Worm Defense in the Era of Ransomware.


SPOTO has focused on IT certification training for 16 years. Over those 16 years, SPOTO has helped tens of thousands of candidates achieve their Cisco CCNA, CCNP, CCIE and CISSP certifications. Subscribe to us to get more news.

On March 17, Microsoft released a security update for various versions of Windows that resolved a remote code execution vulnerability in the SMBv1 protocol (MS17-010). This vulnerability allows a remote attacker to completely compromise an affected system; it is rated as a "serious level" vulnerability, and organizations are recommended to apply the security update. In addition, for environments where the security update cannot be applied directly, Microsoft released contingency guidance to mitigate this vulnerability. At the same time, Cisco released protection software to ensure that our customers remain protected.
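The two defensive measures above, applying the MS17-010 update and following Microsoft's workaround of disabling SMBv1, can be audited and enforced from PowerShell. The following is an added example, not code from the original post or from Cisco; it assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, and the KB list is a placeholder the operator fills in from MS17-010 for their build.

```powershell
# Added example (not from the original post): audit SMBv1 exposure on a
# Windows host after MS17-010 and, optionally, apply Microsoft's workaround.
# Assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or
# later (SmbShare and NetTCPIP modules present). Use -WhatIf to preview.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remediate
)

# 1. Is the MS17-010 fix installed? The KB numbers differ per OS build, so
#    this compares the hotfix list against an operator-supplied set.
#    PLACEHOLDER: replace with the KB(s) listed in MS17-010 for this build.
$ms17010Kbs   = @('KB0000000')
$installedKbs = Get-HotFix | Select-Object -ExpandProperty HotFixID
$patched      = @($ms17010Kbs | Where-Object { $installedKbs -contains $_ }).Count -gt 0

# 2. Is the SMBv1 server protocol still enabled?
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

# 3. Is the SMB port (TCP/445) listening, i.e. reachable from the network?
$smbListening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen `
                        -ErrorAction SilentlyContinue)

# Summarise: a host is exposed to MS17-010-style worm propagation only when
# it is unpatched, SMBv1 is on, and SMB is listening.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    MS17010Patched = $patched
    SMB1Enabled    = $smb1Enabled
    SMBListening   = $smbListening
    Exposed        = (-not $patched) -and $smb1Enabled -and $smbListening
} | Format-List

if ($Remediate -and $smb1Enabled) {
    # Microsoft's published workaround for MS17-010 is to disable SMBv1.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 server protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        # On client SKUs the optional feature can be removed as well so the
        # driver is never loaded (server SKUs use Remove-WindowsFeature FS-SMB1).
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    }
}
```

Run it without -Remediate first to get an inventory line per host; feeding the output into a fleet-wide report is what turns this into a worm-exposure check rather than a single-host fix.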

Then, in April 2017, a group nicknamed "TheShadowBrokers" publicly released several exploits on the Internet. These exploits targeted a variety of security vulnerabilities that had been resolved by MS17-010 a month earlier. As always, whenever new exploit code is released, it becomes the focus of both the information security industry and cybercriminals. The information security industry gains information and uses it to improve security. Cybercriminals acquire the code and look for ways to use it to achieve their goals, whether that is financial gain, causing damage, or something else.

Computer worms are not a new concept. Unlike other malware, worms spread themselves within and between systems. For example, Conficker is a computer worm that spreads by exploiting a Windows vulnerability (MS08-067) dating back to 2008. In fact, almost a decade later, Conficker was still spreading across networks by moving between vulnerable systems. History tells us that whenever exploit code is released for a "wormable" vulnerability, worms will be created and will propagate. Although this does not happen often, whenever it does occur the worm has a huge impact on the world. In 2017, it has happened twice so far. However, worms have taken on a new form: computer worms are now used to spread ransomware and other destructive malware. Let us look at WannaCry and Nyetya.

WannaCry

In May 2017, WannaCry entered the threat landscape. The attackers created WannaCry as a ransomware worm that exploits a vulnerability within Windows to spread itself and infect other systems without requiring explicit user interaction. WannaCry exploited the vulnerability that had been resolved two months earlier (MS17-010) to perform this propagation. Once the malware infects a system, it installs ransomware and uses that system to attack other systems. Soon, like a snowball, more and more systems are infected and actively spreading the malware. The damage caused by WannaCry was global, and many organizations around the world were either directly infected or indirectly affected by problems the malware caused elsewhere.

Nyetya

Fast forward to June 2017 and a more sophisticated attack, which again exploited a vulnerability for which a security update had been released a few months earlier. For a number of reasons, we believe this particular attack was more complicated. First, it used a so-called "supply chain attack" as the initial vector to compromise organizations. In a supply chain attack, an attacker exploits the trust relationship between an organization and its vendor. In this attack, the attackers behind Nyetya compromised the software update servers widely used by businesses and organizations in Ukraine. They used the compromised servers to deploy a backdoored version of the software under the guise of a software update. Once the backdoored software was deployed, the attackers could distribute malware directly into the target environments. In this particular case, the malware had a major impact on the system and used multiple methods to spread across the entire network within the compromised organization. Similar to WannaCry, this attack caused many organizations to face major business disruptions, but in this case the damage was mainly concentrated in Ukraine.