This week, organizations across the world have fallen victim to a new ransomware attack, dubbed NotPetya, seemingly designed to cause maximum damage and disruption to computer systems.
While details of the exact nature of the attack are still emerging, security researchers familiar with the matter have pinpointed the cause of the infection to be malware seeded through a software update in Ukraine. It follows the ransomware attack in May, which knocked out systems in over 250 countries, notably the UK National Health Service.
The malware was initially thought to be the well-known Petya ransomware, however, researchers soon realized the resemblance was only skin deep. Subsequently, experts at Kaspersky Labs have dubbed the malware NotPetya, and disclosed that, while it may appear to be ransomware, the malware was not designed for financial gain. Rather, it is a wiper, meaning that even if victims pay up, they will not get their information back.
A second wave of the attack is said to have been spread through a phishing campaign containing malware within the attachments. For a more comprehensive breakdown of the attack, see this blog post by security expert the grugq.
A global attack with wider implications
The ransomware has affected organizations across the globe. The radiation monitoring system at Chernobyl was taken offline, forcing scientists to monitor radiation manually. Advertising agency WPP is known to have been affected, as well as Danish shipping company Maersk, and the law firm DLA Piper.
The malware uses various tools, described in detail here, to infect machines as it moves through a network. From an IoT standpoint, the increase in malware infections like this are a concern. As the number of internet-connected devices has proliferated, it appears that so has the opportunity for hackers to exploit IoT devices as vulnerable points in the network.
Internet connected vending machines have previously been used to take down university networks, while a ransomware attack in Austria recently targeted smart locks on connected hotel room doors. More disturbingly, children’s toys have also fallen prey to hackers.
While the NotPetya attack is different in nature, and while it did not target critical infrastructure, it once again serves to highlight some of the vulnerabilities that come with internet-connected machinery.
Separate networks for IoT
Speaking to Computer Reseller News, David Johnson, vice president of sales and marketing for The Fulcrum Group, which secures IoT networks, said “We recommend that IoT devices get their own separate logical network.
“If you look at some of the recent attacks – such as Target – Internet of Things devices like HVAC systems have been the jumping-off point for hackers. This wouldn’t happen if they were on a separate network.”
“IoT security is becoming one of the major problems in the industry – so many new kinds of devices are becoming plugged onto the network, and the people installing them are not necessarily IT or security professionals,” Johnson said. “There’s a lot of good revenue opportunities for the channel, and MSPs will become more involved in the design and implementation of IoT security measures.”
The NotPetya ransomware infects machines and then waits for about an hour before rebooting them. According to @HackerFantastic on Twitter, you can switch the machine off while it is rebooting to prevent any files from being encrypted.
If the machine successfully reboots with a ransom note, researchers are advising not to pay. Instead, it is recommended that victims disconnect all machines from the internet and reformat their hard drives.
Security, security, security
With a word to the future of IoT security, Ben Hertzberg, research group manager at cyber security company Imperva, told Internet of Business that the “main threat with IoT is that there are billions of internet-connected devices where basic security standards are not enforced. Devices are shipped with default credentials (sometimes without the ability to change them), vulnerabilities in their web interfaces, remote update procedures and more.
“The surge of Internet of Things systems is accompanied with a surge of breaches. As in previous IoT hacks, the tendency is to focus on the end device, the potential of someone taking control and the nature of the data that was poorly protected, bringing the cyber threats to the most intimate places of our lives.
“In many cases, it is not the device itself that was exploited, but the server through which the device was connecting to the Internet or mobile application along with the interaction between them. The security community well understands that a web server open to the Internet presents a target for any hacker located anywhere on the planet, and without proper security controls in place, getting hacked is only a question of time.
“We’re seeing [IoT] devices being used in other malicious activities like probing websites for vulnerabilities and attempting to take over accounts. In conclusion, every company that’s selling devices that connect to the internet must know that in that moment they become a target, and will probably not have a lot of grace time before they start getting attacked.”
Read more: Entropy: a shot in the arm for IoT security?