In 2017 hackers weren’t slackers. The threats – and the attacks – kept coming in rapid fire. In a year drowning in threats, these newbies made their mark.
EternalBlue: Since 2016, the mysterious threat group known as The Shadow Brokers has been leaking a trove of cyber weapons apparently stolen from the NSA. Of these purloined hacking tools, perhaps none has been more damaging than EternalBlue, a remote code execution exploit that leverages SMB vulnerabilities in Windows operating systems. Microsoft scrambled to issue an emergency patch in March 2017, one month before The Shadow Brokers published the tool. But as always, users were slow to patch, setting the stage for some highly damaging attacks in the coming months that would reignite a long-running debate over the practice of intelligence agencies hoarding zero-day vulnerabilities.
WannaCry: On May 12, 2017, the world was stunned by an unprecedented global ransomware attack that infected more than 200,000 computers in 150-plus countries. The attack severely impacted the UK’s National Health Service operations, as well as FedEx, Spain’s Telefónica, Renault factories in France, a Chinese energy company and the Russian interior ministry. The malware, dubbed WanaCrypt0r 2.0 or WannaCry, spread rapidly among connected networks because it acted as a worm that self-propagated via the EternalBlue exploit. Fortunately, young British researcher Marcus Hutchins short-circuited the attack after stumbling upon a kill switch. The NSA and the security community at large have assessed with moderate confidence that North Korean hackers launched the attack.
NotPetya: One month after WannaCry, what appeared to be another EternalBlue-propelled “ransomware” attack ambushed businesses across the globe, infecting at least tens of thousands of systems, including many in the finance, oil and gas, and manufacturing industries. The malware’s extortion message was similar to that of the known ransomware Petya, but infosec analysts soon realized that this was not truly ransomware at all. Rather, it acted more like a business-disrupting disk wiper that overwrites an infected machine’s master boot record. Nicknamed NotPetya, the malware was initially spread when hackers compromised the update server of Ukrainian accounting software company MeDoc so that it would distribute the wiper. Because many Ukraine-based companies were affected, the prevailing theory is that the attack was sponsored by Russia. FedEx (again), U.S. pharmaceutical company Merck, and Dutch shipping company Maersk were among those significantly hit.
BadRabbit: A third major ransomware attack struck in October 2017, this time hitting several Russian news agencies including Interfax, as well as targets in Ukraine, including Kiev Metro, Odessa Airport, and the Ukrainian ministries of infrastructure and finance. There were also reports of infections in Turkey, Bulgaria and the U.S. The malware is linked to NotPetya, but analysts have classified it as its own distinct family. It was initially distributed via a fake Adobe Flash Player update that appeared when victims visited Russian news media sites that had previously been compromised as watering holes. But instead of using EternalBlue to propagate, BadRabbit leveraged a different SMB-based Microsoft vulnerability, EternalRomance.
Mirai/IoT Botnets: The destructive power of the Internet of Things was on full display in October 2016, when a mysterious attacker bombarded DNS service Dyn with a high-volume DDoS attack, fully disrupting the websites of many major clients, including Amazon, Twitter, and Netflix. The malicious traffic was sourced from IP cameras, DVRs and other connected devices that were compromised by Mirai, an IoT botnet malware whose source code had been publicly leaked by its author just weeks before. (Mirai emerged just a bit too late last year to make it into our 2016 Reboot issue.) In the months that followed, attackers began modifying the open-source malware to make it even more powerful. In May 2017, researchers warned of another IoT botnet, Persirai, targeting over 1,000 IP camera models, and in October 2017, another research report disclosed a botnet called IOTroop that had already secretly infected a million organizations.
Broadpwn: The discovery of Broadpwn, a heap overflow vulnerability found in roughly one billion iOS and Android devices, demonstrated that an operating system’s best efforts to protect users from external threats can be rendered moot if the hardware remains vulnerable to attack. In this instance, security researcher Nitay Artenstein found that a flaw in Broadcom Wi-Fi chipsets could allow malicious actors who exploited this bug to remotely take over any vulnerable device within Wi-Fi range without user interaction. They could then use that compromised device to infect others within range – effectively creating a never-before-seen Wi-Fi worm. Apple distributed a patch for Broadpwn in July 2017, followed by Google in September.
BlueBorne: One million vulnerable devices not enough for you? Try 5.3 billion. That’s how many Bluetooth-enabled devices were found carrying major vulnerabilities that attackers at one point could have exploited to remotely execute code, take over devices, and perform man-in-the-middle (MITM) attacks. Google, Apple, Linux and Microsoft issued their own respective patches for the bugs, which were publicly disclosed by IoT security company Armis in September 2017. Making matters worse, it was revealed that attackers could exploit these bugs without user interaction, and then leverage compromised devices to attack additional Bluetooth-enabled systems over the air. In fact, a vulnerable targeted device would not even have to be paired with an attacking device or even be in Discovery Mode. In response to Armis’ announcement, some experts decried the lack of time and energy that vulnerability hunters have dedicated to researching the Bluetooth protocol.
KRACK: In October 2017, it became public knowledge that every Wi-Fi device using WPA2 was vulnerable to an exploit called KRACK, or Key Reinstallation AttaCKs, which allows an attacker to remotely read and steal a nearby device’s sensitive personal information, even if it’s supposedly encrypted. Security researcher Mathy Vanhoef of the Belgian university KU Leuven developed the proof-of-concept attack earlier that year, after uncovering a set of 10 vulnerabilities in the WPA2 protocol used by every modern Wi-Fi network. “During our initial research, we discovered ourselves that Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks,” said Vanhoef on a website describing the attack. In the weeks that followed, device manufacturers quickly began issuing patches for the bugs, before anyone could employ the KRACK attack for real, in the wild.