7 Stories From 2017 You Need to Know About

Before 2017 washes away, let us reflect on some of the big infosec stories of the year.

Threat Intel · 6 min read · Dec 28, 2017


As we approach the end of 2017, it’s time to take a look back at the stories that made waves in the infosec world in the last 12 months.

Attackers targeting banks and the Necurs botnet going quiet kicked off the year, though Necurs made an impactful return in March. Meanwhile, in the Middle East, Shamoon reappeared to carry out targeted attacks in Saudi Arabia. Elsewhere, there was good news for law enforcement and bad news for cyber criminals when the Kelihos/Waledac botnet was successfully dismantled.

In the last quarter of the year, a growth in cryptocurrency mining, partly driven by a jump in the value of many cryptocurrencies, sparked a lot of interest.

But what were some of the other big events of the year in infosec? We round up seven of the must-know stories below:

Longhorn: Tools used by cyberespionage group linked to Vault 7

In April, Symantec published information gleaned as part of an investigation into a cyber espionage group we called Longhorn. Having looked at the Vault 7 documents leaked by WikiLeaks in March of this year, Symantec determined that Longhorn’s activities and the Vault 7 documents were the work of the same group. Symantec had been protecting its customers and tracking Longhorn for three years by the time this information was published, and was able to determine that the tools used by Longhorn closely followed development timelines and technical specifications laid out in the Vault 7 documents.

Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa, and has been active since at least 2011, and potentially as far back as 2007.

What you need to know about the WannaCry ransomware

The infosec story that made the biggest splash in 2017, and jumped straight to the front pages, was the WannaCry ransomware attack. WannaCry was such a big deal because from its initial outbreak on May 12 it spread at breakneck speed, until the discovery of a killswitch by security researcher MalwareTech dramatically curtailed its ability to spread.

Major organizations like the NHS in the UK, Telefonica in Spain, and car company Renault were just some of the businesses affected by WannaCry.

WannaCry was so virulent because it was able to use the Eternal Blue exploit to spread across Windows computers in corporate networks. Eternal Blue was an exploit that was leaked by the group known as the Shadow Brokers. It had been patched by Microsoft in March, but this attack two months later dramatically underlined that many corporate networks did not have their patches up to date.

Symantec was subsequently able to link the WannaCry attack to the Lazarus group, the infamous hacking group that is also believed to be behind the attacks on Sony Pictures in 2014 and the Bangladesh Bank attack last year.

In December, the U.S. government officially attributed the WannaCry attack to North Korea.

WannaCry’s ransom note

Petya ransomware outbreak: Here’s what you need to know

A little over a month after the WannaCry outbreak, the Petya/NotPetya attack emerged to make waves. Almost unbelievably, despite all the attention WannaCry received, this Petya outbreak was still able to use the Eternal Blue exploit to spread. Clearly, many businesses and people had still not patched their computers. However, not putting all its eggs in one basket, Petya also leveraged an exploit called Eternal Romance, as well as spreading by using stolen credentials.

While it was initially referred to as a ransomware attack, there was actually no way to decrypt disks that became infected with this outbreak of Petya. More accurately, it was a wiper. The initial infection vector for Petya was a tax and accounting software package that was widely used in Ukraine. This was used for the initial insertion of malware into corporate networks. This was a classic example of a supply chain attack, where a “weak link” in the supply chain is exploited in order to gain access to a company’s network, and also indicates that this attack may have been intended to target organizations in Ukraine. It did subsequently spread to many other countries, but the majority of Petya infections that occurred were in Ukraine.

Dragonfly: Western energy sector targeted by sophisticated attack group

In September, Symantec reported on the re-emergence of a cyber espionage group that had gone quiet for a couple of years. Dragonfly was linked to a series of cyber attacks on targets in the energy sector in Europe and North America.

Dragonfly has been active since at least 2011, but went quiet following exposure by Symantec and a number of other security researchers in 2014. This most recent campaign appears to have begun in late 2015, and has tactics and tools in common with the group’s earlier campaigns. The group appeared to ramp up its activity in 2017. Countries that had organizations targeted by the group include the U.S., Turkey, and Switzerland.

The Dragonfly group re-emerged in 2017

BadRabbit: New strain of ransomware hits Russia and Ukraine

There were fears that another outbreak on the level of WannaCry or Petya/NotPetya was on the cards when the BadRabbit ransomware outbreak was identified at the end of October. However, while this ransomware did have some similarities with the other two, it did not have nearly as great an impact. BadRabbit, like WannaCry and Petya, was also able to use self-propagation as one of the ways it spread. It exploited the Eternal Romance vulnerability in Windows computers, as Petya had also done.

However, unlike Petya, BadRabbit was genuine ransomware, in that files could be decrypted if victims obtained the decryption key. BadRabbit mainly impacted Russia, with almost 90 percent of infection attempts detected by Symantec happening in that country.

BadRabbit mostly impacted Russia

Sowbug: Cyber espionage group targets South American and Southeast Asian governments

Sowbug was a previously unknown group identified by Symantec that was carrying out targeted cyber attacks against organizations in South America and Southeast Asia. The group appeared to be heavily focused on foreign policy institutions and diplomatic targets, and it was carrying out classic espionage activity such as stealing documents from the organizations it infiltrated.

Sowbug has been active since at least 2015 and has infiltrated organizations in Brazil, Argentina, Ecuador, Peru, Brunei, and Malaysia.

Triton: New malware threatens industrial safety systems

Breaking in December was news about a new Trojan targeting industrial control systems (ICS). This Triton malware has the potential to cause severe disruption at any organization it targets, and has already reportedly been used against at least one organization in the Middle East.

The malware can modify the behavior of safety instrumented systems (SIS) and cause them to malfunction. As SIS devices are designed to monitor the performance of critical systems and take remedial action if an unsafe condition is detected, attackers who gain access to them could cause a lot of disruption.

Triton is interesting, as malware that is specifically designed to attack ICS is relatively rare. The most famous example is undoubtedly Stuxnet, which was designed to attack programmable logic controllers (PLCs) being used in the Iranian uranium enrichment program.

Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cybersecurity.



Symantec’s Threat Hunter team brings you the latest threat intelligence from the IT security world.