How did the WannaCry attack spread so easily on a global scale, affecting hundreds of systems in 105 countries?
Generally, after compromising a system, malware stays silent on it or tries to compromise adjacent systems without being discovered. This way, the attacker can later decide what to do with the compromised computer (steal confidential information, use it for other attacks, and so on). For this reason, the communications of "classical malware" are usually kept to a minimum.
WannaCry, by contrast, was a combined, high-replication attack.
The first PC in a company was infected because a user clicked on a phishing email link, and the malware installed itself on the PC, encrypting the data and demanding a ransom. From that moment on, the malware behaved differently, as a worm: it scanned the company's local network for Windows PCs with a particular vulnerability in order to replicate itself.
It appears that WannaCry was developed by the "The Shadow Brokers" hacker group using information from the National Security Agency published by WikiLeaks in its campaign called "Vault7". The attack exploited the fact that not all users and companies were quick to install security patches, so the worm replicated quickly, causing a contagion that in some cases became an exponential pandemic.
The extent of the attack demonstrates that the update was not applied globally, even where it could have been. Moreover, in countries such as China and Russia, where there is a high presence of illegally duplicated Windows systems ("pirated copies") that usually do not install patches, the rate of affected systems was very high.
In this case, a ransom was demanded: what are the reasons behind computer attacks of this kind in general?
Surely, the motivation behind WannaCry was economic return: if even a small percentage of infected users had paid, the attackers would have earned substantial revenue.
Generally, attacks are carried out on a variety of grounds: from a hacker's demonstration of strength to a terrorist connotation or cyber-war conflict between countries. In the specific case of WannaCry, given how widely the ransomware spread, the attackers, in addition to their economic motivation, aimed to produce an echo on a global scale, trying to weaken networks and IT infrastructures, especially the most obsolete and least up-to-date ones. One might say it was an attempt to bring the Internet, and the services provided through it, to its knees.
What tools do hackers use to strike?
Hackers exploit two types of tools in combination. First, they develop software - malware, viruses, or worms - with a specific purpose, such as stealing data, carrying out unlawful interceptions, rendering computer services unusable, taking money, or perpetrating fraud. Second, they study vulnerabilities in computer systems and how those systems can be attacked.
The most common attack vector for introducing hacker-developed software through identified vulnerabilities is the phishing email, which convinces a user to click on a link that installs the fraudulent software.
What should we do to protect our computer systems, set up safe barriers around our data and limit the damage?
There is no single solution; protection must come through the adoption of cybersecurity programs and best practices that enable companies to act through organizational, technological and procedural measures. In WannaCry's specific case, it would be advisable to install security patches on all installed Windows systems, and this activity requires the prior definition of a structured, periodic upgrade process. However, several companies fail to install updates as they are issued because the updates need to be tested and certified in production environments, or verified not to impact the delivery of services to internal and external customers.
It is also possible to use innovative tools that automatically study network behavior - behavioral analysis - and signal anomalies and phenomena to be monitored.
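As an added example (not part of the interview, and not any product's code), here is a small behavioral check of the kind described: it reads flow-log lines and flags any host that opens SMB (TCP 445) connections to many distinct peers within a short window, which is the network pattern the worm stage described earlier produces when it scans the local network. The log format, the sample hosts, the 60-second window and the 20-peer threshold are all assumptions; the log lines are constructed for the example, not captured traffic.

```python
"""Behavioral check for worm-like SMB fan-out, run over constructed flow records."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_flows():
    """Constructed sample flow log (not captured traffic).

    Each line: "<ISO timestamp> <src_ip> <dst_ip> <dst_port>".
    """
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # An ordinary client: a handful of connections to a single file server.
    for i in range(5):
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.5 10.0.0.10 445")
    # A worm-like host: sweeps 40 consecutive addresses on port 445 in about 20 seconds.
    for i in range(1, 41):
        ts = base + timedelta(seconds=i // 2)
        lines.append(f"{ts.isoformat()} 10.0.0.42 10.0.0.{100 + i} 445")
    # Unrelated HTTPS traffic from the same host; the check must ignore it.
    ts = base + timedelta(seconds=3)
    lines.append(f"{ts.isoformat()} 10.0.0.42 192.0.2.7 443")
    return lines


SAMPLE_FLOWS = build_sample_flows()


def parse_flow(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport)


def detect_fanout(lines, port=445, window_seconds=60, threshold=20):
    """Flag sources that contact >= threshold distinct peers on `port` inside a sliding window.

    Returns {src: {"first_seen": ISO time at which the threshold was crossed,
                   "distinct_peers": largest distinct-peer count seen in any window}}.
    """
    flows = sorted((parse_flow(line) for line in lines), key=lambda f: f[0])
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> (timestamp, dst) pairs inside the current window
    alerts = {}
    for ts, src, dst, dport in flows:
        if dport != port:
            continue  # only the lateral-movement port matters for this check
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop entries older than the window
        distinct = len({d for _, d in q})
        if distinct < threshold:
            continue
        if src not in alerts:
            alerts[src] = {"first_seen": ts.isoformat(), "distinct_peers": distinct}
        else:
            alerts[src]["distinct_peers"] = max(alerts[src]["distinct_peers"], distinct)
    return alerts


if __name__ == "__main__":
    for src, info in detect_fanout(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {info['distinct_peers']} distinct peers on tcp/{445}, "
              f"threshold crossed at {info['first_seen']}")
```

Run directly, it reports only the sweeping host; the client that talks to one file server stays below the threshold, and the HTTPS connection is not counted. In a real environment the threshold needs tuning and an allow-list, because a backup server or an authorized vulnerability scanner legitimately contacts many hosts on port 445 and would otherwise be flagged.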
At a preventive level, it is very important to keep backups of your data on external devices that are not connected to your computer. In this way, any data loss will always be contained.
A further action is the activation of awareness processes at all levels of the business, from interns to CEOs.
Finally, all digital endpoints, from PCs to smartphones to tablets, must be protected by antivirus and by tools that can detect and report in advance the security level of applications and apps downloaded from the internet.
Once the attack has happened, what do you do?
It is necessary to turn to experts capable of containing the spread of the malware and recovering the encrypted data. In general, best practices such as isolating infected machines and applying security patches to all servers and PCs that may potentially fall within the perimeter of the attack should be adopted. At the same time, it is necessary to understand how the infection is spreading, slowing it down or inhibiting it through targeted network traffic blocks implemented with firewalls or other perimeter security tools.
Finally, it is advisable to activate collaborations, using shared protocols, and to open communication channels to the authorities.
Well, maybe this is the real war of today, the one that strikes the net where we all live and work. How can we, apart from strong security, help keep and increase freedom without succumbing to those who want to overthrow it?
Each of us projects onto our digital domains a virtual image of ourselves consisting of personal data, browsing information, and social networking data. This image has become more relevant in recent times because companies, citizens, and public administrations increasingly rely on digital services, creating dependence as a direct consequence of the simplification these services bring to our lives. The counterpart is the risks that arise from using networks; risks that increase when no caution is taken and the measures that can and should be implemented at the individual level are neglected. Consequently, it is crucial for users of digital services to gain greater awareness of the use of such tools and of the risks they pose, both as employees of a company and as citizens of the Internet. It is therefore important that citizens and employees are "educated" in the proper use of such resources, as small precautions and remedies can drastically reduce the level of risk they are exposed to.
It is also important to promote greater communication and reporting to the relevant bodies (such as the FBI, for example), to help reduce the time needed to detect and contain computer attacks and, through timely reporting, to increase the effectiveness of countermeasures.
In an increasingly interconnected world, the fate of the community is strongly influenced by the behavior of the individual, and it is therefore important for everyone to play their part properly.
Cybersecurity Expert, Chief Information Security Officer (CISO), and Certified Information Systems Auditor (CISA)
Copyright 2013. John Giordani. All Rights Reserved.