You’ve probably all seen the news about some big global hack and most of it has gone over the everyday person’s head. So, I thought I’d try to shed some light on what has happened and help you understand the gravity of how serious this needs to be taken.
What happened?
In the early hours of Saturday morning (Australian time) a worldwide cyber-attack was launched. This was to this date the biggest cyber-attack that the world has ever seen. The real-world impact as you will soon learn goes way beyond what everyone thinks about when considering a computer viruses impact.
What is it?
Codenamed WannaCry, this was a form of Malware commonly known as Ransomware, which is by far the biggest security threat we encounter today.
Ransomware has been around since 2013. You may have heard people call it Cryptolocker or a crypto virus. What this form of malware does when it infects a machine is encrypts or locks files rendering them useless.
What happens next however is the real game changer. Unlike your traditional viruses which were just a destructive force destroying everything in their way, Ransomware as the name suggests holds your files at ransom and will only release the unlocking key once you have paid a pre-specified amount. Usually this is between $250-$1000. If this amount is not paid in a specified time the key will be permanently thrown away and your files are effectively digital paper weights.
This strain was asking for ransoms of $300 if paid in 24 hours or $600 within 7 days. Whilst the overall percentage of ransoms paid was low, the cybercrooks still made over $33,000,000 USD.
This is also thought to be leaked NSA/CIA malware as it makes use of a government created vulnerability that was previously leaked by a hacking group known as the Shadow Brokers, more on that soon.
What was the impact?
The main attack lasted little over 7 hours. In this time it infected a whopping 230,000 machines in over 150 countries, however the impact was far greater than people not being able to open a picture of their new puppy or a pdf document containing instructions on how to make the ultimate banana smoothie.
Take a look around you and think about the all things that rely on some form of connected technology. Electricity, traffic signals, telecommunications, surveillance systems, world finance, emergency support, hospitals, manufacturing plants. You get the pictur. That list is endless. We live in the digital age, where almost everything we rely on for our day to day lives relies on computers and the internet.
This attack should act as a warning that we are extremely vulnerable and susceptible to complete global cyber warfare.
National Health Services in London – some 70,000 devices were reported to have been affected. This resulted in patients being turned away, ambulances being diverted, patient records becoming inaccessible.
Nissan and Renault – Both car manufacturers were infected and halted production in an attempt to stop the spread of the virus. The Renault F1 team almost had to forfeit this Sundays race in Spain due to not being able to access machines critical to running the race.
Russian railways were shut down for a period of time, LATAM airways had to delay and cancel flights, Telefonica a major Spanish telco experienced major outages, FedEx’s order systems were affected. Even MIT one of the most advanced places on the planet were infected.
In short it hit fast and it hit hard. As you can see it had some pretty drastic real world effects, but honestly we got off light. Imagine the damage an infection like this could do if it hit nuclear power plants, major banks and Wall St, satellite communications systems, national water controls, major food manufacturing plants, weapons systems. You get the picture.
This particular attack hit Europe and North America far harder than it did us in Australia, most probably due to the phishing campaigns used and the hour of the day the attack took place, not to say we didn’t get any infections but we dodged the brunt of the attack.
How did it spread?
Wannacry is what we refer to as a multi vector attack, meaning it makes use of more than one technology for infecting machines.
Phishing emails – This is a common way machines will become infected with ransomwar. A phishing email looks like it comes from a legitimate source such as Australia Post, AGL, AFP, eBay, PayPal etc. Generally, these emails will require the user to click on a link. Once this malicious webpage is opened the ransomware is downloaded, installed and starts deploying its malicious payload.
Worm – This is a type of virus that self-replicates, meaning that as part of its malicious activity it hunts out other machines to infec. Remember when I was talking about the NSA and CIA, well this is where they come in.
Back on March 14, Microsoft issued an update to fix an exploit that the NSA developed as a way into system. Exactly one month later on the 14th April the exploit leaked online. It was due to this particular exploit that the infection was able to easily jump from one machine to another infecting hundreds of thousands of devices in such a short period of time.
So, when you see that little pop up from Microsoft asking you to update your system, this is why. The fix had been around for 2 months yet so many devices still had it as an openly exploitable vulnerability. This attack shows far too many companies are still complacent when it comes to cybersecurity.
What is also frightening were the number of Windows XP machines that were infected. XP was released in 2001 and Microsoft officially stopped supporting and releasing security updates for it in April 2014, yet so many companies still use it for business critical functions. So serious was the nature of this infection that Microsoft even took the unprecedented step of creating an update for XP (and even older operating systems) to plug the hole.
How was it stopped?
Well the world has a 22 year old wonder kid and $10 to thank for that.
When the code became available to reverse engineer he discovered that every time it infected a new machine it would make a call to an unregistered web address eg www.thisdoesnotexist.com. If there was no response the malware would infect the machine and continue on its malicious way. For $10 he registered the address effectively stopping the attack worldwide.
This is known as a killswitch and is another huge clue that this malware was developed by an official government organization rather than your everyday cybercriminal organization as this is not generally something blackhat hackers tend to include in their code.
How do I not get owned by stuff like this?
First and foremost, I want to say that there is no one single thing that you can do that will stop these kinds of threats. You must take lots of steps to minimize risk.
The weakest point of any computer network is generally the standard end user. The first step is education of standard users. If you are still reading then you’re probably someone who wants to be better informed which is a great mentality. Keep it up!!
Beyond that I’ve always suggested a 4-step approach. Preventative, Defensive, Detective, Remediative.
Preventative – Don’t go to places where bad stuff is on the internet, don’t blindly click on links, don’t download dodgy things that you think might be the latest movie or game, don’t sign up for all sorts of email lists. Those phishing emails I was talking about before… here’s a simple way to identify one. Hover your mouse over the link. It will show you the url that it is trying to go to. If that looks dodgy or you’re not expecting anything from that organization don’t click on it.
There are tools that can ensure you don’t navigate to these malicious sites in the first place. In fact, the antivirus company I work for does this very well.
Defensive – There are a number of things you can do here that will ensure that any potential threats don’t get in the gate. Some of these things are business grade but most will be applicable to the everyday user.
Patch your systems, I’m not just talking about Windows here either. Many things will exploit applications that are being used on your system, Adobe reader, Flash, Java etc and for god sake if you're using WordPress to create websites make sure it’s up to date. Tthat thing is notorious for being hijacked.
Have strong passwords – Another form of attack is known as a brute force attack where a computer-generated algorithm tries to guess your password to gain access to your system. If your password is anything like password, password1, your sports team, your name, your dog’s name, your wives or kids names, then you’re just an easy target. Make it completely random, use numbers and special characters and put capitals somewhere other than the first letter.
Filter your mail, create firewall rules to ensure that you know what traffic is happening on what ports, change who has administrative rights, whitelist certain applications.
Detective – There is a saying in the cyber security space. It’s not a matter of if you’ll get infected it’s a matter of when. This is where your antivirus comes into play and this is the space where I live. You need to make sure that if something gets onto your system that your antivirus can detect it and remove it.
The majority of today’s viruses use something called a polymorphic signature. Basically what this means is that each time it attacks a new computer it looks like a different virus signature. This is important to note as signatures are how many older antivirus products detect viruses. Due to the polymorphic approach this is now a redundant way to detect threats.
Remediative – If everything else fails, you should at least make sure that you can get back to where you were.
Backup your system. Now depending on what you have on there, determines the approach you should take here. If your stuff is really important to you make sure it exists in more than one location. I’ve heard it time and time again “I have my backups on an external hard drive in my office”. What good is that to you in the event of a natural disaster or fire?
Use a cloud based solution. If it’s personal stuff use dropbox or something similar.
My final piece of advice here is to use resources available to you, especially if you’re running a business. This stuff is critical. Team up a managed service provider to handle your IT environment. Guaranteed they know a lot more about the industry than you do. If you don’t know anyone let me know and I can point you in the right direction.
Final thoughts
This is just the beginning. The more and more that we rely on technology the more it becomes an area we need to focus on. Bigger and more sophisticated attacks will happen and the next wars will be fought in cyberspace not on the battlefield. This attack has opened lots of people’s eyes to the state of the world’s technology spac. It’s unfortunate that something like this needs to happen before people take this stuff seriously. The internet is still an infant, some 20 years old in the commercial world. We still have a lot to learn about living in a digital age. This current technology boom will not slow down to let us catch up so we need to make sure we go forward with the right things in place to protect ourselves from the things we cannot yet see.
Article courtesy of Greg Williams, WEBROOT.