I’m sure we have all seen the recent statistical figures showing a 2 to 3 times increase in ransomware attacks in 2016 compared to the previous year. While these numbers are already depressing enough, recent events with WannaCry/WannaCrypt and ExPetr/Petya/NotPetya have made the situation worse. We have seen increasing variations on the EternalBlue vulnerability/exploit previously patched in MS17-010. These new ransomware attacks are building on already known vulnerabilities that people are still struggling to patch or properly address as a serious threat.
From what I can see, more companies are being impacted than I would feel comfortable with when gauging the security ecosystem. This leads me to believe that companies are not taking these threats seriously; it’s as if they feel that such an occurrence is so far away from their organization that it’s not going to impact them. It also feels as if people did not understand the “mild” differences between WannaCry/WannaCrypt and ExPetr/Petya/NotPetya, whereas I truly felt worried when I saw how NotPetya utilized common administrator tools such as PsExec and WMIC to move laterally. In my eyes I saw more occurrences and variations of such attacks that could be created by more people or groups with ill intentions, and I’m glad I’m not the only one feeling concerned, as more awareness needs to be brought to this issue.
Are People Not Taking It Seriously or Just Playing With Fire
When worldwide fear of WannaCry spread throughout the web and the news, people did not begin to immediately patch their systems. Instead, many decided to wait and see if the threat was moving further into the US, and luckily for them a kill-switch was found. I truly believe this approach is dangerous not just to an organization, but also to its partners and to the overall security ecosystem of anyone associated with such organizations. Furthermore, a large number of organizations still did not patch or make efforts to remediate any of the attack vectors from the EternalBlue vulnerability in time for Petya to attack them.
I also honestly believe that not understanding something is a combination of not taking a threat seriously and just playing with fire. While not everyone agrees with me, people need to start moving away from unsupported operating systems such as Windows XP and Server 2003 to newer supported platforms. This is not something that needs to be done because the Microsoft Kool-Aid is strong; instead it should be considered a standard security practice performed and reviewed via due care at minimum. Furthermore, people need to start realizing these threats are equally important on desktops and servers alike. These types of vulnerabilities don’t care if your server is segregated via a firewall, so if one finds its way into the so-called “protected area” it will attack anything that has not been properly patched or remediated.
What can an organization do to prepare?
- Always patch and stay current
- Get to understand vulnerabilities from recent and previous threats to see how they can attack/spread
- Attempt to identify weaknesses to address immediately or protect around to reduce exposure
- Make a plan of action with the right teams while making sure it includes before and after actions
- Take every threat seriously
What should organizations do to mitigate?
- Patch, patch, patch
- Disable entry points or known vulnerable areas (Disable SMBv1 or executable macros)
- Implement Microsoft’s LAPS (Do not have a single password for all your workstations or servers, just don’t)
- Enable the Windows Firewall on all managed clients (Test thoroughly and create a strong baseline)
- Implement Credential Guard when possible
- Implement privileged access management practices
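As an added example that is not part of the original post, the following read-only PowerShell audit checks one Windows host against the mitigation list above (supported OS, MS17-010, SMBv1, Windows Firewall, Credential Guard, LAPS). The cmdlets are Windows built-ins; the function name, the `$RequiredKB` placeholder and the LAPS default install path are my assumptions.

```powershell
# Added example, not code from the original post: read-only audit of the post's
# mitigation checklist on one Windows host. All cmdlets are Windows built-ins;
# the function name, the $RequiredKB placeholder and the LAPS default path are
# assumptions. Run from an elevated PowerShell session; nothing is changed.
function Get-HardeningAudit {
    param(
        # MS17-010 KB numbers differ per OS build; fill in from the bulletin for this host.
        [string[]]$RequiredKB = @()
    )
    $r = [ordered]@{}

    # Supported OS: Windows XP / Server 2003 report NT version 5.x
    $os = Get-CimInstance Win32_OperatingSystem
    $r.SupportedOS = ([version]$os.Version).Major -ge 6

    # MS17-010 present? Only meaningful if the caller supplied the KB ids.
    $r.MS17010Patched = if ($RequiredKB) {
        [bool]($RequiredKB | Where-Object { Get-HotFix -Id $_ -ErrorAction SilentlyContinue })
    } else { 'unknown (no KB list supplied)' }

    # SMBv1 disabled? Prefer the SMB cmdlets (Windows 8 / 2012 and later); fall back
    # to the LanmanServer registry value on older hosts, where an absent value means enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $r.SMBv1Disabled = -not (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
        $r.SMBv1Disabled = ($null -ne $p.SMB1) -and ($p.SMB1 -eq 0)
    }

    # Windows Firewall on for every profile (Domain, Private, Public)
    $r.FirewallAllProfiles = @(Get-NetFirewallProfile | Where-Object { -not $_.Enabled }).Count -eq 0

    # Credential Guard: SecurityServicesRunning contains 1 when it is active
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $r.CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)

    # LAPS: client-side extension installed (assumed default path) and policy enabled via GPO
    $cse = Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll'
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
    $r.LAPSEnabled = (Test-Path $cse) -and ($pol.AdmPwdEnabled -eq 1)

    [pscustomobject]$r
}

$audit = Get-HardeningAudit
$audit | Format-List
$audit.PSObject.Properties | Where-Object { $_.Value -eq $false } |
    ForEach-Object { Write-Warning "Remediate: $($_.Name)" }
```

Every `$false` in the output maps to one bullet in the list above; pair the script with a configuration management tool or GPO to turn each finding into an enforced baseline rather than a one-off check.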
Should We Be Concerned?
Yes, everyone should be concerned about and cautious of what has happened so far in 2017. It is a sign of additional challenges arising in the security landscape, where more emphasis needs to be put on understanding the threats and building a layered approach. It’s definitely not going to be easy for everyone, but organizations need to start understanding that it is going to take extra effort to properly protect against growing threats.