Security Central: 2017’s Biggest Hacks Illustrate Need for ‘Babysitter as a Service’
If 2013, the year of the cyber attack against retail giant Target, was the year that cyberterrorism became real to the widespread public, then 2017 might be remembered as the year it became personal. It’s extremely likely that everyone in the U.S. was impacted by the epic amount of sensitive information that was compromised last year. The number and depth of attacks was unprecedented, not to mention problematic for channel partners.
Here’s a recap of the biggest attacks from 2017 and some thoughts on lessons learned in the aftermath. What can they tell us about what’s coming in 2018?
Yahoo announced in October that a 2013 security breach compromised all 3 billion of its accounts, rather than “just” the 1 billion it had reported in 2016. Three. Billion. This by far is the most staggering breach in history, not just because of its scale but also because it took Yahoo three years to identify it. The attack was only discovered because Verizon pushed to dig into the incident when investigating an entirely separate breach in 2014.
Verizon received a $350 million discount off the purchase price for Yahoo because of all of the internet service provider’s security shenanigans. But the revelation that an additional 2 billion accounts were compromised came after it shelled out $4.5 billion for the acquisition.
The exposed information included names, email addresses, telephone numbers, dates of birth, hashed passwords, and some security-question answers. That stolen data potentially could be used in future attacks and was widely traded on the black market. (There are even suspicions that one of the buyers might be linked to a foreign intelligence agency.) Did you Yahoo in 2017? If so, our condolences. If your customers did, even more so. Best to get them off the service completely.
#4: Bad Rabbit
Also in October, a new ransomware bug dubbed ‘Bad Rabbit’ hopped across Eastern Europe, hitting (primarily) media and news sites in Russia, Turkey, and Bulgaria. It was delivered via drive-by downloads by heedless users thinking they were installing a Flash update and getting the ransomware instead.
As Cisco Talos put it, the virus “requires a user to facilitate the infection and does not use any exploit to compromise the system directly.” In other words, Bad Rabbit didn’t need some flaw in software to gain access to systems. Instead, it pinned its hopes on the pretty sure bet that a lot of people would click on random pop-ups telling them to install software. Like other notable 2017 ransomware attacks, Bad Rabbit used an SMB component to move laterally across networks by using a list of simple username and password combinations.
Bad Rabbit was, well, bad. But it wound up epitomizing what has become the new norm in cyber threats: quick and dirty attacks designed to inflict the maximum amount of damage in the minimum amount of time by exploiting users’ careless internet habits.
This creatively named malware outbreak that hit Europe last summer was a variant of the malware Petya. Like Bad Rabbit, the NotPetya ransomware campaign leveraged a host of tools to gain access to a corporate network. Once enabled, it moved insidiously from machine to machine, trashing file systems in its wake.
But while the malware seemed similar in nature to other attacks last year on the surface, it quickly fell down in one key area: payment collection. It wasn’t long after the attack before the cybersecurity world came to the conclusion that the purpose of NotPetya wasn’t financial gain. It was just to spread chaos and destruction. Like if the Gremlins could code.
Sure enough, earlier this month the CIA concluded that the Russian military was behind the attack, according to classified documents obtained by the Washington Post. Apparently, they’d hoped to disrupt the Ukraine’s financial systems in an effort to gain some ground in the fight against separatists.
In January 2018 at the World Economic Forum in Davos, Switzerland, chairman of Maersk Jim Hagemann said that the attack required the shipping giant to replace its “complete infrastructure” of “4,000 new servers, 45,000 new PCs, and 2,500 applications.” While Maersk apparently had the $250-$300 million required to complete the overhaul in one “heroic effort over 10 days,” other victims did not. Hagemann says that the internet wasn’t built to support a nearly entirely digitized world, and that a radical overhaul of infrastructure is needed if we want to truly stop cybercrime.
We know a few solution providers who can help with that …
It was the ransomware heard ‘round the world. Last May, the WannaCry virus spread across more than 150 countries and hundreds of thousands of systems by exploiting outdated Windows software. The attack leveraged leaked NSA tools, including the EternalBlue Windows exploit stolen and leaked by the group Shadow Brokers.
WannaCry wasn’t a smooth, sophisticated design. Security experts were even able to identify one mechanism in the code that they could use as a ‘kill switch,’ which helped stop the wildfire spread of the virus. But it still managed to wreak all kinds of havoc, and the details that emerged through 2017 kept levels of uneasiness high.
Late last year, the CIA officially pinned the attack on North Korea. It’s estimated that the attack netted the foreign government more than 50 bitcoins, worth more than $800,000 as of December. WannaCry served as a stark warning that we’re entering a Brave New World where a few coders in a country the rest of us know very little about can grind the outside world to a halt — all because of outdated Windows software.
Some of the freakiest talk surrounding WannaCry came from experts who said that the hack had all the telltale signs of a “trial balloon” instead of the rough-yet-effective attack it appeared to be on its surface. If this was a test run for a hostile nation-state, it should freeze your blood to think of what WannaCry taught them, not to mention what the next attack might be. This attack was probably the most aptly named of anything we saw in 2017.
Last September, credit-reporting company Equifax was the “victim” of a breach that exposed the personal information of nearly half of the adult United States population, if you can call a company whose security standards practically begged for a cyberattack a victim of its own negligence. The nature of the critically sensitive consumer information the breach compromised caused panic across the country in every race, creed, sexual orientation and tax bracket, which may have made it literally the only thing all Americans agreed on last year.
As the fourth quarter rolled on, Equifax appeared in headline after headline in a spectacular example of how not to handle a security breach. It was like the Keystone Cops, Cybersecurity Edition. The list of mishaps and mishandlings is so extensive, we’ve just summarized them below in some bullets lest we inspire too much PTSD in victims:
- Equifax actually knew about the breach for a full six weeks before saying anything.
- Immediately after the attack, the company erected a webpage that supposedly told consumers whether their information had been exposed. It didn’t work.
- Consumers who did manage to get the tool to work had unwittingly waived their right to arbitration. The class action lawsuits weren’t long in following.
- We discovered Equifax pretty much took the cake when it came to lax security practices, from storing information in plain text to not patching known vulnerabilities.
- Finally, we learned that three of the company’s senior executives sold shares collectively worth almost $1.8 million between when the hack was discovered and when it was disclosed. Dude, seriously?
Will 2018 Be Any Better?
If there’s anything we can learn from 2017’s attacks, it’s that people’s tendency to do things they know they shouldn’t is posing enormous risks and leading to incalculable amounts of damage when it comes to their online behavior. People are careless. What’s more, no one ever thinks anything is going to happen to them. We have laws, rules and regulations to protect people both from those with malicious intent and from their own sense of infallibility. It’s against the law not to wear a seatbelt, because the government is trying to protect you from yourself. It’s also against the law for someone to steal from your home, even if you leave the front door wide open.
But this digital world came on too fast for us to go through the cumbersome process of learning lessons and passing laws in time to save people from bad actors and their own negligence. 2018 will be a year of loud noises about compliance coming from all corners of government. But Washington can barely keep the government’s lights on, so there’s little hope that Congress will save us from cybercriminals.
If the government, big business and end users aren’t going to step up to the plate, that only leaves one lone knight to champion for us all: the channel. And, like Don Quixote tilting at windmills, it will be nigh impossible for service providers to know exactly who the real enemy is, or even the actual goal of the battle. Because the truth of the matter is that it isn’t only bad actors you have to save your customers from — you also have to save them from themselves.
Hagemann is right: We’re simply not equipped for the world we live in now, where everyday people’s entire lives are digitized, stored and left vulnerable to attackers. And with a truly always-connected, IoT-centric world just over the horizon, we’re rapidly running out of time to adapt.
Until our legal, business and social infrastructure is updated to reflect our digital reality, MSSPs’ biggest value-add might just be playing babysitter to their customers, trying simultaneously to shield them from the big bad cyberunderworld and slap their hands when they click on that “cutest cat video on the internet!” link.