By Krista M. and Laura H. | Cyber Threat Intelligence Analysts
To say that 2017 has been a busy year for cybersecurity professionals would be an understatement. From devastating data breaches to crippling ransomware incidents, every week that passed revealed new threats, attack vectors, exploits, and vulnerabilities. It quickly became evident that no person, organization, or sector is immune to the impact of cyber threats. As we prepare for the challenges that 2018 will bring to network defense initiatives, it’s important to reflect on some of this year’s biggest cybersecurity incidents and highlight the lessons learned from each one.
Profit-motivated hackers took aim at unprepared organizations by targeting vulnerabilities within software, systems, and networks and held data hostage in the hopes of receiving a large payoff. Just three days into 2017, the NJCCIC reported on a cyber extortion campaign targeting unsecured MongoDB servers and, shortly after, reported similar attacks against Hadoop servers, Elasticsearch clusters, CouchDB, and Cassandra databases. Three months into 2017, the CrySiS ransomware campaign impacted New Jersey organizations by compromising Remote Desktop Protocol (RDP) connections and deploying the malware across networks manually. In May, we collectively witnessed the world’s largest ransomware attack, dubbed WannaCry, which impacted at least 99 different countries and several sectors including, but not limited to, the healthcare sector. WannaCry rapidly spread across systems and networks using the EternalBlue exploit against a Microsoft Server Message Block (SMB) vulnerability, a vulnerability for which Microsoft had released a patch back in March. June brought what was initially thought to be another widespread ransomware attack, but further analysis of the variant used determined that it was a previously unseen and destructive data-wiping variant of malware. This malware, dubbed NotPetya, impacted organizations that used accounting software developed by the Ukrainian company M.E.Doc. This incident demonstrated the devastating effects of a supply chain attack and the risks posed to organizations by third parties.
Lessons learned: Know what systems and servers on your network are open and exposed to the internet. Conduct regular audits of network access, both internally and externally. Close unneeded ports. If RDP is needed in your environment, secure remote connections by using IPsec and a multifactor authentication solution, and by locking accounts after a set number of failed login attempts. Apply software patches in a timely manner. Retire and replace unsupported, End-of-Life (EOL) software and hardware. Most importantly, back up your data and make sure backups are tested regularly and stored off the network in a separate, secure location.
Social engineering campaigns such as vishing, phishing, spear-phishing, and whaling impacted residents and organizations within New Jersey and across the US, convincing them to divulge sensitive, personal information and wire large payments to money-hungry criminals. The real estate industry, in particular, was heavily targeted as savvy hackers intercepted email traffic between negotiating parties and inserted their own payment instructions, attempting to divert funds earmarked for closing costs to accounts operated by the hackers behind the schemes. The NJCCIC also observed countless phishing campaigns designed to trick recipients into downloading malware onto their systems or entering login credentials for various personal and financial accounts into fraudulent websites. Phone scams such as the IRS scam and the Windows Tech Support scam persisted as perpetrators tried to scare call recipients into paying them money via prepaid gift cards or installing remote access software onto their computers.
Lessons learned: Education and awareness are truly the keys to preventing a successful social engineering attack. Remember that government agencies will never call and demand immediate payment in the form of prepaid gift cards and software companies will never call to inform you of a virus on your computer. Remain skeptical of all unsolicited phone calls and emails and never take action while under duress or if the communication evokes an immediate feeling of fear or panic. Take a moment to clearly assess the situation and research any associated phone numbers, email addresses, or links online to determine if they are associated with scam complaints or reports. Have a policy in place that requires additional authorization to conduct large financial transactions and to transfer sensitive information between parties. Use tools such as email filters and spam call filters to prevent these types of threats from reaching end users. Consider adopting the DMARC email authentication protocol to protect against domain spoofing and other phishing tactics.
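The post recommends DMARC without showing what distinguishes a monitoring-only record from one that actually blocks spoofed mail. As an added example (not from the NJCCIC post), the following parses a DMARC TXT record and flags the settings that leave a domain spoofable; the two records and the example.com reporting address are constructed sample values.

```python
"""Parse DMARC TXT records and flag settings that leave a domain spoofable.

Added example, not part of the NJCCIC post. Both records below are
constructed sample values, not any real domain's DNS data.
"""
from typing import Dict, List, Tuple

# Constructed samples: a monitoring-only policy and a hardened one.
WEAK_RECORD = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@example.com")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: str) -> Tuple[bool, List[str]]:
    """Return (is_enforcing, findings).

    Enforcing means p is quarantine/reject, the subdomain policy (sp, which
    inherits p when absent) is not none, and pct covers 100% of mail.
    """
    tags = parse_dmarc(record)
    findings: List[str] = []
    if tags.get("v") != "DMARC1":
        return False, ["missing or invalid v=DMARC1 tag; receivers ignore the record"]
    policy = tags.get("p", "")
    if policy not in ("none", "quarantine", "reject"):
        return False, [f"missing or invalid p tag: {policy!r}"]
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    sub_policy = tags.get("sp", policy)  # sp defaults to p per RFC 7489
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains spoofable")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct is not a number; treat the policy as not applied")
    if pct < 100:
        findings.append(f"pct={pct} applies the policy to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("no rua address; aggregate reports on spoofing never arrive")
    if tags.get("adkim", "r") == "r" or tags.get("aspf", "r") == "r":
        findings.append("relaxed alignment (default); strict (s) is tighter")
    enforcing = policy != "none" and sub_policy != "none" and pct == 100
    return enforcing, findings
```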
Throughout 2017, we alerted our members to emerging threats targeting mobile devices including new ransomware variants and malicious applications available for download in legitimate marketplaces. Specifically, devices running Android OS have been increasingly targeted this year by malware campaigns designed to steal data such as login credentials for financial applications and intercept text messages to bypass two-factor authentication. Mobile malware creators have been sneaking malicious code not only into third-party applications, but also into seemingly legitimate applications made available for download from the official Google Play Store. Because of this growing threat, organizations that implement Bring-Your-Own-Device (BYOD) policies without taking preventative measures to protect their networks from mobile malware could be increasing their risk of attack and compromise.
Lessons learned: Even applications available in official app stores can contain malicious code; therefore, mobile device users are advised to thoroughly research mobile apps prior to installation. Reading user reviews and ensuring that the permissions requested by the app match the app’s advertised functionality can help reduce the risk of downloading malware onto mobile devices. Organizations seeking to reduce the risks associated with BYOD are encouraged to use a reputable enterprise mobility management platform to control network access and enforce mobile security policies.
Botnets and the Internet of Things (IoT)
Last week, Paras Jha, a New Jersey resident and former Rutgers University student, pleaded guilty to charges associated with his role in the creation of the Mirai botnet, a large group of IoT devices that he used to disrupt internet services for various targets, including Rutgers University and Dyn, a Domain Name System (DNS) provider. He faces up to 10 years in prison and a $250,000 fine. Although this gives the security community a reason to celebrate, it also highlights both how much damage threat actors can do by exploiting vulnerabilities in IoT devices and how serious the charges filed against the perpetrator can be. Poorly secured internet-connected devices are easy targets for hackers seeking to conduct various types of malicious activity such as Distributed Denial-of-Service (DDoS) attacks, large phishing and spam campaigns, and widespread malware distribution. Using botnets to conduct these attacks can make attribution difficult, and the owners of these compromised devices rarely know that they are actively aiding illicit activity. Additionally, mass-produced IoT devices are often shipped with common default login credentials and vulnerabilities that are easy to exploit. Until legislators succeed in regulating the IoT industry and require manufacturers to develop tighter security controls on their products, we can expect more botnet-fueled illicit activity in the years ahead.
Lessons learned: IoT security is not currently a priority for manufacturers, even though many are rushing to integrate internet connectivity in an increasing number of devices designed for home and corporate use. Therefore, it is up to consumers to properly secure their devices and ensure that the integrated firmware is kept up-to-date or forgo using certain connected devices altogether to reduce the risk of network compromise. IoT devices should be secured by changing the default login credentials as soon as they are joined to a network, using complex passwords, and enabling two-factor authentication, if available. Additionally, disable unneeded ports, set devices to automatically apply firmware updates, and regularly check the manufacturer’s website for patches and recalls.
All of us here at the NJCCIC hope that we have served our membership well throughout 2017 and look forward to 2018 as we continue our commitment to serve New Jersey as the State’s one-stop shop for cybersecurity information sharing, threat analysis, and incident reporting. We wish all of our members a happy, healthy, and cyber safe New Year!