Channel: Spotlight

Pawn Storm – A Look Into this Cyberespionage Actor Group


In April 2017 my monthly threat webinar focused on a cyberespionage group that our Forward-Looking Threat Researcher, Feike Hacquebord, has been following for many years; he recently published a report covering the group's activities over the most recent two years. In this post I want to focus on their tools and tactics rather than on whom they target, since the tools and tactics are what most organizations need to understand in order to protect themselves if they are targeted by Pawn Storm or by other actors using similar tactics.

 

Pawn Storm actors use a number of techniques to compromise their victims:

  1. Credential phishing is their primary means of compromise: they attempt to steal login credentials for email accounts, both consumer and corporate.
  2. OAuth abuse is an effective means of compromising a victim, and one we have seen recently in the news. The victim is tricked into granting a third-party application access to their mailbox, so the attacker never needs the password and a password reset does not revoke the access.
  3. Tabnabbing is a tactic many may not be familiar with, but one that Pawn Storm uses regularly: the victim opens a link in a new tab and, while reading it, the original tab is silently replaced with a phishing login page.
  4. Targeting an organization's DNS settings, either through its registrar or through the HOSTS file on individual systems.
  5. Watering-hole attacks that compromise websites frequently visited by their victims.
  6. Spear-phishing emails, a staple of their arsenal and common to nearly all targeted attacks.
  7. A private exploit kit, to which they regularly add 0-days alongside commonly exploited vulnerabilities, is used to infect hosts.
  8. Second-stage C&C infrastructure and malware are deployed only against targets they deem high value.
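Tactic 3 is the one most worth a concrete check. In reverse tabnabbing, a page opened in a new tab keeps a `window.opener` reference to the page that linked to it and can rewrite that original tab's location, so a victim who returns to the first tab finds a convincing login page where their webmail used to be. Links that open new tabs should therefore carry `rel="noopener"` (or `noreferrer`, which implies it). The scanner below is added here as an example, not code from the original post or from Trend Micro; it walks an HTML document and reports anchors that open a new browsing context without severing the opener. The sample HTML is constructed.

```python
from html.parser import HTMLParser


class OpenerAuditor(HTMLParser):
    """Collect anchors that open a new tab while leaving window.opener intact."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        # html.parser yields None for valueless attributes; normalise to "".
        attr = {name.lower(): (value or "") for name, value in attrs}
        # Only _blank or a named window hands the new page an opener reference.
        target = attr.get("target", "").strip().lower()
        if target in ("", "_self", "_parent", "_top"):
            return
        rel_tokens = set(attr.get("rel", "").lower().split())
        # noreferrer implies noopener per the HTML spec, so either token is enough.
        if rel_tokens & {"noopener", "noreferrer"}:
            return
        self.findings.append(attr.get("href", ""))


def unsafe_new_tab_links(html_text):
    """Return hrefs of anchors that a tabnabbing page could exploit."""
    auditor = OpenerAuditor()
    auditor.feed(html_text)
    auditor.close()
    return auditor.findings


# Constructed sample: a webmail-style page rendering links from an incoming message.
SAMPLE_HTML = """
<html><body>
<a href="https://news.example/article" target="_blank">read more</a>
<a href="https://news.example/safe" target="_blank" rel="noopener">read more</a>
<a href="https://news.example/safer" target="_blank" rel="noreferrer nofollow">read more</a>
<a href="https://news.example/named" target="reader">open in reader window</a>
<a href="https://intranet.example/help">help</a>
</body></html>
"""

if __name__ == "__main__":
    for href in unsafe_new_tab_links(SAMPLE_HTML):
        print("missing rel=noopener:", href)
```

Current browsers treat `target="_blank"` as `noopener` by default, but the explicit attribute still matters for older clients and for named targets such as the `reader` window above, which the default does not cover.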

All of these tools and tactics make the group very successful in its attacks. Organizations should invest time in understanding how each one works, and in improving both their cyber security and their operational security, to minimize the chance of compromise.

I cover all of these, and the rest of what we know about the Pawn Storm group, in my recorded webinar, but more importantly I share solutions and best practices businesses can adopt to protect themselves from this group. I hope you enjoy the presentation; feel free to leave a comment below if you have any questions, or a recommendation for future webinars on what threats you'd like me to cover.


Randstad Group Selects Trend Micro to Protect its Public Cloud Infrastructure


The Randstad Group is currently in the process of consolidating and centralizing its IT infrastructure across 30 IT departments, and will be providing service to more than 40 operating countries across four continents. To ensure the new infrastructure will have optimal security the company selected Trend Micro as its cloud security solution partner for the next five years.

“We found in Trend Micro the perfect combination of an effective and scalable platform to fulfill Randstad’s security requirements,” said Bernardo Payet, general manager for Randstad Global IT Solutions.

Trend Micro is proud to support the Randstad Group and help the company embrace cloud technologies into its new infrastructure. Attributes of Trend Micro Deep Security that appealed to Randstad when selecting a cloud security provider, include:

  • Status as market leader in server protection solutions
  • Complete set of security controls – which are entirely host and consumption-based
  • Automated policy-based protection
  • Pay as you go platform
  • Supports DevOps processes and container technology integrating with Splunk and ServiceNow
  • Integrated with a large number of Microsoft and Linux server platforms – offering fast and effective protection against vulnerabilities

To read more about the collaboration between Randstad Group and Trend Micro visit here.

Transforming the Cyber Health of Small HCOs Across the US


When we talk about healthcare breaches, there are some big-name incidents. Yet in reality there’s a huge number of smaller providers who are in the hackers’ sights and maybe don’t have the resources or expertise to adequately defend themselves. With ransomware threatening to shut down systems and impact patient care, the stakes have never been higher.

That’s why Trend Micro is a committed partner of HITRUST CyberAid: the first program to protect the records of patients of small health care providers and single practitioners. In fact, our products were the first to be rolled out as part of the program and are already helping protect key data and systems in small healthcare organizations (HCOs) around the country.  Click here to watch more about the CyberAid program and hear insights from Senior Vice President and CIO at Children’s Health, Pamela Arora.

HCOs under fire

As we revealed in a recent report, Cybercrime and Other Threats Faced by the Healthcare Industry, North American HCOs are the most exposed in the world when it comes to internet-connected but unsecured devices. The report also explains why Electronic Health Records (EHRs) are in growing demand among cybercriminals: they typically contain a blend of information, including PII, medical, insurance and financial data. While financial credentials can be reset and changed, personal identifiers and medical information have a much longer shelf life for the hackers and can be used to commit a variety of fraud, from filing fake insurance claims to getting hold of prescription drugs.

It’s no surprise that complete EHR databases can sell for as much as $500,000.

That’s not to mention the threat to hospital IT systems from ransomware which can have a major impact on service delivery and patient care. In fact, almost 80% of HCOs have suffered two or more security breaches, including records theft and ransomware, in the past two years.

Enter HITRUST CyberAid

HITRUST’s CyberAid program was launched specifically to help those HCOs which may currently be struggling to keep data and systems secure: physician practices with fewer than 75 employees. It combines network and endpoint security alongside end-user education, implementation, operations and support. The focus is on maximum protection for minimum cost – at just $25-$60 per user per year – and hassle-free maintenance, with zero ongoing administration and simple installation.

We’re proud to say Trend Micro has been supporting the initiative from the very beginning. Our cloud-hybrid network security appliance and endpoint security software were the first products to be approved by HITRUST; fulfilling the criteria for industry leading protection at low cost and with minimum fuss. In fact, we collaborated with HITRUST to customize our solutions specifically to meet the needs of CyberAid HCOs, and the results have been outstanding. Between October 20 and November 20, 2016 alone, each CyberAid participant was protected from 364 threats on average – that’s 12 potentially crippling ransomware, spyware, virus or other types of threat each day.

A hit with HCOs

The first partner organization in the HITRUST CyberAid program was Children’s Health, a pediatric healthcare system in North Texas which works closely with community physicians in the region. Given that these small practitioners comprise 40% of the healthcare community, the work of Children’s Health and organizations like it is vital to keeping cyber threats at bay in the industry. In fact, CIO Pamela Arora was recently presented with a prestigious 2016 Transformational Leadership Award by the College of Healthcare Information Management Executives (CHIME) for her efforts.

It’s early days, but we think CyberAid has the potential to transform the cybersecurity posture of small HCOs across the country, keeping patient data secure and key healthcare services up and running. That’s got to be good news all round.

Accelerating AI Research to Improve Threat Protection

AI could remake cyber security.

Once the realm of science fiction, artificial intelligence (AI) is now very much science fact. The potential of this ground-breaking technology – and related disciplines including deep learning and machine learning – is so great that even governments in the UK and US have released reports on its long-term impact on society. Nowhere are the possibilities offered by AI more tantalising than in the cybersecurity industry.

That’s why Trend Micro is making significant investments in the area, including: collaborative partnerships with academia; a raft of new hires to build up expertise in the area; new product development; and initiatives including the T-Brain platform in Taiwan. We’re determined to extend our industry leading capabilities in cloud security with world-beating AI security expertise.

The future is here

AI has long been touted as a coming tidal wave of technological innovation that will change the way we live and work forever. Yet only in the past few years have technological advances finally begun to show the technology's potential to do exactly that. So we've seen IBM’s Watson supercomputer beat human opponents at the quiz show Jeopardy. More recently, Google’s AlphaGo program routed one of the world’s leading Go players, Lee Sedol. Carnegie Mellon University’s Libratus program has even reportedly managed to beat all-comers at poker.

Although AI shouldn’t be seen as a “silver bullet” solution to modern threats, there are some major implications for cybersecurity. AI and machine learning can help spot zero-day threats by learning normal and unusual behavior and then flagging when something’s not quite right. In so doing, they can make security products more effective at blocking threats and free up much-needed human resources on IT teams to focus on more strategic endeavors. Trend Micro has been leveraging machine learning for several years, and our high-fidelity machine learning technology forms an essential part of our XGen approach to threat defense.

All in for AI

At Trend Micro “AI” means something else for us: “All In!” From the early days of cloud computing, through big data and now AI, we’ve always been keen to invest in new technology platforms that offer better ways of protecting our global customers.

That’s why we’ve already invested in over 300 engineers with AI experience. We also recently sponsored the annual Artificial Intelligence Forum 2017, an event which will see a number of Japanese AI experts, including Prof. Noda Hiroshi, the president of the RoboCup Federation, and Prof. Ishizuka from the CIC Center of the National Institute of Informatics, come to share their expertise in Taiwan.

Trend Micro’s capabilities have also seen us collaborate with Taiwan’s National Center for High Performance Computing (NCHC) on the “T-Brain” machine learning intelligence analysis platform, which we hope will provide a great resource to government and academia.

Accelerating AI

Trend Micro’s AI focus comes right from the top, with Chairman Steve Chang and CEO Eva Chen both passionate about developing its potential to grow the company and enhance our products.

In fact, Steve was recently invited to give the opening address at the prestigious Artificial Intelligence Forum at Taiwan’s National Chi Nan University. In it, he stressed that the industry is accelerating at top speed towards an AI future. A clear vision, products that meet a definite market need and a staff filled with AI experts will be key to success in this area.

It’s important to remember that artificial intelligence is not the answer to all our cybersecurity challenges. Like other technologies, it has pros and cons, which is why at Trend Micro we advocate a layered approach to security combining multiple techniques. However, given that we’ve only just scratched the surface in terms of what AI could achieve, the next few years are going to be an exciting time for all of us at Trend Micro.

Teaming Up with HITRUST to Raise Cybersecurity Standards in Healthcare


From cash-hungry hackers to state-sponsored spies and careless insiders, there’s no shortage of cyber threats facing healthcare organizations (HCOs) today. At Trend Micro, we’ve been protecting organizations operating in the industry for years, but the challenges facing these customers show no signs of abating. In fact, figures from the US Department of Health and Human Services (HHS) put the number of recorded breaches in 2016 at more than 320; linked to the theft of more than 16 million records.

That’s why we’ve been showing our support at the HITRUST 2017 annual conference this week. HITRUST is doing fantastic work to help improve the cybersecurity posture of smaller HCOs which typically have fewer resources to throw at the problem – by providing low-cost tools and improving threat intelligence gathering and information sharing.

Digital threats

Healthcare organizations are keen to leverage the benefits of digital transformation to improve patient care and make themselves more cost effective. But new cloud, mobile and IoT technologies also open up cybersecurity gaps which cyber threat actors are ready and waiting to exploit. As Trend Micro explained in a February report, Cybercrime and Other Threats Faced by the Healthcare Industry, Electronic Health Records (EHRs) are increasingly popular in cybercriminal undergrounds. They typically contain protected health information (PHI), which has a long shelf life and can be used in a wide range of follow-on fraud scams, making them particularly lucrative fare. That’s why a complete EHR database can sell for as much as $500,000.

That’s not to mention the risks facing HCOs from ransomware, as cybercriminals look to target organizations with the most to lose from an IT outage. The Hollywood Presbyterian Medical Center was the first to publicly admit paying up in such a case – to the tune of $17,000. Unfortunately, that case was the first of far too many.

Fighting back with HITRUST

These challenges make the work of HITRUST and organizations like it all the more important. HITRUST runs CyberAid, a first-of-its-kind initiative designed to put high quality security tools and support in the hands of physician practices with fewer than 75 employees. Thanks to a partnership with Trend Micro this is already proving a great success: For example, between October and November 2016, each CyberAid participant was protected on average from 364 threats.

However, that’s not all. At the HITRUST 2017 event, attendees heard about the Cyber Threat XChange (CTX); an initiative designed to accelerate the detection of and response to cyber threats targeting HCOs. How does it do this? By automating the collection and analysis of cyber threats while digitally distributing actionable indicators which HCOs can use to improve their cyber defenses.

A two-week pilot in April returned some impressive results: more than 2,300 IoCs including email-borne ransomware, C&C callbacks and much more.

At the same event, I spoke of the importance of blended threat prevention in helping HCOs improve their cybersecurity, from the first line of defense provided by messaging and web security gateways; to network-based breach detection systems and IPS; physical, virtual and cloud security; and integrated endpoint security.

But I also highlighted the importance of industry partnerships, like the ones we have with HITRUST, in helping to raise security standards and share information for the good of all stakeholders. We’re thrilled that Trend Micro’s hybrid Unified Threat Management (UTM) appliance, Cloud Edge, and our endpoint security SaaS, Worry-Free Services, were the first products to be approved for the CyberAid program, and that our Deep Discovery Inspector is the backbone of threat intelligence collection and analysis for the Enhanced HITRUST CTX.

Cyber threat actors will never let up, so neither should we. Here’s to many more successful partnerships and initiatives going forward.

Is Your Security Team Setup To Fail?


The ingredients for strong cybersecurity aren’t a secret. In fact, they haven’t changed significantly over the past 20 years—the ingredients are available to almost every organization out there.

On the surface, doing security isn’t that hard:

 

 

  • Patch quickly and frequently.
  • Use reasonable security controls—intrusion prevention, application control, and anti-malware—and monitor them.
  • Use two-factor authentication, together with a reasonable password policy.
  • Classify information as it is created.
  • Have a good backup system and test it regularly.

That’s it. Executing well in these areas will stop most attacks and help minimize the impact from those that are successful. So why do most organizations have such a poor security posture?

Organizations—and security teams in particular—claim that cybersecurity is everyone’s responsibility, but do their actions back up their claims? The root of the problem may surprise you. It starts with the perceived role of security in the organization and the decisions that are based on that perception.

Here’s how to assess whether your security team is set up to fail.

The security team’s role

The common view of security’s role is to stop hackers. Looking around the security community, there’s plenty of material to support that. Most conferences and publications focus on the latest threat or malware variant. Movies always show the hackers taking down the firewall; rarely do we watch someone poring over log files.

A far more realistic and productive definition of the role is to ensure that your systems work as intended—and only as intended. This may seem like splitting hairs, but the definition of the role is critical.

Stopping hackers is an activity that is viewed as a job with limited scope and a definite perimeter. Ensuring that systems work as intended and only as intended requires multiple teams working together. An isolated team cannot accomplish this goal.

Centralizing security is a setup

The consistency with which security teams are structured is amazing. In all verticals, all regions, and all types of businesses, security teams are built in a purely centralized model. The only thing that changes is the relative scale of the team.

The teams break down into five areas:

  1. Leadership
  2. Digital forensics and incident response (DFIR)
  3. Governance, risk, and compliance (GRC)
  4. Architecture
  5. Awareness

As organizations grow, the leader becomes a CISO, and eventually the office of the CISO. The other areas of focus also reflect that growth and become dedicated teams rolling up to the CISO. Regardless of size, the centralized model rules supreme.

But isn’t cybersecurity everyone’s responsibility? This structure runs counter to that goal. It isolates the organization’s security knowledge in one place. This creates three significant problems that the security team is forced to address.

Communications overhead

Every team that the security team needs to communicate with adds overhead—and it needs to work with everyone. Each new link needs to be maintained, and eventually the number of connections becomes overwhelming. This severely impacts the team’s ability to effectively communicate within the organization.

This is the point when memos and meetings start to become more common. Despite the clear evidence that meetings are ineffective, they are relied on to bring security to the table and make critical decisions. It’s a recipe for disaster.

Teams within the organization don’t get the information and education they need, and the security team is always struggling to keep up with the latest initiatives. Lose, lose.

Lack of context

A parallel problem to direct communications is a lack of context and supporting information about the state of various IT systems and applications. If the security team’s role is to stop hackers, why would it need business metrics?

This setup leads the security team to areas it can control. Perimeter defense, endpoint systems, and threat intelligence all provide supporting information to the team to inform members’ decisions. This biases their response to common situations.

Take for example a massive spike in inbound network packets. If the security team sees an unexpected increase in network traffic from a variety of IP addresses, its (understandable) assumption is that the traffic represents a DDoS attack.

The team is missing additional details that would suggest alternative causes. What if this traffic is the result of a wildly successful marketing campaign and the business has had a day the sales team previously only dreamt of?

Without information from key business systems (such as the total number of completed transactions) and application metrics, the security team doesn’t have enough information to make the correct determination. This is the direct result of the isolation of a centralized team structure.
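The DDoS-versus-campaign question above can be answered mechanically once the security team has the business metric. The triage function below is an added example, not code from the original article or from Trend Micro: it takes per-minute request counts alongside completed checkouts, establishes a baseline, and distinguishes a surge where orders rise with traffic from a flood where traffic explodes while the conversion rate collapses. The metrics are constructed, and the thresholds (`spike_factor`, `conversion_floor`) are illustrative tuning knobs, not values from the article.

```python
from statistics import mean


def spike_verdict(samples, baseline_minutes=5, spike_factor=3.0, conversion_floor=0.5):
    """Classify a request spike using business context, not just packet counts.

    samples: list of (minute, requests, completed_orders) tuples, oldest first.
    The first `baseline_minutes` entries establish normal traffic and the
    normal orders-per-request conversion rate. Returns one of:
      "normal"            no spike relative to baseline
      "legitimate-surge"  requests spiked but conversion held up (a campaign)
      "suspect-ddos"      requests spiked while conversion collapsed
    """
    if len(samples) <= baseline_minutes:
        raise ValueError("need more samples than the baseline window")
    base = samples[:baseline_minutes]
    recent = samples[baseline_minutes:]

    base_requests = mean(r for _, r, _ in base)
    base_conversion = sum(o for _, _, o in base) / max(sum(r for _, r, _ in base), 1)

    recent_requests = mean(r for _, r, _ in recent)
    recent_conversion = sum(o for _, _, o in recent) / max(sum(r for _, r, _ in recent), 1)

    # No spike at all: nothing to triage.
    if recent_requests < spike_factor * base_requests:
        return "normal"
    # Traffic spiked: real customers still convert, a packet flood does not.
    if base_conversion > 0 and recent_conversion >= conversion_floor * base_conversion:
        return "legitimate-surge"
    return "suspect-ddos"


# Constructed metrics: (minute, HTTP requests, completed checkouts).
CAMPAIGN_DAY = [
    (0, 1000, 20), (1, 1050, 21), (2, 980, 19), (3, 1020, 20), (4, 1000, 20),
    (5, 9000, 170), (6, 12000, 230), (7, 11500, 220),
]
FLOOD = [
    (0, 1000, 20), (1, 1050, 21), (2, 980, 19), (3, 1020, 20), (4, 1000, 20),
    (5, 90000, 18), (6, 140000, 15), (7, 150000, 12),
]
QUIET = [
    (0, 1000, 20), (1, 1050, 21), (2, 980, 19), (3, 1020, 20), (4, 1000, 20),
    (5, 1100, 22), (6, 1200, 24),
]

if __name__ == "__main__":
    for name, series in (("campaign", CAMPAIGN_DAY), ("flood", FLOOD), ("quiet", QUIET)):
        print(name, "->", spike_verdict(series))
```

The point is not the thresholds but the second column: without the checkout count, every one of these series looks the same to a team that only sees packets.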

Attitude

Centralization also shapes the perception of both the team members and the rest of the organization. Security is known as the team of “no,” and the security team generally has a negative view of the organization’s users.

Nowhere is this clearer than in security awareness training. Users are told that they need to select a strong password and then are given arbitrary rules on how to create one. Eight characters, one capital letter, one number, and a symbol. Rinse and repeat every third month.

This, despite evidence that it leads to poorer security outcomes. Thankfully the NIST guidelines (SP 800-63B) have been updated to a more reasonable and secure approach: screen passwords against lists of known-breached and commonly used values, and drop the mandatory composition rules and scheduled rotation. The bad advice persists nonetheless.
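To make the contrast concrete, here is the old composition rule beside a NIST-style check, as an added example rather than code from the original article. The breached-password set is a constructed stand-in; a real verifier would screen against a full corpus such as a Pwned Passwords export.

```python
import re

# Constructed stand-in for a breached-password corpus.
BREACHED = {"password", "p@ssw0rd", "p@ssw0rd1!", "summer2017!", "welcome1!"}

# Eight characters, one capital letter, one number and a symbol.
COMPOSITION_RULES = (r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def legacy_policy(password):
    """The familiar rule set: length plus required character classes."""
    return len(password) >= 8 and all(re.search(rule, password) for rule in COMPOSITION_RULES)


def nist_policy(password, blocklist=BREACHED):
    """SP 800-63B style: 8 to 64 characters, screened against known-breached
    values, with no composition rules and no scheduled rotation.
    Lower-casing before the lookup is a conservative choice for the demo."""
    if not 8 <= len(password) <= 64:
        return False
    return password.lower() not in blocklist


def compare_policies(candidates):
    """Map each candidate to (passes_legacy, passes_nist)."""
    return {pw: (legacy_policy(pw), nist_policy(pw)) for pw in candidates}


if __name__ == "__main__":
    for pw, verdict in compare_policies(["P@ssw0rd1!", "owl lantern bicycle marmalade"]).items():
        print(f"{pw!r}: legacy={verdict[0]} nist={verdict[1]}")
```

A value like `P@ssw0rd1!` satisfies every composition rule and is in every breach corpus; a long passphrase fails the composition rule and is the stronger secret.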

We see this attitude in training about phishing attacks. Users are told not to click on links for their own safety. That’s absurd. The sole purpose of a link is to be clicked on.

The centralized structure discourages empathy and understanding.

Is decentralizing the answer?

Completely decentralizing security isn’t realistic, nor is it the answer. What is needed is a change in perception and attitude for the members of the security team.

The good news is that understanding the forces at work allows the team to fight against them. A modern security team embraces the need to act as educators within the organization. Its members seek out an understanding of how the business works and build bridges with teams throughout the organization.

A modern security team works hand in hand with all the teams in the organization to move toward a common goal. The teams work together to ensure that all systems are working as intended—and only as intended.

When assessing your security team’s posture, remember: The biggest problem in cybersecurity isn’t a technical one—it’s a people problem.

Originally published on TechBeacon.com as, “Is your security team set up to fail?“.

This Week in Security News


Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.

Below you’ll find a quick recap of topics followed by links to news articles and/or our blog posts providing additional insight. Be sure to check back each Friday for highlights of the goings-on each week!

 

Take a Closer Look into Cyberespionage Actor Group Pawn Storm

In this post we will focus on their tools and tactics versus who they target since this is what most organizations need to focus on in order to protect themselves if targeted by Pawn Storm or other actors using similar tactics. 

President Trump Signs Cybersecurity Executive Order

U.S. President Donald Trump on Thursday signed an executive order to bolster the government’s cyber security and protect the nation’s critical infrastructure from cyberattacks, marking his first significant action to address what he has called a top priority. 

Don’t Pin the Macron Email Hack on Russia Just Yet

On Friday, nine gigabytes of emails from Macron’s En Marche party spilled onto the web in a collection of torrent files. Within hours, the party had issued a statement blaming that leak on hackers’ intent to disrupt the democratic process. This latest breach, for now, lacks conclusive fingerprints—and what few clues there are have only added to the confusion. 

New IoT Botnet, Persirai, Targets IP Cameras

A new Internet of Things (IoT) botnet called Persirai has been discovered targeting over 1,000 Internet Protocol Camera models based on various Original Equipment Manufacturer products. This development comes on the heels of Mirai, as well as the Hajime botnet. 

New ‘Bondnet’ Botnet Mines Cryptocurrencies

A newly detected botnet, made up of thousands of compromised servers, has infected more than 15,000 machines since it became active in December 2016. “Bondnet” is currently used to mine cryptocurrencies, primarily the open-source Monero. 

Snake Cyberespionage Malware is Ready to Bite Mac Users

A sophisticated Russian cyberespionage group is readying attacks against Mac users and has recently ported its Windows backdoor program to macOS. The group, known in the security industry as Snake, Turla or Uroburos, has been active since at least 2007. 

FCC Says it Was Victim of a Cyberattack After John Oliver’s Show

The Federal Communications Commission is claiming its website was hit by a cyberattack late Sunday night. The attack came shortly after comedian John Oliver urged viewers of his HBO show “Last Week Tonight” to file comments on the site in support of the agency’s net neutrality rules. 

Hackers Are Reusing Free Online Tools as Part of Their Cyberespionage Campaigns

A new form of cyberattack has set its sights on high-profile targets across the globe, enabling its perpetrators to conduct espionage and steal data by using readily available software tools, thus removing the need to deploy advanced malware.  

Cyber Health of Small HCOs is Transforming Across the U.S.

When we talk about healthcare breaches, people usually remember the big-name incidents. Yet in reality there’s a huge number of smaller providers who are in the hackers’ sights and maybe don’t have the resources or expertise to adequately defend themselves. 

Trend Micro Is Teaming Up with HITRUST to Raise Cybersecurity Standards in Healthcare

From cash-hungry hackers to state-sponsored spies and careless insiders, there’s no shortage of cyber threats facing healthcare organizations (HCOs) today. At Trend Micro, we’ve been protecting organizations operating in the industry for years. 

Trend Micro is Accelerating AI Research to Improve Threat Protection

Once the realm of science fiction, artificial intelligence (AI) is now very much science fact. Nowhere are the possibilities offered by AI more tantalizing than in the cybersecurity industry. That’s why Trend Micro is making significant investments in the area.

Please add your thoughts in the comments below or follow me on Twitter; @JonLClay.

TippingPoint Threat Intelligence and Zero-Day Coverage – Week of May 8, 2017


Although I’m still dreaming of the sandy beaches of Cancun, it’s time to get back to reality. Security vulnerabilities never take a holiday and this week is no exception. In addition to our normal Digital Vaccine (DV) package delivered earlier this week, we also issued an out-of-band DV package to address zero-day vulnerabilities for Intel Active Management Technology (AMT) (CVE-2017-5689) and Windows Defender (CVE-2017-0290).

The Intel AMT vulnerability is a privilege-escalation issue that allows an unprivileged attacker to gain control of the manageability features provided by the affected Intel AMT products. The Windows Defender vulnerability is scarier, because it allows a remote attacker to take over a system without any interaction from the system owner: merely having Windows Defender scan an email or instant message sent by the attacker is enough. The real fix in both cases is the vendor update (firmware from your OEM for AMT, and the Microsoft Malware Protection Engine, which updates itself through definition updates), but customers using TippingPoint solutions are protected from these vulnerabilities in the meantime with the following DV filters:

  • 28214: HTTP: Null response digest
  • 28221: HTTP: Microsoft Malware Protection Engine mpengine Type Confusion Vulnerability
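The name of filter 28214 ("Null response digest") points at the mechanism. Public analysis of the AMT bug attributed the bypass to a length-limited string comparison in which the number of characters compared came from the attacker-supplied digest response, so an empty `response=""` compared zero characters and authenticated. The block below is an added example, not firmware code or a TippingPoint filter: it mirrors that bug class in Python beside the correct comparison, and shows the kind of header check an IPS signature would apply. Credentials, realm and nonce are constructed.

```python
import hashlib
import hmac
import re


def digest_response(username, realm, password, method, uri, nonce):
    """HTTP Digest (RFC 2617, no qop) response value the server expects."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def vulnerable_compare(expected, supplied):
    """Mirror of strncmp(expected, supplied, strlen(supplied)): the attacker
    chooses how many characters are compared. An empty response compares
    zero characters and always matches; a one-character response is a
    1-in-16 guess."""
    n = len(supplied)
    return expected[:n] == supplied[:n]


def hardened_compare(expected, supplied):
    """Full-length, constant-time comparison of the whole digest."""
    return hmac.compare_digest(expected, supplied)


_RESPONSE = re.compile(r'\bresponse="([0-9a-fA-F]*)"')


def null_digest_response(authorization_header):
    """Detection: flag a Digest Authorization header whose response is empty
    or shorter than a full MD5 hex digest (32 characters)."""
    m = _RESPONSE.search(authorization_header)
    return m is not None and len(m.group(1)) < 32


# Constructed credentials and headers for the demonstration.
REALM = "Digest:0123456789ABCDEF"
EXPECTED = digest_response("admin", REALM, "S3cret!", "GET", "/index.htm", "abc123")
LEGIT_HEADER = (f'Digest username="admin", realm="{REALM}", nonce="abc123", '
                f'uri="/index.htm", response="{EXPECTED}"')
ATTACK_HEADER = (f'Digest username="admin", realm="{REALM}", nonce="abc123", '
                 f'uri="/index.htm", response=""')

if __name__ == "__main__":
    print("vulnerable check accepts empty response:", vulnerable_compare(EXPECTED, ""))
    print("hardened check accepts empty response:  ", hardened_compare(EXPECTED, ""))
    print("attack header flagged:", null_digest_response(ATTACK_HEADER))
```

Note that `hmac.compare_digest` fixes two things at once: the compared length is the expected digest's, not the attacker's, and the comparison does not leak how many leading characters matched.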

Microsoft Update

This week’s Digital Vaccine (DV) package includes coverage for Microsoft updates released on or before May 9, 2017. Microsoft released patches for 55 new CVEs in Internet Explorer, Edge, Office, Windows, and .NET Framework. A total of 14 of these CVEs are rated Critical while the rest are rated Important in severity. The following table maps Digital Vaccine filters to the Microsoft updates. Filters marked with an (*) shipped prior to this DV package, providing zero-day protection for our customers. You can get more detailed information on this month’s security updates from Dustin Childs’ May 2017 Security Update Review:

CVE #            Digital Vaccine Filter #   Status
CVE-2017-0064                               Insufficient Vendor Information
CVE-2017-0077    28112
CVE-2017-0171                               Insufficient Vendor Information
CVE-2017-0175    28183
CVE-2017-0190                               Insufficient Vendor Information
CVE-2017-0212                               Insufficient Vendor Information
CVE-2017-0213    28184
CVE-2017-0214    28189
CVE-2017-0220    28198
CVE-2017-0221    28114
CVE-2017-0222                               Insufficient Vendor Information
CVE-2017-0224                               Insufficient Vendor Information
CVE-2017-0226                               Insufficient Vendor Information
CVE-2017-0227    28130
CVE-2017-0228    *27538
CVE-2017-0229                               Insufficient Vendor Information
CVE-2017-0230                               Insufficient Vendor Information
CVE-2017-0231                               Insufficient Vendor Information
CVE-2017-0233                               Insufficient Vendor Information
CVE-2017-0234    *27532
CVE-2017-0235                               Insufficient Vendor Information
CVE-2017-0236    *27536
CVE-2017-0238    *27540
CVE-2017-0240    *27541, *27542
CVE-2017-0241                               Insufficient Vendor Information
CVE-2017-0242                               Insufficient Vendor Information
CVE-2017-0243    28192
CVE-2017-0244                               Insufficient Vendor Information
CVE-2017-0245    28185
CVE-2017-0246    28111
CVE-2017-0248                               Insufficient Vendor Information
CVE-2017-0254                               Insufficient Vendor Information
CVE-2017-0255                               Insufficient Vendor Information
CVE-2017-0258    28199
CVE-2017-0259    28200
CVE-2017-0261                               Insufficient Vendor Information
CVE-2017-0262                               Insufficient Vendor Information
CVE-2017-0263    28186
CVE-2017-0264                               Insufficient Vendor Information
CVE-2017-0265                               Insufficient Vendor Information
CVE-2017-0266    28193
CVE-2017-0267                               Insufficient Vendor Information
CVE-2017-0268                               Insufficient Vendor Information
CVE-2017-0269                               Insufficient Vendor Information
CVE-2017-0270                               Insufficient Vendor Information
CVE-2017-0271                               Insufficient Vendor Information
CVE-2017-0272                               Insufficient Vendor Information
CVE-2017-0273                               Insufficient Vendor Information
CVE-2017-0274                               Insufficient Vendor Information
CVE-2017-0275                               Insufficient Vendor Information
CVE-2017-0276                               Insufficient Vendor Information
CVE-2017-0277                               Insufficient Vendor Information
CVE-2017-0278                               Insufficient Vendor Information
CVE-2017-0279                               Insufficient Vendor Information
CVE-2017-0280                               Insufficient Vendor Information
CVE-2017-0281                               Insufficient Vendor Information

 

Zero-Day Filters

There are 14 new zero-day filters covering three vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.

Adobe (5)

  • 28094: ZDI-CAN-4564: Zero Day Initiative Vulnerability (Adobe Flash)
  • 28099: ZDI-CAN-4565: Zero Day Initiative Vulnerability (Adobe Flash)
  • 28100: ZDI-CAN-4566: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28101: ZDI-CAN-4567: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28202: ZDI-CAN-4715, 4716: Zero Day Initiative Vulnerability (Adobe Reader DC) 

EMC (6)

  • 28102: ZDI-CAN-4694: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)
  • 28103: ZDI-CAN-4695: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)
  • 28104: ZDI-CAN-4696: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)
  • 28105: ZDI-CAN-4698: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)
  • 28106: ZDI-CAN-4699: Zero Day Initiative Vulnerability (EMC Data Protection Advisor)
  • 28107: ZDI-CAN-4710: Zero Day Initiative Vulnerability (EMC AppSync) 

NetGain (3)

  • 28108: ZDI-CAN-4749: Zero Day Initiative Vulnerability (NetGain Enterprise Manager)
  • 28109: ZDI-CAN-4750: Zero Day Initiative Vulnerability (NetGain Enterprise Manager)
  • 28110: ZDI-CAN-4751: Zero Day Initiative Vulnerability (NetGain Enterprise Manager) 

Updated Existing Zero-Day Filters

This section highlights specific filter(s) of interest in this week’s Digital Vaccine package that have been updated as a result of a vendor either issuing a patch for a vulnerability found via the Zero Day Initiative or a vulnerability that has been published by the Zero Day Initiative in accordance with its Disclosure Policy.

Three of the filters we have for this month’s Microsoft bulletins are a direct result of the Zero Day Initiative’s Pwn2Own contest held in March. These filters have been updated to reflect the fact that the vulnerabilities have been patched:

  • 27532: HTTP: Microsoft Edge Chakra JIT Array Memory Corruption Vulnerability (Pwn2Own)
  • 27538: HTTP: Microsoft Edge Chakra Array Splice Use-After-Free Vulnerability (Pwn2Own)
  • 27540: HTTP: Microsoft Edge Chakra Array Unshift Buffer Overflow Vulnerability (Pwn2Own) 

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.


WannaCry & The Reality Of Patching


[Editor's note: For the latest WannaCry information as it relates to Trend Micro products, please read this support article.]

The WannaCry ransomware variant of 12-May-2017 has been engineered to take advantage of the most common security challenges facing large organizations today. Starting from one infected system, this variant uses a recent vulnerability (CVE-2017-0144/MS17-010) to spread unchecked through weaker internal networks, wreaking havoc in large organizations.

The gut reaction from those on the sidelines was–understandably–“Why haven’t they patched their systems?” Like most issues in the digital world, it’s just not that simple. While it’s easy to blame the victims, this ransomware campaign really highlights the fundamental challenges facing defenders.

The cause isn’t the latest zero-day (a patch for MS17-010 was available 59 days before the attack) or a persistent attacker. One of the biggest challenges facing the security community today is effectively communicating cybersecurity within the larger context of the business.

Patch…Now

A common refrain in the security community is that patching is your first line of defence. Despite this, it’s not uncommon for it to take 100 days or more for organizations to deploy a patch. Why?

It’s complicated. But the reason can be boiled down roughly to the fact that IT is critical to the business. Interruptions are frustrating and costly.

From the user’s perspective, there is a growing frustration with the dreaded “Configuring updates. 25% complete. Do not turn off your computer” screen. The constant barrage of updates is tiring and gets in the way of work. Making matters worse is the unpredictable nature of application behaviour post-patch.

About 10 years ago, “best practices” formed around extensive testing of patches before deploying them. At this time, the primary motivator was patch quality. It wasn’t uncommon for a patch to crash a system. Today, patches occasionally cause these types of issues but they’re the exception not the rule.

The biggest challenge now is custom and third-party applications that don’t follow recommended coding practices. These applications might rely on undocumented features, unique behaviours, or shortcuts that aren’t officially supported. Patches can change the landscape, rendering critical business applications unusable until they too can be patched.

This cycle is why most businesses stick to traditional practices of testing patches, which significantly delays their deployment. Investing in automated testing to reduce deployment time is expensive and a difficult cost to justify given the long list of areas that need attention within the IT infrastructure.

This unrelenting river of patches makes it difficult for organizations to truly evaluate the risks and challenges of deploying critical security patches.

Legacy Weight

The argument around patching assumes—of course—that a patch is actually available to resolve the issue. That is the zero-day scenario. While the threat of zero-days is real, long patch cycles mean the 30-day, 180-day, and the forever-day are far more likely to be used in an attack. The Verizon Data Breach Investigations Report consistently highlights how many organizations are breached using exploits of patchable vulnerabilities.

The WannaCry campaign used a vulnerability that was publicly known for 59 days. Unfortunately, we’ll continue to see this vulnerability exploited for weeks—if not months—to come.

Making matters worse, MS17-010 was originally patched only on supported platforms. Microsoft has since reversed that position and issued a patch for all affected platforms (kudos to them for making that call). While it’s logical only to provide patches for supported platforms, the reality is the “supported” number is far different than the “deployed” number.

We know that Windows XP, Windows Server 2003, and Windows 8 continue to live on – by some reports accounting for 11.6% of Windows desktops and 17.9% of Windows servers. That’s a lot of vulnerable systems that need to be protected.

While there are third-party security solutions (some from Trend Micro) that can help address the issue, these legacy systems are a weight on forward progress. As a system ages, it’s harder to maintain and poses a greater risk to the organization.

Malware, like the 12-May-2017 WannaCry variant, takes advantage of this fact to maximize the success of the attack…and the attackers’ potential profits.

Security teams need to help the rest of the IT organization explain the need to invest in updating legacy infrastructure. It’s a hard argument to make successfully. After all, the business processes have adapted to these systems and, from a workflow perspective, they are reliable.

The challenge is quantifying the risk they pose (maintenance and security-wise) or at least putting this risk in the proper perspective in order to make an informed business decision.

Critical…For Real

All too frequently, vulnerabilities are flagged as critical. 637 and counting so far in 2017, which is a faster pace than the 1,057 reported in 2016 (and these numbers are only for remotely exploitable vulnerabilities!). Your organization is not going to be impacted by all of these, but it’s fair to say that you’ll face a decision about a critical vulnerability once a month.

To make the decision to disrupt the business, you’re going to have to evaluate that impact. This is where organizations tend to falter. It’s extremely difficult to boil the decision down to numbers.

In theory, you should take the cost of downtime (when deploying the patch) and compare it to the cost of a breach. Ponemon and IBM put the cost of a data breach in 2016 at an average of $4 million USD (4% of worldwide turnover for EU companies). This means that you should always patch unless the downtime cost is more than $4 million.

Except that this doesn’t factor in the probability of that breach happening or the cost of using a security control to mitigate the issue. This is where it gets really complicated and highly individualized.

The debate on how to properly evaluate this decision rages on in the IT community, but specific to WannaCry, the equation was actually pretty straightforward.

Microsoft issued MS17-010 in March, 2017 and flagged it as critical. A month later, there was a very high profile and very public data dump that contained an easy to understand and execute exploit for the vulnerabilities patched by MS17-010. At this point, the security team can guarantee that their organization will see attacks taking advantage of this vulnerability.

That puts the probability of attack at 100 percent. So unless it’s going to cost $4 million to patch your systems, the patch should be rolled out immediately.

Mitigation

Un-patchable systems still need to be protected. With WannaCry, all affected systems are patchable now—again, thanks to a generous move by Microsoft. With other malware threats, that’s typically not the case.

This is where mitigations come into play. These mitigations also buy time for patches to be deployed.

WannaCry is a solid example of a new variant that caused significant damage before traditional anti-malware scanning could be updated to catch it. This is where machine learning models and behavioural analysis running on the endpoint are critical.

These techniques provide continuous and immediate protection for new threats. In the case of WannaCry, systems with this type of endpoint protection were not impacted. After deeper analysis by the security community, traditional controls were able to detect and prevent the latest variant of WannaCry from taking root.

When in place, strong network controls (like intrusion prevention) were able to block WannaCry from spreading indiscriminately throughout corporate networks. This is another argument for microsegmentation within the network.
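One way to see the lateral SMB fan-out that such network controls are meant to stop, as an added example that is not part of the original post: a small Python detector that reads constructed firewall log lines (the log format, IP addresses and thresholds are assumptions, not anything from a real product) and flags any internal host that attempts TCP 139/445 connections to many distinct hosts within a short window, the behaviour of a worm sweeping the LAN rather than a user talking to one file server.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed (constructed) firewall log format, one event per line:
#   <ISO-8601 timestamp> <ALLOW|DENY> <src_ip> -> <dst_ip>:<dst_port>/<TCP|UDP>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)/(?P<proto>TCP|UDP)$"
)
SMB_PORTS = {139, 445}  # NetBIOS session and direct-hosted SMB: the ports WannaCry spreads over


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "proto": m["proto"],
    }


def smb_fanout(lines, window_seconds=60, threshold=10):
    """Return {src_ip: distinct_targets} for every source that tried TCP 139/445
    against at least `threshold` distinct hosts inside some window of
    `window_seconds`.  Both ALLOW and DENY events count: a blocked attempt is
    still evidence that the source is sweeping the network for SMB listeners.
    """
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # src_ip -> [(timestamp, dst_ip), ...]
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proto"] != "TCP" or ev["port"] not in SMB_PORTS:
            continue
        events[ev["src"]].append((ev["ts"], ev["dst"]))

    alerts = {}
    for src, evs in events.items():
        evs.sort()  # chronological order
        left, best = 0, 0
        for right in range(len(evs)):
            # slide the left edge forward until the span fits inside the window
            while evs[right][0] - evs[left][0] > window:
                left += 1
            distinct = len({dst for _, dst in evs[left:right + 1]})
            best = max(best, distinct)
        if best >= threshold:
            alerts[src] = best
    return alerts


def build_sample_log():
    """Constructed sample log (not real traffic): one worm-like host, one
    legitimate file-server user, a slow browser of shares, and noise."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # 10.0.1.50 touches 12 different hosts on 445 within 24 seconds; some are denied
    for i in range(12):
        action = "DENY" if i % 3 == 0 else "ALLOW"
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} {action} 10.0.1.50 -> 10.0.2.{i + 1}:445/TCP")
    # 10.0.1.7 opens 20 connections, all to the same file server: normal use
    for i in range(20):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} ALLOW 10.0.1.7 -> 10.0.5.10:445/TCP")
    # 10.0.1.8 reaches three different hosts, but spread across an hour
    for i in range(3):
        ts = (base + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"{ts} ALLOW 10.0.1.8 -> 10.0.3.{i + 1}:445/TCP")
    # non-SMB traffic and a malformed line, both ignored by the detector
    lines.append(f"{base.isoformat()} ALLOW 10.0.1.9 -> 198.51.100.7:443/TCP")
    lines.append("firewall restarted")
    return lines


if __name__ == "__main__":
    for src, n in smb_fanout(build_sample_log()).items():
        print(f"possible SMB worm: {src} contacted {n} distinct hosts on 139/445 within 60s")
```

With real flow or firewall logs the thresholds need tuning per segment, since backup servers and vulnerability scanners legitimately fan out over SMB; an allow-list for those hosts is the usual first refinement.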

Finally, phishing emails continue to be the most effective method of malware distribution—even though it might not be the case with WannaCry. 79 percent of all ransomware attacks in 2016 started via phishing. Aggressively scanning emails for threats and implementing strong web gateways are a must.

Protecting Against The Next Threat

WannaCry is a fast moving threat that’s had a significant real-world impact. In the process, it’s exposed fundamental challenges of real-world cybersecurity.

Patching is a critical issue and it needs the entire IT organization working with the rest of the business to be effective. Year after year, the majority of attacks take advantage of patchable vulnerabilities. This means that most cyberattacks are currently preventable.

Rapid patching combined with reasonable security controls for mitigating new and existing threats are the one-two punch your organization needs to reduce its risk of operating in the digital world.

While the problem and solutions are technical in nature, getting the work done starts with communications. There’s no better time to start than now.

What do you think about legacy systems and patching? How are you tackling these issues in your organizations? Let me know on Twitter, where I’m @marknca.

[Editor's note: Again, for the latest WannaCry information as it relates to Trend Micro products, please read this support article.]

WannaCry and the Executive Order


Last week, The White House released its long-awaited Executive Order (EO), Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, ironically enough during the same week we experienced the largest single ransomware attack that, by some estimates, has affected more than 200,000 victims across 150 countries. My intention was to highlight the EO in this blog on Friday and discuss some of its merits while also discussing its inadequacies, specifically its inability to address the growing capability of cybercriminal undergrounds and the criminals that prowl within them. This attack alone has done this in just 48 hours with greater impact than a thousand blogs could ever do.

On the heels of so much visible activity and discussion around cyber espionage and cyber propaganda from Pawn Storm and their political impact, this new ransomware attack highlights the single largest threat to global cybersecurity—transnational cyber criminals. The monetization of traditional data breaches has taken a backseat to lucrative online extortion campaigns. Ransomware attacks by their very nature are designed around speed and impact. Cybercriminals are able to monetize their attacks in hours and days. This attack was taken to the next level on a global scale by using a public vulnerability (MS17-010) and the “EternalBlue” exploit coupled with the incredibly large number of unpatched and end-of-life Windows OSs around the world. While most in our industry, and rightfully so, will focus on the symptoms, specifically the critical need for sound vulnerability management, good cyber-hygiene and the problems of nation-state exploits, the real focus needs to address the cancer represented by the numbers of transnational cybercriminals operating in virtual and physical safe havens globally.

When you look at this attack through the lens of this EO there are some promising mandates that will help the federal government properly assess their departments’ and agencies’ cyber risk, and more importantly, tie the responsibility and budget to manage these risks to secretaries and directors. Federal CISOs have made and will continue to make progress to improve their cybersecurity profile, but only if they are given the needed resources. And therein lies the question: will Federal CISOs, or any CISO for that matter, ever be provided enough resources to meet the changing threat landscape? This brings me to my biggest problem with the EO—it only addresses the symptoms. The EO fails to adequately address the incredible power of collaboration. Cybercriminals working in the Russian underground have scaled trust to a level made evident by these attacks. Over the last 17 years they have created a marketplace where cybercriminals of varying degrees of skill have come together to plan, attack and monetize public and private organizations, while we are still challenged to leverage trust to protect ourselves at a very basic level.

However, there is good news around this event. Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) have been working overtime with their members and partners in the security industry to provide actionable intelligence. I’d like to specifically congratulate HITRUST for getting the word out to U.S. healthcare early, in identifying and sharing indicators but also in gauging impact. This collaboration enables us to leverage our resources to not only protect our customers directly but also helps us collectively impact the protection of entire sectors.

Until such time that we can address the global risk posed by transnational cybercriminals with a holistic approach to eliminate their freedom of movement and their ability to monetize attacks, we will continue to face these types of scenarios. In the meantime we can continue to work together on building the needed trust through events like these to ultimately improve our collective defense.

[Editor's note: For the latest WannaCry information as it relates to Trend Micro products, please read this support article.]

Why “Just Patch It!” Isn’t as Easy as You Think


At the Zero Day Initiative (ZDI), we see patches in a way few do. We get the initial report from a researcher, we verify the issue internally, we notify the vendor, and finally we publish some details once a patch is released. Those patches represent the best method for preventing cyber attacks. Recently, an issue patched by Microsoft in March 2017 was used by malware, known as Wanna, Wannacry, or Wcry, to infect systems globally with ransomware.

How could something fixed for more than 60 days wreak so much havoc around the globe? Why can’t people simply patch? Sometimes patching isn’t as easy as it sounds – especially for enterprises.

Step 1: Prepare for the patch 

To establish a complete patching strategy, organizations need to identify the assets they own. This task is usually more difficult than it sounds. Enterprises have the choice of using a mixture of Open Source Software (OSS) or commercial tools to identify and catalog all the systems and devices on their network. Even if the software they use is free, implementing the solution has costs. Once an enterprise determines what needs to be protected, they must then create and document a process to update these devices. This includes updates for not just workstations and servers, but networking devices such as routers and switches. Decisions need to be made.

Will an automated system be used or will an administrator need to physically touch a machine? Since security patches often need a system reboot, or another type of workflow disruption, at what time will the patches be applied? Documenting the patching strategy ensures uniformity and consistency of patching throughout the enterprise.

Step 2: Find the patch 

Now all you need to do is find some patches. Having a robust strategy is somewhat pointless if those in charge are not subscribed to the appropriate email lists, RSS feeds, Twitter accounts, and other methods used by vendors to announce the release of a new patch. Some vendors communicate more robustly than others. Once you find the patch, you must determine how to install it. Small enterprises may consider doing this manually. However, any enterprise with more than a handful of machines should invest in automated tools. Similar to tools intended to identify assets, there are many choices of varying costs. Still, the cost of manual installation far outweighs the cost of an automated system.

Step 3: Test the patch 

There is just one final step an enterprise should consider before deploying any patch: testing. Repairing and restoring systems affected by a faulty patch is both disruptive and costly. To prevent this, there are various forms of testing. If resources exist, the minimum amount of testing should involve applying the patch to a similar system in a non-production environment to make sure business functions continue after the patch is installed.

Step 4: Patch! 

Once you identify your assets, document your processes, find your relevant patches, institute automated patch deployment, and test the patch – congratulations! You may now install that patch!

Beyond the complexity of patching in the enterprise, there’s also a psychological barrier with patching that many people need to overcome. Simply put, people are afraid of security patches for several reasons.

  • Security patches intended to close holes end up breaking other software, or even leaving the entire system unusable
  • Alternatively, there are times when the patch does not address the root problem
  • Some vendors have chosen to include additional software or features not wanted by users – like changing the default browser with an unrelated instant messenger patch
  • Perhaps the worst-case scenario, there have been security patches that ended up introducing additional security vulnerabilities

While the industry as a whole has improved over the years, problems – including historic fears – remain.

The vulnerability used in Wcry was listed in a dump of tools purportedly used by the NSA alongside something called EwokFrenzy. We knew EwokFrenzy in the ZDI program as ZDI-07-011 – it came through 10 years prior. Does that imply the exploit was still effective 10 years after the vendor released a patch? That does seem likely. It’s also the latest data point in more than two decades of imploring regular patching and strong backup policies.

It isn’t easy. It isn’t simple. It often isn’t cheap. But the potential cost (both financially and to the organization’s reputation) of leaving vulnerabilities unpatched far outweighs the cost of patching. Recovery after attacks is harder, more complex, and more expensive – it’s time we admit patches matter.

Ransomware: What Are the Bad Guys After and How Do I Stop Them?

Recently, brand new open source ransomware samples were discovered that demonstrate specific characteristics showing that the enterprise community is more of a target than ever.

If the past few days of WannaCry ransomware activity have taught us anything it’s that cybercriminals pose a clear and present danger to organizations and their customers all over the world. But have you ever wondered exactly what the bad guys are after when they launch their online attacks at your own PC or mobile device?

New Trend Micro stats reveal that ransomware cuts across a broad sweep of personal, financial and work-related files.

The bad news is that such attacks could have a major impact on your life, both financially and emotionally.

A great deal at risk

Even before the global WannaCry attacks, ransomware was on the rise. In fact, Trend Micro recorded a massive 752 percent increase last year in new varieties of the malware. Ransomware attacks typically involve the bad guys infecting your machine with malware which effectively locks you out. They’ll usually promise to offer a virtual “key” so you can get back into your machine and read that data – at a price. But if you refuse, and you haven’t backed up that data, it could be gone forever.

So what’s at risk? Our recent survey of US households revealed that 24 percent lost photos as the result of an attack, while 18 percent lost videos. It’s not hard to see that the bad guys are betting on this. They want to threaten your most precious digital memories, so you pay for the ransomware key to regain access to them.

Yet that’s not all. One in five respondents said they also lost access to their work documents, while 19 percent claimed their Word docs had been encrypted and were unreadable. Suddenly this personal data loss dilemma has become a major work-related issue. The cybercriminals have just raised the stakes to force a ransom payment, knowing some employers are less tolerant than others. Are you prepared to gamble your job over a ransomware infection?

The bigger picture

The good news is that the majority of households we spoke to (58 percent) didn’t permanently lose any data. Presumably they followed best practice and had backups to restore from, or else found a security vendor to help them make their data readable again. But that still leaves a large number who lost valuable personal and/or work-related data.

We should also remember that this is just one type of cyber attack. Cybercriminals are fond of ransomware because it’s a quick and easy way for them to make money. But it’s not the only way, by any means. You could also be at risk from data thieves looking to steal rather than encrypt your personal and financial data. Why? Because it can fetch a tidy sum on the cyber black market, where scammers purchase and then use it to commit identity and other fraud.

These attacks can also have a long-term impact on victims. Even if the money you lose as a result is reimbursed by your bank, the incident could affect your credit rating, impairing your ability to get loans and new credit cards, and even result in letters from lawyers and debt collectors for debts that aren’t yours.

What should I do next?

That’s why it’s so important to ensure your PC and mobile devices are always secure and up-to-date, and that you regularly back up any valuable data. Here are a few best practice tips to keep you safe:

  • Never click on a link or open an attachment in an unsolicited email/text/social media message
  • Back up your data regularly, according to the 3-2-1 rule
  • Always install the latest vendor patches/updates for your software and OS
  • Use two-factor authentication if possible on your online accounts
  • Seek out a reputable provider to secure your PC and devices with:
      • Anti-malware
      • Anti-ransomware
      • Protection from email scams/phishing
      • Social media privacy tools
      • Password protection/password manager

Protecting Your Small Business From WannaCry


May 12, 2017 saw the world’s first ever worm-based ransomware attack, WannaCry. Typically ransomware spreads via email as spam and phishing attacks, and relies on human intervention to initiate the infection. However, WannaCry is different in that it combines ransomware with a recently published vulnerability that was stolen from the NSA by The Shadow Brokers crime organization, which means that the WannaCry ransomware is able to infect and spread without any human intervention. In a matter of hours, WannaCry spread to Internet-connected computers in more than 150 countries, infecting tens of thousands of computers that were unpatched and exposed to the Internet.

As a small business owner, you may think you have nothing to worry about since all the media coverage has highlighted large companies like FedEx, Telefonica and the National Health Service (NHS). Unfortunately, this threat, like many others, doesn’t discriminate based on company size, and you need to worry just as much as every other organization out there if you are connected to the Internet.

So what can you do to protect yourself? Before I dive in to that, here are a few key things to remember:

  • WannaCry only infects Windows devices; it cannot infect Mac, iOS, or Android devices.
  • WannaCry only works on versions of Windows prior to Windows 10 and Windows Server 2012 (which means Windows XP, Vista, 7, 8, 8.1, 2003, and 2008 are vulnerable).
  • Microsoft has already released patches for vulnerable versions, including Windows XP and Windows 2003, which they stopped patching in 2014.
  • WannaCry currently only spreads via the network, not through email. This could change in the future; we expect it to as the threat continues to evolve.

Protecting Yourself and Your Business

There are a number of things you should be doing to protect your business against WannaCry and many other threats. If you don’t have the skills, there are many Value Added Resellers (VARs) and Managed Service Providers (MSPs) available in your area that have the expertise to assist.

Firewall

Every network connected to the Internet should have a firewall in place. This is a first line of defense that separates your organization from the wild west that is the Internet. Fortunately, firewalls are inexpensive, effective and widely available. It’s likely that the cable/DSL modem you received from your Internet service provider (ISP) has built-in firewall functionality already.

What should you check?

  1. Make sure you have a firewall installed.
  2. Make sure you are blocking inbound connections on TCP ports 139 and 445, as that’s how WannaCry spreads and enters your network.
  3. Make sure you are blocking all inbound ports that aren’t absolutely necessary. You may have to allow certain ports if you host your own email server, or some other type of server or application in your environment that needs to be accessible from outside the office.

Endpoint Protection

Every device on your network should have some type of protection in place, ideally a centrally managed solution purpose-built for small businesses. That way you can ensure that all your devices are protected in a consistent manner.

What should you check?

  1. Make sure you have an endpoint security product installed on every Windows, Mac, iOS, and Android device that connects to your network.
  2. Make sure your endpoint security product is not expired and has all the latest updates.
  3. Check with your endpoint security vendor and make sure you are following all the best practice configurations to maximize protection. If you are a Trend Micro Worry-Free customer, best practice configurations are available here.

Patching

All software needs updating from time to time to fix bugs that may have gone unnoticed when the software was initially released or to add enhancements to the products. It’s critical that you keep all your systems up to date with the latest patches, as oftentimes these patches include security updates.

What should you check?

  1. Make sure all of your devices are up to date with the latest patches.
  2. Make sure you have automatic patching enabled. This can be done in a number of ways, including centrally through Active Directory Group Policy, individually on each computer, or with a third-party patching tool. Information on how to set up automatic updates on Windows XP, Vista, 7, 8 and 8.1 can be found here.
  3. If you have Windows XP, Windows 8 or Windows 2003 machines, make sure you have the patches to protect against the vulnerability that enables WannaCry installed. Those patches are available from Microsoft.

Backups

As a general rule, you should always be backing up your data. You never know when a system will crash, a building will burn down, or a disgruntled employee will intentionally destroy data to harm you and your business. In addition to all of those concerns, you now have to worry about ransomware finding and encrypting all your data, rendering it inaccessible. Fortunately, a good backup plan (a 3-2-1 strategy is the generally accepted best practice) can help prevent or mitigate many of these potential risks.

What should you check?

  1. Make sure you have a backup solution in place. There are many solutions available on the market for backing up physical and virtual machines, so you have no excuse not to have a backup solution in place.
  2. Make sure your backups are actually working. Oftentimes backups stop working due to lack of space (the disk or tape has run out of space), program errors, or misconfigurations. Double-check that everything is working properly and your backups are current.
  3. Make sure you test-restore one of your backups to confirm the data isn’t corrupt. There’s nothing worse than suffering an incident that requires restoring from backup, only to find out your backup tapes/disks are empty or corrupt. You should occasionally spot check your backups and make sure they are working properly and can be restored when needed.

For more detailed information on WannaCry, or how you can protect yourself with Trend Micro solutions, please visit our information page for the latest updates.

TippingPoint Threat Intelligence and Zero-Day Coverage – Week of May 15, 2017


“Are you crying? ARE YOU CRYING? There’s no crying! THERE’S NO CRYING IN BASEBALL!” Those famous words from Jimmy Dugan (portrayed by Tom Hanks) in the 1992 movie A League of Their Own ring true in the world of baseball. Unfortunately, in the cyber security world, there has been some crying this week with the outbreak of WannaCry, which is being dubbed the biggest global ransomware attack to date. WannaCry is taking advantage of a recently disclosed Microsoft vulnerability (MS17-010 – “EternalBlue”) associated with the Shadow Brokers tools release, and news outlets are reporting that as many as 300,000 computers in 150 countries have been infected with the malware.

For customers using TippingPoint solutions, we have identified the following Digital Vaccine® (DV) filters that should help you protect against the exploits listed in the table below:

CVE #          Digital Vaccine Filter #  Category          Comments
CVE-2017-0143  27433                     Exploit           SMB: Server MID Type Confusion Vulnerability
CVE-2017-0144  27928                     Vulnerabilities   SMB: Remote Code Execution Vulnerability (EternalBlue)
CVE-2017-0145  27711                     Exploit           SMB: Server SMBv1 Buffer Overflow Vulnerability
CVE-2017-0146  27928, 27929              Vulnerabilities   SMB: Remote Code Execution Vulnerabilities (EternalChampion); SMB: Remote Code Execution Vulnerability (EternalBlue)
CVE-2017-0147  27929, 27937              Vulnerabilities   SMB: Remote Code Execution Vulnerability (EternalBlue); SMB: NT_TRANSACT_RENAME Information Disclosure Vulnerability (EternalSynergy)
               2176                      Security Policy   SMB: Null Session SetUp
               11403                     Security Policy   SMB: Suspicious SMB Fragmentation
               27935                     Exploit           SMB: DoublePulsar Backdoor
               5614                      Exploit           SMB: Malicious SMB Probe/Attack
               30623                     Virus (ThreatDV)  TLS: Suspicious SSL Certificate (DGA)


In addition to the DV coverage already provided by TippingPoint, customers who subscribe to our ThreatDV service received additional coverage for the WannaCry/WCRY ransomware vulnerability prior to the usual ThreatDV weekly distribution time. The following filters can be used to prevent the download of the binary files which are known to infect target machines with the ransomware:

  • 28304: TCP: Ransom_WCRY.I Download Attempt (Specific)
  • 28305: TCP: Ransom_WCRY.I Download Attempt (Generic)

For further information related to Trend Micro’s response to WannaCry and our recommendations as a whole, please visit https://success.trendmicro.com/solution/1117391.

For information on indicators showing interception or blocking of WannaCry, please visit https://success.trendmicro.com/solution/1117402-indicators-showing-interception-blocking-of-wcry-wannacry-ransomware.

While Everyone was Freaking Out with WannaCry…

Apple had a doozy of a month with their release of seven updates addressing 66 unique CVEs in macOS, iOS, watchOS, tvOS, iTunes for Windows, Safari, and iCloud for Windows. 35 percent of the CVEs were submitted to Apple via our Zero Day Initiative (ZDI) bug bounty program, with a number of them initially disclosed during our Pwn2Own contest held earlier this year.

For more information on these vulnerabilities, check out the ZDI blog here: https://www.zerodayinitiative.com/blog/2017/5/15/the-may-2017-apple-security-update-review.

Adobe Security Updates

This week’s Digital Vaccine (DV) package includes coverage for Adobe updates released on or before May 16, 2017. The following table maps Digital Vaccine filters to the Adobe updates. You can get more detailed information on this month’s security updates from Dustin Childs’ May 2017 Security Update Review:

| Bulletin # | CVE # | Digital Vaccine Filter # |
|---|---|---|
| APSB17-15 | CVE-2017-3068 | 28215 |
| APSB17-15 | CVE-2017-3069 | 28222 |
| APSB17-15 | CVE-2017-3070 | 28224 |
| APSB17-15 | CVE-2017-3071 | 28225 |
| APSB17-15 | CVE-2017-3072 | 28217 |
| APSB17-15 | CVE-2017-3073 | 27830 |
| APSB17-15 | CVE-2017-3074 | 27831 |

Zero-Day Filters

There are 12 new zero-day filters covering six vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendations, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.

Adobe (2)

  • 28216: ZDI-CAN-4568: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC)
  • 28218: ZDI-CAN-4562: Zero Day Initiative Vulnerability (Adobe Acrobat Pro DC) 

Apple (1)

  • 28288: ZDI-CAN-4711: Zero Day Initiative Vulnerability (Apple Safari) 

Dell (1)

  • 28230: ZDI-CAN-4754: Zero Day Initiative Vulnerability (Dell EMC VNX Monitoring and Reporting) 

Hewlett Packard Enterprise (2)

  • 28211: ZDI-CAN-4524,4563: Zero Day Initiative Vulnerability (HPE Operations Orchestration)
  • 28231: ZDI-CAN-4758: Zero Day Initiative Vulnerability (Hewlett Packard Enterprise Intelligent Management) 

Microsoft (3)

  • 28220: ZDI-CAN-4700: Zero Day Initiative Vulnerability (Microsoft Windows)
  • 28226: ZDI-CAN-4708: Zero Day Initiative Vulnerability (Microsoft Windows)
  • 28227: ZDI-CAN-4713: Zero Day Initiative Vulnerability (Microsoft Windows) 

Trend Micro (3)

  • 28118: HTTPS: Trend Micro SafeSync for Enterprise deviceTool.pm get_nic_device SQL Injection (ZDI-17-125)
  • 28228: ZDI-CAN-4744-4745: Zero Day Initiative Vulnerability (Trend Micro InterScan Messaging Security)
  • 28286: ZDI-CAN-4778: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise) 

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.

This Week in Security News


Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.

Below you’ll find a quick recap of topics followed by links to news articles and/or our blog posts providing additional insight. Be sure to check back each Friday for highlights of the goings-on each week!


After WannaCry, UIWIX Ransomware and Monero-Mining Malware Follow Suit

WannaCry ransomware’s outbreak during the weekend was mitigated by having its kill switch domain registered. It was only a matter of time, however, for other cybercriminals to follow suit. Case in point: the emergence of UIWIX ransomware (detected by Trend Micro as RANSOM_UIWIX.A) and one notable Trojan our sensors detected. 

Apple Patch Update Fixes 66 CVEs

Security experts are urging Apple users to get patching after the firm released seven updates addressing 66 vulnerabilities in iOS, macOS and other products. Apple famously doesn’t say if any of the bugs it is fixing are being actively exploited in the wild, but “the consequences of not applying these updates could prove costly in the months to come,” according to TippingPoint’s Zero Day Initiative (ZDI), which found a third of the software flaws. 

Cybersecurity Rules Were Proposed for Hong Kong’s Securities Industry

The Hong Kong Securities and Futures Commission’s recent proposals on mitigating hacking risks in the securities industry are aimed at an upswing in cybersecurity incidents in internet trading systems in Hong Kong, technology attorneys told Bloomberg BNA. 

Hackers Claim to Have Stolen a Disney Movie for Ransom

Hackers claim to have stolen a Disney movie for a ransom – but the company is refusing to give in, according to CEO Bob Iger. Iger made the comments to ABC employees during a company meeting in New York, according to The Hollywood Reporter. The hackers told the company they will release the first five minutes of the movie and then in 20-minute segments if the media company does not pay the fee via bitcoin. 

New York’s Toughest Cybersecurity Regulations Are Now in Effect, Impacting Many Businesses

One of the harshest cybersecurity regulations to hit companies in the US recently went into effect in New York. The state regulator, the New York Department of Financial Services, introduced its Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500), a regulation designed to tighten cybersecurity practices across a wide selection of companies, which became effective on March 1, 2017. 

Boy Hacks Cybersecurity Audience to Demonstrate Possible Use of Toys as Weapons

An 11-year-old “cyber ninja” has stunned an audience of security experts by hacking into their Bluetooth devices to manipulate a robotic teddy bear, showing in the process how interconnected smart toys “can be weaponised”. Reuben Paul, who is in sixth grade at school in Austin, Texas, and his teddy bear Bob wowed hundreds at a cyber-security conference in the Netherlands. 

UK Government States Collaboration is Key to Cybersecurity Success

The UK government believes collaboration between the public and private sectors is critical to success in cybersecurity. Governments can lead the way, but they cannot deal with cyber threats alone, according to Mark Sayers, deputy director, cyber and government security directive, at the Home Office. 

US Department of Health and Human Services is Working on Cybersecurity Guidelines for Industry

The U.S. Department of Health and Human Services, taking a cue from Congress, has begun developing principles and best practices for cybersecurity in health care, officials said Tuesday.

“We had an information day … and we are kicking off next week,” said Julie Anne Chua, from the office of the department’s chief information officer.

Please add your thoughts in the comments below or follow me on Twitter: @JonLClay.


Challenges with Critical Infrastructure: IoT, Smart Cities Under Attack

Smart systems are under attack, and the organizations that run and support this technology must take the proper steps for protection.

Internet of Things technology is now more widespread than many people realize. Systems that fall under the IoT umbrella are popping up in an array of settings, even outside consumer circles. Today, every group from enterprise businesses to city governments is utilizing intelligent, internet- and Bluetooth-enabled devices to make a variety of critical capabilities possible.

Given this environment, the bullish predictions seen from certain industry authorities don't seem that far-fetched. According to The Motley Fool contributor Leo Sun, Cisco estimated that by 2020 a total of 50 billion devices would contribute to the IoT. Intel, on the other hand, took things a step further, predicting a 2020 IoT that will be 200 billion devices strong.

Now that these systems increasingly make up critical infrastructure in cities and businesses across the globe, the IoT is even more attractive to hackers. Smart systems are under attack, and the organizations that run and support this technology must take the proper steps for protection.

Shining a light on Shodan

Trend Micro researchers Numaan Huq, Stephen Hilt and Natasha Hellberg recently took an in-depth look at Shodan, a search engine that lists internet-connected devices, such as those included in the IoT. According to their findings, a large number of Shodan-featured devices are exposed thanks to poor configuration and other security concerns. In fact, researchers were able to pinpoint the cities in which the most exposed devices were situated. Here's a summary of what was discovered, and how the nation's biggest cities rank:

  • Houston has the most exposed webcams, with Chicago trailing by more than 1,500 devices.
  • Los Angeles took the top spot for exposed web servers, with Houston coming in second.
  • Surprisingly, smaller towns, including Lafayette, Louisiana, and St. Paul, Minnesota, were found to have the most exposed government cyber assets, beating out larger municipalities like Denver and the U.S. capital.

But this was only the beginning. Trend Micro's paper, "US Cities Exposed: Industries and ICS," showed that devices in the emergency services, utilities and education sector were open to attack as well. Overall, Houston and Lafayette had the most exposed emergency services devices. What's more, while there are a considerable number of exposed devices in the education industry across the board, Philadelphia had the most, with 65,000 endpoints exposed and vulnerable.

Cities now leverage more smart systems – but are exposed devices putting officials and residents at risk?

IoT and critical infrastructure overlap: The power of hacking

When critical infrastructure systems, like those used in emergency situations, are combined with technology, cities can reap a multitude of benefits. Connected systems are easier to use, and streamlined utilization can make a big difference when time is of the essence. When these systems aren't protected correctly, though, they could fall into the wrong hands and be used in a way that wasn't initially intended.

Hackers recently flexed their muscles in Dallas during the spring, showcasing what happens when IoT and critical infrastructure overlap with cybercriminal activity. The Guardian reported that late on a Friday night, Dallas residents were awoken by sirens sounding throughout the city. However, there was no situation that called for the use of emergency tones.

Attackers had hacked and taken control of the system, setting off the sirens at 11:42 pm. The system went through 15 90-second cycles before officials finally deactivated it at 1:17 am.

"We shut it down as quickly as we could, taking into consideration all of the precautions and protocols we had to take to make sure that we were not compromising our 156-siren system," Rocky Vaz, Dallas' head of emergency management, said.

Officials did not elaborate on the process attackers used to hack the system, but believed the incident originated with cybercriminals within the city. While no one was hurt during the incident, the case does show the ways in which a critical technological system can be put at risk. Not only did residents have to deal with a panic-inducing emergency tone for an extended period of time, but city resources were also tied up trying to deal with the attack – local emergency operators experienced 4,400 calls about the sirens, including 800 calls within 15 minutes at around midnight.

Botnet hacks, takes control of IoT devices in widespread attack

A group of rogue hackers taking over a city's siren system pales in comparison with this next incident. In late 2016, reports began to surface about the Mirai botnet, a considerably powerful malware strain able to infect IoT devices and then use them to launch subsequent attacks.

Security expert Brian Krebs reported in November 2016 that Mirai had successfully taken control of, and was leveraging, poorly secured IoT devices, including inherently underprotected internet routers and IP cameras. In fact, Mirai became so powerful that Krebs' own website was taken offline that fall by a 620 Gbps Mirai botnet attack.

"When systems aren't protected correctly, they could be used in a way that wasn't intended."

Not long after, reports began to surface about Mirai attacks taking place in Liberia, with malicious activity centering around the nation's telecommunications infrastructure.

"From monitoring we can see websites hosted in country going offline during the attacks," wrote Kevin Beaumont, an England-based security architect, according to Krebs. "Additionally, a source in country at a Telco has confirmed to a journalist they are seeing intermittent internet connectivity, at times which directly match the attack. The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state."

Several other outlets began to cover the story – including The Hacker News, the BBC and ZDNet. However, Krebs, unconvinced that Mirai could take out an entire nation's telecommunications infrastructure, dug a little deeper. Sources confirmed that the hackers behind Mirai had used the botnet for a 500 Gbps attack against a mobile service provider in Liberia, but the company had DDoS protection in place that was put into action not long after the attack began.

While Liberia did not experience a nationwide outage, the Mirai botnet and this incident do offer a few very important takeaways. Mirai demonstrates just what malicious actors armed with the right malware can do with insecure IoT devices – the botnet drew its attack power from the very devices it had infected. For this reason, it's imperative to properly safeguard every connected device, from large systems to individual endpoints.

Mirai also shows the potential for attacks on city- and state-level critical infrastructure. Attacks on systems like these are not unique, but they are growing in frequency and severity.

To find out more, check out Trend Micro's research, including "US Cities Exposed: A Shodan-Based Security Study on Exposed Assets in the US."

The Latest on WannaCry, UIWIX, EternalRocks and ShadowBrokers

Email isn't as safe as you think it is.

Ransomware has gained global attention over the course of the last two weeks due to the huge spread of WannaCry. Following the initial attacks, we’ve seen UIWIX, Adylkuzz and now EternalRocks come onto the scene leveraging the same core set of vulnerabilities.

The common thread between the three threats is MS17-010 along with other tools and vulnerabilities released by Shadow Brokers. These attacks are not only exploiting vulnerabilities in systems, but also taking advantage of fundamental struggles faced by all organizations with patch management and system upgrades. Let’s look at the impact and consider why these threats are occurring.

But first, here’s a quick look at the comparison between WannaCry, UIWIX and EternalRocks:

| | WannaCry | UIWIX | EternalRocks |
|---|---|---|---|
| Attack vectors | SMB vulnerabilities (MS17-010), TCP port 445 | SMB vulnerabilities (MS17-010), TCP port 445 | SMB vulnerabilities (MS17-010), five vulnerabilities and two tools, TCP port 445 |
| File type | Executable (EXE) | Dynamic-link Library (DLL) | Executable (EXE) |
| Appended extension | {original filename}.WNCRY | ._{unique id}.UIWIX | N/A |
| Autostart and persistence mechanisms | Registry | None | Scheduled Tasks |
| Anti-VM, VM check, or anti-sandbox routines | None | Checks presence of VM and sandbox-related files or folders | None |
| Network activity | On the internet, scans for random IP addresses to check if it has an open port 445 (propagation); connects to .onion site using Tor browser (C&C communication) | Uses mini-tor.dll to connect to .onion site (its C&C) to send encrypted information and gathered information (C&C communication) | On the internet, scans for random IP addresses to check if it has an open port 445 (propagation); connects to .onion site using Tor browser (C&C communication) |
| Exceptions (doesn’t execute if it detects certain system components) | None | Terminates itself if found running in Russia, Kazakhstan, and Belarus | N/A |
| Exclusions (directories or file types it doesn’t encrypt) | Avoids encrypting files in certain directories | Avoids encrypting files in two directories, and files with certain strings in their file name | N/A |
| Network scanning and propagation | Yes (worm-like propagation) | No | Yes (worm-like propagation) |
| Kill switch | Yes | No | N/A |
| Number of targeted file types | 176 | All files in the affected system except those in its exclusion list | N/A |
| Shadow copies deletion | Yes | No | N/A |
| Languages supported (ransom notes, payment site) | Multilingual (27) | English only | N/A |

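Two rows of the comparison above translate directly into defender-side checks: the worm-like propagation row (one host contacting many random addresses on TCP port 445) and the appended-extension row (`.WNCRY` for WannaCry, `._{unique id}.UIWIX` for UIWIX). The script below is an added example written for this post, not Trend Micro code or tooling. The connection-log line format, the sample traffic it builds, and the assumption that the UIWIX unique id is alphanumeric are all constructed for the illustration.

```python
"""Added example: SMB fan-out detection and ransomware file-name classification.

Both heuristics are derived from the WannaCry / UIWIX / EternalRocks comparison
table. The log format and sample data below are constructed for illustration.
"""
import re
from collections import defaultdict, deque

# Assumed (constructed) connection-log format:
#   "<HH:MM:SS> <src_ip> -> <dst_ip>:<dst_port> <proto>"
LINE_RE = re.compile(
    r"^(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})\s+(?P<src>\S+)\s+->\s+"
    r"(?P<dst>[^:\s]+):(?P<port>\d+)\s+(?P<proto>\w+)$"
)

# Appended-extension patterns from the table. The alphanumeric form of the
# UIWIX unique id is an assumption; the page only gives "._{unique id}.UIWIX".
WNCRY_RE = re.compile(r"\.WNCRY$", re.IGNORECASE)
UIWIX_RE = re.compile(r"\._[0-9A-Za-z]+\.UIWIX$", re.IGNORECASE)


def build_sample_log():
    """Constructed sample traffic: one worm-like host, one benign workstation,
    and one host touching only a handful of targets (below the default threshold)."""
    lines = [f"10:00:{i:02d} 10.0.0.5 -> 198.51.100.{i + 1}:445 tcp" for i in range(25)]
    lines += [f"10:00:{i:02d} 10.0.0.8 -> 10.0.0.20:445 tcp" for i in range(5)]
    lines += ["10:00:30 10.0.0.8 -> 203.0.113.7:80 tcp"]          # not SMB, ignored
    lines += [f"10:01:{i:02d} 10.0.0.9 -> 192.0.2.{i + 1}:445 tcp" for i in range(5)]
    return "\n".join(lines)


def smb_fanout_alerts(log_text, threshold=20, window_seconds=60):
    """Return {src_ip: max_distinct_destinations} for every source that reaches
    at least `threshold` distinct hosts on TCP/445 inside any sliding window of
    `window_seconds`. Repeated connections to the same file server do not count."""
    per_src = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "tcp" or m["port"] != "445":
            continue
        ts = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        per_src[m["src"]].append((ts, m["dst"]))

    alerts = {}
    for src, events in per_src.items():
        events.sort()
        window = deque()                 # (timestamp, dst) pairs inside the window
        live = defaultdict(int)          # dst -> number of events still in window
        best = 0
        for ts, dst in events:
            window.append((ts, dst))
            live[dst] += 1
            while window and ts - window[0][0] > window_seconds:
                _, old = window.popleft()
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
            best = max(best, len(live))
        if best >= threshold:
            alerts[src] = best
    return alerts


def classify_encrypted_name(filename):
    """Map a file name to the family whose appended extension it carries,
    or None if it matches neither pattern."""
    if WNCRY_RE.search(filename):
        return "WannaCry"
    if UIWIX_RE.search(filename):
        return "UIWIX"
    return None


if __name__ == "__main__":
    print("SMB fan-out alerts:", smb_fanout_alerts(build_sample_log()))
    for name in ("Q3_report.xlsx.WNCRY", "invoice.docx._a1b2c3.UIWIX", "notes.txt"):
        print(f"{name}: {classify_encrypted_name(name)}")
```

The fan-out check counts distinct destinations rather than raw connection attempts, so a workstation hammering a single file server stays quiet while a host sweeping random addresses trips the alert; tune `threshold` and `window_seconds` to the size of your network. The file-name classifier is only useful on endpoints with file-creation or rename telemetry, and it identifies the family after encryption has started, so it belongs alongside the network check, not in place of it.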

The impact

At last count, WannaCry alone had infected 230,000 users in some 150 countries. Given the massive spread and variety of these malware families, however, the payout so far has only been about $110,000. This demonstrates that the largest impact wasn’t financial, but physical. Organizations in some industries, including healthcare, were forced to shut down their systems to stop the malware propagating. This brings a digital threat into the physical world and gives real-world impact to these attacks.

EternalRocks, however, doesn’t drop any malicious payload. Despite leveraging five vulnerabilities and two reconnaissance tools, it leaves no malicious content behind. It does leverage the DoublePulsar exploit, which installs a backdoor into the infected system, likely for later use by the threat actors.

Why are they doing it?

When threat actors get into a system and don’t drop a malicious payload, it brings up the potential that they’re leaving behind something else in turn. It’s possible that the attackers are preparing the network for future use. It could also be a distraction while other vulnerabilities are being exploited while no one is watching.

The first line of defense for all of these threats is to patch your systems against all of the vulnerabilities disclosed by ShadowBrokers. Trend Micro offers a variety of solutions, support and tools to help organizations protect against and respond to these threats. Learn more about the latest threats and how to prepare on today’s webinar at 12 p.m. Central time.

WannaCry Highlights Major Security Shortcomings Ahead of GDPR D-Day


For all the panic it caused, WannaCry looks finally to have been contained by organisations round the globe. But this isn’t the time to forget about it and move on. There are valuable lessons to be learned about this attack, why it was so successful and what can be done to prevent it happening again. The unpalatable truth is that many of those organisations caught out by WannaCry earlier this month could face punitive fines if the same kind of thing happens again in a year’s time.

That’s right: the EU General Data Protection Regulation (GDPR) is coming, adding a whole new level of urgency to firms realising they need a major cybersecurity overhaul after WannaCry.

Data breach or ransomware?

On first look, there might not be anything obvious to link a ransomware attack to forthcoming European data protection laws. After all, those hit by WannaCry had all their data encrypted by attackers rather than stolen. However, a closer look at the GDPR tells us different.

Article 4.12 states:

“‘personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Customer data was most definitely accessed unlawfully and then lost, or arguably destroyed, once encrypted by the WannaCry hackers.

Similarly, Article 5.1 has this:

“Personal data shall be: processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”

What’s more, Article 32 states that data controllers or processors should take account of “the state of the art” to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.

It adds:

“In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.”

WannaCry was preventable

How did organisations get hit by WannaCry? By failing to patch a known Windows SMB vulnerability (CVE-2017-0144). This allowed attackers to drop a ransomware file on the affected system and encrypt corporate files with 176 extensions, including those used by Microsoft Office, databases, file archives, multimedia files, and various programming languages. Of course, among these files was the all-important customer data set to be regulated by the GDPR.

So what would this mean in the eyes of the regulators? First, that any firms handling customer data which were hit by WannaCry would have potentially been guilty of allowing “unauthorised or unlawful processing” of this regulated data. They also technically suffered a personal data breach, despite no data being stolen, by virtue of that data being lost or de facto destroyed in the ransomware attack.

More damning still, because an official Microsoft patch was available for weeks before the attack, the victim organisations could be said to have failed to take adequate security measures given the evident risks. Even virtual patching technologies exist to protect unpatched or unsupported systems.

Getting security right

Scores of NHS Trusts and countless other organisations were caught out by WannaCry. But if it had happened just over a year later, they could have been on the hook for non-compliance with GDPR principles. Those fines reach 4 percent of global annual turnover or €20m at the top end. They’d also have been forced to notify the ICO within 72 hours of a data breach, which in itself could cause a bigger fallout in terms of negative publicity and associated costs.

This month marks one year until GDPR’s implementation and the message is simple: best practice security protected organisations against WannaCry and it will help protect them against GDPR fall-out after May 25, 2018.

This Week in Security News


Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days.

Below you’ll find a quick recap of topics followed by links to news articles and/or our blog posts providing additional insight. Be sure to check back each Friday for highlights of the goings-on each week!


Following WannaCry, We’ve Detected UIWIX, Adylkuzz, and EternalRocks

Ransomware has gained global attention over the course of the last two weeks due to the huge spread of WannaCry. Following the initial attacks, we’ve seen UIWIX, Adylkuzz and now EternalRocks come onto the scene leveraging the same core set of vulnerabilities.

Attackers are Using LNK Files to Download Malware

PowerShell is a versatile command-line and shell scripting language from Microsoft that can integrate and interact with a wide array of technologies. It runs discreetly in the background, and can be used to obtain system information without an executable file. 

Bizarre New Cyberattack Lets Hackers Gain Control of Your TV through Subtitles

If you use a Kodi box to watch films and programs, you may want to steer away from any subtitled options. Security experts have warned of a new cyber-attack that is delivered when movie subtitles are loaded by the user’s media player. 

WannaCry Highlights Major Security Shortcomings Ahead of GDPR D-Day

For all the panic it caused, WannaCry looks finally to have been contained by organizations round the globe. But this isn’t the time to forget about it and move on. There are valuable lessons to be learned about this attack, why it was so successful and what can be done to prevent it from happening again. 

Crysis Ransomware Master Keys Released to the Public

The world has been rocked by WannaCry causing disruption and upheaval across core services and businesses alike over the past week, but there is good news for victims of Crysis with the release of 200 master keys to the public.

Firms Fret as China Implements New Cybersecurity Law

Just days before China’s new Cybersecurity Law goes into force, companies are grappling with rules that could tighten what is already one of the world’s most restricted technology regimes. Recent changes to the language of the law ahead of its June 1 implementation could drag in a wider array of services and products. 

64-Bit Malware Threat May Be Small Now, but It’s Only Set to Grow

The volume of 64-bit malware in the wild remains low even though computers running 64-bit operating systems became ubiquitous years ago. The vast majority (93 per cent) of new computers sold worldwide operate on 64-bit Windows but most nasties were written to infect 32-bit systems. 

The IoT and Smart Cities Are Under Attack

Internet of Things technology is now more widespread than many people realize. Today, every group from enterprise businesses to city governments is utilizing intelligent, internet- and Bluetooth-enabled devices to make a variety of critical capabilities possible.

Victims Called Hackers’ Bluff as Ransomware Deadline Neared

With the clock ticking on whether a global hacking attack would wipe out his data, Bolton Jiang had no intention of paying a 21st-century ransom. “Even if you do pay, you won’t necessarily be able to open the files that are hit,” he said. “There is no solution to it.”

Cybersecurity Careers Are More Desirable Than Ever

The FBI has seen a steady uptick in internet crime complaints since 2013, and cybersecurity is expected to be an even greater concern this year. And it isn’t limited to tech-fields – cybersecurity touches every industry. From major utilities to retail, a future in cybersecurity may be the right fit for you.

Please add your thoughts in the comments below or follow me on Twitter: @JonLClay.

TippingPoint Threat Intelligence and Zero-Day Coverage – Week of May 22, 2017


For those of you who follow the National Football League (NFL), do you remember Super Bowl 47? I wasn’t exactly thrilled about the teams that played since I’m not a 49ers or Ravens fan. What was interesting about the game is that it was halted for over half an hour in the third quarter because of a power outage, earning that game the nickname of “Blackout Bowl.” Although it was eventually ruled a power surge issue, there were many, including me, that thought there could have been foul play involved.

There is always potential for a cyberattack against our electrical grid and public safety computer systems – especially during the biggest game of the year!

We have placed an emphasis on threat intelligence for our customers’ supervisory control and data acquisition (SCADA) networks for over a decade. Earlier this week, the Zero Day Initiative (ZDI) presented a session on their extensive analysis of more than 250 security vulnerabilities in SCADA human machine interface (HMI) systems from 2015-2016 at the Positive Hack Days conference in Moscow. Their research efforts, which included vulnerabilities acquired through the ZDI bug bounty program, found that most of these vulnerabilities are in the areas of memory corruption, poor credential management, lack of authentication/authorization and insecure defaults, and code injection bugs, all of which are preventable through secure development practices.

ZDI has released the companion paper that provides the details of what was covered in their presentation. You can access the full report and read commentary from Brian Gorenc here: https://www.zerodayinitiative.com/blog/2017/5/19/hacker-machine-interface-the-state-of-scada-hmi-security.

Zero-Day Filters

There are 18 new zero-day filters covering three vendors in this week’s Digital Vaccine (DV) package. A number of existing filters in this week’s DV package were modified to update the filter description, update specific filter deployment recommendations, increase filter accuracy and/or optimize performance. You can browse the list of published advisories and upcoming advisories on the Zero Day Initiative website.

Foxit (1)

  • 28323: ZDI-CAN-4816: Zero Day Initiative Vulnerability (Foxit Reader) 

Hewlett Packard Enterprise (2)

  • 28287: ZDI-CAN-4759-4761: Zero Day Initiative Vulnerability (HPE Intelligent Management Center)
  • 28318: ZDI-CAN-4808-4809: Zero Day Initiative Vulnerability (HPE Intelligent Management) 

Trend Micro (15)

  • 28282: HTTPS: Trend Micro InterScan Web Security TestingADKerberos Command Injection (ZDI-17-217)
  • 28293: ZDI-CAN-4645,4649: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28295: ZDI-CAN-4648: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28296: ZDI-CAN-4657,4806: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28297: ZDI-CAN-4658: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28298: ZDI-CAN-4666: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28300: ZDI-CAN-4679: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28301: ZDI-CAN-4691: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28302: ZDI-CAN-4779: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28303: ZDI-CAN-4781: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28310: ZDI-CAN-4782-4783,4787: Zero Day Initiative Vulnerability (Trend Micro Mobile Security)
  • 28311: ZDI-CAN-4786: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28312: ZDI-CAN-4791: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)
  • 28313: ZDI-CAN-4792-4793,4796: Zero Day Initiative Vulnerability (Trend Micro Mobile Security)
  • 28317: ZDI-CAN-4794: Zero Day Initiative Vulnerability (Trend Micro Mobile Security for Enterprise)

Missed Last Week’s News?

Catch up on last week’s news in my weekly recap.
