Another week, another massive cyber attack hits the world. Since the WikiLeaks release, powerful new hacking tools are readily available to anyone in the world. This will not be the last attack leveraging these newly available weapons.
This week, it’s a ransomware attack that is still playing out globally. It began on the morning of Tuesday, June 27, 2017, originating in Ukraine. By midday on the U.S. East Coast, the cyber attack had brought down systems and encrypted files at Ukrainian government agencies, the Kiev public transportation system, Boryspil International Airport, Ukraine’s state telecom company, the National Bank of Ukraine, and even the radiation monitoring system at Chernobyl (!). Over 60% of the infections (so far) have been reported in Ukraine.
The cyber attack spread from Ukraine, quickly hitting Russian oil conglomerate Rosneft and oil company Bashneft. It then spread to Evraz, the Russian steel and mining company. Over 80 companies in Russia were reportedly affected by the ransomware. The cyber attack continued to spread westward, hitting Danish shipping giant A.P. Moller-Maersk, French multinational Saint-Gobain, and then multinational advertising firm WPP in the UK. Companies in Spain, France, Italy, Poland, and India were also reportedly affected. It then jumped “The Pond” and infiltrated systems at pharmaceutical giant Merck, multinational law firm DLA Piper, and possibly even food company Mondelez. It even hit Heritage Valley Health Systems, a Western Pennsylvania healthcare network that operates two hospitals in the Pittsburgh area.
The attack has been given several names by different groups. According to some cybersecurity researchers, it resembles a virus known as Petya, a ransomware that locks systems and encrypts files. Other analysts feel that while it resembles Petya, it’s not the same, and have dubbed the assault NotPetya. Still others claim it is a new Petya variant named GoldenEye that spreads ransomware.
What most experts agree on, though, is that the virus spreading the ransomware leverages the very same exploit, called EternalBlue, that was stolen from the U.S. National Security Agency (NSA) by the ShadowBrokers hacking group this past April. If you remember the last massive global ransomware attack, WannaCry or WannaCrypt, which occurred in May, it too leveraged EternalBlue! And, it also attacked systems running Windows XP through Windows 10 – just like GoldenEye.
You may ask, “But, didn’t Microsoft release emergency patches to address the exploit holes that EternalBlue leveraged in Windows and used in the WannaCry attack? So, what happened?”
What happened was that many systems were patched, but others were not. The systems left unpatched provided a conduit for GoldenEye. But GoldenEye is much more than a ransomware attack. It’s a virus, ransomware, and credential theft rolled into one: a large and ominous cyber attack.
The actual trigger for the attack is still being investigated. Some researchers say it was started by spam email and spearphishing coming from a trusted source. Others say that it was started by phishing emails – also from a trusted source – with malware-laden attachments; this prompted Microsoft to release a statement, basically saying that users should “exercise caution when opening files in emails from unknown sources”.
Other researchers have reported that the Ukrainian accounting software company MeDoc was “ground zero” for the cyber attack. MeDoc denies the allegation, but several cybersecurity researchers have reportedly confirmed it. They say it’s possible that some infections are associated with software updates for the MeDoc accounting package. Speculation is that the company was hacked, and that a malware-laden software update was pushed out from its compromised servers to users. Hence, the trusted source.
Not only is the stolen NSA exploit, EternalBlue, being employed, but so is a separate exploit, PsExec. PsExec uses a single computer that has not received the latest Windows updates as a foothold from which to spread the infection while searching for administrative credentials. Those admin credentials allow the attack to spread to systems that had been updated or patched after the WannaCrypt/WannaCry attack. A Russian security firm reported that the GoldenEye attack also bundles a tool that can gather passwords and credential data from Windows computers and domain controllers on an attacked network. Additionally, the GoldenEye attack encrypts not only files but also entire hard drives, rendering systems useless.
Adding to the problem, the ransom note calls for a Bitcoin payment and confirmation to an email address; however, that email address has been blocked by the email provider, so no files can be decrypted.
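The credential-based spread described above is the part that patching alone does not stop: once an attacker holds admin credentials, PsExec-style remote execution works against fully patched hosts too. What a defender can do is watch for its footprint. When PsExec (or a tool imitating it) runs a command on a remote host, the Service Control Manager on that host records a new service installation (Event ID 7045 in the System log), by default named PSEXESVC with its binary copied into the ADMIN$ share (which maps to %SystemRoot%). The following detector is an added example, not code from the original post or from any vendor; the key=value log layout and the sample lines are constructed for illustration, and the third rule (a demand-start service whose binary sits directly in %SystemRoot%) is a heuristic intended to catch renamed copies.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of System-log events in a simplified key=value layout
# (not real logs); three of them are PsExec-style remote service installs.
SAMPLE_LOG = """\
2017-06-27T10:03:11 host=WS-17 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe StartType=demand AccountName=LocalSystem
2017-06-27T10:04:02 host=WS-17 EventID=7045 ServiceName=GoogleUpdater ImagePath="C:\\Program Files\\Google\\Update\\GoogleUpdate.exe" StartType=auto AccountName=LocalSystem
2017-06-27T10:05:44 host=DC-01 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe StartType=demand AccountName=LocalSystem
2017-06-27T10:06:10 host=FS-02 EventID=7045 ServiceName=svc3f2a ImagePath=\\\\FS-02\\ADMIN$\\svc3f2a.exe StartType=demand AccountName=LocalSystem
2017-06-27T10:07:00 host=WS-22 EventID=4624 LogonType=3 AccountName=CORP\\admin
"""

# key=value pairs; values may be double-quoted when they contain spaces
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    timestamp: str
    host: str
    service: str
    reason: str


def parse_event(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into a dict; the first token is the timestamp."""
    line = line.strip()
    if not line:
        return None
    timestamp, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    fields["timestamp"] = timestamp
    return fields


def classify_service_install(ev: Dict[str, str]) -> Optional[str]:
    """Return why a 7045 event looks like PsExec-style remote execution, or None."""
    if ev.get("EventID") != "7045":
        return None
    name = ev.get("ServiceName", "")
    path = ev.get("ImagePath", "")
    if name.upper() == "PSEXESVC":
        return "default PsExec service name"
    if "\\ADMIN$\\" in path.upper():
        return "service binary staged via the ADMIN$ share"
    # Heuristic: a renamed PsExec still drops its binary straight into
    # %SystemRoot% (no subfolder) and registers a demand-start service.
    prefix = "%SystemRoot%\\"
    if (path.upper().startswith(prefix.upper())
            and "\\" not in path[len(prefix):]
            and ev.get("StartType") == "demand"):
        return "demand-start service binary dropped directly into %SystemRoot%"
    return None


def detect(log_text: str) -> List[Finding]:
    """Run the classifier over every line and collect the suspicious installs."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev:
            continue
        reason = classify_service_install(ev)
        if reason:
            findings.append(Finding(ev["timestamp"], ev.get("host", "?"),
                                    ev.get("ServiceName", "?"), reason))
    return findings


def hosts_hit(findings: List[Finding]) -> List[str]:
    """Distinct hosts with a suspicious install; several within minutes is the lateral-movement signal."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for f in found:
        print(f"{f.timestamp} {f.host:6} {f.service:12} {f.reason}")
    print("hosts affected:", ", ".join(hosts_hit(found)))
```

On the constructed sample this flags three installs across three hosts, including a domain controller, within four minutes; the legitimate updater service and the ordinary network logon are left alone. In a real environment the same logic would be fed from forwarded System logs, and the per-host count over a short window is what turns individual hits into an incident.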
This will not be the last attack leveraging these newly available weapons. Protect your end users from phishing emails, continually update software with current patches, and deploy layers of defense. Meanwhile, revisit your security strategy now that threat levels have dramatically changed.