Cybersecurity lessons learned one year after NotPetya
June 27 marked the one-year anniversary of the ExPetr/NotPetya malware outbreak, which affected tens of thousands of systems in more than 65 countries.
Most of the victims were located in Ukraine, the home of a tax software firm called MeDoc, whose product was used as the main attack vector in a supply chain attack scheme.
Today, a full year later, Ukraine continues to be a target. In fact, just this week, Ukrainian officials reportedly intercepted hackers planning a massive coordinated cyberattack on the country.
In addition to the significant damage caused to organizations worldwide, ExPetr/NotPetya also had the cybersecurity community on its toes, as researchers initially believed it was ransomware like WannaCry. Further analysis revealed that it was actually a wiper. This had two implications: even if victims paid the ransom, they still could not get their data back, and it reinforced the theory that the main goal of the ExPetr/NotPetya attack was not financial but destructive.
A few days later, new evidence showed a link between ExPetr/NotPetya and the BlackEnergy APT, which had also previously attacked targets mostly in Ukraine.
One Year Later, Things Remain the Same
Now, a year after the NotPetya/ExPetr malware attack took place, we are finding that certain things in the industry remain the same.
First, the EternalBlue exploit used in the attacks continues to impact users worldwide today. The exploit is being repackaged, and true to its name, shows no signs of dying anytime soon. In fact, from May 2017 to May 2018, more than two million users were attacked by EternalBlue. In addition, in 2018, Kaspersky Lab products detected more than 240,000 users being attacked by this exploit every month on average.
The fact that attackers keep using the EternalBlue exploit against users means that many systems remain unpatched, which could lead to dangerous consequences. To stay ahead of this threat, organizations should prioritize the security of their networks and install all necessary patches on time, in order to avoid continued damage from this exploit.
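The practical side of that advice is verifying, host by host, that the SMB fix is installed and SMBv1 is off. The PowerShell audit below is an added example, not code from the original article or from Kaspersky Lab; the function name is ours, and the KB list is an assumption drawn from Microsoft's MS17-010 bulletin that should be checked against the exact OS build, since later cumulative updates supersede those packages and may not show up under these IDs.

```powershell
# Added example (not from the original article): audit one Windows host for the
# mitigations against EternalBlue: (1) an MS17-010 package is installed,
# (2) SMBv1 is disabled, (3) whether SMB is listening at all.
# The KB list is an assumption from the MS17-010 bulletin (March 2017); verify it
# for your OS versions, and treat "none found" as "not proven", not "vulnerable",
# because later cumulative updates replace these packages.

function Test-EternalBlueMitigations {
    [CmdletBinding()]
    param(
        # Security-only and monthly-rollup packages from MS17-010 (assumed list)
        [string[]]$Ms17010Kbs = @('KB4012212','KB4012215','KB4012213','KB4012216',
                                  'KB4012214','KB4012217','KB4012606','KB4013198','KB4013429')
    )

    $result = [ordered]@{
        Host               = $env:COMPUTERNAME
        OsVersion          = [System.Environment]::OSVersion.Version.ToString()
        Ms17010HotfixFound = 'none of the listed KBs'
        Smb1ServerEnabled  = $null   # $null = could not determine on this OS
        Smb1FeatureState   = $null
        Port445Listening   = $null
    }

    # (1) Look for any of the original MS17-010 packages among installed hotfixes
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    if ($found.Count -gt 0) { $result.Ms17010HotfixFound = ($found -join ',') }

    # (2a) Server-side SMBv1 protocol switch (Windows 8 / Server 2012 and later)
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) { $result.Smb1ServerEnabled = [bool]$cfg.EnableSMB1Protocol }

    # (2b) SMBv1 as an optional feature; absent on older releases, hence SilentlyContinue
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat) { $result.Smb1FeatureState = $feat.State.ToString() }

    # (3) Is anything listening on TCP/445? If not, EternalBlue has no entry point here
    $listen = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $result.Port445Listening = [bool]$listen

    [pscustomobject]$result
}

# Run the audit and flag hosts that still need attention
$r = Test-EternalBlueMitigations
$r | Format-List
if ($r.Smb1ServerEnabled -eq $true -or $r.Smb1FeatureState -eq 'Enabled') {
    Write-Warning "SMBv1 is enabled on $($r.Host): disable it and confirm MS17-010 (or a superseding cumulative update) is installed."
}
```

Run it as an administrator; `Get-WindowsOptionalFeature -Online` needs elevation. Across a fleet, wrap the call in `Invoke-Command` and collect the returned objects rather than the formatted text, so the results can be sorted by `Smb1ServerEnabled` and `Port445Listening` to find the hosts that are both reachable over SMB and still running the legacy protocol.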
Lastly, the NotPetya/ExPetr attack also served as yet another example that attribution continues to be a very difficult and at times almost impossible task, especially when the available links consist of open-source tools, public frameworks and code reused by third parties. In the race to share timely information, it’s important to verify that research is accurate, which can be done through increased collaboration within the research community and beyond.
Moving forward, destructive malware disguised as ransomware will continue to be a problem. We’ve seen several major instances of this, and with the continued release and exploitation of vulnerabilities, the problem is only getting harder.