Weekly podcast: WannaCry summarised, and DocuSign, Brooks Brothers and Zomato breached

This week we provide an overview of the WannaCry ransomware worm, and discuss a number of recent data breaches.

Hello and welcome to the IT Governance podcast for Friday, 19 May 2017. Here are this week’s stories.

I suppose we’d better start with last Friday’s ransomware pandemic. To begin at the beginning…

America’s National Security Agency (NSA) allegedly has a department that analyses popular software for vulnerabilities and develops so-called ‘cyber weapons’ that it can use against them. Kaspersky dubbed it the Equation Group.

One of the Equation Group’s exploits – EternalBlue – was stolen by a group of criminal hackers known as The Shadow Brokers last August and dumped online this April after attempts to auction it and other NSA cyber weapons were unsuccessful. The Shadow Brokers then disappeared.

EternalBlue exploited a number of remote code execution vulnerabilities in version 1 of Microsoft’s Server Message Block protocol.

Microsoft patched the SMBv1 server vulnerabilities for supported versions of Windows in March, but older, unsupported systems, such as the defunct but still popular Windows XP, Windows 8 and Windows Server 2003, remained vulnerable.

Last Friday, someone – associated by some researchers with North Korea’s Lazarus Group – used EternalBlue to spread ransomware to unsupported and unpatched Windows systems via the SMBv1 flaws, encrypting files and locking down systems until a bitcoin ransom was paid.

This attack, dubbed WannaCry/WannaCrypt/WanaCrypt0r 2.0/Wanna Decryptor/Wcry, spread quickly from its initial outbreak in Spain, affecting some 200,000 victims in 150 countries – including the UK’s NHS, which was forced to cancel procedures as a result of the attack.

In an unprecedented move, Microsoft issued patches for unsupported versions of its products in an attempt to stop WannaCry spreading further, saying that: “Seeing businesses and individuals affected by cyberattacks, such as [WannaCry], was painful.”

Meanwhile, a 22-year-old security researcher activated a convenient kill switch in the malware by registering a domain that stopped further infections and ‘sinkholing’ it to a server in California.

So, what can the average business learn from this?

The most important lesson is to keep systems and software up to date. I can confidently say that this was not an isolated incident and that there will definitely be other, similar attacks – as well as entirely different ones, of course.

(The Shadow Brokers have already re-emerged from apparent retirement, offering – in a characteristically rambling blog post – a monthly dump of new Equation Group exploits to subscribers. “Is being like wine of month club,” they say. “Each month peoples can be paying membership fee, then getting members only data dump each month. What members doing with data after is up to members.”)

Mitigating cyber risks is a constant battle, but the vast majority of attacks exploit well-known vulnerabilities and can be prevented by getting the basics right. (Microsoft had patched the vulnerability that EternalBlue exploited a couple of months earlier.)

Ensuring you run the latest versions and apply patches when they are released is essential, as is conducting regular penetration testing to determine the presence of vulnerabilities in your networks and applications.
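As an added illustration of the patching lesson above (this is example code added here, not code from the podcast or from IT Governance), the following PowerShell script audits a Windows host for the two conditions WannaCry relied on: an SMBv1 server that is still switched on, and an operating system build the podcast lists as out of support. It assumes an elevated PowerShell 3.0 or later session; `Get-SmbServerConfiguration` and `Set-SmbServerConfiguration` are Microsoft's standard SMB cmdlets on Windows 8 / Server 2012 and later, and the `LanmanServer\Parameters\SMB1` registry value is Microsoft's documented switch for Windows 7 / Server 2008 R2. The KB number of the March 2017 update differs per build, so the script lists updates installed since then for comparison against the bulletin rather than hard-coding an identifier.

```powershell
<#
  Added example, not from the podcast or IT Governance: audit a Windows host
  for an enabled SMBv1 server and an unsupported OS build, and optionally
  disable the SMBv1 server. Assumes an elevated PowerShell 3.0+ session.
#>
[CmdletBinding()]
param(
    [switch]$DisableSmb1   # report only by default; pass -DisableSmb1 to turn the SMBv1 server off
)

$LanmanKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1ServerEnabled {
    # $true when the SMBv1 server is on. Newer builds expose it through the SMB module;
    # older builds use the SMB1 DWORD under LanmanServer (value absent means enabled).
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $val = (Get-ItemProperty -Path $LanmanKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    if ($null -eq $val) { return $true }
    return ($val -ne 0)
}

function Test-UnsupportedBuild {
    # Flags the builds the podcast names as out of support: XP / Server 2003 (NT 5.x)
    # and Windows 8 (NT 6.2 on a workstation; Server 2012 shares 6.2 but was supported).
    param([version]$Version, [int]$ProductType)
    if ($Version.Major -lt 6) { return $true }
    if ($Version.Major -eq 6 -and $Version.Minor -eq 2 -and $ProductType -eq 1) { return $true }
    return $false
}

$os      = Get-CimInstance Win32_OperatingSystem
$version = [version]$os.Version
$smb1On  = Get-Smb1ServerEnabled

# Updates installed since Microsoft's March 2017 SMBv1 fix. The KB number differs per
# build, so compare this list against the bulletin for your OS instead of a fixed KB.
$recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2017-03-01' }

[pscustomobject]@{
    Host               = $env:COMPUTERNAME
    OS                 = $os.Caption
    Build              = $os.Version
    UnsupportedBuild   = Test-UnsupportedBuild -Version $version -ProductType $os.ProductType
    Smb1ServerEnabled  = $smb1On
    HotfixesSinceMar17 = ($recent | Select-Object -ExpandProperty HotFixID) -join ','
}

if ($DisableSmb1 -and $smb1On) {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        Set-ItemProperty -Path $LanmanKey -Name SMB1 -Type DWord -Value 0
    }
    Write-Warning 'SMBv1 server disabled. Older builds need a reboot; confirm no legacy devices still depend on SMBv1 first.'
}
```

Run it without arguments across a fleet (for example via `Invoke-Command`) to get one report object per host, and only pass `-DisableSmb1` once you have confirmed that nothing on the network (old printers, NAS boxes, embedded kit) still needs the protocol: disabling SMBv1 removes the attack surface the flaws sit in, but it does not replace installing the update itself.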

Although WannaCry wasn’t spread via phishing emails, the vast majority of malware is, so it’s also very important to train your staff to recognise malicious email – it only takes one careless user to click a link or open an attachment to infect an entire network. A simulated phishing attack will identify your employees’ susceptibility to this particular form of social engineering. Oh, and don’t forget to back up properly.

In other news, electronic signature service provider DocuSign has acknowledged that a recent phishing campaign targeting its customers was the result of “a malicious third party” gaining access to a database of customer email addresses. The phishing emails contained “a link to a malicious, macro-enabled Word document” that downloaded malware. In an update on 16 May, the company explained that “no names, physical addresses, passwords, social security numbers, credit card data or other information was accessed. […] DocuSign’s core eSignature service, envelopes and customer documents and data remain secure.”

US outfitters Brooks Brothers has issued a data breach notice warning customers that their “payment card data – including name, payment card account number, card expiration date, and card verification code” may have been compromised. Point-of-sale malware at 223 retail locations accessed customer data between 4 April 2016 and 1 March 2017. The issue “has been resolved and is no longer impacting transactions.”

The personal information of 17 million users of online restaurant guide Zomato has been stolen from a database. The Indian company, which boasts more than 120 million users, said that the information included “user email addresses and hashed passwords”. No payment information was compromised and affected customers’ passwords have been reset. An “internal (human) security breach” was apparently to blame.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

And don’t forget that IT Governance’s May book of the month is EU General Data Protection Regulation – An Implementation and Compliance Guide, an in-depth guide to the changes your organisation needs to make to comply with the GDPR before its enforcement in just over a year’s time. Save 10% if you order by the end of the month.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.