A year after devastating NotPetya outbreak, what have we learnt? Er, not a lot, says BlackBerry bod

Today (27 June) marks the first anniversary since the NotPetya ransomware ravaged a range of businesses from shipping ports and supermarkets to ad agencies and law firms. Once in a system, the code sought to encrypt files and destroyed master boot records, leaving infected Windows machines useless. The malware spread using the …

  1. Doctor Syntax

    "outdated systems"

    Where do you draw the system boundaries? A stand-alone PC running a particular version of a particular OS might be out-dated. An expensive piece of kit, of which a similar PC is a component, still performing the function for which it was bought and within its budgeted lifetime is a different matter.

    1. Nick Ryan

      And usually a basic firewall/router separating the critical, but non-updateable PC that operates this kit, from the wider network is all that is required. The unpatched system shouldn't be able to affect kit in the wider network and vice-versa.

      Not always possible, of course, but usually is.

  2. Richard Jones 1

    System Boundaries

    As a start point where the machine meets any network or other external boundaries and ensure they do not exist. This clearly includes external devices, portable external drives, thumb drives, etc. I have an old XP machine, actually several but none of them have had a problem since they are not currently turned on and used. Were they to be employed it would only be by me for a controlled reason under defined circumstances, set out by me. (Possibly this would include the extraction of data thought to be held there if not found anywhere else.)

  3. AnonFairBinary

    Patching is the most important thing, and it's really hard.

    Patching is hard... really monstrously hard. It is the single most important *security* activity, and yet it has zero visibility in most organizations. What *patching* means is being able to update your operational systems weekly, having pre-operational systems that you can deploy to and have confidence that they really will see whatever happens in ops. If half the energy spent on security baubles and consultants' checklists were spent on process and equipment to enable patching, the world would be much better off.

    1. Doctor Syntax

      Re: Patching is the most important thing, and it's really hard.

      "Patching is hard... really monstrously hard."

      And harder still if the patch interferes with the operation of the overall system or with regulatory requirements. In the latter case the system which actually needs to be examined and modified if required includes the regulatory process.

  4. Conrad Longmore

    Bollocks

    It didn't matter if your systems were up-to-date with NotPetya or not. It harvested administrator and local administrator credentials via a custom version of Mimikatz and used those, in *addition* to spreading through ETERNALBLUE / DOUBLEPULSAR etc.

    I suspect that many of the organisations so badly hit had decent patch management regimes, but were weaker on passwords. It was not the same as WannaCry. No, not at all.
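    The point above is that NotPetya spread with harvested admin credentials as well as with the SMB exploit, so a fully patched estate still fell to one account logging on to host after host. The following is an added detection example, not code from the article or any commenter: it scans constructed Windows-style logon records (event 4624, logon type 3 = network) and flags any single account reaching many distinct hosts inside a short window, the footprint a credential-reuse worm leaves in security logs. The log format and sample values are assumptions made for the example.

```python
"""Flag one account producing network logons to many distinct hosts in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry):
# timestamp, event id, account, logon type, destination host.
SAMPLE_LOGS = """\
2017-06-27T10:12:01 4624 CORP\\svc_backup 3 FILESRV01
2017-06-27T10:12:03 4624 CORP\\svc_backup 3 WS-0412
2017-06-27T10:12:04 4624 CORP\\svc_backup 3 WS-0419
2017-06-27T10:12:06 4624 CORP\\svc_backup 3 WS-0420
2017-06-27T10:12:07 4624 CORP\\svc_backup 3 PRINT02
2017-06-27T10:12:09 4624 CORP\\svc_backup 3 WS-0433
2017-06-27T10:30:00 4624 CORP\\alice 3 FILESRV01
2017-06-27T11:05:00 4624 CORP\\alice 2 WS-0412
"""

def parse(lines):
    """Keep only successful network logons (4624, type 3) as (time, account, host)."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, eid, account, ltype, host = line.split()
        if eid == "4624" and ltype == "3":
            events.append((datetime.fromisoformat(ts), account, host))
    return events

def find_lateral_bursts(lines, window=timedelta(minutes=5), threshold=5):
    """Return {account: sorted hosts} for accounts that reached >= threshold
    distinct hosts within any sliding window of the given length."""
    per_account = defaultdict(list)
    for ts, account, host in parse(lines):
        per_account[account].append((ts, host))
    alerts = defaultdict(set)
    for account, evs in per_account.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts = {h for _, h in evs[start:end + 1]}
            if len(hosts) >= threshold:
                alerts[account].update(hosts)
    return {acct: sorted(hosts) for acct, hosts in alerts.items()}

if __name__ == "__main__":
    for account, hosts in find_lateral_bursts(SAMPLE_LOGS).items():
        print(f"ALERT {account} reached {len(hosts)} hosts: {', '.join(hosts)}")
```

    The threshold and window are tuning knobs; backup and monitoring service accounts legitimately fan out, so an allowlist of expected accounts belongs in front of this check before it is used as an alert.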

    1. Anonymous Coward

      Re: Bollocks

      Basically, Obi Wan walking through your defenses, throwing your stormtroopers off dangerous catwalks that would attract Elf & Safety were they physically visible?

      It was historic

      "There is always a bigger phish."

    2. macjules

      Re: Bollocks

      Quite apt ..

      "Reckitt Benckiser – the firm behind the Dettol and Durex brands – said the attack cost it £100m ($136m)"

      Then again, they bounced back ok.

      1. Doctor Syntax

        Re: Bollocks

        "said the attack cost it £100m"

        When hacked companies say things like this you have to wonder how much of that was spent putting in place the defences they should have had all along. In other words, some of it's deferred spending and some of it is what that deferring has cost them in the long run.

        1. Cpt Blue Bear

          Re: Bollocks

          "When hacked companies say things like this you have to wonder how much of that was spent putting in place the defences they should have had all along."

          You fail to understand the corporate management mentality. Security is a real and immediate cost which generates no return if it works as planned. Disruption costs are mostly potential and should they become actual, will be covered by insurance. Plus you get to attach your name to the valiant recovery operation thus furthering your career.

    3. Anonymous Coward

      Re: Bollocks

      I know one of the companies hit was hit because they didn't patch. My understanding about the harvesting of cached credentials was that it depended on a (singular) Windows host being compromised by an alternative method to harvest those creds in the first place.

      As for patching, they got rid of the people managing patching around 6 months prior as it was all being outsourced. Chances of patching being done between getting rid of those people and NotPetya based on the impact to their global operations? Zero... When they went to deploy new machines, they were wiped out almost instantly because (wait for it....) they weren't patched either... They needed to get a reseller to provide new standard builds as their outsourcer was unable to assist....

      1. Doctor Syntax

        Re: Bollocks

        "They needed to get a reseller to provide new standard builds as their outsourcer was unable to assist."

        But think of all the bonuses management got because of all the money they saved by outsourcing.

  5. Anonymous Coward

    "What have we learnt?"

    "Er, not an 'loT'".... <<<FTFY>>>

    ----

    Security in general, what we learned? .... "A leading security camera-maker has sent footage from inside a family's home to the wrong person's app"...

    https://www.bbc.co.uk/news/technology-44628399

  6. Anonymous Coward

    Russia to blame for NSA malware?

    "The malware spread using the US National Security Agency's leaked EternalBlue exploit, which was also abused by WannaCry months earlier .. The effects were devastating. Western intel agencies subsequently blamed Russia for the attack."

    In related news, Russian intelligence agencies were to blame for kidnapping a bear off of Paddington railway station and putting him to work in some gulag making Wellington boots.

  7. EnviableOne

    Patch Outdated Systems?

    Wasn't this what started NotPetya (or Talos' name Nyetya, which is better)?

    If you had not patched MeDoc, then you wouldn't have got Nyetya!
