Fortinet has released its latest Global Threat Landscape Report and it doesn't make for comfortable reading. With 90 percent of enterprises still recording exploits for vulnerabilities that are more than three years old, and 60 percent for vulnerabilities more than ten years old, threat actors are having an exploit heyday. It's hardly a coincidence, then, that we have seen a return of the network worm as a serious threat to the enterprise with the rise of the ransomworms.
The report quantified 184 billion total exploit detections, 62 million malware detections and 2.9 billion botnet communications attempts. Nearly 44 percent of all exploit attempts occurring on either a Saturday or Sunday; twice the attack volume of weekdays. Phil Quade, chief information security officer at Fortinet, admits that "something we don't talk about often enough is the opportunity everyone has to limit bad consequences by employing consistent and effective cyber-security hygiene." SC Media UK has been asking the industry just what's gone so wrong...
Let's start with why such old vulnerabilities are still so problematical in large enterprises. Wieland Alge, general manager EMEA at Barracuda, told SC Media that "we can only guess that it is a result of the massive contrast between what CIOs answer in surveys" Alge says "and what IT organisations actually do." And Ofer Maor, director of security strategy at Synopsys adds that "old vulnerabilities are an issue because, contrary to what many people think, patch management is an immensely complex problem within large enterprises."
Ken Munro, partner at Pen Test Partners agrees that patching isn't always as easy as it sounds in keynote presentations. Take MRI scanners, which we know got hit by the WannaCry ransomware as the underlying OS was vulnerable and hadn't been patched. "These systems are critical infrastructure and rarely have the downtime to patch" Munro explains, adding "plus what happens if the patch breaks it? Most hospitals don't have millions of pounds to spend on a ‘test MRI scanner' just to check patches don't break it before deploying to production."
Duncan McAlynn, principal engineer and security evangelist at Ivanti, puts poor patching down to three things that he hears from IT security professionals when asked why they aren't as diligent with third party applications as they are with Microsoft updates: "they don't have the time, they don't have the expertise and they don't have the proper tools."
Ian Trump, CTO at Octopi Research Labs (UK) Limited, thinks that dishonesty adds a fourth to that list. "In many corporate cultures management attempts to obfuscate the truth from executives" Trump insists, "with a don't rock the boat rhetoric persisting until the financial results come in."
And what about the dramatic rise of ransomworms, does this signal a comeback for that almost forgotten threat: the network worm?
Liviu Arsene, senior e-threat analyst at Bitdefender, argues that worms have never really gone away at all. "IoTs were previously targeted by Mirai, a worm designed to brute force its way into smart devices and turn them into bots." Not forgetting Conficker before that, of course. However, Luke Potter who is cyber-security practice director at SureCloud, points out the nearly 10-year gap between the two, Conficker and WannaCry, "demonstrates how difficult it can be to create these threats against modern systems."
Something Ondrej Kubovic, security awareness specialist for ESET picks up on, telling SC that "metaphorically, the leaked NSA exploit EternalBlue has become a vehicle for many of the recent large-scale attacks, but that doesn't mean that network worms are having a broader comeback." David Emm, principal security researcher at Kaspersky Lab, agrees that while there may well be subsequent attacks of a similar nature "I don't believe that the use of network worms will rival the use of other techniques for spreading malware..."
Ben Rafferty, global solutions director, Semafone is quick to suggest that what we are actually seeing with ransomware is not worms regaining their popularity as hacking tools but "viruses finding an effective way of monetising themselves." For as long as we have "organisations being negligent and failing to protect their data systems" Rafferty insists, such things will continue as they are now a viable criminal business model. When you accept that "attackers love the path of least resistance" as Marina Kidron, leader of the Skybox Security Research Lab points out, then this monetisation methodology makes sense.
So what can be done to stop the rise of the ransomworm? High-Tech Bridge CEO, Ilia Kolochenko, says it has to do with misunderstanding what a standalone machine is with organisations "assuming that if it is impossible to connect to the Internet from it then it's immune from all the risks." Indeed "organisations will need to step up their defences to shut down these types of attacks again." Tim Erlin, VP at Tripwire adds "let's just hope this lesson in cyber-security history is short-lived."
A hope that may not pan out to be reality, when you consider that a worm is a "much more effective model than trying to get 25 employees to launch the same phishing email attachment or having to put a USB stick in 25 machines." as Brian Robison, senior director of security technology at Cylance, concludes.