Well it was a relatively quiet few weeks, until it wasn’t….

Here are some of the key stories that stuck out from the last few weeks.

The #NotPetya/Nyetya worm

We have already written at length about ransomware and about this specific attack. This worm hit a number of different companies, appearing like ransomware but in practice having no effective decryption mechanism. It appears to have originated from a breached Ukrainian software house from where it was distributed as part of a forged updates file. Once it infected a machine, it spread throughout the network using both the EternalBlue exploit but also by dumping passwords and reusing them on other networked machines via psexec and wmic. This blog post gives a good overview of why this attack should be especially concerning for blue-teamers.

Key takeaways:

• More impetus to apply the MS17-010 if somehow this has not yet been done.
• Reportedly, the malware spread incredibly fast so detection solutions maybe not have been enough in this case. Frequent, robust and offline backups would have been crucial for recovery.
• The malware traversed networks in the same way as manual attackers. It’s important to use different local passwords on all endpoints and segment the network as much as possible.

Threats from your routers

Wikileaks have alleged that the CIA have the capability to infect routers with malware and intercept sensitive traffic. Similarly, researchers from Ben Gurion University demonstrated a technique of exfiltrating sensitive data using the LEDs on a router.

Key takeaways:

• Whilst neither of these threats may be particularly realistic for most company’s threat models, it is important to consider the risk from all devices in the technology environment.
• This is especially important in the “Internet of Things(IoT) age” where so many regular items have computers inside.