Wednesday, 28 June 2017

The Ransomware called NotPetya – Cyber Experts have their say

Tuesday’s global cyber attack caused havoc and disruption to all manners of businesses. Many within the cyber industry are debating whether the ransomware used was actually a strain of Petya or was it something completely new. With it first being detected in Ukraine, where companies updating a mechanism within an accounting program that had connections to the Ukrainian government, the malware was able to seed itself and affect systems within the government, industrial enterprises, banks, airports and transportation services.  It spread fast and caused havoc to systems at major European and American corporations with British advertising giant WPP, Danish shipping behemoth Maesk and Merck & Co the American pharmaceutical corporation among those that were hit. Cyber Security experts have offered their advice and insight around Petya or NotPetya with many saying attitudes towards cyber security need to change:

Javvad Malik, security Advocate at AlienVault:

It appears to be a new ransomware campaign impacting multiple countries and some major businesses with some manufacturing reportedly stopped. The ransomware appears to be a Petya variant that may be spreading via EternalBlue; although this is not confirmed yet. Further information is being collated at https://otx.alienvault.com/pulse/59525e7a95270e240c055ead/

Andrew Clarke, EMEA Director at One Identity:

The best advice to all is it is time to act now – make cyber security the number 1 item on the agenda at the next board meeting – and resolve to take proactive action to strengthen your cyber defences.    What we are seeing in the continuing battle against the cyber threats is a massive escalation that will impact anyone who is not taking this seriously and has proactively analysed, reviewed and acted upon advice for their own environments. The phrase ransomware is entering every day conversation and many people are familiar with the consequences of its impact.  The overnight escalation of a global ransomware attack serves to re-enforce the need for all of us to step up our game regarding cyber security – both at a personal level as well as a corporate level

Robery Lipovksy, Researcher at ESET:

ESET researchers have located the point from which this global epidemic has all started. Attackers have successfully compromised the accounting software M.E.Doc, popular across various industries in Ukraine, including financial institutions. Several of them executed a trojanized update of M.E.Doc, which allowed attackers to launch the massive ransomware campaign today which spread across the whole country and to the whole world. M.E.Doc has today released a warning on their website: http://www.me-doc.com.ua/vnimaniyu-polzovateleyBased on our investigation, it appears the attack was launched in the morning hours of June 27, Ukrainian time.

Lee Munson, Security Researcher at Comparitech.com:

When businesses around the world woke up to the WannaCry ransomware recently, they must have thought their worst nightmares had come true. That a kill switch was found, and the damage done relatively small, was extremely fortunate but it should have painted a powerful picture of what could happen should another ransomware attack come marching over the hill. That Petya has caught major organisations unaware, including financial companies that are usually among the most secure types of business, is therefore a massive shock and a huge cause for concern. Most businesses will have learned the value of maintaining regular backups and the implementation of technical security controls to create restore points and block ransomware at the point of entry. Petya, however, highlights how staff awareness may still be an issue, giving an in to attacks of this kind, and perhaps highlights how patch management may still be lagging way behind where it needs to be.

Paul Edon, Director at Tripwire:

Tuesdays cyber-attacks that caused disruption to Ukrainian Banks, Ukrenergo Power Distribution and other Ukrainian commercial business appears to have gained initial entry via a phishing attack and then spread across systems by means of the EternalBlue exploit. Phishing attacks are common-place and currently represent the most successful entry point leading to a successful breach.  Foundational Controls such as Email and Web filtering combined with comprehensive workforce education will greatly reduce the success of these attacks. Email and Web filtering can recognise and block malicious URL access and quarantining suspicious attachments. Workforce education will help users identify phishing email, deter them from clicking on unknown or unexpected attachments, discourage the access of unknown URL’s, and assist staff in recognising unusual system activity. EternalBlue exploits a known vulnerability within the Microsoft Server Message Block (SMB v1) protocol, which allows attackers to execute arbitrary code using specially crafted packets. Microsoft originally released a patch for supported Microsoft Operating Systems in mid-March 2017.  After the WannaCry ransomware attacks which also used EternalBlue to traverse networks Microsoft released a further patch for legacy operating systems such as Windows XP and Windows Server 2003.  Patch Management is a Foundational Control that forms an important part of the technical security strategy. If for reasons of legacy or critical operations these patches cannot be deployed then it is crucial that organisations assess the risk accordingly and use further mitigating controls to monitor and protect those systems.

The post The Ransomware called NotPetya – Cyber Experts have their say appeared first on IT SECURITY GURU.



from The Ransomware called NotPetya – Cyber Experts have their say

No comments:

Post a Comment