At the end of 2019 the University of Maastricht suffered a ransomware attack. The university paid $200.000 to regain access to its data. Not a nice Christmas story. During a ransomware attack, data, say customer data, is encrypted. Attackers also corrupt or remove the backups, so the only way to regain access is to pay the ransom.
The criminals started the attack by sending employees an Excel file with a macro, using the ‘EternalBlue’ exploit. Interestingly enough, this exploit was developed by the NSA… but we digress. The exploit allows “…remote code execution if a user opens a specially crafted Excel file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user”.
Any user who executed the macro would give the attacker remote access to his or her workstation if that device was vulnerable to this exploit. This is like giving the attacker the opportunity to ‘work from home’, but on your network. Employees are smart, so phishing emails are very well crafted: they appeal to human vices and virtues and carry titles such as ‘employee redundancy plan 2020.xls’ or ‘bonus allocation.docx’.
The vulnerability is known as MS10-17 and dates from 2010. The researchers concluded that the university should know what it is running and should also be aware of when patches have failed.
What can you do?
In this case, an awareness program for colleagues can help reduce the risk of employees opening suspicious attachments. Humans are curious, so awareness training is important, yet it is only part of the solution. Anti-virus scanners can detect suspicious files, but more advanced attackers avoid detection by encrypting the code.
Addressing the root cause means being able to detect and resolve the vulnerabilities related to MS10-17: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147 and CVE-2017-0148.
The question remains: how do you know whether you are exposed to these vulnerabilities on your network? Classic pen testing will not solve the problem, as applications like Excel do not respond to a network probe. The security team could run a manual check of each workstation, but with thousands of devices and frequent changes that is not feasible.
Know thy weaknesses
With Skopos we resolve this problem by deploying light-touch, ‘dumb’ agents that frequently take a snapshot of a device, whether Windows, Linux or ARM. This snapshot contains the names and versions of all installed software, libraries and packages, plus some device information.
Skopos bots crawl the public, deep and dark web 24×7 for new vulnerabilities and exploits and ‘listen in’ on dark web conversations to learn what hackers are discussing. All this information is summarized in the Skopos Exploitation Score, or SKES. SKES gives the probability that a hacker will exploit a given vulnerability in a piece of software within the next 12 months. Newly detected vulnerabilities or risks are highlighted instantly, so you don’t have to wait for the next pen test session or vendor report.
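As an added illustration of the snapshot-matching idea (example code written for this post, not Skopos's agent or platform), the script below matches constructed device snapshots against a constructed vulnerability catalogue and ranks the findings by exploitation probability. The CVE ids and the 65,7% score are taken from this post; the product names, installed versions and fixed-in versions are invented stand-ins.

```python
# Added example (not Skopos code): match agent inventory snapshots against a
# vulnerability catalogue and rank the findings by exploitation probability.

def parse_version(version: str) -> tuple:
    """Turn '3.1.2' into (3, 1, 2); non-numeric parts sort as 0. Demo-grade only."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

# Constructed catalogue. The CVE ids and the 65.7% score come from the post;
# the product names and fixed-in versions are invented stand-ins, not vendor data.
VULNS = [
    {"cve": "CVE-2017-0144", "product": "demo-fileshare", "fixed_in": "3.1.5", "skes": 0.657},
    {"cve": "CVE-2017-0143", "product": "demo-fileshare", "fixed_in": "3.1.5", "skes": 0.40},
    {"cve": "CVE-0000-0001", "product": "demo-editor", "fixed_in": "2.0.0", "skes": 0.05},
]

# Constructed snapshots, the kind an inventory agent would report per device.
SNAPSHOTS = [
    {"host": "ws-001", "os": "Windows", "packages": {"demo-fileshare": "3.1.2", "demo-editor": "2.0.0"}},
    {"host": "ws-002", "os": "Linux", "packages": {"demo-fileshare": "3.1.5"}},
    {"host": "ws-003", "os": "Windows", "packages": {"demo-fileshare": "3.0.9", "demo-editor": "1.9.1"}},
]

def find_exposures(snapshots, vulns):
    """Return one finding per (host, CVE) where the installed version predates the fix."""
    findings = []
    for snap in snapshots:
        for vuln in vulns:
            installed = snap["packages"].get(vuln["product"])
            if installed is None:
                continue  # product not present on this device
            if parse_version(installed) < parse_version(vuln["fixed_in"]):
                findings.append({"host": snap["host"], "cve": vuln["cve"],
                                 "installed": installed, "fixed_in": vuln["fixed_in"],
                                 "skes": vuln["skes"]})
    # Highest exploitation probability first, then by host for a stable report.
    findings.sort(key=lambda f: (-f["skes"], f["host"]))
    return findings

def patch_priorities(findings):
    """Aggregate findings into a ranked worklist of (cve, affected host count, skes)."""
    counts = {}
    for f in findings:
        counts.setdefault(f["cve"], [0, f["skes"]])[0] += 1
    return sorted(((cve, n, s) for cve, (n, s) in counts.items()),
                  key=lambda row: (-row[2], -row[1], row[0]))

if __name__ == "__main__":
    for cve, hosts, skes in patch_priorities(find_exposures(SNAPSHOTS, VULNS)):
        print(f"{cve}: {hosts} device(s) exposed, exploitation probability {skes:.1%}")
```

The device with the fixed version (ws-002) produces no finding, and the worklist puts the CVE with the highest score first even though two CVEs affect the same number of hosts.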
Skopos prioritizes which software needs to be patched and why. Looking into the Skopos platform, we can see that for CVE-2017-0144 the risk is quite high: a 65,7% probability of exploitation. The reason for the Skopos scoring:
“There are 4 known exploits. There is 1 public reference. The attack vector is ‘network’, which means that the attack can be performed remotely. The attack complexity is ‘medium’, which means that the attack can be performed by an attacker with intermediate skills.”
Skopos can tell exactly which devices are affected and for how long, and can give one or more recommendations. Skopos found the following related exploits (and luckily, no matches on our network):
Our mission is to help you identify which software is at the highest risk and help you remediate it. We do this by automating the manual work in the vulnerability management process and augmenting this information with real-world risk. This way, you and your team can focus on the part where humans excel: decision-making and creative solutions to mitigate the risks!
Cyber security is a complex field and there is no one-size-fits-all solution. We believe Skopos is a helpful addition to the detection and remediation of vulnerabilities, based on real-world risk.
Read more on the attack at the university here: we applaud the university’s openness in sharing the report; this way we all get to learn and improve.