There was something in that event of 12.05.2017 that initiated probably a new Era for Cybersecurity issues in the digital transformation of our World. UK health care hit by cyber attacks with British hospitals disrupted. France’s Renault hit in worldwide ‘ransomware’ cyber attacks with lines of production stopped …
The map above shows that the attack struck simultaneously in many countries around the globe. Consequently, security researchers believe a criminal organization is behind this, given its global reach and sophistication.
About this similar tragic events, Jean Monnet, a French political economist and diplomat called “The Father of Europe”, said:
“Les hommes n’acceptent le changement que dans la nécessité et ils ne voient la nécessité que dans la crise.”
Translated in English and adapted by me, in light by the current global cybersecurity attack, a modernized version could be :
“People only accept change in necessity and see necessity only in (cyber)crisis.”
For Microsoft, Telefonica, British hospitals (NHS), Fedex, Santander, KPMG, Renault, BBVA, Vodafone, … and +100 countries impacted, that lesson, I think, has been learnt well.
Massive cyber attack boosted by NSA hacking tools
In practice, WannaCry (developed from an NSA exploit leaked in the most recent ShadowBrokers dump) scrambles data on computers and then demands payments of $300 to $600 (approximately €274 to €550) to restore access. Moreover, this cyber attack has generated a great deal of panic in all the world.
However, it’s a great stress test/exercises for all cyber security national agencies (ANSSI, BSI, NCSC, etc.) to assess the preparation/training of vital infrastructure operators for a nation. Then, they will have to do the full set back accounting due to unavailability of critical systems such as hospitals, banks, factories, express transports, telecommunication, etc.
In analogy with my previous job, I was having to explain continuously the necessity to anticipate threats by investing in intelligence solutions to support in the fight against terrorism and the protection of populations and vital infrastructure. After the tragics events in Europe and France in particular hit by terrorism, it was suddenly needless to extend the rhetoric on this horrible phenomenon in order to persuade decision makers of its importance. Therefore, the crisis was so significant that they had no choice but to propose some measures and efforts needed to combat threats.
The Security Operations Centers (SOC): the Cyber security core reactor
But we ought to have a special thought for all personnel of SOC (public or private) being in the front line of the cyber attack assigned directly in the defensive computing fight : CALID, COSSI, Airbus Cyber Security, Sopra-Steria, Thales, I-Trust, IMS Networks, etc.
A major and great sportsman, Michael Jordan had an interesting philosophy, principles and ways of living that guided his day to day activities:
As from next Monday, I hope a positive situation from this negative situation, where will be senseless to spent much time and energy to explain the importance to invest money and time to protect critical systems: security/privacy by design, ensure that IoT/Industrial IIoT are maintained in a state of operational security, the (layered) in-depth defence in the critical & complex systems such as Smart Grids, Factory Of Future, Connected Vehicle, IoT…
Next step: to adopt a Cyber Security Posture or to collapse
Don’t forget that defensive cyber warfare aims to keep operational networks and systems at a high security level, in a potentially hostile cyber-environment. That’s why it’s critical to improve cyber security of Smart Factory & Industrial IoT (Io4 project). In the same way, it’s vital to anticipate threats and mitigate cyber attacks with an empower supervision of complex networks of (internal & external) sensors. The SNG project purposes to build the SOC Next Generation with new Cyber Threat Intelligence capabilities putting forward an efficient public-private framework.
Executive Summary of the Cyber Attack
A major ransomware attack has affected many organizations across the world reportedly including Telefonica in Spain, the National Health Service in the UK, and FedEx in the US. The malware responsible for this attack is a ransomware variant known as ‘WannaCry’.
The malware then has the capability to scan heavily over TCP port 445 (Server Message Block/SMB), spreading similar to a worm, compromising hosts, encrypting files stored on them then demanding a ransom payment in the form of Bitcoin.
Additionally, Talos has observed WannaCry samples making use of DOUBLEPULSAR which is a persistent backdoor that is generally used to access and execute code on previously compromised systems. This allows for the installation and activation of additional software, such as malware. This backdoor is typically installed following successful exploitation of SMB vulnerabilities addressed as part of Microsoft Security Bulletin MS17-010. This backdoor is associated with an offensive exploitation framework that was released as part of the Shadow Brokers cache that was recently released to the public. Since its release it has been widely analyzed and studied by the security industry as well as on various underground hacking forums.
WannaCry does not appear to be only be leveraging the ETERNALBLUE modules associated with this attack framework, it is simply scanning accessible servers for the presence of the DOUBLEPULSAR backdoor. In cases where it identifies a host that has been implanted with this backdoor, it simply leverages the existing backdoor functionality available and uses it to infect the system with WannaCry. In cases where the system has not been previously compromised and implanted with DOUBLEPULSAR, the malware will use ETERNALBLUE for the initial exploitation of the SMB vulnerability. This is the cause of the worm-like activity that has been widely observed across the internet.
Organizations should ensure that devices running Windows are fully patched and deployed in accordance with best practices. Additionally, organizations should have SMB ports (139, 445) blocked from all externally accessible hosts.
Please note this threat is still under active investigation, the situation may change as we learn more or as our adversary responds to our actions. Talos will continue to actively monitor and analyze this situation for new developments and respond accordingly. As a result, new coverage may be developed or existing coverage adapted and/or modified at a later date. For current information, please refer to your Firepower Management Center or Snort.org.
source : tallosintelligence.com