December 2018 has been a tough month in the cybersecurity community. In the span of a few days, we’ve been reminded that more often than not, cybersecurity teams show up to battle with the technology equivalent of knives to a gun fight. Consider what’s happened since 30th November:
- Two of the largest security breaches in history;
- The US Congress declared the 2017 attack against credit reporting agency Equifax as “entirely preventable”; and,
- A new variation of a ransomware is targeting servers with well-known vulnerabilities on common platforms.
The common theme in all of these events is the increasing level of automation and sophistication employed by attackers while InfoSec and DevOps teams struggle to keep pace.
It’s still too early to tell how Marriott and Quora were breached, exposing more than 600 million records. In the case of Marriott, there are indications the four-year long attack was Nation/State sponsored. No matter who is responsible, it’s highly likely the entry point was a known vulnerability that was discovered via an automated scanning tool.
That’s exactly what happened to Equifax in 2017 according to the findings of a year-long investigation by the US House of Representatives. While the politicians who ordered the investigation can’t agree on a fix, they do agree on the root cause: an unpatched, but well-known Struts 2 bug (CVE 2017-5638) resulting in a failure “to implement an adequate security program to protect this sensitive data.” The missed patch was compounded by an expired cert – for 19 months! – on the IDS system that could have detected the intrusion had it been fully operational.
Lost in all the noise created by the above is the announcement of what could be a significant escalation in how ransomware operates and how it is deployed. Discovered by independent researchers, the “Lucky” virus is the latest variant of the “Satan” worm. Only this time, Lucky attacks servers via one (or more) known CVEs that have not been patched rather than the more common attacks against OS vulnerabilities.
Enterprise applications are much more difficult to patch (see above for proof) and are ripe for exploitation by automated and autonomous hacker tools. The prospect of self-propagating ransomware that spreads without human invention via known, but unpatched CVEs is both a significant new threat and a reason to accelerate the deployment of automated tools to fix flawed code without downtime or source code changes.
All of this begs the question: If the bad guys are relying more and more on automation – why don’t we?
Author:
John K. Adams is the CEO of Waratek, a leading application security company used by the largest companies around the world.
