WannaCry and Mirai: old malware presents new threats

22 November 2020 (updated January 5th, 2021) | Blog, Vulnerability security

Organisations protect themselves against new forms of cyber-criminality, whilst old variants of malware can still cause considerable damage. Research by Tesorion shows that Mirai and WannaCry are still embedded in business networks, despite the fact that patches and solutions have long been widely available. It is very bothersome to become the victim of a malware attack, but it feels even worse when the attack could and should have been prevented.

It is a Saturday in mid-May. You have just put that week’s groceries in the back of the car and strapped the kids into the rear seats. It is remarkably noisy and busy in the car park. A floor down, it becomes clear why: cars can no longer exit. In itself this is not very strange; the gates occasionally show erratic behaviour. But considering the tremendous congestion, it is a serious problem. Meanwhile, the tension amongst the waiting motorists is rising. The cones from the bag of groceries are welcomed with loud cheers in the rear seats. ‘Ah well, just enjoy them!’ Eventually, a special officer sees no other option but to expertly demolish the gates, and the long queue of cars is on the move again.

Patch and update policy

What the trapped motorists did not know at the time is that the failure the international car park business was dealing with was caused by a ransomware attack. A couple of days earlier, numerous businesses worldwide had become the victim of what would later be known as the WannaCry ransomware. Cyber-criminals had used a vulnerability in Windows to break into systems and encrypt files. Only after a payment of US$ 300 in Bitcoin would the files be decrypted. Microsoft had already been informed of the vulnerability and had already issued a patch. The fact that there were still so many victims indicates that, at the time, organisations did not have their patch and update policy in order. Including the car park business.

Non-secure IoT devices

That was then. Now, well over 3 years later, you would expect organisations to have learnt their lesson and to have their patch and update policy in order, and therefore to be properly protected against WannaCry and its successors. Nothing is further from the truth. On business networks monitored by Tesorion, this old form of malware is still detected regularly. The same applies to, for instance, the Mirai botnet. Mirai mostly runs on IoT devices, like video cameras and network routers for home use. In September 2016, large numbers of devices infected by Mirai were used to launch a large-scale, targeted denial-of-service attack. At the time, many security experts pointed to the importance of adequately securing these devices, which usually sit outside the managed IT estate yet are connected to the network. In May of this year, the Consumer Association sounded the alarm about non-secure surveillance cameras made in China: such devices are particularly easy to compromise and take control of. Between July 2019 and June 2020, Tesorion detected well over 150 infections with Mirai and WannaCry.

Awareness

The problem is that these devices are difficult to patch, so you need to take other measures. The best remedy is to replace vulnerable devices that do not receive software updates, to change default passwords, and otherwise to ensure that the device is not connected to the internet – or only via a dedicated, secured network segment. However, experience shows that it is difficult to keep an overview of all IoT devices within the organisation. Hence, you should not be surprised when an overzealous employee installs internet-connected equipment, without giving it proper thought and without the knowledge of IT. In that case there is still a lot to do to raise awareness about cyber-security. Make sure that employees know the methods that could expose them to social engineering and phishing, and how they should handle them.

Back-ups of data

Mirai will in all likelihood keep causing noise on business networks. You should, in any case, make sure that if IoT devices are compromised, cyber-criminals can inflict little damage. For instance, create back-ups of data and make sure that they are stored off-line. Also make sure that the restore procedure is tested regularly. It may be utopian to think you are completely safe, but if a cyber-security incident occurs you will then know what to do. Prevent car parks, hospitals, and global ports from closing due to already known malware.

To measure is to know

Tesorion Retrospect #1

In Tesorion Retrospect #1 we look back at the past year, one in which the corona crisis has severely disrupted the continuity of many businesses. Learn more about how COVID-19 gives hackers free rein on business networks.
