1) Lessons from the WannaCry Ransomware Attacks

Surveying the damage in the aftermath of the WannaCry ransomware campaign, cyber security researchers have gleaned important lessons from data and analysis collected from victims and their infected systems. The WannaCry epidemic, which began on 12 May and had largely ended four days later, was one of the most widespread ransomware attacks in recent history and affected some 300,000 systems on five continents.

Methods and Tactics
Forensic assessments of infected networks indicated that victims were not exposed to the malware by downloading attachments from phishing emails, the typical delivery mode in such campaigns. Rather, WannaCry entered systems by exploiting a flaw in the Windows Server Message Block (SMB) service, a protocol layer that lets networked machines share files and other data. Once the malware infiltrates a machine, it installs a backdoor program that controls various elements of the computer and launches the payload, an encryption tool that targets files on the computer’s hard drive. WannaCry then uses the already compromised SMB service to scan for other vulnerable connected systems and copy itself to them, perpetuating the cycle of infection.
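A defender-side check for the worm-like spread described above, written as an added example (not from the original article): it flags any host that opens SMB connections to many distinct peers inside a short window, the fan-out pattern a self-propagating infection produces. The log line format, thresholds and IP addresses are constructed for illustration.

```python
"""Flag hosts whose SMB (TCP/445) connection fan-out looks like worm-style scanning.

Constructed, simplified firewall-log line format used here (an assumption):
    <epoch seconds> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>
"""
from collections import defaultdict

def parse_lines(lines):
    """Yield (ts, src, dst, port, action); malformed lines are skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, action = parts
        yield int(ts), src, dst, int(port), action

def smb_fanout_alerts(log_text, window=60, min_targets=10, port=445):
    """Return {src: peak_distinct_targets} for sources that reach at least
    `min_targets` distinct hosts on `port` within any `window`-second span.
    Thresholds are illustrative assumptions; tune them to the environment."""
    events = defaultdict(list)                      # src -> [(ts, dst), ...]
    for ts, src, dst, p, _action in parse_lines(log_text.splitlines()):
        if p == port:
            events[src].append((ts, dst))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        peak, lo = 0, 0
        for hi in range(len(evs)):                  # sliding window over time
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            peak = max(peak, len({dst for _, dst in evs[lo:hi + 1]}))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts

def build_sample_log():
    """Constructed sample: one host sweeping a /24 on 445 (mostly denied, since most
    targets expose no SMB), one host using two file servers normally."""
    lines = [f"{1494576000 + i} 10.0.0.5 10.0.1.{i} 445 {'ALLOW' if i == 7 else 'DENY'}"
             for i in range(1, 13)]
    lines += [f"{1494576000 + i * 600} 10.0.0.9 10.0.2.{1 + i % 2} 445 ALLOW"
              for i in range(6)]
    lines.append("1494576005 10.0.0.5 198.51.100.7 443 ALLOW")   # non-SMB, ignored
    return "\n".join(lines)

SAMPLE_LOG = build_sample_log()
```

Calling `smb_fanout_alerts(SAMPLE_LOG)` reports only the sweeping host; the steady file-server user never exceeds one distinct peer per window.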

Many experts attribute WannaCry’s ability to spread to the large number of un-updated Windows operating systems, which acted as the catalyst for the epidemic. The fact that the stream of reported attacks began in Eastern European countries bolstered this assessment. Indeed, three of the countries most affected by WannaCry were Russia, Ukraine, and India, nations where earlier versions of Windows were likely to be running. After the initial four-day rampage, one cyber security research firm produced a report indicating that most global victims were running Windows 7, a non-supported version of the Microsoft operating system.

Defense
In response to the attack, Microsoft issued a “critical” network patch after becoming aware of the SMB vulnerabilities on 14 March. Many system users were clearly slow to install the patch, leaving them exposed to the malware and ultimately assisting its spread. On 13 May, Microsoft took the unusual step of offering patches for earlier, unsupported system versions such as Windows 8 and Windows XP.

This episode strongly highlights the need for company IT departments, as well as individual system users, to keep abreast of program updates. Maintaining regular patching is often not simple for a large organization. As one cyber security firm director pointed out, the operation of critical infrastructure, or of other vital systems that run constantly, often curtails the ability to stop, patch, and reboot a system. This underscores the need for contingency plans for such infrastructure so that vital system updates can be performed. These may include back-up systems to run the infrastructure temporarily, or even pre-planned temporary lapses in operations.

2) Ramifications of a Cyber Geneva Convention

The Twitter accounts hack of March 2017, in which hundreds of Twitter home pages were defaced by Turkey-sympathizing hackers, the Bell Canada hack and the HipChat breach highlight the disruptive effect such attacks have on national commerce and important online infrastructure. This series of attacks has prompted government and industry leaders to call for international consensus on standards for the use of cyber weapons. Activity pushing for global consensus on cyber warfare has been increasing in recent years. The so-called “Tallinn Manual”, a non-binding study of how international law might apply to cyber warfare, was first published in 2013 at the initiative of the NATO Cooperative Cyber Defence Centre of Excellence. A second edition came out in February. A multinational group known as the Shanghai Cooperation Organisation has existed since 2001 and has adopted policies that treat the dissemination of sensitive information by rival states as a form of “warfare.” Currently the group’s list of participating states includes China, Russia, Uzbekistan, Iran, India and Pakistan, among others. In October 2016 the G7 produced a document on international standards for cybersecurity, covering several elements including joint response actions to cyber crimes and information sharing between nations. The “Declaration on Responsible State’s Behavior in Cyberspace” issued by the G7 Foreign Minister’s Conference in Lucca, Italy, last April reiterated the commitment of the participating countries to these guidelines.

The most recent instance of a private industry leader calling for such international cooperation involved Brad Smith, Microsoft’s president and chief legal officer. In a presentation at the RSA Security Conference in February, Smith asserted that the world was in desperate need of a “Cyber Geneva Convention” to set international standards for cyber warfare, in the same way that the 1949 convention set standards for traditional “kinetic” warfare. Smith reiterated his position in a widely disseminated memo originally posted on Microsoft’s official blog in May, following the WannaCry ransomware attacks. The Microsoft executive emphasized that the “Cyber Geneva” should institute policies that would partner private actors, namely large companies in the field, with governmental institutions to combat cyber criminals.

Smith’s calls have been met with a fair dose of cynicism from experts and other industry leaders. The crux of these critics’ claims: even if major world leaders were to come to binding agreements regarding the waging of war in cyberspace, nearly all of the state actors most suspected of out-of-bounds practices, such as the targeting of civilian infrastructure, would likely remain undeterred by such a consensus. North Korea, for instance, highly suspected of being behind numerous private sector cyber attacks, is not known for its concern for international opinion. Additionally, such a convention would not even begin to address lone cyber criminals and non-state groups. Attribution would still remain a major problem.

Still, there are many issues that an international forum on cyber practices could address, with potentially major implications for the industry and private business. One factor consistently raised in the aftermath of large cyber attacks, especially those involving self-spreading malware, is the legal liability of the large users initially targeted by hackers. When a company suffers a data breach affecting the private data of its clientele, what is its level of culpability? What if the company did not maintain the most up-to-date programs or software patches? In the aforementioned May statement, Smith correctly pointed out that an overwhelming majority of successful hacks are made possible only by users not maintaining operating systems supported by their distributors, or being careless in applying patches when they become available. Best practices could also be a topic for an international forum. Standards for businesses in physical, personnel, and system security protocols could be set and enforced. Private businesses that failed to meet these standards and were subsequently shown to have passively assisted in, for instance, the spread of a malware epidemic, could be held accountable. Along the same lines, such policies could force organizations to suspend the operations of their critical infrastructure in order to patch and reboot the systems running them.

Another area that global cyber security standards could affect is information privilege policy. Currently, due to regulatory compliance codes, network administrators are often barred from accessing a network to perform updates or patches because of confidentiality issues. Accessing internet-connected medical devices, for instance, in many circumstances violates HIPAA rules.

One case serves as a stark example of the information access governments may at some point grant in the name of maintaining security in cyberspace. In May 2012 Microsoft initiated an effort, code-named Operation B71, with the purpose of identifying and disrupting servers being used in botnet operations. Microsoft lawyers convinced a New York federal court to grant the corporation permission to sever command and control servers associated with the then ongoing Zeus botnet campaign. As part of this operation, Microsoft physically confiscated two servers in Pennsylvania and Illinois with the help of federal law enforcement personnel. According to Microsoft’s own account of the events, over 800 domains were then secured and monitored, and data flowing to them from Microsoft customers was diverted to internet “sinkholes.” As Richard Boscovich, assistant head of Microsoft’s Digital Crimes Unit, admitted, many legitimate domains were also affected in this operation. According to Boscovich, these domains had been “compromised” by hackers. The case demonstrates how the trend toward globalized cyber security standards that require government and civilian sectors to be closely partnered could lead to more forced intrusion into the private sector. It is worth noting that Smith brought up Operation B71 in his recent RSA Conference address as an example of a private industry organization, in this case Smith’s own company, Microsoft, partnering with government to disrupt criminal activity.

3) Cross-Platform Programs New Targets of Ransomware

As ransomware attacks increase, hackers have shifted their focus onto the most lucrative targets for such an attack. Since ransomware capitalizes on victims’ attachment to their data, a store of centralized data, preferably business oriented, is the best target for extorting a ransom. Thus it is no surprise that researchers have identified a trend in recent months of cross-platform programs becoming the newest targets of such attacks. Cross-platform programs such as Hadoop and CouchDB use multiple systems as nodes to handle complex applications and large data sets, much as a file on a single hard drive is stored across several separate logical nodes. The amount of data stored on the most popular platforms, most often commercial and business related, is astoundingly large, reaching several thousand terabytes. A hacker capable of disrupting such a platform and holding its users’ data hostage would attain tremendous leverage to extort a ransom.

Cases demonstrating this trend have been increasing of late. Several US-based security researchers began to detect the hacking of accounts on the cross-platform database program MongoDB. Hackers wiped accounts clean and sent messages to account holders demanding ransom to restore the data.

The number of compromised accounts quickly spiked to over 27,000 within a week of the first identified hacks, clearly indicating that multiple criminals, perhaps worldwide, picked up on the initial success of the technique and joined the bandwagon. In the weeks that followed, several hundred accounts were reported hacked on similar programs including Elasticsearch and CouchDB. One UK-based research firm reported multiple attacks on installations of the Hadoop Distributed File System (HDFS), the storage component of the Hadoop cross-platform software framework. Further investigation by the group uncovered that at least 8,000 HDFS installations were exposed worldwide.

Upon examining these attacks, it became clear that neglect of basic security protocol led to the breaches. The default mode of many cross-platform software frameworks is to allow access without authentication, essentially meaning that the administrator account of a given installation is configured without a password. This in turn means that anyone with basic proficiency in the system can potentially start deleting files. Regarding the MongoDB hacks, researchers reported that every hacked instance involved an account without a password. Similarly, hacked HDFS installations were shown to have been left at the default “access without authentication.”

A probe by the cyber research group Shodan demonstrated that these cross-platform vulnerabilities are still rampant. Shodan’s study focused specifically on HDFS, dubbing it the “juggernaut” of exposed data. While other popular programs have more servers across the internet, HDFS servers hold many times more data by volume than comparable platforms. The probe revealed approximately 4,500 exposed servers holding collectively some 5,000 terabytes of data.

In order to secure cross-platform operations, businesses and other organizations must change their security protocol when using these programs. This is easier said than done. Undoing default settings and creating a single password-protected administrator account will have its effects on day-to-day operations, as it will ultimately limit accessibility. Several of these platforms, including Hadoop’s HDFS, require complex procedures to re-configure default settings. Many platforms can be configured to a “secure mode”. However, this requires that authentication protocols be available to all relevant users. HDFS can be switched to secure mode using the Kerberos authentication tool; however, the tool must then be available to all users. Each user would also be required to have a working knowledge of the tool as well as of basic DNS functions.
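A configuration audit for the defaults discussed in the two preceding paragraphs, as an added example (not from the article or from either project): it reads a Hadoop core-site.xml and a mongod.conf, reports the settings that leave an installation open without authentication, and shows a weak sample beside its hardened version. The key names are real Hadoop and MongoDB settings; the sample files are constructed and the YAML reader is a minimal stand-in.

```python
"""Audit a Hadoop core-site.xml and a mongod.conf for no-authentication defaults (added
example; real key names, constructed samples, minimal YAML reader rather than full YAML)."""
import xml.etree.ElementTree as ET

def parse_simple_yaml(text):
    """Read 'section:' lines followed by indented 'key: value' lines (enough for samples)."""
    out, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, val = line.strip().partition(":")
        if not raw.startswith(" "):             # top-level section such as 'security:'
            section, out[key] = key, {}
        elif section is not None:
            out[section][key] = val.strip()
    return out

def audit_hadoop_core_site(xml_text):
    """Hadoop's own default is 'simple' authentication: clients just assert a username."""
    props = {p.findtext("name"): (p.findtext("value") or "").strip()
             for p in ET.fromstring(xml_text).iter("property")}
    findings = []
    if props.get("hadoop.security.authentication", "simple") != "kerberos":
        findings.append("hadoop.security.authentication is not kerberos: identity is unverified")
    if props.get("hadoop.security.authorization", "false").lower() != "true":
        findings.append("hadoop.security.authorization is not true: service ACLs are off")
    return findings

def audit_mongod_conf(yaml_text):
    """Without security.authorization every client connects with full privileges."""
    cfg = parse_simple_yaml(yaml_text)
    findings = []
    if cfg.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization is not enabled: no login required")
    bind = cfg.get("net", {}).get("bindIp", "127.0.0.1")   # mongod 3.6+ defaults to localhost
    if any(a.strip() in ("0.0.0.0", "::") for a in bind.split(",")):
        findings.append("net.bindIp listens on all interfaces: exposed if unfiltered")
    return findings

# Constructed samples: an out-of-the-box style file beside its hardened counterpart.
WEAK_CORE_SITE = ("<configuration><property><name>hadoop.security.authentication"
                  "</name><value>simple</value></property></configuration>")
HARDENED_CORE_SITE = ("<configuration>"
    "<property><name>hadoop.security.authentication</name><value>kerberos</value></property>"
    "<property><name>hadoop.security.authorization</name><value>true</value></property>"
    "</configuration>")
WEAK_MONGOD = "net:\n  bindIp: 0.0.0.0\n"      # no security section at all
HARDENED_MONGOD = "security:\n  authorization: enabled\nnet:\n  bindIp: 127.0.0.1\n"
```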

Additionally, the very nature of these programs, which require connections to a myriad of nodes, multiplies the risk. Efficient, up-to-date firewalls capable of blocking undesirable access and packet flow, as well as Secure Sockets Layer (SSL) configurations to encrypt server connections, are vital in such an interconnected system.

Author's Bio: 

Cyberroot Risk Advisory is an international strategic consultancy specializing in information security and online reputation management. We help corporations, government agencies and individuals reduce their exposure to risk and maintain their online reputation.