What kind of year has it been? Cybersecurity review part 1
For any fellow Aaron Sorkin fans out there, you’ll know that in each of his TV series he includes an episode entitled “What kind of day has it been?” (Usually the finale).
It’s Sorkin’s way of ensuring all the questions he’s been posing throughout the show receive some sort of answer (no spoilers from me though).
I’m no Aaron Sorkin (if only) but after a year that could be described as ‘tumultuous’ from a cybersecurity point of view, I’ve attempted to capture what happened during 2017 (I’ve by no means covered everything), and what we must now do as an industry to help our customers step up to these new levels of cyber threat.
So, what kind of year has it been?
Jan – April 2017
In January, there was a significant amount of coverage regarding cyber attacks that occurred against several political, governmental, and private sector entities in the United States. The Department of Homeland Security and the FBI jointly released a report referring to this activity as GRIZZLY STEPPE. Talos responded to ensure our customers were and are protected. Read more here.
Throughout the early part of the year, our Talos team covered all sorts of malware samples, such as ‘EyePyramid’ which targeted Italian police and celebrities, and a new spam campaign used to infect targets with the well known Loki Bot stealer, which went out of its way to attempt to evade content inspection devices like AV or network security devices.
For a full round up of all the malware samples and disclosures we covered at the start of the year, see the Talos blog.
We also released our 2017 Annual Security Report, which revealed some key security trends:
- Increasingly, the hackers behind malvertising campaigns are using ‘brokers’. Brokers enable the bad guys to infect more companies at scale, and they can run campaigns for longer – because using a broker helps them to evade detection.
- 27% of connected third-party cloud applications, introduced by employees in enterprises in 2016, posed a high security risk. This is undoubtedly a result of workers wanting to improve their own levels of productivity and stay connected while on the job…but they’re not necessarily thinking about the security implications on their data when accessing these applications.
Oh boy, the big one.
As news first broke of a “significant cyber attack” on the afternoon of the 12th May, it initially looked like a deliberate attempt on our National Health Service. They appeared to be hit by a ransomware campaign, which was designed to exploit any technology weaknesses, and bring their systems to a halt…unless they paid the cyber criminals a fee.
However, it soon became clear that as more and more countries came forward with their own similar reports, that this was a rapidly spreading global threat. No one industry was immune, and it definitely wasn’t your ‘usual’ case of ransomware…
The attack soon became known as WannaCry. WannaCry used SMB; a network protocol used to share files between computers (not through an email or phishing scam which is how ransomware is normally delivered). One of the reasons that this ransomware spread so rapidly and so quickly is because of the fact that it can spread laterally on the same network, automatically installing itself on other systems in the network without any end user involvement.
The malware was particularly effective in environments with Windows XP machines, as it can scan heavily over TCP port 445 (Server Message Block/SMB), compromising hosts, encrypting files stored on them, and then demanding a ransom payment in the form of Bitcoin.
The big one was shortly followed by the next big one…
Just weeks after WannaCry, Nyetya (or ‘Not Petya’) arrived. It first hit the Ukraine, with victims reportedly including its central bank, an international airport and even the Chernobyl nuclear plant – where workers were forced to manually monitor radiation levels after they were locked out of their computers. Nyetya then spread across the globe,affecting companies in 64 countries.
Although it appeared to look like ransomware, Nyetya actually wiped data from hard drives, rendering attempts to obtain encryption keys fruitless.
And that’s it for part one – I’ll bring you part 2 of our cybersecurity year in review later this week!
In the meantime for more security advice and resources, head to our dedicated webpage: www.cisco.co.uk/securityTags: