Cyber security update May 2017
New attacks and threats:
The WannaCry ransomware attack, which spreads by exploiting vulnerabilities in Server Message Block 1.0 (SMBv1) that Microsoft had patched in March 2017 (MS17-010), affected thousands of private and public sector organisations across dozens of countries. In the U.K. the attack caused significant disruption in the healthcare sector; NHS Digital published advice and guidance on protecting against the attack. Also see guidance from US-CERT (more detail here and also see this fact sheet) and the U.K. National Cyber Security Centre (NCSC), which also published advice for enterprise administrators and for home users and small businesses. Reuters later reported on a newly discovered Samba vulnerability which could lead to attacks similar to WannaCry; again, see US-CERT for further detail. There is also guidance from Carnegie Mellon University's Software Engineering Institute on best practices for preventing and responding to ransomware attacks.
A new phishing campaign affected Google Docs users, employing spoofed email addresses to target users with emails purporting to share a document for collaboration. Google has taken action to protect users, including removing the fake Google Docs pages and disabling the offending accounts; again, see advice and guidance from US-CERT.
Cyber security policy developments:
In the U.S. President Trump signed a cyber security Executive Order setting out actions to address cybersecurity vulnerabilities (also see the related press statement). Specific actions include requiring all government agencies to use the industry-standard National Institute of Standards and Technology (NIST) Cybersecurity Framework to manage their cybersecurity risks and requiring all agencies to prefer shared IT services in all future procurements, consolidating to reduce risk.
In the U.K. BBC News, ISP Review and Out-Law reported that the Government is consulting on plans to require telecoms operators to remove or enable the removal of encryption they have applied to internet traffic, or which has been applied on their behalf (they would not be required to remove encryption applied by third parties). The proposals also include plans to provide "data in near real time" within one working day.
Cyber security research & analysis:
Akamai published its Q1 2017 State of the Internet / Security report. Risks to the Internet and to targeted industry sectors remain and continue to evolve: attackers are increasingly integrating Internet of Things (IoT) vulnerabilities beyond Mirai into distributed denial of service (DDoS) botnets and malware. Reflection attacks continued to comprise the largest number of DDoS attack vectors and accounted for 57 percent of all mitigated attacks in Q1 2017. The median size of DDoS attacks has fallen steadily since the beginning of 2015; huge attacks still occur, but in Q1 2017 half of all DDoS attacks were between 250 Mbit/s and 1.25 Gbit/s. However, DDoS attacks that generate more than 100 Gbit/s are common enough to be a concern, with many driven by compromised IoT devices.
Verisign published its Q1 2017 DDoS Trends Report: it saw a 23 percent decrease in the number of attacks in Q1 2017; however, the average peak attack size increased 26 percent compared to the previous quarter. Overall, average peak attack sizes have been noticeably larger since Q1 2016, with peak sizes over 10 Gbit/s. The largest DDoS attack observed by Verisign was a multi-vector attack that peaked over 120 Gbit/s and around 90 million packets per second (Mpps).
Researchers in the School of Electrical and Computer Engineering at the Georgia Institute of Technology (more detail here) found that analysis of network traffic going to suspicious domains provides the earliest indicator of infection, several weeks and often months before a sample of the malware itself can be captured. The approach relies on the fact that malware has to communicate with its command and control (C2) servers: that traffic, typically visible in DNS and proxy logs, can be detected and analysed to give early warning of a developing infection, without waiting for a sample to appear.
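To make the idea concrete, here is an added example (my own illustration, not the Georgia Tech researchers' code) of the two checks a detection team would run over resolver or proxy logs: match each queried name against a watchlist of suspicious domains, including their parent zones, and then look at whether a client's hits recur at regular intervals, which is the beaconing pattern C2 traffic tends to show. The log format, the watchlist and the log lines are all constructed for the example.

```python
"""Flag clients whose lookups hit suspicious domains and look like C2 beaconing.

Added example illustrating the detection idea above; not the researchers' code.
Log format ("<ISO timestamp> <client IP> <queried domain>"), the watchlist and
the sample lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed watchlist: domains an analyst has marked as suspicious.
SUSPICIOUS_DOMAINS = {"updates-cdn.example", "c2.badactor.example"}

# Constructed resolver log: one host beacons every ten minutes, one hits a
# watchlisted name once, one is clean.
SAMPLE_LOG = """\
2017-05-01T09:00:00 10.0.0.5 www.janet.example
2017-05-01T09:00:03 10.0.0.7 api.updates-cdn.example
2017-05-01T09:10:03 10.0.0.7 api.updates-cdn.example
2017-05-01T09:20:04 10.0.0.7 api.updates-cdn.example
2017-05-01T09:30:02 10.0.0.7 api.updates-cdn.example
2017-05-01T09:40:03 10.0.0.7 api.updates-cdn.example
2017-05-01T09:05:00 10.0.0.9 mail.janet.example
2017-05-01T09:07:00 10.0.0.9 c2.badactor.example
2017-05-01T11:00:00 10.0.0.5 www.janet.example
"""


def parent_domains(name):
    """Yield the name and each parent zone: a.b.c -> a.b.c, b.c, c."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:])


def matches_watchlist(name, watchlist=SUSPICIOUS_DOMAINS):
    """True if the queried name or any parent zone is on the watchlist."""
    return any(zone in watchlist for zone in parent_domains(name))


def parse_log(text):
    """Return (timestamp, client, domain) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        records.append((ts, parts[1], parts[2]))
    return records


def beacon_score(timestamps):
    """Coefficient of variation of the gaps between hits (near 0 = regular
    beaconing). None when fewer than three hits, i.e. fewer than two gaps."""
    if len(timestamps) < 3:
        return None
    ordered = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ordered, ordered[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg > 0 else None


def find_suspected_infections(text, watchlist=SUSPICIOUS_DOMAINS, max_cv=0.2):
    """Map each client that touched a watchlisted domain to a small report."""
    hits = defaultdict(list)
    for ts, client, domain in parse_log(text):
        if matches_watchlist(domain, watchlist):
            hits[client].append((ts, domain))
    report = {}
    for client, events in hits.items():
        score = beacon_score([ts for ts, _ in events])
        report[client] = {
            "hits": len(events),
            "domains": sorted({d for _, d in events}),
            "beaconing": score is not None and score <= max_cv,
        }
    return report


if __name__ == "__main__":
    for client, info in sorted(find_suspected_infections(SAMPLE_LOG).items()):
        print(client, info)
```

Run on the sample, 10.0.0.7 is reported with five hits and beaconing set, while 10.0.0.9 appears with a single hit and no beaconing verdict, which is the kind of triage split an analyst wants before any sample exists. The watchlist match is deliberately zone-based so that a fresh subdomain of a known bad zone is still caught; the beaconing threshold (`max_cv`) is a tuning knob, and jittered beacons will need a looser value or a longer window.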