SamSam and WannaCry
Unless you’ve been entirely off the grid, you have probably heard that a number of high-profile organizations have recently been targeted by ransomware. It’s part of a growing trend that has the potential to impact large numbers of people, with potentially devastating consequences.
The notorious WannaCry virus, which has been targeting the same vulnerable systems for nearly a year, hit a major production plant on March 28th, and one of the country’s largest municipalities has been fighting off the SamSam ransomware for the past several days, something that the city’s mayor has called a “hostage situation.” Fortunately, it appears that only a handful of the manufacturer’s servers were impacted, and none of their production lines were affected. And this latest SamSam attack only targeted online bill paying and court-scheduling services. It could have been much worse.
Normally, as in the case of WannaCry, an end user clicks on a link or opens a file attached to a malicious email that is part of a phishing (random) or spearphishing (targeted) campaign. Or, they visit a compromised website (usually by going somewhere they probably shouldn’t have gone) and pick up a bug along with whatever they were looking at or downloading. In either case, the malicious file is loaded onto a vulnerable endpoint device that is connected to an open network, and its payload spreads from there, locating other vulnerable systems and encrypting their data.
The battle being waged against SamSam is a bit more complicated. It primarily targets vulnerable servers that have been left exposed to the Internet, either through an RDP (Remote Desktop Protocol) brute force attack or by targeting and exploiting specific, known vulnerabilities. Its attacks tend to be much more directed and planned.
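The RDP brute-force entry point described above is visible in the authentication logs of the exposed server long before any encryption starts. The following is an added example, not code from the original post: it runs a sliding-window count of failed RDP logons over a few constructed Windows Security log lines (event 4625 with LogonType 10, in a simplified one-line-per-event export format assumed here) and flags sources that pass a threshold.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a simplified Security log export (assumed format):
# timestamp, event id (4625 = failed logon, 4624 = success), logon type
# (10 = RemoteInteractive, i.e. RDP), source address, account. Illustrative only.
SAMPLE_LOG = """\
2018-03-22T02:14:01 4625 LogonType=10 Src=198.51.100.7 User=administrator
2018-03-22T02:14:03 4625 LogonType=10 Src=198.51.100.7 User=admin
2018-03-22T02:14:05 4625 LogonType=10 Src=198.51.100.7 User=backup
2018-03-22T02:14:06 4625 LogonType=10 Src=198.51.100.7 User=sql
2018-03-22T02:14:08 4625 LogonType=10 Src=198.51.100.7 User=administrator
2018-03-22T02:14:09 4625 LogonType=10 Src=198.51.100.7 User=root
2018-03-22T02:20:00 4625 LogonType=2  Src=10.0.0.5     User=jsmith
2018-03-22T02:20:15 4624 LogonType=10 Src=10.0.0.5     User=jsmith
2018-03-22T03:00:00 4625 LogonType=10 Src=203.0.113.9  User=guest
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d+)\s+LogonType=(\d+)\s+Src=(\S+)\s+User=(\S+)$")

def parse(log_text):
    """Yield (timestamp, event_id, logon_type, src, user) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, event_id, logon_type, src, user = m.groups()
            yield datetime.fromisoformat(ts), int(event_id), int(logon_type), src, user

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {src: (failures_in_window, distinct_accounts_tried)} for every source
    whose failed RDP logons (4625 + LogonType 10) reach `threshold` within `window`.
    Interactive (LogonType 2) failures and successful logons are ignored."""
    recent = defaultdict(deque)   # src -> failure timestamps inside the current window
    users = defaultdict(set)      # src -> every account name tried (cumulative)
    alerts = {}
    for ts, event_id, logon_type, src, user in parse(log_text):
        if event_id != 4625 or logon_type != 10:
            continue
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts[src] = (len(q), len(users[src]))
    return alerts
```

A high count of failures from one address against many different account names is the usual password-spraying shape; the same function will also pick up a single account hammered repeatedly, since the threshold is on the per-source failure count.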
SamSam first appeared in late 2015, and while it was initially a fairly low-profile risk, over the past several months its developers have been on a tear, targeting a wide range of organizations from healthcare and educational institutions to local governments. Four major municipalities have been targeted since the beginning of the year, with one being hit twice within a week, forcing nearly 2,000 employees to conduct business using pencil and paper. It is estimated that, to date, the group responsible for SamSam has extorted nearly a million dollars from its victims.
Back to the Basics
While SamSam and WannaCry are different kinds of ransomware attacks, using different attack vectors, they both have one thing in common. They target systems with known vulnerabilities that should have been patched.
Part of the problem is that networks are increasingly complex, and IT resources have been spread thin, focused on expanding the capabilities of the network through projects such as cloud and application rollouts. This, in turn, has caused IT teams to take their eye off the ball when it comes to basic security practices, including basic security hygiene. According to one of the IT administrators at the city currently battling a SamSam infection, this “really speaks to the fact that as much as we focus on physical infrastructure, we need to focus on the security of our digital infrastructure…This is new territory for us.”
What You Need to Do
Cybercriminals have been using an “attack on all fronts” strategy that has been especially effective. Not only are they developing new attack vectors to exploit the expanding attack surface created by digital transformation, they have also been using the tried and true method of targeting older, known vulnerabilities that IT teams simply haven’t had the time to address.
The best defense approach is to develop a methodical process to reduce the number of possible attack avenues that your organization is exposed to. It starts with the basics:
Actively inventory all devices: You need to know what devices are on your network at all times. Of course, this is hard to do if your security devices and access points can’t talk to each other.
Track threats: You also need to be subscribing to real-time threat feeds that keep your security systems tuned to the latest threat landscape.
Monitor indicators of compromise (IOCs): Once you can tie inventory to threat, you can quickly see which of your devices are most at risk, and prioritize either hardening, patching, isolating, or replacing them.
Automate patching: No one likes patching systems. But unpatched systems continue to be a primary conduit for attacks and malware – as the recent WannaCry breach makes clear – which is why, as much as possible, you should be developing a process for automating patching.
Segment the network: The reality is, you are going to be breached. When that happens, you want to limit the impact of that event as much as possible. The best defense is to segment the network. Without proper segmentation, ransomworms like WannaCry can easily propagate to backup stores, making other parts of your incident response (IR) plan much more difficult to implement. Segmentation strategies, including microsegmentation in virtual environments, and macro-segmentation between physical and virtual networks, allow you to proactively and/or dynamically isolate an attack, thereby limiting its ability to spread.
Apply security controls: Implement signature and behavioral based solutions to detect and thwart attacks both at the edge, and once they have penetrated your network.
Backup critical systems: When dealing with ransomware, the most important thing you can do is make sure that you have a copy of critical data and resources stored off network so you can resume operations as soon as possible.
Harden endpoints and access points: Make sure that any devices coming onto your network meet basic security requirements, and that you are actively scanning for infected devices and traffic.
Implement Automation: After locking down those areas you have control over, you should apply automation to as many of your basic security processes as possible. This frees your IT resources to focus on the higher order threat analysis and response tasks that can protect you from the more advanced threats that are also targeting your organization.
Deploy a Security Fabric: To ensure that these security practices are seamlessly extended into every new network ecosystem you bring online, you need to deploy security solutions that are integrated and enable orchestration and analysis to be centralized. Rather than an increasingly complex and fragmented security strategy, a single Security Fabric designed to span and adapt to your dynamically evolving network returns broad visibility and granular control to your security operations.
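The first three steps above (inventory, threat feed, indicators of compromise) only pay off when they are joined together into a ranked list of what to harden, patch or isolate first. The following is an added example, not code from the original post: it scores a constructed device inventory against a constructed threat feed (the advisory ids and hostnames are placeholders, not real identifiers) so that an unpatched, Internet-exposed service with an actively exploited vulnerability rises to the top.

```python
from dataclasses import dataclass

@dataclass
class Device:
    hostname: str
    internet_exposed: set      # services reachable from the Internet, e.g. {"rdp"}
    missing_patches: set       # advisory ids known to be unapplied (from the inventory)
    has_offline_backup: bool   # a copy of its data exists off the network

# Constructed threat feed (placeholder advisory ids): which service each advisory
# affects and whether ransomware campaigns are currently exploiting it.
THREAT_FEED = {
    "ADV-EXAMPLE-SMB": {"exploited": True,  "service": "smb"},
    "ADV-EXAMPLE-WEB": {"exploited": False, "service": "http"},
    "ADV-EXAMPLE-RDP": {"exploited": True,  "service": "rdp"},
}

def risk_score(dev, feed):
    """Higher is worse. Weights are illustrative, not a published scoring scheme."""
    score = 0
    for adv in dev.missing_patches:
        info = feed.get(adv)
        if info is None:
            continue                      # not in the feed: no evidence either way
        score += 3 if info["exploited"] else 1
        if info["service"] in dev.internet_exposed:
            score += 4                    # unpatched AND reachable from the Internet
    if "rdp" in dev.internet_exposed:
        score += 2                        # exposed RDP invites brute force regardless of patch level
    if not dev.has_offline_backup:
        score += 2                        # ransomware recovery depends on an off-network copy
    return score

def recommend(score):
    """Map a score onto the article's options: isolate, patch, harden, or leave as is."""
    if score >= 8:
        return "isolate then patch"
    if score >= 4:
        return "patch now"
    return "harden" if score > 0 else "ok"

def prioritize(devices, feed):
    """Return [(hostname, score, action)] ordered from most to least at risk."""
    scored = [(d.hostname, risk_score(d, feed)) for d in devices]
    scored.sort(key=lambda item: item[1], reverse=True)
    return [(host, score, recommend(score)) for host, score in scored]

INVENTORY = [   # constructed hosts
    Device("bill-pay-web", {"http", "rdp"}, {"ADV-EXAMPLE-RDP", "ADV-EXAMPLE-WEB"}, False),
    Device("file-srv-01", set(), {"ADV-EXAMPLE-SMB"}, True),
    Device("kiosk-07", set(), set(), True),
]
```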