Cyber criminals match security professionals step for step in order to break through established defenses that grow stronger and more stringent over time. As a natural consequence of this cat-and-mouse game, malicious actors have resorted to yet another innovative intrusion scheme: network-based ransomware.
This class of ransomware effectively eliminates the need for a human to aid in its deployment. Its ability to propagate itself across networks is what sets it apart and makes it so destructive. Over time, attackers have taken this approach to new levels of sophistication by automating the network vector and lacing the malware with worm-like functionality, allowing it to spread destruction widely. This evolution can be seen in malware such as WannaCry and Nyetya, which propagated using the EternalBlue and EternalRomance exploits.
Before the advent of self-propagating ransomware, malware was distributed through generic downloads from the internet, USB or other physical media, or email attachments. These methods required a human to interact with or install the malware. Malware has since evolved to the point where an unpatched, network-connected system is all it takes for deployment and propagation, with no human involvement.
The Nyetya malware surfaced in 2017 and exploited the remote code execution vulnerabilities known as EternalBlue and EternalRomance. It was delivered through update packages for a tax software package and was eventually installed on more than 1 million systems. Being self-propagating, it affected around 2000 companies in Ukraine alone.
WannaCry is another such ransomware that uses the same techniques. Initially it was thought to have propagated through a phishing campaign or email attachments; it later transpired that the malware scanned for and infected hosts exposing the Microsoft Windows Server Message Block (SMB) server port. It also appears that the real purpose of this malware was wiping out data, and that its ransomware nature was only a front to conceal its real intent.
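The SMB scanning behaviour described above leaves a recognisable trace in network flow logs: one internal host opening TCP/445 connections to many distinct peers within a short window. The following detector is an added example, not code from the original article; the flow record format, the sample records and the window/threshold values are assumptions chosen for illustration.

```python
"""Flag internal hosts that fan out to TCP/445 (SMB) on many distinct peers
within a short window, the worm-like propagation pattern described for
WannaCry. Added example; log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: "timestamp src dst dport proto".
# 10.0.1.5 touches six SMB peers in six seconds (worm-like fan-out);
# 10.0.1.8 talks to a single file server repeatedly (normal SMB use).
SAMPLE_FLOWS = """\
2017-05-12T10:00:01 10.0.1.5 10.0.1.20 445 tcp
2017-05-12T10:00:02 10.0.1.5 10.0.1.21 445 tcp
2017-05-12T10:00:03 10.0.1.5 10.0.1.22 445 tcp
2017-05-12T10:00:04 10.0.1.5 10.0.1.23 445 tcp
2017-05-12T10:00:05 10.0.1.5 10.0.1.24 445 tcp
2017-05-12T10:00:06 10.0.1.5 10.0.1.25 445 tcp
2017-05-12T10:00:07 10.0.1.8 10.0.1.50 445 tcp
2017-05-12T10:00:30 10.0.1.8 10.0.1.50 445 tcp
2017-05-12T10:00:45 10.0.1.9 10.0.1.50 443 tcp
2017-05-12T10:05:00 10.0.1.5 10.0.1.60 445 tcp
"""


def parse_flows(text):
    """Yield (timestamp, src, dst, dport, proto) tuples from the log text."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport), proto


def find_smb_scanners(flows, window=timedelta(seconds=60), threshold=5):
    """Return {src: peer_count} for every source that reached `threshold`
    distinct TCP/445 destinations inside some sliding `window`."""
    per_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if proto == "tcp" and dport == 445:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            # Distinct peers contacted within `window` of this event.
            peers = {d for t, d in events[i:] if t - t0 <= window}
            if len(peers) >= threshold:
                alerts[src] = max(alerts.get(src, 0), len(peers))
    return alerts


if __name__ == "__main__":
    print(find_smb_scanners(parse_flows(SAMPLE_FLOWS)))
```

The late 10:05:00 flow from 10.0.1.5 falls outside the 60-second window and so does not raise the count, which keeps the alert tied to burst behaviour rather than ordinary SMB traffic over a day.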
THE SUPPLY CHAIN CONUNDRUM
The Nyetya malware was a supply chain attack. Since it was deployed through an automated software update, something not normally regarded as a threat or risk, it was a major success.
In another supply chain attack, a software developer's servers were used to distribute a genuine software package, CCleaner, whose binaries also contained a Trojan backdoor. The package was signed with a valid certificate, deluding users into trusting its authenticity.
Supply chain attacks have been steadily increasing over time and growing in complexity. Since Common Vulnerabilities and Exposures (CVEs) have decreased and associated security has generally improved, self-propagating malware has evolved which, given its ability to spread rapidly, has the potential to bring down the internet. In this context, security professionals should look for vendors that, in addition to issuing CVEs, also address the underlying vulnerabilities.
Network segmentation is another mitigation technique that should be used to isolate software not covered by a comprehensive security plan. This can considerably lower the likelihood of deployment of, and the damage caused by, supply chain attacks, as well as their spread to other networks.