Two major global businesses with offices in SA are among hundreds of organisations across the world to have been infected by a large-scale ransomware attack.
The latest virus is similar to WannaCry, which wormed its way through computer systems last month.
Shipping giant Maersk, which has a presence in the Durban and Cape Town harbours, and British advertising agency WPP, which owns Native VML and Wunderman in SA, have reportedly been affected.
Digital forensic scientist Jason Jordaan, the MD of DFIRLABS, says he has also been alerted to other medium-sized companies in the country that have had their systems shut down. These firms, he says, are not owned by larger global organisations but do trade internationally.
The virus seizes control of a user’s computer and encrypts all data until a ransom is paid to the cyber criminal in the form of Bitcoin. The current asking price is $300 per machine infected.
The outbreak has infected major organisations, including airports and banks, mostly situated in Russia, Poland and France. It is estimated more than 300 000 computers have been infected in over 70 countries.
A name has not yet been agreed on for the new virus. It is not the same as WannaCry but uses the same exploit, EternalBlue, which the US National Security Agency (NSA) reportedly developed to exploit a vulnerability in the SMBv1 file-sharing service of Windows.
Edward Snowden tweeted: “If you’re a journalist writing about this [the international malware attack], remember this worm spreads based on a vulnerability NSA kept unfixed for years. #EternalBlue.”
The exploit was leaked by a group calling itself the Shadow Brokers. Microsoft had already released a patch for the vulnerability (security bulletin MS17-010) in March, two months before WannaCry struck.
According to Guy Golan, CEO of Performanta Group, the current exploit is an evolution of the Petya virus, which uses a backdoor in the Medoc payroll system. Medoc is predominantly used in Ukraine – which is where the virus is highly concentrated and is believed to have started.
Security firm Kaspersky Lab has coined the term ‘NotPetya’ or ‘ExPetr’ to describe the virus.
Golan says while the attacks are in the early phase, he does not believe it will spread aggressively across SA. He says this is because the WannaCry virus got directors to pay attention to threats they were unaware of and they took precautionary actions to prevent further incidents.
He says a team of 17 people at his company worked non-stop from 6pm yesterday till 4am this morning refining patches, updating systems and monitoring for suspicious behaviour. Golan says the team will be on high alert for the next 72 hours.
While WannaCry massively raised the level of cyber security awareness, Golan says these types of attacks will continue to happen.
Jordaan agrees the attacks are only going to get worse and his worry is when hackers start to target critical infrastructure.
How it spreads
Security company Sophos says the new variant of Petya, which was first discovered last year, “is particularly virulent because it uses multiple techniques to spread automatically within a company’s network once the first computer is infected”.
ESET says: “For spreading, it appears to be using a combination of the SMB exploit (EternalBlue) used by WannaCry for getting inside the network, then PsExec for spreading within the network.
“This dangerous combination may be the reason why this outbreak has spread globally and rapidly, even after the previous outbreaks have generated media headlines and hopefully most vulnerabilities have been patched.
“It only takes one unpatched computer to get inside the network, and the malware can get administrator rights and spread to other computers.”
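The PsExec stage described above leaves a recognisable trail on each victim: the remote session first touches the ADMIN$ share (Windows Security event 5145) and a moment later a service named PSEXESVC is installed (System event 7045). The script below is an added example, not code from the article, ESET or Sophos, that looks for that pair over constructed event-log lines and then flags any source address that pushes PsExec to several hosts within minutes, which is the worm-like fan-out ESET describes. The JSON field names (`time`, `host`, `event_id`, `share`, `src_ip`, `user`, `service`, `image`) are assumed to come from a flattened event export; the log lines themselves are made up for the example.

```python
"""Detect PsExec-style lateral movement in (constructed) Windows event logs."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real telemetry. Field names are an assumption:
# a flattened export of Security event 5145 (network share object checked)
# and System event 7045 (a service was installed in the system).
SAMPLE_LOG = r"""
{"time":"2017-06-27T13:02:10","host":"WS-014","event_id":5145,"share":"\\\\*\\ADMIN$","src_ip":"10.0.5.21","user":"CORP\\admin"}
{"time":"2017-06-27T13:02:11","host":"WS-014","event_id":7045,"service":"PSEXESVC","image":"%SystemRoot%\\PSEXESVC.exe"}
{"time":"2017-06-27T13:02:40","host":"WS-015","event_id":5145,"share":"\\\\*\\ADMIN$","src_ip":"10.0.5.21","user":"CORP\\admin"}
{"time":"2017-06-27T13:02:41","host":"WS-015","event_id":7045,"service":"PSEXESVC","image":"%SystemRoot%\\PSEXESVC.exe"}
{"time":"2017-06-27T13:04:05","host":"WS-016","event_id":5145,"share":"\\\\*\\ADMIN$","src_ip":"10.0.5.21","user":"CORP\\admin"}
{"time":"2017-06-27T13:04:06","host":"WS-016","event_id":7045,"service":"PSEXESVC","image":"%SystemRoot%\\PSEXESVC.exe"}
{"time":"2017-06-27T13:05:00","host":"WS-020","event_id":5145,"share":"\\\\*\\IPC$","src_ip":"10.0.5.30","user":"CORP\\jsmith"}
{"time":"2017-06-27T13:30:00","host":"WS-021","event_id":7045,"service":"Sysmon64","image":"C:\\Windows\\Sysmon64.exe"}
{"time":"2017-06-27T14:10:00","host":"WS-030","event_id":5145,"share":"\\\\*\\ADMIN$","src_ip":"10.0.9.5","user":"CORP\\helpdesk"}
{"time":"2017-06-27T14:10:01","host":"WS-030","event_id":7045,"service":"PSEXESVC","image":"%SystemRoot%\\PSEXESVC.exe"}
"""

PSEXEC_SERVICE = "PSEXESVC"          # service name PsExec installs on the target
ADMIN_SHARES = ("ADMIN$", "C$")      # shares PsExec writes its service binary to


def parse_events(text):
    """Parse JSON lines into dicts with real datetimes, oldest first."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["time"])


def is_psexec_install(ev):
    """System 7045 whose service name or image path is the PsExec service."""
    if ev["event_id"] != 7045:
        return False
    name = ev.get("service", "").upper()
    image = ev.get("image", "").upper()
    return name == PSEXEC_SERVICE or image.endswith(PSEXEC_SERVICE + ".EXE")


def is_admin_share_access(ev):
    """Security 5145 against an administrative share (\\*\ADMIN$ or \\*\C$)."""
    if ev["event_id"] != 5145:
        return False
    share = ev.get("share", "").rsplit("\\", 1)[-1].upper()
    return share in ADMIN_SHARES


def correlate(events, window_seconds=60):
    """Tie each PsExec service install to the admin-share session that staged it."""
    share_hits = [e for e in events if is_admin_share_access(e)]
    findings = []
    for ev in events:
        if not is_psexec_install(ev):
            continue
        source = None
        for s in reversed(share_hits):   # most recent matching share access wins
            delta = ev["time"] - s["time"]
            if s["host"] == ev["host"] and timedelta(0) <= delta <= timedelta(seconds=window_seconds):
                source = s
                break
        findings.append({
            "target": ev["host"],
            "time": ev["time"],
            "src_ip": source["src_ip"] if source else None,
            "user": source["user"] if source else None,
        })
    return findings


def worm_like_sources(findings, min_targets=3, span_minutes=10):
    """Sources that pushed PsExec to >= min_targets distinct hosts within span_minutes."""
    by_src = defaultdict(list)
    for f in findings:
        if f["src_ip"]:
            by_src[f["src_ip"]].append(f)
    flagged = {}
    for src, fs in by_src.items():
        fs.sort(key=lambda f: f["time"])
        for i, first in enumerate(fs):
            targets = {f["target"] for f in fs[i:]
                       if f["time"] - first["time"] <= timedelta(minutes=span_minutes)}
            if len(targets) >= min_targets:
                flagged[src] = sorted(targets)
                break
    return flagged


if __name__ == "__main__":
    found = correlate(parse_events(SAMPLE_LOG))
    for f in found:
        print(f"{f['time']} PsExec on {f['target']} from {f['src_ip']} as {f['user']}")
    for src, hosts in worm_like_sources(found).items():
        print(f"ALERT: {src} fanned out to {len(hosts)} hosts: {', '.join(hosts)}")
```

On the sample data the single helpdesk push to WS-030 is reported but not alerted on, while 10.0.5.21 is flagged for reaching three hosts in under two minutes. A real deployment would feed the same correlation from a SIEM rather than a string, and would also watch for the EternalBlue entry point (SMB traffic from unexpected sources to port 445), which this script does not cover.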
Golan says there are three major areas of discussion around security that have been brought into the mainstream due to these viruses. The first is that the US government has finally acknowledged countries need to increase cooperation between each other to fight cyber attacks.
The second is organisations’ confusion about what could come next: how hackers could evolve the exploit. He says there are a lot of conspiracies and rumours flying around within the industry and among board directors, and that confusion normally leads to fear.
The third discussion, he says, is where the end-user fits in, with their smartphone or laptop that they take off the premises. Golan says the security industry has been talking about this for years, but companies are finally realising their perimeters do not end at the firewalls but extend to each device.