This is Part 1 of a three-part blog series recapping the presentation that Chris Goettl, Ivanti’s director of Product Management for security solutions, gave at the recent IT Leadership Summit virtual event, which is available on demand. Part 1 covers roughly the first third of the presentation: the trends being witnessed today, how to strategize a response, how to ensure a high level of security for your environments, and how to prioritize your efforts to maximize their effectiveness.

Parts 2 and 3 summarize the remaining portions of the presentation. Part 2 discusses SamSam ransomware and its methods of attack, while Part 3 covers the need for a well-established security framework, such as the CIS Critical Security Controls, as the basis of an effective security strategy against modern cyber threats.

The Rise of Nation-State Activities

One of the growing trends in the cyber security space is the rise of nation-state activity, and with it the level of sophistication of the tools built for national cyber espionage and warfare. When such tools become generally available to the average cyber-criminal, as they now have, the threat escalates accordingly.

Without question, hackers today can have a major impact on critical infrastructure worldwide. Hospitals, banking systems, power grids, and many other sectors are regularly exposed to and affected by cyber threats, and attackers appear ever more intent on causing exactly that kind of impact, a nightmarish scenario.

For example, the NotPetya attack last year targeted specific companies around the globe that used MeDoc, a Ukrainian accounting and tax software application; the compromised application was essentially the launch point for the attack.

In this case, the threat actors planted the NotPetya malware in the MeDoc update mechanism, so that the software’s own update process delivered it to customers. The attack’s core spreading mechanism used exploits developed by a nation-state entity, in this case the U.S. National Security Agency (NSA). The tools, and the vulnerabilities they exploited, became public when a hacking group got hold of the NSA toolset and disclosed it.

Most ransomware campaigns offer a variety of payment mechanisms so that the authorities cannot shut them down and cut off the payout. In the NotPetya attack, those characteristics were barely implemented or nonexistent.

What we really saw was ransomware used as a social and economic disruptor rather than as a direct route to a payout, a new evolution in cyber-attacks. The focus of the attack was Ukraine, and it disrupted that nation and inflicted great pain on its efforts to sustain itself during that period.

Entire organizations were unable to operate for days on end. The attack affected organizations across Ukraine and caused collateral damage to organizations globally, including Merck, FedEx, and Maersk.

How can we as security and IT professionals protect our organizations from attacks like these? As threats evolve, how do we strategize and make ourselves more effective at defending against this type of attack and the variety of other cyber threats we face?

The Threat Landscape of Software Vulnerabilities

To this day, software vulnerabilities play a significant part in the overall threat landscape: the total attack surface we are exposed to and the attack vectors that could be used against us.

A key takeaway from the Q1 2018 Forrester Wave: Vulnerability Risk Management report is the need to prioritize risk. The report cites that 58% of enterprise organizations suffered a breach at least once in the past year. Not every breach among that 58% was a headline-grabbing exposure of millions of accounts, but the scary part is that more than half of companies suffered at least one breach in the past year.

Further, 41% of those breaches involved the exploitation of a software vulnerability. Take one specific event, the Equifax breach: 145.5 million people had Social Security numbers, addresses, driver’s license numbers, credit card numbers, and other data exposed. A vulnerability in the Apache Struts web framework was the entry point that led to this breach.

Leading up to the exploitation of the Struts framework, there were likely other stepping stones used to reach that web server and the sensitive data behind it. But, again, a software vulnerability was the means by which the data was actually accessed and exfiltrated.

Other Notable Occurrences

Let’s also consider a few other notable occurrences from the last 18 to 24 months, starting with WannaCry. It was a ransomware incident built on a nation-state-developed software exploit, and it affected more than 230,000 endpoints in over 150 countries in a short period of time.

Attackers used the EternalBlue exploit, developed by the NSA and leaked by the Shadow Brokers hacker group on April 14, 2017. EternalBlue exploits a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol, specifically SMBv1.

Microsoft had already issued a security bulletin (MS17-010, March 2017) detailing the flaw and released the patch before the leak. Even roughly two months after that update was available, attackers were able to use the EternalBlue exploit to launch WannaCry in May 2017: a two-month gap between the vendor’s release and widespread worldwide impact.

Another tool employed in the WannaCry attack was DoublePulsar, a kernel-mode backdoor developed by the NSA and also leaked by the Shadow Brokers. Between the leak and WannaCry, other actors had already used the leaked tools to implant DoublePulsar on tens of thousands of systems globally. WannaCry checked each target for an existing DoublePulsar implant and, where it found one, used the backdoor to load its payload directly instead of re-exploiting the host. Those pre-existing backdoors, laid out and distributed globally, are how WannaCry reached environments whose SMB ports were not directly exposed to the internet at the time.

From there, the worm launched the EternalBlue exploit against the rest of those environments without needing a public-facing SMB port. So the combination of SMB being publicly exposed on some hosts and DoublePulsar backdoors already present on others made WannaCry very successful. And once inside an environment where the update had not been rolled out, the exploit spread very quickly: within roughly 24 hours, hundreds of thousands of computers (estimates ran as high as 300,000) had been exposed to and crippled by WannaCry.

A Sophisticated, Layered Approach to Attack

Returning to NotPetya: once inside an environment, additional capabilities were used to spread the malware further.

A credential-theft tool in the vein of Mimikatz was used to harvest admin credentials from memory. Those credentials were then used with legitimate, already-present administration tools, PsExec and WMIC, to execute the malware on other systems remotely, allowing it to spread even to hosts where the EternalBlue SMB exploit was not available, for example because they were already patched.
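The chain just described (credential theft from LSASS, then fan-out with PsExec or WMIC under the stolen account) is detectable from endpoint telemetry. The following is an added detection example, not code from the presentation or from Ivanti. It assumes Sysmon-style process events (Event ID 10 for process access, Event ID 1 for process creation); the host names, accounts, paths, timestamps and the LSASS allowlist are constructed for illustration and are not from any real incident.

```python
"""Detect Mimikatz-style LSASS access followed by PsExec/WMIC remote execution.

Input is a list of Sysmon-style event dicts (constructed below). Event ID 10 is
ProcessAccess (who opened which process, with which rights); Event ID 1 is
ProcessCreate (image and full command line).
"""
import re
from datetime import datetime

LSASS = r"c:\windows\system32\lsass.exe"
# Processes assumed to legitimately open LSASS on a workstation (illustrative allowlist).
LSASS_ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}
# PROCESS_VM_READ (0x10) or PROCESS_QUERY_INFORMATION (0x400): what a credential dumper needs.
CRED_DUMP_MASK = 0x0010 | 0x0400

WMIC_NODE = re.compile(r'/node:\s*"?([\w.\-]+)"?', re.IGNORECASE)
PSEXEC_TARGET = re.compile(r"(?:^|\s)\\\\([\w.\-]+)(?:\s|$)")      # \\target
PSEXEC_FLAGS = re.compile(r"\s-(?:s|d|accepteula|c)\b", re.IGNORECASE)


def is_credential_access(ev):
    """Event ID 10: a non-allowlisted process reading LSASS memory."""
    if ev["event_id"] != 10 or ev["target_image"].lower() != LSASS:
        return False
    if ev["source_image"].lower() in LSASS_ALLOWLIST:
        return False
    return int(ev["granted_access"], 16) & CRED_DUMP_MASK != 0


def remote_exec_target(ev):
    """Event ID 1: the remote host a WMIC or PsExec-style command targets, else None."""
    if ev["event_id"] != 1:
        return None
    cmd = ev["command_line"]
    if ev["image"].lower().endswith("wmic.exe"):
        m = WMIC_NODE.search(cmd)
        if m and "process call create" in cmd.lower():
            return m.group(1)
    # PsExec (or a renamed copy) is recognised by argument shape, not by file name.
    m = PSEXEC_TARGET.search(cmd)
    if m and PSEXEC_FLAGS.search(cmd):
        return m.group(1)
    return None


def correlate(events, window_seconds=3600):
    """One alert per remote execution that follows credential access on the
    same source host within the window."""
    alerts = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)
    for host, evs in by_host.items():
        thefts = [e for e in evs if is_credential_access(e)]
        for e in evs:
            target = remote_exec_target(e)
            if target is None:
                continue
            for t in thefts:
                delta = (e["time"] - t["time"]).total_seconds()
                if 0 <= delta <= window_seconds:
                    alerts.append({"host": host, "target": target,
                                   "dumper": t["source_image"],
                                   "account": e["user"],
                                   "seconds_after_theft": int(delta)})
                    break
    return alerts


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample telemetry (hypothetical hosts, users and paths).
EVENTS = [
    {"host": "WS01", "time": _t("2018-06-01T10:00:00"), "event_id": 10, "user": "CORP\\alice",
     "source_image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"host": "WS01", "time": _t("2018-06-01T10:00:05"), "event_id": 10, "user": "NT AUTHORITY\\SYSTEM",
     "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1000"},
    {"host": "WS01", "time": _t("2018-06-01T10:02:00"), "event_id": 1, "user": "CORP\\svc_admin",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": 'wmic /node:"FS01" /user:"CORP\\svc_admin" process call create "C:\\Windows\\Temp\\upd.exe"'},
    {"host": "WS01", "time": _t("2018-06-01T10:02:30"), "event_id": 1, "user": "CORP\\svc_admin",
     "image": r"C:\Windows\Temp\pe.exe",
     "command_line": r"pe.exe \\WS07 -accepteula -s -d C:\Windows\Temp\upd.exe"},
    {"host": "WS02", "time": _t("2018-06-01T10:03:00"), "event_id": 1, "user": "CORP\\bob",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic os get caption"},   # local WMIC use, not lateral movement
]

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Two design points matter in practice: the PsExec rule keys on the argument shape (`\\target` plus service flags) rather than the file name, because the tool is routinely renamed; and the LSASS rule depends on its allowlist, which should be built from a baseline of your own fleet rather than the three entries assumed here.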

This was a very sophisticated, layered approach to attack: in this case, a compromise of the MeDoc update channel as the initial salvo, followed by tools beyond a single software vulnerability to diversify how the malware could spread. That approach made the NotPetya attack a very effective campaign.

A key takeaway here is that the common elements of a ransomware campaign simply did not exist in NotPetya. The payout method was single-threaded and easily disrupted; in fact, payouts were disrupted very early on. So there was something much more than money at the heart of this attack.

Indeed, we witnessed ransomware evolving from seeking quick payouts at an individual-system or site-wide level to causing mass disruption. It is an evolution in cyber-attacks that has raised the level of sophistication and changed some of the rules of how these types of malware work.

Take some time to read Parts 2 and 3 in this blog series, plus learn more about how Endpoint Security solutions from Ivanti can help you mitigate up to 95 percent of cyber threats.