Weekly podcast: EternalBlue (again), new USB compromise and widening cyber skills gap

This week, we discuss the use of the EternalBlue exploit to distribute new payloads after WannaCry, a proof-of-concept USB attack that harvests network credentials from locked computers, and news that there will be 350,000 cyber security job vacancies in Europe by 2022.

Hello and welcome to the IT Governance podcast for Friday, 9 June 2017. Here are this week’s stories.

The EternalBlue exploit, which was used in the WannaCry ransomware attacks that caused such widespread disruption last month, is now being used by criminals to distribute other malicious payloads, according to FireEye.

(EternalBlue, you’ll remember, is an NSA ‘cyber weapon’, leaked by the Shadow Brokers in April, that exploits a remote code execution vulnerability in version 1 of Microsoft’s Server Message Block protocol (SMBv1). Microsoft patched it in March 2017 in security bulletin MS17-010.)

FireEye said: “We observed [that] lab machines vulnerable to [the] SMB exploit were attacked by a threat actor using the EternalBlue exploit to gain shell access to the machine. […] However, once a machine is successfully infected, this particular attack opens a shell to write instructions into a VBScript file and then executes it to fetch the payload on another server.”

They added: “We have observed the same EternalBlue and VBScript combination used to distribute Gh0st RAT in Singapore, as well as Backdoor.Nitol being delivered in the South Asia region.”

(Gh0st RAT and Backdoor.Nitol are both trojans that open back doors on compromised computers, giving attackers remote access.)

Microsoft has issued patches for the SMB server vulnerabilities for all affected products, including, after WannaCry, out-of-support systems such as Windows XP and Windows Server 2003. If you haven’t applied these patches, do so as soon as you possibly can; disable SMBv1 wherever nothing still depends on it, block TCP port 445 from the internet, and consider upgrading to supported products where necessary.

As FireEye warns: “In the coming weeks and months, we expect to see more attackers leveraging these vulnerabilities […] to spread such infections with different payloads.”
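The patch-and-disable advice above, as an added example for this page (not code from Microsoft, FireEye or IT Governance): a PowerShell script that audits one Windows host for the exposure EternalBlue needs, SMBv1 reachable on TCP 445, and then closes it. The function names are mine; it assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (for Get-SmbServerConfiguration and Get-NetTCPConnection), and the KB list is the March 2017 MS17-010 package set for Windows 7/8.1/2012/2012 R2 plus the out-of-band XP/2003/8 package, deliberately partial and superseded by later cumulative updates, so an empty result means “verify by other means”, not “unpatched”.

```powershell
# Added example for this podcast page; not Microsoft's, FireEye's or IT Governance's code.
# Audits one Windows host for the exposure EternalBlue needs (SMBv1 reachable on TCP 445)
# and closes it. Assumptions: elevated session, Windows 8.1 / Server 2012 R2 or later.
# The KB list is the March 2017 MS17-010 set for Win7/8.1/2012/2012 R2 plus the
# out-of-band XP/2003/8 package; it is partial and later rollups supersede it, so an
# empty MS17010Hotfixes field means "check further", not "unpatched".

$ms17010 = @('KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
             'KB4012214', 'KB4012217', 'KB4012598')

function Test-SmbV1Exposure {
    $server   = Get-SmbServerConfiguration
    $hotfixes = Get-HotFix | Where-Object { $_.HotFixID -in $ms17010 }
    $listen   = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        SMB1Enabled      = $server.EnableSMB1Protocol
        MS17010Hotfixes  = ($hotfixes.HotFixID -join ',')
        Port445Listening = [bool]$listen
    }
}

function Disable-SmbV1 {
    # Server side first: this is the service EternalBlue talks to.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Client side: an optional feature on Windows 8.1/10; on Server 2012 R2 and later use
    # Remove-WindowsFeature FS-SMB1 instead. Legacy kit (old NAS boxes, printers, scanners)
    # may still need SMBv1, so put this through change control rather than running it blind.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
        -ErrorAction SilentlyContinue | Out-Null
}

$state = Test-SmbV1Exposure
$state | Format-List
if ($state.SMB1Enabled) {
    Write-Warning "SMBv1 is enabled on $($state.Computer); port 445 listening: $($state.Port445Listening)"
    Disable-SmbV1
}
```

Run Test-SmbV1Exposure across the estate first (for example via Invoke-Command) and only call Disable-SmbV1 once you know which hosts have legitimate SMBv1 clients; the hotfix check is a hint, not proof, because a later monthly rollup that includes the fix will not carry any of the listed KB numbers.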

Researchers from Kaspersky Lab have developed a proof-of-concept attack that would enable attackers to steal administrator credentials “by briefly connecting a microcomputer via USB to any computer within the corporate perimeter” – even if the computers are locked.

The “hardware cost of such an attack,” Kaspersky warns, “is no more than $20 and it can be carried out by a person without any specific skills or qualifications. All that’s needed is physical access to corporate computers.”

Sergey Lurye and Boris Stepanov used a Raspberry Pi Zero configured to emulate “an Ethernet adapter on the system it was being plugged into”. The attack works because Windows installs a newly attached network adapter automatically, even at the lock screen, and then treats it as a trusted wired network. When they tested the attack against a corporate computer logged into a domain, they found they could “intercept not only the packets from the system it’s connected to […] but also NTLM authentication requests from other corporate network users in the domain”. Moreover, “the longer the device was connected, the more hashes it [extracted] from the network.”

Users are advised never to leave their systems unlocked, to check for unfamiliar USB devices, to change their passwords regularly and to enable two-factor authentication wherever possible. Note that the proof of concept worked against locked machines, so locking alone is not enough; the NTLM hashes it collects are only useful to an attacker who can crack or relay them, which is why long, unique passwords and two-factor authentication matter here.
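The “check for suspicious USB devices” advice above, as an added example for this page (not Kaspersky’s code, and the podcast does not describe how the hashes are captured): a PowerShell script with two defender-side pieces, a check that lists USB-attached network adapters (the rogue “Ethernet adapter” is one) and flags any that has become the default gateway, and a hardening function. The function names are mine. It assumes Windows 8.1 / Server 2012 R2 or later (PnpDevice, NetAdapter and NetTCPIP modules), an elevated session for the hardening part, and that the hash harvesting works the way such tools usually do, by answering LLMNR and NetBIOS name lookups so that the victim authenticates to the rogue device; that mechanism is my assumption, not something the page states.

```powershell
# Added example for this podcast page; not Kaspersky's code. Defender-side check for the
# rogue "USB Ethernet adapter" and hardening against the usual hash-harvesting path.
# Assumptions: Windows 8.1 / Server 2012 R2 or later; elevated session for the hardening;
# the rogue device answers LLMNR/NetBIOS lookups to collect NTLM (an assumption, the
# podcast does not say how the capture works).

function Get-UsbNetworkAdapter {
    # Network-class PnP devices whose instance path sits on the USB bus. A Pi Zero in
    # USB gadget mode appears here as an RNDIS/CDC Ethernet device.
    Get-PnpDevice -Class Net -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USB\*' } |
        ForEach-Object {
            $dev = $_
            $nic = Get-NetAdapter -ErrorAction SilentlyContinue |
                   Where-Object { $_.PnPDeviceID -eq $dev.InstanceId }
            $gw = $null
            if ($nic) {
                $gw = (Get-NetRoute -InterfaceIndex $nic.ifIndex -DestinationPrefix '0.0.0.0/0' `
                         -ErrorAction SilentlyContinue).NextHop
            }
            [pscustomobject]@{
                FriendlyName     = $dev.FriendlyName
                InstanceId       = $dev.InstanceId
                Interface        = $nic.Name
                IsDefaultGateway = [bool]$gw   # a USB NIC owning the default route is the red flag
                Gateway          = $gw
            }
        }
}

function Disable-LegacyNameResolution {
    # LLMNR off: the policy value behind the GPO "Turn off multicast name resolution".
    $dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    New-Item -Path $dnsPolicy -Force | Out-Null
    Set-ItemProperty -Path $dnsPolicy -Name EnableMulticast -Type DWord -Value 0
    # NetBIOS over TCP/IP off on every interface (NetbiosOptions: 0 = DHCP decides, 1 = on, 2 = off).
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Type DWord -Value 2 }
}

$usbNics = Get-UsbNetworkAdapter
if ($usbNics) {
    $usbNics | Format-Table -AutoSize
    $usbNics | Where-Object IsDefaultGateway | ForEach-Object {
        Write-Warning "USB adapter '$($_.FriendlyName)' owns the default route via $($_.Gateway)"
    }
}
```

Get-UsbNetworkAdapter is safe to run anywhere and is the part worth scheduling on endpoints; a docking station’s built-in NIC will also appear, so compare against a known-good inventory rather than alerting on every hit. Disable-LegacyNameResolution removes the easy answer to the rogue device’s name-resolution replies but does not stop the device being installed, which needs a device-installation policy in Group Policy on top.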

Booz Allen Hamilton and (ISC)2 – the International Information System Security Certification Consortium – issued a report this week (Benchmarking Workforce Capacity and Response to Cyber Risk) that analyses information gleaned from the Global Information Security Workforce Study (GISWS) – an online survey of more than 19,000 information security professionals around the world.

According to the report, 38% of hiring managers in Europe plan to increase their workforce by more than 15% in the coming year – thanks in part to new legislation such as the GDPR, which places a greater onus on companies across Europe to secure the information they process.

However, a shortage of qualified personnel means that by 2022 there will be 350,000 more cyber security jobs in Europe than there are appropriately skilled workers. In fact, 48% of European respondents said the reason for this shortfall was that qualified personnel were difficult to find.

As an (ISC)2 blog about the report makes clear, if you want a career in cyber security, now is the time to get some qualifications under your belt. A third of the cyber security workforce in Europe earn more than £78,000 a year, and 87% of cyber security professionals started their careers in other sectors.

Head to itgovernance.co.uk/gdpr-training to find out more about our portfolio of GDPR training courses.

Well, that’s it for this week. Until next time you can keep up with the latest information security news on our blog.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.