Attackers aren’t always interested in winning prizes for originality. After all, why should they look for zero-day vulnerabilities when companies use millions of devices that contain known, easily exploitable flaws?
According to Fortinet, 90% of organizations have seen attempts to exploit vulnerabilities that had gone unpatched for at least three years. Without those patches, or without the budget to replace obsolete equipment, an organization's devices, including its routers, servers and ICS components, can be hacked, modified or even shut down remotely at any time. Such is the power of the Forever Day vulnerability: a flaw that will never be fixed, because the product is out of support or the vendor has no intention of patching it.
The power of NotPetya
In May 2017, the WannaCry ransomware caused damage estimated at between $4 billion and $8 billion worldwide, famously bringing the NHS to a standstill. The SMBv1 flaw it exploited (MS17-010, the bug behind the leaked EternalBlue exploit) had already been patched in supported versions of Windows two months earlier; the day after the outbreak Microsoft took the unusual step of also releasing a fix for the long-unsupported Windows XP and Windows Server 2003, which WannaCry had used to penetrate the infrastructure of hundreds of companies around the world.
However, this patch was no magic bullet. Just weeks later, the NotPetya crypto malware attack used the same SMBv1 vulnerability as one of its propagation methods and caused around $10 billion of losses, impacting the operations of consumer goods giant Reckitt Benckiser, Mondelez International, the owner of snack brands including Cadbury and Oreo, and shipping company Maersk amongst others.
So how was NotPetya able to cause so much more damage than WannaCry, or even happen in the first place when the patch had been released? For one thing, NotPetya was more aggressive: it overwrote the master boot record (MBR) of its victims' hard disks with its own boot code and encrypted the NTFS master file table, leaving machines unable to boot at all, while WannaCry only encrypted files of certain types.
Of course, not all companies immediately installed the Microsoft patch. Indeed, months after the two attacks, two thirds of companies were still vulnerable. NotPetya even kept spreading on infrastructure where the lessons of WannaCry had been learned, because it also moved laterally through legitimate built-in Windows administration tools (PsExec and WMIC) using credentials stolen from infected machines. A fully patched host could therefore still be infected by a compromised neighbour that held administrative credentials for it.
What's more, NotPetya included a module derived from Mimikatz, a tool that recovers Windows passwords and password hashes in plaintext from the memory of the LSASS process. Run with administrative privileges, it harvested the credentials that the PsExec and WMIC spreading routines then reused. This again demonstrated the vulnerability inherent in outdated systems. Since Windows 8.1 and Server 2012 R2, the WDigest provider no longer keeps plaintext passwords in LSASS memory by default, Windows 7 and Server 2008 R2 only stop doing so once KB2871997 is installed and the UseLogonCredential registry value is set to 0, and Windows 10 can additionally isolate LSASS with Credential Guard, all of which limits what Mimikatz can recover (NTLM hashes usable for pass-the-hash generally remain). Older versions, on the other hand, hand over plaintext passwords to Mimikatz without special measures in place.
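As an added example (not code from the original article), the following PowerShell audit checks a Windows host for the conditions discussed above: whether SMBv1, the protocol MS17-010 targets, is still being served, whether WDigest can hand plaintext passwords to a Mimikatz-style tool, and whether LSASS runs as a protected process. It assumes Windows PowerShell 3.0 or later in an elevated session; the function names are my own.

```powershell
# Added example: audit a Windows host for the Forever Day conditions discussed in the
# text. Assumes Windows PowerShell 3.0+ (Get-CimInstance, [ordered]) and an elevated
# prompt; Get-SmbServerConfiguration needs Windows 8/Server 2012 or later, older hosts
# fall back to the documented LanmanServer registry setting.

function Test-Smb1Exposed {
    # SMBv1 is what EternalBlue/MS17-010 abuses; if the server side is still on,
    # an unpatched host is exploitable by anyone who can reach TCP/445.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { return [bool]$cfg.EnableSMB1Protocol }
    # Pre-Windows 8: SMB1 stays enabled unless LanmanServer\Parameters\SMB1 = 0.
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
                          -Name SMB1 -ErrorAction SilentlyContinue
    return -not ($p -and $p.SMB1 -eq 0)
}

function Test-WDigestPlaintext {
    # WDigest caches plaintext logon passwords in LSASS unless UseLogonCredential = 0.
    # Windows 8.1 / Server 2012 R2 (NT 6.3) and later default to off; older versions
    # need KB2871997 *and* the registry value explicitly set to 0.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $val = (Get-ItemProperty -Path $key -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $os  = [version](Get-CimInstance Win32_OperatingSystem).Version
    $modernDefault = ($os.Major -gt 6) -or ($os.Major -eq 6 -and $os.Minor -ge 3)
    if ($modernDefault) {
        return ($val -eq 1)                     # only at risk if someone re-enabled it
    }
    $backport = Get-HotFix -Id KB2871997 -ErrorAction SilentlyContinue
    return -not ($backport -and $val -eq 0)     # at risk unless patched AND disabled
}

function Test-LsaProtection {
    # Windows 8.1+ can run LSASS as a protected process (RunAsPPL = 1), which keeps
    # ordinary user-mode tools, even with admin rights, from opening its memory.
    $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                          -Name RunAsPPL -ErrorAction SilentlyContinue
    return [bool]($p -and $p.RunAsPPL -eq 1)
}

# Report: $true in the value column means the weakness is present on this host.
$findings = [ordered]@{
    'SMBv1 server enabled (MS17-010 exposure)'       = Test-Smb1Exposed
    'WDigest caches plaintext passwords (Mimikatz)'  = Test-WDigestPlaintext
    'LSASS not running as a protected process'       = -not (Test-LsaProtection)
}
foreach ($f in $findings.GetEnumerator()) {
    $state = if ($f.Value) { 'AT RISK' } else { 'ok' }
    '{0,-8} {1}' -f $state, $f.Key
}
```

Run it on a sample of the oldest machines first; a host that reports AT RISK on both the SMBv1 and WDigest lines is exactly the profile NotPetya needed, and the second line matters even on a fully patched neighbour, since stolen credentials travel over legitimate tools rather than exploits.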
Hardware under attack
Microsoft’s actions in the face of such significant crypto malware attacks were admirable. The company dusted off outdated but still relevant versions of its OS – five percent of PCs in 2018 still ran on XP, and a third of servers ran on Windows Server 2003 just 18 months before WannaCry - and rolled out updates as quickly as possible.
Unlike Microsoft, however, many manufacturers of critical hardware and software simply turned their backs on users, telling them to buy new equipment. Sometimes, in situations such as this, it takes the actions of an outsider to ensure devices are protected. A mysterious grey-hat hacker, for example, recently took it upon himself to remotely patch a RouterOS vulnerability (CVE-2018-14847) on 100,000 MikroTik routers. The flaw lets an unauthenticated attacker read arbitrary files from the device, including the user database with its poorly protected passwords.
Routers aren’t the only vulnerable devices, of course. The IoT contains many opportunities for exploitation. Flaws were recently found in connected security cameras and even vacuum cleaners - which could be exploited by hackers to build botnets, spy on the devices’ owners, or intercept and modify video traffic.
The biggest danger comes from old vulnerabilities in industrial control systems (ICS). Flaws were discovered in automation systems widely used in the oil industry, for example, that could allow attackers to control all processes or block the system. While manufacturers such as Siemens and Schneider Electric have active CERT units trained to deal with such incidents, smaller vendors will often pass the security risks on to their clients, making new devices and offering to upgrade old equipment.
When the patches stop
Looking closer to home, the Meltdown and Spectre vulnerabilities have both surfaced in recent years. They are flaws in the speculative execution logic of most widely used microprocessors: code running on the device, including JavaScript in a browser for some Spectre variants, can use them to read memory it should not be able to access and so retrieve passwords, encryption keys and other sensitive data. Almost every device with an affected CPU is vulnerable, not only computers, laptops and servers, but also smartphones, tablets, smart TVs and more. Mitigation needs both firmware (microcode) and operating system updates, and it's likely that many of these devices will never receive either.
If this is the case, the best course of action is to find workarounds. The industry needs to be smart about isolating critical network segments and monitoring ICS networks. Firewalls should be used to shield vulnerable routers and other unpatchable services from incoming connections, so that a flaw nobody can fix is at least reachable only from where it must be. More than anything, it's essential to keep an eye open for updates. As Microsoft demonstrated, if the situation is critical, even end-of-support equipment should get a patch if the vendor is able to provide it.
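As an added example (not from the original article), here is the host-side form of the "firewall in front of the vulnerable service" workaround, applied to the SMB service that WannaCry and NotPetya abused: SMBv1 is switched off, the built-in allow-from-anywhere rules are disabled, and TCP/445 is reopened only to a management subnet. It assumes Windows 8/Server 2012 or later (the NetSecurity and SmbShare modules), an elevated prompt, and that the firewall profiles keep their default inbound action of Block; the subnet 10.10.0.0/24 is a placeholder.

```powershell
# Added example: confine a host's SMB service to one network segment and drop SMBv1.
# Assumes Windows 8/Server 2012+, an elevated prompt, and firewall profiles whose
# default inbound action is still Block (the Windows default).

$ManagementSubnet = '10.10.0.0/24'   # placeholder: the only hosts allowed to reach SMB

# 1. Stop offering SMBv1 at all. Anything that still needs it is the Forever Day
#    problem in miniature and belongs on the replacement list.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 2. Disable the built-in inbound SMB rules. With the default inbound action of
#    Block, this alone closes TCP/445 to everyone.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Disable-NetFirewallRule

# 3. Re-open the port only to the management segment. Scoping by remote address
#    is what turns a flat network into the segmented one the text calls for.
New-NetFirewallRule -DisplayName 'SMB-In from management subnet only' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $ManagementSubnet -Action Allow -Profile Domain,Private

# 4. Verify: list every enabled inbound rule that still admits TCP/445 and from where.
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -eq 445 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    Select-Object DisplayName, Action,
        @{ n = 'Remote'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } }
```

The verification step matters more than the rules themselves: any other product that installs its own "allow 445 from Any" rule silently undoes the segmentation, and step 4 is how you see it. The same pattern, an explicit allow from a management address range in front of an otherwise blocked service, is what the text's router advice amounts to on the network devices themselves.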
Sooner or later, the patches will dry up. Attacks will grow in strength and sophistication, but Forever Day vulnerabilities will persist. It’s time then to look for more secure replacements, for it may be the only way to prevent exploitation.