Three recent cyber security stories combine to make a potentially wicked brew. First, ransomware authors have realised that they can improve the monetisation of their mischief by knocking out whole businesses in one go rather than individual computers one at a time, as witnessed by the attacks on hospitals in the US. Second, there are reports that the next generation of ransomware may be able to pass from server to server, rather than just from the Internet to a workstation. Third is the major announcement, due on 12 April 2016, of the Badlock vulnerability in SMB/Samba, the technology that computers use to talk to one another on local networks.
If it proves possible to combine these three factors into a workable attack before critical systems are patched, then a whole business could be hijacked by one user clicking a single malicious link in an email or on a website, provided that user is also connected to corporate network drive shares such as a home drive. Until the patches land, the practical levers are the ones you already have: the fewer shares a workstation can write to, and the faster a burst of unexpected renames on a share is spotted, the smaller the blast radius of that one click.
To take a step back, traditional ransomware works by persuading a user to run software, delivered either through a malicious website or via spam email. This is normally a simple downloader that fetches a separate malicious payload in a way designed to slip past antivirus and other traditional protection. The payload then encrypts files on the computer's own drives and on any mapped network drives, and extorts a ransom from the user in return for decrypting them.
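The network-drive stage is the one a file server can actually see, because every rename or write arrives as a request from a named user. The following is an added example, not code from the original post, showing one way to catch that stage: a small Python detector that reads file-access audit events from a share and raises an alert when one user renames or writes an unusually large number of files within a short window, reporting the new file extensions that appeared. The pipe-separated log format, the 60-second window, the threshold of 5 operations and the sample events are all constructed assumptions for this example, not any real Samba or Windows audit format; a real deployment would parse whatever the file server emits and tune the threshold to normal user behaviour.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning parameters (assumptions for this example, not values from the post).
WINDOW = timedelta(seconds=60)   # how far back to count a user's operations
THRESHOLD = 5                    # rename/write ops inside WINDOW that trigger an alert
SUSPECT_OPS = {"rename", "write"}

# Constructed sample audit events, one per line:
#   timestamp|user|operation|path[|new_path]
# "alice" behaves like a ransomware-infected workstation renaming files on her
# home drive; "bob" and "carol" are ordinary users. Not a real log format.
SAMPLE_LOG = r"""
2016-04-11T09:13:50|bob|write|\\fs01\home\bob\notes.txt
2016-04-11T09:14:00|alice|read|\\fs01\home\alice\budget.xlsx
2016-04-11T09:14:01|alice|rename|\\fs01\home\alice\budget.xlsx|\\fs01\home\alice\budget.xlsx.locked
2016-04-11T09:14:02|alice|rename|\\fs01\home\alice\plan.docx|\\fs01\home\alice\plan.docx.locked
2016-04-11T09:14:03|carol|rename|\\fs01\shared\report.docx|\\fs01\shared\report_final.docx
2016-04-11T09:14:03|alice|rename|\\fs01\home\alice\photo.jpg|\\fs01\home\alice\photo.jpg.locked
2016-04-11T09:14:04|alice|write|\\fs01\home\alice\README_DECRYPT.txt
2016-04-11T09:14:05|alice|rename|\\fs01\home\alice\cv.pdf|\\fs01\home\alice\cv.pdf.locked
2016-04-11T09:14:06|alice|rename|\\fs01\home\alice\archive.zip|\\fs01\home\alice\archive.zip.locked
2016-04-11T09:16:30|bob|write|\\fs01\home\bob\notes.txt
2016-04-11T09:18:00|bob|write|\\fs01\home\bob\todo.txt
"""


def parse_line(line):
    """Split one constructed audit line into (timestamp, user, op, path, new_path)."""
    ts, user, op, path, new_path = (line.split("|") + [""])[:5]
    return datetime.fromisoformat(ts), user, op, path, new_path or None


def _extension(path):
    """Lower-cased extension of a path, or '' if it has none."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {user: alert} for users exceeding `threshold` rename/write ops in `window`.

    A sliding window of timestamps is kept per user; the alert records when the
    burst started, how many ops were in the window when it fired, and every new
    extension the user introduced through renames (e.g. a ".locked" suffix).
    """
    recent = defaultdict(deque)     # user -> timestamps of recent suspect ops
    new_exts = defaultdict(set)     # user -> extensions that appeared via rename
    alerts = {}

    for line in lines:
        if not line.strip():
            continue
        ts, user, op, path, new_path = parse_line(line)
        if op not in SUSPECT_OPS:
            continue

        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop ops that fell out of the window
            q.popleft()

        if new_path and _extension(new_path) != _extension(path):
            new_exts[user].add(_extension(new_path))

        if len(q) >= threshold and user not in alerts:
            alerts[user] = {"first_seen": q[0], "ops_in_window": len(q)}

    for user in alerts:                   # attach the final extension set
        alerts[user]["new_extensions"] = sorted(new_exts[user])
    return alerts


if __name__ == "__main__":
    for user, info in detect_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {user}: {info['ops_in_window']} ops from {info['first_seen']} "
              f"new extensions={info['new_extensions']}")
```

On the constructed sample the detector fires for alice alone, five operations into her rename storm, and reports the new `.locked` extension; bob's occasional saves and carol's single rename never reach the threshold. The extension list is the useful bit for a responder: a single unfamiliar suffix appearing across many files is the signature worth blocking on at the share, before the rest of the home drives go the same way.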
Up to now such losses have generally affected individual users or a single computer. But what if that has changed, and the next wave is designed to infect server and storage farms? The likely impact is that paying the ransom becomes the only way an IT department can recover time-critical business systems and get users back to work.
Returning to the attack I described at the beginning of this post: the user who clicks a link infects their own laptop, the laptop infects the home drive, and with a little help from Badlock the infection proceeds across the network. That laptop is not really on the edge of the network at all. It has the same reach into the network as a machine in the core, yet it is more likely to be running an older operating system such as Windows 7, to be less well maintained than a server, and to carry far more uncontrolled software than any server would be allowed to have.
So, what is the real difference between a computer at the edge of the corporate network, where convenience drives design decisions, and one in the data centre core, where availability is king? When confronted by well-motivated and profitable criminals, maybe the answer is nothing at all.
For more information:
Badlock Samba vulnerability: http://badlock.org
Ransomware targeting servers (from Computer Weekly)
Targeting of hospitals in the USA (from Healthcare News)