Wipe Away the Threat of Wiper AttacksExperts Preach Back to Basics: Strong Authentication, Least Privilege Access
So many information security challenges seem like déjà vu all over again, now with added "cyber" in the form of cybercrime opportunism or failed diplomacy having online repercussions.
Take the recent U.S. government alert, warning that as geopolitical tensions rise with Iran, Tehran could retaliate by launching more online attacks, including using data-destroying "wiper" malware attacks to destroy American businesses' networks (see DHS: Conflict With Iran Could Spur 'Wiper' Attacks).
"These efforts are often enabled through common tactics like spear-phishing, password spraying and credential stuffing," warned Christopher C. Krebs, director of the Department of Homeland Security's Cybersecurity and Infrastructure Agency. "What might start as an account compromise where you think you might just lose data can quickly become a situation where you've lost your whole network."
Read my statement on Iranian cybersecurity threats below. pic.twitter.com/qh7Zp9DBMY— Chris Krebs (@CISAKrebs) June 22, 2019
But spear-phishing, password spraying and credential attacks aren't new. Indeed, criminals have already been using them - literally for years - to compromise corporate networks and individuals' systems alike (see Credential Stuffing Attacks: How to Combat Reused Passwords).
Will corporate America - et al - suddenly get better prepared just because there's the specter of Iranian actors using these tactics to erase their hard drives?
Perhaps it's never a bad a idea to remind businesses to be prepared, as DHS is doing. That begs the question, however, of what's stopping them from already having defenses in place against simple attack techniques.
Wiper malware isn't new, and it doesn't have to be advanced or sophisticated to succeed. "These so-called 'wiper' attacks exploit the same vulnerabilities as 'ransomware,'" says information assurance trainer William H. Murray in a recent SANS Institute email newsletter. "However, they are targeted, not opportunistic, and are more likely to be exploited in times of other conflict, rather than immediately after the compromise."
The number of organizations that continue to fall victim to ransomware attacks highlights how ill-prepared many organizations remain (see Second Florida City Pays Up Following Ransomware Attack).
As Murray notes, one of the cautionary notes sounded by DHS is that Iranian hackers may have already infiltrated corporate systems and installed malware. In other words, they may simply be waiting for Tehran the green light to begin crashing networks.
Murray says too many senior executives fail to see their organization's information security program in light of what may have already happened to their organization, except that they remain unaware of it. "We continue to manage as though Sony and Saudi Aramco were anomalous events," he says, referring to previous wiper attacks that many have respectively tied to North Korea and Iran.
Essential Defenses: Start Here
As with ransomware, resisting wiper malware requires putting defenses in place before attackers come calling. "It is time for strong authentication, least privilege access control - or at least 'read-only' or 'execute-only' - and end-to-end application layer encryption," Murray says (see Solve Old Security Problems First).
But that's just the start. "You can add privileged access management - PAM - and safe backup with fast recovery to those three measures," Murray tells Information Security Media Group.
Don't stop there. "We need greatly improved proactive threat detection," Murray says. "We need out-of-band confirmations and alerts for all transactions, many data changes, and some users. We need document management systems for intellectual property."
"In addition to implementing multi-factor authentication, make sure that legacy protocols that don’t support MFA are either disabled or tightly restricted," Lee Neely, a veteran security professional at Lawrence Livermore National Laboratory, says in a recent SANS Newsletter. "Additionally awareness reminders, including spam/phishing reporting processes, would be timely."
Also use multi-factor authentication judiciously. "One other thing I encourage is enabling MFA, particularly for off-site - non-VPN - access to corporate email systems," Neely tells ISMG.
Unfortunately, many organizations don't have many of these essential defenses in place. "Some enterprises may be doing one or two of these, almost none are doing all of them," Murray says.
Such recommendations aren't about technology for technology's sake, but rather to help businesses ensure that when hackers come calling - whether with ransomware, wiper malware or one of my other potential types of attacks - they can fend off the attack or else quickly recover.
Least-privileged access, for example, helps limit the impact of a successful hack attack. Requiring two-factor authentication for access - not least to administrator accounts - also helps block remote attacks.
Many organizations are still failing to see the big picture. Incident response expert Jake Williams, president of Rendition Infosec, recently tweeted out lessons learned by a CISO whose organization was just breached.
Lessons learned during a breach (directly from a CISO that experienced a breach):— Jake Williams (@MalwareJake) June 27, 2019
1. Don't deploy technology without business context. Technology on a network with no business context will only indict you in a breach.
2. Drive your program from external industry experts 1/
"Don't deploy technology without business context," according to the CISO. "It's all about priorities and focus. We were looking at point security solutions versus [the] overall enterprise."
Maersk Retools for Wiper Defense
While organizations continue to get hacked because of basic failures, attackers haven't stopped upping their game. Even organizations with advanced security programs can fall victim to wiper attacks.
Take the NotPetya wiper malware that pummeled organizations beginning on June 27, 2017 (see NotPetya: From Russian Intelligence, With Love).
Speaking last month at the Infosecurity Europe conference in London, Adam Banks, CTO and CIO of Danish shipping giant A.P. Møller-Maersk, recounted how every organization that got infected with NotPetya suffered a 100 percent infection rate. In the case of Maersk, even its systems being fully patched and up to date didn't help (see 10 Highlights: Infosecurity Europe 2019 Keynotes).
The malware was distributed via a legitimate Ukrainian tax accountancy software firm that got hacked, and its systems used to distribute a trojanized application. The software is used by the vast majority of global businesses that must file Ukrainian taxes.
"This piece of malware was designed specifically to destroy data processing capability," Banks said, as well as "to destabilize the government by destabilizing the tax flow," he said. "Of the 7,000 companies that file tax returns in Ukraine, 7,000 were hit."
In Maersk's case, the malware successfully infected every Windows primary, secondary and backup systems in just seven minutes, before lying dormant for 53 minutes, and then irreversibly crypto-locking everything, including all primary, secondary and backup system, including DHCP and Active Directory servers.
Ultimately, Maersk said the malware attack cost it $350 million. Banks suggested the cost would have been even higher, if the company hadn't been so transparent about what happened and the steps it was taking to recover.
Maersk has been rebuilding its network to ensure that if it gets hit with wiper malware again, it will be able to recover. That's what an organization taking an advanced approach to information security, including defending against wiper malware, looks like.
It also stands in sharp contrast to the many organizations that have yet to master the basics. With the threat of wiper attacks increasing, best not delay.