
How do you respond to the board?
As teams come to work today, some having slept well, others maybe bolstered by coffee, what do we as a security community have to say to the board? Although attacks like these are discussed at board level today, broader discussions around cyber security are too infrequent and are treated as a separate and disconnected issue from the broader operational risk. All too often, cyber security is not incorporated into the overarching business strategy.
Sharing intelligence, good practice and hard-won lessons among your network of peers and beyond would put the company in a position to think about cyber security differently. Namely, not as a risk which is discussed by the board twice a year, but as an opportunity and an enabler on a journey of digital transformation.
This particular attack is not over yet, and it won’t be long before we see the next high profile attack. How are we going to be better tomorrow at securing our digital enterprise?