A Single Weak Link Can Sink The Whole Company

Posted on October 26, 2017 by Admin

Recently, ransomware called WannaCry was set loose to infect computers all over the world. At last count, it compromised organizations in over 150 countries and infected over 300,000 machines. Interestingly, the attack itself was not particularly sophisticated. In fact, it was spread through a simple email phishing campaign and exploited vulnerabilities in Microsoft Windows that had already been publicly disclosed with patches available.  While WannaCry spread quickly, it was only active for a very short window of time thanks to a lucky break by a security researcher who found a kill switch for the virus.

Unfortunately, a lot of damage had already been done prior to that. It took down networks of the U.K.’s healthcare system, gave a very large telecommunications company in Spain a lot of grief, and even took down the German train system for a bit. These are very consequential interruptions. And the significance of WannaCry was that it used a two-stage attack design allowing the payload to spread to critical servers via unsuspecting users’ desktop computers.

You see, many of us think that we don’t really have anything significant or mission critical on our desktops, laptops, or mobile devices that a cybercriminal would care to find. Therefore, even if your system is compromised, it shouldn’t have any real impact on the organization itself.  The IT guys can just reload it and no harm, no foul.  What WannaCry showed was that just gaining access to a user’s non-critical computer was only the beginning. The goal was not to steal information from the user’s computer but instead use that computer as a launching point to attack the rest of the internal network, bypassing the corporate firewall and external intrusion prevention solutions.

This malware started in a very simple manner. An email was sent out to employees with a URL included that the user clicked to get a file available in the file sharing, collection, and storage application, Dropbox. Once clicked, the ransomware was executed and wormed its way through the corporate network, looking for vulnerable servers that had not received the security patch. When a vulnerable server was discovered, the ransomware automatically installed and began locking the administrators out of critical files.

A patch to fix this flaw had been released by Microsoft a full two months before WannaCry was released. However, oftentimes, critical servers are left unpatched because third party vendors require time to evaluate the patch before releasing it to clients for installation. This is common for critical servers, because vendors can’t risk having their software crash on these servers due to the installation of a new patch. So, they take time to test it before approving it to their customers. Unfortunately, this testing period often takes several months, if not longer.

What is most important to note is that WannaCry became so prolific because one person was convinced to click a link. His or her system wasn’t necessarily critical, probably wasn’t targeted, and likely the hackers had no idea who that person was. That victim was simply part of a mass mailing list the criminals probably obtained through the dark web. The victim was never the actual target; the desktop just became the launching point to attack the rest of the network, which ultimately led to critical systems being compromised.

According to the Department of Homeland Security, up to 85% of targeted cyberattacks are completely preventable simply by putting into place some basic risk-mitigation measures. At the top of the list is to make sure that you are educated about threats like this one and the others that exist in the Internet world. There is no guarantee that any given link or attachment is safe, regardless of what type of file. In fact, over the years the types of files used to spread malware have evolved from being almost exclusively executable files to Word documents and Excel spreadsheets to PDFs, text files, and now even PowerPoint. Literally, anything may be used now and it isn’t limited to email. Social media is growing in popularity with cybercriminals as well.

A 2014 study by German researchers found that people who receive messages via Facebook will click them 42.5% of the time, even when they don’t know the sender and are certain that what is included probably doesn’t pertain to them. They admitted to doing it because they were simply curious.

And it doesn’t matter if it looks like your colleague, your friend, or even your parents sent the email or posted the message. Cybercriminals are getting sneakier all the time. They can make a message look like came from anyone. If you’re not paying attention, you can fall victim too.

WannaCry was a wakeup call to organizations all over the world. The average user on a network may only have limited access to personal or confidential information. In many cases, the desktop may be completely non-critical and contain nothing of value to a cybercriminal at all. WannaCry, however, shows us that those still could be extremely valuable targets. Any computer, no matter how insignificant can become a launching point to attack the rest of a corporate network and should be considered just as critical as any other primary server the organization owns.

That’s why it is so important to take a bit of time to make sure that whatever you receive in email messages is 100%, without a doubt safe to click. If there is any doubt at all, call the sender on the phone, send a text, or walk over to his or her desk and verify. After all, you probably don’t want to be that one person that sets off worldwide panic like the first person to click that link and begin the spread of WannaCry around the world.

Posted in Cybersecurity, Social Engineering