Rapid 7 honeypots started seeing an increasing amount of traffic following the Shadow Brokers dump in mid-April culminating in giant spikes in May and June when WannaCry and NotPetya were launched.
Rapid 7 honeypots started seeing an increasing amount of traffic following the Shadow Brokers dump in mid-April culminating in giant spikes in May and June when WannaCry and NotPetya were launched.

If cybersecurity researchers had paid a bit more attention to the Shadow Brokers dump of alleged National Security Agency hacking tools back in April, the WannaCry and NotPetya attacks may have never happened, according to a new report.

That is the analysis put out by Rapid 7 in its 2017 Q2 Threat Report in which it noted that security analysts were initially thrilled to get their hands on these hacking tools, but after the researchers realized the tools were old and not obviously dangerous because they attacked known and patched vulnerabilities they moved on to other projects.

“Unfortunately, we were the only ones. Attackers did not move on; they realized that even though we thought we were safe against these non-zero-day, unexciting attacks, we were not,” the report stated.

In hindsight it might have been obvious that cybercriminals were up to something. Rapid 7 honeypots started seeing an increasing amount of traffic following the Shadow Brokers dump in mid-April culminating in giant spikes in May and June when WannaCry and NotPetya were launched.

Rapid 7 warned that EtneralBlue is not the only tool that can be used by criminals. The company specifically pointed to several that target Remote Desktop Protocol (RDP) and in fact the company has tracked what it calls an “alarming” increase in RDP traffic in late May, possibly based on the exploit, EsteemAudit. This has not developed into a full-fledged problem as Microsoft issued a patch for the end of life systems vulnerable to this tool.

The other main takeaway from all the activity that took place during the second quarter of the year is that even when the entire world becomes focused on one or two major attacks, the criminal underground is not so myopic and continues with its regularly scheduled attacks.

“During both outbreaks, we continued to see the same tempo of unrelated attacks, including phishing attacks, wire fraud attacks, and bot infections,” the report stated, adding, “Do not micro-focus on the specific IOCs related to a single event. Instead, look for the opportunities your enterprise is presenting to an attacker (i.e. unpatched vulnerabilities, misconfigurations, etc.), as well as behaviors that indicate not just the individual attack but similar attacks you may see.”

The top threat types per month were account privilege escalation, April; protocol poison, May; and account locked in June.

The company also noted that during the period small and large businesses experienced much different types of cyber problems with the former companies having to deal with external threats, while the latter firms had trouble caused by their employees.

“While threat categories such as malicious network and endpoint behaviors were very similar in large and small organizations, small organizations had a higher rate of remote entry threats, which include authentication from multiple countries and ingress from a disabled account, while large organizations had a much higher rate of dangerous user behavior, which includes visiting malicious websites, domains, or IP addresses,” the report stated.