The next time you want to complain about annual information assurance training, keep this past week in mind. It’s been an eventful time in cyberspace; between two major malware attacks and a raft of indictments, the nation’s cyber warriors have been running at full speed.
These attacks used different methods and applications, but they all demonstrate one irrefutable truth: any cybersecurity system is only as strong as its network’s weakest user. The whole point of the repetitive exercises like the DoD Cyber Awareness Challenge Training, as annoying as they can be to complete, is to help you spot the ways you could unwittingly become that weakest link.
Atlanta’s SamSam Shazam
The city of Atlanta, Ga. is still unable to process online payments for utilities, taxes, citations, and more, because the city’s network was paralyzed by malware called SamSam. The city took almost all of its systems offline last Thursday after several computers were infected by anonymous hackers.
The fact that the hackers only asked for $50,000 in Bitcoin to decrypt the files is probably a clue that the attack was automated and that they (at least initially) had no idea which “phish” they had on the hook.
This malware is part of a family of ransomware applications known as Samas. As Microsoft documented two years ago, Samas searches for vulnerable networks, then uses stolen credentials to enter and install ransomware that encrypts a hard drive’s contents.
Iranian Indictments
Last Friday, the Justice Department announced the indictment of nine Iranians who are alleged to be “leaders, contractors, associates, hackers-for-hire, and affiliates” of the Iranian Mabna Institute, an organization working on behalf of the Islamic Revolutionary Guard Corps. This organization has been silently attacking universities since at least 2013.
In that time, the government alleges that the group, which cybersecurity firm PhishLabs calls “Silent Librarian,” stole more than 30 terabytes of data from “144 U.S.-based universities, 176 universities across 21 foreign countries, 47 domestic and foreign private sector companies, the United States Department of Labor, the Federal Energy Regulatory Commission, the State of Hawaii, the State of Indiana, the United Nations, and the United Nations Children’s Fund.”
That’s quite a list.
According to the indictment, the hackers targeted 100,000 university professors with spear phishing attacks, which are targeted attempts to steal a particular person’s login credentials. In all, more than 8,000 professors, predominantly at prominent research universities around the world but concentrated in English-speaking countries, fell victim to this attack.
Boeing Bombed by WannaCry
Most recently, the Boeing Company fell victim to WannaCry malware, another form of ransomware. The Seattle Times obtained a copy of an internal memo in which Mike VanderWel, Boeing Commercial Aircraft’s chief engineer, called on employees for “all hands on deck.”
VanderWel’s memo said the virus was “metastasizing rapidly out of North Charleston and I just heard 777 (automated spar assembly tools) may have gone down.” He voiced concern that the malware could spread to aircraft software if it wasn’t stopped immediately.
The Air Force’s trouble-plagued KC-46A Pegasus tanker, based on the Boeing 767, is also produced on the company’s commercial assembly lines, sparking early fears that the virus could further delay the program. Boeing is under pressure to deliver, especially given that it only has the contract because it exerted its considerable political might to force the Air Force to reconsider the original award to what was then called EADS North America, the U.S. subsidiary of European conglomerate Airbus.
If Boeing’s public relations team is to be believed, VanderWel was overly panicked. A statement issued later in the day said, “Our cybersecurity operations center detected a limited intrusion of malware that affected a small number of systems. Remediations were applied and this is not a production and delivery issue.”
Fair Warning to Everyone
SamSam/Samas and the Iranian attackers gained access through phishing, where hackers trick users into sharing their credentials. WannaCry, however, appears to be based on code stolen from the National Security Agency by a hacker group called Shadow Brokers. It is a more traditional worm that exploits vulnerabilities in a computer’s operating system rather than relying on a user’s mistake.
During the WannaCry outbreak last year, the administration blamed North Korea for the attacks.
Microsoft published patches to address these vulnerabilities in March 2017; either Boeing hadn’t installed them, or hackers have modified the WannaCry software to exploit newly discovered vulnerabilities.
Either way, these three incidents in the space of a week should serve as a reminder that cybersecurity isn’t just something to grudgingly grind through once a year; it is a very real, persistent threat that could do serious damage to the data on your organization’s network.
Whether you’re a user or an administrator, don’t be the weak link.