Tag Archives: WannaCry

The Biggest Cyber Attacks of 2018 Will Come from Known Vulnerabilities

by Bharat Mistry

It’s that time of year again. As we bid farewell to 2017 and look forward to the next 12 months, it’s only right that we share our predictions for 2018 to help IT security bosses prepare for the inevitable cyber-assault on their systems. Our report, Paradigm Shifts: Security Predictions for 2018, features a range of trends to watch out for during the coming year, including: a continued growth in cyber-propaganda; BEC losses to exceed $9m; new IoT threats; and an uptick in digital extortion campaigns.

But to pull back a little and look at the bigger picture, one trend in particular will dominate: known vulnerabilities are set to cause havoc in 2018 as the primary cause of most of the year’s biggest attacks. The good news is that mitigating this risk should not require a major additional investment of time and resources — but it needs to start now.

The problem with vulnerabilities
Anyone with an eye on the past 12 months will understand why known software flaws could be so disruptive in 2018. After all, they caused the biggest security events of the past year. Exhibit A is undoubtedly WannaCry: the infamous ransomware-worm attack which spread around the world in just hours, infecting hundreds of thousands of computers. In this case those behind it used alleged NSA exploit information leaked by the Shadow Brokers group, which it is claimed is backed by the Russian state.

It’s proof if any were needed that even nation states can’t keep research on offensive cyber-tools a secret. Eventually they will find their way onto the cybercrime underground, putting innocent consumers and organisations around the world in danger. In the case of WannaCry it was the NSA’s EternalBlue Windows SMB exploit that was used to make the threat so prolific. It had been patched months earlier by Microsoft, but still managed to spread to a huge range of unprotected endpoints, highlighting organisations’ continued negligence when it comes to security best practices.

There are many potential repercussions. We can expect nation state groups like Pawn Storm to continue their exploitation of known vulnerabilities — as well as more sophisticated zero days — to infiltrate targets. Data theft is usually the outcome in these instances, while among financially motivated cybercrime gangs we can expect software flaws to be exploited in ransomware attacks as well as info-stealing raids.

Who knows what vulnerabilities may be exposed and used over the coming 12 months. All we know is that once flaws become public knowledge, the clock starts ticking: from then it’s just a matter of “when” not “if” it will hit users. The signs aren’t looking good: Trend Micro’s Zero Day Initiative uncovered 382 new vulnerabilities in the first half of 2017 alone, according to our Midyear Security Roundup.

Taking action
The bottom line is that if you have known and unpatched vulnerabilities in your IT environment, they will be targeted — it’s just a matter of time. Yet many IT leaders managing legacy systems either can’t patch — because none are available — or are reluctant to apply fixes in case they break mission critical installations. But there are solutions:

  • Consider reducing the attack surface by minimising the number of unpatched flaws in your environment. Virtual patching is a great way of keeping even legacy and “end-of-life” systems secure.
  • Revisit patch management policies and invest in automated tools to ease the burden.
  • Be prepared for a worst-case scenario. Ensure you have a comprehensive and thoroughly tested incident response plan in place. This should ideally include key stakeholders from all over the organisation (HR, Legal, IT etc). The quicker you get on top of an incident, the better your chances of minimising the financial and reputational fall-out.

Read our full list of predictions for 2018 in the report. Have any predictions of your own for 2018? Share them with us on Twitter @TrendMicroUK.


CLOUDSEC London Returns to Help IT Bosses Step Up Their Security Game

by Matt Poulton

We’re only halfway into 2017 and already UK organisations have been forced to face down a formidable array of cyber threats. From the global WannaCry epidemic to last week’s destructive ‘Petya’ attacks, the past few weeks alone have witnessed enough serious incidents to keep CISOs awake at night.

The good news is that help is at hand with the return of Trend Micro’s popular CLOUDSEC event in London this September. Once again, it’ll be packed full of fantastic opportunities to network with peers and industry leaders, and hear from some of the best in the business on ways to cope with the growing online threat.

WannaCry Highlights Major Security Shortcomings Ahead of GDPR D-Day

by Bharat Mistry

For all the panic it caused, WannaCry looks finally to have been contained by organisations round the globe. But this isn’t the time to forget about it and move on. There are valuable lessons to be learned about this attack, why it was so successful and what can be done to prevent it happening again. The unpalatable truth is that many of those organisations caught out by WannaCry earlier this month could face punitive fines if the same kind of thing happens again in a year’s time.

That’s right: the EU General Data Protection Regulation (GDPR) is coming, adding a whole new level of urgency to firms realising they need a major cybersecurity overhaul after WannaCry.

WannaCry & The Reality Of Patching

Mark Nunnikhoven, VP Cloud Research, Trend Micro

The WannaCry ransomware variant of 12-May-2017 has been engineered to take advantage of the most common security challenges facing large organizations today. Starting with a basic phish, this variant uses a recent vulnerability (CVE-2017-0144/MS17-010) to spread unchecked through weaker internal networks, wreaking havoc in large organizations.

The gut reaction from those on the sidelines was, understandably, “Why haven’t they patched their systems?” Like most issues in the digital world, it’s just not that simple. While it’s easy to blame the victims, this ransomware campaign really highlights the fundamental challenges facing defenders.

What made this campaign succeed was not the latest zero-day (a patch for MS17-010 was available 59 days before the attack) or a persistent attacker. One of the biggest challenges facing the security community today is effectively communicating cybersecurity within the larger context of the business.


A common refrain in the security community is that patching is your first line of defence. Despite this, it’s not uncommon for it to take 100 days or more for organizations to deploy a patch. Why?

It’s complicated. But the reason can be boiled down roughly to the fact that IT is critical to the business. Interruptions are frustrating and costly.

From the user’s perspective, there is a growing frustration with the dreaded “Configuring updates. 25% complete. Do not turn off your computer” screen. The constant barrage of updates is tiring and gets in the way of work. Making matters worse is the unpredictable nature of application behaviour post-patch.

About 10 years ago, “best practices” formed around extensive testing of patches before deploying them. At this time, the primary motivator was patch quality. It wasn’t uncommon for a patch to crash a system. Today, patches occasionally cause these types of issues but they’re the exception not the rule.

The biggest challenge now is custom and third-party applications that don’t follow recommended coding practices. These applications might rely on undocumented features, unique behaviours, or shortcuts that aren’t officially supported. A patch can change that landscape, rendering critical business applications unusable until they too can be patched.

This cycle is why most businesses stick to traditional practices of testing patches, which significantly delays their deployment. Investing in automated testing to reduce deployment time is expensive and a difficult cost to justify given the long list of areas that need attention within the IT infrastructure.

This unrelenting river of patches makes it difficult for organizations to truly evaluate the risks and challenges of deploying critical security patches.

Legacy Weight

The argument around patching assumes—of course—that a patch is actually available to resolve the issue. This is the zero-day. While the threat of zero-days is real, long patch cycles mean the 30-day, 180-day, and the forever-day are far more likely to be used in an attack. The Verizon Data Breach Investigations Report consistently highlights how many organizations are breached using exploits of patchable vulnerabilities.

The WannaCry campaign used a vulnerability that was publicly known for 59 days. Unfortunately, we’ll continue to see this vulnerability exploited for weeks—if not months—to come.

Making matters worse, MS17-010 was initially only released for supported platforms. Microsoft has since reversed that position and issued a patch for all affected platforms (kudos to them for making that call). While it’s logical only to provide patches for supported platforms, the reality is that the “supported” number is far different from the “deployed” number.

We know that Windows XP, Windows Server 2003, and Windows 8 continue to live on – by some reports accounting for 11.6% of Windows desktops and 17.9% of Windows servers. That’s a lot of vulnerable systems that need to be protected.

While there are third-party security solutions (some from Trend Micro) that can help address the issue, these legacy systems are a weight on forward progress. As a system ages, it becomes harder to maintain and poses a greater risk to the organization.

Malware like the 12-May-2017 WannaCry variant takes advantage of this fact to maximize the success of the attack… and the attackers’ potential profits.

Security teams need to help the rest of IT explain to the business why it needs to invest in updating legacy infrastructure. It’s a hard argument to make successfully. After all, the business processes have adapted to these systems and, from a workflow perspective, they are reliable.

The challenge is quantifying the risk they pose (maintenance and security-wise) or at least putting this risk in the proper perspective in order to make an informed business decision.

Critical…For Real

All too frequently, vulnerabilities are flagged as critical: 637 and counting so far in 2017, which is a faster pace than the 1,057 reported in 2016 (and these numbers cover only remotely exploitable vulnerabilities!). Your organization is not going to be impacted by all of these, but it’s fair to say that you’ll face a decision about a critical vulnerability roughly once a month.

To make the decision to disrupt the business, you’re going to have to evaluate that impact. This is where organizations tend to falter. It’s extremely difficult to boil the decision down to numbers.

In theory, you should take the cost of downtime (when deploying the patch) and compare it to the cost of a breach. Ponemon and IBM have the cost of a data breach in 2016 at an average of $4 million USD (4% of worldwide turnover for EU companies). This means that you should always patch unless the downtime cost is more than $4 million.

Except that this doesn’t factor in the probability of that breach happening, or the cost of using security controls to mitigate the issue. This is where it gets really complicated and highly individualized.

The debate on how to properly evaluate this decision rages on in the IT community, but specific to WannaCry, the equation was actually pretty straightforward.

Microsoft issued MS17-010 in March, 2017 and flagged it as critical. A month later, there was a very high profile and very public data dump that contained an easy to understand and execute exploit for the vulnerabilities patched by MS17-010. At this point, the security team can guarantee that their organization will see attacks taking advantage of this vulnerability.

That puts the probability of attack at 100 percent. So unless it’s going to cost $4 million to patch your systems, the patch should be rolled out immediately.
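As an added worked example (not code from the post), here is the expected-loss comparison this passage describes, carried one step further to include the two factors the text says the simple rule leaves out: the probability of attack and the cost of a mitigating control. Every cost other than the quoted $4 million breach figure is a constructed placeholder.

```python
"""Expected-loss comparison for a critical-patch decision (added example, not
code from the original post). The USD 4 million breach cost is the Ponemon/IBM
figure the post quotes; every other number is a constructed placeholder."""
from dataclasses import dataclass

BREACH_COST_USD = 4_000_000.0  # average cost of a data breach (Ponemon/IBM 2016)


@dataclass(frozen=True)
class Option:
    name: str
    direct_cost: float    # outage, labour and tooling cost of taking this option
    p_attack: float       # probability an exploit attempt reaches your estate
    p_compromise: float   # probability the attempt succeeds under this option


def expected_loss(opt: Option, breach_cost: float = BREACH_COST_USD) -> float:
    """Direct cost plus the probability-weighted cost of a breach."""
    return opt.direct_cost + opt.p_attack * opt.p_compromise * breach_cost


def attack_probability(exploit_public: bool, baseline: float = 0.1) -> float:
    """The post's key step: a public, working exploit makes attack certain.
    The 10% baseline before public disclosure is a constructed assumption."""
    return 1.0 if exploit_public else baseline


def ms17_010_decision(unplanned_downtime: float, planned_downtime: float,
                      mitigation_cost: float, exploit_public: bool = True) -> str:
    """Return the cheapest option for a critical, remotely exploitable flaw.
    'mitigate' = virtual patching / IPS in front of unpatched hosts, then
    patching in a planned window; its 5% residual risk is a constructed value."""
    p = attack_probability(exploit_public)
    options = [
        Option("do nothing", 0.0, p, 1.0),
        Option("patch now", unplanned_downtime, p, 0.0),
        Option("mitigate, patch in planned window",
               mitigation_cost + planned_downtime, p, 0.05),
    ]
    return min(options, key=lambda o: expected_loss(o)).name


if __name__ == "__main__":
    # Post's scenario: exploit public, modest outage cost -> patch immediately.
    print(ms17_010_decision(250_000, 50_000, 20_000))
    # Emergency outage costlier than the expected breach -> mitigate, buy time.
    print(ms17_010_decision(5_000_000, 1_000_000, 20_000))
```

With the exploit public, "do nothing" always carries the full $4 million expected loss, so the only question left is whether an emergency outage or a mitigating control plus a planned window is cheaper.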


Un-patchable systems still need to be protected. With WannaCry, all affected systems are patchable now—again, thanks to a generous move by Microsoft. With other malware threats, that’s typically not the case.

This is where mitigations come into play. These mitigations also buy time for patches to be deployed.

WannaCry is a solid example of a new variant that caused significant damage before traditional anti-malware scanning could be updated to catch it. This is where machine learning models and behavioural analysis running on the endpoint are critical.

These techniques provide continuous and immediate protection for new threats. In the case of WannaCry, systems with this type of endpoint protection were not impacted. After deeper analysis by the security community, traditional controls were able to detect and prevent the latest variant of WannaCry from taking root.

When in place, strong network controls (like intrusion prevention) were able to block WannaCry from spreading indiscriminately throughout corporate networks. This is another argument for microsegmentation within the network.

Finally, phishing emails continue to be the most effective method of malware distribution. 79 percent of all ransomware attacks in 2016 started via phishing. Aggressively scanning emails for threats and implementing strong web gateways are a must.

Protecting Against The Next Threat

WannaCry is a fast moving threat that’s had a significant real-world impact. In the process, it’s exposed fundamental challenges of real-world cybersecurity.

Patching is a critical issue and it needs the entire IT organization working with the rest of the business to be effective. Year after year, the majority of attacks take advantage of patchable vulnerabilities. This means that most cyberattacks are currently preventable.

Rapid patching combined with reasonable security controls for mitigating new and existing threats are the one-two punch your organization needs to reduce its risk of operating in the digital world.

While the problem and solutions are technical in nature, getting the work done starts with communications. There’s no better time to start than now.