If we look back at some of the recent cybersecurity headlines, it’s clear that it’s been a year full of ransomware and cover-ups. We saw a significant uptick in the maturity and sophistication of attacks. Not only was more data stolen than ever before, but the biggest hacks we’ve ever experienced also occurred. In short, it was a banner year for hackers.
With every successful attack and response failure though, there is a lesson to be learned. Here’s a look at what we think are the top 8 cybersecurity fails from the past year, and what actions you can take now to protect your organisation from similar incidents.
#1. Shadow Brokers
The Shadow Brokers is an anonymous group that’s been around since 2013. They are responsible for stealing secrets from the NSA hacking group known as Tailored Access Operations (TAO). Part of the stolen information exposed vulnerabilities in Cisco routers, Microsoft Windows, and Linux mail servers. In total they grabbed about 20 exploits, many of which were zero-days. Microsoft confirmed that many had already been patched.
In 2016 they started dumping these secret files on the internet, and many of the largest cyberattacks of 2017 were propagated using the stolen exploits. At this point, no one knows who is behind the attack. While the Russians are suspected, it may be the work of an insider.
#2. WannaCry
In May of 2017, we experienced a first-of-its-kind worldwide cyberattack involving a ransomware cryptoworm dubbed WannaCry. It encrypted data and demanded a Bitcoin ransom, but its ability to self-replicate was what made it so dangerous. Even though it was stopped within a few days when a kill switch was discovered, it infected over 200,000 computers in 150 countries, causing hundreds of millions of dollars’ worth of damage. It was propagated through the EternalBlue exploit, which was stolen from the NSA by the Shadow Brokers.
#3. NotPetya
In June, we experienced another massive global cyberattack in the form of an encrypting ransomware named NotPetya. It was once again propagated via the EternalBlue exploit. Targets included energy companies, the grid, transportation facilities, and banks. It was first reported in the Ukraine, but other European countries and the United States were affected, as well. The source was believed to be a Ukrainian tax preparation program, after a backdoor was detected. It was reported that 2,000 users were infected. The software demanded a payment of $300 to restore the user’s files and settings. But, for companies without controls in place, the cost was more than the ransom payment. The shipping giant Maersk reported that the NotPetya ransomware attack cost them over $200 million.
#4. Bad Rabbit
In late October we saw the third major ransomware outbreak of the year with Bad Rabbit. Like NotPetya, Bad Rabbit was able to move laterally across an infected network and propagate without user interaction. However, it was a drive-by attack. Victims would infect themselves by visiting a malicious website where a fake Adobe Flash installer could be downloaded and manually executed.
Victims were directed to a Tor payment page and presented with a countdown timer and ransom demand of 0.05 bitcoin for decrypting the files. Those who didn’t pay the ransom before the timer reached zero were told the fee would go up and they would have to pay more. It was seen mostly in Russia and Eastern Europe, and appeared to have been a targeted attack against select corporations, including media outlets. In just a few hours, it affected over 200 major organisations. It’s not yet known who was behind it.
#5. Uber
While the attack and subsequent breach at Uber occurred in late 2016, it wasn’t disclosed until November 2017. The personal data from 57 million riders and drivers was stolen, in addition to information from 600,000 driver’s licenses. Uber took very few steps to protect all this personally identifiable information. None of the data was encrypted. Hackers were able to compromise Uber’s GitHub account after they'd obtained credentials to access the data stored on an Amazon server. Then they approached Uber and demanded $100,000 in ransom to delete their copy.
Uber paid the hackers off and then kept the breach secret for more than a year. A huge fail, considering they were required to disclose it under California’s breach notification laws. They are facing fines and legal fees, and some have lost their jobs because of the incident.
#6. Yahoo!
In December of 2016, Yahoo! reported that 1 billion user accounts had been hacked, and sent user notifications out in February of 2017. Unfortunately, it was later disclosed in October 2017 that the breach had actually taken place in 2013 and 3 billion user accounts were affected (that is every single user account at that time). Additionally, Yahoo! suffered a separate breach in late 2014 that wasn’t disclosed until 2016 that affected 500 million accounts. These breaches are the two largest breaches in the history of the Internet. It took 4 years for full disclosure.
At issue was the unfortunate fact that users weren’t required to change their passwords. Yahoo! was using the MD5 algorithm for their hash function, which is relatively easy to crack. Consequently, usernames and passwords were compromised, along with answers to encrypted security questions. Again, the big fail here is the delay in discovery and reporting, not to mention the lax attitude within Yahoo! towards security. Until very recently, Yahoo! still didn’t require users to change their passwords. This has now become one of the largest class action lawsuits ever because of the amount of time it took to disclose.
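An added example (not from the original article or from Yahoo!) of one way a defender can strengthen a table of unsalted MD5 password hashes without waiting for users to change their passwords: wrap each stored digest in a salted, slow KDF. The function names, record layout, iteration count and sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune to your hardware


def legacy_md5(password: str) -> str:
    """The weak scheme: one unsalted MD5 pass, stored as a hex digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def wrap_legacy_hash(md5_hex: str) -> dict:
    """Strengthen a stored MD5 digest without knowing the password.

    The old digest becomes the input to a salted, slow KDF, so the whole
    table can be upgraded offline instead of waiting for each user to log in.
    """
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", md5_hex.encode("ascii"), salt, ITERATIONS)
    return {"scheme": "pbkdf2-sha256(md5)", "salt": salt.hex(),
            "iterations": ITERATIONS, "hash": derived.hex()}


def verify(password: str, record: dict) -> bool:
    """Check a login attempt against a wrapped record in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", legacy_md5(password).encode("ascii"),
        bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate.hex(), record["hash"])


def migrate(table: dict) -> dict:
    """Replace every bare MD5 value in {user: md5_hex} with a wrapped record."""
    return {user: wrap_legacy_hash(md5_hex) for user, md5_hex in table.items()}


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    old = {"alice": legacy_md5("Summer2013!"), "bob": legacy_md5("Summer2013!")}
    print("identical MD5 digests:", old["alice"] == old["bob"])
    new = migrate(old)
    print("identical after wrapping:", new["alice"]["hash"] == new["bob"]["hash"])
    print("login still works:", verify("Summer2013!", new["alice"]))
```

Wrapping is an interim step: at the next successful login, re-hash the plaintext password directly with the slow KDF and drop the MD5 layer.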
In March of 2017, the FBI charged four individuals, two of whom worked for Russia's Federal Security Service, for the Yahoo! breach.
#7. Equifax
In early September 2017, it was reported that credit-reporting entity Equifax had been breached. It was initially reported that 143 million Americans had their information compromised, including name, social security numbers, birth dates, addresses, and driver’s license numbers. It was later upgraded to 145.5 million people in the United States and Canada. Additionally, over 200,000 credit card numbers were stolen.
The breach was discovered at the end of July, but started in mid-May. Though smaller in the number of people affected than the breaches at Yahoo!, it is considered the biggest in terms of the sensitivity of the data. When someone has all this personal information from a single person, their identity is essentially owned.
The breach exploited a flaw in Apache Struts, an open-source web application framework. A patch had been released in March 2017, but had not been applied. Additionally, their network lacked sufficient segmentation, they did not adequately encrypt the personally identifiable information (PII), and their breach detection mechanisms were ineffective. Equifax received strong criticism for its incident response handling. Many mistakes were made.
#8. Deloitte
Deloitte, one of the world’s “big four” accounting firms, provides audit, tax, consulting, enterprise risk and financial advisory services with almost 270,000 professionals around the globe. In September of 2017 they reported that they had experienced an incident where only 6 clients were compromised. The small number seems unlikely though, as there were indications that Deloitte knew for some time that something was happening. In October 2016, there was a mandatory password reset internally. Plus, at the original time of reporting, it was unclear if the intruders were still in the system or not.
It was reported that their entire email database and all admin accounts were accessed, yet they never notified their clients. This is a big deal because their clients include some top United States government agencies, including the Department of Defense and Homeland Security, the National Institutes of Health, Fannie Mae and Freddie Mac, not to mention major airlines, multinational car manufacturers, energy giants, and big Pharma.
The origin of the attack appeared to be at a location in Nashville known as the Hermitage where they were performing an upgrade to MS Office 365 and storing data in the MS Azure cloud. There was no multi-factor authentication required, and administrative credentials were stolen.
Lessons Learned and Action Items
One important takeaway – especially from the four cover-up examples – is that if you experience a breach, it’s important to get out in front of it. Do not try to cover it up because it will eventually be discovered. The longer you wait, the worse it will get. And while Uber, Yahoo!, Equifax, and Deloitte will survive, they have work to do in terms of rebuilding their reputation and the trust of their clients, plus they’ll be in litigation for perhaps years to come.
Here are some other actions that you can take now.
- Implement a strong vulnerability management and patching program.
- Train employees to recognise threats and conduct internal social engineering practice engagements, including phishing expeditions and phone pre-texting to test compliance and inform your training plan.
- Develop and implement an Incident Response Plan. Be sure to include your process for notification. Train your team and practice / test regularly.
- Ensure clean, up-to-date backups are available in the event of a ransomware incident, and test your full restore process regularly.
- Receive threat intelligence from various and reliable sources to be aware of new threats, and follow the recommended mitigations provided.
- Follow your cyber insurance requirements to ensure that you will be covered should an incident occur.
- Utilise strong encryption.
- Be aware of vendors using vendors to provide you services.
- Implement an effective intrusion detection process that will establish your network baseline and alert when something suspicious happens or if data loss / leakage may be occurring.
- Utilise multi-factor authentication.
- Implement network segmentation.
- Know where your sensitive data lives and where it travels.
- Implement administrative accounts that identify the specific admin, and do not share accounts with elevated privileges.
- And for the individuals… freeze your credit!
The trend of more and bigger cyberattacks is not expected to change any time soon. As we look beyond 2017, we expect to see more hardware attacks, like the recent Meltdown and Spectre exploits. Ransomware isn’t going to go anywhere, and will continue to evolve. Not only is it a lucrative business that is easy for cybercriminals to get into, but the number of targets also continues to grow with the proliferation of IoT devices and mobile devices. Be sure you are taking the necessary steps to mitigate risks and strengthen your cyber resiliency.