It’s been a few days since the ransomware WannaCry wreaked havoc across the globe. Now after few nights of rest and reflection, I want to look at what this incident means for the state of cyber security.
Yes, it is true that this attack utilized a well-known unpatched vulnerability to spread laterally from within an organization. While ransomware is not a new or unique attack, in this particular case, however, it is because of its reliance on the recent NSA leak. I want to emphasize here that the NSA invested a massive amount of time and effort to discover this nation-state vulnerability.
You can find more details about the NSA leak here - http://bit.ly/ShadowBrokers-NSA
Can you recall the last time an attack of this magnitude, executed on a global scale, utilized a rare unknown vulnerability to spread laterally inside the organization? No?
Ok, let me remind you. It was 10 YEARS ago. Back in 2008.
This is to show you just how rare of an occasion it is.
The solution to this problem is simple: patch the vulnerability. It’s the same as it was then and the same as it is now.
But what if I told you that there is a built-in capability to spread laterally in each and every corporation AND government around the world….and it’s been there for the past 17 years, back when I had my bar mitzvah. Would you call me crazy?
No guys, this is not a figment of my imagination. This is real.
It’s called the Active Directory.
Attackers don’t need to rely on nation-state zero days or unpatched vulnerabilities to spread laterally within the corporation. They just need to manipulate the corporate domain, which is managed by the Active Directory, into their favor, steal credentials and spread laterally.
This methodology has been used by all the most successful APTs to stay undetected and achieve their goal.
The day is not far when attackers will learn to combine these two methodologies: the Active Directory manipulation and the ransomware monetization.
When these two methodologies are combined, attackers are able to encrypt the entire corporation at once from the inside.
In fact, we have already seen this happen back in 2015 with Samas ransomware. With only one campaign in the United States, the group racked up $450,000 in ransom - http://bit.ly/SAMAS-RANSOM
WannaCry, on the other hand, has only been able to rack up $60,000 so far, and their attack was carried out on a global scale.
So imagine what will happen when attackers use the Active Directory to spread ransomware everywhere inside.
But we cannot leave this to imagination because this is what’s coming next. This is the next wave of ransomware.